Most of what we do in the cybersecurity field is a direct result of a sinister underworld that most of us will never have full visibility into. This is a story of an individual who started, and led ShadowCrew, a major cybercrime syndicate within that underworld. After being identified and placed on the US Most Wanted List, he was ultimately captured, imprisioned, escaped prison, and captured again. He served his time, and now is considered a leading authority on internet crime, identity theft, and cybersecurity. He has been featured on Netflix, Hulu, New York times and many more. He has also worked with the FBI, Microsoft, Arkose and countless others. Co-host Matt Canham and I go inside the mind of reformed fraudster and notorious cybercriminal, Brett Johnson aka “The Original Internet Godfather”.
SYMLINKS
LinkedIn
Twitter
Wired Article (Archive)
ShadowCrew
AnglerPhish
The Brett Johnson Show
Interview with Lex Fridman
Port Charlotte Single Malt Scotch
DRINK INSTRUCTION
DECEPTICON
1 1/2 oz Gin
1/2 oz Mezcal
1/2 oz Maraschino Liqueur
3/4 oz Fresh Lemon Juice
Add all ingredients to a cocktail shaker with ice and shake for 15 seconds. Strain into a chilled martini glass, garnish with lemon twist and serve.
EPISODE SPONSOR
Center For Internet Security (CIS)
CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
Chris: Brett Johnson, aka The Original Internet Godfather is a reformed cybercriminal. He built and led shadow crew, the precursor to today’s dark net markets. After being placed on the United States most Wanted list, he was captured and convicted of 39 felonies, although promptly escaped prison once. Captured again.
Brett served his time, accepted responsibility, and found redemption through his loved ones and the help of the FBI. Today he’s considered a leading authority on internet crime, identity theft, and cyber security. He speaks and consults across the planet to help protect people and organizations from the type of person he used to be.
I also got my man Matt Canham riding shotgun with me on this one. So Brett, thanks for joining us at BarCode, man.
Brett: Hey, no, thank you for bringing me on. And might I say you used the word captured more than once!
Chris: Yes, yes I did.
Brett: Yeah. It was this horrible cycle of me being captured, then releasing myself and captured again and releasing myself.
So, I was, I was trapped in that cycle. That institutionalized cycle.
Chris: yes. Which you have since broken free of.
Brett: I have. I was very fortunate. I was given the opportunity through you know, my turnaround. I, and I talk about that on my show as well, but my turnaround. You can choose to, to change your life, but unless you have that support group and people that are willing to help you, probably not gonna happen.
You’re not gonna be very successful with that. I was very fortunate with my, my wife, my sister, and then finally the FBI. They gave me that initial opportunity to change things. I took it and I lead a blessed life that I really don’t deserve, but I’m damn grateful to have.
Chris: Well, that’s good to hear.
And, and I think for us to fully understand that story and, and your perspective on cybercrime today, you know, it’s important that we understand that origin of your story. Sure. Would it be possible to describe to us your, your personal path and evolution initially into cyber?
Brett: Sure. My path to cri my, my criminal life did not begin with those 39 felonies that you mentioned.
You know, I, I started crime when I was 10 years old. I’m from Eastern Kentucky, and I think it’s important to mention Eastern Kentucky because there’s a mindset in that area. You know, we are a people that, I think that’s the first time I’ve used we as referring to Eastern Kentucky. But we are a people that we find that we have to help ourselves a lot, and that, that you mix that in with the type of life that I had as a child, and it, it becomes Brett Johnson.
I began my life of crime when I was 10 years old. I’m from Hazard, Kentucky, so if you’ve seen those floods on CNN and things like that, that Epicenter is my hometown. So, from Hazard, Kentucky, that’s an area that if you’re not fortunate enough to have a job, you may, you know, be involved in a scam or hustle or fraud, whatever you wanna call it.
My mom was basically a, a captain of the entire fraud industry. This is a woman who at one point she steals a 108,000-pound Caterpillar, D nine bulldozering down the street. At another point she takes a fall, and a convenience store tries to sue the owner. We had a neighbor she acted as a pimp for that’s mom.
And, and you know, the thing is, is I tell these stories about my childhood and when I tell them, it feels to me like I’m minimizing things. You know, just telling those, those instances. But I need you guys to understand that, that the crime was throughout my childhood with every single person on that side of the family.
It was throughout that, and not only crime, but my mom was a person that was and she’s still alive, but she was very She had some mental issues. So, this is a woman who would sit, me and my sister Denise, down, and she would tell us that she had sold her soul to Satan, and she would play games with us.
We had to prove to her that we were worth, you know, you know, coming up in the family. So, we would think happy Jesus thoughts and we’d keep eye contact with her. And for hours we’d would just try to keep eye contact as she supposedly lets Satan out through her eyes. And we were supposed to think wholesome thoughts so that we wouldn’t be possessed.
So, this, this is my mom. My dad, my dad is still alive as well. He was, he was a good guy. He is a good guy. His problem was, is he had never, he had never been in a relationship like that. He loved my mom. He was scared of leaving her of her leaving him. So, he became the enabler. If she wanted to commit a crime, which she often did, he would co-sign off to it.
If she wanted to abuse someone, he wouldn’t step in the way of it. So, you mix both of those together and you get me, you know, I get the criminal mindset from my mom. I get that fear of being abandoned from my dad. And so, my first, first crime, I was 10 years old. My sister Denise was nine. My mom had left my dad, we had moved from Panama City, Florida back to Hazard, Kentucky.
And mom had been, you know, she would go out and party sometimes she’d take us with her, and we’d wait in the car. Sometimes we’d wait in the living room, and she went to the bedroom. Most of the time she just left us at home. So, my first crime, we’d been at home for a few days, no food in the house. I’m the kid that’d post up at the window looking outside to see if she was coming home.
Sometimes I’d walk out in the driveway to see if she was driving down the street. Denise was the kid who just got angry. So, we didn’t have any food in the house. Denise walks in one day and she’s got this pack of pork chops in her hand. And I’m like, where’d you get that? And she’s like, I stole it. And I was like, show me how you did that.
So, she takes me over and shows me how she’s stuffing food down her pants at a and p. And I’m like, Hell, that’s a good idea. Let’s do that. So, we start stealing food. Look across the way, and there’s a Kmart over there. And, well, Kmart’s got more than food. So, it becomes this perverted form of Maslow’s hierarchy of needs.
You know, books, games, jewelry, music, toys. Mom comes home, sees all the stolen loot, asks where it came from. I’m the kid that stands up, we found it. She’s like, no, you didn’t find that Denise is the kid Doesn’t lie at all. She stands up, she’s half proud about it, half pissed off. We stole it. My mom looks at my sister.
