Securing Sexuality is the podcast and conference promoting sex positive, science based, and secure interpersonal relationships. We give people tips for safer sex in a digital age. We help sextech innovators and toy designers produce safer products. And we educate mental health and medical professionals on these topics so they can better advise their clients. Securing Sexuality provides sex therapists with continuing education (CEs) for AASECT, SSTAR, and SASH around cyber sexuality and social media, and more.
Balancing Privacy and Safety
In today's digital age, the line between privacy and safety becomes increasingly blurred. As we navigate the complexities of the virtual world, the intersection of intimacy and information security emerges as a critical concern. Balancing the desire for privacy and the need for safety has become paramount, as individuals seek to protect their personal information while still engaging in intimate relationships and interactions. In this blog post, we will explore the challenges and potential solutions to finding the delicate balance between privacy and safety in the digital age.
The Digital Age and Intimacy: The digital age has revolutionized the way we connect and form relationships. Social media platforms, dating apps, and online communication methods have made it easier than ever to find and connect with others. However, this newfound ease of connection also brings inherent risks. Sharing personal information and engaging in intimate conversations online can expose individuals to potential privacy breaches, cybercrimes, and identity theft.

The Importance of Privacy: Privacy is a fundamental human right and a crucial aspect of personal autonomy. In the digital age, where our personal data is constantly being collected and analyzed, protecting our privacy is of utmost importance. Safeguarding one's personal information ensures that individuals can maintain control over their identities, make informed choices, and preserve their dignity.

The Need for Information Security: Information security, on the other hand, focuses on protecting data from unauthorized access, use, disclosure, disruption, modification, or destruction. With the rise in cyber threats and data breaches, maintaining strong information security measures is essential. Organizations and individuals must take proactive steps to safeguard their digital assets and protect against potential threats.

Challenges in Balancing Privacy and Safety: The challenge lies in finding a balance between maintaining privacy and ensuring safety in the digital realm. While privacy is critical for personal autonomy, safety is equally important for protecting oneself from potential harm. Striking this balance becomes particularly complex when engaging in intimate relationships, where individuals may feel compelled to share personal information and experiences.

Tips for Balancing Privacy and Safety:

1. Educate Yourself: Stay up-to-date on the latest information security practices and privacy regulations. Understand how your personal information is collected, used, and stored by the services you use.
2. Use Strong Passwords: Create unique, complex passwords for each online account. Utilize password managers to securely store and generate passwords.
3. Enable Two-Factor Authentication: Add an extra layer of security to your online accounts by enabling two-factor authentication. This ensures that even if someone has your password, they still need an additional verification method to gain access.
4. Be Mindful of Sharing Personal Information: Think twice before sharing personal details online, especially in intimate conversations. Consider the potential risks and consequences before divulging sensitive information.
5. Regularly Update Privacy Settings: Review and update the privacy settings on your social media accounts and other online platforms. Limit the visibility of your personal information to only those you trust.
6. Use Encryption: Utilize encryption tools to protect your sensitive communications. End-to-end encryption ensures that only the intended recipient can access the information.
7. Beware of Phishing Attempts: Exercise caution when clicking on suspicious links or opening attachments from unknown sources. Phishing attacks often target individuals to gain access to personal information.

In the digital age, achieving a balance between privacy and safety is essential. As individuals engage in intimate relationships and interactions, it becomes crucial to navigate the complexities of privacy and information security. By staying informed, utilizing strong security practices, and being mindful of sharing personal information, individuals can protect their privacy while still enjoying the benefits of the digital world. As technology continues to evolve, it is imperative that we adapt and prioritize both privacy and safety to ensure a secure and intimate digital experience.

Key Concepts:
Hello and welcome to Securing Sexuality, the podcast where we discuss the intersection of intimacy and information security. I'm Wolf Goerlich. He's a hacker. And I'm Stefani Goerlich. She's a sex therapist. And together we're going to discuss what safe sex looks like in a digital age. And today we're talking to Ean Meyer.
Ean Meyer, how are you?

I'm doing very well. I just got back from seeing many, many manatees.

Manatees. Man is fantastic. Yes, so fucking jealous. By the way, manatees are my top five favorite animals. I mean, really, just pick the five laziest animals, you know? And those are my top five; manatees right up there.

Yeah. No, it's great. We went with family up to Blue Springs, Florida, for the listeners who don't know. And if you're listening from outside of the United States, Florida is the state you hear about all the time that is bonkers pants. Um, if you hear a story come out of the US going, that can't be true, it's probably Florida. Yeah, and, uh, all the manatees come in. They have Manatee Fest, and there were 675 manatees at the springs. It was really cool.

You know, I heard the other day why Florida man is a stereotype, why all of the crazy stories come out of Florida, OK? And Ean, you probably know this because you're there. But the sunshine laws in Florida, the transparency laws mean that anybody that gets arrested for anything, it's all public record. So probably statistically, every other state is just as batshit as Florida. They just hide it better than yours does.

Yep. When you live in Florida, you start to at first you're like, Oh, it's not that crazy and then you embrace it. But then Florida man went a little too crazy, and it's like, no, these aren't the fun hijinks I'm used to. And then recently there was a video of a guy skinny-dipping in a Bass Pro Shops aquarium. And I was like, That's the Florida man. I know that you saw that headline and I sent it to our kid, and I literally said, This man is living your best life, and he was so jealous, that's the Florida I know and grew up in, is let's go swim in the Bass Pro Shops aquarium.

