Hacking Humans 11.9.23
Ep 265 | 11.9.23

Leaving a trail of digital breadcrumbs.


Harry Maugans: They know your name. They know your email address. They know who you are. And all those previously anonymous behaviors get rolled up against your identity to tie it to your PII.

Dave Bittner: Greetings to all and a warm welcome to the Hacking Humans podcast brought to you by the CyberWire. Every week we delve into the world of social engineering scams, phishing plots, and criminal activities that are grabbing headlines and causing harm to organizations all over the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show my conversation with Harry Maugans, the CEO of Privacy Bee. We're talking about digital breadcrumbs. All right, Joe. Before we jump into our stories here, we got some follow-up from a listener. What do we got here?

Joe Carrigan: Yeah. This is Phil, he writes in. He says, I have a question about safety of IoT consumer devices and how and perhaps if consumers can do anything to encourage companies to do their due diligence in this field. And it's a long email, so I'm just going to summarize it here. But his -- the crux of his question is, should consumers use market forces or government regulation or legislation or both or neither to pressure/force companies to conduct better security audits of the network behavior of -- and software in their products? And, if so, how?

Dave Bittner: Right.

Joe Carrigan: So Phil then goes on to talk about how he purchased a treadmill. And it's a treadmill from a very popular manufacturer. He doesn't specify which one, but it is from one of those biggies? I don't -- I'm not -- Dave, I'm not a user of treadmills. Anybody who looks at me can tell that right away.

Dave Bittner: You're not an elite athlete.

Joe Carrigan: No.

Dave Bittner: Not anymore.

Joe Carrigan: Pretty good swimmer.

Dave Bittner: There you go.

Joe Carrigan: Still a pretty good swimmer.

Dave Bittner: Well, you're buoyant anyway.

Joe Carrigan: Indeed. But he talks about how he looked into the -- to the connectivity, though the Wi-Fi connectivity. I guess there is some data to be collected somewhere.

Dave Bittner: Yeah.

Joe Carrigan: And maybe some functionality that you get as a benefit of having this Wi-Fi connectivity. But he looked into the controller, the Wi-Fi piece of it, and found out that this is made in a country that he says is not too friendly to the United States. I'm guessing it's China. That's where a lot of these things come out of.

Dave Bittner: Sure.

Joe Carrigan: But he contacted the manufacturer to try to find out what they had done and could not get an answer out of them. Surprise, surprise, surprise. I'm absolutely not surprised by this.

Dave Bittner: Yeah.

Joe Carrigan: So he says his solution was to put the treadmill on his guest network. And he might go through the trouble of putting it on its own VLAN, which I recommend. If you have the technical capability to do that, put it on its own VLAN, a single device VLAN --

Dave Bittner: Okay.

Joe Carrigan: -- so it can't see anything else in your network --

Dave Bittner: Right.

Joe Carrigan: -- which is a great idea. But he is under the assumption and probably a correct assumption that the vast majority of people that buy this device just connect it to their regular home networks. And I would say, yeah. Probably all of that information then just goes right up to the provider, probably even your Wi-Fi password. There's a good chance that goes up as well. That gets -- that gets saved somewhere.

Dave Bittner: Yeah.

Joe Carrigan: To answer Phil's question, should consumers use market forces or government regulation, I'm going to say, I don't have a lot of faith in market forces on this. And the only reason I don't have faith, generally, I do have faith in market forces. But, here, consumers really don't care about the problems.

Dave Bittner: Yeah.

Joe Carrigan: And regulation seems to be the only solution to get these companies to comply and to care about it. And there are places where they do regulate that. Like in the healthcare device field when I was with Harbor Labs, that was one of the things that we did there --

Dave Bittner: Right.

Joe Carrigan: -- was helping people who had medical devices get their devices ready for FAA -- not FAAF.

Dave Bittner: FDA.

Joe Carrigan: FDA. Thank you, Dave. For some reason, that acronym just left my brain right there.

Dave Bittner: Right.

Joe Carrigan: For FDA approval. There should be something similar for I think generally all these devices.

Dave Bittner: Yeah.

Joe Carrigan: There should be some minimum requirement at least.

Dave Bittner: Well, you know, the government is using their purchasing power to try to do something about this.

Joe Carrigan: Right.

Dave Bittner: There's this thing called SBOMs, which are software bill of materials. And there's HBOMs, which are hardware bill of materials. And then there are F bombs, which we're not going to talk about because it's a family show. But --

Joe Carrigan: Which is what you say when all your data gets leaked out.

Dave Bittner: Right, exactly. So, basically, what the federal government is doing is they're saying we buy a lot of stuff.

Joe Carrigan: Right.

Dave Bittner: And, in order for you to sell stuff to us, you need to provide us with this software bill of materials or this hardware bill of materials, basically, an ingredients list of everything that goes into this device. And so that way there's some scrutiny at the government level as to exactly what Phil is asking about here. What's in there? How do we know? Where did it come from? So the degree to which that can affect a consumer device, let me tell you. I mean, the government buys a lot of consumer devices.

Joe Carrigan: They do.

Dave Bittner: You know, there are plenty of treadmills on military bases and, you know, gyms and government offices and all those kinds of places. So if these organizations want to sell to the government, and they're a big buyer, they have to provide this information. So that could be a mechanism, could be a lever by which these things get sorted out and get audited and there's some scrutiny there. That's the most active area that I'm aware of.

Joe Carrigan: In the government. Right?

Dave Bittner: Well, it's in the government. But the intention is that, by using the purchasing power of the government, that --

Joe Carrigan: They're going to enforce -- benefit for everybody.

Dave Bittner: Exactly.

Joe Carrigan: Right.

Dave Bittner: Exactly.

Joe Carrigan: There's another project from the Mozilla Foundation called Privacy Not Included. And you can just Google that, Privacy Not Included Mozilla. And it comes up, and it talks about all of the different privacy aspects of different consumer products. And I just loaded up the page, and it says, What has four wheels and collects your sexual activity data and sells your personal information? Probably your car.

Dave Bittner: Right.

Joe Carrigan: Now, I'm intrigued by this. This is just a headline that somebody wrote to grab your attention, but now I'm intrigued. And it says here, 25 car brands tested, 25 car brands failed, which doesn't surprise me. I mean, you and I talked about this a couple of weeks ago about car -- cars providing all this data, but we have now officially gone down our first rabbit hole.

Dave Bittner: Yeah. And, ultimately, we need some federal privacy legislation --

Joe Carrigan: We do.

Dave Bittner: -- to put guardrails on this.

Joe Carrigan: Yeah. We're talking about that today in the interview.

Dave Bittner: There's no hope of that happening anytime soon with the dysfunctionality that's happening in Congress.

