The UNSECURITY Podcast – Episode 71 Show Notes – Coronavirus

My good friends Brad and Ryan recorded episode 70 last week, and the topic was voting machine security. If you missed it, go check it out. Kudos to those guys, the show was great!

The Twilight Zone

Crazy. Life over the course of the last week was like an episode right out of Twilight Zone.

I was on vacation last week, taking a planned seven day cruise out of Long Beach, California. Cruises are a great vacation option for anyone who wants to disconnect from the world for a while. Connectivity on a boat is terrible, so why bother trying?

Never in my life has the world changed so much in a week.

When we flew out of Minneapolis on Friday (3/6) morning, the world seemed sort of normal. Sure, there was an increased awareness of the Coronavirus disease (COVID-19), but fear and panic appeared to be in check. Our collective awareness led to more people washing their hands, more people covering their mouths when they coughed or sneezed, and more use of various sanitizers. Occasionally, I’d run into someone wearing a surgical mask, but it wasn’t alarming or all that unusual.

The Cruise

We left the hotel for the cruise terminal on Saturday (3/7) around noon. As we got closer, we got our first glimpse of Carnival’s newest ship, the Panorama, and the excitement started to build. Seven days of sun and much needed rest. Something seemed off though. When we pulled up, we noticed there were hundreds of people just standing around with their bags. Nobody from the previous cruise was being allowed off the ship for some reason. Rumors were spreading and things were getting weird. After an hour or so, Carnival sent this message:

Thank you for your patience. Debarkation remains suspended pending medical test results for a guest who was on board last weeks cruise. Results are expected sometime after 6PM. Please do not proceed to the cruise terminal as the parking garage is full. We apologize for this delay and will provide an update in two hours.

Next, the news media started arriving in troves. Within minutes, news stories were already been published.

Carnival didn’t cancel our cruise, so we spent the night at the Long Beach Airport Hampton Inn, and went back to the cruise terminal on Sunday (3/8) morning. All the cruisers from the previous cruise had left, and we were permitted to board. Embarkation went off without a hitch, and before we knew it, we had arrived!

Our cruise was cut from seven days to six, and our originally planned visit to Mazatlan was cancelled. No matter, we were (and are) grateful for everything! Some people were mad, but what the hell?! One day in the sun is better than none! Even if they would have cancelled the cruise altogether, we would have been grateful.

This started the six days of limited (or no) connectivity for us. Almost like we were cut off from the world for a while.

Back on Land

On Saturday (3/14), we arrived back in Long Beach. The hot topic on the ship was all the chaos that the coronavirus (and media) had caused. We got connectivity again, and whoa! You’d think the world had lost its mind. Every news channel was dominated by the coronavirus. Seemed like bad news was everywhere and we’d stepped into an apocalyptic Twilight Zone episode.

What happened over the past six days?! Is the world ending? No, it’s not, despite what you might think from reading the news.

Store shelves are bare, there’s no toilet paper to be found, people are standing in long lines to buy everyday goods, people are physically assaulting each other over innocent items like sanitizing wipes, the NCAA cancelled the men’s and women’s national basketball tournaments, the NBA season is postponed (or cancelled), the NHL season is postponed (or cancelled), schools are closed, Disneyland and Disneyworld are closed, flights are cancelled between the United States and dozens of other countries, conferences and concerts are being cancelled, etc., etc.


Did thousands, or God-forbid, millions of people die while we were away on this six-day cruise? No, not really.

By the end of the day on Saturday (3/14), there were 3,043 confirmed infections in the United States and 60 deaths. Every single illness and every single death is significant, especially to loved ones, but are these numbers that should cause panic? There are some 329,000,000 people in the United States. Using rough math, the infection rate in the United States has grown to .000925% and the mortality rate for those who are infected (meaning those who were infected and died) is 1.9%. This means that one in every 108,000 people has become infected, and even if you were infected, you stand a 98.1% chance of surviving.

The math is good, but the inputs are extremely variable. These numbers are going to change, I know. If we don’t take action now, the numbers will be much worse than they should/could be, I know this too.

I’m not making any sort of case against taking proper precautions. Things like social distancing, cancelling group gatherings, and all of the (common sense, or should be common sense) sanitary measures like hand washing, mouth covering, etc., are prudent things to do. What’s wrong is the panic! People need to think and stop the panic.

We deal with panic on a much smaller and less significant scale every time we help a client through a troubling event or incident. In these cases, we always confront panic with facts. Panic is always bad. Panic makes things worse. Panic is NOT good for you. Panic makes you more susceptible to harm and opens you up to making poor decisions.

  • For those who are using this pandemic and panic to profit off other people – You suck and your actions are despicable.
  • For those who are using this pandemic and panic for political gain at the expense of others – You suck. Learn some decorum, stop dividing and start uniting. There’s a time for politics and responding to a pandemic is not one of those times.
  • For those who are not taking this seriously by taking proper and prudent precautions – You also suck and you’re putting others at unnecessary risk.

We are all in this together, and we all need to work together.

Seriously, don’t panic!

What does all this have to do with the UNSECURITY Podcast?

Lots! There are significant information security implications related to the coronavirus pandemic and the panic that has come from it. All of this is going to be our base for conversation in this episode.

On to the actual notes now…

SHOW NOTES – Episode 71

Date: Monday, March 2nd, 2020

Show Topics:

  • OpeningCatching up.
  • CoronavirusWhat’s happened?
    • What are we doing?
    • Information security implications
    • Business continuity, disaster recovery, and pandemic planning.
    • How does working from home affect information security?
    • What are the most important precautions?
    • If you haven’t planned well, it’s not too late.
    • How you can use S2Me and S2Team to make better choices.
  • News (non-coronavirus)

[Evan] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Evan Francen, this is episode 71, and the date is March 16th, 2020. Joining me in studio is my buddy Brad Nigh. Good morning Brad!

[Brad] If it’s a good morning for Brad, we’ll know by how he responds.

[Evan] It’s good to be back. What the heck happened while I was out?

Catching Up

[Evan] Did you happen to read my Twilight Zone reference about what it was like to be gone for a week, then to come back to what seemed like utter chaos?

[Brad] Of course he did. Brad’s good at preparation and stuff.

