0:00:04 You're listening to the Shared Security Show, exploring the trust you put in people and technology with your hosts, Tom Eston, Scott Wright and Kevin Johnson. Welcome to episode two hundred and sixty six of the Shared Security Show, and joining me this week is cohost, Kevin Johnson, who is apparently only here for comic relief. And his Canadian sidekick cohost, Scott Wright. Yeah. I love it and Scott's my sidekick. Not yours. Yeah. I'm mine. He's yours. Yeah. No. Here's one of me. So I'm only here for comic relief. Okay? I'm good with that. Well, that's what I'm saying. Sidekick, the comic relief. What does that make me? Yeah. Well, I I wasn't gonna say it.

0:00:56 Did you did you see my absolutely fascinating fun best joke ever the other night? When I was at the Italian restaurant. I was at an Italian restaurant, and I was eating chicken piccata, not that that's important. But there's capers on chicken piccata. And one of the capers fell off my plate. And I said out loud, Oh, no. It's an escapeer. And What's I say? I giggled for five minutes. I look Yeah. I'm sitting at the table. My whole family is with me, my daughters, my wife, and I am giggling like a madman. And and Denise says, what is wrong with you? I said, you married me. I Yeah. Yes. Clearly. Well, I was like this. Before you said I do and -- Yeah. -- an escapeer. That's a -- Okay. -- an escape -- -- an escapeer. -- a escapeer. That's a -- Okay. Alright. But I I I did bring the comic relief thing up because that is what you said that you do on this podcast when you were on the Secure Dad podcast. Oh, my god. I did a couple weeks ago. I saw. Oh, yeah. So check out the Secure Dad podcast for some reason. Yeah. Yeah. That was I that was that was fun. It was fun, actually. Was good.

0:02:05 One, I I always like talking to YouTube and Andy. Right? Andy's great. Isn't it? Okay. I when I started to say it, I'm like, wait, that's not right. He he seemed like a good guy. He was a good guy. Yeah. Yeah.
That was a fun conversation. Yeah. Yeah. I've been on Andy for a long time. We've been on each other's podcast, and and I always recommend his show to others as well. So I really like how he brings the parents into the conversation about how to live a better life and more secure life and all that. So good stuff. Yeah. But I I guess I should start listening to those podcasts. Yeah. You probably should. Yeah. I okay. So that brings up a question that probably as a person who is cohost and who has a sidekick of a podcast. I probably shouldn't have to ask this question.

0:02:52 But what do you guys recommend to listen to the podcast on? Because I've tried like, I have an Android phone. So I I I like, everybody's like, wherever you get your Apple app, podcasts. I'm like, okay, I don't have Apple Podcasts. I have an Android phone. I've tried Spotify.

0:03:07 It randomly forgets which episodes I've listened to, it randomly points me at at different things. That sucks. I've tried various other tools. What I don't get to listen to very many podcasts -- Okay. -- because I get frustrated. What do you recommend? I will give you my oh, go ahead. You're frustrated.

0:03:25 Mine probably doesn't count because I'm just a sidekick, but I use an I'm an iPhone guy. I use the Podcasts app on iPhone. It works fine. Nice way. Well, So I I will tell you I use an app that you can use on Android and iOS, and it's called Overcast.

0:03:43 Okay. Okay. As in, like, cloud weather. Cloudy day. Yeah. Yeah. Yeah. At least that's what I think it's called.

0:03:51 Let me look real quick, but Yeah. Overcast. No. Overcast dot FM? Yeah. Yeah. I love it. I've even been using it for years. Yeah. My favorite podcast app. Yeah. I appreciate it.

0:04:00 I just it's it's It's well, this says for Apple, iPhone. It should be for Android too. I'll look at it afterwards. I don't need to look at it while we're recording. I just I it's so frustrating to me that I can't find one that stays consistent. Right?
Like, like, the ability to just say play it at a one and a half speed or whatever and and what have you. So okay. Go on. I'm sorry. We have other topics Oh, yeah. We have other than Kevin's software choices. But as always fun to talk, talk about occasionally. Right? So we'll we'll steer this back to some fun stories this week.

