A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague, Maria Varmazis. Maria.
A
Hi, Dave. And Hi, Joe.
B
We've got some good stories to share this week, but first let's jump into some follow up here. Joe, what do you got for us first here?
C
So last week or last actually two weeks ago, because I was not on the podcast last week.
B
That's right.
C
I was postulating. I'm sorry. I really wish I could be in Florida during this time of year, especially with the snow falling outside right now. I'm very angry about it. It's March and there should be no snow. Oh, yeah. Anyway, Michelle was noting that I was wondering what aggravated identity theft is as opposed to just regular identity theft. And Michelle has a lot of background in law and policy.
B
Right.
C
And she says aggravated identity theft is identity theft that is used in the commission of another crime. So if you just steal someone's identity, it's fine, but then if you. Well, it's not aggravated, it's not fine, it's just identity theft.
A
It's just vanilla identity theft.
C
Right, exactly.
A
Okay.
C
But then if you use that to commit something like wire fraud in that person's name, then that becomes aggravated identity theft.
B
I see.
A
Because it's very aggravating that you've done that.
C
It's an aggravate.
A
Yeah, right.
C
I think it has to do with the legal terminology is it's an aggravating factor or there are aggravating factors.
B
I see. That makes sense.
C
That make like this wound you've committed to society worse.
B
Right. All right, good. Well, thank you, Michelle, as always. All right, we've got some other feedback from one of our listeners here. Maria, you want to take us through this one?
A
Sure. This one comes from listener Robert Eberhardt from Calgary, Canada, and he wrote a very detailed email. So I'm just going to read it through because this is really good stuff. And he wrote. Hi, team. I listened to Dave's story about attackers using social engineering to reroute payroll deposits. And, and the interesting part for me was the contracted discussion about shared mailboxes. And this is shared email inboxes, to be specific. And I heard you ask the question, why would you ever use them? And it just so happens that my job deals with these on a regular basis with my clients. So this is a really detailed email. So I'm going to go through all the bullet points that that Robert puts in here and he writes first, in Exchange, shared mailboxes do not need a license. So they are used typically for inbound email only. They can be AP, like a, a, a, a. What is it? Accounts payable. Thank you, accounts payable at. Or accounts receivable at or HR questions at, et cetera. The shared mailbox does have an address associated, but typically does not have an ID and a password assigned. Users with a license are assigned access to the shared mailbox from their own mailbox. It shows up in the folder pane on the left side of the window as another top level folder. And permissions can include read, manage, and send, as that jives with my experience with them as well. So. Okay, yeah, I didn't know they didn't need a license. That is an interesting wrinkle.
B
That's me neither. We have one. We have editor@thecyberwire.com, which is where people send their PR pitches and things. I'm on that mailbox, but it's not my primary mailbox, so I guess that is categorized as a shared mailbox.
C
So when people bug me about being on the podcast, should I just tell them to email editor@thecyberwire.com or n2k.com?
B
No, because I still have to read them.
A
Have them bother you directly. Joe.
B
No, you tell him just to email Joe things Joe hates dot com.
C
Yeah, I don't know who owns that domain anymore, Dave. Okay, I wish I still had it, but.
B
Oh, you let it pass.
C
Well, yeah, unintentionally. It wasn't me, it was the domain. I had a friend managing the domain for me, Joe. And yeah, Things Joe hates. I don't know if it's still doing this, but it was going to some kind of Japanese porn site and it was just awful.
B
That's on brand for your podcast.
C
It is absolutely not on brand.
B
Wow.
A
Okay, I'm gonna just leave that one hanging there.
B
Maria, save us here the second half of this. Yeah, get us back on track.
A
So the email goes on to say, in some cases, you would assign a license to a shared mailbox, but why would you do this? And the answer is, an unlicensed shared mailbox has a quota of 50 gigs and does not allow for online archives. Space needs to be managed to ensure that you don't hit the quota, but it is free and adding a license can add capacity to the mailbox quota and allow additional features such as online archive, litigation hold, and that would be part of the license. When licensed, an ID and password can be assigned to the shared mailbox. And from a control standpoint, assigning an ID and a password and then sharing that information among multiple staff is definitely not a best practice. Amen to that, Robert.
B
Okay.
A
Yeah, so, yeah, this was very in depth info. Very, very much appreciate Robert sending this in because this is definitely not my world. So I appreciate this bit of color to the story. So thank you, Robert.
B
Yeah, important distinction there. So thanks for sending that in and of course we would love to hear from you. If there's something you'd like us to discuss on the show, you can email us. It's hackinghumans@n2k.com. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked, trusted apps contained with ring fencing, configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com/N2K. All right, let's jump into our stories here. Joe, you have the honors this week. What do you got for us?