Show me how you did that. And she joins us. She, not only does she join us, but she goes to get her mom to join us as well. And when I say join us, what I actually mean is my mom ran us as little shoplifters. We would be distractions, or we would get the stuff she wouldn’t be able to get as she would distract the security staff.
That’s where my, my life of crime began. And I’m adamant about saying that’s not why I commit crime as an adult. You know, when you become, when you’re gonna do what the circle of adults around you do. When I became an adult, I made that act of choice to victimize people. That was my decision to do that.
I didn’t have to do that. I chose to do that. My sister had the exact same upbringing that I did, and she go, she doesn’t commit crime anymore. Past that shoplifting stuff, she goes off to be a parent, a teacher, just a very good citizen. I’m the guy that kept on. And I got more and more involved in those types of scams that not only my mother, but every, and I mean every single person on that side of the family committed.
I grew up knowing how to do document forgery, charity fraud, insurance fraud. So, breaking and entering faking accidents, burning homes for cash, faking stolen cars illegally, strip mining, coal trafficking, drugs. I mean, you name it. I grew up knowing how to do that until I finally branched off on my own in the mid to late nineties, faked a car accident to get the money to get married.
Moved to from Hazard Kentucky to, to Lexington, Kentucky to go to uk. Again, I get the worst parts from my mom and my dad. My mom, that criminal mindset, my dad, that fear of the people that I love leaving. So, my wife, cuz I’ve never, even today I have trouble showing love in a healthy way. So, my first wife, I told her, I was like, hey, you don’t worry about working.
I got it. Nah, don’t worry about the cooking and cleaning. I got that too. So, a bit of a control freak as well. So here I am, 60 hour a week. 18-hour class load, all the cooking and all the cleaning. Something had to give. What gave was the job. You’ll excuse my 80-pound chihuahua in the background there, but what gave was the job.
And what I had to do was you know, you had to eat at the end of the day. Didn’t know how I was doing these little scams around Lexington, Kentucky until I finally found eBay. And I liked eBay. I did. I didn’t know how to make money on eBay. And fortunately, Bill O’Reilly before he got involved in all that sex bullshit on, on Fox News and left the job, Bill O’Reilly, he used to host Inside Edition.
So, they were having a show one night on Beanie Babies. The one they were profiling was peanut, the Royal Blue Elephant. I was watching that it was going for $1,500 on eBay. I’m sitting there need to find me a peanut skip class. The next day, go around to all the shops looking for peanut take, cuz I’m naive.
Takes me about three hours to figure out. Well, he’s not in the shops. He’s on eBay for $1,500, but they have these little gray Beanie baby elephants for $8. So, buy a gray beanie, baby Elephant for $8. Stop by Kroger on the way home. Pick up a pack of blue, rip, die. Go home. Try to dye the little guy. Didn’t do very well in home economics.
Turns out they’re made out of polyester. You get ’em out of the die bath. Looks like they’ve got the mange. But I ripped a lady off of $1,500. I found a picture of a real one online. I posted it. She thought I had the real thing. She wins the bid. As soon as she wins the bid, social engineering kicks in. I send her a message because I want her on the defensive, not me.
And my message was basically, Hey lady, congratulations. You win. By the way, we’ve never done any business before. I don’t even know if I can trust you. What I need you to do is go down to the US Postal Service, get a couple of money orders, totaling $1,500. Send those to me. They’re issued by the United States government.
They protect you. They protect me. I get those. I’ll send you your creature. She believed that she sends me the money orders. I sent her this animal in the mail, immediately got a phone call. This is not what I ordered. My response lady, you ordered a blue elephant. I sent you a blue-ish elephant. And that, believe it or not, that story right there is kind of a microcosm of most scams online.
It, it absolutely teaches the first lesson of cybercrime. And that lesson is if you delay a victim long enough, you just keep putting them off. A lot of them get so exasperated, they throw their hands in the air, they walk away, and you don’t hear from ’em again. And none of. Complain to law enforcement.
That’s the first lesson that most criminals learn online. The way it’s a microcosm, if you think about the way scams work is you’ve got a potential victim there that wants something. Me, as a scammer, I want them to not act rationally or logically. I want them to react emotionally. They have a need or want a desire.
I’m playing into that. So, I manipulate that to get them to give me, usually it’s cash, but it can also be information access or data. So that’s, that’s typically ways scams work is like that. It’s important for me to establish trust with that victim. I establish trust with the picture, with the format of eBay itself because people were trusting trustful of the website.
So, the trust was established and then social engineering kicks in that I manipulate the victim doing that. That’s the first online crime that I committed. And I didn’t understand that microcosm bit back then. But I got away with that crime. I did it under my own name, very unsophisticated. Kept going, got to where I was selling pirated software.
Pirated software led into mod chips, into gaming systems, then cable systems so you could turn on all the pay per view. Then finally, programming satellite DSS cards. Those 18 x RCAs satellite systems, you take the cart out of it, program it, turn on all the channels. Started doing that at almost the exact same time that a Canadian judge ruled that it was legal for Canadian citizens to pirate those satellite signals.
And he actually said in court, he was like, hey, since Rsca doesn’t sell the systems up here, my citizens can pirate the signal. So, what happens is, I mean, idiot, complete idiot. So, what happens is, is overnight the United States sets up a little industry. You, you go down to Best Buy, you buy the system for a hundred dollars, take it out in the parking lot, open it up, pull the system out, pull the card out, throw the system away, program the card, ship it to Canada, $500 a pop.
Started doing that, making a lot of money, had so many orders, could not fill them all and quickly. And when I say quickly, I mean quickly. Thought to myself, why do I need to fill any of the orders? They’re in Canada, I’m down here. Who are they gonna complain to? So, started to steal more money, got worried about how much was coming in, thought I was gonna be looked at for money laundering.
Figured the best thing that I could do is get a fake driver’s license. Use that to open a bank account, launder the money through. Pull out the funds at the atm. Had no idea where to get a fake id. So started to look around, got online thought I found a guy, sent him $200, sent him my picture, dude rips me off.
And I got pissed and I got so pissed that the result ultimately was shadow crew.com. So, if you think about. online crime. There are, there are three necessities to successful online crime. You have to gather data. That’s the pii, that’s credentials, that’s whatever tools that are used to then go to the next necessity, commit the crime, and then finally cash out.
Usually cash in pocket, but it can be information, accessor data as well. For those to work, you have to realize that, that a single criminal can’t do all three things. He has to rely on other people who are good in areas where he is not so. Online crime to a degree, is organized. It’s never a single attacker.
The problem back then was if you were looking to engage in online crime, the only way you had to network together was an IRC session, this internet relay chat, this rolling chat board where you had no idea who you were talking to, if you could trust that individual, if they had a product or service, if they had it, if it worked, or if they were trying to rip you off because everyone there was a criminal shadow crew solved that the shadow crew gave a trust mechanism.
