
Bo Friedlander
It should be here.
Katasha Rogers
Harry.
Glenn Sorensen
It's got your name on it. Yeah, it's got your name on it. So Harry Potter and the Order of the Phoenix was published in 2003. The book, anyway, it was seven months before what's now called Facebook went live from a Harvard dormitory. That was the beginning of everything migrating online. We lived on farms and then we
Bo Friedlander
lived in cities, and now we're going to live on the Internet.
Glenn Sorensen
That was Sean Parker being all prophetic in The Social Network. Think back to the birth of the Internet as we know it, not the boring version invented by Tim Berners-Lee. You know, this is way before Ancestry.com and Spokeo and other data brokers. If you wanted to find out something about someone, where they lived or if they had a fishing license or who they were married to, you had to put in some legwork, like drive to a town hall or find a clerk, dig through a box. The information was technically public, but it was protected by something that folks in privacy call practical obscurity, because practically, it's pretty obscure and hard to find stuff, and that kept people safe.
Bo Friedlander
The ability to find this information changed dramatically at that point, and companies started adopting the mentality of just because we can, let's go ahead and do it.
Glenn Sorensen
Today, everything's been digitized, indexed, and sold to anyone who's able to pay for it.
Bo Friedlander
It was a little bit of the frog boiling in the pot of hot water where we didn't realize this was being taken from us until we arrived at the death of privacy.
Glenn Sorensen
No one is as anonymous as they think they are. I'm Bo Friedlander, and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online? Hey, Katasha. Hey, Bo. That's Katasha Rogers, a colleague of mine, and yeah, a fellow traveler when it comes to things privacy. So I got a question for you. I know that you wrote an article a while back for the blog about. What was it? Is it the intentional obscurity? Is that how they put it in Maryland?
Katasha Rogers
Yeah. So Maryland is trying to pass a bill that would help protect all of their public servants in the state by removing their personal information not only off of data broker sites, but also requiring public records to take them down as well. This came up because the big deal was the public records. They know that they can purchase services like Delete Me that will remove their personal information off of data broker sites. Yeah, but they were concerned about access to public records. So I was trying to explain that by practical obscurity, these data brokers have kind of taken this information and made it easier by going in and scanning those draft cards and making them accessible on the sites, the ancestry.coms for people to find them. Whereas in the past, we wouldn't have been able to find this information because you had to drive to a specific courthouse or search an index or pay for photocopies. And these data brokers have made that practical obscurity disappear.
Glenn Sorensen
So practical obscurity in a nutshell is, is all the stuff that does exist in shoeboxes, like your fishing license or your, your marriage license or death certificates, birth certificates. The thing is, none of those things exist in shoeboxes anymore or storage. You know, they're not on shelves. It's not like Harry Potter's, you know, Ministry of Mysteries or whatever the heck it was called with all those glass orbs that fall off the shelves. It doesn't look like that. It looks like a data center.
Katasha Rogers
Yeah, we're digitizing everything. If you can digitize, like you said, your old photos for yourself, imagine what these data brokers sites are doing to digitize some of these artifacts that are connected to your personal information.
Glenn Sorensen
In your article, you said there's no universal database of the American public. Our identities are scattered across a sprawling mosaic of sources. More than 3,000 counties each running its own property tax and marriage systems. Thousands of municipalities maintaining separate permit databases, fishing and hunting licenses. I knew phishing was somewhere in there. State courts. I mean, so all that stuff can be pulled together. The question is, that used to present to the would-be criminal a lot of friction, because you would have to go to all these different agencies. Has that friction gone away entirely?
Katasha Rogers
Yes. So now we have thousands of data broker sites that are going through public records and going through marketing companies and finding out information about you and including them in these very detailed profiles that are searchable on the open web. Where in the past, like you mentioned, I would have to go to the county website and know what county you lived in in order to search the tax record of your home. But if I can just search you on the open web, I can find out your address, I can find out what county you live in, and then I can go find the public record based off of that information that the data broker supplied to me.
Glenn Sorensen
Okay, so next batter up. Glenn Sorensen, I also work with him. We're recording today because he and I started talking about open source intelligence and. Well, let's. We're just going to both take a crack at letting listeners know what it is. Even though if you've been listening to What the Hack for a while and you don't know what open source intelligence is. Well, you're my partner, Guinevere, because she actually asked me right before we started recording.
Bo Friedlander
Well, open source intelligence is the stuff that's freely available on the web.
Glenn Sorensen
Glenn travels the country talking to people about privacy and cybersecurity.
