Hacking Humans 4.27.23
Ep 241 | 4.27.23

Is the industry ready for AI?


Vanja Svajcer: There's almost no product today on the market which won't use machine learning and artificial intelligence technology in one way or another.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show Carole Theriault is back. She is talking AI with Vanja Svajcer, the threat researcher at Cisco Talos. All right, Joe, before we jump into our stories, you've got a little bit of a quick follow-up here.

Joe Carrigan: Yes, last week I was questioning the origin of the term Yahoo boy for the group in Dallas-Fort Worth.

Dave Bittner: Okay.

Joe Carrigan: And I have learned recently that that is not isolated to the Dallas-Fort Worth area, it's a common term for Nigerian scammers. And it is -- it does in fact refer to the fact that they open up a bunch of Yahoo accounts. So, oh, and guess where I learned that?

Dave Bittner: The internet? Yahoo?

Joe Carrigan: No, I learned that from listening to the "Lazarus Heist" podcast which I said last week I would listen to. I'm currently listening to the most recent episode. I'm all caught up, Dave.

Dave Bittner: All right. It all comes full circle there, doesn't it?

Joe Carrigan: And I tell you, that podcast is riveting. It's really good.

Dave Bittner: No, it's good stuff. Yeah, yeah. No, if you have not done so, I highly recommend check it out. All right. Well, let's jump into our stories this week. Mine comes from the Wall Street Journal. This is actually written by Joanna Stern and Nicole Nguyen who are well-known over at the Journal, particularly Joanna Stern does a lot of interesting videos and stuff. But this article is about folks stealing people's iPhones and then being able to access the contents of the iPhone to steal lots of money from the iPhone owner. So, let me set the stage here. What this article initially sets up is the story of a gentleman who is actually a woman who is leaving a bar in New York, and someone who she had just met at the bar and struck up a conversation with grabbed her iPhone and ran off. And within minutes, she could no longer get into her Apple account or any of the stuff associated with it. And over the next 24 hours, about 10 grand vanished from her bank account.

Joe Carrigan: Wow!

Dave Bittner: Yeah. So, this story or this article here in the Journal goes through several examples of this where people are in some kind of public place. They're using their iPhone, perhaps some strangers come up, strike up a conversation with them, start talking about, "Oh, you know, do you have any interesting photos in your phone," whatever, this and the other thing. And when one way or another the phone ends up getting stolen, and then they get locked out of their iCloud account or their Apple account, and also, things like their bank accounts get drained, Apple credit card accounts are opened in their name and drained. There are a couple of cases in here where they talk about someone was drugged and they got into the person's phone after that, kind of like a roofie kind of thing. There's actually a gentleman who was -- yeah, woke up the next morning, his phone is gone and $1500-odd was stolen from his Venmo account.

Joe Carrigan: Did he still have his kidneys?

Dave Bittner: He did still have his kidneys, yes. So, here's what's going on. And I'm really presenting this as a setup to another question I want to ask you in a second. So, it seems as though what's going on is that people are shoulder-surfing folks with iPhones to see what their passcode is. They're prompting them to enter their passcode.

Joe Carrigan: Right.

Dave Bittner: And then either with a partner or themselves they try to shoulder-surf to see what the passcode is. Look over their shoulder as they enter the passcode. And then once they have the passcode, they steal the device. Now they can get in the device. Once they're in the device, that's pretty much the ball game for most apps. There are some apps that have an additional layer of security, they'll either have their own password or they will use -- you can set them up so they use face ID, which is an added layer of protection. But I would venture to say for most people who are using their iPhones, that passcode, which is typically a number, not a password, is really all you need to get in there. And now you've got access to all kinds of things that are in someone's phone.

Joe Carrigan: Do you remember when someone posted a video online of Kanye West entering his Apple password?

Dave Bittner: Yes. He was sitting in the Oval Office.

Joe Carrigan: Right. In the Oval Office and it was all zeros.

Dave Bittner: Yes, yes. Someone of his stature and notoriety should certainly have a more secure method of logging into his phone.