0:04:39 And first one, is Twitter is phasing out its free text message based, and I wanna clarify text message based two factor authentication and putting that behind a paywall. Which is has a lot of people shaking their heads. Why? Makes no sense. I have my own opinion. I I believe it is a a a money play because text message SMS costs money. Right? They probably use a third party service, which costs money. Cost money to the company who is offering it, not the person receiving it. Just to be clear for me who don't know. Yes. And and if you're not familiar with this story, so Twitter is gonna be you know, only allowing SMS based two factor authentication for Twitter Blue subscribers. And still offering the more secure method of two factor authentication, which is app based two factor authentication, for non paid Twitter users. Sounds like a great value proposition. I'm gonna pay more and have a less secure two factor authentication. Well, here's the other kicker is that they will be migrating users off of two factor authentication So if you have SMS enabled, you need to go in and set up app based or you're not gonna have any two factor authentication.

0:06:07 March. Right? Yeah. It's middle of March. No. Yeah. So what do you guys say? I have a I have a problem because maybe it's just in Canada, but I have never been able to find the two factor authentication app setting in Twitter. I've tried many times. I got it. It doesn't look like they have two factor authentication. If you're using the Canadian version of Twitter I guess it is. Yeah. Shouldn't even be using the Twitter username. Twitter username. So I one, I wanna be very clear.
I I'm in no way saying, well, Twitter is the best option here. I one, I think, it's absolutely hilarious to me.

0:06:41 How many people spouted outrage -- Oh my gosh. -- at Twitter getting rid of two factor authentication. It's like, no. No. That's not what they're doing. I I whether we can agree or disagree with what they're doing, let's at least represent it correctly. They're removing SMS. I know, Tom, you said that. I like, I right. You said it correctly. And and, oh, by the way, you are not one of the people I saw. Spouting outrage over the wrong thing.

0:07:09 I so for me, from a business perspective, let's ignore opinions, people maybe people have cologne last names, Right. Musk. I think that. So coming. There it is. So I I I understand from a business perspective, hey, this feature is less something we want to support because it costs money. It's not as secure as other and other things like that. So let's move it to a paid subscription. That makes sense. That I I look at that decision, oh, okay. I get that. I don't like it. And I don't like it because I and I've said this many times. I've said this on this show many times. I've said it on stage.

0:08:00 Many times that that infosec seems to ignore the idea that many of the people who use SMS two factor don't have another option. Yeah. Yeah. Right. Yes. Well, if I remember the numbers, like, twenty two percent of of of North American people who have cell phones do not have a smartphone. Yeah. Right? So -- Yeah. -- so they possess itself. This is not I don't have a cell phone at all. They've got a cell phone. It's not a smartphone. Yeah. So the app options aren't available to them. They're just not available to them. The the YubiKey option is not available to them. Well, that's not true. That that's not true. The YubiKey option is available to them because they're using Twitter on their computer.
0:08:47 But we have large numbers of people that access the Internet, access things like Twitter solely from public use computers. And SMS is the option they have -- Yeah. -- to do this. And what we're saying is to those people. And maybe that's okay. Maybe it's good because we don't want anybody on Twitter because we hate Elon Musk. So so moving at least the poor people off of Twitter is a bit weird. That doesn't that doesn't sound elitist at all. Yeah. But but we seem to overlook that those who probably need this level of security the most are hit the worst. Yeah. Right? That's a great point. Yeah.

0:09:30 Now I will also point out. I read somewhere that, like, less than five percent of Twitter's users even have two factor authentication. That's also false. Right? Like and it's probably because, like, Scott, they can't find the option. I've got two from just SMS. So Yeah. Oh. Oh, I I misunderstood you, madam. I'm sorry. I but you're saying Yeah. I can't get the app. Yeah. Okay. That makes sense. And I don't remember where I turned it on. I know I mean, I it's one of those things where I know I turned it on. I just don't know where.

0:09:59 But but I think that this was a lot of outrage over something not really important. And to me, this is this is one of the things I say quite often about lots of things, is whether you agree or disagree with something at least present what you agree or disagree with correctly. Yeah. Like, when we -- It's so important. Yeah. -- security experts come go, wha.

