Hacking Humans 7.30.20
Ep 109 | 7.30.20
Be the custodian of your own digital identity.
Transcript

Bruce Esposito: You should be the owner and controller of your own digital identity.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, the phishing schemes, the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Bruce Esposito. He is from One Identity. And we're going to be talking about digital identities and what they could mean for privacy. 

Dave Bittner: Joe, I am going to kick things off for us this week. Last year, back in August, we talked about a story where there were claims that someone was using deepfake audio to impersonate a CEO and get a company to transfer money. 

Joe Carrigan: Yes. And you were dubious of that claim. 

Dave Bittner: I was and for good reason. And in that case, I believe an employee actually transferred nearly a quarter of a million dollars. 

Joe Carrigan: Yeah, a lot of money. 

Dave Bittner: Yeah. The insurance company claimed that it was a deepfake, but you and I dug into it a little deeper and really found that there really wasn't a whole lot to back up that claim that there was a deepfake. We - and I think the conclusion that we came to was that it was probably just somebody doing an impersonation, which was easier. You know, there are a lot of reasons why (laughter) it was easier to just try to impersonate someone... 

Joe Carrigan: Yes. 

Dave Bittner: ...Than do a deepfake, especially - well, gosh - nearly a year ago now. So this story came by just recently. This is over on the Motherboard website. And it's titled "Listen to This Deepfake Audio Impersonating a CEO in Brazen Fraud Attempt." And it appears as though we've got a case here where someone did actually try to spin up a deepfake. And in this case, they actually got a sample of the voicemail that was left. I guess before we go any farther, let's listen to that brief little sample here. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Person: I'm Pedro at NISOS, and I need your immediate assistance to finalize an urgent business deal. 

Joe Carrigan: That sounds pretty close, Dave. 

Dave Bittner: (Laughter) It's not bad. 

Joe Carrigan: Right. 

Dave Bittner: It's not blatant. It doesn't sound like Mr. Roboto or something, you know, or (laughter), you know, an old '80s video game or something. It's not overtly synthesized. 

Joe Carrigan: It does sound a little stilted, though. 

Dave Bittner: I agree. I agree. 

Joe Carrigan: I need your immediate assistance. 

Dave Bittner: Right. And in this case, the employee who received the voicemail recognized that there was something up. He didn't fall for it. He contacted the security folks at his company. They contacted a security firm who investigated. And sure enough, it turns out that it was a deepfake. And the security firm actually did some forensic stuff on the audio files, and there were some telltale signs that this was a processed file. 

Joe Carrigan: Right. 

Dave Bittner: Now, it's interesting to me how far this stuff has come in the past year or so. 

Joe Carrigan: Yeah. 

Dave Bittner: I was recently looking at a tool for transcription that's available and quite popular with podcasters these days. And this tool allows you to load in an audio file. It will automatically transcribe the audio. So, basically, what you end up with is what looks like a file in a text editor, but you can go in and edit that text file, and it automatically edits the audio file as well. 

Joe Carrigan: Really? 

Dave Bittner: Yeah, which is interesting and handy. So for cutting and pasting things, moving things around, getting rid of extraneous stuff, that's one thing. But what this can also do is it can analyze the audio, and you can replace words. So for example, if I said, hey, Joe, the sky is plaid, and you wanted to go in and, say, have me say, the sky is blue... 

Joe Carrigan: Right. 

Dave Bittner: ...You could cut out the word plaid, put in the word blue, and it would put the word blue in in my voice. 

Joe Carrigan: Amazing. 

Dave Bittner: And I have. It is absolutely convincing. For single-word replacements like that - completely compelling. There's no reason to think that there's anything wrong. So my point being that this technology has come a long way, even in the past year, and it's also readily available - not hard to get your hands on these days. So interesting to see that, in this case, these bad guys - looks like they use this as an attempt to sort of set the hook, right? It just doesn't look like this was their endgame. They were using this to try to get an employee to engage, to continue the conversation, to contact them, to try to reach out. 

