Hacking Humans 10.15.20
Ep 120 | 10.15.20

Use a Dance Dance Revolution floor lock for your data center.

Transcript

David Spark: What you should do is use a Dance Dance Revolution floor lock for your data centers.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, we've got a special treat for you. David Spark from the "CISO/Security Vendor Relationship" Series podcast joins us. We're going to play a game called The Best Worst Idea. (Laughter) It's a lot of fun. 

Joe Carrigan: It is. It's a blast. 

Dave Bittner: Stick around for that. 

Dave Bittner: All right, Joe, before we dig into things here, we've got a little bit of follow-up from one of our listeners. 

Joe Carrigan: Yup. 

Joe Carrigan: It says, (reading) hi, team. I was disappointed when you brought up password managers without mentioning a core function that adds further protection. Basically, it checks the URL or app was pre-authorized before filling the username and password field. This means that if you click on the link in an email - don't, but everybody does sometimes - the username and password fields are only filled if you've authorized it. From this, you don't get to the point where the second factor is needed. In fact, since on my phone, where I am most likely to be phished, my device requires a thumbprint, I've essentially got three-factor authentication - password, biometrics and one-time password. By the way, I'm amazed at how many people disappear when you tell them you are a cybersecurity analyst. Oh, well. Back to my world. SYN-ACK (ph) John (ph). 

Joe Carrigan: Thank you, John. This is a feature of password managers I frequently forget to mention. And I think that's because my password manager actually doesn't do this. 

Dave Bittner: (Laughter). 

Joe Carrigan: I use Password Safe, which is free and open-source and not integrated into my browser. But John makes an excellent point. 

Joe Carrigan: If you get one of these password managers, like Dashlane or LastPass or 1Password, that are integrated into your browser, they will protect you. They do provide this layer of protection by not filling out that information when you go to a phishing site because they have the record of what website you're supposed to enter this information. And when that string doesn't match - you know, the domain string doesn't match - that password manager will not enter that information. 

Joe Carrigan: It's actually kind of hard to build a password manager that's automated that won't work this way. So it's an added level of protection. And thank you, John, for sending that in and reminding us of that because that's another great reason to use a password manager. 

Dave Bittner: Yeah, absolutely. 

Dave Bittner: All right, Joe, let's get to our stories. What do you have for us this week? 

Joe Carrigan: What is an angel investor? You know that? It's... 

Dave Bittner: I'm - certainly, I'm familiar with the term, but I don't know the history of it. 

Joe Carrigan: Oh. Well, the term actually comes from Broadway. It was a... 

Dave Bittner: I didn't know that (laughter). 

Joe Carrigan: Yes, it was a rich person who would start funding of plays, right? This is where the great social engineering movie "The Producers" came from. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: If we bilk a bunch of investors out of money and then make a play that actually has no way of being a success, then we'll get to keep the money. But that's not what we're talking about today. 

Joe Carrigan: An angel investor is an investor that provides capital to startups early on in their phase in exchange for some kind of debt or usually ownership in the company. And there's a process for finding these investors, and this is a really simplified overview here. Let's say I have an idea that - and maybe a prototype, and I want to build a company around this idea. Somehow, I drum up some investors and I pitch my idea. The investors then decide if they want to invest. 

Joe Carrigan: And if they do, then comes this phase called the due diligence phase. This is where both sides - both me and the investor - investigate the finances of the other party and decide if we want to go further. This is how we make sure that we're not getting scammed. Sometimes investors will stipulate, however, that the startup cover the cost of the due diligence process because that's not free. 

Dave Bittner: OK. 

Joe Carrigan: And that's where our story comes in. And my story comes from Brian Krebs - Krebs on Security. He has the story and a couple other posts of a phony tech investor who's been bilking people out of these due diligence fees. He goes by the name John Bernard, and he tells people that he's a billionaire who made his money during the dot-com era by selling a company to GeoCities. 

Joe Carrigan: Krebs says that Bernard is actually a guy named John Davies, who has a long criminal record. The money is sent to a due diligence firm. And guess who owns that firm. 

