Dave shares a bank spoofing scam with a reminder to mind those links, especially on mobile devices. Joe describes a case of someone turning the tables on a Twitter scammer. Our catch of the day involves a clumsy claim of physical harm. Dave interviews author Dave Levitan about his book Not a Scientist: How politicians mistake, misrepresent and utterly mangle science.
Dave Levitan: [00:00:00] I talk a lot about just the general need to improve scientific literacy in the country. That's a 10 or 20-year project, though. That's not something I have an idea for overnight.
Dave Bittner: [00:00:10] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm David Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:30] Hi, Dave.
Dave Bittner: [00:00:31] We've got some fun stories to share. And later in the show, we've got my interview with Dave Levitan. He's author of the book "Not a Scientist: How Politicians Mistake, Misrepresent and Utterly Mangle Science." But first, a quick word from our sponsors at KnowBe4. So how do you train people to recognize and resist social engineering? There are some things people think. Test them, and if they fall for a test scam, fire them. Or other people say, if someone flunks the test, shame them. Instead of employee of the month, it's dufus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. How about it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show. And we are back. Joe, I'm going to kick things off this week. I've got a story. This actually came to us from a listener. His name is Steven (ph). He says, good evening, Dave Bittner and Joe Carrigan. Hey, that's us.
Joe Carrigan: [00:01:35] That is. Hi, Steven.
Dave Bittner: [00:01:37] (Laughter) He says, love the "Hacking Humans" podcast, and I think I found a good one for you. My girlfriend was checking her email from her phone, and this one popped up from what looked like her bank. She's been listening to me talk about your podcast and had the forethought of questioning this email because she didn't know the person mentioned in it. After checking it out from our computer, we could see the links. Needless to say, I had her forward it to me for your show. Thanks for all the great advice. Keep up the good work. And he describes himself as being a careful clicker. Well, good for you, Steven. So the email here, this comes from BMO Wealth Management. So this is an investment company. And it says, you have a new e-document. And it says the Interac e-transfer you sent to Patrick Johnson - and it has an email address - has been approved. The transfer is now complete. Thank you for using our e-transfer service. If you did not initiate this transaction, we recommend that you go to - and then there's a link that says manage, cancel transaction.
Joe Carrigan: [00:02:37] Cancel transaction (laughter).
Dave Bittner: [00:02:38] Right. So what do you think is going on here, Joe?
Joe Carrigan: [00:02:40] Well, I'll bet this link is not a good link. I'll bet it's a malicious link.
Dave Bittner: [00:02:44] Yes, absolutely. So this is a standard thing where they're impersonating the bank and trying to get you to go somewhere else and use your login credentials. But obviously, you know, the call to action here is that the money transfer has already gone through (laughter).
Joe Carrigan: [00:02:59] Right. Exactly. That's the hook that's supposed to short circuit your thinking there. The money's already gone from your account, but you can get it back if you click on this link right here.
Dave Bittner: [00:03:08] (Laughter) That's right.
Joe Carrigan: [00:03:09] Ah, let me click on the link.
Dave Bittner: [00:03:09] Time's a-wasting. Time's a-wasting, yeah. And this looks like something that would come from a bank. This looks...
Joe Carrigan: [00:03:14] It does.
Dave Bittner: [00:03:15] Everything about this looks legitimate. It has all of the fine print and things you would expect from something that would come from a bank. There's a 1-800 number here. All the normal things. So at first glance, this certainly looks like a legit piece of communication from a bank. But I think a good thing to point out here, that Steven pointed out, was that his girlfriend checked this on her phone first. But then they went to the computer...
Joe Carrigan: [00:03:38] ...And it was a little easier to find the scam. And this is - we've said this before, about one of the problems with phone interfaces is that they don't have the real estate to show you these kind of things that a computer interface does. And it's simply because of size. A phone has to be something that fits in your pocket, and your computer does not.
Dave Bittner: [00:03:58] Right. I know - for example, like, I'm an iOS guy, and I know there is a way that you can click on a link without clicking through and have iOS reveal what the link is. And I don't recall off the top my head what that is, but it's quick enough to Google that. So if that's something you're interested in finding out, I suspect Android probably has a similar way to do that as well.
