This Week on What the Hack: The Death of Privacy

Data as duh-duh. It’s all out there—indexed, sold, and weaponized. Open source intelligence turns public records into a hacker’s playground, your LinkedIn profile is dangerous, but you can still claw back a little privacy before it’s gone for good.

Episode 248

Ep. 248: “Open Source Intelligence and the Death of Obscurity”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander

CLIP: It should be here. Harry, it’s got your name on it.

Beau: Yeah, it’s got your name on it. So, Harry Potter, the Order of the Phoenix was published in 2003, the book anyway. It was seven months before what’s now called Facebook went live from a Harvard dormitory. That was the beginning of everything migrating online.

Social Network Clip: We lived on farms and then we lived in cities, and now we’re going to live on the internet.

Beau: That was Sean Parker being all prophetic in the Social Network. Now, think back to the birth of the internet as we know it, not the boring version invented by Tim Berners-Lee. You know, this is way before ancestry.com and Spokeo and other data brokers. If you wanted to find out something about someone, where they lived or if they had a fishing license or who they were married to, you had to put in some work, legwork, like drive to a town hall or find a clerk, dig through a box. The information was technically public, but it was protected by something that folks in privacy call practical obscurity. Because practically, it’s pretty obscure and hard to find stuff, and that keeps people safe.

Glen: The ability to find this information changed dramatically at that point, and companies started adopting the mentality of just because we can, let’s go ahead and do it.

Beau: Today everything’s been digitized, indexed, and sold to anyone who’s able to pay for it.

Glen: It was a little bit of the frog boiling in the pot of hot water, where we didn’t realize this was being taken from us until we arrived at the death of privacy.

Beau: I’m Beau Friedlander and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online? Hey, Katasha.

Katasha: Hey, Beau.

Beau: That’s Katasha Rogers, a colleague of mine and yeah, a fellow traveler when it comes to things privacy. So I got a question for you. I know that you wrote an article a while back for the blog about, what was it? Is it intentional obscurity? Was it, is that how you, how they put it in Maryland?

Katasha: Yeah, so Maryland is trying to pass a bill that would help protect all of their public servants in the state by removing their personal information, not only off of data broker sites, but also requiring public records to take them down as well. This came up because the big deal was the public records. They know that they can purchase services like DeleteMe that will remove their personal information off of data broker sites, but they were concerned about access to public records. So I was trying to explain that by practical obscurity, these data brokers have kind of taken this information and made it easier by going in and scanning those draft cards and making them accessible on the sites, the ancestry.coms, for people to find them. Whereas in the past, we wouldn’t have been able to find this information because you had to drive to a specific courthouse or search an index or pay for photocopies. And these data brokers have made that practical obscurity disappear.

Beau: So practical obscurity in a nutshell is all the stuff that does exist in shoe boxes, like your fishing license or your marriage license or death certificates, birth certificates. The thing is, none of those things exist in shoe boxes anymore, or storage. You know, they’re not on shelves. It’s not like Harry Potter’s, you know, Ministry of Mysteries or whatever the heck it was called with all those glass orbs that fall off the shelf; it doesn’t look like that. It looks like a data center.

Katasha: Yeah, we’re digitizing everything. If you can digitize, like you said, your old photos for yourself, imagine what these data brokers sites are doing to digitize some of these artifacts that are connected to your personal information.

Beau: In your article you said there’s no universal database of the American public. Our identities are scattered across a sprawling mosaic of sources, more than 3000 counties, each running its own property, tax, and marriage systems. Thousands of municipalities maintaining separate permit databases, fishing and hunting licenses. I knew fishing was somewhere in there. State courts. I mean, so all that stuff can be pulled together. The question is like, that used to present to the would-be criminal a lot of friction ’cause you would have to go to all these different agencies. Has that friction gone away entirely?

