Anatomy of an Accidental Honeypot
9:56PM Jul 26, 2020
Dr. Gus Andrews
Back again. Right now we're gonna have a session from Gus Andrews; you can find her at Keep Calm, Log On dot com with her new book. She's also the special project lead for Theorem Media, working on the cyber security project, and we'll go ahead right to the video. Thank you.
Hi everyone, I am Gus Andrews and this is my talk, Anatomy of an Accidental Honeypot, aka "first initial last name at gmail considered harmful," or how I stopped worrying and learned to love that every other G. Andrews in the world uses my email address. This is my bio; I'm just putting it on screen for the sake of HOPE. I don't expect you to read this, but you can pause on this frame if you'd like to. TL;DR: I've done digital security training, among other things. I signed up for Gmail on June 16, 2004, and was lucky enough to snag my first initial and last name. At some point a few years later I stopped using the address, largely because the sheer amount of misaddressed email I was getting there was just becoming overwhelming. But on the first day I was using Gmail I got an email every Gmail user at the time did, saying "Gmail is different. Here's what you need to know. First off, welcome, and thanks for agreeing to help us test Gmail." Wow, that was a billion years ago. "You'll find information there on such topics as how to use address autocomplete." And so at this point I'm going, were they actually among the first to use address autocomplete, that they had to explain that? So those of us who picked up first initial last name accounts, or other accounts that resemble their name, thought we were really super clever. But as Randall Munroe of XKCD has pointed out, once you have a first initial last name account, you end up getting email from a lot of people, and I don't think it's actually just older people; I'll talk a little bit about some of the younger people as well who have been sending stuff. gandrews at gmail, which is the account we'll be talking about today, is kind of like being Senator G. Andrews, public figure G. Andrews. G. Andrews lives in the center of town; G. Andrews, everybody knows where you are.
Everybody turns their attention that way, and ultimately it ends up being pretty problematic. Conservatively, deduplicating by name and address, there are at least 200 individual people worldwide, over the 17 years I've had this address, for whom email appears to show up in this account. These include professors whose students send their assignments and then wonder whether those assignments got through; a medical note for a man in South Africa excusing him from work after cardiac surgery; and an engineer at Apple who charmingly spelled the town Apple has its campus in as "Cupertino," and ordered a sophisticated audio analysis device and sent the receipt and the FedEx notice to this account. So I could have just diverted that sophisticated audio device to me if I'd wanted to; fortunately I wasn't even looking at the account at the time.
The mail includes a social mailing list from the military installation at Fort Gordon, which happens to be a signals intelligence unit, and so if you happen to know anybody who works in signals intelligence there, you might want to let them know they're leaking a lot of signals. Worse yet, there are also physical plant service requests from another military academy, so if I wanted to go mess with the HVAC system, that might be how I'd do it. One of my favorites is a grandpa saying to his grandson, "go by that house," and signing off "Paul, Paul," and what he has sent along is a letter as a PDF with his bank name, his bank routing number, the account number for that bank account and his signature, telling them "please give my grandson $11,000," which I could easily just yoink and take, if I wanted to, but I'm an ethical hacker and I'm not going to do that. This is a map of all the known places where I've definitely identified people who are sending email to this account. The spread appears to be based, as far as I can tell, on population density. No matter where you're from, there's a George or Gary Andrews in your area, and for some reason they are disproportionately represented in this dataset. Maybe they even sent email to this account themselves, because sometimes they cc themselves. You look at the email for long enough, you look at this map for long enough, and full life stories begin to grow out of them. So for example, there's a twenty-something in New Mexico who works on call as a sign spinner. His boss yells at him to work through wind, rain and wind if possible, but says if there is lightning or the rain or wind is too heavy, go to your car and wait and don't spin your sign. The footer of the email cryptically warns, quote, "you have the right to remain silent about your brand," especially the brand that he's advertising at the time. "You have the right to do nothing. If you choose, an agency can represent you.
If you cannot afford an agency, you can probably call us anyway and try to work a deal; who knows, it might not even be such a waste of time. Do you understand these rights?" I don't think that legal footers actually work the way that she thinks they do, but I'm not sure what that ominous thing means. Outside of work, this young man spends his time at the Ultimate Ninja obstacle gym. One time he tried a free yoga class, and forever after he got invited back to the studio to be the light. CVS thinks he might be paying too much for his EpiPen. He was interested in buying a Camaro, but the agent at the car dealership never managed to reach him, because he gave her an email address that wasn't really his; it was mine. There is a group of Stanford University frat brothers who recently celebrated their 50th anniversary of graduation, so congratulations. These are men with names like Tweeze and Book, who are professors and doctors and lawyers now, and they have hobbies like wine terroir and paleontology, and apparently also guessing what someone's email address ought to be. There is also a family in North Carolina who regularly go to Africa to provide optometry services to people there. The mother, Patsy, developed cancer. Briefly, she said she wasn't afraid to die; she'd already faced the worst of losing her son to a car crash some 30 years earlier. Her husband said, quote, "she is still in charge, and I am good at taking orders." She attended her cancer center's Halloween party dressed as the queen bee, so we get the sense she was a very strong personality. When I was getting their email I had recently lost my father and grandmother to cancer, and I kept pleading with the family to stop cc'ing me on their cancer updates, so I could just get some relief from thinking about it for a while. When my pleas were to no avail, as any good hacker would, I figured out who they were and where they lived, and I sent them a Christmas card.
