
Darknet Diaries

144: Rachel

Tue, 02 Apr 2024

Description

Rachel Tobac is a social engineer. In this episode we hear how she got started doing this and a few stories of how she hacked people and places using her voice and charm.

Learn more about Rachel by following her on Twitter https://twitter.com/RachelTobac or by visiting https://www.socialproofsecurity.com/

Daniel Miessler also chimes in to talk about AI. Find out more about him at https://danielmiessler.com/.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy, all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Transcription

0.049 - 20.023 Jack Rhysider

When I was in college, a scammer called me up. He's like, look, I'm not selling you anything or even telling you what to do. I just have information about a stock and I wanted to share it with someone. And you were just like the lucky guy I found in the phone book. Listen, stock Z is going to go up next week. That's all. I'll call you back next week to prove it.

20.743 - 43.592 Jack Rhysider

I was like, all right, that was a strange call. Whatever. And yeah, he calls me back in a week. And sure enough, the stock he told me about went way up. He was spot on. He was all excited about how much money he made. But I told him he just got lucky and he should cash out and take a trip somewhere. He's like, no, no, no, it's not luck. There's an algorithm that can accurately predict this.

44.252 - 61.927 Jack Rhysider

And he said he knew which stock was going to go up next. I was like, all right, so which one's going to go up next? And he tells me and says to keep an eye on it. And he's going to call me back next week to prove he was right. So, yeah, another week goes by and the same guy calls me back and he's like, boom, you see what I mean? And he was all excited again.

61.967 - 78.263 Jack Rhysider

And I was like, I don't see what you mean, but let me check the price. And I checked the price and again, he was right. And I was like, dang, good job. But I think you got lucky again. He said, no, he's been doing this for a solid year now and he's been right every time.

78.763 - 94.759 Jack Rhysider

And he tells me more about this algorithm and how he's analyzing different indicators and watching the stock market extremely close and just has everything dialed in. And he tells me about another stock that he says is surely going to go up. And I'm like, okay, call me back in a week. Let's see if you're right.

95.379 - 114.465 Jack Rhysider

And sure enough, after a week, I checked and he was right again, three accurate stock price predictions in a row. And he called me back and he's like, dude. And I'm like, dude. And he's like, you see that? I said, I saw that. How are you doing this? And he's like, I cracked the code. But then, like the snake he was, he tried to strike at me.

114.925 - 134.077 Jack Rhysider

He said, listen, the next one is the craziest one I've ever seen. There's this company whose stock price is going to explode. But the best part is they're in the initial investor round. So you can get in on the ground floor if you want. How much do you want to invest? Ten grand? You've slept on three of these. You're not going to want to miss another, right?

137.667 - 146.869 Jack Rhysider

I'm a college kid, dude. I've got 30 bucks in the bank. I don't have 10 grand. And he's like, oh, crap. He hung up the phone.

148.29 - 165.715 Jack Rhysider

But this fascinated me. Who was this guy that was always getting the stocks right? What was his algorithm? So I looked into it. I met with a stockbroker and I asked him, how is this possible? And he's like, oh, that guy was a scammer. And I'm like, duh, I know. But how did he get the stocks right every time? And this guy broke it down for me.

165.755 - 183.148 Jack Rhysider

He said, okay, that guy called up a whole bunch of people on week one, told half of them the stock was going to go up, told the other half the stock was going to go down. Then he called back the people who he was right with. And he told half of them about another stock that would go up. And the other half, he would say that stock's going to go down.

183.709 - 202.7 Jack Rhysider

And then he did it a third time, calling back the people he was right two times with, telling half of them that the stock is going to go up and the other half saying it's going to go down. So by the time he did that three times, he had this small pool of people who he was right with every time. But really, he was just playing a math game with his victims.

203.96 - 221.028 Jack Rhysider

And I think this is such a long but brilliant scam. Seemingly, this guy was golden, perfect, getting it right every time. But what I didn't know is that he was getting his predictions wrong all over town. And I was just one of the unlucky few that saw him get it right every time.

225.754 - 236.903 Jack Rhysider

These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.

253.894 - 270.261 Jack Rhysider

Support for this episode comes from Delete Me. Feels like a war out there. Companies all over trying to scrape and store all kinds of personal data about me. My phone number, address, family members, where I work, sexual orientation, club affiliations, income level, what kind of car I drive. It's just endless.

270.782 - 289.621 Jack Rhysider

And every now and then I Google myself and just get freaked out about the amount of data there is about me out there. This is why I use delete me. I registered there and told them what to look for about me. They were able to discover what sites have data on me and took steps to get that information removed for me. That's my favorite part. It's like getting help in this war.

289.961 - 306.257 Jack Rhysider

Their scouts know exactly where to look and they'll tell me what they found about me. And if they can't remove it themselves, they'll give me recommendations on how to get it removed or mitigate it. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners.

306.617 - 336.795 Jack Rhysider

Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to Join delete me.com slash dark net diaries and enter code DD 20 at checkout. That's join delete me.com slash dark net diaries code DD 20. This episode is sponsored by Mint Mobile.

337.115 - 353.249 Jack Rhysider

With big wireless providers, what you see is what you get. Somewhere between the store and your first month's bill, the price you thought you were paying magically skyrockets. With Mint Mobile, you'll never have to worry about gotchas ever again. When Mint Mobile says $15 a month when you purchase a three-month plan, they mean it.

353.849 - 372.867 Jack Rhysider

All plans come with high-speed data, unlimited talk and text, and you can use your own phone with any Mint Mobile plan and bring your phone number along with your existing contacts. To get this new customer offer with your new three-month premium wireless plan for just $15 a month, go to mintmobile.com slash darknet. That's mintmobile.com slash darknet.

373.348 - 398.307 Jack Rhysider

Cut your wireless bill to $15 a month at mintmobile.com slash darknet. $45 upfront payment required, equivalent to $15 a month. New customers on first three-month plan only. Speed slower above 40 gigabytes on unlimited plan. Additional taxes, fees, and restrictions apply. See Mint Mobile for details. Gather around. In this episode, we're going to hear stories from Rachel Tobac.

398.647 - 409.96 Jack Rhysider

And she's one of the best social engineers I've ever met. Let's start with your origin story. As a kid, how did you get interested in this type of work?

411.301 - 435.491 Rachel Tobac

Okay, my origin story. So... My first time that I ever thought about being any sort of hacker was when I realized that being a spy is a job that people do. And it's a job that girls could do. And I learned this through the movie Harriet the Spy. She goes around sneaking into people's houses, spying. She takes her notebook everywhere.

436.292 - 448.458 Rachel Tobac

She sneaks through the dumbwaiter in this rich woman's house and gets caught. And I just thought, oh my, I had no idea that a girl could be a spy. So that basically became my personality for my childhood.

448.698 - 452.8 Jack Rhysider

Did you get into computers when you were older or still in middle school, I suppose?

453.522 - 475.218 Rachel Tobac

I did not get into computers. I wanted to get into computers. I went to my guidance counselor in, I think, sixth grade. And I said, hey, I want to take these coding classes. And my guidance counselor, she said, Rachel, you don't want to take those coding classes. Those coding classes are 40 boys. You'd be the only girl there. Just take home ec instead. Wow.

476.084 - 476.744 Jack Rhysider

Are you serious?

476.884 - 496.85 Rachel Tobac

I know. And me being a child, I was like, oh, good call. I mean, yeah, I don't want to like blame her for like me never learning to code. I mean, I could have tried later in life, right? People try later in life all the time. But no, I've actually never written a single line of code. I ended up getting my degree in neuroscience and behavioral psychology. I was a teacher's assistant for statistics.

496.91 - 498.77 Rachel Tobac

I never got into code.

499.691 - 500.511 Jack Rhysider

Neuroscience?

