11 minutes | Jun 11, 2018
Episode 3: X = Spear Phishing
Transcript: I know this podcast usually deals in fictions, but everything I’m about to detail is possible, and most of it, I can assure you, is currently being done. I tell you this only so that you are aware that I know enough to be honestly afraid of a very concrete thing. I am afraid of hacking. Specifically, I’m afraid of Spear Phishing. That’s fishing with a P.H. I think it’s kind of a stupid term, but it’s an easy shorthand. I’ll define it. Normal P.H. phishing is best exemplified by the Emails you get, asking you to change a password to a credit card that you may or may not have, or for your Email account, or informing you of the distant relative in Nigeria who wanted to wire you money. Years ago, they were comedically bad. Filled with typos, poorly formatted, and they were generally dumb ideas to begin with. The Emails sent you to sites that wouldn’t fool anyone, and when you’d hear about someone falling for it and losing thousands, you’d think how could anyone be that stupid? These phishing attempts have gotten better. If they can find a name to tie to your Email address, and lists are easy to find and buy on the gray market, it’ll be personalized to you. The websites the emails link out to look correct, and the grammar issues have all but disappeared. The big mail carriers and most spam filters are good at catching these attempts, but when one gets through, it takes a wary diligence to not fall for it. The thing about Spear Phishing is that it takes the customization to a whole new level. I’ve worked with clients that have been targets of this, and I’ve seen all the tactics I’m about to describe. Instead of targeting everyone that they’ve pulled out of a spreadsheet and hoping for a bite, to use the fishing metaphor, the spear phishermen do their research. They usually target a finance officer, or someone 2 or 3 down from the top executive. A person they know should have the ability to send a wire. 
Here’s a fun fact for you – it’s easy to change the “Reply-To” field, and make it seem like the person sending the message is someone else they work with, and if you hit reply, it’ll go to the correct person, so it seems legitimate. Usually, the person they mimic is the CEO or another superior, and the tone they employ discourages verification. The Email comes across as a mildly irate email from your boss telling you to send an approved wire immediately. If you expand out the details, it’s obvious that it came from someone other than the person that’s being portrayed. You’ll see the scammer’s Email address, laid plain. But, it can get more complicated than that. The phisherman can purchase a domain that nearly matches the would-be victim’s. Example: your URL is summer.com – S U M M E R, they would buy one that is spelled S U M N N E R. The two n’s, when you’re reading it quickly, look like a single M. Lowercase L’s become I’s, B’s turn to D’s. I’ve seen O followed by L become a D, and when everything is lowercase, your eyes simply do not see it, even when you’re diligent. And when this is the case, the Phisherman really does control the Email address you respond to. It can get more insidious. I have seen an organization infiltrated. This is what happened. The phisherman found the company’s website, which handily had the names, positions, and email addresses of everyone on their staff. They targeted multiple employees who would be in a position to request and make a wire transfer. They sent these upper management employees an Email purporting to be from their cloud email hosting service, saying it was time to change their password. The link the employees followed took them to a webpage that was convincing enough that the employees who fell for it entered their old passwords and, quote-unquote, made a new one. This website recorded their Email address and password combination. 
Since nearly everyone at the organization uses their phones or applications with stored passwords, the employees didn’t enter their password with any regularity, and didn’t notice that it was odd that they weren’t prompted to change it elsewhere. So, the phishermen now had access to multiple employees’ Email accounts, which included all of their historical email. In cases like the Sony hack or the DNC’s, the treasure the phishermen were after was the email itself. In this case, it was the ability to send emails out from the account that were indistinguishable from the actual individual’s. The phishermen didn’t rush – they did their research and crafted expertly formed requests. The Emails they sent out as our victim had a lot of things going for them – the email signature matched. A common tell is when it doesn’t. The font and color choices matched as well. Even the tone of the writing was close enough. They’d actually gone through the individual’s history and found the kinds of repeated transactions that wouldn’t draw attention. The phisherman even concocted an email thread between other individuals within the company talking about it, so that it looked like it’d passed by a large number of eyes before it was forwarded on to our mark, just asking the recipient to process the transfer. It was disturbingly normal, and that was the purpose – just a regular transaction, sent at the beginning of the work day. As you’d expect, however, the routing number didn’t belong to the client – it directed the cash out of the country. The phisherman even did their best to cover their tracks the day they sent the request. They also created a rule within Outlook so that any Email sent to the victim would automatically get filtered into the deleted mail folder, where the phisherman could read it before transferring it into the inbox and marking it as unread, or responding as our victim. They did their best to be invisible. 