So as the Florida man of Infosec. Um, probably not, but in terms of high jinks, you know, to introduce you to the audience you've been at Darden Restaurants. You've been at Marriott Vacations Worldwide.
You've been with Black Hills Information Security. Uh, and one of the common themes among all of us, including one other fun fact, which is you are the only hacker that I've hung out with that has a Muppet.

That's true. I can't remember if we're doing video or audio. So if we're doing video for those watching, uh, let me get my hand inside of him, he's Yeah. There he is. There you go. That's basin. There you go. Hi. How you doing? Mhm and Ben. Anyway, moving on.

Moving right on the, uh, the reason why we wanted to have you on here is the theme between all of those every time I've talked to you for many, many years is you've always had this very creative, very engaging, very memorable way of making security lessons stick. And I thought, what a better idea to get you on to talk about that. Because now that Securing Sexuality is in, what are we, season three? Season three. This is episode 70. Wow. So now that we're in episode 70, one of the things we had people coming back to us is saying, Yeah, you know, I heard you say this. I heard you say that, we learned about this. We learned about that. And then we tried to tell people and they thought that we were being paranoid or we tried to explain it. And they're like, Oh, I don't need to worry about that. I'll just get a new credit card. And it's so hard to explain security well. And who better to help us than the man with the Muppet?

The man with a Muppet? Sure. Yeah, no, I mean, I do love security. Education is one of the things I've become very passionate about. And you're right. Uh, when it comes down to, people say, Hey, I don't need to worry about this. I don't need to think about these things. It becomes very challenging when you work, like I mentioned, I've been at large multibillion dollar organisations doing all manner of different security.
And one of the big challenges is you go into an organisation and you're trying to protect whether it be data, whether it be, you know, customers, whether it be whatever it is, that is the crown jewels, the thing that needs to be protected of that company. And you go in there and ostensibly as a security professional, you're gonna ask them to make their life harder. You're gonna ask them to use all these different things and have all those different applications on there that are monitoring, and it just doesn't feel very good. So what you have to do is find ways to reach them. And I'm a You can't you can't really see it. It's kind of out of frame. It's right there. But it's, um it's a phrase that Teddy Roosevelt said, Teddy is my teddy is my spirit animal, Um, and not to say that he's a perfect person. No person evaluated through history is, But there's some things that you can learn from him. One is this phrase. Do what you can with what you have, where you are, right. So I always take that approach to say, How can I reach the person across the table from you. Because if I come at them with, you must do this or we will get hacked. Nobody will listen to me. But if I come to them and say, Hey, let me show you how this works and why we're doing it. And I can change your personal perspective on it. The rest of it will follow, right? But I have to find out what kind of makes it tick for you. So I've had a lot of success doing that. And I, I like doing it.

So this is one of the things that I've really enjoyed about you. This is why I This is why you are one of my friends in the hacker world. Because you make things accessible, right? Like I always describe myself as tech adjacent. And we know people that if I say that they, like, kind of huff and roll their eyes and like somehow, by defining myself, I'm like insulting them. And then there's people like you that are like, awesome. You're tech adjacent. Tell me what that means. What do you know? What do you want to know?
Where can I help you? You are so good at meeting people where they are and you're fun. That was something I think that Wolf left out of the "Why did we want to talk to Ean?" explanation is we legitimately looked at each other and went, We want to talk to somebody fun. Who do we know that's fun? And we both went, Obviously, Ean.

Uh, well, that means the world to me because I think the world of both of you. And when you started not only this podcast, but you, you know, you went out on a limb and said, Let's run a conference as well. I said, This is brilliant because it really speaks to exactly kind of what we're talking about here, right? You had a group of people that often are counselling people on some of the most sensitive issues, things that they are not even ready to address themselves, their own sexuality, things that maybe they grew up being told. You're bad. You're wrong, you're broken. You're whatever and you're not. You're absolutely not, um, going through and giving these therapists and these other professionals access to Hey, here's things that you can also do to help secure them to help protect them. Because, unfortunately, people who are in what might consider might be considered outlying groups are often targeted whether it be in the US or elsewhere, and understanding how to protect that information so that those professionals can better serve that community is incredibly important. But if I go to, uh, like, kind of like you said Stefani, like if I go to you and I come at you with the approach of well, first thing you got to do is you have to turn on multi-factor authentication and then oh, do you have HTTPS and SSL on your website? And what about your phone PIN? I wouldn't blame you if you glazed over. That's boring and it's a pain and it's not great.
But if I go to you and I say, Tell me about actually you know what I know the exactly the way phrase this the first when I join a new company and I'm a security professional there, and some of you may be surprised by this because you may have met security people at your company like you have to go take security awareness training because you've clicked on a phish, bad employee, like don't. That's horrible, right? I will go to the different departments and sit down with them and they're like, Oh, I was like, I'm not gonna do it. And I say, OK, I have one question. This is where we're going to start. What do you hate about security? What do you hate about it? And they look at me like I've grown another head. I said, What do you hate about it? Tell me the things that frustrate you about what we do here and tell me first how bad it makes your day. And we're gonna solve those problems first. Because if I solve those problems for them, when I come to them with something that is a that there's no way for me to make it easier, it's just the way it is. What they're gonna remember is if Ean's bringing me this saying, you've got to change the way you do things. But when he first came to me, he solved problems for me. I'm not going to question him. I might ask like, Well, why are we doing this? And I'll just tell him like it sucks. I'm sorry. It's going to be harder for a while, and as soon as I get a better way to do it, we'll change it and they go, OK, no problem instead of fighting tooth and nail against it. So I think that's really one of the most important things. If you if I were to sit down with some of you know, the the therapists that might be listening to this, I wouldn't say like, Well, here's a big list of things you need to do. Tell me about your day. What kind of tools do you use? Like What kind of software? Like, Do you do everything online? Do you have a hybrid practise? Do you tell me about when you do have a hybrid practise?
What do you hate about logging in to the systems that allow you to do that? Remote therapy work, and I'll help you understand why it is that way or with my experience, I'll go. Hm you. You probably need to look for another provider because there's better ways to do that, and I and I think if you do that first, most security problems become at least surmountable.