Dave Bittner: (Laughter) Gee, I wonder. 

Joe Carrigan: Yes, it's this Bernard-Davies guy. 

Dave Bittner: OK. 

Joe Carrigan: He actually owns it. He actually is - the domain registration as well. And after he gets the money for the due diligence, the investment never comes, right? Something starts happening. I can't do this because my health, or I'm just losing interest in this investment. This is not going to happen. This is - no, no, we're not going to do this. Something happens. 

Joe Carrigan: In another story, Krebs has interviewed a bunch of people related to this. One of them was an investment banker who had two clients that worked with this investor, this John Bernard or John Davies. And the banker was suspicious, right? In the process, he goes, I can't find anything about this company that he has claimed to have sold. There's nothing that exists. I - don't go ahead. Stop dealing with this guy. 

Joe Carrigan: One of his customers listened to him, but the other one was absolutely gung-ho because this guy said, I'm going to invest $10 million in your startup idea. It's a scam that's based on - not greed, I would say, but more hope, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But kind of greed - right? - 'cause... 

Dave Bittner: Yeah, yeah. I mean, they have a dream they want to pursue, and they need some help getting there. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: And this investment banker said that one of his clients said, this guy's really interested in my idea. When you open a startup, you are really, really in. You're married to this idea. You are committed, right? And that can make you less able to think clearly about things, particularly when other people start telling you, this is a great idea; I want to give you money for it. So it's a risk. 

Joe Carrigan: Krebs has a source that estimates this guy has made off with about $30 million. 

Dave Bittner: Wow. 

Joe Carrigan: Yeah. And... 

Dave Bittner: What does a due diligence round cost (laughter)? 

Joe Carrigan: He got one startup for a million dollars. Normally it's not that high... 

Dave Bittner: Really? 

Joe Carrigan: ...But he did get a million dollars out of one startup. 

Dave Bittner: Wow. 

Joe Carrigan: That's a lot of money. 

Dave Bittner: It's amazing. It is. 

Joe Carrigan: Now, where does that money come from? Now, this guy's an angel investor. Maybe this wasn't the first round of funding for these folks. Maybe they got bilked out of some other previous funding. But if not, that million dollars probably came from one of the people who started the company. 

Dave Bittner: Right, right. 

Joe Carrigan: You know, there are serial entrepreneurs out there who might have a million dollars to invest in this. 

Dave Bittner: Boy, that is fascinating. And I say... 

Joe Carrigan: Yeah. 

Dave Bittner: You know, the years that I've been around, and having been involved - you know, I had my own company for - I don't know - 20 years or so. Every now and then, there are people who would come around, and they want to do business with you. And, you know, and it was, we're all going to get rich, I tell you - rich, rich, rich. 

Joe Carrigan: Right. 

Dave Bittner: And - but, you know, it didn't add up or just something didn't feel right or... 

Joe Carrigan: Right. 

Dave Bittner: Or like this. You go down this path, and at some point, you say, something - this is not right. But it's easy to go down that path because everybody wants to get rich (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: Absolutely. 

Dave Bittner: Boy, this is fascinating. Wow. 

Joe Carrigan: It's a great story. We'll put a link in the show notes. This is the latest story that he had. It came out a couple weeks ago. But there's, like, two other stories he has that were previous to this. It's a lot of reading, but, man, it's fascinating. 

Dave Bittner: Now, is there any attempt to bring this guy to justice? I mean, is what he's doing actually illegal? 

Joe Carrigan: Yes, what he's doing is illegal. 

Dave Bittner: OK. 

Joe Carrigan: And right now, they're working on extraditing him from the Ukraine. 

Dave Bittner: Yeah, he's an international criminal mastermind... 

Joe Carrigan: Right, exactly. 

Dave Bittner: ...On the run, staying one step ahead of the law. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) All right, well, that is an interesting one. And like you say, we'll have a link in the show notes. How long until that one gets turned into a movie? 

Joe Carrigan: I don't know. It's - you know, it's like "Catch Me If You Can." It's... 