Joe Carrigan: Yeah. But cybersecurity is one of the things that really unites everybody in Congress. They -- they're all on board with that.

Dave Bittner: Yes and yet.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: It still doesn't come to the floor, does it?

Dave Bittner: Right. Well, right because they can't agree because any progress is considered to be progress for the other team.

Joe Carrigan: Right.

Dave Bittner: And so it just -- that's the way it is right now. So hopefully we'll see some movement. And, you know, I mean, it's -- it is not just the Biden administration. I believe the Trump administration before them really got this whole SBOM thing started. So it's a bipartisan effort that's made its way through multiple administrations.

Joe Carrigan: Indeed. Good stuff. Yep.

Dave Bittner: All right. Well, thank you, Phil, for writing in. We do appreciate it.

Joe Carrigan: Oh. To answer Phil, both.

Dave Bittner: I think Phil's got this under control.

Joe Carrigan: Right.

Dave Bittner: So we would love to hear from you. If there's something that you would like us to consider for the show, you can email us. It's hackinghumans@n2k.com. All right, Joe. I'm going to kick things off for us here. This is a story from the 404, written by Jason Koebler. I'm not sure if you're familiar with the 404. It's a new publication. It's a group of tech journalists who I can't remember where they left. I want to say Vox, but I'm not 100% sure on that. Decided to start up their own thing. Joseph Cox is one of the folks on this team.

Joe Carrigan: We had Joseph Cox on this show.

Dave Bittner: We have. And it's -- so it's a good team of experienced, very well-respected journalists. And they are making a run of things on their own. And it's --

Joe Carrigan: I like the name.

Dave Bittner: And it's 404 Media. It's a good name. So definitely worth checking out, and they're doing some really good work. This article is titled YouTube's war on ad blockers shows how Google controls the internet. Now, Joe, I don't know what your experience is with YouTube, how often -- would you say you're a frequent YouTube user?

Joe Carrigan: Probably daily.

Dave Bittner: Okay.

Joe Carrigan: Yeah.

Dave Bittner: Yeah. I use YouTube quite a bit, as well. But I actually pay for YouTube premium.

Joe Carrigan: Oh, do you?

Dave Bittner: And I will tell you why I pay for YouTube premium.

Joe Carrigan: It's to get the ads off of it.

Dave Bittner: Well, yes. But the thing that finally made me pull the trigger on this is, I was in my house, and I had a water leak. There was a pipe that was leaking. Water was pouring out of a pipe. And I was going on YouTube to find out what my best course of action was to mitigate this.

Joe Carrigan: Right.

Dave Bittner: And so I do a search, and I find the perfect video to tell me what to do. And what do I have to do first, Joe?

Joe Carrigan: Wade through a 15-second ad. Somebody had this with like a CPR problem. They had somebody experiencing a cardiac issue. And they Googled a video on CPR, how to do CPR. And they have to wait 15 seconds for an ad to play.

Dave Bittner: Yeah.

Joe Carrigan: And they write -- the joke is, they wrote -- I don't know if this is a joke or if it's true, but they wrote to Google or they make a post on Google -- on Twitter about it. And Google says, You should consider going to YouTube premium.

Dave Bittner: Well, there you go. And that's exactly what I did. And let me tell you. YouTube premium ain't cheap. But, for me, it's worth it because I do consume a lot of content on YouTube, and it is much better with no ads. Now, other people have come at this in different ways. They use ad blockers --

Joe Carrigan: Right.

Dave Bittner: -- to block the ads on YouTube and have varying degrees of success with that. Well, YouTube is coming down on the ad blockers. They are feeling like this is digging into their revenue too much, so they have started a bit of an arms race between themselves and the companies who provide the ad blockers. Some of these are built into your browsers. Some of them are plugins that you can add to your browsers.

Joe Carrigan: Right.

Dave Bittner: And over the past couple of weeks, it's really been back and forth, kind of --

Joe Carrigan: I bet they're not built into the Chrome browser, though.

Dave Bittner: They are not built into the Chrome browser. Right. And that is one of the points of this story --

Joe Carrigan: Right.

Dave Bittner: -- which is that Google -- I'll just read a quote here from the article itself. It says, Google has its hands on quite literally every aspect of this entire saga as a vertically integrated ad tech giant. Most ad blockers are browser extensions that are most widely used on Chrome, which is a Google product and the most popular browser in the world. They're being used to block ads sold by Google, the largest ad company in the world. And they are specifically being used to block ads on YouTube, a Google-owned website that is also one of the largest websites on Earth. So it is in Google's best interest to block these ads, of course, but they control so much of this that --

Joe Carrigan: Block the ad.

Dave Bittner: Yeah. Well, they control the browser.

Joe Carrigan: Right.

Dave Bittner: There -- and so, you know --

Joe Carrigan: Why is it in Google's best interest to block the ads? That's where their business --

Dave Bittner: I'm sorry. I misspoke. It's Google's -- it's in Google's best interest to block the ad blockers.

Joe Carrigan: Right. Correct. Yeah.

Dave Bittner: Yeah. So I'm -- before we dig in with my thoughts on this, I'm curious what your thoughts on this are from a high level when it comes to ad blockers in general and why we -- why we should be using them and the morality of doing so.

Joe Carrigan: Oh, I think it's perfectly moral to do so.

Dave Bittner: Yeah.

Joe Carrigan: I don't -- I don't have any compunction with using an ad blocker.

Dave Bittner: Okay.

Joe Carrigan: I feel no moral obligation to watch or be subjected to Google's ads.

Dave Bittner: Okay.

Joe Carrigan: Even though I generally do use the Chrome browser and sit through the ads, I don't believe that that's my obligation. You are hosting a site on the internet. You know, if you want to try to put an ad blocker blocker on there, okay. That's your prerogative. But I am also free to try to use an ad blocker. This is an open -- supposed to be an open network and always has been. And maybe I'm a little bit too -- too idealistic from the early days of the internet where everything was available and just on there.

Dave Bittner: Right.

Joe Carrigan: But no. I do not have a compunction or any reservations about using an ad blocker.

Dave Bittner: Yeah.

Joe Carrigan: Also, I do want to comment about your statement that Google is a vertically integrated -- I don't know if you used the term monopoly but it -- you know, it seems -- it seems like it's an end-to-end Google solution.

Dave Bittner: Well, that's -- I mean, that's -- they are in the midst of an antitrust trial right now as we speak so.

Joe Carrigan: Correct, correct. They are. And -- but the thing is, you can not -- you can use Mozilla Firefox as your browser.

Dave Bittner: Yeah.

Joe Carrigan: No problem. It's available for you to do it. And you do not have to use the Chrome -- Chrome browser. You can -- you can walk away from that. You can also use other streaming services that are not as good. And they're not as good as YouTube. That's really the problem.

