Beau:
I got a call today from a friend of mine who said that he was unhackable. And I was like, “Well, you’ve used the same passwords anywhere?” He was like, “Nope.” He kept prodding me. And so, I said, “Well, sure.” And I told him how, which is what, Travis, my nightmare, which is… I said, “Do you have a SIM code set up on your phone?” And he said, “No.” Well, the SIM pin code is the way in, right, Travis?
Travis:
Yep. That’d probably be the easiest way to do it, I would say.
Beau:
Which is how we got control of Adam’s phone, which is why he’s so quiet right now because he can’t get the sound on.
Adam:
I figured, once I did the 0000, I said, “Maybe that wasn’t such a good idea.”
Beau:
No, but that’s the thing that’s so interesting about it. When I talked to him today, I have just gotten a new phone, and I realized that I hadn’t set up the SIM card pin on this new phone. And then I had forgotten what the Verizon default pin was. You know what it is?
Adam:
1111?
Beau:
Yep.
Adam:
No.
Beau:
Mm-hmm. And do you know what… Travis will like this one. And when I first set up my SIM card pin code back in the day, I put in 1111, and I was using the default pin code for six months until I realized I had to reset it.
Travis:
Yeah. That’s not a great idea.
Beau:
Yeah.
Adam:
That was when you were young and impressionable.
Beau:
That was last year, Adam. I don’t know how young I was.
Adam:
No one is unhackable.
Beau:
Yes. Anyone who thinks they can’t be hacked is whistling in the dark. If you whistle in the dark, you’re much easier to find for apex predators.
Adam:
Have you ever whistled in the dark?
Beau:
Yeah. I whistle in the dark all the time to tell the apex predators to leave me alone, but I have a big whistle and that makes me-
Adam:
Oh, you are the guy that’s been whistling at night. Welcome to What the Hack, a show about hackers, scammers and the people they go after. I’m Adam, Cyber Raccoon.
Beau:
I’m Beau, Cyber Flee.
Travis:
I’m Travis, Cyber Trash Panda.
Beau:
It’s the same thing, Travis.
Travis:
With a little bit of extra style.
Adam:
Today, we’re talking with information security executive, social scientist, and poker wizard, Tarah Wheeler. I want to welcome a friend Tarah Wheeler on the show. We actually met a few years ago, but just a few, at a class at American University, and she dazzled me. I just said, incredibly impressive, brilliant, funny, insightful, cybersecurity wizard, I need to have this person on our show. Here we are. We have her on the show and this is very exciting.
Tarah Wheeler:
It’s a real joy to be here. Thank you so very much.
Adam:
Welcome. Welcome. Tarah, where are you coming to us from right now?
Tarah Wheeler:
I’m coming to you from Seattle, Washington, land of, believe it or not, beautiful weather and a couple of distant forest fires. So gorgeous sunsets, and if I sneeze once or twice, it’s me, it’s not the cat.
Adam:
And a good football team, may I say.
Tarah Wheeler:
So, if we’re going to talk about Russell Wilson, then we need to have a whole different conversation right now. I’ve got some corn nuts downstairs and I definitely need to have more beer to begin the conversation. But if I could just say that, I think Seattle’s decision making process has been very fine tuned over the last three to four years. I’m not hating the path the team is taking right now, which is something I think many people throughout their lives of being a Seahawks fan cannot really say over the course of multiple years at a time, but I’m pretty okay with it.
Adam:
This is very true. This is very true. I was very surprised at the recent game where it came out a little differently than all of us thought, so I was pretty, pretty impressed. So anyway-
Tarah Wheeler:
Back to nerd-ery, continue.
Adam:
It was a fascinating class at American University, and one of the things that you were talking about that was just great was about all of the work that you put in to advancing women in cybersecurity; because let’s face it, there aren’t enough women in cyber security. You’ve written a book about this, I believe too, right?
Tarah Wheeler:
It’s somewhere back there, if I’ve got the right thumb right. I’ve had so much time to think about this. There’s two things I think about when I think about trying to get more women in cyber security. First, everything I said six years ago is still true, unfortunately. And second, I’ve said a lot, I think at this point. It isn’t purely about the idea that there’s not enough of one kind of person in cybersecurity. It’s that every single differently perspected mind that we bring into this field gives us a new way to solve problems; and closing ourselves down to the opportunity to listen to and learn from new people makes cybersecurity actively a worse field to be in. And sometimes it’s not a pleasant experience to make your mind stretch enough to encompass someone else’s experiences, but I’ve never regretted having my mind stretched out to understand a new perspective.