So, yeah, you know, what's fascinating is that as I'm listening to you, that correlates to therapy, too. Nobody comes to a therapist in order to be given a to do list that they have to do in order to change themselves and be better humans. But if they come in and they share something with us and we have a book or a movie or a conference or a resource, if we can say this might make you feel seen, check it out or this is a place that can help with that need. Give them a call. Then we're creating a foundation that lets them be more receptive when we get to the point of Hey, you know, maybe that's not a great choice for you to make. And maybe there are some other options. It becomes a collaboration and not a judgement, and I think that's true in both worlds.

You you hit the nail on the head so much, Um, one of the other things that I know a lot of people in here, devotees of this. But when When I when I take it to security professionals like Brené Brown, who is that like I've never heard of this person. And I'm like, if you are practising security in the roles that kind of Wolf and I are in if you're going through and you're you're a security professional trying to help people and you do not understand the concept of shame and some professional coming up and going, you clicked on a phishing email and now the entire company is gonna be hacked and we're all gonna get out of fire. That's that's terrible, right? But coming to them and saying Let me help you because you were actually just the victim of something. And I'm here to help, not to tell you. Oh, you're so bad at the medical thing.
I taught it when I was at Full Sail. I was an adjunct instructor for security, And I would tell people imagine if you if you had chest pains and you went to the doctor and you're like, I've got some chest pains. I think there's something wrong with my heart. And they went OK, Have you have you? Have you been eating bad food? Yeah, OK, do you exercise? And maybe some doctors do this, but they'd be terrible. Um If you shame them for their behaviours, they're not going to leave. They're going well or go. So go change. No, they're gonna die. They're gonna die, right? So you have to go through and be like All right, let's help you modify your behaviour. Tell me about how you live. Tell me about how you work and you exercise things like that. And you, you you address being like, Hey, this is normal. Your friends, your neighbours, Everybody deals with this. It's OK. That's why I have a job is to help you be more secure. I think we need to take that lesson to heart as security professionals and at least be better than country doctors.

It's funny you tell that story because, you know, I grew up on a small farm in the middle of Michigan and my dad went to the doctor and we had this country doctor this old crusty like, you know, almost a Bones stereotype from Star Trek. And he's like, Oh, I've been having some chest pains. I've had out of breath. And he's like and the doctor looked at my dad and my dad's name was John. He goes, John, If you got together with three similar size friends, you would not be allowed in many bridges in this county. It's like you need to do some thinking. And my dad, my dad was my dad. He he found that hilarious. But to your point, that's that is not going to go for most people.

Yeah, and and And for, you know, well, if you deal with, you know, the C suite, the the the C level executives a lot, and you can't go in there and tell them that they'll just throw you out of the room. They don't want to hear that right?
They wanna hear how to fix it and how to deal with it. And this, that and the other. And they'll find someone that's not gonna shame them for it Now, they might not say that that's what you did, but that you won't be in the room helping them. And I think that's one of the biggest things about, you know, having the appropriate security message, whether it be well, you know, I was gonna say whether it be therapy or security, but in in all reality, they they tie together in saying you have to do code switching, and I'd be curious to kind of get your opinion and thoughts on this Stefani like when? When you're doing therapy is the way that you talk to one individual the same as you talk to another individual.

No, it absolutely has to be different, right? We I I I've already said once we meet people where they are and that's such a cliche, but it's also really true. Um, there was a continuing education training recently here for social workers. That was literally about the strategic use of swearing in in. I love that. Yeah, because you know, I'm gonna talk to a deeply religious conservative client who's struggling with, you know, vaginismus because they're incredibly anxious around sex much differently than I'm gonna talk about or, um, talk to a commercial sex worker who has a really popular OnlyFans and is struggling with maintaining privacy and feeling a sense of balance between public and private spaces. Those are both sexual health dysfunctions, but I cannot have the same conversation or even really use the same language with them.

I, I adore that because a lot of if I were to call what I do. My practise involves code switching, and I've actually gotten in trouble in environments for this where the way I talk to my boss as after I develop a relationship with him is I use swearing like punctuation. It's like semicolon F, this comma, you know, the, you know, whatever. And once we develop that rapport, that is how we talk to each other.
If I came into the room and had put on, you know, the suit jacket and the stuffy Harvard Well, today we'll be talking about taking ourselves through security. They'd be like, What is going on? Who are you? I don't want to listen to any of this. The way I talk to a student, the way I talk to my kids and what not I like I said, I've gotten in trouble with companies because one the the way I talk to, you know, the intern and the way I talk to whatever they go. Oh, you're just you know why? Why Why can't you talk to me like the intern? I'm like because you're a professional and you know better. This is generally when someone has been, you know, gone through and you know told how to do something over and over again, and then they're kind of on their last leg and strong. It's like, I expect you to behave like a professional, and I'm gonna talk to you like a professional that needs to, you know, have some course correction, little sterner little whatever. And the intern they can, you know, set the computer on fire and half the wing of the building. And I'm like, OK, ok, this is a learning opportunity. So let's talk about why did the computer combust? You know, it's you have to do that. And if you don't, you're gonna lose, you know, for lack of a better term, the hearts and minds of the people you're trying to help.