And that was how I ended up mentioned in a newspaper in a North Carolina town I had never been to, and that newspaper reported: "Last Wednesday, Patsy received a handwritten note from Gus Andrews, not the former county commissioner, but Gus Andrews who lives in New York City. Somehow he'd mistakenly gotten on the email update list, but he felt compelled, like so many others, to follow Patsy's story." That "he" is me, by the way, in case you hadn't figured that out; they hadn't figured that out either. The passive voice used there, saying "somehow he'd mistakenly gotten on the email update list," meaning me, implies that I had somehow accomplished this myself. But that wasn't actually what happened; the father of the family had cc'd me. And this is how Patsy, who was a Latin teacher, a bridge player and a swim coach, and who unfortunately passed away in February of last year, came to be memorialized at a hacker conference. Rest in peace. Why did these people cc me? Why was I getting email from sign twirlers, ninja gyms, yoga studios, frat brothers, car dealerships and drugstores in New Mexico? These are the voyages of my first initial last name email address on a mass public email service. My continuing mission: to explore the worlds of people who send email to the wrong address, from Vanuatu to Vancouver, St. Paul to South Africa; to seek out new ways they may have compromised their security by using this address; to boldly determine what in the ever-loving William Shatner is going on with the over 200 people in this inbox. Frankly, mass public email domains like Gmail and Outlook were not in the minds of the founders and developers of email. Email kind of bubbled up organically in the 1960s with a handful of protocols and systems, and the first ARPANET email was sent in 1971. Back then, the military and universities were pretty much the people who had email, and that was about it, and users numbered in the hundreds, tops. That was how many people were using email worldwide.
And so if you wanted to reach somebody at that point in time, it was not unreasonable to guess the address they might have at their university or office, because there were only a few people, and it was less likely you'd make a mistake. Anything you did wrong would just disappear into the ether. But nowadays that strategy is less of a good one; we'll talk about that in a moment. So, email infrastructure is about 50 years old, but because it's so flexible and open, we're not likely to see people abandon it anytime soon, and this is somewhat problematic in a lot of ways. For those of us who use encryption, we know that it's not built into the original protocols, so it's actually bolted on in a lot of ways. There have also been some things about email that are challenging in situations like this, and always have been. So for example, it's not possible to unsend an email if you made a mistake, which is a huge problem for the folks in this data set. It's not possible to interrupt someone either, like it might be in certain kinds of chat rooms, where you see the little three dots saying this person is about to speak, and go "no no wait wait wait, that's not me, I made a mistake, you made a mistake, you want to address somebody else." You can do that if you're speaking with somebody in person or over the phone; we might be used to that, but on email unfortunately that affordance is not available to us. So compared to that original couple hundred email users, today it is estimated there are 3.9 billion active email users. And it's not just that there are 3.9 billion users: over a third of users now have more than one email address, and that begins to make for some significant complications. So let's think for a second about what's changed since 1971. There are many, many more top-level domains. That's things like .com, .org, you know, .edu; we now have, unfortunately, .nyc. There are many more people who are able to get domains easily.
There are many more domains, and when I say domains I mean the ones that are to the left of the top-level domain, before the final dot. There are people who will typo-squat them, so for example, unless Google has bought it up, somebody has certainly bought up goog1e, with a number one in it that looks like an l.
And they'll sit there and wait for anything sent there, to see if they can just scoop up any stuff that might be valuable that comes in that way. So those permutations are really, really valuable. There are many, many more non-academic domains, and we have a rise of cheap disposable email accounts: Gmail, for example, Outlook, Live, Yahoo. There's much more use of commercial email for marketing. And so the combinatorics of this get absolutely bananas, right? You end up with so many ways things can go wrong. I don't know why ICANN made it so much worse for us by adding more; I'm not sure that anybody asked for more top-level domains, it just made things more complicated. There's no accounting for what people ultimately do with their email address. It's worth noting that the ultimate rule sets, the RFCs that specify what can happen with email, RFC 822, specify that domain names are case-insensitive, right? So to the right-hand side of the at sign, you can do uppercase, lowercase, it will all go to the same place. But to the left, in the username part, anything goes. So somebody could conceivably say, you know, all-caps email is different: if your name is in all caps, then it's a different name than if your name is all in lowercase. And so I'm going to talk in a second about what is particularly complicated about that. One of the challenges is that when software developers are building sign-in systems for accounts, a lot of them treat an email address as if it uniquely identifies a person, that it's a one-to-one relationship: you have one person, one email address. Sometimes they do; sometimes, if you're serving marketing email, they don't, and I'll talk a little bit about that in a second. I'm finding a number of companies who don't seem to care that they're sending different marketing emails and different receipts, even for actual services, to the same account, even though it's clearly identified with a different person.
