Modern Cyber with Jeremy Snyder - Episode 82

Chris Parker of WhatIsMyIPAddress.com

In this episode of Modern Cyber, Jeremy is joined by Chris Parker, the founder of WhatIsMyIPAddress.com, one of the most visited websites in the world.

Podcast Transcript

All right. Welcome back to another episode of Modern Cyber. I am super excited to share this guest with you today because this is a site. This is a service that I think everybody I can say with one hundred percent certainty, every single one of our audience members have used at least once, if not this week, then definitely this month, and certainly this year, and probably at least tens of times over the previous years. If you're anything like me and you've traveled around and you've been in the tech scene, you will be very familiar with the website WhatIsMyIPAddress.com. And we are thrilled to have the founder of that website, Chris Parker, joining us today. It is one of the most visited websites in the world. More than thirteen million people have gone on there and go on there every month to both kind of (a) understand their IP address, but (b) also work on protecting their digital privacy.

And we're going to get into that topic of privacy quite a lot with Chris today. Chris is one of the go-to experts on protecting yourself in the digital age, whether staying safe from scammers, data miners or threats you don't even know about. And he's recently brought out a book called Privacy Crisis: How to Maintain Your Privacy Without Becoming a Hermit. We're going to get into that. We're going to get into some other topics. We're going to talk about his podcast, The Easy Prey Podcast. Chris's work has been featured on GQ, The Sun, Biztech magazine, Techno, Techopedia, excuse me, ABC fifteen and many more places. Chris, thank you so much for taking the time to join us today.

Jeremy, thank you so much for having me on. It's really my pleasure.

Like I said at the beginning, I want to start at the beginning, so to speak. What is my IP address? Like I said, it's a website I have used. I don't know how many times over the years I probably couldn't count them. What led you to start that website and when did you get started on it?

So the I'm going to I'm going to date myself here because I think I registered the domain name in early January two thousand. So that's almost twenty six years ago. Um, at the time, I was working on working at a mail order because there was really not a whole lot of internet at the time. Uh, a mail order catalog company. We sold computers, primarily Apple computers, and we were transitioning from when the graphic artists would produce the, uh, the catalogs from, uh, fedexing hard drives to the print shop. We were going to do this newfangled thing and upload our catalogs via FTP to their servers on our massive T-1, you know, one point five megs. Yeah, at the time, blazing fast. Yeah. For sure. One of the things that they wanted to do as part of their security setup is for your username and password on the FTP site. We only want to open it up for your IP address.

And, uh, the IT manager went I don't know what that is and knew I liked internet stuff and asked me, do you know what our IP address is? I'm like, I don't know. We poked around. We poked around a fixed address from your ISP with a T-1 line. Well, it was, but it's not the sort of thing that if you're on the inside, like if you're on the inside of the router, it wasn't particularly obvious what the IP address was inside configuration. Easy to figure. And we're like, well, I'm sure there's a website out there that we're out there that will tell us this, and no Google at the time, I think it was AltaVista around or Lycos. Yeah, yeah. And didn't find an easy answer. We ended up having to call our ISP to figure it out. And I went home that night and spent the two hundred bucks to register WhatIsMyIPAddress.com.

So you saw immediately that other people were going to have this same problem? Yes and no. To me it was more just like a curiosity of like, huh, okay. This would just be something useful for other people to do or to other for other people to have. And yeah, you know, I spun it up on on a Windows NT box at home on a DSL internet connection, fixed IP. Um, and I just, it just spit back the IP address. No. No HTML markup, no other content, just the IP address. And it sat that way for, I don't know, probably five years, uh, until I got an alert that the, uh, drive space on the hard drive was full from log files from, from HTTP visitor logs from from the log files. I was just I had just set it up to log everything and set it and forget it. And I'm like, yeah, how could what do you mean? There's the logs. What do you mean? The the drive's full. There's, there's nothing on this machine. And it was, you know, years worth of log files taking up increasingly large space. And I was like, oh, I should do something a little bit more with this site. There's a lot of people visiting it.

Yeah, yeah, yeah, I was logging was notoriously verbose back in those days. I remember we used to have that problem, and we had, uh, we had to set up something with our Veritas backup software to either exclude that directory or somehow truncate it. I can't remember, but I do remember we had real issues with backing up the log file directory from our eyes at that time period. So. So that was the start. The site was, as I recall, in the early days, and I, you know, I'm from that same era as you. I do recall the site being pretty basic at the beginning where I think, like literally all you got was, you know, the four octets and the three separating dots right on that web page, right?

Yep. Went from there to answers to a couple frequently asked questions. How do I change my IP address? What is an IP address? You know, kind of really, really basic stuff was the next step. And you know, and then and then I think I had one little tiny, uh, GoToMyPC ad on the site because their affiliate program, it paid, you know, five bucks a conversion or something like that. I was like, woo hoo! You know, making enough for some for sushi dinner once a month.

