May 16, 2025 • 35 mins
Helpful episodes to listen to first

Episode 62, Even a Security Expert Can Get Phished (Troy Hunt, Part 1)

Episode 17, Eliminating Email Exhaustion - Part 2 - Unique Emails

Episode 42, Website and Email Filtering, Part 3: Email Friends

Questions we answer in this episode

Who is to blame for Troy getting phished?

How can you reliably tell who sent you an email?

How can you cut down your email spam?

What are two major flaws in our email system?

Episode summary

I don't blame Troy for getting phished. I blame the serious flaw in our archaic email system.

Anybody can send anyone an email and you have no idea who it's from. No wonder phishing is a problem.

You can't fix the system, but if you're willing to take action, you can greatly compensate for that flaw.

Call to action

Take one small step in strengthening your protections against phishing.

Maybe listen to episode 17 about unique email addresses.

Or episode 42 on how to add a friend system to your email inbox.

Get the FREE Bulletproof My Identity Starter Kit

Get help from Makani

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Super Simple Security Principles. I'm Nick Jackson and I wanna love computers.

(00:07):
They don't love me back. I'm learning how to stay safe online from my good buddy
and master guardian, Makani Mason. He wrote his first computer program at the age of six,
sealing his fate as a computer geek. That's it. He knows his stuff, folks.

(00:33):
Now he spends his time teaching people like me and you how to stay ahead of the digital threats
we face and those bad guys. He keeps it simple and we love it. Learn along with me each week.
I'll ask the questions and make sure he keeps it super relevant and super simple for us.

(00:58):
If I can do it, you can do it too. This is episode 63, Phishing Lessons from Troy Hunt's
Story. Here are the questions we'll be answering in today's episode. Who is to blame for Troy
getting phished? Troy. How can you reliably tell who sends you an email? Do you wanna know what

(01:24):
Nick Jackson does? You're ready for this? I look at the sender and hope they're telling me the
truth. I hope you say who you say you are. But if I can see they aren't, we'll get there. How

(01:45):
could you cut down your email spam? My answer, don't use email. Not a great way to go either
these days. It's not gonna help. What are two major flaws in our email system? No verification
of senders to be frank in my boat. That's my vote right there. There's no verification of who's

(02:07):
sending what. I'm not sure of the other possibilities so I'm excited to hear what the two major flaws
are in your opinion. Alright man, there's our questions. Who's to blame for Troy getting phished?
How can you reliably tell who's sending you an email? How can you cut down your spam?

(02:34):
That's gonna be a good one. And two major flaws. What do you think man?
I'm ready. Yeah, I do it. You're dancing. You're ready to go man. You're ready to go. Okay,
so where do we start off? Are we start off with who really is to blame or are you gonna

(02:55):
bring us back into this story again? Yeah, we're gonna do a little bit for those who didn't listen
or it's been a week, whatever. Yeah. Because today is part two, continuation of last week.
So listening to that one episode of 62 would definitely be helpful.
And last week we talked about the whole story and looked at some kind of big picture lessons

(03:21):
from the story overall. And today we're just going to zoom in on one little piece of the attack.
Dive deep on that problem. Talk about two layers of protection that can help. Yes. Okay. Okay.
So as far as the story goes, we won't go over the whole thing again. I'm just going to recap

(03:41):
a small piece of it that kind of brings us to the point where we want to zoom in. Okay.
Right. So Troy Hunt, security expert, he was traveling, super tired, jet lagged, checked his
email, got a phishing email pretending to be from a company that he has an account with
called MailChimp that he uses to send out his email newsletter. And yeah, that's all we need

(04:09):
the story. That's where the problem starts, because it's at this point that he looks at
that email, does not recognize that that email is from MailChimp. Right. Right. Right. Okay.
And this is where the chain of badness starts, but here's here. Yeah. Well, you know, cause

(04:34):
you might have to, you might have to coin that phrase right there. The chain of badness.
Yeah. Wow. I know my weird made up words and phrases sometimes.
Point at where Troy began to get screwed is how I would look at that. That's a point of.

