Hacking Humans 3.23.23
Ep 236 | 3.23.23

Do you have curtains on your house?

Transcript

Iain Thomson: I do carry a smartphone, but I will say this - location is only on when it's needed and then it gets turned off immediately, same with Bluetooth, same with Wi-Fi. And the first thing you do when you get any new bit of kit is go through and see what's extraneous and take it out.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault speaks with Iain Thomson from The Register about why he has no IoT in his house, along with his advice for those who do. 

Dave Bittner: All right. Joe, we've got some good stories to share this week. Why don't you lead things off for us here? 

Joe Carrigan: Dave, my story comes from businessplus.ie... 

Dave Bittner: OK. 

Joe Carrigan: ...Which is an Irish website. And of course, as I'm looking at this, there's an ad to the right to remind me that the last game of the Six Nations tournament is this weekend. 

Dave Bittner: Thank goodness (laughter). 

Joe Carrigan: And it will happen by the time this is released. So I'm really excited about this game. 

Dave Bittner: All right. 

Joe Carrigan: You know, but when this episode drops, everybody will know if I was disappointed or not. 

Dave Bittner: OK. 

Joe Carrigan: But this article is called "Ten Social Engineering Techniques Used By Hackers." So it's been a while since we've had a - an episode where I've talked about the general nature of social engineering. 

Dave Bittner: Yeah. 

Joe Carrigan: And I came across this article and was like, this is a pretty good summary. 

Dave Bittner: OK. 

Joe Carrigan: So of course, I also love lists. So we'll go through this like a list. 

Dave Bittner: OK. 

Joe Carrigan: No. 1 - baiting, which is where someone uses a false promise to appeal to your greed or maybe your curiosity. 

Dave Bittner: OK, yeah. 

Joe Carrigan: This is not just a social engineering trick, but it's also a marketing trick you see on all kinds of websites - click baiting. 

Dave Bittner: Right. 

Joe Carrigan: You know, you see the headline trails off with a little ellipsis, those little three little dots, that are like, Brooke Shields said what? What did Brooke Shields say? 

Dave Bittner: Right. Right. 

Joe Carrigan: That's what it is. 

Dave Bittner: Right, yeah. 

Joe Carrigan: It's the curiosity part. 

Dave Bittner: I've heard that refers - yeah, the - I've heard it referred to as the information gap. 

Joe Carrigan: Right. 

Dave Bittner: I think YouTubers use this all the time. You know, you won't believe what happened when we did this. 

Joe Carrigan: Right. 

Dave Bittner: What happened? I need to know what happened. 

Joe Carrigan: (Laughter) Really, won't I believe it? I'll bet I do believe it. 

Dave Bittner: Yeah, exactly (laughter). 

Joe Carrigan: That's my response to these things. I've become so cynical that this baiting really doesn't work on me, at least not for the information gap. 

Dave Bittner: Right. 

Joe Carrigan: But greed - I do have a little bit of greed in me. 

Dave Bittner: OK. 

Joe Carrigan: So I've got to be careful to watch out for people that promise returns, right? 

Dave Bittner: (Laughter) Yeah, right. 

Joe Carrigan: Another great example is an infected memory stick. That's another thing. I don't really fall - think I fall victim to that one because I do have a process for that that involves a Raspberry Pi... 

Dave Bittner: Yeah? 

Joe Carrigan: ...Taking a look at things. And if everything goes south, I'll just pull the disk out and rewrite it... 

Dave Bittner: OK. 

Joe Carrigan: ...Which you can do with a Raspberry Pi. It's nice. Next, pretexting - pretexting is the story that they tell you. It says here an attacker uses a made-up scenario to provoke an employee to disclose sensitive information. I like to say that it's the story they tell you to get you into the right mindset because if I called you on the phone and said, hey, Dave, I'm a scammer, and I'm going to try to take all your money out of your bank account, you'd be like, well, goodbye. 

Dave Bittner: Right. 

Joe Carrigan: Right? But if I call you and say, hey, Dave, I'm from your bank, and we need to log into your bank account because there's some fraud going on here. 

Dave Bittner: Yeah. 

Joe Carrigan: Now I have your attention. 

Dave Bittner: Yes. 

Joe Carrigan: Right? 

Dave Bittner: Yes. 

Joe Carrigan: It's the lie. A watering hole attack, which is where the attack - the attacker - this is not really a social engineering attack, but it does rely on people behavior - the behavior of people. 

Dave Bittner: Yeah. 

Joe Carrigan: So what they do is they will get a website that they know a group of people go to where they want to gain ingress into that group, like, let's say it's an employee group... 

Dave Bittner: Right. 

Joe Carrigan: ...Or a software engineering group or something like that. They will - if they - they will exploit a vulnerability in there that lets them perform some kind of malicious activity when the people they want to target come to that site. 

Dave Bittner: OK. 

Joe Carrigan: Quid pro quo... 

Dave Bittner: Yes. 

Joe Carrigan: ...This is an attack that relies on someone's sense of reciprocity. I did something for you, now you have to do something for me. This is actually an intelligence technique as well. You know, they use this a lot in intelligence gathering. 

Dave Bittner: Yeah. 

Joe Carrigan: So basically, whatever it is, is they will ask for assistance after somebody's been really nice to you. 

Dave Bittner: So you'll feel obligated to help because they did something for you. 

Joe Carrigan: Correct. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Scareware - this is - we see this a lot. In fact, I actually landed on a scareware site yesterday. 

Dave Bittner: Really? 

Joe Carrigan: Yep. And right there in the middle of the office where I work with a bunch of other security engineers, my computer started saying, caution, your computer has been detected. 

Dave Bittner: It started saying it out loud? 

Joe Carrigan: It started saying it out loud... 

Dave Bittner: Wow (laughter). 

Joe Carrigan: ...Through the speaker system of my computer. 

Dave Bittner: I haven't heard - I haven't seen that in a while. 

Joe Carrigan: Yeah. It was really embarrassing. 

Dave Bittner: (Laughter) I'll bet. 

