Hacking Humans 10.21.21
Ep 170 | 10.21.21

Joekens, Bittnercoins, and the serious impacts of spam analysis.

Transcript

Paul: I don't think managers are aware of what necessarily low-level analysts have to see as their ordinary day job. It wasn't really what they were expecting or what their job description was.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some interesting stories to share this week. And later in the show, Carole Theriault returns with an interview with a spam analyst. 

Dave Bittner: All right, Joe, let's jump into our stories here. Why don't you start things off for us? 

Joe Carrigan: Dave, last week I said I'm going to stay on the topic of nonfungible tokens, or NFTs. 

Dave Bittner: Yeah. 

Joe Carrigan: And this week, I'm talking about rug pull scams, but I think this is it for NFTs for me. I'm not going to do another one. That's... 

(LAUGHTER) 

Dave Bittner: OK. Fair enough. All right. And phew. 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: So a rug pull is a type of exit scam. And it's pretty easy to understand an exit scam. 

Dave Bittner: OK. 

Joe Carrigan: Right? We see these on the dark web all the time or hear about them. What an exit scam is is - let's say I want to be an escrow agent on the dark web. 

Dave Bittner: OK. 

Joe Carrigan: And I say, I'm going to hold your bitcoin or your cryptocurrency until you receive what it is that you have ordered, be it illicit or otherwise, from whomever you've ordered it from. 

Dave Bittner: Right. 

Joe Carrigan: So the person, the buyer, sends me some bitcoin. Let's say it's bitcoin. 

Dave Bittner: OK. 

Joe Carrigan: And I hold it. And I tell the seller, I have the bitcoin, and I'll send it to you as soon as you deliver the product to the buyer. So the seller sends the buyer the product. The buyer says, I've received the product. And then I send the bitcoin on, minus a little bit for myself. 

Dave Bittner: So you're the trusted agent in the middle. 

Joe Carrigan: I'm the trusted agent in the middle. I'm a middleman, Dave. 

Dave Bittner: Right. OK. 

Joe Carrigan: So I build a reputation for myself, and I'm starting to handle a lot of transactions. And it's all pretty easy for me to do this. And all you need is a bitcoin wallet and access to the dark web, and you can start doing this. But eventually, Dave, I'm like a bank. I'm holding tons of bitcoin, tons of it - so much, in fact, that it becomes a temptation for me just to take the money and run. And that's what I do. 

Dave Bittner: Ah. 

Joe Carrigan: I'm killing the goose that lays the golden eggs. But, you know, I think I'm getting as - you know, as I do this exit scam, I'm getting a lot of money. I can live the rest of my life comfortably without having to worry about anything... 

Dave Bittner: I see. 

Joe Carrigan: ...Provided I can launder the money. So that's an exit scam. 

Joe Carrigan: A rug pull scam is a little bit different but fundamentally the same, OK? To understand what it is, I did a lot of searching and watched a lot of videos from Whiteboard Crypto, which is a channel on YouTube. They have some really good explanations of things like liquidity pools and cryptocurrencies. I'm not going to get into that. I'm just going to tell you kind of how this works in the world of Ethereum. 

Dave Bittner: OK. 

Joe Carrigan: First, it's important to understand that nonfungible tokens, or NFTs, exist on a blockchain. And many of them exist on the Ethereum blockchain. That's because it's a feature of the Ethereum blockchain to have something called smart contracts. I'm going to talk about Ethereum for the rest of this segment, but you can do this on any blockchain that has smart contracts, not just Ethereum. So you can't do it on Bitcoin, actually. Bitcoin doesn't have the capability to have smart contracts, so you can't put NFTs on Bitcoin. 

Dave Bittner: Interesting. 

Joe Carrigan: But smart contracts are just code that dictate how the ether, which is the actual cryptocurrency from the Ethereum blockchain, can be spent or used. And you can develop additional tokens on the Ethereum blockchain. But because these contracts are code, they can do just about anything. And because this code is written by humans, bad stuff can happen. 

Dave Bittner: Ah. 