Joe Carrigan: I would agree.

Dave Bittner: So, this is all terrible and I think the lesson here is clear that the same thing is when you're entering your PIN for your ATM card or anything like that, if you find yourself in a situation where you need to enter your iPhone passcode, be careful of that, protect that, you know, put your hand over it or whatever so that other people can't see it. But the other thing that I wanted to specifically dig into you with here, Joe, is do you think that having all this information in your mobile device --

Joe Carrigan: The device that you take with you everywhere you go.

Dave Bittner: That's right. Is it more secure than your physical wallet?

Joe Carrigan: I would say if you configure it properly, yeah, it can be. Like, for example, if you use face ID to lock your phone, and that's a pretty good biometric to secure the phone. But I don't know how face ID works. I know that this phone here, this very disappointing Google Pixel 6, which --

Dave Bittner: There goes that Google sponsorship.

Joe Carrigan: Right. Yeah, exactly. Sorry about that, Dave.

Dave Bittner: It's okay.

Joe Carrigan: Sorry, Peter. But this very disappointing Google Pixel 6 has this fingerprint sensor on the screen, and very often like if my hand is wet like -- or if something is up, or if my hand is very dry as well like if I'm walking in the winter time, I have a hard time unlocking that phone. After two tries, it says, enter your passcode. So, if somebody knows my passcode, all they have to do is hit that fingerprint sensor twice, get two fails, and then it will ask for the passcode.

Dave Bittner: Right.

Joe Carrigan: So, if they know the passcode, they're in, and you're right, they can -- I mean, the only thing on my phone financially is a stupid cryptocurrency wallet that has a little bit of crypto in it. There might be like 20 bucks right now.

Dave Bittner: Right, right.

Joe Carrigan: So, they'd get that. But I don't have my banking information on my phone. I do have credit cards on the phone though.

Dave Bittner: Yeah, so there you go.

Joe Carrigan: So, I have Google Wallet.

Dave Bittner: Yeah, yeah.

Joe Carrigan: Yeah, I don't know. That's a good question, Dave.

Dave Bittner: Right. So, just think about you've got your physical wallet that has your credit cards in it, you have your mobile device that has the information of your credit cards in it. In both of these cases, the object is being stolen, right? Either the wallet or the phone is being stolen. I think that the phone is probably more secure in that you don't need the passcode to open the wallet, right --

Joe Carrigan: There is a chance it will not -- you know, if they don't know the passcode, they're not going to get through the biometrics. Right. They're okay. They're pretty good, let's say.

Dave Bittner: Yeah, but once I have your credit cards and presumably your driver's license and, you know, who knows what else, all the things you keep in your wallet, maybe a little bit of cash, which you probably don't have in your mobile device, right?

Joe Carrigan: I don't have any cash in my wallet either.

Dave Bittner: Right, right. So, I don't know, it just got me thinking about this. I saw a couple of posts from other people responding to this Wall Street Journal article and making the case that despite this being a possibility that it's still more secure than a physical wallet, I think that's probably true. I don't know that it's a huge difference. Again, you know, both of these will require the boldness of a theft, of a physical theft.

Joe Carrigan: Correct. But I will tell you the big difference is they're not getting into my bank account by stealing my wallet, right? They're not going to transfer huge amounts of money out and, you know, essentially Venmo themselves whatever it is. I imagine that's how the money got out of these accounts is with -- by Venmoing.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: So, or maybe whatever the other money transfer app is. So, that's not in your wallet. But again, if you secure it properly and don't -- I mean, but then, you know, here we go back, putting the onus back on the user. And I'm not sure that's the right answer for this.

Dave Bittner: Another thing this article points out is that one of the victims of this series of crimes, and there are a couple of cases here where they found the people who are doing these crimes and they were arrested and put in jail.

Joe Carrigan: Yeah, it says here, one person got a 57-month sentence.