Yeah, yeah. I was going to ask, did that, did that pay the bills. Did that pay your bandwidth bills? Uh, yeah. I mean, ultimately it got to the point where, uh, Google AdWords came around. Uh, I guess, no, sorry, it was AdSense at the time. Uh, Google AdSense came around, did a couple of Google ads on it, and paid for paid for the paid for the bandwidth, paid for a little bit of marketing I was doing, paid for a little small vacation every year, and I was like, hey, this is this is this is a lot of fun. Uh, but even still, it was not it was it was barely even a hobby. It was something, you know, nights and weekends I'll poke at it. But it wasn't super. It wasn't something I was investing a whole lot of time with.

I think kind of one of the trigger points of changing it was when I put a, uh, put an email address on there. So if you have any questions, email me and you know, you know, a couple questions, dozens of questions, hundreds of questions. And all of a sudden it's like, okay, I need I need to start writing content to answer this stuff as opposed to dealing with questions. And it grew from there. You know, then the like, IP database, geolocation database companies came out and started able to include things like, here's where MaxMind thinks your IP address is located. And yeah, yeah, VPN companies come out. So now here's how to hide your IP address.

Yeah, yeah. But that's got to be a trade off. And I know we're getting a little bit in the weeds here on the technology side. Because you start answering these FAQs on there. Every page load goes up in size probably like five or ten x right? Yeah. Even with just, you know, three or four questions answered, if you go from literally what would that be like for twelve? If you go from fifteen characters to however many hundreds, just answering a couple questions like. That's real bandwidth costs.

Yeah, yeah. At one point, the, uh. I'll see if I could. I'll send it to you or, uh, I'll see if I can find it. Uh, I had a half rack in my home because all this would have been run out of my home for years. I had a half rack in the home with, uh, all the all the copper in my house was maxed out. So I think I had, uh, a bonded T-1. So, uh, three megabits there, another T-1 from a different provider because I wanted to provide multihoming, um, at, uh, a mega and a half, and then I had a five Meg, uh, fixed wireless. Wow. And so I had maybe, like, eight, you know, eight megabits. And very consistently I was at, at capacity on it and finally made the made the what should have been years earlier, moved to a data center with a gigabit connection, but still got you still just a crazy amount of bandwidth utilization.

Yeah, yeah. Well, from that time that you kind of moved to the data center to today, what can you tell us about the growth of the site? And let's say not only from the perspective of the number of visitors and you know, how popular the site is, but what's like the business around it? What does it do today aside from providing your IP address when you go to that website?

Yeah. So, um, traffic has gone up from I don't have the number in front of me at what point it went to the data center, but it was probably well over a million, probably one to five million a month at the point that I made the data center transition. I think, uh, as of October of this year, I think it's about fifteen million visits, which is a considerable amount of traffic. Uh, just before we got on, we were talking about, uh, Cloudflare, a little snafu. Yeah. And it's, uh, somewhere around one point six billion server requests or edge requests a month. So it's and that is actually after having pared down a number of services that were super utilized in malware. We'll talk about that. We can come back and talk about that.

Yeah, yeah. And so monetization. Uh, so yeah, so definitely have built more and more content around privacy and security and, and those sort of, kind of tangential, uh, experiences without trying to get network engineer level. That was never that was never really the intent behind the site is to provide network engineer level, uh, information, but to provide enough information that, uh, residential customers who want a little bit of idea of what was going on would have enough, like, okay, now I understand how this works, and maybe some small business people would be like, okay, this helps me get the helps me to build the questions I need to ask of of my partners to figure things out.

Um, and interestingly, you know, was in with the, uh, the VPN affiliate programs very early on in the VPN age when there were only a couple VPN companies out there. Yeah. And that kind of grew to be, I don't know if I ever got up to, like, thirty or forty percent of the revenue was VPN affiliate programs. Okay. Which which is always kind of like it's very interesting because if the website that's talking about privacy and security and here's your IP address, but then on the other side, well here's how to hide it so people don't know who you are. So kind of this delicate, delicate balance between transparency but also having that that realization that however accurate or inaccurate is there's people who just don't want that information as known.

Yeah, yeah. And in later years, you know, every YouTube person is now hawking VPNs, uh, VPNs on the radio, on TV. And so it's it's definitely decreased in revenue, but, uh, the display revenue the the technology behind banner ads only has only gotten better over the years.