Joe Carrigan: I went to - I was looking something up. I was trying to find a quote from somebody, and I went to some site that said it had quotes in the Google searches. And this is what I got. 

Dave Bittner: Could have been worse, could have been porn. 

(LAUGHTER) 

Joe Carrigan: It could have been - had that happen, too. 

Dave Bittner: Yeah. 

Joe Carrigan: That's awful - with my boss standing right behind me. 

Dave Bittner: Yeah. 

Joe Carrigan: Oh, he laughed and turned away, and I was so glad he was understanding. But yeah, scareware is just what it says - tries to scare you into action. And that's exactly what this was. It was very difficult for me to close the browser, too. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: I was surprised by that. 

Dave Bittner: Ugh. 

Joe Carrigan: For physical penetration of organizations, a really effective means is tailgating or piggybacking, right? Now, this is like you have badged access to somewhere. And because we are polite beings, we have said that, when we're walking in, we hold the door for people... 

Dave Bittner: That's right. 

Joe Carrigan: ...Right? Well, not in a secured area. And in fact, I've been employed by places where they say, if somebody else is coming in behind you without swiping their badge, you're supposed to tell them, swipe your badge. 

Dave Bittner: Yeah. 

Joe Carrigan: Go back out and swipe your badge. 

Dave Bittner: Yeah, but there's a lot of - I guess normal social or - social norms in any place other than a secure location... 

Joe Carrigan: Right. 

Dave Bittner: ...Makes that hard to do... 

Joe Carrigan: It does. 

Dave Bittner: ...Right? 

Joe Carrigan: A great trick with this is - that social engineers will use is they will have their hands full. 

Dave Bittner: Yeah. 

Joe Carrigan: And how you get around that is you say, oh, you have your hands full, let me hold your stuff and you go ahead and swipe us in. 

Dave Bittner: Right. 

Joe Carrigan: That's - you turn the tables on them, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: Next is one of my least favorite terms - vishing - right? 

Dave Bittner: Oh, OK. 

Joe Carrigan: It's just calling in on the phone... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And running a scam. It's a phone scam is all it is. It's the same thing as a scam when somebody walks up to you, except it's on the phone. 

Dave Bittner: Right. 

Joe Carrigan: Shoulder surfing - now, that's a technique that is used to gather things like passwords and things of that nature or to see what's going on in a website that you might not have information - you might get information disclosed to you that you're not entitled to get. 

Dave Bittner: Yeah. 

Joe Carrigan: And this is really simply just standing behind somebody and watching what they're doing. 

Dave Bittner: I've heard of this happening at ATMs... 

Joe Carrigan: Yep. 

Dave Bittner: ...Gas pumps... 

Joe Carrigan: Yep. 

Dave Bittner: ...And, you know, anywhere you have to put in your PIN for your... 

Joe Carrigan: It's a great way to get a PIN. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a - it's also - it can be easily overcome by using multifactor authentication or strong passwords, although I really think multifactor is the way to go. 

Joe Carrigan: Next they have on this list - and this is an old one that I haven't thought of in a long, long time - dumpster diving. 

Dave Bittner: Oh. Hmm. 

Joe Carrigan: I mean, when was the last time you thought about dumpster diving as a means of extracting information for social engineering purposes? 

Dave Bittner: It's been a - well, I don't know that I've ever thought of that, but... 

Joe Carrigan: Oh, really? 

Dave Bittner: Well - but I mean, I've certainly - in my younger days, I certainly did my share of dumpster diving because I loved electronic gadgets... 

Joe Carrigan: Right. 

Dave Bittner: ...And dumpsters were often great places to find things that other people didn't need anymore but could be of great use to me. 

Joe Carrigan: Sure. 

Dave Bittner: So yes, I have found frightening things on people's discarded computers that they did not know they were throwing away. 

Joe Carrigan: Yeah. 

Dave Bittner: So... 

Joe Carrigan: Yeah. Whenever I'm throwing away a computer, I take the hard drive out, and I take the platters out and smash them with a hammer. Now, I thought I was nuts for doing this, but I heard another one of my co-workers doing that with the chips on a SSD recently. He was just hitting them with a hammer in his office. I walked in there - what are you doing? He says, oh, I'm just destroying this hard drive. I'm like... 

Dave Bittner: Oh. 

Joe Carrigan: Yeah, I feel vindicated. 

Dave Bittner: OK. 

(LAUGHTER) 

Dave Bittner: Very good. 

Joe Carrigan: Now, keep in mind, I work in a security company, so that's... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: It's - these are the kind of people. And the last list on - or last item on this list, rather - not the last list on this list. The last item on this list is deepfakes, which are essentially synthetic media. We've talked about them a lot in this show. 

Dave Bittner: Yeah. 

Joe Carrigan: In the past, I have said I was not too terribly concerned about this, but I am very concerned about this for the upcoming election cycle. 

Dave Bittner: Oh, OK. 

Joe Carrigan: I think - you know, the audio that you played me... 

Dave Bittner: Right. 

Joe Carrigan: ...A couple episodes ago - people can go back and listen to that. That is remarkable in how good it is, and it's only going to get better from here. 

Dave Bittner: Yeah. Well, we saw a story recently where a researcher was able to log into his bank account using a synthetic version of his voice. 

Joe Carrigan: Huh. 

Dave Bittner: Yeah. 

Joe Carrigan: That's terrifying. 

Dave Bittner: Yeah. 

(LAUGHTER) 

Dave Bittner: Yeah, so... 

Joe Carrigan: Here we go, everybody. 

Dave Bittner: And, well - but I'm with you. I mean, up until that point, I was pretty skeptical of it... 

Joe Carrigan: Right. 

Dave Bittner: ...Especially the notion of using deepfakes for any kind of real-time interaction. But I think we're at the point now where that's plausible. 

Joe Carrigan: Yeah, it's definitely plausible. 

Dave Bittner: And we've - the stories are starting to come in where people are doing that. 

Joe Carrigan: Yep. 

Dave Bittner: So I'm not sure how we get around that one, but it's certainly one to keep an eye on. All right. Well, we will have a link to that story in our show notes. 