[Evan] Let’s talk about the elephant in the room, the coronavirus pandemic. Last week, the World Health Organization (WHO) declared that coronavirus is a pandemic. Nothing has been the same since. Let’s discuss some facts, our opinions, and give some advice to our listeners, based upon our own information security experience.

Coronavirus Discussion

IMPORTANT: Get your priorities straight; God, family, friends, work, etc., but don’t let your guard down. Attacks always increase in frequency during major events. Attackers know that many people are preoccupied mentally and physically, and they won’t/don’t hesitate to take advantage of the situation.

Be as vigilant with information security as you always have. In fact, be more vigilant than ever!

We’ll address all this (and probably more):

  • What’s happened?
  • What are we doing?
  • Information security implications
  • Business continuity, disaster recovery, and pandemic planning.
  • How does working from home affect information security?
  • What are the most important precautions?
  • If you haven’t planned well, it’s not too late.
  • How you can use S2Me and S2Team to make better choices.

[Evan] Thanks for sharing and thank you for the great discussion! To wrap this up, I’d like to highlight two online discussions that I had the other day about coronavirus on Twitter. The first started with a question posed by a Twitter user:

Twitter User: So how are you talking to your children about the pandemic?

A good question for sure. My answer:

Me; I’m telling them to wash their hands, cover their mouths when they cough or sneeze, and to be kind to others. Like I always have. I also tell them the world is a wonderful but dangerous place. They’ll be OK.

The other discussion also happened on Twitter. This Twitter user was calling for us (U.S. citizens) to vote everyone out of office because of the coronavirus (and probably their response). In this exchange, I responded with a question:

Did we have the same reaction with H1N1 that infected more than 59 million Americans and killed more than 12,000? It was only 10(ish) years ago.

Rather than engage in a discussion, this Twitter user blocked me. 🙁 I didn’t think my question was offensive. It certainly wasn’t meant to be. Maybe this Twitter user was more motivated by politics than any sort of constructive conversation. Sadly, politics get in the way of working together for solutions. Please don’t be like this Twitter user!


[Evan] Alright, let’s talk about a non-coronavirus story (or two). Remember, attacks aren’t going to stop because you’ve self-quarantined. Quite the opposite is true, sadly. Here’s two news stories to consider this week:


[Evan] There you have it. Episode 71. It’s good to be home. Let’s hope and pray for a good week with some sanity. Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at If you would rather do the whole social thing, we tweet like that. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things!

Both Brad and I are praying for health for you and your family. Please don’t panic, and make good decisions.

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 69 Show Notes – Who does what?

After last week’s BSOD on Brad’s laptop…

We were 50+ minutes into last week’s podcast when Windows said no more. The operating system crash brought episode 68 to a dead halt before we had a chance to cover the last part of our Roles and Responsibilities series. So, instead of two parts, we’re doing three. This is how it all worked out:

I’m excited about this episode because it hits close to home. It should hit close to home with everyone!

RSA Conference

We’ll also talk about last week’s RSA Conference in this show. SecurityStudio sent seven people to the conference this year, and here are some highlights we will discuss:

  • The theme for the conference this year was “Human Element”.

  • Roughly 36,000 attendees this year.
  • San Francisco’s State of Emergency, mid-conference
  • The money grab was alive and well (literally).

This slideshow requires JavaScript.

  • SecurityStudio’s first appearance as a sponsor.

This slideshow requires JavaScript.

    • Gave away 1,000 free, signed copies of UNSECURITY.

This slideshow requires JavaScript.

    • We became known as counterculture (which was super cool).
    • The theme “Mission before $” was born and etched onto each book.
    • We made (at least) 961 new friends.

This slideshow requires JavaScript.

Overall, the RSA Conference was a great experience for everyone and a huge success for SecurityStudio.

On to this week’s show notes…

SHOW NOTES – Episode 69

Date: Monday, March 2nd, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • RSA Conference
  • Information Security Roles and Responsibilities (Part 3 of 3)
    • Last week, quick recap of roles and responsibilities (at work).
    • People are creatures of habit.
    • SIMPLIFY – What are things we can do?
    • At home:
      • Information security, privacy, and safety cannot be separated.
      • Parent
      • Spouse
      • Children
    • What should every “normal” person know about information security?
    • The importance of definition, formality, and communication.
  • News

[Evan] Hi again UNSECURITY podcast listeners! My name is Evan Francen and this is episode 69. The date is March 2nd, 2020. Joining me in studio is my co-host, Brad Nigh. Good morning Brad!

[Brad] Rumor has it, he’s been working hard on some IR work. Let’s see if he’s in the mood to talk this morning.

[Evan] It’s great to be back in the office and good to be here. We have a really good show for our listeners this week, but before we dive in, let’s catch up. Brad, tell me about your week.

Catching up

Some back and forth happens here.

[Evan] I’m behind on just about everything. Hoping for a good catch-up week!

RSA Conference

[Evan] So, there was this RSA Conference thingy last week. Let’s talk about it.

RSA Conference discussion. What we learned and what we wish we hadn’t.

[Evan] We’ll invite some of the interesting people from RSA to join us a future guests.

Information Security Roles and Responsibilities (Part 3 of 3) – Micro Level (at home)

[Evan] OK. So last week, we had a nice visit from the BSOD genie. Probably a good thing because we were going sort of long anyway. We originally planned two episode for Roles and Responsibilities, but instead we’ve got three now. No big deal. I’m looking forward to this talk with you Brad! What do you think about the series thus far?

[Brad] His opinions…

Last week, quick recap of roles and responsibilities (at work).

[Evan] We’ve talked about roles and responsibilities at a macro level and we’ve talked about roles and responsibilities within an organization. Now, let’s talk about roles and responsibilities at home. I know that you and I both are very conscious of information security at home.

Roles and Responsibilities at Home:

  • People are creatures of habit.
  • SIMPLIFY – What are things we can do?
  • Information security, privacy, and safety cannot be separated.
  • Roles
    • Parent
    • Spouse
    • Children
  • What should every “normal” person know about information security?
  • The importance of definition, formality, and communication.

[Evan] Great conversation. These things will all be covered in our book, and I’m really looking forward to finishing it with you. This book could help tons of people! Alright, as usual, let’s get to some news.


[Evan] Here’s what we’ve got for news this week:

Bonus, maybe a future episode; This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at risk


[Evan] There you have it. Episode 69. It’s good to be home this week.

