Hacking Humans 10.27.22
Ep 218 | 10.27.22

Setting tech limits with a new tool.

Transcript

Kim Allman: The great thing about the Smart Talk is that it's really adaptable to how as the family changes, as the kids are changing and as technology is changing. We wanted that flexibility to really be a key part of this tool.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some interesting stories to share this week. And later in the show, my conversation with Kim Allman from NortonLifeLock and Carrie Neill of the National PTA. We're discussing the Smart Talk 2.0 tool. 

Dave Bittner: All right, Joe, before we jump into our stories this week, you have a little bit of news to share. 

Joe Carrigan: Yes, I've accepted a position as director of cyberscience with a company called Harbor Labs. 

Dave Bittner: Congratulations. 

Joe Carrigan: Thank you. Thank you. 

Dave Bittner: So what exactly does this mean for you? 

Joe Carrigan: Well, it means I'm going to be doing some research on device security and also on probably doing some legal work, as well... 

Dave Bittner: Got you. 

Joe Carrigan: ...To support attorneys. But mostly, my focus is going to be on the security of medical devices, which is, I think, very important. 

Dave Bittner: And so what does this mean in terms of your relationship with Johns Hopkins? 

Joe Carrigan: I will be going to a part-time relationship with Johns Hopkins. I'm not leaving Hopkins. I'm going to still be there, maintain my presence, maintain my email address and maintain my work with the institution to just at a much lower rate. 

Dave Bittner: I see. 

Joe Carrigan: I'll be spending about 20%. So essentially, what I have now is two jobs, Dave. 

(LAUGHTER) 

Dave Bittner: OK. You know, and that actually relates to one of our stories this week, but we'll get to that in a second. Now, Harbor Labs has a Hopkins connection, right? 

Joe Carrigan: Yes, that's correct. The owner of Harbor Labs is Dr. Avi Rubin, who is one of our professors in the Information Security Institute and has a chair - or a seat, rather - not the chair but a seat in the - or an appointment. That's the term I'm looking for. Appointment in the computer science department, as well. 

Dave Bittner: I see. All right. Well, congratulations. It's very exciting. 

Joe Carrigan: Thank you. 

Dave Bittner: I know you're excited for it. 

Joe Carrigan: I am. I'm very excited. 

Dave Bittner: Yeah. All right. Well, let's move on to our stories this week. Why don't you get us started? 

Joe Carrigan: Dave, I have a story from a listener this week... 

Dave Bittner: OK. 

Joe Carrigan: ...A listener named Beau who sent this in. And I was floored by this story. This is an amazing and harrowing tale. 

Dave Bittner: OK. 

Joe Carrigan: So I'm going to read some of this. He says, Hello, Dave and Joe. I have been listening to "Hacking Humans" for years now. Back in 2017, I was the target of a pretty wild attack that I've been calling Human DDoS. So here's what happened. During the early parts of a business day, he started receiving hundreds upon hundreds of emails to his personal email account. And these emails were mostly sign-up or random mailing lists. 

Dave Bittner: Yeah. 

Joe Carrigan: And he was confused by this. But being a person who maintains an orderly inbox, he was diligently going through them and deleting them. 

Dave Bittner: All right. 

Joe Carrigan: A few hours later, in addition to the ongoing email campaign, he started to receive countless text messages. Now, 2017 is probably the days of unlimited text plans, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I can't remember when those things started becoming unlimited, but... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So that's not going to cost him money. But he starts receiving - we're talking - he says we're talking tens to hundreds of text messages per hour, which is a lot of text messages. 

Dave Bittner: Yeah. 

Joe Carrigan: With both the emails and the texts happening, after lunch, he started getting phone calls. So, like, everything's lighting up on this guy. 

Dave Bittner: Right. 

Joe Carrigan: Beau is like, what is going on here? He says they were endless, literally ringing one after the other. And every time he answered the phone, it would be some random number, but it would be the same music. And it was holiday-themed not around the holidays. 

Dave Bittner: OK. 

Joe Carrigan: And he called the cell phone provider, and they said, well, we can't really do much about that except put you on the highest level of spam blocking. But during the phone calls, while he was still deleting emails, he caught an email from his bank - right? - telling him that they identified some suspicious ATM withdrawals from his account. So he verifies that these are actually from his bank. And he calls his bank. And they say, yeah, yeah, we've seen some people are withdrawing, like, 200 bucks from different ATM locations. And he's like, stop. Stop the card. 

Dave Bittner: Yeah. 

Joe Carrigan: Stop it. Then as soon as he tells them to freeze the ATM card, all of the texts, phone calls and emails stop... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Which is interesting. 

Dave Bittner: OK. 