Joe Carrigan: [00:04:19] I don't know. I've never actually had the need to do it because I just tend to delete emails (laughter).
Dave Bittner: [00:04:23] Yeah. Well, I mean, but that's the thing, is that it's not that it's impossible to do on a mobile device, it's just it's a lot harder.
Joe Carrigan: [00:04:29] It just is more difficult.
Dave Bittner: [00:04:29] (Laughter) There are more steps.
Joe Carrigan: [00:04:30] Makes the process additionally harder so people are not going to do it, and that's why these scams are going to be successful, particularly in the mobile domain.
Dave Bittner: [00:04:37] Yeah. Well, good for you, Steven. Good for your girlfriend for paying attention to this, handing it over to you. And thanks to both of you for sending it into us. So that is my story for this week. Joe, what do you have for us?
Joe Carrigan: [00:04:48] Dave, my story comes from a company called Fidus Information Security in England. They're an info security company. They have a blog. And there's a blog entry here. It doesn't give an author, but I'm going to guess the guy's name is Andrew. But it's called "Turning the Tables on a Virgin Media Twitter Scammer." This person is a customer of Virgin Media, which is I guess, like, a cable provider in England.
Dave Bittner: [00:05:09] Right. Yeah.
Joe Carrigan: [00:05:09] He's complaining about service. And Virgin Media actually goes ahead and responds to him, like most legitimate companies do, saying, go ahead and send us a direct message, or DRM, and we'll get this fixed. But somebody else slides right into his DMs with a message, and he accepts the message coming in. And it's from a spoofed account. It's @virginscmedia. Right? So it looks very similar. And if you recall, we had Sam Smith talking about this very thing - going on a couple of weeks ago, where Twitter users - Twitter scammers are out there impersonating these companies trying to provide tech support. And it's pretty easy to see where this goes because the very first message is, hi there. What's your full name and address linked to your account so we can help you further this process? And then it's signed with a caret and a BP.
Dave Bittner: [00:05:59] OK.
Joe Carrigan: [00:05:59] Right. So the guy looks at the account. He know - he's a security engineer, so he knows immediately this is a fake account. So he figures it's time to have some fun.
Dave Bittner: [00:06:07] (Laughter).
Joe Carrigan: [00:06:09] Right?
Dave Bittner: [00:06:09] Right. So what does he do?
Joe Carrigan: [00:06:10] So he goes, of course. It's in my brother's name, Wade Wilson. And he gives an address, a London address. Do you know who Wade Wilson is?
Dave Bittner: [00:06:18] I do not. Who is...
Joe Carrigan: [00:06:19] It is Deadpool.
Dave Bittner: [00:06:21] Oh (laughter).
Joe Carrigan: [00:06:23] (Laughter) So the guy goes, thanks for the information, Andrew. Please allow me a minute to look up your account. (Laughter) Right? So then the scammer sends a next message. And here's the hook. He says, before we proceed, for security purpose of your account, please provide the card number, expiration date, CSC, cardholder name linked to the Virgin Media account. If you don't have access to this card, it could be any card registered to the address.
Dave Bittner: [00:06:46] Oh, wow.
Joe Carrigan: [00:06:47] Right?
Dave Bittner: [00:06:47] Well, that's convenient.
Joe Carrigan: [00:06:48] Isn't that convenient?
Dave Bittner: [00:06:49] (Laughter) Yes, that's right.
Joe Carrigan: [00:06:50] So this guy's just harvesting credit cards...
Dave Bittner: [00:06:53] Yeah. Wow.
Joe Carrigan: [00:06:54] ...Is what he's trying to do. He needs all this information to verify an account? I don't think so.
Dave Bittner: [00:07:00] No.
Joe Carrigan: [00:07:00] You know, usually these accounts should have pins on them. So he actually gives him a credit card account that looks legitimate and tells him it's an American Express credit card.
Dave Bittner: [00:07:10] Yeah.
Joe Carrigan: [00:07:10] And he gets the account information from PayPal. For their web integration, they have these sample credit card numbers that aren't valid, but they look like they're valid.
Dave Bittner: [00:07:20] Oh, I see. Right.
