Thank you for tuning in to our 150th episode! I started the Easy Prey Podcast with the goal of helping listeners learn to avoid being an easy target for scammers and fraudsters, both online and in the real world. Since the first episode on March 18, 2020, I’ve had the honor of interviewing some of the most influential people in their fields. We’ve talked about topics ranging from personal safety, self-defense, social engineering, and romance scams, to phishing, cybercrime, and everything in between. This episode is a slightly different format than normal. We’ve had some amazing guests on the show over the last 149 episodes. Today, I’m sharing highlights from our top 10 episodes!
In this highlight episode, you’ll hear clips from:
- Narcissist Specialist, Dr. Ramani Durvasula
- Romance and Scam Survivor, Debby Montgomery Johnson
- Trust and Safety Architect, Jane Lee
- Programmer, John McAfee
- Author and UnMarketing Specialist, Scott Stratten
- People Hacker, Jenny Radcliff
- Former Cybercriminal, Brett Johnson
- Author and Gaslighting Expert, Dr. Deborah Vinall
- Former FBI Negotiator, Chris Voss
- Tech Pioneer and Podcast Host, Steve Gibson
Show Notes:
[1:50] – Dr. Ramini Durvasula is an expert in understanding Narcissism. She shares the shocking traits of narcissists and you may realize you know a few.
- Click HERE for the full episode with Dr. Ramini Durvasula.
[9:49] – Debby Montgomery Johnson was a victim of an online dating scam. She shares how she was drawn in and what red flags you should look out for.
- Click HERE for the full episode with Debby Montgomery Johnson.
[16:31] – Jane Lee went undercover to learn about the new online dating scam known as Pig Butchering. She explains how Pig Butchering works and what to look out for.
- Click HERE for the full episode with Jane Lee.
[23:34] – John McAfee worked hard to stay hidden while he was on the run from the US government. He shares the unexpected costs of privacy.
- Click HERE for the full episode with John McAfee.
[30:29] – As a former salesman, Scott Stratten knows that people can see through sketchy sales techniques. He talks about the advantage of doing business with people you know, like, and trust.
- Click HERE for the full episode with Scott Stratten.
[36:37] – Hacking isn’t just for computers. Jenny Radcliff’s hacking specialty is hacking people. She shares how people can be manipulated and how your business or family can be compromised.
- Click HERE for the full episode with Jenny Radcliff.
[45:41] – As a renowned cybercriminal, Brett Johnson helped define cybercrime as we know it. He now uses his experience to protect people from the type of person he used to be.
- Click HERE for the full episode with Brett Johnson.
[52:01] – Gaslighting is a term that many of us have heard but not all of us know how to recognize. Dr. Deborah Vinall explains what it is and what to do when it happens to you.
- Click HERE for the full episode with Dr. Deborah Vinall.
[57:16] – As a former international kidnapping negotiator for the FBI, Chris Voss has plenty of experience with high-stakes negotiations. He shares his tips for the negotiations we face each and every day.
- Click HERE for the full episode with Chris Voss.
[64:09] – Steve Gibson has been working on computers since before the internet existed. He shares how the internet was not designed with security in mind and what kind of online security we can hope for in the future.
- Click HERE for the full episode with Steve Gibson.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
Transcript:
I'm your host, Chris Parker, and this is the Easy Prey Podcast. Thank you for tuning into our 150th episode. I started the Easy Prey Podcast with a goal of helping listeners learn to avoid being an easy target for scammers and fraudsters, both online and in the real world.
Since the first episode on March 18, 2020, I've had the honor of interviewing some of the most influential people in their fields. We've talked about topics ranging from personal safety, self-defense, social engineering, romance scams, to phishing, ransomware cybercrime, and everything in between. This episode is a slightly different format than normal. We've had some amazing guests on the show over the past 149 episodes. Today, I'm sharing highlights from our top 10 episodes.
In this highlight episode, you'll hear clips from narcissist specialist Dr. Ramani Durvasula; romance and scam survivor Debby Johnson; trust and safety architect Jane Lee; programmer John McAfee; author and UnMarketing specialist Scott Stratten; people hacker Jenny Radcliffe; former cybercriminal Brett Johnson; author and gaslighting expert Dr. Deborah Vinall; former FBI negotiator Chris Voss; and tech pioneer and podcast host Steve Gibson. If you want to listen to the full episodes of these guests, links will be in the show notes.
If you found these episodes helpful, please subscribe in your favorite podcast player or on YouTube. We release new episodes every Wednesday. We'd also greatly appreciate a review at easyprey.com/review. You can keep up with us on social media via Twitter, Instagram, Facebook, and Pinterest, all at Easy Prey Podcast. Now, let's jump into the highlights from our most popular episodes.
Dr. Ramani Durvasula
Dr. Ramani Durvasula is an expert in understanding narcissism. As she shares the shocking traits of narcissists in episode 21, you just may realize you know a few.
Human nature is so fascinating. I think that as a psychologist, especially as a clinical psychologist, you're equal parts. You could be a researcher, you're a scholar, you're a scientist, but there's also something almost shamanistic about it. I think that as long as there have been two human beings in the world, one of them was trying to understand the other. Although it's considered a science in its relative infancy, I think, actually, people have been trying to understand human nature for thousands and thousands of years. That's how I got into it.
I think that as long as there have been two human beings in the world, one of them was trying to understand the other. -Dr. Ramani Durvasula Share on XNow, this area of narcissism is a bit more recent. Recently, it's been 10-15 years, kind of recent for me. I started doing work in understanding what are the things that put people at risk in terms of their health? Lead people to maybe make less than optimal health choices, and also how they treat healthcare personnel. One thing that we were noticing anecdotally, is that there are some people who come into clinics and totally abuse the receptionist, the nurses, and ultimately the physicians. Nobody likes being with them, people would cringe when they see this patient's name on the schedule.
I thought this was interesting. First of all, I understand why they're cringing, but it often guarantees that this person is not going to get the best quality health care. What about other areas of their life? Not surprisingly, the difficult patient in the clinic is the difficult partner, sibling, child, parent. This idea of difficult people also started aligning with what I'm seeing in my clinical practice, which are people who are in these marriages with people who just literally invalidated them, devalued them, did not listen to them, showed no empathy to them, and the pattern never ever changed.
People who are suffering like this five years, 10 years, 20 years, 30 years, every year, making a new promise that maybe this year it's going to be different. Maybe this year it's going to change. Maybe when he gets a promotion. Maybe when she gets the house she wants. Maybe when the kids are older. Maybe, maybe, maybe, and maybe would never come.
I saw that the fallout for people who stayed in these relationships, whether it was their parents, whether it was their partner, were pretty shredded. I thought, “Gosh, psychology isn't talking about this.” This is the traditional violent relationship. That wasn't necessarily always the case, these people who are being physically beaten up or sexually assaulted.