Joe Carrigan: Right? Back in 2016, someone set up a wallet with a smart contract called a distributed autonomous organization or a D-A-O or DAO, right? Somebody found a vulnerability in the code, and this vulnerability just let them transfer their - all the Ethereum out of the wallet to themselves. And they did just that. A hundred fifty million dollars' worth of Ethereum was gone. 

Dave Bittner: Wow. 

Joe Carrigan: Right. This is - you can look this up. This is called the DAO, D-A-O. Just Google that - D-A-O Ethereum - and you'll see the whole story about it and get a lot of - I'm not going to go into the details of it. But what it was was a smart contract that had a defect. If the smart contract didn't have the defect - in fact, that's the reason why we now have Ethereum and Ethereum Classic - because Ethereum Classic - the guy that did this still has all the Ethereum. And modern Ethereum - he doesn't because they went back, fixed the bug and changed the - and re-rolled out the blockchain from that point on. 

Dave Bittner: So it got forked at that point. 

Joe Carrigan: It got it forked. Exactly. 

Dave Bittner: OK. OK. 

Joe Carrigan: But that's a whole story unto itself, so let's move on. Rug pulls are essentially the same thing, but the attack comes from the inside, right? So let's say I want to do a rug pull scam... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? - because I'm a person of ill repute, right? 

Dave Bittner: (Laughter) As we all know. 

Joe Carrigan: So I start a wallet and write a smart contract. And now here's the social engineering part. I set up a website. And then I go to Reddit, Facebook and Twitter, and I say, hey, everybody, I'm offering my own form of token called Joekens (ph). 

Dave Bittner: (Laughter). 

Joe Carrigan: Joekens are great. 

Dave Bittner: OK. 

Joe Carrigan: Everybody should buy them. 

Dave Bittner: I mean, they're great, but they're no Bittner coins. 

Joe Carrigan: Right (laughter). 

Dave Bittner: So... 

Joe Carrigan: Bittner coins - that's a good one. 

Dave Bittner: (Laughter). 

Joe Carrigan: We should do this, Dave - Joekens and Bittner coins. 

Dave Bittner: Yeah. 

Joe Carrigan: My scam would actually be more elaborate than, hey, everybody, buy Joekens - right? It would actually be like, this is a great serious investment. You're going to make millions. You're all - we're all going to be rich. 

Joe Carrigan: But then everybody puts their money into my wallet. They actually get Joekens, right? So they have some kind of representation of this. But once I have enough Joekens or once I've sold enough Joekens for ether and I'm happy with the amount of ether that's in my wallet, I take the money, I shut down all the social media accounts and I disappear. And that's a rug pull scam. 

Dave Bittner: OK. 

Joe Carrigan: Now, this happened earlier this month... 

Dave Bittner: Oh. 

Joe Carrigan: ...With something called Evolved Ape (ph). Evolved Ape (ph) was a nonfungible token that had 10,000 apes, they called it. And they were going to be used in a game. I don't know how the game was supposed to work. I don't have any information about that. You could probably find it online. But it was started by this guy who called himself Evil Ape. 

Dave Bittner: No tip-off there. 

Joe Carrigan: Right. Yeah, exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: So once good, old Evil Ape - by the way, Evil Ape - his initials are EA. I'm wondering if that's some kind of poke at Electronic Arts. 

Dave Bittner: Oh. Well, it could be, could be. 

Joe Carrigan: Some kind of subtle poke. 

Dave Bittner: All right. 

Joe Carrigan: Maybe I'm seeing patterns where there are none. But he made off with $2.7 million... 

Dave Bittner: Wow. 

Joe Carrigan: ...By doing a rug pull scam. 

Dave Bittner: Now - OK. So again, because all of this is taking place on a blockchain... 

Joe Carrigan: Right. 

Dave Bittner: ...Isn't the ultimate exit - so Mr. Ape... 

Joe Carrigan: Right. 

Dave Bittner: Isn't his ultimate exit traceable on the blockchain itself? Or does he have to go through some sort of money laundering process to get that money out of there? 