Dave Bittner: Right. Exactly, exactly. 

Joe Carrigan: It's pretty good. It's a pretty good story. 

Dave Bittner: All right, well, my story this week - this comes from our buddy Graham Cluley. He was writing over on the Tripwire website. And it's titled "Hackers Disguise Malware Attack as New Details on Donald Trump's COVID-19 Illness." 

Dave Bittner: So, of course, we all know recently, the president of the United States was diagnosed with having COVID. And that is very interesting. And there was all kinds of information coming out about it and all kinds of information that wasn't coming out about it, right? The White House was being a little tight with the information they would or would not give out. And this article by Graham Cluley outlines how all the bad guys took advantage of that. 

Dave Bittner: There was a phishing campaign that's been making the rounds. This is via some security researchers over at Proofpoint, which is a security company. This malware campaign claims to come from the Democratic National Committee, but, of course, it does not. 

Joe Carrigan: Right. 

Dave Bittner: These are just the bad guys. But you'll get an email, and it'll be titled something like, Recent Info Pertaining to the President's Situation. 

Joe Carrigan: Right. 

Dave Bittner: And then within the email itself - they have a sample of one here. It says, (reading) everything we know and what we don't about president's COVID condition. Top-secret information on hia problem - I suppose it's supposed to say his problem, but you know how bad guys just can't seem to spell anything. 

Joe Carrigan: Yes. And one thing the Democratic Party is known for is typos, right? 

Dave Bittner: (Laughter) Right. 

Dave Bittner: (Reading) Top-secret information on hia problem. Please use the password because the data is coded. 

Dave Bittner: Joe, you know what the password is? 

Joe Carrigan: I see the password, Dave - very secure password. 

Dave Bittner: Yeah, 123. 

Joe Carrigan: Yup. 

Dave Bittner: Yeah. 

Joe Carrigan: Nobody's going to break that. 

Dave Bittner: No, no, no, no. It is - it's locked up tight. 

Dave Bittner: So they have a link to a Word document. Now, this is another part that's kind of interesting about this. That link goes to a Google Doc, which is interesting in that that in itself is not going to raise any red flags in a lot of people's email systems. 

Joe Carrigan: Right. 

Dave Bittner: Sending you a link going to a Google Doc - Google's a legitimate website, nothing bad about that. But when you go to the Google Doc, that has a link to a malicious webpage where you would download the malware. Interesting when you go to the Google Doc, it pops up a message that says that the file has been scanned and deemed safe (laughter). 

Joe Carrigan: This is the Google Doc. It has a big Google logo - the G with all the colors on it. 

Dave Bittner: Yeah. 

Joe Carrigan: It says, (reading) click here to download the document. The file has been scanned and deemed safe. 

Joe Carrigan: This is a very good trick because all this is is a Google Doc that says, everything's OK, and here's your malicious link, sir or ma'am. 

Dave Bittner: Right. Multiple layers here, right? 

Joe Carrigan: Right. 

Dave Bittner: 'Cause we're playing off of - I think no matter what side of the aisle you come down on, you're probably interested in the intrigue about what's going on with the president, whether you love him or you hate him and you wish him well or you wish him ill, right? 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) You want the inside scoop. And so you think, ooh, this got accidentally emailed to me. I'll just click through and see what the real deal is - you know, the... 

Joe Carrigan: Right, yup. 

Dave Bittner: ...The top-secret information. 

Joe Carrigan: (Laughter). 

Dave Bittner: So they've set the hook with that. They've got you because you want to know something that not everyone else knows. And then you click through, and you see that this thing has been scanned by Google, and it's safe. And so off you go to where the bad guys have their malware. 

Dave Bittner: And it will load a version of malware that's called Bazar loader, which is a Trojan horse. This is from the folks who also made the TrickBot malware. And when this - it's a standard, you know, Trojan. Goes in your system. They can steal information. It can spread across your organization, probably pull data off. They could install ransomware. Basically, once they're in, the options for them are broad. 

Joe Carrigan: Yeah, it's a kit, right? It's a... 