501.314 - 522.356 Rachel Tobac

Yeah. So my path to InfoSec and hacking, to the untrained eye, it doesn't make any sense. It's almost completely nonlinear. To me, looking back, it makes a lot of sense. So I got my degree in neuroscience and behavioral psychology. I was doing improv on the weekends. I was a teacher. I then was like, hey, I want to try and get into tech. I moved to San Francisco.

523.277 - 547.707 Rachel Tobac

I was a community manager at a tech company. I actually ended up leading a UX research team. And then while I was at that tech company, my husband was in security the entire time. I actually met my husband in high school. I met him when I was 15 years old. So my husband was like, hey, I heard about this thing called DEF CON. I think you would get a kick out of it. And I was like, uh, pass.

547.947 - 549.188 Rachel Tobac

I think I'm not going to do that.

550.543 - 568.332 Jack Rhysider

Okay, so DEF CON is the annual hacker conference in Las Vegas. It's wild there. You'll see people walking around with antennas sticking out of their backpacks, talks about how to bypass just about anything on a computer, and tons of villages that focus on specific areas of hacking. The Social Engineering Village is one of the more popular ones.

568.633 - 574.776 Jack Rhysider

And when Rachel's husband went into this village and saw what they were doing, he immediately called her up to tell her what he was seeing.

575.136 - 595.185 Rachel Tobac

They do this thing where... They put you in a glass booth. It's soundproof in front of an audience of 500 people. You call companies and you try and solicit information out of them over the phone. It's the exact same skill that you use every month to get the bill lowered. When you call these companies, you build rapport, you get a deep discount on things like the cable bill. You'll love it.

595.205 - 598.727 Jack Rhysider

And she's still like, no, I'll pass. Thanks.

599.187 - 617.113 Rachel Tobac

He called me back and he's like, I just saw more of these calls, these social engineering calls. You have to come. Like, I promise you, if you don't like it, we'll just go gambling. As an aside, I love gambling. So I was like, okay, fine. I pack my bags. I get the first flight out Saturday morning.

617.153 - 625.016 Rachel Tobac

And as you know, if you're at DEF CON Saturday morning, it's like DEF CON's like a third over at that point, if not more. So I show up, I see a few calls.

626.175 - 644.271 Jack Rhysider

What she's watching was the social engineering contest. There's 14 contestants and they're given the task to basically get enough information to hack into a company all through phone calls. So you have to prepare and figure out who would be an easy target to get information from and what's their phone number.

644.932 - 658.437 Jack Rhysider

And you better have backup numbers in case the person you call doesn't answer or hangs up on you. Once you do get someone on the phone, you get points for every bit of security data you can get off them. So if you can get them to tell you what operating system they use, you get a point or a flag.

658.457 - 673.786 Jack Rhysider

And maybe from there, you try to figure out what browser they use, information about their security guards, what janitor service they use. You can't just ask these questions directly. It raises suspicion. So you've got to provide a pretext or pretend to be someone else.

674.467 - 696.447 Jack Rhysider

Maybe someone who works in another department or someone brand new to the company who doesn't know anything but urgently needs to get a report done today. It's tricky. It's intense. It's high stakes because if you get caught on the phone, you're burned, and now you don't get any points. And the best part is the audience gets to watch all this live.

696.888 - 704.977 Rachel Tobac

I see a few calls and I'm like, oh my, this is me. Like, I can do this. I was born for this. And my husband was like, I know, right? I told you.

707.034 - 721.566 Jack Rhysider

So she immediately is like, OK, how do I compete in this? And yeah, it's a whole process. You need to submit an application, create a video of yourself and stand out from the crowd because only 14 are chosen to compete out of hundreds of people who try out for it.

722.047 - 737.337 Rachel Tobac

And I was like, oh, I got just the thing. I made this Twin Peaks style video to convince them to let me get in. And somehow they agreed to let me participate. Hundreds of people apply and 14 contestants are selected every single year.

737.357 - 750.379 Jack Rhysider

Now, they actually give you the target company that you have to attack ahead of time. So you can do your research on it, a lot of research if you want, because you want to find as much information as you can about this company, like going through Google searches or just looking at public places.

750.78 - 768.663 Jack Rhysider

Maybe you get a list of people and phone numbers to call so that when it's your turn to call, you know exactly who to call and what questions to ask. In fact, it becomes quite a lot of work to prepare for that moment for when you're going to call someone. You could spend a solid month learning everything you can about your target company so you can shine when you're in the booth.

769.103 - 789.97 Jack Rhysider

It was a major consulting firm is really all I can say. Now, these companies don't know they're about to get hacked. It's really extraordinary to watch. It's basically a live hack with an unsuspecting target. So she gathers as much intel as she can and heads to DEF CON to compete. I get in that glass booth. Now, all eyes and ears are on her.

790.451 - 801.763 Jack Rhysider

Not only does she have to trick one person on the phone to give her the information they shouldn't be giving her, but she needs to do it in front of an audience. But she's done improv before and was absolutely ready for this.

802.324 - 823.135 Rachel Tobac

I contact my target company. I pretend to be an employee who's confused, who's just starting out. And I end up getting flag after flag. And I get out of the booth and I'm like, maybe I did okay. And then there's like a standing ovation. I'm like, oh, maybe I did better than okay. And I ended up getting second place that first time ever hacking anybody.

823.155 - 826.677 Rachel Tobac

That first time ever hacking somebody happened in a glass booth in front of 500 people.

828.237 - 840.943 Jack Rhysider

Dang, second place. Of course, now she's hooked. That was fun as hell. The nerves, the adrenaline, hacking, and social engineering, all of this she was just craving more of. So she applies to compete again the next year.

841.283 - 845.685 Rachel Tobac

And then I ended up getting second place the second year, and I got second place the third year as well.

847.586 - 856.33 Jack Rhysider

Competing three years in a row in the social engineering contest and getting second place all three years, that's what started her career in social engineering.

856.903 - 880.154 Rachel Tobac

After folks started seeing me get second place at DEF CON, they'd see me on stage, they'd be like, hey, I want to chat with you. Can you come speak at my company about how you hack and how we can catch you? And I live in Silicon Valley, so I got really lucky that people started asking me to do things that, like, are a job, right? Like, I'm like, oh, I guess I need to make a company.

880.495 - 897.451 Rachel Tobac

So I made Social Proof Security in 2017. And I mean, I live in Silicon Valley, I was so lucky. Some of my first clients were like Facebook, Snapchat, PayPal, Twitter. And from there, it was like US Air Force, NATO, Uber, Google, Cisco. It's like, oh, my gosh, you know, I feel like I just got really lucky in this life.

899.738 - 920.672 Jack Rhysider

The crazy thing is that I've heard this story over and over. Someone who has no interest in hacking goes to DEF CON, sees the social engineering stuff going on there, immediately wants to compete, does pretty good in the competition, and then decides to do that for a living and start their own company. It's mind-boggling how many lives have changed from people attending DEF CON.

921.072 - 937.595 Rachel Tobac

Oh, it's totally wild. I mean, if you would have asked me decades ago, like, what did you think you were going to get into? The word hacker would have never even made the top 100 list because I didn't know it was possible, didn't know it could be a job, and I certainly didn't think I would be good at it.

938.136 - 957.633 Rachel Tobac

When I saw the concept of a hacker in TV or movies, it was usually a guy who wore a hoodie in a basement. I mean, I wear hoodies and basements are fine, but I didn't think that I was going to be good enough. Yeah, you just have to see yourself in the position. And I've had multiple women come up to me and say like, hey, I saw you in that competition.

958.053 - 963.256 Rachel Tobac

Didn't realize it was possible for people like me. And now I do this for a living.