Joe Carrigan: Well, now he has ether. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So... 

Dave Bittner: Which is a blockchain. 

Joe Carrigan: Which is on a blockchain. But he can exchange that ether on some exchange for another cryptocurrency, and then it's not traceable anymore. 

Dave Bittner: OK. 

Joe Carrigan: Or he could put that ether through a tumbler, which makes it more difficult to trace. It doesn't make it untraceable, but it makes it more difficult to trace. There are lots of things you can do once you have ether. This is unlike the story I was talking about last week where you have nonfungible tokens. Ether is fungible. 

Dave Bittner: Yeah. 

Joe Carrigan: So now you're - all you have to do is launder this money. He can probably get away with $2 million here. 

Dave Bittner: I'm just thinking of the highly motivated mob of people who want to crowdsource the figuring out who this gentleman or lady is that - you know (laughter)? 

Joe Carrigan: Right. Well, there's a bunch of them. 

(LAUGHTER) 

Dave Bittner: Right, right, right. 

Joe Carrigan: They were going to sell 10,000 of these things. Maybe there's 10,000 people out there. 

Dave Bittner: Wow. 

Joe Carrigan: Probably less. But so how do you protect yourself? First and foremost - this is my advice, not anybody else's advice - but don't put any money into any nonfungible token that you just can't afford to just lose, right? It's like going to the casino. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Don't take your rent money to the casino. There's a website out there called rugdoc.io, call themselves Rug Doctor. I anticipate them getting a cease-and-desist letter from the people that rent you the carpet cleaners. 

Dave Bittner: (Laughter) But in the meantime. 

Joe Carrigan: But in the meantime, go to rugdoc.io. There's one called Token Sniffer, which looks up nonfungible tokens and does code reviews, automated code reviews on their smart contracts. 

Joe Carrigan: Also, things that you can do - look for hastily assembled web presences - right? - 'cause these NFT scammers do that. They set these up very quickly. They want to publicize it. They want to get the money and get out. There's other things you can do as well, but they involve a lot of technical stuff. If you don't understand what you're buying, don't buy it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? If you don't understand what nonfungible tokens are, stay away. Any investment - it doesn't matter. If you don't understand what a stock is, don't invest in stocks. You really have to understand how the investment vehicle you're putting your money into works before you can safely invest in it. 

Dave Bittner: You know, if this whole Hopkins thing doesn't work out for you, Joe, maybe you have a future as a financial adviser. 

Joe Carrigan: Right, yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: Maybe I could just sell Joekens. 

Dave Bittner: You could sell Joekens - yeah, yeah. Although I'm telling you, I'm going to compete with you with my Bittner coins. 

Joe Carrigan: It's a good one. I like Bittner coins. They're probably more valuable than Joekens. 

(LAUGHTER) 

Dave Bittner: They only come in sets of eight, so they're 8-Bittner coins. 

Joe Carrigan: (Laughter) Even better. 

Dave Bittner: Yeah. Yeah. All right, well, interesting story, for sure. We will have links to all of that stuff in the show notes. 

Dave Bittner: So, Joe, my story this week - now, before you click through and look at the link that I provided in our show notes here... 

Joe Carrigan: OK. 

Dave Bittner: ...I want you to close your eyes. 

Joe Carrigan: Closing my eyes. 

Dave Bittner: And I want you to imagine the Verizon logo. 

Joe Carrigan: OK. 

Dave Bittner: OK? So Verizon, of course, major telecom company, one of the largest in the world. 

Joe Carrigan: Big, red V. 

Dave Bittner: What do you imagine the Verizon logo looks like? 

Joe Carrigan: It's a big, red V with a white 'erizon. 

Dave Bittner: OK. 

Joe Carrigan: Right? Maybe a black 'erizon. 

Dave Bittner: All right. Is there anything - what does it look like in terms of text and logo elements? 

Joe Carrigan: Well, the V is kind of like a check. 

Dave Bittner: OK. 

Joe Carrigan: Let's see. The letters are of a specific font that's very distinguished. 

