Hacking Humans 3.10.22
Ep 187 | 3.10.22

Technology's effects on students during the pandemic.


Justin Reilly: If you have a tool that is assessing the pace of learning and is assessing the well-being of students for you and presenting you with information about individual children that can help inform the way you teach, that has got to be a positive.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Justin Reilly. He is the CEO of Impero, and we're going to be talking about the mental health of kids in the digital age. 

Dave Bittner: All right, Joe, let's jump into some stories this week. My story this week is actually some research. This is a white paper that was published by the folks over at CloudSec (ph). They're a security company. And it's titled "Unearthing the Million-Dollar Scams Targeting the Indian Electric Vehicle Industry." 

Joe Carrigan: Really? 

Dave Bittner: Yeah. Now, electric vehicles are hot. 

Joe Carrigan: Yes, especially when they use their batteries up. 

Dave Bittner: (Laughter) Badum-bum (ph). 

Joe Carrigan: (Laughter). 

Dave Bittner: And, you know, I think electric vehicles have, in some ways, taken off a lot faster than some people expected that they would. 

Joe Carrigan: Right. 

Dave Bittner: It's one of those transitions that's slowly, slowly, slowly and then quickly, quickly, quickly. There's a tipping point. 

Joe Carrigan: Right, yeah there was all kinds of attempts at the electric car back in the '80s and '90s. 

Dave Bittner: Right. 

Joe Carrigan: There's even an Ed Begley Jr. movie - "Who Killed The Electric Car?" 

Dave Bittner: Yeah. Yeah. Yeah, yeah. 

Joe Carrigan: Which is a good movie if you watch it - but... 

Dave Bittner: Well, this story is about not so much cars, but electric bikes and scooters, which are very popular in India - a great way for people to get around and very cost effective. 

Joe Carrigan: Right. 

Dave Bittner: You know, and when you have congested cities and so on and so forth, it's a great way to get around, it doesn't cost a lot of money. And a great thing about an electric is, you know, you're not - unlike, like, a two-stroke engine that a lot of scooters... 

Joe Carrigan: Oh, yeah. 

Dave Bittner: ...And mopeds and things like that... 

Joe Carrigan: Those things are noisy and dirty. 

Dave Bittner: Noisy and dirty. So this is much better for the environment. So this is a hot market... 

Joe Carrigan: Right. 

Dave Bittner: ...In India. So what the scammers have done is they have created phishing lures, and they're using Google ads on keyword searches for folks who are looking to open e-bike dealerships. 

Joe Carrigan: Really? 

Dave Bittner: So they're taking advantage of people who have a bit of an entrepreneurial spirit, who are trying to get in on this - you know, this wave of electric vehicles... 

Joe Carrigan: Right, and a growing market. 

Dave Bittner: ...And the popularity in India in particular. 

Joe Carrigan: And you know what's most important about these people, Dave? 

Dave Bittner: What's that? 

Joe Carrigan: They probably have money to invest. 

Dave Bittner: Well, there you go (laughter). 

Joe Carrigan: Right (laughter). 

Dave Bittner: But you know what? I was thinking about this, and I think this is one of those things where, yes, you need some money to invest, but it's not like you're opening a car dealership... 

Joe Carrigan: Right. 

Dave Bittner: ...Where you need millions and millions of dollars. You know, probably - I don't know - $100,000 or something, you could open a scooter dealership or something like that. And that's the kind of thing where you could get together with some friends, pool your resources... 

Joe Carrigan: Right. 

Dave Bittner: ...And you're in business. 

Joe Carrigan: Yeah, but, you know, if you're - if I was a scammer, a hundred thousand dollars would be a good target for me. 

Dave Bittner: Yeah. 

Joe Carrigan: That'd be a good day if I can scam somebody out of that money. 

Dave Bittner: Right, exactly. So what these folks are doing is they have these - they run these Google ads, they attract people, and then they send them to fake websites. And they say, so you want to be a dealer for our electric scooters, our electric bikes? And so now they start gathering information from the folks. And they lead them down a path of pretending like they're sending them - you know, that they're setting them up to be a dealer. And at some point, they ask for some money. Here's the deposit we need before we ship you these things. Here's the deposit we need to get your paperwork going... 

Joe Carrigan: Right. 