964.818 - 982.706 Jack Rhysider

Okay, so she started a company called Social Proof Security, which is basically social engineering for hire. And companies were starting to hire her to see if they were vulnerable to social engineering attacks and what they can do to stop them. And of course, I'm fascinated by these social engineering stories. How do you hack into a company with just your voice or your charm?

983.006 - 1000.101 Rachel Tobac

So a bank hired me to penetration test them. Effectively, they hired me to hack them. And they told me that I could hack via phone call, email, or chat. And my job was to take over multiple accounts and steal access, effectively steal the money out of the accounts.

1000.261 - 1002.644 Jack Rhysider

You want to steal money out of customers' accounts?

1003.244 - 1028.956 Rachel Tobac

Yes. And when we do a penetration test, it's very particular. I don't want to steal money from everyday people. That would be horrible and really scary for bank customers to just randomly have money stolen because of a pen test. So what we do is we create fake bank accounts. We work with the team on the back end so that the support organization, for all intents and purposes, sees a real customer.

1030.014 - 1038.579 Rachel Tobac

But we've created fake bank accounts for me to steal so I don't actually harm real people. But the support team doesn't know they're fake.

1039.16 - 1053.488 Jack Rhysider

Okay, so this company is a bank, and she's told that she can target customer support to see if she can access a customer's bank account. And she's given the options to use a phone call, email, or chat to get through.

1053.509 - 1076.317 Rachel Tobac

That's right. So I started with the chat feature. And I posed as a customer to see if I could take over a customer account with just chatting. So I told the bank support people my sob story. I lost access to my phone, my email, my laptop. I got lost and I had a night out and I'm traveling abroad. I mean, like the whole story, right?

1076.977 - 1096.273 Rachel Tobac

And I really need access to my bank account because I'm stuck and I don't have money. And the first thing that I usually try when I'm trying to do an account takeover is I try to see if I can get them to change the email address or the phone number on the account. Because if I can do that, then I can change effectively the admin on the account.

1096.993 - 1115.539 Rachel Tobac

Just by changing the email address, I can then reset the password or reset to a phone number that I control. There's SIM swapping and all of that that could happen after that. But, you know, that's basically how it works. And they're like, oh, well, we can't do that because we need to only send the password reset to the email address already on your account.

1116.138 - 1118.119 Jack Rhysider

Good for them. That's the protocol they're supposed to follow.

1118.339 - 1138.524 Rachel Tobac

That's exactly right. So good job, bank. Horrible for me as the pen tester. A lot of times I have to play both sides of this game. I have to train the company and update their protocols to prevent people like me from getting in. But when I'm first attacking them, it's so frustrating. So I try chatting with multiple other support people. I'm trying again and again.

1138.784 - 1162.664 Rachel Tobac

They will not make any exceptions for me. It doesn't matter my pretext. That's who I'm pretending to be. It doesn't matter how I contact them, what I say, my story, nothing. So I decide to switch to phone call-based attacking because I tend to be much more successful. So I switched to phone calls. It leaves less of a paper trail. People tend to get less suspicious because I can build rapport.

1162.684 - 1173.268 Rachel Tobac

They can hear my voice. They can hear how trustworthy I sound. And also when I'm calling, I can spoof phone numbers. And a lot of times that helps me gain access.

1174.028 - 1196.346 Jack Rhysider

Spoofing phone numbers. How is this still possible? You can download an app from the mobile app store, and within a few taps, you can change what phone number you're calling from to have any phone number you choose. So you can make it look like where you're calling from is not actually where you're calling from. Now, when I was young, I used to do this with emails.

1196.746 - 1204.995 Jack Rhysider

I would love to send emails to my friends pretending to be from the FBI or the President of the United States. And I'd be like, Bill, you're in serious trouble.

1205.035 - 1211.102 Jack Rhysider

We're coming to get you. And then my friend Bill would be like freaking out. And it was awesome fun.

1211.783 - 1227.777 Jack Rhysider

But then the email protocol got updated. They implemented SPF records somewhere around 2006, and this ensures that the place you sent the emails from is where the emails are supposed to come from. This effectively put an end to email spoofing.

1228.357 - 1247.173 Jack Rhysider

Of course, not all companies configure their SPF records properly, and you can still spoof it, but at least the option is there if you want to block someone from spoofing your email. But for phones, which have been around a lot longer than email, it's an unpatched vulnerability in my opinion. You can still spoof phone numbers.

1247.613 - 1265.809 Rachel Tobac

Yeah, it's kind of wild. In the U.S., right now it's still possible because all of the telcos have to make the same decisions at the same time. And unless all of the companies get together and make the same choices, it's going to be really hard to implement the right solution. So at least in the U.S., spoofing is still really possible for me.

1266.246 - 1287.596 Jack Rhysider

Now, since phone companies refuse to fix this, their solution was to help pass a law making it illegal to spoof phone numbers. So for now, it just seems like telephone companies are just relying on the police to help keep people from doing this. But to me, this is an awful way to secure things. Telephone companies can fix this if they want.

1288.416 - 1307.928 Jack Rhysider

But while I see this as a vulnerability, telephone companies have historically said, wait, why are you using telephone numbers as identifiers? They were never meant to be identifiers. And they put the blame on us for doing that because for a long time, our phones didn't have screens. So we never knew who was calling until you picked up the phone and said hello.

1308.608 - 1328.617 Jack Rhysider

But then telephone companies gave us caller ID where our phones would show who's calling. And so I do blame telephone companies for making us think it is an identifier since they were charging extra for that feature back in the 90s. And mobile phones today all come with this feature. So I say, phone companies, turn caller ID off if you don't want us to use it as an identifier.

1328.997 - 1348.702 Jack Rhysider

Otherwise, patch it so phone numbers can't be spoofed anymore. So anyway, Rachel was trying to get into a customer's account. Let's call the customer Kelly. And she figured out what phone number Kelly had. And Rachel spoofs her number to look like she's calling from Kelly's phone.

1348.962 - 1367.807 Rachel Tobac

I spoof my phone number. I make it look like Kelly on the account. And by the way, on data brokerage sites, when we're doing OSINT, open source intelligence, typically we can find most people's phone numbers within a minute or two. So when we're searching, we can just know, okay, this is Kelly. This is Kelly's phone number. I'm going to go ahead and spoof that. I set that up.

1367.967 - 1379.299 Rachel Tobac

It usually costs me a dollar or so on the tools that are available on the app store. These are not like heavily regulated. You can just find them on the app store. And I go ahead and I place that call.

1381.26 - 1383.802 Jack Rhysider

Can you give me an example of how you sound on these calls?

1383.822 - 1386.484 Rachel Tobac

You're going to make me act.

1387.064 - 1387.304 Jack Rhysider

Yeah.

1387.584 - 1397.911 Rachel Tobac

Okay. Okay. Give me one second. I got to get into character. I'm going to change my clothes so I can get into character. Here we go. Okay. Here we go. Ring, ring, ring. Oh, wait. We both said ring. Okay.

1398.732 - 1400.553 Jack Rhysider

Thank you for calling the bank. How can I help you today?

1401.694 - 1416.717 Rachel Tobac

Hi, I am so sorry. My name is Kelly Smith. So I'm traveling right now and I just lost my laptop. My phone's not working. I cannot get access to any of my funds. I'm super stressed out. Can you please, please help me?

1420.215 - 1433.512 Jack Rhysider

That was good. I won't make you do more. Thank you. So, yeah, I mean, they've got a script that they go through where they're just like, okay, well, you know, do you have the last four digits of your phone number or whatever the case is to verify you?

1433.532 - 1436.336 Jack Rhysider

Is that how you're challenged or what happened?

1436.596 - 1460.973 Rachel Tobac

No. So this bank knew that KBA, knowledge-based authentication, things like what's your address? What's the last four digits of your phone number? This bank knows that that information is very easily found online. So they don't use KBA, knowledge-based authentication, to verify your identity. They usually use MFA, multi-factor authentication. Now, this is great. This is exactly what I recommend.

