
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Cybersecurity News: E-Z Pass Scam, Dead Internet Theory & $16.6B FBI Report
Join The Audit for a news-packed episode as cybersecurity expert Matt Starland recounts a chilling near-miss with an E-Z Pass phishing scam—received just minutes after renting a car in Florida. His close call highlights how scammers exploit timing and context to deceive even seasoned professionals.
In this episode, we discuss:
- How a security pro nearly fell for a perfectly timed phishing text
- The FBI’s 2023 Internet Crime Report and its $16.6B warning
- Why nearly $5B in losses hit Americans over 60—and why many stay silent
- The psychological barriers victims face when reporting cybercrime
- The rise of the “Dead Internet Theory” and AI-generated online content
- How Meta and others are blurring the line between real and artificial
- Practical ways to spot AI-generated interactions
- Why maintaining human connection is key in the age of AI
Don’t miss this timely conversation packed with real-world insights and strategies to help you stay secure in an increasingly digital (and artificial) world.
You're listening to The Audit, presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer, and we have the usual suspect, Eric Brown, Managing Director at IT Audit Labs, joining us today. How are you doing, Eric? Doing great. Busy week, but doing good. I know you're busy. Thanks for taking the time to hang with us today. And then we have Matt Starland. Matt, how are you doing? Thanks, I'm doing well. Thanks for having me. It's been a few months since you've been on the podcast. I'm glad we roped you in. Usually we have Nick, but Nick's tending to other things that are important as well, but we're glad you can be here.
Eric Brown:Probably picking up another cat.
Matt Starland:This is a better looking face, isn't it, than his, you know a little bit more clean shaved, we won't go there.
Eric Brown:But you know, that's funny because I did say to Nick, um, we've got this competition that's coming up, um, here in a couple of weeks, and Nick and I are on two different teams and it's a capture the flag event and I said to Nick, how confident are you that you're going to be able to beat the team that I'm on? And he felt pretty confident. So I said, how about, if you lose, you've got to shave off half your beard? So he wasn't that confident.
Matt Starland:Yeah, you could do like a two-faced look. Shave half his beard here, then shave the other half of his head there. So it's just, you know, kind of like a checkerboard, you know, different.
Eric Brown:So I, we did a dry run last night and it didn't go well. We, uh, we jumped into this competition and most of the team wasn't there. It was just myself and one other guy on the team and I think out of a possible like eight or nine hundred points in two hours, we got a hundred points. So, Matt, the door's open if you're, uh, joining Nick in that event.
Matt Starland:Yeah, I mean you could, you could make me a, you know, a plant. I could plant, you know, plant myself in there, and with the right, maybe, sum of money, I could put a little booby traps or something.
Joshua Schmidt:I think that's what we should do for our next game night, Eric. We should put a little money down.
Eric Brown:Sounds good to me.
Joshua Schmidt:Make it interesting. Or we can shave eyebrows. Just an eyebrow, Just one Half beard other eyebrow, other side of head. There you go, go right up the face we we do have the tattoo machine yeah, well that you know you can tattoo a wild curly eyebrow or something you know once you show permanent is this permanent tattoo machine, or is this?
Eric Brown:It's the temporary one. The Prinker from, um, what's the event in Vegas? The CES. When I went to CES a couple of years ago, I picked one up.
Joshua Schmidt:Nice, nice. I've not seen that in action yet, so I'll be looking forward to a demo on that one next time I see you at the office there. Let's jump right in here. We all picked out an article today, and the first article we're going to start with, Matt's article. This is the E-ZPass toll payment text return in massive phishing wave. This is from bleepingcomputer.com.
Joshua Schmidt:I don't know about you guys, but I have gotten many of these, so maybe you have some tips on how I can get away from this phishing scheme. But an ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information. The messages embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike and other toll authority that attempts to steal their personal information, including names, email addresses, physical addresses and credit card information. And this is a great example of what they look like. Lord knows, I've seen these pop up. Have you guys seen these pop up? Uh-huh. Is there any, let's just start with the tip. Is there any way to get around this or avoid these types of phishing scams? Blocking numbers doesn't seem to work.