Dave Bittner: ...And on and on and on. And then, you know, that's ultimately where the scam goes. There is no dealership. There are no bikes. There's, you know, nothing like that. 

Joe Carrigan: Right. 

Dave Bittner: They've set up all this infrastructure with these websites that look legit. This report has some pictures of some of the websites that they've set up. 

Joe Carrigan: And there's probably a significant lag time between the time you send them money and they promise anything is going to happen. 

Dave Bittner: Right. 

Joe Carrigan: So that gives them time to move the money out of the account, so you can't get it back. 

Dave Bittner: That's right. That's right. And they also show some of the Google ads that these folks are putting out there. Like, one of them says, apply for e-bike dealership. Apply now. Another one says, e-bike India - ride the future. Book your electric scooter now. Come and be part of accelerating mobility for the future generations. So apply for a dealership. 

Dave Bittner: So I just think this is interesting in that, you know, this is kind of a - it's more than a scam targeting consumers, right? It's - as you said, it's targeting folks... 

Joe Carrigan: Right. 

Dave Bittner: ...Who have a little more money to lose, are excited about perhaps starting a business... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? Making a better life for themselves... 

Joe Carrigan: Sure. Yeah. 

Dave Bittner: ...Right? - as we all would like to do - anybody who's been an entrepreneur. So taking advantage of a person who is in that emotional state of having that combination of some resources and some ambition... 

Joe Carrigan: And I'm sure this process is very convincing. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: You know, it looks to me like this is something that starts off with, OK, we've got somebody on the line, right? We've got one on the hook. Let's begin the process of emulating what this would look like in the real world if somebody was actually trying to open a scooter dealership. 

Dave Bittner: Yeah. 

Joe Carrigan: And then at some point in time - you know, and they probably have multiple people on the hook at all times, just like any organization does. 

Dave Bittner: Right. 

Joe Carrigan: And then at some point in time, they take the money, and they're gone. 

Dave Bittner: Yeah. Yeah. So, I mean, recommendations - these are familiar things. You know, don't click on the ad. 

Joe Carrigan: Right. 

Dave Bittner: If you see an ad and you're interested in something like this - if you wanted to become an e-scooter dealer, you know, first, search for the legitimate brands out there and, you know, do the work and find out what their legitimate website is. Reach out to them that way. 

Joe Carrigan: Yeah. You're going to have to - I don't know how the legal system works in India. But if I was doing this in the U.S., I would definitely have an attorney involved - right? - just to make sure that I'm dealing with the right people so that I don't get scammed. 

Dave Bittner: Yeah. 

Joe Carrigan: But, you know, again, that's another cost that I'm going to have to incur. Also, I'm going to - in this kind of - let's say I was going to open a franchise. And I want to open a - I don't know - Arby's franchise. 

Dave Bittner: Sure. 

Joe Carrigan: Let's just pick one. 

Dave Bittner: Why not? 

Joe Carrigan: I'm not doing that until I go to Arby's headquarters. 

Dave Bittner: OK. 

Joe Carrigan: I'm going to go there and talk to them and make sure and meet these people face-to-face, because a franchise is not a small investment, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: It's a large investment. So I'm going to go out and meet these people - same with a dealership. I'm going to - if I'm going to - I'm going to go to an office space, a physical office space, and meet these people. And that's how I'm going to protect myself against this. 

Dave Bittner: Yeah. 

Joe Carrigan: The other thing is, it's interesting that this is a - this starts with Google ads - you know, search ads. This is a problem that we've been talking about for a number of years with Google - about their ads. And frankly, they're not incentivized to stop it because these scammers do give them money to run the ads. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't think it's a large portion of their business model. But they do have a perverse incentive to not stop this from happening. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm not saying they don't stop it from happening. They may very well make an effort to do that. But the incentive is not there. 

Dave Bittner: Right. And I think it's very much a cat-and-mouse game... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Because you've got - you know, the scammers figure out ways to avoid or evade the automated systems that Google has... 

Joe Carrigan: Yeah. 

Dave Bittner: ...To sort of root these things out. 

Joe Carrigan: That's right. 

Dave Bittner: And so then Google is left playing a game of whack-a-mole, where they're responding to reports. And I think, you know, Google does in good faith take things down when they're reported to them. But if something figures out a way to avoid their automation, it's hard for Google to do that. As I always say, operating at scale, right? 

Joe Carrigan: Right. 