Joe Carrigan: [00:07:20] So if you run some processing on it, it'll process as a valid card number. But when you actually submit it, it won't wind up getting submitted.
Dave Bittner: [00:07:27] I see.
Joe Carrigan: [00:07:28] Right?
Dave Bittner: [00:07:29] Interesting. Yeah. Yeah, that makes sense.
Joe Carrigan: [00:07:30] So the scammer says, thanks. That card is registered under the same address too? And Andrew says it is. And then the scammer is looking for an access code that comes through because he's again trying to get some confirmation for it because he's actually trying to go ahead and process something right now and get a payment sent. And Andrew is saying, I don't have it, but here's a link they sent me. Now, this link is Andrew's link, right? He - it's a link to a website that Andrew has set up. He's trying to capture the IP address of the scammer.
Dave Bittner: [00:07:58] Oh, OK.
Joe Carrigan: [00:07:59] So it's actually a trap.
Dave Bittner: [00:08:00] Way to go, Andrew.
Joe Carrigan: [00:08:01] Right.
Dave Bittner: [00:08:02] Yeah.
Joe Carrigan: [00:08:02] So he goes round and round trying to get him to click on it. And then he says, no, I can't. I can't see anything. It's - I'm getting an error. And eventually, he sends a faked CloudFlare error, 522 error, which is an HTTP error. You can look up the code. I don't know what it means.
Dave Bittner: [00:08:18] Yeah.
Joe Carrigan: [00:08:18] But he says, I can't get it to work. Here's the link. And eventually somebody does click on the link, and they get an IP address. But it's not the IP address they're looking. It says it was linked back to their website, and they never received any replies back after they got him to click on the link.
Dave Bittner: [00:08:34] Wow.
Joe Carrigan: [00:08:35] So the scam was ultimately unsuccessful. And what Vitas Security did was they reported the account, and Twitter has since suspended it. Congratulations, Vitas. You're my (laughter)...
Dave Bittner: [00:08:44] (Laughter).
Joe Carrigan: [00:08:44] ...You're my hero this week.
Dave Bittner: [00:08:46] Yeah. And wasted some of their time.
Joe Carrigan: [00:08:48] Wasted some of their time, wrecked one of their accounts...
Dave Bittner: [00:08:49] Yeah.
Joe Carrigan: [00:08:50] ...And tried to get them to give away their location. That's a win.
Dave Bittner: [00:08:54] Yeah.
Joe Carrigan: [00:08:54] I'm very happy with this.
Dave Bittner: [00:08:56] Yeah, absolutely. All right. Well, it's time to move on to our Catch of the Day.
(SOUNDBITE OF FISHING REEL WINDING)
Dave Bittner: [00:09:05] Our catch of the day comes from a listener named Lars. And Lars sent this in. He said, hi, I got this in my email, which I thought might be interesting for Catch of the Day for your podcast. I think the tone of the email, threatening with bodily harm, is quite unique. The language in the mail is of course hardly English, so it would make a fun read for the guys. That's us again.
Joe Carrigan: [00:09:25] That is us.
Dave Bittner: [00:09:25] Yeah (laughter). So here it is. It goes something like this. Greetings. I've got a private web page that includes all sorts of offerings that I give in dark net, just about anything from totally ruining someone's business to physical injury and so forth. Nevertheless, absolutely nothing critical, like getting rid of. Generally, it is stuff similar to declined relationships or rivalry on the job. Anyways, I have been reached this week by customer to make an arrangement and also object is obviously you in a immediate and painless manner. The thing is I only get money just after each completely finished job. And so I decided to make contact with you before to be able to pay me for being inactive, which I frequently proffer the target. Assuming I don't obtain what I'm asking, my executor will carry out the request. Yet, if I will generate an agreement, besides eliminating the order you are going to receive whole details concerning the client that I have found. As soon as the request is finished, I often remove the operator as well. Consequently, I have got a choice to generate 1,200 via you - in essence, with no efforts - or get 4K through the purchaser but to get rid of my operator. I am obtaining transfers just through bitcoin. Here's my bitcoin address. You now have 24 hours to balance transfer. Wow (laughter).
Joe Carrigan: [00:10:43] What does this mean?
Dave Bittner: [00:10:45] Well...