Dave Bittner: My story this week - actually, I'm kind of using a press release from the FTC, the Federal Trade Commission, as a point of departure for us here. 

Joe Carrigan: OK. 

Dave Bittner: So the FTC just finalized an order. They required the makers of Fortnite - the Epic Games folks... 

Joe Carrigan: Epic Games, yes. 

Dave Bittner: ...Yep - to pay $245 million for tricking users into making unwanted charges. So we're talking about dark patterns today, Joe. 

Joe Carrigan: Huh. 

Dave Bittner: So the FTC has a settlement with Epic. And basically, they're saying that Epic had all kinds of dark patterns in their games to get people to make unintended purchases in the games. They also said that Epic made it way too easy for children to make purchases... 

Joe Carrigan: Oh, right. 

Dave Bittner: ...While playing Fortnite without requiring any consent from their parents. 

Joe Carrigan: Huh. 

Dave Bittner: And then also, Epic - according to the FTC, if you disputed unauthorized charges on your credit cards, Epic would lock you out of your account... 

Joe Carrigan: Ah, OK. 

Dave Bittner: ...To play the game. So the commission voted 4-0 to - I guess unanimously... 

Joe Carrigan: Unanimously, yeah. 

Dave Bittner: ...Would be the way to say that - to approve this fine against Epic. But it really speaks to this notion of dark patterns, which is really what I want to dig into here today. You know, in gaming - I went and actually looked up some of the methods that they were using in Fortnite here. And in gaming, a lot of the dark patterns will be - like, let's say, for example, you're playing a game, and you want to buy some coins to use in that game... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? Well... 

Joe Carrigan: In Fortnite, those are called V-Bucks. 

Dave Bittner: OK. So you go to buy those, and there'll be a selection - there'll be a spectrum of things you could choose. 

Joe Carrigan: Right. 

Dave Bittner: But the one they really want you to choose is already highlighted. 

Joe Carrigan: Right. 

Dave Bittner: It's ready to go... 

Joe Carrigan: Yes. 

Dave Bittner: ...Right? It's there, right? 

Joe Carrigan: It's the one with the most coins and the biggest profit. 

Dave Bittner: Right. And that's the dark pattern. They're making it easy for you to do the thing that is in their best interest and not necessarily yours. 

Joe Carrigan: Huh. You know, I think about this - and when I signed up for Fortnite, I knew it was free to play... 

Dave Bittner: Yeah. 

Joe Carrigan: ...But I could buy some V-Bucks that would let me play with - to get the rewards for the season. That's how they do this. You pay a 950 V-Buck price... 

Dave Bittner: OK. 

Joe Carrigan: ...To play for the season. And in the season, you will get more V-Bucks... 

Dave Bittner: OK. 

Joe Carrigan: ...Usually around 1,500 V-Bucks. 

Dave Bittner: OK. 

Joe Carrigan: But for some reason, I purchased the 5,000 V-Buck package, not the 1,000 V-Buck package, which would have been the minimal amount I needed to buy. My reasoning was that the 1,000 V-Bucks was 10 bucks, but the 5,000 was, like, 25 bucks. 

Dave Bittner: OK. 

Joe Carrigan: But I don't know if - I wonder if I fell victim to this one, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: See, now you got me second guessing myself... 

Dave Bittner: You may have. 

Joe Carrigan: ...Because I still have 5,000 V-Bucks in my Fortnite account. 

Dave Bittner: Well, there you go. Right. Right. Right. And that's how they get you. 

Joe Carrigan: That's how they get you. 

Dave Bittner: Yeah. So there are lots of examples of this. I was doing some other, you know, looking around - poking around for other examples of this. And I think one that we probably all know about is when you want to get something done, and let's just say it's something - you want, like, a PDF reader or something like that. 

Joe Carrigan: Right. 

Dave Bittner: You want some little, innocuous utility that - you have some sort of technical itch that you need to have scratched. 

Joe Carrigan: Yes. 

Dave Bittner: And you want to do it quickly. You want to do it now. You want a single-function tool that'll just do that thing. 

Joe Carrigan: Right. So you go to the website with the box of software pictures on the site. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: And so you go to - and let's - I mean, let's just say I'm on my mobile device. 

Joe Carrigan: Right. 

Dave Bittner: And I go to Apple's App Store, and I say, I need a PDF reader. And I search for it, and the thing comes up, and it says, good news... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...You know, right? Here is a free PDF - free-to-use PDF reader just for you. Install it, and all your problems will be solved. 

Joe Carrigan: Right. 

Dave Bittner: And I think to myself, this is great. And so I sign it up - I sign up, and I install it. And somewhere along the lines, in the microscopic print... 

Joe Carrigan: Right. 

Dave Bittner: ...Chances are, it said, this item is free to use for five days. After that, you'll be charged 5.99 a minute, right? 

(LAUGHTER) 

Joe Carrigan: Right. 

Dave Bittner: Or it's - usually it's like - you know, it's usually something like $10 a month or five... 

Joe Carrigan: Right. 

Dave Bittner: But I've seen ones that are even $50 a week... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? 

Joe Carrigan: Yeah. 

Dave Bittner: And they work off of the notion that you're either not going to notice right away. 

Joe Carrigan: I'm going to notice $50 a week, Dave. 

Dave Bittner: Well - but so that's really good point. So some of them will keep it - try to keep it below a threshold where you're going to notice. 

Joe Carrigan: Right. 

Dave Bittner: You're going to notice $50 a week, but you might not notice $5 a month. 

Joe Carrigan: Right. 

Dave Bittner: That might be below your noise floor... 

Joe Carrigan: Yep. 

Dave Bittner: ...Of - is this worth my time? 

Joe Carrigan: Yep. 

Dave Bittner: Right? And so let's say they get you for five bucks a month. And how long is it going to take you to notice that they're bleeding you for $5 a month? They're hoping you never notice... 

Joe Carrigan: Right. 

Dave Bittner: ...And you pay $5 a month for the rest of time. 