I saw that the fallout for people who stayed in these relationships, whether it was their parents, whether it was their partner, were pretty shredded. I thought, “Gosh, psychology isn't talking about this.” -Dr. Ramani Durvasula Share on XIt was very much like just this chronic invalidating, unempathic, basically you existed to serve the narcissist kind of a situation. It really does a number on people. That's how I got into it. Now, I'm in it, and it's really more of a mission and a vision as I could as it is an area of scientific interest of mine.
I have to hear all these terms kind of thrown out together and I'm sure there are differences between them, but you have narcissism, psychopaths, sociopaths, and maybe there are some overlapping between them. Can you illuminate us on that?
The distinction between narcissism, psychopathy, and sociopathy is one that a lot of people grapple with. The terms are often used interchangeably and incorrectly. There's a big difference.
Narcissism is very much a pattern of a person who lacks empathy, is deeply entitled, grandiose, arrogant, very superficial, constantly needs validation and admiration. They're very sensitive. They fall apart under criticism or feedback. They get very vindictive or rageful. They feel like victims a lot.
Narcissism is very much a pattern of a person who lacks empathy, is deeply entitled, grandiose, arrogant, very superficial, constantly needs validation and admiration. They're very sensitive. They fall apart under criticism or… Share on XTheir self-esteem is very vulnerable; it’s very variable. They're having a good day, they're the king of the world. But if something doesn't go their way, their entire world shatters. They tend to lash out at other people. There is a core self-esteem deficit, a core ego fragility. That's what a narcissist is.
Now, when you jump the rails over to psychopathy, you're in a little bit of different territory. There's a lot of similar top notes. Psychopaths also don't have empathy, they are very arrogant, they can be grandiose, they're very entitled, but the chilling difference between the two is narcissists actually do experience remorse.
Psychopaths also don't have empathy, they are very arrogant, they can be grandiose, they're very entitled, but the chilling difference between the two is narcissists actually do experience remorse. -Dr. Ramani Durvasula Share on XActually, they often experience that remorse as shame. They don't like feeling shameful, so they often react with rage. They'll blame other people for what they did because they actually did it, like, “I shouldn’t have cheated on my wife. I shouldn’t have stolen that money.” Psychopaths, very little—if any—remorse. They're more of your hired assassins. They're people who are willing to do cold-blooded stuff because honestly, it doesn't register.
Psychopaths are unique, and there's some interesting research on the nervous system that shows that psychopaths are very what we call stress-tolerant, meaning the kinds of stress that would put the rest of us spinning around, they're very, very cool under those conditions. They're also not prone to anxiety, so the things that would make a person anxious. Think about it. If I stole someone's purse in a store, opened it, and there's cash in it, the thought of taking the cash out of that purse, literally, I'm having panic thinking about that. I couldn't imagine doing that. That makes me anxious.
For a psychopath, there's zero anxiety. They’ll just stick their hand in that purse and walk away. There would not even be an ounce of a racing heartbeat or anything. Their autonomic nervous systems are very different. Because they don't get anxious, they don't get worked up, they're able to break the law, flout the rule, violate people's rights. They make great criminals because they don't feel remorse. And because they don't feel remorse, they actually do really well under questioning. Because they don't feel anxiety, they're really great under questioning.
Now, psychopaths are much like some narcissists. They can be charming, intelligent, clever, charismatic, and very confident. People say, “Gosh, these psychopaths are terrifying.” I said maybe so, but on the surface, they are suave, calm, and cool, so people are very drawn to them. And because in our culture, we think calm and cool is confidence, and we think confidence is good—those are not always accurate, good kinds of leaps to make—people fall into them.
Sociopaths are a little bit different. There is some belief that psychopathy potentially has a genetic element. There are central nervous system differences we see in the brain of a psychopath. We often see that it tends to run in families. Again, highlighting the possibility that there's a pretty solid genetic piece to it. They have that stress resistance.
Your sociopaths are a little bit of a messier group. Psychopaths actually are surprised that there are rules. They're like, “This doesn't make sense to me. That guy did me wrong. I killed him. What's the problem?” In fact, people are like, “Is this person insane?” The insanity defense doesn't work with psychopathy, just so you know, but they really don't get it.
Sociopaths know the rules. They know the rules, and they still break them. Sociopaths tend to be more combative. They're your bar fighters. They are the people who will get angry in a bar and beat someone up. They’re your very agitated guy in prison. They’re constantly punching and fighting. They're messy. They tend not to be calm, cool, collected, charming, and charismatic. They're just much more blustery.
Sociopaths know the rules. They know the rules, and they still break them. Sociopaths tend to be more combative. They're your bar fighters. They are the people who will get angry in a bar and beat someone up. They’re your very… Share on XSociopaths can be something that can also come out of a difficult back-story. They’ve had maybe more challenges they've had to overcome. They may have come from a place where there's a lot of community violence, or there's been trauma. That's not necessarily always the case with psychopathy. I hope that makes it.
There's a long-winded explanation, but there's a definite difference between the two. I'd say, at the end of the day, the narcissist is insecure, does feel anxiety, does feel remorse. A psychopath doesn't feel any of those things, much more cool, much more calculated.
Debby Montgomery Johnson
Debby Montgomery Johnson was a victim of an online dating scam. In episode 49, she shared how she was drawn in and what red flags you should watch out for. Let's just jump right into the story.
Can you tell us your story and how it unfolded?
Sure. It started 10 years ago. When my husband passed away suddenly, I was thrown into running his company. I would work my business or my job in the morning. I'd come home after going swimming. I’d swim every afternoon to try to get control of what was going on, because when Lou died, he died suddenly. I said, I was thrown into running his company. I didn't know everything I needed to know.
I spent a lot of time looking into my resources, his clients, the customers—everybody figuring out what to do. With that, I was really working 20 hours a day. I had very little time to grieve. I'm one of those fixated-type people. With the four kids, I make things run. I wanted to make sure that everything was working fine and I was fine.
I say that now, looking back, that I really wasn't fine. I pretended to be fine. I pretended to be self-sufficient. Everybody thought I was doing OK. Until some friends of mine, about six months after Lou died, said, “You need a life.” They didn't mean a working life, they wanted me to get out and about.
Lou’s company was an internet business, so I was able to do it from my house. I was really isolating myself once I left the school district. That's when my friends said, “Try online dating. It's safe. You can do it from your house.” I used to say I would stalk people. I wasn't really stalking, but I looked to see what I liked. I was 52 at the time, and I was looking for someone between 55 and 65.
My husband had been very smart, very well read, and very well written. The bar was pretty high. When I stepped into online dating, I went to a faith-based site. I put out a profile that was very transparent, very open. I talked about my family. I don’t think I talked about my business. I did say that I was a widow. I've learned a lot since this—what to put in a profile, what not to put in a profile.
I was contacted by a very good-looking young man. We're talking 55. He was from England. He was international. He was a businessman. He looked athletic. He wrote very well. He was a widow.
He had a son and a sister. His sister and son lived in England because he traveled. It was fun. I liked the way he wrote, and I liked what he was saying in his emails to me. That's how it started. It just started very carefully, cautiously on the faith-based site.