Dave Bittner: Right.

Joe Carrigan: And they don't have the content that YouTube -- YouTube does.

Dave Bittner: Right.

Joe Carrigan: But, I mean, if you're a content creator, you can use sites like Odysee. And there are some other ones out there.

Dave Bittner: Right. But none of us know the names of them.

Joe Carrigan: None of us know the names of them. That's right. We all know the name YouTube.

Dave Bittner: Right. Right. It's -- you know, it's the Kleenex of online video.

Joe Carrigan: Right.

Dave Bittner: It's one of those things where the brand is the service.

Joe Carrigan: Yes.

Dave Bittner: Yeah, yeah. The other thing I will add here from my own point of view is that I think ad blockers are a security function, as well, because so much malware is delivered through ads.

Joe Carrigan: Yeah. Absolutely. You know, and that's another -- there is a moral argument here, but it's not on the user side. You know, if you're Google, it is your moral obligation to keep malicious ads out of your ad feeds.

Dave Bittner: Right.

Joe Carrigan: And they are not doing that.

Dave Bittner: Yeah.

Joe Carrigan: So if you're going to block -- I think that it's within everyone's prerogative to block the Google ads that come up on search results. And I think that Google is -- has really used a lot -- I don't want to call them dark patterns but -- I mean, because they're really not. They make these ads look exactly like the search results.

Dave Bittner: Right.

Joe Carrigan: That's what they do.

Dave Bittner: Yeah. I guess, you know, I've made the point elsewhere that, if somebody wants to toss an ad up on their site in exchange for me viewing their content, I don't have a problem with that.

Joe Carrigan: Right.

Dave Bittner: The same way I don't have a problem with TV commercials --

Joe Carrigan: Right.

Dave Bittner: -- in the middle of a football game or a show that I want to watch. The problem I have is with all the trackers behind the scenes --

Joe Carrigan: Yeah.

Dave Bittner: -- who are getting my location, my browser, my -- just tracking all that kind of stuff.

Joe Carrigan: All the analytics.

Dave Bittner: Yeah. You want to show me an ad, show me an ad. But one of the main reasons that I have ad blockers installed is to fight all of that tracking stuff.

Joe Carrigan: Yeah.

Dave Bittner: Because it's just downright creepy. And, at the moment, you know, here in the good old US of A, we don't have legislation to prevent it.

Joe Carrigan: Not yet.

Dave Bittner: No.

Joe Carrigan: But I don't know that we ever will.

Dave Bittner: Yeah. I hope so. I -- I don't know. We'll see. It'll have to -- I joke that it'll have to affect Congress in some way, you know?

Joe Carrigan: Well, I mean, there was somebody who had bought -- because you can go out to a data broker and buy people's information.

Dave Bittner: Right.

Joe Carrigan: And there was somebody who had gone out and bought a congressman's browsing histories.

Dave Bittner: Yeah. I think it was John Oliver who did that.

Joe Carrigan: Yeah. John Oliver. Was that who that was?

Dave Bittner: I think it was. Yeah.

Joe Carrigan: I think that's brilliant. It's a great idea. I think they should do that and just start -- start posting them.

Dave Bittner: Yeah.

Joe Carrigan: You know, hey, I bought this information. Here. Look.

Dave Bittner: Right. Publicly available. Yeah. So there's no resolution to this right now. I mean, it's back and forth. This article does point out that there was a time not that long ago when Facebook went down the same path of they were trying to block people who were blocking ads coming through on Facebook, and Facebook eventually gave up on that because despite having all the resources it just -- they decided it really wasn't worth their effort to keep doing that.

Joe Carrigan: Right.

Dave Bittner: So maybe there'll be some place where we meet in the middle here. I will say, one thing I was half expecting as a YouTube premium subscriber who also uses ad blockers, I was afraid that I was going to get notices popping up when I went to use YouTube that said we noticed you're using an ad blocker. Well, I haven't seen any of that. So --

Joe Carrigan: Okay.

Dave Bittner: -- at least it's smart enough to know that, if you are paying, leave me alone.

Joe Carrigan: Right, right. We already have your money.

Dave Bittner: Yeah. Exactly.

Joe Carrigan: What does it cost a month for YouTube premium?

Dave Bittner: I think it's like 18 bucks.

Joe Carrigan: Eighteen. That's steep for an internet service.

Dave Bittner: I agree, I agree. But, I mean, I -- yeah. But I -- I do get a lot of enjoyment out of it. There are some channels that I watch regularly. I definitely watch -- there are things that I watch on YouTube that I would have been the kinds of things I would have watched on regular TV in the past. So, you know, it's worth it to me.

Joe Carrigan: Does it have TV shows, or is -- that's the YouTube TV service. That's like $70.

Dave Bittner: Yeah. That's YouTube TV, which I also have at home. So we cut the cord and went with YouTube TV, which I -- is great.

Joe Carrigan: Right.

Dave Bittner: Saves us about 80 bucks a month, I think, to use YouTube instead of the cable company. So, you know, worth exploring.

Joe Carrigan: Okay.

Dave Bittner: All right. That is my story this week. Joe, what do you have for us?

Joe Carrigan: Dave, I have a personal story this week. Somebody I know -- and this person has asked I don't identify them.

Dave Bittner: Okay.

Joe Carrigan: But they got got, Dave.

Dave Bittner: Is their name Beau Harrigan?

Joe Carrigan: It is not Beau Harrigan. It's not me.

Dave Bittner: Okay.

Joe Carrigan: Jarrigan.

Dave Bittner: It is actually a friend. All right.

Joe Carrigan: No. It's actually a friend of mine.

Dave Bittner: Okay.

Joe Carrigan: I got a phone call on -- I think it was Saturday.

Dave Bittner: Yeah.

Joe Carrigan: And I'm coming home. And this guy is in a panic. And he's like, I got got. And I'm like, Oh, what happened? And here's what happened.

Dave Bittner: Okay.

Joe Carrigan: First off, he is a software engineer. So for -- guess what he does for a hobby? He writes some code for this -- this simulation for football.

Dave Bittner: Oh, okay.

Joe Carrigan: And it's a really -- I mean, there's a small group of people that -- that write the code and then play the game. And it's very -- it's a private group of people that do both these things. And I've told him many times you can monetize this. This is -- this is really good. And he says, no, no. We're not doing that. We're just -- this is a hobby for us.

Dave Bittner: Okay.

Joe Carrigan: So I said, Okay. Fine. Well, somebody in his group says, Hey. This is on Discord. The person reaches out to him, that he's been talking to this guy for a number of years, off and on.

Dave Bittner: Right.

