Hacking Humans 2.11.21
Ep 134 | 2.11.21

In the disinformation and misinformation crosshairs.
Tim Harford: Get into the habit of not just clicking retweet, not just sharing - get into the habit of kind of slowing down and calming down.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hello, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault returns with a discussion on disinformation with author Tim Harford. 

Dave Bittner: All right, Joe. Let's dive right into some stories here. 

Joe Carrigan: All right. 

Dave Bittner: And, you know, we're in this place now where the COVID-19 vaccines are being rolled out. 

Joe Carrigan: Yes. 

Dave Bittner: I have not been vaccinated yet. Have you? 

Joe Carrigan: No, not yet. 

Dave Bittner: (Laughter) You know, Joe... 

Joe Carrigan: I would love to be vaccinated right now. 

Dave Bittner: Some of our loved ones have been vaccinated. My father's been vaccinated. 

Joe Carrigan: Both my parents got vaccinated yesterday. 

Dave Bittner: My in-laws have been vaccinated. So it's sort of working its way down from the more elderly people. I think there's a lot of frustration that it's not happening more quickly. But there is hope. You know, I think it's a good thing that this is underway and so something that people can be happy about. But, of course, there is a certain amount of anxiety that comes with all of this that we've been experiencing for the past year, and that is - when will I be able to get vaccinated? Because like you said, if I could, I'd put this recording of the show on pause, and I'd go get vaccinated right now if possible (laughter). 

Joe Carrigan: Exactly. Dave, I am very eager to get vaccinated. I want vaccination right now. And I am waiting for an email that tells me it's time for me to go get vaccinated. 

Dave Bittner: Right. Not surprisingly, there are a lot of folks who are taking advantage of that anxiety. I have a report here from the folks at Area 1 Security. They did a write-up on a bunch of different phishing campaigns that they've been tracking that are all related to the vaccine and the availability of the vaccine. I'll just point out a couple of them here. 

Dave Bittner: One of them - you get an email, says that it's coming from Pfizer, who's one of the manufacturers of the vaccine. It has the CDC logo on it. 

Joe Carrigan: Yes. 

Dave Bittner: Centers for Disease Control. You open it up, and there's an image - has, as I said, the CDC logo, the Pfizer logo. Looks very official. It's decent graphic design. It says, you've received a secure message. Well, there you go. You've convinced me. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) There's a... 

Joe Carrigan: It's a cure. That's good to know. 

Dave Bittner: There's a checkmark on it, which, again, you know, another thing - it says, signature for vaccine 2690. Authorize Pfizer vaccine distribution use for your reference. Complete the form to ensure vaccine count for your area. So there's a button there for you to press. And if you press that button, it takes you to another website, which - wait for it - asks you for a whole bunch of personal information (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Right, right. There's another one here also claiming to come from the Centers for Disease Control and Prevention. Interestingly, these folks didn't take as much care with theirs. They're trying to do a vassine (ph) count. 

Joe Carrigan: (Laughter). 

Dave Bittner: V-A-S-S-I-N-E count. So I don't know - perhaps... 

Joe Carrigan: That's fack-inating (ph). 

Dave Bittner: Right (laughter). Right. These people have no intelli-gance (ph). 

Joe Carrigan: Right (laughter). 

Dave Bittner: And so - I don't know - it's probably an autotranslate problem. But there's a bunch of these, and they're making the rounds. I think it's worth reminding people that - to spread the word about this, that if you're getting emails about - because, like, here's the thing. My mother, who has not yet been vaccinated... 

Joe Carrigan: Right. 

Dave Bittner: ...She signed up to be notified via email... 

Joe Carrigan: Yep. 

Dave Bittner: ...To when she can try to get an appointment to be vaccinated. She and my father are waiting for an email that says... 

Joe Carrigan: Yep, exactly. 

Dave Bittner: So they are primed to be susceptible to this. 

Joe Carrigan: And when you go to the website to sign up for your vaccine, they're going to ask you for a bunch of personally identifiable information, right? 

Dave Bittner: Right. 