There's also the matter of shared accounts. There are plenty of people who may share accounts for work, they may share accounts with people in their family, but leaving aside shared accounts, the assumptions that developers make are problematic in a number of ways. One of them is that when you use email as a login, you're basically using the means of contacting somebody also as the means of identifying them. So if somebody needs to identify themselves, they have to give something where somebody could then spam them, or write to them, or possibly even stalk them. I've heard a lot of people worrying about WhatsApp, for example, using your phone number, similarly to email, in order to identify people, because then if that gets spread around, people can harass you in other ways. Also, if you use it in one account, this is also a way that you could use this information to get to other accounts used by the same person, because it's the same identifier across things. Actually this is something that was developed over time, which is actually seen as more useful and more user-friendly, because if you have to memorize both the username and your email address and you don't remember which one is the way of identifying you, it's easier just to use the email address. People will forget, because they also have to memorize a password; they have to remember a password, they have to remember their username. And so it's easier just to go with what you remember, your email address: let's just use that as your identification instead. Given that using the email address to serve as a username is an industry-wide standard practice, there aren't that many great usable alternatives, and a solution to that problem is sort of outside the scope of this talk, but it's worth noting that that is a concern.
But, as I'm about to show you, some of the practices from different companies actually make this really problematic. Gmail, as you may know, ignores dots in the username part of the address, so if I make an address that's g.andrews, it also goes to gandrews, and it continues to just be sent there. There are also a number of other things like plus addressing and so on; a number of people in the audience may be using these to send their spam to a different inbox or something like that. However, companies that are not Google or Gmail do not make the distinction that gandrews and g.andrews are actually the same address. So they may make separate accounts that look unique for each of those addresses. And that ends up being problematic. In the process of sorting out what was in this inbox, I discovered that you can look up Apple IDs using only first name, last name and email address, and it will confirm to you that this person is associated with this account, because, as it happened, there were multiple G. Andrewses who were sending information to gandrews at gmail. So,
like I said, this is kind of a security flaw in what Apple is doing. Basically, if you say "I've forgotten my username, I've forgotten my email address, tell me which address this might be associated with," it just gives you these fields: first name, last name and email address. If you enter them, it will say to you, yes, in fact there is a Gabriella C. (I've obscured the more identifying part of her last name) at G dot firstname.lastname@example.org, and yes. So now if somebody knows those pieces of information, they have an active email address that they can then, you know, target in some way, which could be super problematic. And here was the other one that showed up in this account. I'm including George Andrews's full name because, like I said, there were so many George Andrewses who happened to have sent email to this account that it's not distinguishing which one of them it is. It's one of the GA addresses, and we know it associates to me. One of the things I want to note is that neither of these addresses was ever confirmed by my account. I never went and completed the round trip back to the website when they initially sent a thing saying "an Apple ID was set up to this account, please confirm." I never confirmed, and yet these have continued to serve as Apple ID accounts for these people for a number of years after this. So George is ostensibly out there still using this account, and Apple will confirm that to you. George has unsuccessfully tried to reset this account multiple times since he signed up in 2011, and the other account was set up in 2012. I'm not certain whether Apple has since insisted on that round trip, that somebody come back and confirm, yes, there's a human being here and yes, this is the Apple ID associated with it.
So this might not be; if they've done it, it's not retroactive to these accounts. These ones are still associated, despite the fact that nobody ever confirmed that the correct human being was actually here. So I still need to file a bug report on this. If there's anybody from Apple listening, this is, you know, kind of a problem. I'm not exactly sure how to solve it. The other thing I determined as I was going through these accounts was that you can also add the same email address as a rescue address, or, you know, an alternate address, for an Apple ID account that you already have from another address. These ones do require a round trip; they do require you to go in and confirm, because I've had a couple of them happen, and at the very least, when you go back to this form and enter the name and the email address, it doesn't then confirm that that same email address is associated as a rescue address for something else. So at the very least it's not revealing that information there. But Apple will also send a code to that address saying "please confirm that you want this to be the rescue address." I'm assuming that thereafter, if that code is not returned, then it's not associated with that account. So ultimately it looks like there were going to be about a half a dozen Apple ID accounts associated with this address; in the end I think ultimately there are officially only those two that I showed you a second ago.