Dave Bittner: Well, if you can't do that at scale, maybe you shouldn't do that. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So that's - but that's where we are, right? 

Joe Carrigan: Yeah. That's where we are. 

Dave Bittner: Yeah. All right. Well, it's an interesting report and slightly different than some of the ones we've seen. And that's what caught my eye about it. We will have a link to that in the show notes. Again, that is from the folks over at CLOUDSEC. 

Dave Bittner: All right, Joe. That's my story this week. What do you have for us? 

Joe Carrigan: Dave, my story comes from Vade Security. They're a French company. (Imitating French accent) Hon, hon. 

Dave Bittner: (Laughter). 

Joe Carrigan: And they have released what they call their 2021 Phishers' Favorite report, which is a pretty good report. It's 16 pages. You do have to cough up an email to get the report, though. So keep that in mind. Let's play some games, Dave. 

Dave Bittner: OK. 

Joe Carrigan: I love doing this when we get these kind of reports out. 

Dave Bittner: OK. 

Joe Carrigan: If you were going to pick the No. 1 impersonated brand in a phishing attack, what do you think it would be? 

Dave Bittner: I would say it's probably a shipping company. 

Joe Carrigan: Oh. 

Dave Bittner: So I would say, like, UPS or FedEx. 

Joe Carrigan: Ah - wrong. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: (Imitating buzzer). 

Dave Bittner: (Laughter). 

Joe Carrigan: The number one - and this is new from this year - it's up... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is Facebook. 

Dave Bittner: Really? 

Joe Carrigan: Facebook is number one. 

Dave Bittner: OK. 

Joe Carrigan: In fact, the first shipping company isn't even on this list until number 11, it looks like. And it is not FedEx or UPS. 

Dave Bittner: OK. 

Joe Carrigan: Can you guess who it is? 

Dave Bittner: Oh, what's the big - what's the international one? 

Joe Carrigan: Yep. You're on the right track. 

Dave Bittner: Yeah. It's... 

Joe Carrigan: Red and yellow. 

Dave Bittner: Yeah. It's, like, three letters. 

Joe Carrigan: DHL. 

Dave Bittner: DHL. 

Joe Carrigan: Right. 

Dave Bittner: Thank you very much. OK. Yeah. Yeah. 

Joe Carrigan: Now, if you're going to pick cloud services, who do you think the No. 1 cloud service impersonation would be? 

Dave Bittner: I would go with AWS. 

Joe Carrigan: Ah. You'd be wrong again. 

Dave Bittner: Gah. 

Joe Carrigan: Microsoft. 

Dave Bittner: Microsoft - OK. 

Joe Carrigan: Right. Now, if you were going to pick the largest e-commerce site. 

Dave Bittner: That would be Amazon. 

Joe Carrigan: Ah. There you go. Ding, ding, ding.

Dave Bittner: Ding, ding, ding. 

Joe Carrigan: You got it. 

Dave Bittner: (Laughter) OK. I'd be doing all right if I was a baseball player - 1 out of 3. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Now, their financial services website is a French company that I've never heard of, but... 

Dave Bittner: Yeah. 

Joe Carrigan: So let's discount that one, Dave. 

Dave Bittner: OK. 

Joe Carrigan: If you were going to go with another financial services company, what do you think is second on their financial list? 

Dave Bittner: Financial services company? 

Joe Carrigan: Yes. 

Dave Bittner: I would say, like, Merrill Lynch or - yeah - one of the big - one of those. 

Joe Carrigan: OK. Well, if you're going to go with, like, traditional financial services company, you're close. It's Wells Fargo. But higher on the list is actually PayPal. 

Dave Bittner: Oh, OK. 

Joe Carrigan: PayPal is pretty high on the list. 

Dave Bittner: Yeah, I guess I don't reflexively think of PayPal as being a... 

Joe Carrigan: Right. 

Dave Bittner: ...Financial services company. 

Joe Carrigan: We don't think of that. 

Dave Bittner: Yeah. 

Joe Carrigan: I find it interesting that Facebook is dominating the social media phishing. And you know, I think I know why that is. 

Dave Bittner: Yeah? 

Joe Carrigan: And here's my suspicion. First off, I think Facebook accounts are valuable, particularly when you build a business presence on them, right? Now, we're in the process of doing this with my wife. She's starting a small business. 

Dave Bittner: OK. 