Joe Carrigan: It seems only natural you have to make an appointment for a vaccine. You're expecting that workflow. So if you go into a phishing landing page and it just asks you for more information than you need, like your Social Security number, birth date, driver - in fact, birth date might even be on the actual legitimate pages for registering because right now they're breaking it down by age, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Anybody over the age of 65 can get one. Well, in order to know if you're over the age of 65, I might need to know your birthday. 

Dave Bittner: Right. 

Joe Carrigan: Actually, what I need to know is the year in which you were born and just say, OK, anybody 64 and up can get it. That's fine with me. I don't care if some 64-year-olds sneak into this process. 

Dave Bittner: (Laughter). 

Joe Carrigan: They're going to put your birthday on there. So that's not an unexpected piece of information to ask for. They might also ask for, in - on the phishing landing pages, you can see them asking for Social Security number, driver's license number, all kinds of information. But that would not seem out of the ordinary for a government service to ask for that information. 

Dave Bittner: No, no. And they point out that when these phishing emails are sent out, a lot of times they're spoofing who it's coming from. So it actually looks like it's coming from Pfizer or the CDC... 

Joe Carrigan: Right. 

Dave Bittner: ...Which makes it even harder to track down. I mean, I guess you have to be careful, obviously, where these things take you to when they land, the website that this takes you to. But this is a tough one because people are - they're expecting this. They're excited to get this. This is good news... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? - when you can go register to be vaccinated. So this is a hard one to fight against, I think. You just have to be vigilant and just try to be extra careful. 

Joe Carrigan: Well, we've been warning about this on this show for a number of months. I think you and I were talking back in December... 

Dave Bittner: Yeah. 

Joe Carrigan: ...About how this is coming. When the vaccines - because once the vaccines were approved, you and I said, this is what's going to happen. 

Dave Bittner: Yeah. 

Joe Carrigan: This is, like, one of my favorite things about working in this field is you can look like Nostradamus by predicting things that are going to happen... 

Dave Bittner: Right. 

Joe Carrigan: ...Because it's really, really easy to do that, right? 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: If you just think of something bad that's going to happen, then you just say, that's going to happen, and when it happens, you go, see, I was right. 

Dave Bittner: Yeah, it's like being a weatherman. There's really - there's not a whole lot of pressure, really (laughter). 

Joe Carrigan: Right, exactly. 

Dave Bittner: All right. Well, that is my story. We'll have a link to this research from the folks at Area 1 Security. I think this is worth spreading around because the screen captures here of these emails - I mean, that might be a good thing to share with your friends and family so that if one of these pops up, folks will know this is what one of these scams looks like. So it's - you can do it that way. 

Joe Carrigan: It is very convincing. 

Dave Bittner: Yep, absolutely. All right, that's my story this week. What do you have for us, Joe? 

Joe Carrigan: Dave, this week, my story comes from Kevin Townsend over at Security Week. And he has an article titled "The Deep Analysis of More Than 60,000 Breach Reports Over Three Years." And they did this with a company called HackNotice, which is a startup that started back in 2018 in Texas, and they are a threat intelligence and security awareness company. 

Dave Bittner: OK. 

Joe Carrigan: One of the key takeaways from this story is that according to HackNotice, data breaches that they track have gone up by more than 50% year over year since 2018. Thanks to the wonders of compound interest, if you will... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...They have more than doubled. They've gone from 29,000 data breaches in 2018 to 67,000 data breaches in 2020. 

Dave Bittner: Wow. 

Joe Carrigan: That's more than double within two years. One of the things I wanted to focus on in this discussion is some of the comments from people on why these data breaches have increased so much. And the HackNotice CEO, Steve Thomas, says companies concentrate defense in the wrong areas. And here's a great quote from him. "Hackers are winning the cyberwar largely because they don't target the infrastructure, but they target the people. Phishing, credential stuffing, account takeover of personal accounts to get into business accounts - all the major attack vectors rely on the fact that the average employees are not as informed as to how exposed they are, and they value security much less than the security team does." 