Katasha: Yes. So now we have thousands of data broker sites that are going through public records and going through marketing companies and finding out information about you and including them in these very detailed profiles that are searchable on the open web, where in the past, like you mentioned, I would have to go to the county website and know what county you lived in, in order to search the tax record of your home. But if I can just search you on the open web, I can find out your address. I can find out what county you live in. And then I can go find the public record based off of that information that the data broker supplied to me.

Beau: Okay, so next batter up: Glen Sorenson. I also work with him. We are recording today because he and I started talking about open-source intelligence. And we’re just going to both take a crack at letting the listeners know what that is, even though if you’ve been listening to What the Hack for a while and you don’t know what open source intelligence is, you’re, well, you’re my partner Guenevere. ‘Cause she actually asked me right before we started recording.

Glen: Well, open-source intelligence is the stuff that’s freely available on the web,

Beau: Glen travels the country talking to people about privacy and cybersecurity.

Glen: The stuff that you can find by just going out and searching and looking and knowing where to look and where to search. Sometimes this is public records, sometimes it’s data broker sites. Sometimes it’s somebody’s website, but stuff that’s out there.

Beau: Okay, let’s talk about the migration of things that were hard to find as a result of the practical obscurity native to files that live in boxes at physical locations, their migration from there to the current day location where you can find them anywhere, all the time, because they live in the cloud.

Glen: Yep. The ability to find this information changed dramatically at that point, and companies started adopting the mentality of just because we can, let’s go ahead and do it. Never thinking about, does this actually take into account the individual and their data, their privacy, anything that they may own, and that ownership was assumed by them and not really assumed by us. And it was a little bit of the frog boiling in the pot of hot water, where we didn’t realize this was being taken from us until we arrived at the death of privacy.

Beau: And here’s what these companies did. They took the basic premise of that weird sector in the world. They’re the ones who say it’s easier or just better to ask for forgiveness than permission. And we are dealing with the fallout from a whole sector, a whole tech sector that took that as their working motto: better to ask for forgiveness than to ask for permission. And now this is like a Pandora’s box because… I just got a note the other day, Glen, from Columbia University where I studied, saying that my social security number had been compromised.

Glen: And that’s how many times?

Beau: Now I was gonna say, by them and I-

Glen: Oh.

Beau: And it was a few days after I had gotten my PIN code for filing my taxes. Why do I have a PIN code? Because my social security number’s out there. And why is my ATM card locked right now? Because it’s been breached so many times that I find it easier just to keep it locked. And if somebody wants to withdraw money at the same exact time as I’m doing it, then God love them.

Glen: If they have that kind of timing, they deserve it I guess.

Beau: Yeah. And so, you know, open source intelligence for me is an understanding of what’s online and being really creepy with it.

Glen: And being really creepy with it, or at least having the ability to be really creepy with it. And that, there’s the ability to be creepy with this information that a lot of times in ages past, if you’re gonna commit a crime against somebody, you had to be physically present. Like you had to, you had to be near them in some reasonable way and-

Beau: Or near their stuff.

Glen: Or near their stuff, yeah. And that’s just not the case anymore. Banks get robbed from 2000 miles away and, you know, over an internet connection.

Beau: Yeah.

Glen: Like, the world has changed. So instead of maybe a few thousand, or maybe tens of thousands of people that might be possible suspects in all of this, now you’ve got billions. So the attack surface, I guess, has broadened substantially.

Barbara Clip: My accountant got an email from my secretary authorizing a $400,000 transfer of funds.

Beau: You might recognize this as the voice of Barbara Corcoran, one of the hosts of the reality show, Shark Tank.

Barbara Clip: I invest in a lot of property. I renovate property. So it seemed like a normal kind of thing.

Beau: She shared a story about what happened to her in 2020.

Barbara Clip: The money went out, a wire transfer to Germany. But it wasn’t until my accountant sent a confirmation to my real secretary saying, Hey, we’re confirming this one last time. Right there. Boom. I learned that I was hit by a scammer.

CBS Clip: They’re calling it a phishing scam, but really it’s a digital con job. Barbara Corcoran says she was scammed out of nearly $400,000, so it was an expensive loss here.