Joe Carrigan: And this person reaches out and says, Hey. I'm trying to develop this new game. Can you take a look at it for me? And he's like, Sure. So he sends him a link to a Blogspot URL, and it says the file is at the bottom. It's an encrypted rar file and gives him the password to the encrypted rar file. And he says, Okay, fine. And he -- without thinking because he knows this guy --

Dave Bittner: Right.

Joe Carrigan: -- he runs this rar file, and immediately Discord crashes on his computer.

Dave Bittner: Now, just real quick, Joe, what's a rar file for us?

Joe Carrigan: A rar file is a Russian zip application.

Dave Bittner: Okay. So it's a way of compressing a file.

Joe Carrigan: Correct.

Dave Bittner: Making a file smaller.

Joe Carrigan: Right.

Dave Bittner: Okay.

Joe Carrigan: So it's like zip. But making -- it doesn't work well for executables. It doesn't compress well for executables. But it does have the encryption function like zip files do.

Dave Bittner: Okay.

Joe Carrigan: So what happens when you encrypt that file is now, if you upload that to a place like Blogspot, they can't -- they can't scan the file because they don't know the decryption key --

Dave Bittner: Right, right.

Joe Carrigan: -- which is just a simple password. I mean, if they brute forced it, they could probably get to it.

Dave Bittner: Yeah.

Joe Carrigan: But they don't have the time or the resources to do that, apparently.

Dave Bittner: Right.

Joe Carrigan: So he has Discord on his phone immediately. And the guy -- the guy sends him a text message. It says, gotcha, right. Here's your username and your password for Discord. And he's like, Huh. That's right. He says, I have a bunch of other information as well. And he shows him some captures of some Google Contacts lists, which I don't know how the malware worked and got that, but I think it's just data stealer malware.

Dave Bittner: Yeah.

Joe Carrigan: So he says, okay. And the guy says, I need $500 right now.

Dave Bittner: Wow.

Joe Carrigan: And he goes, Do you have Zelle? He goes, No. What's Zelle, right? The whole time he's talking to the guy, he's changing his password, right? He's changing his Discord password. And then he's going through and changing all of his other passwords while he's stalling this guy.

Dave Bittner: Right.

Joe Carrigan: And he keeps stalling the guy. And the guy's like, you better not be stalling me. He goes, Look. I'm trying to get this app installed. And I've got it connected to my bank account. I don't know how any of this works. My computer doesn't work right now, so I can't -- oh, and the other thing he did as soon as that happened and he got that message was he pulled his computer off the internet.

Dave Bittner: Right.

Joe Carrigan: He disconnected, physically disconnected the network cable. It was a hardwired RJ45 jack in the back.

Dave Bittner: Okay.

Joe Carrigan: And the guy continues to pressure him and keeps saying, Look. Give me this -- give me this money. And he's like, I've got all these different -- these different things going on right now. I'm trying to get this app to work. I'm trying to get my -- my bank account connected. I've got the baby crying in the background. And this guy then sends in all caps, JUST SEND ME THE MONEY, right?

Dave Bittner: Yeah.

Joe Carrigan: And that's when my friend knows, all right. He's -- he's done. He's not getting anything. He's frustrated.

Dave Bittner: Right.

Joe Carrigan: So -- and he's changed all the passwords that he thinks he's concerned about. And, at that point in time, he says, you know, he just stops communicating with the guy.

Dave Bittner: Okay.

Joe Carrigan: So I actually had -- I actually got to his house a little bit later, and I actually pull a copy of the file off of his -- off of his computer. And I upload it to VirusTotal. VirusTotal does not flag it as malicious, but VirusTotal does say that it communicates with malicious command and control servers.

Dave Bittner: Okay.

Joe Carrigan: But they don't list it as a virus, probably because -- or they don't -- none of their -- none of their detection methods found it to be malicious because it's probably specially crafted for each -- each use case, right. So this is probably a file that this guy built for himself, and now it doesn't set off any of the triggers.

Dave Bittner: Right.

Joe Carrigan: But then I said -- I got on my Discord channel and talked to the group of students I have.

Dave Bittner: Okay.

Joe Carrigan: And I said, Does anybody want to analyze some malware?

Dave Bittner: Ah. Okay.

Joe Carrigan: I got a couple takers.

Dave Bittner: Taking advantage of the Hopkins connection.

Joe Carrigan: Right. Exactly.

Dave Bittner: All right.

Joe Carrigan: And somebody actually who's not a Hopkins student took -- took a look at it and said it's, yeah. This is a variation of Epsilon Stealer.

Dave Bittner: Okay.

Joe Carrigan: And it's not being flagged because it's probably specially crafted, but it certainly does communicate with malicious -- malicious domains and malicious IPs. So I still have it. And the thing is, here's the thing. I actually reached out to Blogspot. I used the report abuse link on Blogspot. This website is still up right now. So I've told Blogspot, Hey. You've got malware on this site. And I know it's malware because a friend of mine got victimized by it. Nothing. Still there a week later. So in the process of communication with this attacker, my friend realizes or gets told by the attacker, he says, Yeah. I took over your buddy's Discord attack -- or account with this -- the same attack, and he didn't give me my 500 bucks. So he doesn't have -- he doesn't have the account anymore. So he -- he said, Well, I've already changed my password, so you're not getting that. And he changed -- he changed his password on his phone, so it's on a noninfected phone presumably. The guy did not gain access to his Discord. And I've talked with my friend on Discord as well. So it's still -- still him on there.

Dave Bittner: Yeah.

Joe Carrigan: It's an interesting social engineering attack, though. The guy comes at a software developer who he knows as a software developer because he can see all the old chats about software development, says, Hey. I'm trying out this game. Use this. And we've seen this -- this kind of attack happen from state-sponsored activities. I don't think this was state sponsored. I think there's -- this was just some scammer.

Dave Bittner: Yeah.

Joe Carrigan: Some script kiddie. But we've seen these things happen with state-sponsored actors working in the crypto space where they're -- you know, they -- they're targeting -- or in the -- I'm sorry, not in the crypto space. It's in the vulnerability research space where they pose as other vulnerability researchers and get these vulnerabilities from people before they're talked about.

Dave Bittner: Right.

Joe Carrigan: So it struck me as -- as interesting that it was a similar -- a similar tactic, that -- that now these tactics are becoming more mainstream.

Dave Bittner: Yeah. I'm curious, what -- does your -- to what degree does your friend who got scammed, like, what is his emotional reaction to this?

Joe Carrigan: He was -- excellent question, Dave. And I was -- I completely forgot to mention this. First off, he was angry. Second, he was upset with himself. He said, I feel so stupid.

Dave Bittner: Yeah.