Dave Bittner: Right, right. So, one of the things that one of the victims noticed when he actually got his device back was that the bad guys had gone through his photos and had searched for personal information like social security numbers and anything -- any documents that he had scanned or taken photos of, you know, all of that stuff these days is automatically OCR-ed. And so, you can search for things like -- and this article points out, you can search for SSN, social security number, and if that's in your photos gallery, it will come up.

Joe Carrigan: Well, let me -- hold on, let me conduct a real quick experiment here.

Dave Bittner: Okay. And this guy had found that the bad guys had actually created a new folder in his photos app that contained all of his personal documents that he had taken photos of or scanned or, you know, that were contained in the phone.

Joe Carrigan: Because I keep documents like that in a product called Stack, which is a Google product, it lets you do scanning from your cell phone. But I just opened it right now and it's asking me to fingerprint or face log in for Stack access.

Dave Bittner: Okay. That's good. So, there's a second layer. Stack has its own bit of security on top of just logging into the phone. Yeah, that's good.

Joe Carrigan: I'm using a finger I don't have as a test here and it's not letting me in at all. So, it says, "Can't get in, try again." So, it's not even giving me the opportunity to enter my passcode. So, Stack is I would say pretty secure.

Dave Bittner: Yeah, yeah. All right. Well, so that's what I wanted to talk about today. Like I say, this article kind of got me thinking about this notion of the physical wallet versus the digital wallet. I guess the other thing I'll add is that paying for things with your digital wallet I think is more secure because it's all tokenized.

Joe Carrigan: Correct. Yeah, I would agree with that. You're not going to ever get your digital wallet skimmed, that's just not really an option, it's not how that works.

Dave Bittner: Right, right. Exactly. All right. It's an interesting read. And I recommend folks check it out. It's, again, over at the Wall Street Journal about "A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life." So, do check that out. That's what I have, Joe. What do you got for us this week?

Joe Carrigan: Dave, my story comes from the BBC and it's written by a group of people, Max Hudson, Simona Weinglass, Mark Turner, and Joel Gunter.

Dave Bittner: Okay.

Joe Carrigan: And the title of this article is "On the Hunt for the Businessman Behind a Billion-Dollar Scam." So, there is a group of people out there that has literally scammed over a billion dollars from their victims which is pretty big.

Dave Bittner: Pretty soon you're talking about real money.

Joe Carrigan: Right. I mean, and the only scam like to that order of magnitude by a single group of people that I'm aware of is OneCoin, which is actually -- I think it's actually still an ongoing scam.

Dave Bittner: Okay.

Joe Carrigan: There's still websites up and everything, an organization is out there for it. But the founder has disappeared. And nobody is getting their money back.

Dave Bittner: Okay.

Joe Carrigan: But this group was originally called the Milton group. And that's what law enforcement is still calling them but they've dropped that name because of law enforcement's involvement. They're also called Solo Capitals. And they have lots of other names like 152 other names is what the article says. And some of these names have even sponsored Spanish football teams.

Dave Bittner: What?

Joe Carrigan: I'm not joking, Dave. These guys are big. These guys have scammed a billion dollars out of somebody, they can write a check for a sponsorship, which kind of lends them credibility. Not only that, but they've also bought advertising in newspapers.

Dave Bittner: For what?

Joe Carrigan: For their companies. Their fake companies. Their companies that scam people out of service.

Dave Bittner: Okay. I see. Okay. I'm catching on now.

Joe Carrigan: Okay.

Dave Bittner: So, go on.

Joe Carrigan: So, the organization is run out of Georgia, not Georgia like in Atlanta but Georgia as in Tbilisi. The BBC actually went on a raid on one of the call centers in Tbilisi where German and Georgian police raided this call center where they found all kinds of data with people's personally identifiable information on it, row after row after row of it. And there were some things written on paper as well. And one of the notes on the paper said, "Should scam soon." Like about a person. So, if the person has $10,000 they get in there and they ask all these questions. But these are typically -- or these are the typical investment scams. So, they have a bunch of different companies out there, some of them are regulated and some of them are not regulated. So, even in the setup of some of these scam companies, they are still subject to certain regulations. The BBC actually posed as an investor. And when you are an investor in these companies, you put your money in, and it's just gone. But they continue to show you the webpage like it's there.