I'm kind of curious. In a lot of romance scams, the progression from, “Hi, it's nice to meet you,” to, “Oh, my gosh. I love you. Let’s get married,” sometimes seems to be in a matter of days. It sounds like that process was longer in your experience.
It did. What happens very quickly is they move you off of the dating site. The way he did that was to take me onto Yahoo! chat. I knew nothing about Yahoo! chat back then.
He was in Houston when we started this and then he had just got a job, a contract. He’s moving hardwood trees from Malaysia to India. A side note there is that the business he was in was in hardwood trees. I actually owned investment trees in Costa Rica. He didn't know that when the story started. As he was describing to me what he did, I googled the company, and all these things, I could kind of relate to what he was doing.
Because He was moving from Houston overseas, he said, “Let's go on the Yahoo! chat. I can get it anywhere.” It's very easy. It was like instant messaging. To me, it was amazing because I could hear that ding, ding, ding of Yahoo! chat in the middle of the night. I would jump out of bed and I'd come in. The way we communicate was mostly through writing. We can write for hours and it was fun.
We progressed. It did go relatively quickly. There was one time, I recall now, when I was thinking, “You're saying your feelings for me are really fast. It's coming very fast.” Of course, I've just lost my husband. I wasn't ready for someone to start telling me that they love me right off the bat. That was something I did notice—he jumped in a little bit quick.
That's when they start calling you my darling, my honey. I mean, all these words that they could really be talking to anybody. They don't have to remember your name when they say that. He was just saying the right things.
That's when they start calling you my darling, my honey. I mean, all these words that they could really be talking to anybody. They don't have to remember your name when they say that. He was just saying the right things. -Debby… Share on XWhen I got into this relationship, his name was Eric Cole. He listened to me. For two years, we wrote to each other. I’ve got 4000 pages of a journal that I chronicled this whole thing. Throughout that time, I would tell him about the kids. I'd tell him about how I feel, about how I got mad after Lou died because he left me alone. I could really express my feelings through this.
The blessing of this whole thing is that over those years, I felt that that hole that had not been listened to, and that was a blessing. Like I said, he was very good at listening and responding back. We had great dialogues in our emails. When he was supposed to get here for Christmas, that was almost a month and a half or two months into it. We had hotel rooms and all sorts of things for him and his family. When that got canceled, that was the first disappointment.
Again, because he was an international businessman and was doing business overseas, I understood some of the hangups that he had—the customs issues, the tariffs, and those things. Whenever I was asked to help him, it was more of a business proposition. It was always the promise that he would pay me back. With every disappointment, it was like, “OK, you're so far into it now. Just keep going. Keep going. Is this one last time?”
Whenever I was asked to help him, it was more of a business proposition. It was always the promise that he would pay me back. With every disappointment, it was like, “OK, you're so far into it now. Just keep going. Keep going. Is… Share on XAt some point, when you're sending money, you get to, “Oh, my gosh. I've sent him this much money. I can't stop now because then, I'll never get it back. Let's just do this one more time.”
At some point, when you're sending money, you get to, “Oh, my gosh. I've sent him this much money. I can't stop now because then, I'll never get it back. Let's just do this one more time.” -Debby Montgomery Johnson Share on XJane Lee
Jane Lee went undercover to learn about the new online dating scam known as pig butchering. In episode 136, she explains how pig butchering works and what to look out for.
Pig butchering, we've all heard and know of the old-school romance scams or Nigerian prince scams, where the end goal is to try to get someone to wire over some money. I describe, in layman's terms, pig butchering scam is romance scam on steroids because there is a crypto investment component to it, and the technological sophistication of the scammers.
In layman's terms, the pig butchering scam is romance scam on steroids because there is a crypto investment component to it, and the technological sophistication of the scammers. -Jane Lee Share on XBasically, the scammers bait their targets on largely dating apps, but on other platforms like WhatsApp. Actually, any platform with any messaging component, I would say, is at risk. But my investigative work was on dating apps. It quickly moves the target over to an encrypted messaging app. In my case, it was WhatsApp. Of course, that adds that extra layer of anonymity for them to avoid detection.
Actually, from the beginning, they always position themselves as successful business people. They have achieved financial freedom. They want to travel the world and retire by age 40.
Actually, from the beginning, they always position themselves as successful business people. They have achieved financial freedom. They want to travel the world and retire by age 40. -Jane Lee Share on XThey start by really romancing the target quickly. They use tactics like love bombing, which I don't know if anyone is into behavioral psychology, but love bombing is not a healthy thing, where you're just overwhelming the person, showering them with compliments, and things like that. It's not really genuine love. And then they move over to manipulating their targets.
They'll start talking about, “Hey, you should really start investing. Look how much I'm making with crypto. You're missing out. You could have made this money.” That's really to drive a sense of urgency to really try to get the individual to send over the money fast.
Actually, for some periods of time, the target may be able to withdraw the funds. It's actually tangible. They see, “Hey, I'm making huge returns in a very short period of time.” The money and the profit feel tangible. Ultimately, there's a tax or a fee or something to have to withdraw that money. At that point, I think most people quickly realize that they have been scammed or they get ghosted by the person that they're interacting with.
The term pig butchering, that is not, thankfully, coined by myself. That is actually what the scammers call it. Basically, pig butchering, they refer to their victims as pigs that they plumpen up, they fatten up for the ultimate slaughter.
Basically, pig butchering, they refer to their victims as pigs that they plumpen up, they fatten up for the ultimate slaughter. -Jane Lee Share on XThe scammers themselves, they're victims. They are referred to as the pigs, and they're plumpening them up with the compliments. It's completely morbid. Ultimately, they lead them to the slaughter, in which they drain them of all their funds and walk away with, in some cases, millions of dollars.
How did you get to be a target, so to speak?
It was first brought to my attention. I mentioned, at Sift, we do work with a number of dating apps or websites. It first surfaced in our network of dating apps. Once I started investigating, I, being the occasional dating app user myself, I quickly recognized that these accounts looked very familiar.
It was something that, as a dating app user, I couldn't quite put my finger on it, but I was noticing a lot of the same type of accounts. You see too much of the same thing online, there's a high chance that it's fraud-y.
It was something that, as a dating app user, I couldn't quite put my finger on it, but I was noticing a lot of the same type of accounts. You see too much of the same thing online, there's a high chance that it's fraud-y. -Jane Lee Share on XBeing the curious, I guess, person—I mentioned, I wanted to be a detective at one point—I really just wanted to know the inner workings of it. I rolled up my sleeves, and I downloaded every single major dating app available on the App Store. I even recruited one of my single girlfriends who was on the apps to help me out. That's how I set myself up as bait. It was very easy to, I guess, bait some scammers myself.
What were these similarities between the accounts that caught your attention?
At the time, there were a lot of objectively attractive-looking Asian men. They've since changed their MOs, which is why I say at the time. All their pictures looked extremely photoshopped. I even tried doing a reverse Google image search to see if they're using some stock images or some models that I didn't know about. That didn't yield anything.