Joe Carrigan: He was working with the bank on remediating the other risks, like web banking credentials, getting that fixed up. And then he says somebody is on another support line, pretending to be him, asking them to reactivate the card. 

Dave Bittner: Oh. 

Joe Carrigan: Right? The person on the other end has all of the verifying information. And Beau's like, OK, this is obviously bad, but that's not me. And the bank errs on the side of caution and doesn't reactivate the card... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? - because if you got two people saying, I need you to reactivate my card, another person going, don't do that. That's not me. 

Dave Bittner: (Laughter). One person saying, leave all my money in a bag out front of the bank branch... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...And I'll be by to pick it up. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: You don't listen to that guy. 

Dave Bittner: Right, right. OK. 

Joe Carrigan: You listen to Beau. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And he got everything reset. He doesn't know where they got his PIN, but he thinks it probably came from a skimmer on an ATM because that's the only place he uses his ATM card with a PIN... 

Dave Bittner: That makes sense. 

Joe Carrigan: ...Is to get the money out. 

Dave Bittner: Right. 

Joe Carrigan: He did file a police report, and he - they were encouraged because the ATM thefts were actually - or the thefts were at, actually, local ATMs. And maybe they were going to get some people with the footage from the ATMs. He did hear later that there was somebody arrested for a string of ATM thefts, but he didn't know if it was his guy or not - you know, the bad guy. And I would be surprised if the police ever told him it was him. They probably just reached some plea deal with that guy and, you know, either locked him up or gave him probation or something. Who knows? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But good news - the bank did make him whole. They didn't hold him accountable for any of that. He was reacting. But I thought this was absolutely fantastic. This is like alert fatigue five years ago, that alert fatigue that caused the - I think it was the Uber breach or the Rockstar breach. One of those two breaches... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Was due to alert fatigue. And here, this guy is trying to overwhelm Beau with emails, phone calls and texts so that he misses the communication from his bank... 

Dave Bittner: Oh, I see. 

Joe Carrigan: ...So that he can keep getting money out. But Beau didn't miss it. Beau caught it, fortunately. 

Dave Bittner: So just flooding him with every kind of communication, hoping that - to buy him - for the thief to buy himself time... 

Joe Carrigan: Exactly. 

Dave Bittner: ...To be running from ATM to ATM. 

Joe Carrigan: Right, because if you go from ATM to ATM and you don't distract the user - right? - then when the user gets an email from the bank, the user goes, oh, my goodness. This is happening. Let's shut that card down right now. But what happened was, I mean, this flood of information was just to drown - hoping that that communication would be lost in the noise. 

Dave Bittner: Right. 

Joe Carrigan: And it's a creative attack. 

Dave Bittner: It seems like it would require multiple operators here. Like, while one person is going from ATM to ATM, the other person is running the flooding, the DDoS-ing, you know? But just quick - real quick for folks who may not be familiar with the term, can you just define what DDoS is? 

Joe Carrigan: Sure. DDoS stands for distributed denial of service. 

Dave Bittner: Yeah. 

Joe Carrigan: And usually it has to do with overwhelming, like, a web page or a server or maybe even a client to knock them off the internet because any computer can only handle so much traffic. And when you overwhelm that computer with traffic, it can't handle it. And a lot of times it'll fail... 

Dave Bittner: Right. 

Joe Carrigan: ...Not in a graceful manner. So there - it used to just be called denial of service. But the problem with denial of service is eventually, you know - like, if you try to take down Google, right? 

Dave Bittner: Yeah. 

Joe Carrigan: You cannot - you as an individual - it doesn't matter who you are. If you're Amazon and you only have one - you know, one computer to launch from, it doesn't matter how big your pipe is. Google's pipe is bigger. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right (laughter). 

Joe Carrigan: So you're going to be spit in the ocean, as one of my old economics professors used to say. 

Dave Bittner: Yeah. 

Joe Carrigan: So you distribute the task across many people, right? Now you have a lot of people that can come and take down the target. 

Dave Bittner: Right. And if they block one source, there's... 

Joe Carrigan: Right. 

Dave Bittner: ...So many... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Coming from so many different places. 

Joe Carrigan: That's like my idea of, if you have a pack of dogs, you know, if you had to choose between 20 Rottweiler - or two Rottweilers or 20 Bichons, I say train 20 Bichons as attack dogs. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: OK. 

Joe Carrigan: Because what happens if, you know, you have two Rottweilers and somebody manages to incapacitate one of the Rottweilers? They just reduced your pack efficiency by 50%. But if they incapacitate one of the 20 Bichons, they still got 19 Bichons, right? 

Dave Bittner: (Laughter) Right. OK. Fair enough. 

Joe Carrigan: And it's hilarious, too (laughter). 