Bo Friedlander
The stuff that you can find by just going out and searching and looking and knowing where to look and where to search. Sometimes this is public records, sometimes it's data broker sites, sometimes it's somebody's website. But stuff that's out there.
Glenn Sorensen
Okay, let's talk about the migration of things that were hard to find as a result of the practical obscurity native to files that live in boxes at physical locations, their migration from there to the current day location where you can find them anywhere all the time. Because they live in the cloud.
Bo Friedlander
Yep. The ability to find this information changed dramatically at that point and companies started adopting the mentality of just because we can, let's go ahead and do it. Never thinking about does this actually take into account the individual and their, their data, their privacy, anything that they may own and that that ownership was assumed by them and not really assumed by us. And it was a little bit of the, the frog boiling in the pot of hot water where we didn't realize this was being taken from us until we arrived at the death of privacy.
Glenn Sorensen
And here's what these companies did. They took the basic premise of that weird sector in the world. They're the ones who say it's easier or just better to ask for forgiveness than permission. And we're dealing with the fallout from a whole sector, a whole tech sector that took that as their working motto. Better to ask for forgiveness than to ask for permission. And now this is like a Pandora's box because I just got a note the other day, Glenn from Columbia University, where I studied, saying that my Social Security number had been compromised.
Bo Friedlander
And that's how many times, no, I
Glenn Sorensen
was going to say by them. And it was a few days after I had gotten my PIN code for filing my taxes. Why do I have a PIN code? Because my Social Security number's out there. And why is my ATM card locked right now? Because it's been breached so many times that I find it easier just to keep it locked. And if somebody wants to withdraw money at the same exact time as I'm doing it, then God love them.
Bo Friedlander
If they have that kind of timing, they deserve it, I guess.
Glenn Sorensen
Yeah. Yeah. And so, so, you know, open source intelligence for me is an understanding of what's online and being really creepy with it.
Bo Friedlander
And being really creepy with it, or at least having the ability to be really creepy with it. And that there's the ability to be creepy with this information. That a lot of times in ages past, you're going to commit a crime against somebody. Like, you had to be physically present. Like, you had to. You had to be near them in some reasonable way and.
Glenn Sorensen
Or near their stuff.
Bo Friedlander
That's not the case. Or near their stuff. Yeah, and that's just. That's just not the case anymore. Banks get robbed from 2000 miles away and, you know, over an Internet connection.
Glenn Sorensen
Yeah.
Bo Friedlander
Like the world has changed. So instead of maybe a few thousand or maybe tens of thousands of people that might be possible suspects in all of this, now you've got billions.
Glenn Sorensen
So
Bo Friedlander
the attack surface, I guess, has broadened substantially.
Katasha Rogers
This episode is brought to you by State Farm. You know, those friends who support your preference for podcasts over music on road trips? That's the energy State Farm brings to insurance. With over 19,000 local agents, they help
Glenn Sorensen
you find the coverage that fits your
Katasha Rogers
needs so you can spend less time worrying about insurance and more time enjoying the ride. Download the State Farm app or go online at statefarm.com. Like a good neighbor, State Farm is there.
Glenn Sorensen
You tell yourself no one wants your college era band tees, but on Depop,
Bo Friedlander
people are searching for exactly what you've got. You once paid a small fortune for
Glenn Sorensen
them at merch stands. Now a teenager who calls them vintage will offer that same small fortune back. Sell them easily on Depop. Just snap
Bo Friedlander
a few photos and we'll take care of the rest.
Glenn Sorensen
Who knew your questionable music taste would be a money making machine? Your style can make you cash. Start selling on Depop, where taste recognizes taste.
Bo Friedlander
My accountant got an email from my sales secretary authorizing a $400,000 transfer of funds.
Glenn Sorensen
You might recognize this as the voice of Barbara Corcoran, one of the hosts of the reality show Shark Tank.
Bo Friedlander
I invest in a lot of property. I renovate property. So it seems like a normal kind of thing.
Glenn Sorensen
She shared a story about what happened to her in 2020.
Bo Friedlander
Money went out as a wire transfer to Germany. But it wasn't until my accountant sent a confirmation to my real secretary saying, hey, we're confirming this one last time. Right there. Boom. I learned that I was hit by a scammer. They're calling it a phishing scam, but really it's a digital con job. Barbara Corcoran says she was scammed out of nearly $400,000. So it was an expensive loss here.
