Penn Jillette: [00:00:00] Most of your crimes are done by high, stupid, incompetent people who are willing to perpetrate violence on other people. I don't think there's any difference in the cyber world.
Dave Bittner: [00:00:13] Hello, everyone. And welcome to another episode of the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:33] Hi, Dave.
Dave Bittner: [00:00:34] Got some good stories to share this week. And later in the show, we've got an interesting interview. Oh, I don't know. Nobody important - just Penn & Teller.
Joe Carrigan: [00:00:40] This is awesome.
Dave Bittner: [00:00:43] (Laughter) Yeah, so that's exciting. We'll be talking with magicians Penn & Teller.
Dave Bittner: [00:00:47] But first, a word from our sponsors, KnowBe4. So who's got the advantage in cybersecurity, the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor, KnowBe4, that put it into perspective.
Dave Bittner: [00:01:15] And we are back. I'm going to kick things off for us this week, Joe.
Joe Carrigan: [00:01:18] All right.
Dave Bittner: [00:01:18] I got a story - came by from The Guardian. This is written by Hilary Osborne. The title is "Revealed: Fake 'Traders' Allegedly Prey on Victims in Global Investment Scam." It's similar to some things we've heard before. This is - some folks were targeted, sounds like in Britain and Australia. This was a scam being run out of Ukraine. And the scam started with ads on Facebook.
Joe Carrigan: [00:01:47] OK.
Dave Bittner: [00:01:48] And the ads on Facebook featured celebrities. In this case, they say people like Gordon Ramsay, people like...
Joe Carrigan: [00:01:54] Is that Hugh Jackman?
Dave Bittner: [00:01:55] That is Hugh Jackman, yep. And so these ads would feature celebrities and say, these celebrities are taking part in this investment plan. You, too, can be part of this investment plan. But, of course, the whole thing was a scam.
Joe Carrigan: [00:02:10] Yeah.
Dave Bittner: [00:02:11] If you reply to the ad, you'll get a call from someone calling from a call center in Ukraine. And they would start off by asking you for a small investment, just to get you to hand over some money. And they also would ask you to - wait for it - install an app on your computer. Now, this app, according to them, was just so they could demonstrate to you how to use the software so they could have control to show you what to do.
Joe Carrigan: [00:02:36] OK.
Dave Bittner: [00:02:37] But, of course, there was a lot more going on. They would have complete control of your computer.
Joe Carrigan: [00:02:41] Right.
Dave Bittner: [00:02:42] And the scammers would use that control to take control of your bank account.
Joe Carrigan: [00:02:46] Interesting.
Dave Bittner: [00:02:47] Yeah.
Joe Carrigan: [00:02:48] My favorite part of this one so far is that they ask you for some money upfront. And then once you've given that money, then they install the malware.
Dave Bittner: [00:02:55] Yeah, I don't know that it's that order of operations every time.
Joe Carrigan: [00:02:57] OK.
Dave Bittner: [00:02:58] But it definitely seems as though they started off asking for a small bit of money to...
Joe Carrigan: [00:03:03] Right.
Dave Bittner: [00:03:03] ...Kind of set the hook...
Joe Carrigan: [00:03:04] Yes.
Dave Bittner: [00:03:05] ...And get you going.
Joe Carrigan: [00:03:07] That's actually very powerful. You know, it's that sunk cost fallacy kicking in, right? It's very easy to use incrementalism to just kind of continue to get people along once they've sunk a little bit of money into something.
Dave Bittner: [00:03:19] Yeah. So what would happen next is once they had invested some money, they would log in to their account with this investment firm. And, of course, it's all fake.
Joe Carrigan: [00:03:29] Right.
Dave Bittner: [00:03:29] They would log in, and it would show that they had made a lot of money.
Joe Carrigan: [00:03:33] Right.
Dave Bittner: [00:03:33] For example, an investment of 2,000 pounds would come back showing that it was now worth 35,000 pounds.
Joe Carrigan: [00:03:40] Almost like OneCoin.
Dave Bittner: [00:03:42] Yeah. So the problem was when they wanted to withdraw the money, one person said that the trader told him he could only access his money if he paid more than a thousand pounds in bank fees and commissions (laughter).
Joe Carrigan: [00:03:56] And then I'll bet the money still doesn't come.
Dave Bittner: [00:03:58] Right. Others said that they were told their withdrawal was pending, but they never saw their returns. Now, this was all revealed by a whistleblower, someone who worked in this organization.
Joe Carrigan: [00:04:10] Really?
Dave Bittner: [00:04:11] And this person worked in the second tier. So once these guys took your money...
Joe Carrigan: [00:04:17] Yeah?
Dave Bittner: [00:04:17] ...Someone else would call from within the organization, claiming to work for a different organization that was going to help you get your money back, and they just needed an upfront fee.
Joe Carrigan: [00:04:28] Yeah, this is the follow-on scam.
Dave Bittner: [00:04:30] Yes.
Joe Carrigan: [00:04:30] Right?
Dave Bittner: [00:04:30] Yes. So they would claim to be from a completely different organization, and they were here to help you...
Joe Carrigan: [00:04:35] Right.
Dave Bittner: [00:04:36] ...Get your money back. But, of course, they were just...
Joe Carrigan: [00:04:39] Another scam.
Dave Bittner: [00:04:39] ...Getting more money from you.