Dave Bittner: Yeah. Yeah. So all's well that ends well... 

Joe Carrigan: Right. 

Dave Bittner: ...For Beau. The crooks got away with some cash. 

Joe Carrigan: Maybe. They may have also gotten arrested, but we don't know. But, yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: Beau's good. Beau's whole. 

Dave Bittner: Right, right. Wow. I'm trying to think, how do you protect yourself against this? I mean... 

Joe Carrigan: I think that when you start seeing this, you call all your financial institutions, tell them what's going on, and, you know, be on the lookout for - if you start seeing this, actually start looking through your communications for messages from your financial institutions. 

Dave Bittner: I see. 

Joe Carrigan: I would bet that what happened here was this ATM guy probably just leased out these services from somebody on the darknet and said, I want - you know, I'll buy spam texting services for a day for $10, spam email services for a day for $10 and spam phone call services for a day for $10. 

Dave Bittner: Right, right. 

Joe Carrigan: So it becomes very profitable for him. 

Dave Bittner: Right. Right - interesting. Now, this - I have not heard of this specifically. 

Joe Carrigan: Me neither. I'd never heard... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Of this either. And that's why I thought it was remarkably - I was floored by it. It was great. Great story, Beau. Thanks for sending it in. 

Dave Bittner: Yeah. I wonder how successful this is if someone is not as vigilant as Beau was. 

Joe Carrigan: Right. 

Dave Bittner: To what degree does this increase the thieves' ability to take from the ATMs? I suspect it probably works pretty well. 

Joe Carrigan: I would bet it does. Yeah. 

Dave Bittner: Yeah. All right - interesting. Well, yeah, to echo what Joe said, thank you, Beau, for sending that in. We do appreciate it. We would love to hear from you. Our email is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, my story this week comes from Business Insider. And this is about - it's an article written by Hannah Towey, and the title is "Tech CEO Calls Overemployment Trend a New Form of Theft and Deception After Firing Two Engineers Secretly Working Multiple Full-Time Jobs At Once." Now, Joe... 

Joe Carrigan: I saw this story, yeah. 

Dave Bittner: This is coincidental to you - oh, I don't know - taking on two jobs. 

Joe Carrigan: Right. Yeah, yeah, that's right. 

Dave Bittner: (Laughter) Taking on two jobs at the same time. But... 

Joe Carrigan: (Laughter). 

Dave Bittner: Just - it's - what a crazy random happenstance... 

Joe Carrigan: Yes. 

Dave Bittner: ...That this would be my story this week. So this is... 

Joe Carrigan: I'm not doing two full-time jobs. 

Dave Bittner: Yeah. (Laughter) Does either company know that? 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: Everybody knows everything that's going on, so - and I'm talking about it on a podcast. 

Dave Bittner: All right. OK. So this story starts off with a CEO of a company called Canopy - a gentleman named Davis Bell, who shared on LinkedIn that they had discovered that a couple of engineers who were working for them remotely had actually been working for two different companies full time... 

Joe Carrigan: Right. 

Dave Bittner: ...At the same time. 

Joe Carrigan: Yes. 

Dave Bittner: And I've seen this a couple times where people have talked to - now, I've seen this on Twitter from people bragging that they were pulling this off - right? - saying, oh, I'm a software engineer, and there's such demand for us that I can get a remote job. I've seen people brag that they had four different jobs. 

Joe Carrigan: Now, that seems a little much, though, doesn't it? 

Dave Bittner: It seems like a little much, but what they were taking advantage of was that if someone goes through the trouble of hiring you, you're generally going to make it through one pay cycle... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Before they fire you. 

Joe Carrigan: Right. 

Dave Bittner: And for these jobs, which are well-paying jobs - usually, you know, in the six figures... 

Joe Carrigan: Yep. 

Dave Bittner: ...You have four of those for two weeks or a month - profit. 

Joe Carrigan: Right, yeah - huge profit. 

Dave Bittner: Right. Right. So in this case, they had an employee who was not doing well. They said after 2 1/2 months of poor performance, they brought the engineer in to talk to HR. They actually checked with the engineer's previous employer - just did a - like, an employee verification request. And the previous employer said, no, he's still working for us. 

Joe Carrigan: Aha. 

Dave Bittner: What are you talking about? Like, he never left. 

Joe Carrigan: I understand why his performance is not so good now. 

Dave Bittner: Right. Right. He was missing meetings. He was missing deadlines. Another red flag was that he had taken his LinkedIn account and made it private, and he was not listing the new company as his current place of employment on his LinkedIn. So he was trying to hold two 9-to-5 positions at the same time, wasn't able to make it work and ended up being fired. 