That a criminal could use. Now you had a, now you had that large communication channel, that forum type structure where individuals from different time zones could reference conversations, days, weeks, months old. Take part in those conversations, learn from those conversations. You knew by looking at someone’s screen name, what the skill level of that person was.
If you could network or learn with that person, you had vouching systems in place, review systems in place, escrow systems in place, all with the singular purpose of establishing trust with one criminal and another when they would never meet, not know each other’s identity. Not know what each other looked like.
That was I, that was primarily to my, to my thinking. Now that’s what primarily shadow crew did. Now, it was also an eBay. People refer to it as an eBay of criminal goods. It was absolutely that too. It was a precursor of today’s dark net and dark net markets. The shadow crew goes on to make the front cover of Forbes August 2004.
Headline. Who’s Stealing Your Identity? October 26th, 2004. The United States Secret Service arrests, 33 people. Six countries, six hours. I’m the only guy publicly mentioned as getting away. They pick me up four months later and they give me a job and I’m the idiot. That continues to break the law from inside Secret Service offices for the next 10 months until they find out about it.
At which point I take off on a cross country crime spree, still $600,000 in the space of four months, wind up on the United States most wanted list, go to Disney World, get arrested, sent to prison, escape from prison, get arrested again, and finally serve out my time. So that’s Brett Johnson’s short version of the bio
Yeah. It’s, it’s a wild ride, man.
Chris: Yeah, I’ve heard that story. And yeah, I, I know that what you just explained to us and, and thank you by the way is, is definitely. Condensed version.
Brett: It is, I think people don’t, you know, if no one’s ever heard that before, it is a very condensed version. It gets a lot more detailed than that.
For example, I mean the, the cybercrime stories that are still coming out today, a lot of them involve the associates that I had on shadow crew. I mean, that’s where most people, most of these upper tier cyber criminals that you hear about today from it being Omar, Dani the Eugene Lichtenstein story, the Bet Phoenix Hack from 2016, that involves part of shadow crew as well.
And so, you get all these stories that are still coming out today that relate back to shadow crew. Shadow crew was the genesis of modern cybercrime as we know it.
Matt: You know, I wanna ask you about that, Brett. Are you in some way, shape, or form sort of keeping a finger on the pulse of where the dark web is now?
Brett: I am, I’m Chief Criminal Officer with AR Coast Labs. I also work with law enforcement agencies, do data threat data analysis with other companies as well. One of the things that’s really interesting is that definition of the dark web has evolved over the years. You know, certainly shadow crew, the, the three main sites that are the genesis of modern cybercrime or counterfeit library shadow crew, and then Carter Planet that laid the basis for what later became the dark web, that tour browser area where you had, you had to have the tour browser in order to access it.
What you see over the years, though, is that, that definition of the dark web has evolved. The problem is, is this thing called friction. You know, the good guys know what friction is. It’s that customer experience, the rougher. You make it on a customer. That’s called friction. Well, friction also exists on the criminal side of things.
The tor browser is somewhat difficult to use. If you don’t know how to use it, it’s problematic. You, you can get caught pretty easily. You have to know exactly where you’re going to, things like that. Because of that, we see other channels that have popped up and law enforcements got pretty good about shutting down dark web marketplaces and sites.
So, over the years we’ve seen, you know, these smaller and smaller encrypted channels pop up, discord, wicker, telegram, things like that. Telegram is really the wild west right now of criminal activity. And telegrams very, very good. It’s got a very low degree of friction. It’s an app you can download on your phone.
It’s all encrypted. The person who owns, it’s a Russian who does not answer to United States court systems at all because of that. You see a lot of the newbie type criminals, the unsophisticated people, they flock to Telegram. And if you, if you visited Telegram, some of those criminal channels, they are, to put it mildly, they are off the chain.
They, they are wild about some of the stuff they discuss and do. So, you see that that’s going on and, and that definition of the dark web is changed. Not only that, but you, when we were criminals back in the early to mid-two thousand, even though the late two thousands, those people, whether it be Albert Gonzalez or Jonathan James, or myself or anybody, or, or any of these, Omar Dani.
Those people had to really understand every single dynamic of online crime. You had to understand the security systems of the site that you were hitting. You had to understand the security systems of any type of fake ID that you were creating or how Sox five proxies worked or any number of things like that.
You had to understand every single thing across the board. These days, cybercrime is a service. Absolutely, it is. It’s no longer the, the criminal that it’s the, that’s the sophisticated part of crime. It’s the platform itself that provides that sophistication and the individual is more or less plug and play.
You don’t have to know anything at all. To go in and be successful at cybercrime, it’s done for you. The products and services are off the shelf. You’ve got tutorials that you can purchase for a low price of five or $10, or you can take live instruction classes that run anywhere from $300 up to $3,000.
You’ve got that, those types of things. And you don’t even have to take the class. You can just go into the channel and start asking questions. And typically, someone will help you out and guide you through how to commit some sort of crime. If you take refunding fraud, for example. If you wanna be successful at that, you just pay someone 10% of whatever the order total is, and the crime is done for you.
So that’s the way that things have evolved over the years, and that’s one of the reasons that you see that these numbers have exploded with cyber criminals. You, you think about a shadow crew in 2000, five, 2004, Shadow Crew gets shut down. In 2004, we ended with 4,000 members. 2017 Alpha Bay gets shut down.
It ends with 240,000 members. 2019, just a dark web marketplace. Black market.dot onion gets shut down, 1.15 million members, and now all that’s pre pandemic. Now you’ve. Single channels that are millions of members large. And it’s going to continue to explode because that, that platform of cybercrime continues to refine itself and become more user friendly for those unsophisticated criminals that are out there.
And that’s the 98, 99 percentile.
Chris: You also had like Silk Road in there too, right? Silk Road, Silk Road two.
Brett: So, Silk Road, and I’ve, I know the guy who ran who ran Silk Road two, but Silk Road run one Ross Ulrich. That’s, that’s the first successful dark web marketplace. And that’s also why Bitcoin became popular.
That was the only, that was the only form of payment Ross Ulrich accepted was Bitcoin. And that that forced a use, a use case for cryptocurrency. And it’s still a valid use case. You go to any dark web marketplace and it’s typically not Bitcoin anymore. It’s Monero. But what happens is the user criminal, they, they, they exchange goods and services using Monero and then they convert it to what?
To Bitcoin, because that is the granddaddy of all cryptocurrencies.
Matt: I’m curious what, what you think or how you might think blockchain and smart contracts may change all of that.
Brett: I have this joke where I say, you know, blockchain is outstanding technology. If they can figure out something to do with it other than laundering money, and that’s a joke because we’ve already seen that there are other use cases for blockchain.