Joe Carrigan: And I said to him, Don't feel that way. This guy took advantage of an existing relationship to lie to you. You didn't fall for this because you're stupid, because you're not stupid. You're smart. It's just that this guy exploited something inside of you. Now, we all are vulnerable to these kinds of things, especially when somebody's impersonating somebody you know by using their bona fide accounts that you've previously communicated with them on, you know. This -- this we have seen all over the place, like people hitting up people on Facebook Messenger for loans because they're out of town, they need money.

Dave Bittner: Right.

Joe Carrigan: Send me money.

Dave Bittner: Right.

Joe Carrigan: But this -- you know, this is the same tactic there. But posing as a software engineer and specifically targeting software developers, so you know they're more likely to open it.

Dave Bittner: Yeah. Interesting. All right. Well, I mean, it's no fun, but it could have been a lot worse.

Joe Carrigan: It could have been a lot worse. I think he got out relatively unscathed. He did have to rebuild his computer, though. Completely rebuild it.

Dave Bittner: Well, I mean, for a hobbyist like him, that's probably fun.

Joe Carrigan: Yeah.

Dave Bittner: Oh, darn. I have to -- oh, honey. Bad news. I've got to rebuild my computer.

Joe Carrigan: It's a pain you have to reinstall your operating system. It's --

Dave Bittner: I know, I know.

Joe Carrigan: I just did the work because --

Dave Bittner: Don't throw me in the briar patch.

Joe Carrigan: Yeah.

Dave Bittner: I know, I know. All right. Good stuff. All right, Joe. It is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]

Joe Carrigan: Dave, our Catch of the Day comes from John who found this conversation over on Reddit at r/scambait, which I haven't looked at in a while. Maybe I should. We'll put a link in the show notes to the actual Reddit post. But this is one of those wrong number text messages.

Dave Bittner: Oh, yeah.

Joe Carrigan: Do you want to play the role of the scammer or of the recipient?

Dave Bittner: I'll be the one in green so I guess that's the recipient.

Joe Carrigan: Right. So I'm the scammer.

Dave Bittner: Okay.

Joe Carrigan: Now, the scammer is pretending to be a woman, so I have to put on my sexy voice, Dave.

Dave Bittner: Okay.

Joe Carrigan: Hello. How are you?

Dave Bittner: I've been better. Susan from next door is being a nuisance again. Not that's anything unusual. You know how she can be. How are you?

Joe Carrigan: Yes. I find too. By the way, are you John that my friend Lucy introduced me to. I'm Jessica from LA.

Dave Bittner: This is Carol. John is my husband, though. What do you need to speak to him about?

Joe Carrigan: Hmm. This isn't my friend John from Texas?

Dave Bittner: Are you having an affair with my husband? I knew he's been acting weird.

Joe Carrigan: What are you talking about? I'm looking for my friend. I was looking for him because I heard he was in Los Angeles. Looks like I entered the wrong number. I'm really sorry. Maybe I entered the wrong number. I hope you don't mind me. Are you there? I'm a scammer. Don't worry. Your husband isn't what you think.

Dave Bittner: Okay.

Joe Carrigan: For a scammer like me, I don't want you to have a marriage problem. And I'm male, not a woman.

Dave Bittner: Wow.

Joe Carrigan: That's the end of the conversation.

Dave Bittner: That's an unexpected twist.

Joe Carrigan: Right? That guy has a conscience. I'm just trying to scam somebody from money. I didn't mean to ruin a marriage.

Dave Bittner: Yeah. I mean, you know, there's a line, right?

Joe Carrigan: Right.

Dave Bittner: Some kind of bro code or something. I don't know. Like, okay. All right. Well, hmm. That's funny.

Joe Carrigan: That is good.

Dave Bittner: All right. Well, of course we would love to hear from you. If there's something you'd like us to consider for our Catch of the Day, you can email us. It's hackinghumans@n2k.com.

Joe Carrigan: Thank you, John. That was awesome. We haven't had the opportunity to do a -- like a screenplay in a while here.

Dave Bittner: No.

Joe Carrigan: Table read.

Dave Bittner: Great fun, great fun. Joe, I recently had the pleasure of speaking with Harry Maugans. He is the CEO of an organization called Privacy Bee, and we are talking about this notion of digital breadcrumbs. Here's my conversation with Harry Maugans.

Harry Maugans: So a digital breadcrumb is really, as a person uses the internet or goes through life in any way, unfortunately, to interact with most companies, it requires giving them some information. It requires creating some presence and making your existence known either publicly or within private hands. And every day that goes by you create more of those breadcrumbs. Eventually, they start compounding and piling up on each other until you have a pretty substantial, you know, breadcrumb and digital footprint.

Dave Bittner: Can you give us a sense for the scope of this? I mean, is this online shopping? Is it social media? Is all those things wrapped up?

Harry Maugans: So, primarily, it's things that show up in Google. You know, that's usually where people are most worried about having their breadcrumbs because that's what can expose a home address or a cellphone number or family, their kids' names, that kind of thing. But, realistically, there's a lot of places that create these breadcrumbs such as using your Kroger Plus card. Their discounts on groceries aren't just out of the kindness of Kroger's heart. They offer the Kroger Plus card as a way to sell the data of what you're buying to marketers. And that, then, you know, percolates to hundreds of companies in some cases. And all those companies are now starting to compile interests and -- and buying patterns on -- you know, on you. And that's just, you know, one breadcrumb. As -- you know, as you go through the day, you have quite a few more that are constantly accumulating.

Dave Bittner: Is there a generational aspect to this as well? I guess I'm -- is there a point at which this started to happen? You know, for folks like me who have been around for a while and have been online as long as there's been an online to be on, was there a moment in time when this really kind of kicked into gear? I guess I'm wondering how far back do we need to worry about?

Harry Maugans: That -- that's a great question. And there -- the answer is a little bit -- it's something I've debated before where, at some point our society, there's a switch that flipped. We used to be an opt-in society. I don't know where that moment in time was, but it changed, and we suddenly became an opt-out society where every company felt entitled to collect everything they could. Consent is a very fuzzy word. And, you know -- and to your point, when I was growing up, I was, you know, the generation, the same -- same as you were saying where, you know, when I first started getting online, my family, my parents told me, Hey. Don't use your real name. Use pseudonyms, right? There's -- you can't be, you know, safe if you're giving your information out there to anybody who wants it. Well, things are changing. This current generation is -- is really identity first. I mean, even to comment on YouTube, you have to disclose your information to Google, you know. I think it was -- was it LinkedIn or Twitter, one of those major platforms recently or X I guess it's called, they recently started requiring a government ID to confirm and verify identity. Yeah. LinkedIn partnered with CLEAR. And now you have to scan your face to confirm you are who you say you are. So identity's somehow become a required element of interacting in online mediums. And, I mean, it's always been there. But -- and so let me zoom out. There's a dichotomy. There is the digital breadcrumb where it's anonymous. It has a huge amount of tracking that happens, every website visited and dropping cookies, collecting mouse behavior, tracking, you know, page view history as you go from page to page and piecing it together to identify a browsing journey, all that anonymously being collected. And then you have the identified side where they know your name. They know your email address. They know who you are.
And all those previously anonymous behaviors get rolled up against your identity to tie it to your PII. And that's where also you can combine offline shopping behaviors, e-commerce behaviors, banking information, even what kind of magazines you subscribe to. All that stuff's collected and tied to an identity. The anonymous side, it's been happening, you know, for a decade more -- or more. Using the internet ever since analytics companies started tracking, you know, site visits, they added more and more tracking and more data collection. But, on the PII side, I would probably say it goes back probably 5 to 10 years things start getting really scary where it's -- you know, there's that -- that inflection point where the greed started outweighing the ethics and morality of data collection.