Yeah, yeah. And along with that, it's a little bit funny. You know, you mentioned it's like, hey, here's here's your IP address and here's a way to hide your IP address. And it's like, hey, here's a banner ad and here's a web browser plugin to hide banner ads from you. So like these things always kind of go hand in hand, right? It's, you know. Yeah. Anyway, um, it's an interesting balance always, but I guess, you know, the point is, like, you're never recommending a service in the sense of, like, what a user should and shouldn't do with their IP address, but you provide them visibility, awareness, and then they can make decisions about how they want to browse the internet and how they want to use the internet.

I know for myself over the years having, you know, having used it, like I said, hundreds of times over the years, it's always about trying to figure out like, hey, is there some problem that I'm trying to troubleshoot where I'm getting a certain set of search results, or I'm getting a certain, you know, I'm getting Amazon in a different country because I'm traveling. And then you realize that your IP address is being routed. I had a funny experience once. I was in an airport lounge, and I had a really weird set of experiences on a lot of websites that I was using, and I realized it was because actually this was a Lufthansa lounge. Lufthansa routes all your traffic back to Germany over some T-Mobile network or, sorry, Deutsche Telekom network. And so I'm getting like all these Amazon search results for something when I'm sitting in Lufthansa lounge in the US. Yeah. And so you know, like I've, I've used it for any number of these types of troubleshooting type of scenarios. What are some of the other like common legitimate use cases that before we get into that malware thing that you hinted at?

I think there's, you know, if you're talking, you know, kind of just general consumers using the site. There's a lot of people working with us. Tech support at either apps or websites or banks that I tried to log. You know, I get these weird things, just like people will send me a support request of, hey, I can't log into like I can't log into this game. And they told me to contact you. And it's like, no, they told me to go to they told you to go to what is my address to get your IP address. And they give it back to them. Give it back to them. Right, right. And so I get all sorts of weird support requests of, you know, my game doesn't work. Help me fix it. I can't fix your game for you.

Yeah. So I think there's a lot of that. Um, and then there's a large segment of people that are trying to verify, uh, whether their VPN is working. Yeah. I was super excited to see, uh, Google's, uh, atrocious AI responses, uh, saying the way that you test your VPN is you go to WhatIsMyIPAddress when your VPN is off. Write down that IP address. Go to it when it's on and make sure that it's changed. I'm like, thank you Google. That's hilarious.

I didn't know that that was the answer. But I bet you, you know, like if I think about it, if I was trying to test that, I think that is what I would do. Yeah, yeah, yeah. It's it's what I do when I'm traveling that I want to make sure that I'm using the using a VPN rather than this questionable cafe, you know, sketchy cafe.

Yeah. Right. Well, you hinted at the malware stuff earlier. What's going on there? I don't I hadn't thought about this scenario, so I'm really curious.

So I had spun up kind of in, in there was always this cat and mouse game where people would do scripted access to what is my IP address to get the IP address. And so I would be dumping a a two or three or five or ten K response for them, just to strip out the IP address out of it, because that's what they wanted. And they would be like, well, I'll just query it once every ten minutes. Okay. In in and of itself, not a big deal, but you get ten thousand or one hundred thousand or a million people doing that once every ten minutes. And, you know, that's why people use Cloudflare. Uh, and so what I decided to do is, hey, let me just do bot, what is my IP address? And I'll just go back to the old days and I will spit out just the IP address, a whole whopping twenty bytes. No bandwidth issues.

And over the years, that started getting encoded into people's malware. So you have a compromised machine. And as far as part of the command and control, rather than going back to some infrastructure that the malware makers made, they would go out to what is my IP address to get their IP address and send that back into the command and control so they could look at, you know, whatever they wanted to look at to decide, hey, an attack from US based IP addresses or whatever. And and that got up to before I shut down the service. It was it was probably I'm trying to think we could probably do real math in our heads here. It was twenty megabits of sustained, uh, outbound in and outbound traffic serving twenty byte responses. Okay, so twenty bytes, twenty megabits. I was a million. Is that a million requests a minute or something like that? Just insane amounts.

Yeah. And the data centers started getting calls from people saying, hey, you're hosting malware because you see a URL embedded in malware, and clearly it's part of the malware as opposed to some hijacked service. And so ultimately, I ended up shutting that, that aspect of it down because it just got too much of a hassle to run.

Yeah, that's really interesting. Around the time frame or the early two thousand, I experienced one of the worst breaches that I've ever had in my career as a cybersecurity professional, and we had this long internal debate about it afterwards, after we had recovered and done all the things and so on. And we had one guy in the team who kept bringing up the point that, you know, we hadn't been hacked. It was just a misappropriation or a misuse of services that we had actually put out there. And I kind of, I always, always different opinion to him on that specific incident because there was enough things, enough indicators from my perspective to show that this was very clearly like an exploit of a vulnerability that we had, which, to be fair, like we presented a vulnerable FTP service on Windows NT three point five, which was a bad idea to start off with. But like, put that aside for a second. Um, but yours is exactly that description, and that phrase has stuck with me in my head. You know, it's a misuse of a of a furnished service that is made available for legitimate purposes. And like a lot of tools over the years, Cobalt Strike and Metasploit and so many other things, you put something out there with a good intention and, you know, threat actors will use it as well.