Joe Carrigan: If I can get a thousand people do that, that's $60,000 a year. 

Dave Bittner: Exactly. Exactly. And so they're counting on the fact that you're going to forget. Now, my way around this typically is I'll set a reminder for myself (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...At - you know, at the four-day mark... 

Joe Carrigan: Right. 

Dave Bittner: ...Or something like that... 

Joe Carrigan: Yes. 

Dave Bittner: ...To disable the software. Or I'll use it for what I'm using it for, immediately opt out and, you know... 

Joe Carrigan: Be done with it. 

Dave Bittner: Yes - and be done with it. I will say, to their credit, that Apple is very good about... 

Joe Carrigan: Right. 

Dave Bittner: ...Putting a stop to this. So they actually are a helpful middleman when it comes to this sort of stuff. Not so helpful that they don't allow the vendors to do this, but... 

Joe Carrigan: Right. 

Dave Bittner: Because Apple gets a cut of it, of course. 

Joe Carrigan: Of course - 30%, I think. 

Dave Bittner: Yeah. And, you know, I think it's the same on any of these platforms. But - so anyway, that is the one that I think we're probably most familiar with - that we run across, you know, from time to time. I also came across a website that I will include a link to in the show notes, and it's called Deceptive Design. And it is a website that is dedicated to this stuff. And they have a section on their website called The Hall of Shame, which is just delightful if you're into this stuff. It's just - it's a long - they collect a list of places where people are doing this. There's - I'll just read a couple of them. There's here - one here from an airport where, after you prepay for parking, you hit a button that seems to be a continue button, but it actually tricks you into subscribing to unrelated services. Nice. 

Joe Carrigan: Yeah. 

Dave Bittner: Right? Things like Skype tricking you into uploading your entire address book. 

Joe Carrigan: Ah, we talked about that last week. 

Dave Bittner: Yeah - has a dialog box that has no option to refuse. That is just infuriating. 

Joe Carrigan: Well, how do you not do that, then? 

Dave Bittner: Well, that's the thing... 

(LAUGHTER) 

Dave Bittner: ...Right? Instagram doesn't allow you to keep your account deactivated. It reactivates your account and doesn't allow you to deactivate it again. It says, sorry, you can only disable your account once a week. Try again in a few days. 

Joe Carrigan: (Laughter). 

Dave Bittner: Isn't that great (laughter)? 

Joe Carrigan: That makes me want to - no, it's not. I was going to say something violent, but I'm not going to say something - well, I want to punch somebody in the face. And I was going to name somebody, but I'm not going to do it. 

Dave Bittner: Right. Right. 

Joe Carrigan: Everybody knows who I'm talking about. 

Dave Bittner: Yeah. So that's - but the thing is, you read these things, and you think - how could this be so? How could it be this blatant? How could it be, and how could people fall for this? But they're designed for you to fall for them. They're so clever. They're so backhanded - or underhanded, I guess... 

Joe Carrigan: Right. 

Dave Bittner: ...Is the word I'm looking for. That - the odds are against you here. So anyway, I will include a link to this Deceptive Design site in the show notes. I think it's worth looking through. This is one of those things it's worth sharing with your friends and family because these things are everywhere. And I think it's really great that, in this case, the FTC has cracked down on Epic Games to say, you know, knock it off. There's real money at stake here. Hopefully, some of the other big players who are doing this sort of thing will see what's going on here. 

Joe Carrigan: Yeah, that's a quarter-of-a-billion-dollar fine. 

Dave Bittner: Yeah. 

Joe Carrigan: What does Epic make in a year? 

Dave Bittner: I don't know. I mean, it seems - who knows? I mean, it seems to be - that is a chunk of cash that I think would get any company's attention, but I don't know, you know? It might be 1% of their proceeds. Who knows. 

Joe Carrigan: On just a quick Google search, in 2021, their revenue was like $5.7 billion. So that is significant. 

Dave Bittner: Yeah. 

Joe Carrigan: It's about 5% of their annual revenue. 

Dave Bittner: OK, so real money. 

Joe Carrigan: Yep. 

Dave Bittner: Real money to them. But again, hopefully other organizations will see this and, you know, an internal memo will go around that'll say, let's stop doing this... 

Joe Carrigan: Right. 

Dave Bittner: ...But I doubt it. I doubt it. 

Joe Carrigan: You know, I'd like to know how far back this goes because, recently, Epic changed the way you get things in Fortnite so that you have to press and hold the mouse and fill a bar up to purchase an item. And I'm wondering if that is a result of this case. And I remember being impressed with that going, oh, this is pretty cool. Now I can't just accidentally purchase something. 

Dave Bittner: Right, right. 

Joe Carrigan: And maybe that's a result of this FTC judgment. 

Dave Bittner: Yeah, could be. My recollection is that this stuff really started to take off when we had all of those free-to-play games filling up the app stores. 

Joe Carrigan: Fortnite is free to play. You don't have to pay anything to play it. 

Dave Bittner: Right. Right. 

Joe Carrigan: So you can - and you even get a couple free V-Bucks. Eventually, you can start buying the Battle Pass with them. 

Dave Bittner: Yeah, yeah. So... 

Joe Carrigan: So there's Joe's cheap guy tip of the week. 

Dave Bittner: Now, we will have a link to both the FTC's announcement here and then also that Deceptive Design website, where you can check out their Hall of Shame - well worth checking out. 

Joe Carrigan: That's a good website, by the way. It's pretty - it's got some awesome stuff in it. 

Dave Bittner: Yeah. All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Lauren, who writes, hope you guys are doing well. I very much enjoy listening to your podcast. I work in accounting or finance for a startup, and we received a pretty decent phishing attempt today. I've changed the names here and added employee titles to their names to emphasize that the scammer seems to have successfully gathered the information regarding who to contact in our organization. So it's actually a series of messages, Dave. So why don't you read the first message that comes in? 

Dave Bittner: OK. So this is from the scammer... 

Joe Carrigan: Right. 

Dave Bittner: ...Via an external email address, and it has the contact name of their CEO. 

Joe Carrigan: Correct. 