Beau: Her story was like a lot of people’s stories. You know, you click, it looks more or less right. It’s more or less good, you know, kind of expecting something. We’re always kind of expecting something. Click, boom. Done. As in, like, you’re cooked.

CBS Clip: So she wired the money and the lesson learned is that money, if it doesn’t go to the intended recipient, you can’t get it back.

CBS Clip: You can see how easily it could happen. You look at an email quickly, and if it’s off by one digit, I wouldn’t notice that. You can’t be embarrassed or think it’s a stupid with two o’s moment because that really could happen to anybody.

CBS Clip: It’s even more embarrassing when you send the wrong person the money.

CBS Clip: Yes, that’s absolutely true.

Glen: So it’s, if you have a CEO and you’re a middle manager somewhere and your CEO is asking you to do something, that carries a different weight than maybe even your direct boss. That’s a very different weight of authority that is being employed. Now, if somebody can hijack that authority and use it, there you go. I mean, that’s one of those big pieces along with urgency and fear and, you know, maybe something that’s attractive. Maybe you’re up for an award or a reward. There are those psychological things that we want or want to avoid and you package these things up and you have a pretty compelling way to bypass our thinking brains.

Beau: So we can see how this can be used to bring down large companies, some of the biggest in the world, all through publicly available information, like a LinkedIn profile, a job posting, a helpdesk employee who didn’t know they weren’t supposed to say what they said, oops. That same playbook isn’t just for nation state actors or ransom workings. Corporations can use this on each other every single day before a merger, before a big negotiation, before signing a contract. Some companies are doing recon. They’re pulling backgrounds on executives, scanning job listings to reverse engineer a competitor’s roadmap, monitor patents. It’s the same discipline. The only difference might be the intent, and that gets really blurry. Like you said, just saying, as you know, in the person of the CEO, like, Hey, you know what? I can’t get so and so on the phone right now. What are our sales to date right now? And you know what-

Glen: Having that information.

Beau: And a competitor, if you think competitors don’t hire industrial spies, you’re cuckoo. They do. And they want to know, what’s that?

Glen: Longstanding practice.

Beau: Yeah. And that might be a piece of information that they really want to know or like, what is your security practice? Hey, I don’t even know what we’re using, but I’m on the phone with somebody and they want to know how we layer security around our customer data after they’re no longer customers. Oh, wow. That sounds really competitive. You know, really basic. And you know, an engineer will know that, but it’s really not the engineer’s place to share that information. Done. You’re done. You are done.

Glen: Yeah. Exactly. And I think we’ve gotten used to this idea of having all of this information available on some level. But I don’t know that everybody has gone as far as, you know, the threat actors out there would and the people that may be researching you for a negotiation. I don’t think that the mainstream awareness has gotten as far as those folks in realizing that there’s so much more out there and there’s so much more that can be done with it. I think if you look at this as maybe a marketing problem too, and the information that that marketers gather, and I think that’s a lot of the same techniques apply when it comes to OSINT and security and privacy. Yeah, it’s-

Beau: Well, you know, if you told me you were in HR and I wanted a job from you, all the information I can find online about you becomes really valuable to me. Because I’m heading into an in-person interview and I need to get through you, and the easiest way to get through it is like, here’s the drool test. Look, I’m not drooling. That is the drool test, but now let’s talk about soccer because I spent a few hours looking you up and I see that you are a serious Manchester United fan and your kid is in a travel team and so that’s what we’re going to talk about until I got the job.

Glen: So funny enough, I’ve given talks on, you know, getting hired in cybersecurity, and that is exactly one of the things that I would tell people attending my talks and people I’ve mentored, students and whatnot. You need to find as much information as you can. Connect with the recruiters, connect with the hiring manager, connect with as many people as you can on LinkedIn. Get ’em on the phone, meet ’em at conferences, because then you’re a known quantity and you’re a face. You’re not just a paper resume out there. Obviously that is coming from a good intent and, you know, is beneficial for everybody ultimately. But it doesn’t always have to be that way. It’s the same idea.