Yep. And then I think kind of one of the weirder things that I think I had a server compromised once that I know of and I'm going to say I know of, because it wouldn't surprise me if there was a server compromise that I didn't know about, but there was definitely one that I knew about that I was able to recover, went to a backup, and then okay, the backup's clean. We're going to change passwords, change configurations, tighten it up. And that didn't appear to ever happen again. Um, but we got a support request from someone saying, why are you crypto mining on my browser? And and my first thought was like, like, why are you running a cryptocurrency miner? My browser. And I'm like, well, that's just a weird. It's very specific, but just seems really weird. And I thought, now that that that can't be. And I, you know, and I go through and now there's there's nothing weird. Look, look at all the all all my all my code. There's nothing weird on, on the server side.

And I'm like, well, let me just launch up. Let me, let me just use the, uh, the code Explorer and whatever the browser was and the JavaScript explorer. And lo and behold, there was a, a cryptocurrency miner running in, in JavaScript. And I'm like, what? Like where the heck did that come from? It's. And so I search all my code. It's not in any of my code, but it was there was a supply chain hack somewhere down the line where uh, it was uh, I think it was an advertising plugin or something like that. Or maybe let's just, let's just say it was a, uh, a just some sort of plugin that does metrics, but they have included a SDK that had gotten compromised. So it wasn't even my vendor that was compromised. It was someone further down the line that was compromised. Okay. It's like again, as far as the consumer is concerned, my site was compromised. Yeah, yeah, yeah, as far as I'm concerned, well, there's nothing in my code that was compromised, but I can make it a I can make it go away by disabling this JavaScript on my end. You know, don't use JavaScript. And it goes away. So it's like you said, like you can have misappropriation of services, you can have a compromise, or it could be some sort of supply chain that's not your fault. But still you're going to get the blame for it because it's your site, your platform.

Yeah, yeah. Gotcha. Well, I want to talk for just a couple minutes about what's going on. On the day that we record is the day of this Cloudflare outage. And we've had a number of these in the last few weeks. We've had, you know, AWS had a big outage. Azure. Then a couple days later, I think GCP had a small one as well, and now Cloudflare. I'm curious from your perspective as somebody who is, you know, is responsible for serving a site that serves a ton of traffic. One, how do you think about kind of both securing and kind of balancing traffic to your own site, and two, what's your like, let's say, immediate reaction to what's going on today.

So I'll let me make a note here. I'm going to paraphrase. I'm going to look at this from a couple of different perspectives. Okay. One was what's happening. You know what. What exactly is happening? My first alert to the Cloudflare outage was support tickets from people saying, what's up with my IP? Can you tell me why my IP address is blocked from accessing ChatGPT? I think they said OpenAI, but whatever. Um, yeah. Why can't I access it now that that's kind of odd. And they had included a screenshot that was not your typical Cloudflare message. And then I see another one. And another one. I'm like, oh, there's something there's something weird here. And I Google Cloudflare. Cloudflare. Cloudflare outage. And there's news stories. I'm like okay so there's there's a real there's a real event going on.

And what I thought was weird is I look up at my monitoring and the traffic for my site is way up and I'm like, well, how can there be this really, really widespread outage? But my site's up when I'm behind Cloudflare. There's there's something weird. There's something weird going on. I poke around at a couple other sites that I that I know are using Cloudflare, and almost every one of them is down and they're they're big, you know, big companies are down. I'm like, okay, there's there's something weird going on and through, uh, working with one of the guys on my team and diagnosing it, we found we kind of came to the conclusion that there was a with their standard routing tables and how they were routing internet traffic. Something I'm guessing that's what we're going to end up finding out is that they had a bad routing table.

But the reason why my site didn't go down is there's an enterprise feature called Argo Routing, which routes traffic through, uh, faster, faster endpoints. I don't know if they're using dark fiber or whatever. They've got some, you know, think of it as priority. I was paying extra for priority traffic in order to save, you know, ten to fifteen milliseconds on international traffic. It makes sense that if someone's actually accessing my site from Australia and my data centers in California, you know, the geographically, the further away they are and the number of hops they are and the number of routers they got to go through, if I can reduce that by using their platform, I can save, you know, twenty, thirty milliseconds off some international traffic hitting the site and the response times. And it makes the site look snappy. And it means I don't have to have geographically diverse servers all over the world and geographically diverse data databases that communicate with each other. Like, I don't want to deal with all that headache. So to me it was enable the Argo routing and do that. So it looks like sites that were using the Argo routing, like that decision to to send traffic through the Argo routing happened before whatever system was, uh, the other routing failures.