You know, Microsoft uses it to make sure that pharmaceutical drugs aren’t intercepted and replaced with counterfeit drugs. There are several different use cases for blockchain. I li I like the idea of that, for example, with NFTs. I hate the NFT markets that are out there right now. This, this idea of selling JPEGs for tens of thousands of dollars, that’s just stupid
I mean, it’s, it, let’s put it this way. It’s not stupid if you’re laundering money, which I’m sure there’s a whole lot of that that’s going on. All right. If you’re a legitimate user thinking that that little jpeg is worth a few thousand dollars, you’re an idiot. Okay.
Matt: You don’t even have to die ’em like you did the Beanie Baby.
Brett: I know, right? I, I’m, I’m sitting there, you know, I’m sitting there watching this stuff and I’m like, Man, if I were still a criminal, I would be all right. Because there’s no regulation. It’s like, okay, it’s a, it’s a field day out there, but you know, the technology that’s behind that is good. It’s good.
If you could, if you could figure out a way to put identity to attach that to nft, that’s a powerful security product. It’s the same thing with blockchain. If you can figure out how to do identity or transactions more than just with a crypto token, you’re, you’re going to be all right. It’s just, we must get to that point.
We’ve got to get past that point of, you know, taking our financial advice from Reddit, and going that way. We have to embrace this technology and figure out ways to innovate on it. And once we do that, and it’s gonna come, I don’t have any doubt about that. It will come. But once we get there, I think things will be much better for us overall.
I, I am very hopeful for this Web 3.0. I don’t, it may be, it may be, you know, too much optimism, but I’m still very hopeful at the end of the day.
Matt: So that’s something I’m really, really curious about that I, I’ve been dying to just ask you is I, I’ve listened to some prior interviews with you, Brett, and it seems like trust is something that is a central theme that runs through everything that you talk about.
And I’m really curious what your perspectives are on trust between criminals and I’m curious how you think that relates to sort of society as a whole and what we could learn from that to maybe make society better.
Brett: Sure. I’m a game theory guide too. This, this idea of strategic decision making, right?
But if you think about it, and I used to say this back when I was on shadow crew, as the admin and the person who ran Shadow Curtain, I said that a vendor will continue to provide a product or service as long as it is in his best interest to do so. Now, what does that mean? That means as long as he’s got it and he’s making money, he’s gonna continue to sell that product or service.
Unless law enforcement arrests him, unless he feels paranoid or unless the products go belly up, he can no longer get a steady stream of good products. And at that point, he’s just looking to cash out. He’s looking to do the best he possibly can. So, you need to build an environment where that remains possible for that vendor.
You know, that, that envy, and we have that in, in cyber these days, you have a threat landscape that is, you know, 90% of every attack uses known exploits. 41% of all routers have the default password. 92% of every single breach involves a phishing attack. You know, we have that threat landscape that provides that type of environment for vendors trust.
Is really what that boils down to. So, criminals have to be able to trust each other. You don’t want to be involved or doing your business with a law enforcement official because you won’t be a free man for long. You wanna make, be able to trust the person that you’re having cash out for you. And that becomes a huge issue because you’re, you’re, you’re dealing with someone that typically you can’t trace them.
So, and on a lot of times, you know, I, I said before that criminals can’t do all three necessities, gather data, commit crime, cash out. And one of the reasons why is because that criminal is in a geographic area where they cannot cash out. Typically, Russia, Ukraine, something like that. So, they have to rely on money mules.
You have to be able to trust that money mule. And that becomes a big issue because you’re basically giving someone free cash. And if you go back to that idea of what I was saying, you’ll provide that product or service as long as it’s in your best interest to do so. So that Money Mule, for example, has to know that you’re going to continue.
To supply them this money. If they think it’s a one-time shot, they’re gonna keep everything. But if you continue with that, if you, if you provide that environment where you have that trust in there, it works out just fine. Now that’s just on a very cursory level. If you think about trust, online, trust is established online through technology tools, and then finally, social engineering.
Talking about, just on the criminal side, technology, we, we trust the technology which is given to us. That hardware, our laptop or cell phone or desktop computer, we don’t understand it, but we trust it. That’s the problem with fake news that comes across the line. We see the news. We don’t verify the news; we just believe it.
What we don’t understand is that criminals use a variety of tools to manipulate that technology, so they’ll use a spoof phone call, so you don’t see the phone number they’re calling from. You see the phone number, the irs, the FBI. Who have you, they use SOX five proxies so that they may be in a foreign country, but can make it appear that they’re in Florida, New York, someplace like that.
So, the tools and the technology tend to lay a base level of trust, and then the criminal comes in and we see how good of a social engineer that person is in manipulating someone into information access, data, cash. So that’s, that’s how trust is established and understand that when I talk about technology, it’s more than just hardware.
It’s also the software, it’s the websites we go to. We trust those websites to vet the other customers that are, or that are in that same environment with us. What we’d, and if you take a dating site, for example, what we don’t understand is that, you know, we, we sign up to a dating site. We’re trusting whatever the dating site provider is to, to vet the other members that are coming in.
What we’re not understanding is that criminals use tools, in this case, stolen identities to gain access to that. All right. So, it’s, it’s all about establishing trust. Criminals absolutely have to trust one another in order to engage and commit crime. If the trust wasn’t there, you would, you would fail ultimately.
And that’s one of the things that law enforcement’s been very good about working. I consult with law enforcement as well, but that idea of seeding paranoia in criminal environments, if you can get the criminal community where they don’t really know who they can trust and who they can’t, you see these things start to fall apart over time.
So that’s how it is on the criminal side, on the on with criminals. Trying to defraud victims, whether it be organizations or individuals, it’s important to try to, to try to understand what does it take for a criminal to establish trust with you, with a company, for example, does it, is it as simple as a spoofed phone call or do, is it as simple as login credentials or a browser fingerprint or a stolen cookie, or, you know, whatever token that is.
What does it take for me to establish trust with that organization so that I can come in and get information, access data or cash compared to, what does it take for me to establish trust with an individual? Typically, with an individual, it is a spoof phone call. It is some PII or a background check or something like that.
That’s one of the reasons one of the frauds that’s going on right now is. Medical data, so I can go on the dark web, I can buy someone’s medical data, and the, the actual scheme involves a doctor’s office, a laboratory, and a call center. So, I buy stolen medical data on the dark web, give that medical data to a call center.
I’ve already signed up a doctor and a lab, so the fraud is the call center calls, whoever is on the medical record, they’re pretending to be the doctor’s office and they start quoting back. So, they’ve spoofed a phone call so that the victim picks up it thinks she, she or he thinks it’s the doctor’s office.