I do believe that they were either creating these fake AI-generated profiles or they were stealing from existing people's social media accounts. I look like this with a lot of lighting, but your everyday person doesn't look like this—very curated. Their responses to some of the prompts that you're asked on dating apps were all very similar. Again, all talked about financial freedom. All talked about their dreams being to travel with their wife and family. They all looked and sounded the same.
Their responses to some of the prompts that you're asked on dating apps were all very similar. Again, all talked about financial freedom. All talked about their dreams being to travel with their wife and family. -Jane Lee Share on XThey had very generic job titles. Their job title will say entrepreneur at this location or CEO at this location. That was the, I would say, V1 of the MO. They have since diversified quite literally in terms of the types of images they're using. You now have CEOs from Germany, from all over the world.
I believe, because the answers to the prompts, they used to make no sense at all. They wouldn't answer the question even. It would be a completely unrelated answer. They have since changed that. What I think they're doing is they're either paying more attention to that as it's getting more exposed, or they've started copy and pasting from other existing profiles.
John McAfee
John McAfee worked hard to stay hidden while he was on the run from the US government. In episode 26, he shares the unexpected costs of privacy.
I'm curious, what precautions do you take when you go online because you're remaining in in incognito mode, so to speak? What do you do to keep yourself safe?
First and foremost, neither myself or my wife, Janice, have cell phones, at least. These are the universal spy devices. And if you have one—even if you buy a brand new one—if you call even three people that you called before, and if the government is looking for you, they're going to find you within five minutes. Plus, the smartphones are susceptible to spyware, which you can get by just cruising on Pornhub or something like that. So we have no phones.
Number two, we are in a Faraday cage where no signals can come in or leave. It's soundproof because it used to be made out of tin foil. If you go back about a year ago, you'll see that this room was all tin foil. It got very ugly. The light reflected, and we eventually soundproofed it, putting the soundproofing over. It’s a Faraday cage so that none of my electronic communications, like Wi-Fi or anything else, would get out of this room.
The next thing is we have to have, obviously, a serious virtual private network. Not something like a NordVPN, which you can download from Google for $80 a year. That's not going to protect you, people. You have to have some very serious VPN. Ours go through nine different countries, starting with Amsterdam, the Netherlands, going on to Vietnam, Russia, and Tierra del Fuego, believe it or not. It’s what makes your communications a little bit laggy sometimes.
Just the normal precautions of any security expert would recommend disinformation. We give as much disinformation as possible. We will visit a country for a day or two and take 35 photos and publish them on Twitter suggesting we're in Germany, the South of France, the West Coast of Spain, one's Portugal, or three times England, whatever, so that people are continually guessing. You have to be vigilant. It's hard work every day in order to remain hidden.
You have to be vigilant. It's hard work every day in order to remain hidden. -John McAfee Share on XYeah. One step or multiple steps well beyond what we would normally tell people of when you're on vacation, don’t post pictures of your vacation, because then everybody knows you're not home. You've got the reverse issue, where you're posting pictures all over the place at random times, so no one knows where you are.
Plus, obviously, we'll never post a photo of a place that we've been while we're still there. Always a few days after we've left, we then post the photos. Also, we do trivial things like bogus the date and time of all of our photos, even when we post them to Twitter. Because even though Twitter, for example, strips the EXIF information, that’s information, which is every photo.
Listen, the government can come in with a subpoena and say, “I want to look at those photos before they're stripped.” So we bogus them up with everything—location, time, and date. If it's clearly the Eiffel Tower, then it's got the location of the Eiffel Tower, and the approximate time for the sun angles and things. We can throw whatever date we want in there, and that's what we do.
I’ve been doing this my whole life. It's simple. Are you going to take 1000 people to find and locate me? And even then, I will find out that you're trying to locate me and getting close. I’ll simply—you know how easy it is for us to move somewhere?
Are there other aspects of privacy that people don't think about that you think about, or you think people should be thinking more about?
Friends—this is the biggest problem. No matter how careful you are, how smart you are, we all have friends. Sometimes those friends are not quite as aware of reality as we are. I hate to admit this, some. Unfortunately, we have to lie to our friends as well as the public. Why? Because you just don't know. “Oh, hey. John and Janice, they're in Belarus.” “They are?” “Was I not supposed to say that?” “No.” Do you understand?
This is what you don't realize—the severity of privacy, how hard it is these days. You cannot tell your family, your brother, your sister, your mother, your father, your children, and your best friend. The kid that grew up with you, went to jail with you, maybe. The guy who would help you bury a body, you can't be honest with them anymore about where you are or when you are. People don't understand this part. This is where people fuck that up because you can't tell anybody.
Scott Stratten
As a former salesman, Scott Stratten knows that people can see through sketchy sales techniques. In episode 101, he talked about the advantages of doing business with people you know, like, and trust.
We were just shooting the breeze, doing the thing you do, and his phone rings. He picked it up and it was a cold call. He just berates the person on the other line saying, “You're wasting my time. My time is valuable.” You know one of those things. We all feel this rage sometimes if we're interrupted.
Anyway, he hangs up the phone, and we both kind of talk back and forth of how ridiculous it is to be cold calling just random offices. At that time, this was in 2000-2002 or so. Then he's like, “OK, Scott. I’ve got to go. I've got to go do my calls for the day.” I'm like, “Jeff, what are you talking about? We just talked about how lame this was in that situation as a business development tool.” And he's like, “Yeah, but I sell something people need.”
This is his hypocritical kind of sales and marketing. I said, “Look, there's got to be a better way,” because all I was seeing was this buy or goodbye mentality in business. This kind of snapping necks, cashing checks, so you can go to the Catalina wine mixer at the end of the year for your sales incentive. It was just all about this and this alpha kind of thing, and stepping over people.
I am not a cheesy person, but I really believe that we don't have to take a ladder to success—one rung, one person. I think we can take an elevator to success together. I really think we can. I thought people do business with people they know, like, and trust. That's what I gathered in the previous 20 or so years of my life learning things. I was like, “Why aren't we doing that then?”
I really believe that we don't have to take a ladder to success—one rung, one person. I think we can take an elevator to success together. I really think we can. I thought people do business with people they know, like, and trust.… Share on XI set out to prove that you could build a business and businesses by building relationships and positioning yourself as an authority in front of your target markets, so when they have a need for your product or service, they choose you. That's burned into my brain, Chris. It sounded like a line that burned into my brain.
I set out to prove that you could build a business and businesses by building relationships and positioning yourself as an authority in front of your target markets, so when they have a need for your product or service, they choose… Share on XYou told me that there's a story behind the unmarketing.com domain name. What's the story behind that?
One of my favorite things about even talking to you right now—I don't get to tell a story a lot, but it's really important as a fellow geek. And especially the one who came up with your brilliant site, you'd really appreciate that. I went to get unmarketing.com, because it was going to be the name of the company. I came up with a name, because I thought it would look really good on a book cover, and I think it does.