Dave Bittner: Yep. 

Joe Carrigan: ...Dropper that... 

Dave Bittner: Yeah, exactly. 

Joe Carrigan: ...Can do whatever it wants. 

Dave Bittner: Yeah. A clever scam here from a number of different points of view. I mean, you've got the social engineering part, where they're attracting everyone with hot news. That is hard to imagine hotter news than the, you know, leader of the free world coming down with a potentially deadly disease, right? 

Joe Carrigan: Yep. And we talk about this frequently. And I've even said this recently, that here comes the election season. Get ready for the election phishing. And then after that, it's the holiday phishing. And then after that, it's the tax phishing. 

Dave Bittner: Right, right (laughter). 

Joe Carrigan: This is a news event that has happened. Look out for phishing around big news events. It's going to happen. 

Dave Bittner: Yeah. 

Joe Carrigan: These people know that you're interested in these things. And when something big like this happens, it's going to be used as phishing lures. 

Dave Bittner: Well, and Graham Cluley ends his article here with - mirroring advice that I know is near and dear to your heart, Joe. He says, so maybe you're wiser not to get your news tips from unsolicited emails. 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: And instead, seek out election-related news on the websites and TV stations of legitimate news outlets instead (laughter). 

Joe Carrigan: Graham, that is sage advice. Thank you for saying that. 

Dave Bittner: That's right. That's right. By the way, if you're not familiar with Graham Cluley, he's got his own website. It's grahamcluley.com. But also, he's the host of the "Smashing Security" podcast, which is a fun security podcast. If you have a listen, you may even recognize some of the guests that he's had on that show (laughter)... 

Joe Carrigan: Yes. 

Dave Bittner: ...Along with his co-host, Carole Theriault, who is a regular on our show. So it's a small, little cybersecurity world here. We all help each other out, right? 

Joe Carrigan: Right, yup. 

Dave Bittner: All right, Joe, well, those are our stories. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Rohit Srivastwa. He is on Twitter - @rohit11. And we've had a story on from Rohit before. He received an interesting email. And because you are so good at these emails, Dave, I'm just going to go ahead and insist that you read this. 

Dave Bittner: (Laughter) All right. 

Dave Bittner: (Reading) Dear sir, it's really nice meeting you, sir. It is my greatest pleasure to introduce you to this business opportunity of supplying your company animal vaccine from India with a huge profit net which will be shared equally among us. 

Dave Bittner: I am an employee of Animal Home Zoological Ghana Ltd. There is an animal drug which our company ran out of stock which is used in production of general drugs and injection for the animals and is only found in India. Since we started making use of the medicinal supplement, I only have the contact address of the local dealer in India because I worked with the former director of our company before this present one came into existence. 

Dave Bittner: The business deal is that recently I found out that this same vaccine is sold by the Indian manufacturer at the rate of $35,000 per liter to my former boss, while in my file is recorded for $65,000 per liter. That is when I discovered the business game our former director is playing at the expense of our company. 

Dave Bittner: Then I also decided to take advantage of it since I am the only person with the contact information of this same local manufacturer in India. Therefore, be rest assured our new company chairman will be willing to buy it for $65,000 per liter, as the need for the usage is rising on a daily basis, and he still could not find the manufacturer. 

Dave Bittner: I intend to present you as a supplier who would be a middleman between our company and the local vendor in India so that my company will not know the main source of the material, meaning you will contact our company with the interest to supply this animal vaccine from India, who came across a publication in Ghana Chambers (ph) of Commerce on the urgent need for said animal vaccine. 

Dave Bittner: Your role must be played perfectly, and least I expect from you is betrayal. I don't want my organization to know the contact address of this local dealer in India, as well as the real cost of the product because of these personal interests. 

Dave Bittner: Do revert back with your interest if you can play the role, and I will forward the whole detail to you immediately. But if you're not interested, kindly indicate so that I will sort for someone else. But in case there are things you do not understand, as per my mail (ph) explanation, kindly call me so that we can express more. Yours faithfully, Dr. Isidore Yau Jr. (ph). 