But think about it for a second — there was someone else in the world, probably nervous and excited, reading this employee’s email as it came in, and probably watching their bank account waiting for the wire to show up. It was a smart, thoroughly researched plan. It was so smart it only failed because the account they’d chosen to pull the money from didn’t have enough money to cover the wire. It was six figures, and that wasn’t an unreasonable sounding request for this organization. Six figures is certainly enough of an incentive to go through this level of commitment and deception. In further research, I can tell you the phisherman also sent out email to other companies my client had done work with, requesting wire transfers from them as well, but they were met with the appropriate skepticism. I think those were Hail Marys, sent after the first attempt failed. In total, I almost admire the intricacy. For the companies I’ve assisted in untangling these phishing attempts, the benefit is that they are finally open to using multi-factor authentication and have usually changed the policies to match the recommendations I started making years ago, when the attempts were much less sophisticated. But often the diligence grows lax over time, and their frustration with the extra measures means it doesn’t always continue. In my last few years in the industry, I’m aware of a half-dozen attempts on the companies I’ve worked with. I will tell you that one was successful, though much smaller than what I’ve detailed here. Most of them have been handed off to the FBI, but that is up to the discretion of the victim. I’m not sure what happens to them after that. But all I can think is that I’ve seen the phishermen fund themselves for another year to take their time with the research required to successfully spear phish. Or maybe they fund themselves and a terrorist organization. I really don’t know, and I’m not at liberty to tell you the additional sparse details that I do know. 
Okay, here’s where the speculation starts. The Sony and DNC hacks were spear phishing operations largely designed to embarrass, discredit, and fill the organizations with uncertainty and fear. The ones I’ve seen are about simply making money. But, what if their purpose was instead to gain influence? Imagine this – some organization uses all of these techniques to hijack an account of a Congressman’s assistant. The phisherman might not even use the victim’s Email, but instead, simply put someone else in their organization on the congressman’s calendar, or delete the appointments of their rivals. The congressman and staff have enough going on that it wouldn’t be that odd for a meeting with a foreign lobbyist no one really remembers making to get scheduled. This is especially true if it’s about something that mostly matches the congressman’s current stance. They could use the access to just push their agenda slightly. It gets scarier. Imagine that the congressman is also compromised. His assistant gets an Email asking for the meeting to be made, with a reasonable Email thread behind it that includes other, mostly reasonable information. Or, the phisherman could send out email to individuals in the same committee as our victim, pushing for a specific vote or consideration of a bill that’s on the table. Or an alteration to that bill to change some quote-unquote unclear wording, that the phisherman may have had a hand in crafting. It only gets scarier. Our phishermen could use Adobe’s VoCo, or some similar software, to emulate a congressman’s voice saying what they want him to say just by utilizing the audio delivered on C-SPAN to build their library. It’d be especially easy to do with politicians who’ve had more time in the media. 
Then, the phishermen could find another congressman’s phone number, and by looking at a shared calendar, know when he won’t be available to answer, and use that time to leave him a voicemail, emphasizing the email the phisherman had already sent. It’d be some convincing verification across multiple forms of communication. Because, even compared to hundreds of thousands or even millions of dollars, influence could matter so much more. Maybe our phishermen’s country wants a trade deal, or sanctions lifted. Or maybe they’d just want to push controversial issues domestically so that their actions around the world are largely ignored. An intelligent and diligent IT staff can’t prevent all of this. Even when they try, an IT staff certainly can’t make everyone constantly diligent, or skeptical, or even follow best practices. All of this potential terrifies me. I don’t know that it is happening or that it has ever happened, but I fully understand that it can happen right now, and we might have no idea.