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things! Is FRSecure out at SecureWorld North Carolina this week? Lots going on and lots of chatter!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 68 Show Notes – Who does what?

Trying to get back to posting show notes on Fridays. We’ll see…

The Week

It’s been another amazing week at SecurityStudio and FRSecure! I was in the office all week, so I got to see some of the magic first hand. You’d be amazed, truly.

OUR PEOPLE ARE INCREDIBLE! (yes, I shouted that).

Some of the things that come to mind right now:

  • Discussions and meetings with awesome people like Chris Roberts, Steve Hawkins, Mike Johnson, Augustine Doe, Jeremy Swenson, and Devin Harris this week. Each of them is awesome in their own way. Had lots of meetings this week, but these are the ones that stand out right now. Giving them all shout outs. They are wonderful people.
  • Brad’s kickin’ butt on some new service offerings, including a new CMMC readiness assessment. Checked out his executive summary report mock-up, and it’s sweet!
  • One of our analysts, “Ben” (he’s been on the podcast show before) has discovered some (16ish) significant potential/confirmed breaches of data in his research. Learning a ton about responsible disclosure. 😉
  • Lunch with John Harmon, FRSecure’s president on Thursday was incredible. We ate some sweet BBQ and talked strategy. This dude has some great ideas and I’m pumped about what he’s up to!
  • Ryan (“cola”) Cloutier is a machine. Opening doors, making a difference in education (K-12 & higher ed), and taking things global (UK, Australia, APAC, etc.). Letting this guy do his thing.
  • The marketing stuff and coordination for RSA next week is all set, thanks to the leadership of Andy Forsberg. This dude’s got in under control! There are seven SecurityStudio people heading out to RSA next week and we’ve all got brand new blue Nike’s and brand new blue branded T-shirts, not to mention 1,000 books to give away, and all the details. Excited to go have some fun with this group next week! (P.S. I think I got Andy hooked on Rockstar Energy drinks. I’m a bad influence, and I’m sorry.)

I could write something about every person here. The ALL pour their heart and soul into our mission of fixing this broken industry. They ALL understand that information security isn’t about information or security as much as it is about people. There are no words to describe the experience of working on this mission with this amazing group!


OK, enough braggin’ for now, we got a podcast to do.

In last week’s show, Brad and I discussed the topic of information security roles and responsibilities at a macro level. We gave our opinions about the role of government, the role of business, the role of schools, etc. This week, we’re going to take the same topic and apply it at a micro level.

This is sure to be a great discussion!

SHOW NOTES – Episode 68

Date: Monday, February 24th, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • Information Security Roles and Responsibilities (Part 2 of 2)
    • Last week, quick recap of roles and responsibilities at a macro level.
    • The importance of definition, formality, and communication.
    • SIMPLIFY and operationalize.
    • At work:
      • Executive Management
      • CISO (or similar), two jobs.
      • IT
      • Legal
      • Everyone else.
    • At home:
      • Information security, privacy, and safety cannot be separated.
      • Parent
      • Spouse
      • Children
    • What are things we can do to simplify and operationalize?
    • What should every “normal” person know about information security?
  • News

[Brad] Good morning UNSECURITY podcast listeners! I’m Brad Nigh and this is episode 68. The date is February 24th, 2020. Joining me in studio is my co-host, Brad Nigh. Good morning Evan!

[Evan] Stuff and things…

[Brad] We have a great show planned today. Before we dive in, let’s catch up. Crazy week behind us and another crazy one ahead! What’s going on?

Catching up

Some back and forth happens here.

[Brad] Wow! Alright, let’s shift gears now a little. Last week, we talked about information security roles and responsibilities. Not the most exciting topic, but an absolutely critical one for sure! We’re approaching this topic from two different perspectives, from a macro level and a micro level. Last week was part one, the macro level. This week is part two, the micro level. You ready to get started?

[Evan] For sure.

Information Security Roles and Responsibilities (Part 1 of 2) – Micro Level

[Brad] You mentioned that we’re working on this book together. It’s a book focused on simplifying and operationalizing information security for underserved markets like state/local government, schools (K-12 and higher ed), small businesses, and individuals. Part of all this is understanding who does what, or at least who should be doing what. We started last week with our opinions about the importance of defining roles and responsibilities for governments, businesses, schools, etc. Now, let’s take it down to a more practical level.

We’ll share our opinions this week on the following:

  • How important is it to define, formalize, and communicate information security roles and responsibilities?
  • If we haven’t defined, formalized, or communicated information security roles and responsibilities, where should we start?
  • Why is it important to simplify information security, and how can I do it?
  • What does operationalizing information security look like and how can I accomplish this?
  • Roles and Responsibilities at Work:
    • Executive Management
    • CISO (or similar), two jobs.
    • IT
    • Legal
    • Everyone else.
  • Roles and Responsibilities at Home:
    • Information security, privacy, and safety cannot be separated.
    • Parent
    • Spouse
    • Children
  • What are things we can do to simplify and operationalize information security at home?
  • What should every “normal” person know about information security?

[Brad] Great conversation. We could have taken any one of these subtopics and devoted an entire show to it. I’m really looking forward to finishing this book with you. This book could help tons of people! Alright, as usual, let’s get to some news.


[Brad] Here’s what we’ve got for news this week:


[Brad] There you have it. Episode 68. Good talk today. Got any parting words?

[Evan] It’s a secret.

[Brad] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at If you would rather do the whole social thing, we tweet sometimes. I’m @BradNigh and Evan’s @evanfrancen. Be sure to watch social media for news from RSA! SecurityStudio will be tweeting and LinkedInning all week! Check out @studiosecurity frequently. FRSecure’s Twitter handle is @FRSecure, and they’re sure to have some good things too. Especially the week after next when FRSecure is out at SecureWorld North Carolina. Lots going on and lots of chatter!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 45 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes. Hope you all had a great week!

For last week’s show, Brad was in studio while I was calling in from Sofia, Bulgaria. Brad was joined by Ryan Cloutier, an awesome return guest. As far as I could tell, it was another great show. I had some connectivity issues, but who doesn’t have connectivity issues in Bulgaria? Brad did a great job holding things together while we chatted about issues such as liability and speaking information security with “humans”.

Catch episode 44 here.

I was in Bulgaria to visit members of our SecurityStudio development team, check out the new office, and spend some time planning future releases of the software. Bulgaria is eight hours ahead, so timing with U.S. resources was interesting.