(04:57):
Right. Well, and this goes into our first question, right? Who's to blame? And I know
you said Troy, and I don't know how tongue in cheek that was, but from my perspective,
I mean, that's definitely going to be a common answer. I think there's going to be a lot of
people who blame Troy. He should have looked closer. He should have seen who the email was

(05:19):
from. And from a certain perspective, I think Troy would be the first to agree with you to a certain
degree. Right. But it was, it still is my answer. Yeah. Well, it's a valid answer. Okay. But it's
not my answer. Really? No, because you're laying blame elsewhere. Yeah. Well, listen, so we talked

(05:45):
about this last in the last episode too. I don't really blame anyone. I blame the email system.
Okay. Okay. Okay. I see where you're going with this. That's what I mean. That's the thing. It's,
I mean, sure, he could have mitigated it, but really like it's a failing of the system. You
know, no human security expert or total computer newbie should have to worry about this problem.

(06:12):
That's why I feel like the blame is more on the system than on the individual. Right? Right.
Now, if he had, you know, if he had gone and he searched, you know, he was searching the dark web
or, you know, some bad part of it and got caught in a phishing website or whatever. Okay. I'd be
more like, okay, the blame is on him. Right. But he wasn't doing any of those things. He was just

(06:36):
trying to conduct legitimate business. So that's why I blame the system. And he legitimately got
scammed. Like, let's be honest. Yeah. He's a victim. The true blame is on the scammers.
Yeah, exactly. Yes. Right. If we want to blame a human, right. That's who we're going to blame,
the people who attacked him. That's a good point. Right. Yeah. Right. You know,

(06:58):
because I don't want anyone to feel like we're blaming you because you truly are a victim,
like what happened to Troy shouldn't happen to anyone, like you said earlier.
I only want to place blame on Troy because to me, our master guardian has kind of taught us

(07:19):
to spread flags to pay attention to. And that's really, really, really pay attention to
our password manager. Let that system that's built to protect us do some work for us.
And so, you know, luckily for me, if I ever have these issues, what I actually do,
and sorry, I'm probably derailing this whole episode for you. I apologize.

(07:44):
This is don't take your security device from Nick and Nick's about to spout off. Yikes.
What I usually do now, because of what you kind of taught me, is if there is ever any issues
logging in, where I first start is instead of trying to continue to log into that link,

(08:06):
I just immediately, like if 1Password does not recognize that link, I go directly to my
1Password account. I go into the website that I've put in there and I click on it there.
And that's where I go to log in because I trust that link because that's the initial link that I
set up. And so, I trust that link. So, I click on that link there that's in my 1Password.

(08:32):
I log in there and I check my account from there. That's how I now handle things thanks to you.
You know, now whether that was what you intended or not,
I trust my initial link of me setting up my username and password.

(08:55):
Yeah, no, I wasn't even going down that route, but that is definitely,
like that's great. I think that's a perfectly sound practice. Fantastic approach.
Okay, perfect. Yeah. No complaints. I mean, if there's a totally different place where
you have to use it, it might not get you to where you need to be potentially, right?

(09:16):
Right. That's true. But in a lot of cases, it will. And it's certainly a good place to start.
And then, you know, yeah, that's a great approach. I love it.
So, you know, going back to the blame thing, you know, I agree with you, right? Like we're

(09:39):
teaching things. We want to take accountability. So, it's just blame is kind of a harsh negative
thing. Obviously, we want to do as much as we can to improve and recognize those red flags. And so,
obviously, personal accountability is a great, great thing as well, you know?
Right. Because we got to work within the system we've got.