I went and said, “OK, unmarketing.com.” This is back in 2000. I don't live with regrets, usually, but I wish I picked up a couple more domain names in ’95-’96 and just kind of sat on them for a while. I could have just registered cars.com and then retired.
I went to get unmarketing.com and it wasn't available. I'm like, “All right.” I registered at un-marketing.com. Then I also inquired about the person who had it because it was just an error page. We didn't have parked pages back then. It was just like, “This doesn't exist.”
It's broken.
Yeah, so I went into the registration information and found out who the contact was. Again, it's much easier back then. I just emailed the person. I said, “Hey, this is my company name I came up with, and I would love to buy the domain if you're not using it.” He wrote back and he's like, “Hey, well, I kind of had some plans for it.” You know one of those things.
Everybody has got plans.
Everybody has got plans. As a 100-plus domain owner myself, I got plans. But he says, “I could probably give it up for $1000.” I was just coming out of college. He might as well have said a million. I'm like, “Well, thanks anyway, and good luck with whatever you do with it.”
I went with un-marketing.com. As you can understand, right now as you're listening, anytime I was on the radio or Podcast, I would have to say, “un hyphen,” but not the word hyphen, a dash, but not D-A-S-H, like an actual line. It was such a pain.
Anyway, fast forward five years. It's Christmas time. It's a week before Christmas. I got an email from GoDaddy. It just says your domain has been transferred. I look and I've been given ownership of unmarketing.com. I'm like, “What is happening?”
I checked my email and there's an email from the guy who owned it afterward. He says, “Hey, Scott. I could have sold this domain recently for five figures. And I realized that the only reason this domain is worth anything is because of the brand you've built in the past five years on it. Merry Christmas.” He just handed me the domain.
It's like the Christmas story came on the TV and snow started falling. I'm like, “Santa’s real.” For me, during that five-year period, they're like, “Well, why don't you go and try to make a claim on it or something?” I'm like, “No. They registered. That's theirs.” I never trademarked UnMarketing. I don't plan on trademarking UnMarketing, because that becomes part of your job—enforcement.
It's hilarious when people would say, “Well, T-Mobile came out and they're the un-carrier.” They're like, “You should go.” I'm like, “I don't own Un. I don't own the two letters for it, but I've made a brand around it.”
That was just a testament to saying, “Look, that's how I do business, which is that's right.” You do a handshake, you do what's right, and it's all power to you. I was so floored that I was given it by him. It also gave me that indication that it's just the right thing to do. If I never got it, it's still the right thing to do
Jenny Radcliffe
Hacking isn't just for computers. Jenny Radcliffe's hacking specialty is hacking people. In episode 66, she shared how people can be manipulated, and your business or family can be compromised.
I'm a social engineer. What that means is no-tech hacking. Whereas a normal hacker, you might see in the popular culture of the movie. It's usually a male in a hoodie behind a computer. I'm not that. I'm a people hacker.
What I do is I use psychology, persuasion, influence, and manipulation techniques to get past people, to break security in order to fix that, and to amend it in case the real bad guys do those things. It's an education piece, but I don't really use technology. I do two things: physical infiltration, which is also known as breaking, entering, or burglary. But ethically, somehow, I either do it by the person I'm robbing and psychology. People hacker fits quite well because I work with people rather than the tech.
What I do is I use psychology, persuasion, influence, and manipulation techniques to get past people, to break security in order to fix that, and to amend it in case the real bad guys do those things. -Jenny Radcliffe Share on XI have a question about the physical breaking and entering. I recently heard a story of someone who was hired as a physical pen tester. They went into the wrong branch of the bank. Has that ever happened to you?
I've never broken into the wrong branch of the bank or the wrong building. There have been lots of mistakes. I've left identifying items behind in very serious situations. One time in Asia, I left a little torch behind the […] hotel I was staying in. When we realized that it's a gangster's house, I was being asked to break into, that probably was a bad thing to do.
We've certainly made lots of mistakes. I've locked myself in rooms and I had to climb out of windows. I was four floors in the middle to do that one. But I don't think I've ever broken into the wrong building entirely. I think that would be a new level of error for me.
I had jobs in the past where I didn't ask enough questions as to who the client was. Because I knew them a bit, I assumed that they were legitimate and were working on behalf of whoever's property I was getting into. In hindsight, I probably should've asked a few more questions. Maybe I wouldn't have ended up lying on the ground with armed guards looking for me, but you roll with the punches, Chris.
Jenny: The psychological stuff. Sometimes when I'm waiting for someone to take the bait, to click on a phishing link, particularly if it's a colleague, and I'm listening and we're waiting for him to give the last piece of information, that can be quite fun as well. I think the physical stuff is more theatrical and I suppose more dramatic.
I think your goal is to never have any evidence that you were ever there.
Ideally, you don't really want them to know you've done it. You want them to be astounded. I leave it at lock deposits, business cards, and things after. You have let yourself locked, necessarily. You want them to be astounded that you got in, because that does a good job of convincing them what they need to do with their security. Yeah, I do leave even if they would've never been in.
I guess if you're leaving trinkets behind, they open up the safe in the morning and the little octopus is in the safe. They're like, “Oh, my gosh. How did they get in? How did Jenny get in and do this?”
I talk early. Let's take a few photographs of themselves sitting in the CEO's chair and stuff. I just thought it was a bit egocentric. I thought instead of being me, there'll be evidence that we've been there. It used to always be business cards.
I've got thousands and thousands of photographs on a drive that's locked away and hidden where those cards are. I don't even remember where some of the markers are. It will be a picture of a desk, a pipe, a roof, or a coffee pot with business cards in it. That goes in the report.
I'd number them sometimes. It might have 25 business cards with numbers on and a number saying, “If you ever find this, call the number.” I still, at odd hours, get a ring and say, “I've been told to call this.” “That was from a pen test from 2007 and you found number 21.” “Hello, I found a business card number 21. I'm supposed to ring this number.” Like, what? Really?
That's got to be interesting. That person was probably not even there when the pen test happened.
I don't even remember which business it was or which test it was because we would put codes on it. I only started doing that latterly because of exactly that problem. People will say and go, “I found number 16. I've been told to ring and say I found number 16.” I'd be like, “That sounds really amateur to me.” He's going, “What company was that again because there are quite a lot of this? There are quite a lot of my business cards lying in offices all over Britain and the world, but particularly in the U.K. You could literally be anyone.”
I'm going to start looking for business cards when I travel just to see if I can find random things laying behind, or maybe I should leave them around.
I've denied bills. I've said it on your show and others. I’ve said it in public more than once that anyone could just be framing me.
That's a good answer.
I know.
Even the physical entry, there is a certain amount of social engineering involved in that as well. In one company I worked for, we were renting an office. The property management sent out a letter to all the tenants basically saying, “Watch out for people coming into your office carrying clipboards or briefcases.” They would walk into the office, head towards the conference room, not even talk to anybody, just with that air of authority of, “I'm supposed to go to that conference room.”