1461.333 - 1479.6 Rachel Tobac

You know, send a code to the email address on file and make them read it out to you rather than going through this process of verifying identity with information that can be found by an attacker in five minutes online. So that's good. But as an attacker, that's going to be a challenge because I don't have access to that email address.

1480.461 - 1501.333 Rachel Tobac

And when I'm spoofing a phone number, I actually can't receive text messages. And if they call back, I'm not going to be the one that answers that phone call. I'm just spoofing. It looks like I'm calling, but I don't actually have access. Now, of course, I could SIM swap and many criminals will do that. But for the purposes of this pen test, that's not what I'm testing. So they say, okay,

1502.332 - 1522.656 Rachel Tobac

We have an edge case here. Let me see if I can talk to my manager and have you send in a picture of your driver's license, your social security card, and a utility bill. And instantly I'm like, okay, bingo. We're in. The other half of Social Proof Security is my husband, Evan. He does all the technical stuff. I do all the human hacking stuff.

1522.816 - 1526.897 Jack Rhysider

This is great because I need a fake driver's license. So I can't wait to hear how you got a fake driver's license.

1527.197 - 1541.792 Rachel Tobac

No. Okay. So my husband, Evan, he gets to work editing a driver's license, a social security card, and the utility bill to the exact information that they're expecting for this account, which again, we can find through a data brokerage site.

1542.833 - 1566.199 Rachel Tobac

So we're hoping that this company does not know the actual driver's license number, the actual social security number, and they're just looking to ensure that the name and address that are on the account match those documents. I can find those pieces of information through OSINT. And a lot of times I've noticed that when they ask for these types of documents, they don't know the right info.

1566.239 - 1568.68 Rachel Tobac

They're just hoping that it matches and they stop there.

1569.941 - 1579.625 Jack Rhysider

So you didn't need a real driver's license, social security card. You just needed a JPEG, right? Correct. And that's the trick there. Photoshop was your friend.

1579.705 - 1605.715 Rachel Tobac

Photoshop, yes. We spend all night on these driver's license, social security cards and utility bills of the accounts we're trying to hack. I email the bank at 8 a.m. the next day. I tell them my story. I tell them the edge case that we have set up with support. I send them the driver's license and social security card and utility bill. By 9 a.m., I have full admin access to the bank account.

1606.856 - 1622.487 Rachel Tobac

I have changed it to be controlled by my attacker-controlled email address, and I can steal all of the money in the account. So once I finally get in, I have access to everything. I use the same method again and again. I get access to two more accounts throughout the day.

1622.507 - 1634.976 Rachel Tobac

I end up spreading out the requests so that we're not raising suspicion with the same attack method over and over again, back to back. And in the end, we took over each bank account that we were asked to hack within two days.

1636.949 - 1660.94 Jack Rhysider

It's truly astonishing, the sheer force of the human voice, its ability to persuade, to move, to manipulate, all through a simple phone call. It also reminds me of how vulnerable customer support is to this kind of exploitation. When you're met with a soft voice telling you a sad story, but wrapped in kindness, it tugs at your heartstrings.

1661.54 - 1676.503 Jack Rhysider

You find yourself eager to assist, especially if you just got off the phone with a real prick who was yelling at you about overcharging him 10 cents. Contrast that with a kind voice that's truly asking for help. And it really makes it hard to say no.

1677.273 - 1694.118 Rachel Tobac

I know that in a lot of these organizations, there are edge cases. So I'm helping companies say, okay, we did this pen test. We figured out what the edge case is. We figured out how we got access. How do we make sure we don't fall into this trap next time when the real criminals get here?

1694.838 - 1714.769 Rachel Tobac

So I then help them with, okay, let's set up some edge cases back to back so that we have something like a callback. That would thwart spoofing. If you don't want to use that, you can use email verification, one-time passwords, you know, sending a code or just a word to the email on file and having them read that out. SMS verification.

1715.39 - 1732.906 Rachel Tobac

Okay, they claim they're calling you from this phone number, but maybe they're just spoofing it. See if they can read out a text message, callbacks to thwart spoofing, service codes, PINs or verbal passwords. If it's some sort of internal support ticket, you can loop in a manager.

1732.986 - 1751.708 Rachel Tobac

There's so many ways to do this right that a huge part of the pen test is not just hacking the company, but helping the company figure out what is a real practical way that we can solve these edge cases in the future to verify identity the right way and make it harder for you to get in the next time. Because I'll go in, I'll make it harder for me to get in as an attacker.

1751.888 - 1760.84 Rachel Tobac

And then the next year, I'm like, oh my, this is so hard for me to get in until the point where I can't get in anymore. And that's when I'm like, okay, you've done the most that you can do.

1761.561 - 1781.503 Jack Rhysider

It's time for a sponsor break, but stay with us because Rachel has a few more stories that she's going to share with us. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work.

1781.904 - 1801.594 Jack Rhysider

If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.

1801.974 - 1823.002 Jack Rhysider

But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.

1823.402 - 1849.376 Jack Rhysider

Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. On another engagement, Rachel was hired by a company to help them sort out an issue that they kept encountering.

1849.757 - 1864.051 Jack Rhysider

It was a large technology company who would sometimes buy or acquire smaller companies. Now, when you're buying another company, you typically want to keep it quiet until the official announcement. It could affect share price or cause panic in the company if things aren't communicated properly.

1864.591 - 1883.935 Jack Rhysider

But for some reason, when this technology company would do any merger or acquisition, it would get scooped by some news agencies. The announcement would show up on news sites way before the company was ready to tell the world. So this company was like, Rachel, maybe you can help us figure out how this news keeps slipping out ahead of schedule.

1884.215 - 1900.719 Rachel Tobac

And so they approached me about doing a pen test to figure out how this M&A info was getting leaked. where they could possibly improve their training, their messaging, their internal protocols to figure out why is this happening? Why are folks being incentivized to talk about this and what can we do about it?

1900.899 - 1908.062 Jack Rhysider

When you hear this, what's your mind first go into? Like, you've got an insider threat somewhere. You've got a breach, an active breach.

1908.282 - 1928.498 Rachel Tobac

Yeah, so insider threats happen. But what is usually most common is people just make a mistake. I kind of live in this world where I assume that people are making mistakes and I try and help them. So we came out with a few different attack methods that might work to uncover where this is happening.

1929.339 - 1945.924 Rachel Tobac

Number one, I was going to attempt to pose as a journalist and reach out to various team members, asking them via social media DMs, email, text message, et cetera, about their experience in tech and see if I could siphon out M&A info and just see where it goes.

1946.894 - 1965.536 Rachel Tobac

And number two, I was going to apply to their product manager role, go through the entire hiring process and see if I could extract M&A related info during the question portion of the hiring interview. I did not know what was gonna work and what wasn't, but I just wanted to try both.

1968.598 - 1981.243 Jack Rhysider

All right. So if you're going to pose as either one of these people, it sounds like you're going to need a LinkedIn account or at least some online presence. You can't just show up as a nobody, right? Or I mean, at least it helps establish your background and your pretext.

1981.583 - 1982.124 Daniel Miessler

Definitely.

1991.407 - 2004.937 Rachel Tobac

So we call these ghosts, we call them sock accounts. Sometimes they'll be real people, and so we'll fashion them pretending to be a real person. Sometimes they'll be fake people, and they'll just have this full life online.

2005.717 - 2026.61 Rachel Tobac

With the fake journalist, I figured it was going to be a lot easier to pretend to be a real journalist and just not actually be them than create an entire persona of a fake journalist and populate real content. So I built a fake journalist pretext, email, background, and social media based on a real journalist who I'm not going to name, of course.