Dave Bittner: Yeah. 

Joe Carrigan: Like, I'd recognize that font out of context of the word Verizon. 

Dave Bittner: OK. 

Joe Carrigan: There's a black background. 

Dave Bittner: OK. 

Joe Carrigan: So maybe the letters are white, or maybe it's a white background with the black letters. I think I've seen it both ways. 

Dave Bittner: Yeah, probably. Most logos are - you know, they have different versions of it depending on where it's going and that sort of thing. 

Joe Carrigan: It reminds me of an old local company that used to be called Vitro. Do you remember Vitro? 

Dave Bittner: I do not. 

Joe Carrigan: OK. But it kind of does remind me of that. 

Dave Bittner: All right. So I've brought the logo up on my computer screen here. Open your eyes. 

Joe Carrigan: OK. 

Dave Bittner: Take a look. 

Joe Carrigan: Oh, yes. I was wrong. 

Dave Bittner: (Laughter). 

Joe Carrigan: The V is not the red check. OK. 

Dave Bittner: OK. 

Joe Carrigan: Is that actually the Verizon logo? 

Dave Bittner: That is actually the Verizon logo. 

Joe Carrigan: OK. Maybe I'm actually thinking of the old Vitro logo. 

Dave Bittner: OK. So - but you have perfectly fallen into my trap, Joe... 

Joe Carrigan: OK. 

Dave Bittner: ...Because it is a perfect example of this story (laughter) from the folks at INKY. They have - in their security blog, they've published an article titled "Phishers Get Clever, Use Math Symbols for Verizon Logo." 

Joe Carrigan: I see. 

Dave Bittner: So the actual Verizon logo - you go look it up. It's the word Verizon. As you say, it's in a very strong, recognizable, heavy font. 

Joe Carrigan: Right. 

Dave Bittner: And at the end of the word, after the word Verizon, there's a red check mark. 

Joe Carrigan: Right. 

Dave Bittner: And I think most of us, as you did, in our mind's eye, somewhere, we place that red check mark. Well, what INKY has found is that folks who are doing phishing attacks have made their own version of the Verizon logo. And as you describe, they have replaced the first V in Verizon with a symbol. Sometimes they use the square root symbol. 

Joe Carrigan: See, now that's exactly what the Vitro logo used to look like. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: It had - it was a square root symbol for the V and then 'itro. 

Dave Bittner: Yeah. Sometimes they'll use just a red check mark... 

Joe Carrigan: Right. 

Dave Bittner: ...And then the word 'erizon after it... 

Joe Carrigan: OK. 

Dave Bittner: ...Right? - so substituting something for the V. But that is not the actual Verizon logo. The Verizon logo is the word Verizon with a red check mark. But as you perfectly demonstrated, in our minds, we remember that red check mark, but it seems like we're a little mushy about exactly where it goes. 

Joe Carrigan: Did it used to go in front? Am I suffering a Nelson Mandela effect here? 

Dave Bittner: (Laughter) I don't know, Joe. 

Joe Carrigan: You're making me doubt my own existence, Dave. 

Dave Bittner: Well, worse things could happen. 

Joe Carrigan: Right. 

Dave Bittner: So what these folks are doing by substituting that symbol for the V - that allows them to get through a lot of spam filters... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Right? - because they're looking for the word Verizon. 

Joe Carrigan: Right. 

Dave Bittner: And that word is not in this - in these phishing attempts. 

Joe Carrigan: Right. 

Dave Bittner: They're using a symbol and the E, so... 

Joe Carrigan: Yep. Gets right through. 

Dave Bittner: Gets right through. And folks fall for it. In this case, these are a bunch of email messages that tell you that you have a voicemail, and they say, please click through to get - you know, to listen to this new voicemail. And if you click through, it takes you to a place that asks for your login credentials, and then they got you. 

Joe Carrigan: Right. 

Dave Bittner: It's not actually Verizon. It's the scammers. They - now they have your Verizon credentials, and they do all sorts of things, like going in and trying to purchase new phones... 