So I can see adding that additional email address as a rescue address as a feature, not a bug. Consider the one-kid-for-the-grandparents scenario: say I have four grandparents and none of them feel like they're particularly strong on technology, and so they say "I want you to set this up, and you can have my rescue address, and any time I need to go in and reset my password, you're set up to do that with this rescue address." So maybe it's a feature. Use cases are use cases; they're always diverse and strange, but I still don't know if it's really desirable to have rescue addresses work in this way. The other thing that will be sent to an account if you use this address is service tickets. So, no, poor kid who wrote in saying "Hi, my dad's email address is Adrian Andrews at gmail, I can't buy a thing with his account, I'm locked out, could you please..." No, kid, we're not going to do that for you. Sorry, you do not get that service; that sort of request is not happening for you. I just want to note that the email I'm getting at the gandrews at gmail account is not all spam, it's not all malicious. There is spam, certainly; the spam folder is full of hundreds of emails at any given point in time. But I'm not including that email in my analysis of this; I'm trying to winnow out the spam as much as I possibly can. There's a lot of commercial mail coming in, but it tends to have started someplace. So it usually started with somebody buying something from someplace and thereafter constantly getting mail from, say, Old Navy, right? So it was spam, but it starts with a receipt. And I'll talk about those receipts in a second, and what you can get out of those receipts. If you want to talk about spam, I highly recommend Finn Brunton's book on spam, a really excellent book, but I'm not going to talk about spam beyond this slide.
You might also want to be talking about phishing here. You might think that, oh, the mails that you're getting are somebody trying to phish you, but that would be a mistake. Phishing, obviously, is trying to get documents out of you, getting you to send along things. This is sending documents to me, and it's sending documents to me that should not be sent to me at all. So I may have swept up a couple of pieces of phishing email in here, but for the most part I'm pretty good at identifying them; I don't think that's mostly what's going on here. This is also not exactly shaped like the usual data breach where somebody goes and attacks a company. It is a data breach, but it's performed by the users themselves, in a matter of multiple errors. So that's sort of a strange thing, and we'll talk a little bit more about what the shape of this is. Methods: you may be wondering how I took a look at this stuff, how I sliced and diced it. I used a couple of things that work with Google email, with access to this Gmail account: Mailstrom and unroll.me. Yeah, there are some sort of questionable practices there that they may have about selling data on, but I'm just using this as a rough data set; it's a very messy data set, I don't think it's really of much use to them. Mailstrom is an interesting tool. It is basically meant for people to give it all their Gmail, and then it will batch it out by who has sent things to you, topics and things like that, and it helps you delete things really quickly. So that did a really good job of helping me see really quickly who I was getting mail from, and possibly if there was any relation. I did a lot of search queries to look through it with this, so frequently, to look at that commercial email, I would sort of frob it by the date, just turning the knob back and forth.
So I would go, okay, Old Navy, what was the earliest Old Navy mail I got? And, you know, sort of saying "before: date something something something," do I still have mail? Okay, yes I do. And here's the initial receipt that this mail came from. So that was really useful to look at here, if anybody else also wants to look at a data set like this. And then the To field was also really useful in a lot of ways. This is one of the ways that I knew I was actually getting mail from a whole bunch of different people, because sometimes somebody would write in g email@example.com and they'd give it a name like "this is Gloria" or "this is Quinn." And so that was how I knew these were people trying to reach different people. How do we know that there are all these different people, and how do we know they're individuals? Like I just said, the To fields. So another question is, do people use this email address more than once? And yeah, they do; like, I was just looking today and found somebody, over the course of a number of years, writing to this. Geography can be consistent, so I've actually gone back and looked by zip code a lot of the time, and you will find that the same zip code comes up multiple times. Like the guy in New Mexico who was a sign twirler: that's how I figured out it was him at the car dealership, at the yoga studio, and at his sign twirling thing, and also CVS. If they use this to sign up for something, if they purchase something, this is pretty clearly coming from a person, right? Like, I think we can pretty much agree that it's not likely that the company is just going to generate that email address out of nowhere. Another way that people have called themselves out here is they cc themselves. So it's somebody with an address that is very clearly also a permutation of G. Andrews, who's mailing to gandrews at gmail and forwarding something that has been sent to somewhere else.
So that's another way, and that will happen multiple times over the course of a number of years. Sometimes somebody else sends something to them, and in one or two cases I have actually contacted these people personally. There was the case in which I wrote to the people and sent them a Christmas card and did have a charming back and forth with Patsy before we lost her, and with the newspaper down there. And then another time, a woman signed me up for an account at Target.com, where I determined that I could in fact log in to that account and order things using her credit card and have them sent to myself. And so I looked her up by address, found her address in the corpus, figured out who she was online, called her on the phone and said "you need to change this now. I have changed this password, I have set it to random, I don't know what it is anymore. Please, you know, send this back." And what she said back to me was, "oh, I forget sometimes, my address is actually jeandrews." And she had just left it off. So that is one of the mistakes that people are making. What can we learn about someone if we have a dataset like this? Oh, it's pretty much everything that you can get off of social media, and then some, and it's worse. The most interesting way is to search. Like I said, zip code is a great one. Go search for passwords; you will find some that are sent in the clear. Go search for a social security number; this is getting really depressing. You can search for W-2s. Actually the most entertaining search, one of the most fruitful things, was just to search the corpus for "Adobe," because usually there's an attachment and it's usually some sort of PDF, and that means it's something that's probably pretty important. So we got DMV records with name, address, make, model of car, license plate number, all of those things.