Joe Carrigan: This is pointing to what we've been talking about also. Again, we've been saying this kind of thing for years. I love actually having these stories that kind of - where people agree with what we say, that the average person doesn't take security as seriously as people on a security team, and they just don't believe that they have anything of value, when, in fact, they do. They are valuable for so many reasons, personal and professional. 

Dave Bittner: Right, right. It's a good point that, you know, in the same way that everyone in a company has a responsibility for making sure that the doors are locked up at night before you go home or... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, that the inventory is secure - you know, you're not leaving doors open or vehicles unlocked or anything like - that basic physical security that we all agree to as part of a team with a company, that applies to online security as well. You need to have that vigilance. You need to be part of the security team. Everybody does. 

Joe Carrigan: Everybody does. That's exactly right. Josh Angell, who's an application security consultant at nVisium, says human error still accounts for the vast majority of breaches, making tools and secure coding practices obsolete if the people who maintain these networks and systems and have access to the company emails and sensitive client data are not compliant with industry best practices. So in other words, it doesn't matter how many tools you have - if you have one guy who gives away the access, it's done, right? The access is given away. 

Dave Bittner: If the security guard lets everybody into the vault (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...That's it. Game over, right? (Laughter). 

Joe Carrigan: Right. But like you said, we're all security guards, right? 

Dave Bittner: Right, right, right. 

Joe Carrigan: So that's a lot of people that can let people into the vault. Brandon Hoffman, who's CISO at Netenrich, says several factors play into the increase in breaches. Some of this is indeed related to ingenuity of the adversary, but much of it seems to be related to the deviation from foundational security. Security tooling has advanced significantly, yet the focus of security as a discipline seems to be more on the use of advanced tooling. The challenge this creates is time and resources. So basically, what he's saying is that we spend a lot of time focusing on these tools. 

Dave Bittner: Well, everybody wants to have the latest, greatest, shiniest object tools, right? 

Joe Carrigan: There's one more great quote from this article (laughter) that says, defenders are perhaps spending too much time and effort on shiny new toys rather than getting the basics of security right. We have the technology. The technology is actually pretty good right now. I mean, yeah, there's vulnerabilities in software, but really, I have to agree with a lot of the people in this article, including Steve Thomas, the CEO from HackNotice. 

Joe Carrigan: The basics of security are the most important thing in the world. Teaching people that security is their responsibility in a corporation and telling people that when you're at home, you have a lot of responsibility for your own security - that's important. People have to get that. And for some reason, we've been struggling with this. That's why we have this podcast. That's why we do this every week, is to try to get this message out, try to make people understand - you are susceptible to these kind of attacks. 

Dave Bittner: Yeah. No, everybody has to play their part, for sure. 

Joe Carrigan: Absolutely. 

Dave Bittner: All right. Well, we will have a link to that in the show notes, as always. Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Our Catch of the Day comes from a listener named John (ph). And John writes, My wife was on Facebook the other day and saw this in one of the groups she's in. Once she translated it, I knew that I had to send it to see if you'd enjoy it as much as we did. It's in badly broken Lithuanian, which she has helpfully translated as precisely as possible. Enjoy. 

Joe Carrigan: So, Dave, this message was originally written in some unknown language, right? Then autotranslated into Lithuanian and then translated to English by John's wife, whom I assume is fluent in both English and Lithuanian. So I think you're going to enjoy reading this one, Dave. 

Dave Bittner: All right. I will do my best. 

Joe Carrigan: OK. 

Dave Bittner: Hello. Very sad. If you are polite, I want to donate 105,000 euros. My name is Mrs. Anna Susana. I grew up in Lithuania and now live in France. I agree that in my brain there's a deadly reputation illness which the doctor has just informed me on and that my days are numbered with my declining daily health. I cannot live in this country much longer. I am sick with this illness for more than six years. In a car accident, I lost my mother and husband. And I haven't had kids in my life. I want to donate 105,000 euro to anyone that needs it. So that this amount is used properly, as a gift, I'm looking for a sincere, good heart. So if anyone is interested in my donatable 105,000, now my death can count my days, when this disease is not here, for which there is no cure. If you need my donations, please contact me via email. Thank you. And may God bless you. 

