All right, let's get right into it. It's Monday, April 29th, 2019. I'm Rym. I'm Scott, and this is GeekNights. I'm gonna change this. It was recording on the wrong audio channel. Bump bump bump. Because I was editing a bunch of video and I didn't want to have the mixer on the whole time, so I changed it to use my onboard sound card, and Adobe is actually not that smart about that. Adobe. All right, we'll do this again. Adobe, Adobe, Adobe. Adava? Not quite. Anobonga. Adabe, Adabe, or Githzerai, which came up in the painful pages. I forget, with all those Githyanki and Githzerai. I don't get the rosy. I remember that those are the names of races, but I forget everything about them. They came up in our Freeport game, I think. Yeah, but I forget everything about them. One of them is bad and one of them is also bad, but in a different way. I just Googled to remember what they look like. Yeah, they're kind of... but they're not the bug ones, right? The bug ones... thri-kreen. The bug ones. Okay, and those are from Dark Sun, which is also cut off from Planescape, just like Ravenloft. Dark Sun and Plane... and unless things change, Dark Sun and Ravenloft are both, like, outside of the normal cosmology. Can't get there from here. It's Monday, April 29th, 2019. I'm Rym. I'm Scott, and this is GeekNights. Tonight: phishing. With a "ph." Not the band. Mm-hmm. Just take my joke. I did take your joke.
It's mine now. Only the zero people currently watching the stream will... The correct number of people are watching the stream. The lesson has been learned; my work here is done. Excellent. Of course, I did just tweet, like, 30 seconds ago. No! Hopefully those people blocked you on Twitter. So I was randomly looking at my YouTube channel, because I was uploading a bunch more of the videos that are just the reviews of board games we do, without, like, the rest of the episode around them. And watch it. Yeah, they all get hundreds of views, and I get a lot of, like, likes within BoardGameGeek, because that's where I post them all. Okay. I think it's good, because sometimes we have, like, a 10-minute review of a game that's at the end of a 50-minute episode of GeekNights. So it actually is working out pretty well, and it does not take a lot of work. But when I was looking at my YouTube channel... I don't look at the analytics that often. Like once a month I check in on it and I notice... I look at it never. I noticed that... I had no idea if I had, like, a million subscribers. I'd only find out when, like, the silver thing showed up. So I noticed that I had six thousand nine hundred and ninety-nine subscribers, and I was like, oh, I should get a screenshot, because that'll be funny. And then I got distracted, I finished something, shot it... It went up. It's like seven thousand and twenty now. It's already passed. Don't... I guess I could Photoshop it. Without... you could just use the web inspector to change the number. And then, oh yeah, or I could block enough people from my channel to get it back down to six thousand nine hundred ninety-nine. I could just take screenshots with the web inspector to act like I had a bajillion views, try to get someone to give me money, and become, you know, fake it till I make it. Yeah, I think it's who buy followers or whatever. The analytics on the channel are actually pretty interesting if you actually look at them, because you do get a lot of... all white dudes watching.
Yeah. But you also... the thing you get that's real interesting is, like, you can find out what videos people are watching where they're like, what, fuck this, and they unsubscribe. And also you can find out, like, what videos someone's watching and they're like, maybe I like this channel a little bit. People seemed... we had more people unsubscribe from our Realm of Games... Figure out what videos are watched most by non-white, non-straight, non-dudes and make more videos like those. We could try stuff. We could do it. We could treat ourselves like we're the machine learning thing. No, right, and just... we just choose, right, rather than most people who are, like, going towards following the money or following... Right, we follow a different metric for success. One thing I can say is, I'll see if it changed right now, but if we look at traffic sources, most people watch our channel because they're browsing YouTube and they just see one of our videos recommended and they click on it. Yeah, that is like 90% of our views, and then the rest are YouTube searches, and the YouTube searches are almost entirely for, in order: board game design, Tigris and Euphrates board game, rare game mechanics, game theory, game design, game mechanics, Puerto Rico board game, Carcassonne strategy, board game, and his big news, this, Rym DeCoster, okay, making board game, Diplomacy board game, board games, board game, game balance, how to make a board game. Are all these, like, one search each? Now... Nope, they're all hundreds and hundreds. Okay. It's really funny, but Rym DeCoster is, like, there in the top 10. So yeah, okay, whatever. Somebody got news-wise... It's Monday. Ah, so I do have some news. Check it out. This is relevant. This is how we thought of our main bit, by the way. Someone has found a new and interesting way to phish people using mobile browsers.
They developed the proof of concept, which is, oh, they only made... did the work to prove it for Chrome on iOS. Like, what, iOS only, one? But you could just take... you could easily take what they did and replicate it. So it's a really clever escalation of, like, phishing technique, right? So here's the deal, right? Let's say you're gonna go on your phone, right? When you open the web browser, you know how you scroll down and you really want to save screen space, so not that many pixels, right? So what they do on your phone when you scroll down on a web page is they make the location bar go away. All right, which makes sense. Oh, it makes sense. So what he did, this guy, is he says, all right, I program my website such that when you scroll down a bunch and the location bar goes away... So the first time you load the page, the real location bar is there with the real URL in it. Yeah, with the HTTPS, and it's like, yep, you're at your website. Scroll down far enough, a different... the real location bar goes away. He takes an image of a fake location bar and makes it appear, and it says, like, chase.com or hsbc.com or bankofamerica.com in it, right? He basically just took a screenshot of the bank location bar on the bank's website and just put it at the top. So now it looks like you're officially... green light, green lock on. This is the bank's website, but you're on this other person's website. If the website also looked like the bank's website, then they could fool you. And now, presumably with, like, a link in an email: you click the link in the email, you land on this website, it looks real, you scroll down, the location bar changes. If you don't notice the location bar was fake and had the wrong URL in it at the start, maybe it was a really close URL using, like, some Unicode shenanigans, then it's gonna look like you're really on your bank's website for real, like totally trustworthy. And then you type in username and password, and then you lose all your money. Yep, right?