And it’s always given me a way to see things differently. So, it’s about welcoming everyone, not a specific kind of person, but understanding that some kinds of people are less welcome in the industry. I’d like to see that change over time. We’re starting to change that a little bit in the entry levels of cybersecurity. The truth is that at the senior and executive levels, the numbers have gone down over the last five to 10 years, and why that’s been happening? I mean, we’ve all got our war stories at this point, but I think the key thing here is welcoming those new perspectives and understanding that they help us solve problems differently and better.
Beau:
Can you give us an example of a success story of recruiting people who really should be in cybersecurity and are making a huge difference?
Tarah Wheeler:
I actually recently hired a customer success specialist and she never worked in cybersecurity before. I thought about her, as we were sitting here going, “Who are we going to get to start working on customer journeys in cybersecurity?” And I said, “I know somebody from outside the field who will be just a junkyard dog on sales, but also who can connect to people, who understands them, who will talk to them, and listen to them.” And I brought her into this field and thought to myself, “This was a good hire.” Totally from outside the industry.
Adam:
What is your field?
Tarah Wheeler:
Technically, I’m what is known as an offensive security researcher. That’s where my skillset is located.
Beau:
Offensive, offensive?
Tarah Wheeler:
And offensive information security researcher. Not strategy.
Beau:
Ooh, I love it.
Tarah Wheeler:
I break into computers. That’s my specialty and my certifications, my stuff that I do, the awards that I’ve got. And the scary thing here is not that that’s what I do and my technical skill set. The scary thing is not that I know how to do that. The scary thing is that I’m not very good compared to most of the people I know in the field. I’m a good, bad hacker, but I know good hackers. Deeply skilled people who are capable and competent in thinking about systems. I love taking puzzles apart and learning. So, it’s a great place to be in terms of a technical specialty.
I like finding ways to automate exploration, and that’s what led me into a lot of the work that I do now involving things like helping people understand their cybersecurity situation, automating tasks that don’t make sense for human beings to do when computers can do them faster and better, but also just asking human questions about information security. The hacker mindset approaches problems orthogonally. We don’t see stuff straight on, and that is something deeply needed in this world where we’re stove piped so much.
Adam:
When you look at the cybersecurity landscape, are there any particular people that you say, “Wow, I mean, that is a lion, a Greek god, a Greek goddess. Anyone like that?”
Tarah Wheeler:
Oh yeah. Just this morning. I was sitting up straight in my chair, listening to Mudge give his testimony in front of Congress. I don’t know if you ever had a chance to listen to that, but that was today, at least as we’re recording this now. So, I was listening to Mudge today, give that testimony, and he makes me proud to be in this industry. He is a flag-waving patriot, and he did something that was incredibly hard and personally expensive, and he gave up money and power to do the right thing. I’m honored to know him, and I’m glad that there are people like that in our industry who prioritize keeping people safe over well, let’s just say, incentives.
Adam:
So, for the benefit of our listening audience, explain who that is, who you were referring to?
Beau:
That’s the Twitter guy, right?
Tarah Wheeler:
Peiter Zatko.
Peiter Zatko:
My name is Peiter Zatko, but I’m more often referred to by my online handle as Mudge.
Tarah Wheeler:
His hacker handle is Mudge. He is someone who spent 30 years keeping people safe in and out of government, as originally a member of a hacker collective known as L0pht in Boston.
Peiter Zatko:
I appear before you today to answer questions about information I submitted in written disclosures about cybersecurity concerns I observed while working at Twitter.
Tarah Wheeler:
He comes out of a tradition of as ethically and as coordinated a fashion as possible revealing vulnerabilities to the public and forcing companies to fix things when people aren’t safe as a result of those choices.
Peiter Zatko:
For 30 years, my mission has been to make the world better by making it more secure.
Tarah Wheeler:
He ran programs at DARPA where he was the person who helped issue small grants and bring people who could solve technical problems into government to solve those problems for the US. And then, spent some quality time upgrading security systems and running security programs at some major US companies like Stripe. Then became the chief security officer at Twitter in 2020, and was there to start addressing some of the major security issues at Twitter. It looks very much from the testimony that he’s given, from the things that we’ve now heard in multiple serious stories, that there were some requests made of him and some pressures placed upon him to do unethical things, and to hide the severity of some of the lack of compliance with prior FTC directives and US directives, as well as some requests to flatly commit felonies.
Peiter Zatko:
What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company’s cyber security failures make it vulnerable to exploitation causing real harm to real people.
Beau:
Well, but he was also just ignored, roundly ignored by this top brass. No?