Joe Carrigan: [00:04:40] Right.
Dave Bittner: [00:04:41] Yeah. This whistleblower revealed some internal notes from within the organization. There was one where they described speaking to a 67-year-old Swedish victim who sold her home to pay, had no money - crying. She told the people, I can't pay the rent or buy food; I feel as though I have no life.
Joe Carrigan: [00:05:00] So this person's conscience got to him. And it's also possible that the people who were paid for this to be part of this scam were not aware that they were part of a scam.
Dave Bittner: [00:05:10] I suppose it's possible. It seems, though, in this case, everybody seems to know what was up.
Joe Carrigan: [00:05:14] They know what's going on.
Dave Bittner: [00:05:15] Yeah.
Joe Carrigan: [00:05:15] But why then blow the whistle?
Dave Bittner: [00:05:17] That's a good question. I don't know. Perhaps - the story doesn't really lay that out. Perhaps he had a moment of conscience. I don't know. But it could just be a disgruntled employee. It does say that they were paid commission based on how much they scammed people out of. But they would go in and just take their bank accounts and empty them out.
Joe Carrigan: [00:05:36] That's sad.
Dave Bittner: [00:05:37] Yeah. They followed up with this organization who - it's a group called the Milton Group. And, of course, they claim that there's nothing to these allegations, that they are on the up and up. So we'll see what happens as the investigations make their way through law enforcement, if they can...
Joe Carrigan: [00:05:52] The company is still around? Or this organization's still around?
Dave Bittner: [00:05:55] The organization that is alleged to be behind this is still around. That organization claims to not be up to any of this. So it's - they're denying everything. Yeah, so we'll see what happens as it makes its way through.
Dave Bittner: [00:06:06] One of the things that stuck out to me here was that the people they interviewed for this article - they were able to get in touch with several of the people who fell victim to this, and many of them did not want their names used...
Joe Carrigan: [00:06:24] Right.
Dave Bittner: [00:06:24] ...Because they said their families did not know...
Joe Carrigan: [00:06:28] They had...
Dave Bittner: [00:06:28] ...They had...
Joe Carrigan: [00:06:29] ...Fallen victim to it.
Dave Bittner: [00:06:30] Yes.
Joe Carrigan: [00:06:31] Yep.
Dave Bittner: [00:06:31] And that is a big part of why these people get away with this.
Joe Carrigan: [00:06:35] It is. It's a huge part of why they get away with it.
Dave Bittner: [00:06:38] So - recommendation. I would say, preemptively, to have a conversation with your loved ones...
Joe Carrigan: [00:06:44] Right.
Dave Bittner: [00:06:44] ...And say, listen...
Joe Carrigan: [00:06:44] Particularly your older loved ones.
Dave Bittner: [00:06:46] Right. And say, listen; if anything like this happens, please, come talk to me about it. I'm not...
Joe Carrigan: [00:06:52] Right.
Dave Bittner: [00:06:52] ...Going to be disappointed in you or ashamed of you or anything. The best thing that can happen is for us to be able to talk about these things. And then we can work together to try to resolve it the best way possible.
Joe Carrigan: [00:07:03] Right.
Dave Bittner: [00:07:04] But this fear keeps people silent.
Joe Carrigan: [00:07:06] And the embarrassment, too.
Dave Bittner: [00:07:07] Yeah.
Joe Carrigan: [00:07:07] Particularly with your kids. I mean, I can imagine me being another 20 years older and having to look at my kids and going, well, your dad, who raised you and told you everything about the world, is so dumb that he fell for this. And...
Dave Bittner: [00:07:20] Right.
Joe Carrigan: [00:07:21] ...That's horrifying to me. I absolutely get why people don't want to tell their loved ones that this has happened to them.
Dave Bittner: [00:07:27] Yeah.
Joe Carrigan: [00:07:27] I totally get it.
Dave Bittner: [00:07:28] Yeah. And the scammers rely on that.
Joe Carrigan: [00:07:30] Yeah, they do.
Dave Bittner: [00:07:31] All right. Well, that is my story. What do you have for us this week, Joe?
Joe Carrigan: [00:07:34] Dave, my story comes from the Federal Trade Commission, which is part of the U.S. government. And they have a nice website up today that has - actually, they put it up last month. But it's a warning about scams involving the coronavirus. Now, the coronavirus is all over the news, right?
Dave Bittner: [00:07:50] Yeah.
Joe Carrigan: [00:07:50] It is top of mind for everybody. Last week, the stock market took a big hit because of the coronavirus.
Dave Bittner: [00:07:55] Right.
Joe Carrigan: [00:07:56] And everybody knows what the coronavirus is, right? So scammers say, there's an opportunity.
Dave Bittner: [00:08:01] (Laughter) Yeah.
Joe Carrigan: [00:08:02] Right?
Dave Bittner: [00:08:03] Right.
Joe Carrigan: [00:08:03] And these are some of the vectors they talk about in this blog post. They talk about looking for any kind of information about the coronavirus. So just getting an email that talks about the coronavirus and has, like, links and purports to be from the Centers for Disease Control, the World Health Organization - those are all great ways to get people to click on a link.
Dave Bittner: [00:08:24] I see.
Joe Carrigan: [00:08:24] Right? Hey, there's a coronavirus outbreak in your area. Click here.