2027.85 - 2055.175 Jack Rhysider

Interesting. Rachel tried to be another journalist that actually exists, maybe by doing something like using a similar email address or social media accounts. But the question is, how do you know who to ask in a company to get information about upcoming mergers and acquisitions? These are typically closely guarded secrets, right? But there is a website that's extremely helpful to social engineers.

2055.956 - 2074.18 Jack Rhysider

There's a website that lists pretty much every company and most of the employees that work there. And it tells you their job title, role, what duties they have, and full name. The website is LinkedIn.com. And personally, I feel like LinkedIn is a security risk to most companies on there.

2074.64 - 2097.401 Jack Rhysider

It makes it really easy for someone like Rachel to go down the list of people who work at a company and pinpoint the exact person to target. Once you have their name, it's probably easy to get their email address. It's usually first.lastname at companyname.com. I mean, not only is there a list of people who work at most companies on LinkedIn, but they like to list their skills too.

2097.961 - 2119.2 Jack Rhysider

And if someone says they've worked for a company for 10 years as a database admin, and specifically they say they're excellent at Microsoft SQL Server, now you can guess with high confidence this company runs Microsoft SQL Server internally, and this person probably has the admin password for it. And we all know how susceptible people are to phishing emails.

2119.76 - 2140.31 Jack Rhysider

I mean, my opinion is if you list stuff like that, you're just putting like a big old beacon over your head saying, hey, I'm the person you're going to want to hack if you want to get in the database of this company. Come at me. Essentially, the private information that should just be kept inside the company is posted publicly for anyone to see on LinkedIn.

2140.95 - 2164.164 Jack Rhysider

And I mean, here's a story where the company is wondering, hey, how come the public knows about one of our internal memos? I say start by auditing what your employees are posting to LinkedIn. If the company is totally cool with all this internal stuff getting posted publicly, then maybe that's perpetuating a culture where it's okay to blab about exciting news to whoever asks.

2165.806 - 2170.931 Jack Rhysider

I had someone message me on LinkedIn the other day asking me, hey, how can I get my data taken off the internet?

2171.812 - 2177.677 UnnamedCaller

Like, is this your photo? Is this where you work? Is this where you went to school? Is that your actual name?

2178.438 - 2199.924 Jack Rhysider

And you posted all this to LinkedIn and you're wondering how come the internet knows all this stuff about you? Because the thing is, a lot of what data brokers know about us is from the stuff we post publicly. Data brokers are scouring our social media profiles, our blog posts, and any mentions of us on the internet. And then data brokers store all that information about you that you posted.

2200.264 - 2215.861 Rachel Tobac

It's frightening. And I mean, the reality of the situation is that anybody can do a full background search in less than five minutes on most people in the U.S. And people don't realize that this information is out there about them. They have no idea that it's being sold. They just don't Google themselves.

2216.301 - 2225.712 Jack Rhysider

I say we should take our own privacy seriously because the more we don't care about our privacy, the more companies won't care about your privacy.

2226.849 - 2247.152 Jack Rhysider

Anyway, as you can imagine, Rachel had this target company and was able to quickly guess at who might know about upcoming mergers and acquisitions and started hyper-targeting them, doing full background searches on them, gathering up their details, and just started reaching out, acting like a journalist, emailing them, wanting to see if she can easily get this information from people.

2247.62 - 2261.151 Rachel Tobac

Exactly. Or we can reach out over social media DM, you know, DM on LinkedIn or Twitter or Instagram. And I mean, that's the thing. Journalists really do reach out using all of those methods. So it's hard to know what's real and what's fake sometimes.

2261.931 - 2273.02 Jack Rhysider

But it didn't work. No matter who she reached out to or how convincing her backstory was, people weren't freely giving her information about upcoming mergers and acquisitions. This method wasn't working.

2273.527 - 2293.072 Rachel Tobac

They let me know some minor details about excitement about potential M&A, but they're not going to confirm any juicy details. And I try to get people on the phone to talk with me, but I think there's just like this inherent distrust of this particular pretext. So I'm like, okay, I got to really go for the big guns here. I want to attack via the hiring process.

2294.752 - 2317.204 Jack Rhysider

Attack via the hiring process? What an interesting sentence to say. I don't think that idea crosses many people's minds, that people applying for jobs might have malicious intent. I've heard of the evil maid attack, but what's this called? The phantom applicant attack? There's a lot of information that you can get just from reading a job posting.

2317.464 - 2335.314 Jack Rhysider

Like when a company lists the job duties, it might tip their hand into what endeavors the company is going to do next or expose what technology they have in the company. And these things can be used against the company in social engineering attacks. I think if you read enough job listings, you could probably develop a map of the data center.

2335.894 - 2357.294 Jack Rhysider

Hacking into the company through the employment process is actually a decent attack vector. I don't think many companies would expect you to come in through that door. Anyway, what Rachel was going to do was pose as a job candidate and try to get an interview. And in the interview, she was going to see if she could get some insider information about upcoming mergers and acquisitions.

2358.098 - 2383.664 Rachel Tobac

Something to understand is as an attacker, this is not easy to do. I've never been a PM. So to apply for a PM role takes a lot of background research. I mean, I led a UX research team at a tech company. So I do have a sense of what a PM, a product manager does, but I am in no way prepared for a PM interview. So I have to study for three full weeks for this role. I'm watching YouTube videos.

2383.704 - 2396.553 Rachel Tobac

I'm doing interview prep quizzes online. I'm taking free online courses like, so you want to be a PM, like the whole nine yards. So I'm building a full persona, a resume, a Twitter, LinkedIn, Facebook.

2396.993 - 2410.262 Rachel Tobac

All of these sock accounts have photos, thousands of friends, reviews of my work from networking groups on LinkedIn, people I've never met that, like, you give them a review and they give you a review. All of this stuff is so gameable.

2411.129 - 2413.75 Jack Rhysider

I suppose this is stuff you do at Social Proof.

2415.031 - 2421.194 UnnamedCaller

There's just one person sitting over there like, hey, just keep making sock accounts all day, everything, because I'm going to burn through them so fast.

2422.295 - 2440.445 Rachel Tobac

Unfortunately, yes. We do change the names of many sock accounts, but then you have to populate a lot of new information. It ultimately takes me about three weeks to build a believable social media account and enough examples of previous PM work to get anywhere near convincing during the interview process.

2440.814 - 2444.075 Jack Rhysider

Did you get help at getting your resume to the top of the pile?

2444.515 - 2446.176 Rachel Tobac

No, I just had to apply.

2446.196 - 2449.677 Jack Rhysider

That's not easy. You know, there's a lot of people who don't get callbacks.

2450.958 - 2474.7 Rachel Tobac

Well, during this period of time, the tech hiring process wasn't as bad as it is in this current year. So I apply for the role. I get a phone screen. I am sweating bullets because if I don't get through this phone screen, I will not move on to a full interview process. I'm going to have to do a bunch of work to change my sock accounts on social media to match a new persona.

2474.72 - 2487.906 Rachel Tobac

It's going to be a lot more work for me. Luckily, it took like 45 minutes. I passed. I get moved on to the next round. The next round has six different interviewers.

2489.441 - 2490.242 Jack Rhysider

Is this in person?

2490.602 - 2491.923 Rachel Tobac

No, virtual, thank goodness.

2493.424 - 2495.885 Jack Rhysider

Did you try to gain any information on the first round?

2497.386 - 2498.647 Rachel Tobac

No, not during the phone screen.

2499.187 - 2501.689 Jack Rhysider

Because you were like, I'm going to wait for the right time.

2502.549 - 2524.075 Rachel Tobac

Yeah, I was terrified that they're going to be like, this person's a weirdo, like, let's not move them forward. So I waited until the actual official interviewers arrived. And it's going to be a packed day of interviews. I have six interviews back to back all day. These interviews are conducted over Zoom. I get all dressed up in my interview clothes that I haven't worn in years.