Tarah Wheeler:
I would say he was ignored, and when he wouldn’t be ignored anymore, he was told to shut up. And when he wouldn’t shut up… And so, I admire that.
Beau:
They invited an inconvenient truth factory into their midst. And then, they didn’t like the inconvenient truths that he had to tell them.
Tarah Wheeler:
Exactly. This was that moment so many of us spent this morning watching this going, “This is all of the times that we were never allowed to say what was actually happening.” Where our contracts kept us silent, where a fear of prosecution or litigation kept us quiet for the sake of our families, instead of telling what was actually happening inside companies. All the times anyone’s ever been silenced because they brought up an inconvenient truth about internal information security, we’re watching this just popcorn.
Beau:
So, you mentioned that you think a lot about how to automate security, or put another way, maybe how to build in processes or checklists to mitigate risks. For our listeners, do you have any stories or advice or things a layperson can do to add these systems to their own life? I just had a friend of mine say, “Can I get hacked? I do everything right.” And I was like, “Yeah, I could pay a guy to swap your SIM card.” So, what do you say?
Adam:
Or we could give Tarah your email address too. Right?
Beau:
Tarah’s already moving my mouse around. It’s fine.
Tarah Wheeler:
The truth is, is that most of the issues in security really aren’t about me sneaking into your computer or installing something. Or if I did, it’s because I engaged in some way with you. It’s likely that there was some element of human contact at this point that made that possible, and it might have happened in a way that people didn’t understand. It might have been a shared password. It might have been a conversation with someone. It might have been downloaded data from a breach, but it is truly about people. And it comes home to us when you say that your friend said, “Can I get hacked? I do everything right.” And the answer is, if you drive perfectly, can you guarantee that you’ll never get into a car accident? Right? That’s the question.
Beau:
No, of course not.
Travis:
It comes down to the basic reality that accidents can and will happen. So what does your plan look like for avoiding them as best as you can and dealing with them when they do?
Tarah Wheeler:
Right.
Travis:
I believe you’re an advocate of checklists, right?
Tarah Wheeler:
I am. And so, you can have external failures. You can have someone else crash into you. You can have something go wrong with the car. There’s no way to encapsulate everything that can go wrong. But what checklists are there for is to make sure that you, as a person, don’t miss something that you should remember, because human brains can’t remember everything all the time. It’s literally why we have databases and computers. You can’t do everything with your brain. You need an exo-cortex. Like who even remembers phone numbers anymore? So, the questions that I get about how do I keep myself safe, often look like making sure that you followed a simple set of steps to check in with yourself about what feels safe. Now, the reason this matters to me is not just because I have parents and I get phone calls from my parents as all of us do, “Hey, I just got this odd phone call. I hung up. Was that the right thing to do?”
And the answer is always, “Yes, it is the right thing to do. I don’t care if it’s me, hang up.” I’m probably not going to be on the phone with you anyway. So, the answer is, there’s a way to check in with yourself using a checklist where you say… The greatest question I’ve heard someone use is, if someone was saying all of this stuff to you, that you’re seeing in this email or getting on a phone call, if they just walked up to you, randomly in the grocery store and said the exact same stuff, would you do it then? And if the answer is, “Oh, that’s kind of odd. That’s a little weird. I don’t think I would.” Right? And if that’s on your checklist, then you’ve got an excellent first step to figuring out if you should do the thing that someone’s asking you to do.
Beau:
So let’s rephrase. The checklist is, if you were in a supermarket and someone said, “Hey, can I have the password to your Facebook account?”
Tarah Wheeler:
Your Facebook account. Yeah, just randomly, “Hey, I am Jake and I live one town over and I’m calling to do an IT check with you.” And if somebody showed up in a grocery store and asked you all of this stuff, would you do it? And all of a sudden you see the lights go on in people’s minds. They’re like, “Oh, it’d be super weird if somebody did that.” I was like, “If it’s weird in person, it’s probably weird on the internet too.” It’s just weirder at scale. Yeah.
Adam:
They had a commercial on a couple years ago from the postal inspection service, and they had a guy who was dressed up. It looked very loyally. Briefcase, sits down next to a woman who’s just on a bus, and starts talking about the royal family that he’s representing that has chosen you to be the recipient of their millions that they’re getting out of the country. And the woman gives him a strange look, stands up and walks away. And the voiceover was, “If someone were to say this to you in person, you would walk away. Why do you buy it simply because it’s online?”
Tarah Wheeler:
Well, when we do this, when we fall for scams like this, one of the biggest problems is that we’re ashamed to be human. You know what? I have a humiliating story. I’m going to tell you a humiliating story about me.