Joe Carrigan: That's amazing. 

Joe Carrigan: I love this. 

Dave Bittner: Yeah. 

Joe Carrigan: I love how this kind of rolls off the tongue. First off, for our listeners at home, Dave does that in one take almost every time. 

Joe Carrigan: I don't know how he does that. I could not stammer my way through this in one take if my life depended on it. 

Dave Bittner: I have an amazing ability to disconnect my brain from in between my eyes and my mouth, so I can read the words and have them come out and not be bogged down by actually processing it. It's a gift (laughter). 

Joe Carrigan: Yeah, that's a gift. That's amazing. So this is obviously just a scam, like a beneficiary scam, right? I got - hey, look; I've got all this money. I'm trying to give it away before I die. We see these a lot. But I thought this one was interesting because it was obviously translated from some third language to Lithuanian and then from Lithuanian into English. Talk about getting lost in translation. 

Dave Bittner: Yeah, absolutely. Absolutely. 

Joe Carrigan: This is awesome. 

Dave Bittner: All right. Well, we appreciate John writing that in. That was a good one. That was our Catch of the Day. We would love to hear from you. If you want to send us a Catch of the Day, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it is always great when Carole Theriault returns to the show - can't get enough of her stories and the things that she shares with us. This week, she's got a good one. She interviews Tim Harford. He's an author, also a TV personality. Evidently, I believe he's a little more well-known on her side of the pond over in the U.K. than he is here. 

Joe Carrigan: Yep. 

Dave Bittner: But when you listen to this interview, you'll understand why. Really interesting conversation. Here's Carole Theriault. 

Carole Theriault: So Tim Harford, thank you so much for coming on "Hacking Humans." 

Tim Harford: It's my pleasure. Thanks for inviting me. 

Carole Theriault: OK - so just a bit of background before we get to you. So for people out there, Tim is actually a household name in my home. Now, we primarily know him from his BBC work, host of "More or Less" and "How to Vaccinate the World" - both amazing shows. But Tim, you have your mitts in so many other pies. Can you tell us a little bit about you? 

Tim Harford: Yes. As the Italians would say, you know, many fingers in the pasta. So I also have a podcast called "Cautionary Tales," which is stories of catastrophe, fiasco and, you know, what are the nerdy lessons of what we can learn from what went wrong? That's made by Pushkin, Malcolm Gladwell's podcasting company in the U.S. And I write for the Financial Times, and I write books. The most recent book is called "How to Make the World Add Up," which is all about the technical side, but more importantly, the psychological side of using statistics to think clearly about the world. 

Carole Theriault: See, you're such a perfect guest for this show because we are going to talk today about all things disinformation or misinformation. Actually, is there - do you know if there's a difference between the two? 

Tim Harford: There is thought to be a difference between the two. Disinformation is deliberate and misinformation may or may not be deliberate. 

Carole Theriault: I never knew that. That's very useful. 

Tim Harford: There you go. 

Carole Theriault: I think today most of us feel we are in the disinformation and misinformation crosshairs, and many assume that this is because of the Internet and social media and all these things - that these things are to blame. But you're saying this is not a new phenomenon at all? 

Tim Harford: It's really not. One of the first stories I tell in my book begins in 1937 with a wonderful old art critic called Abraham Bredius, who is recognized as the world's leading authority on Rembrandt and Vermeer. And he is - at the age of 82, he's approached by a charming lawyer called Gerard Boon, who's a committed antifascist. He's a really good guy. 

Tim Harford: He tells him this story about this antifascist family in Italy who wanted to flee Mussolini's oppression and go to America. And they've got this painting, and they think maybe it might be worth something. And Bredius is the only guy who he would really trust to make that assessment. And by the way, Gerard Boon believes all of this. So Bredius says, OK, fine, I'll take a look. Boon is a really distinguished pillar of the Dutch establishment. 