Joe Carrigan: [00:10:45] I have no clue. Is this guy saying that somebody is paying him four grand to beat me up, but I can buy him off for 12?
Dave Bittner: [00:10:50] No, it's a hitman. No, he's a...
Joe Carrigan: [00:10:51] So it's a hit?
Dave Bittner: [00:10:52] Yeah, he's going to take you out, Joe.
Joe Carrigan: [00:10:53] Oh.
Dave Bittner: [00:10:54] Or this person. Yeah, this is a hitman. This is serious business.
Joe Carrigan: [00:10:58] Oh, OK.
Dave Bittner: [00:10:58] And what I...
Joe Carrigan: [00:10:59] See, I didn't even get that.
Dave Bittner: [00:11:00] You know, first of all, I think this is a badly translated - this has been run through the Google Translate back and forth several times. My take on this is that what this person is saying is I've been hired to - with - for a hit on the person they're targeting.
Joe Carrigan: [00:11:15] Right.
Dave Bittner: [00:11:16] And - but my usual MO is after I do the hit, I also take out the person who hired me to do the hit...
Joe Carrigan: [00:11:22] OK. Is that...
Dave Bittner: [00:11:22] ...After I get the money.
Joe Carrigan: [00:11:23] Right.
Dave Bittner: [00:11:23] Yeah. So this way, it's easier on me. For the low, low price of $1,200, I won't take you out. I'll even give you the information on who ordered your hit. And they're trying to say this is someone from your work or it's a rival at your work or...
Joe Carrigan: [00:11:39] Right.
Dave Bittner: [00:11:40] ...Someone that you - perhaps a romance that went bad or something like that. So...
Joe Carrigan: [00:11:44] I see. I see. Yeah, this is starting to make sense...
Dave Bittner: [00:11:45] (Laughter).
Joe Carrigan: [00:11:46] ...Because there's a sentence in here that says, or nevertheless, absolutely nothing critical like getting rid of, which means that he doesn't do wet work - getting rid of people, right?
Dave Bittner: [00:11:54] Yeah, I guess. Yeah. Nevertheless, absolutely nothing critical like - yeah.
Joe Carrigan: [00:11:58] Weird.
Dave Bittner: [00:11:58] I don't know. Yeah.
Joe Carrigan: [00:11:58] This is so badly worded (laughter).
Dave Bittner: [00:12:01] Well, later, he says, in an immediate and painless manner. So...
Joe Carrigan: [00:12:05] Right.
Dave Bittner: [00:12:06] ...That to me seems, you know, two to the back of the head or something. I don't...
Joe Carrigan: [00:12:09] Right, but that's...
Dave Bittner: [00:12:10] I don't know.
Joe Carrigan: [00:12:10] That's a sentence in this thing. This is so terrible.
Dave Bittner: [00:12:12] It is.
Joe Carrigan: [00:12:12] It's awful. I mean, I...
Dave Bittner: [00:12:12] It is.
Joe Carrigan: [00:12:15] I would like to look at this bitcoin address to see if anybody has sent anything to it.
Dave Bittner: [00:12:19] (Laughter) That's a good idea. Well, you know, I think the legitimacy of this - it was certainly hurt by the broken English here (laughter).
Joe Carrigan: [00:12:26] Absolutely.
Dave Bittner: [00:12:27] And good for our listener Lars for laughing it off, and thanks for sending it in to us. Unfortunately, I can imagine there are versions of this that I have seen that are much more impressive that...
Joe Carrigan: [00:12:40] Right, better worded.
Dave Bittner: [00:12:42] Better worded, more...
Joe Carrigan: [00:12:42] I'm sure this is absolutely terrifying for someone to get.
Dave Bittner: [00:12:45] Yeah, yeah. You find the right person, and this could be really, really terrifying...
Joe Carrigan: [00:12:49] Right.
Dave Bittner: [00:12:49] ...As you say. So it's a horrible thing. This particular incarnation of it is kind of funny and silly because of all the wording. But yeah, this is - it's a tough one.
Joe Carrigan: [00:12:59] Now, I'm no expert in organized crime, Dave. But I think that...
Dave Bittner: [00:13:01] (Laughter) Oh, OK.