Beau:
Awesome.
Adam:
We love humiliating stories.
Tarah Wheeler:
I was an idiot.
Adam:
We live them on a daily basis.
Tarah Wheeler:
Oh, it’s gross.
Beau:
I am a humiliating story.
Tarah Wheeler:
And this has to do not only with a checklist, but with how you can make a mistake and just be face palming at your own idiocy, but you still have to deal with the consequences because everyone does, if they’re scammed. Right? So, I’m a fairly competent human being in information security, and I was once hired to run the internal offensive security for a company. My boss was kind of the head honcho of all the security folk. I’m being as unspecific as possible here, but it was a big responsibility. I was one of the people who was in charge of testing internal systems. And so, the first week I was hired to go do this, I show up on site, great week talking to people. We start getting some policies and practices in place. I meet with the person who’s hired me on Friday before I’m going to get on a plane and leave again.
We sit down, we’re having that last cup of coffee, have a sandwich across the street at the restaurant. And I said, “Great. It’s so wonderful. Having a great time. Let’s get this show on the road. Wonderful.” I get to the airport and I’m at Norman Mineta Airport, San Jose Airport. I’m still not being specific because there’s 80 zillion tech companies in a four mile radius of it. But I get to San Jose Airport and I start following my checklist. When I leave a location like that, I check to make sure, is my driver’s license in the correct location? Do I have my phone fully charged? Is the cord in the right location? My setup for the next time I come down here? Is the front pack of my backpack ready to go with all of the things that I’m going to need?
My passport, my work badge… At which point I stopped and went, “Where’s my work badge?” And I stopped and I looked again, and I set my pack down on the bench and I looked again, and then in the middle of the concourse sitting on the Mineta, I took everything out of my backpack and I laid it down and it looked like it was a reveal video on YouTube. I had everything laid out. I mean, we’re talking lady products and lipstick and extra clothing and books and technology scattered all over as neatly as I… The badge is gone, completely gone. And I realize, I think what has happened, and I have lost my internal badge to get into the most sensitive areas of this company.
My first week, when it is my job to keep the company safe, and I have to call my boss and tell him that I’ve lost my badge. I called him and I got his voicemail and it’s like 20 minutes since I’ve been sitting in the restaurant across the street. And I was like, “I have to tell you what just happened,” and I was near tears, honestly. This was incredibly humiliating. And I was like, “I think I know what happened. I’m going to solve the problem. I’ll get right back with you.” I call the restaurant and my badge is under the table in the bar, in the restaurant across the street. Now a couple of things-
Beau:
But do you have to… Now at that point with your badge being in the wind for a little while, do they all need to be replaced?
Tarah Wheeler:
So, that’s the interesting question. Nobody knew, because what I didn’t know was where to report this. I found the badge and I could have just asked somebody to step across the street and just go set it on my desk or drop it in the envelope, but here’s the problem. I don’t know what’s happened to that badge in the meantime. I don’t know if someone’s picked it up, if they’ve cloned it? It’s a simple RFID badge. So it’s now my job… I have to do this. I have to report it to security and say, “Look, this happened, I don’t know what happened. You should probably shut my badge down in the interim and take a look at the logs and see if anything happened to it.” And the problem was there was no place to report it, so-
Beau:
Well, you should have just reported it to yourself. That buck could have stopped there.
Tarah Wheeler:
That’s a tempting thing and I thought about it. I did.
Beau:
It’s a bad idea.
Tarah Wheeler:
The answer was-
Beau:
In cyber it’s a horrible idea.
Tarah Wheeler:
It is. And what ended up happening was by three days after that, the company had a new policy and process for what to do and how to get your badge shut down when you know where it is, but you don’t have your hands on it, because there was no process for that ever before. There were thousands of employees in this company and no one had thought to create this process yet. There was a new alias to report it to, and there was a way to log this having happened, as well as a freebie for the first three times you did it and followed the process. Right?
Adam:
Well see, out of the ashes of this came a new policy, which is a good thing.
Beau:
Well, and out of that… This is sort of the Brandeis quote that the best disinfectant is sunlight. And especially in cyber, transparency is the name of the game, right?
Tarah Wheeler:
Yeah. It’s not the crime, it’s the coverup. And if you take this moment, there’s two things. First, if I had not followed my checklist, I wouldn’t have seen it wasn’t there, and it wouldn’t have been 20 minutes, it could have been five hours. It could have been swept up in the trash. It could have been picked up by someone in that restaurant with my name and picture and company on it, across the street that would’ve booped anybody into the building.