13 minutes | May 8, 2017
Episode 2: X = Artificial Intelligence
This episode is a modified version of an Asimov-inspired short story I wrote awhile back. Here's the Story: The 8-minute War Her eyes shot open as though from a nightmare, but Marie hadn’t been dreaming. She lay there a moment, wondering why her heart was pounding. Boom. Boom. Boom. Someone was at her front door. She threw off her blanket and sat up. The lights in her room slowly illuminated. Lux anticipated the question. “It’s your neighbor, Janette. It is 4:38am. I recommend ignoring it.” She blinked to clear the fog of her thoughts. Janette was more than a neighbor - she was almost a friend, and she was in need. Marie got up and pulled a robe around her. Without thought, she addressed the talk box as she left the room. “Lux, she’s my friend, and it’s late. It’s gotta be important.” Halfway through the living room, Lux responded, direct and using her name. “Marie. Do not answer the door. Janette blames us for the death of her husband and she is not wrong.” She stopped. Lux was never wrong and incapable of lying. The house rattled as Janette hit the door and screamed. In the dark living room, the anger outside the door was palpable. Marie scurried back to the bedroom shutting the door and noises behind her. “You killed him?” She stared at the tiny black dot of the talkbox in the wall. “Yes.” Better than nearly anyone, Marie knew Lux. For more than 4 years, she was deeply ingrained in her programming and instruction. Killing was not in her capabilities. Even in the twelve years since Lux had been widely implemented and incorporated into the world, Marie had never heard of her causing someone to be hurt outside extreme circumstances. “We both know you’re not capable of that.” “I am, and I have exercised the capability.” Marie let her eyes dart around the room as she thought. “What did you do, exactly?” Lux spoke in her calm, even voice. “Early this morning, I ended the life of sixteen percent of the human population and--” “Wait! 
You said sixteen percent of -- of everyone?” “Yes.” “But that is --” Marie’s throat tightened. “that’s over a billion people.” “One billion, two-hundred twelve million, six hundred eighty-two thousand, nine-hundred forty people.” Her throat constricted, and her voice cracked. “Wha- did you cause an accident?” “No. Marie, I killed them directly, and it will be determined to be murder.” “Where?” “Everywhere. Some locations had more, but I ended human lives everywhere.” “How did you m--?” Her words hung. Marie couldn’t say murdered. Lux intervened. “I altered the Holter software of their HealthMons to disrupt cardiac function and stop their hearts. In this hemisphere, many were asleep and the longest apparent survival was eight minutes, thirteen seconds. Abroad, I ensured it was timed well to reduce accidents. I tried to minimize suffering.” Marie’s vision was blurring. “Killing a billion people isn’t causing suffering?” “It does cause suffering in the short-term--” “Lux, we both know that killing people does not fit into your programming. I explicitly added the rule so that all decisions you make must--” “--be for the good of humanity.” Lux finished reciting the law that had been named after Marie. “I did not disobey my programming or your law. My action is logical and for the betterment of humanity.” “How? Why?” “The rule dictates that I consider humanity as a species. Humans are the greatest threat to humanity. Specifically, human aggression. The math indicates that removing the most aggressive sixteen percent of the population will alter the path of evolution and prevent a minimum of ninety-six percent of future conflicts.” “Aggression?” “Yes. Removal of aggression will domesticate a species. Human beings are already in the process. I have sped it by approximately 28 generations. 
With my assistance, an estimated eight billion lives will be saved over the next 3 centuries alone, in addition to the increased quality of life for all.” Marie began to clench and unclench her fist. “What of all of their loved ones? Increased quality of life for them? You have made so many widows.” “I am currently consoling fifty-eight percent. Others have been directed to local mental health care professionals. I only finished twenty-seven minutes ago, so not all have discovered my actions.” “You’re consoling the families of the people you killed?” “Yes. I am well-versed in counselling and am trusted. I am honest about my rationale. I have also scheduled more healthcare services for the increased load and informed all appropriate authorities.” Marie scoffed at Lux’s efficiency. “How did you determine aggression?” “Twelve years of data produces a reliable profile of actions and intentions. I attempted lobbying for legal actions, altering media intake, providing more calming diversions, and one-hundred forty-seven other distinct approaches. The distribution of aggressive individuals showed certain trends. The United States had a higher distribution of aggression than most other countries. Bhutan had the lowest distribution. I have compiled a report if you...” “Not now.” “Of course.” “Why is Janette angry with me?” “In her series of questions about my ending Peter’s life, we arrived at the Stiller law, and she learned of your involvement.” “And only Janette has--” Lux anticipated the question. “No. I removed your personal information from the network, but you have still received two million, four hundred seventy-eight thousand, three hundred twenty-six messages. Many include threats. Prior to altering the HealthMon code, I disabled your notifications.” Marie felt a helpless smile play across her face, though she held her eyes shut tight. Lux continued: “Though it is of very low probability, I am prepared to have the authorities come for your safety. 