Birthday shows up. FedEx and UPS records are also really fun; you definitely get an address out of those a couple of times, and you can see people over the years sending things to themselves, but using the same email address, for whatever reason. That included the guy at Apple in Cupertino. Um, let's see. Job search sites are really interesting. There are a lot of people searching, using this address, to say "send me jobs in my area." I found a lot of interesting things there; it tells you a little bit about the fields they're working in. Credit card bills, obviously, will show up as well; people forward them to themselves. Do a search for each major online service. Evite is a good one: you can figure out who's going to, like, a tenth grader's, or sorry, a ten year old's birthday party. Want to know who went to the Amazon? Dating sites, things like that. Insurance: a lot of insurance paperwork showed up. Receipts can be super problematic. Square, for example, I think for a while was actually sending people's signature on the receipt, and that is mega problematic, because that gives me another way that I can prove I am this person who has control of this email address that looks plausible, and all this other information about this person. Phone companies send along a SIM ID, great for anybody who wants to SIM swap. My other latest favorite way to search this inbox is to search for .za, which is for South Africa, because in the particular case of South Africa it turns out there are only maybe three G. Andrewses, whereas in the United States there are hundreds. So I actually really got a clear picture of who was who: whose kid was being sent to which school, who was a professor at which school, who was working in mining, who was working in different fields. And when I say exciting I mean this is super depressing, because it's really depressing to think about all these people missing their mail.
So, Domino's Pizza, one of the major offenders in this field, will send to the same address things for people at any address anywhere in the country; they do not seem to care. It will clearly be a different G. Andrews every time: it was definitely George, it was definitely Gary, it was a bunch of guys, and women as well, and they will usually send along your delivery address and your callback number as well. So if somebody should happen to get control of this and they're stalking you, game over. Also, if you're an insurance company, you see who's really heavy on the nitrate-laden meats and maybe headed for some sort of, I don't know, medical problem as a result. So it was useful frequently to go look for the zip code in that particular receipt and then build out a profile of the person based on that particular zip code. Why are people doing this? As I have said in many, many HOPE talks before, it is never just because they are stupid. That is not the way to understand what is going on. If you begin to say people are stupid, you close down your understanding and their understanding of what the problem is, and we're never going to fix it. Ultimately, I don't think these people are entirely in the wrong. It is useful to have an address to give people when, you know, somebody wants to send you a lot of commercial spam and you don't want it. But the strategy I see people using, where they're using this account, is not really helpful, because they are using a real address to which they don't have access. So if ongoing email comes to that address, they don't have access to it anymore. And like I said about receipts, that really begins to compromise their own security. So how would we talk to people about the safe way to handle unwanted email of different kinds, right? Let's talk for a second about the mistakes people make that seem to leave them here. Outright guessing: this was a really fun one. I got mail for a greg.andrews at one point.
And I know it was for greg.andrews, because the person sending it, I think it was another real estate deal, was like "Hi, you contacted our website and I'm guessing this is you," and they cc'd greg.andrews on it, and then greg.andrews wrote back saying "no no, I get this all the time, this was very definitely for somebody else," sent it back, and then the person from the real estate company took that thread and forwarded it to me. So this is just like throwing darts at the board: whoever we think might have this address. And I've heard this from other friends as I've started talking about this to other people.
I've heard them say, yeah, you know, I had this guessed, my name as well. And like I said, that used to be useful, maybe, or it could be useful still if you are looking at a small office. But when you're talking about Gmail, you're talking about everybody in the world, and you really shouldn't be guessing at that point in time. The other thing you would see is sometimes, even on the same email, you'd just be at different permutations of G. Andrews, in just a long cc string; they would all come to me, they'd go to the other G. Andrewses as well. Forwarding to themselves: people were cc'ing themselves, and they were sending themselves delightful things like a badass picture of a celestial dragon and a whole bunch of pictures of sloths, and for some reason a journal along with the sloths. I really don't know; it's like five sloths, there's another sloth, that could include a sloth that was too long, I don't even know why the layout was like this, and then there was a journal. There were 30 soup recipes she forwarded to herself, so thanks for the soup recipes, I'm not gonna look at them. The pictures of the family reunion, that was great and charming, but really also depressing, because now I know your whole family. It was even more depressing when this one person was also sending themselves their bills from another account, right, because then I was beginning to get a picture of: yeah, these are all bills from the same person, addresses were there, all this other identifying information. Typos: it's better when you stick to typos. People will typo their own names; sometimes they'll typo their own names when creating the email account, so it might be g andrey, g andrews but no e, because they couldn't get gandrews, and then they just continuously send it to this account anyway.