Adam:
Here’s the interesting thing. You’ve made a lot of analogies to flight and pilot and checklists. Is it really that complicated?
Tarah Wheeler:
The reason a checklist exists is to trigger your mind to solve a problem systematically, to cover as many things as you can. And a checklist in absence of understanding why that thing exists, is meaningless. Here, let me give you an example. Okay. Hang on. Here, excellent one. Okay. So I’m a Cessna pilot. This is a Cessna 172 and it’s a carbureted plane. See these red things that are on here, all these red items over here? Right?
Beau:
Yeah. That’s where Jesus talks.
Tarah Wheeler:
It’s definitely where Jesus talks. These are the memory items for emergency actions in flight. It’s not a question of whether or not you can just follow the checklist. You have to understand why this is happening. When this says something like, “Vents cabin, heat and air off,” the reason you’re doing that is to prevent smoke from entering the cabin. And the reason that you would open the vents cabin and fire and heat, if the fire is out, is because you’re trying to get oxygen back into the cabin again. If you don’t understand why that’s happening and you just mechanically do it in a row, you’re not actually solving the problem of you being safe and extinguishing a fire in flight. What you’re doing is just flipping switches.
Adam:
For our listeners, they should know that you were holding up a laminated card that had a lot of writing on it. But again, this writing is critical to your safety.
Tarah Wheeler:
Yes.
Adam:
So therefore it’s important to… It’s almost like in the scene from the new Top Gun Maverick-
Tarah Wheeler:
Oh, love it.
Adam:
… with the book talking about the F14. And he goes, “Well, you already know everything in this book.” So he throws it in the trashcan and the admiral almost has a heart attack because oftentimes it’s not about what’s in the book. It’s about how much do you remember is in the book, how you interpret it, and an in-depth understanding, not just memorizing, but understanding what it is, why and what?
Tarah Wheeler:
Yes.
Beau:
Yeah. So the checklist is sort of… It’s nuanced, but it is the complications we’re talking about when you say, “Is it really that complicated?” The complicated part is life.
Tarah Wheeler:
Yeah.
Beau:
Life is happening. You’re somewhere, you drop your badge, a bird flies across your path. That’s the complication. So the checklist is like, “I’m leaving the house, I have a caterwauling cat, a dog that wants to eat the cat, a child that’s hungry, and an appointment I’m late for. Do I have everything?” A checklist comes in handy.
Tarah Wheeler:
Mm-hmm. It’s not just that it comes in handy. It’s that we trick ourselves into thinking we’ve done what we need to do. A checklist gives us that moment and that excuse to do not only the right thing, but to step back and say, “I think I did everything right. I’m just going to go and make sure.” If you have those checklist items for yourself, when it comes to things like cyber scams, things like if someone said this to me in a grocery store, would I think it’s a good idea? Am I about to be talked into revealing something that I’ve been told never to give over the phone? The two factor code that was just sent to me in a text message. Someone calls me up and says, “Can you just read that off to me?” If you’ve been told-
Adam:
Oh yeah, yeah.
Tarah Wheeler:
… that you’re not supposed to do that, but somehow you think it’s a good idea this time. And you look at your checklist and it may just be a two item checklist, nothing other than, “Don’t talk to strange people on the phone, and if I think this was a bad idea in person, I probably shouldn’t click yes in an email either.” That’s going to save you from 90% of what’s wrong in the world, honestly, on the internet. And if you look at that, and you’re like, “Oh, I want to make an exception to that, just this one time.” Just ask yourself this question, make the third thing on your checklist, to stop doing this thing right now, get a call back or get a check from someone else, and just don’t do it for 15 minutes. Just don’t do it for 15 minutes. Get off the call, revisit it in 15 minutes.
If you still think it’s a great idea in 15 minutes from now, after having talked to somebody who’s a smart person who’s there with you, if you’ve got just some check… Stop and ask yourself, if someone’s trying to make you do this, and you say, “I just want 15 minutes to think about it,” and they say, “Oh no, I need it right now,” that should be a giant warning sign. That is a screaming alarm.
Beau:
We’ve got to do a pause.
Tarah Wheeler:
Exactly.
Beau:
Pause.
Tarah Wheeler:
Yeah. Yeah. There’s nothing that has to get done that fast, honestly.
Adam:
And again, this is not a metaphorical checklist. This is a well thought out, adapting, evolving list. That said, does this help us not be tricked by threat actors?