On the other end of the line, the call center is pretending to be the doctor’s office and there, they start quoting back medical information. You know, we see Back in 2016 you had this medical service that was provided. You did have this, correct? Yes. Is there a problem with that? No. No problem with that.
Everything worked out just fine. But the doctor, looking back at your records, the doctor wants you to come in for a genetic cancer test. It doesn’t cost you anything at all. It takes five minutes. We’ll already set up the appointment for you at the lab. Just come in, no pain. Anything else like that? So, the victim is not out any money at all.
The lab, however, charges Medicare, and that’ll test cost 25 to $30,000. The doctor gets paid off, the lab gets paid off, the call center gets paid off. The actual person coming in doesn’t lose any money, but the Medicare system itself loses millions of dollars every single year to this type of scam. So, so think about how trust is established there.
Technology tools, social engineering. The person on the other end of the line trusts the phone number that’s coming in the phone number of the doctor’s office. So that lays a base level of trust. Once that phone is picked up, social engineering kicks in the call center is using more tools, in this case, the medical records, to convince that individual that they are legitimate to layer more trust.
Add into it that you’ve got a doctor’s office that’s signing off on the test and you’ve got an actual lab that’s performing the test and you’ve got trust established 100% across the board. The victim’s not out any money at all. They go in for a test, they don’t see any scam at all either, but you see people profiting on that.
So that’s, that’s one of the ways that trust operates in those types of environments. What I, what I say in my speeches and. trust plays a large part in, in most everything that I talk about, what does it take for me to gain trust in your specific environment? Understand that, and you’ll understand the problems of your environment, what you need to defend and protect against.
Typically, a criminal will, depending on the target. If I’m really interested in the target, I will anticipate you trying to verify so many layers deep as far as trust goes. So, you know, am I, am I gonna go out and am I, am I going to buy an aged domain or am I gonna buy a brand new domain? Do I, why am I trying to anticipate that you’ll try to see when the domain was registered?
I do that all the time, but most people don’t do that. So, I’ll, I’ll try to anticipate what the victim’s gonna look at and go that many layers deep as well. All right.
Matt: That’s wow. That is, that is. Mind blowing what you just said there. And I didn’t really go into a lot of my background, but I study social engineering.
I try to understand why people are susceptible to social engineering. And on a previous episode, we interviewed Arun Vishwanath, who also studies fishing, fishing victimization, if you’re familiar with him. Sure. And something that is central to his perspective is suspicion.
And something he’s found is that when a victim is suspicious that something might be a scam, then they will try to, you know, validate their suspicions. And what you just said is that as a criminal, you’re anticipating what that victim. Become suspicious of and to alleviate those suspicions ahead of time.
Absolutely. You talked about the medical history and also the woman that you sell, you sold the Beanie Baby to, you put the onus of trust on her from the get-go.
Brett: Yeah. I want the victim on the defensive. Right, right. But u understand. So, so, and, and, and you’re right. That paranoia, that, so a criminal, unless it’s your first day on the job, all right?
And you have people where it’s their first day on the job, but if it’s not your first day on the job, you’ve already dealt with this problem before many times. And over that, over that length of time, you’ve learned to anticipate that problem coming up. So, you’re gonna prepare for that right out of the gate.
All right. If you think about romance scams, and I’ve talked to a lot of victims of romance fraud. Those, those victims, typically they think it’s a scam out of the gate. This person, they’re only talking to me because they want money. They, they’re already thinking that now as a criminal, I know they’re thinking that, but we’re gonna play this game anyway.
So, what happens is, how do I as a criminal, get rid of that problem of the victim thinking that it’s potentially a scam. So, I know that most people, you know, we’re very good people we want to trust to begin with. I know that even though you’re thinking that it’s a scam, I’m gonna continue to build this rapport with you over time, cuz this is a long-term type of fraud.
So, over the next few weeks or a couple of months, I’m gonna continue to just talk with you, chit chat until it gets to the point of, hey, you know, I feel like we’re really connected. I never thought I’d, I’d meet someone online, blah, blah, blah, whatever that. Until I get that victim who’s wanting to meet, when that victim wants to meet, I’m gonna, that’s when the excuse comes up, because I don’t look anything like that profile picture.
So, I’m going to say, well, you know, I’d love to meet. I can’t, you know, I’m saving up all my money right now because my son needs this medical procedure. So, I’ve created the problem now, even though that victim is thinking that it’s an issue, that I’m trying to get money outta that victim, that victim, because this is the way we’re built.
That victim is gonna say something along the lines of, well, is there anything that I can do to help? So that opens the door. Now, a newbie criminal, one guy, the first day on the job, they’re gonna say, well, yeah, I could use some money. That’s the wrong damn thing to do. What you do as an experienced criminal is when that first offer comes up, you know, we don’t even know each other.
We’ve not met. I would never, I would never even ask you to do that. I appreciate the offer, but I can do this myself. So, I’ve denied that offer of assistance, which means to the victim who’s been thinking it’s all about money. Well, I’ve denied the money. So, it, it can’t be, it can’t be about money, can it? So, I’ve, all of a sudden, I’ve given that opportunity for the victim to latch on to the idea that, no, this is about companionship, friendship, romance.
This is real, and I’m gonna continue to feed into that because I know as a criminal that you’re going to offer that assistance. Again, I’m gonna keep talking about my son and the problem I have of paying that. I know you’re gonna offer that again. So that next offer, that’s when I come up and say, well, you know, I, I just, I don’t know.
What else to do? I really appreciate it. I’ll get you paid back; I promise I will. So, you take the money, you disappear for a couple days, come back and say the procedure was great. Son’s gonna be fine. Doctor says he only needs 10 more of these things. So once the victim starts to pay, you know the victim will continue to pay.
And the interesting thing about that is if you think about the way a scam works, you’ve got the scammer on one side, you’ve got the victim on the other, and the idea for the scammer is to get that victim over to your side of the of the fence. And fortunately, it’s not for the scammer, it’s not difficult to do that as a society.
We, and especially in cyber, we tend to blame the victim for the crimes that are perpetrated upon them. What we say is, we say, why would you click on that link? Why would you send money to someone you don’t even know? Who would believe a government institution would take gift cards? So, we blame the victim, which means, and this goes back into that Beanie Baby thing, which means that that victim is far less able or willing to reach out to law enforcement, to talk to friends, family members and associates.
That historic support group that they’ve had, they shut all of that down, which means the only person they end up talking to is that scammer. So, they, they kind of enter into this echo chamber all of a sudden. And what I’ve seen over and over is that victims, they keep giving that money. And finally, they, they almost adopt this philosophy of fatalism, you know, just a little bit more.