Dave Bittner: And it says, Chelsea (ph), AP accountant, kindly inform Audrey (ph), VP of finance, that it is imperative to pay this invoice urgently. Let me know if you receive the attached files. I will need a wire transfer confirmation receipt as soon as the payment is made. Best regards, Jeffrey Lehman (ph), CEO, Chief Executive Officer at [Redacted Company Name]. 

Joe Carrigan: Right. OK. So now those titles were put in by Lauren, so... 

Dave Bittner: OK. 

Joe Carrigan: That's to make it clear. 

Dave Bittner: Yeah. 

Joe Carrigan: So the first message that comes in contains an attachment that reads as follows. 

Dave Bittner: OK. 

Dave Bittner: Please find attached the invoice, which contains the cost breakdown of the work completed, with our bank wire information, along with the W-9 form. Payment terms due on receipt. We will need a confirmation as soon as the payment is sent out via wire transfer, and do not hesitate to contact us via email with any questions. Kindly confirm the receipt of my email with the attached files. Attached is a legitimate-appearing invoice and W-9. 

Joe Carrigan: Right. Now, a W-9 is a request for validation of your EIN number. 

Dave Bittner: OK. 

Joe Carrigan: So it looks like not only are they sending you an invoice, but they're also asking you to fill out a W-9... 

Dave Bittner: OK. 

Joe Carrigan: ...Which is - I don't know what the tax implications are here. I'd have to talk to my son about this because he's the accountant in the family now. 

Dave Bittner: OK. 

Joe Carrigan: But anyway, it's - it looks like that's an opportunity for more identity theft or more corporate fraud here. 

Dave Bittner: Yeah. 

Joe Carrigan: But Chelsea then responds to the scammer like this... 

Dave Bittner: Hi, Jeff. I have received and entered the information. I will pass it on to Audrey for approval and let her know the urgency, but we do not currently have the funds to pay that. Kind regards. 

Joe Carrigan: To which the scammer then replies... 

Dave Bittner: Chelsea, how much do we have in our checking account at the moment? I need to know before you send it to Audrey. Best regards, Jeffrey, CEO. 

Joe Carrigan: Right. So here, at this point, the AP accountant responded with the current bank balance that was in - the current amount that was in the balance and said - or in the bank - and said, we also have a huge payroll. We have to - we're expecting to cover payroll coming up at the end of this week... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And that would not leave enough cash to fund this incredibly high wire transfer. So be mindful of that. There's - the attacker wants to know how much money is in the account, and they know now that they have payroll coming up. And what does this scammer say in response? 

Dave Bittner: Yes, I am very much aware of the payroll. Please send the invoice to Audrey for approval and ensure that it is paid promptly. I am expecting an international wire transfer this evening, so rest assured that the payroll will be sorted. I am eagerly awaiting the confirmation of the wire transfer. 

Joe Carrigan: So at this point, the AP accountant forwards this email to the vice president of finance, Audrey - in this, you know, pseudonym of Audrey - who noticed the phrasing of the email was a little weird and that the email was coming from an external address that was not the CEO's. So she reaches out to the CEO, and the CEO goes, yeah, that's not me, and it gets nipped in the bud. 

Dave Bittner: Wow. 

Joe Carrigan: OK? So a pretty good example of process being followed here. 

Dave Bittner: Yeah. 

Joe Carrigan: Lauren says, I'm still pretty puzzled how they got the correct names of the people who would be responsible for this in our organization. My guess is LinkedIn. 

Dave Bittner: Yeah, I was going to say the same thing. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: They went to LinkedIn. They clicked on the company, and they found everybody that worked there. They found who the VP of finance is. They found an accounts payable accountant, and they know the person they're going to impersonate. They knew all that stuff before they went in. 

Dave Bittner: Right. 

Joe Carrigan: So they send the email to the, essentially, lower-level accountant as the CEO, invoking the name of the VP of finance that the lower-level accountant probably works for and interacts with on a daily basis, and then continued along with this process that was actually successful for a period of time. 

Dave Bittner: Yeah. 

Joe Carrigan: Lauren says she also finds it fascinating that they asked the current bank balance. This is another common thing that actually goes back from check scams, right? If you get a hold of someone's checkbook and you write yourself a $10,000 check, then - or let's say you write yourself a thousand-dollar check. 

Dave Bittner: Yeah. 

Joe Carrigan: And you walk into a bank, and you say, here's a thousand-dollar check this person has written me. And the person says, well, they don't have a thousand dollars in their account. And you go, well, how much do they have in the account? I can deposit the money to cover it and just - and get it out. So let's say they have 500 bucks. So you say, I'll put 500 bucks in, and then I'll take the 500 bucks out and settle up with the 500 bucks for the person later, right? That's a pretty - an old - well, it's a common old scam. I don't know if it still works anymore... 

Dave Bittner: Right. 

Joe Carrigan: ...But it was one of the ones that used to work back in the days of check-cashing scams. They're probably still around. So the scammer here is asking what the bank balance is because they need to know how much money they can get out of the company. That's why they're asking that question. 

Dave Bittner: Yeah. 

Joe Carrigan: Finally, Lauren notices that the person really projected a lot of I'm-the-CEO confidence with, yes, I'm very much aware of the payroll... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In the response. I agree with that 100%. That kind of comes off as intimidating, and you might hear from - you might - that might be what you hear from the CEO. 

Dave Bittner: Right. 

Joe Carrigan: And then they come up with a plausible explanation as to why they're not worried about it - we got another international money transfer coming in this week. It's all going to be good. 

Dave Bittner: Yeah. 

Joe Carrigan: These guys are perfectly happy to screw everybody at this company out of their paychecks. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's what I wanted to come to - that these people are horrible people. They are monsters. And they are perfectly fine taking everybody's paycheck from them and jeopardizing the ability for them to live their lives. 

Dave Bittner: Well, and I think it also demonstrates the degree of professionalism with which they operate, right? 

Joe Carrigan: They - yeah, that's a good point. 

Dave Bittner: They know their stuff here, and, you know, good on the things that this organization put in place to stop it because it very - you could very easily see how this could have gone through. 