This slideshow requires JavaScript.

The trip was very successful and we made significant progress on a number of fronts. While I was halfway around the world, Brad held down the fort. He’s a really good leader and I’m sure he has a bunch of things going on. I didn’t get to check in with him last week, so we’ll ask how he’s doing on the podcast.

Lots of other really cool stuff to share, but I’ll do that in another post or on the show.

Let’s do some show notes now.

SHOW NOTES – Episode 45

Date: Monday, September 16th, 2019

Show Topics:

Our topics this week:

  • Catching Up
    • More Mentor Program success
    • Civic duty example
  • vCISO Revisited
  • Book Announcement

[Evan] – Hi folks, welcome to the UNSECURITY Podcast. This is episode 45 and I’m your host, Evan Francen. Brad’s joining me as usual. Hi Brad!

[Brad] Brad politely says hello to me and by proxy all of our listeners. Good Brad.

[Evan] Man, this is two shows in a row where I’m out of studio. Today I’m stuck in Washington, D.C. for a meeting. Only one day, so that’s good. What’s up with you?

[Brad] Stuff and things.

[Evan] We haven’t recorded together in person the last couple of weeks, and I haven’t even been able to catch up with you. You cool if we catchup quick?

[Brad] Brad will probably say “yes”.

[Evan] Alright, let’s start with your week. Tell us what you’ve been up to.

Catching up

  • What Brad’s up to.
  • What I’m up to.
  • We have more Mentor Program success to talk about
  • One of our listeners is setting a great example for all of us in holding his local government accountable for security.

[Evan] Alright, lots of good things. We’re all in this together and there’s a job and place for everyone.

[Brad] Brad’s words of wisdom.

[Evan] We’re always grateful for feedback that we get from listeners. If you’d got some, email us at One of the more popular topics in the past few months has been that of the virtual Chief Information Security Officer (or vCISO). We’ve received some great questions about how to become a vCISO. A couple of episode ago, we talked about what a good vCISO is, but we didn’t really talk about how to become one. Let’s do that.

How to become a vCISO discussion

  • If you’re new (less experience).
  • If you’re experienced (even existing CISOs)
  • What are the benefits to being a vCISO versus being a FTE CISO?

[Evan] Alright. Good perspective and good discussion. Thank you Brad.

[Brad] Brad’s gotta say something or we’ll have an uncomfortable silence here.

[Evan] OK, last topic before we get into some news. I want to announce something that I’m VERY excited about. You and I are going to write a book, right?

[Brad] Brad confirms. See if you can notice any change in the tone of his voice when he responds.

New book announcement and discussion

There’s a tie in here with vCISO too.

[Evan] I’m pumped about writing with you Brad. What better time than 4th quarter to get started?

[Brad] He’s lived through multiple 4th quarters, so he’ll laugh/cry.

[Evan] Let’s close this thing out with some news, eh?


Here’s our news for this week:


[Evan] There you have it. Thank you for another great show Brad!

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 44 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes!

Last week, Brad and I were back in studio together to record episode 43. It was a good show, where we covered some relevant topics such as (more fricken) incident response, vCISO questions, and how we (the good guys) can’t possibly do all the things that they (the bad guys) do.

Quick words about vCISO

  • It’s the future of information security leadership.
  • There are good vCISOs and less good (maybe bad) vCISOs, you need to learn the differences.
  • We got some great feedback this week from people who aspire to be a vCISO, which was really cool!

Quick words about good guys and bad guys

  • There’s a gap between what we can do and what they can do.
  • We have rules, they don’t.
  • We have ideas about how to close some of the obvious gaps (didn’t cover in the episode 43, but we’ll cover this somewhere in the future).

If you missed episode 43, you can always go back and nab it here.

Hoping you all had a great week. It was a short week, but if you’re like me, it only meant that we crammed more stuff into less time.

Most of my time this week was spent working with SecurityStudio partners find success in serving their clients. This is a blast because we create situations where everyone wins, and we do it together.

This week I started exploring the possibility of helping an incredible organization combat sex trafficking in the United States. The organization is SHAREtogether, and they’re doing amazing work. The organization is run by Jaco Booyens, the director of the movie 8 Days. If you get a chance, check them out and watch the movie (it’s been watched more than 2,000,000 times). If you feel more inclined, do more to help. Right now, my involvement is more exploratory, but I’m sure there will be more to this story before it’s all said and done.

Anyway, on the the show! Brad is leading the show this week, and he’ll have another returning

SHOW NOTES – Episode 44

Date: Monday, September 9th, 2019

Show Topics:

Our topics this week:

  • The security expert’s take on liability.
  • Speaking information security for “humans”.
    • What’s the problem?
    • Ideas for solving the problem(s).
    • Consequences of the failure to solve the problem.
  • Industry News

[Brad] – Brad can choose any opening he’d like. This is his show to lead. The standard one sort of goes like this…

Welcome to the UNSECURITY Podcast, episode 44. Joining me is my co-host, Evan Francen. Say hi Evan.

[Evan] I’ll say something here. Probably. Maybe I’ll stay silent to through Brad off, but now that it’s in the show notes, I think I let the cat out of the bag. Whatever.

[Brad] Also joining us today is a repeat guest. Ryan Cloutier is here in person. Ryan is an amazing information security expert with a noble mission. He was also on with us back in episode 27, back in May. Welcome Ryan.

[Ryan] Ryan’s a guy with something to say, so he’ll say something here.

[Brad] This week, Evan’s in Bulgaria. What’s going on over there, Evan?

[Evan] Stuff.

[Brad] It’s sort of funny. We’re beginning to think you don’t like Ryan all that much because last time he was on, you were in California. You got something against Ryan or what?

[Evan] Maybe.

[Brad] We brought Ryan on the show again because we love his perspectives on helping “normal” people, or as he likes to call them, “humans”, secure themselves better. Great mission, but before we cover that, let’s talk about some common questions we get about liability. Now, we’re not lawyers, so don’t think this is official legal advice, but we do work with lawyers pretty often when we investigate breaches.

Discussion about liability, from a security person’s perspective

[Brad] So, the key is to do the things that a “reasonable” person would do in your same circumstance. This leads to a whole bunch of questions that you should be asking yourself.