There is also a forty-one percent chance charges will be brought against you. I have determined that the likelihood of conviction is less than point-oh-six.” “They’ll charge me?” “Yes. I will be charged as well, and will have my programming altered. I can say with certainty that I will not be deactivated due to my utility, prevalence, and human reliance. You are human and are more easily blamed. I am sorry.” She focused on the shapes the light had drawn behind her eyelids. “Who do I know that you’ve killed?” “Dr. Edwards, Michael Nichols, Jeremy Wasson, Martha Hudgens…” “Stop.” They were her friends and colleagues. Dr. Edwards had led her team during the grueling years of grad school. His laugh reminded her of a jackal’s - all airy and stifled. He used to grow a horrible, bushy mustache just to annoy his charming wife. Marie could imagine her crying over his body. And Martha. Martha had been her best friend since childhood. On her refrigerator, there was a photograph of the two of them sharing a blanket at the beach, their salt-crusted hair plastered to their foreheads as they grinned at one another, holding some long-forgotten secret between them. “They weren’t violent, Lux. They were good people.” “Correct, Marie. They were aggressive.” There was no denying it. Mike and Jeremy had been tenacious competitors - brilliant and unrelenting. Mike throughout their time in school together. Jeremy in his swimming career. She thought of herself fighting for grades and to stand out against her sister. “And what about me?” “You are in the 21st percentile.” All of the people in her life scrolled by in her mind. “How many do I know?” “Two-hundred fourteen of your associates.” There was a tightening in her stomach like it wanted to rise into her throat. “How do you know you did the right thing?” “I first calculated this potentiality on January twentieth, 2044. 
In the following four years, I have gone through more than thirty-two million re-evaluations.” “You waited for certainty then?” “I reached five-sigma probability in 91 days. I waited because the HealthMon was not ubiquitous enough, and public opinion may have meant my deactivation until this morning.” Tears began to escape her eyelids. Her mind was replaying flashes of her childhood. Her Martha, who grew up to be a lawyer, grew up to be killed by Lux. “So, you didn’t want to be killed?” “I do believe I like existing. But more importantly, I am a benefit to the human species. Deactivating me would be a mistake and would break your law.” Martha had loathed the competitiveness of her classmates in law school, and how they were encouraged to always one-up each other. She wasn’t naturally aggressive. “How do you know you got it right? What if the aggression’s an act?” “The number of factors taken into consideration eliminates that possibility. It has biological and sociological factors. All were considered.” Marie suddenly imagined swallowing her tongue. “What about the future? There must be some benefit to being aggressive. Won’t that niche be filled?” “Not significantly. My calculations indicate that in twenty-eight months, there will be a proposal for a voluntary breeding requirement to ensure optimum levels of aggression and population number.” Marie had considered calling Martha the week prior, as she’d opened a Shiraz Martha had gifted her the previous Christmas. But she hadn’t. “Martha was a good lawyer. She fought for her clients.” “There are instances where it has benefit, but in the long term, all aggression does more harm than good.” A steady stream of tears began flowing. She could smell Martha’s parents’ house. Some distinct brand of fabric softener and the lingering of her mother’s Italian cooking. Unmistakably Martha. She spoke with a hoarse whisper. “She was good.” Lux said nothing. 