2524.175 - 2542.259 Rachel Tobac

I'm prepped with all my anecdotes, my strengths and weaknesses, my KPIs and success stories. And a lot of these examples I'm using are heavily focused on UX research because if you remember, that's something I used to do. And many PMs do have advanced UX research skills. So I'm just like hoping that they don't think that's weird.

2543.399 - 2555.933 Rachel Tobac

So I get to the first interviewer and the interviewer is like, okay, asking me all these questions. I seem a little nervous, but they're like, oh, you know, don't worry about it. It's going to be fine. We go through all the PM related questions.

2556.073 - 2559.277 UnnamedCaller

You're nervous for all the wrong reasons. That's what's funny here.

2560.178 - 2561.419 Rachel Tobac

I know, but I have to pass.

2562.287 - 2562.567 UnnamedCaller

Yeah.

2562.968 - 2563.768 Rachel Tobac

So I'm going through this process.

2563.788 - 2570.854 UnnamedCaller

I mean, they're used to people being nervous. And so I could see them saying, oh, it's fine. You're doing great. Don't worry about it. And you're like, oh, thanks, because I'm trying to hack you.

2571.274 - 2588.986 Rachel Tobac

No, see, the funny thing is when you're hacking people, a lot of times it makes sense for your pretext to match how you're actually going to feel when you're hacking. And a lot of times you are nervous when you're calling support because you can't gain access to your bank account. You are uncomfortable during an interview. These are normal human emotions.

2589.026 - 2616.213 Rachel Tobac

And so it's okay to not be way too overconfident. Sometimes that can even read as strange. So yeah, I mean, I'm sweating bullets. It's clear I'm nervous. We finally get to the end and the interviewer says, so do you have any questions for me about the role? I have never been sweatier in my life. This is it. If they get suspicious during this moment, all of my work is for nothing. So I say,

2617.951 - 2636.464 Rachel Tobac

I am so excited about this company. I hear there's a lot of opportunity for growth. I did a bunch of research. I did find a few news stories that mentioned XYZ potential merger. I know you can't confirm anything, but I just want to understand what an integration process looks like at your company during an M&A.

2637.204 - 2662.682 Rachel Tobac

I know you can't confirm anything again, but I just want to understand how my role could potentially change over time. The interviewer takes a beat and says, you're right, I can't confirm anything. And my heart sinks. I'm like, no, this person's trained. And then they go, but just because I can't confirm doesn't mean I can't talk in generalities, right? And winks, actually winks.

2662.702 - 2671.186 Rachel Tobac

I'm like, oh, this is going to be so good. So there's a lot of hand waving and, you know, I can't confirm, but throughout the rest of these interviews. But

2672.086 - 2693.263 Rachel Tobac

It seems that everyone at this company knows you're not allowed to say information in plain language about M&As, but that doesn't mean that I can't glean pretty serious details about the upcoming acquisition plans that have been clearly discussed internally. By the end of this day, I got M&A info out of three of the six interviewers. So 50%.

2694.534 - 2695.955 Jack Rhysider

What kind of info are we talking?

2696.395 - 2723.185 Rachel Tobac

Yeah. So they wouldn't tell me the names of the companies that were potentially going to be acquired. But I would say things like, I saw a rumor about XYZ company. Is this the type of company that you would be excited about? And then the wink, wink, hand-waving process starts of, you know, I can't confirm it, but we are interested in integrating things like XYZ.

2724.325 - 2748.827 Rachel Tobac

So I was able to glean information such that when I reported it back to the team, they were like, I mean, yeah, you got the right information. Nobody said anything in plain language, but you can get people to say things kind of beating around the bush. So in the end, I got M&A info out of 50% of the interviewers, three out of six. I debrief with the security team.

2748.847 - 2768.876 Rachel Tobac

I ask them when they want to discuss the results with the organization. They say, well, let's just wait up and just finish the hiring process so that it's not a distraction to them. And in the meantime, the next day, I actually get an email at the address I used to apply for this role, saying that I was being moved to the next stage of the interview process to get an offer.

2770.137 - 2776.6 Rachel Tobac

So not only did I siphon out the info I needed during the interview pen test, I also got the job, I guess.

2777.315 - 2779.056 Jack Rhysider

Well, congratulations. I hope that goes on your resume.

2779.156 - 2781.077 Rachel Tobac

I know, I should put PM on there.

2781.577 - 2791.742 Jack Rhysider

So she meets with the security team and explains to them how she found out about all these upcoming mergers and acquisitions. And together they had a chat about whether this was just an obscure edge case or a bigger problem.

2792.082 - 2820.075 Rachel Tobac

They realized that when they explained to people that they were not allowed to say the words of the acquisition, they realized that they needed to be clearer in their communication. That... No, just because you're not saying we are acquiring XYZ company, it doesn't mean that friends, family on social media, people can't glean information to understand, oh, they're interested in AI.

2820.115 - 2828.959 Rachel Tobac

This person's talking about how their role is going to change. They're talking about how much they love this specific technology and they're tagging certain companies on Instagram or Twitter.

2829.81 - 2851.508 Rachel Tobac

They realized that they needed to be much more specific in their protocols and language, saying, when we're planning an acquisition, once we talk about it internally, please do not talk about it even in a hand-waving fashion with friends or family or on social media. Don't talk about how your role is going to change on LinkedIn. Don't talk about what you're excited about upcoming on Instagram.

2851.528 - 2863.579 Rachel Tobac

They had to be really clear about that. And once they did that, those leaks stopped because it wasn't an insider threat. It was just people not 100% getting what an attacker is interested in and how they could find that info.

2864.54 - 2866.101 Jack Rhysider

Oh, so it did solve the problem.

2866.241 - 2880.434 Rachel Tobac

It did. Yeah, it doesn't necessarily mean that it's coming through the interview process. Now, maybe it was, but it's probably just that people in general at the company didn't understand that when talking in generalities, that can be used by attackers too.

2881.391 - 2887.553 Jack Rhysider

Yeah. And then you probably had recordings to show concrete proof of, when you say this, I'm hearing this.

2888.014 - 2904.26 Rachel Tobac

Exactly. And they were like, oh, I get it. So I can't say that we're talking about this technology and how it's going to change my role as a product manager, because that tips off people to understand that we're going to be acquiring XYZ company in the next six months. That's where these leaks are coming from.

2906.983 - 2921.334 Jack Rhysider

So, you know, you came on my radar because you sometimes just create these crazy viral instances online where I've seen you hack a... Who's Donie from?

2921.555 - 2922.896 Rachel Tobac

Donie O'Sullivan from CNN.

2923.596 - 2943.668 Jack Rhysider

From CNN. So I've seen you hack a CNN correspondent. I've seen you hack voting machines before. I've seen you do all kinds of crazy things that suddenly you've got like a million views on this thing. And I'm just like, well, there she is again. Rachel's out there doing things. But one thing was interesting was when you went on 60 Minutes.

2944.288 - 2965.052 Rachel Tobac

Yeah, last year or so, I started talking more on Twitter about how I'm seeing AI get used by criminals to trick people. So I'm talking about this, scammers are tricking grandparents out of 1500 bucks, posing as their grandson, spoofing the grandson's phone number, voice cloning, or just like modulating the pitch to sound like the grandson and saying they need money for bail.

2965.412 - 2989.917 Rachel Tobac

Just talking about these examples. 60 Minutes sees this, They email me, they reach out, they say, hey, we want you to do a hack live. It's actually gotta trick somebody. Can you do that with us? And I'm like, I mean, yeah, I can do that, but it's complicated. I've done a lot of these live hacks over the years for large media pieces. You know, I need consent.