Dave Bittner: Oh, I see.

Joe Carrigan: Right. So, but according to somebody who used to work with them, it's all a simulation. It's essentially just, you're just watching your money -- And actually, they are pressuring you to make these investments and the investments -- you're losing money on the investments. And then, when you lose money on the investments, one of the things they tell you is you should put more money into this so you can make it back.

Dave Bittner: Right.

Joe Carrigan: So, they're exploiting the cost fallacy. And when people put more money in, it's just gone. But when the BBC posed as an investor, they sent $500 in Bitcoin into this company, one of these companies. And it was immediately split into a bunch of little transactions and sent all over the place, right? Does that sound like anything to you?

Dave Bittner: It sounds like it was -- like some freshly laundered sheets.

Joe Carrigan: Right. Yep. It probably just went into a tumbler, right, or a bunch of tumblers. A lawyer who specialized in cryptocurrency and fraud examined the flow, you know, all the addresses, and said, "This suggests a large-scale organized crime."

Dave Bittner: All I'd say if they scam people after over a billion dollars, that does classify them as large-scale organized crime.

Joe Carrigan: Right. I would agree with that. So, they have a target in this story. The woman's name is Jane. That's not her real name. But she had retired, taken an early retirement, and as part of that early retirement, she got a 20,000-pound bonus for retiring early. And at that time, this company EverFX, which is one of those companies that's one of the 150-odd companies, that was the company that was the sponsor for the Spanish football team. And for those in America, when I say Spanish football, that's just soccer, right?

Dave Bittner: Right.

Joe Carrigan: But she sent EverFX a message through the website because she was thinking, "Hey, I can invest this. If I invest it wisely, I might be able to offset my pension with some extra money."

Dave Bittner: Sure.

Joe Carrigan: As soon as somebody -- as soon as she does this, she gets a call, coming from Odesa in Ukraine, and it's from some guy named David Hunt. A very common Ukrainian name, Dave, David Hunt. Right. But his accent is Eastern European, she couldn't place it, but Jane says these people really sound like they know their stuff and how markets work. And she really bought into it. And soon, this guy was talking to her almost every day. And she invested about 15,000 pounds. And then the trades weren't doing well. And then the advisor, this Hunt guy, advised her to withdraw her money from the current one and put it into another one, BproFX, where she could get more returns. Now, BproFX is not in the UK, it's set up in Dominica, an entirely offshore entity, and is completely unregulated. So, any hope you have of getting your money back from these guys is gone as soon as you put it into this other company. This sounds to me like a hybrid kind of organization. Now, this article goes on to put a few names out there but one of the ones they put out there is this guy David Kezerashvili. And I hope I'm saying that right. I'm disrespecting people by mispronouncing their last names or their first names. But he served two years as Georgia's defense minister. And at some point in time was charged with stealing a bunch of money from them, €5 million of government funds. He was -- they tried to extradite him from the UK to Georgia but the UK refused. So, he's still in the UK. So, while there are no publicly available documents that link this guy to the Milton network or the older network, right, they have run his name through the Panama Papers and he comes up.

Dave Bittner: Oh, interesting.

Joe Carrigan: Which is very interesting. That's the way that they've kind of found him. And BBC has done a lot of research on this. This is a typical investment fraud but it's at a massive scale, a massive scale.

Dave Bittner: And does the article go into why they're still running things? I mean, are they just out of reach of say Scotland Yard?

Joe Carrigan: There are some of these things that are -- that come up like pretty legitimate, right? Like the first company that Jane was investing in was semi-legitimate and regulated. The money then was transferred to the Dominican company, and that's when she just totally lost everything. So, it's -- I'm not exactly sure how this works. I don't even know if the guy who is running this report knows how it works. But it's a typical investment scam where people are letting their greed get the best of them here. Just remember, there is no quick get-rich thing. The people that got rich buying Bitcoin took a huge risk. That is not something that is going to happen frequently throughout your life. It will happen occasionally. We'll see people who get in there and go, "I should have done that." But, you know, and maybe when things are cheap, that's where you make your investments, right? Don't put tons of money into places that are promising you very high returns. That's usually not good. I mean, that's what Bernie Madoff did too.