Beau: It doesn’t have to be that way. If you work in HR and you’re listening to this, hint, hint, wink, wink. If you remove your information from online and you have stricter protocols on your privacy, and I always assume like people know this, right? And I’m like, oh, this person has a pretty public-facing job. There’s no way they’re sharing. If they’re on social media at all, there’s no way I can see it. No way. And I’ll tell you-

Glen: Default privacy settings are the norm.

Beau: But they’re the norm. But not everybody knows it’s the norm, just in the same way not everybody knows- okay, so you’ve probably heard that right before lightning strikes, if you don’t have the kind of hair I have, your hair will stand on end. My hair won’t, ’cause it’s very kinky. But if you have, you know, kind of baby hair, it will stand on end because the static electricity becomes super, super strong right before a lightning strike. Now, in the land of being played by somebody who’s done good OSINT on you, that just feels like you’re comfortable. That feels like you’re enjoying the conversation kind of unreasonably, like you’re not supposed to be enjoying it this much. Why? Because they’re trying to sell you envelopes. What the hell?

Glen: You’re just leaning in and engaged and interested and feel a stronger connection, not necessarily your hair standing on end before the proverbial lightning strikes.

Beau: Right, the warm and squishies. But the fact is like, I think that’s a problem for me anyway. I don’t think everybody should just because they know how to type some search terms into a Google window, have charisma. And that’s the world we’re living in right now is they can kind of, they may not know what to do with it. Fair enough. But you know-

Glen: Now, in AI flavors. Creating a phishing message or a social engineering angle, it doesn’t know better. 

Beau: And also all the LLMs are built with guardrails that were built and designed by engineers who are human beings, so other human beings can figure out how to get around those guardrails. Explain the jailbroken versions of AI that people are using. ‘Cause it’s not ChatGPT and it’s not Claude.

Glen: These are AI models that are designed, that are trained to be malicious, to craft those phishing messages. The bad guys’ version of ChatGPT built for bad guys.

Beau: And you, where do you get access to it? I’m just curious. Where’s the new Silk Road?

Glen: The dark web is the easy answer. But I mean, if you are a part of those forums and can get in and be one of those trusted bad guys, I think we have a case for, I guess, law enforcement disruption here. And we’ve seen how that’s worked in the past. But you know, if you’re trusted by the people building the tools, you can get access to the tools. You can pay for access to some of the tools sometimes. And, you know, it’s its own business model there.

Beau: Right. And it is a criminal thing where you have to be trusted in the same way that if a drug dealer who’s moving kilos of some substance, they’re not gonna sell to just anybody.

Glen: Yeah, I-

Beau: I watched Breaking Bad. I know.

Glen: They don’t want to get caught. I mean, they don’t want to, you know, end up on any law enforcement agency’s radar, regardless of country.

Beau: But here’s the thing is like with people search sites, the people who built those sites cannot pretend that it was just, cool. I’m gonna build this thing because I can, because the only thing I’ve ever used a people search site for…full disclosure, I’m gonna be vulnerable right now. I know I must seem like a saint. I’m wearing a nice white hoodie and I look like a nice old man. I probably don’t look like a nice old man to…anyway. Look, I have used it when someone pisses me off and I- not because I really want to go after them, but because I wanna understand how much of a jerk they are.

Glen: I think a lot of them may have started from the flip side actually, where, I wanna know who I’m dealing with so that I don’t get hurt. So that there is not a criminal at the other end of the table that I’m going on a date with. I think there are legitimate, you know, beginnings that started that way. Now what they’ve become, I don’t think they can argue that the practical end result is actually what was initially intended. So I think there’s-

Beau: So you think that…ah, I get it. No, sure. Listen, yes and no. So there’s, yes. Okay. Here’s the, yes, I’m hiring somebody. I wanna know if they’ve got a criminal background, criminal record. And for some reason I’ve decided to use a people search site instead of one of the more reliable services that are out there. Fine. It’s 30 bucks versus a, you know, subscription that probably costs 10 grand a year. Cool. I understand that. And I don’t have a friend who’s a cop, so I can’t be like, Hey, can you check that person’s license plate? I do have a friend who’s a cop, I won’t say who. Look at my friends on Facebook. You might be able to figure it out. No, you can’t. Right? Because it’s set private. Ha.