Glenn Sorensen
Her story was like a lot of people's stories. You know, you click, it looks, it looks more or less right. It's more or less good. You know, kind of expecting something. We're always kind of expecting something. Click, boom. Done. As in like you're cooked.
Bo Friedlander
So she wired the money. And the lesson learned is that money, if it doesn't go to the intended recipient, you can't get it back.
Glenn Sorensen
You can see how easily it could happen.
Katasha Rogers
You look at an email quickly and if it's off by one digit, I wouldn't notice.
Glenn Sorensen
You can't be embarrassed or think it's a stupid with two o's moment because
Katasha Rogers
that really could happen to anybody.
Glenn Sorensen
It's even more embarrassing when you send
Bo Friedlander
them the money, when the wrong person the money that's the most important. So it's. If you have a CEO and you're middle manager somewhere and your CEO is asking you to do something that carries a different weight than maybe even your direct boss, that's a very different weight of authority that is being employed. Now. You can, if somebody can hijack that authority and use it, there you go. I mean that's, that's one of those big pieces along with urgency and fear and you know, maybe something that's, that's attractive, maybe, maybe you're, you're up for an award or a reward. There, there are those psychological things that we want or want to avoid. And you, you package these things up and you have a pretty compelling way to bypass our thinking brains.
Glenn Sorensen
So we can see how this can be used to bring down large companies, some of the biggest in the world, all through publicly available information like a LinkedIn profile, a job posting, a help desk employee who didn't know they weren't supposed to say what they said was oops. That same playbook isn't just for nation state actors or ransom workings. Corporations can use this on each other every single day. Before a merger, before a big negotiation, before signing a contract. Some companies are doing recon. They're pulling backgrounds on executives, scanning job listings to reverse engineer competitors, roadmap, monitor patents. It's the same discipline. The only difference might be the intent. And that gets really blurry, like you said, just saying, as you know, in the person of the CEO, like hey, you know what, I can't get so and so on the phone right now. What are our sales to date right now? And you know, What?
Bo Friedlander
Having that information and a competitor.
Glenn Sorensen
If you think competitors don't hire industrial spies, you're cuckoo. They do. And, and, and they.
Bo Friedlander
Long standing practice.
Glenn Sorensen
What's that?
Bo Friedlander
Long standing practice? Yeah.
Glenn Sorensen
And, you know, and that might be a piece of information that they really want to know or like, what is your security practice? Hey, I, I don't even know what we're using, but I'm on the phone with somebody and they want to know how we layer security around our customer data after they're no longer customers. Oh, wow, that sounds really competitive, you know, really basic. And you know, an engineer will know that, but it's really not the engineer's place to share that information. Done. You're done. You are done.
Bo Friedlander
Yeah, exactly. And I think the, we've, we've gotten used to this idea of having all of this information available on some level, but I don't know that, that everybody has gone as far as, you know, the, the threat actors out there would, and the people that may be researching you for a negotiation. I don't think that the mainstream awareness is, has gotten as far as those folks in realizing that there's, there's so much more out there and there's so much more that can be done with it. I think if you, you look at this as maybe a marketing problem too, and the information that, that marketers gather, and I think that's a lot of the same techniques apply when it comes to, to OSINT in, in security and privacy. I. Yeah, yeah.
Glenn Sorensen
It's, you know, like if you were, listen, if you told me you were in HR and I wanted a job from you, all the information I can find online about you becomes really valuable to me. And because I'm heading into an in person interview and I need to get through you, and the easiest way to get through it is like, here's the drool test. Look, I'm not drooling. That is the drill test. But, you know, but now let's talk about soccer, because I spent a few hours looking you up and I see that you are a serious Manchester United fan and your kid is in a travel team. And so that's what we're gonna talk about until I got the job.
Bo Friedlander
So, funny enough, I've given talks on getting hired in cybersecurity, and that is exactly one of the things that I would tell people attending my talks and people I've mentored, students and whatnot. You need to find as much information as you can. Connect with the recruiters, connect with the hiring manager, connect with as many people as you can on LinkedIn, get them on the phone, meet them at conferences, because then you're a known quantity and you're a face. You're not just a paper resume out there. Obviously that is coming from a good intent and is beneficial for everybody ultimately. But it doesn't always have to be that way. It's the same idea, right?
Glenn Sorensen
It doesn't have to be that way. If you work in HR and you're listening to this, hint, hint, wink, wink, if you remove your information from online and you have stricter protocols on your privacy. And I always assume like people know this, right? And I'm like, oh, this person has a pretty public facing job. There's no way they're sharing if they're on social media at all. There's no way I can see it. No way.