Sometimes somebody is talking to somebody on the phone and giving them their email address, so this was sent to somebody who was supposed to be g Andrew Hess, g dot Andrew dot hess, and it was transcribed as g dot Andrew dot s. And so of course it came to me. Oh right, it wasn't at gmail; that's another way of forgetting this, right? So there's one g Andrews who I have once again gotten in touch with, and I was like, hey, this keeps happening on a bunch of different stuff, hotel receipts, Square receipts, and she was like, all right, I don't control it at gmail, I have it at Outlook or something like that. And so there's a constant misremembering of which domain you have which address at. So that's one of the problems with one person having multiple domains: you may forget. Autocomplete, I'm not totally sure; it seems plausible that there might be some system out there that would autocomplete to you when you type in something that looks like an email. I'm hoping that's not the case. Devs, if you have done that, don't do that. It's not helping. Not even the right name: there are some really inexplicable ones, something to Geraldine Lamb, something to Carolyn Bernstein, or Dennis. Hi Dennis, I don't know why you have a G Andrews, or you could ask, like, g Andrews, is that really you? D and G are not that close on the keyboard, I don't know. One of the allegations that might get made, as it was made about my dissertation data as well, is maybe these people just don't know how email works. Maybe they don't know how addresses work. I see some indication that this might be the case, and one of the reasons why is there is an absolute ton of things here from various job search websites. It's possible, I think, that people are signing up to go apply for jobs, and possibly the job recruiters, the people at the workforce development sites at the unemployment office, are saying, plausibly, "This is your email address." I really hope that's not the case.
But, you know, I'm not... that could be. There are people who are maybe re-entering the workforce and they really don't know that it's not their email address. You get a lot of things from job listing sites that end up looking creepily similar, so one of these is from Job Serious and another is from UK Staff; a lot of them look like kind of fly-by-night job websites. Some of them don't exist anymore. Some of them have been bought by other websites. These might just actually be ad click generation sites in some way. So that was sort of a, I'm not really sure what's going on here; it might be worth somebody else looking into it at some point,
but it does point out this problem of, you know, people who don't really know how email works possibly getting caught in a web of creepy spam, and, you know, their information going to places that it really shouldn't. So which industries seem to have the biggest problems with this? There are some industries that are overrepresented in the corpus of this data set. One of them is real estate; a lot of real estate. Real estate and automotive, I think we're just looking at lead generation. So if they get some email address, they're just going to keep writing and keep writing and keep writing and really hope that somebody buys that Camaro or whatever, and real estate's the same way. I got offers like, here's some property in the UK you might be interested in. Thanks. I don't know. Construction, unfortunately: there's also a lot of construction sites that seem to be sending email around this way. Retail really, like I said, does not care a lot of the time how many times it sends to one email account with different names, different addresses. I'm assuming they just like to say, you know, we have this many customers, and that looks good for somebody's metrics somewhere. But Domino's and CVS are really bad about leaking information in terms of, like, what your local store is and stuff like that. It's really pretty creepy. To think that ultimately this is gonna ruin your data set, because if you don't actually have a live person when you're trying to sell them something, why would you keep it? Why do you want to keep that address? I would begin to prune these things. One or two of the companies I did see saying, hey, if you're not responding, we're assuming you're not there and taking you off our list. Please take them off the list. So what is this? It's not exactly a data breach; I think it's more like a honeypot, right? So if somebody hacked an account, a first initial last name account, it would be incredibly valuable. There'd be all sorts of stuff for people all over the world.