2990.658 - 3000.342 Rachel Tobac

Before I do any sort of hacking, I get consent. Like when I hacked CNN's Donie O'Sullivan, I hacked him through his service providers, and I also hacked him through his leaked passwords.

3000.942 - 3020.652 Rachel Tobac

And I had his consent with a lengthy contracting process and scope discussion before I was able to contact his service providers pretending to be him, before I was able to log into his LinkedIn using his breached passwords and the things that I found online. So I start explaining to them how much consent I'm going to need. And they're like, I mean, well, we'll try.

3020.972 - 3045.548 Rachel Tobac

We'll just try and see what happens. So I start to talk to them about who my target is going to be. They want my target to be Sharyn Alfonsi. She's an awesome correspondent for 60 Minutes. Rachel Tobac is what's called an ethical hacker. She studies how these criminals operate. So ethical hackers, we step in and show you how it works.

3047.259 - 3068.707 Jack Rhysider

So the mission was to use AI to somehow trick and scam the host of 60 Minutes while on the show. But the problem is the host needs to consent to being targeted, which if she knows she's going to be scammed while on her show, it'll really put her guard up, right? So this was going to be tricky. How do you trick someone who's asking you to trick them?

3069.047 - 3072.168 Rachel Tobac

She's got a lot of information about her online, so I do my OSINT.

3072.847 - 3084.698 Jack Rhysider

Because the host of 60 Minutes has been on TV for years, Rachel realized there is a lot of audio of Sharyn talking. And this might be useful. Maybe she can somehow use Sharyn's voice to do something.

3085.179 - 3109.399 Rachel Tobac

I determined through OSINT, open source intelligence, that the best way to do this hack was to trick her coworker while pretending to be Sharyn. Because sometimes our coworkers have just as much info and access on us as we do about ourselves. So I needed to get consent from the coworker. And here's the massive challenge.

3110.4 - 3131.274 Rachel Tobac

I needed to get her coworker's consent because she was a major part of the hack. This coworker is named Elizabeth. I contacted her. I was like, hey, this is what we're going to do. We're going to do this hack. You need to consent to essentially being part of the hack, but you don't know when, where, or how it's going to happen. You don't know who I'm going to pretend to be.

3131.795 - 3147.37 Rachel Tobac

You're not going to know the method of the attack, whether it's going to be a phone call, email, text, contacting your service providers, pretending to be you. Elizabeth is awesome. She's like, that's fine. That's like completely fine. I'm really excited. And I'm like, okay, let's do this.

3148.413 - 3174.459 Rachel Tobac

So I decided that I wanted to do a phone call because I wanted to clone Sharyn's voice and spoof Sharyn's phone number to Elizabeth and trick her during a phone call to reveal some sort of personal information to me. Now, Sharyn is a famous reporter, so her voice is everywhere. I grabbed about five minutes worth of samples of her voice just from YouTube videos from 60 Minutes.

3174.979 - 3191.345 Rachel Tobac

I put her voice into my voice cloning tool. I start tweaking the tool. There's voice clone settings for things like clarity, voice stability, style exaggeration. And I finally get the settings tweaked to a point where I feel like it's going to be credible at all during a phone call, but it's not 100% perfect.

3193.14 - 3212.215 Rachel Tobac

And I do my open source intelligence to find the right phone numbers to spoof and the right phone numbers to call. Like I said, data brokerage sites have personal contact details for almost everyone. And I need to find the right details to use during the hack, like upcoming travel, the right information to try and siphon out for the demo.

3212.576 - 3233.362 Rachel Tobac

You can find most of this stuff through social media when people talk about their lives. The only issue. Now, I'm going to have to somehow get Elizabeth to participate in this hack without her realizing it's the hack itself going down. How am I going to do that? She's already consented to this and she knows it's coming.

3234.437 - 3246.54 Rachel Tobac

So I figure the only way that this is going to work is if it feels natural within the filming day. Otherwise, how is the film team going to catch the hack live so that anyone in the audience can watch it?

3247.4 - 3253.462 Jack Rhysider

So they've got the cameras on you. They've got you in the studio. They've got Sharyn there.

3254.702 - 3275.563 Rachel Tobac

Not yet. Let me tell you these details. So I get my hair and makeup done for 60 Minutes, right? I'm doing my vocal warmups. I'm like, la, la, la, la, la, la, la. I'm getting ready for recording. Sharon's still in her room prepping for the day. The light and the sound crew are getting the gear ready for the shoot. Elizabeth shows up. She's getting ready.

3276.384 - 3294.085 Rachel Tobac

I pull aside the head of the sound and lighting crew, and I let them know that I think the only way they're going to be able to catch this hack on camera live is this. I'm going to go out into the hallway with my computer and phone. You, the camera crew, cannot follow me because it'll be way too obvious to Elizabeth if you follow me.

3294.725 - 3313.23 Rachel Tobac

And it really shouldn't matter anyway because it will be me on the other end of the phone call. So you should catch the interaction from her end anyway. So you, the crew, must ask Elizabeth to stand in for Sharon so you can get lighting, sound, everything prepped so that when Sharon finally comes down, she can just slide into the shot and we can get started.

3313.911 - 3318.876 Rachel Tobac

That way, when I start the hack, you'll be able to actually see and hear Elizabeth and be able to catch the attack in motion.

3318.896 - 3320.878 Jack Rhysider

Wow.

3321.078 - 3346.243 Rachel Tobac

The crew is like... What did we sign up for? This is ridiculous. I am so nauseated by this plan. Like I'm so freaked out by this because if this doesn't work and Elizabeth is like, sure, crew, I'll stand in for Sharon and immediately realizes what is happening. Then this entire shoot, all 15 members of the 60 Minutes team, the lighting crew, sound, hair, makeup, everybody's here for nothing.

3346.364 - 3365.675 Rachel Tobac

And I will just have to basically demonstrate what I would have done. That's not going to be fun for anyone. And now, mind you, it's like 7 a.m., so this feels like the crack of dawn for all of us. People haven't even had a cup of coffee yet. So people are like, okay, Rachel, sure, we'll do that. So I walk over to my hacker laptop.

3366.196 - 3382.106 Rachel Tobac

I announce to the room that I need to go help my team with something back home. So before we get started for the day, everyone get your coffee, whatever, set up. They say, no worries. I step out into the hallway. I've got my laptop and phone. I can't hear anything that's happening in the ballroom now where we're filming.

3382.126 - 3402.123 Rachel Tobac

I just have to hope that the sound and lighting crew have successfully gotten Elizabeth into the, quote, stand in position with the sound and lighting on, because otherwise they're not going to catch this. And like, I'm not going to fake it for them later. It needs to be real. So I'm just like praying this works. So I open up my voice cloning tool in the hallway.

3403.124 - 3425.323 Rachel Tobac

I type in my opening line into the voice cloning tool. And to be clear, this voice cloning tool, I cloned Sharon's voice. I can then type in any words and it will spit out those words spoken in Sharon's voice. So I type in my opening line. My opening line is, Elizabeth, sorry, need my passport number because Ukraine trip is on. Can you read that out to me?

3426.471 - 3440.899 Rachel Tobac

It has to be short and sweet, direct and to the point, without requiring a lot of follow-up because the issue with these tools is there's a delay in me typing it into the voice cloning tool and when it spits out the words in Sharon's voice.

3441.4 - 3465.247 Rachel Tobac

I'm also holding my phone up to the computer, so there's like kind of a strange audio vibe going on with this phone call, and I just want to minimize it and make it happen as fast as possible. So I open up my spoofing tool on my phone. I type in Sharon's number to spoof. I type in Elizabeth's phone number to call. I hit go. It is 100% silent. I hear Elizabeth's phone.