C
Dave, my story comes from the cyber press and this is a story about a data breach that happened at Ericsson US which is the, you know, United States subsidiary of the Swedish, or Norwegian, what is it? Norwegian? No, Swedish telecommunications giant. Yeah, they make phones and everything. Remember the Ericsson? No, that was Nokia.
B
I'm thinking.
A
That was Nokia.
C
Yeah, yeah, the indestructible phones. So, yeah, there's a lot of confusion here in the US because Ericsson is also the name of an elder care company here in the US the biggest elder care company.
B
Oh yeah, Retirement homes.
C
Right. So let's specify this is the phone manufacturer. They have suffered a data breach that exposed sensitive personal financial information from about 15,000 employees and customers. And the interesting wrinkle to this is the incident was not caused by compromising Ericsson, but rather by compromising a third party service provider that they were doing business with.
B
Mm.
C
So according to a regulatory filing submitted to the US authorities, the breach originated from a vishing attack.
B
Oh, your favorite word.
A
Oh, yummy, yummy.
C
My favorite thing about this is the article has parenthetically voice phishing attack, which is a social engineering attack. We've all talked about this before, right? Somebody called up impersonating somebody else and got them to reveal some login credentials which got them, got the attackers access. They were able to infiltrate this network, the vendor network, and access files. And the dates are between April 15 and April 22, 2025. So the attack started almost a year ago, and they didn't detect anything until April 28, which is actually like 11 days later, which is really below the average. The average, I don't know. Actually, what I'm thinking of is old information. But it used to be that it would take you 180 days before you knew you had somebody in your network. Now I think that's decreased. So here we are now down 11 days, and this group of attackers still exfiltrated about 15,000 records. Once the vendor discovered the breach, they did the right thing. They engaged an external cybersecurity company to, you know, do forensics and have incident response. They also notified law enforcement. And here's where it gets a little bit iffy on things, on how. How well things were, you know, how well things were conducted. Despite the fact that they found this breach back in April, they didn't notify Ericsson of it until November of 2025. November 10th.
B
Oh, you mean they didn't identify their mothership. Right, yeah, yeah.
C
This is a third party vendor. They're out there.
B
Oh, the vendor didn't identify. Okay, I'm with you now.
C
The vendor said, oh, we have a cyber incident and they know about it, like within 11 days and they start resolving it. But then it takes them to November to get around to going, oh, by the way, Ericsson, we lost 15,000 of your employees and customer records back in April.
B
Right. Six months ago.
C
Right.
B
Okay.
C
Right. Which would be, I gotta tell you, Dave and Maria, if I was doing business with a company that took this long to notify me that they had breached my data, I would be nonplussed. Let's put it that way.
A
Nonplussed.
B
It would be a former business relationship.
C
I think that's kind of long. This article doesn't name who that third party is, but it says here that a detailed forensic investigation data review process continued for months to identify impacted individuals who was leaked. And the analysis finally concluded last month in February of 2026. So the incident response took almost a year, which is fine.
A
Yeah, it can take some serious time.
C
That can take some time. But notification of affected people, affected entities, rather, should be a lot faster than this.
A
Well, if they only found out that that data was exfiltrated during the course of the investigation. How would they get it faster?
C
Well, that's a good question. Maybe that's what they. It took them that long to figure out that they had lost that much data.
A
Yeah. I mean, I think the bigger question that you're getting to is what is a reasonable timeframe? And that's a very complicated question.
C
Right.
B
Right.
A
Yeah.
C
So the compromise details included full names, residential addresses and dates of birth, Social Security numbers, driver's license numbers.
A
Aye. Aye.
B
Aye.
A
Which used to be the same, right?
C
Not that long in some states. Yeah.
A
Yeah, I know.
C
It was never the same in Maryland. At least not during my lifetime.
B
No. My student ID was my Social Security.
C
Yeah. My job.
A
Yeah. My driver's license was my Social Security number here in Massachusetts for an alarmingly long amount of time.
B
Alarmingly.
C
We actually had to fill out our own student identifications by hand at my first university. And I think that my sloppy handwriting may have gotten me out of something.
A
Security through obscurity. Right.
C
What's the draft?
B
Well, no.
A
Oh, God.
C
I made. I have a. The way I used to draw eights, they would sometimes come out looking like sixes. Okay, let's say that. So it kind of made me look like I was two years older than I was when somebody who had the authority to ask for my ID asked for it because there was something close to. It was a beer. There was a beer next to me.
A
You went from implied to explicit. Okay, got it.
C
I need to see your ID. And I'm like, why? She says, you better give it to me or there's going to be issues. And I'm like, okay, fine. Here's my ID. I hand her my student ID and she looks at it and I see her counting in her head. Okay. Hands it back to me, you know,
A
I was like, you took your student ID as ID? That's amazing.