I know it’s gonna work out. It’s gotta work out. They can’t, it, it, I, I’m in for this much. A little bit more is not gonna hurt until finally the criminal takes every single thing that they’ve got. I, I, I talked to one victim. She ended up sending one point, I think it’s $1.1 million over to a romance fraudster.
She sends all, everything she’s got and actually borrows $200,000 from her father to send over. And finally, the guy takes everything from her, and he tells her, yes, I’ve scammed you, but you know, I, I think we’ve really developed a relationship and I would like to see you. And finally, you know, if she finally gets it, no, he’s a scammer.
So that on one end of the spectrum, there’s that on another end of the spectrum, I talked to the son of his mother just on social security. This this scammer had taken, she had lost her house because of it, everything else. He gets to the point where he gets power of attorney over doing some repairs to her house to the tune of $30,000, and he makes the mistake of wiring her the 30,000 in order to pay the contractors.
She promptly sends that 30,000 over to the scammers. So, it, it’s, it’s, it’s important to realize, you know, how scams work. It’s also important to realize, you know, you, you’re right. I’m, I don’t say I’m reformed. I say I’m reforming. I continued to, to try to become a better person every day, but it’s important to realize that criminals have absolutely no redeeming features.
You’re choosing every single day to victimize someone. You don’t care what kind of sad stories they’ve got. You’re not a Robin Hood, you’re not a Jesse James. That stuff never existed to begin with. You’re going out and you’re victimizing people so that you can profit by hurting others. So, it’s very important that we, that we realize that it’s also very important that we stop blaming the victims for the crimes that are perpetrated upon them.
The only person that’s responsible for crime is the criminal who commits it, and that’s an active choice on their side every single day.
Matt: Wow. And you know, one of the things particularly about romance scams that that astounds me to this day is how many of the victims are still sympathetic or in love with the criminals even after they found. That it’s a criminal that they’ve been interacting with. I’m really curious, you, you had touched on the difference between a criminal, the first day on their job versus somebody who’s experienced.
How, how is learning facilitated within criminal networks? Is there knowledge sharing and how does that work?
Brett: So there, there’s a lot. It’s open source, it really is. And we understood that back when we put shadow crew into place, that by educating everyone across the board, everyone becomes more knowledgeable, and everyone becomes more profitable at the end of the day.
And we still see that type of environment today. The problem today for the good guys is you’ve got sometimes hundreds of thousands or maybe even millions of members that are sharing and exchanging information across the board. And that real time human exchange of data and information almost always will beat the automated.
defenses on the other end of, on the good guy side of things. On the good guy’s side, the problem with, with collaborating and sharing information, and that was one of the first questions that I asked when I became this, you know, this legitimate person these days is why aren’t the good guys sharing information like the bad guys do?
Well, I didn’t understand things like privacy concerns, regulations, but I certainly understood this thing called competitive edges where one company certainly simply won’t share information because they’re practicing that good neighbor policy. You know, we’ll put security in place and hope they hit our competitors in the same vertical.
When you’re, when you’re doing that and when you’re, when you adopt that type of philosophy, what you’re doing is, is you’re making it easier for a criminal to come in and be successful. We have to get to the point somehow where we’re open source, and we share and exchange information. The criminals have done it and there’s, they show every single day how successful that type of open-source environment is.
So certainly, you know, for, for a new guy coming in, you’ve got that type of environment where you share and exchange information. Now, understand that a criminal that’s coming into that environment, while he’s getting this information daily, he could ask these questions and he can get this insight and everything else.
Just because you’re told something doesn’t mean you know how to do it. So, you’re following step by step how to do this specific type of crime, and more than likely, you’re going to be successful. You don’t really understand what you’re doing. It’s your new, it’s your first day on the job, all right? The more you keep at that, once you start making money and you see you’re successful with that, most people will start to innovate.
They’ll start to try new things, and that’s that learning process. That’s when you start to learn about operational security. You start to understand some of the security systems that you’re hitting, things like that. And the longer you go of that, you, you get that 10,000 hours of experience and you become that expert in that field.
But that first time that you’re coming in, you don’t really know anything at all. That doesn’t mean you’re not gonna be successful, but you don’t know anything. It’s the same process. You know, I talked about on my show, I’m talking about Ilia. Lichtenstein, the guy who tried to launder four and a half billion dollars of cryptocurrency from the bit fine theft.
What you see with that la the way he attempted that laundry. And you see that, you see that somebody’s came into that environment first day on the job and they’ve been told, this is how you launder crypto. And the way that they were told, hey, that is the way you do it. Absolutely it is. And you, it can be very successful if you know how to do it.
What Ilia did was is it looks like he was told how to do it, but because it’s his first day on the job, when he actually goes to try to do those things, he does almost everything wrong because he didn’t have any experience to back that up. So that’s the difference in a lot of these frauds between the first day on the job and the more experienced player.
Yeah, you can be told how to do it, but if you don’t really understand how to do it, if you’re not literally walked through step by step, you’re gonna fail a lot of the time. That’s,
Matt: That’s really interesting and. I gotta say that one of the most hilarious stories that I think I’ve ever heard you sit, tell it.
It’s like straight out of Breaking Bad. You’re talking about a closet full of backpacks full of money, and you have no more room for any more cash. And so, and this is probably from a lack of experience of having so much cash that you can’t do something with it. Yeah. There have been several people who have advocated for moving to a cashless society because as a way to combat or counter money laundering.
And I’m curious what your thoughts are on a cashless society, because I know that you’re also a privacy advocate. Do you think that a cashless society would actually make lo money laundering go away, or will it just channel it into a different medium? And, and I’m curious what your thoughts are.
Brett: I think it’s just a different medium.
We’re already see you know, I mentioned NFTs earlier. I mean, certainly you can launder money all day long with crypto. You can do, you know, you can do cross channels and everything else. So, launderings not going to go anywhere. And you are absolutely right. I used to not what I first, you know, I’ve been doing this consulting and speaking on the legal side of things for, I don’t know, six or seven years now.
And when I first started, I was not a privacy advocate at all. At all. I was like, yes, we need that information out there. The more information, the more secure people are gonna be at the end of the day. But recently, over the past couple of years, I’ve really come to the conclusion that our privacy, because especially the United States, people really don’t give a damn about their privacy.
They’ll give up anything for a free app, a token, what have you. It’s important to, to understand how valuable our data is and what can be done with our data. You know, we’re seeing government institutions right now in the United States. In the United States, that you’ve got, you’ve got law enforcement agencies that are buying cell phone location data of private citizens, not even suspects, just data of everyone.
There’s a problem with that. I don’t care what side of the political fence you’re on, because I gotta be honest with you, I wake up every morning, I watch CNN, I watch Fox News, so I can be pissed off at everyone. I’m, I’m an equal opportunity hater. All right. But you’re, you’re seeing now, and again, I don’t care what side of the political spectrum or where you stand on this issue, but you’re seeing people that are tracked, that are going from one state to another to maybe get an abortion.