As they would walk by some woman's desk, they would just grab a purse and then walk out the other exit door. No one would even think to stop them, ask who they are, and what they're doing because they had that air of authority, of intentionality.
It's one of Cialdini's talks, six influences, strategies, and authority. The […] is less in clipboards. It's a cliche, but it works. It's working now with the Covid thing. I used a pen test a couple of weeks ago. I'm a Covid inspector, waiting there, and they all just waited.
Genuinely, we'd advise anyone here who's in charge of security, who's got anything to do with security who's listening to this. We're recording it just as a lot of countries in the West, at least, are starting to hopefully tentatively go back to something like an on-prem working model. Just know that people do not know which ways.
If someone says, “Covid, wait,” they will wait. “Write down your email on the pads for the Covid check,” and I just thought I'll try it. “Your password's underneath. Do it now, thank you. It's a pain, I know. I had to do it as well. Thanks for putting your password.” Stop. Because nobody knows what the rules are anymore these days.
One piece of advice is if someone tells you to keep something secret, it's conned. Tell your kids it's conned. Call and tell them straight away. That's conned. It's a password. Tell them straight away.
One piece of advice is if someone tells you to keep something secret, it's conned. Tell your kids it's conned. Call and tell them straight away. That's conned. -Jenny Radcliffe Share on XThat's almost the same thing we need to do with staff. We need to say, “If something feels wrong, you feel like you've done something wrong, and this one's coerced or cruelty, that's conned. Call and tell the security team straight away, and then the security team genuinely has to be sympathetic.”
If something feels wrong, you feel like you've done something wrong, and this one's coerced or cruelty, that's conned. Call and tell the security team straight away, and then the security team genuinely has to be sympathetic.… Share on XThat was one of my triggers in telling people. Even if you don't think you're being scammed by someone, as soon as they tell you not to talk to somebody or they start coaching you on what to say, that's huge.
The quicker you can do it, the best. It’s like romance scams. The minute that you get that nagging doubt, get it out there right away because it's like a bully. It's like, you give the bully your lunch money. They say, “Just give me your lunch money today and I promise you, I'll leave you alone.”
Then Tuesday comes and then again, they've got your lunch money, your bus fare, and everything else. You just have to kill it as soon as you identify it. It just has to be out in the open and it will end. What you get is the beginning of the end of whatever it is, however bad that is.
Brett Johnson
As a renowned cybercriminal, Brett Johnson helped define cybercrime as we know it. He now uses his experience to protect people from the kind of person he used to be. In episode 37, he shares his story of how cybercrime works.
You've been referred to as the original internet godfather. I see you're rolling your eyes already, but there's got to be a great story behind it. Can you tell your story?
Sure, sure. I guess the best way to start with that is, how did I get that title? That title comes from me being convicted of 39 felonies. I was placed on the United States' Most Wanted list. I escaped from prison.
What really got me the title? I built the first organized cybercrime community. It was called ShadowCrew. It was a precursor to today's darknet and dark net markets that laid the foundation for the way modern cybercrime or financial cybercrime channels still operate today. Of course, I went to prison. Rightfully so, if anyone ever needed a stint in prison, it's Brett Johnson. I'll tell you that one.
What was it that your organization was doing?
ShadowCrew, if you look at organized cybercrime, the way they were talking about credit card theft, phishing, account takeover, tax return identity theft, any number of things like that, before ShadowCrew, there were actually three sites. There's ShadowCrew, CarderPlanet, and Counterfeit Library. I ran both Counterfeit Library and ShadowCrew.
Before the advent of those sites, the third site, CarderPlanet, was run by Dmitri Golubov. He was a Ukrainian, and went by the screen name of Script. Now, he's a member of parliament. I know he's running for mayor in Odessa this year, so I don't know whether he'll get it or not. Who knows?
Before the advent of those three sites, if you were looking at engaging in any type of cybercrime, the only avenue you really had was an IRC chat session. You'd go there and you'd have a rolling chat board. You don't have any idea who you're talking to, if you could trust them, if they were a criminal, if they were a cop, if they had an item or a service for sale, if it worked, or if they were just trying to steal your money.
What Counterfeit Library and ShadowCrew did, they provided a trust mechanism that criminals could use. Now you have a large communication channel that's forum-type structure where someone at different time zones could reference conversations, days, weeks, months old.
You knew that by looking at someone's screen name, what the skill level of that person was, if you could trust that person, if you could learn from that person, or if you could network with that person. Because if you look at the necessities of cybercrime, there are three things that have to work in conjunction for cybercrime to be successful: gathering data, committing the crime, and then cashing out. All three things have to work together. If they don't, the crime fails, why even try?
If you look at the necessities of cybercrime, there are three things that have to work in conjunction for cybercrime to be successful: gathering data, committing the crime, and then cashing out. All three things have to work… Share on XThe problem with that is that one specific criminal cannot do all three things. He's good in one area, sometimes two, rarely all three. That's why, again, these forums, these marketplaces exist today, they allow that one specific criminal who is not good in one area to network with other criminals who are good in those areas. That's typically what we see time, and time, and time again. That's what Counterfeit Library did.
ShadowCrew made the front cover of Forbes, August of 2004. October 26, 2004, United States Secret Service arrests 33 people, six countries, six hours, and I am the only guy publicly at that point mentioned of getting away. They pick me up February 8, 2005 and they gave me a job—Secret Service did—and I am that idiot that continued to break the law from inside Secret Service offices for the next 10 months until they finally found out about it, At which point, I go on a cross-country crime spree, steal $600,000 in about four months, wake up one morning—the night before I'd stolen $160,000 out of ATMs—wake up the next morning, and signed on to cardersmarket.com, which was ran by a friend of mine named Max Butler. My name, US' Most Wanted Poseidon.
Me, being the idiot that I am, what do you do, Brett? You've just made the United States' Most Wanted list. Let's go to Disney World, and that's exactly what I did.
How did they catch you at Disney World? Did they catch you on camera or at the airport?
Triggerfish.
Triggerfish?
Triggerfish. Nowadays, it's called Stingray. Back then, it was called Triggerfish. Stingray is actually the next generation of the Triggerfish device.
For the audience, can you explain what a Stingray device is?
Sure, it is a device which spoofs a cellphone tower. It can actually locate your cell phone—maybe closer now—but back then, it could locate your cell phone within a seven-foot radius, and not only your cell phone but all the other cellphones in that area. They could do any number of things. The federal government likes to keep that so secret, they will dismiss charges against you if you start to try to bring it up in court. That's what happens.
An associate of mine, Daniel Rigmaiden, was arrested for tax return identity theft. I'm the guy that started that whole thing. Everyone's tax returns are delayed every single year, I am that son of a bitch that started that stuff. I taught Daniel Rigmaiden how to do it, set him up with the Secret Service so they could arrest him. He ended up spending, I think it was three or five years in a county jail, defended himself, and filed over 1000 FOIL requests.