C
Yeah. That's all they could ask for. They couldn't ask for my driver's license because she was an RA with the university. She's not law enforcement.
A
Right. Oh, my God. I mean, the liquor store can ask for a driver's license.
B
It's a long way with you, Joe, doesn't it?
C
Yeah.
A
Dude, you remember all of this?
C
I do.
B
You know your rights?
C
Well, yeah.
A
You don't have to get hacking if you've been hacking the whole time.
C
Yeah.
A
Wow.
C
Yeah, that's right. Also, government issue identification documents, like, they. It looks like they lost the passports and photo IDs, bank account information, like where your check might go, your credit card and debit card details.
A
Oh, we're back to the story now. Okay.
C
Yeah, yeah, yeah. Oh, I'm sorry.
A
I thought you were still talking about the RA and buying beer. Okay, this is all the stuff Joe
B
carried around with him in his wallet.
C
That's right. It's that backpack, Dave, that huge backpack.
A
So that's what's in there. All right, complete medical history.
B
So you know, Joe gets hit by a bus.
C
Yep.
B
There's no searching and.
C
That's right. My medical history is too big for a life alert bracelet.
B
Yeah.
C
There you go.
A
Bless it.
C
So they lost some financial information as well, Certain medical and health related information. I don't know what they would have as medical and health related information for employees beyond insurance information, but, you know, who knows?
B
Yeah.
C
This information was accessed. It doesn't specifically say that it was breached, but if you. If it was accessed, you can assume that it was breached. There is, and here's the good news. There is currently no evidence indicating that the stolen data has been misused or publicly leaked. Yeah, that is. That is cold comfort. Yeah.
B
Yes. Siberia. Nailed it yet.
C
Yeah. Good news is that they have. Ericsson is providing identity theft protection services through a company called IDX.
A
Oh, yeah. Yep.
C
Know them well, of course, people have to enroll before. Before the. Before June of this year. So.
A
Can I be brutally honest about that? Just brutally. And this is not nothing at IDX. Cause this is not their fault. I've been enrolled in so many of these identity protection services after a gajillion breaches that my data's been in.
C
Yeah.
A
All I get is an email at this point and I ignore them all because I don't know what they want me to do with any. I'm just like, I don't really know what this is doing or who it's helping at this point.
C
Yeah, I had the same. The same thing when I had. I had identity theft protection and there was some kind of incident. Somebody opened a checking account. I think we talked about it on the show.
B
We did, Yeah, I remember that. Yeah.
C
And I went over to the branch and I said, what's going on here? Because it was a branch that had local bank here. And I said, I got these things in the mail and I don't remember opening an account with you. And they were like, oh, yeah, that account was open and it immediately closed as a fraudulent account. I'm like, okay. You didn't feel the letting me know? I didn't get a letter. All I got was checks.
A
It feels like something you should tell me about. Yeah.
C
Should have just gone out and written a bunch of checks.
B
Right.
C
I shouldn't have done that, by the way. I want to talk about something else. I'm going to go off tangent here. I was at the pharmacy, as I am wont to do. Right. I was at the pharmacy. I'm walking out the other day and I see a library card for the Carroll County Library on the ground.
B
Okay.
C
And I get in the car and I pick it up and I hand it, show it to my wife, and I go, hey, you want to go get some free books at the library that we won't have to return? And she looks at me and goes, you're a terrible person. Why would you do that? Why would you say that? I'm like, I'm not going to do it. I'm just gonna say that it could be done. I mean, you gotta understand that this. You lose this, that's important. You could wind up paying somebody else's for buying somebody else some books. I did actually turn it in at the library, though.
A
Joe, did you know if you find a USB key in a parking lot, sometimes there's really yummy data on there, like payroll? You should absolutely open that file.
C
Yes.
A
Find out what everybody makes. Yeah, yeah, definitely. Yeah, go for it. Just definitely pick up that USB key. Just put it right into your computer.
C
Somebody did some research, some AB research on that where they dropped USB keys and saw what was more effective when you writ. When you wrote something on the outside of it, depending on what was written on the outside of it. I can't remember where that was, though. But I do remember reading that research. It was interesting.
B
It's in the parking lot of the Johns Hopkins Applied Physics Lab.
A
Top secret agency.
B
I remember that, too. You know, I had a funny little Social Security number security incident yesterday. I went to the eye doctor just for my annual exam. And you walk into the eye doctor and they hand you a form on a clipboard with all your information. And they say, please check this to make sure everything's accurate. So I'm looking over the form and up the top, it has my name, address, date of birth, Social Security number, and the Social Security number is all X'd out. And I'm like, excellent. Good job, folks.