Matt Starland:I mean, they'll just keep randomly generating different numbers, different email addresses. This is, it's the new vector. I shouldn't say it's not a new vector, it's just another vector that historically hasn't really been used before. You know, we've always seen these phishing emails for years, and it seems to be in the last I don't know what, five, 10 years or whatever that malicious actors are now thought of, hey, guess what? Let's use this other threat vector to try to sneak something in that is known of good use, of everyday use, for productivity purposes. And how can we get the person to click on it and open it up? Because, guess what, most people and even most organizations don't have protections on devices that's going to stop or filter this type of stuff out.
Matt Starland:I can't think of something that they're going to easily be able to do that's going to really help filter this out.
Matt Starland:I mean the, if you're technical and maybe a, like a Proton VPN or a NordVPN might have some sort of, uh, you know, malicious filtering on this, because, guess what, you're going to tap on this and then it's, do you have some sort of a proxy or barrier mechanism, like a firewall, that's going to help figure out, is this a malicious URL or link? A lot of organizations, um, you know, while they have their enrolled workstations, desktops, servers behind some sort of a firewall, that might not always be the case with mobile devices like a smartphone like this, and usually the best way to do it is probably set up a VPN on them, so they're always flowing through some sort of a firewall that has some sort of URL filtering. So, from the home user perspective, if you've got some sort of a URL filtering mechanism through your own home firewall, you could VPN in from there, but that's not something most people have, or wouldn't even know how to even set up.
Eric Brown:You could do a couple things, I think, Matt, and none of them are perfect. One would be signing up for the Do Not Call Registry, but again, that doesn't necessarily stop a criminal from using your phone number even though you've opted out of solicitations. It's kind of like putting up a no soliciting sign on your front door. Or you used to go into convenience stores and you'd see the sign on the door that says, you know, no shirts, no shoes, no service. That, you know, doesn't always stop people from going into the stores without appropriate attire. Same thing here.
Eric Brown:Signing up for the Do Not Call Registry keeps the honest telemarketers honest, but the quick thing you could do is actually just log into your E-ZPass account and see if there was a balance due on it, so you could manage the account that way, not going through a link, which, Matt, that's the same thing that we would recommend for people anyway, if you're getting a call or an email that's requesting something of you, to actually just go to the real website to log in.
Matt Starland:And that's a great point because that goes back to just good old general security practices. It's, you know, defense in depth, having different layers. So one, you've got the training, the human being, making sure that they're aware and how to handle the think twice about the things that are coming in through channels that are normally used for product production purposes, you know. And then you have the technological layer of do you have something to help filter out for that one event that you did get socially engineered to maybe help protect you? And then do you have anything else then watching your device, you know, to protect you, almost like an endpoint protection kind of thing. And when you say, when you talk about the, you know the training and being on the lookout and watching this, and this is why I picked this one. I was this close from clicking on this. Here's the reason why it's not. You know, I get all sorts of things like this all the time. You know all in there, and then it's coming for different names that I don't. You know they're trying to contact somebody who's doesn't even have that name on that phone number, and sometimes they get my name right, but something I didn't sign up for. So my family and I went down to Florida about a month ago and I had never received one of these texts. So we get off the plane, had our car reservation and everything, getting ready to explore Florida during spring break, which is, if you realize, too, that's when all of this started flooding out during a spring break. So they timed it right. These malicious actors knew what time of year it was and when all the schools were going on spring break and all the family members, so they timed it right.
Matt Starland:We get off the plane, get to our car. You know, your car rental place, waiting in line. Okay, fill out the paperwork. Got everything good to go. Within 10 minutes, my phone gets one of these, 10 minutes after I signed all the paperwork, and I thought, oh crud, did I forget to give them something? Because one of the things they asked at the car checkout was, hey, do you want to sign up for the E-ZPass tollway system so you don't have to pay each time? Yeah, yeah, yeah, sign me up. Do all that. So I get this text.
Matt Starland:I look at it, I'm like, oh, did they screw something up on my enrollment or whatever, you know? And so I'm sitting there looking, though this goes from a training, even being cybersecurity professional, you know, all the things we learn and do, and I'm like, it just seems too generic, though. There's no, hey, Matt Starland, hey, uh, your account, the car, you know, there was no details that were unique about my enrollment that literally happened 10 minutes, 10 minutes before I got that text, and so I thought to myself, you know what, I'm not, I'm just gonna let this go, and if I get any more calls or texts, you know, maybe I'll, uh, look at it closely again.