3466.168 - 3485.219 Rachel Tobac

It's audibly ringing inside of the ballroom. And I'm just hoping she like goes over and picks it up, right? My stomach's in knots. I am sweating profusely. And then I hear her go, hello? Sharon. Like I hear it through my phone and I can also hear it in the ballroom. And I'm like, oh my God, she can like hear out here. So I hit my voice cloning play button.

3486.22 - 3488.841 Rachel Tobac

It starts playing Sharon's voice asking for the passport number.

3489.281 - 3493.422 Elizabeth

Elizabeth, sorry, need my passport number because the Ukraine trip is on. Can you read that out to me?

3494.663 - 3518.896 Rachel Tobac

And then silence. Silence. For what feels like hours, I am sick to my stomach. My hands are shaking. This forever silence that I was experiencing was Elizabeth holding her phone in her hand, looking at the caller ID during the call to ensure it really does say Sharon because the voice sounds weird. I mean, I'm voice cloning plus spoofing.

3518.976 - 3526.449 Rachel Tobac

So it looks like it's calling from Sharon, but it sounds kind of far away because I'm holding my phone up to the computer. Elizabeth finally responds.

3526.91 - 3530.478 Elizabeth

Oh, yes, yes, yes, I do have it. Okay, ready?

3531.36 - 3551.928 Rachel Tobac

And then she reads out the passport number I just asked for. I'm like, let's just get off this call as soon as possible. So I say, thank you. She starts asking me questions. You know, when am I going to be down for the shoot? Do I need anything else? And I have to deal with this delay back and forth typing in my replies. So I'm just thrilled that by this point, I like siphoned out information.

3552.369 - 3566.343 Rachel Tobac

And I just wanted to get off this call as fast as I possibly could. So I said, I'm just coming down. And I end the call. I walk into the ballroom. Elizabeth is sitting under the lights with the mic pinned on her. And I'm like, oh my God, it worked.

3567.483 - 3582.348 Rachel Tobac

All I have to do now is do the interview with Sharon and explain the mechanics of the hack to her live and make sure that Elizabeth knows that anyone would fall for this style of hack because most people don't realize it's possible yet. I wanted to make sure she didn't feel like horrible about it.

3583.072 - 3608.519 Jack Rhysider

And yeah, she did the interview and explained what just happened, how she tricked Elizabeth into giving Sharon's passport number. But after listening to this story... I got really curious about this voice cloning tool and wanted to try it myself. So to clone someone's voice, you give it a bunch of audio of them talking, and using some advanced AI, it will get to know that voice.

3609.119 - 3629.895 Jack Rhysider

And whatever you type, it'll say it in their voice. I spent a few hours playing around in this tool, and I cloned my voice. I think it's really interesting. Okay, I want to show you. I'm going to play two clips for you. I want you to listen and try to figure out which one is AI-generated. Ready? Here's clip one. Hey, this is Jack Rhysider.

3630.155 - 3654.197 Jack Rhysider

This morning I had a peanut butter and chocolate smoothie for breakfast. Okay, here's clip two. Hey, this is Jack Rhysider. This morning I had a peanut butter and chocolate smoothie for breakfast. Okay, punch in your votes. Ready for me to tell you? Both clips were AI-generated. In fact, what you're hearing right now is AI-generated too. I switched to having AI talk for me a few minutes back.

3654.637 - 3678.675 Jack Rhysider

I just type whatever I want, and it'll narrate it for me. It's really wild. It even adds in breaths like this. Listen. And sometimes it'll even add plosives, like how the P sounds in nope. It's crazy how good this sounds. Huh. Okay, okay. I'll switch back to my normal voice now. There is... I'm using my real voice now, okay? The future is going to be weird, isn't it?

3679.115 - 3697.923 Jack Rhysider

Okay, so I just saw this article the other day on CNN's website. And it said there was this guy working for a company in Hong Kong who controlled the finances for that company. And he got invited to a video call with the CEO and a few other colleagues that he recognized. And he saw them on the screen. He heard their voices. And he was positive it was the CEO and his colleagues.

3698.664 - 3720.498 Jack Rhysider

And they were telling him there's this new deal that just finished up. And they wanted him to send $25 million to another company. So he did. But the problem was the video and the voices were all AI clones. Scammers tricked him into thinking he was on a video call with the CEO. And our future is almost surely not going to be what we think it's going to be.

3721.139 - 3725.943 Jack Rhysider

I have a feeling we're going to have a hard time knowing what's reality and what's fiction.

3726.844 - 3749.916 Daniel Miessler

Yeah, it's a good point. Hey, Jack, can I jump in here? Yeah, who's this? This is Daniel Miessler. Oh, hey, Daniel. Yeah, what do you have to say about this? Yeah, so what I find fascinating about this whole story is that there's a very early concept in security about how do I know it's you, right? And we normally don't have to worry about this with video because seeing has always been believing.

3750.836 - 3776.78 Daniel Miessler

And the same with hearing for audio. But now with deepfakes for both video and audio, we need a whole other layer. So what I actually expect to see here is products coming out that are basically like, how do I establish like early trust? Like as soon as you join a company, you'll probably establish like keys across like all of Slack or across like all of Microsoft Teams or something.

3777.3 - 3779.162 Daniel Miessler

And that's like your predetermined channel.

3779.778 - 3799.791 Jack Rhysider

Hmm, I think this is a good idea. If you can cryptographically sign something, then that'll prove the message or video came from you. So I imagine this could cut down on people falling for fakes. If it's not actually signed by the person who sent it, don't trust it. Initially getting your key would be interesting though. You still have to prove who you are at the beginning, right?

3800.372 - 3819.289 Jack Rhysider

And one way to do that is to verify who you are in meatspace, the real world. When you're face-to-face and in person, it's still a valid verification technique that you are you. But with everyone having their own cryptographic keys to prove someone is real, the threat then moves to securing the key.

3819.85 - 3827.038 Jack Rhysider

If someone else grabbed a key, they could make it look like you sent something when really you didn't. They just signed it using your key.

3827.89 - 3844.265 Daniel Miessler

Yeah, yeah, absolutely. We're going to need something like that for all remote calls, essentially, because it's like, first of all, the AI can copy both of our voices because we have our voice out there and that's easy to copy. But very soon, like, I won't know, honestly, if this is you right now on this call. Yeah.

3845.155 - 3853.661 Jack Rhysider

I just imagine like making a whole CAPTCHA network for everyone I know, right? So my dad calls me on the phone and it says, before you can connect to this party, please solve this CAPTCHA.

3854.102 - 3861.227 Daniel Miessler

Exactly. Exactly. There's going to be some sort of challenge or like predetermined like key exchange. Yeah. Oh, my gosh.

3861.687 - 3890.42 Jack Rhysider

I personally am excited about our future. We are smarter than ever and more advanced than ever. And it feels like the human race is going through a Cambrian explosion of sorts with all new technologies and advancements popping off almost daily. We're living in the exponential era. Time will move faster from here on out, and we get to witness it. We have tickets to watch the birth of Human 2.0.

3892.363 - 3920.374 Jack Rhysider

How special is that? Whatever comes next will surely be exciting. A big thank you to Rachel Tobac for coming on the show and sharing these stories with us. She wrote a free ebook on social engineering, and you can find a link to it in the show notes. Besides doing social engineering for companies, she also does security awareness training.

3920.734 - 3941.135 Jack Rhysider

And in fact, she started a whole video production company where she creates fun and entertaining training videos. You can learn more about what she's doing by visiting socialproofsecurity.com. Also, thanks to Dan Miessler for giving us some insights into AI. This episode was created by me, the backseat rider, Jack Rhysider. Our editor is the gourmet sorbet, Tristan Ledgerwood.

3941.215 - 3952.786 Jack Rhysider

Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. How does a computer get drunk? It takes screenshots. This is Darknet Diaries.