Joe Carrigan: Right. OK, so this was just the tip of the spear, as it were. 

Dave Bittner: Correct. And in this case, they were not successful. And the employee did the right thing - contacted security, didn't fall for it, just had a sense that something wasn't quite right. And so the scammers did not get what they were after. But I think it's an interesting example of how things are moving along with this technology, and where we were skeptical a year ago, it seems as though in this case it really did happen. 

Joe Carrigan: Yeah. Wasn't the story from a year ago about a conversation on the phone? 

Dave Bittner: Yes. 

Joe Carrigan: Not a voicemail? 

Dave Bittner: Correct. Correct. 

Joe Carrigan: I still don't know if that's going to be easy to do because you're going to have to write your response into something that's going to have to generate the voice. And how you're going to do that on the fly, I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, it's certainly simple to do a deepfake for a voicemail message, and then there's a couple of ways you can get that left in someone's voicemail. You can either just call the number and leave it, right? That's the simplest. 

Dave Bittner: Right. 

Joe Carrigan: But maybe if I have access to the voicemail system back-end, I can just upload the file. 

Dave Bittner: Yeah. 

Joe Carrigan: But I think we're still a couple of years away from conversational deepfakes. 

Dave Bittner: Well, let's hope so. 

Joe Carrigan: Yeah. 

(LAUGHTER) 

Dave Bittner: Let's hope so. But interesting development, nonetheless. So that's my story this week. Of course, we'll have a link for that in the show notes. Joe, what do you have for us? 

Joe Carrigan: Dave, my story this week comes from Ax Sharma over at Bleeping Computer. And we'll put a link in the show notes, but he has a story about an interesting new phishing campaign. The emails seem to come from a domain called servicedesk.com. And the email headers, if you examine the headers, seem to indicate this is correct. 

Joe Carrigan: So in an email header - I'm going to get a little bit technical down in the weeds here. So if the listeners who are non-technical can bear with me, in email headers, there are fields called received from fields. And they will have a domain and an IP address of where that email was received, and you will see a chain of these. And one of the ways you test for spam and to see if an email has been spoofed from a domain is to check and make sure that the reply path or the reported sender of the email, the reply to address domain, matches the very last or first - depending on how you read it - received from field in the header. And that is the case here, and they are both coming from a domain called servicedesk.com. 

Joe Carrigan: Ax thinks that there are two possibilities here. Either servicedesk.com has been compromised, or the attackers are injecting the received from record on an email server they control because if you control an email server, then you can just spoof that record, right? You can say, oh, yeah. I received this from servicedesk.com. Here's an email. And that's a great way to get through a lot of these spam filters. 

Joe Carrigan: I'm fairly certain it's the second part for two reasons, and Ax is also certain of that as well. He says that's what he thinks has happened. But one of the reasons is - and he points this out in the article - is there are no DMARC records for servicedesk.com. And we've talked about DMARC records. They're a way for a receiving email server to validate that the email did, in fact, come from the domain that's claiming to have sent it. And servicedesk.com doesn't have any of that set up on it.

Joe Carrigan: Exactly. I don't think that Service Desk has been compromised because I doubt there is any kind of email infrastructure there at all. It's - he's just parked a domain there and is trying to sell it, and it's a lot of effort to break in there and then set up your own email infrastructure. So I'm sure that what they're doing is they're just using a middleman and saying it's come from servicedesk.com and inserted that record into the headers. Anyway, now on to the non-technical part of it - the social engineering portion of it. 

Dave Bittner: Yeah. 

Joe Carrigan: The email is a spam quarantine message. Do you get these? 

Dave Bittner: Yes. 

Joe Carrigan: We get them... 

Dave Bittner: Yes. 

