In this episode of Security Visionaries, hosts Max Havey and Emily Wearmouth welcome renowned social engineering expert Jenny Radcliffe, "The People Hacker", for a deep dive into the world of physical and psychological hacking. Jenny recounts her unconventional career path and explores the role of physical infiltration in security. She also digs into how the rise of AI is changing the reconnaissance process and creating new vulnerabilities, her thoughts on the 2025 Louvre heist, and the simple value of keeping quiet. This is one not to miss!

Watch

Timestamps

00:01 – Intro
00:57 – What is a "people hacker"?
03:03 – What does physical infiltration look like?
05:37 – How Jenny became an expert at breaking into buildings.
10:36 – Why lock picking is not an important tool for her.
15:16 – Doing thorough reconnaissance and research before a job.
17:18 – How AI has changed the speed of a social engineer's research.
18:52 – The ability to social engineer AI systems.
22:26 – Changes in human psychology caused by dependence on AI.
27:31 – Jenny's success rate and her strategies for handling failure.
30:09 – Jenny's thoughts on the 2025 Louvre heist.
33:33 – An arrogant culture becomes a weakness.
37:58 – Asking the right questions as a social engineer.
42:04 – The value of keeping quiet.
43:30 – Conclusion

Listen

Timestamps

00:01 – Intro
00:51 – What is a "people hacker"?
02:57 – What does physical infiltration look like?
05:32 – How Jenny became an expert at breaking into buildings.
10:31 – Why lock picking is not an important tool for her.
15:10 – Doing thorough reconnaissance and research before a job.
17:13 – How AI has changed the speed of a social engineer's research.
18:47 – The ability to social engineer AI systems.
22:21 – Changes in human psychology caused by dependence on AI.
27:24 – Jenny's success rate and her strategies for handling failure.
30:03 – Jenny's thoughts on the 2025 Louvre heist.
33:28 – An arrogant culture becomes a weakness.
37:53 – Asking the right questions as a social engineer.
41:48 – The value of keeping quiet.
43:30 – Conclusion

Featured in this episode

Jenny Radcliffe
Social engineer and security expert

Jenny Radcliffe is a social engineer and security expert. She focuses on the human element, which is frequently exploited by those attempting to gain unauthorized access, both online and in the real world. Known as "The People Hacker", she can not only bypass the most stringent security, but also defuse a crisis and spot a lie in seconds.

Max Havey
Content Specialist, Netskope

Max Havey is a Content Specialist on Netskope's corporate communications team. He graduated from the University of Missouri School of Journalism with bachelor's and master's degrees in magazine journalism. Max has worked as a content writer for startups in the software and life insurance industries, and has edited ghostwritten content for multiple industries.

Emily Wearmouth
Director of International Communications and Content, Netskope

Emily Wearmouth is a technology communicator who helps engineers, specialists and technology organizations communicate more effectively. At Netskope, Emily runs the company's international communications and content program, working with teams across EMEA, LATAM and APJ. She spends her days unearthing stories and telling them in ways that help a broad audience better understand their technology options and the benefits they bring.

Episode transcript

0:00:01 Max Havey: Hello and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today I'm also joined by my co-host Emily Wearmouth because we are so excited about the guest we have today. So we both had to be on. Without further ado, today we're digging into the world of social engineering and how it's evolved with our guest Jenny Radcliffe, the people hacker. Jenny has a storied career as a con artist, a burglar for hire, and now an ethical social engineering expert. So Jenny, welcome to the show. We're so happy to have you.

                            0:00:37 Jenny Radcliffe: Oh, it's nice to be here. Thank you. Thanks for having me.

                            0:00:41 Emily Wearmouth: Jenny. We played rock, paper, scissors three times and it was a fight. So we're both here. You get both of us.

                            0:00:50 Jenny Radcliffe: That's great.

                            0:00:51 Max Havey: So I mean to kick things off, Jenny, can you take us through just broadly, what is a "people hacker" and how did you get here? Take us through what that looks like.