Bo Friedlander
And I'll tell you, default privacy settings are the norm.
Glenn Sorensen
But they're the norm. But not everybody knows it's the norm. Just in the same way, not everybody knows. Okay, so you've, yeah, you've probably heard that right before lightning strikes, if you don't have the kind of hair I have, your hair will stand on end. My hair won't because it's very kinky. But if you have, you know, kind of baby hair, it will stand on end because the static electricity becomes super, super strong right before a lightning strike. Now, in the land of being played by somebody who's done good OSINT on you, that just feels like you're comfortable, that feels like you're enjoying the conversation kind of unreasonably, like you're not supposed to be enjoying it this much. Why? Because they're trying to sell you envelopes. What the hell.
Bo Friedlander
You're just leaning in and engaged and interested and feel a stronger connection. Not necessarily your hair standing on end before the proverbial lightning strikes. Right.
Glenn Sorensen
The warm and squishies. But the fact is I think that, that, that is, that's a problem for me anyway. I don't think everybody should just because they know how to type some search terms into a Google window, have charisma. And that's the world we're living in right now is they can kind of, they may not know what to do with it. Fair enough. But, but you know, now in AI
Bo Friedlander
flavors, creating a phishing message or a social engineering angle. Yeah, it doesn't know better.
Glenn Sorensen
And also all the LLMs are built with guardrails that were built and designed by engineers who are human beings, so other human beings can figure out how to get around those guardrails. Explain the jailbroken versions of AI that people are using, because it's not ChatGPT and it's not Claude.
Bo Friedlander
These are AI models that are designed, that are trained to be malicious, to craft those phishing messages. The bad guys' version of ChatGPT, built for bad guys.
Glenn Sorensen
And where do you get access to it? I'm just curious, where's the new Silk Road?
Bo Friedlander
The Dark Web is the easy answer. But I mean, if you are part of those forums and can get in and be one of those trusted bad guys, I think we have a case for, I guess, law enforcement disruption here. And we've seen how that's worked in the past. But, you know, if you, if you're trusted by the people building the tools, you can get access to the tools. You can pay for access to some of the tools sometimes. And, you know, it's a, it's its own business model there, so.
Glenn Sorensen
Right. And it is, it is a criminal thing where you have to be trusted in the same way that if, if a drug dealer who's moving kilos of some substance, they. They're not going to sell to just anybody.
Bo Friedlander
Yeah.
Glenn Sorensen
I mean, I watch Breaking Bad.
Bo Friedlander
I know they don't want to get caught. I mean, they don't want to, you know, end up on any law enforcement agency's radar.
Glenn Sorensen
Yeah.
Bo Friedlander
Regardless of country. So.
Glenn Sorensen
But what, but here's the thing is, like with people search sites. What, Who. The people who built those sites cannot pretend that it was just cool. I'm going to build this thing because I can, because the only thing I've ever used a people search site for, I mean, full disclosure, I'm going to be vulnerable right now. I know I must seem like a saint. I'm wearing a nice white hoodie and I look like a nice old man. I probably don't look like a nice old man. Anyway, look, I have used it when someone pisses me off, and not because I really want to go after them, but because I want to understand how much of a jerk they are.
Bo Friedlander
I think, I think a lot of them may have started from the flip side, actually, where I want to know who I'm dealing with so that I don't get hurt, so that there is not a. A criminal at the other end of the. The table that I'm going on a date with. I think there are legitimate, you know, beginnings that started that way.
Glenn Sorensen
Yeah.
Bo Friedlander
Now what they've become. I don't think they can argue that the practical end result is actually what was initially intended So I think there's.
Glenn Sorensen
So you think that. I get it. No, sure. Listen. Yes and no. So there's yes. Okay, here's the yes. I'm hiring somebody. I want to know if they've got a criminal background, criminal record. And for some reason I've decided to use a people search site instead of one of the more reliable services that are out there. Fine. It's 30 bucks versus a, you know, subscription that probably costs 10 grand a year. Cool. I understand that. And I don't have a friend who's a cop. So I can't be like, hey, can you check that person's license plate? I do have a friend who's a cop. Shh. I won't say who. Look at my friends on Facebook. You might be able to figure it out. No, you can't. Right. Because it's set private. Ha. So.
Bo Friedlander
So there.