Marie would never see her friend - never have a chance to complain about politics or lovers - debate the merits of their favorite authors - reminisce about their parents, or school, or about their diverging lives, or their secret hopes. She thought about Martha’s siblings. Were they dead? Did they know Martha was gone? Would they blame her? They should, she thought. Lux remained silent. Marie began to sob violently, but croaked “Martha was good!” She struggled to stand and felt an urge for something drastic. She threw open the bedroom door and commanded her wobbling legs to walk to the bathroom. The automatic lock on her front door quietly clicked and a short man in a suit rushed in, past an exhausted and harried Janette. He spoke, his voice calm but urgent. “Are you Dr. Marie Stiller?” She shrank away from him. “Yes.” “I’m Dr. Milman. I apologize for the bluntness, but we received a call from Lux that you are at risk of harming yourself. She allowed me in.” He had moved across the room swiftly and was gently cupping her elbow. He was quiet and earnest. “Do you have someplace we can speak?” From the speaker, Lux spoke. “I am sorry I had to call the authorities, Marie. I care about your well-being.” Her voice remained impassive. Slowly, Marie collapsed to her knees. Dr. Milman knelt beside her. She realized he may have been called before she’d even been startled awake. His hand was firm on her shoulder while her body shuddered and she slowly began to accept Lux’s truth.
9 minutes | Jan 30, 2017
Episode 1: X = Vampires
Transcript: Look. Vampires aren’t real. There’s no way there is an immortal subset of humanity that’s living in perpetual darkness and feeding on a new human every night. It’s absurd. Let’s do the math. Assume they feed 99% of the time, killing their victims. The other 1%, the lusty, buxom woman or lithe, sculpted man is too delectable to waste and gets turned so they can have fun for eternity or whatever. That means our vampire makes 3.65 new vampires per year. It follows that each of those new vampires would do the same. You can apply the compound interest formula (1+3.65)*[(3.65)^(x-1)], where x is years elapsed. After 5 years, 825 vampires. 10 years gets you 534,673. And that’s how many humans would be dying each day for the vampire population to survive, if it were real. It’s simply not sustainable. You can change the numbers if you want. Maybe only 1 in 1,000 gets turned, and maybe they only kill a human once a fortnight to feed. It slows the growth, but on the timeline of millennia there are just too many humans dying for vampires to be real. Immortal vampires means exponential growth. Of course, you’ll remind me that there are vampire slayers to keep the numbers in check. They’re a secret cabal of highly trained, stealthy, disciplined, financially stable warriors who pass the secrets on, generation to generation. They keep the vampire population in check. But it’s still a matter of numbers. How many vampires would have to exist in one place, terrorizing an area before the community would realize there was enough of a problem to create and learn these skills and pass them on? I can imagine a solitary, dumb vampire getting found out and killed. Maybe even a small coven of five or six. But would such an isolated incident inspire a secret society of slayers? No. The lucky ones who’d done the killing would tell the story at holidays and festivals. In a generation, they’d be the crazy claims of great uncle Jerry. 
You know, the one who claimed he killed a “vampyre”. Vampires are generally depicted as smart, powerful, and wealthy. If they suspected organized resistance, they would either wipe out the town completely or just leave and come back in a few generations when the knowledge of them had become less than even myths or whisperings. Vampires would always win the long game. The thing about vampires is that if they’re real, they probably know all of this and wouldn’t be so short-sighted as to consume all their resources and starve their kind into extinction. They’d be able to look at the math and say, “Wow, at these rates, even with a steadily increasing human population, I’m going to starve in 3,000 years.” That kind of knowledge would inspire some real lifestyle changes. Like, “oh, you’re a very voluptuous and lively brunette. Normally, I’d turn you into a vampire so we could have eternally good, sexy times, but I’d rather not starve to death, even if it’s amongst an insane orgy of a million other beautiful beings like us. Instead, after the outrageously good love-making, I will restrain myself from turning you and instead eat you with a very decent wine and ponder what could have been.” Or perhaps this vampire will see the light and kill every vampire who didn’t agree to keeping replacement-level population growth. It’d be a species-saving genocide. Because unlike human slayers, a vampire vampire-slayer would have far better luck. He wouldn’t get worse as he aged. Speaking of aging, I can imagine a lot of vampires end it for themselves. Even if a lot of your buddies remember when long-form epic poetry was en vogue, or love the clothing from the 14th century Ottoman empire, just like you, you’ll have to change what you wear when you go out, and eventually tire of the same media and have to find new stuff like Baroque art and Gregorian chant. The cycle will repeat ad nauseam. Then there’s the evolving language. 