Joe Carrigan: This is fantastic. I love this. 

Dave Bittner: (Laughter). 

Joe Carrigan: Rohit has some of the greatest stuff on - he's on Twitter - @rohit11. This is obviously just somebody trying to appeal to someone else's greed with a fake opportunity to make $30,000. But what's going to happen is you're going to get scammed out of whatever money you pay. 

Dave Bittner: Right (laughter). 

Joe Carrigan: Because this guy is the guy selling you the liter of medicine as well. He's not the guy buying it. He's the guy collecting the money from it. 

Dave Bittner: Right, yeah. And you're probably going to get a liter of, you know, saline or something (laughter). 

Joe Carrigan: If you get anything at all. 

Dave Bittner: If you get anything at all - yeah, right, right (laughter). 

Joe Carrigan: They may not even go through that expense. 

Dave Bittner: Yeah. 

Joe Carrigan: Look; we've got his $35,000. Should we at least send him a liter of saline? No, that'll cost 10 bucks. 

Dave Bittner: (Laughter) Exactly, yeah. No, that is a good one. That's fun. And that was fun to read. 

Joe Carrigan: It was. It was great. 

Dave Bittner: All right. 

Joe Carrigan: I hope everybody reads their phishing emails in that voice. 

(LAUGHTER) 

Joe Carrigan: 'Cause that makes it - you should read every email like this - every email in that voice so in your head, you're going, oh, this is a scam. 

Dave Bittner: Yeah. You know, it's funny. Every now and then, I'll see a tweet or something that something comes by, and people do say that when they read certain things online, they hear it in my voice, which is funny. 

(LAUGHTER) 

Dave Bittner: And my response is always, how do you think I feel? 

(LAUGHTER) 

Joe Carrigan: Because I always hear it in my voice, too. 

Dave Bittner: Exactly - same, same, same (laughter). All right, well, thanks to Rohit for sending that in. That is a good one. That is our Catch of the Day. 

Dave Bittner: All right, Joe, I have got a treat for us and for our audience. So joining us this week is David Spark. Security podcast listeners are probably familiar with him. He is the host of the "Defense in Depth" podcast, also the "CISO/Security Vendor Relationship" podcast. And he's the producer of the "Cyber Security Headlines" podcast. 

Dave Bittner: David, great to have you with us. 

David Spark: It is awesome to be back again. 

Dave Bittner: You are going to play a game with us this week. And this is going to be great fun. So I'm just going to hand it over to you and let you describe what's going to be going on here, and we will kick it off. So, David, the floor is yours. 

David Spark: Excellent. Once a week, we also do something on Fridays at 10 a.m. Pacific. It's our open video chat. And it's an open discussion that we have with the community, and it's a chance to have, you know, one-on-one live communication with the community. 

David Spark: And one of the games that we play is something called Best Bad Idea, where whatever the topic may be on that week - and we always have, you know, a topic per week - people send in their worst ideas given that topic. 

David Spark: And then what I do is I force the guests to play a game called the Department of Yes. And we all know in security, they are notoriously known as the Department of No - that whatever request comes in, people just say no. So I kind of completely flipped the tables here and purposely made sure that the ideas were as bad as possible and am forcing them to agree to whatever horrible idea it is. 

David Spark: So what I'm going to do with you is I'm going to actually give you some of our winners. I do pick a winner every week. And by the way, we get tons of submissions - I mean, between, like, 30 to 60 submissions on each episode. So these are grand prizewinner bad ideas. And you two will be playing the Department of Yes. 

David Spark: And the thing is, the way it works is you have to come up with a reason why you want to implement this horrible idea. And don't be facetious about it. Are you guys ready to play? 

Dave Bittner: I'm ready. 

Joe Carrigan: I'm ready, but I'm going to have a hard time not being facetious. 

Dave Bittner: (Laughter). 

David Spark: Oh, no, no. You can't. You've got to not - you've got to be all on board on these ideas. All right. 

Joe Carrigan: I'm in. I love the concept. 