Matt Starland:So, again, six hours later, got another one, and but it was the same thing, very generic, and you know. And the first thing I thought to myself was you know, maybe I'll just call, call up a number that I know that's associated to the car rental place and to ask them hey, is this something that you guys would be sending out, or is this something that you forgot to enroll me in? What's going on here? Or two, I was on vacation, I didn't care, you know what. They can bill me later or figure this out when I return the car.
Eric Brown:And so I took the latter approach.
Matt Starland:No, I don't wanna mess with this now. I'm on vacation, I'll deal with them when I get back. And then, after going through those three, four days and I talked to some other people, like, yeah, I'm getting all these E-ZPass things too, I was like, wow, OK, so they, these malicious actors, knew what time of year it was and just nailed everyone, shotgun approach, hoping, you know what? We're going to cover 100,000 people. Guess what, if we get 0.01% to click, we're going to get still a decent amount of money off of this. And so why try to target when we can just make it sound really good? And I was close, close to falling for it, and it was mostly because of timing. Timing was key.
Eric Brown:Yeah, that's what we're seeing. We see that with the tax returns as well, right? In that tax season, an increase in that type of activity. And then towards the end of the year and the holiday season, we see the UPS package alerts pop up. It's all about the timing.
Eric Brown:They're getting more sophisticated where they know that there's going to be some sort of filtering involved or the threat actor. When they build these applications they're assuming that they're going to go through some form of scrutiny. And we see it on the email side as well, this one here. If you were to exploit this on a computer it wouldn't take you to that E-ZPass page, but from a mobile device it does right. It knows the type of device that you're coming from.
Eric Brown:Unless you spoof that on a computer you're not going to get to the same thing as you would on the mobile device. And we see the same thing in email. The tools may, or the URL, the malicious URL, may be dormant for a period of time, knowing that it's got to go through the inbound filters. And as long as there's nothing behind that URL, the filters are going to assume it's benign and then it's activated post delivery. And the other thing that we've seen are malicious accounts that when they go through the sandbox environment it knows it's in a sandbox environment, not on a user's workstation, because the sandbox environments kind of all look the same.
Eric Brown:They're designed to detonate these URLs in a controlled environment and it's a virtual machine with very little memory or very little processing power dedicated to it, so it can fingerprint the machine that it's on, know that it's not on a user's workstation and then not detonate. So those are pretty cool ways that it's looking to get around the controls that a lot of companies have in place.
Matt Starland:And you throw AI in the mix and AI is going to generate these to be much more timely relevant.
Joshua Schmidt:Timely personalized perhaps even personalized.
Matt Starland:Now you know, now the big thing for me is, if it sounds too professional, I don't want to click on it, because nobody talks like that. Yeah, maybe the AI will start to incorporate some kind of OSINT on your social media and hopefully, hopefully not anytime soon.
Joshua Schmidt:But this one didn't get me because we don't have tolls in Minnesota, right? We do have that fast pass, um. So I did do a double take. But yeah, I think another really interesting part of this article that I was picking up on was this phishing-as-a-service platforms like Lucid and Darcula. I haven't heard of those until I read this article. Have you guys been hip to that and how that's changing, kind of changing the game?
Eric Brown:No, but I was to just echo your point. I was just going to show you. I got a USPS text at 8:44 this morning about my package that can't arrive and that I would need to respond with "Y", then exit the text message, open it again, click on the link, copy it into your Safari browser and open it. Right, so I don't probably can't see that on the camera, maybe, but yeah, it's, this one came from a hotmail.com address.
Joshua Schmidt:Oh, hotmail. So that's how you know it's professional and from the post office. I'm surprised it wasn't AOL. Yeah, hotmail. The USPS is using Hotmail these days. Huh, they're getting doged right. Yeah, the budget's getting tight there. Someone traveled with their DeLorean back to 1995 and spun up a Hotmail account I'm assuming that these services are online and available and raises the question why they're allowed to operate if they're seemingly only for nefarious purposes. But we'll have to shelve that for a different day and do another deep dive. We should do a deep dive on.
Eric Brown:They're probably using Evilginx as the back-end platform for bypassing and stealing the MFA tokens, but we're actually, we've got an Evilginx environment here that we're spinning up for research purposes, of course, so that would be a fun one to dive into as a deep dive. Yeah, and while we're live here, that's a great suggestion, and if you have any other suggestions for topics that you'd like us to cover or news articles, drop us a note.