0:01:01 Jenny Radcliffe: Well, "people hacker," I stole that because I was interviewed by a journalist years ago and I was explaining what I did and I said, look, I'm not a technical hacker at all. I said, I use psychology and cognitive biases and the way people think and all sorts of things. I trained a lot of people in corporate training, in negotiation and influence and all those things. And I said, so I use that and I guess we don't use tech, we use people. She said, oh, that makes you a people hacker. Now what it does in security is it makes you a social engineer. And now I see people in the industry who are social engineers and they've got technical skills, which is brilliant. Show me someone who's good with people and good with the tech and you've got a CEO on the way if they want to be, which maybe these days they don't. But anyway, and so that's really what it is. And I guess I started out and still really am known for physical infiltrations because if you don't have the tech I used to get in, I say used to because I don't really do it as much anymore because I'm getting older and it's a very physical job. Infiltration is a very physical job. That's what people don't know, who don't do it. You are running around, you are hiding in place. But mostly we did reconnaissance, organized a lot of scripts and things to get us into buildings. And then once I was in buildings, I was hired to steal things or leave things behind or do something that meant that the technical people that we work with, so my technical hacker colleagues, would have an easier time getting through and that's really what it is. And then over the years it just became a handle and then I made it the title, I wrote a book and I made it the title of the book. So it's the brand now, I suppose if we were going to be really corporate about it, which I'm so not, but there we are.

                            0:02:57 Emily Wearmouth: So is this pretty standard that if you are the CEO, the CIO, CISO of a large organization, you will generally be finding someone to try and come in and infiltrate your organization? We know that that's done. Penetration testing is a really normal process in cyber, but in the physical world, is this normal or are they particular types of organizations that are bringing you in?

                            0:03:20 Jenny Radcliffe: I think a lot of the time it's part of a compliance exercise and they just think we need to cover all our bases these days particularly. And if I get an inquiry like that, we tend to say no, but actually physical infiltration is still as important as it ever was for certain types of businesses just because you're getting through those outer layers of security. And also it's not always the system that is necessarily the biggest threat, it's the people that are the threat. So we're often there to look for insider threats or just look for strange behavior or very often we're asked to do it when they've already been breached and it's not public and they're like, it takes them a minute usually the clients to tell me that that's what's happened. So I'll get a call completely out of the blue, we're prepared to pay you your fees for you and whatever team you find appropriate to try and breach this site and find this thing. And the next question for me is what happened? And it nearly was like, well now you're set. Now you are asking me. Actually we did have an incident and someone walked. I mean I had one where they were like, no, no, we just want to be really thorough and we want to make sure that we've covered everything. And I was like, so nobody broke into your facility then? Well no. I said no. And they're like, well, you said break in. I mean they didn't break in. I went, did they walk in? I'm like, kind of. So I'd say there are industries right now, the legal industry, legal professions and financial are by far our biggest clients and also the security industry, obviously I would not say who, but can you imagine if your whole product, your whole brand, your whole business is built on being secure and then someone breaks in. So it's like, I'll get Jen, please don't say anything, but can you please get past.

                            0:05:32 Max Havey: You're the expert for a reason. You know how to get in places where you're not supposed to get into.

                            0:05:37 Emily Wearmouth: Hold on, max, you've just thrown that one in. You have just said you are the, you know how to, and I know a lot of our listeners are going to know Jenny and they might know this story, but I think it's worth pausing for a moment and saying, Jenny, how on earth do you become the expert in breaking into buildings? How do you know this stuff?

                            0:05:55 Jenny Radcliffe: Well, I can't say it was something I really wanted to be. I mean, I would naturally not want to be so public as I have become. I think it wasn't a strategy for me. I became good at this because I'd done it for years. I mean since I was a kid and I've told the story lots of times, but everyone always asks. So before you do, basically grew up in Liverpool and I had a few incidents when I was a kid that was quite worrying. So my mum and dad both were away. They worked shifts and things and so you've got to understand because so much younger than me, but we really did just used to be told to come in when it got dark and not to speak to any strange people and stuff like that. And I had a neighbor lock me in the house and not let me out. I mean some of this is in the book, but there was that and that was pretty worrying and nothing really happened, but it was quite traumatic for everyone because clearly there was mal intent. And then I went to the shop to buy sweets, candy for the American audience, and I got cornered in at an alleyway by this gang of local bullies, all boys kids, but they were in the habit of beating people up. And I had a can of pop, of soda, and I shook up the can and exploded in the head bully's face and then I crunched the can in half until it made a blade and then hit him over the head over and over again with this. So there's blood and red soda coming down his face and ran away. And after that my mom and dad were a bit worried about me being out on my own just a bit. So they asked my cousins look after me and they basically were getting into buildings what you called urban exploration, and we ended up sort of turning that into a business. So it's one of the reasons I kind of know so much about it and I've done so many buildings and done so much of it is because I started when I was like nine and it was always a side hustle. 
So I had a decent career, a proper respectable career in corporate for a long time and eventually into consultancy. But what the corporate career did was it enabled me to travel all over the world and whenever I was traveling, I'd get a job as what we would now say would be a physical penetration tester in all sorts of places, Asia, all over Europe and sometimes the states, although I was very cautious in America, and in any country where security guards could be armed, because I tend to be on my own, I have to be careful, I'm still careful about that now. And it's not just abroad. There are places in the UK where people are heavily armed as well. But I ended up doing that on the side and when I went into consultancy and I was training people in things like I say advanced negotiation techniques, sort of reading non-verbal communications, linguistic kind of patterns in language and people got curious why and how do you have this skillset? And I'd say tell stories vaguely masking exactly what I did because no one knew what that was. I mean even now I have to explain it for quite at length what it is to a non-security audience. And in the end it became obvious to me that this was the thing that really I should do full time. It was paying well, people knew me, word of mouth that got out that we were good at this I suppose. And so I just dumped everything else in the end. Well not quite dumped everything else. I still do some sort of work on that with some organizations, but generally speaking that was how it happened.