C
Yep.
B
So then I'm going down the list of things, and it gets to my insurance, and it has my primary insurance for my eye doctor, which is some kind of vision coverage. And it says account number, and it's my Social Security number. It's like, so close, right? So close.
A
Yeah.
B
Right.
C
Well, yeah, that's unfortunate. You need to talk to your eye insurance people.
B
You know, I could.
C
Right.
B
But I'm not.
C
Yeah.
A
I mean, really, it's a much bigger problem than them, honestly. Yeah, yeah.
B
Like, I've surrendered when it comes to that. I'm just like. Cause really, you know. Okay. Have at it. Right. Anyway. All right. We will have a link to that story in the show notes. I'll tell you what. I'm gonna go next here. And I have two stories here, because they are short. The first one certainly is short. The second one may or may not be, depending on how much we decide to dig into it. This is from the Federal Trade Commission, a little notice that they put out about some scams that they're seeing going around. And these are the you've won a prize scam. So the idea is lucky, right? Wow.
A
Really?
B
You get a notice that says you've won a new car, you won a laptop, maybe some money.
C
I hear that guy that used to be on The Price Is Right with Bob Barker.
B
A new car?
A
Yeah. Oh, my gosh. Yeah.
B
Yeah. Rod. Roddy.
C
Rod Roddy.
A
Rod Roddy. That's definitely his name.
B
Yeah. Yeah. I met Bob Barker once. My wife and I went to see a taping of The Price Is Right on our honeymoon.
C
Really?
B
Aw, that's adorable. Yeah, I got to shake his hand. It was pretty cool.
C
That's awesome. Does he come out and meet everybody?
B
Just me.
C
Just you. The Dave Bittner?
B
That's right. That's right. Just me. No, but we have it on. We were actually sitting in the front row. We didn't get called up to be on the show, but we were sitting in the front row. So my wife has the aisle seat, and I'm right next to her, and Bob Barker comes down the aisle. For whatever reason, on this particular show, he was coming in through the aisle. And so they announce, and everyone's on their feet, but clapping and everything. And I. And on the show. Cause we videotaped it when it aired. You can see me hurling my recent bride out of the way so that I could shake Bob Barker's hand. Just, like, pushing her out of the way, thrusting out my hand, and shaking Bob Barker's hand.
C
This is gonna be a great marriage, she's thinking.
B
Exactly. Exactly. To this day, she reminds me at least once a year that I'm lucky to still have her after.
A
Oh, my God. I wonder if that's that.
C
At least once a year for the Forever. Yeah.
A
If that episode's on YouTube, I need to see this, because that would be very funny.
B
Yeah, no, I have. I think I still have the VHS at home, so I have to.
A
Oh, my gosh, that's so funny.
B
Trying to find it. I don't remember the date, but anyway, so these you've-won-a-prize things are scams. What happens is they say, congratulations, this is a prize. You've won. Laptop, car, whatever. All you have to do is pay the taxes. All you have to do is pay the shipping and handling fees or the processing fees.
A
What a steal.
B
Yep, yep. And it's usually something like 50 bucks, not a whole lot. Although taxes can be more. So if you win a car, they'll say, oh, well, it's only $5,000. Taxes on this brand new Mercedes. And they get you. So the FTC says some of the things that we say here all the time. They say, slow down. Scammers will say things like, it's a limited time offer to try to pressure you into acting quickly. They say, know that real prizes are free. They say anyone who tells you to pay to get your prize is a scammer. And also do some research. If you search online for the name of the contest along with words like complaint, review, or scam, you can see what other people are saying.
A
Yeah, that's usually what comes up in autocomplete. Nowadays you'd search anything. The next word is always scam. Yeah, it's amazing.
B
So this is from the FTC, but I will say I did see someone else calling attention to this just within the last week or so, that evidently this is an active scam and whoever's doing this has revved this one up. So just be on the lookout for it. So that is story number one. Story number two is, well, I'm just gonna get to it here, see why. So Meta says,
C
Uh oh, one of my favorite companies to talk about on this show.
B
Yeah, Meta. Okay. You know them as the folks behind Facebook, Instagram. They say that they've removed 159 million scam ads in 2025, and they shut down nearly 11 million accounts tied to scam centers, presenting their effort as a major crackdown on online fraud. The company says most of these ads were caught automatically and they're working with law enforcement around the world to disrupt large scam networks. This article, which comes from the folks over at Recorded Future, say critics aren't entirely convinced.
C
Right.
A
Yeah.
B
Americans lost more than $10 billion to scams back in 2023, many of them originating on social media platforms. And of course, I think we talked about it here. There was that investigation from Reuters that suggested that Meta projected about 10% of their ad revenue comes from ads linked to scams. Meta disputes that claim. But who are you going to believe?