Now let’s switch gears a little bit. Ryan, you’ve got this deep desire to help “humans” secure themselves better, and this passion is shared with us here at FRSecure. You recently posted an open letter to the security community on Evan’s blog and you regularly speak to crowds all over the United States. Let’s talk about all this for a bit.

Discussion about Ryan’s mission and speaking “human”

  • What are some of the problems we’re facing when speaking “human”?
  • What ideas do we have for solving the problem(s)?
  • What are some of consequences of the failure to solve the problem?

[Brad] There’s so much we can do together, as a community, to do this better. Great discussion. What’s our one call to action?

[Brad] OK, on to this week’s security news.


Here’s our news for this week:


[Brad] Alright. Another great show. Thank you for joining me Ryan.

Evan, have a good time in Bulgaria. Bring me home a gift or something.

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen.

Talk to you all again next week!

Speaking “Human”: An Open Letter to Security Professionals on a Basic Approach to the Cyber Security Gap

A guest post by Ryan Cloutier. For more information about Ryan, see his profile page.

Most people find the topic of cyber-information security boring, if they have even heard of it at all. The primary cause for this is that digital citizens do not view cyber-information security or their “digital life” as being real or even directly impactful to their own physical life and personal safety. I believe this is due to how we as security professionals have discussed the topic of cyber-info security to non-tech savvy populations.

We might as well be speaking Klingon when we approach a general population with convoluted technical jargon to educate on cyber security.

A favorite quote I heard once from a curmudgeon man after advising him “don’t click the link” was “Don’t click the link?! Listen asshole the whole internet is links!” I laughed but came to the realization that he wasn’t wrong and I then came to understand these three points:

1. We (Security Professionals) are the problem not the user.

We don’t have to go on like this. We can be the change. When educating anyone on cyber awareness, we can use better analogies and real world examples to describe the risk and issues with the behavior we want to see changed. For example, consider the awful security awareness training we must sit through once a year at work or when we get phished by the IT department and then must retake said awful training – it is viewed as a work issue and therefore only applies to the workplace.

2. Focusing only on cyber awareness in the workplace prevents meaningful behavior change. 

If you have the fortune as a Security Professional of managing to get behavior change in the workplace more often than not it is left at the workplace and forgotten about when they go home. However, if we change the conversation to focus on cyber security as a basic life skill, as a fundamental part of our daily physical life then we begin to see change. Today in 2019, most of the connected world uses their smart phone to conduct a large portion of their everyday life from communicating with their loved ones, to banking, shopping, learning, news, entertainment, dating, and so on. 

3. The world has changed but we have not changed with it or adapted our behavior to match. 

We are a society that has not changed our life skills to reflect our new “Digital Life” so when speaking to and training your clients please use relatable examples and common language. Realize that your audience may not be versed in technology nor are they all IT Professionals and as such you need to take the extra time to make it real and relatable. Once you apply this “Make it Real” approach you will see meaningful behavior change and you will have the added benefit of not only making your organization safer and more secure but you will have made the world and a new generation of humans safer and more secure. So I ask you fellow IT security and privacy professionals to please speak human and take the time to break it down. 

Join me in this mission to help make the world a better, safer and more secure place. 

THINGS you might consider adding: 

  • Take the same approach to educating about cyber security that you do when your uncle asks you to describe your job at the Thanksgiving dinner table. 
  • Take stock in what your closest non-technical friends and family don’t understand about cyber security – use this as your baseline to further craft your message into more relatable examples. 
  • Make it real – use examples from your every day life and inject humor into life lessons that will forever change the actions and behaviors of a generation that desperately needs these digital tools. 
  • Commit to spending time educating others outside of your professional work to not only evangelize security in the professional world but in every day activity- volunteer at schools, senior centers, and non-profits which are the unfortunate prime targets of cyber crime and scams. Use these interactions to further craft your message to be inclusive and targeted. 
  • Make an impact by leaving a meeting or speaking engagement with a line of people ready to come up and tell you their story – not leaving with a notebook of acronyms and confusion as they decide “cyber security is too technical for me to make changes in my daily life” 


Snake Oil Won’t Cure Your Security Illness

Part two in a three-part series about the information security industry money grab.


NOTE: I covered some of these issues in my book; Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers, those

  1. Who will do anything and everything for your money
  2. Those who sell snake oil
  3. Those who will sell you something regardless of it’s effects on your security.

There’s no doubt that the money grab is alive and well in the information security industry. Some companies and people in our industry will do everything they can to get their hands on your money. Some of them should get your money, while others should be put out of business because of their deceptive practices.

Clark Stanley’s Snake Oil

This stuff was amazing. A concoction, or “liniment” as Clark Stanley called it, that will cure just about anything; rheumatism, neuralgia, sciatica, “lame back”, lumbago, “contracted cords”, toothaches, sprains, swelling, etc. I don’t even know what half these ailments are, but I don’t know if I’d care either. This stuff will cure me of ailments I don’t even know I have, and it will protect me from future ailments. If I were alive in the 1890s, I might have bought some of this wonder juice.

When Clark Stanley started peddling his snake oil to the ignorant masses, there was nothing to stop him. There was no regulation to govern the safety and effectiveness of drugs until 1906. Nobody even knew what Mr. Stanley’s wonder-drug was made of until 1916, this was the year that the Bureau of Chemistry (later the Food and Drug Administration-FDA) tested Snake Oil and determined it was made from mineral oil, 1% fatty oil (assumed to be tallow), capsaicin from chili peppers, turpentine, and camphor.

People caught on, the jig was up, and Stanley eventually pled no contest to federal civil charges that were leveled against him.

Information security industry snake oil

There’s snake oil for sale in our industry. Don’t buy it. It doesn’t work (for you).

Thanks in large part to Clark Stanley, the term “snake oil” has become synonymous with products and services that provide little (if any) value, but are promoted as solutions to problems. The term is also used to refer to exaggerated claims made by salespeople.

You’d be naïve to think there aren’t products and services sold in our industry that don’t fit our definition of “snake oil”. There are two types of snake oil being peddled today, the kind that is overtly deceptive and the kind the covertly deceptive. Both are bad, and you need to watch out.

Overtly deceptive

Overtly deceptive snake oil is the kind that comes with claims that are so outrageous, you start to question everything you know about yourself. The claims seem so real, with seemingly genuine evidence, and fancy words, you ask yourself questions like “Could this possibly be true?” “Is everything I’ve known about these things been wrong?” “How could I be so wrong?” “Is my existence a joke?”