                            0:09:57 Emily Wearmouth: It's officially the coolest side hustle we've ever had on the podcast.

                            0:10:03 Jenny Radcliffe: I feel like as the fries on the side, people are always think that people think it's cool until they fall off a roof. And it was like, I want to do that job. And I'm like, do you want to be chased by guard dogs? I was cable tied to a gate by security I mean do you want that because you really think you do, maybe you don't.

                            0:10:25 Emily Wearmouth: I want to hear about it, but I'm happy to not do it. And sorry to have interrupted Max, but that was worth it.

                            0:10:31 Max Havey: Oh no, that was absolutely worth it. And so Jenny, that's kind of an interesting thing. In an episode we did a couple months ago, we were talking about the movie Hackers and our guest brought up the idea that a character gets locked up on a roof at one point and can't get out. He's like, that's the least believable thing about this movie because as a hacker, he absolutely has a lock pick in his bag and is going to pick that lock immediately. The physical security side of all of this is a thing that I think a lot of folks don't necessarily think about when it comes to cybersecurity or being a hacker and things of that sort. And so I think that kind of brings us really, that brings us into sharp focus here.

                            0:11:07 Jenny Radcliffe: Well first of all, I've been trapped on tons of roofs. Second of all, lock picking is the lock pick thing. I mean certain people, I was speaking to a guy who he was an expert can pick any lock and pick it very quickly and I've got mates who are great lock pickers, but generally speaking that is not something that I would take on any job. If you are caught by a security guard and you have lock picks on you, that is hard to explain. And even if you can have get sort of disguised or have them in your boots or something, and I have other things down my boots that are also difficult to explain, but not that, but you wouldn't, the idea that you just lock picky way out of it to me is, it takes time, it takes effort even if you're good at it. And so for example, I always made sure or tried to make sure that any kit I had on me could be explained away or so well hidden that they probably wouldn't find it. By which I mean in things like a tampon tube, sorry Max, sorry to anyone who's offended by the, but it's very rare that anyone bothered looking in that. So we've maybe put the odd thing in there. But for example, we used to carry around giving away something now, which I've only really spoken about at BSides before, but we used to get these little black light torches and pens and use them to just scratch whether, so say there was five of us in a building, we'd have certain signs which are code for this has been done or don't go down there or we've already covered this bit because you'd have radio silence a lot of the time and everyone's have a little black light torch and we'd be able to just shine and we'd know where about to put them, but that's hard to explain. So what we changed to which is have sort of been successful and there's times it wasn't, we started to take know extra strong mints and I dunno, you have if they've got them in the states so much Max, but they're like chalky, big mint that works like chalk. 
So it works like chalk to reduce that instead to just put these lines on the floor on the walls because we could explain that you couldn't explain if someone caught you making a sign on the floor with one, but if you were caught by a security guard, they didn't immediately think, oh this is a black light and pen. So I'm very cautious about what I take on a job and I'm very careful that I can explain 99% of what I've got on me away quite easily. But yeah, I'm always well saying that though, when I started out for a long time I really did just make it up as I went along. There wasn't really anything, and there still is quite negligible amount of stuff, that you can study about social engineering that's any good or that's about the physical side. It's really a lot of it is trade craft, which obviously by its nature is quite hidden or very expensive to get hold of if you're looking for white papers and books and things. And so I was kind of making it up a little bit as I went along so I might just be incompetent, but I've been caught on many a roof and I don't think I've ever picked my way off a roof or almost anywhere to be honest. I'm just trying. I think there was one time, not so much a lock pick, but cards and there are tricks and there's stuff that you can use to open locks and things and we've used them sometimes, but generally speaking I would disagree with that. I wouldn't do that much. But everyone has their own experience and their own expertise and their own way of doing it. I speak to people sometimes and I say my con is not your con, right? You have to use who you are, what you have and what you know. So don't copy other people because what that might work perfectly for them. They might just know that they could do that.