Joe Carrigan: And one of my concerns is the security of her personal account because she's an admin on the business page that she has, right? 

Dave Bittner: I see. 

Joe Carrigan: I'm also an admin. Our daughter is also an admin. But if they got access to her account, her personal account, they could come into that page, kick my daughter and me off as admins and start marketing anything else, change everything about it, take complete control of it. And we've seen that happen. 

Dave Bittner: Right. 

Joe Carrigan: And getting that back from Facebook is very, very difficult. 

Dave Bittner: Oh, you should just call up Facebook customer support, Joe. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Just call the 1-800 number. Someone will answer the phone and be on your request right away. 

Joe Carrigan: Hey, Joe, what can I do for you? 

Dave Bittner: Yeah. Oh, Joe, good to hear from you again. What? Someone took over - oh, well, that won't stand. 

Joe Carrigan: We'll fix that right now. 

Dave Bittner: I'm just going to do it right now while I have you on the line. Yeah. 

Joe Carrigan: It's a service that people would even gladly pay for it, right? 

Dave Bittner: Right. 

Joe Carrigan: Like, if Facebook had a page recovery... 

Dave Bittner: Right. 

Joe Carrigan: ...A page recovery feature that you could pay 100 bucks to get your business page back... 

Dave Bittner: Yeah. Name your price. Talk about your perverse incentives. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, people would pay for that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Especially if their business pages got taken over. You know, our Catch of the Day is actually from a friend of mine. And it's from a person who - I don't know if they're impersonating his friend or if they took over his account, but they're trying to scam him. So that's another use case for these social media accounts. 

Dave Bittner: Yeah. 

Joe Carrigan: Whenever you get a message from somebody that's kind of out of the blue and unexpected, you should be alert, right? 

Dave Bittner: Right. 

Joe Carrigan: If you haven't heard from somebody in a while and all of a sudden, they're talking to you about something, either maybe their account's been broken into or perhaps they've become involved in some kind of multilevel marketing program. 

Dave Bittner: Right. 

Joe Carrigan: In which case... 

Dave Bittner: Either way... 

Joe Carrigan: Right - either way. 

Dave Bittner: (Laughter) Shields up. 

Joe Carrigan: Right. 

Dave Bittner: OK. 

Joe Carrigan: There are some interesting data in here about statistics on timing. Monday and Tuesday are the top days for phishing, which I think is interesting. Seventy-eight percent of phishing attacks occur on weekdays. These guys have regular jobs, Dave... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...These phishers. 

Dave Bittner: Nine to five, sure. 

Joe Carrigan: Yeah. 

Dave Bittner: Sure. 

Joe Carrigan: Monday and Thursday are the top days for phishing Facebook, and Thursday and Friday are the top days for phishing Microsoft - phishing for Microsoft credentials which - that doesn't surprise me - right? - 'cause if you're phishing somebody for Microsoft credentials, you're probably going after a Microsoft 365 account... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That a business uses. 

Dave Bittner: Right. 

Joe Carrigan: And the best days to hit those are at the end of the week when people are tired and they're just looking forward to getting out of it. 

Dave Bittner: Just want to clean out that inbox... 

Joe Carrigan: Right, exactly. 

Dave Bittner: ...And hit the weekend. Yeah. 

Joe Carrigan: Yep. 

Dave Bittner: Yep, makes sense. 

Joe Carrigan: So the report is from Vade Security. You can check it out if you want. They have a pretty good summary on the page - on the link that we'll put in the show notes. But if you want to click through and get the whole report, it's a pretty good report. 

Dave Bittner: Yeah. All right. 

Joe Carrigan: It's got a lot of interesting statistics. And you know, Dave, I love statistics. 

Dave Bittner: Yes, you do. 


Dave Bittner: All right. Well, it's time to move on to our Catch of the Day. 


Joe Carrigan: As I said before, Dave, our Catch of the Day comes from a friend and former co-worker of mine named Bob. Bob, by the way, writes beautiful code. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: You know, you ever see someone's code when they write it and it's just like, you haven't even read the code yet, but you look at it, and it's just like, man, that looks nice. 

Dave Bittner: It's a work of art. 

Joe Carrigan: It's a work of art. 

Dave Bittner: OK. 

Joe Carrigan: Bob's code was always like that. 

Dave Bittner: All right. 