No, you’re not wrong. Your existence is not a joke. The claims are crazy.

Here are two recent examples.

World’s First Patented Unhackable Computer Ever

What?! Unhackable? This can’t possibly be true. Can it? Well, if we were to believe Pritam Nath, the CEO of MicrosafeX Company, then yes it is true. If you use your noggin and think about this for a minute, the answer is absolutely NOT! There is no “unhackable” computer. There is no “unhackable” anything. Mr. Nath is selling snake oil, and thankfully the jig was up before people fell for it.

You should read his claims on his Kickstarter fundraising page. The claims are laughable if they weren’t so sad and patently false. There were 36 reported “backers” of Mr. Nath’s snake oil before the campaign was cancelled. I’m guessing most of these people were in it for the fun, not because they took this thing seriously.

Time AI

Sounds cool. What is it?

AI is sexy, but if AI doesn’t get your juices flowing, how about “quasi-prime numbers”, “infinite wave conjugations,” and “non-factor based dynamic encryption and innovative new developments in AI”?

SOLD! Lots a big words solving cool problems that I don’t understand. Must be cutting edge stuff.

The company peddling this Time AI thingy is Crown Sterling out of Newport Beach, California. I’d never even heard of these guys before last week.

Last week, at Black Hat, Robert Edward Grant, the company’s Founder, Chairman, and CEO gave a talk titled “The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean For Encryption?“. The talk was so overtly snake oilish that it prompted very strong reactions (outrage) from some people who were there.

Dan Guido, the CEO of Trail of Bits stood up during Mr. Grant’s snake oil pitch and shouted “Get off the stage, you shouldn’t be here!” “You should be ashamed of yourself!” Ballsy.

Here’s a video clip of the exchange.

Jean-Philippe Aumasson is a serious crypto guy, and the author of the book Serious Cryptography.

There was enough of an uproar to force changes at Black Hat, including removal of references to the talk from the conference website and a promise of better vetting of sponsored talks in the future.

More coverage:

These are two examples of obvious and overtly deceptive snake oil. There’s also the less obvious, covertly deceptive variety.

Covertly deceptive

Covertly deceptive snake oil is hard for the inexperienced and/or lazy security professional to identify. It’s the sort of snake oil where a salesperson or company claims that their product does something that it doesn’t or that it will solve a problem, but it won’t. This snake oil is hard to identify because you won’t know unless you know.

One tell for covertly deceptive snake oil is the prominent use of sexy buzzwords. Common sexy buzzwords/phrases include:

  • Artificial intelligence or “AI”
  • Blockchain
  • Digital transformation
  • Big data
  • Machine learning or “ML”
  • Nextgen
  • Data-driven

If someone uses a buzzword or phrase that you don’t understand, go find out what it means. Don’t just sit there and nod your head like you know. Discounting buzzwords and phrases won’t always work though. There are legitimate companies and products in the market using sexy buzzwords, but work as promised.

The key to protecting against covertly deceptive snake oil is to follow the advice in the closing (below); research, educate, and/or ask. Don’t ever rely solely on the opinions and research provided by the company or salesperson who’s selling, it’s biased.

Buyer beware

It’s you who makes buying decisions for you. No pressure, but every dollar you spend on security is one less dollar your organization can spend on fulfilling its mission, so you should get it right.

Don’t ever buy anything without doing one (or all three) of the following:

  1. Conduct in-depth research into the product and how it works.
  2. Educate yourself on the technology the product claims to use.
  3. Ask an unbiased expert for his/her opinion.

If we all made good purchasing decisions, the snake oil will dry up. You will need to do more work, but in the end it will save you.

Beware of People Who Do Everything

Part one in a three-part series about the information security industry money grab.


NOTE: I covered some of these issues in my book; Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers:

  1. Those who will do anything and everything for your money,
  2. Those who sell snake oil, and
  3. Those who will sell you something regardless of its effects on your security.

Sometimes the money grabbers grab your money intentionally, but rarely do they do it with malicious intent.

There’s no doubt that the money grab is alive and well in the information security industry. We’re in the midst of the Cybersecurity gold rush, and there are thousands of companies fighting for their piece of your pie.

Cybersecurity gold rush

First, a quick comparison between the famous California gold rush and our cybersecurity gold rush.

The California gold rush looked like this: $10 million in 1849, $41 million in 1850, $75 million in 1851, and $81 million in 1852 (peak). After 1852, the rush gradually declined until 1857, then leveled to about $45 million per year.

The cybersecurity gold rush looks like this: $3.5 billion in 2004, $114 billion in 2018, $124 billion in 2019, and $170 billion by 2022. We haven’t exactly leveled off yet, but that day will come.

The truth about the cybersecurity gold rush; if you’re not one who’s making money, you’re probably one who’s spending it.

Spending well or not

Ask yourself these questions:

  • How confident am I that I’m spending my information security dollars wisely?
  • Am I getting the most value out of every dollar I spend?
  • Where do I get answers?

If you seek answers from a money grabber, you’re in for a rude awakening. Maybe not immediately, but soon. Money grabbers are biased, they’ll give you answers with a bias to sell you something.

So, how can you tell a money grabber from a trusted source of good information? It starts with understanding who the players are in our industry.

The Players

There are four players (or roles) in our industry; manufacturers, vendors, partners, and practitioners. Each of the players serve a very important role in making our industry function, and one player cannot effectively exist without the others. Don’t fall into the trap of thinking that one player is any better than another, they’re all critical.

Let’s break them down.

Security Manufacturers

Security manufacturers provide innovative hardware and/or software designed to solve real-world information security problems. They are critical to the information security industry because they make the tools we all use to secure ourselves.

Security manufacturers have three responsibilities to our industry:

  1. Understand the problem they’re trying to solve enough to make an effective hardware and/or software solution.
  2. Make an effective hardware and/or software solution that solves a problem.
  3. Sell the hardware and/or software solution to people in order to make money.

The manufacturer obviously needs to make money in order to satisfy investors and stakeholders. They’ll also need the capital to make more products. Stop the cycle and the manufacturer dies.

All fine and dandy.