                            0:15:10 Emily Wearmouth: Jenny, how much work do you do ahead of any of these sorts of jobs? If we are looking at a broad cyber and physical picture and physical access might be part of your way of gaining access to digital systems, how much work is being done at your desk ahead of time researching employees, finding ways to use their psychology to get into the organization?

                            0:15:34 Jenny Radcliffe: Well a stupid amount really. I mean because I'm only using my part of the operation before we hand it because social engineers are blended attack. So the social engineering, whether that's phishing, whether it's vision, whether it's physical entry, all of that really is to enable a handover a lot of the time to the cyber guys. So I can only speak to my part, but because I can't use any of that, my research was always very thorough and I mean it was a funnel of research. So would just said everything about that company, that target that person to a silly point of view really because I wanted to be at the point where I knew as much as anyone who didn't actually work in the day to day would be. So we'd sometimes send in B teams, we'd go and do research on site reconnaissance. So it was quite a lot. And honestly depending on the job and how serious the client would be, and by that I mean how much they were willing to pay for that kind of reconnaissance. Sometimes the clients think it needs almost nothing and we don't work like that. And sometimes they think it needs a lot and you don't know until you look into it, right? But it would be a lot, I mean at least two and a half times the amount of time it would take to do the actual infiltration, which we try and do in 90 minutes, but we'd have a week put aside looking for the right opportunity. So probably a couple of weeks really depending on what we find really in depth.

0:17:13 Emily Wearmouth: And I'm going to say the letters. Does AI help you with that research?

0:17:19 Jenny Radcliffe: So this is the thing, and this is why I didn't mention it then, I knew you were going to ask me. AI has cut that down. First of all, the internet cuts it down. So I started sort of pre-internet, real or pre good internet. And then the beginning, no internet, but I used to have to, and I always say this when I give keynotes, I used to have to hang out near the site and sit in whichever bar they all went to on a Friday night and listen and listen out for things and note activity and note one of the things we always saw was the way employees use the site and the way employees broke the rules and got around security. We just followed what the employees did and then the internet came along and that cut everything down and OSINT became easier and we managed to do that. But now we have AI, it makes that level of research quick. I mean really quick, reducing from days and days down to minutes or even seconds, not to get the same level of interpretation but to get the amount of data. The difference between somebody who does social engineering and somebody who feels that they're a really good social engineer isn't the quality even of the data. It's learning to interpret and find the story that's going to be the hook that's going to get you in. But AI has enabled people to get 80% of the way there very quickly.

                            0:18:47 Max Havey: I am curious in the AI world you talk about that sort of reducing time, reducing how things are happening here, how is that sort changing things and we're seeing AI automating tasks that humans do. Is social engineering at all on your end sort of now sort doing social engineering for AI and finding ways to trick that AI to get you the information that you need? How is something like that becoming a part of your toolkit at this point or is it becoming a part of your toolkit at this point?

                            0:19:13 Jenny Radcliffe: Well it is because AI is very, obviously it depends on what you want to think about AI. It's either it's going to kill everyone.

                            0:19:24 Emily Wearmouth: That's the pessimistic view, Jenny,

                            0:19:29 Jenny Radcliffe: Mmhmm it's probably true. No, it's probably true, but also it's very smart and it can do lots of things, but it's not as smart. In some ways it's smarter than humans and even a room or a stadium of humans, but in some ways it's not. So if you can imagine if you can fool a human into telling you things, you can fool AI and that's a bad thing because criminals know that and are using it that way. So you absolutely can socially engineer AI or some AI for some things right now by being very specific about what you ask. And by it not really being that good at detecting deception from a human yet, at least they're not the ones that I have seen.

                            0:20:21 Emily Wearmouth: So an organization's AI and particularly agentic AI can become one of the tools that you might use to get into the organization.