C
Reuters says that 10% of the revenue comes from scams.
B
Correct?
C
Huh?
B
Correct.
A
That number seems conservative to me. Yeah, based on nothing but gut feeling. Just to be for the record, but.
B
Right. So lawmakers are pushing for investigations and regulations requiring platforms to verify advertisers. To which I say, hala fricking Eula, Hallelujah. Yeah, there you go.
A
Halla frickin Lula. Yeah.
B
So Meta claims it's fighting scams aggressively. My experience says otherwise. I don't know about the other two of you, but this led to just a giant eye roll for me. And I'll believe it when I see it because everything I see on Facebook and, well, Facebook's really the only Meta platform I'm on, but everything I see says otherwise. So I don't know if it's a drop in the bucket or trying to bail out the ocean, but thanks, Meta. I guess the bottom line here is that they just have no integrity for this.
C
You know, nothing is believable.
B
Right, Right. Yeah. I just don't feel like we can believe anything they say. They've demonstrated time and time again that they don't seem to be a good actor when it comes to following through on what they say they're gonna do or even ever doing the right thing. So just call me skeptical.
C
Oh, skeptical Dave.
A
And yet we're all still on their platform, so.
C
Yeah, yeah, I gave up social media for Lent, so I took it all off my phone except for the Messenger app. I have to keep that on because
A
that's not for the Messenger app.
C
Right?
A
Yeah, yeah, yeah.
C
But I'm not doom scrolling Facebook or LinkedIn or anything else.
B
That's good.
A
It is doom scrolling LinkedIn.
C
Yeah. Every time I go to LinkedIn, it's like my favorite new term for LinkedIn is Facebook in a suit.
A
That's so true.
C
It's unhinged garbage from front to back. And everybody's out there. Look, I'm a LinkedIn content creator. I had AI generate this post that you might find insightful. No, I don't.
B
Yeah, I don't.
A
Yeah, the LinkedIn lunatic subreddit is one of my favorite places on the Internet. It's quite amazing.
C
Oh, I will have to check that out too.
A
It's basically the people who spend way too much time on LinkedIn trying to make themselves very, very influential. And I just. I really hate LinkedIn. I recognize its utility and I have an account and I use it, but I also hate it.
C
So I have an update on my thingsjoehates.com domain. Yeah, it's mine again.
B
Wow, that was quick.
A
In the course of this recording.
C
Yeah, I just went to GoDaddy.com and said, hey, is this still available? Because, you know, if the people who snatched it up snatched it up when it expired.
B
I see.
C
And then they just, they were like, okay, this guy's not contacting us. We can't just blackmail him for his domain. So it has expired again. So I bought it. All right, so I have it.
B
Wow.
C
Wow. There's nothing going to it. They won't. People won't see the podcast if they go to it.
A
But I have the breaking news on Hacking Humans. This is what we do here. What we're known for is breaking news.
B
Oh, my gosh. You know, somebody once created a. What was it? It was the awesomeness that is davebitner.com I think.
A
When did you buy that domain, Dave?
B
Well, the thing is, I didn't. It was some friends of mine who were razzing me. And yeah, when you brought it up, it was just a big picture of my smiling mug. Hilarious. It was a hilarious joke back in 2004, I think. Wow. Yeah. Anyway, all right, tell you what, let's take a quick break here to hear from our show sponsor. We will be right back after this message. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. And we are back. Maria, it is your turn. What do you got for us?
A
I've got a short story for today. Just a. It's been a little while since we've checked in on the world of deepfakes. And it's not that there's necessarily anything new, new, new, aside from they continue and they're getting better all the time. But I, I, it's one of those vectors that just continues making everything worse. So I figured it's time for us to just take a little look at it. And the lens through which I wanted to just take a look at it was actually through Canada and Canada-U.S. politics and political engagement right now. Not a big surprise that U.S.-Canada relations right now are not fantastic. Yeah. And unfortunately there have been a spate of deepfake videos blanketing YouTube especially that are a lot more subtle than you might expect that are fanning the flames.
C
Sorry, it's Americans badmouthing their bacon.
A
Well, no, see, that would be to me more obvious, but yeah.
B
Is it more subtle than that?
A
A little more subtle than that, yeah. Like that's obvious bait. Right? But if you have a half an hour long video of Warren Buffett sort of pontificating on the economic fallout of U.S.-Canada relations souring, and again it's him sitting in a chair talking about it in economic terms and there's nothing really obviously malicious about what he's saying, you might go, oh, and really give that video a listen. And not suspect that somewhere in that long video there's some stuff that's not quite correct or exaggerated, but it's subtle.