So it's one of those things where, like, phones, just the way they're used, are very limited, and there's a lot of differences compared to a real computer. So, like, you can't hover over a URL to just, like, really quickly see where does it really go? Yeah, but things like this... the disappears... you never have the top bar disappear in a real web browser on a real device. Right there, you know the real... You know, the way to take this even further would be to not just use a screenshot of the location bar, but to program a fake location bar that can be used to programmatically detect what browser the person is using, to show them a location bar that matches their browser. Right, like, if I'd be using Chrome on iOS, okay, we got to show this fake, you know, location bar style. Yeah, you don't have to go pretty far to make it really convincing. But, you know, it goes even worse. It's actually worse than I thought. It says that normally when you scroll up, you know, you get the real bar. Now you can never get the real bar back unless you reload. Yep, because they put you in a scroll jail. Yep, scroll jail, with an element that just prevents it. Let's see, overflow: scroll. The user thinks they're scrolling up the page, but in fact they're only scrolling up in the scroll jail. I can see how you can pull that off. Yep, this is pretty big, because a lot of people only have a phone or a tablet as their computing device, like, they don't have a computer. Now, it's less of a big deal, because, you know, if I'm using my phone, I would never do anything... secure login in the browser on my phone. I always use the app, right? And if you're using iOS, at least you can trust the app that came from the App Store, for the real App Store. If you're... right. Yeah, if you downloaded the wrong app, you're already hosed, right? And but iOS... Apple won't let... they're not the real app in the App Store. Yeah, whereas Android might. Google Play, you can't trust it, but Apple, you can more trust it, mostly, right?
So if I get the Chase app, I can trust that's as secure as the Chase website on a secure brand new good computer with a secure... Yeah, I guess the moral is, on a phone, trust apps like you would a TLS certificate, and just use your web browser for things that don't matter. Right. Anything secure you do on your phone, you should be using an app. Don't trust the browser on the phone, not just because of this, but just in general. Why are you using the browser when an app is available on your phone? I mean, I tried to think of, what do I actually go to on a browser on my phone? And it literally is the GeekNights forum. Yep. Fark. Google News. There's, like, nothing else in my app... Yeah, I don't use it. Yeah, but you're still like that. They could log into your Gmail with it. Yeah, if they trick me into clicking on... There used to be more things that I used the browser for on the phone, because there weren't apps for everything, but it's been so long. It's been, like, 12 years since I had iPhones. And actually, I don't even go to Google News that often, because I also pay for WaPo, so usually I just open the WaPo app. Anyway, but yeah, it's like, uh, you know, it's been, like, 12-something years since I had iPhone, so the apps exist now, right? Google Calendar used to not have an app. I'd have to, like, go to Google Calendar on the web. Now there's a really good Google Calendar app. Yeah, so everything's pretty good. So in some other app-related news, there's a lot of apps, especially in the iPhone store, that are designed to either help you curb your addiction to your own phone or control how much time your kids spend messing with the phone. Right now Apple, in iOS, includes lots of functionality, including in the newest version.
They've added a lot of functionality for helping curb your addiction. I keep getting notifications like, your screen time's up, your screen time's down, you spent this much screen... I can look and see exactly how much time I spent in each app. It's all built into iOS, and Apple's always had parental controls ever since, like, the first iPhone. Yeah, it's only gotten more advanced. But for some people those controls might not be enough, and Apple has always allowed and always supported people making other parental control apps or other screen time management apps and putting them in the App Store, as long as they follow all the App Store rules. You know, we're not gonna talk about the general App Store rules, you know, deal again. Yeah, we're only talking about this specific thing. And what happened is that some of the apps, right, were given notices like, hey, your app is not in compliance with these rules. If you don't fix your app in 30 days, we're gonna kick you out of the App Store. And some apps fixed their shit and some apps did not fix their shit, and they got kicked out and are now complaining. Yep. And it seems like the crux of it is the apps that are targeted specifically at children and controlling children's access to things, probably because children being online is heavily regulated both in the US and in Europe, right? But I think the main technological thing here that Apple is upset about is the use of MDM, which stands for mobile device management, right? So basically, in much the way that, like, when you install an antivirus software on your computer, right, the antivirus software, in order to clean out viruses and prevent viruses and other malwares, that antivirus software needs a lot of permissions, and it needs to do lots of things to detect viruses that are otherwise not acceptable for other software to do, because... right? It's much in the way, to fight a cheater...