Glenn Sorensen
That's sort of. The point is. What's your privacy stance? How. How careful are you with the way you walk through the world? Well, the answer for most people is not very. And if you don't believe me, go ahead and research sextortion crimes. Because they're targeting teenagers who don't have the emotional capacity to deal with being attacked that way. Now that is not something that starts with people search sites. But it uses them. So here's how it works. It might start with on. On. On. On Discord. It might start on a gaming forum. But once they got your number and they know your name, they're going to that people search site and they're going to come back at you and say, I'm going to tell your Uncle Bill, your mom, your grandma, your brother, your sister, that I have a picture of you being naughty with me.
Bo Friedlander
Yep. And not having the maturity, the training, the instinct to resist. That sort of thing puts them in a vulnerable state.
Glenn Sorensen
Beyond vulnerable. Beyond. Beyond.
Bo Friedlander
Yeah.
Glenn Sorensen
And that's the point. They'll cough up whatever they can cough up. But if you're listening, all you have to do is walk away. All you got to do is close your computer. Whoever is targeting you is targeting 2020 people just like you.
Bo Friedlander
And if one gets off the hook. Let that be you. Let that be you.
Glenn Sorensen
Zootopia 2 has come home to Disney Plus.
Bo Friedlander
Let's go get ready for a new case.
Katasha Rogers
We're going to crack this case and prove we're victorious.
Bo Friedlander
Partners of all time.
Glenn Sorensen
New friends.
Bo Friedlander
New you are Gary the Snake.
Glenn Sorensen
And your last name.
Bo Friedlander
The Snake Dream Team. Hidden Habitats: Zootopia has a secret reptile population. You can watch the record-breaking phenomenon at home.
Glenn Sorensen
You're clearly working it. Zootopia 2, now available on Disney Plus.
Bo Friedlander
Rated PG.
Glenn Sorensen
Okay, Glenn, so what's the solution?
Bo Friedlander
Well, you know, if I, if I had all the answers, I would, I would certainly share them. But what I've got are some. We can remove what's out there, we can stop leaking some of the information that we have kind of unconsciously become used to leaking. That is rewards programs that we sign up for. That is giving out our phone number without thinking about it, giving out our email address without thinking about it. We can be more conscious about that. We can use email masking forwarding services that you, you give them a unique generated email for the one thing that you're signing up for. You don't necessarily even have to give them your real name. Yeah. No ethical dilemma in, in providing false information because they're abusing my privacy and
Glenn Sorensen
they say, you know, we, my, my old partner used to say, Adam Levin loved to say, like, lie like a superhero. Did you. Do you think Superman ever said, I'm, you know, I'm Superman? Did not.
Bo Friedlander
Yeah. Yeah. And you just, you don't have to give all of the information out there that they imply that you should. You go to stores a lot of times and they'll say, well, can you just give me your phone number so I can give you this discount? Or even not just so I can check you out. And no, you don't have to give them that. Or you can give them fake info. You can give them a voice over IP number. There's a lot of things that you can do to get out of that conversation. But I mean, I would encourage people to be more direct about it and say, no, I don't think that's reasonable information for you to ask for. I would just like to purchase my product and end this transaction and be on my way. And that should be the end of it.
Glenn Sorensen
I mean, and it can be. And it can be. Yeah, but it can be. And you know, like doctor's offices, you don't have to give your Social Security number. They only want it for billing purposes. You can say, no, they can't legally make you give it to them.
Bo Friedlander
Yeah.
Glenn Sorensen
And yeah, I mean, unless you're me. I could write my Social Security number on my head and it wouldn't make a difference. You have no idea what's out there. I know, for instance, one of the few things I still get, because I'm buttoned down super tight, but one of the things I still get are spam sales calls for things that are home improvement related. And it's because five years ago I filled out a form with my real phone number asking about solar in my area. And that solar company has now turned into tree cutting services, gutter cleaning. It's turned into driveway repair, it's turned into garbage, you know, waste removal.
Bo Friedlander
It's so that one single point has gone everywhere.
Glenn Sorensen
Viral. It's gone viral. Now how do you solve that? Well, you said it before. You can get call masking too. You can use a voice over Internet protocol, but you can also use call masking, which I think is. Is call masking the same as we offer it? Is it the same as a VoIP?
Bo Friedlander
I mean it's, yeah, that's the same idea. So yeah, it's like there's a grasshopper
Glenn Sorensen
or the, like it's just giving you a different phone number.
Bo Friedlander
Yeah. So your real number doesn't actually get out there, it's just forwarded to you.
Glenn Sorensen
And if you're like me and you maintain a couple of burners like that, you can, when they get a little polluted as they will just cancel the account. Cancel the account, start it again. Google doesn't like it. But you're, and you're going to have a phone number in North Dakota, but whatever.