Joe Carrigan: Right. 

Dave Bittner: ...In your name... 

Joe Carrigan: Right. 

Dave Bittner: ...Under - using your account credentials. 

Joe Carrigan: I used Verizon for a time, so as I remember, and even with my current provider, you can just get on your - on their website, buy a phone, have it shipped to you, and they'll just bill you for it, right? 

Dave Bittner: Right. Yeah. 

Joe Carrigan: So, yeah, these guys are getting free phones. 

Dave Bittner: Yeah. Phones aren't cheap. 

Joe Carrigan: No. 

Dave Bittner: (Laughter) So just some things to be aware of here - you know, look for suspicious domain names. Look for domain names that look close to the original domain name but aren't the original domain name. 

Joe Carrigan: Right. 

Dave Bittner: In a case like this, if something feels a little off, maybe it is. 

Joe Carrigan: Yeah. 

Dave Bittner: But I think this is a really good example of how fuzzy our memory can be, especially when it comes to visual cues and logos. And so it's very easy to fall for something like this. 

Joe Carrigan: Yeah. Obviously, you have, you know, my recollection of the logo being very much like what these guys are doing here. It's remarkable. 

Dave Bittner: Yeah. 

Joe Carrigan: I could've sworn that check was at the front of the logo. 

Dave Bittner: (Laughter) Right, right. So, dear listeners, Joe is going to spend the rest of the day questioning himself... 

Joe Carrigan: Right. 

Dave Bittner: ...Wondering what else does he believe in that isn't so. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) All right. So again, that's from the folks over at INKY, and we'll have a link to their blog post over in the show notes. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes all the way from Spain via Rafael (ph) the elder, who has a son, Rafael (ph) the younger, who was the target of a Steam account takeover scam on Discord. This is our second Discord Catch of the Day. I'm seeing an uptick in Discord scams. Dave, you can read the part of the scammers, and I will play the part of young Rafa (ph). You will have to do two voices here. 

Dave Bittner: OK. I can handle that. 

Joe Carrigan: OK. 

Dave Bittner: All right. 

Joe Carrigan: I knew you could. 

Dave Bittner: Here we go. All right. 

Dave Bittner: (Reading) Hello, mate. This is your Steam account, right? 

Joe Carrigan: And then he sends a link, and young Rafa says, yeah, why? 

Dave Bittner: (Reading) Sorry for bothering you, mate. Hope you don't get mad. And I'm worried because I have mistaken your account because I reported it to the support team for scamming me instead of someone who impersonated your profile. And that impersonator is a scammer who scammed me. 

Joe Carrigan: (Reading) Don't worry. I hope they don't ban me. 

Dave Bittner: (Reading) Someone impersonate your Steam account, and he scammed me $200 in TF2, and I thought that was you. That's why I accidentally reported you on Steam support. And I'm worried about your account right now because if this report can get removed on your profile and get processed, they will ban you now. I'm very sorry about what happened. But, mate, the main reason why I am here is that the support team wants you to confirm to him that you are not involved my mistake report so they will cancel my report and remove your account from ban, OK? 

Joe Carrigan: (Reading) OK. Anything I have to do? 

Dave Bittner: (Reading) Anyways, I need to show you something. Can you read the ticket? It indicates that you need to add him and explain your side. You need to add this Steam admin via Steam and on Discord. Just add him and tell him that the report is just a mistake. 

Joe Carrigan: And he includes a picture of the Steam ticket, which can be very intimidating. 

Joe Carrigan: So what happens next is young Rafa reaches out to this guy on Discord going by Eric Robson (ph). It's obviously another scammer, could very well be the same guy. But young Rafa says, hey. 

Dave Bittner: (Reading) Hello, Steam user. I'm an official from Steam community support, and I'm here to help and supervise you and will be providing assistance with regards to your issue. How may I help you? 

Joe Carrigan: (Reading) A guy told me that he false reported my account thinking that I was a scammer. 