You need to be a cheater. Yep. How can I find a rootkit if I can't be at even lower levels, have lower-level CPU access than the rootkit, right? How can I clean out the virus from these OS files if I don't have permission to read and write all your OS files, right? So much in the same way, to implement a lot of the parental control features, right, like seeing, spying on what websites you're going to, spying on how much time different apps are open, you know, seeing what's on the screen, you know, I'm your parent, I want to see what you're doing right now to see if it's porn without coming up and looking behind you, so you know I'm looking, right? Make your phone turn off and you can't turn it back on, lock your phone, make sure you can't unlock it, see where the phone is, all these sorts... You know, see what the camera on the phone sees remotely. These are all major things that would normally be major security flaws, cannot allow, major permissions problems. Yeah. In order for these parental controls to work, you sort of have to allow these things, and Apple's like, no, that's insecure as hell, really bad, we can't allow apps to be doing this. Yeah, I would not... I don't trust apps like that in general. Yeah, because that's the kind of app that I would make if I was gonna try to compromise your phone. Notice you don't put any antivirus stuff on our computer either. Yep, because antivirus software doesn't work and/or is a scam in most cases. Just use the Windows one, it's fine. Or don't use anything; the Windows one is fine. Whatever. The point is, the Apple parental controls, aren't those enough for you? Really? So the article I picked, a random article about the Apple feature they just added for managing your screen time... That's really not enough for you?
So I picked a random article about this, and it seems like the people who are mad are mostly parents who don't understand how to use the Apple one, want extremely fine-grained control of how their children... is extremely fine-grained control. Don't give your kid a phone unsupervised. Done. Or give your kid a phone and be a good parent. Yep. Why do you have a kid that wants to go look at, you know, murder porn? Well, ultra porn. Well, what about the kid... Well, what about the kids who are just being recruited by white supremacists because they went to the wrong YouTube? Why did you raise a kid who wants to go look at white supremacists? And why did you raise your kid not to be able to recognize Nazis? Well, one thing, I could recognize Nazis now, as a kid... I guess one thing I can say that's different between when we were kids and today is that when we were kids, most kids did not have access to the internet at all. True. And the people who did tended to be pretty technologically savvy, or they couldn't make it work. Also true. And we tended to have unsupervised access, but most of the stuff on the internet was made by other people like us. Also true. Now there's Nazis, like, actively trying to sneak in and trick people. Also true. So it is a different world. Like, I don't want us to fall to survivor bias of, I had unrestricted access to the internet, I'm fine, because when I got it, it was a different internet. It was a different internet in 1997 or 98, dude. It is hard to express to some of your younger listeners...
...how different the internet was in 1997. But my Nazi detecting goes, yes, possibly because I was raised among Jewish people. Maybe everyone should be raised among Jewish people. It would solve a lot of problems. But I will say, I get the impression that most of the apps that were shut down, this is probably fine, and the people who are mad about this are a vocal minority who want very specific niche things. They're a vocal minority who made the apps that got shut down. Yeah. They probably found some parents who... who are mad that the app got shut down, and got them... They pretended to be their own customers. Yeah. So in some other news that you probably should be paying attention to, like it or not: the measles epidemic in the United States is actually growing rapidly and is a big fucking problem. If you got measles, stay the hell away from me and anyone I know. Yeah, 'cause I got vaccinated. But in fact, if you got the measles, and whether it was because you were bad, or maybe it's because you were good and it just happened because other people are bad, you should go find bad people and hang out near them. Yeah, I would make the most of it. There are... so there are confirmed at least over 700 cases across 22 states now. This is getting to the point to where it is a way... Why is there no class action lawsuit amongst the people who got measles who were vaccinated, or some, or couldn't be vaccinated, against anti-vax people? Just sue them into the ground. Well, most of the people who are getting measles are themselves not vaccinated, because their families are anti-vax. All right, well, they don't have to sue themselves, because they'll just be horribly... Yep, they got measles. They already got the consequences.
So the biggest outbreak in New York City, yep, in Brooklyn, in one particular community, we talked about this. Are... yep. And the city has actually... we talked about, like, the city was doing... they're escalating it. There are, like, straight-up mandatory vaccination orders in New York City now, which I think is absolutely justified, and they should be pursuing this much more aggressively than they have up to this point. I think it's... I would have no moral problem with just physically detaining people and injecting them. I'd be okay with having... making sure a doctor's sort of, like, if maybe the kid's allergic to the vaccine... Obviously a doctor would be doing the injecting. I'm just saying, not, like, cops. If you... they probably injected in your eye. I don't know what the fuck they're doing. Child died, injected with the measles vaccine 70 times in the back. Right, cop said they found a measles. Cops can just do... yeah. No, the cops aren't gonna do the holding part. Firemen do the whole thing. We found measles in his pocket. It was self-defense. Firemen will do the holding and the doctor will do the injecting. Yeah. If there's any advice I can give you, in terms of... I guess EMTs can do it. Yeah, it's not that hard. In order, the people you should trust with your life, in terms of, like, first responders: number one, firemen; number two, EMTs, about the same; numbers three through ninety-nine, various other bystanders; number a hundred, the police dog; the cop assaulting me.
It's like a dog catcher. Dog catcher. But seriously, if you're not sure if you are vaccinated against measles, because sometimes medical records get lost... Like, it's actually terrifying how hard it is to get all my detailed medical records from my entire life, because computers weren't really a thing. Yes. I saw some people posting, I don't know how true it is, that, like, if you got the measles vaccine a long time ago, which I did because I'm old, yeah, the vaccine we got is not, like, a hundred percent, that we should get another one. I'm looking into that, actually. I'm gonna talk to my doctor. I guess I'll just make a doctor appointment anyway. Yep, but it's like, really, I'm going to ask my doctor if I should get, like, a measles booster. I don't know if I can find the fucking records of when I had the fucking 1980-something... It's probably, like, a piece of paper somewhere. You know, my mom has that shit. I don't know, it's probably buried in some drawer that's just, like, a pile of paper that I'm surprised hasn't spontaneously combusted. Yeah, if it's anywhere. So yeah, I think my pediatrician, like, saw... my records from 1980-something probably went to, like, one of those, you know, stone mountain archiving... One thing you should probably do, though, is if you know anyone who you know is anti-vaccine, defriend them, never speak to them. Yeah, other than to tell them, get a vaccine or stay the fuck away from me. You should end any contact with them and tell them why, and then block them, or put on protective equipment, hold them, and physically drag them to someplace to be vaccinated. Like, find a doctor friend or a nurse friend, you know, to, like, smuggle the vaccine out of work. Right, and then there's, like, invite them over, pizza party.