So, okay. It was it was really interesting to watch it happening. And I was on the phone with, with my, my, with one of my guys. And you could we could see the moment that Cloudflare fixed the issue in that traffic to my site over the course of five minutes, dropped by thirty percent. Okay. It was still up, way up from normal, but you can go, ah, Cloudflare must have fixed it. So we go back to Cloudflare status page and lo and behold, you know, ten minutes earlier, hey, we think we think we've got it fixed. We've got the the sites are back up, but anything that's using the interactive responses, that mechanism was still down for probably another half an hour before they could get that mechanism up and running. But like you said, it's it's crazy that there's, you know, between Azure, AWS, Cloudflare, a half a dozen other companies, one of these companies has an issue and everybody feels it some way.

Yeah, it's really tough. You know, as somebody who used to work for one of the cloud providers, we always told customers, hey, best practices, you do things like you do geo load balancing or you do like two active regions in case one region goes down. And sure enough, you know, in the case of AWS, if you had been US East one and some other region with some active active kind of configuration as opposed to what most people do, which is more of a primary and a DR and an active passive kind of setup, you know, you probably would have been okay. At worst, you would have lost a little bit of traffic while you had to, let's say, do some rerouting or things like that. But the, you know, these trade offs are really challenging and you kind of highlighted for your own use case. Right. You either geo distribute your database, which is expensive, more expensive on the compute infrastructure, or you pay extra for the network infrastructure to route everybody through some backhauls or whatever magic they're doing for this Argo routing stuff. Right? You know, and then you get to some central location. It's always tough to make these trade offs.

And, you know, we talk about this a lot in cybersecurity and we talk about it a lot here on the podcast. It's you know, like risk management is always a trade off. There's no such thing as no risk in business. And you know, that's true for everything. One of the things that I do talk to people about a lot, though, is like where you place your bets when it comes to strategic decisions about things like, let's say, blocking bad traffic. And I've seen so many organizations over the years. And, you know, I've been doing this a similar amount of time as you, where placing all of your bets on something that is close to the edge of a network is it comes with this trade off of like when something happens at that layer, you have negative impacts on the business. And it's one of the reasons, for instance, like web application firewalls, WAFs are so notorious for having bad implementation rates of going into in blocking mode in production. And, you know, I don't know what the stat is on that, but I remember years ago it was something like a thirty percent of all WAF implementations actually made it into blocking mode in production, because everybody was scared of these exact scenarios where something would happen at the WAF edge and you block legitimate traffic and then you have a business impact. And so, like you have all these trade offs you have to consider.

So anyway, I'll get off my soapbox now and we'll get back to the conversation. But but that's I mean, think of this. I have a, I have a site that I like. If you're running your local, I don't know, your local cookie cupcake shop. Um, if you have traffic from VPNs and proxy servers. Yeah. You know what? Just block it. It's probably not your customer. Like the business impact is probably not significant. But when you think of my site, I specifically don't want to block VPNs, Tor nodes and proxies and things that look squirrelly because that's yeah, that's the type of traffic that is using my site legitimately to see if they're working. So I've always had this Google that's like fifty percent of your use case right there. Right. So and so I so there's always this delicate balance between I need to allow more stuff. I need to allow more stuff to hit my servers than most businesses probably want to allow to hit their servers.

Yeah. Yeah. But I also don't. But I'm also a target for denial of service attacks, so it's got to be quick to deal with denial of service attacks but loose on you know, I don't know if I really like this traffic. So again it's that yeah. Yeah, I'm back in that weird balance mode of yeah, yeah. And like my, our solution has always been, uh, we're going to let some denial of service stuff get through, and we're just going to build up the infrastructure on the inside with load balanced, inexpensive machines that can can eat a good chunk of. Please don't test it because I'm sure you can take it out. Uh, you know, that could eat a portion of a denial of service attack before Cloudflare will kick in and eat the rest of it. Like at some point they're really good at it. Once it gets big, they'll just eat a denial of service for lunch. But there's a few a few seconds to a few minutes where it can get through to to our servers. So it's well, then you go wide.

Yeah, yeah. Awesome. I want to change gears. We've got about maybe like ten, fifteen minutes left in the conversation. I want to change gears because, you know, we could talk about like, networks and routing and route tables and whatnot. And, I mean, I've spent so many hours of my life debugging network issues, etc. But how did you kind of go from this into having a real focus on privacy and kind of like what led you to write the book and tell us, you know, more about the book?