Glen: So there.

Beau: So, that’s sort of the point, is what’s your privacy stance? How careful are you with the way you walk through the world? Well, the answer for most people is not very. And if you don’t believe me, go ahead and research sextortion crimes because they’re targeting teenagers who don’t have the emotional capacity to deal with being attacked that way. Now that is not something that starts with people search sites, but it uses them. So here’s how it works. It might start on Discord. It might start on a gaming forum…but once they got your number and they know your name, they’re going to that people search site and they’re gonna come back at you and say, I’m gonna tell your Uncle Bill, your mom, your grandma, your brother, your sister, that I have a picture of you being naughty with me.

Glen: Yep. And not having the maturity, the training, the instinct to resist that sort of thing puts them in a vulnerable state.

Beau: Beyond vulnerable. Beyond. Beyond. Yeah. And that’s the point. They’ll cough up whatever they can cough up. But if you’re listening, all you have to do is walk away. All you gotta do is close your computer. Whoever is targeting you is targeting 20 people just like you.

Glen: And if one gets off the hook, let that be you.

Beau: Okay, Glen, so what’s the solution?

Glen: Well, if I had all the answers, I would certainly share ’em. But what I’ve got are some. We can remove what’s out there. We can stop leaking some of the information that we have kind of unconsciously become used to leaking. That is rewards programs that we sign up for. That is giving out our phone number without thinking about it, giving out our email address without thinking about it. We can be more conscious about that. We can use email masking, forwarding services that, you give ’em a unique generated email for the one thing that you’re signing up for. You don’t necessarily even have to give ’em your real name. Yeah, no ethical dilemma in providing false information, because they’re abusing my privacy.

Beau: And they say, you know, my old partner used to say, Adam Levin loved to say like, lie like a superhero. Do you think Superman ever said, I’m Superman? Did not.

Glen: Yeah. Yeah. And you don’t have to give all of the information out there that they imply that you should. You go to stores a lot of times and they’ll say, well, can you just gimme your phone number so I can give you this discount? Or even not, just so I can check you out. And no, you don’t have to give them that, or you can give them fake info. You can give them a voice over IP number. There’s a lot of things that you can do to get out of that conversation. But I mean, I would encourage people to be more direct about it and say, no, I don’t think that’s reasonable information for you to ask for. I would just like to purchase my product and end this transaction and be on my way. And that should be the end of it.

Beau: And it can be. But it can be, and you know, like doctor’s offices, you don’t have to give your social security number. They only want it for billing purposes. You can say no.

Glen: And should.

Beau: They can’t legally make you give it to them. And yeah, I mean, unless you’re me. I could write my social security number on my head and people, it wouldn’t make a difference. You have no idea what’s out there. I know, for instance, one of the few things I still get because I’m buttoned down super tight, but one of the things I still get are spam sales calls for things that are home improvement-related. And it’s because five years ago, I filled out a form with my real phone number asking about solar in my area, and that solar company has now turned into tree cutting services, gutter cleaning. It’s turned into driveway repair. It’s turned into garbage, you know, waste removal.

Glen: So that one single point has gone everywhere.

Beau: It’s gone viral. Now, how do you solve that? Well, you said it before. You can get call masking too. You can use a voice over internet protocol, but you can also use call masking, which I think is- is call masking the same as we offer it? Is it the same as a VoIP?

Glen: I mean, it’s, yeah, that’s the same idea. So, yeah.

Beau: It’s the grasshopper or… it’s just giving you a different phone number.

Glen: Yeah. So your real number doesn’t actually get out there. It’s just forwarded to you.