Joe Carrigan: I have a bit of advice for him when trying to pull this off. Shut down your LinkedIn account. Just tell people you don't use it. 

Dave Bittner: OK. Is this really what we want to be doing here, Joe? 

Joe Carrigan: No. 

Dave Bittner: So I'm curious what your take on this also is, Joe, because lots of people have full-time jobs. 

Joe Carrigan: Yep. 

Dave Bittner: And then they'll have a side hustle. 

Joe Carrigan: Yeah. 

Dave Bittner: Or maybe they'll have a part-time job, and they'll pick up some hours on the weekend or in the evening to try to... 

Joe Carrigan: I've done that. I... 

Dave Bittner: Yeah. 

Joe Carrigan: I've worked at - there's a local UPS distribution center that I worked at in the evenings. 

Dave Bittner: Yeah. 

Joe Carrigan: By the way, that's a great job if you need evening work. 

Dave Bittner: Yeah. Just - so you pick up a few extra bucks, pay off some bills, you know, maybe make some - fill up your savings. Who knows? 

Joe Carrigan: Yeah. 

Dave Bittner: But they're making the point that this is not that. 

Joe Carrigan: No, this is not. This is fraud, straight up... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is what this is. You know, when you make - I don't know if there's any legal recourse these companies have - either one of these companies have, but there might be. 

Dave Bittner: Yeah. 

Joe Carrigan: It depends on how the employment contract is written, you know? This will be your only full-time job. And I know that there are employers now that say you may not have any outside interests. And if you do, that violates the employment agreement. I don't know that they're going to go and get money back from the guy. That's probably unlikely, in my estimation. But this would be a good question for Ben Yelin, what the legal ramifications are. 

Dave Bittner: Yeah. I also wonder, like, is there an employment version of a credit report, you know, where... 

Joe Carrigan: Right. 

Dave Bittner: ...I mean, because obviously both this company and the previous company that he listed as being his employer - you know, none of them are going to have good things to say about this person. 

Joe Carrigan: Right. Yeah, that's an excellent question. I've often wondered if there's some kind of secret database out there, Dave. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: But there probably isn't, 'cause I've been looking around for a long time, and I've never found it. 

Dave Bittner: OK. That's very conspiratorial of you, Joe. 

(LAUGHTER) 

Joe Carrigan: But I say, Dave, I didn't say there is out there. I just haven't found it. I said, I don't think it's out there. 

Dave Bittner: OK. 

Joe Carrigan: It's kind of like Bigfoot, you know? We've had - we've done a lot of searching for Bigfoot - never found him. 

Dave Bittner: Right. Right. 

Joe Carrigan: Pretty sure he's not out there. 

Dave Bittner: If he exists, he's very blurry. 

Joe Carrigan: Right. 

Dave Bittner: We know that. That's one thing we know. So I wonder, if you're an employer - you mention one way you could do this. You could have in your employer - your contract - be very overt and say, we expect that you are not going to be working for anyone else... 

Joe Carrigan: Right. 

Dave Bittner: ...Full time. Now in this case, clearly, the person was lying. 

Joe Carrigan: Right. They said, oh, yeah, sure. 

Dave Bittner: Yeah. 

Joe Carrigan: And then they don't - they miss meetings and miss deadlines. 

Dave Bittner: Right, right. But let me ask you this. Suppose you are an employee - an employer, and you had an employee doing this and they were doing a fine job. 

Joe Carrigan: Right, they're actually working 16-hour days. Right? 

Dave Bittner: Right. 

Joe Carrigan: And they're even managing the time well. I mean, at that point, do you care? 

Dave Bittner: Right. That's my question, because also for a full-time employee, they're not an hourly employee. 

Joe Carrigan: Right. They're usually salary. 

Dave Bittner: Yeah. You're paying them to do a job, regardless of the number of hours they do the job. 

Joe Carrigan: Right. 

Dave Bittner: Right? Now, I suppose for a full-time employee, you can say as part of the position that we expect you to be available between these hours of business. 

Joe Carrigan: Yes. 

Dave Bittner: So there could be that. I don't know. It's - I guess if someone could pull it off and do a great job, then this never would have come up, right? 

Joe Carrigan: Right. Right. 

Dave Bittner: They wouldn't have noticed. But this person was doing a terrible job, according to this report, and that's when they got found out. 

Joe Carrigan: Dave, I'm going to go ahead and bet that there are people out there who are doing a good job and pulling this off and doing it well... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And probably managing the time well and hustling like crazy. And they're probably young, start - developers out of school who've gotten a couple of jobs. And, you know, they don't have families, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: 'Cause I'll tell you, Dave, there's no bigger time-sucking in the world than a family. 

Dave Bittner: (Laughter). 