Yeah. So I think the the next transition after the website was, was the podcast where I was talking about scammers, scam and fraud prevention. And a lot of that was kind of hearing the stories from that and how the beginnings of those things happened was what led me to write the book. Because, you know, if you if you step back and you have less interaction with scammers and less interaction with things that are eating your privacy, there's going to be less chance that you're going to be a target of those scammers. They're just not going to see you as easily. They're not going to have the information that they need to go after you.

And it's and it's interesting because like so many of the books about privacy are the John McAfee approach. Yeah. Of I'm going to hide in a tinfoil room. And I had interviewed him before he passed away. And I asked him like, you know, so what's the worst thing about, you know, your viewpoint on privacy? It was that I have to lie to my friends and family because I don't want to. I don't want them to inadvertently slip up that they know I'm in Paris when I say that I'm in, you know, in Madrid. So if they know where I really am, they might slip up and get and I might get caught. And I thought that's a that's an awful like privacy is not a, not a binary, a binary answer where it's let's just forget it all and put it all out there and it's not let me hide in a, in a Faraday cage because that's no way to live.

There's got to be this balance of I think think about what we do with two factor authentication. Um, no second factor authentication. Really dangerous. As soon as your password is out there, your account is compromised. Yeah. SMS authentication, not real, you know? Okay, you could you can SIM swap somebody. There's there's all sorts of mechanisms that you can do to to mess with SMS 2FA. But SMS 2FA is one hundred percent better than no 2FA. Yeah. And you know, if you went to my grandparents and said, oh well, you have to do an authenticator app? Or you have to carry this physical token authenticator with you? Passkeys like biometrics. They're going to be like, what are you talking about? Like, that's just too complicated for me. So it's I think it's the same way with privacy. We've got to find what is the most that you can tolerate, that amount of friction in your life. And if you get and the benefit that you get out of it will be more than if you have no thought behind it.

Yeah. Yeah. Interesting. And so, you know, I always tell people a big part of the reason that I host Modern Cyber is for my own learning. You know, like I'm very focused on what we do here at FireTail. We, we, you know, we have our two products around API security and around securing AI adoption and whatnot. But it's very easy to get so narrowly focused and lose sight of the bigger picture in the whole world. And I always tell people like the number one beneficiary of the Modern Cyber podcast is me, because I'm on it with all of our guests, and I get to hear, like, all of these different things and get reminded about all these different areas. Have you found the same to be true for you?

I totally have. I was interviewing someone just recently. And you know, we we we talked a little bit about, you know, 2FA and this, that and the other thing. And he said one of the ways that he helps reduce risk is that, uh, he, he has an email address that he specifically uses for his financial institutions and doesn't use it for anything else. Okay. And I'm like, oh, like most people, it's like, I've got my I've got my personal email address and my work email address. And if you send me social media stuff, you know, if you send me order confirmations, it goes to my personal email. If you if I get a bank statement, it goes to my personal email. If you you want to ask me, do you want to go out to dinner? It goes to my personal email. And so you don't have that level of suspicion when an email comes in. If I have an email just for my financial services and my personal email gets a billing statement or, hey, there's this erroneous charge. I know it can't be legitimate because that email address is never used for those things, and it had never crossed my mind to have. I've thought of like one email address for every single site that you use. And yeah, yeah, it's it's unbearable to maintain or can be depending how you do it.

Yeah. Yeah. If you do it with a little plus sign before the at symbol like that's RFC compliant and you can have one per site and you could do like plus site name or something like that. But that's very easy to strip out as well. And so and it all still comes into the same email box. And you've now have to say, well, okay, redirect these ones that are doing like there's it's not intuitive, but like I hadn't thought about just doing different email addresses for different purposes, like. But it's funny. I mean, you said you know, it all direction it is. But if it all directs into the same inbox. I mean, and I would argue, like you probably do want it to direct to the same inbox ultimately, because, like, you're probably not going to remember to check your financial institution email inbox regularly to see if there's anything crazy going on there. But, you know, with Gmail you can get aliases and you can create aliases that are like, not really connected to your private email, sorry, to your primary email address in there. And so you could have something where my Gmail is my name, but my financial services is like, you know, go Arsenal banking, you know, at gmail.com or something. Right. Like so you could have very different things and very easily could tag the email when it comes in. This came in from the personal alias. This came in from the financial alias.

Yeah yeah, yeah. But yeah, but it was this thought of like there are a million ways to to to skin a pig. There's so many ways that you can approach it. Do anything that works. Like, if that's what works for you, by golly, do that. Yeah. Don't don't do nothing. Yeah, yeah. Kevin Mitnick in one of his books. I don't know if you've read his books, but one of his books he talks about, his recommendation is to have a Chromebook that you use for your online banking, and you never do any banking other than on this Chromebook. And I was like, that's awesome. Except that it's not really good for nowadays when like, actually, a lot of the times when I want to do online banking, really, it's like this device that I'm going to pick up because I'm out and about and I'm, you know, at dinner and I want to send my friend fifty bucks. So we split the check or whatever using Zelle or some service like that. So it was like at the time, maybe more applicable than it is today, but um, but okay, so talk to us about the book.