Dave Bittner: [00:08:28] Right.
Joe Carrigan: [00:08:28] Don't click there.
Dave Bittner: [00:08:29] Here's the information you need to know.
Joe Carrigan: [00:08:31] Right - to survive.
Dave Bittner: [00:08:33] Right.
Joe Carrigan: [00:08:33] Right? That's the scare tactic.
Dave Bittner: [00:08:35] Yeah.
Joe Carrigan: [00:08:35] Right? And that's what's going to happen. This hasn't happened en masse yet, but it's coming. So I want to get out in front of this and tell people about it so they know it when they see it.
Dave Bittner: [00:08:44] Yeah.
Joe Carrigan: [00:08:44] Another one is - this is interesting. There is no vaccine for the coronavirus yet, but there's going to come offers for vaccines, right? And this is going to be an opportunity for more malware downloads or possibly even a scam where, hey, you can have your vaccine. It's going to cost you a hundred-fifty bucks. Send me the money, and someone will show up at your house. And, of course, nobody will ever show up.
Dave Bittner: [00:09:06] Right.
Joe Carrigan: [00:09:06] There is no vaccine for this.
Dave Bittner: [00:09:07] Move to the front of the line.
Joe Carrigan: [00:09:08] Right.
Dave Bittner: [00:09:08] Protect yourself and your family.
Joe Carrigan: [00:09:10] Exactly. Another vector - of course, we see this frequently whenever there's any kind of world disaster - charitable organizations, right? - charitable organization scams, I should say. There are charitable organizations out there, I'm sure, that are equipping themselves to deal with a coronavirus outbreak here in the United States and abroad. But there's going to be a lot of scams out there, soliciting donations for helping with the coronavirus. Do your research on these organizations. Only donate money to organizations you're familiar with. And don't respond to email solicitations for donations. Just don't do it. I don't think it's a good idea.
Dave Bittner: [00:09:47] Yeah. There's also - I have a friend who used to work with a lot of these nonprofits. She was trained in emergency response, disaster response...
Joe Carrigan: [00:09:57] Right.
Dave Bittner: [00:09:58] ...And so forth. And she made the point to be sure to check with these organizations for what they really need before you start sending them things.
Joe Carrigan: [00:10:06] Yes.
Dave Bittner: [00:10:07] The example was whenever there's a disaster like this, these folks end up with shipping containers full of teddy bears....
Joe Carrigan: [00:10:14] Right.
Dave Bittner: [00:10:15] ...That no one can use.
Joe Carrigan: [00:10:16] Yeah. Like the earthquake in Haiti that happened a few years ago. People sent coats.
Dave Bittner: [00:10:22] Yeah.
Joe Carrigan: [00:10:22] Container ships full of coats.
Dave Bittner: [00:10:24] Right.
Joe Carrigan: [00:10:24] And nobody in Haiti needs a coat.
Dave Bittner: [00:10:26] Oh, I see.
Joe Carrigan: [00:10:27] Right.
Dave Bittner: [00:10:27] Sort of wrong climate.
Joe Carrigan: [00:10:28] Right.
Dave Bittner: [00:10:29] Yeah. So check with them. And my understanding is that most of the time, what they need most is money.
Joe Carrigan: [00:10:35] Right.
Dave Bittner: [00:10:35] And then they can use that money for the best things that they can use that money for. So...
Joe Carrigan: [00:10:38] Exactly. And that's true, because money is easier to move than supplies.
Dave Bittner: [00:10:42] Yeah.
Joe Carrigan: [00:10:42] Right?
Dave Bittner: [00:10:43] Yeah.
Joe Carrigan: [00:10:43] And that's interesting that you point that out, because that's really what these scammers are after, too. So it does have a legitimate purpose for the charities and for the nonprofits that are doing this.
Dave Bittner: [00:10:53] Right.
Joe Carrigan: [00:10:53] But you've got to be careful about who you're giving your money to.
Dave Bittner: [00:10:56] Yeah, absolutely.
Joe Carrigan: [00:10:57] And you and I are sitting here saying, don't send anything that they don't need. Send them money. That's probably what they need the most. But at the same time, the scammers are going to be going after that.
Dave Bittner: [00:11:04] Yeah.
Joe Carrigan: [00:11:05] That's sad. Finally, and I thought this was interesting because I hadn't considered this, but the FTC wants you to be aware of investment opportunity scams. Hey, here's a company that's found a vaccine for the coronavirus. Do you want to get in on the ground floor of this investment? That's going to make millions, right? You'd think, anyway. I hadn't even considered this as a vector.
Dave Bittner: [00:11:27] Right.
Joe Carrigan: [00:11:27] But the FTC has. So pretty clever, I think.
Dave Bittner: [00:11:30] Right. Yeah, some pharmaceutical company spinning up - now's your chance to get in on the ground floor.
Joe Carrigan: [00:11:36] Right, exactly.
Dave Bittner: [00:11:37] This is going to be a global thing. We're all going to get rich, I tell you - rich.
Joe Carrigan: [00:11:40] We're all going to make billions.
Dave Bittner: [00:11:41] Yeah.
Joe Carrigan: [00:11:41] Yeah, absolutely, 'cause everybody's going to need to get a coronavirus vaccine. There are 7 billion people in the world. That's a lot of money.