Joe Carrigan: ...Frequently. And let me read the text of this email as it comes in. It says, you have six undelivered emails clustered on your cloud. And the six is in brackets, curly braces. Because your email storage capacity is full and awaiting approval from you to deliver messages and restore cloud storage, be notified this might make incoming messages bounce back or lose your important emails. Please follow the instructions to resolve issue and release the pending messages to your inbox. OK, so obviously, there's a lot of bad English in here, which is a telltale sign, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It's got two links there that say release messages and clean up cloud. And guess what happens if you click on either one of those? You go to a landing page. Now, these landing pages, however, are set up on either a Microsoft or an IBM cloud service. They're using the IBM cloud hosting or Microsoft Azure or Microsoft Dynamics. And in the case of Azure or IBM, they automatically get free SSL certificates that contain these companies' names, so there's a little more legitimacy to it. 

Joe Carrigan: Here's actually a very clever part of it. If you go to the landing page and you enter an email address and then you type in a password like test, it says wrong password because that's exactly what a cloud service would say if you entered a password test. These guys have actually put password requirements on their phishing page to weed out people who are testing the phishing page. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's pretty clever. Once you enter your actual email and password address, you're done. That's it. They've got you. They show you a page that says your account has been updated successfully, and they're redirecting you. And then they send you back to your company's web page - right? - the domain that is at the end of your email address. 

Dave Bittner: I see. Yeah. What strikes me about this is how vanilla it is. Like you said, you know, this is the kind of thing it's common to receive. 

Joe Carrigan: It is. I get these two or three times a week, and I just ignore them. One of the things that it's interesting to note is when you have a quarantine system like this, if you don't respond, your quarantine box doesn't fill up. It's just after 14 days, the messages are deleted. The attackers are doing the same old tricks where they're saying, hey. If you don't get to your email quickly, you're not going to be able send or receive emails. You're going to miss important emails, and that would be bad. Of course, nobody wants to miss important emails, so they're using that threat of missing emails to get you to click on the links. 

Dave Bittner: Right. All right. Well, that is an interesting one - multiple levels to that one, multiple layers. 

Joe Carrigan: Yeah - lots of moving parts in this one. I like it. 

Joe Carrigan: Yeah. And as always, we'll have a link to that one in the show notes as well. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, this Catch of the Day comes from Monica (ph). She played dumb with a CashApp scammer for three days. 

Dave Bittner: (Laughter) Does Monica need a hobby? 

Joe Carrigan: Right. She posted this on Reddit, and I reached out to her. It's pretty good. So I'll be Monica, Dave, and then you can be the scammer. But the scammer starts off by sending a congratulations to the lucky winners. The first 50 people to comment cash will earn a payment of 600 to $3,600 before midnight. Monica recognized immediately this was a scam and decided she was going to play along. And she said, (reading) LOL. OK, cash - what now? 

Dave Bittner: So the scammer replies, (reading) do you have CashApp? 

Joe Carrigan: (Reading) Yep. Are you going to send me 600 to $3,600 without me having to do anything? 

Dave Bittner: (Reading) Send your cash tag with email. How much you need? 

Joe Carrigan: (Reading) Thirty-six hundred dollars would be great, but beggars can't be choosers. 

Dave Bittner: (Reading) Hold on. 

Joe Carrigan: (Reading) OK. 

Dave Bittner: (Reading) Payment sent. 

Joe Carrigan: So Monica sends back two pictures - one that actually came from CashApp and one that came from the scammer, whose address is CashApp1206 - and a bunch other numbers - @gmail.com. And Monica goes, why does the email not come from CashApp's verified source? 

Dave Bittner: You have to pay for the clearance fee before your money is available in your CashApp. 

Joe Carrigan: Huh. It does show pending in my CashApp, though. 

Dave Bittner: Check your email. 

Joe Carrigan: Yeah. CashApp says, with pending payment, it'll show in your app feed for the next steps. Let me see if I can find a step-by-step video to help me. I don't use CashApp a lot. Does this look right? And she sends a video of a CashApp clearance fee. And it says, what is a CashApp clearance fee scam? 