Speaking of the hearts and minds, um, and your point about awareness training, right. One of the reasons why, uh, we did, um, Securing Sexuality the conference in October is October is Cybersecurity Awareness Month. The other CSA. Anyways, historically, the way that cyber security awareness training was provided is really, really boring. Watch this video, click this thing, subscribe to this double check that click to the next PowerPoint and I mean I've I've not only taken those year after year, I've I've crafted them and had to to get them, uh, tell us a little bit about the carnival version of Cyber Security Awareness Training.

Yeah.
I mean, I tell this story a lot because I'm really, really proud of it. And frankly, I'm a little surprised. The company that I did it at let me do it. Um, but I came up with this concept, and it we actually presented it at Infosec World. And I actually think this concept works for Securing Sexuality. I think it works for so many different venues that when you hear me tell the story or practises, I should say that you'll go Wait a minute. Yeah. No, I can apply these kind of three or four themes to making people aware of a certain issue. And it doesn't matter if it's hackers security therapy. What? Whatever it is. So the hacker carnival, um, what was it? It's 2024 now. So about eight years ago, I was at Darden Restaurants and Cyber Security Awareness Month was coming up, and I said, I have an idea. I have something I really want to try and I want to call it the Hacker Carnival. And they said, OK, I said, This is what I wanna do. Now you have to understand, with, uh, that particular place. It was huge 6 $9 billion a year company custom building. And they had this long area called Main Street That was next to the cafeteria. So it was a big kind of open area. And what we did was I took everybody on the security team and designed demos for them. And if I didn't design them, if they were some of our, uh what what we call in our industry. Red team offensive professionals. These are the people pretending to be hackers, right to figure out if the system is secure. Uh, if they were that they they built the demos. I said, I want a demo that I can show somebody that takes 5 to 10 minutes, max. And they actually see somebody connecting to a malicious wireless access point like you're at some coffee shop and somebody stood up free Wi-Fi. And in all reality, they're sniffing credentials, things like that. I said I wanted a demo where we swipe a magnetic card, like a credit card or a gift card, and we clone it and we show them how easy it is.
And that's that's actually the example I'll give. So what it was was it was 10 stations, right? And right around like the lunch. I'd say hour, but it's more like starting at 11 and ending at two. Right? We went down, We set up 10 tables with these 10 demos, and there was a poster that said what it was like, how scammers copy your credit cards and on it it said kind of what the scam was. And then it said how Darden protects itself from this and had three bullet points. And it said How you can protect yourself from this and then at the bottom, the security engineer analyst or whomever Little picture of them and, uh, what they do here, right? And so they'd come up and the rule was this. We're going to show them the magic, but not the trick, right? They're gonna be like, Oh, my gosh, you just copied a credit card right in front of me. And what was lovely is I love this demo because they go Oh, Well, you probably got to go in the dark market to get all this crazy stuff. I'm like, Yeah, I bought these three devices off Amazon for about $150. And worse than that, those three devices. And you know, when you go on Amazon where it says people who bought this three track magnetic reader also bought a stack of blank cards and a stack All this stuff. So it was like, Amazon's like, Would you like your credit card fraud kit? It's right here. Um, so we do that demo and they're like, Well, wait a minute. I just saw that guy do that. And I know I can go on Amazon for 150 bucks. So when they talk about going into the restaurants and making sure that we check for skimmers and whatnot, this isn't black hat. Internet wizard nonsense. This is I just saw it. I just literally witnessed it and doing that in 5 to 10 minutes. What would happen is these groups would come up and they'd kind of, you know, they'd go to lunch and they go what's going on down here? And we'd say, Oh, welcome to the Hacker Carnival, come on over.
And we had these little passports printed and they were just little sheets of paper. Uh, you know, take an 8.5 by five, cut it in four and it had 10 places that you'd get a little stamp. Many of you have gone to conference, have seen, like a passport to prizes. Here's the trick, though. Each station they went to, uh, when they fill out their prize, they would they would have their little passport and they put their name and their phone extension on it, and then they'd get their stamps, and then they'd go to a raffle station and we had some raffle prize, a little quad copter or stuff like that, and we had a bunch of them. So it encouraged people to go to as many stations as they had time for or to go to just one. If they only had time to stop for one thing, right, so they'd go. They'd see these demos of, you know, access badge cloning of credit card cloning of evil APs of all these different kind of things that hackers will do. Saw the demos and here is the like. I said the trick right, two things happened. One, every engineer and every person was told at the end of that Take your stack of business cards that's on the table and hand one to each person and say, and now we know each other. So if you ever are, you know, have a problem. You think something's a bit off? You know, I'm not a big, scary person. Call me directly. Say, Hey, there's something weird going on and I'm not sure who to call, We know and then second, when they turn in their passport to prizes. The extension number was one of the most important things because each one of those demos I knew fell into, and we'll use kind of the therapy example different portions of therapy and guidance, right? But here are different portions of security challenges, and I could say during this 2.5, 3 hours we did this much training and Wi-Fi security, and it was hundreds of hours because we had 10 people doing it in groups.
I could then also take their extensions and say the finance team took this many hours in these categories and was able to deliver that to auditors. And that was all just by getting some stamps and whatnot. It was it was very popular. And, um, when I did the talk at Infosec World, a couple of people ended up running at their own companies, including, um, out at UCF. UCF runs it out there at the University of Central Florida. So yeah, it's it's something I'm incredibly proud of. Thank you for letting me, you know, ramble about it for a bit. But it's it was really incredible and showed me the power of that.

