Hacking Humans – “Don’t Let Public Ports Bite.”
Podcast by N2K Networks (CyberWire)
Date: December 11, 2025
Hosts: Dave Bittner (B), Joe Kerrigan (C), Maria Varmazes (A)
Theme: Deception, influence, and social engineering in the world of cyber crime.
Episode Overview
This episode dives into the latest social engineering tactics, focusing on scams involving copyright enforcement, mass robocalls, and persistent cybersecurity “hack lore” that needs to be retired. The hosts share personal anecdotes, break down recent news, discuss regulatory enforcement actions, and bust some cybersecurity myths about public Wi-Fi and USB charging. As always, there’s humor, practical insight, and a look at how attackers leverage everyday human behaviors.
1. Chicken Coop Corner: A Lighthearted Start
[00:42–07:08]
- Joe takes the lead with a fan-favorite: stories about his chicken coop.
- Joe describes setting up an automatic chicken coop door with both a light sensor and a timer to keep chickens indoors after sunset, highlighting unexpected tech challenges (“Even with the sensor turned down to zero, that door was shutting with one or two or three chickens outside. So I’d go out like an hour after dark and there’d be chickens sitting on the perch going like, well, I guess we’re just going to sit outside tonight.” – C, 01:36).
- He recounts rescuing a chicken that got its foot tangled, 3D-printing a “chicken splint,” and making improvements to prevent future accidents (“By the time I printed it up, chicken was walking around fine.” – C, 03:49).
- The group swaps stories about predators, rodent deterrents (like peppermint oil), and “chicken coop snakes.”
- Memorable quote: “It’s a story of resilience and perseverance in the face of unbelievable adversity, namely having your head chopped off.” (B, 05:01), referencing the legend of a headless chicken.
2. Scam Story 1: The Font Licensing Phishing Caper
[07:44–18:35]
- Host: Dave Bittner
- Summary:
  - Dave shares a story about receiving copyright infringement threats over font licenses: a sophisticated but genuine pressure campaign from a major font licensor (Monotype), using tactics akin to social engineering scams.
  - Monotype blasted LinkedIn messages across an entire company, demanding urgent payment for alleged font license violations. The real “tell” was their reliance on file-name scans and pressure tactics rather than verified evidence.
  - The company’s internal typography nerd (Emil) checks everything and finds:
    - They use only open-source fonts or properly licensed ones (a credit card icon set and Proxima Nova purchased through legitimate channels).
    - The allegations stemmed from a file-naming coincidence, not an actual license violation.
  - After Emil presents receipts and evidence, Monotype shifts focus, asking him to explain why they have no license record, essentially pressuring him to prove a negative.
- Key Insights / Advice:
  - Legitimate companies can employ pressure tactics similar to phishing attempts.
  - Always verify such infringement threats and keep thorough records of licenses and purchases.
  - Automated enforcement (“spray and pray”) can cause unwarranted distress.
- Memorable Quotes:
  - “Monotype does not have a lot of patience. They start again, messaging people all across the company, LinkedIn style... They use automated scans, they don’t bother to verify anything, and they just shotgun everybody to put fear in them and just hope that they’re gonna get paid.” (B, 11:34)
  - “This wasn’t careful auditing. This was spray and pray.” (B, 15:29)
  - “Even though this was a legit inquiry... their methods leave a lot to be desired.” (B, 16:43)
3. Scam Story 2: Robocall Crackdown and Caller ID Spoofing
[18:35–30:37]
- Host: Joe Kerrigan
- Summary:
  - Focus on a massive robocall scam impersonating Walmart, in which consumers receive calls about a supposedly expensive purchase (“This is Emma from Walmart... authorize the $919.45 purchase of a PlayStation 5. Press 1 to speak with a representative if you want to cancel...” – C, 19:17).
  - If the user responds, scammers try to extract sensitive information.
- Key background:
  - The STIR/SHAKEN framework digitally signs caller ID information so that carriers can verify it, which is how it fights caller ID spoofing.
  - The FCC traced 97% of these scam calls (tracked by UMail) in a year to a single Montana telecom provider, SK Telco.
  - The FCC issued a cease-and-desist, threatening to revoke the provider’s communications certificate if the calls do not stop within two days.
  - The episode highlights both the effectiveness and the limitations of enforcement (“It’s always going to be... a game of Whack-a-mole.” – B, 29:11).
- Notable Quotes:
  - “It is unlawful to place calls to cell phones containing artificial or prerecorded voice messages absent of an emergency purpose or prior written consent.” (C, 24:12)
  - “These guys have probably sent out billions of calls.” (C, 24:29)
  - “The implementation of STIR/SHAKEN definitely made a difference and it cut down on this stuff and it made it easier for them to hold these folks accountable. But... it’s always going to be to a certain degree a game of Whack-a-mole.” (B, 29:13)
4. Scam Story 3 & Cybersecurity Mythbusting: “Stop Hacklore” Letter
[32:07–43:55]
- Host: Maria Varmazes
- Summary:
  - Fresh off international travel, Maria critiques recent headlines warning against using airport USB charging ports and public Wi-Fi, pointing out that this advice is now largely outdated for most users (“I just sat there on the plane going, I cannot believe we are still giving people this advice.” – A, 34:31).
  - Maria introduces the “Stop Hacklore” open letter, signed by leading cybersecurity practitioners, urging the retirement of persistent but no-longer-applicable internet safety tips.
- Myths to Retire:
  - Avoid public Wi-Fi (modern encryption makes mass compromise rare; VPNs add limited benefit for most users).
  - Never scan QR codes (the risk is overstated for everyday activities).
  - Never charge via public USB ports (“There are no verified cases of juice jacking in the wild affecting everyday users.” – A, 37:42).
  - Turn off Bluetooth/NFC (such attacks are very rare, especially on modern devices).
  - Regularly clear cookies (modern tracking works beyond cookies).
  - Regularly change passwords (this causes more harm than good; use strong, unique passwords instead).
- Actionable Recommendations:
  - Keep all devices and apps updated.
  - Enable multifactor authentication (MFA).
  - Use strong, unique passphrases/passwords.
  - Use a password manager.
  - “I really recommend reading this letter. I think it’s... I would love to send this to USA Today. Just please, please take a look at this, guys.” (A, 42:44)
- Insightful Banter:
  - Hosts reflect on the persistence of these myths despite advances in security standards.
  - Discussion of what constitutes a passphrase (A, 42:03).
5. Catch of the Day: Real-World Phishing Example
[44:20–48:08]
- Segment Lead: Joe Kerrigan
- Phishing Email Breakdown:
  - Purports to be from Microsoft, claiming the recipient’s email has been reported for sending spam or threats.
  - Threatens suspension in 7 business days unless a case manager is contacted via phone (artificial urgency, social engineering pressure).
  - The email shows telltale scam signs: random capitalization, minor grammar errors, and attempts to get the user to engage outside official channels.
  - Ironically, the email includes “do not share your password/security question/one time password with anyone, even your case manager” to appear legitimate.
- Quotes:
  - “So I mean, obviously, hey, we’re going to suspend your account in seven days. There’s the artificial time horizon.” (C, 46:37)
  - “Microsoft’s never going to reach out to you to provide support, nor are they going to reach out to you if... they want your about your email. They’re just going to shut your email down.” (C, 47:16)
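The tells Joe walks through (brand impersonation from an unrelated sender domain, an artificial deadline, a push to phone a “case manager”, random capitalization) can be turned into simple triage heuristics. The following is an added example, not code from the show or from N2K; the email text is constructed to mirror the one described, and the brand/domain allowlist is an illustrative assumption.

```python
import re

# Constructed sample (not the episode's actual email), mirroring its tells:
# Microsoft named in From:, unrelated sender domain, deadline, phone push, odd caps.
PHISH = """From: Microsoft Account Team <support@mail-verify-notice.example>
Subject: Your Email Has Been Reported

Dear User, your Mailbox was Reported for sending Spam or Threats.
We have assigned a case manager to your account. Your account will be
suspended in 7 business days unless you call your case manager at
+1-555-0100. Do not share your password with anyone, even your case manager.
"""

# Illustrative allowlist (assumption): brands and the domains they send from.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "outlook.com", "live.com")}

def sender_domain(raw):
    """Domain of the address on the From: header, or '' if none is found."""
    m = re.search(r"^from:.*?[\w.+-]+@([\w.-]+)", raw, re.M | re.I)
    return m.group(1).lower() if m else ""

def odd_capitalization(body, threshold=0.08):
    """True when too many mid-sentence words start with a capital letter."""
    toks = body.split()
    mid_caps = sum(1 for prev, cur in zip(toks, toks[1:])
                   if cur[:1].isupper() and not prev.endswith((".", "!", "?", ":")))
    return bool(toks) and mid_caps / len(toks) >= threshold

def analyze(raw):
    """Return the indicator flags and a score (number of flags raised)."""
    low = raw.lower()
    body = raw.split("\n\n", 1)[-1]          # text after the header block
    dom = sender_domain(raw)
    flags = {
        # Brand name present, but the sender domain is not one of its own.
        "brand_domain_mismatch": any(
            b in low and not any(dom == d or dom.endswith("." + d) for d in doms)
            for b, doms in BRAND_DOMAINS.items()),
        # Artificial time horizon such as "in 7 business days".
        "deadline": bool(re.search(
            r"\b(within|in)\s+\d+\s+(business\s+)?(days?|hours?)\b", low)),
        # Pushes the reader to phone someone instead of using official channels.
        "out_of_band_contact": bool(re.search(
            r"\b(call|phone)\b.*?(case manager|agent|representative|\+?\d[\d\s().-]{7,})",
            low, re.S)),
        "odd_capitalization": odd_capitalization(body),
    }
    return {"flags": flags, "score": sum(flags.values())}
```

A score of two or more is a reasonable trigger for a human look; none of these heuristics is proof on its own, and a legitimate notice from a verified sender domain would only trip the deadline check.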
Key Insights & Takeaways
- Verify before responding: Even urgent, official-looking threats about copyright or account violations may be baseless or even scams—always check directly with the supposed source.
- Social engineering is increasingly sophisticated: Scams now mimic legitimate business pressure and bureaucracy, making vigilance essential even for seasoned professionals.
- Myths linger in public cyber advice: Outdated “hack lore” (e.g., don’t use public Wi-Fi) can clutter public understanding—core safety lies in updates, long/unique passwords, MFA, and password managers.
- Enforcement helps, but spammers adapt: The FCC’s crackdown on a major robocaller illustrates progress—and limits—in the ongoing fight against phone scams.
- Real phishing often blends the plausible with the absurd: Look out for urgency, demands to communicate outside normal channels, and odd formatting.
Timestamps of Important Segments
- Chicken Coop Corner: [00:42–07:08]
- Font Licensing Phishing Caper: [07:44–18:35]
- Robocall Crackdown: [18:35–30:37]
- USB and Public Wi-Fi Myths (“Stop Hacklore”): [32:07–43:55]
- Catch of the Day – Phishing Example: [44:20–48:08]
Notable Quotes
- “This wasn’t careful auditing. This was spray and pray.” (B, 15:29)
- “We have assigned a case manager to your account to supervise you through the transitional process...” (Phishing Email, 45:58)
- “It’s always going to be to a certain degree a game of Whack a mole.” (B, 29:11)
- “There are no verified cases of juice jacking in the wild affecting everyday users.” (A, 37:42)
Tone & Language
The hosts maintain their signature balance of technical insight, skepticism, and humor. They debunk persistent myths with directness and warmth. Playful banter keeps the show engaging while underscoring the real-world implications and risks of everyday digital life.
If you haven’t listened:
This episode provides an accessible mix of contemporary scam stories, practical advice for non-technical users, myth-busting straight from cybersecurity’s best, and a healthy dose of humor.