So the book Privacy Crisis, it's really tools for, you know, people that are not privacy professionals. Easy steps that people can take to start thinking about how you look at privacy. Um, okay. There's so many places in life where we just we don't even think about it. We just abdicate everything. You go to a doctor's office, they give you a form, and you fill out absolutely every field on that form. And you don't think, you know, why do they need this or do they? Is this field even required? You know, where are they going to store it, and who are they going to share it with? We don't we don't ask ourselves that question, let alone ask the person at the front desk. And it's that mindset of starting, starting to ask those questions. Well, why do you not like don't be belligerent about it people. But like, yeah you do. I, I prefer to give you as little information as possible. What's the minimum amount of stuff that you need in order to render me service?

And you know, it's it's, you know, it's it's that balance. The business wants as much data as they can get because that's how they make money. Well, you know, in theory, it helps them make better decisions. I would argue that if you're in a business, you should collect the least amount of data to do your to run your business, because then you if you're a target of a breach, you're exposing less stuff. But that's. Yeah, but that's that. And we need to think about like what what data do I want. What data am I okay with people actually knowing and what data am I okay with people not knowing and actually thinking through this is like, well, what is public? Well, my name's public. What's private? Well, my my home address is private. I don't give it out. I don't want to post it on my website. And then there's things that are secret passwords, you know, 2FA codes, things that, like you should never be giving to anybody other than maybe your spouse or something like that. And by thinking these through in advance as opposed to in the moment.

Yeah, yeah, that's really interesting. And I think like to your point, you know, we can talk about individual recommendations like 2FA like, you know, minimizing the amount of data, etc. but getting the mindset trained is actually much more useful to a, to an individual. Because then again, you make these trade off decisions about like, do I sign up for this service that is quote unquote free? And remember, like if it's free, you are the product or your data is most most likely the product that of that website, Facebook. And you know, like any of these things, you you kind of like make an informed decision, but at least you get the thinking in your head about like, what's actually going on here. And I think it carries like that framework is right and it should carry to you. You go to Kohl's and Kohl's says, hey, we'll give you ten percent off if you sign up for our Kohl's club I don't know what they call it. You sign up for Kohl's Club. What what should go through your mind is they're willing to give me ten percent off their product for the rest of their of their sales for the rest of my life in order to get this information. That means they think this information is more valuable than the discount I'm getting. That's the bet that they're making. Oh, so, like, why is it why is what I'm giving them that that valuable? Are they going to sell to somebody else? Are they going to get me to you know, it's not conspiracy theory ish, but are they going to get me to buy things that I otherwise wouldn't have bought from them? And the answer is yes, because that's why they're doing it.

Yeah. Yeah. It's interesting. I mean, I'd be curious if you have any, like, let's say, little tactical things that you do recommend to people. I know some of the things that my wife and I do, for instance, is, you know, we use one Google Voice phone number as our phone number, like everywhere that, you know, at the supermarket. Or it's the check in here with your phone number at this coffee shop that I frequent and things like that. Um, and then, you know, we've got a separate Yahoo email address that is basically a spam address. And so we know, like, you know, we're never going to get legitimate stuff on there. What are some of the things that you do or that you kind of recommend to people along these lines?

I mean, it's a similar stuff of don't give out information that you don't have to, do you? Is it really worth the discount? And like what you've done, you have a disposable email address that you can use. Have a disposable phone number that you're never going to answer, but you're going to get your 2FA codes from or it, you know, you know, no legitimate entity is going to contact you from that phone number. Uh, things that you can turn off at night and set it to Do Not Disturb and set it to not interfere with you because guess what? They're going to market to you. They're going to text you. They're going to. Oh yeah. They're they're going to blitz you with that. Um, yeah. You know, it's like I would say when you, you know, there's there's things that also impact our, our mental state. Like if you're, if you're using if you're going to go on YouTube, uh, you know, you use a browser, use like a Brave browser and in incognito mode and don't log in because you don't like, like they're going to remember what you've looked at. And the longer you spend on any kind of algorithmic driven content, it's going to send you to more and more extreme content over time. It's going to send us the stuff that is not healthy for our brains, you know, set time limits. I'm going to go on YouTube for an hour, and at the end of the hour, I'm done. I'm going to be on TikTok for fifteen minutes, and at the end, I'm getting off and doing these things with accounts that aren't going to remember, you know, you're still they've got your IP address. So it's not foolproof, but it's those little steps. How can I block most of how can I block a good portion of it and reduce how the algorithm is going to feed my brain.