I love hearing. This is actually the first time I've heard the story, and it's fabulous. Yeah. And also, I feel, you know, the harm reductionist in me feels the need to say Ean mentioned that you can basically buy fraud credit card kits on Amazon. Please. Listeners don't Yeah, don't do that.

Um well, here's the good news, actually. So I the reason part of the reason I told that story is that actually doesn't really work anymore because many of you know we've got those credit cards with a funny little chip on it. When they launched, they were kind of slow and kind of sucked. Um, now it is actually very difficult because most cards have that chip on it, and the the magnetic stripe is purely a backup so that that attack doesn't really work so much anymore. So that's why I use that example. But I, I do think it's a good a good point because so often people come up to me and they imagine right, they've seen the movie who are, You know, the The briefcase has the cyber weapon, and the guy grabs the briefcase and he handcuffs it and he runs out the building and there's a chase and they're you know, they're cornering him. He jumps away and he does some parkour thing and they chase him down.
They throw him on the cop car like you're going to jail and they unlocked the briefcase and open it up and it's empty and they realise, Oh, someone else stole and then you zoom up and there's Ean with the sunglasses, and Ean's got the cyber weapon in the plane. It's worth $16 million. Now. It's most of the things that clone car keys, hotel room keys, credit cards. Most of these toys are a few hundred dollars.