Bo Friedlander
Yep. And that's fine because if there's some tie to North Dakota and you are not in North Dakota, that's probably better for you. That muddies the waters a little bit. So the more muddied the waters, which
Glenn Sorensen
is why you want to use a VPN too. Because you use a VPN and they're like, wait a minute, are you. And it always cracks me up because my doctor's in New York State. Don't listen, doctor, if you're listening, because, you know, I'm in Connecticut and when I want to do telehealth. You can't do telehealth from Connecticut in New York State. It's against the law. And they'll say, are you in New York State? And I'll say yes. And it says, well, it says you're in Connecticut. And I say dun, dun, dun, try again. I'm using a VPN.
Bo Friedlander
Yep. And I mean, I feel like your IP address is much like your home address at this point. And for a lot of practical purposes it is. They have no business getting your real IP address. Use a VPN. And there's.
Glenn Sorensen
Explain that to people. Okay. Now, here's my partner. She's come in the room. What is this o. Nonsense, Glenn? And why do I. What the hell with the ip? Nobody knows what an IP address is. I'm not changing that. You're dumb.
Bo Friedlander
Well, all the companies scooping up the data that you. And, you know, looking at the sites you visit, they're all tracking your IP address. And it's, you know, it is much like your home address. It's tied to you in such a way that it may as well be PII. And in some cases, it is legally. It's an identifier of you, or at least of your house and your service, and it gets them very close to being able to put a person on a seat behind a keyboard. Somebody in your house did this. Unless.
Glenn Sorensen
Speeding ticket. The speeding ticket is being delivered to your home, where the car is registered. We don't know who was driving.
Bo Friedlander
Yes. I mean, and we don't care.
Glenn Sorensen
We just want 50 bucks.
Bo Friedlander
Yep.
Glenn Sorensen
But here's the deal. And that means. That means that every site that you go to, you clever, clever listeners who are using incognito, it's not working.
Bo Friedlander
It's. That is only one piece of the puzzle. And by all means, use. Use a hardened browser. Use something like Brave, use incognito mode. But that is just one layer. There are multiple layers. VPN is another, and it's an important one.
Glenn Sorensen
Yeah. And so what we've learned today is that privacy is dead, but maybe it
Bo Friedlander
doesn't have to be. Maybe we can start to take it back.
Glenn Sorensen
Yeah. Or like, maybe we should stop talking about it in these Frankensteinian terms because it's not alive or dead or vampire terms. It's not. Well, because there is a vampire element to the whole thing on the take side, but on the give side, there's a lot of agency. You can decide what you want to give.
Bo Friedlander
You just have to know that you can decide and feel empowered to decide.
Glenn Sorensen
Yeah.
Bo Friedlander
And really keep that in mind. And if there's one thing to take away from this, take away that you do have the authority. You do have the agency to decide. It doesn't have to be decided for you.
Glenn Sorensen
Yeah. It's give and take. But, like, you get to decide what's being given.
Bo Friedlander
Yes. And the more aware that. That we can be as a society of that, the better off we'll be, the more we'll move the needle back towards some reasonable state of, you know, of osintability, I guess.
Glenn Sorensen
Right. And then like, okay, so go back to Section 230. Goes back to the beginnings of the problem of the Internet being out of control. And here's what you need to know. It was never your circus, and those weren't your monkeys. But those monkeys are everywhere now, and you got to deal with them. And it sucks. There were no laws. There were no rules. True story. True story. But the reality now is, let's pretend the monkeys are mice and you live in the Northeast. It's just a fact of life. But you can live with mice all over your stuff, or you can take measures to keep it down to a very bare minimum. That's what we do, is pest control.
Bo Friedlander
And it's not a problem we're going to solve in a day, but it's solved by taking steps every day.
Glenn Sorensen
Yeah, you close up the little chink in the side of your building that is allowing mice in you. Same thing in your walls. Whatever it is. I'm sorry to talk about mice in this regard, because mice are really nice compared to brokers. No, and I mean it, because, yeah, mice spread disease, right? Well, data brokers spread. Your one call to a solar company. Come on, give me a break. I get at least one call a week from people trying to sell me something from a blade of grass to a shingle for my roof every week.
Bo Friedlander
Sounds about right.
Glenn Sorensen
And that is. I don't know. I don't want to put it. It's not cancer, but, like, you know, that is the way this stuff spreads.