Tarah Wheeler:
No. No, it doesn’t. I mean, it helps you stop yourself from most attacks, but nothing ever stops everything. You must accept that sometimes you will lose. Sometimes you’ll be hacked. I will lose. I have been hacked, repeatedly. The answer is that a lot of the stuff I’ve learned, I had to learn the very hard way. It’s kind of funny, I do a lot of this stuff that it seems kind of cool, right? The hacking things, flying planes, riding motorcycles, playing poker. I do a lot of this stuff but the truth is that almost everything I’m doing-
Adam:
It’s such a boring, calm life.
Tarah Wheeler:
But it is though. That’s the point. Half of what I’m doing is filling out safety equipment checks, or I’m sitting there counting and doing odds calculations in my head. Almost everything I’m doing is actually just-
Beau:
Counting cards, Tarah?
Tarah Wheeler:
I said, “Counting odds.” I did not say counting cards. Not that-
Beau:
Oh, sorry. Sorry. Apologies.
Tarah Wheeler:
And that’s for Blackjack anyway.
Beau:
I see a future of you getting kicked out of-
Adam:
Beau, Beau, Beau, Beau.
Travis:
[inaudible 00:27:27] card counting person.
Tarah Wheeler:
That’s for Blackjack. Card counting in poker is not only expected, it’s an advantage, because you should know how many cards are in the deck. You should understand how many outs you have coming up. You should be able to make guesses about what someone else has and then do your math.
Beau:
I can’t count, Tarah. I should not do any of these things.
Adam:
I make lots of guesses when I play poker, which is how much am I going to lose, how fast? That’s basically my big guess.
Tarah Wheeler:
But that’s it right there. You understand I think intellectually… People understand intellectually that they’re going to win some and lose some in poker. And that the idea is that over time you make a series of small decisions that incrementally over time, not only improve, but lead to a slight winning edge. And people who like that, who like the stringent, mental discipline of making small correct decisions, even when they don’t pay off in that moment, and can then step to the next decision and still make a good one, when they’re angry or frustrated over the outcome of the previous one, that’s what makes a poker player. That’s what makes somebody who makes small, good decisions over time. Right?
It’s not supposed to be exciting. A lot of this stuff is not supposed to be exciting. It’s supposed to be… It’s been romanticized, but the truth is you cannot solve for everything. You’re going to lose in poker. You’re going to fall over on your motorcycle. Something’s going to go wrong in a plane. You’re going to get hacked. And the question is just, have you mitigated as much as you can, have you made the checks on yourself that make you as safe as you can, and then, my God, go live your life. Go buy some clothes on the internet, just check for as much of the safety stuff as we’ve taught you about as possible. Go live. You can’t solve everything.
Beau:
But when you do buy that stuff online that you are looking at, don’t just look at the transaction alert for that purchase. Look at the ones that come right after it, when the person at the counter stole your credit card number, because it counts as a hack.
Tarah Wheeler:
It does, yeah.
Beau:
We’re constantly under siege and you’re right, because of that, there’s two things you can do. You can be a nervous wreck or you can just accept it as natural as leaves falling from the trees and all.
Tarah Wheeler:
It is.
Adam:
Well, I think also, and I think Tarah can say this too, because we both have been involved in advising companies, my former company, that’s a lot of what they did. And it’s all about the fact that, look, at the end of the day, you can do everything right, but if somebody’s on the wrong list at the wrong moment, the wrong person gains access, or somebody clicks the wrong link, something’s going to happen. So it’s not an issue of if it’s going to happen, it’s what have you done so that you can respond empathetically, urgently, transparently? Your defining moment is yes, there is step one, which is how well do you protect the data? How well do you protect things that you have in certain ways, a responsibility to protect? But the second thing, the defining moment is, when the wrong thing happens, how do you respond?
Tarah Wheeler:
Yes.
Adam:
And that’s what changes something from a bad and unpleasant experience to a near extinction level event.
Tarah Wheeler:
Yes.
Beau:
Yeah. Damage control. Right?
Travis:
Right.
Adam:
Yes. And that’s why checklists are… Just like when we say to people, “Update, upgrade and backup.” Backup means yes, you could become a victim, your company, of a ransomware attack, but the question is how robust are your systems and how fast can you get back up and run again?
Tarah Wheeler:
People who think that what’s happening on the internet, the idea of crime and fraud happening on the internet, isn’t real, are the same kind of people who would be appalled at the idea of committing mail fraud, or calling someone up and trying to trick them out of their life savings, or running a psychic scam, or something along those lines. Fraud is fraud. It doesn’t matter if it’s happening via a mailbox, via a telegram, via a phone or an in person conversation at a bar, or via email. These are old human crimes, just given a new pathway to your door. That’s it. And so, convincing people that if you had the sense to understand fraud, when you were 20, Mom, Dad, if you had the sense to understand what fraud looks like then, just apply those same rules to what you’re seeing here. You don’t get to skip out on the responsibility you have to protect yourself because you think the internet’s not real. I’m dealing with some of my own issues right now. Anyway.