Dave Bittner: Yeah, well, I was going to say do your due diligence obviously when talking to a financial advisor. But I guess the flipside to that is the people who got scammed by Bernie Madoff did that and yet, we all know what happened with him. So --

Joe Carrigan: They actually recovered a lot of his money though, I think. If I'm remembering that right. They were able to recover like 85% of the money that he had taken.

Dave Bittner: Wow. All right. Well, that's unusual.

Joe Carrigan: It is.

Dave Bittner: All right. Well, we will have a link to this story in our show notes. And, of course, we would love to hear from you. If there's something that you would like us to cover on the show, you can email us. It's hackinghumans@thecyberwire.com. All right, Joe, it is time to move on to our catch of the day.

[ Soundbite Of Reeling In Fishing Line ]

Joe Carrigan: Dave, our catch of the day comes from William. The email claims to come from Bob William of the William and William law firm. So, it's Williams all the way down.

Dave Bittner: Right.

Joe Carrigan: What's interesting about this that probably made it stick out is that it has a different from and reply-to address. But they are both listed as Bob William. It's just that the reply-to address is just a Google -- a Gmail account.

Dave Bittner: Yeah, that is interesting. Huh? All right. Well, it goes like this. "Dear sir and madam, I hope this email meets you peacefully. It took me time to summon the courage to email you, considering the sensitive nature of this transaction and my involvement. But I believe the best results in life are when tried. Not trying is the worst failure ever recorded on Earth. I am the principal attorney and founder of William and William Associates, London, United Kingdom. I'm contacting you today in respect to an unclaimed permanent life insurance policy in the amount of 12,820,000 British pounds with a reputable bank here in the UK. Unfortunately, my client left no will before his death. I ask for your consent to be in partnership with me for the claim of this policy benefit. If you permit me to add your name to the policy, all proceeds will be processed on your behalf under a very legitimate framework and immediately transferred to your account in your country after the agreement is endorsed by the two of us. I wish to point out that I want 10% of the money to be shared among charity organizations. While the remaining 90% will be shared equally between us. If you're interested, please respond to me for more details. Yours in service, Bob Williams, Esquire."

Joe Carrigan: This is a classic, Dave.

Dave Bittner: Okay.

Joe Carrigan: You know, it's like in the old radio days. Now, we're going to go with one of the oldies. Here's a good one. That's what this is.

Dave Bittner: Okay.

Joe Carrigan: This is so good. It's just an insurance scam. It's what will happen if you respond to these guys is they will get back to you with, "Oh, I need some fees for this." It's just the precursor for an advance fees scam. And you can always say, well, just take the money out of the insurance. Open -- the insurance hasn't disbursed the money yet. That will keep going on until you either realize it's a scam or run out of money.

Dave Bittner: Yeah. A couple of things here. I think as Americans we tend to be charmed by Brits so there's this sense of legitimacy there.

Joe Carrigan: Most people tend to be charmed by Brits.

Dave Bittner: Yes. I think the fact that this alleged Brit is claiming that he wants to give 10% of the money to charity just to reinforce the fact that he is a good guy.

Joe Carrigan: He is a good person. Fine upstanding member of the community.

Dave Bittner: Right. Right.

Joe Carrigan: He's probably not even British, Dave.

Dave Bittner: No, I count on it. I count on it. In fact, in the from it's got a .br domain. Any idea what br is?

Joe Carrigan: It's Brazil.

Dave Bittner: Is it Brazil?

Joe Carrigan: I think so.

Dave Bittner: That tracks.

Joe Carrigan: That's a Brazilian domain.