Dave Bittner: [00:11:49] Yeah (Laughter). Oh, man.
Joe Carrigan: [00:11:50] (Laughter).
Dave Bittner: [00:11:50] Yeah, yeah. All right. Well, it's a good resource here from the FTC.
Joe Carrigan: [00:11:54] Yes.
Dave Bittner: [00:11:55] We'll have a link to that in the show notes.
Dave Bittner: [00:11:57] It is time to move on to our Catch of the Day.
0:12:00:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:12:04] Joe, you brought us our Catch of the Day this week. It's a little unusual story here. Can you give us the background?
Joe Carrigan: [00:12:10] OK, so you're aware that I have my personal comedy podcast...
Dave Bittner: [00:12:14] Yes.
Joe Carrigan: [00:12:14] ..."Things Joe Hates," right?
Dave Bittner: [00:12:15] It's comedy, is it?
Joe Carrigan: [00:12:17] (Laughter) Thanks, Dave.
Joe Carrigan: [00:12:19] It's essentially angry old man yells into microphone while wife and future son-in-law make fun of him.
Dave Bittner: [00:12:24] I see. Way to sell it, Joe.
Joe Carrigan: [00:12:25] Right?
Dave Bittner: [00:12:25] Way to sell it. All right.
Joe Carrigan: [00:12:27] And I guess - can you guess which role I play?
Dave Bittner: [00:12:29] (Laughter).
Joe Carrigan: [00:12:31] So the producer on that show actually is my daughter's fiance. His name is Jake. And one of Jake's hobbies is he is big into football. And he's also a software developer. So he got together with some guys, and they developed this game - this football simulation game. And as part of the simulation game that they built, they also put a Wiki on how to use it together using the Wikimedia standards...
Dave Bittner: [00:12:56] OK.
Joe Carrigan: [00:12:56] ...Right? However, whenever you stand up a Wiki, you run the risk of being found by some bot engine. And that's exactly what happened to this Wiki. And these bots came into this Wiki. They defeated the CAPTCHA...
Dave Bittner: [00:13:11] Oh.
Joe Carrigan: [00:13:11] ...Right? - which is apparently trivial to defeat. And they created 15,000 accounts on this Wiki.
Dave Bittner: [00:13:21] OK.
Joe Carrigan: [00:13:21] Now, when they create these accounts, they actually put text into the user page of the accounts. And Jake saved some of these for us. So I have them here - a few of the select ones with some highlighted ones. Some of them are short. Some of them are very long. We're not going to read all of it. But it's hilarious because it's obviously just cut from webpages and then pasted into these bot engines, which, in turn, loaded into the Wikimedia server.
Dave Bittner: [00:13:48] And what's the point? Why are they doing this? What are they...
Joe Carrigan: [00:13:50] They're doing this for spam, I think, because they have links in here to adult sites, you know, and other things.
Dave Bittner: [00:13:57] Right.
Joe Carrigan: [00:13:58] They may also be using it for some other future capability. They may be using it for denial of service with some cross-site scripting. I don't know.
Dave Bittner: [00:14:06] Gaming search engines, I suppose, is part...
Joe Carrigan: [00:14:08] Right.
Dave Bittner: [00:14:08] ...Of it, too.
Joe Carrigan: [00:14:08] Gaming search engines could be a big part of it.
Dave Bittner: [00:14:10] Getting this text out there - yeah, the crawlers find it. And, yeah, it makes it seem more prevalent. All right, well, shall I go through and read some of these?
Joe Carrigan: [00:14:17] How about this? How about you read one, and then I'll read one, and then you read one, and then I'll read one?
Dave Bittner: [00:14:22] All right. Very good. I will start off with this one - two tablespoons raw, unsalted peanuts chopped. Preheat oven to 375. Season cod on both sides with kosher salt and freshly ground pepper. Cut a 12-inch square of parchment paper, and fold it in half lengthwise.
Joe Carrigan: [00:14:36] Hello. My name is Brit (ph). I smile that I could join the entire world. I live in United States in the N.C. region. I dreamt to head to the various countries to obtain acquainted with appealing people.
Dave Bittner: [00:14:50] I am Ashley (ph) from Bad Pirawarth. I love to play banjo. Other hobbies are college football.
Joe Carrigan: [00:14:55] (Non-English language spoken). This is obviously written in some other language. I don't even know what this is. And this has a link - my homepage - and has a link to the homepage.
Dave Bittner: [00:15:05] Adult toys. I totally understand you because I don't really eat meat either. And I get to no iron, and I don't know what to do because I'm going to get really sick soon. I eat plain pasta for dinner and a bagel for lunch every single day.
Joe Carrigan: [00:15:17] Adult stores near me. If you want to turn an ordinary night into something enchanting, get this kit. Honestly, it tasted great and was fun and really set the mood for great lovemaking. Unless you don't want romance, there is no reason not to get this kit.
Dave Bittner: [00:15:30] The blogger above is no exception and clearly doesn't have their facts correct. Clark (ph), Young (ph) and Wright (ph) are just the latest victims of dirty politics by The Old Guard, Robinson (ph) and her posse of haters. So don't be deceived or be part of their lies. Boss each other around in bed.
Joe Carrigan: [00:15:44] Adult toys. And this was way before skinny jeans became a common thing for guys to wear. At one time, you never even considered that family members might be on a different team. So yours had just caught herself and tried to fix it just in case, you know?