Joe Carrigan: Not that you shouldn't spend time with them. 

Dave Bittner: Right. 

Joe Carrigan: Actually, that's - actually, I look at, you know, my job as the time-suck away from my family. But, you know... 

Dave Bittner: (Laughter) Right, right. Good save, Joe. Good save. Yeah. 

(LAUGHTER) 

Dave Bittner: Yeah, it's true. 

Joe Carrigan: Yeah. We work so that we can be with our families. But if you don't have a family, maybe you do work two jobs and do it well. 

Dave Bittner: Yeah. 

Joe Carrigan: I'll bet there are people out there doing this right now, and nobody notices or cares. 

Dave Bittner: Yeah. Well, I mean, I also suppose that because there's so much remote work now and we hear about folks who get jobs and have never actually met the people they're working for... 

Joe Carrigan: Yeah. 

Dave Bittner: They get hired remotely. They work remotely. It makes it much easier for this sort of thing to happen. 

Joe Carrigan: It does. 

Dave Bittner: Yeah. All right. Well, I'll have a link to that story in our show notes. Again, we would love to hear from you. If you have a story you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it is time for us to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Speaking of remote work, Dave, our Catch of the Day comes from Rodney, who writes, my youngest son's girlfriend has been unemployed and looking for a job for a few months. She needs remote work. She received this email yesterday and sent it, due to being excited about it. Unfortunately, I had to be the one to tell her it appeared to be a scam. I explained what was going on. From looking at the job posting on LinkedIn, over 400 people had applied, and there were several things that stood out. So, Dave, why don't you go ahead and read this wonderful piece of employment-offer lettering. 

Dave Bittner: All right. It goes like this. 

Dave Bittner: (Reading) For your consideration stand, you have just been confirmed qualified for this position. Congratulations. You are welcome to TBG Services. You are now given a chance to show your commitment, charisma, diligence and be a productive employee. Furthermore, you will receive your duties via email every day, and I will always be online to assist you with any difficulties. After the orientation and training, an appointment to meet with a representative from the company would be scheduled to sign the forms you will need to complete, including eligibility-to-work forms, tax withholding forms and company-specific paperwork. 

Dave Bittner: (Reading) Your orientation will hold on a secure server because of our company policy based on the high priority of privacy of the company. Here are the names of the softwares you will need to start working with - Tracker, to calculate your hours, Peachtree Complete accounting software, Sage Simply accounting software, Microsoft Excel, Microsoft Word, MacBook Pro. 

Dave Bittner: (Reading) We have a finance department, the parent company for TPG Services, that will be funding this orientation program. They will be issuing a check to you to support the material listed above. I will let you know and provide you with a tracking number to keep track of it. Also, you would be going through a one-week probation period, after which you would start enjoying our benefits package, which include health, dental, employee wellness, 401(k) plans, paid time off and holidays, with generous company discounts. You will be working from home. 

Dave Bittner: (Reading) You are to report online by 8 a.m. to 5 p.m., Monday through Friday - $24 hourly. You will get paid $20 hourly during this probation period. Find attached, print, sign and return through email. Also, please send me the below to enlist into the company register for proper documentation, and mail your check for funds required to acquire your material. Further instruction will follow as soon as I get those details - full name, current home address, mobile number. Thank you for taking the time to read this. We look forward to having you on board. 

Joe Carrigan: (Laughter) Right. So you know what's going on here, right? 

Dave Bittner: Well, is this like a check - advanced check scam? 

Joe Carrigan: Yeah, exactly. Exactly. 

Dave Bittner: Which is... 

Joe Carrigan: They're going to send her a check. 

Dave Bittner: Yeah. 

Joe Carrigan: She's going to deposit it into her bank. And then she's going to go out and buy things from places they're going to tell her that they need to buy it from, which actually just winds up sending money to these guys. And then she's going to send back the other check that's the balance of what she didn't spend. And then the check that she wrote is - or that she received is going to bounce. 

Dave Bittner: I see. 

Joe Carrigan: And that's how they're going to get their money. But it is just essentially a scam. And this email is very poorly worded. 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: So I think Randy just probably saved his son's girlfriend a ton of money and heartache but probably had to break her heart in the process. And I hope that she listened to him. 

Dave Bittner: Yeah. Well, you can see how someone could get excited about this, too. 

Joe Carrigan: Oh, absolutely. 

Dave Bittner: I mean, there's... 

Joe Carrigan: Sure. 

Dave Bittner: Yeah. It's probably, you know, otherwise a good job - well paying. 

Joe Carrigan: Right. Yep. 

Dave Bittner: All that sort of stuff. But you're right. There are those telltale signs - lots of repetition of words that's odd (laughter). 