0:20:31 Jenny Radcliffe: I wouldn't necessarily rely on that, but it's just a tool, right? It's a technique, but you don't have to be a lifelong social engineer who's done this for years and sort of feels like that you can speak to people like you about it to be almost as good. And that's the problem. You don't have to be brilliant at it. You just have to be good enough. And I think that's how it's being used, it's how it's weaponizing human nature, which is something that I always did, was weaponize mistakes and psychology. I might be able to do that slightly better just because I'm a thinking living human who's done this for a long time, but sometimes you don't need me and this is why we turn jobs down sometimes. I say, well you don't need that. What? You just need a really good red team with a couple of people who are quite good at social engineering. So you don't need someone whose whole expertise is this one particular thing which is warping human psychology, but you don't always need that to get past. And we've seen that happen at scale. The difference is it's at scale. So whereas we are limited by just being physical humans and the size of the team and the workloads of what we do, but AI is not limited by that at all. So there's this trade off between having someone who will get past and will keep trying as a human and will adapt, but only being able to do as much as we can physically take on, to a machine that doesn't get tired. It's sort of Terminator stuff, it doesn't get tired, it will absolutely not stop. And it will do that at like 60, 70% effective but over and over again. So just statistically it's going to get through.

                            0:22:21 Emily Wearmouth: Can I ask you a question that flips to the other side of the AI thinking If you are the people hacker and a big tool for you is taking advantage of human psychology, I'm wondering whether you are yet seeing or anticipating seeing any changes to human psychology that AI might bring or as we grow in our dependence and use of AI systems, does that change the way humans think and operate that you think might leave more doors open for you?

                            0:22:51 Jenny Radcliffe: Yes, because everyone's got lazier and therefore you're not as sharp If you don't read the book, but you just read a summary of the book, then you haven't really absorbed the learning in the book. If you are asked to give, I dunno, a presentation and you don't write the presentation, then you don't really know as much about that presentation. And this has been a problem in security for a long time that there are people in security, you are there just purely for the showboating side of it and whatever, make a living however you can. But this is security. If you give the wrong advice or if you don't know what you're talking about, that's dangerous stuff. And I don't just mean financially or reputationally, that's dangerous in lots of ways. That's a problem. It's made it easy for people to look as if they know what they're talking about and to get lazy as a social engineer, we can absolutely exploit the fact that you probably dunno what you're talking about that certain people dunno what they're talking about and if they're on the defensive side, we'll get past that easier than if they really knew about it. And that's on the security side, nevermind just people who are not in security, not really thinking that defense is part of their job as just an employee who does something else well. So that is a problem. That's how humans are changing.

                            0:24:22 Emily Wearmouth: I'm utterly fascinated to see, I've got a number of teenagers within my household and I'm fascinated to see the way their brains interact with the world in different ways to how mine did at that age because of their expectation of what's going to be done for them by systems. And we didn't have that. And so I think that psychology change is going to be fascinating in the next few years and yet it potentially exposes new risks for organizations.

                            0:24:50 Jenny Radcliffe: But I think as well there is some merit, I agree with you, but I think that there is some merit in the fact that younger people, teenagers and even kids have been born into a world where this is normal and where this is usual, which means as humans, I have faith in humans mostly, most humans most of the time to kind of adapt to that and understand the risks just instinctively see the risk in it. And that's a strange thing to say because people often ask me when I am consultant and stuff, how worried are you about kids online and all that kind of the dark side of the internet and all the exploitation and everything. And of course it's a massive worry because younger kids and youngsters might not see what we see the potential of the evil of the bad things that's out there. But the flip side of that is that they're so used to it, they've been warned about it and seen it from when they were very young that in a way this is their world now. And they will, I hope and I think that they will adapt better than we will. We are more kind of fearful of it, I think. And in some ways that's great we should be because we're there to guide the next generation as to what could be so bad out there. But I'm always heartened by the fact that that kids kind of take it all with a bit of a pinch of salt as well. That's also kind of heartening for me. It's like they're getting well bound to happen. There's something nice about that nonchalance. I think the charm of teenage nonchalance.

                            0:26:27 Max Havey: Yeah, the power of being sort of a digital native.

0:26:30 Jenny Radcliffe: Yeah, no, but Max, you're right though. It's that it's the fact that there are positives that come with that. They expect it.