Carole Theriault: Did people trust lawyers back then, or is that anything that we think they're sharks now? 

Tim Harford: Yeah, lawyer and politician, it turns out. Yeah. But he was - you know, he was standing up to Hitler back in 1933. I mean, he's a great guy. And Bredius opens the parcel and looks at this huge canvas, and he is completely spellbound. And he says, you know what we have here? This is a Vermeer. 

Carole Theriault: Wow. 

Tim Harford: And there are only about 40 Vermeers in the world. He's a very mysterious painter from the 1650s, 1640s. And Bredius says, when I - he wrote about it shortly afterwards. He said, when I first saw this work, I had difficulty controlling my emotion. And that's the problem. He had difficulty controlling his emotions. It was a rotten, rotten fake, really bad fake, totally corrupt, painted by a really nasty Dutch Nazi called Han van Meegeren. 

Carole Theriault: Who obviously must have been pretty good with his paintbrush. 

Tim Harford: Well, he was all right. He was OK with the paint brush. He was much better with the industrial chemistry. So he - one of the things he did was he used absolutely the right pigments and he painted it on a 17th-century canvas - over the top of an old 17th-century painting. And he hardened it with Bakelite because oil paintings - I didn't know this until I started looking into this - but oil paintings take 50 years to dry fully. 

Carole Theriault: Yeah. 

Tim Harford: And so Bredius is looking at all of this. And he's saying, well, it's a 17th - you know, I know it's a 17th-century canvas. I know these are authentic pigments. These are the pigments that Vermeer himself would have used. The paint is hard. He's looking at all of these details. And he's not going, huh, not a very good painting, though, is it? 

Carole Theriault: Wow. 

Tim Harford: And the reason that I began a book about statistics with a story about an art forgery is because I wanted to understand how it is that we often collude in our own downfall, how we often fool ourselves. And for Bredius, it was this combination of wishful thinking. He really wanted to find one more Vermeer before he died. Wishful thinking, very powerful. Plus, once he wanted to believe it, his expertise was actually telling - giving him signals that you or I would never have noticed. Oh, this is a 17th-century canvas. Look, you know, the pigments are authentic. But for Bredius - he picked up all these little reasons to believe and, of course, ignored this one big reason to believe, which is that the painting never looked like anything Vermeer ever did. 

Carole Theriault: I want to say the word ironically here because I think I'm using it correctly. But is it ironic that he was duped by the science? 

Tim Harford: So I looked at some psychological research. The term for this is motivated reasoning. 

Carole Theriault: OK. 

Tim Harford: You're going to want to reach a certain belief that fits in with your preconceptions. So there's a lot of work on motivated reasoning in politics. And one of the studies I looked at very interestingly pointed out that people who were more expert, who knew more about politics, actually fell harder for some of these cognitive traps. And motivated reasoning is the gun, and your knowledge is the ammunition. Like, you've got so many more bullets in that gun, which are... 

Carole Theriault: Right. 

Tim Harford: ...Going to fire hard into your own foot and fool yourself. And people who actually didn't know very much didn't have the cognitive ammunition to reach the wrong conclusion. They were just like, oh, I don't know; it might be; it might not be; what do I know - whereas for Bredius - he found all these reasons. 

Carole Theriault: So, for example, if I were to apply this to a modern world scenario, this would be a bit like me already having preconceived ideas of, I think this is the place that I need to get my news for - in my mind, because I followed them for a long time or they have a strong reputation or whatever. But those things can also hinder me into actually analyzing the story and looking for all the different clues that might suggest it is not as good as it is. Is that fair? 

Tim Harford: Absolutely. So, for example, there's a whole narrative in the U.K. at the moment about how serious is COVID really. And the people who are very keen to make the case that it's actually really overblown and it's really not that dangerous - some of them are going really deep. I mean, there's some which - there's some people who just don't know anything about the subject at all. But, you know, you could talk to people who know a lot about PCR tests and will tell you, oh, there's this particular laboratory in Cambridge, and we think that their PCR tests are contaminated. And also, if you look at the research on asymptomatic cases, it shows actually, a lot of cases of asymptomatic. 