Joshua Schmidt:YouTube or LinkedIn, or send us a message. We have a website that's being revamped. You can check us out there too and also sign up for information like this, so check that out: itauditlabs.com. Again, one of our favorite outlets. FBI: US lost record 16.6 million to cybercrime in 2024. Cybercriminals have stolen a record 16.6 billion in 2024, making an increase of losses over 33% compared to the previous year, according to the Bureau's annual Internet Crime Complaint Center, that's called IC3, report. The IC3 recorded 859,532 complaints last year, and that was amounting to an average of $19,372 a loss. Of course, we all probably anticipated this next paragraph. The most impacted group is older Americans, especially people over 60, who filed 147,000 plus complaints linked to approximately 4.8 billion in losses. So as these tactics become more and more prevalent and more sophisticated, what's the messaging for our family members, especially, you know, seniors, around receiving these things and how to interact with this type of content?
Eric Brown:Josh, this one really is. It's disappointing, it's painful, it's you know, it's all the things.
Eric Brown:and the number is probably low right, because this is only on people that have reported the crime.
Eric Brown:I was just at an event in Chicago earlier the week and I was at a dinner afterwards and the topics turned to information security, and one of the people saying that their grandfather was impacted by something like this and they had lost, it was tens of thousands of dollars, and the grandfather had finally reached out to the person for help because I think at that point they didn't think something was right, like the threat actor had continued to ask for more money, you know, where it might start of like, you know, 500, you know, to get in on something that's too good to be true, and then another 2000 and so on and so forth. But the person finally reached out to the person who was with me at the dinner and unfortunately the grandparent was kind of embarrassed by this, so was reluctant to share a lot of information after it was confirmed that it was indeed a scam, and the grandson didn't know if the grandparent had actually gotten back any of the money. Didn't think that they did.
Eric Brown:But it was really hard to hear those sorts of things, especially as people who are older are probably not working and probably on a fixed income, and that's going to be really impactful for them. So, to answer your question, Josh, I think the one thing that we've got to do is we've got to talk about it, any opportunity that you can where we really, just Thanksgiving table, birthdays, anniversaries, anytime the family's together. You know, you don't have to get out a cybersecurity book and start preaching, but just to talk about it and say, you know, this is real, right, this is happening, this is in the news, here's what we need to do, and just, you know, quick and impactful, and just, I think, almost every time you have that conversation or you're able to interact with them, just to bring up something, so that it's top of mind.
Joshua Schmidt:My family can attest. So yesterday was my two-year anniversary at IT Audit Labs and so my family can attest that I've now become that person at the dinner table and preaching the gospel of cybersecurity to anyone and everyone that will listen. Recent breach or did you hear about this recent phishing attempt? Or this AI voice taking over people's phones and convincing them? Because I think we all know people that have been a fallen victim to these types, whether it's hijacking your browser with the flashing warning sign and the loud noises or a phishing call.
Joshua Schmidt:One tip I would have is just to normalize that. People fall victim. Even Matt Starland, the mighty Matt Starland, can fall victim to an E-ZPass phishing text, texting attempts. So I think, because some of these people are so embarrassed, right, that they fell victim or they gave away some money, so it just kind of reinforces the insidiousness of it because they're afraid to talk about it. So then it kind of just keeps the wheel turning. I think we need to be easy on people and just be supportive and have them be open to talking about it, so we can spread the news.
Matt Starland:I do want to say I didn't fall, I wasn't, I didn't, I didn't, but it came close. But it came down to good training. So, and 'cause that's exactly what the same article is about, you know. So, whether it was using a vishing, you know, getting called through a phone and somebody impersonating a U.S. Bank, Wells Fargo, whatever it might be, and saying, hey, we found these charges or whatever, and then try to get more information out of you.
Matt Starland:I think the lesson learned here would be, for those family members, is don't expect your institutions that you deal business with to call you and start asking for more details. If you ever get that phone call or text, hang up, don't respond, and instead go find what the actual support number is. You know, look up the actual website. If you're a U.S. Bank, you know, go to usbank.com or do a Google search for the right one. Find what that customer service number is that's posted publicly, you know, from their legitimate website. You know, you do your own search and come to that website. Then call them up and ask, hey, I had a representative contact me. Did you guys actually have something on my record that you need to get a hold of me on? So don't respond to the anonymous callers. Instead, you be the one to take the initiative in action and then follow up with a more legitimate phone number that you're able to look up or search on your own and not being provided by an anonymous person calling.