                            0:26:40 Max Havey: No 100%. And I think that's kind of the interesting thing, taking it all in the notion of convenience as a risk factor and the idea of people who have lived in this world who they understand sort of the risks, they sort of see some of the signs whether they realize it or not. I feel like that's the way. Growing up on the internet, that was often my case where I developed a real detector. I'm like, that seems fake. Anything that seems too good to be true, that's probably somebody who wants something from me, whether it's my information or for me to sign up for some sketchy credit card.

                            0:27:14 Jenny Radcliffe: There's a cynicism, which is kind of awful, but also has got a positive, perhaps.

                            0:27:22 Max Havey: The silver lining of cynicism.

                            0:20:04 Emily Wearmouth: That sounds like your book title. Can I ask a question about failure? Firstly, I was intrigued to know Jenny, people are paying you to get into their organizations. What is your success rate? And then for whatever the percentage is where you can't get in, how long do you keep trying? What parameters do you put around that?

                            0:27:45 Jenny Radcliffe: Same question, honestly, because the truth is we keep going until we do get in, so the success rate is a hundred percent, and everyone says, oh, no, no, no, you must have been... No, we've been stopped lots and lots of times, with various exciting consequences. But if we are stopped, we'll go back, even to the point where it costs me money to put the team in again, because I had a reputation, my ego couldn't have handled it. I had a reputation to maintain. But I suppose it sort of depends. I've seen places that would be extremely difficult to get past. I've not been tasked with getting in, but I've seen how difficult it would be. And for something like that, it's a longer bin, and often that is not commercially viable. They can't say we would let you do it. But there's ones that have essentially, if we are stopped to the point where we have to abort or were retain away, which is rare, so the amount of times that happens is less than 10%, but of that 10% we have always gone back, and then we'll hit them again and again and again, as many times as I need to hit them, so that in the end I can go to that client in whatever coffee shop or conference room and present them a win that we did it, because otherwise, why would you hire me? I mean, there's times when I've looked at, say I've had a client that's given me four sites and said, we want you to break into this one or this one, and I've gone, of the four sites that you've given me, that one's the hardest one. So I can rank them just from reconnaissance, I can rank them and say, that's going to be the hardest one. So that's going to cost you more for us to do it. It's going to take us longer. I'm going to need more people. Am I going to need kit? And that kit might be expensive. Do you still want me to do it? And they say yes sometimes, and they'll pay for that. But generally speaking, I mean, there's times I can look at a site and go, you won't do that on social engineering alone, high security stuff. So...

                            0:30:03 Emily Wearmouth: At that point you might need a crane and a power tool for instance.

                            0:30:10 Jenny Radcliffe: You very well... no, because that wasn't that particularly difficult.

                            0:30:14 Emily Wearmouth: So I'm referring to the Louvre heist for anyone unsure of the methodology that was used in Paris last autumn, but do you have thoughts on that one, Jenny?

                            0:30:26 Jenny Radcliffe: As you know, Emily, I do. So the day that happened, or the day after, I got so many emails and calls wanting me to comment, and I wouldn't comment specifically on all of my theories on the Louvre. But what I'll say is that there's a lot of lessons here for security. And it's not that whatever the password was, Louvre or whatever it was, it's that when these things happen, the lesson is that you have to look at any breach holistically and you have to ask the question. Everyone was asking how, how did they get past security, why was security terrible? All of this type of thing. But the real question is not ever that; you always have to ask why. And I know that one of the problems, and I speak to very senior people sometimes, they say, well, it's financial. It's always financial. It's never, ever, no matter what it is, it's never just financial. You have to look at the secondary motive, and then the motive under that, and then the people that you're dealing with. And for the Louvre you have to think about what was taken and when it was taken. And I've heard good people, good security people, say, well, they did it in broad daylight so that people weren't as suspicious, I mean, you wouldn't rob someone in broad daylight. So people were less suspicious. And that's true, but it's also so that people can see that something has been done. It's what we call a vanity heist. You are showing people what you've done, and specifically the people who want that loot. And for me, that tells you everything about who's behind it, who funded it, why it was done at that time. And you have to look at the bigger picture in the world. And that's what people never do. Incidents are seen as far too isolated, right? It was an attack on us, on this business. But when you look at the TTPs of things, when you look at the patterns, it'll give you a lot more information as to who's behind these things and why. And if you take money, almost take money out of it, and look at everything else. The money side of it we deal with in the incident and the aftermath of the incident, and how we all cope with that and get all our systems back online. But the real question is, things are connected. And this is where I revive my podcast series of the Tin Foil Hat Club from lockdown. But you really do need to think that these things are connected, and they're connected to a wider network than what is immediately obvious. And as soon as you start looking at things like that, you see things differently. And that's what helped us, me and my team, with a lot of investigations and things that we've done in the past, is to take, if we take the money out of this, what's going on?