Adam:
Well, but every parent tells their kid, “Don’t talk to strangers. Don’t talk to strangers,” and yet, with the internet, all of a sudden it’s stranger? That’s not a stranger. That person shares my interests. They’re not strange unless I’m strange, and people just have a tendency to-
Beau:
You are strange.
Tarah Wheeler:
People say, people are strange and you’re stranger.
Beau:
The other thing is those strangers, the ones that are hackers, they’re grooming you. They can take their time. Not much-
Tarah Wheeler:
I wouldn’t use the word-
Beau:
I know it’s a hit and run for the most part-
Tarah Wheeler:
I wouldn’t use the word because it’s so loaded at this point. Don’t use the word.
Beau:
So how would you put it? I’m fine with that. I won’t use it again.
Tarah Wheeler:
It’s a con. It’s literally a con. Yeah. I mean, it’s-
Beau:
No, but it’s a con, but what about the setup where they’re like, “Oh Tarah, I also like to wear that color red lipstick, and I also like to wear pearls. What a coincidence. We should be best friends.”
Adam:
And you should see Bo in red lipstick. He looks great.
Beau:
I look-
Travis:
He really does.
Beau:
Don’t look… I don’t know. Excuse me, look at this guys. Everyone take a look. I have no lips. Don’t have any lips. None.
Tarah Wheeler:
There’s a couple of great resources out there. We don’t have to call it grooming. We already have the words for fraud and for con artistry, right? What is it, putting up the mark, playing the con, roping the mark, tell the tale-
Beau:
Okay.
Tarah Wheeler:
… convincer, breakdown, put them on the send, I think it’s something, something… And a blow off at the end. Right? We already have these words and patterns for what exists in a con; same thing happens. The exact same thing happens.
Beau:
Can you take us through that again, Tarah? Take us through it one more time.
Tarah Wheeler:
So we’ve got foundation work, approach, build up, payoff or convincer, the hurrah, the in and in, and then you’d include the blow off at the end. Right?
Beau:
So this is way better than grooming, way better.
Tarah Wheeler:
It’s the breakdown of how you trick somebody and if [inaudible 00:33:56], that’s the checklist.
Beau:
That’s the checklist.
Tarah Wheeler:
Right? There’s a checklist for crime. And so, when you do this, you’re following a process all the way through and you’re ensuring that you’ve followed each of the stages because you’re taking someone through an emotional journey. You take someone through an emotional journey, you bring them along with you and you trade resources; which to them, you’re tricking them into thinking the resource you are giving them is as valued as the one they’re giving you. And by the end of that journey, they’ve experienced an emotional journey with a payoff at the end, that is negative for them and a financial one that’s positive for you. This is a checklist for how you do this. And a skilled con artist doesn’t need to sit here with a checklist every single time, and did I do all of these things?
They know these things, but they may stop and sit back and ask themselves, are they succeeding? Did they skip any steps? Do they need to think about anything? Build anything up a little bit more? And the higher the value of the target, the more worthwhile it is to follow your process and get it right. An artist will understand how much time to spend on each, what it means when you move to the next stage, what the greatest amount of benefit at each one of those stages is. That’s an artist, that’s someone skilled in something. And that’s why I say, you have to remember that somebody who is a hacker is not necessarily a computer criminal. It’s a set of skills. You can use them for good or ill. I am a hacker and a huge part of being a hacker is being a curious person who looks at things differently. That doesn’t necessarily mean I have ethics.
I like to think I do. Well, I like to think I’ve grown into some ethics over time. I didn’t have them when I was a kid. How do you think I learned a lot of this stuff? But by the time I got here, I started realizing that this is about a set of skills that you can use. And I don’t know what they tell you, but the greatest shepherd is not a sheep dog. It is a reformed wolf.
Adam:
Hey, this is great. So one other question, and that is for those who want to find you or find out more about you, or find out where to find your next poker game, where do they go?
Tarah Wheeler:
Well, you can find my company at rqdn.io. You can find me on Twitter at Tarah, and we got our Twitter handle up on there as well. Where you can find me at the next poker game, looking about a month or so, I’ll probably be at the Bellagio or the Aria. And then next May-June come find me at the World Series of Poker. I’ll be playing there with dad again. He and I go every year. He’s a poker pro. But no, I look forward to hearing from folks, please reach out at any time. It’s a great chance to be here and wow, guys, it’s been an amazing experience. Thank you so much.