Dave Bittner: You can borrow from someone and pay back when you get your money available in your CashApp. 

Joe Carrigan: OK. Could I borrow it from you? I don't have the money, hence needing it. I could pay you back right away when I get the CashApp. I'll even double it. 

Dave Bittner: It against the rules and regulations. 

Joe Carrigan: How so? It wouldn't be tied to you as the CashApp tag it originated from is Michael something. Or could you take the fee out of the money and just send me 3,600 minus $150? And then she requests $2,500 from him. I just requested $2,500 from him. When it's done, this way, Cash says they won't have a clearance fee. 

Dave Bittner: You have to pay for the clearance fee before your money is available in your CashApp. 

Joe Carrigan: And then she sends him a picture of - (laughter) she Googled CashApp fees. It says CashApp doesn't charge a fee to send a request to receive money. Why? It says it doesn't have fees. There's a fee to use a credit card. CashApp charges 3% of the transaction to send money via a linked credit card. This is a fairly standard fee compared with other money-transfer apps. Venmo, for example, charges 3% to send money with a linked credit card. To avoid this fee altogether, use your linked bank account or funds in your CashApp account to send money. Thirty-six hundred dollars times 3% is $108 anyway if Michael is sending from a credit card. In which case, he'd get charged at that point of sending, not me receiving. And then she shows a picture that says the request would exceed the funding limit that the scammer has. And he says, it doesn't look like he could send it anyway. 

Dave Bittner: It's government's money. 

Joe Carrigan: Which government's? 

Dave Bittner: If you don't believe me, please, leave me alone, OK? 

Joe Carrigan: I just want to make sure this isn't a scam. A hundred and fifty dollars is a lot of money for someone just to send to a stranger. 

Dave Bittner: Same to me. I pay for clearance fee. 

Joe Carrigan: Did you get your money? 

Dave Bittner: I swear to God. It's real and legit. 

Joe Carrigan: OK. Do you have your transaction records with CashApp? 

Dave Bittner: Yes. But I have deleted it. Leave me alone, OK? 

Joe Carrigan: So we're going to go ahead and jump onto Day 3. 

Dave Bittner: All right. So I'm going to pick up here as this scammer who's still trying to make his case to Monica. 

Joe Carrigan: Right. 

Dave Bittner: And he says this, but it's real and legit. 

Joe Carrigan: You keep saying that but offer no legal proof, screenshots of deposit or anyone to talk to. 

Dave Bittner: Should I send you the agent link? 

Joe Carrigan: Sure. 

Dave Bittner: OK. Hold on. Here is the agent link. 

Joe Carrigan: And it's a Facebook page to Agent Willie. So I don't want to alarm you. But I think Agent Willie is a narc. His Facebook profile is just screenshots of official things. But he still has his phone service and time at the top. What kind of crap scammer doesn't know how to crop those out or, better yet, just save the picture and upload it as their own? And the whole - home care, your tag here - doesn't he know he's supposed to actually put something in the tagline area? I mean, I could message him and waste his time like I'm doing to you. But I have a real job to get to. As fun as this is and as entertaining as this conversation is because it's being shared on Reddit, I just don't have the energy to talk to another person with bad grammar. 

Dave Bittner: Oh. That means you don't believe me? 

Joe Carrigan: You are correct. After two whole days, I agree with you. 

Dave Bittner: Bye. Do not text me again, OK? 

Joe Carrigan: OK. Just don't message me tomorrow morning, like the last two, even though you said leave me alone. 

Dave Bittner: Yes. Bye. But if you believe me... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...You can message me. Or you want to pay for the clearance fee, message me, OK? All right. Thanks to Monica for her willingness to share that with us. Thanks to you, Joe, for hunting that one down. That was a lot of fun. 

Joe Carrigan: Yep. 

Dave Bittner: That is our catch of the day. Joe, I recently had the pleasure of speaking with Bruce Esposito. He is from One Identity. And our conversation focused on digital identities and the implications that they could have for privacy. Here's my conversation with Bruce Esposito. 