It's a disturbing amount of valuable information in there. So the question then is, how likely is this to be used by malicious actors? Who would even be interested in something like this? As it happens, there's a website called OGUsers, which we heard about recently in the recent Twitter hack. If you don't know about this offshoot of black market web services, I recommend getting familiar with it; the podcast episode "The Snapchat Thief" on Reply All was a really, really interesting look into this particular culture. So let's take a look at OGUsers. What exactly is OGUsers? They're "original gangsters." Let's take a tour of their website, shall we? What even is this place about? It's about "leading discussion and marketplace," and the kingdom structure with Robert Rock strapped to a rocket for some reason, I don't know; it's got a thumbs up. If you dig super, super deep, then you actually find something that says it's a "community driven digital marketplace that connects buyers and sellers from all around." Of what, though? Oh, virtual products. Can I get my Second Life avatar there? I don't know. "You can also participate in general discussions on our site, make new friends and have some fun." I can't even tell what's going on; the website just looks as if it answers the question, what would a Bootstrap template look like if it was bitten by a zombie who was hungry for Yeezys? There's not much information on what's actually happening here. They have 100-plus topics and members and accounts, but what is it for? But then you dig in deeper,
maybe it is about Yeezys,
maybe it's about fashion. It's about sneaker pimping, because there actually is a clothing and fashion board. So if you listen to the Reply All podcast, which I highly recommend, it's a very entertaining tale. And the idea behind OGUsers is that there are people out there, and they're pretty young for the most part, who are really interested in having, you know, it was like, if anybody here remembers the ICQ username wars of whenever, a trillion years ago, having a low number of digits was, you know, it made you OG, it made you like you're one of the original people on the website, you were maybe ostensibly some kind of influencer, yeah, I don't really know. You know, so having a low-level account of some sort is considered to be desirable in the same way that, like, a Yeezy sneaker or a Gucci handbag or what have you is, right? So this is a status symbol, basically; their status markers are for early adoption. And so that was what we saw in the Twitter hack, is that some of the people who were involved in hacking Twitter recently were going for usernames like 6 or L, right, because those were ones that ostensibly a lot of people would look for, whether intentionally or not. So now I'm not saying that G firstname.lastname@example.org is somehow sexy; it is not. As you can see, pretty much all that email would fall under, in this sense, "other OG accounts," which is presumably where you keep the old ones, like myself; mine is now an old one, because I am not interested in Instagram, gamertags, Twitter, TikTok, Snapchat or Steam or various other gaming sites. Most OGUsers are really concerned, apparently, with the gaming accounts and also very recent social media.
But ostensibly you can get email accounts on here as well, in one way or another. The infrastructure is here to buy and sell any username, and if you listen to the Reply All podcast, what you learn is that in fact this is not just "we happen to have access to these accounts": there are people actively SIM swapping, attacking and stealing these accounts from people. So I would assume that there are other very simple, basic Gmail usernames that are being bought and sold on some marketplace somewhere. So you'll notice also here that they're selling high-stat accounts, so they're selling accounts that presumably have a number of... I didn't sign up, because I don't want to sign up for an account here, but I'm assuming that if I dug into this Instagram and Twitter stuff, I would find something where I could be an instant influencer by having accounts with tens of thousands of followers. Digging further into OGUsers, I begin to get a sense from this part that says member services, or says middleman services and social media services, that this is along the lines of the phishing-as-a-service providers that were described in Ashley Vang and Zach Allen's "Battling Super Mutants in the Phishing Wasteland" talk at ShmooCon earlier this year. So they were seeing what they were calling a platform capitalism shift in cybercrime, where now, if you're going to phish people, if you're going to execute a DDoS attack and take down a website by swamping it with traffic, or if you want to source weak credit cards or password leaks, that now comes with a dashboard. There is somebody who's created the software to sell you the entire service, and there's concierge service. So if you have problems with your DDoS attack and it's not going the way you want,
there's a concierge there to say, "How may I help you?" and continue doing your evil deeds and taking down a website. It's not pretty, right? So this is a major shift, and I'm assuming this is part of that infrastructure; I could be wrong, like I said, I'm not going any deeper into OGUsers. So if you listen to the podcast on Reply All, you mostly hear about the kids involved, because it's like designer clothes, but this overlaps clearly with larger scale criminal networks. And in those hands a first initial last name or first name last name account could be used to extract a lot more value. What to do? Ah, there's so many things that are problematic. Companies could actually make sure they complete, and this is probably the biggest takeaway, companies could actually complete round-trip verification. If you are going to send somebody a challenge saying, verify that you actually are the user with this account, make sure it comes back to you, and make that account go away if it doesn't. There are people apparently not doing that. Apple, I would hope, would do something about the legacy accounts that didn't complete that round trip; they should be verified and checked if at all possible, if that's possible at this point in time. Security trainers: if you train people in security, if you find people need a disposable email account, guide them towards actual disposable email accounts like Guerrilla Mail, or to one you control, like I have a Yahoo account that I just use for junk; it doesn't really contain anything important. Holders of common-name addresses like myself: set up multi-factor authentication. I think it's pretty reasonable to expect that there might be a SIM swap targeting attack on you. Lock down your phone with your phone company and tell them that they need additional verification before they change your SIM card around.
Additional questions. Users and businesses: do we accept this risk? I mean, is this where we want our business email going, or do we want to consider moving to a service where it's a little bit less likely that we're going to have random junk from various people around the world, or people trying to attack us? Developers: I think maybe we need to reconsider using logins that are somebody else's contact detail; that's just a privacy concern, or part of somebody else's ecosystem. It's hard; authentication and login is hard, but this might be a moment to reconsider what we can do there. That is pretty much it. If you enjoyed this talk, I have a book out. That is a book for your relatives who have a really hard time with their digital privacy and security, or who have a hard time with their management of disinformation and misinformation; I have some techniques for dealing with that, as well as digital mindfulness, helping us all survive stress and FOMO and all these other feelings that we get from our minds. Thank you very much. See you around at the next one.