Bo Friedlander
Well, if you think about it from an organization standpoint and protecting the people in it, the line between personal and business and work information and personal information has blurred, and it's been blurry for a while. But I think it's come to, you know, some sort of inflection point, especially with AI now. But that is a risk to your organization. If the controls, the technical controls for cybersecurity, for example, in your organization are strong. Well, we're going to go around them, right? How do we go around them? We go around them through the people. And if we target the people and have the people go around the controls, that's a threat to our organization. So this is beyond a personal privacy problem. This is enterprise risk management. This is a business risk to your organization. And, you know, it's just good to protect your people anyway. Right. This is something that we need to think about in a way that we haven't yet. This is what I like to call a historically unmanaged attack surface of the business.
Glenn Sorensen
I agree.
Katasha Rogers
I think the best way to create intentional friction would be to make sure that your information is removed from these data broker sites that are making your information more public on the searchable web.
Glenn Sorensen
Katasha Rogers.
Katasha Rogers
And then putting that practical obscurity barrier back up and requiring the people searching for that information to go to the deep web and search on county websites or, you know, drive to the actual courthouse and find this information, which kind of deters them from searching for it in the first place.
Glenn Sorensen
Here's the issue is that human beings do have free will. Free will means that they might not follow the security protocols that you put in place. So how do you solve for that? It's got to be a cultural solution.
Bo Friedlander
I mean, we're never going to get to perfect, but we can get closer to it. And our strategy has to be to influence culture and move that cultural needle. I would say the bigger problem is much beyond that, though, and that is the CISO has to. And having sat in that seat myself, I've been in the hot seat. You have to convince the business that that's a good idea.
Glenn Sorensen
And it costs a little bit of money. Right?
Bo Friedlander
And it costs money. And typically more than the money, it's the impediment or perceived impediment to doing the thing that the business wants to do.
Glenn Sorensen
Curious about, like, what you just said, the impediment. Now, I worked once upon a time at a. I can't say where, but it was top secret and for real. If you look at my LinkedIn, you'll figure out exactly what I'm talking about. And there at this place, because we had something very, very secret that only the had. Can you guess where I was? All right. Anyway, we used PGP. Pretty good, pretty good protection email. Now, what does that look like? That looks like every time you get an email, you have to log in with a password every time or have a key fob every single time. And do you know how annoying that is when you're the director of communications? It's really, really annoying. However, we're talking about cybersecurity. Cyber is hard. You know what else is really annoying? Keeping, you know, a notorious murderer behind bars. That's why prisons are complicated.
Bo Friedlander
Yeah.
Glenn Sorensen
So I just don't understand why people. We're keeping. We're having. We have. We need to think of it as like a reverse prison. That's what Fort Knox is.
Bo Friedlander
Yeah. I mean, well, keeping the bad things out. Yeah, that's. But that's the goal.
Glenn Sorensen
But, but keeping the bad things out means keeping out, like, all the stuff that we as humans, beautiful, interesting, varied, cool human beings, are going to drag in with them to work.
Bo Friedlander
Yep. It's the things that try and piggyback. Think about tailgating. The idea of tailgating. You swipe your badge and someone just walks through on your badge, and in you go. And that's the idea. There's a lot of known good things that we've got, and there's a lot of things that try and tag on with those known good things. And that, I mean, that really is one of the major strategies here. So.
Glenn Sorensen
Well, I wonder actually if I can get Susan on the phone, because when I went to visit Susan and Ian in New York, they were working in a. They were at a WeWork. And I just walked up to Susan in her cubicle and she was like, how did you do that? And I was like, what do I do for a living?
Bo Friedlander
I found you.
Glenn Sorensen
I mean, come on. Well, not only did I find her, but I got in. You know, the physical pen test was a joke.
Bo Friedlander
If you just look like you know what you're doing and you belong there and I'm not there to be challenged.
Glenn Sorensen
I just nodded at the guy in front of me and I was like, just open the freaking door for me. I'm gonna punch you.
Bo Friedlander
Yep.
Glenn Sorensen
And he like, I wasn't even nice about it. I was like, keep moving.
Bo Friedlander
And it, it would work if you were nice. It would work if you were not nice. It would work if you had a thundercloud over your head. Perceived, of course, like, all the different. There's so many things work. Yeah.
Glenn Sorensen
All the reasons things work. And this is again, like, so you didn't give me a good answer. Why do CISOs not say, you aren't touching a computer in my organization until your shit's offline?
Bo Friedlander
Because that's a business decision, not the CISO's decision at the end of the day.