Dave Bittner: Okay. Well, maybe that's a breadcrumb there. All right. Well, this is a good catch of the day. And again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com.

Dave Bittner: Joe, it is always great to welcome Carole Theriault back on the show. And this week, she has a conversation about AI with Vanja Svajcer, who is a threat researcher at Cisco Talos. Here's Carole Theriault.

Carole Theriault: Today we have Vanja Svajcer. Vanja is a threat researcher at Cisco with 20 years under his belt in the industry. What does he think about the industry and how it's going to respond to this whole new ChatGPT and OpenAI, and Microsoft's version, and Google's version, and how is the security industry responding to that?

Vanja Svajcer: Yes. These are certainly interesting times. And I think the security industry is one of the industries which is very happy to adopt a kind of machine learning and artificial intelligence, let's call them. But we started very early, you know, with, you know, anti-spam and classification with Bayesian filtering, which is basically a probability filtering where you would get -- if you receive an email, you would get a probability whether some email is spam or not. So, it's a kind of machine learning, let's say. And from then on, we moved onward to different models or different ways of classifying malicious content. And I think, you know, that will definitely continue into the future. There's almost no product today on the market which won't use machine learning and artificial intelligence technology in one way or another. So, with ChatGPT I think we were all kind of surprised by the simplicity of it and how well it can generate text that's much more user-friendly as opposed to let's say googling in a search engine. I mean, we are so much used to Google and how we create those queries and what kind of results we get that now this sort of fundamental change of being able to describe what you want to some bot, that comes back that essentially has the knowledge of the internet at some point, and generates the most probable text and the most probable output of what you described in the input is very fascinating.

Carole Theriault: So, do you think we might see a world where we're going to have basically automated threats being fought with automated security tools? That's the road we're going down, isn't it really? And we're going to sit back eating popcorns.

Vanja Svajcer: It's difficult to say. We certainly are not yet there. And even if you can convince ChatGPT to write some malicious code, that code is actually quite basic compared to the state of the art of the malware code we are seeing today. And a lot of the time, when you write something, you really as a user of it, you need to have such a good experience because the generated code is not always up to scratch, and the generated text, for example, is certainly misleading on some facts. And some of the facts are not -- certainly not correct. And the same way is with the code. So, so far it's able to create some code. It needs a lot of handholding to create a little bit more advanced code. But a lot of user intervention is required. Now, how it's going to develop, whether ChatGPT 10 or whichever version comes will have this ability. And certainly, the whole artificial intelligence community is working on new algorithms. And so, you never know when a new revolutionary transformer will appear again.

Carole Theriault: Yeah. I think that's the big concern I have. There's a lot of players in the market all playing with quite powerful little tools and who knows what's going to spring up where. So, we're all watching everything all the time.

Vanja Svajcer: Yeah, we see now that the ChatGPT API is included in many kind of security research and defending side little projects but also on the offensive side and trying to kind of reuse the knowledge there in adapting to the environment and attacking some organization. We'll see what will happen. But the fact is that the technology they already have is still pretty reasonably effective for them so they don't have to go and reinvent something completely new at the time.

Carole Theriault: Yeah. Well, as you say it's interesting times.

Vanja Svajcer: Absolutely.

Carole Theriault: Thank you for sharing your worldview with us, Vanja Svajcer, the threat researcher at Cisco Talos. This was Carole Theriault for "Hacking Humans".

Dave Bittner: Joe, what do you think?

Joe Carrigan: Vanja makes a very interesting point and that is we have been using AI in security for a while.

Dave Bittner: Yeah.

Joe Carrigan: Mostly it started with phishing but, you know, as it's gotten better, as the AI products have gotten better, they've worked their way into just about everything that we have. There's some kind of machine learning classifier in just about every single security product out there that handles huge amounts of data. And that's one of the problems with the field is that there are just huge amounts of data. And, of course, there are companies out there like Splunk that then have licensing based on how much data you're going to ingest into the device.

Dave Bittner: Right.