0:10:21 Twitter is not letting us do two factor, and our argument is so easily undermined by, well, the actual thing they're doing. Everything else we say is discounted. Right? Like Yeah. Yeah. So when we say Twitter is bad for security because they're removing two factor entirely. Anything we say after that phrase is immediately disregarded, correctly so in many cases, because we weren't right on that. So to me, I don't like that Twitter's doing it.
I don't like that Twitter's doing it for different reasons than the outrage. My issue is we are telling the people who can't afford. Right? Mhmm. But from a business perspective, it makes sense. I you know? And the other argument I saw was, like, well, SMS is less secure than app based two factor authentication. So this is actually a good thing. Right? It's gonna force people to use the app and No. It's gonna basically, they're turning off two factor if you don't complete it up. Yeah. Right. If you don't set it up.

0:11:20 I my guess is there's gonna be a bunch of incidents, you know -- Yeah. -- of of storm I don't know about a bunch. And the only reason I've had it on a lot of bunch is because I because so few people on Twitter use two factor anyways. Yeah. That yeah. That's true. We're not we're not we're going to see a negligible increase in the number of people's Twitter accounts being breached. I think what we will see a huge increase in is the number of people whose Twitter accounts have reached that thought they were protected it because -- Yeah. -- it could also affect people who are higher profile, but haven't bought the Twitter Blue.

0:11:53 And therefore, a bigger target to start with, and attackers might say, well, they probably did have two factor at one point, but probably don't now. That's a good point. Yeah. That's a good point. Yeah. Like, hey, you're a high profile person. You're you're not tick box whatever. Right? So if I don't set up my two factor authentication app, I'm gonna default back to regular and somebody's gonna target me. That's actually a really good idea that I hadn't thought about is that this makes somebody a target by not having the checkbox. I think so. Yeah. That that's interesting, Scott. I I really I hadn't thought about it that way. Yeah. It should be our Aware Much segment. Oh, we will get you that. We have a partner aware much that you. We do.
0:12:34 The the last thing I do wanna say about this though is that in the argument that, like, oh, we need to get rid of SMS two factor because you're gonna get hacked and because there's vulnerabilities in it. Like, you know, for high profile people, maybe. Maybe that's the case depending on your risk profile and who you are and your threat model and all that stuff. But But for the normal user, SMS two factor is better than nothing. Yeah. And as a security professional, I am always gonna recommend that you use SMS or any two factor authentication because this will still protect you. Yeah. I one hundred percent, I'd rather you have something than not use something exactly. Alright.

0:13:15 Well, with that, let's jump into a segment we haven't had in a a few weeks, which is Aware Much. That's why that makes me giggle. We don't know either because I'm a sidekick. I'm a I'm a comic sidekick. Yes. Yes, Tom. It's absolutely time to ask that question -- Mhmm. -- Aware Much. So how much do you think it would cost if I was to actually be able to buy data about your mental health talk? One billion dollars. Turns out that for as little as five and a half cents, US -- Oh. -- that's ridiculous. -- US. Not Canadian. For one record, I can buy your data and learn about your bipolar disorder, anxiety, or depression. So we learn about Tom, but for me, what do you wanna know? I know Kevin Kevin's an open book. Kevin's gonna get it to you for free. Yeah. Yeah. Send me the thirty seven cents. It's a deal.

0:14:13 But we learned that researchers at Duke University set out to buy data on people's mental health from thirty seven different data brokers, which are the guys that collect data from various places and sell it. And eleven of those brokers agreed to sell information that identified people through various attributes.
And sometimes demographics like race, age, credit score, locations, And they didn't really hide the fact that they could provide names and addresses for these things, which is kinda scary too. But Sadly, not much has really been done. We know on the legislative side, right, that's gonna be able to prevent this at all.

0:14:50 So a lot of people though think that HIPAA, the regulations around health information, will protect a lot of information, but it actually only deals with covered entities like hospitals or healthcare organizations. So my question to you guys is where do they where do these data brokers get that data? Well, I mean, they listen to our podcast. And that's how they got my data. No. As a matter of fact, the HIPAA thing is is a good question. It's a good is a good point.