Bruce Esposito: Digital identity is a way to store basic information about yourself digitally. It can be used by applications, used online and reliably, something that's trustworthy, that's reliable, that we know that the information in there is accurate. 

Dave Bittner: And so where do we stand these days when it comes to digital identity in terms of their availability and how much people are using them? 

Bruce Esposito: We have too many digital identities. And everybody's being forced to use them, right? 

Dave Bittner: (Laughter). 

Bruce Esposito: So everything from, you know, Facebook and social media to your email address, to pretty much every bit of banking now - your online banking. And everything we do as society now involves some level of a digital identity to prove who we are. The problem is, there is no one trustworthy one. We just have lots of them depending on who we're talking to. 

Dave Bittner: Yeah. Yeah. You know, and I remember thinking back years ago, when Facebook was on the rise, and they were one of the early companies to say, hey, let us take care of your online identity, you know, use us to sign into many different things. And at the time, I remember thinking, well, this is great. This would be very convenient, and all this could be managed from one place. But, of course, over time, for me personally, Facebook wasn't a company that I felt like I could trust anymore. 

Bruce Esposito: Well, and then, of course, there's Cambridge Analytica and that whole scandal that came out of all the information they were harvesting from Facebook and then using it in election... 

Dave Bittner: Right. 

Bruce Esposito: I mean, you would be concerned about that. 

Dave Bittner: Right. 

Bruce Esposito: So thank goodness Facebook isn't our centralized digital identity. 

Dave Bittner: Who could step up and provide that? Who would be the best choice for that? Should it be a private company? Is it something the government should provide for us? 

Bruce Esposito: No, it's easier than that - it's you. That's the idea of a self-sovereign identity. That's where we have to get to. We're not there today - but get to the point of, you should be the owner and controller of your own digital identity. 

Dave Bittner: Well, take me through how something like that could work. 

Bruce Esposito: So there's lots of technologies. The - one of the big ones that seems to be that we could use to provide a basis for it is this idea of blockchain - right? - being used in the financial sector. It's a decentralized way to store digital information. There's no one central body that owns that information, right? But yet it's considered reliable. You have your own digital identity in which trustworthy sources can verify different aspects of it. So there may still be a government source that comes in there and verifies that you are Bruce Esposito and here's your birthday or here's your Social Security number, and different reliable sources would verify different pieces of digital information. But you are the one that owned that in your own little digital wallet, and you choose when to share that reliable information with other people, instead of having one source have to maintain all that information. 

Dave Bittner: Let's walk through an example together. I mean, would it be a different situation, for example, if I stopped in to buy a six-pack of beer on the way home versus visiting my doctor, for example? 

Bruce Esposito: Absolutely. That's exactly the idea, right? It depends on the information you want to share. That's the idea that it's contextual, right? You don't give all your information to anybody whenever they ask, right? A health care provider might need to know your sex and weight, but a retailer does not necessarily need to know that. They may want to, but they don't. That's a key example of where you have to be able to control your own identity and when and how that information is used. 

Dave Bittner: And so how do we protect the legitimacy of that information? How do we make sure that I'm not monkeying around with it myself? 

Bruce Esposito: Well, that's where you get in this idea of a blockchain, right? That becomes a way to establish an identity that you own, and then we tie to that identity that you own - that's trustworthy, that's in your little digital wallet - and that you tie bits of information to that that are signed by other sources. So in order to be able to use it, there are several things you need to have. I need to have, one, my own digital identity. I have to have a wallet that's trustworthy. And I have to have information that's signed by other trustworthy sources. And that information, when presented together, allows a third party to say, yeah, I know that's Bruce; the information he's presenting me is accurate because I also trust this other source. And that's all done through the idea of digital certificates and cryptography that we've been using for decades in building that around digital identities. 