Joe Carrigan: Right. It's really not -- they're not licensing features, they are licensing how much data are you going to ingest. That's what -- that's kind of an interesting thing. And Splunk is also one of these companies that was on the forefront of using AI for these things.

Dave Bittner: Okay.

Joe Carrigan: The new model for searching that Vanja talks about sounds very promising I think. Because one of the things I've noticed about Google is that it's just gotten terrible.

Dave Bittner: Yes.

Joe Carrigan: I can't find a lot. I'm having a field day here being critical of Google, from their phone to their search engine. I'm having -- I have a hard time finding things in Google now because so many people have interests that are different from what I'm looking for when I use the same search terms. So, that's how Google makes -- one of the things that goes into the algorithm of how Google makes their decision is how many people click on that link.

Dave Bittner: Right.

Joe Carrigan: In fact, I'm convinced that a lot of these search engine optimization companies just scroll through the Google results and then click on your link in an automated fashion over and over again. That's how they game the system.

Dave Bittner: Yeah.

Joe Carrigan: But the idea of being able to describe what I'm looking for to something like ChatGPT and be more descriptive and conversational, that might be a great idea.

Dave Bittner: That certainly is an option, right? I mean, you know, you don't want to do away with the traditional search engines.

Joe Carrigan: Yeah. Because when I type in something like the name of my bank because I don't remember what the URL is, I just want to get that. I don't want to have to type, "Hey, what is the URL for Billy Joe Jim Bob's bank?"

Dave Bittner: Right, right. Yeah. But I agree. It's gotten very noisy out there.

Joe Carrigan: It has gotten noisy.

Dave Bittner: Traditional search engines.

Joe Carrigan: It's very noisy. That's a good term for it. I liked the discussion about having automated threats fighting automated defenses and the question that Carole asked about it. I'll answer that, yes, we are going to see that. That is going to happen. It might not happen any time soon but it is going to happen.

Dave Bittner: Reminds me of the time back in the '80s on David Letterman Show where they pitted a humidifier versus a dehumidifier to see which one would win. And it's just, we're at the next level of that. But I agree. It's inevitable.

Joe Carrigan: It is. It is. The discussion about the quality of these chatbots and the code generators, there are still a lot of errors in the output. Like in the chatbots, it's just factually wrong errors. These things are only going to get better though. I was looking or listening to somebody talk about the Turnitin product that was having an academic discussion. And Turnitin is a plagiarism detection system that a lot of people use, a lot of universities use, and what that means is professors can run your stuff through Turnitin to see how much of your article or your paper has been plagiarized. And it should come back with a certain amount of plagiarism, right, for your citations. It should be like 3% of this paper has appeared in other contexts. And then the professor should be able to look at that and go, okay, well, he properly cited that and improperly cited that. And it may not be plagiarism but it should show up. But they also have a new product that because of the way ChatGPT works whether identifying sentences written by these networks, these -- or not networks, these generative AIs, I don't know if they're networks or not. They are language models is what they are, they're not networks. But they think they're pretty good at doing that. So, my question about this would be are we already seeing that thing where we have AI fighting against AI here? Because I'm pretty sure that Turnitin is using a classifier to tell whether or not your paper was written by another AI.

Dave Bittner: Yeah. That's interesting. I mean, I -- the reports I've seen so far have said that there are problems with accuracy. I guess the way I look at it is that there's enough problems with the accuracy of detecting this stuff that I wouldn't want to have my academic career teetering over whether or not an AI thought I had an AI generate something on me. You know. So, I think there needs to be a system. And this is what the universities are struggling with, right? Like it says, a new paradigm. Like Ben Yelin and I were talking about this recently. You know, he teaches law. And so, he's trying to figure out -- he and his colleagues are trying to figure out how do we not ban this but have it be a useful tool for appropriate things and still be able to do the teaching that we need to do. And that's a big challenge in academia these days. Yeah. All right. Well, again, our thanks to Carole Theriault for bringing us that very interesting interview with Vanja Svajcer from Cisco Talos. We do appreciate both of them taking the time.

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe where they are co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben, our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.