Dave Bittner: Yeah. What are the concerns here for like an enterprise level for folks who are running a company concerned about their employees? What -- what specific things should be of concern to them?

Harry Maugans: Well, if you see the news, I mean, every day it feels like there's a new data breach happening. And if you look into those data breaches, almost all of them are caused from overexposed PII online on an employee that's being used -- that's being weaponized through spearphishing or social engineering. So a bad guy finds some employee with a level of access that he's trying to compromise. They research that person online. They find everything about their family. They find everything about where they live, their address, previous cars they've had, anything they can get their hands on about that person. And then they can step into their shoes. They can call a support line and pretend to be that person. In the event that what just happened with MGM, social engineering. Or they can send a text message to that person pretending to be a family member or pretending to be a doctor of a VIM or of their son or daughter or any way they can trick that person to disclose a two-factor code to sidestep every bit of cybersecurity the employer has and really put all that training to waste because if you -- if you make the person believe it's a legitimate inquiry, they'll give you anything you want, usually.

Dave Bittner: Do you empathize with people who have a certain sense of resignation when it comes to this, that I hear a lot of people say, you know, well, it's all already out there. I'm just going to relax and go with the flow and -- because it doesn't do me any good to worry about it because I don't really have any control over it anyway.

Harry Maugans: Yes. That is a -- there's elements of data that you cannot mask very easily, such as property records, you know. You can buy a house in an LLC. But, ultimately, if you buy it using your name where the vast majority of people do, that is a public record. The difference is on -- same thing with arrest records. And you can't hide the fact that there's a public record about an arrest. But usually government sites that have this information is out there, they don't broadcast it. It's behind a login or a county clerk's office paper or something like that. The problem is the megaphones. They're the ones who scraped those county court office records and have such strong SEO that they're showing up on the front page of Google every time somebody searches for that person's name. And they make it a lot easier to obtain. And then they take that simple record like a property address and they append thousands and thousands of fields. And I'm not exaggerating. In a lot of cases, the data brokers expand a massive number of fields to say, hey. This person at this address has all of these interests, these hobbies, these nonprofit donation activities, this, you know, voting propensity, all kinds of information to create this very creepy profile on a person that should not be publicly available, in my opinion.

Dave Bittner: So what's to be done here? What sort of tools are available if somebody does want to try to claw some of this back?

Harry Maugans: I'm biased, but I believe Privacy Bee, you know, my company Privacy Bee is really the best suited one in the industry. There's a handful of companies helping to claw back that data and try to put the genie back in the bottle. A lot of them are focused more on high-volume customers, you know, whereas we focus more on quality and being as comprehensive of cleaning up the data as possible. And, as such, we're not the cheapest. But the way I'm looking at it, privacy is something that you really can't halfway do because, if there's three sites in Google exposing your home address and cell phone number, and a service only deletes one or two of them, the bad guy who's trying to impersonate you for social engineering, spearphishing, scamming, whatever it is, they're not going to know there was previously two sites that got deleted. They're going to search you, find that one result that has the data they want of your cell phone number, and they're going to use it and they're going to weaponize it. So unless you have a comprehensive approach covering as many sites as possible, like I think as of today, we have 440 data brokers and 145,000 separate websites we're tracking and scrubbing against. Without having a comprehensive solution, it's -- it's really not very effective for -- for trying to reclaim your digital footprint.

Dave Bittner: How do you calibrate people's expectations? I mean, what -- what is a reasonable expectation for the types of things that can actually be scrubbed?

Harry Maugans: Another great question. So there is no silver bullet. And a lot of people look at this saying, Hey. Privacy is magic. Or it's impossible, or it's some enormous feat. Well, we took the different approach. We publicize every single thing we do. We wrote step-by-step guides on how a person or an individual or employer or an employee can do the scrubbing by themselves. We scan a person for free. We point out all the exposures that everywhere -- everywhere we found them, and then we say, Hey. Here's what to do: Step one, click this link. Step two, send this email. Step three, click that form, whatever. The thing is, with our company, Privacy Bee is focused for economies of scale. So we take this very tedious and arduous process and we can scale it up -- out to resolve hundreds of exposures, whereas most people don't have the time to sit down for 20 or 30 hours and do it manually. But nothing here is magic. As far as expectations, I mean, everything that we do, the end user can do. We're just, you know -- you know, we're a commodity for those who don't have the hours to invest.

Dave Bittner: Right. It's like hiring an accountant if you don't want to do your own taxes, right? Most people don't have the expertise to do their own taxes.

Harry Maugans: You're hitting a sore spot. I don't like talking about taxes.

Dave Bittner: Fair enough, fair enough. How do the data brokers respond to these sorts of requests? Or, you know, to what degree are they above board and want to do the right thing, and how many of them are more difficult to work with?

Harry Maugans: So data brokers are pretty good. Some people search sites are a little more slippery. There's a couple of different answers to that. So if a state or a country has some kind of privacy legislation that allows us to legally compel a removal, we will actually capture a limited power of attorney. We will go through the steps and leverage the law to force the data broker to comply and then rescan to hold them accountable. Some areas, certain states, certain territories don't have a law today that's protecting them legally, which is unfortunate. And, you know, we actually have three lobbyists on retainer trying to fix that because we really believe in solving this problem. However, until then, we send in a request to a data broker that may not have, you know, legal legislative requirements to delete it. And we phrase it very formally. We try to encourage action and follow up aggressively. However, they could choose to say no, in -- however, they usually don't. Because when you're looking at a data broker, they might have, you know, 300 million, 500 million, a few billion if they're global profiles of individuals, massive amounts of data. They're trying to stay in the shadows. They're these companies, the Epsilons and Acxioms and these companies that are not household names that make millions of dollars buying and selling data. If somebody comes along like a Privacy Bee with a deletion request saying, Hey, please delete this John Doe from the database, it's easier for them to say, Sure. We'll remove them in good faith than try to push back, create animosity, a potential legal issue for them if they do something wrong and a blow up that causes them -- that forces them out of the shadows. So the easiest path for them is compliance. So while we do have some fights here and there, the vast majority of companies that are monetizing people's information immorally, in my opinion, they usually comply when a proper request comes in.