My goodness.
One of the requests happened to mention something about a device spoofing cell phone towers. At that point, he was like, “I want to know about this.” The prosecutor comes in and says, “Hey. Just plead guilty. We’ll let you go by with time served.” He was looking at 20 years, ended up serving, I think, six or something like that, so not bad for him.
Dr. Deborah Vinall
Gaslighting is a term that many of us have heard, but not all of us know how to recognize. In episode 84, Dr. Deborah Vinall explains what it is and what to do when it happens to you.
Let's talk about gaslighting. What the heck is it?
Gaslighting is a targeted form of psychological control and manipulation. It often accompanies other abuses—sexual abuse, physical abuse, emotional abuse—and it's a way of gaining the upper hand and of gaining control by making you doubt your own self, your own memories, and your own perceptions. It involves pathological lying but with an added edge of really causing self-doubt, making you feel like you're crazy.
Gaslighting is a targeted form of psychological control and manipulation. It often accompanies other abuses—sexual abuse, physical abuse, emotional abuse—and it's a way of gaining the upper hand. -Dr. Deborah Vinall Share on XCan you provide an example of what a conversation or what an interaction might sound like?
A simple example would be maybe you did something. Maybe you just swept the floor right there with your partner at home, and then they start berating you for not having swept the floor. You know they saw you do it and you know you did it, but they just insist on this to the point where you think, “Am I confused? Did I do that yesterday? Am I losing my grip? Am I going crazy because they're just so sure of themselves?” A pattern of that over time can obviously really break a person down.
I can imagine. Is it mostly in interpersonal partner relationships or is this a thing that you even see with coworkers, bosses, and just random people out in the public?
You're going to see it anywhere, unfortunately—intimate partners, parent-child dynamics, politics, bosses, or friendships even. Anywhere where there's a pre-existing power imbalance or the person is trying to create one to gain the upper hand is where there's a ripe opportunity for gaslighting to happen.
Anywhere where there's a pre-existing power imbalance or the person is trying to create one to gain the upper hand is where there's a ripe opportunity for gaslighting to happen. -Dr. Deborah Vinall Share on XOne of those pandemic questions, do you see more of it as a result or more visible during the pandemic when people are maybe cooped up a little bit more together or have a little bit less impulse control that this thing comes out more?
I wouldn't say that gaslighting is a result of impulse control. It's actually very calculated. There are different kinds of gaslighting. I talked about it a bit in the book. The worst classic form is a real sadistic, narcissistic person who's carefully cultivating this reality that puts him or her in control.
Then, there can be a gaslighting that's more of a defensive posture of I just can't bear being wrong, so I'm going to change the narrative and protect myself. That could accompany impulsiveness for sure.
Is there more of a balance where one of those two is more common than the other?
It's definitely easier to recognize this more sadistic narcissistic type, and it's more clear-cut there. I suppose in some ways perhaps most people may gaslight at some point. One thing that was really interesting to me as I started getting feedback and reviews on the book is people saying, “Oh, I want to make sure I don't do that.” Or, “Yeah, I've done that sometimes.” I suppose perhaps we all do it at times, but it's really problematic when it becomes a pattern of behavior or an intentional choice.
Before we jump into how to deal with someone else who's exhibiting this behavior, you talked about people who are like, “Gosh, I want to make sure that I'm not doing it.” How do people stop themselves from the pattern?
I would say humility is really number one. You really see when somebody asks that question that they're not the typical gaslighter because they're not trying to gain the upper hand. When you have that humility and that desire to look inside, you're already 10 steps ahead of everybody else.
Already on the path to resolving it once you realize I might have an issue.
Yeah. Gaslighting is so much about, like I said, power and control dynamics, but if you are able to recognize the inherent worth of every other person around you, see that everybody is just as valuable as you are, and hold that truth as you interact with people, you're not going to gaslight because you're not choosing to manipulate somebody in order to gain the upper hand.
Some of the characteristics you might see is somebody who's very entitled, somebody who can never be wrong, and somebody who's often very charismatic and likes to tell stories about themselves, curating this reality of this persona… Share on XSome of the characteristics you might see is somebody who's very entitled, somebody who can never be wrong, and somebody who's often very charismatic and likes to tell stories about themselves, curating this reality of this persona they want others to accept. There tends to be a lot of self-focus in somebody who's a pattern gaslighter. You might notice the way they talk about other people, not just the way they interact with you.
If they're always putting people down, making comparisons, or nicknaming people, that's a real red flag to watch out for. And how they interact with you as somebody who undermines your achievements while elevating their own. These are all definitely red flags.
There tends to be a lot of self-focus in somebody who's a pattern gaslighter. You might notice the way they talk about other people, not just the way they interact with you. -Dr. Deborah Vinall Share on XChris Voss
As a former international kidnapping negotiator for the FBI, Chris Voss has plenty of experience with high-stakes negotiations. In episode 106, he shares his tips for the negotiations we face each and every day.
The good stories are really kind of a secondary benefit of the book. It's really actionable, easy to absorb advice. It makes a lot of sense. Some of the academic books that are out there are so cerebral that you're like, “All right, so this makes sense to me. I just don't know what to do with it.” We tell you specifically what to say, try it out, and find out what's going on.
My teaching experience really began, as an FBI hostage negotiator, we taught it to local law enforcement. That's the tough crap. They're not interested in academics, you figured out based on my multi-syllable jargon in philosophy.
I don't want people testing stuff in a negotiation circumstance. “Let's see if this works.”
Yeah, even if it does, teaching cops is like playing the Apollo—you better be good or you're going to get booed off the stage. They're very practical people. They have problems they have to deal with right now. With that approach to teaching, my son and I got the whole Black Swan method together and started rolling it out of business schools.
The students liked it because they had real problems they wanted help with right now. One of the biggest things about the book is it's really actionable and easy to learn. Some of the stuff is counterintuitive, which means it's going to scare you. Then getting out of your own way is one of the problems.
I wonder, are there situations where we are negotiating and we don't realize it? Just day-to-day life situations where we don't think of it as a negotiation but the other person might be.
Yeah. The most dangerous negotiation is one you don't know you're in. If the words, “I want” or “I need” are either coming across your lips, in your mind, if they're coming across the lips of the other person or in their mind, you're in a negotiation. I mean, you really are. The commodity that's always at stake in negotiations is time.
The most dangerous negotiation is one you don't know you're in. -Chris Voss Share on XPeople think, “Well, it's only a negotiation if I get dollars in mind.” Timing and really what people miss is implementation. One of my favorite examples is, are you in a negotiation with Starbucks? Black Swan team would say, yeah. Now, what makes us say this?
A couple of years ago, I met a guy who started this website global phenomenon called Secrets because I'm talking about hidden negotiations. He says, “Hey, I got something to tell you. The Secrets concept is send me your secrets anonymously. I'll share them with the world. Other people are struggling with the same thing you are. It’s going to help them to know that you're in the same boat. You’re not by yourself.”