Joe Carrigan: [00:13:03] ...That $4,000 is a little cheap for a hit. I mean...
Dave Bittner: [00:13:05] I would think - yeah, that's a good point. I hadn't thought about that.
Joe Carrigan: [00:13:08] And also, I would think it difficult for a hitman who kills the people who hire him to get repeat business.
Dave Bittner: [00:13:13] That's true. His Yelp reviews would probably be pretty low. Yeah.
Joe Carrigan: [00:13:18] Right.
Dave Bittner: [00:13:20] All right. Well, thank you Lars for sending it in us. That is our Catch of the Day. Coming up next, we've got my interview with Dave Levitan. He's the author of the book "Not a Scientist: How Politicians Mistake, Misrepresent, and Utterly Mangle Science." But first, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:13:41] Let's return to our sponsor KnowBe4's question. Carrots or sticks? Shower men, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stewart's perspectives at KnowBe4's weekly cyber heist news. We read it, and we think you'll find it valuable, too. Sign up for cyber heist news at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:14:28] Joe, I had the opportunity recently to speak with Dave Levitan. He's the author of the book "Not a Scientist: How Politicians Mistake, Misrepresent, and Utterly Mangle Science" - really interesting stuff here in these days of fake news and politicians trying to influence us to believe things, alternative facts and so on.
Joe Carrigan: [00:14:44] Right.
Dave Bittner: [00:14:45] Really interesting read, so here's my conversation with Dave Levitan.
Dave Bittner: [00:14:49] Once I decided to call the book this, I started sort of going back into the history of it a little bit. People are familiar with it, you know, these days to do with climate change almost entirely. And, you know, it sort of was very popular in sort of the 2009, '10, '11 range, I guess. Before that, it actually was used a lot longer ago. The first example I could find was Ronald Reagan in 1980 just before the presidential election. And he was - I mean, climate change was not quite the issue it is now then. But he was talking about sort of a similar issue. He was talking about acid rain and sulfur dioxide emissions instead of carbon dioxide emissions. And he used it almost in exactly the same way that you hear people use it now. You know, he said, I'm not a scientist - and then followed that up by saying something dramatically unscientific.
Dave Bittner: [00:15:32] (Laughter) And so what's the ploy here? What's the misdirection that these folks are using to kind of get you off the trail?
Dave Levitan: [00:15:39] I actually have answered that question in sort of multiple ways (laughter) over the last couple of years.
Dave Bittner: [00:15:44] Yeah.
Dave Levitan: [00:15:44] I sort of change my mind almost on exactly what it's doing. I think the main thing is just to sort of set science off as unknowable almost - to make it seem like the real answer is not even feasible to know. They're going to offer an opinion while saying, you know, OK, I'm not an expert, but here's the truth because the truth is actually unknowable. And it sort of sets real scientists, people who actually do the work, often on the side or in the corner as sort of nerdy eggheady (ph) types who couldn't possibly be trusted with actually forming public policy.
Dave Bittner: [00:16:20] It strikes me that there could be some rapport building here as well by saying to the audience, like you, I'm not a scientist; I'm just a regular person like you are.
Dave Levitan: [00:16:29] I agree. There is that, although the interesting thing about that is that they don't do it for anything else, right? I mean, they don't do it for - you know, I'm not an economist; I'm not a Middle Eastern expert; I'm not - you know, they don't - I'm not an expert in bridge building when they're talking about an infrastructure bill. They don't seem to do it for anything else. So it - I mean, and most of the time, the people that they're talking to are not an expert in the thing they're talking about, right? So I've thought of that as well, that it seems like it puts us all on the same page. But then why wouldn't you do it for other things?
Dave Bittner: [00:17:00] Yeah, that's interesting. Take us through some of the other methods that you outline in the book.
Dave Levitan: [00:17:05] I think I have a total of 12 of them, although, I guess, 13 if you count a bonus one. Some of them are pretty straightforward. Maybe I'll skip over the ones that - with names that people probably have heard of. Things like the oversimplification or the cherry pick.
Dave Bittner: [00:17:18] Right.