Joe Carrigan: So like I said, Bob has been... 

Dave Bittner: Wait, wait, wait, what was your code like, Joe? 

Joe Carrigan: My code was also like that. I've had people tell me the same thing. 

Dave Bittner: Oh, OK. 

Joe Carrigan: You know - 'cause I'm meticulous. Maybe that's why I appreciate Bob's style layout. 

Dave Bittner: OK. 

Joe Carrigan: It's because - maybe what I'm actually saying is that Bob and I have the same kind of style layout that we do in our code. 

Dave Bittner: I see. OK. All right. Good enough. Fair enough. 

Joe Carrigan: But it makes it easier for me to read the code. 

Dave Bittner: Yeah. 

Joe Carrigan: So Bob had a - has a friend named Darren, and I don't know if this is Darren's account that got compromised or somebody is impersonating Darren, but somebody is sending Bob a message. And Bob, of course, realizes immediately, this is not Darren. So why don't you play the part of Darren, and I'll play the part of Bob? 

Dave Bittner: OK. 

Dave Bittner: (Reading) Hello. How are you doing? 

Joe Carrigan: (Reading) What's up? 

Dave Bittner: (Reading) Am good. Did you watch the news last week about Steve Phillips? He is the agent in charge of the new program by the federal government for those who need assistance paying bills, buying a home, starting their own business, going to school or even helping raise their children with old and retired people and disabled. I got $85,000 delivered to me when I apply for the grant, and you don't have to pay it back. 

Joe Carrigan: (Reading) Damn, can I borrow $5,000? 

Dave Bittner: (Reading) Let me give you the link to text him. Am sure you will qualify for it. 

Joe Carrigan: (Reading) I don't need the link to text him. 

Dave Bittner: (Reading) Trust me. 

Joe Carrigan: (Reading) Don't send. 

Dave Bittner: (Reading) Oh, OK. If you can't, bye. 

Joe Carrigan: (Reading) Can I just borrow $5,000 from you? 

Dave Bittner: (Reading) No. 

Joe Carrigan: (Reading) Come on, bro. You don't need $85,000. How about just $2,000? 

Dave Bittner: (Reading) Have use it for basic things. 

Joe Carrigan: (Reading) Oh, how about $500? 

Joe Carrigan: So at this point, Bob just starts messing with him and goes... 

Joe Carrigan: (Reading) Hey, how are you doing? Did you hear about the actress that got stabbed last week? Reese something. I'll pretend you said Witherspoon, and then I'll say no, with a knife. 

Dave Bittner: Ugh. 

Joe Carrigan: (Laughing, reading) Are you there? Can you still hear me? Hey, did you hear the news last week about Steve Phillips? I'll send you the link to text him. Hold on. 

Dave Bittner: (Laughter). 

Joe Carrigan: So Bob just starts copying and pasting the guy's messages back to him. 

Dave Bittner: Right, right. 

Joe Carrigan: But by the time this has started, the guy's realized what's going on. 

Dave Bittner: He's probably blocked him. 

Joe Carrigan: He's probably blocked him, yeah. 

Dave Bittner: Yeah, yeah. Now, I've had this happen to me before where a friend's account has been compromised, and they start texting me out of the blue. I think the point you made earlier in the show about, I think, particularly, if you start getting text messages from someone who has never texted you before... 

Joe Carrigan: Right. 

Dave Bittner: And they are this casual and - you know, then that's obviously a big red flag. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. All right. Well, a good Catch of the Day. We would love to hear from you. If you have something you would like for us to share on the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Justin Reilly. He is the CEO of a company called Impero. And we discussed the mental health of kids in the digital age and particularly the transition that we've seen as kids had to go to school remotely over the past years and some of the software that has sort of inserted itself into that kid-teacher relationship. Here's my conversation with Justin Reilly. 

Justin Reilly: I think it stands to reason that using technology in some subjects is far more straightforward than using it in others. You know, if you look at mathematics, which is my background, versus English, it is much harder to use the technology to assess English literature responses to questions than it is to assess mathematics. You know, it's not completely difficult. It's not impossible. But, nonetheless, the technology is quite different, and the subject matter content will lend itself either to the use of technology or otherwise. But I think if you look at how teachers are interacting with learners and how they're using technology in the classroom, it's come to a bit of a head thanks to the pandemic. I mean, certainly, my perception is that where there was a reluctance prior to the pandemic to use technology across a lot of the profession, a significant amount of that has gone away because we were forced, through various different lockdowns, various different stages, to embrace either hybrid learning or remote learning or some combination thereof. 