Dave Bittner: (Reading) Good day to you. Please give me the full details about this accident, like a screenshot of the conversation between that user who warned you, so that I can look into this issue. 

Joe Carrigan: (Reading) The report was a mistake. OK, here's a screenshot. 

Dave Bittner: (Reading) Kindly hold on a minute while I am reviewing the report filed on your Steam account. 

Joe Carrigan: (Reading) OK. 

Dave Bittner: (Reading) Are you willing to make an appeal to clear these reports? 

Joe Carrigan: (Reading) Sure. I had a VAC ban a long time ago, but nothing more. 

Joe Carrigan: I don't know what a VAC ban is. Do you know what a VAC ban is? 

Dave Bittner: Do not. 

Joe Carrigan: OK. 

Dave Bittner: (Reading) Have you added a phone number on your Steam account? If not, kindly add it to your Steam, and tell me when you are done. 

Joe Carrigan: (Reading) OK, wait. How can I - oh, wait. I saw it. 

Dave Bittner: (Reading) Go to your account details and find manage phone number. Tell me when you are done. 

Joe Carrigan: (Reading) Done. 

Dave Bittner: (Reading) Kindly log out your Steam account from your computer because I will be connecting it to the database. Please tell me when you are done. 

Joe Carrigan: (Reading) Done. 

Dave Bittner: (Reading) All right. I need the confirmation code sent to the phone number ending with 7-4 to close this report on your Steam account. 

Joe Carrigan: (Reading) Nope. Thanks, scammer. 

Joe Carrigan: It literally says, to change the password, enter this code. 

Dave Bittner: Ah, I see. 

Joe Carrigan: And that's when the scammer blocks him, and no more can be done here. 

Dave Bittner: So what's going on here? 

Joe Carrigan: So what's happening here is that young Rafa did not have multifactor authentication enabled on his account, which he should've had already. But - so they have him enable that, and then they have him log out of his account. And then they go to his account and use the I forgot my password workflow, trying to get him to send the code because once you say I forgot my password, then Steam says, OK, fine, we'll send you a code so you can reset your password. But Steam has gone ahead and with that code they're sending him somehow - probably through an SMS message... 

Dave Bittner: Yeah. 

Joe Carrigan: ...They have said, this code will let you reset your password. 

Dave Bittner: I see. 

Joe Carrigan: Right? So he knows what's going on at this point in time. 

Dave Bittner: I see. All right. Well, good for him... 

Joe Carrigan: Yeah. 

Dave Bittner: ...For not falling for it. 

Joe Carrigan: He did not fall for it. 

Dave Bittner: But word to the wise, this is how they go about doing that. 

Joe Carrigan: That's right. 

Dave Bittner: Yeah. 

Joe Carrigan: The first person or the first contact - it could be the same person... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Will say, hey, I accidentally reported your account. Get in touch with this person over at Steam support. And that person is not from Steam support. 

Dave Bittner: Right. 

Joe Carrigan: It's another scammer, could be the same guy. And that person then goes through the process of trying to steal your account. 

Dave Bittner: Yeah. And they're using the pressure or the - I guess the specter of you losing your account... 

Joe Carrigan: Right. 

Dave Bittner: ...As the pressure to get you to act right now. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: The artificial time constraint. 

Dave Bittner: All right. Well, that's a good one. And thanks to our listener for sending that in. 

Dave Bittner: We would love to hear from you. You can send us candidates for Catch of the Day. You can mail it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it's always a treat when Carole Theriault returns to the show, and this week is no exception. She has a fascinating and, dare I say, harrowing tale of an interview with gentleman who worked professionally as a spam analyst. Here's Carole Theriault. 

Carole Theriault: So recently, we've been reading about Apple introducing a new way of vetting content to ensure that it's all aboveboard. And there are people that are on-site, and there are people that are off-site. But what about all these humans that have to look at this sensitive, unpleasant content? And it made me think of a friend of mine that we're going to call Paul (ph). Now, Paul is someone I worked with 20-plus years ago. And as part of his job, he had to look at sensitive material as part of a spam-vetting service. And I wanted to know what impact it had on him. 