Eric Brown:Matt, I had one the other day where it was an obvious phishing call. Right, I didn't recognize the number Answer the call because I wasn't quite sure. I was kind of expecting a call, but I didn't know. But right away off the bat I could tell it was going to be a phishing call. It sounded like it was going to come from a bank, right, they were calling from I don't know some financial institution that I hadn't heard of. They said that the call was going to be recorded and I was like, oh, that's a good idea, I'm going to record this because this would be great material for the podcast. Right, I'll replay it on the podcast.
Eric Brown:So we have the ability on, if you have an iPhone, to record the call now. So I hit the record a call, but unfortunately the iPhone announces well, fortunately in some cases. Unfortunately in this case, it announces and says this call is going to be recorded. As soon as it made that announcement, the guy just said thank you and hung up. So I know it was you know a fake call but that would have been a fun one.
Matt Starland:So now you're going to have to have two phones with you at all times and turn the recording on. You know, kind of, do one of these things, hold it. You know, be that person, but it would have been fun to hear you try to reverse phish them, give them next info, yep.
Joshua Schmidt:That's great. Yeah, this dovetails, and once again it's flowing right along right into the article that I picked out. You guys got your tinfoil hats ready today. All right, you got one already Ready.
Matt Starland:Yeah, I got to go to the kitchen and get the.
Joshua Schmidt:Yeah. Well, this is kind of in that zone. I'm gonna start here in the middle of this article, but I guess we'll shout out computerworld.com. This is an article about Meta puts the dead internet theory into practice. This is a bit dated, the article, but I still think it's very relevant. Have you guys heard about the dead internet theory? I have not. Okay, well, it kind of breaks it down right here.
Joshua Schmidt:It's a belief that most online content, traffic and user interactions are generated by AI and bots rather than humans. As a business plan, instead of a toxic trend to be opposed. If we think back to, like, the Wild West days of the internet, when it was, you know, just so random and, you know, the graphic design was way off and it was, you know, Windows-based stuff and it was so exciting, right, and you didn't know what you were going to find. You'd click on a link and you would, just, it really felt like you were exploring something. I mean, there were some really crazy websites back in the day, uh, that we get talked into visiting, you know, computer, uh, rotten.com, things like that.
Joshua Schmidt:That nature, 4chan, you know, kind of popular, popular, popularized all this craziness, right, and it kind of put it all in one place and then we still have elements of that on the you are that can take effect. So I think that's what's really been the driver of this kind of a theory. And then, you know, things like this, Mark Zuckerberg, you know, he never said no to a bad idea. It seems he's putting some of this into practice here by adding AI bots to, I haven't come across this, but apparently adding AI bots to Facebook interactions or any Meta-type interactions to try to drive engagement.
Joshua Schmidt:The article says the company plans to host millions of billions or billions of fake AI-powered users. It's being rejected by real users. No surprise there. Don't follow Meta's bad example. Obviously we have a little bit of a bias here, but it goes on to say Meta's mission statement is to build the future of human connection and technology that makes it possible. But what it's really putting time and energy into is some of these projects, like the fake celebrity project. This is not something I was aware of, once again, but let me know if you've seen this. In September 2023, Meta launched an AI chatbot featuring celebrity likenesses, including Kendall Jenner, MrBeast, Snoop Dogg and some others. So yeah, by no surprise of me, this was rejected by users. No one wants to talk to fake Snoop.
Eric Brown:And we've seen fake influencer.
Joshua Schmidt:So have you guys run across this at all? I had a call, I guess, with a support I can't remember the company it was just a couple of weeks ago, but it's escaping me where I had a call, a support call, with a bot and it actually went really, really well and I actually preferred it over the typical customer service experience because I didn't have to wait for the line to open up and the bot was fairly adept at answering my questions and kind of got to the bottom of it a lot quicker than I would have traditionally.
Eric Brown:Matt, I know you've got something to say here, but I wanted to just jump in on that one. Sorry. Back in the day, and I'm going back into like the late 90s, I'm trying to remember who it was.