Dave Bittner: [00:15:59] I initially thought that perhaps I was supposed to get a bottle opener and pop off the bottle cap. However, some visual inspection showed me that it is too wide to get out through the top, so I gave that idea up. Next, I noticed a thin band of plastic tightly wrapped around the bottom. As stated before, we are huge horror movie fans, and we really enjoyed this movie for that reason alone.
Joe Carrigan: [00:16:17] Many aren't conscious of using nearly all of its functions, though nearly all of us have an Apple iPhone now. Well, it might seem this way. You will be not the only real individual that is unsure about the iPhone has to offer. If you wish to know more about the incredible iPhone, this content below is just what you want. You don't have to click the little X if autocorrect wants you to select a definite word, so you don't want to choose that word. Are you able to tap anywhere else on the screen? And also, the little suggestion goes away. This can be a lot quicker than seeking to go through the X.
Dave Bittner: [00:16:51] All right, so a lot of word salad, really.
Joe Carrigan: [00:16:54] Right, exactly.
Dave Bittner: [00:16:55] Yeah.
Joe Carrigan: [00:16:55] The word salad is the funny part.
Dave Bittner: [00:16:56] (Laughter).
Joe Carrigan: [00:16:57] I like how one of them just jumps to liking to play banjo.
Dave Bittner: [00:17:00] Now, how does Jake deal with this? Can - does he have the ability to just wipe them all out?
Joe Carrigan: [00:17:05] Yeah. What he did was he disabled the ability to create new accounts. And then he went through and deleted all the accounts that were created between specific times.
Dave Bittner: [00:17:16] I see.
Joe Carrigan: [00:17:16] That's how he got rid of them.
Dave Bittner: [00:17:17] I see.
Joe Carrigan: [00:17:18] Because it's not a big project, right? He's not working for a corporation. This is just something he does as a hobby on the side. Now when somebody wants to create an account, they have to send him an email. He has to know who they are. And, you know, they have to be players on the game in order to be...
Dave Bittner: [00:17:31] Right.
Joe Carrigan: [00:17:31] ...Able to update the system.
Dave Bittner: [00:17:32] Right, right, right.
Joe Carrigan: [00:17:33] But, I mean, this is the kind of stuff that somebody who's just trying to set up something to be helpful has to deal with, you know? It's irritating.
Dave Bittner: [00:17:41] Yeah, even with the CAPTCHA, they just...
Joe Carrigan: [00:17:42] Yeah.
Dave Bittner: [00:17:43] ...Got right on by that.
Joe Carrigan: [00:17:44] Oh, they bypassed the CAPTCHA...
Dave Bittner: [00:17:44] (Laughter).
Joe Carrigan: [00:17:44] ...Very quickly.
Dave Bittner: [00:17:45] Right.
Joe Carrigan: [00:17:47] I'm not sure how they did it, but...
Dave Bittner: [00:17:48] Yeah.
Joe Carrigan: [00:17:48] ...They did it.
Dave Bittner: [00:17:49] Welcome to the internet, where you can give no one the benefit of the doubt.
Joe Carrigan: [00:17:52] Right.
Dave Bittner: [00:17:52] Yeah. All right, well, that is our Catch of the Day. Thanks to you. And thanks to Jake for bringing that to us. Coming up next, the conversation I recently had at the 2020 RSA Conference with magicians Penn & Teller.
Dave Bittner: [00:18:05] But first, a word from our sponsors, KnowBe4. Now let's return to our sponsor's question about the attacker's advantage. Why do the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a failure rate of over 10%. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and maybe out of business. The last line of defense is your human firewall. You can test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:19:08] So, Joe, I was recently at the 2020 RSA Conference...
Joe Carrigan: [00:19:12] Yeah.
Dave Bittner: [00:19:12] ...Big cybersecurity conference out in San Francisco. And one of the highlights of the conference was they brought in Penn & Teller to do some of their magic for the attendees.
Joe Carrigan: [00:19:22] Awesome.
Dave Bittner: [00:19:23] They actually did a special magic trick that had to do with cybersecurity and passwords and that sort of stuff. So it was great fun. But when we got word that they were coming, we reached out and asked, as media partners with RSA for the conference this year, would Penn & Teller be willing to spend a few minutes talking to us about social engineering and scams and things like that? And wouldn't you know, they went for it.
Joe Carrigan: [00:19:44] That's great.
Dave Bittner: [00:19:46] (Laughter) So...
Joe Carrigan: [00:19:46] Dave, I have never truly been jealous of you until this. I generally try to be happy for people...
Dave Bittner: [00:19:52] Yeah, yeah.
Joe Carrigan: [00:19:52] ...When this kind of thing happens. But I must confess, I am jealous that I wasn't there for this.
Dave Bittner: [00:19:56] Well, we had a good time. They gave us a few moments before they were ready to go on to do their show. We were back in the green room as they were preparing to go on and do their show. So here's my conversation with Penn & Teller.
Penn Jillette: [00:20:09] When you're doing a con one-on-one or even conning in a pyramid scheme a few thousand, there's some sort of investment to get over the hump, whether that's having to expose yourself to possibly being busted. But the thing about phishing scams is you can send out, you know, a hundred million emails, and all you have to do is hit your most vulnerable. So whereas someone who's doing a pigeon drop scam or any of these get-rich-quick scams or even paving-your-driveway scams...