Beau: If you’re like me and you maintain a couple of burners like that, when they get a little polluted as they will, just cancel the account. Cancel the account, start it again. Google doesn’t like it and you’re gonna have a phone number in North Dakota, but whatever.

Glen: Yep. And, and that’s fine because, you know, if there’s some tie to North Dakota and you are not in North Dakota, that’s probably better for you. That muddies the waters a little bit.

Beau: Well, that is the point. And which is why you want to use A VPN too. ‘Cause you use a VPN and they’re like, wait a minute, are you- And it always cracks me up. ‘Cause my doctor’s in New York state. Don’t listen doctor, if you’re listening. ‘Cause you know, when I want to do, I’m in Connecticut and when I wanna do telehealth, you can’t do telehealth from Connecticut in New York state. It’s against the law. And they’ll say, are you in New York state, and I’ll say yes, and it says, well, it says you’re in Connecticut. And I say, dun-dun.

Glen: Try again.

Beau: I’m using a VPN.

Glen: Yeah, and I feel like your IP address is much like your home address at this point, and for a lot of practical purposes it is. They have no business getting your real IP address. Use a VPN.

Beau: Alright, well then wait, explain that to people. Okay, now here’s my partner. She’s come in the room. What is this OSINT nonsense Glen, and why do I- what the hell with the- nobody knows what an IP address is. I’m not changing that. You’re dumb.

Glen: Well, all the companies scooping up the data that you, and, you know, go looking at the sites you visit, they’re all tracking your IP address and it is much like your home address. It’s tied to you in such a way that it may as well be PII and in some cases it is legally. It’s an identifier of you or at least of your house and your service. And it gets them very close to being able to put a person behind a seat or on a seat behind a keyboard. Somebody in your house did this.

Beau: The speeding ticket. The speeding ticket is being delivered to your home where the car is registered. We don’t know who was driving.

Glen: Yes. I mean-

Beau: And we don’t care. We just want our 50 bucks.

Glen: Yep.

Beau: But here’s the deal. And that means that every site that you go to, you clever, clever listeners who are using Incognito, it’s not working.

Glen: That is only one piece of the puzzle. And by all means, use a hardened browser, use something like Brave, use Incognito mode. But that is just one layer. There are multiple layers. The VPN is another and it’s an important one.

Beau: Yeah. And so what we’ve learned today is that privacy is dead.

Glen: But maybe it doesn’t have to be. Maybe we can start to take it back.

Beau: Yeah. Or like, maybe we should stop talking about it in these frankensteinian terms because it’s not alive or dead, or vampire terms. It’s not, well, ’cause there is a vampire element to the whole thing on the take side. But on the give side there’s a lot of agency. You can decide what you want to give.

Glen: You just have to know that you can decide and feel empowered to decide.

Beau: Yeah.

Glen: And really keep that in mind. And if there’s one thing to take away from this, take away that: you do have the authority, you do have the agency to decide. It doesn’t have to be decided for you.

Beau: Yeah, it’s give and take, but like, you get to decide what’s being given.

Glen: Yes. And the more aware that we can be as a society of that, the better off we’ll be. The more we’ll move the needle back towards some reasonable state of, you know, of OSINT-ability, I guess.

Beau: Right? And then like, okay, so go back to section 230. Go back to the beginnings of the problem of the internet being outta control. And here’s what you need to know. It was never your circus and those weren’t your monkeys, but those monkeys are everywhere now and you gotta deal with them. And it sucks. There was no laws, there were no rules. True story. True story. But the reality now is, let’s pretend the monkeys are mice and you live in the northeast. It’s just a fact of life. But you can live with mice all over your stuff or you can take measures to keep it down to a very bare minimum. That’s what we do is pest control.

Glen: And it’s not a problem we’re gonna solve in a day, but it’s solved by taking steps every day.

Beau: Yeah. You close up the little chink in the side of your building that is allowing mice in. You, you know, same thing in your walls, whatever it is. I’m sorry to talk about mice in this regard. ‘Cause mice are really nice compared to data brokers. No, and I mean it because, yeah, mice spread disease, right? Well, data brokers spread your one call to a solar company. Come on, gimme a break. I get at least one call a week from people trying to sell me something from a blade of grass to a shingle for my roof every week.