Tim Harford: And this is how they'll - and actually, if you really know what you're talking about, you can pick all that apart and go, all of this is nonsense. Actually, there's a lot of detail there supporting the mistaken belief. And, of course, the simplest thing to believe about COVID is, well, you know, look; well, people seem to be dying. It probably is pretty bad. I mean, that's your Occam's Razor. 

Carole Theriault: Yeah. 

Tim Harford: But, you know, you have to work quite hard to get deep into it and to start finding reasons to disbelieve all of that. But some people will. 

Carole Theriault: So right now we're sitting here. We're still in the middle of a pandemic. Holidays - I don't know - have just passed. And we are under the impression loads and loads of people are trying to take something from us, be it our information, be it our money, be it whatever. Are there cognitive techniques that you have researched that allow us to be able to handle this better? 

Tim Harford: Yeah, there are. And I feel - the very first thing I would say is don't despair because there's a lot of perfectly good, solid information out there. There are lots of trustworthy sources, lots of journalists doing really good work who will give you the context, who will give you the footnotes, who will check their sources. And I think one trap we fall into, which I write about in the introduction to "How to Make the World Add Up," is to just think it's all lies. 

Carole Theriault: Yeah. 

Tim Harford: And, you know, that's where we can get into these really, really grim views of the world where you just think everybody is lying to me all the time. And this is part of the anatomy of Putin's propaganda strategy in Russia. It's like, there's just so much. No one's fooled, but people don't even believe the truth. It's - they don't believe the lies. They don't believe the truth, either. 

Carole Theriault: I just heard that yesterday from a friend who just said, I'm just staying away from the news because I don't know what to believe, and it's too complicated for me to do the homework. So I'm just staying away from it. 

Tim Harford: Yeah. So, Step 1, don't despair. 

Carole Theriault: Yeah. 

Tim Harford: The truth is out there, OK? Step 2 is don't be like Abraham Bredius. Notice your emotions. Don't get carried away by... 

Carole Theriault: Yeah. 

Tim Harford: ...Your emotions. A lot of the media that we see - whether it's social media, whether it's newspaper headlines, it is designed to get a rise out of us. Social media thrives on this. And it could be anger. It could be joy. So whenever you see a claim, just say to yourself, am I having an emotional reaction to this? Am I thinking, well, that's fake news, or, this proves I was right all along? Wait till I tell my wife. Wait till I tell my husband about this. You know, they'll realize I was smart. Or, you know, it can't possibly be true. I can't believe it. You know, that must be the lamestream (ph) media. 

Tim Harford: Whatever it is, just calm down for a moment. Notice the emotion, then go back, and start thinking clearly. You don't need me to tell you that your classic kind of con approach is - the scam is to get people in a hot state, get people fearful, agitated. And you've got to do it now. 

Carole Theriault: Yeah. 

Tim Harford: Do it now. 

Carole Theriault: Right now. Yeah. You have minutes to take advantage of this or something. 

Tim Harford: Absolutely, absolutely classic, whether it's greed or whether it's fear. 

Carole Theriault: Well, a lot of it's FOMO, right? It's a lot of fear of missing out. 

Tim Harford: Yeah. 

Carole Theriault: You know, a lot of these things I see are, like, the short-term deals. 

Tim Harford: Yes, absolutely. And, of course, you know, we're all potentially vulnerable. I mean, you can't say, oh, I know these tricks. So, I mean, let me give you an example. I don't think I was conned, but I'm still trying to find out. 

Carole Theriault: Ooh, tell us. 

Tim Harford: Just a couple of days ago - so a guy in a UPS uniform with a UPS van outside my house with a big UPS parcel is standing on the door. And he says, I'm afraid you've got to pay, you know, VAT and customs on this parcel. Oh, goodness. OK, fine. You know, cash or check? I was like, OK, fine. So I get 30 quid, give him the 30 quid. And he's like, and UPS haven't even given me the facility to give you a receipt, so you have to go on the UPS website to sort that out. And he kind of strolls off. And then I'm thinking... 