Yeah, well, I I'll take what you just said even a step further. And you've heard me give this talk. I did a talk, uh, in San Diego for Wild West Hackin' Fest a number of years ago, and I kept this portion of it because I was just so tickled by the example. And and stuff kind of speaks to making the idea of security a little more approachable When I give this talk, it was on ethical phishing, and it was basically training security professionals to say, Hey, stop sending people phishing emails to get them to click on it, to have them take this training when literally you are. And I think I think another person called it amygdala hijack. You are using so much fear, uncertainty, doubt. It's like your paycheck isn't coming. You're about to get fired. You're part of the layoffs. Click on this link to see. You know, if you don't do that because, yes, will it get people to click And yes. Do criminals do that? Absolutely. But the criminals don't have to face your coworkers. The next day after their stress level jumped up their stress hormones have jumped up. Maybe it's even worse than that because they already had some sort of fear around what you did and and you've completely ruined their day. So in this talk, what I what I tell them is I. I put, uh, and I'm going to kind of ruin it because, like, it's it's a visual gag. Um, I put a scalpel on the screen. I say, What is this? And a couple of people say, like box cutter. And I'm like, Have you used a box cutter before? No.
OK, it's a knife, Sure, Um, but anyway and eventually someone says it's a scalpel and I say, Yes, it's a scalpel and I say, Phishing emails, any sort of offensive security. Anything you do where you're attacking a company or an individual to show them how to protect themselves is a scalpel. In the hands of a professional, that scalpel can be used to save lives. In the hands of an amateur, it will kill you, and you need to know the difference. To be able to present what's being done as either a useful, beneficial therapy and surgery, or you're probably not ready to handle the scalpel so that when I give that example, they go Oh, yeah, If I got stabbed by a scalpel, that would suck. And then they start to rethink kind of how they're going to present their arguments for security. I'm glad that you talk about that because I've never been in infosec. I've never been somebody that's made those decisions. But I've worked in settings where I've gotten those emails and I already know Wolf is very anti-phishing. I know that you're very anti-phishing, but the thing that clinically it makes me think of is it feels to me very abusive. It is a breach of trust that scares people that makes them fear for their livelihood, for their health insurance, for their children. And you can't just be like, ha ha ha psych. And it's even worse if you're like Oh, and you fell for it. So not only did we terrify you, you're an idiot for being terrified. It is an abusive behaviour. Yeah, it baffles me that so many companies do it. Yeah, in the audience was a friend, Ed Murrow. And while I was talking and I was like, I was showing some of these examples that it made the news. Uh, the, uh, Tribune Media, uh, Orlando Sentinel, where I live, I'm in Orlando, Florida. Um, that's very public information, but I live in Orlando, Florida, and the Orlando Sentinel is owned by Tribune Media. 
And a couple of years ago, they sent out an email that was basically that it was, you know, layoffs and something like that, or and a bunch of people were like There are actually people being laid off in our company right now. That's not OK. And Ed yells out, He goes, It's cruel. I'm like it is cruel. It is, and it's it's very much a. Just because you can do it doesn't mean you should do it. You know, um, that's why I always take the approach when I'm teaching people to do phishing because unfortunately there's, you know, too many organisations that it. It's kind of a requirement at this point, and there's lots of stuff that goes around that. But for the audience here, who's not focused necessarily on that area, one thing I think they will appreciate is whenever you're doing therapy and correct me if I'm wrong, not a therapist, uh, but whenever you're doing therapy, you have to go through and kind of like you said, meet them where they are and help them understand why this is a challenge. So when I teach them to do this, what I do is I say, Let's craft some emails and let's actually think about If you received this, how would it make you feel? Let's start there and then second, let's go through and craft emails that are benign. So some examples of ones that I've done in the past were, um, ones that encourage people to be helpful. We are very helpful creatures. So, uh, I was in an organisation. Uh, you can probably figure out which one. This is not something. This is not something that I worry about talking about. But the one of the phishing emails that we sent as part of our exercise was a kid had left their stuffed animal at a resort, right? And it was somebody messaging saying, Hey, I just stayed there. We had a lovely time. I my I think my kid left their favourite stuffed animal. We're hoping that it turned up and lost and found. Here's a picture of it. And, of course, the picture. 
When you clicked on it, it did show a little teddy bear, but it was the beacon to say it. Here's the thing when they clicked on it. One, that's kind of a positive right? They they want to go help. They want to be helpful, right? It's and and attackers play on that, too. I'm sure you deal with plenty of people that are in an abusive relationship, but he's like, Oh, he's so kind And I just I just love him and I want to help him and all that, and and you have to break those cycles. When we go through and send that email and they click on the link, I don't send them their training. They get a skull and crossbones. You clicked on a phishing link. Whatever. I would give them a survey, and I would say, Hey, the link you clicked on was a simulated phish, and the very next line was. But don't worry. Many people click on this. We would like your help. What about this email made you take action right in there. Uh, what could have been changed to make you not think This was a valid email and there was a couple other questions. And then the last one was Would you be interested in talking about this experience and helping be a security champion for your department and that ending instead of saying Shame on you Say, would you come and and talk about like this with me? And then let's go back to your department and talk about it because you're a victim. You're not stupid. Uh, the other phrase I use and I'll I'll end on it because I get real passionate about this. This topic, uh, is the whole I I was in. I was doing a talk at a college and young hacker type kid. I was saying, You know, something, something. And they go Well, yeah, because they're stupid and I go No, no, I stopped the whole talk and I said, This is important because I got a bunch of new security professionals in the room and I'm not picking on you, but it's important. These people aren't stupid. You know a lot about computers, right? Yeah, absolutely. OK, you're on the cybersecurity club. You're competing? 
Yeah, absolutely. Explain accruals to me for global businesses. doing loans across international waters. II, I don't know. I go. I work with people that do that. They're not stupid. That's their expertise. Your job is to protect what they do. And he and he's like, All right, I'm just gonna sit right down now. Um, but it was a good object lesson for them to hear, because you gotta just nip that stuff immediately When you're dealing with students, No people, people are not stupid. And this is one of the things that always frustrates me as well. And one of the things that you know, I, I said in in, uh, in our live podcast was you know, I want everyone to walk away thinking that they know very, very well they know things about their patients and populations. Very, very well. They know things about their own lives very, very well. And any technologist who tries to make you feel dumb because you don't understand the tech is really a technologist who's not doing a good job. Mm. Agree on the topic of helping people, uh, tell us the story of of your friend who was in a bad situation and how you were able to help navigate that. Yeah. So yeah. And they don't mind me talking about, you know, names and places sanitised for for for the innocent, if you will. But yeah, as I'm sure Stefani, you've at least dealt with or heard and And through therapy, uh, there's a lot of people, unfortunately, ended up in relationships they never thought they'd be in right and in situations that they never thought they'd be in and people change or things change. And unfortunately, they found themselves in a situation where their husband of many years started to suffer very serious mental health problems, and it was impossible for them to escape. Right? Uh, they were so entwined their entire situation, they they weren't working anymore. The husband was the breadwinner. Uh, he was having a number of issues that I I won't go into. 