He says, “I get a brand new, still-in-a-wrapper Starbucks coffee cup sent to me with a note that says, ‘I give decaf to people who are mean to me.’” That negotiation was about implementation. What you ask for and what you get are two different things depending upon how you ask for it. You're in a negotiation over the implementation.
Since I've shared that story, the number of waiters and waitresses have told me, “Yeah, I’ve got to tell you. Somebody comes to us for dinner and there are customers that are kind of rude. If they ask for decaf at the end of the night, we give them caffeinated coffee.” Implementation is everywhere. That's the negotiation.
Yeah, time's a commodity. If time is involved, which you have to do something, somebody else has to do something, even if it's a negotiation, there's a negotiation for your attention. As soon as you begin to become aware of that and then embrace it, it's like gravity. You can either embrace it or ignore it, but you're going to get pounded by gravity one way or the other.
The real cross is the threshold from sales to negotiations. I said this a million times before I finally heard what I was saying myself: sales is somebody is trying to get you to think I want, and as soon as you think that, you're in a negotiation. I want a cup of coffee. I want a new car. I want a Kindle, or whatever it is. You're in a negotiation.
I know with the sales process, they always talk about micro-commitments and little yeses to build up this chain of yeses that for somehow—
That's horrible, by the way.
I see salespeople do it to me and I'm like, oh, it just creeps me out when people do it. I'm not going to drop $20,000 on something just because I said yes 40 times.
Right, exactly.
Is there a comparative in negotiation or an opposite?
Yeah, one of the things that we discovered—and it's one of the craziest things that we stumbled over—but getting somebody to say no instead of yes completely changes the dynamic. -Chris Voss Share on XYeah, one of the things that we discovered—and it's one of the craziest things that we stumbled over—but getting somebody to say no instead of yes completely changes the dynamic. We'll say, instead of “do you agree,” we say, “do you disagree?” Instead of, “do you want to do this,” we say, “are you against it?” “Have you given up on it?” We changed literally every single yes question to a no question.
What happens when you do that, what's the advantage? People have been conditioned to feel that when they say no, they feel protected. Consequently, they're more able to evaluate options regardless. I might say, “Look, do you disagree?” And I'll say, “No, I don't disagree, but here are the following things that I need.”
Because they said no, they feel they can lay this stuff out for me and none of those things are micro-commitments. Now, if I say, “Do you agree?” and you say, “Yes, but here are the following things I want,” there's a feeling that every yes is a micro-commitment, and you get into this creeped-out feeling that you were talking about just now.
I ain't ready to commit. I have no problem telling you what I need to commit. But even if I say what I need, I want to reserve the option to still not commit. It becomes a much more open conversation when the other person doesn't feel like every yes has got a fish hook buried in it.
Steve Gibson
Steve Gibson has been working on computers since before the internet existed. In episode 108, he shares how the Internet was not designed with security in mind and what kind of online security we could hope for in the future.
When the internet happened, Microsoft looked around and thought, “Oh, crap. We don't have an answer for this.” They got a TCP/IP stack from somewhere and just slapped it into Windows and are like, “Oh, now we have the internet.” Yes, but you also had file and printer sharing and everybody had their drives connected to everybody else's.
What happened when the internet got added to Windows is that everyone's C Drive was not firewalled. It was on the public internet at strangers’ C Drives, which sounds insane to say it today, but this was 35 years ago. It was really what was happening.
What happened when the internet got added to Windows is that everyone's C Drive was not firewalled. It was on the public internet at strangers’ C Drives, which sounds insane to say it today, but this was 35 years ago. It was really… Share on XMicrosoft just rushed into this, getting Windows on the internet, and security—calling it an afterthought is sort of an understatement. That's where Shields Up came from. It occurred to me that I could create a website that people could go to. Just as I had innocently mapped someone's C Drive to my computer in horror, this thing could check their computer for its ports to see whether they were exposing their files and printers.
Of course, that was 105.5 million tests ago. Since I knew I was going to be talking today, I checked the count yesterday. That's a good number, because I do a list of IPs and don't double count even when people use it. It's sort of become a bit of a staple, sort of very much as WhatIsMyIP has become a staple on the internet. You and I have been at this for a while.
That got my foot into the security side, and I've been doing both ever since. Hard drive data recovery, keeping SpinRite current, although I've been a little negligent. And then internet security has been a real concern because it's obviously a big problem.
I was wondering because I was thinking about this, when the internet started, there was almost this implicit trust. We think spam was not a thing. If my mail server handed an email to your mail server, your mail server trusted that it really was coming from me and not some forged email address.
You're right. The way I would put it is it was a miracle that you could send an email to someone. What? This work? It was incredible.
As we know, the internet was never designed with any security. It was DARPA and then ARPANET. The idea that universities could actually send an email or create a group and correspond was a miracle. You knew all 10 people who were on the internet back then, so it wasn't like there were strangers who had any access at all.
The idea that universities could actually send an email or create a group and correspond was a miracle. You knew all 10 people who were on the internet back then, so it wasn't like there were strangers who had any access at all.… Share on XThe things that evolved from my thinking about this as much as I have is just how not designed for real people this was. The fact that our mothers have to type http://—what is wrong with this picture? This was not designed for people. This was designed for techies, and we've just foisted on the general public who are like, “Boy, these people are weird who invented this thing.”
That has been constantly like, “Gosh, that's not really secure. How do we solve that problem? How do we solve that security problem? How do we solve that security problem? Oh, that fix caused a new security problem.”
Right. It's classic security as an afterthought. It's like building a house and not considering that you should have door locks. It's like, “Oh, wait a minute.”
It's classic security as an afterthought. It's like building a house and not considering that you should have door locks. -Steve Gibson Share on XWere there even doors initially? Initially, there were no doors. It's funny because I think back just even with the change from HTTP to HTTPS, that was like, “Oh, well, that means it's secure. That means it's safe. That means you can trust that website.” Now it's like, well, it no longer means you can trust the website, just that your data is encrypted between here and there.
From one standpoint, it is the case that this stuff is complicated. Back 30 years ago, we were solving easy problems of security. The other big problem, of course, is cryptocurrency has created a way for bad guys to get paid without getting caught. As soon as you create a way for the bad guys to get paid without getting caught, then you give them an incentive to do bad things that are going to force people to pay them. We've created this new system.
The other big problem, of course, is cryptocurrency has created a way for bad guys to get paid without getting caught. -Steve Gibson Share on XTen years ago, there were viruses, but they were there because you could do them. Kids were screwing around to see how bad an infection could be, but they didn't really do anything. Now, we have malware, we have ransomware, and it's really become a problem. When you create a profit motive for bad guys, then they're able to leverage the fact that there are still weaknesses in security. Your point is things are way better today, but not perfect.
When you create a profit motive for bad guys, then they're able to leverage the fact that there are still weaknesses in security. -Steve Gibson Share on X
Leave a Reply