Dave Bittner: How does this work going forward? I mean, is this -- I suspect it's not a one and done sort of thing. There's a certain amount of ongoing vigilance that people have to have with this?

Harry Maugans: That's a hugely valuable point. A lot of people think, Hey, I deleted. I'm good. The problem is it's -- there's a cycle in the data broker industry. On average, we see about half of our exposures reemerge within the first six months, usually closer to five months, which is a huge percentage, right, where we just send a deletion in. They comply. They remove it, but then a few months later it pops back up again. And the reason for that is data brokers buy data from data originators or data sources. So, if you delete your grocery shopping profile from some marketing agency, and later they refresh it back with a company that buys from Kroger Plus, eventually, it will -- it'll repercolate through the ecosystem and reemerge again. So just because it's a deletion now doesn't mean it's permanent. So finding a way of monitoring it ongoing is -- you know, and then whenever it does reemerge, resubmitting the deletion requests -- it's almost like a game of Whack-a-Mole, Whack-a-Mole. It's very frustrating. However, you know, we rescan all of our people, it's usually seven days to 30 days depending on the license type. We're very, very aggressively monitoring what's going on. And then, as soon as we see it pop back up again, you know, within 24 hours, we resubmit the deletion and start the process all over again. So having a service is really -- your buying privacy is an ongoing investment in yourself, your quality of life, your quality your business almost as much as a single transactional, Hey, let's get this scrubbed and move on. You know, you -- unfortunately, the world is continuously collecting and repopulating these databases.

Dave Bittner: Do people notice a difference? I mean, after you and your colleagues have done your work or organizations like yours, is there anything in my life that I would notice? You know, are there fewer, I don't know, pestering text messages or calls or just would I notice a change.

Harry Maugans: Yes, yes. That's why we do it, right? At the end of the day, a telemarketer who's calling you every hour driving you insane making you want to throw your phone out the window, they're not just picking up their end and dialing random numbers. They buy a list of people to target. They take that list. They load it into some autodialing system, and they hit go. If you remove yourself from the data brokers that sell to these telemarketers, telemarketers know the numbers are going stale. Every day that goes by, less numbers they can connect with. So every month, every three months they have to buy a new dataset. So even if the telemarketer themselves doesn't remove you, if you're subscribed to an ongoing data removal service like Privacy Bee, we remove from the data brokers where, whenever the telemarketer does refresh the database, maybe next month, your name is no longer in that list. They're not selling your information anymore, which means, when they load that giant spam list into their call -- their autodialer and they hit go, it doesn't ring your phone. So, yes. The tangible result is you get less telemarketing. You get less spam text messages. You get less Hey, sell your house or buy this car extended warranty. And then, for businesses, they get less spearphishing, which is -- and less social engineering, which is -- you know, it's a huge point in the B2B world. You know, you talk about data breaches. You know, and -- you know, they invest in top of line cybersecurity. But we like to say cybersecurity is no longer enough in 2023. I mean, 100% of the companies that got breached last year had cybersecurity, and they still got breached. So removing, you know, the ability for attackers to see the employees like a juicy steak, that's really what's hardening, you know, the company's InfoSec where there's less spearphishing, less social engineering and, ultimately, less data breaches. So a lot of tangible results.

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, I like your analogy that you've said many times in this show about your personal data being like fissile material.

Dave Bittner: Right.

Joe Carrigan: Radioactive stuff.

Dave Bittner: Yeah.

Joe Carrigan: It's fine as long as it's spread out and not really concentrated in any one area. But once it starts getting concentrated, it becomes dangerous.

Dave Bittner: Right.

Joe Carrigan: Right. So one of the things that Harry talks about are affinity cards. And, you know, when you go to any of the stores around here, they all have their affinity card. And you can't get the special low price deals unless you have an affinity card.

Dave Bittner: That's right.

Joe Carrigan: There are a couple of tricks. Some of these places will have their own card that they can scan.

Dave Bittner: Yes.

Joe Carrigan: And you get -- you get the deals. Other places will say, I forgot my card, and they'll just give you the deal.

Dave Bittner: Right.

Joe Carrigan: And then there's the 8675309 trick.

Dave Bittner: Yes.

Joe Carrigan: Are you familiar with this trick?

Dave Bittner: I use it every day.

Joe Carrigan: Okay. So you --

Dave Bittner: I do. My local grocery store, I use it every day.

Joe Carrigan: Some people may not be familiar with the song. I don't know. I think everybody our age, once I said that phone number, they had that song in their head.

Dave Bittner: Yeah. It's Jenny's phone number.

Joe Carrigan: Right.

Dave Bittner: We all know Jenny, 8675309.

Joe Carrigan: If you take your area code, your local area code and put that in and then enter 8675309, somebody has set up a -- an affinity account under that number.

Dave Bittner: Guarantee it.

Joe Carrigan: Yep.

Dave Bittner: Yep.

Joe Carrigan: So you can use that one. Now, I've found some places where it doesn't work as well. Like, I've recently had some difficulty collecting the fuel points for that.

Dave Bittner: Oh, okay. Yeah.

Joe Carrigan: But I used to be able to get fuel points using that number. But it still does work at the store for -- as you say, it works. And all it does is it keeps your information out of the grocery store's hands with your buying power.

Dave Bittner: Right.

Joe Carrigan: Right. What you're buying. They don't know that that Dave Bittner is buying this?

Dave Bittner: No.

Joe Carrigan: They think that Jenny's buying this.

Dave Bittner: Right. And, boy. Jenny does a lot of shopping.

Joe Carrigan: Yeah, she does. There are a ton of people using this.

Dave Bittner: Yeah.

Joe Carrigan: I think the horse is already out of the barn on a lot of this for most of us, which is -- which is why Harry and his company have a business model.

Dave Bittner: Yeah.

Joe Carrigan: Because they go out and they try to remedy it. I try to use pseudonyms wherever I can. But I think it's pretty easy for companies to just make the association. Oh, this is Joe Carrigan. I know who this is.

Dave Bittner: Right.

Joe Carrigan: You know, we need to get back to an opt-in society instead of being opt out.

Dave Bittner: Yeah.

Joe Carrigan: I would -- I would like to see something happen where it's opt in. And Harry talks briefly about OSINT, or open source intelligence gathering. And, you know, when you're talking about the attack chain, this is part of the attack chain, particularly in an organization that you really don't have any control over. It's something that an attacker can go out and do because you kind of have to have this information out there. And your employees are going to have that information out there anyway. You as an individual might have some control over that. Like, I don't think I even show up in the Facebook member searches. Like, if you search my name and you and I aren't connected, I don't show up.