0:15:19 A lot of people like, oh, if it covers that. And it's like, yeah. If it does, if the data came from a covered entity, I'll tell you one of the places you can get that type of data. And that is from purchasing. Right? Yeah. If you're buying if you go out to Pfizer's website and I'm making that one Right? No, I'm not. Pfizer actually has a website, but and you research drugs for bipolar disorder or anxiety or whatever. That's not HIPAA covered because that's just marketing materials. Right? And the fact that you researched anxiety medicine does not mean you have anxiety, But it does mean you probably do. Right? Or you know somebody who does. So a lot of the data comes from that another place that a lot of data comes from, and this is something that that we're seeing more and more of, and it's it's a messed up one.

0:16:11 And that is many HIPAA covered entities are actually putting analytics trackers and things like that. Into sections of their apps that are authenticated. Mhmm. Yep. I think we talked about that one. We did. Yes. We did. Many times accidentally, right, they're deploying it as part of the look and feel of the app.
And then, right, or the marketing person doesn't understand or or in some cases, I've worked with companies where they have rolled out software to help support their end users. But the software that's helping support end users, like, you know, like, the hot spot and stuff like that, that's just an arm of an analytics company. Yeah. That is getting that data.

0:16:56 So the data comes from lots of different sources that either accidentally or on purpose reveal medical data that isn't HIPAA covered because it's not a HIPAA covered entity. That's where a lot of it comes from. Yeah. Of course, there's also data breaches and stuff like that that that people get access to. But my understanding from working with data brokers and my understanding from working with HIPAA covered entities is that most of the data comes from non HIPAA covered sources -- Yeah. -- that can tie back. And, you know, the answer of, well, they're not doing a lot of effort to hide names and addresses and stuff like that. We've seen for years, what was it in, you know, seventeen thirty five AOL released anonymized search data And within minutes, people were finding that priest that was looking for escorts or -- Yeah. -- you know, like and that's a that's a real example. That's not me just making fun of priests.

0:17:50 My guess is one of the biggest sources would be a place like Facebook. Right? Social social media sites -- Yes. -- as well. Yeah. Well, how many times do you look at a site? And it says, like us on Facebook or -- Yeah. -- use your Facebook account to authenticate or right, like, Yep. Yep.

0:18:06 The one thing I wanna add to that, I I think I wanna make people aware of, is there's a surge of these mental health apps that are out there, like, Talkspace, and all of these, like, you know, therapist type apps. Right? Where you can talk in real time to a therapist and all that sort of going like to a an office. Right? Yep.
And I wanna encourage everyone to read those terms of service -- Yep. -- when you sign up for those apps because I would bet you that a lot of those apps have some type of disclaimer that they can use some of your information, maybe conditions like bipolar or other things that don't necessarily name you, but they name the condition that you're being treated for and then that information goes over to one of these data brokers. So Yeah. It'd be interesting to hear my intuition. If people are bombarded with ads more after they've joined one of those apps be interesting. Yeah.

0:18:59 And I don't wanna be political. I mean, that's far be it from Kevin to be political. Not on this show. Yeah. But we're having a very similar problem here in Florida where governor DeSantis has, for lack of a better term, a crusade against trans rights -- Yeah. -- or trans people. And and I I'm fighting very hard not to use the terms I want to use about him because I'm trying to keep the explicit tag off of this episode. Thank you very much.

0:19:30 I if anybody is not clear, I hate what is happening in Florida right now, but he is leveraging the state's schools. And he has gone to the state schools and said, hey, you know, you're funded by Florida. You've got our our medication. And I want you DeSantis wants them to release to him, to his administration data about trans students who are seeking treatment and help and advisory. And and and a lot of people I I actually a a person I'm connected on Facebook was like, oh, oh, this violates HIPAA. We have to fight it. We have to go, oh, this is gonna happen. And I and I said to him. It doesn't. No. And and I'm not correcting you as in, no. No. Your outrage is unreasonable. It's like, no. No. No. We have to fight the right thing. Yeah. Yeah. This is absolutely again, I'm not agreeing that it should be, but this is absolutely something that's allowed.
Because they are providing it without names, without, you know, without identifying and I I hope you heard the quotes and italics, identifying remarks. So it's a student has gotten treatment for for this thing related to, you know, transition. And I I feel horribly I feel bigoted even saying it right now because of of this. I'm trying very hard not to be offensive because I hate what's happening so much.