Hold them down. Good to go. It is still crazy that... it really does appear that it's Russian bots and things like that that are really spreading the anti-vax message. Or just give it to them in their sleep. They won't even know. They'll continue being anti-vax, though. Yeah. I like the idea of tell them, and then they'll be like, I never had the vaccine and I didn't get... Actually, we get, maybe that's what you should do: anyone who's like, you know, who's like, I never had the vaccine and I didn't... say, just be like, actually, yeah, even whether it's true or not, tell them, yeah, actually, we held you down and gave it to you. Yeah, I like the idea of telling them that actually the vaccine is safe; the problem is the mercury in the vaccine, so if you take a raw piece of potato within four hours of the kid getting vaccinated and hold it on the wound for an hour, it'll suck the mercury out. But the vaccination... pretty sure it doesn't have mercury anymore. Yeah, we're talking to idiots, so we make some stuff up. Okay. It does not have mercury. To cure a lie... Yep, such homeopathic remedies. I mean, how do you fight a forest fire but with another fire? Homeopathic water. I'll use one drop to put out a giant forest fire. You're about to use a match to put out the giant forest fire. Hear about the guy who died of a homeopathic overdose? He forgot to take his medicine. I know. But anyway, it's time for Things of the Day. You may have seen people post this in our forum; I saw it all over Twitter. There's this picture of this, like, Porco Rosso, TaleSpin-looking fake-ass aircraft, like this big bulb. Looks like something that someone made to, like, hang up in a museum or a fancy art exhibit somewhere. Like, it looks like something an air pirate would fly in TaleSpin. Yeah, very cartoonish vehicle of the sky. So I saw a lot of people talking online like, wait, there's no way that's real. What's the deal?
You cannot fly this unless you have a scarf with a long trail. Yeah, those goggles and the leather hat. Otherwise, it won't even start. You'll just get in it, nothing will happen. It'll be like, where's your scarf? I ain't starting for you. This is the kind of plane where instead of having a gun on it, you just pull out your pistol and start shooting out the side. Also, what, you got a... the key is a mustache. You have a big old mustache. Yep. You got to shove it in the ignition and turn. So what I wanted to link to, my Thing of the Day, is, yes, it's real, and here is video, well, here is a film converted to video from 1933, showing that yes, it's real, yes, it flies. And if you're curious as to what the deal is with this plane, it was not intended to be a plane to be used. It was basically a prototype to test some ideas about making airplanes. Right. I mean, I've seen... I thought that the shape would fly, because I remember making paper airplanes in a roughly circular shape, right? Had to tie the wings together at the bottom, and they totally flew. They flew great on some occasions, right, based on how well you made it. Yeah, the original image I saw showed something really fat, and I was like, that doesn't look right. But now that I've seen the video here and some other images, I believe obviously it's a flying shape. Yeah, yep, it's gonna work. It looks kind of fun to fly. It's kind of dangerous to fly. Yeah, it can't be any more dangerous than, like, a BG, I mean, you know. So anyway, what do you got? So here's a technical Thing of the Day. In fact, it is technical metal. So, some don't plant... So somebody took machine learning slash neural network, whatever stuff, and they trained it to produce audio, right? So it's basically a computer program, and it constantly produces audio at all times, and it sends this audio via RTMP, I presume, to YouTube, where it is streaming this audio 24/7, right? Just turn it on and don't really pay attention to it.
You'll think, oh, it's just a music channel, right? So what they did is they trained it to make audio by feeding it the discography, I presume, of the technical death metal band, was it Archspire? Yeah, Archspire. Archspire, which I'm not actually familiar with. I'm not familiar with their oeuvre. But, or whoever, however we're gonna pronounce oeuvre. But yeah, it basically is producing... if you listen to this, it sounds like kind of messy technical death metal that doesn't stop and never repeats itself, and it's constantly new and fresh. Yep. And if this advances a few more, you know, generations of technology worth, that will be really something, because it asks a lot of fucking questions, like, who owns the goddamn rights to this shit? Yep. Can I make... if I... Your monkey taking a photo intellectual property question, that's old hat compared to this bad boy. I can fit ten monkeys taking a photo in this. And, like, I put it on last night, just listened to it for a while. I was playing Overwatch. It just sounds like, unless I pay attention to it, it just sounds like death metal. Yeah, but if I pay attention to it, like, you hear the voice, like, it's death grunting, but it doesn't make words. Yeah. And how much is Archspire supposed to get from this? Yeah, well, there's a lot going on here, but also, hey, it's running 24/7 non-stop metal. I feel like you could have a club that just plays this and make a thing about it. Yeah, so this is metal, this is intellectual property, and this is computer. This is a great GeekNights Thing of the Day. It's good biz. So in the Meta Moment, the GeekNights Book Club book is the most painful book we have ever chosen. It is Troy Denning's branded Planescape novel, Pages of Pain. There are no, like, sequels or prequels, right? No. Okay. It starts one-third of the way through this book. I'm nearly there. I'm gonna be quick. A major turning point in the book. Is this where they start walling into the labyrinth?