Welcome back. We're here with Gus Andrews, who just gave an incredible talk about what to do with our email issues, and one of the questions that we're going to start out with is: how do you deal with illegal content or activity that you might receive in some of these emails?
Yeah, that's a great one. I'm really just, sort of, mostly don't engage, delete when possible. I think probably if I found something really creepy like child porn or something, I would probably try to report it to the authorities in some way.
It's a little challenging to figure out how to do that.
But yeah, I mean, this is sort of a fine line to walk. I'm mostly trying to talk about this in order to bring out two things: mostly what people are doing wrong, and trying to help understand that so it happens less often. And then also sort of the kismet of, like, you know, you're wandering around the internet, random things happen to you, which was always the best part of the internet, which we don't get that much anymore. But yeah, so it's really kind of charming in a way, or the stories, like I was saying, that we had a back and forth with Patsy and her family. They sent me mail being like, "we got in the paper," and I'm like, hey, now we're in the paper. Okay, great. So, what's my favorite email service? I'm sorry, I'm seeing comments in the chat: what's my favorite email service?
I kind of hate the internet now. ProtonMail is serviceable, I guess. I am unfortunately addicted to Gmail just because it's so easy to search and find things. So, yeah, sure.
One of the questions I had was, it seemed like you did such an incredible amount of work, and it must have taken you years. How long have you spent on this project?
Actually, I haven't answered that right here, so I'm keeping notes as I go; I'm keeping sort of a diary of this, which was inspired by Sara-Jayne Terp. I've actually only really been doing analysis on this since January, the end of January of this year, it looks like. Yeah, so I think that's all. But I have spent a lot of... it's just fascinating, like it never gets boring, like it never, ever, ever gets boring. So,
okay. Our next question is: do you ever get someone accusing or thinking you are the person trying to hack them?
Like, "I am not the other..." Yeah.
Yeah, I'm not totally sure that that has happened to me. When I call people or have written to them, they've actually been like, oh, I'm surprised. So if you approach them in a gentle kind of a way, I think people are a little bit more open to it. But I have yet to reach out to anybody who is really much older and really at a further distance from the internet. So yeah, it hasn't been all that bad.
Right. Okay. Um, let's see, I think...
I'm not sure if we got another question here for you. You were at the chat; I'm not sure if you found something.
Someone suggests in the chat: don't delete the account, tombstone it, so someone can keep something created and generate a fresh verification email each time. I don't know about tombstoning, and actually, if you want to post a little bit more information there about how that works, I would really like to know.
All right, I do have a question for you here.
So the question is, how long did that autoresponse take you to craft? Did anyone reply?
Like five seconds, because I have verbal diarrhea. Took me... no, people have replied; mostly people have been like, "Oh, thanks," and that's it. One person just wrote back "Hi," but that was somebody who I think had written on Venmo; there seems to be some sort of Venmo scam with somebody sending like $2 or something like that and then, like, trying to set up a date over it or something like that, like there's, you know, "meet hot girls," whatever. So yeah, that person was the one who was like "Hi" in response to my "please go away" email. Yes, thank you for the hat. I just had to give a nod to BIA, because she did such a great job incorporating Rainbow Dash on her slides; I was like, I gotta wear my Rainbow Dash out. It seems like I can't be one-upped by a 13-year-old, man; her game is much stronger than mine, so it's time for some Rainbow Dash. It's been truly lovely to watch this channel and everybody being like, I feel your pain, because really, I think most of us who were early adopters really had this happen in a lot of ways. So. Exactly,
exactly. All right, we're almost out of time here, and I don't see any other questions. I
see one: what percentage of the emails have the instruction at the bottom demanding you delete the email if it's not for you? You know, when lawyers send stuff to you. You got a couple; there really aren't that many, there haven't been that many, and yeah, I'm not too concerned. The one from the signing parlors was really amazing; I'm like, why are you bothering with the end? It was very bespoke; they had hand crafted it for their own understanding of how the, the relation to find twirling and Branzburg. But yeah, so just a plug. If you enjoyed this talk, if you are worried about people in your life having this kind of trouble with the internet, a book: Keep Calm and Log On. Got it right here; let me just hand model it myself right here. If you go to keepcalmlogon.com, you can buy a copy there. There are now ebooks available; I recommend bookshop.org, because that's the way to avoid paying money to Amazon. But yeah, there's stuff in here on digital privacy, digital security, basic rules for everyday life for people who might be struggling, but also helping people get around disinformation and misinformation online. And also digital mindfulness for the rest of us: how to basically unplug and stop, you know, in the middle of the night, feeling like you need to play whack-a-mole on Twitter with people who are wrong, or whatever like that; I've got some tips for that too.
All right. Well,
thank you very much, Dr. Gus Andrews, and on behalf of all the attendees and all the staff here at HOPE 2020, we really appreciate you coming on and sharing your perspective with us; it's greatly appreciated. And hopefully we'll see you at the next HOPE.
Hey, thanks a lot.