Dave Bittner: How do we protect this notion of, you know, the haves and the have-nots? If someone perhaps can't afford to have a mobile device, how would they not be left out of something like this? 

Bruce Esposito: Well, that's a big factor that comes into play. The reality of it is that's a very, very small population, and it's quickly going away. But the point of it is, it has been used - and I'll give you an example to where that was a real problem. In the United States, not so much. But in the United Nations, in the areas that they support, it is a problem. One was recently the United Nations World Food Program that controlled providing support for Syrian refugees. These refugees were coming into refugee camps. They had no identities. They had no digital identities, much less any paper identities. 

Dave Bittner: Right. 

Bruce Esposito: And so they established a system using blockchain technology to assign a digital identity to each person and with their biometrics, like their fingerprint. And so now they could go shop at the camp store and use their fingerprint to prove who they are, and they use blockchain as their wallet that they could assign money on a weekly basis to that person and keep track of every transaction, when they would use money. Nobody could steal it from them. Nobody could claim it was theirs because it was all tied back to a physical biometric and a digital signature that was used in the blockchain. And so that enabled people to utilize this information without necessarily even having a cellphone. 

Dave Bittner: Now, who is on the leading edge of these sorts of things? If somebody wants to dip their toe in this, to start down this path, what options are available? 

Bruce Esposito: Well, I don't think there's any one organization that's really on the leading edge. You have all the major identity providers of this space that are looking at it, but this is a really new kind of technology. So more at this point, it's a lot of strategists and people with different companies talking about it. At One Identity, this is a big part of what we talk about in enabling digital identities for enterprises. But I don't think there is a single leading edge. What's being done is a lot of government agencies are looking at it from different perspectives, a lot of businesses are looking at it from different perspectives. But everybody's trying to figure out, how can we utilize this technology to make it better for our customers, whether they're citizens or actual other companies, to be able to take this technology forward and use it forward? 

Dave Bittner: Are there frameworks that are being proposed? Are there ways to ensure interoperability? 

Bruce Esposito: There are. There are several organizations that are trying to do this. There's this idea of self-sovereign identity that's trying to be kind of formalized of what that means or the idea of contextual integrity of it being formalized. So, again, it's being put out there, but I don't know that there is, per se, a official standard that's being controlled by a standards organization saying, this is the way we're going to do it moving forward. But I think we're moving towards that, that eventually we'll see that start to stand up. This is kind of being done from the approach of solving specific problems. And out of that, I think we're going to take the technology to solve a problem and then begin to develop a standard around that. That's kind of backwards, but that's typically what drives it. For example, trying to use digital identities with contact tracing and the pandemic we face now. 

Dave Bittner: Let's explore that side. I mean, that's certainly - the situation we find ourselves has brought this issue to the fore and brought it to the top of mind for a lot of people. What is your take on that? Where do you suppose we stand with the various attempts at contact tracing that have been implemented? 

Bruce Esposito: As expected, there's two sides to this coin. It has positive implications and negative ones. On the positive side, we see how it's really being used in kind of an anonymous way. For example, the CDC has been using phone location data to get really valuable information. Right? They're able to determine, are there areas that are drawing crowds that may be a threat to health? In fact, there was - once in New York City, they found that there was a large crowd gathering in Brooklyn's Prospect Park. So the authorities took that information. They went out there. They began to post warnings in the area and to monitor it to discourage people from doing that. So that's a positive way. And they could also see when people issue or when governments issue shelter-in-place orders, how effective is it? Are people really staying sheltered in place, or are a lot of people moving around? So they get that kind of information. But that's kind of anonymous. There's nobody being singled out here. 

Bruce Esposito: On the negative side, we've begun to see this idea of contact tracing, these applications that will help us to share information to those who may become infected so they can monitor themselves better or seek help if they need be. There's lots of these contact tracing apps that are being developed. But there's - immediately with them, there becomes privacy concerns. North Dakota's contract tracing app, the Care19, it was recently discovered that they were actually sending location and advertising data to third parties, the same type of data that's often used by Facebook and other organizations to be able to, you know, kind of figure out who you are and to throw those ads in front of you based on things that you look at. They were sending that kind of information off. So now you're like - well, wait a minute. This information that I'm trying to use from a health perspective could be misused in a different way. 