Yeah, yeah, I think this is such great advice. We've got just a couple of minutes left. I want to wrap up with a couple of other random topics that I know are things that you've looked at or talked about over the years. And, you know, we're not going to be able to get to everything I want to talk to you about, unfortunately, because there's some great stuff, by the way, we're going to have a link to the podcast, and if you just look on the about page there and you start scrolling that history, I am sure everybody in our audience will find a few very fascinating things that you'll want to hear more about that we're just not going to get to today. But how do you recognize scams? Like what do you do and what do you think about in terms of recognizing scams? Because like, we all have our things like, hey, you know, check the email, the domain, but most people aren't going to pull up the email headers. Most people aren't going to look for like a lot of these details. So like what what advice do you give people?

It the unfortunate thing is the advice is getting less and less cut and dry. Um, yeah, I, you know, let's say if you were someone wanted to you met someone online. The good advice used to be ask them if they'll go on FaceTime, do a video call. If they won't do a video call with you, or suddenly the video call. Oh, I'm in an airport. The video is bad. I, you know, glitchy. Glitchy, glitchy. That used to be kind of the hey, if they're not going to jump on a video call with you, they're not real. Yep, yep. Now, with AI and all these other technologies and not so not so reliable methodology anymore, um, I used to say, um, you know, and there's still a certain amount of truth to it. Watch out for urgency and emotion. That combination of urgency and emotion that is beyond what you would see in normal marketing. There's always, you know, these are marketing tactics. It's, you know, while supplies last or this product's going to make you look have better friends and make you feel happy or, you know, don't miss out. These are all marketing tactics, but once those emotions and the calls start becoming more than emotion, more than what you would see in common marketing, that should be a red flag. But the scammers are getting better at it. They're taking a lot longer.

I was talking with somebody who, uh, had had a client that had been a romance scam, and it took three years for them to before they started three years of grooming before they, they fleeced this person. And so and so this, you know, normal romance scams are, you know, one to two months or something like that. It's relatively quick. And you just you have to have a good set of friends to bounce stuff off of when things seem weird. Got to be talking to the people in your life about it. You know, take when someone says, you've got to do this now, do I really need to do it now? Do I take a breath? Can I trust if they claim to be some level of authority, that should also be. It's not a, you know, don't trust them, but it should be okay. How do I verify that they are who they claim to be? Caller ID is caller ID is not a good enough, good enough methodology. If they claim to be calling from the local sheriff's office, that's awesome. I'm real busy right now. Let me call you back in five minutes and then call back the local sheriff's office. If it's if it really is the sheriff, they'll be happy to talk to you. Yeah. And the same thing with your bank. Or, you know, anyone who is in some level of authority will be perfectly happy with you calling them back.

Yep. But again, there has to be that balance. Don't be paranoid, but you can't really take. You have to be careful not to take everything at face value. Anything that's unsolicited always should be. Why? Why did I get this? Yeah. And can I verify this without clicking on any links, without calling any phone numbers? Can I can I verify this situation without using any of the information in the methodology? Which would I in which I was communicated? So if it comes over via email, make a phone call. If it comes over phone call, go to a website. If it's on a website, you know, call from somewhere else. Don't trust Google search results with phone numbers.

Yeah, yeah. You know that. Yeah. It's interesting. Yeah. That that Google search results with phone numbers in particular, that one, you know, has popped up recently with a number of of cases of people thinking that they're calling a particular bank's customer support line or an airline or whatever the case may be, and getting fraudulent charges and everything like that. I think a couple takeaways from what you just said there. I mean, certainly, first of all, like, you know, don't fall for this sense of urgency, this false sense of urgency that's implanted on you, you know, take a beat. And I really like the advice about, like, bounce it off somebody else, you know, somebody in your trusted peer group. And I think in many cases, by the way, everybody in our audience probably is that trusted person in their peer group that people turn to and they're like, hey, Jeremy. Hey, Chris, what do you think about this thing? Right. Because, yeah, it's really crazy.

Well, Chris Parker, thank you so much for taking the time to join us today. Again, like, we've got so much more that we could get to. We'll have to see if we're able to get you on another time to follow up on some of this stuff. But for our audience, the book is called Privacy Crisis How to Protect Your how to Maintain Your Privacy Without Becoming a hermit. Because we all want to be out there and about. Awesome. And the website for the book is Privacy Crisis. The website for the podcast is easy. Com. We'll have both of those linked from the show notes today. We encourage everybody in the audience to go check those out. Give them a follow, give them a listen. Have a look at the book. Chris, thank you again for taking the time to join us today on Modern Cyber.

Jeremy, thank you so much for your time today. Awesome, awesome. And we will talk to you next time.

Bye bye.