Glen: It sounds about right.

Beau: And, and that is, I don’t know, I don’t wanna put it…it’s not cancer, but like, you know, that is the way this stuff spreads. 

Glen: Well, if you think about it from an organization standpoint and protecting the people in it, the line between personal and business and work information and personal information has blurred, and it’s been blurry for a while, but I think it’s come to, you know, some sort of inflection point, especially with AI now. But that is a risk to your organization. If the controls, the technical controls for cybersecurity, for example, in your organization are strong, well, we’re gonna go around them, right? How do we go around them? We go around ’em through the people. And if we target the people and have the people go around the controls, that’s a threat to our organization. So this is beyond a personal privacy problem. This is an enterprise risk management. This is a business risk to your organization. And, you know, it’s just good to protect your people anyway, right? This is something that we need to think about in a way that we haven’t yet. This is what I like to call a historically unmanaged attack surface as a business.

Beau: I agree.

Katasha: I think the best way to create intentional friction would be to make sure that your information is removed from these data broker sites that are making your information more public on the searchable web.

Beau: Katasha Rogers. 

Katasha: And then putting that practical obscurity barrier back up and requiring the people searching for that information to go to the deep web and search on county websites or, you know, drive to the actual courthouse and find this information, which kind of deters them from searching for it in the first place.

Beau: The issue is that human beings do have free will. Free will means that they might not follow the security protocols that you put in place. So how do you solve for that? It’s got to be a cultural solution.

Glen: I mean, we’re never gonna get to perfect but we can get closer to it. And our strategy has to be to influence culture and move that cultural needle. I would say the bigger problem is much beyond that though, and that is that the CISO, and having sat in that seat myself, I’ve been in the hot seat, you have to convince the business that that’s a good idea.

Beau: And it costs a little bit of money, right?

Glen: And it costs money. And typically more than the money. It’s the impediment or perceived impediment to doing the thing that the business wants to do. 

Beau: Curious about like what you just said, the impediment. Now I worked once upon a time at a, I can’t say where, but it was top secret and for real, if you look at my LinkedIn, you’ll figure out exactly what I’m talking about. And there at this place, because we had something very, very secret that only the BLEEP had, can you guess where I was? Alright. Anyway, we used PGP. Pretty good protection email. Now, what does that look like? That looks like every time you get an email, you have to log in a password every time or have a key fob every single time. And do you know how annoying that is when you’re the director of communications? It’s really, really annoying. However, we’re talking about cybersecurity. Cyber is hard. You know what else is really annoying? Keeping, you know, a notorious murderer behind bars. That’s why prisons are complicated.

Glen: Yeah.

Beau: I just don’t understand why people don’t… we need to think of it as like a reverse prison. That’s what Fort Knox is.

Glen: Yeah. I mean, well, keeping the bad things out, that’s the goal.

Beau: But keeping the bad things out means keeping out all the stuff that we as humans, beautiful, interesting, varied, cool human beings are gonna drag in with them to work.

Glen: Yep. It’s the things that try and piggyback, you think about the tailgating, the idea of tailgating. You swipe your badge and the person behind you just walks through on your badge.

Beau: In you go.

Glen: In you go. And that’s the idea. There’s a lot of known good things that we’ve got and there’s a lot of things to try and tag on with those known good things. And that, I mean, that really is one of the major strategies here.

Beau: Well, I wonder actually if I can get Susan Ahn on the phone, because when I went to visit Susan and Ian in New York, they were at a WeWork, and I just walked up to Susan in her cubicle and she was like, how did you do that? And I was like, what do I do for a living?

Glen: I found you.

Beau: I mean, come on. Well, not only did I find her, but I got in. You know, the physical pen test was a joke.