Dave Bittner: Okay.

Joe Carrigan: At least I think that. I don't -- haven't verified that because I don't have a second Facebook account.

Dave Bittner: Right.

Joe Carrigan: At least not yet. But these company -- a company doesn't have that. So that information is out there. And these gathering -- these people gathering the information, they're going to do it. So my recommendation is, just think that somebody already knows all the open source information that's out there about your company because they probably do. If they're good attackers, they're going to know that before they take their first action.

Dave Bittner: Yeah.

Joe Carrigan: Harry talks about websites requiring a photo ID. This is a nonstarter for me out of the gate by default. There might be a couple of exceptions to this, like if there is an online bank that requires me to do this for opening an account, I might do that. But, generally speaking, I'm not going to do that with an online bank. I'm going to go to a branch and open an account there.

Dave Bittner: Right.

Joe Carrigan: I -- but there are a lot of banks that are just online now.

Dave Bittner: Yeah.

Joe Carrigan: There -- we had a guest on a couple -- maybe a month or two ago that was on a dating app. I'm not single, so I don't need to use a dating app. A married man should never be on a dating app. But, were I single, I might consider using some kind of data verification service or something like that for a dating app.

Dave Bittner: Okay.

Joe Carrigan: I think that's probably a good personal security measure to make sure that people you're talking to are vetted. But, outside of those two situations, I can't think of a situation where I would be using an ID. You know, like, if Facebook said, Hey, Joe. We need to see your driver's license. I'm going to say no, close my account, delete all my data.

Dave Bittner: Yeah.

Joe Carrigan: I'd say that to them the moment they said that. That would be the end of the line for me and Facebook.

Dave Bittner: Right.

Joe Carrigan: Same with any social media platform. If LinkedIn said that to me tomorrow, I'm gone.

Dave Bittner: Yeah.

Joe Carrigan: That is -- that is a line in the sand for me.

Dave Bittner: I recently logged into Facebook again after a four-year break.

Joe Carrigan: I know. I saw you.

Dave Bittner: Yeah.

Joe Carrigan: We're still friends on Facebook.

Dave Bittner: Yeah, yeah. And -- and it -- so now Facebook is nagging me to, Hey, upload your contact list. I'm like, I'm not falling for that again.

Joe Carrigan: Right. Can't you say stop asking? I thought -- it nagged me for that for years, and I -- it doesn't nag me anymore.

Dave Bittner: Yeah. Maybe.

Joe Carrigan: I never gave it to him.

Dave Bittner: I don't know. Yeah. It's annoying. I joined Facebook, and I immediately realized why I had left. Just so --

Joe Carrigan: Are you -- are you -- are you enjoying it? So you're not enjoying it at all.

Dave Bittner: I mean, the reasons that I reconnected which were that I felt like there were some, you know, life events from friends that I was missing out on, so I'm -- that's the reason I'm there.

Joe Carrigan: Right.

Dave Bittner: But it is so noisy. Like, it's just -- the content is so diffuse. Like, there's just so much crap on there that the ads and the --

Joe Carrigan: Oh, yeah.

Dave Bittner: Yeah. Let me tell you. Mastodon is so much better.

Joe Carrigan: Right.

Dave Bittner: So much better. A nonalgorithmic feed is so much nicer.

Joe Carrigan: Yeah. Well, try to convince everybody on Facebook to go to Mastodon.

Dave Bittner: Well, that's the -- there you go. That's the problem.

Joe Carrigan: They won't -- they won't do it.

Dave Bittner: They will not. No.

Joe Carrigan: Amplifiers. Do you remember when we went to the KnowBe4 conference?

Dave Bittner: Yep.

Joe Carrigan: And the late Kevin Mitnick was on stage.

Dave Bittner: Right.

Joe Carrigan: It was after we had interviewed him.

Dave Bittner: Yeah.

Joe Carrigan: Highlight of my career, by the way.

Dave Bittner: Very nice.

Joe Carrigan: So thank you for that opportunity, Dave.

Dave Bittner: Yeah. Sure.

Joe Carrigan: During that presentation, he gave a -- he showed us a tool that had all kinds of information about somebody.

Dave Bittner: Yeah.

Joe Carrigan: And had a volunteer from the audience come up. And the guy just got this horrified, shocked look on his face as he saw this information that was about him in this tool. And Kevin wouldn't share the information about what the tool was. He wouldn't tell us what it was. He wouldn't tell anybody. I asked him. He said, I'm -- can't tell anybody about what that is. I don't know what it is. Somebody at the conference suggested it might be a private investigation tool like for PIs.

Dave Bittner: Yeah.

Joe Carrigan: Private investigators. But this data about you is out there. It exists.

Dave Bittner: Yeah.

Joe Carrigan: And en masse. And it's -- I think it's funny when Harry talks about how these data brokers comply with his request to remove data from people or on people from their systems. They just want it -- they just want it to go away real quiet. I think it's really kind of -- kind of interesting. And he mentions two of these data brokers in particular. One is Epsilon, and the other one is Acxiom. And I looked those companies up to see are these companies, what are they? They're both divisions of other companies. One of them came from a merger between JC Penney Credit Corporation and The Limited Credit Corporation. And they had all this customer data, and that's how they started getting -- getting big. It's really interesting. You can read their Wikipedia article on these corporations, on their parent corporations, which, you know, the information is out there. But they don't say a lot. There's not a lot known about these two companies.

Dave Bittner: Right.

Joe Carrigan: Or these two organizations. They're actually divisions. Interesting that, once again, or once, after you delete the information, it starts showing up again. It's because you continue using the internet.

Dave Bittner: Right.

Joe Carrigan: Right. And it's just out there. The key point is that security and privacy are two different things. We talked earlier in the show about Google and their full stack of privacy intrusion. Google does security very, very well. You are probably at very minimal risk using Google services for a security breach. But you have to understand that your privacy does not exist as far as Google is concerned. They know a lot about you.

Dave Bittner: Yeah.

Joe Carrigan: Same with Facebook. Same with Meta and Twitter and LinkedIn. All of these companies -- which is owned by Microsoft now. All these companies are just amassing huge troves of data about you.

Dave Bittner: Right.

Joe Carrigan: And there's little you can do to -- to keep them from doing it except -- well, they're -- I mean, you can take extreme measures, and that is --

Dave Bittner: You could move to the EU.

Joe Carrigan: That would be good if we had something like that. Anyway, that's -- that's my big point for the end of the show is that privacy and security are two different things.

Dave Bittner: Yeah.

Joe Carrigan: Keep that in mind.

Dave Bittner: All right. Well, our thanks to Harry Maugans from Privacy Bee for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.