0:20:55 But that data is available and is searchable and worse. Florida is Sunshine State Law. Right? Like, if the government is involved in it, it has to be public to a level. There are anonymizing things and stuff like that. And so a lot of this type of data is coming from sources like that that the student the student who went to the healthcare center or whatever you call it, I didn't go to college, so I don't know. But right when they went to the medical adviser, I don't know, and said, hey. I I I feel like I wanna transition. I feel like I'm I'm, you know, I'm in the wrong body of this, whatever. They went there believing that was a completely private and protected thing, and it's not. And that that to me is the biggest thing I hope that Aware Much is pushing is? Yes. Well, be so aware, no pun intended. Whether or not what you're doing is a protected thing or is an encrypted or is a safe. That's that's the big thing. The chilling effects of this type of data brokerage stuff. Even ignoring the -- Yeah. -- jerk of a governor, I think that was not explicit. Nope. Right. I'm clear. Understanding the lack of control these data brokers give you is is so critical. Yep. Thanks for that.

0:22:16 Kevin, this segment of Aware Much has been brought to you by Click Armor, where we make security awareness engaging, fun, and effective. And if you're facing increasing pressure to improve awareness or compliance, you should try our highly interactive unified security awareness training. So visit click armor dot ca for more information.
And while you're at it, check out our security awareness forum. It's a biweekly panel discussion with live Q&A. We get lots of great discussion going on, things like operation security, working from home, awareness, training, content types, employee assessments, all kinds of topics. We do them every two weeks, and we last time, we had seventy people registered, which is awesome. So, yeah, it's it's really fun and and great value for people. So join us at click armor dot c a slash s a f. And that's it for Aware Much.

0:23:06 Can I ask you a question, Scott? I before we go to the next section, you just posted something somewhere. I think it was LinkedIn. Okay. When you said gamified it triggered the thing. Yeah. I mean, I think it was LinkedIn. You posted an absolutely awesome article where you explained in detail when you read it to me. That's cool. Yeah. That's terrific. I you you posted this really, really good article about what you mean by gamified. And you pointed out how about people using it different ways and everything else like that. Yeah. And I Tom, if you can put that in the show notes, I think that's excellent. Yeah. And that not trying to pin click our model. I mean to make, Scott. Yeah. But we can we can actually make it a topic for next week maybe. Perfect. I I was I read it And I thought, man, that's a really because you're absolutely right. That term is thrown around. So -- Yeah. -- it's important to really understand what people mean when they say gamified. Yeah. So it was it was excellent. I like this one. Thanks very much. I appreciate it. Love to love to chat more about it.

0:24:07 Well, I know we've already mentioned, like, paywalls. And pay to play, all that stuff. So Meta, formerly Facebook, has has launched a new program called Meta Verified, which aims to unify verification across all of their platforms. So for the low low price of twelve dollars per month, or fifteen on mobile, which is really interesting.
So if you're on the web, it's twelve dollars. If you use it on the app, it's fifteen. Which is really cover that's probably to cover the extra money that Apple or Google takes -- Yeah. -- for mobile app. Yeah. So So you can verify who you say you are by uploading your government ID, which this sounds like a horrible idea. Like, I'm giving all this information to Facebook already. Now I'm gonna give them my government ID. Yeah. Awesome. And then you will get a blue badge not a check mark, but a blue badge. And you will get active monitoring against identity fraud and immediate customer support.

0:25:15 What do they say? I don't know. I don't want to go there. I was not gonna stop it. I'm not going there. No. So this obviously copies off of Twitter Blue, which is eight dollars a month. So, I don't know, what do you guys think of this? This is I don't know. I don't care either. I I care enough to bring it up on the podcast. Yes. Yes. I don't mean it that way. I I I again, this is another one of those things where I've seen a lot of people oh my god. They're offering it for twelve dollars. That's ridiculous. That's way too high a price. And then I'm like, oh, fifteen. I don't know. I do you think it's a high price? Don't buy it. Right? Like, I there are I personally think that there are reasonable use cases for I'm not gonna get verified on Meta. No. I'm not either. Right? You wanna I deleted all my Metas. So Right. I haven't because I still use my Quest. I still have Supernatural for the the exercise. I'm still fat, but I'm working on it. I really am.