Justin Reilly: And we're still seeing, you know, across the board - you know, whilst majoritively, people are back in the classroom, there is certainly still elements where children are being sent home or have got COVID and need to work from home or teachers are off because they've been tested positive. And that's impacting, you know, schools' ability to teach normally, you know. So we're not out of the woods yet. I think we all agree it's moving in the right direction, but nonetheless, it's not there yet. And so what it means is, at the moment, I think you have teachers who are more prepared to use technology and not just for assessment and setting of homework, which is positive, but actually to use it from an instructional point of view. And you have organizations who are busy creating the tools and the content to help teachers to deliver education virtually or face-to-face in, you know, use of technology. And the number of devices, you know - in the U.S., you're almost at a 1-to-1 ratio of device-to-learner, so access to that material is also much more prevalent. It certainly is something that we're going to see increasing throughout the world, and we're moving in that direction. 

Dave Bittner: So before we talk about the potential to assess a student's mental health, can we talk about just privacy in general? When software developers like yourselves are working on these sort of solutions, what is the approach to the privacy for students? 

Justin Reilly: It's - I mean, I can only talk about our organization. But I think this is certainly true of the majority of my peers. You know, we put data privacy and the child very much at the center of what we do. And we work daily to try and protect children, and that comes in various different formats. The first one is to make sure that only those that have access or have a need to have access to the data get access to the data. And secondly, what data they can access should be dictated by their role. In other words, it's not a free-for-all dip in and have a look around. Then you've got to look at who owns the data. Actually, we are not the data owner. We process data. And we, you know, enlighten teachers and educators to some of the outcomes from that processing, but we absolutely don't own the rights to that data. 

Justin Reilly: Now, once we've done analysis, and we've created, should we say, information for teachers to use, that's then put into the hands of those teachers, and it's for them to go and use - or a counselor or a digital safeguarding lead or whoever it may be. So in order to do that, we have to get permission from each and every school to do that within the school context. You know, we don't have the right to pull the data out and use it unless the school has assessed what we're doing with it and ensure that we are complying with all the decent regulations and rules that we have to. So as it stands at the moment, we are GDPR compliant. We are - you know, we applied to COPPA, FERPA. Yeah, we go through them all. 

Dave Bittner: So in terms of assessing a student's mental health and determining if a child may be struggling - you know, in a classroom, I think good teachers have a sense for this. They can tell if a child is having not a good day or worse. How do you go about doing an assessment like that with their online interactions? 

Justin Reilly: So one of the things we are looking at - and this is one of a number of different things that we look at - is what they're trying to do. So for example, we have keyword detection where we have a list of around 27,500 keywords covering a very large array of different topics with different levels of severity. I think one of the things being a U.K.-started organization - we're certainly not a U.K.-based organization now. We're predominately U.S. And we are, in fact, with a hundred different countries. But one of the things that we gain from being in the U.K. is their regulation around safeguarding and well-being is slightly enhanced. 

Justin Reilly: So there is an expectation that all schools are monitoring digitally what children are doing against that array of different topics. And that could range from eating disorders to domestic abuse to bullying all the way up to, you know, the ones that we are particularly scared about - obviously, shooting, suicide, et cetera, et cetera. So by watching what they're doing, by looking at the keywords, by then assessing the keyword against the context - and we're in the process of, you know, refining our artificial intelligence to really be better at understanding that context - we can begin to build a profile. 

Justin Reilly: In one of our products, Wellbeing, we're also encouraging teachers to manually input their observations as well, to put alongside those digital observations the very things that they see. You know, little Johnny was quiet today or had a bruise on him or something that may add a dimension to that chronology as well. And it's by viewing the chronology that we start to get a sense of the well-being around that particular child and whether there is potentially a mental health issue or something that we should be flagging to people within the school. 

Dave Bittner: How do you determine who is the most appropriate party to be alerted that there's an issue? 'Cause I'm thinking, you know, if a child - a child could have an issue with a teacher. A child could have an issue with a parent or with another child. Is there a way that you look at this and decide who best to notify? 