Dave Bittner: [00:20:49] Right.
Penn Jillette: [00:20:49] ...Or any of that, you have to find an older person in their home. You have to go there. You might be bumping into an ex-law enforcement person who's aware of this stuff. There's a lot of risk. When you're sending out hundreds of millions of emails, you know, you don't need to get close to one-hundredth of 1% to be able to hit, so you can dumb them down tremendously to protect yourself. You don't want to get someone on the hook who is at all savvy.
Dave Bittner: [00:21:25] Right, right.
Penn Jillette: [00:21:26] So there's a - the difference in numbers changes the whole con thing, although it does come down to, you know - and you don't want to overstate this, 'cause you end up blaming the victim for the crime, which is always a mistake...
Dave Bittner: [00:21:41] Right.
Penn Jillette: [00:21:42] ...But it does come down to something for nothing. And you have to be very careful of that, you know? You're not going to be offered the deal that's something for nothing. And it's very hard to remember that because it's very seductive. But once again, I don't want to get close to then blaming the victim for the crime - you know what I mean?
Dave Bittner: [00:21:58] Yeah.
Penn Jillette: [00:21:59] We do that so easily in scams, going, oh, these people that fall for this are stupid, or, these people - I mean, it's a small step from there to, you know, she shouldn't have been dressed like that walking on the street. It's a small step to that. And it's deeply, deeply immoral.
Dave Bittner: [00:22:15] Yeah. Do you feel as though, with the perspective that you have, the knowledge that you have - like, I'm imagining if you're walking down the street and you see someone doing a shell game, you know, like, you know what - the mechanisms that are going on. You can watch that...
Penn Jillette: [00:22:31] Right, but...
Dave Bittner: [00:22:31] ...From a different point of view than me.
Penn Jillette: [00:22:33] But no, no, no, because that's part of the lie. You know, when David Mamet writes about scams, it's always this kind of beautiful interplay that shows basic human needs and desires. That's not what's going on in three-card monte. If Teller and I were to go up and know every single move and be able to see the move - which we couldn't do anyway, but let's postulate that we could - we could see the move and therefore be able to make the bet and stop them from doing the turnover and stop all of that. There are six people working that scam, and they will pull you in the back alley, beat you up and take your money.
Dave Bittner: [00:23:13] I see (laughter).
Penn Jillette: [00:23:14] It is not someone outsmarting you at a game. It is somebody who is a thug, a bully, a violent person operating outside of the trust of society who will hit you. So if you were able to say, that's where the queen is, hold the person's hand back, turn over the queen, show that to them triumphantly, they are not going to go, jolly good, well played; here's our money.
Dave Bittner: [00:23:44] Right.
Penn Jillette: [00:23:44] They're not going to say that. They're going to have the three people who are standing beside you in the crowd who are shills. They're going to have the two people who are lookouts. And they're going to have the thrower just take you and move you into a place where there's nobody around and beat you senseless.
Dave Bittner: [00:24:01] Yeah.
Penn Jillette: [00:24:01] I was just on the bridge in London right by Big Ben.
Dave Bittner: [00:24:09] Right.
Raymond Teller: [00:24:09] Westminster Bridge.
Penn Jillette: [00:24:10] Yeah, Westminster Bridge. And they were doing three-card monte, and I thought foolishly - I guess I felt I was in a big enough crowd that I was safe. I pulled out my cellphone, and I held it up to just get a bit of video because I was going on Piers Morgan the next morning. I thought maybe I could show the video. And a - the person next to me, who was just watching, just like me, grabbed my hand so forcefully and pulled it down and gave me a look that said, I'm going to beat the [expletive] out of you.
Dave Bittner: [00:24:44] Really?
Penn Jillette: [00:24:45] Oh, yeah. So there's no pretense of there being some sort of game. When Mamet - or when we talk about, you know, Melville - "The Confidence-Man" - we talk about cheaters, we often have this sense of cleverness. It's so well-orchestrated. These pickpockets are so smart. And if they're razoring your pocket to cut your wallet out, they will also razor your throat. So we can't pretend that people - and there's even that romance that goes on in phishing scams.
Dave Bittner: [00:25:20] Right.
Penn Jillette: [00:25:20] Here's how smart they were to throw a thumb drive in the parking lot that someone picked up and checked it out. The people that decide to do that are operating outside of our rules. So if they - if you were to outsmart them, they will beat you up. And I have a very strong feeling about this because, especially in magic, there's this - some sensibility of, oh, this card cheater's moves are so perfect. They're so beautiful. They're actually more skilled.
Dave Bittner: [00:25:51] Right.
Penn Jillette: [00:25:52] That is a lot like saying that a rapist is good sexually. It's ignoring the most important thing, which is that this is a crime. Rapists are not good at sex, and con men are not good at cards. They are doing an immoral, terrible thing.
Dave Bittner: [00:26:11] But is it fair to dismiss what might be a certain level of craft? They've become good at it through practice, yes?
Penn Jillette: [00:26:17] I think the craft - you know, you'll always see this stuff like, oh, pickpockets...
Dave Bittner: [00:26:23] Right, right.
Penn Jillette: [00:26:23] ...They're so good and so quick at the handoffs. Yes, compared to someone doing it for the first time, not compared to the Olympic relay team (laughter).