Yeah, that's... I'm out there running around the labyrinth right now. Yeah, that's it. That's the scene. I don't know how they got in the labyrinth to begin with; that wasn't really clear, but it kind of got built around them. I like how this book is, like... I'm like, how fast are these dudes building this? It doesn't make any sense. But while they're in it now... One thing I'm realizing reading this with adult eyes, very specifically, is that if you don't already know some shit about the Planescape universe, good fucking luck. I know what I've been told by these other nerds, and I've learned that everything these nerds have told me, they learned by reading this fucking book. Yeah. Everything everyone's ever said to me about Planescape is just, like, in the first five pages of this book. And I'm like, oh, I'm like, you nerds didn't play any fucking Planescape shit. You just all read this one book and are telling me what you read. They... no, they read two books. They read this book and there's one Planescape... So I said there were no sequels or prequels. Well, no, the other book, the one that comes in the box, is the box in the box. There's a book that's like, this is the fucking deal with Planescape. It's right over there. You want to say all the same shit that's in this. Yeah. The thing about Planescape is that the moral of Planescape is that that city fucking sucks. Do not go anywhere near it. It just sucks there. Okay, it smells like pee forever. So otherwise, our Realm of Games panel is on YouTube. That's good. Our Rare Game Mechanics panel is on YouTube. That's good. Judge Anime is on YouTube. That's good. And we're gonna make a bunch more stuff as fast as we can, so stay tuned. We have no GeekNights obligations until PAX West, so as long as it is not too nice outside, we're gonna be making a bunch of content starting next week.
It's gonna be nice outside. Yeah, so we got to make a bunch of content, like, this week. I did play a bunch of Auto Chess this weekend. A big patch just came out that made a lot of good stuff happen, and I may be able to play Auto Chess because the Overwatch season just ended. Well, the Auto Chess season is about to end. You got today to set your rank, tomorrow is a no-rank day where it just doesn't matter, and then May 1st the new season will start and everyone will be like, I get zero rank, I don't know, so I can start from scratch. Yeah, but anyway, I'm gonna play a lot of... gorgeous. Yeah, I started thinking, really, I like that gap day, because the other... like, to let you learn the meta, whatever. The other games don't do that. Like, Hearthstone is like, okay, reset, go go go. It's like, so Overwatch, a good idea: gives everyone a chance to, like, settle and figure out how they want to play without affecting their rank. So, you know, Overwatch does that. You can always play Quick Play, which is the same as Competitive, just, like, doesn't count for anything. You can do that in Hearthstone too, but it's like, you're not gonna be playing against people who are, right... This makes everyone forced to play, right, in the... no, the experiment, you know, no-rank mode; you can play competitive. Between seasons in Overwatch, it's called the off-season. It's competitive rules, competitive matchmaking with your previous rank; it just doesn't count. No, it's actually pretty cool. Oh, that's basically what this is.
Yeah, I really like the fact that the off-season exists. Yeah, but there's no off-season in Hearthstone, and other games don't have a season. But basically there's gonna be a one-day Auto Chess off-season. So now that it's sort of an aside, I'll talk about this more next Tuesday, but because we can now script in maps in Overwatch and make, like, really custom game modes, I started musing on how to make, like, a GeekNights Overw... an Overwatch Auto Chess kind of thing, and I actually came up with a pretty good idea. So I got to read the scripting... Like, just make GeekNights Overwatch instead. What, it's just me and you? Like, what would GeekNights Over... I just... all our friends as characters? I don't know. It's just skeletons. It's just skeletons. Yeah, now we're talking. I feel like I could make an Auto Chess-y thing, and I figured out, like, what it would look like. I just have to read the documentation to see if what I want to do is possible and feasible with the scripting. And if it isn't just completely, like, trivial to do, if I just write the scripts, I ain't doing it. You could do it as, like, a mod for, you know, Source engine. I could, or Arma, you know, all those other engines that allow mods. Yeah, but I really only want to do it for Overwatch, or otherwise I don't care that much. Okay. Otherwise I'll go back to grease the wheels, which needs a Quake... a Quake 2 mod. Yeah, Quake 2 Auto Chess mod, dude. If I'm gonna make Quake 2, I'll just make a Doom 2 mod, because that's the only game engine I actually know inside and out. All right, Doom 2 Auto Chess, let's go. Oh, I get three imps, they become a super imp, and you watch, you just watch them fight. You're, like, floating above and you just watch them fight. Oh, yeah, we could make that. The Doom engine is not hard to learn.