(09:59):
Exactly. But, you know, so part of it's just kind of a, you know, how we think about it, but also
when you focus on the system versus the person, it leads you to two different kinds of sets of
solutions, right? Right. And so, there's definitely some different solutions that,

(10:22):
you know, if you're kind of more focusing on the human element versus the system element. And I
think both are worthwhile focusing on. We've talked about some. But today, and we'll get to this in a
minute, you know, kind of some, I mean, obviously, as a human, you're going to be the one implementing
these things, but they're kind of system-centric solutions, right? Right. And anyway, we can get

(10:51):
that in a minute. Because, for example, well, I'll just expound slightly more right now.
If we're going to focus on the human ones, maybe we would talk about how you shouldn't check your
email when you're tired, right? Okay. Yeah. Right. Now, that, in theory, is not a bad idea.
Maybe hard to do, right? So, that's tricky. But if we're trying to compensate for the system,

(11:15):
that's going to look a little bit differently, and we'll get into that. Right. Right. So, but
what I want before we actually get into the solutions is to dive a little bit more into
these flaws that I'm talking about with the email system. Yeah. And see how those flaws are showing
up in Troy's story. Right. Well, I mean, isn't that the true nature is understanding the weak

(11:42):
points of the system, you know, so we know where to kind of safeguard? So, where are the flaws in
the email system? Yeah. So, if you read Troy's story online, he includes a screenshot of what
the email looked like in the inbox on his phone. He was checking from his phone. Okay. And in there,

(12:03):
it shows an email coming from MailChimp Account Services, which is, you know, exactly what he
expected it to be. But here's the thing. That name means absolutely nothing. It has absolutely
zero verification. Anybody can set that name to anything they want, and no part of the email system

(12:26):
anywhere will complain in the slightest. Okay. I can set my name as Santa Claus, Batman, Joe Rogan,
whatever I want. Okay. And that name, this name without verification, is the name that many email
apps, especially on the phone, choose to show to you. Right. Okay. Right. Now, I understand why,

(12:53):
because the intended purpose for that name is to be the obvious human readable name of the person
that's sending you an email idea. Yeah. But because of the total lack of verification,
it's still a terrible security idea. But the alternative is, okay, we have two pieces of

(13:16):
information about who's sending you an email. We have that name. Right. And then we actually
have the email address. Right. So, let's say we show, you know, the email address instead of just
this name, because there is some decent verification of the email address these days.
There didn't used to be, but there is these days. Okay. Okay. This is a big problem too, unfortunately.

(13:41):
It doesn't really solve the problem either, and here's why.
Well, there's a lot of reasons, but I'm going to give you a couple examples.
But one of the big reasons is because email is often sent by a third party.
Okay. Right. Right. Right. I'm sure, right, you've experienced this. Everybody's experienced this,

(14:05):
but I'm going to give you a couple examples that, like, literally this morning, as I was,
you know, reviewing my notes and stuff, I received two of these, like, perfect emails.
So, I received an email from a doctor, and this name, the name that has no verification,
was, of course, set to the name of the doctor, as expected, but the email address was

(14:27):
noreply, which is common, at patientengagepro.com. Right. Was it a legit email?
100% legitimate. Right. The doctor, because the doctor pays that service to remind patients about
their appointments. Right. So, that's a, it's just a service that lots of doctors use. I'm sure,

(14:49):
I don't know how many, but, you know, because there's lots of other ones, but they pay them
to, you know, send out patient reminder emails. So, it was 100% legitimate, but you certainly
can't tell that from the email address. That could have been a million different things that,
you know, just had the word patient in it or whatever. Right. Uh-huh. Uh-huh. And then my

(15:12):
other example is an email from my bank. Right. And I picked these two because these are pretty
important ones, right? Your doctor, your bank. Right. And, again, this name that can be easily
spoofed was the name of my bank, but the address was noreply, again, at qemailserver.com.

(15:35):
How does that one strike you? Okay. Look, man, you know that I try not to get lost on too many
tangents. You've just piqued my interest a whole lot. Do we have two seconds to completely deviate?