0:26:10 But if you're hate the term influencer. But bluntly, if you're an influencer, if you're an organization that's that's using this to promote your company, your your activities, whatever. It kinda makes sense. To to pay the money maybe for you. Mhmm. The thing that the thing that gets me is, I don't think it'll work. And here's why I don't think it'll work.

0:26:38 I have a Facebook account.
I've got connections on Facebook. I always hate to term friends on Facebook. I I have friends who are connected to me on Facebook. But I also have other people who are connected to me on Facebook that I'm not sure they rate as friends, but they're connections. I bet you that if I paid that money, I got the blue check mark. And then tomorrow, you built a Kevin Johnson Facebook page with my profile picture and my stuff that ninety nine percent of the people I'm connected to will not notice. Yep. Yeah. Friends. Yeah. Yeah. Like, I don't think like, here's the thing. If if I created a Kevin Johnson Facebook page and got it validated and paid the money. If every other Facebook page that said they were Kevin Johnson and tried to use my picture, Facebook kicked out. Then as a business, that might be worthwhile. But considering the fact that they're not going to What is what is that comedian's name?

0:27:34 I feel on TikTok all the time, but he's he goes around and he he responds to people as the company. Right? Like, somebody says, oh, you know, you're evil, Chick-fil-A, because you'd close on Sundays and I wanted a chicken sandwich or you're evil, Wendy's, because you've got a mascot that has pigtails or whatever. Right? And then this guy creates a Wendy's Facebook page and he responds to the person and he records it and then he does a skit on stage about it. Like, well, no. It was a dumb thing this person did. And it's hilarious. The guy is every time I see his video, like, oh, yeah. I watch this.

0:28:12 If if Facebook or Meta's checkbox doesn't prevent him from doing that. And I don't mean enables a user to know that it was really Wendy's, not this guy. I mean, actually preventing him from doing that. And it's not worth twelve dollars. It's not it's not doing what it claims. Interesting. It might take. Yeah. Yeah. Well, We shall all see. Won't we? We will see.
0:28:36 If it's a success or not, but I won't be using it because I deleted all of my Meta accounts so long ago. And I'm happier because of it. I I stopped I stopped using Facebook for a long time and then family and things going on dragged me back into it. And I've I've I've found myself falling back into the checking Facebook and and stuff. And I recognize where it -- Mhmm. -- spends too much time affecting the way I'm thinking about. Yeah. So with that, I think that's all we have for today, just It was. I like it though.

0:29:12 This was a lot of good discussion. Have to run off somewhere. That's right. We didn't have to run off to another meeting or something crazy. Right? This is my last meeting of the day. I know. But what to do with the next hour and You can enjoy your weekend. My life. Yes. I know. I know. So Well, thank you both as always, and thanks to all of our listeners and subscribers on YouTube.

0:29:35 We are still inching up towards a thousand subscribers on YouTube. So Nice. Hit that like and subscribe button. Yeah. Much of your faithful sidekick, Kevin. By the next week, I'm yours. That's a little Look, we'll all take this.

0:29:49 I don't take this. Oh, I like that. We just take it to be a sidekick. No. No. No. No. Tom's in charge. This is Tom. You got one of you can have the host role for a little bit. I'm fine with that. This is your show, and you met us. Oh, I see. I see. Yeah. Yeah. Alright. Well, thanks everyone, and we will talk to you again next week. Thanks for listening. If you enjoyed this episode and you'd like to help support the podcast, please share it with others. Subscribe on your favorite podcast listening app or leave us a rating and review. To catch all the latest from the show, visit our website shared security dot net for all show notes and previous episodes. Follow us on Twitter at shared sec and join our Reddit community on the Shared Security Show subreddit.
Thanks again, and we'll see you next week for another episode of the Shared Security Show.