Oh, I got three Cyber... Shit, it's just two rocket hands. The scripting is shockingly versatile in Doom 2, as long as there's a limited number of action frames you can take advantage of, though. Anyway, anyway. Monday, let's talk about non-games. Yes. So it is Monday, and we were talking about phishing somehow. We never did a show about phishing. I can't believe this, and my news reminded me about phishing, so now we're gonna do a show about phishing. So phishing, it's with a "ph," is an industry term, like a technology term. It's changed a lot over the years, because the internet has changed a lot, but the basic idea is that you are trying to trick someone into thinking that they are interacting with a thing, but really they're interacting with you. This doesn't only apply... most of the time it applies to a fake website or a fake email that looks like it came from a bank or some official place. Yeah, right, Facebook, or, you know, an app that looks like the real app, but it's not, it's another app that just, you know, looks like the real app. But it actually applies to a lot of situations where anything is a fake front. For example, I give you a phone call and I say, this is your so-and-so bank, and it's like, yeah, that's telescamming, telemarketing, you know, whatever, robocalling, but it's also phishing, because I am pretending to be some official thing when I'm not, right? I can set up a fucking store, I can set up a bank branch, right? It looks like a real bank branch. I trick you to come in, and you come in and you swipe your card in my not-official ATM. Yep, right? There's all sorts of things like that, but usually it's only reserved for trying to get someone to authenticate with or otherwise click on a link, right? Because that's why it's called phishing, because you're fishing for their information, right? You set up a fake storefront and you're trying to collect somebody's username, password, PIN number, code, social security numbers.
You're trying to collect their most secret personal information. That's what you're phishing for, and when you catch a sucker and get their info, you get the credit card number, you get whatever it is you need, and now you take all their money or do whatever. Go all the way back to, in the early days of, like, your identity on a Unix machine or a Linux machine. What do you do? Just make a screen that looks like the logon screen. You make a screen that... you make a terminal, a shell. Yeah, it's the bash shell. You take the bash shell source code, yeah, right, you modify it to send anything that they type to you. Yeah, they type in their password eventually. They type ssh eventually, you got them.

So phishing really came to be in a modern sense when email became widespread. Like, that is the beginning of modern phishing, right, because people were not able... unsavvy people, still to this day, yeah, cannot tell an email... You know, if it looks like an email from their bank, they don't... in order to tell that it's not, you have to look very carefully. You have to look at, like, the email headers, which are unreadable to most human beings. Yep, you have to look at the from address, and the user interfaces on most email clients do not highlight that information widely. The biggest thing is, like, the subject, right, of the email, and then the contents of the email far outweigh the from area. Well, right, so unless you look closely, you can easily be fooled, and before spam filters were any good, you actually saw those emails in your inbox, like, a lot. It was kind of a thing. Like, I remember the first time I got one. Like, I remember being like, wow, someone's trying to trick me. That's funny.
I wonder if anyone else has thought of doing this before. Like, and then it's super widespread. People are trying to do this constantly, and it works because they send so many of them that even if they're all blocked, like, if they're blocked across all Gmail, blocked, all right, it's like someone who's at cablecompany.com using that email somewhere gets hit by it, or it just sneaks through a spam filter, one sucker, right? You hit one or two, and it's like, it cost you basically nothing to cast all those fishing lines out in the sea. If you catch any fish, it's like, all right, that's thousands of dollars I got from their credit card.

Now there's two main kinds of phishing, and it is worth bringing up. Regular old phishing is, like, what Scott just described, but most security professionals will refer to another kind called spear phishing, which is, you are targeting an individual, right? I know this person. I know their bank. I know that they recently done a thing. There's something I know about them that I probably got from publicly available or easily available information. Yeah, or maybe I'm their friend and I'm evil. I'm not their friend. Here's the modern... I don't want to get too much into the history of, like, how this used to be done, because none of that stuff matters anymore. No, but typically someone will go and buy... like, there'll be some storefront, not Amazon, but, like, a second- or third-tier storefront that's legitimate but has poor security, and they get hacked. Someone will buy that information on the dark web, and then they'll look through that information, find profiles of individual people who they know bought something from this third-tier storefront, and will try to use that information to target that individual, to have a higher rate of success in stealing their credit card or whatever. Yeah. I mean, you know, if I buy something from geeknightstore.com, and then I get an email like, hey, this is geeknightstore.com, we had a security problem.
Everyone's got to reset your password. Come and type your password in. Yep, and in fact, that's one of the most common techniques. All this really is, is just, like, crafted social engineering. You tell someone, yo, your security is compromised, do this to fix it, them not realizing that the initial statement you gave them was in fact... It's a specific subset of social engineering. Yeah, where you do a fake... you socially engineer via providing a fake front, and then get someone to input their information that is real into your fake front, and then saving it. Yep.

So there's a lot of baby's-first ways that this happens that, unless you're really unsavvy, you shouldn't be able to fall for. Like, the link is clearly just, like, not your bank's website, right. A lot of times it'll be like www.chase.somethingthatsnotchase.com, and it's like, yeah, I see the green lock there, but it's not chase.com. It's something else dot notchase.com. Yeah, you got to look at... whatever's closest to the .com is what counts, right? There might be, like, you know, www.chase. That doesn't matter. I could make a www.chase.frontrowcrew.com if I wanted to, right? It's got to be the last one before the .com. That's the one. So in the old days, it used to be pretty easy to spot these just because the emails themselves looked dodgy as shit, but modern technology's come a long way, and people will literally just, like, apply the exact same style that a legitimate email has from that bank. Like, they will look a hundred percent right. The URLs even look right when you hover over. They'll use... a lot of times you'll see URL shorteners. URL shorteners are a big problem, because oftentimes they are used legitimately, right?