Dave Bittner: And I suppose - I mean, that really speaks to some of the big-picture issues here, which is that when it comes to these things - when it comes to digital identities, you really have to establish trust with the people who are using it. 

Bruce Esposito: And that's the key. I think one of the things that was being done - I know that the U.K. is looking at setting a standard for this to create a contact tracing app. And they found out in their study that they had to get at least 56% of their citizens that would actually download and use a contact tracing app for it to even be effective. And they're setting a goal for 80%, which is huge. But if you break the trust - people aren't going to use that app if you don't trust it. And if not enough people use it, then it really is ineffective. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: It's a good interview, Dave. I enjoyed that one a lot, actually. One of the things that pops out immediately is the beginning of the interview, he says we have too many digital identities. Right? If you think about it, that's right. Every place that you have a username and a password, that's kind of a digital identity. I have over 200 of these in my password manager. It's a lot. 

Dave Bittner: Wow. Yeah. 

Joe Carrigan: The solution he's talking about, I don't think that having the option of doing that is necessarily a bad thing. Yes, I think we need a way of having some kind of provable, demonstrable digital identity. But at the same time, I don't want that to be my only option. Right? I want to be able to go to a website and go, I just want to sign up for an account. Here's a username and password that I'm going to use to access your account. I don't want you to have access to any portion of my official digital identity. One of the last things I want is to be accurately identified across all of my internet activity. I just don't think that's a good idea. 

Joe Carrigan: And you were right about Facebook on that topic. (Laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: I don't trust them to be the custodian of my identity, and nobody should. I don't know what company I would trust with that, which is why I like the idea of being the custodian of my own digital identity. And using blockchain is a great way to do that. I would like to know if there are aspects of this that could change, if there's a way for me to change my digital identity on that blockchain to remove things. One of the drawbacks of blockchain is it tends to be immutable. That's either a drawback or a strength. It can be either depending on what the situation is. But is there a way for me to expire an old identity - an old piece of identity information on that blockchain and then build new identity information onto it? I'd like to know the answer to that. 

Joe Carrigan: Trust is a big deal in these identity management systems. Do we trust the people that are putting these together? Like I said earlier, no, I would never trust Facebook to do this. When you start talking about the contact tracing app in North Dakota that was actually selling data, now, that's a huge breach of trust. We're not supposed to be doing that for these things. Also, there's the huge potential for misuse. 

Joe Carrigan: One of the things he said was they were - the contact tracing app was noticing that there was a large collection of people in a certain place. You know, that's great in time of pandemic. But what about when it's not in time of pandemic? That is not something I want the government to have the ability to do. 

Dave Bittner: Interesting for sure - and I think - the point for me is kind of what you bring out here, which is that there are good and bad sides to all this. 

Joe Carrigan: Oh, yeah. Absolutely. 

Dave Bittner: It has its utility, but there's the downside, too. And there's a real tension between those two things. 

Joe Carrigan: And that's got to be reconciled, probably per individual. I mean, you have to decide what you're willing to do and how you're willing to do it. You know, the example you give of going to pick up a six-pack of beer is a great example. When I walk in - I mean, this doesn't happen to me anymore, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: When I go to pick up a six-pack of beer and the guy goes let me see your ID, I hand him my ID. Right? But he doesn't need all the information on my ID. He doesn't even need my birthdate. The only piece of information he needs is, is Joe legally allowed to buy beer? That's it. And it would be great to have a way where I could demonstrate that without having to provide all the other information. 

Dave Bittner: Right. All right. Well, our thanks to Bruce Esposito for joining us. Really interesting conversation - we appreciate him taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.