Carole Theriault: Paul, your job was to look at dangerous spam images, sometimes containing things like sexual abuse images and the like, and I wanted to know what it was like for you to have to do that. 

Paul: So some of the emails that I had looked at in the past were - had to be reported to the Internet Watch Foundation because they were of a child abuse nature. 

Carole Theriault: Did you have any training to how to deal? 

Paul: No, we didn't have any training at the time. And I specifically pushed to get some kind of help from the company because I don't think - I don't think managers are aware of what necessarily low-level analysts have to see as that part of their day job (unintelligible) and necessarily what the duty of care should be on them. So I was quite senior at the time when I was doing this, but there were a few people who were junior that had to look at this as well. And it wasn't quite - it wasn't really what they were expecting or what their job description was. 

Carole Theriault: So do you think it would be wise for companies that have to start doing this? So these are people that are working at social media companies, at security companies, maybe even vetting - working in an IT situation where they have to vet images. And I'm trying to figure out a way to, like, prepare them for the job ahead. Do you think that managers should have to sit through a day or two of doing it just so they can understand the impact and can be more sensitive to the requirements of their staff? 

Paul: I think it's always a good idea if a manager knows what their employees are doing. They don't have to understand it, but they should know. So it is good. But in my job, it wasn't something that I have to deal with 24/7. 

Carole Theriault: Yeah. 

Paul: So I didn't go into a shift knowing that the next eight hours of my day would be looking at this. So there was a difference then between making people aware that could happen - because it's the internet and everything lives on the internet - and the people whose job it is to vet this type of thing eight hours a day. Those are two different things. And I think I wouldn't have been able to do eight hours a day for any length of time. 

Carole Theriault: Yeah. So what advice do you have? So there's going to be companies out there that are going to be putting this in place because of either regulation or because of demand from the users. Do you have any advice for them on how they can approach this? 

Paul: So I was doing a lot of this at the beginning of this century, so it was a while ago. And I was in an office. And I think it should be in an office because people now working from home, work-life balance - it's a lot easier to turn off your computer at an office and go home and turn off than it is from your bedroom, from the dining room. And also just third parties - so one of the things when I was working on this, we were in a secure area. People couldn't walk past you. People couldn't see what was on your screen. You weren't facing glass doors because anything could happen and there was no reason for the cleaner or the salesperson who's trying to get coffee to be subjected to what you're subjected to. 

Carole Theriault: That's a really good point. 

Paul: But then again, there's no reason for you to be subjected to it, but sometimes it happens. 

Carole Theriault: You're saying, let's make sure that those people that have not signed up for this don't get a glimpse of it in any way. 

Paul: Yeah, because there should be procedures for you to talk to. One thing I knew is that I was reporting this, and I talked to the people (unintelligible) at the Internet Watch Foundation, and they told me what they did. So I knew I was doing good. But somebody coming into this, they wouldn't necessarily know that. And it's a hard justification. 

Carole Theriault: I want to come back to your comment about remote working. That is an excellent point that never even occurred to me. This is not something that anybody wants at home, even, you know, whether or not they have an official work computer to do it from and a special VPN to tunnel in. You don't want it in your house. 

Paul: No, because there are other people in your house, potentially. 

Carole Theriault: Yeah. 

Paul: At the time, I was in a relationship, and I had good friends. So I wouldn't necessarily discuss the things that I had with my partners and friends. But if I couldn't talk about them in general, you could get into a rabbit hole that would be even worse for you because people get inured to the images, and then bad things can happen. 

Carole Theriault: Yeah. It must be very isolating doing this job because this is not dinner party conversation. And if you don't have a support system in a community within the work environment, you're kind of isolated in a bad way. 

Paul: Yeah, you need a support system within work. 

Carole Theriault: Yeah. 

Paul: And you need a sufficient support system out of work as well. 

Carole Theriault: Yeah. 

Paul: And that might mean that people in HR recruiting for these jobs should look further to make sure that the people doing it are better able to handle this because... 