Eric Brown:But when you made a support call, it was to a relatively large company at the time I'm going to say NetApp, but it wasn't NetApp, but it was something like that where you call in for support, they actually had a DJ on and while you waited you could request different music, right. So it's kind of cool, kind of kitschy for them at the time. But wouldn't it be cool if you could request a bot personality, like if you wanted a Snoop Dogg bot that you're going to interact with? You know, when you call Delta to, you know work on your ticket or whatever, and you know you're going to be routed to do an AI agent. Wouldn't that be cool if it was like if Delta licensed Snoop Dogg's likeness and you could chat with Snoop Dogg as your support agent? Matt, that's a million-dollar idea right there. We should run with it.
Matt Starland:You're already behind the times, man. Garmin already did this. Garmin did this with the different voices you could download years ago where you could get Samuel L Jackson to narrate where you're going. I mean, the guy was cussing me out left and right on, trying to tell me what to go left and right, and I didn't appreciate it. So we started getting into a yelling match. But I don't know if that was, that probably wasn't very healthy.
Joshua Schmidt:But yeah, so it's like. So I see that.
Matt Starland:Garmin. Now, that was before the AI days, you know, that was just already a pre-programmed voice. So I thought of two locations. One movie, Ready Player One, or the book, where, you know, you plug into the digital world and you've got NPCs, non-playable characters, walking around that you can interact with. What was the, the archives? Or the library archives, the search for the founder of that world and who's talking to, uh, you know, an AI chatbot helping them figure out where all these video recordings and life things were, and so it's like, wow, I didn't realize we're there already, but I just experienced this week.
Matt Starland:So Amazon, uh, I had a package shipped. Um, said it was delivered. I'm looking around, nobody delivered on my porch. Checked my mailbox and it said it was put in my mailbox. Now we have mailboxes that are locked, so it's like nobody stole it out of my mailbox, so clearly that they put it in the wrong one and somebody else has it. So I waited for a few days just to see if it show up, asked around, uh, on Facebook or whatever, hey, any neighbors, did you see something show up for me that from, you know, Amazon, whatever, and never heard back.
Matt Starland:So I waited for a few days and, um, so then I reached out to Amazon and went to their customer support and it was an AI bot. Um, pretty much, hey, what can we help with? And the conversation was just so fast and quick and I, the thing that amazed me, though, I wanted to do a replacement, but I was like, well, it just hasn't come yet. You know, which, what do you want to guide me to do? Because I don't want to be, I'm not trying to steal, say it didn't show up.
Matt Starland:And here it's sitting on my front porch. I literally, it didn't show up. How should we take care of this? And it's like, you know what, no worries, Matt, we'll take care of it. We got another one out to you, whatever, blah, blah. And I'm like, that's amazing that AI, they had already programmed it and had appropriate methods built in to even remediate the problem for me, not kind of triage, a self-help, have you tried this, have you tried that? And then, oh, we hit my limits. Let me pass you on to a human to figure out what is the best scenario. They had already pre-programmed it based on certain contexts that it could take an action for me. It did the refund, or not refund, but it sent out a new one and everything, and, to Josh's point, the interaction was amazing.
Eric Brown:There's a pretty cool AI voice, conversational voice tool. It's called Sesame, and I get sesame.com, and it's right now in demo mode. You can go and you could choose Miles or, I think, Maya are the two voices, and then you can just have a conversation with that AI bot. But it sounds very conversational. It adds ums and ahs and it has different inflections and it's only in demo right now, so it's pretty limited in what it can do overall, like it can't search the internet in real time.
Joshua Schmidt:Very easy to talk to someone like that. I think that is kind of why I brought this article up. So I think customer service is a great use for AI. It's not probably a job that people really enjoy. I know they take a lot of heat, those people on the customer call centers. It's probably a high stress job. But the dark side of things we've had the lowest birth rate in like, what, forever and ever, and we have people that are more isolated than ever. And my concern, and maybe it's yours as well, that people really lean into this and be even more isolated and really stop interacting with other people because the bar of entry is just so low. You don't have to leave your bed, let alone your house, or go to a social situation and be uncomfortable. Right, you can just kind of stay in your pajamas and get all the socialization you need. You put on your Apple Vision.
Eric Brown:Pros and, all of a sudden, the four walls that you're around you can be anywhere you want yeah.