Justin Reilly: Well, we won't make those decisions. Decisions would come from the school, so we would expect the school to work with this to identify who the right character and the right player in that child's life would be. The - you know, where we're moving towards is a place where we're much more precise on that particular nature. You use the example of the child may have an issue with the teacher. You wouldn't flag a concern of that nature to that particular teacher for obvious reasons. You would need to find... 

Dave Bittner: Right. 

Justin Reilly: ...A counselor or someone else that was within the school that would be the right person to contact. And likewise, if you're talking domestic abuse, the last thing you want to do is to send a text to the parent and say, hey, we think there's this problem going on. That, in itself, would be just a trigger. So... 

Dave Bittner: Right. 

Justin Reilly: Prior to the use of something like Wellbeing, there is time spent with the school to understand who within the school should be contacted for what types of events or what types of concerns that we've got coming up. When it comes to digital safeguarding, of course, this is going to be as - on a response to something the child has done on the computer. So it will be - I'll use eating disorder as a good example. If we know that the child has got an eating disorder and we see that they're searching for appetite suppressant pages, then - or articles, then we would flag that to the right person within the organization, so they could then run the intervention. We don't do the intervention. It's not on us to do that. We can't do that. We're too removed. 

Dave Bittner: Do you have any examples of success stories here where you have flagged something and it's led to good outcomes for the students? 

Justin Reilly: Well, there are many. I mean, obviously, it is difficult to use real people in these conversations. And as much as I'd love to... 

Dave Bittner: Sure. 

Justin Reilly: You know, I can't. But I think probably the one that stands out - prior to the pandemic, I was down at a show in Florida - really good show, based on Miami Beach. And I had a teacher come up and thank me immediately for saving the lives of two children within the school. And obviously, to us, that sounds like (unintelligible). You know, we said, well, that's fantastic. You know, that's why we're here, right? But give us a bit more information. And essentially, he said we had flagged that there was a concern through our systems that there were two children who had been looking at sites that were related to suicide. And on further investigation, they were both children that had been considering it very seriously, and that intervention had worked. 

Justin Reilly: So you know, that's why we're here. That's why we do what we're doing. But it isn't only about that. That's sort of the extreme edge, if you'd like. The other edge, if you bring it in, is also on the impact of learning. So for every one child that we can save on something as severe as, say, a shooting or a suicide, on the flip side, you've got to also consider the many, many children whose education is being impacted because they're just not in a happy place. They need to be more settled. They need support with some issues that will then help them to be successful in the learning environment 'cause ultimately education, you know, that's at its core. That's what teachers are there for. 

Dave Bittner: What is the reaction of the teachers to this? I mean, it strikes me that, you know, this helps them do their job and can help take some of the burden off of them. We all know teachers are overworked, and so I could imagine that with everything they have to do, they probably appreciate something like this sort of having their back, being another set of eyes on their students. 

Justin Reilly: That's my impression. I mean, I am a teacher. I started my career as a mathematics teacher in a high school in central London, so I'm well aware of the pressure that has been placed on individual teachers. And in fact, I'd say the pressures now are far greater than when I was in the classroom. My view is that if we can provide information to a teacher that helps them to intervene earlier, that's a good thing. And if that intervention is, as I say, regarding learning as well as anything else, that is also a good thing, you know, because the same digital tools can also help us to identify how productive somebody is in the classroom. Are they on task? Are they off task? You know, really simple things like that can make quite a difference to how a teacher is engaging with the class. 

Justin Reilly: Yeah, we talk about mobility in the classroom, and the digital classroom is no different. You need to be moving amongst the students to see how they're getting on. But if you have a tool that is assessing the pace of learning and is assessing the well-being of students for you and presenting you with information about individual children that can help inform the way you teach, that has got to be a positive. And so yeah, I absolutely think teachers embrace this. When it's used fully, it becomes a very powerful aid. 

Dave Bittner: How do you strike the balance between doing what you're doing here, but also respecting people's privacy? I can imagine, you know, there are probably folks out there who would push back on this sort of thing, as they do on anything that they would see as perhaps being a little invasive. 

Justin Reilly: I think - well, yeah, I think we need to understand what invasive means on this one. Because having the data and holding the data and never letting go of the data for no purpose - in other words, you know, having that data doesn't help anybody do anything. I think they would have a genuine point, wouldn't they? If, again, you know, when they ask you to remove data after a period of time, if you refuse to do so, again, I think they'd have a genuine case. But that's not what we're talking about here. We're talking about using data to understand and learn and improve and inform, you know? And it's as simple as that. And as soon as it serves that purpose, it should no longer be with us. 