                            0:33:28 Emily Wearmouth: And is that in particular when it's very public? Because some of these things are never public and they're kept very quiet. And so the motivations are different. Is this principally for when it's done deliberately to be visible, some of the big hacks that we saw in the UK last year, they were designed to be very visible. Are those the sorts of ones where we should be looking at a slightly different non-financial motive?

                            0:33:50 Jenny Radcliffe: I think that's a good question. That's speculation, but I don't think it's true. What matters isn't how many people see it, but who sees it. So to be malicious in that sense, it doesn't have to be public. But I can tell you something funny. I won't say who it was, but one of the big hacks last year was no surprise to me at all. I was doing a social engineering job with a colleague, we were staying in a hotel, and we weren't working until the next evening. So I broke my own rule and had a glass or two of wine while we chatted. It was summer, so we went out onto the balcony in the hotel garden, and it was very nice. And behind us there was a group of male employees who were just talking loudly. They were very noisy and very rude to the staff and everyone else. That's one of the things I hate most. I can't stand people who can't be civil to waiters and so on. So we listened to what they were saying, and it turned out they were the security team, the cybersecurity team, of a big company. So, for fun, for a laugh, we decided to see what we could get them to tell us.

                            0:35:20 Emily Wearmouth: It's a bar game.

                            0:35:23 Jenny Radcliffe: We started a conversation, and it was easy. They were, as I said, loud and unpleasant. It was getting quite late and they were drunk, but we weren't. We'd been drinking wine, but we weren't drunk. And I said, "Hello, you're in security, are you? Does that mean stopping hackers?" And they said yes, it does. So I thought, "What's a hacker? Is that the people who want your password?" And they said, oh, yes. And it was, oh, well, young lady. Yes. And I said, oh, if my password were password 1, 2, 3, would that be bad? They said, "Yes, that's bad." And I said, "Oh." So what do you do about that? And I drew them into this conversation, and if they hadn't been so awful and condescending I would have ended it there, but I didn't end it there. And in the end they told us a lot of information, in a kind of, oh well, what can you do way. So they were saying, all right, good luck to you. Goodbye. And as we left, I slipped one of my cards, which is a poker chip, into one of their pockets. And this was a couple of years before what happened last year. And I always think that if that man looked me up, he must have thought, I've been socially engineered. But despite every explanation I've heard in the press and everywhere else, I'm not surprised to hear that it wasn't a surprise to me. I wasn't in the least surprised that they'd been hacked, because what they were doing was physically, in the real world, leaking everything. Their systems may have been perfect. And I already knew far too much, not just details, but detailed information about the systems they use and so on. We can ask questions as if we were explaining things to a child, but we're not children. I have colleagues who can tell me in much more detail what I should ask. But also, the arrogance of that culture, the arrogance of that culture, is one of the things that, as a social engineer, I focus on and will absolutely beat you with. Because if a company thinks it'll never get caught, or that it's so good it can talk about it, and nobody cares, then I'm better than one of the "real bad guys". I had the information, and if I'd chosen to sell it to malicious people it would have been enormously valuable. But it was only a matter of time until they were hacked.

                            0:37:53 Max Havey: As you've been telling us all these stories and things about your career, I find it very interesting that a lot of your approach to social engineering, at least in the psychological sense, is asking the right questions, and knowing what kind of questions to ask in order to find out whether the person realizes they're being socially engineered. And that's most interesting for people like Emily and me, whose job is to ask people questions to understand the context of things. It's very interesting to hear how you do it using other means. That's interesting.

                            0:38:29 Emily Wearmouth: Jenny, I'd like to do work experience with you.