Joshua Schmidt:I mean, it sounded like that's something we wanted you know back in the day. Once, getting back into the 90s. That sounded like an awesome future, but I think the closer we get to it, the more it seems dystopian to me. I don't know, what's your guys' take on that? I mean, we have guys that are having you know AI girlfriends. We have that's really taking off in popularity and yeah, I just I worry about how that's going to affect our kids and things like that, and even ourselves.
Matt Starland:Yeah, it's, you know there's, I think, technology. There's goods to the technology and there's bad to the technology. You know, you look at the Internet and there's a lot of dark side to it. There's a lot of good that's come out of it and I just hope that it's, and pray that it's the same thing with some of this too, that there's other more positives that come out of it.
Matt Starland:But I have the same kind of dystopian mindset to Skynet. Oh man, AI is going to take over, kind of thing. You know, not that it's to the point of where it's worrisome, but it's. It starts to pop into the back of your head and you're like are we getting there? It's kind of weird. But then at the same time too, it's like, you know, look at the Internet, this, the amount of information, the knowledge sharing, things, technology. And you know there's a lot of goods that have also come out of it too. So you know it's. I guess time will tell, but yeah, I look at what you're talking about. Almost sounds like Ready Player One. Throw the Google or the Apple eyes, whatever the vision on it.
Matt Starland:There you go and the world is burning around you, but it's real cozy in this virtual space though. Um, yeah, I, I do, you know, I, I do want to. You know, this is this is new to mankind. This is a very new territory that we're starting to treading. You know, for thousands of years, mankind has always or humankind has always, you know interacted in person, communities, fellowship, and so we're definitely treading in new areas and there's definitely new studies coming out. This is why, like we see now, social media getting banned for certain kids a certain age, because look at the, the, the findings that are coming out of it.
Matt Starland:So sometimes technology moves so fast and we didn't think about should we have done it. It's kind of a reminder. I think there's a Jurassic Park quote, you know where, uh, they talk about yeah, it was there. So we stamped it, we put you know we, we did it, we fit it and then we just let it do its thing. Versus should we have asked ourselves first, should we have gone down this route? And sometimes, you know, you follow the quick buck.
Joshua Schmidt:Sometimes the technology was a quick buck and we didn't think twice. Yeah, we were so busy thinking whether we could, we didn't stop to think we should. Yeah, exactly. And so, I don't know. Inversely, though, I could see this solving a loneliness problem for senior citizens, for example.
Joshua Schmidt:I don't know if that's, the jury will be out for a while and whether that's a healthy way to get interaction with human or human type interaction. But you know, if you go on to read the article, you can really see that people are really pushing back against this in certain contexts, especially social media, and the art world has gone crazy about all the images being generated and people saying that's not real art. And it's a valid argument, you know. But it is changing so fast where we're going to have to try to stay ahead of it. But, Eric, I know you're a big adopter of AI and you've been even doing some education around that to stay on top of things. Where do you see this going or what's piqued your interest lately?
Eric Brown:Well, I saw a real example of this quite recently as we were working on a redesign for a website and, as part of that process, working with an SEO firm, and the SEO firm makes suggestions on things that you can do technology-wise within the website in order to get higher search engine rankings right. And the search engine rankings are all calculated through bots and through automation. It's not humans that are ranking these things, but it's spiders and other technology that's crawling websites. So we're essentially using technology to create technology that is then viewed and scored by other technology. So that the article was very poignant in that there are bots already out there talking to bots and it was like, as we went through it the exercise of the website redesign and everything it was just a moment that I had for pause of wow, now we've got to spend cycles thinking about how we get automation to train other automation on where the site should come out from a ranking perspective.
Joshua Schmidt:For people interacting with AI, especially when it comes into the context of phishing, vishing, all that, squishing, all the ishings, what's squishing? Isn't that one? Or is that quishing? There's quishing and then there's smishing. This should be squishing. I'm going to use that one for four, four square, whatever that.
Joshua Schmidt:That old Tumblr. So here we go. Be skeptical of perfect content. You know I think Matt was alluding to that when he was reading his text it was just like a little too squeaky, clean, very corporatized. I think we can develop a sense of what is AI and what's not AI and I think, to your point, Eric, just immersing yourself in the technology is another tip that I got here in my research of how to identify what AI content is right. If you're not using it and you're not seeing results from your own interactivity, it's a lot harder to develop a nose for what type of content that AI is generating. But I've spent quite a bit of time on Midjourney recently and just by interacting and generating some content I've already got some other insights and some better insights into what that's doing there and maybe how to identify it. Not a perfect process, but it helps.