Joe Carrigan: Correct. And I want to thank Lauren for sending this in, and I hope that Lauren - might not also be your real name. 

Dave Bittner: (Laughter). 

Joe Carrigan: But if it is, thank you, Lauren. 

Dave Bittner: Right, right. 

Joe Carrigan: Even if it isn't, thank you. 

Dave Bittner: Yeah. And we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it is always great to welcome Carole Theriault back on the show. And this week, she is speaking with Iain Thomson from The Register. They're talking about smart tech in the home and how Iain shies away from IoT devices. Here's Carole Theriault. 

Carole Theriault: Today, listeners, I have the pleasure of speaking with Iain Thomson, a seasoned tech journo at The Register and a person I've known for decades. 

Iain Thomson: I was going to say, quite literally decades, in our case. Yeah. 

Carole Theriault: Yes. Now, there are many interesting things about Iain, but one of them is rather than surround himself with all the latest smart tech, like 99.999% of tech journos I know do, he says that, actually, he refuses to have smart tech in his home. And today, I thought together we would find out why. So, Iain, welcome. Can't wait to dive into this. 

Iain Thomson: Always a pleasure to chat. It's - and if I'm going to be held out as the global Luddite, I shall wear it with pride. 

Carole Theriault: Excellent. No, no. I'm - 'cause I'm on the fence, right? I'm half Luddite, half keen, and I sit there - so I'm interested. I could be pivoted. So first, maybe, why don't you tell our listeners a little bit about you, your background. Who is Iain Thomson? 

Iain Thomson: Oh, God. Well, OK, we've only got 20 minutes. Born of the God Zeus... 

(LAUGHTER) 

Iain Thomson: I've been covering technology for - in one way or another for about the last 30 years. Still remember - but I still have my first computer, a ZX81, for that matter, although the RAM pack long since died, so it's pretty much useless. I love technology, you know? I love finding out about new things about it. I particularly like the security field because it's constantly changing and constantly evolving. I have had - you know, I'm one of the few people, I think, in the - on the planet who actually used a Creative NOMAD for more than five minutes, you know, when - back when MP3 players were a thing. 

Carole Theriault: (Laughter). 

Iain Thomson: Built my first computer when I was still in my teens. And, yeah, I mean, I love technology. But this whole smart devices and Internet of Things thing is just apprehensive, simply because I've been covering the security beat for so long, and I know how insecure these devices are. And I don't frankly trust the companies that make them that much. 

Carole Theriault: Hold on a sec. Hold on a sec. You do have your tech creds, though. Not only have you done all these things, but you've written - what? - how many articles? Have you - do you think you've hit a thousand yet? 

Iain Thomson: Oh, God, no. For The Register, I'm on about - I'm coming up to 5,000. 

Carole Theriault: Five thousand. Listeners, that is a lot. 

Iain Thomson: I've been there 12 years, so you know - well, I mean, before that, at the late and little lamented vnunet.com, I was doing four articles a day. But that was really churn and burn. 

Carole Theriault: Yeah. 

Iain Thomson: But, I mean, for that, you need good hardware. And I've - you know, I'm very picky about the computers I use. 

Carole Theriault: And also, like, your living condition - do you live on your own? Do you live with other people? 

Iain Thomson: I live with my wife and a very aggressive cat. 

Carole Theriault: (Laughter) OK. So we have this tech journo - serious tech journo - who's been in the industry for 30 years. You love tech, but no IoT in the house? 

Iain Thomson: No. I've got these things called fingers. They're really good. You know, if I want to adjust the thermostat temperature, I can go and press a button or rotate a dial, as it was in the last house. 

Carole Theriault: Are you jealous of the people that can do it from their car? 

Iain Thomson: Not really because I just don't see the point. It doesn't have a convincing use case given the potential problems with it. Plus, I don't like the idea of having something in the house that listens all the time. 

Carole Theriault: So it's a privacy concern, primarily, do you think? 

Iain Thomson: It is - it's certainly a privacy concern, but it's mainly I just don't see the use case for it, by and large. I mean, at first, I have to say, when Google Assistant came out, I was kind of - and when Siri came out, I was trying those left, right and center. 

Carole Theriault: Right. 

Iain Thomson: But then I started to notice that - because I'm an Android user - and I started to notice that when I was saying OK to someone in conversation, the screen would light up, and it would say, ah, OK, OK, Google, right. Tell me something that - you know, that needs to be done. And that started me thinking about, well, hang on, how could this be abused? Do I really need it? Now I just turned it off, and I've kept it that way ever since. I'll still do voice searches on some items, but you have to physically turn it on. I don't want it, you know, listening all the time. And this doesn't suggest that, you know, I'm murdering people in the house or anything, but it's just... 

Carole Theriault: I know. Isn't that the weird thing, right? If anyone requests privacy in their life - like, why? What are you hiding? What's wrong with you? 

Iain Thomson: The simple answer to that is, do you have curtains? It's like, well, yes. It's like, well, why? You're doing nothing to hide, surely. And it's like, you know, yes, but people like privacy. 

Carole Theriault: Yeah. Yeah. 

Iain Thomson: And it's just one of those things. I mean, I was kind of tempted by getting...

Carole Theriault: Oh, here we go. Here we go. 

Iain Thomson: ...Getting outside video cameras, one for the inside of the front door, just for security. 

Carole Theriault: Oh, it's croaching (ph). It's getting close there to the boundary, isn't it? 

Iain Thomson: Yeah. But then, you know, Amazon announced deals with U.S. law enforcement that they could hand over your footage at any time. And it was like, do I really want to be part of a huge surveillance network? So I'm keeping my eye out for an open-source, noncorporate security camera system that I could set up and run myself. All that's going to take is a couple of weeks of free time and an awful lot of research. 

Carole Theriault: Or a very knowledgeable listener. Please feel free to get in touch with Iain Thomson. Yeah.

Iain Thomson: Oh, yes. If any listeners have any problems, by all means, drop me a line. 