Joe Carrigan: Yeah. And when they list software, they put MacBook Pro in the software. 

Dave Bittner: Right. 

Joe Carrigan: Last time I checked, that was actually a thing you could touch, Dave. 

Dave Bittner: (Laughter) Yes, indeed. Absolutely. All right. Well, our thanks to Rodney for sending that into us. We do appreciate him taking the time. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Kim Allman from NortonLifeLock along with Carrie Neill. She is from the National PTA. That is the - I suppose you could call it the mothership of all the... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...PTAs that we have at our schools. And they are talking about a shared initiative that is called Smart Talk 2.0. Here's my conversation with Kim Allman and Carrie Neill. 

Carrie Neill: Well, really, speaking also as a parent, it's a tough world out there to keep track of everything that's happening online with children, talking about equity across the country, making sure that families feel safe. And the best way to do that and provide that service for our families is to partner with organizations like Norton, who can help provide opportunities for us to sit down at a table and talk about what's important to us, how we can stay on top - on track of things and how we can learn together, including our kids in a conversation. So this partnership is one that we treasure truly and benefits our families across the country. 

Dave Bittner: Kim, can you give us a little bit of the backstory here about how the two organizations got together and what led you to where you are today? 

Kim Allman: Sure. So Norton and PTA have had an alliance since 2013. And, you know, just recently we decided to invest over $1 million to revamp the Smart Talk. The Smart Talk is really a collaboration with the PTA, and it's a free, interactive online resource that helps families have conversations and set healthy technology limits together. You know, we know from our Safety Insights report that 4 in 5 Americans feel it's essential for parents to teach their children about cyber safety. Even more telling is that 78% know that it's difficult for parents to keep children safe when they're online. That's why we think the Smart Talk is so important. And that's why we've invested the money and are willing to work and try and figure out more audiences and more families that we can reach with these important cyber safety conversations. 

Joe Carrigan: So, Carrie, for folks who might not be familiar with Smart Talk, can you describe it for us? How exactly does it work? 

Carrie Neill: Sure. So it's a fantastic program. And I have three children, two of which are at the age where they're really - they have their own devices and they're using them. And so you go to a website. You include your children's names, their ages, your information. And then what I love is it really walks you through, based off of your children's ages, what kind of questions you can ask. How comfortable are you? And it also poses questions to your kids as well. 

Carrie Neill: So it gives you tools to talk about each - things from, you know, cybersecurity to understanding what programs children - your kids are using, what apps. It gives you the language to have those conversations, which - I didn't grow up with the programs and the apps and cellphones that my kids did. So I felt really far behind, and I didn't know how to start the conversation and be proactive instead of reactive. 

Carrie Neill: So it's very developmentally appropriate according to the ages of your kids and what they're doing. And at the very end of it, you have a contract that you and your children sign together where you're really making the commitment to being respectful digital citizens. And it just helps pave the path for families to even just start the conversation. But also, it respects that every family's different. Every technology boundary that a family might want to have varies greatly. And it really respects that. And I know that our families appreciate that. 

Dave Bittner: Yeah. I have to say, you know, looking at it myself and having, you know, raised a couple of kids with my wife, that this is a challenging thing for folks to deal with, for families to deal with. And I really appreciate the framework here that - it really makes it a collaborative process where, you know, you're not coming down on high as parents and saying, you will or you will not do this. It really leads you through a conversation where you can find things that you all agree with. And as you say, it starts that conversation. 

Carrie Neill: Absolutely. And I know that when we first decided to get my oldest daughter a cellphone, I was very nervous about what's OK. I don't really know. And then, also, the time it takes to really stay on top of everything that's happening - and I think that she's probably a lot more technologically savvy than me. So I like that it provides a reminder to constantly update it because it's - parents are busy. You know, two working parents at home, three kids - we're a busy household. And I like that it helps keep us on track with that, with regular reminders. And then if we couldn't finish it, we can stop and save it. And I appreciated that, too, 'cause it's just a busy life. 

Dave Bittner: Now, Kim, beyond this agreement that a family comes away with, what other things are you and your colleagues there at NortonLifeLock recommending as sort of next steps once you have this agreement and the family wants to move forward? 

Kim Allman: Well, you know, I think that this - we're really excited about the agreement and especially the new launch of it because it really provides an opportunity for a continued conversation. Once you have the agreement, it gives you a road map to go back and continue the conversation if you get new technology, if they want new websites, if they want more - you know, if kids are interested in, you know, different variations of what the agreement is or if, you know, as they grow older. So I think the great thing about the Smart Talk is that it's really adaptable to how - as the family changes, as the kids are changing and as technology is changing, we wanted that flexibility to really be a key part of this tool. 