(15:56):
100%. I'm pulling up my email now. Yeah. Which I don't often do. Oh, geez. I haven't checked my
email in a long time. Okay. Let's do this. Let's figure out this whole thing that you're talking
about. Holy crap. So I've got one that I know really, really, really well. Okay. Yeah. I'll

(16:51):
leave that one out. You know the sender. I get emails from her weekly. Okay. Yeah.
And I'm looking at her email entitled Chapter 65. Oh, yeah. You know, and I'm looking at

(17:13):
the two and the inbox and everything about it, and I'm like, luckily, I've had enough emails from her
that I know and I trust this source, but, again, I'm like, this one could leave me guessing.
And my very next one is from my realtor. And, again, it's his name, which, like you said, could

(17:40):
be easily spoofed. Oh, my goodness. Okay. Here's the details here, Addy. I'm ready. From no reply,

(18:07):
yeah, Wilson at dwell RNG. Yeah. I guess my realtor,
that's, you know, not that I'm doing anything with my realtor right now. It's just a

(18:30):
generic email he sent me about some open house that he's doing, you know, but still,
somebody sent it that wasn't him from a third party. Right. Fascinating. Yep. Okay.
Yeah. Well, and, you know, so the qemailserver.com. Yeah. That one, at least to my,

(18:58):
you know, I mean, I know what it is, but, you know, I think for most people, that's going to
sound even more suspicious than the doctor one. Yeah. Yeah, it did. Right. And, you know,
in reality, the queue in that address stands for Qualtrics, which is a company that does surveys.
Oh, absolutely. Super familiar with them. Right. Yeah. I would say you see them a lot. And the

(19:23):
bank, you know, they were sending out a survey to me on behalf of the bank. So it was 100% legitimate,
but totally fake looking. And so anyway, there's no method. And you kind of talked about this in
our opening questions for reliably identifying who is sending an email, not built into the system.

(19:49):
Right. And closely related, like the second flaw from opening question,
and we something we covered at length in episode 17, a long time ago, is what I'll call a lack of
a friend system. Yeah. Meaning you don't have to make a like a friend request or be part of a group

(20:10):
or whatever before being allowed to send someone email. Right. Right. You got their email address,
you could get into their inbox. Yep. And so these two kind of feature, you know, both these features
are present in every other modern messaging system. So the way I'll sum up, you know,

(20:31):
if we're going to kind of put it together in one sentence, it's kind of like this. Anybody
can send anyone an email and you have no idea who it's from. Right. Okay. So that's the setup,
that's the problem that we're dealing with that I want to focus on today in terms of solutions.

(20:55):
Now, in our opening question, you know, you kind of made a joke about, you know, how can you cut
down email spam and this could be, you know, solution is just not using email. Right. Right.
And I know you were joking, but it's something I've thought a lot about, because I really think
that for a lot of people, that's the flaws in our email system have pushed, you know, people like

(21:17):
you and others to use it less to, you know, open up a bunch of email accounts to try to, you know,
make it so it's not so noisy with a new one. But then, you know, I mean, I don't like, I know
somebody close, I don't want to say it, but they have like five email accounts because they just
keep opening up new ones, hoping to try to solve the problem, you know, but then it hasn't really

(21:40):
solved the problem because they still have stuff tied to the old one. It's just a big mess. You
know, email can just end up being such a time sink. So, but, and the thing is not being able
to reliably check your email creates a different kind of security risk, because then, you know,

(22:02):
you have a problem with your password resets. If people are, you know, if any of your accounts are
sending you security warnings about legitimate things happening on your account, like with Troy
Hunt, he got a notification that his email list had been downloaded. Yeah. You know, and if he
wasn't checking his email, he wouldn't see that. And so there's a whole set of things that are

(22:24):
security problems in itself if you don't have a managing, you know, manageable email inbox.
And so, anyway, you can't really opt out of the system because there's just too much dependent
on it, unfortunately. And if you try, you end up creating not only security issues, but a lot of
convenience issues in other ways. So, anyway, I just wanted to, I know it's totally a joke, but I

(22:48):
wanted to comment on that because, yeah, well, exactly. I'm sure you've experienced that a lot.
And it's, oh, the convenience thing, like, yeah, like my method of making sure that I stay safe
with my email is time consuming, time consuming. You know, I wouldn't recommend it. But that said,

(23:16):
I read very, very few emails, very few, you know. I am not surprised by emails. Those that know me
well now know that if you're gonna send me an email, you'd better send me a text first.
Because nine times out of ten, unless you message me elsewhere,

(23:41):
I'm not getting it, like you said. It creates some hassles. And so,
again, it's me not trusting the system, you know, because of not having those security verifications,
right? Yeah, I know. And it's unfortunate. And, you know, I mean, obviously, one possible solution, too,

(24:03):
and I definitely am, I think it's a great one in some cases, is using alternate means, you know,
especially person to person that people you know, then, hey, great, you know, use other things,
because they're better in every way. So it's just that, you know, with accounts online and things,
you know, Google's not going to start sending you messages on Signal, you know? Right.