Dave Bittner: [00:26:32] Right. Right, right, right.
Penn Jillette: [00:26:34] You know, and the people who have clever phishing scams are not anywhere near the level of the people who developed Unix at Bell Labs, you know?
Dave Bittner: [00:26:44] Right.
Penn Jillette: [00:26:45] It's just we make a big mistake when we glorify anything about this. I mean, yes, they are better than we would be the first time out. And there's no doubt that people who cheated at cards can do some astonishingly good moves.
Dave Bittner: [00:27:04] Yeah.
Penn Jillette: [00:27:04] But I don't think there's anybody - and I may be wrong on this 'cause I'm thinking about Steve Forte. I don't think there's anybody that - you know, it's like Christopher Hitchens' things about atheists. Yes, people who are religious have done incredibly moral things, but there are people without religion who have always matched that. I believe in magic that there isn't anyone in cheating that has done moves that nobody working morally can do. I think that's true.
Penn Jillette: [00:27:41] There's always this weird argument that people who are working under heat or real cheating have some sort of more skill because the risks are higher. But that gets to be a very complicated mathematics because if you have someone doing a high-wire act up a hundred feet and you have someone doing the wire act that's up 4 feet, the tricks - the skill that the person working 4 feet are going to be exhibiting are going to be more amazing 'cause the risks are lower. You have to figure the risks in in order to get that.
Penn Jillette: [00:28:20] I have very strong feelings about this because this kind of thinking that happens in the cyber world happens so much in magic. We have people say, oh, I'm bringing back my friend. He did real pickpocketing and he went to jail. And you go, no, he's not better than what (laughter) we do.
Dave Bittner: [00:28:39] Oh, I see.
Penn Jillette: [00:28:40] He's not better at that. First of all, he went to jail. I don't mean to get too Trump-McCain on this. First of all, he went to jail, which means he's not that good. And second of all, the fact that someone is willing to cause damage to other people should not make us think that their skill is greater.
Raymond Teller: [00:28:58] Plus, when you see a magician, the magician has ahead of time said, I'm going to cheat you.
Dave Bittner: [00:29:04] Right.
Raymond Teller: [00:29:05] I'm going to do tricks. The person in real life hasn't said that. So you're on alert already when you see a magic trick. So the magic trick has to be better than the scam in real life.
Penn Jillette: [00:29:15] And I believe that goes directly into cyber stuff. I mean, I don't think we have any black hat people who are actually smarter and more skilled than the white hat people. I mean, there may be outliers. Certainly, there are some that are better than others. But, you know, the people that I know that are - you know, we knew Dennis Ritchie and Thompson and all - and Rob Pike and all the original Unix people...
Dave Bittner: [00:29:42] Right.
Penn Jillette: [00:29:43] ...At Bell Labs, and I've never seen, you know - or Shannon. We haven't seen a Shannon or a Rob Pike on the side of the bad. The reason they get elevated is because they are carving out the morality, you know?
Dave Bittner: [00:30:04] Yeah, it's interesting. I mean, I've often wondered, like, you know, to me, a close-up sleight of hand magician would never have to pay for a candy bar unless they wanted to, right?
Penn Jillette: [00:30:18] It's a different skill. It's a different skill.
Dave Bittner: [00:30:20] But you understand what I'm - I mean, my point that...
Penn Jillette: [00:30:23] The point is that you choose - no, everybody chooses.
Dave Bittner: [00:30:26] Right.
Penn Jillette: [00:30:27] You do not have to pay for a candy bar. I can assure you that you have been at a convenience store...
Dave Bittner: [00:30:34] Right.
Penn Jillette: [00:30:35] ...When someone wasn't watching you closely - that you could've stuck it in your pocket. There's no special skill to steal it. There really is no special skill to steal it. You know, most of your robberies are opportunist. The idea of the clever heist, the "Ocean's Eleven," is essentially a fiction. There's a few stories of very clever robberies, but those stories are - there's two dozen of them over the past hundred years. I mean, they're just not. There's the one with the dice being switched at a table on innocent people while something else is happening over there that's very, very clever. And that's something that happened in the late '60s that is still brought up as the one clever scam.
Dave Bittner: [00:31:24] Right.
Penn Jillette: [00:31:25] Mostly, it's people who are - most of your crimes are done by high, stupid, incompetent people who are willing to perpetrate violence on other people. I don't think there's any difference in the cyber world.
Dave Bittner: [00:31:41] Podcasting is an audio medium, obviously. You have your...
Penn Jillette: [00:31:45] Yup.
Dave Bittner: [00:31:45] ...Your podcast. Are you aware of any - of the existence of any audio-only magic tricks? Is magic a visual medium?
Penn Jillette: [00:31:55] Everybody's - there's a bunch. You know, there's - our mentor Johnny Thompson used to talk about radio tricks in a live show where the visual is there. We have tricks in our show that we hope you don't notice, but you aren't really seeing very much. You are counting on the audience reaction and our reaction and the way it happens there. And it's not actual close-ups of what's happening.
Penn Jillette: [00:32:28] Magic is, to me, an intellectual medium more than - when you're talking about pure illusion, which, to me, is the lowest form of magic, it's just something that looks one way instantly - you know, the stuff that is done with mirrors or optically - I think that's the least interesting kind of magic. The most interesting kind of magic, at one level or another, I believe, is psychological.