David Spark: All right. Here, we got a call that just came in. 

(SOUNDBITE OF PHONE RINGING) 

Prerecorded Voice: Hello. Welcome to the Department of Yes, where no request is ever rejected. 

David Spark: All right, here is your first bad idea, and it comes from an episode on hacking biometrics. And Will Talaba (ph) of Cognex Corporation said, what you should do is use a Dance Dance Revolution floor lock for your data centers. Dave Bittner, why is that a great idea? 

Dave Bittner: Oh, this is an excellent idea. First of all, you can tie it into HR's fitness program. So perhaps you could get a lower insurance rate for your company because you're integrating exercise. Everybody has to exercise in order to get in. And also, I can't think of anything more individual than the way that someone dances. I love this idea. 

David Spark: All right, good answer, David (ph). Joe, do you have a better answer? 

Joe Carrigan: I was going to go with the nature of the timing - that you could probably accurately authenticate somebody based on the timing with which they hit the buttons. So this may actually be a valid biometric method for authenticating people getting into the data center. 

Unidentified People: Hooray. 

David Spark: Excellent, both. Now, I'm warning you. That was - I started you off with a softball. They get harder. 

Dave Bittner: OK. 

(LAUGHTER) 

Dave Bittner: OK. 

David Spark: All right, here we go. Here's another bad idea for both of you gentlemen. This comes from Carlota Sage of Sage Knowledge Works (ph). And she said, humanize your MFA, your multifactor authentication, by requiring people to call in to the help desk just to confirm they're, indeed, logging in. So every login requires a manual process. It's kind of like in the old days when the telephone operators would patch in your phone call. 

David Spark: I'll start with you, Joe. Why is this a great idea? 

Joe Carrigan: Well, I'll tell you this would absolutely eliminate the need - or the possibility of people logging in without authorization. The fact that the process is that I have to call in to the help desk and say, I'm going to log in now, if the help desk sees me trying to log in or somebody sees me trying to log in without that call to the help desk, then they know that that login attempt is inauthentic, and they could deny it. 

David Spark: Yeah, but hold on. We have a whole world of social engineering where people are spoofed. I mean, this is your entire show. Couldn't that be spoofed right there, Joe? It seems a pretty obvious spoof. 

Joe Carrigan: Yeah, but it's the timing. Well, OK, wait a minute. No, no, wait. You're right. 

(SOUNDBITE OF LOSING SOUND EFFECT) 

David Spark: Oh, Joe, you failed. David (ph), you go. 

Joe Carrigan: First loser on the show. 

(LAUGHTER) 

Dave Bittner: I love this idea. First of all, it's better for the communications of your company. By having people actually speak to each other rather than being faceless people throughout the company, you'll build the trust, the companionship throughout the organization. So I think you can't underestimate the value of that. 

Dave Bittner: The other thing I would say is that it's good for everybody to slow down. In these modern times when everyone's moving so quickly, to slow things down, let people stop and smell the roses is probably good for everyone's mental health in these challenging times. 

(SOUNDBITE OF VICTORY TUNE) 

David Spark: A much better answer. Joe, pay attention to your partner here. 

Dave Bittner: (Laughter). 

Joe Carrigan: OK. All right. Sorry, everybody. Sorry. 

David Spark: Don't apologize. Just come back on the next round, all right? 

Dave Bittner: (Laughter). 

Joe Carrigan: All right. 

David Spark: All right, this one was on an episode on hacking third-party vendors. And when we say hacking, we don't mean we're actually hacking. We use hacking in the term of, we're going to spend an hour critically thinking about, how do we deal with third-party vendors? 

David Spark: So this was the bad idea on this one. I'll throw it to you first, David (ph). This comes from Shawn Bowen, who's actually a CISO over at Restaurant Brands International. And he said, select the vendor that has been breached the most. They clearly have the most lessons learned. Why is that a good idea to select that specific vendor? 

Dave Bittner: This is an excellent idea. In fact, it reminds me of a friend of mine who liked to imbibe a drink or two. And when confronted by his colleagues as to, you know, if he could drive home safely, he would say, well, who are you going to trust, someone - he said, someone who has a lot of experience driving drunk or someone who has no experience driving drunk? 