(24:25):
They're going to keep emailing you. Facebook and Amazon and all these other places,
they don't have any other communication system with you. And so that's the dilemma. But for
person to person, especially, yeah, I don't do much email anymore, person to person, honestly,
it's very, very minimal. I don't do much business. If it comes in business, it usually goes out.

(24:50):
Yeah, I deleted. Yeah. Yeah. Yeah. So anyway, so what I want to talk about, though, what, you know,
there's a couple things that we can do to at least, we can't, you know, immediately fix
the flaws in the email system. But there's a couple things that we can do to at least

(25:12):
compensate, help make up for it, right? Help player up, right? Like, that's what we're looking to do.
Yep. Okay. And the first is to add a sort of friend system for your email inbox.
Okay. And we talked about this already in episode 42. Okay. So and it was a whole episode. So I'm

(25:34):
not going to try to cover it here. I just I want to bring that back because, you know, at the time,
I really framed it as an experiment. You know, because I hadn't tested all the different ways
to implement that, right? Yeah. And I still haven't. So I'm going to need, you know, user
involvement, I'm going to do more. But, you know, I'm increasingly convinced that having a friend

(25:59):
system is one of the best options for defeating spam, defeating phishing, you know, just getting
control of your email box. And yes, obviously, it's some effort, right? But as we know, everybody
who has email knows that, you know, unless you just totally try to opt out of the system,
which creates its own problems, like we just talked about, but email is work. And so it's just

(26:23):
a question of what kind of work and what results you get out of that work, and that sort of thing.
And I think if we with enough, you know, finding the right tools tinkering with like, we can build
a system that will be like a good trade off, right? It's never going to be no work,
but one that is less work, and less exhausting. And, you know, good, you know, more eliminating

(26:47):
of the noise and just keeping, you know, the signal, so to speak, the good stuff that you want.
And that could be more time efficient in the end. Does that make sense?
Okay, yeah, yeah, yeah. I'm with you.
So, you know, you're going to be hearing a lot more for me about this, but it all starts with

(27:07):
episode 42. And we're going to be building on that. But that's the core concept. And it's,
it's basically just adding a friend system to the email system that it's missing,
just for yourself, right? Because you can't modify the system itself.
Yeah.
So the second one, again, is one we've talked about before. And that is to use a unique email

(27:33):
address in every website that you register with, right?
That's what I need to do a better job at. Yeah.
Yeah, just like you're doing with passwords, though, right?
Right.
I know you got that one down. Well, that's what that was more for our listeners,
because I know what your habits are now. But I want to make sure everybody's doing that,
of course. But, and this one we talked about in episode 17.

(27:58):
Okay.
So a long time ago now. But again, this is another one where you're going to be hearing a lot more
about this from me, because these two together are very complementary and really help against
spam and phishing.
Well, and I know it's at the core of the system you've been using for years.

(28:19):
Exactly. Yes. And that's right. I mean, I haven't really done the friend system
for me up to now. Just even this piece has been enough, because for one,
just massive spam elimination. And that was my original motivation. It wasn't even any kind of
security thing directly, right? Yeah.
But Troy refers to getting a gazillion emails, right?

(28:45):
Yeah.
Well, if you can eliminate a lot of that spam, that means there's a whole lot less chance
that one of those is going to land at the wrong time.
Yeah. Yeah.
Like we talked about in episode 17, I've been doing it since 2011, and my spam is like 10 a year.