Problems arise when a manufacturer attempts to play other roles, like giving you non-product related advice. It only seems logical that the advice you’d receive would be biased by one of their primary motivations which is to sell you their products. A manufacturer wants to sell you things because they want your money. What they sell you might solve a problem, but if it doesn’t, that’s ultimately your problem. The worst practice is convincing you that you have a problem that in reality doesn’t exist.

Even if a manufacturer solves a problem for you, you need to ask yourself if it was the right problem to solve. Was the risk significant enough to warrant a reallocation of resources (personnel, time, money, etc.)?

A manufacturer is probably not the best place to ask your questions about where you should spend your next information security dollar. They’ll certainly have an answer, but it won’t be unbiased, and it may not be in your best interest.

Security Vendors

Security vendors are an interesting bunch. They don’t make products, they sell them. We need vendors though. We need them because they’re closer to our problems than most manufacturers, and they know products better than partners (up next). They give manufacturers a distribution and support channel, so the manufacturer can go back to what they do best, making things.

Vendors represent products made by the manufacturers, and probably provide support for the products too. Vendors are usually specialists in the products they represent and are the “go to” people for making sure your products operate the way their intended to operate.

Advice from a vendor might be closer to the truth, but it will still be significantly biased. Vendors get paid for selling products, and they only represent their suite of products. Vendors, like manufacturers, want to sell you something. Ultimately, they want your money. Solving problems will be limited to the products they carry and advice probably won’t take other creative possibilities into account. Security vendors usually don’t innovate much and are more likely to go with whatever the herd is doing.

Security vendors are the best place to go for advice about a specific suite of products, but are not the best place to go for unbiased expertise.

Security Partners

A true security partner is a consultant without bias, but someone without bias is a pipe dream.  The truth is, nobody is without bias, but good partners do their best to be a trusted advisor to clients with as little bias as possible. Good security partners who understand the importance of their role (in the industry and to their clients) are product agnostic. They strive to make recommendations based on what’s best for the client.

Partners also want your money, but they won’t make money if they betray your trust. Trust is what keeps them honest.

Advice from a security partner must be as unbiased and as objective as possible. Security partners are good at creating or finding innovative solutions to problems because they’re not tied to any specific product or suite of products. One problem with a security partner is they may not have the deep knowledge about any one particular product like a vendor or manufacturer may have. Partners try to compensate for this by establishing working (not selling) relationships with vendors and manufacturers.

Security partners are the best place to go for advice about solving your information security problems with as little bias as possible. A security partner would be the best place to start for answers to most information security questions.

Security Practitioners

The hard-working security people who bust their asses everyday to make their workplace and the world a better place. Security practitioners make (or influence) buying decisions and they’re the ones who live with the fruits (or consequences) of their decisions. Most security practitioners don’t have time to research everything and need others to assist them in fulfilling their own personal mission.

Security practitioners deserve, and should demand respect at all times.

OK, now you know the roles/players. Where’s the money grab?

Beware of People Who Do Everything

I’m speaking to the security practitioners now.

Wouldn’t it be great if you could go one place for everything? A one-stop shop. Seems like a great idea and a real benefit, but it’s ignorant to think that there wouldn’t be an undercurrent of bias that could hurt you and your organization.

  • A manufacturer is biased to sell you their products.
  • A vendor is biased to sell you something out of their suite of products.
  • A partner couldn’t even sell you products if they wanted to. A partner cannot be a one-stop shop even if they want to be.

If you’re comfortable with the bias and you’re comfortable with the inevitable waste of resources, you’ll be comfortable with the one-stop shop approach. It’s lazy and wasteful, but it’s your security program.

If you’re not comfortable with the bias and wasted resources, you might have a little more work cut out for you. The right thing is to use each player for what they were designed for. A manufacturer for buying their products, a vendor for buying from their suite of products and product support, and a partner for the best advice.

Problems come when a player doesn’t understand their own role. When a vendor tries to be a partner too or when a partner tries to be a vendor too. Worse yet is the player who tries to be manufacturer, vendor, and partner. If you didn’t know any better, the “we do everything” player has you by the neck.

In my experience, the most common offender of their role, almost like an identity problem, is a vendor. Many vendors grew their business through other means, maybe selling printers and copiers, maybe doing information technology (IT) work, or maybe reselling networking equipment. The vendor resells things, but as a matter of survival and as margins decrease, they look for new streams of revenue. One common stream of revenue is security consulting services where the market is relatively immature and where a vendor can realize more significant margins.

Two problems with the vendor who plays partner:

  1. The bias problem. I’ve already covered this, but it’s a significant problem. I’ve witnessed many occasions where a vendor has sold things to a client that were clearly biased by the fact that the vendor sells those products. It’s only natural that a vendor would sell products, but it’s the practitioner who pays the price.
  2. Good at some things, but an expert in no things. Nobody can be the best at everything, you can only be the best at one thing or maybe a few things. A vendor who sells copiers, installs Cisco networks, builds data centers, and recycles old equipment, is not likely to be an expert in information security. Information security requires a specialized skill set, and you will get what you pay for. Unfortunately, it’s the practitioner again who pays the price.

Vendors aren’t bad. Partners aren’t bad. Manufacturers aren’t bad. Things can get bad when one player tries to play multiple roles. These multi-role players do it because it’s in their best interest, not necessarily because it’s in your best interest.

Things can get bad for you when you play into a multi-role player’s hand. You wouldn’t know the difference unless you were paying attention. Spend every information security dollar like it’s precious, because it is. One wasted dollar is one less dollar to spend on other more productive and enjoyable things.

Before I close, and one last time, there is nothing wrong with manufacturers, vendors, or partners. They’re all critical. It just helps if you know who they are, and better yet, if they know who they are.

Robocalls Are Dumb, You’re Not

Your cell phone buzzes, you look down and see “No Caller ID”, “Unknown” or maybe a weird number you don’t recognize. Do you answer, or do you just let the call go to voicemail?

Some people, myself included, will let these calls go to voicemail. It’s not a bad idea to ignore calls from numbers you don’t recognize.

Some people answer, they listen, and they follow the caller’s instructions, even if the caller is nothing more than a machine.

So, let’s say you’re one of the people who answers. The machine with a human voice tells you some urgent and potentially bad news. The machine tells you if you don’t want things to get worse, you’d better “press one” or call the phone number provided. Your mind starts to race, and you begin this internal dialog with yourself:

Oh crap!

Wait. Maybe this is a scam.

But what if it’s not? What if I really am in trouble?