Glenn Sorensen
Okay, fine. Fine, fine, fine, fine, fine. I got a follow-up. When is security going to be considered a. I don't get it, Glenn. It's an extinction-level event when things go wrong. When is it going to be given the importance it needs to work?
Bo Friedlander
When. When enough pain and money is involved and I guess we're just not there yet. One day. One day we will reach another inflection point and things will change again.
Glenn Sorensen
And it's clearly not seven point whatever million dollars. So let us know. Yet, let us know. Like, hey, by the way, if you just want to give me that $7 million, I'll tell you my crypto wallet address.
Bo Friedlander
I, I will give you, I will give you good security advice for much less than $7 million.
Glenn Sorensen
Yeah.
Bo Friedlander
Just saying.
Glenn Sorensen
We both will. We're here. Glenn and Bo show. We're ready to help you out. Just give us the money. All right, Glenn, thank you so much for joining What the Hack this week. I appreciate the hang time. I know you're busy.
Bo Friedlander
Thank you. It's been a pleasure being here and pleasure talking with you as always.
Glenn Sorensen
Okay, privacy isn't dead yet, but it's not for lack of effort or trying to kill it on the part of big data. What you can do to help keep it alive is to pay attention to your own privacy. Maybe the first thing that you can do is treat your privacy like the super important possession that it is, and then start protecting it like it really mattered. Because it does. Okay, that's it for now. Now it's time for the Tinfoil Swan, our paranoid takeaway to keep you safe on and offline.

All right, this week I am kind of freaking out about Sam Altman's iris-scanning, humanity-verifying World project announced in San Francisco last week. I am quoting from a Wired article that I read this morning. Tinder users around the globe are going to be able to start posting a digital badge on their profiles that says that they are in fact human beings. And how do we know this? Because they looked into one of World's orbs and they allowed their eyes to be scanned, their retinas to be scanned. So that's something. This same tech is going to be used to verify that a human being is trying to buy a concert ticket. So the only thing that we don't have on this list is drugs. It's drugs, sex and rock and roll. So it's sex and rock and roll. Anyway, smart marketing. Now, should you let someone scan your retina? What do you think I'm going to say? Absolutely not. If you have to pay with something as absolutely sensitive, in terms of your personally identifiable information, as your retina, man, oh man, it better have three or four commas in it. Not just access to, you know, more people looking at your profile on Tinder. Okay, so that's my advice for you this week. Don't let anyone scan your retina. Now, why do I say this? Is it a big deal? I think the big deal is this. Right now, license plate readers can't scan your retina. Do you think that that's always going to be the case? I don't. Cameras improve all the time.

So if it's not a license plate reader, it's going to be some other kind of camera that is doing surveillance. Maybe a Ring camera can do it. I don't think that any company needs to have that level of information about anybody. And that is my 2 cents for this week. And that is a lot less than it would cost to buy my retina scan. Okay, stay safe out there. We'll talk to you next week. And remember, if you like the show, tell a friend, rate and review. It helps people find it. This episode of What the Hack was produced by me and Andrew Stephen, who also did the editing. What the Hack is a production of DeleteMe, which was picked by the New York Times Wirecutter as the number one personal information removal service. You should be using it already. If you're not and you want to, well, you can. Here's what to do. Go to joindeleteme.com/WTH, that's joindeleteme.com/WTH, and get 20% off. I kid you not. 20% off. That's joindeleteme.com/WTH.
Date: April 21, 2026
Hosts/Guests: Bo Friedlander (host), Glenn Sorensen (co-host), Katasha Rogers (guest, DeleteMe privacy expert)
This episode explores how open source intelligence (OSINT), publicly available data on the internet, has ended the era of practical obscurity and ushered in an age where privacy is all but dead. The conversation covers the migration of records online, the business of data brokers, the risks to individuals and corporations, and practical steps to reclaim some semblance of personal privacy.
Migration to Digital Life
The Death of Privacy
Definition & Expansion
Threat Surface Has Exploded
Scams & Social Engineering
Corporate Espionage & Recon
Job Seekers & Social Manipulation
Immediate Tactics
Day-to-Day Strategies
Organizational/Enterprise Advice
Progress Through Friction
DON’T SCAN YOUR RETINA
"Treat your privacy like the super important possession that it is, and start protecting it like it really mattered. Because it does." (Glenn Sorensen, 43:44)
For further resources on removing your info and reclaiming privacy, hosts recommend services like DeleteMe, VPNs, and practicing better online habits.