Carole Theriault: But, OK, you have a phone though, right? And you carry your phone with you all the time. Do you - and that is definitely the quintessential IoT smart device, really, isn't it? 

Iain Thomson: Yeah. I mean, it has been one of the most ridiculously humorous things about the anti-COVID people over here. It's putting microchips in you to track you - underneath, sent from my iPhone. 

Carole Theriault: Yes (laughter). 

Iain Thomson: You know? And it's just - you just paid $1,000 for your own spying device. I do carry a smartphone, but I will say this. Location is only on when it's needed, and then it gets turned off immediately - same with Bluetooth, same with Wi-Fi. I'm quite strict about keeping handsets locked down. And the first thing you do when you get any new bit of kit is go through and see what's extraneous and take it out. 

Carole Theriault: All right, I want to ask you about your - if I may, about your partner. Does she share the same mindset as you? 

Iain Thomson: She's not that bothered either way, to be honest. She too was slightly freaked out by the listening-in thing. If they could get a convincing use case, you know, if she could actually - the one use case which I haven't shown her because I know she'd be way too tempted for, but a friend of mine has an automatic cat feeder with a camera in it and a microphone so he can call the cat to the cat feeder and feed on time. 

Carole Theriault: (Laughter). 

Iain Thomson: I think she might go for that. 

Carole Theriault: Uh-huh. And that's, like, exactly the kind of kit that would be more likely to have security flaws simply because it's an industry so far removed from that of, you know, cyber and IT security, isn't it? 

Iain Thomson: Exactly. And it's the last thing they think about. 

Carole Theriault: Right. 

Iain Thomson: OK, case in point - I went to a DEFCON briefing a few years back where they looked at smart home locks. You know, the - where you come in, and you press the app, and there's no need to get your key out. Out of 12 smart locks, 11 were broadcasting the code in plain text. All you needed to do is stick a receiver on a bush outside the house, wait for the person to come home, and you got the key to the house. The one that did actually encrypt its signal was so flimsily built you could open it with a screwdriver. I take physical security seriously, but also data security. And... 

Carole Theriault: Yeah. 

Iain Thomson: ...I think - as I say, I've written an awful lot of stories about these IoT devices that security - it's kind of Windows 98 levels of security, you know? It just wasn't built with that in mind. 

Carole Theriault: Well, listeners, please tweet at @thecyberwire if you have any use cases that you think might change Iain's mind. Iain Thomson, journalist at The Register, thank you so much for sharing your IoT fears. This was Carole Theriault for "Hacking Humans." 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: My favorite term - global Luddite. 

Dave Bittner: (Laughter). 

Joe Carrigan: I was worried about my Luddite-ness (ph). Is that a word? I don't even know. Luddite-itude (ph)? I could go on about this. I won't. But I was worried about my - me being perceived as a Luddite last week and talking about that when I was worrying about cloud technology. One of the things I absolutely love is that Iain's first computer is a ZX86, or 81, rather. I still have my ZX81, the old Timex from Sinclair. 

Dave Bittner: Oh, yeah, I remember. 

Joe Carrigan: It was - did you ever have one of those? 

Dave Bittner: I did not, no. My first computer was a TRS-80. 

Joe Carrigan: OK. 

Dave Bittner: But, you know, at the same time, I certainly remember them. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: Real keys on the TRS-80. 

Dave Bittner: Yeah. Yeah, we were living large. Yeah. Yeah. 

Joe Carrigan: Yeah. The ZX81 just has what they called a peanut butter keyboard. 

Dave Bittner: The membrane. Yeah. 

Joe Carrigan: Yeah, the membrane. It was terrible. 

Dave Bittner: It was. 

Joe Carrigan: But you could enter entire BASIC commands with one keystroke. That was nice. Iain makes a really good point, that the use case for a lot of these things is just not convincing enough. And he also says that he doesn't trust the companies that make these smart things.

Dave Bittner: Yeah. 

Joe Carrigan: And those two go hand in hand for why I don't have very many IoT things in my house either. I don't have an Alexa device. I do have a Google Home thing... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, one of those Google Home speakers, still in the cellophane. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Somebody gave it to me. 

Dave Bittner: Doing a lot of good. 

Joe Carrigan: Yeah, somebody gave it to me. I don't want to set that thing up. I remember when Alexa came out, and I went to my wife, and I said, hey, look at this cool thing. We'll be able to talk to it. And my wife is like, I can't believe you of all people, wants to put a bug in your house. I'm like... 

Dave Bittner: (Laughter) Good point. 

Joe Carrigan: ...Huh, that's right. 

Dave Bittner: Right, right. 

Joe Carrigan: I have turned off my Google Assistant as well. But not because of privacy concerns, although that's kind of - it's kind of a benefit. I have found that the product is just a terrible product that does not work. It is garbage from front to back. It never gives me the right answer to any question I ask, and I hate it. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So that's why - I got angry one day and turned it off. 

Dave Bittner: All right. Never looked back. 

Joe Carrigan: And I said, you know what? And I'll enjoy the privacy. Thank you. 

Dave Bittner: Yeah. 

Joe Carrigan: I still do have my location settings on. I share my location with my family. So there's a use case for that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That I see value in. But I like his comeback to the question about, why do you want all this privacy? What are you afraid of? And his comeback is simply, do you have curtains on your house? You know, what are you afraid of? That's a great analogy - a great analogy question. 

Dave Bittner: Yeah. 

Joe Carrigan: I love it. It's awesome. I'm going to use that. There is something here that Iain touches on, and I think it deserves a little bit more exploration here. 

Dave Bittner: OK. 

Joe Carrigan: If you want a camera system in your house that isn't essentially out-of-the-box government surveillance, like for law enforcement... 

Dave Bittner: Right. 

Joe Carrigan: ...With the Ring camera or anything else... 

Dave Bittner: Right. 

Joe Carrigan: ...You need to spend a lot of time and research and probably a lot more money building a system that will do everything the Ring already does. 

Dave Bittner: Yes. 

Joe Carrigan: So that's kind of the value proposition of the Ring doorbell and all these other surveillance devices. 