Carole Theriault: I just handed him 30 quid (laughter). 

Tim Harford: I just gave this guy 30 quid and didn't even get a receipt. I mean, I did get the parcel. And, you know, he had a UPS van. 

Carole Theriault: Yeah. 

Tim Harford: It's probably - you know, it's probably just UPS, you know, not having their processes in order. But if you had sat me down and said, OK, in one minute, there's going to be a UPS guy; he's going to show up; he's going to ask you for 30 quid cash and not give you a receipt... 

Carole Theriault: Yeah. 

Tim Harford: ...What are you going to do? I'd say, I'd turn to go away and come back when he's got a receipt. 

Carole Theriault: Exactly. 

Tim Harford: But I didn't because I was in a hurry. 

Carole Theriault: Yeah. 

Tim Harford: So, you know, in the book - some people say, oh, you've given these Ten Commandments on how to make the world add up. Actually, I didn't think of them as commandments. I think of them as sort of habits that we need to try to train ourselves to get into. Get into the habit of not just clicking retweet, not just sharing. Get into the habit of kind of slowing down and calming down. 

Carole Theriault: I know. And there's a real weird push-pull between this because, if we use the example you just gave about the UPS guy, you have security. So, for example, you could have - if, say, you were on high alert at this point, you might've said, look. I'm going to just take a picture of you and your badge just to make sure, right? And let me just grab the license plates of your truck. You know, you don't mind, do you? But then in a way, you're invading that person's privacy, if, in fact, they're bona fide and legit, and they just didn't have receipts or whatever. 

Tim Harford: Yeah. And you feel like, you know, gosh, suddenly, I'm the [expletive]. 

Carole Theriault: (Laughter). 

Tim Harford: There's another story. I haven't got time to go into the details, but it's one of the early episodes of "Cautionary Tales." It's in Berlin in the early 20th century. And it begins with a junior military officer being stopped on the street by a commanding officer, a captain who says, you know, where are you taking all these men? He's got four privates with him. Where are you taking these men? Come with me. I've got urgent business for the Kaiser himself. 

Tim Harford: And they marched on the street, and then they meet some other privates. And, you know, suddenly, he's got a little army. He's got about 10 of them. And his name is Captain Wilhelm Voigt. And they take the train across Berlin. And then they - you know, they arrest a local mayor, and they confiscate his money and take the mayor to the police station. He's wanted for questioning. And the captain has this sort of bag of money under his arm. He says, well done. Everyone's done really well. 

Tim Harford: They all disappear. He goes to Berlin Railway Station, disappears into a lavatory cubicle, comes out wearing plain clothes. And then he's (laughter) never seen again. And it's just this - it's the same thing. It's the UPS guy. 

Carole Theriault: Huge con. 

Tim Harford: The UPS guy in the uniform. I just love this guy because there's a guy in a captain's uniform, and you're a corporal. What are you going to do? Of course, you're going - you don't want to say, I don't think I've seen you before, Captain. Where's your identification? You'd be court-martialed. 

Carole Theriault: Yeah. It's like in the movies. You know, you always have these scenes where some kind of strange car pulls up. Someone dapperly dressed opens up the car, and they say, get in. You know, and you're always thinking, like, you know, why do people get into the car? I mean, obviously to make the story. But, you know, were that to happen to you, were it a bus that you were expecting, of course, you'd hop on - right? - or if it was a cab you ordered. But if it was any other car, would we get in? And would we do our, you know, due diligence beforehand? 

Tim Harford: Absolutely. Absolutely. 

Carole Theriault: Tim's new book is "How to Make the World Add Up." It's available wherever you get your books. And also, check out his new podcast, "Cautionary Tales." I had a listen to the first one, and I thought it was fantastic. What high production. 

Tim Harford: Yeah, we're working hard. We're having fun. 

Carole Theriault: Tim Harford, thank you so much. 

Tim Harford: You're such fun to talk to, Carole. Thank you. 