Or even if they're not shorteners, various redirects will be used legitimately, often for advertising purposes, right. On Google, you click on an ad, you're actually getting the link for that ad. It looks like you're going to, say, let's say we've got a Geek Nights ad. It looks like it's going over to frontrowcrew.com. It's an ad for Front Row Crew that's purchased on Google. If you actually look closely at the link, it goes to Google ad something something, and then that's gonna redirect you to Front Row Crew after tracking all your ad biz, right. So, of course, in some emails, a lot of emails that people send from legitimate places, they send out their email newsletter from their company to their customers. They fill that email up with all these redirecting ad links so they can track people who are clicking on the newsletters, so that they can, you know, get stats on their newsletter, design the newsletters better, all that kind of stuff. Yep. And so now you're used to having these redirects and URL-shortened links in your newsletter. So then someone sends out a fake one, and you look at all the links and none of them make any sense, and it's like, okay, obviously these aren't gonna be at the actualplace.com, because, you know, they're all ad links. But you click one, and it redirects you to shadysite.com. No, but you couldn't tell when you clicked on it, because it was a shortener or a redirector.

With this escalation of, like, increasingly advanced phishing techniques, and, like, the news we just talked about with the inception bar, there's really only one real defense against this, like, being smart. Yep. Well, being smart, being knowledgeable. And fine, if you're not that smart or not that knowledgeable, there's a simple set of rules you can follow. Rule number one: never, ever click on a link you received in an email, even if the email appears legitimate. Mm-hmm. If your bank emails you saying, hey, there's a thing, like whatever it might be, yep, I do this even myself.
I see that email, and I don't care if it's a real email or not. It made it through my spam filters, so it may well be legit. I then type mybank.com into a browser, yep, and go to it independently, and if I don't see the information in my account that the email purported should be there, I know it was fake. Yeah, whenever I get an email from some site where I have important... like an email, say, from Steam, yeah, it's like, hey, you know, we gotta, you know, check out some Steam thing. I go log into... I just open my browser and go to Steam to see if I can corroborate what the email says, and if I can't... whether I can or can't, I delete the email. It's similar to, if your bank ever calls you saying anything, you should tell them that you're gonna hang up and you're gonna call them back at the number actually printed on your card. Yep, and be like, yeah, I'm gonna call you back. Following these two rules basically makes you immune to phishing. It is very hard to get tricked if you follow those two very simple rules. Yep.

If you want to technologically avoid phishing, right, one way to do it is, like I was just talking about, those redirects and URL shorteners, right. Ad block, of course, is really good at helping you avoid a lot of phishing things, because a lot of phishing stuff, right, is hosted in shady parts of the web. A lot of those redirectors which are used for ad tracking are used for phishing, right, and ad block, for example, like my Pi-hole DNS ad block thing, or actual AdBlock, will often... you know, they're geared mostly towards ads, but they will often block a lot of shady phishing things and not legit things. So there have been oftentimes where, you know, something shady comes up, and I notice that it's shady even faster than usual, because half of it is blocked and the links don't work. Yeah, oh, my ad block is blocking all of this thing. Oh, because it's a bunch of bullshit.
That's why. Yep. So I block all ads everywhere, always. It does really sadden me how effective phishing is, considering how desperately easy it is to avoid being caught by it. Like, even my company... They said it's a game of numbers, right. If you cast enough lines, you still catch people. Yeah, it's the same thing, why spam is such a big deal even still today. You try to sell Viagra to enough people, someone will buy. Yep, someone's clicking on that link. There's still someone out there. Mostly what I'm amazed by is that there was ever a time where if you clicked on that Viagra email, someone actually sent you Viagra. I always assumed at least once there was, but I assume that if you tried to buy Viagra, you would in fact just get your credit card overdrawn. Well, I mean, all those Nigerian scams, there was someone on the other end. They just weren't someone with a pile of gold that needed help. Yeah, they were just someone who needed help.

But what's also interesting about this kind of phishing is that they really have to trick you. Say you click on a link because you're dumb. Even then, they still have to make the website look legit enough that you type your credentials in. And the other way to protect yourself is to enable two-factor authentication for everything. Yeah, because even if you try to log into one of these phishing sites and you type your real password, it won't be able to do the, like, two-factor TOTP. However, there have been some more developments along this way. Yep. Well, there's an OAuth vulnerability, isn't there? Yeah, but no. But what people do is, like, yeah, they'll just phish the two-factor part also, right? Yeah, you log in, then they take that and they immediately use it to log in while you're waiting for the fake login to happen there at the computer.
That's evil, is immediately using your username and password to try to see if it's real. Yeah. In the background of that, some server somewhere is now trying to log into your bank account with the username and password you just gave. It waits for the prompt for the TOTP, sitting there waiting, and it notices, wait, this person's got two-factor. It comes back to you and is like, hey, can we have your two-factor? And then if you type it in, they'll immediately log into your bank account and then change your password. You know, then they got you, right? Yep, but that is more sophisticated than a typical phish. That is a very sophisticated one, but they do exist. I haven't seen them necessarily in the wild, but I've definitely seen proofs of concept and such. Yep, most of the proofs of concept I've seen involve SMS, because it's just way easier to mess with SMS. I've seen similar stuff used for CAPTCHAs, where it'll try to log in, and because it's a bot, the CAPTCHA comes up, and it'll send the CAPTCHA to the person who's being phished to get them to solve the CAPTCHA for them, and then it will send the CAPTCHA solution, and now it's logged in even though it's a bot.