C
Is the entire video synthetic?
A
The entire video is synthetic. It's a half an hour long deepfake of Warren Buffett. And this specifically comes via Toronto Star, this little investigation about that specific video. But what I thought was very interesting was that one video, and there's many like this, got 300,000 views on YouTube alone about the Warren Buffett deepfakes, to be specific. And it is propaganda, it is disinformation. But because it got so many views, it also made money for the people who are spamming these deepfakes. So it is a self perpetuating problem of it seems credible enough to have Warren Buffett not saying anything crazy or offhand. Like it's not like him going out there being like, I'm gonna bomb name province, you know, nothing, nothing like that. It's just him, him pontificating in a way that sounds like you've just caught him in a quiet moment at Davos, right. And he's talking about how things are bad and gonna get worse and it all sounds plausible. So it's enough that you would sit there and listen and go, this is an expert giving some really good insight on current world events and you might not have any sense that this is actually fake. And indeed, in this case, it is entirely fake. And the scammers have now made money off of your views. Cause they're able to serve ads against it on YouTube. And then, of course, then the algorithm will serve you more and more and more videos just like this. So, AI slop deepfakes on YouTube. Not exactly brand new. And I'm sure now with the conflict in Iran, we're going to see more along those lines as well. But to me, the idea that it's not just being used for disinformation, but also for making money is like, oh boy.
C
Yeah, that's great. I have noticed that YouTube has just become a pile of garbage in terms of content.
A
Yeah, it's a shame, isn't it?
C
And it is. It used to be good. And there's, you know, the channels I follow, I still enjoy going to and seeing. But if I want to know about something I can't find, I search it on YouTube. I can't find a not obviously AI video.
A
You know,
C
sometimes it takes me like a minute and a half to get into. I'm sorry for cutting you off, Maria. But sometimes it takes me like a minute and a half and then the cadence of the voice is off a little bit or there's a mispronunciation. I'm like, this is just somebody's AI slop. And I've been consuming it for. For like a minute ahead down vote close with that.
A
Yeah, it feels like a betrayal. And it's also for all of us who have hobbies, which all of us do, YouTube was the gold mine of, you know, getting expert advice from people who are, you know, pro hobbyists in your chosen field or for home improvement, you know, how do you fix that squeaky door or whatever? I still remember there's this video, this one guy, his whole video is how to fix a really, like a door that's out of alignment. And it was the best video on YouTube I've ever seen. It has like 6 million views. And he tells you exactly how to fix it and he shows you how to do it and he tells you exactly, like, if it doesn't work, here's the other things to try. And I, like, I gave him five bucks and it was a legit video. And I'm thinking that's what YouTube is meant for. That is good Internet, right? And now those videos are very hard to find. And all our hobbies are getting filled with slop videos of showing things that are just not possible or incorrect. And it makes me really, it makes me really Sad and mad and makes me want to go to a cabin in the woods.
C
Here's Maria. David Thoreau.
A
I don't live far from where he was at, but it's changed a lot since his day.
C
I told my son that I told that story in this podcast, and he said I was 15 when I told it, not 12.
A
Oh, still very clever, though.
C
Yeah. He still couldn't come up. He. He picked that name. It was either Henry David Thoreau or he thought another author that he couldn't remember which one it was, but he got it right.
A
So he went, Ralph Waldo Emerson.
C
You know what, Maria? That's exactly who it was.
B
Yeah.
A
Here you go. Thank you. You're very welcome.
C
You said the name, and I'm like, yep. You know, I want. You know, here's the thing, Maria and Dave, I think there's a real opportunity out there for someone just to come in and eat YouTube's lunch.
A
A YouTube disruptor.
C
Right. We're gonna put up content that is not AI. If you post AI generated content to our website, your entire account is immediately deleted and banned.
A
It's gonna be the rise of curation. I think we're gonna go back. YouTube used to be curated. In its early days, it was curated. And. Yeah. And now the pure volume of it, it can't be. But I wonder if we're gonna have to go back to that. Cause it's just gotten so bad.
B
And I saw someone over the weekend mention they referred to it as. And actually this is a YouTuber who does sort of home improvement kinds of things, not unlike what you were describing, Maria. And this person was lamenting exactly what we're talking about here. And his prediction was that we're headed for what has to happen is. He called it an economy of authenticity, where people are gonna be so hungry for authentic creators that there will need to be a way to differentiate them from all the slop. And so I agree it's a space ready for disruption. But it's just like Facebook. We're all locked in, and it's hard for anybody to. I mean, you know, if we had a real fight against monopoly in this country, perhaps something could be done, but it doesn't seem to be happening these days.