Dave Levitan: [00:17:18] Cherry picking data is something a lot of people are probably familiar with but some of the ones that that I find more interesting something like the butter up and undercut which is sort of a little bit of misdirection in a way. People will use this when they're talking about any sort of topic that is actually quite popular. So I - one of the examples I go through is about NASA. NASA tends to be pretty popular. People like the things that NASA does, so it's pretty hard to just trash NASA if you're a politician. It's not going to go over that well. So they'll say very nice things about the people who work at NASA and the very smart scientists and astronauts and everything. But there'll be, like, some little hidden piece of this - these nice words where they're actually proposing cutting some bit of funding, usually, or cutting off some, you know, some avenue of research. And with NASA, it's climate research. They don't want them doing that. That one can be sort of very insidious. It's also one of the only ones I actually sort of ascribe intent to. You have to mean to do this one. It can't be an accident. And sometimes I try to be generous in the book with letting it be an accident, although it usually isn't. That one, you really have to mean to do.
Dave Bittner: [00:18:24] Can you give us an example?
Dave Levitan: [00:18:25] So Ted Cruz, Texas senator - this was in March of 2015. There was a hearing in the Senate. He said a lot of really nice things. He said innovation has been integral to the mission of NASA. He spoke about the passion of the professionals at this fine institution. He quoted former astronauts, and then he started sort of making his pitch. He said it is time once again for man to leave the safety of the harbor and further explore the deep, uncharted waters of deep space. So this all sounds very nice, you know?
Dave Bittner: [00:18:56] Right. I'm on board so far. Yeah.
Dave Levitan: [00:18:57] Right. Exactly. And no one who is also in favor of NASA would think, oh, Ted Cruz is trying to cripple some part of NASA, but he was. The actual policy proposals that he was bringing up at this hearing cut NASA's earth science funding down to - I don't remember the exact levels, but he was basically trying to eliminate it. And he had some more lines about this. Should NASA focus primarily inwards or outwards beyond lower earth orbit? You know, he talked about disproportionate funding to earth science. I mean, it was this very sort of indirect way of saying, I'm trying to stop you from doing something which you're doing. And NASA, you know, is - along with NOAA - is one of the two main sources of climate science for the U.S. government.
Dave Bittner: [00:19:39] Right.
Dave Levitan: [00:19:39] So he's basically trying to end that by telling us how great NASA is. So unless you're sort of really paying attention to the details of policy proposals, these things can get by you, you know?
Dave Bittner: [00:19:50] So it's almost like a misdirection that a magician would use.
Dave Levitan: [00:19:54] Absolutely. Yes. It's, you know, focus on the shiny object over here while I, you know, saw someone in half over on that side.
Dave Bittner: [00:20:01] You said, you know, you were working doing fact checking. How did you find your own experience to be? Did you get better at detecting these sorts of things?
Dave Levitan: [00:20:09] That's an interesting question. To be totally honest, a lot of the errors or lies - you know, if I'm going to stop being generous - about science from politicians are not actually that hard to spot. There was a sense in that job of, this sounds sort of uncharitable, but of repetitiveness. You know, people would say - I mean, the same way that this line, not a scientist, became such a thing. Well, a lot of - some of these other specific lines would really come up a lot. So it's not like it was that hard to sort of find these things. Sometimes the sort of more obscure examples would take a lot of doing. And I did probably get better at digging into to how some of these errors happen 'cause some of them are not as straightforward or, in a way, as sneaky as what Ted Cruz was doing there, you know? Sometimes they're just hard to untangle, I guess.
Dave Bittner: [00:20:59] Right.
Dave Levitan: [00:20:59] So I did get better at that, I would say.
Dave Bittner: [00:21:02] What's your take on the tendency for people to go for this stuff? I'm left scratching my head quite often. Like I said, you know, I pound my head on the desk when I hear someone say, I'm not a scientist. But we seem to be, more and more, slipping into this era where there's almost a willful ignorance.
Dave Levitan: [00:21:19] Yeah. I mean, that's a great question. I mean, it's the kind of thing, you know, I don't think anyone has a particularly good answer for. I mean, people have written books about, you know, the death of expertise and things like that and how we don't listen to experts anymore. I can't claim to have a great idea of how to fix that or where it comes from. There's a problem of amplification, right? I mean, people have been able to say, you know, wrong things about any topic for forever. It's just that now they can spread much quicker and much more widely through a number of means. So I think maybe we notice them more, you know? I mean, you have more opportunity to slam your head on the desk...