But they turned violent, and, uh, as that was happening, I got word of it. And the problem was, they just literally could not escape. They couldn't see a way out, though. If I go get a cell phone, they're going to know, right? If I go get money out of the bank account, they're going to know and they're going to ask questions about. Why are you? Why are you taking money out of the banking account? Why are you doing this? Why are you doing that? And it could very much make the situation worse. And I'm I'm sure a lot of the professionals that are listening to this are like, yes, this is a story I hear all the time, and it's unfortunate, and it's very sad. But using some of the tools and techniques that hackers use, we started to develop a plan to get them out. So one of the things that we did and I didn't even tell them I was doing it at the time, it was very interesting. So, uh, I was worried for their safety. I had not heard from them in a while. And I knew that, uh, this individual knew my phone number, right? And if I were to call them and they saw that number, even seeing the phone number might have them go into a violent state. So that was dangerous on its own. So whenever I would call them And the first time I called them, it was very surprising to them. Uh, I called them on their phone, and I spoofed and spoofing is the concept of taking caller ID and making it display differently. If you've ever received one of those phone calls, where it's your area code and your prefix but some other number and you pick it up and it's, uh, we've we're calling to get a hold of you about your cars and your warranty. That's what they're doing. They're going through and they're spoofing caller ID, or if you've ever had a started getting a flurry of phone calls from people that say, Stop calling me about orange You're like, I don't know who you are Because of that. 
They've spoofed a number just completely at random to hope that you'll answer it because it's local and it just happened to be your phone number, and you get a bunch of angry phone calls back. It's like, Hey, I'm sorry it wasn't me. Someone's, you know, cloned my caller ID. So I found the phone number for the local municipal water, right, the the office for that, where you pay your water bill and this that and the other. And I spoofed my caller ID to make it look like the water facility. And I had a whole pretext and whatnot that if he picked up, he he didn't know my voice well, and I'll be like, Hi, I'm calling from, you know, Redacted County Municipal Water Authority. There's an issue with your bill. We need to get a hold of this person and they would just hang up. But if I got them and I did the next time, if I got them, I just very quietly say I need to speak with you in another room. Are you safe? Are you OK? Can you speak? And I would give them prompts that they could answer. And if even if the phone was snatched out of my my out of their hand, I was ready to put on the the actor hat of calling about the municipal thing because I knew that if they heard the questions that I was asking, or if they thought what was going on was that that could send them over the edge. But if they thought it was just the water treatment, people calling and then it had the same number. And even if they called that number back, guess what they're going to get redacted County water treatment, right? So it it would all play out. I also help them with a number of issues with, like, moving money, essentially. And some of them are very, very simple and things that you can use not this isn't illegal or anything like that, but I'd say, Hey, you know, how closely does he check the the grocery bill? OK, he doesn't cool. Uh, what I want you to do is every time you go get groceries, go get an extra $20 in ground beef or whatever it is right. 
And before you even and I go use an ATM card first, right, you need you need to use one that's tied to actual cash, not a credit card. And I said before you even leave, walk over to customer service and say, I didn't mean to buy this. Can I get a refund? Right? And because it's an ATM card, they have the option. Most places have the option to either refund it to the card or give you cash. Now, you actually have a valid amount that if they check it, um and even if they check it deeply that we could start building a cash repository for them just to have some walking around money to get that taxi, to get that bus, to get that train, to get to somewhere safe without that being seen. So these are some of the things and and ways that I developed to go through, and it wasn't just me. These are in our trade. These are very common things to know. But in maybe some of the therapist trades, they don't realise this. They don't realise that there's things like this that can be done, that security professionals know how to do that can reduce harm. And that's true that a lot of us don't know those things. Um, that's part of why Wolf and I do this. But well, before this, when I worked in as a domestic violence therapist, because I did, you mentioned at the start like maybe I'm from a I. I work domestic violence, sexual assault therapist, and that was actually one of the questions I was asking at our agency was, What do we know about digital abuse? What do we know about stalking? How are we helping our clients in that way and nobody really knew and nobody really had many answers. It's gotten better. You know, there are things like the digital defence fund for people needing reproductive health care. There's people like you that are speaking up and friends of ours that are speaking up, testifying before Congress creating programmes. Lock down your life. We always shout her out all the damn time, right? 
But there needs to be more, especially for people that are not technologists, for those of us that are tech adjacent because we don't know what the hell we're doing half the time. Yeah, and And the big problem for you is you're not. You're going to conferences and getting the latest research on how to help people. Mental health wise ways to guide them, ways to do this. This is where your expertise is focused and I'll give the example of Apple because Apple is big enough that there's there's no way not to punch up. You know, you can't punch Tim Cook down, you know? Well, there's maybe a few things which I would never do, but, um, but you can't. You can't like they are at the top, right? So when they came out with their AirTags. The fact that no one sat them down and said, Hey, you're literally giving abusive spouses a $30 global tracking device? Maybe not, or maybe have some sort of method to to to know that you've got one with you, and that's actually where if you have an an iPhone now, when you get that alert that says there's an AirTag that isn't yours near you, Do you know this? That's where that came from. But that was after they launched it after bad things happened. And then someone said, Oh, right, yeah. Uh, basically we made a like Wolf said the the the cyber device that fits in a, you know, in the palm of your hand that allows digital abusers to stalk track. I mean, imagine that you're stalking someone, and no matter where they go, you can text and be like, I know you're at Starbucks like imagine what that does to somebody and that nobody in the room, the design team or anybody sat down and said, Hey, how do we prevent abuse and abuse cases for this blows my mind. It absolutely blows my mind. That's why we need more social workers in tech. And I mean literal social workers in tech, not social workers who have given up on not making any money and have become technologists but actual consulting social workers in technology companies. 