Travis:
Thank you.
Adam:
Thank you so much for joining us. This was awesome.
Beau:
So, Mudge, Mudge, Mudgi-de-mudge. If you look at him from years past, he really looked the part. Now he looks just like a suit, but he definitely sounds the part still. What the hell is Twitter thinking, hiring somebody who was like… This is like Rocky I, when Apollo Creed is fighting Rocky and his manager goes, “He thinks this is a fight. He’s going to try and beat you up.” Yeah. I mean, they invited a guy into the house who was not going to look the other way, and now they’re living with the results of that.
Adam:
What happens is that you think you’re getting a show horse and you don’t realize you’re getting something far more than that.
Travis:
Yeah. I think that’s the thing I just find to be so baffling about it, is why would you hire someone with his level of expertise if you’re not going to be hanging on his every word?
Beau:
No, they did it… Come on, it’s window dressing. They did it so they could brag about doing it.
Adam:
Yeah. And unfortunately be careful what you wish for. Especially when you get somebody who believes in doing the right thing.
Beau:
Well, yeah. He was like, “Oh, I have an idea. I’m going to do my job.” That was not what they were looking for, I guess.
Adam:
Ah, see, do your job. That’s a… Yeah. It’s an interesting concept.
Beau:
Yeah.
Adam:
Now they’ve got a problem. Big problem.
Beau:
Do we have a tin foil swan this week?
Travis:
Yep.
Beau:
What is the tin foil swan?
Adam:
The tin foil swan is our paranoid takeaway that’ll help keep you safe online.
Beau:
So this week it has come to my attention, and I brought it up earlier, that people do not know how to set their SIM card pins. Now, Apple just announced that their latest phones, which Steve Jobs’s daughter announced with a picture of a middle-aged guy wearing a shirt, being gifted the same shirt, and she said like, “There’s no difference.” There is a difference and there’s a major difference. And that difference is, the SIM cards will no longer be physical cards, and that’s great because they can’t be swapped out. But most of us don’t have that phone, most of us are still dealing with the dangers of SIM swapping.
Travis:
You can protect your phone from SIM jacking attacks by assigning a pin number to it. And so, that means every time you start your device or remove the SIM card, your SIM card will automatically be locked. So it’s just an extra little method of protecting your phone and your cellular data.
Beau:
Okay, and Adam, why should we be worried about SIM swapping attacks? What’s the big deal?
Adam:
Someone can steal your phone number.
Beau:
Okay.
Adam:
That’s really it. That means they get your texts, they get your phone calls, and in particular, get your two-factor authentication. They get the keys to the castle. They get the keys to the kingdom. They get the keys to any particular part of your life, because most people think of the social security number as the skeleton key. The truth is, your cell phone number has become the skeleton key because everybody has it.
Beau:
All right, so real quick, here’s what you do. If you’re using an iPhone and you want to protect your SIM card, you just go to settings, go to cellular, then you will see under cellular your SIM card pin. Click on it, if you haven’t set it up, it’s going to ask you for the default SIM card pin, which you can find online. If it’s Verizon, that default pin code is 1111. I know that because I just set mine up on my new phone. Now, once you do that, it’ll ask you to set up a new pin code. Set that up. It’ll ask you to confirm it, confirm it. Don’t forget it, because you’re going to need it every time you open your phone and that’s how you do it on an iPhone. Travis, how do you do it on an Android phone?
Travis:
There are a bunch of different types of Android devices, but for the most part what it is, is you just go to the settings on your phone, and then tap on security. And once you’re there, you go down to advanced, and you’ll see something that says SIM card lock. And from there, it’s pretty much the same process as it is with an iPhone. You enter in the default pin code, then you set your own, and then try not to forget it. If you’re trying to guess it, just keep in mind though that if you enter it incorrectly three separate times, it will lock your phone down. So you need to be careful when you’re setting it.
Beau:
Yeah, and if you do that, you’re going to have to go to the actual store and have them reset it.
Travis:
Right.
Beau:
So, just try to avoid that one.
Adam:
And there’s this week’s tin foil swan.
Beau:
If you like the show, we hope you’ll rate and review, it does help people find it, and we are always looking for new listeners. If you have a story you want to tell on the show, we’d love to hear it, and you can get to us through Adamlevin.com. That’s A-D-A-M-L-E-V-I-N dot com. And there’s a banner that says, “Have a story, tell a story,” something like that. Click, tell, come, talk. It’ll be great. Thanks so much.