Dave Bittner: [00:21:56] Right.
Dave Levitan: [00:21:56] ...Because you're seeing them happen sort of in real time and people being willing to accept them. Again, I can't say I have a great answer for why they're willing to accept them. I mean, I talk a lot about just the general need to improve scientific literacy in the country. That's a 10- or 20-year project, though. That's not something I have an idea for overnight.
Dave Bittner: [00:22:15] But I suppose - I mean, your book could be something of a guide to help people detect these sorts of things, to know and recognize when politicians are trying to deceive them or manipulate them.
Dave Levitan: [00:22:28] Well, I hope so. I mean, that was the idea - just that, you know, some people - most of us are not experts in these things. There can be a lot of topics that politicians talk about that are very complicated. Or if they're not directly scientific, they might have some scientific component to them and - yeah. I mean, I don't blame anyone for, you know, not being an expert on everything. So I think it - I hope it would help people, you know, sort of at least pay a little more attention when it seems like a politician might be trying to get something past you. That was the idea. I can't tell you how well it's working, though.
Dave Bittner: [00:23:00] Is your sense that much of this is being done out of malice, or do the folks who are saying these things generally believe what they're saying?
Dave Levitan: [00:23:08] You know, so in the book, I specifically sort of tried to avoid ascribing intent. To be honest, now that it's a year or so out, I actually sort of regret that decision (laughter). I think it's very hard to say that they're not doing it on purpose. I talk about a few things in the book where - there's an error I called the lost in translation, where, you know, some bit of scientific information gets really just mangled along the way from one source to another. There is a chance that the person talking about that really doesn't understand how that happened. That - and OK. Fine, you know? But even though the politicians themselves are not experts, as they are so willing to tell us, that doesn't mean they aren't surrounded by experts and, you know, a very willing internet (laughter)...
Dave Bittner: [00:23:53] Right.
Dave Levitan: [00:23:53] ...To help them figure things out at any moment, you know? There's no reason for elected officials to not have the best available information at their fingertips. So if they don't, then it means that they're trying to avoid it, you know? They're either, you know, sort of kowtowing to moneyed interests, to fossil fuel companies or to pharmaceutical companies or to whatever it is or they're just sort of pandering to a base that they know is sort of in favor of one policy or another. So yeah, I mean, I think for the most part, it's very hard to say any of this is an accident.
Dave Bittner: [00:24:25] All right. Joe, what do you think?
Joe Carrigan: [00:24:27] I liked this interview. I like listening to what Dave has to say. I almost wish he spent more time on oversimplification because I think that is a huge problem in American politics...
Dave Bittner: [00:24:35] Yeah.
Joe Carrigan: [00:24:36] ...With anything, with net neutrality, with climate change and with immigration. And I'll take climate change as an example. On one end, you have people screaming and yelling that there is no climate change. Nothing's happening. On the other end, you have people screaming that we're all going to die in 50 years because of climate change.
Dave Bittner: [00:24:51] (Laughter) OK.
Joe Carrigan: [00:24:52] Right? These are extreme views. Neither one of them is correct. There is something in the middle, somewhere very far from these two extreme views - maybe closer to one end than the other - that is actually the fact. And we can't get to it as the populace because there's too much noise going on and too much oversimplification of it.
Dave Bittner: [00:25:08] Right.
Joe Carrigan: [00:25:08] And the reason for that is because we, as people, don't have the time to sit down and try to understand these issues, right? We're busy, right?
Dave Bittner: [00:25:17] Yeah. I would say that, you know, we need to do a better job at teaching people critical thinking and...
Joe Carrigan: [00:25:22] I would agree with that 100 percent.
Dave Bittner: [00:25:24] And how to...
Joe Carrigan: [00:25:24] And his point on scientific literacy is absolutely accurate.
Dave Bittner: [00:25:28] Yeah.
Joe Carrigan: [00:25:28] You really do need better scientific literacy in this country. I'll even go farther and say we need better mathematic literacy in this country as well...