                            0:38:32 Jenny Radcliffe: Until you fall off a roof or dive into a bin ten times. But Max, one of the things you said is very interesting, because it's asking the right questions, reading people, and being able to read their physicality. I mean, understanding psychophysiology means being able to understand linguistics to a certain degree. So I'm limited outside my own language, because there are subtleties in how people speak. But it's also, from a kind of social perspective, observing how groups interact, people's identity within the group, and the identity they present in public, and then, and this is very evil, seeing what would shatter that. In other words, the really sharp spearphishing skill is being able to get inside someone's head. That way, they start to question themselves. And if they question themselves, you get doubt. And what we exploit is doubt, and in the wrong hands that becomes evil. But to do that, you have to study widely beyond your own specialism. Emily, going back to your question about AI, I think that's one of them. One of the things we have to be careful not to lose is the accumulation of interdisciplinary knowledge and expertise, because without it you can't do my kind of social engineering well. It's not enough just to know the five things that influence people. It might make a living, but if you want to be really good at it, and if you want to develop a signature type of social engineering, my attacks have characteristics that, if you knew me and the industry, you'd recognize as mine. If you want to reach that stage, I think you need to study things outside your specialism. But whether that's still so necessary, nobody knows. This is a niche profession, and in fact only a handful are done a year now, because most companies don't think they need to pay for that level of psychology behind it. As I said, it's more of a craft than anything, I suppose you'd call it.

                            0:41:01 Emily Wearmouth: Honestly, Max, I don't know about you, but I feel very exposed. I feel like I'm constantly being watched and interpreted in this conversation. I didn't at first, but at this point I feel exposed.

                            0:41:12 Jenny Radcliffe: Everyone always says that to me, and I always say, "Are you paying me to do that?" And if you're not paying me, I'm not doing it to you. The fear is real. People say, "Oh, you're doing it now." You're doing it now. If you robbed me. I say, "Are you paying me to rob you?" No. Then I'm not robbing you.

                            0:41:28 Emily Wearmouth: But the motive isn't always just money, Jenny. I've learned that in this conversation.

                            0:41:32 Jenny Radcliffe: No, that's also true. That's also true. And if I disliked you, I might do it too. Even with people I don't like, there are some I'd do it for free.

                            0:41:42 Max Havey: That's a good reason to keep Jenny in a good mood.

                            0:41:45 Jenny Radcliffe: Yes,

                            0:41:48 Max Havey: Jenny, we touched on this a little, but from your experience working as a social engineer like this for so many years, what's one tip you'd like to give everyone, across physical security, cybersecurity, and every area of security?

                            0:42:04 Jenny Radcliffe: Honestly, everyone needs to shut up. Stop talking about yourself, what you like, what you don't like, what scares you, and so on. Keep it private. Shall we be more private? The same goes for companies. Be more private. Think about who's listening. Think about what could actually be done with that information online. Stop. Stop. Privacy is becoming a kind of currency. It's a very graceful quality to protect. But I see security professionals publishing details of their personal lives and so on everywhere. And I think they understand that this is supposed to be harmless. It isn't, is it? It's not. So there's still some free speech here, and you can choose to do what you want, but don't fall into the feeling that nothing will happen whatever you say; make it your choice. It doesn't take much to get hold of you. It doesn't take much to understand how your brain works and how you feel about yourself. So the more you put out, the more vulnerable you make yourself. So why do it? Even though I've written a book, an autobiography, I still come across people who say, "I don't know you well, and you don't know me either."

                            0:43:25 Emily Wearmouth: I'm an oversharer, so I'll take that advice on board.

                            0:43:30 Max Havey: Wonderful, Jenny. Thank you so much for taking the time today. It was a fascinating conversation. I can only imagine our listeners and viewers will think the same. Thank you very much for joining us. It was really great.

                            0:43:43 Jenny Radcliffe: Not at all, it was great fun. I enjoyed talking with you both.

                            0:43:47 Emily Wearmouth: Jenny, can I request your next book? Because there are so many books about who Jack the Ripper was. It feels like a book called "Jenny's Theories on the Louvre Heist" is waiting to be written. Tell us exactly who you think it was. I didn't probe too deeply with my questions. I wasn't sure whether you wanted to tell us, but I feel there's a book there.

                            0:44:06 Jenny Radcliffe: No, it isn't. That's not the next book.

                            0:44:10 Max Havey: Right. You've been listening to the Security Visionaries podcast. I'm your host, Max Havey. If you enjoyed this episode, please share it with a friend and subscribe to Security Visionaries on your favorite podcast platform. You can listen to past episodes and keep an eye out for new episodes, released every other week. And if you liked our episode, please rate, review, and subscribe. It really helps us, and we want to keep making cool episodes like this. So please do. You'll find episodes hosted by me, my co-host Emily, or our other co-host Bailey Pop. See you on the next episode.