(LAUGHTER) 

Joe Carrigan: That sounds like sage advice. 

(LAUGHTER) 

Joe Carrigan: There's that facetiousness coming through. 

Dave Bittner: Yeah. Well, he's made it this far. And obviously, yeah, bad advice. Don't drive drunk. 

David Spark: But in this case... 

Dave Bittner: But I think there's something to this. I think there's something to this because that vendor is going to be on the lookout for every possible thing. They're going to have a high level of paranoia. They're going to be stopping and looking at everything coming their way because of the trauma that they have experienced from being breached so many times. 

Unidentified People: Oh, yeah. 

Dave Bittner: (Laughter). 

David Spark: High level of paranoia - I like that answer. That's what put you over the top there, David (ph). Joe, your turn. Select the vendor that has been breached the most. They clearly have the most lessons learned. Why is this the vendor you're going to choose? 

Joe Carrigan: That's right. This is a lot like getting on the plane of the airline that just had the latest air accident. It's kind of what Dave is saying - that you get on that plane because they're the ones paying attention to what's going on. They do have the most lessons learned. But additionally, in addition to that, their reputation may have been damaged, and they may actually be the lowest-priced vendor available. 

Unidentified People: Oh. 

David Spark: I did not even consider that one. Excellent. You literally just tipped yourself over. So actually, because of that, I'm going to actually give the win to Joe over Dave on that. 

Dave Bittner: Yeah, I like it. They're hungry for your business. That's right, Joe. That's good. 

David Spark: All right, here we go. 

Joe Carrigan: They need to redeem themselves. 

David Spark: This one - I'm going to be impressed if you guys can handle this one. And I want you to know that this one comes from pretty much our all-time winner. This guy has won about seven times the Best Bad Idea award. So he always - and he, I think, really hit it out of the park with this one. 

David Spark: This was on - hacking health care was the episode. It comes from Dutch Schwartz with Amazon Web Services. And he said, quote, "parents listed on patient records are randomized. You are randomly assigned kids and must raise them for the next 30 days." 

David Spark: Joe, why is this the idea you want to implement? 

Joe Carrigan: Can I have a second to think about this? 

(LAUGHTER) 

Joe Carrigan: All right, here's why you want to implement the randomization of the children that you have to care for. This will actually make society better off overall. It's a societal goal. If everybody is involved randomly in the raising of other people's children, then the benefit that those children receive by being exposed to different parenting techniques and different health care decisions being made, then the diversity of thought and care and process will positively impact society down the road. 

Unidentified People: Yes. 

David Spark: Yeah, that is an excellent answer, Joe. I'm quite impressed with that. Really good job. All right, Dave, you're going to have to be able to beat him on that one. That's a good answer. 

Dave Bittner: Well, all right, I agree. But I'm going to say that - I'm going to go with that which does not kill me makes me stronger. And... 

(LAUGHTER) 

Dave Bittner: And I'm going to go down the path... 

David Spark: Hold on. That could be the answer - wouldn't you say that could be the answer for all these bad ideas? 

(LAUGHTER) 

Dave Bittner: It's true, but I'm going to go with increasing the - if just from the health care point of view, of increasing the variety of germs in your household, and because if you're dealing with somebody else's... 

David Spark: Somebody else's kid is riddled with germs? 

Dave Bittner: Of course, all different germs - different germs. Everybody - first of all, David, everyone's kid is riddled with germs. 

Joe Carrigan: Absolutely. 

Dave Bittner: Anyone who's had a child in day care, which we refer to as the petri dish, comes home covered in spit and snot. 

Joe Carrigan: (Laughter). 

Dave Bittner: So there's that. So I think by broadening the spectrum of pathogens that you bring into your house, you will increase the capability of your own immune system to battle those things, thereby making everyone more healthy. 

David Spark: All right. Well, I'll give you... 

Joe Carrigan: Killing off the weak, too - don't forget that. 