Dave Bittner: [00:25:35] OK.
Joe Carrigan: [00:25:35] ...Because that promotes logical thinking and decomposition and things of that nature.
Dave Bittner: [00:25:39] Yeah.
Joe Carrigan: [00:25:39] I find it interesting that he says that people in power want to trick and deceive you to gain, you know - and, of course, the end game is to gain more power. And I'm like, well, yeah.
Joe Carrigan: [00:25:50] Don't trust these people. Hold them accountable. Watch them. Communicate with them. And ding them when they can, you know?
Dave Bittner: [00:25:55] Right.
Joe Carrigan: [00:25:56] The price of liberty is eternal vigilance.
Dave Bittner: [00:25:58] Right.
Joe Carrigan: [00:25:58] I would disagree with Dave about his statement that politicians are surrounded by experts. That's true. But they also have a very willing internet to support them. I don't think politicians should pay very much attention to the internet. I think that's a very bad idea. It's a great place for people to feed you misinformation and wrong information. And we've seen that coming to light in recent years. Politicians are not immune from the same kind of manipulation that the populace falls victim to.
Dave Bittner: [00:26:23] Yeah. It's an interesting change in the way information is both gathered and disseminated.
Joe Carrigan: [00:26:27] Right. And it's never verified.
Dave Bittner: [00:26:29] Yeah.
Joe Carrigan: [00:26:29] So I don't think looking at people on the internet for your scientific stuff - I don't mean don't get papers off the internet. Read papers on the internet. That's what you should be doing. But have your experts do that, and have them go to verified sources.
Dave Bittner: [00:26:41] Right, yeah. Be careful with your sources, I guess, is...
Joe Carrigan: [00:26:42] And peer-reviewed journals are a big thing and very important. There was a recent study - I can't remember where I saw this. But somebody wrote a complete and total bogus article and published it in a journal that you pay to publish articles in. And news outlets picked up on it because he put out press releases. And it was an experiment in how he can take something that looks like it's scientific and promote it, but it's complete and total bunk...
Dave Bittner: [00:27:05] Right.
Joe Carrigan: [00:27:05] ...From front to back.
Dave Bittner: [00:27:06] Yeah, interesting.
Joe Carrigan: [00:27:06] I'll have to look more into that one. That, actually, might be a good story for later in this "Hacking Humans" because...
Joe Carrigan: [00:27:11] It's a pretty good social engineering experiment.
Dave Bittner: [00:27:13] Yeah, yeah.
Joe Carrigan: [00:27:14] And finally, when Dave was talking about a lack of shame, that people have a lack of shame - I don't think that's what the issue is. I don't think that people have a lack of shame. I think what they've gained instead of losing shame is the ability to avoid shame by living in their own echo chambers. This is why I say don't get your political news from Facebook. Don't do it because there's been studies and a Wall Street Journal article about what your timeline looks like based on your political affiliation. Facebook wants you to look at things. They want you to look at their website, so they're not going to show you things that make you angry and turn it off. OK? So you stay in an echo chamber of your own beliefs. And that's what happens with the shame. So you say something on Facebook. And people who are like-minded like you come in and go, yeah. Yeah. That's right. That's right. And nobody ever will challenge you on it.
Dave Bittner: [00:28:02] Right, right.
Joe Carrigan: [00:28:03] So - probably because they don't see it.
Dave Bittner: [00:28:05] So you're not getting called out...
Joe Carrigan: [00:28:06] Right.
Dave Bittner: [00:28:07] ...Like you would in a...
Joe Carrigan: [00:28:07] You're not getting called out.
Dave Bittner: [00:28:08] ...Public square. I think that's a really good point. All right. Well, thanks to Dave Levitan for joining us. Again, the book is "Not a Scientist: How Politicians Mistake, Misrepresent and Utterly Mangle Science." We appreciate him coming on and spending time with us. That is our podcast.
Dave Bittner: [00:28:20] We want to thank our sponsor KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their CyberheistNews at knowbe4.com/news. Think of KnowBe4 for your security training.
Dave Bittner: [00:28:43] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [00:28:48] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:06] And I'm Joe Carrigan.
Dave Bittner: [00:29:07] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.