Glen: If you just look like you know what you’re doing and you belong there and-

Beau: I just nodded at the guy in front. I just nodded at the guy in front of me and I was like, just open the fricking door for me or I’m gonna punch you.

Glen: Yep.

Beau: I wasn’t even nice about it. I was like, keep moving.

Glen: It would work if you were nice, it would work if you were not nice, it would work if you had a thunder cloud over your head, perceived of course.

Beau: All the different reasons things work, all the reasons things work. And this is again, like, so you didn’t gimme a good answer. Why? Why do CISOs not say, you aren’t touching a computer in my organization until your shit’s offline?

Glen: Because that’s a business decision, not the CISO’s decision at the end of the day.

Beau: Okay. When, okay, fine, fine, fine, fine, fine, fine. I got a second follow up. When is security going to be considered a…I don’t get it, Glen. It’s an extinction-level event when things go wrong. When is it going to be given the importance it needs to work?

Glen: When enough pain and money is involved, and I guess we’re just not there yet. One day we will reach another inflection point and things will change again.

Beau: It’s clearly not seven-point-whatever million dollars.

Glen: We have not reached enough yet.

Beau: So let’s let us know. Let us know. Like, Hey, by the way, if you just wanna give me that $7 million I have, I’ll tell you my crypto wallet address.

Glen: I will give you good security advice for much less than $7 million.

Beau: We will. We both will. We are here. Glen and Beau. We’re ready to help you out. Just give us the money. Alright Glen, thank you so much for joining What the Hack this week. I appreciate the hang time. I know you’re busy.

Glen: Thank you. It’s been a pleasure being here and a pleasure talking with you as always.

Beau: Okay. Privacy isn’t dead yet, but it’s not for lack of effort, or trying to kill it on the part of big data. What you can do to help keep it alive is to pay attention to your own privacy. Maybe the first thing that you can do is treat your privacy like the super important possession that it is, and start protecting it like it really mattered. ‘Cause it does. Okay. That’s it for now. Now it’s time for the Tinfoil swan, our paranoid takeaway to keep you safe on and offline. This week I’m kind of freaking out about Sam Altman’s iris-scanning humanity-verifying World Project announced in San Francisco last week. I am quoting from a Wired article that I read this morning: Tinder users around the globe are going to be able to start posting a digital badge on their profiles that says that they are in fact human beings. And how do we know this? Because they looked into one of World’s orbs and they allowed their eyes to be scanned, their retinas to be scanned, so that’s something. This same tech is going to be used to verify that a human being is trying to buy a concert ticket. So, the only thing that we don’t have on this list is drugs. It’s drugs, sex, and rock-and-roll, so it’s sex and rock-and-roll anyway. Smart marketing. Now, should you let someone scan your retina? What do you think I’m going to say? Absolutely not. If you have to pay with something as absolutely sensitive in terms of your personally identifiable information as your retina, man oh man, it better have three or four commas in it, not just access to, you know, more people looking at your profile on Tinder. Okay, so that’s my advice for you this week. Don’t let anyone scan your retina. Now, why do I say this? Is it a big deal? I think the big deal is this: Right now, license plate readers can’t scan your retina. Do you think that’s always going to be the case? I don’t. 
Cameras improve all the time, so if it’s not a license plate reader, it’s going to be some other kind of camera that is doing surveillance. Maybe a Ring camera can do it. I don’t think that any company needs to have that level of information about anybody. And that is my two cents for this week. And that is a lot less than it would cost to buy my retina scan. Okay, stay safe out there. We’ll talk to you next week, and remember if you like the show, tell a friend. Rate and review. It helps people find it. This episode of What the Hack was produced by me and Andrew Steven, who also did the editing. What the Hack is a production of DeleteMe, which was picked by the New York Times’ Wirecutter as the number one personal information removal service. You should be using it already. If you’re not and you want to, well, you can. Here’s what to do. Go to joindeleteme.com/wth. That’s joindeleteme.com/wth and get 20% off. I kid you not. 20%, 20% off. That’s joindeleteme.com/wth. Now, stay safe out there. See you around.