Penn Jillette: [00:32:54] So there have been OK audio-only magic tricks. They are harder, just like TV-only magic tricks are much harder because you really want to be in the room so that the rules of time and physics cannot be manipulated. The problem of magic on television is the most amazing magic trick we could ever do happens every 20 seconds on TV, which is a different point of view. If we could suddenly have you looking at us from over there, it would be the most phenomenal magic trick ever done, and yet, on TV - all the time.
Dave Bittner: [00:33:38] Right.
Penn Jillette: [00:33:39] On TV, you have "Avengers." You know, you have all that that's showing.
Dave Bittner: [00:33:42] Right.
Penn Jillette: [00:33:43] So audio has kind of that same problem. If we do a trick right here for people that you know and you understand that they are being honest and they are sincerely shocked, that's very different than somebody you don't know in an audio show. I would say it's not so much the difference between sound and light as it is the difference between immediacy and real in the room.
Dave Bittner: [00:34:08] All right, Joe, what do you think?
Joe Carrigan: [00:34:09] Well, a great interview. There's a lot of interesting things that Penn has to say in here. There is a risk to conning in person - a real risk - and that scamming online mitigates that risk.
Dave Bittner: [00:34:20] Right. You can be on the other side of the planet.
Joe Carrigan: [00:34:22] Right. I also find it interesting that three-card monte really is a dangerous game, it seems, right? And at the root of everything, we're still talking about a brute force situation. In a lot of my analysis work, I think brute force still has a very large role to play, particularly when it comes to cracking passwords. And what Penn was talking about when he was at a three-card monte game in England and he came very close to upfront and personal with the brute force nature of the game...
Dave Bittner: [00:34:47] Right.
Joe Carrigan: [00:34:48] These guys are not these elegant cheats. They're going to use brute force if they have to, right? It's available to them. One of the things he said was the scams typically come down to one thing, and that's the something for nothing.
Dave Bittner: [00:35:00] Right.
Joe Carrigan: [00:35:00] And it's hard to remember that because it's so seductive. That's absolutely true. It's very hard for us to keep that in mind - you know, that there's always something that you're going to have to pay if you want to get something.
Dave Bittner: [00:35:11] Right.
Joe Carrigan: [00:35:11] And I'm also glad to hear Penn's statement on victim blaming.
Dave Bittner: [00:35:14] Yeah.
Joe Carrigan: [00:35:15] You know, we shouldn't be blaming the victims. These people are victims of criminals who took advantage of them.
Dave Bittner: [00:35:19] Right.
Joe Carrigan: [00:35:20] His statement on these hackers not being the best and the brightest - you know, I have known some very, very, very good reverse engineers and pen testers. And invariably, those people have worked for legitimate companies that contract out with people to do this. And I agree. I think these people are actually better at what they do because they get to do it longer and more often for legitimate money. So even if you just look at this as a skills game, if you have the opportunity to repeatedly try to break into places because that's what you're contracted to do and you're not going to go to jail for that, then you're going to get better at it than anybody who does get caught.
Dave Bittner: [00:35:58] Yeah.
Joe Carrigan: [00:35:58] Right? 'Cause they're going to go to jail, and they're not going to get much better at it.
Dave Bittner: [00:36:01] Yeah. Interesting also how he pointed out, I think accurately, that this myth of the criminal mastermind - it's good for movies...
Joe Carrigan: [00:36:08] Right.
Dave Bittner: [00:36:08] ...And TV shows and so forth, but most of the time, in real life, that's not how it works.
Joe Carrigan: [00:36:12] That's not how it is.
Dave Bittner: [00:36:13] Yeah.
Joe Carrigan: [00:36:13] There are no Bond villains out there.
Dave Bittner: [00:36:15] Right.
Joe Carrigan: [00:36:16] They're all actually running their own companies. Like, maybe Jeff Bezos is a Bond villain...
Joe Carrigan: [00:36:21] ...Who figured out something that worked and legitimately went out and made billions, right?
Dave Bittner: [00:36:24] Right.
Joe Carrigan: [00:36:25] When you guys were talking about stealing the candy bar, that made me think of something. You know, we all play by the rules because we know it's better if everyone does, right? We are part of this unwritten social contract that, you know, if I know that if I continually go into a store and shoplift, even if I don't get caught, it's going to make it harder for that store to do business.
Dave Bittner: [00:36:45] Yeah.
Joe Carrigan: [00:36:45] And then that store may not be there. It's also going to make items more expensive for people. And there's a whole list of reasons why you don't do it. But in high-crime areas, stores just don't go in there because they can't operate and make a profit.
Dave Bittner: [00:36:58] Yeah. So again, thanks so much to Penn & Teller for taking the time for us. They were very generous. Also, a special thanks to our producer Jennifer Eiben for making it happen. She did a lot of work behind the scenes to coordinate that interview. And I have to say it was a real thrill for me to get to spend time with them. Big fan of Penn & Teller for a long time.
Dave Bittner: [00:37:16] Well, that is our show. We want to thank all of you for listening.
Dave Bittner: [00:37:19] And, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:37:42] The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:37:55] And I'm Joe Carrigan.
Dave Bittner: [00:37:56] Thanks for listening.