Dave Bittner: (Laughter) Killing off the weak - right. 

(LAUGHTER) 

David Spark: All right, well, I will give you that. 

Unidentified People: Sir, yes, sir. 

David Spark: I'll give it to you. All right, let me give you your very last one. 

Dave Bittner: All right. 

David Spark: Are you guys ready for this? 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. 

David Spark: This was - I'm going to go so far as to say I think this might have been an audience favorite - an all-time audience favorite 'cause this one was pretty impressive. And this one was on hacking passwords. And while we got a lot of people saying, you know, change everyone's password to the same password, this one I thought was the most creative, and it comes from Philip Beyer (ph) of Global Payments. 

David Spark: And he said, your password can only be the name of your dog. If your password is compromised, you have to change the name of your dog. David (ph), why is this a great idea? 

Dave Bittner: Oh, boy. If your password is compromised, you have to change the name - do I get to change my password, too, or just the name of the dog? 

David Spark: Well, right. So both have to be changed because... 

Dave Bittner: I say... 

David Spark: ...Everyone names - gives their password as their pet's name, and... 

Dave Bittner: I see. 

David Spark: ...Inevitably, it's going to be compromised. So both have to be changed. 

Dave Bittner: Right, right. OK. Well, it's good to keep your pets on their toes. You don't want your dog... 

David Spark: (Laughter). 

Dave Bittner: You don't want your dog to get lazy. So you want to keep them sharp, especially as they get older. I have a dog. It's - he's an older dog, and so he's kind of set in his ways. You can't - you know, they say you can't teach an old dog new tricks. This could counter that. By changing the dog's name, the dog would have to realize that to get the things that the dog wanted, that dog would have to recognize the new name, thereby increasing the dog's engagement and happiness in your family. 

Dave Bittner: That's what I'm going with. 

(SOUNDBITE OF BEEP) 

David Spark: All right, I'm just giving you a soft win on that. 

(LAUGHTER) 

David Spark: All right, Joe, why do you think it's a great idea? 

Joe Carrigan: OK, I am also a dog owner, but we - when we name our dogs, we pick something clever - right? - something very funny, we think. Like my current dog - she is a young dog. She's a little over a year old, but her name is Josie. And the reason we named her Josie is because we have, also, three cats, so it's Josie and the Pussycats, right? 

David Spark: Oh, God. 

Joe Carrigan: My pet - that's a bad joke, right? I love it, though. But wouldn't it be better if when the joke got old, I could also change the dog's name? So maybe I pick a new name for my dog that's every bit as clever, but I don't have to stick with the same name, Josie, for Josie and the Pussycats for the next 16 to 20 years, however long my dog's going to live. 

Unidentified People: Oh, no. 

David Spark: I'm sorry, Joe. I... 

Joe Carrigan: That's not a good one? 

David Spark: No, David (ph) barely squeaked out a win on this one. 

(LAUGHTER) 

Dave Bittner: Yeah. 

David Spark: All right, guys, that - thank you, by the way, for playing along. By the way, if the audience ever wants to play, they can participate in our weekly video chats that happen every Friday. 

Dave Bittner: Yes, how can they do that? 

David Spark: Every Friday at 10 a.m. Pacific, they happen - pretty much all Fridays. Like, I think the next one we won't have it will be the one after Thanksgiving. But after that, they're every Friday. And you can just go to cisoseries.com. There's a button right at the top that says, register for video chats, and that's how you can participate. 

David Spark: And I do actually give an Amazon gift card out to the winner - again, clearly my judgment of who I think is the Best Bad Idea. And, also, I create, like, a little graphic for them that lets them know that they won the Best Bad Idea as well... 

Dave Bittner: All right. 

David Spark: ...With their actual bad idea. 

Dave Bittner: Well, great fun. David Spark, thank you so much for joining us. 

Joe Carrigan: Thank you, David. 

Dave Bittner: Yeah, do check it out. We appreciate it. 

Dave Bittner: All right, everyone. Well, that is our show. Of course, we want to thank all of you for listening. And we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.