Dave Bittner: You know, Carrie, it also strikes me that, you know, the PTA is certainly an organization that's been around for all of my life, and I'm no spring chicken. But it strikes me that, you know, as an organization, you all have had to adapt to these new technologies as they've come along. You know, the PTA is not allowed - it's not just about bake sale fundraisers and, you know, community fairs and that sort of thing. You all have to adapt along with all these changing technologies. 

Carrie Neill: Absolutely. And we listen to what our families are saying and what our local units say that they need to support the families in their communities. And it's not just a reaction to the pandemic, but with the rate at which technology changes, the access level that our families have and their children have to technology, the way they're using them in schools, it's so fantastic. And we want people to feel very comfortable with utilizing technology in their life, feel safe, build that trust, but in a way where they know that it's vetted. 

Carrie Neill: It's from professionals. There's room for growth. There's room for variation between family and family. And I appreciate that as a parent but also as an advocate, that we're not just the bake sale, tweed, pearls group. We really, truly want to be where families are and where they're struggling and where they need help. And this was one that was loud and clear, was, help us understand how to keep our kids safe online. And it's just a great relationship. 

Dave Bittner: Yeah. Kim, can we touch on the inclusivity aspects of this? I mean, you know, different families, different communities have different amounts of access to this sort of technology. How did you all address that in the development of this platform? 

Kim Allman: Yeah. That's a really good question and is a really important focus for us. We made the tool really speak to what Norton and PTA's ongoing quest to advocate for inclusivity was - I mean, providing families with resources that they need to live their digital life safely. And, you know, as part of the effort to update the Smart Talk, we held focus groups, which were held with a wide range of families, to ensure that the tools worked for families from all backgrounds, beliefs and abilities. 

Kim Allman: And after conducting focus groups for Spanish-speaking families and receiving confirmation that parents would appreciate the Smart Talk in their native language, the tool is now available in Spanish, too. So we'd like to emphasize that it isn't through Google Translate. We hired native Spanish speakers to authentically reach Spanish-speaking kids and families nationwide. 

Kim Allman: You know, and another thing is that due to the fact that kids with disabilities primarily use screens to communicate, we opted to remove questions in the Smart Talk about screen time to be more cognizant of our word choices. So - and then we made the font and user experience more accessible for neurodiverse children. So it really was taking a step back and really examining what would make this tool more inclusive and reach more families. And I think we've done a really good job. It's, you know, the Smart Talk - we hadn't looked at it, really, to revise it since before TikTok. So there were lots of things that we had to consider and being inclusive was No. 1. 

Dave Bittner: Where do you suppose you're going to go from here? I mean, are there talks for a Smart Talk 3.0 on the drawing board already? 

Kim Allman: I think we would love to see this continue to get revamped and revised and made better. But we're still reeling from trying to get this out the door for the last year. 

Dave Bittner: (Laughter) Fair enough. 

Kim Allman: So we just got this over the line. So - but I think, you know, the really key thing to think about with this is technology is always changing. As I said, we hadn't looked at this before the advent of TikTok - right? - to revise it. So, you know, we're going to need to continue to look at it for, you know, reaching new audiences and for addressing, you know, technology and as kids and technology and families, you know, evolve over the course of time. So I think we'll probably update this on a regular basis. 

Dave Bittner: Carrie, if listeners want to find out more about this, where's the best place to check it out? 

Carrie Neill: Sure. That's a great question. So I'm excited to give you the website here. It's thesmarttalk.org. And I wanted to make sure that I mentioned that once you include your family name, you create that login, and you put your children's ages, it jumps you right into choosing which child that you're working on that agreement with. And it breaks it up into five segments. 

Carrie Neill: So the first questions are privacy and safety. But there's also communications, media choices, health and wellness and keeping promises, which I appreciated each one of those and the language that it gave me because sometimes I just didn't know what to say. And so it really breaks it up for everybody. And again, you don't have to do it in one sitting because I know sometimes it's hard to get all your kids in one area and corral them into sit down and work on this. 

Carrie Neill: And sometimes you need to take a break and walk away and think about some of the questions. That's what happened with us. We really weren't sure what apps we wanted our 14-year-old to use. So we took a break and then we came back to it. And so I encourage everyone that has kids out there to go and check it out. Again, it is thesmarttalk.org. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Some interesting information here. First off, it's great that Norton is making a tool available for school-age children... 

Dave Bittner: Yeah. 

Joe Carrigan: ...About cybersecurity. They talk about the fact that a Harris poll found that 50% of parents of children 5 to 8 years old - 52% of those parents let their kids use social media. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. Don't do that. 

Dave Bittner: (Laughter). 