Carole Theriault: As are you. This is Carole Theriault for "Hacking Humans." 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Great interview. I love that interview. I want to talk about a little bit of misinformation here, Dave. Are you allowed to kill a praying mantis in Maryland? 

Dave Bittner: I - probably. I've heard this. I've heard this. 

Joe Carrigan: Right. 

Dave Bittner: This is - this rings a bell with me. We have - now, we have praying mantises here in Maryland. They are a common insect. It's also my favorite insect. They're really cool. 

Joe Carrigan: They are awesome bugs, yeah. 

Dave Bittner: I guess a better question - is a praying mantis allowed to kill me? 

Joe Carrigan: Right (laughter). 

Dave Bittner: That's the real fear here. But am I allowed to kill a praying mantis in self-defense? 

Joe Carrigan: Right. 

Dave Bittner: But I believe I've taken you off the rails here. What is the point of your question? 

Joe Carrigan: That praying mantis had a knife. I had to do it, Officer. 

Dave Bittner: (Laughter) Exactly. What is the point of your question, Joe? 

Joe Carrigan: My point is that I grew up believing that it was illegal to kill praying mantises. It was folklore around here. When I got older, I was an adult working down in Crystal City. And I had - took a vanpool, and the driver of the vanpool was an entomologist. And we were talking, and I asked him - I said, why is it illegal to kill praying mantises? I see them all over the place. And he says, I don't know where this myth comes from. There's nothing illegal about killing praying mantises. If you want to kill a praying mantis, you can kill a praying mantis. It's fine. I mean, I don't know why you'd go out and kill one. They're awesome bugs, as you say. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I enjoy seeing them. But there is nothing illegal about it. But growing up, I believed with all my heart that it was illegal to do this. 

Dave Bittner: Yeah, I heard that growing up here, as well. 

Joe Carrigan: There was no publicly accessible internet at that point in time. 

Dave Bittner: Right. 

Joe Carrigan: I wasn't on the internet back in the '70s and early '80s. So this was not something that came around from the internet. And that's kind of what Tim is talking about here. This is not anything new, this massive amounts of mis- and disinformation. But we do see it being amplified by social media. 

Joe Carrigan: One of the things that he says in here that's absolutely probably the most important thing he says is when he's talking about the guy with the piece of art that he thinks is from the Dutch master. I can't remember the name of the master. But he says, I had difficulty controlling my emotions. And that, as Tim puts it, allows us to collude in our own downfall. 

Dave Bittner: It's a good phrase. 

Joe Carrigan: This is the crux of the matter of social engineering. You have difficulty controlling your own emotions and thinking clearly about things. Motivated reasoning is very interesting to me. It sounds a lot like confirmation bias. Maybe I'm wrong. Maybe it's two different things. But, you know, you go out looking for things that confirm your belief systems. 

Dave Bittner: Right. 

Joe Carrigan: Sounds very similar. I like what Tim says about noticing your emotions when you're online or when you're engaged with somebody. Notice how things make you feel. This is what social media uses to make its money, right? This is how Facebook and Twitter keep you engaged. They show you things that elicit an emotional response, that they know will keep you looking at the page. 

Joe Carrigan: And it also works in news organizations. These 24-hour news cycles that we have all over the cable - the different channels. These people need to keep you engaged. They need to sell advertising. So they want you to be emotionally invested so that you don't turn them off so that they get the ratings. So they sensationalize the news, right? 

Dave Bittner: Sure, sure. 

Joe Carrigan: This is also nothing new. We had a similar problem back at the turn of the 20th century in yellow journalism. The journalism about 150 years ago was also just as bad. It was awful. And the important thing to remember is that scams work on all these same tools - right? - that our emotions are what they use against us. They try to get us to stop thinking and start feeling. And that's when you start running into problems. I think this was a really great interview. I really enjoyed hearing Tim talk. I think I'm going to check out the podcast that they plug at the end of this. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Carole Theriault for bringing that interview to us. Thanks to Tim Harford for taking the time for her and for us. Of course, we want to thank all of you for listening. 

Dave Bittner: That is our show. 

Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.