Carole Theriault: You need a psychological strength to deal with this. 

Paul: You need - and even the strongest people probably couldn't do it for long periods of time. 

Carole Theriault: Yeah. And training as well. 

Paul: And training. But as I said, if you know it's going to - if you know eventually some good will happen, it's a lot easier. 

Carole Theriault: Yeah. Paul, thank you so much for talking to me about this today. I know it's not easy, but I think it has been really important to hear from someone who's had to deal with it as a job and how - the impact it had. So thank you so much. 

Paul: That's OK. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: That was a tough one to listen to. 

Dave Bittner: Yeah. 

Joe Carrigan: This is something I never, never want to do. When - 20 years ago, before my tech career, more than 20 years ago, I had a night job where I worked at Best Buy. And there was a guy in the - he may work for Geek Squad or in the same kind of thing as Geek Squad back then. I don't know if it was actually Geek Squad. But he was an enlisted guy in the Air Force, and at night, he would work at Best Buy just like I did. We both had day jobs. 

Dave Bittner: Right. 

Joe Carrigan: But I could tell - sometimes he had to do this kind of forensic analysis. And I could tell when he had to do a forensic analysis he didn't like that day because he was angry. And I've talked to people who work in the forensic field when they're doing court cases for CSAM imagery. And in law enforcement, there are people that have to do this. 

Dave Bittner: Yeah. 

Joe Carrigan: And these people have to see some kind of mental health professional as a part of their job every six months, right? Frankly, I don't think that's often enough. I think that needs to be continuous... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because this does have an impact on the people viewing it. 

Dave Bittner: Yeah. 

Joe Carrigan: When Paul is talking about working remotely, this is absolutely something I would not want in my house. I would not - I'd quit my job before that. This is something that needs to be done by whoever is doing it in an office space, and Paul makes some great points here about not having that inadvertently exposed to anybody else, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Making sure that they don't see it. There are, however, automated solutions for this. There's a company called NetClean. They're out of Sweden. They do that. But I was talking to some of the folks from NetClean about 10 years ago, and this was - at the time - I don't know if the state has changed, but they said they couldn't sell a lot in the United States because U.S. law makes the person criminally liable when they know that there is this kind of imagery on a computer system and they don't report it to law enforcement. So companies would say, well, if we don't know, we don't have to report it. 

Dave Bittner: Oh, I see. 

Joe Carrigan: Right. 

Dave Bittner: Sort of a Catch-22 in a way. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. So they don't want to know. 

Joe Carrigan: They don't want to know. 

Dave Bittner: Yeah. 

Joe Carrigan: Exactly. Now, I don't know what's changed in the past 10 years, but if you think about that from the company's perspective, at the time, there had been cases where an employee was doing something illicit. And the law enforcement shows up and just seizes all of the company's computers. 

Dave Bittner: Right. 

Joe Carrigan: Right? I don't know if that practice has changed. I would hope that it has because that shuts a company down. 

Dave Bittner: Yeah. 

Joe Carrigan: You're done, right? And a company can't survive that. And all these people now are unemployed. It's a terrible situation. 

Dave Bittner: Yeah. And I think it speaks to the point that as someone running a company, you have to have some things in place to have a look into the types of things that your employees are doing. 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: Yeah. You got to protect yourself. 

Joe Carrigan: Yeah. People who do this do need some kind of support system. I've seen this secondhand, and it's tough. It's something that's hard to do. 

Dave Bittner: Yeah, absolutely. Yeah, I just can't imagine, as you say, the mental toll... 

Joe Carrigan: Right. 

Dave Bittner: ...The coarsening that it would do. I'm glad - it's one of those things. I understand there are folks out there who have to do this, and it's something that needs to be done, and it's important work, but I'm glad it's not me. 

Joe Carrigan: Yeah. Absolutely. 

Dave Bittner: Yeah. Yeah. All right. Well, our thanks to Carole Theriault again for bringing us that story. We do appreciate it. 

Dave Bittner: We want to thank all of you for listening. That is our show. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.