I remember and it's still there. But I remember years ago driving down the road in in a neighbouring suburb, and there's a place called Spy Shack where you can go in and you can buy like the teddy bears with the cameras, and you can buy all the G like GPS things. And I used to think it was shocking, and I used to wonder like, How do people walk in there and not just be immediately branded as abusive partners or controlling parents or what have you? And now they don't even need to, because now it's at the Apple store and it's on Amazon and it's everywhere. And I guess my question is, how do we teach people about this? Well, that's a complicated question, because I, I deal with that a lot, and I know Wolf does, too. And I think I think we should both take a stab at answering this. Um, it's a real complicated question because It's very difficult to tell and I'll pick on parents. I am one. I have four kids. It's very difficult to tell a parent I have the technology and I'm going to pick on Life360. That's the really popular app that parents will put on their phones. It is. I mean, it is basically stalkerware installed by your parent. It tells you where they are. It puts a geo fence around the phone that if they leave this area, you get an alert. But it's very hard to tell a parent. Well, wait a minute. If I if something bad were to happen to my child and I could have had this on here and known where they were and been able to tell the police their last location was this. It's very hard to then say, But what about that child's privacy? What about their mental health? What about what you're doing to them? Basically, teaching them at a very young age that you're going to be monitored at the most granular level for the rest of your life? Right? Because as soon as that app comes off their phone, it's their college. And after their college. It's their work, and after their work, it's, you know, insurance companies and whatever it is. 
And you're literally setting the stage to say, you know, give away this privacy for a little bit of security and my my big thing when I when I talk to people, is again going back to the think about how this is going to affect someone and find a balance. And I'll tell you what I do with my kids when it comes to the Internet I've got. And you think, Oh, I'm a security professional like 20 years of experience. I probably got them crazy locked down. I do not, um, they do not have unfiltered access, but I've got the same type of protection that you might have at a at a company like adult websites, things like that. But there have been times where we homeschool and we're we're, you know, very, very liberal, by the way, Um, but we homeschool and we would send them to OWL, which Stefani remind me I should know this as someone who but But we've talked about this before. It is Our Whole Lives, yeah, Our Whole Lives. And it's a wonderful programme that teaches them about consent and about their own body and in in very real terms. Uh, not in. OK, uh, you know, and forgive me if you are religious. I apologise in advance, but it's not like, uh OK, so you're a girl. So you were made from Adam's rib and it's like, No, I'm sorry. That's just that's metaphor to tell a story. And that's just bonkers. They don't do that. We sent them to a website that they had to do for homework and our system blocked it. And I was like, No, this is an educational website, you know, This is I would want them to see these things. And I've told my kids I go Listen, I'm not going to block your Internet access I will tell you about once a month. I kind of scroll through to see what sites were blocked. And there's been a few times where I pull up some meme that their friend shared with them with Instagram. 
And I'm like, as a little adult, um, but I don't even bring it up with him because I know the types of stuff my friends were talking about At 13 you know, and I want them to trust me enough that when we do talk about danger and consent and risk and things like that that they'll feel comfortable, bring it to me. And if I'm just watching them with a microscope, they're never going to do that. And they're going to find ways around. The best hacker in the world is a child and a child who's being stopped from doing something. They'll find a different way, and I want them to trust me enough that I go. If I see something where I think it's dangerous, we're gonna have a conversation. But it's when we're not gonna yell about it. We're gonna have a company like, What were you looking? What were you curious about? What do you want to know? Let me give you some resources that you can go look at that are educational that are vetted that aren't your friends sharing stuff on? Quote the playground, if you will. So wolf. What what are what are your thoughts? I agree completely about keeping the Internet predominantly open and not over stalking kids. That's what I did, uh, in terms of sites being mislabeled, just a fun story for you today. The day we're recording this Google ads. Our Google ad manager called me. We had a meeting, and the Google ad manager said, Will you remind me how your site set up? And I said, Well, can't you go to it? They said, no. Uh, it's blocked for me. Securing Sexuality. Yes, yes, I believe it. They couldn't They couldn't go to it from Google. As they're calling me about how much money I spend on Google, it is pervasive and it's problematic. I will say when When we think about educating people, What I tend to focus in on is, uh, make it very salient. So very specific make it very personal. Um, make it part of what they're trying to do. I'm trying to do this. I'm trying to achieve that. I'm trying to help someone. I'm trying to get somewhere. 
I'm trying to do some work, make it part of their workflow, um, and make it something that can become a habit And just another mental checklist, because another thing I think security people say too much is oh, you just need to slow down and think no one has time to slow down and think. And I think we oftentimes, um, underestimate the cost of system two thinking right. If you had to slow down and think every time I bought a computer, I'm never going to get anything done. So those are the ways I think about it. But I also think about the clock. And we are We're running out of time, my friend. We're right. We're right. About 50 minutes. Yeah. Ah, there's so much more to say. So much more awareness to be aware of. You can't see. You can barely see it here. But I've hung up some new signs. Um, that sign is a warning sign that says Beware of Well, just beware. That's really what we're talking about, right? I mean, there is so much more we could say, and we might have to do a part two and maybe when we do the part two only Ean’s Muppet talks to us. I don't know anything. I will absolutely do that. No, this has been great. Now I love I love what both of you are doing with this because I think there's a huge opportunity, especially in educating therapists about some of the technologies that exist that not only can help protect their patients, but it's, you know, very, very difficult, especially in a kind of a hybrid environment to say OK, these people are going to be coming to me, talking to me about their most intimate fears and challenges and, uh, things that they're not even sure they're ready to admit to themselves. And we're going to use these often very unsecure technologies to do it. And how do you as a therapist as you try and navigate these things that you're not trained in? This isn't your specialization, but now you have to meet people where they are and they wanna when they're ready to reach out for help. 
Maybe they're not ready to come sit in person, but the computer they sit in front of every day Well, that's a different comfort level. So how do you get there? So I love the fact that both of you are doing this. I think it's wonderful. Well, we love you, and we love everybody that listens, although we don't necessarily love you all quite as much as we love Ean. But we do love you and thank you so much for tuning into Securing Sexuality, your source for the information you need to protect yourself and your relationships. Securing Sexuality is brought to you with love by the Bound Together Foundation, a 501c3 nonprofit. From the bedroom to the cloud, we're here to help you navigate safe sex in the digital age. Be sure to check out our website, SecuringSexuality.com, for more links to information about everything we've talked about today, as well as our upcoming live events and webinars, and join us again here, right here for more fascinating conversations about the intersection of sexuality and technology. Have a great week.