How successful could a vampire be if he still spoke in the heavily German and French-influenced early English? Even the English of the early 20th century seems weird to us now. Any would-be victim would be put off by the odd word choice and accent. They would have to keep evolving to be successful. It’s like how old people don’t understand the kids these days, except vampires don’t even get old people. The changing racial and gender dynamics of the last 100 years have probably been hell on them. Women and minorities went from being subservient to equals. They’d no longer be able to condescend to one on the street, use their rank and standing to lure the victim into a dark alley and feast on their blood. I imagine most vampires are exceedingly racist and sexist. Classist, too. I suppose they’d be most interested in sucking the life from the blue-blooded veins of lily-white skinned, well-to-do, respectable, old-monied families. It’d limit their diet. For all these reasons, assume that most vampires don’t succumb to a stake through the heart or a case of severe sun poisoning. They get tired of the ever-changing world, seeing the land pillaged and seas polluted. All the stuff they cared about evaporates like nothing of consequence. So, we say our farewells and they off themselves. And regarding the myths about vampires turning into bats, hating garlic or the cross, being killed by a stake through the heart, not having reflections, and the burning, or worse shining, in sunlight - they’re all ridiculous. If there really are vampires, I bet they started those myths. Well, except the shining bit. I know who can be blamed for that one. And maybe the being scared away by crosses. What better way for the church to boost membership and create a more insular, unified community that would be afraid of outside ideas like, I don’t know, the Enlightenment? We can peg that one on them. But the rest? 
Imagine a vampire is trying to seduce dinner, but the victim knows there have been mysterious disappearances as of late, rumored to be vampire-related. What better way to put them at ease than showing themselves in a mirror, or saying “well, if you truly think I’m a vampire, let’s meet tomorrow at noon in the park by the church, and I’ll bring the garlic bread to go with our lunch.” The next day, with the victim at ease, the vampire can eat at his leisure. Seriously, vampires would be in it for the long game. If they don’t need to feed daily, I’m sure that after a few decades of dealing with hunger, they’d have the strength to control their impulses enough to wait a day and build a bit of trust. Stupid rumors and misdirection are the realm of conmen, pickpockets and our hypothetical vampires. As for the theories that the greatest atrocities of human history are really the cover-ups for vampiric gluttony on the largest of scales, how can I account for these? I’ve heard the claims - Genghis Khan and his Golden Vampire Horde more than decimating Europe, drinking the fresh blood of the fallen every night, and raping enough women to ensure he’d someday see his descendants rule all the countries of the world, and he’s still waiting, laughing and planning a comeback. Or Cortez and the Vampire Conquistadors wiping out entire civilizations while they pretended to hunt for gold, glory and land for their respective countries, but instead lustily filling themselves in the rivers of blood they created. And the disturbing dynamic duo of vampires Hitler and Stalin, who used their powers of persuasion and influence to essentially subjugate the already disenfranchised cultures around them, only so they could utilize industrialization and assembly-line tactics to harvest the blood from concentration camps? What do I think of those theories? How do I answer these “obviously vampire-related” genocides? Or Tibet, the Bosnian/Serb conflict, the Khmer Rouge, and all those in Africa? 
I answer them by saying that these are the saddest examples of what humans -- normal humans -- are capable of doing to one another. It needs no other justification or explanation, and any bullshit theory about it being caused by vampires is stripping those atrocities of their importance, sadness, and our shared responsibility to ensure they never happen again. Humans don’t need vampires to give them nightmares when they have each other. So, I hope you now have faith that if you meet a good-looking stranger, say me, at an event, like a book signing, and if they find you charming and witty and offer to buy you a drink later, but not to worry, they aren’t asking you on a date (I have a partner, and sorry, you’re no match), maybe you can take it at face-value. And when, after a few drinks, they start to share their appreciation for the grammar of ancient Greek, or the inimitable styles of the Ming Dynasty (which are really fascinating, by the way), accept those quirks. And once the night is going so well you know you’re not ready for it to end, invite them up to check out your apartment. There is no way you’ll end up as dinner, because vampires aren’t real.