Yep. So I don't know what else there is to really say about phishing. Well, I think it's strange that, despite, you know, you think internet-savvy people, right, would know about phishing already, but actually this is the thing that comes up, like, at every job I've had. This comes up often. Like, the IT people are emailing pretty constantly, like, saying, hey, we noticed a phishing thing, don't click on this thing, everybody. We've seen an email that looks like this, don't click on it. Like, constantly, like once every week, couple weeks. Well, see, I work at a very much more sophisticated and larger organization that has much more... like, security is a big deal, so pretty much regularly we get a lot of emails that are fake phishing attempts, from the company. Like, they have this whole system. So your company is sending fake phishing attempts to its own employees. Yep. And if you click on one, you're in a lot of trouble. But I mean, the fact that it gets through the spam filter... Well, no, it bypasses the spam filter because it's coming from inside the house, on purpose. Right, but that's what I'm saying, is that it becomes sort of, now, like a standout in my inbox. Like, what the fuck is this weird thing in my inbox? Yeah, but at the same time, me, one that gets through... I would argue that savvy people, "what the fuck is this thing in my inbox" is, however, guard against almost any email. I don't trust email. But the fact that it came through, and it would need to have, like, lots of company, right. Like, if I didn't have a spam filter, then it would sort of come in and sort of look like everything else in my inbox and blend in with the crowd. If it comes in when I have a spam filter blocking all the other real phishing, then it now is, like, a black sheep in a pile of white sheep. It's like, what the fuck is that?
Yeah, but I guess it needs to be a white sheep to sneak past. But the thing is, it's not trying to sneak past, because the filters are already really effective, so stuff really doesn't make it through anyway. It's more just to, like, make people who aren't that good at this afraid of emails. Which, honestly, if someone can't figure this out on their own, the only alternative is to make them afraid of clicking on links in emails. That's good. Like, they have to actually be afraid of it, and then they won't click on them, and then they'll accidentally follow the rules we just provided. Mm-hmm.

I think spear phishing is the real, like, upcoming frontier, because... that I make a fake house that looks like your house where you live, and you put your key in the door, and now I copy the key and go open the door to your real house. That is... that I moved to another county, and then see all your stuff. You don't need to do that, because one, if I get even, like, one... because if I can pick up your house, I can smash the door down. Well, if I get one photo of your key, I can make your key. Don't let anyone see your keys, by the way. Yeah, like, don't hold your keys up in front of cameras. Nope. But even without that, bump key, it's like, people don't really realize how easy it is to pick a lock. I haven't, you know, I'm just trying to say... I can tell... I'm just saying, I can teach you, Scott, in about 10 minutes. I could learn from YouTube if I cared. It's a hobby of nerds that's just not mine. Yeah, the thing is, don't learn how to really pick a lock, just use a bump key. Just pop up on it, it just opens. Mm-hmm. You don't have to do anything. Some of them. Most locks, most locks on doors.
You could bump-key open pretty easy. Yeah. Phishing, I think it's growing to the point that... I think the reason I say spear phishing is actually a danger is that increasingly the sources of spear phishing attempts seem to be state-sponsored actors, like, targeting journalists, targeting researchers, targeting government officials. That is literally what happened in America in the 2016 election.

There is one other thing to discuss, right? You know how whenever you're in your browser and something's gonna go full screen, like you're gonna make a full-screen video, yeah, it's like, hey, do you want to give this permission to go full screen? It's always asking for permission for things to go full screen. And, like, in Windows, it's like, when the screen is locked, it makes you press Ctrl-Alt-Delete to, like, get past, right, and make the login screen come up, right? It's like, why? The reason it's doing all these things is to prevent full-screen phishing, because if you have an application that is allowed full-screen access to draw to all the pixels on the screen, I could just redraw all of Windows. I could redraw your entire desktop, and I could have some app, and you think you're just using your computer, but actually my app is full screen on top of all your other apps, eating all your keyboard commands, right, not letting you actually get to your real apps behind me, just pretending to be your real apps behind me and capturing everything you type in. You're typing into my evil app that is full screen. Full screen is real dangerous, and that is why your computer always asks for permission to let things go full screen, and you should think more about what you let go full screen. If you let websites go full screen that shouldn't be, you could be in a world of hurt. And the reason Windows makes you press Ctrl-Alt-Delete to get the login screen to show up is because if there was some sort of fake login screen, right?
That was actually... remember the thing I said in the very beginning, the first phishing, arguably, right? If there was a fake login screen and you pressed Ctrl-Alt-Delete, on Windows that makes, you know, the things happen that happen when you press Ctrl-Alt-Delete, right, and that would get you around it and make you suddenly realize, hey, wait a minute, there's an app running that looks like a login screen that happened to be full screen. What's up with that? Whereas the Ctrl-Alt-Delete always goes... gets sent to Windows around any kind of app, even if it's full screen.

But seriously, I cannot stress this enough. All you need to do to never be caught by phishing is to never click on a link that gets sent to you by anyone, even if you think that is a legitimate source. And if you click on one of those links, like... let's forget, we're not talking about malware deployments or malware payloads. We're just talking about phishing. So if you click on something and it takes you to a login screen, don't log into that. Like, don't type in... Unlike malware, right, which will only hurt you... like, you could click on a file and get hurt, right. Yeah, it's like, you're not gonna get hurt by phishing unless you type in your real info. Like, you can go to the phishing site and, like, look around as long as you don't type in, like, your social security number. It's not gonna hurt you. Granted, the phishing site may itself have, like, a malware payload. Who knows what else it's doing. Don't go to those sites, right? I mean, unless you got, like, a secure sandbox virtual machine or a spare computer with nothing on it. Yeah, you know, something like that. But yeah, just don't type anything in. That's the real... All right, I think we're done.