Eric Brown:Is Midjourney still kicking out humans with multiple fingers? It had a hard time getting the fingers right for a while.
Joshua Schmidt:The fingers are a big problem. We're on version 7.0 now and it's gotten incredibly powerful, and then you can dump it into other apps and things that will animate the photo, so we can take it a step further and create videos out of static images. But, yeah, the fingers seem to be solved. I'm sure there's still some hallucinations floating around, depending on the image and what kind of prompt you're typing in. I think when you're typing in a photorealistic image, that's still probably harder than whipping up a Boho or an Andy Warhol design or something like a comic book. I think there's a little bit more room to wiggle there for the AI. Don't be afraid to mute and block AI slop.
Joshua Schmidt:I don't know if you guys have come across this on YouTube, but there's just a proliferation of channels now that are AI content generated. There's even music channels that are 24-7, streaming with AI generated lo-fi hip hop beats, which they can't copyright because it's all trained on copyright material. But you can upload it to your YouTube channel and then generate a thousand, uh, you know, AI images and then have those kind of scrolling through as you're listening to music and you can capture a monetized revenue from the interactivity there. So, um, yeah, I was even telling Matt about, uh, brain rot where we're getting hip to skibidi, so, uh, we'll have to come back around on that one too. But, uh, don't be afraid to block that stuff and I think, as always, just be paying attention to what your kids are doing on there. Do you think of any other ways that we can protect ourselves from kind of the frontier of the AI revolution?
Matt Starland:I think besides you know, where you talk about paying attention to what your kids are on, though, too, but also teaching your kids, you know it just goes back to the same type of user training that we're talking about, for you know security and stuff. So and I don't mean teaching your kids to be secure, but just how to be respectful you know how to be mindful of things out on the internet like that, and I know that's hard, but I've come across some books out there about, you know, talking to your kids, about talking to your teenager, about social media. You know.
Matt Starland:You know, before the days of social media, when you had gossip stuff going around high school or middle school or whatever, you know it might make it to a certain extent, and then new news comes up and everyone forgets about it. Whatever, you move on and you can stay away from those people. But now, with the social media days, once you post something, expect it to be there for the rest of your life, and so I would say you know, make sure to be mindful and talk with your kids about those types of things, and you know it's just. You know whatever you're going to say is that something you'd want your parents to hear you know or somebody you respect and you want to think less of you. So don't be posting things like that on the Internet and you know, just be, you know respectful of each other, so be careful.
Joshua Schmidt:One of my favorite pieces of advice was from a guest we had probably 20 episodes ago, named Andre Champagne, and one of his suggestions was to keep the devices in a common area in the house. Don't, don't let your kids lock themselves in the room with a personal computer or even a phone. Have that out in the open and yeah, and then just be transparent. But I think those, uh, prioritizing a human-to-human interaction and then training your digital intuition, keeping the lines of communication open, are super important and go for hikes and camping, get outdoors and leave the electronics behind.
Matt Starland:I like learn how to socialize again. Maybe we do an IT Audit Labs.
Joshua Schmidt:Hike, Eric, we could do that. I could see. I could see you die inside a little bit.
Eric Brown:Mission accomplished.
Joshua Schmidt:Well, I don't think we're getting Nick today, fellas, unless we have anything else we want to add. I think it's been a really fun conversation. Thanks again, Matt, for joining us. Thanks, Matt. Thanks for taking time.
Joshua Schmidt:I know you're busy, so always a pleasure to be chatting with you guys about cybersecurity. We're going to see you guys in a couple of weeks. Game night, right? I'll be there, man. Awesome. Yeah, and like, subscribe and share. Drop us a comment and we will try to be doing this again in the near future. We are whipping up some stuff that might be coming up on LinkedIn or YouTube in the future, so give us a follow, if you're not already, and subscribe to our YouTube channel. We're also on Spotify with video. We have full episodes every other week, and we've been putting up some Flipper Zero and some fun tech videos in between, as well as shorts, so check us out. IT Audit Labs. You've been listening to the Audit. My name is Joshua Schmidt, your co-host and producer. We've been joined by Matt Starland, our guest today, and, as always, Eric Brown, our managing director. Thanks a lot, fellas. We'll see you soon.
Eric Brown:You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio-video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.