And how are they being tracked because of their cell phone data. You see someone Facebook for example, they hand over text messages of this individual that went to a different state to have this procedure done. And it’s not just abortion because somebody out there is gonna say, Well, that’s fine.
They’re, they’re, Well, I’m, I’m against abortion. Well, okay, that’s, that’s your opinion, but wait until it comes to knock on your door. All right? Because it’s coming. It’s not just gonna be there. It’s gonna be everywhere. So, privacy matters and if, if people aren’t smart enough or they don’t give a damn about their own privacy, it’s important that we get inform.
And that’s one of the issues, informed, educated regulation that comes in and protects the citizens of this country. I mean, it’s, it’s, it’s absolutely insane what’s being done with our data online, who it’s been given to and what’s being, what it’s being used for. You know, I really like the idea of the privacy browsers that are out there.
It creates security issues. Absolutely. But I like I like the privacy browsers that are out there, the, the Cashless Society. What I like to say is, you know, it’s hard to exchange Bitcoin on a battlefield. You know, you’re gonna need that paper currency at some point. A lot of the United States and a lot of other countries, a lot of their economy operates on this kind of gray.
Society, you know, you’ve got Eastern Kentucky at one point. It’s, one of its driving economies was yard sales. You’re not going to have a cashless society where you’re trying to pull a yard sale just to have enough money to put food on the table. You know, the, the current administration wants to be able to track anybody that has $600 in their bank account.
I have issues with that. I do. I don’t think it’s, you know, I’m all for paying taxes. Not really, but I mean, we have to pay our taxes. But I don’t think that we need a government that is intrusive in those types of aspects of our lives. Most United States citizens, the vast 99%, are simply trying. They, they want to obey the law.
They want to do the right thing. I don’t know why we need this type of oversight in our society. And certainly the, the movement toward that cashless society is geared toward that to, in order to give that oversight to the powers that be. I, I’m, I’m hopeful the problem with crypto is, you know, it promises that, but we see the way crypto has been implemented thus far, that it doesn’t really work like that.
You know, the idea doesn’t match the in-practice involvement. Most crypto tokens are owned by a majority of, I mean by a, a few wells. And they control prices. They control what’s done with those tokens, things like that. So, it’s not really worked out the way the promise or the idea initially came out, but I’m still hopeful that we can get to that point.
Matt: What are your thoughts on using biometrics as authentication? Because if you steal my password, at least I can change that.
Brett: You know, I, I like the idea of biometrics, whether they be you know, the eye biometrics or the fingerprints or things like that, or whether they be behavioral biometrics or device biome.
I like biometrics. The problem with that, what happens when those biometrics are stolen? And we’ve seen that happen a couple of times. So, what happens when those are stolen? Because if you’re using physical biometrics, your fingerprint, your, your whatever they call the vision thing, if you’re using stuff like that, that’s not going to change.
So, it becomes an issue at that point. I, you know, the problem is, is that a lot of the times you’ve got a company that develops a security tool, in this case biometrics. You’ve got a company that develops that and then they never really consider the way that fraudsters can use that if they were to get access to that.
We need to be thoughtful of the way criminals will approach that type of product or service and then try to defend against it or design with that in mind. But as far as the security tool, I like it. I do, I, I think that you know, you, you, you talk about these tools. I think it’s important to understand that all of these things are tools and each tool in and of itself can be bypassed.
It’s important to have that multilayered approach to security, use a variety of tools, one layered on top of another, and that variety, that layered approach, provides the best possible security you can have. This idea of using, you know, you see these, you got 7,500 security companies out there, and a vast majority of them will tell you that, hey, the only thing you need is our product and service.
What I call that is cyber security, pillow talk. You know, that’s the same thing of, you know, I’ll love you and still respect you in the morning, you know, no, it’s a romance scam. That’s it. That’s it. If it, if you hear anything like that, it’s best to run from that vendor. It’s no one product or service is gonna solve all of your problems.
Chris: We talked about the tools, and we talked about. The, the awareness and the psychological factor of being aware of being scammed and, and we see security awareness programs within an organization. Can you put a percentage on the importance of like the tooling versus the mental education that users should be getting?
Is it more important for that psychological awareness or is it more important for the tool sets to help prevent that infiltration? Or do tools not even, are they not even relevant when you’re talking about scam?
Brett: No, I think they are relevant. Now, honestly, I think that the awareness comes first and foremost.
So, you think about it, this, this, this idea of situational awareness in the physical world. We’re really good about knowing when we go into a neighborhood that we shouldn’t be in, you know, we take that wrong term and it’s like, ooh. Or we’re in a store and someone’s there, you know, and we’re, we have that situational awareness online.
We’re not good about that. Online. We don’t really have that same type of situational awareness, and we need to get that. So, I think that education is first and foremost, but it has to be truthful. You know, we, we’ve got so many, the media a lot of these security companies, they talk about hackers. Every online crime is a hack.
You know, every attacker is this computer genius that no one can touch. That’s simply not true. It’s not. You have these computer guys that are out there that are able to get into systems, but the chances of you encountering one, probably not going to happen. Most attackers are just social engineers.
They’re using products and services that are off the shelf, and, and that’s the attacker that’s out there. Those are not specs. They’re not ghosts in the system. So, it’s important to be truthful about what’s going on. Same thing with privacy. It’s important to be truthful about things. You don’t have to, I don’t, I don’t believe in needlessly scaring someone in order to get them to do something or to buy a product or service.
I think that if you’re truthful about things and you explain it to someone rational that they, if it’s a good product or service, they’ll do that. If it’s a good thing to do for your security, that they’ll do that. Now that being said, you know, I, one of the things I talk about from, from a personal side that people need to do is put a credit freeze in place.
Credit freezes have been free since 2018. The percent of the United States population that has one right now is about 12%. You know, same thing with multifactor authentication. We’ve talked about that for years. And if you go to a website, a, a high adoption rate is about 12%. So, unless it’s forced on them.
So, the idea of tools. We have to, in the United States, a lot of merchants, retailers, financial institutions, they are scared to death of friction. They’re scared of forcing their customers to do something, whether it be multifactor change, passwords, things like that. We have to get to the point that if an individual is not willing to practice good cybersecurity hygiene, that we make them do that just to be more protective of everything across the board.
So, I think that. Awareness comes first. I think that tools absolutely play a part in that. Hopefully the person once, once their situ situational awareness gets high enough, they go in and they use that password manager, they put a credit freeze in place. They monitor accounts in place alerts. If you’re on the, if you’re on the business side, you’ve got an identity solution.