(29:06):
Yeah.
And so, plus most of the time, in my experience with all the phishing ones I've gotten over the
years, and which is a lot more now that I've been doing this, because I've opened things up a little
bit and approaching it. I have new accounts and stuff, and I actually want to see more spam. So I
know what other people are seeing. But anyway, most of the time, using that unique email address

(29:33):
can actually pretty reliably tell you who is sending you the email, because they're the only
ones that have that email most of the time. Okay.
So unless they sell your email address to somebody, which happens, or if they have a data
breach, which happens, right? So it's not like perfect, but at the same time, it's definitely

(30:01):
worth doing. And actually, interestingly enough, if you read Troy's story closely, you'll see
he actually uses this strategy, and this phishing email went to his specific email for MailChimp.
So it wasn't enough to save him for that, but again, it's still worth doing. Gotcha. Okay.

(30:29):
Yeah. And I'll just also add, you know, FastMail is my email provider, and they make unique
email addresses really easy. Okay. But these days, since I did, you know, Episode 17, ProtonMail
also, you know, is a solid choice. It supports unique email addresses.

(30:52):
But both of them are paid services. So. Okay. I just think it's worth it.
Yeah. Yeah. So anyway, that's the, you know, we didn't have time to dive tons into both
those again today, but I wanted to refresh them and kind of tie them into this story
and set the stage for the future because we're going to be, you know, email and phishing,

(31:17):
they're just such a core part of everything. We're going to be coming back to these a lot.
Expanding. Yeah. Yeah. Awesome. So what's our call to action? Is it to do those things? Is it to,
you know, do you want us to incorporate using unique emails?

(31:38):
Well, so, right. It was kind of tricky, right? Because it's like, where do we go from this?
We've talked about this a lot. So here's what I settled on is we're going to leave this kind
of a more of a choose your adventure type of one. I want you just to take one small step in
strengthening your protection against phishing. I like it. Don't eat the whole elephant.

(32:01):
Just take one bite. Yeah. And, you know, that might mean, you know, maybe you haven't listened
episode 17 or you've forgotten what it's about. That's the one about unique emails. You maybe go
and listen to that first. Yeah. You know, or maybe you go back to listen to 40 episode 42 about
adding the friend system or, you know, if you have those or you just look at the show notes, maybe

(32:22):
you, you know, take a step from one of those. And of course, if all else fails, you're not sure where
to start, you know, come to the forum. We'll talk. I'll, I'll help you figure out, you know, the next
baby step to take. Awesome. Awesome. I like it. Those are easy. That's manageable. We keep it

(32:43):
simple here. That's right. I love it. I love it. Well, do I, do I get to tease them now?
Absolutely. Tell them about next week's episode. This is going to be a fun one, you know? So we
have shared Troy's story. Now, next week, guess whose story we get to hear from?

(33:09):
Our master guardian. Yeah. Yeah. Because we get to hear from you, buddy. Like I'm kind of pumped
for this. So this is going to be a fun one. Bring your snacks, tune in. We're, we're going to have
a story from our master guardian and his experience. Yeah. And I don't know if I told you, but

(33:30):
talked to my brother or other, you know, I don't know. We don't usually refer to him as master
guardian, but I consider him that same way. You know, he agreed to tell his story on the episode
after that too. So I know we get to hear from Kem. I'm pretty pumped. He is absolutely on our team.
Yeah. Yeah. And he, he, he's still a tech geek. Love you Kem, but

(33:57):
yeah, he, he, he doesn't have my particular skillset. He has been able to craft and hone
his to a whole nother level. Yeah. Yeah. He, he's been a lifelong, you know, software developer and
computer geek like me. So another prodigy, how would it be?

(34:21):
So yeah, anyway, come back with a, it could be fun. Love it. Are you ready to take action
and wondering where to start? Get my Bulletproof My Identity Starter Kit for free. The seven most
vital layers of protection everyone needs. I'll send you one step at a time and help you if you

(34:45):
get stuck. Just go to bulletproofmyid.com and enter your name and email and I will
send you the first step. Again, that's bulletproofmyid.com.