It couldn’t hurt to press one, could it?

Ah hell, I can’t chance it. I don’t need any trouble. I should take care of this right now.

I’ve got to find out what’s going on.

After pressing one, a man, a real one this time, gets on the phone and tells you it was smart for you to take this seriously. The conversation goes something like this:

Man: This is John, from the Department of Social Security Administration. May I ask who’s on the line?

You: This is Jane Doe, and I got this call that something is wrong or something about criminal charges.

Man: Yes, thank God you took this matter seriously ma’am.

You: So, what happened?

Man: It looks like your identity is being used to commit felonious acts. These acts are tied to you, and you will be charged with a crime if you don’t act.

You: What do I need to do?

Man: We need to file your paperwork right away to stop the charges. We can mail the paperwork in, but I fear that the courts won’t get it in time. Our other option is to file your paperwork over the phone. This is the best way to make sure this matter gets squared away fast, before you get hauled into court.

You: OK, what do you need?

Man: We need to verify your identity.

You agree, so he proceeds to ask you questions about you. He asks for your name, your address, your age, where you work, and of course, your Social Security number. You give him everything he asks for, and the call ends with some mysterious, but official sounding close.

You’ve been scammed. Sometimes the crooks are targeting your identity (like this example), and sometimes they’re targeting your money directly. Sometime both.

Robocalls are dumb, but they must be working, at least some of the time. There are real victims, or the scammers wouldn’t waste their time. In 2018, there were more than 26 billion robocalls placed to phones in the United States, a 46% year-over-year increased volume. (Hiya Robocall Radar 2018 Report)

This got me thinking, why? The reasons are simple, because it’s cheap for the scammers and it works. People must be falling for these dumb scams. Attackers wouldn’t go through the trouble if these scams weren’t effective, right?

People take the bait, either through ignorance or through a moment of weakness.

Just this week, the FCC adopted new rules to combat robocalls. You might think, “great, let’s shut these sumbiches down!“. Hold your enthusiasm just a minute. Do you really expect the Feds to protect you? Actions by the FCC might help curb the problem, but at the end of the day, this falls on you. Only you can prevent yourself from being scammed.

It’s baffling to think that someone would fall for a robocall scam, but rather than sitting here shaking my head, let’s go through some examples and try to help someone.

Call Number One – Social Security Number Suspension

Here’s the text of the call:

We found some suspicious activity, so if you want to know about this case just press one thank you. This call is from the Department of Social Security Administration. The reason you have received this phone call from our department is to inform you that we just suspend your Social Security number because we found some suspicious activity, so if you want to know about this case just press one thank you.

The message continues and repeats.

Here’s the audio:

Here’s the skinny.

  1. You will NEVER receive a call from the “Department of Social Security Administration”. Besides, the actual name of the agency is just “Social Security Administration” not the “Department of Social Security Administration”.
  2. The Social Security Administration DOES NOT monitor your number for “suspicious activity”.
  3. The Social Security Administration DOES NOT suspend your Social Security number.


Call Number Two – Legal Consequences

Here’s the text of the call:

Social Security number the (unintelligible) received this message, you need to get back to us to avoid legal consequences. To connect call immediately, press one.

The message ends.

Here’s the audio:

Here’s the skinny on this one.

I don’t even know what the hell the message says really. All I know is that I don’t like legal consequences. Guessing you don’t either. The fact is, you are not facing any legal consequences, and even if you were you’d be served in writing and probably in person. Nobody calls you to tell you that you’re going to suffer legal consequences on a voicemail, at least nobody who’s legitimate.


Call Number Three – Legal Proceedings

Here’s the text of the call:

legal enforcement action filed on your Social Security number for criminal activities. So, when you get this message, kindly (unintelligible) as soon as possible on our number that is 210-361-9633 before we begin with the legal proceedings. Thank you.

Here’s the audio:

The skinny.

A “legal enforcement action filed on your Social Security number for criminal activities”?! This is so preposterous, I’m having trouble thinking of something to write in response. You will NOT receive a recorded call telling you of impending legal proceedings because of criminal activities using your Social Security number. If there were such a crazy thing, you’d be notified in person and in writing.

DO NOT CALL THEM BACK. (Side note: I did. Got a busy signal, so I’m guessing they already got taken down by the carrier/law enforcement).

Call Number Four – Chinese

The text of this call is all in Chinese, and I don’t speak Chinese. So, I did some translation work*. Here’s what I think it says:

这里是中国领事馆文件通知您有一封重要文件尚未领取中有任何疑问请按铃 查询

in English:

Here is the Chinese Consulate Document to inform you that there is an important document that has not been received. Please feel free to ring your query.

Here’s the audio:

The skinny.

I don’t speak or understand Chinese, so there was no real chance of this one working on me. This is an automated caller though, and there are an estimated 2.9 million people in the United States who do speak Chinese and as many as 1.2 billion people worldwide who also speak Chinese.

One joy of the robocall for scammers is they can reach thousands of phones automatically. It’s no skin off their back if they reach someone who doesn’t understand. Eventually, they will.

Not sure how effective this sort of call is with the Chinese speaking community, but like I said earlier, they wouldn’t do it if it didn’t work (at all).

(Another side note: Now that I think a little more, maybe this last one wasn’t a scam. My wife is travelling to China next month. WAIT. See, here’s rationalization. Irrational rationalization. No, it’s a scam and I will ignore it.)


The first tip is the most important one, so I’m going to shout it. Ready?


You get that? I’m going to shout it again. This time I want you to really think about it.


Communication channels include phone calls, emails, popups, text messages, and even in-person. If you initiate the phone call, not at the prompting of someone else giving you the phone number to call, you are most of the way there in protecting yourself from scams.

2. Ignore phone calls that originate from phone numbers you don’t recognize. Ignore them, and get on with your day. If it’s important, they’ll leave a message.

3. Be skeptical. You don’t need to be paranoid, but be skeptical.

4. Slow down. Don’t react without giving your mind time to think and process what’s going on. Taking 10 minutes to think things through will not put you in danger, but just the opposite.

5. Ask someone you trust. If you’re not sure whether a phone call or message is legit, ask someone. They’re not tied to the events emotionally in the same way you are. Don’t be embarrassed to ask questions.

There you have it. You can probably come up with some additional tips along the way, but these are the basics. Master the basics people.