You’ve got all these other tools that are layered in there as well. Hopefully you’re doing that and you’re changing passwords. You’re not like Colonial Pipeline that has your password on paste bin somewhere and you’ve not changed it for three years. So. Right. You know, you’re you, you’re doing the things you need to do.
Yeah. That’s where I think that a lot of regulation needs to come in too. The problem with regulation is that typically, you know, I watched, I don’t know, you guys probably watched this stuff too, but the cryptocurrency hearings. Yeah. You know, you, you saw the, the senators and the, how the representatives there they were, they had these blank faces, and the aides were whispering there, in their ears and handing them papers, trying to explain, well, this is what they’re actually talking about.
And no one knew that’s a problem when those are the people who are coming up with the regulations. True. I, I talked to some financial institutions just a couple weeks ago. Cause now you’re seeing these hearings on Zelle and Elle Fraud and the banks, they’re having trouble figuring out how to protect users.
And now you’ve got regulation that’s gonna come in and make the banks do that. But that regulation is not informed. It’s certainly not educated and it’s probably gonna be way too much and not even the right thing. So, we need to, we need proper informed regulation and that’s a problem. With privacy, with security, everything else, it’s, it’s just I would say that I’m hopeful that we’ll get it ironed out, but we’ve not got it ironed out yet.
And that, that creates these issues. It creates a landscape that’s very beneficial for criminals. But to your question, awareness is first, tools are in a necessity, an absolute necessity, and then you go on down the line from there. Awesome.
Chris: We talked a bit about online scams. We talked a bit about cybercrime methodology.
Since this is BarCode, I need to modify my next question a little bit to relate to a bar type of situation and, all right. How easy is it to social engineer or scam someone within a bar environment or social gathering where you know the drinks are flowing? Maybe, you know, logical reasoning is masked slightly, I mean, I’m just putting myself in a, in a cyber criminals or a scammer’s perspective, and that would be almost like my number one go to if I need a quick hit versus having to go to the online route.
Sure. And I don’t see a, a real defense mechanism there that you could even put in place.
Brett: Well, there’s not. All right. There’s not, because you’re in a bar, you’re imbibing the, the spirits that are there. So, you’re, you’re, you’re already kind of, you know, you’re relaxed, you’re bullshitting around with your friends.
Chris: I mean, do you think that there’s more, more criminals and scammers within bars than most people know because of that Vulnerability.
Brett: I think it’s an, I think it’s an environment that’s conducive. I’m not sure that there’s more in there. What’s, what would be interesting to me? So, I’m in a, I’m in a bar. The idea from a scamming point of view is I don’t wanna stand out.
I want to be with everyone else that’s in that crowd. But there’s usually the longer the night goes on, there’s usually someone that gets loud. And when that person gets loud, that raises our situational awareness toward that loud person or that conflict that’s taking place. And that creates that opportunity for a scammer to come in, in that time.
So, everyone’s attention is, is put on that one, in that one instant right there. You’re concentrated on that, and that opens, that gives you a blindside as an attacker. You come in and that’s when you start to gain trust of that potential victim. You know, everyone’s watching that. And you start whoever, whoever the target is, as the, as the criminal.
You come in and you start engaging with him. Oh man, what do you think about that asshole over there? Yeah. I can’t stand that man. You know, he was in here last week and he pulled the same stuff. And you, that gives you that in all of a sudden and it starts to layer that trust. It’s all, at the end of the day, everything’s about trust.
If I’m looking to get something from you, you’re not going to give it to me unless there’s a degree of trust that’s there.
Chris: Yeah, Yeah, that makes complete sense.
Brett: So that environment, I mean, and that environment’s conducive for that.
Chris: Absolutely. Yeah. I was just thinking that it would just be, in my mind, it would just be faster to go that route than going the online.
Brett: It’s easy online because for some reason people trust an un, an online environment much more than they does a physical world environment. We come in trusting that environment. You know, we that’s, you know, you, you see somebody that’s selling PlayStation vibes and immediately if the price is, you know, not insane, you start to trust that they’ve actually got the PS five s.
So, we, we trust that online environment. It’s an unearned trust and that’s one of the things that’s, that’s really kind of important is to understand that trust should not be given, Trust is earned. So, and a lot of people don’t really respect the difference between that in an online environment. Also, from a criminal side online, I don’t have to look that victim in the face.
I can compartmentalize things and I don’t have to see the damages or the consequences of my action. I can simply say, Well, that’s just data. I’m just stealing money out of a bank account, and I don’t get to see the damage or have to see the damage of my actions, and it’s much easier to commit that type of crime.
Chris: Yeah, you don’t have to read body language or facial, you know, expression either. Like that can, that can all be behind the screen. So, , you’re in eastern Kentucky still, is that correct?
Brett: I’m in Birmingham, Alabama. No, I’m by, I’ve, I’ve less, I left Kentucky many years ago, but still in the South
Chris: Okay. So, yeah I’m curious to know, are there any, you know, really cool or unique bars near you there?
Brett: There are. I don’t, I don’t frequent bars, but there are some nice places. Chris Roberts, you know, he’s, he’s a big whiskey guy, bourbon guy, and. He had this, I think it’s Port Charlotte Bourbon or Whiskey, one of the two.
He had me try that a couple years ago, and honestly it was the best that I’ve ever had. And I liked it so much that I did not buy a bottle of it. So, I was like, no, I like it way too much. But yeah, I mean, I enjoy it, but at the same time, I don’t have a lot of time for it, most of the time.
Chris: No, understood.
All right, well I just heard last call here. Do you have time for one more? I do, absolutely. If you decided to open a cybersecurity bar, what would the name be and what would your signature drink be called?
Brett: Oh, what would the name be? It would pro, you know, I like this angler fish guy behind me. I do, I like him a lot.
So, it’d probably be something to do with Angler Fish or it could be, So I tell you what, how about the bar being called the Shadow Crew? Okay. And the signature drink being the angler fish, I love. So, let’s do that. I love that. Not very imaginative, but there you go.
Chris: Love it. And, and the bartenders could be like in this dimly lit bar, so they’re all shadows.
Brett: That’s right. That’s right. There’s the shadow. Everything’s in the shadows. I love it. I love it.
Chris: Thank you both for, for joining me. No, thank you. I appreciate you sharing a story. Before we go, can you let our listeners know where we can find you in your, your podcast online?
Brett: Absolutely. So, hey, you can find me on LinkedIn.
You can go to my website, www.anglerfish.com or I’ve got my own YouTube channel these days, the Brett Johnson show on YouTube. I talk about cybersecurity; I talk about anything I’m pissed off about at that point in time. And I talk about this journey I’m on of trying to become a better person than I used to be.
Chris: Love it, and I love the show. Everybody, check it out. Thanks again.
Brett: Thank you for having me on. I appreciate it. Take care.