Joe Carrigan: That is bad for your kids. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's bad for you. I'm not a big fan of social media. I really have locked it down. I think I still - I have a Facebook still. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't keep any of that stuff on my phone. 

Dave Bittner: Right. 

Joe Carrigan: I really don't. I only access it from my computer and even then, only to check on people that I know and interact with. You know, I had a great experience this weekend. I was talking to somebody who I said, do you have LinkedIn on your phone? Send me a LinkedIn request - because I don't keep it on my phone. I don't keep any social media on my phone with the exception of Facebook Messenger, and that's just to talk to my family. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: That's it. 

Dave Bittner: Yeah, but, Joe, babysitters are expensive (laughter). 

Joe Carrigan: Yeah, that's right. 

Dave Bittner: Just sit the kid down with a tablet (laughter), turn them loose on Facebook... 

Joe Carrigan: Oh, God. 

Dave Bittner: ...I don't know, Ashley Madison, who knows? 

Joe Carrigan: No. 

(LAUGHTER) 

Joe Carrigan: They're going to wind up on dating sites. 

Dave Bittner: Right, right. 

Joe Carrigan: It's only a matter of time, Dave, before someone makes a teen dating site, you know? 

Dave Bittner: Yeah. 

Joe Carrigan: It's going to happen. 

Dave Bittner: Yeah. 

Joe Carrigan: And I don't - I think that's a terrible idea, by the way. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm not endorsing that. 

Dave Bittner: Right. 

Joe Carrigan: I think that would just be so bad, for so many reasons. And 72% of parents of kids who are 9 to 12 let their kids use social media. And here, I have to admit, my son did have a Facebook account before he was 13. 

Dave Bittner: Yeah. 

Joe Carrigan: So as much as I hate social media - but this was years ago, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: This is almost 10 years ago now. In fact, it probably was 10 years ago because he's almost 23 now. 

Dave Bittner: Well, and I - you know, I remember having this conversation with my wife. She was - I was much more for delaying giving them mobile devices. 

Joe Carrigan: Yeah. 

Dave Bittner: But she said, no, if they're going to be out and about - and our kids walked to school. 

Joe Carrigan: Right. 

Dave Bittner: So she said, no, if they're walking to school, they're going to have a phone so they can - if there's an emergency or - and also, she was a big fan of the, you know, the GPS tracking on the phone, so... 

Joe Carrigan: Yeah. Yeah. We used that. We still use that. And now, it's turning the corner now, Dave, (laughter)... 

Dave Bittner: Oh? 

Joe Carrigan: ...That, yes, my kids have that on there so they know where I am. 

(LAUGHTER) 

Dave Bittner: Right. 

Joe Carrigan: 'Cause as I age, it's going to be more important... 

Dave Bittner: Hello... 

Joe Carrigan: ...It's not so important I know where they are. 

Dave Bittner: ...Joe wandered off again. 

Joe Carrigan: Right (laughter). 

Dave Bittner: He's walking around in a field somewhere babbling to himself (laughter). 

Joe Carrigan: (Laughter) Yeah. It's not uncommon for that to happen now anyway. 

Dave Bittner: I've got to go find him. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Where's Joe? 

Dave Bittner: Yeah. Well, I agree, I mean, I think this is a really interesting effort, and it's nice to see this kind of partnership between a well-known company like NortonLifeLock... 

Joe Carrigan: Right. 

Dave Bittner: ...And also a nationally recognized organization in the nonprofit space, the PTA. It's something that's good for everybody. 

Joe Carrigan: Yeah, and I think, you know, schools don't teach the cybersecurity stuff. This is an opportunity for that to happen. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, they might actually - I say that, but they might teach like safe operation of things. But I get the impression that a lot of them don't. 

Dave Bittner: Yeah, I think it's tough, and it's changing so fast, it's hard for them to keep up. 

Joe Carrigan: Absolutely. 

Dave Bittner: And, you know, like I know my kids - well, I still have one in high school, and they do have a technology class. But, you know, the kids are several steps ahead of the teachers... 

Joe Carrigan: Right. 

Dave Bittner: ...When it comes to this stuff. 

Joe Carrigan: And that's - high school, where they have the technology class, these kids are using this technology in elementary school. 

Dave Bittner: Right. Right. 

Joe Carrigan: You know, they're already digital natives. 

Dave Bittner: That's true. 

Joe Carrigan: And it's really - it's one of the hardest things to get kids to understand is that people are dishonest, you know? But lying is bad, is what you've always told me. Yeah, it is bad, but they're bad people. 

Dave Bittner: Yeah. 

Joe Carrigan: And they're going to do mean things to you. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Kim Allman from NortonLifeLock and Carrie Neill from the National PTA. We do appreciate them taking the time. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.