C
The problem with that argument is that there really is no barrier to entry to you standing up another competing service. Although I think what you're talking about more is the huge tech conglomerates. Right. Like, there's no way for you to start up an Alphabet or a Meta.
B
Right.
C
And that those companies should be broken up.
B
So, yes, just the scale at which they operate makes it really hard for anyone else to break in.
C
Yeah, I don't like that those companies are as big as they are.
B
Yeah. So, Maria, your story reminds me of a. Something that crossed my desk earlier today, which is that the folks at Grammarly are facing a class action lawsuit. Have you seen.
A
Yeah, I did. Because I'm in the journalist circle. A lot of people I know are joining that class action lawsuit because Grammarly apparently, and I'm gonna summarize it very poorly, but you know, it's AI, so it's fair. Basically they've got something where you can write in a famous journalistic voice, like a reporter's voice. So I guess they scraped a whole bunch of articles written by journalists and said, you want to write like this journalist? You can now do that. And a lot of writers are understandably, like, you know, that's actually a skill that people spend years and years honing developing your journalistic or writerly voice. That's not just something you're born with. That's a skill that you got to work at. So it's not okay for someone to come in and say, we're just going to steal that. Thank you very much. So I'm very glad that you ask. And they did not ask. They did not ask. No.
B
Right. Yeah. And it's not just people who are alive. Like you could say, you know, update this article in the voice of Carl Sagan and it'll do it.
C
Who's that guy that broadcast the Hindenburg?
B
Right?
A
Not Carl Sagan.
B
Not Carl Sagan. All the humanity. All the humanity.
A
Billions and billions. Anyway, I just realized also, I'm probably gonna drive somebody crazy that I didn't actually mention the name of the video about the sticking door. The guy's name is Donnie Doors and the video is 17 years old. So I put a link in it. Cause someone's gonna need a link to how to fix a sticking door from
B
Donnie Doors, who said. Did he retcon the name after he became popular for his door video?
A
Or maybe. But he has an ebook on his website and I gave him a few bucks. Cause he actually helped me fix like three doors in my house that wouldn't latch properly. I was so grateful. So, yeah, I figure someone might need this link. So I'm putting it in the show notes.
B
Yeah, maybe I'll start calling myself Davey Cyber.
C
I am looking at his. I'm looking at this guy's YouTube page and he's got like how to tie knots on it.
B
Oh, I'm gonna.
C
This is. Thank you, Maria. This is my new rabbit hole.
A
I. I'm telling you, this is. See, when I did the same thing when I found his channel and I said, you know what? This is what the Internet was really made for. This is good Internet stuff. I missed this Internet when it was a lot of this kind of thing. And so it makes me happy when I think, still see stuff like this. This is real expertise. And it was delivered very well and to the point. And the video's only 7 1/2 minutes long. And he goes through like every scenario of how to fix a damn door, which if you don't do it yourself, you end up paying a lot of money for someone else to do it for you. So you know that's true. Yeah.
B
No. One of my regrets of never having been a Boy Scout is that I wish I knew more knots than I do. And I realize I can. There's nothing stopping me from going out and learning more knots. But I feel as though it's one of those things that would have been much easier and would have stuck with me had I learned them when I was just a young lad.
A
Well, Donnie Dorz is here to help. It's never too late.
B
All right, we will have links to all of this stuff in our show notes. Joe, Maria, it is time to move on to our catch of the day.
C
Dave, our catch of the day comes from the scambait subreddit. Apparently there's a discount Elon Musk out there. Discount Elon Musk? He loves me within five minutes. It's a romance scam, it looks like.
B
Yeah.
C
Who's gonna be whom here?
B
Well, I think I will be the aspirational Mr. Musk. Yes, Maria. Oh, boy, you can be with escalating frustration, because that's what this is about. So I will begin. I'll say hello.
A
Hello. How did you get this number?
B
Baby, you don't know me. Send me you pictures.
A
No, I don't send pictures to people I don't know. I am not your baby.
B
Honey, you know I love you very much. Try to send me you pictures. You are the best in my life. Heart, heart, heart.
C
This is just starting off like asking for pictures.
B
I mean, Elon doesn't have time to waste, Joe.
A
No, that's why he's a very well known man.
B
He's very busy man.
A
Yeah, I don't know you. How can you love me in five minutes? You just met me. I'm not sending pictures to strange men. You must be crazy.
B
Honey, you need to know me. Honey. I love you very much. Heart. Heart. Heart.
A
Call me Jen.
B
I can do without you anymore. Honey, I love you very much. Heart.
A
Don't use pet names. I hate them. I don't love you. I don't know you honey.
B
Why you don't me? I loved you. I love you and I will love you forever.
A
I just met you five minutes ago.