Justin Reilly: We should be removing any data that is - and we do - you know, removing any data that is no longer valid, no longer required or is about an individual that, you know, we have no purpose to view. And I think there are some really strict rules that we do need to be following to make sure that people can feel comfortable that the data's only being used for something honorable and genuine and that at no point is it being used to, say - let's say, monetize in a different direction. And those are, again, in our industry, certainly the leading players. You know, we absolutely focus on that. We don't want to be doing anything that is an imposition or is contravening people's own personal liberties. And I think that's a very important distinction. 

Justin Reilly: But at the same time, if I have an opportunity to assess millions of children to understand better the early triggers that may lead to an event, I think we have an obligation to do that, as well. And I think being able to assess data en masse, whether it's anonymized or pseudonymized or however, in order to be able to very quickly identify a pool of children who are potentially, at some point in the future, going to be at risk and intervene before it becomes a problem, I also think that's very, very important. You know, the damage is often done once you get in front of the child. So the sooner we can get in front of them, the better. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Yeah, I'm not sure how I feel about this, Dave. You know, I think that aiding in teachers updating their teaching style for kids is great... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? And that - software that says, OK, maybe these kids need you to do something different, right? That's fine. That's wonderful. You mentioned this before the interview, and I'm not going out on a limb on saying this, that the education system, globally, has been really disrupted for the past two years... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or so. And that has had an impact, and that - we are going to be seeing that impact for years to come. We can all agree that privacy and education is paramount, right? 

Dave Bittner: Right. 

Joe Carrigan: Again, not a controversial statement. You know, I'm not going out on a limb and saying anything here. But it's much more important when you're evaluating the mental health of a student, as well. So I'm glad to hear that Justin has a serious attitude about the privacy of the data for his students, and he's not using it as marketing data. That's great. That's fantastic. 

Dave Bittner: Yeah. Yep. 

Joe Carrigan: And the examples he provides are wonderful. You know, it is fantastic that he was able to enter - or that he was able to provide information that allowed teachers to intervene in the case of suicidal students... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or students who are considering suicide. Fantastic. Good work. And systems like this can help teachers intervene when it - when intervention is necessary, I would think. 

Dave Bittner: Yeah. 

Joe Carrigan: My only concern is - I still have concerns about the data privacy. And I understand that - I still tend to err on the side of privacy and still be - tend to concern myself with the privacy, particularly when you're talking about children. 

Dave Bittner: Yeah. 

Joe Carrigan: So as long as this technology is implementing the proper controls and safety measures to make sure that that is in place, OK then. 

Dave Bittner: Yeah. 

Joe Carrigan: That's good. 

Dave Bittner: Yeah. I mean, it's an intimate relationship... 

Joe Carrigan: It is. 

Dave Bittner: ...That your student - your kids have with their teachers. 

Joe Carrigan: Yep. 

Dave Bittner: And we put our kids in our teachers' hands for a huge part of their life... 

Joe Carrigan: Right. 

Dave Bittner: ...And trust them to let us know if they think our kids are have - are struggling with something. 

Joe Carrigan: Right. 

Dave Bittner: And so shifting that to - I guess putting a wall between our kids and the teachers... 

Joe Carrigan: That's not helpful. 

Dave Bittner: ...The technological wall, that makes it all the more challenging. 

Joe Carrigan: Right. 

Dave Bittner: So maybe software like this can help. 

Joe Carrigan: Oh, you're talking about, like - when you say putting a wall, you're talking about the distance. 

Dave Bittner: Well, yeah, exactly. I mean, the teacher's not walking through the classroom... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, having a sense for, that kid just doesn't seem right today. 

Joe Carrigan: Yeah, they're not getting as much body language, reading from them, things of that nature. 

Dave Bittner: Exactly. Exactly. 

Joe Carrigan: Particularly if the kid turns off his camera while he's in class... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? 

Dave Bittner: Yeah. And you could imagine a kid who's having trouble, who's struggling, would do just that. 

Joe Carrigan: Yep. Yeah. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Justin Reilly for joining us - really interesting stuff. We do appreciate him taking the time. 

Joe Carrigan: Definitely. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.