Dave Bittner: Right. It's easy. 

Joe Carrigan: It's easy. 

Dave Bittner: Yeah. 

Joe Carrigan: You don't have to spend the time doing that. All you have to do is give us all your private information. Let us show everything you want - we want to show to law enforcement to law enforcement. You're all done. 

Dave Bittner: Right. 

Joe Carrigan: Right? Oh, that sounds like a great idea. 

Dave Bittner: (Laughter) Yeah. Yeah. 

Joe Carrigan: So I still don't have a camera on my house, either. Not yet, anyway. I will soon, though. I am looking into the stand-alone solutions that don't upload things to the cloud or maybe upload things to my own private cloud. 

Dave Bittner: There you go. Yeah, that seems like a good compromise. 

Joe Carrigan: Right. 

Dave Bittner: I would certainly want to make sure that if I had something cloud-enabled, that it was somehow encrypted and that the provider wasn't able to decrypt it. 

Joe Carrigan: Yeah. That would be an important distinction. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: That you upload these things and that they remain private to you, even after they go up to the cloud. 

Dave Bittner: Right. That would help keep the opportunity for law enforcement to rifle around... 

Joe Carrigan: Right. 

Dave Bittner: ...Your video recordings. 

Joe Carrigan: Right. 

Dave Bittner: Right. Right. 

Joe Carrigan: I do have a smart TV. 

Dave Bittner: Yeah. 

Joe Carrigan: And a couple of Fire Sticks for those smart TVs. I don't like them. I don't like that I have them. 

Dave Bittner: Right. 

Joe Carrigan: The Fire Sticks don't listen all the time. And my smart TV does not have the microphone enabled. I have disabled that. 

Dave Bittner: OK. 

Joe Carrigan: But the - it's not a Samsung. One of my favorite things was the Samsung terms and conditions at one point in time said don't have private conversations around the TV. 

Dave Bittner: (Laughter) OK. Sure. 

Joe Carrigan: And I was like, what? That can't be real. That was real. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And then Iain goes on to talk about his Samsung headphones. I have a pair of LG earbuds right here in my hot little hands, Dave... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That I got off of Amazon. I said - because I needed a pair of earbuds for my laptop. 

Dave Bittner: OK. 

Joe Carrigan: ...Because I got sick of trying to connect everything to one laptop. But then it says, try it on your phone, and all these other cool features come on. And I install the app on the phone and it goes, oh, here's all the permissions we need. And I was like, I see. It was a very similar condition. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I don't use them for my phone. I only use them for my laptop. I use a very cheap pair of headphones that don't have any apps associated with them for my phone. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know that it collects any information or sends it back to the country of origin. Maybe it does. Who knows? But... 

Dave Bittner: But, you know, it's an interesting point because all of a sudden, those Apple airbuds (ph) - AirPods, they're not seeming so expensive anymore. 

Joe Carrigan: Right. 

Dave Bittner: You know? 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: What do they cost, 200 bucks for a pair? 

Dave Bittner: I think they start at a hundred bucks... 

Joe Carrigan: Hundred bucks. 

Dave Bittner: ...And go up - you know, go up from there as much as you want to pay. 

Joe Carrigan: Right. 

Dave Bittner: But... 

Joe Carrigan: How much would you like to pay? 

Dave Bittner: Yeah. 

Joe Carrigan: I'd like to pay $3,000, says Dave Bittner. 

Dave Bittner: Yeah. We have a pair for you for that. Sure. Step right up. But that's real. I mean, that's part of - you - I think you and I have talked about this. That's part of why smart TVs have gotten so cheap. 

Joe Carrigan: Right. Yeah. It's all the... 

Dave Bittner: Because they have a way to make money on the back end. 

Joe Carrigan: Right. All the data that they provide. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it - wouldn't it be great if I could just buy a 55-inch monitor that doesn't have any of that intelligence built into it and... 

Dave Bittner: Yes. 

Joe Carrigan: ...Hook my own computer into it? 

Dave Bittner: Yes. 

Joe Carrigan: Sure. That's going to cost you $5,000. 

Dave Bittner: Right. Exactly. 

Joe Carrigan: Right. Or I can pay a tenth of that - literally a tenth of that - to get a 55-inch TV... 

Dave Bittner: Yep. 

Joe Carrigan: ...That does everything else. Maybe I just - you know what? The simple solution is just don't connect it to the internet. 

Dave Bittner: Good luck with that. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter) I mean, I - seriously, I think we're coming to the point where some of these devices, they will not be functional if they're not connected to the internet. 

Joe Carrigan: Yeah. Iain was talking about that. One of the - he was saying some of the devices were bricked when they were disconnected from the internet. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Yeah. That's... 

Dave Bittner: Awful. 

Joe Carrigan: Yeah. That's unconscionable. That should be something that the FTC fines somebody for. 

Dave Bittner: (Laughter) There you go. There you go. 

Joe Carrigan: On the privacy front, there's an interesting conversation about the consolidation of all these different companies, like Amazon buying a health insurance company and Whole Foods and other organizations. And there's all kinds - oh, Roomba. Roomba is one. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: I had never been happier that I had skipped out on buying a Roomba in my life than when Amazon bought the - bought Roomba as a company. 

Dave Bittner: Yeah. 

Joe Carrigan: I was like, well, I dodged a bullet there. 

Dave Bittner: Give Amazon a map of the interior of your home. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: And, you know, I know that we sound like paranoid nutjobs and tinfoil hat-wearers when we say that, but that's exactly what the information they're going to have. 

Dave Bittner: (Laughter) Yeah. It's true. 

Joe Carrigan: Yeah. 

Dave Bittner: It's true. We laugh because otherwise we would cry. 

Joe Carrigan: Right. Correct. 

Dave Bittner: (Laughter). 

Joe Carrigan: It was a great interview. I really love having Carole on the show, and Iain is awesome. 

Dave Bittner: Yeah. Yeah. Again, our thanks to Carole Theriault for bringing that great interview to us. We always love having her back on the show. 

Dave Bittner: And that is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.