B
I will love you till my last breath. No matter what life brings before us.
A
No, you don't. Your love is literally based on nothing. You don't even know me. How can you love me?
B
Honey? Forget that one. Honey, I love you very much. Loving you is the only thing that makes my life worth living.
C
This is like the worst love bombing ever.
A
It's like aggravating love bombing. Forget what? I don't love you. Call me Jen. I hate pet names.
B
Because I love you with all my heart.
A
I hate pet names. I don't love you.
B
Honey. Don't worry yourself anymore. Send me you pictures.
A
Honey, you haven't said anything about yourself.
B
I love you very much.
A
Capital N O. No. Stop asking for pictures. I don't send pictures to strangers.
B
Okay, my beautiful love.
A
You will have to actually get to know me as a person. Call me Jen.
B
Okay my beautiful love.
C
He's gonna call this woman anything but J.
B
Am busy for now honey. Honey, you are my best love. Am feeling on you honey. Love you very much.
A
Call me Jen. Call me Jen. Call me Jen. Call me Jen.
B
Honey. You are the only person I love in my life, honey.
A
Call me Jen.
B
I love you very much.
A
What's my name?
B
Honey? You are my queen. Honey. I love you very much.
A
What's my name? If you don't even know my name, how can you love me? I don't want to talk to you unless you can have a real conversation.
B
Honey. Don't worry yourself anymore. Am busy now honey.
A
Because. Just kidding. I love you for every single response is very, very boring. So call me Jen. Do not call me honey. Why don't you listen honey?
B
I know you name honey but you are my best.
A
Call me Jen or I will stop talking to you. No more honey. It is getting really aggravating. So what is my name? Why won't you use it?
B
Honey, my name is Jennifer Lopez. I love you very much. You are the only person I love in my life. So send me you pictures now. Honey. You are my honey.
A
How do I parse this? So no, you need to have a real conversation with me first. Jennifer Lopez. And especially this from Elon Musk.
B
This is confusing Honey, you know I really love you very much. Heart, heart, heart.
A
I doubt this very much, as it did not take much for you to fall in love, and thus, it would not take much love for you to fall for literally anything with two legs and a hole. Slash wiener.
B
Ew. Ooh. Wow. Geez.
A
Call me Jen.
B
Oh, sorry, Jen. No, I'm Jen. Wait. Oh, we're both Jen. Oh, this is so confusing. All right, let's try to cut to the chase here.
A
This is a really long one.
B
It just goes on and on and on. No pictures for you, honey. You, my heart. So let her, honey.
A
My name is also Jennifer.
B
All right, I'll tell you what. Let's leave this.
A
I cannot believe how long this goes on for.
B
Just go. I mean, this goes on, but I'm interested in just how much patience the recipient has here, who's clearly playing along.
C
Yeah, I'm not sure there's a person on the end of this.
A
I was gonna say you're just wasting your time with a bot. I wouldn't even bother.
C
You think this fails the Turing test for me?
B
Yeah. Yeah. Could be. Could be. All right, well, Maria, thank you, honey.
A
Call me Jen.
B
All right, well, we will have a link to that in our show notes. And of course, if there's something you'd like us to consider for the catch of the day, please do send it to us. It's hackinghumans@n2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo at threatlocker.com N2K. And that is our show, brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm not Jen. I'm Maria Varmazes.
B
Honey, thanks for listening, honey.
This lively episode explores the evolving landscape of deception, influence, and social engineering in cyber crime. The hosts—Dave Bittner, Joe Kerrigan, and Maria Varmazes—dig into recent breaches, deepfake developments, and scam trends, with a focus on how criminals are blending familiar tactics with new technology, such as advanced voice phishing (“vishing”) and generative AI. The team’s banter wraps technical insights with humor and anecdote, making cybersecurity accessible without downplaying real-world risks.
Segment (18:49–26:20):
A. Prize Scams (18:49–22:34):
Notable Quote:
“Anyone who tells you to pay to get your prize is a scammer.” – Dave Bittner (21:45)
B. Meta and Scam Ads (22:34–26:54):
Memorable Quote:
“Meta claims it’s fighting scams aggressively. My experience says otherwise...I’ll believe it when I see it.” – Dave Bittner (24:44)
“It is a self-perpetuating problem...the scammers have made money off your views.” – Maria Varmazes (32:43)
“YouTube has just become a pile of garbage in terms of content...If I want to know about something, I can't find a not obviously AI video.” – Joe Kerrigan (33:05)
Side Discussion:
Conversational, irreverent, and informed, mixing personal anecdotes, technical expertise, and sharp skepticism toward tech platforms’ policing of scams. Humor is used to underscore, rather than minimize, the ongoing seriousness of social engineering threats.