The Jordan Harbinger Show - 1247: Eric Cole | Protecting Ourselves in an Age of Cyber Crisis
Episode Date: November 27, 2025

Our digital lives are under attack from every direction. Cyber Crisis author Eric Cole breaks down the threats and shows how to stay one step ahead! Full show notes and resources can be found here: jordanharbinger.com/1247

What We Discuss with Dr. Eric Cole:
Cyberattacks now happen constantly as AI automates phishing and vulnerability scanning against individuals, small businesses, and major institutions.
Criminal operations abroad run like full corporations: thousands of employees, millions in revenue, and no risk of prosecution due to weak or nonexistent extradition.
Critical infrastructure often uses outdated, insecure systems, allowing adversaries inside power grids and networks long before an attack becomes visible.
Devices, apps, and "free" tools routinely track conversations and behavior; even smart speakers have been used as evidence after recording private moments.
You can dramatically reduce your risk by treating security like investing: assess the benefit vs. the exposure, minimize downside, and adopt simple, deliberate habits.
And much more...
Transcript
This episode is sponsored in part by Conspirituality Podcast.
You know how I'm always talking about critical thinking and spotting manipulation?
Well, there's a podcast that's all about dismantling new age cults, wellness grifters, and
conspiracy med yogis, basically the wild overlap of spirituality and misinformation.
It's called the Conspirituality Podcast.
The hosts, a journalist, cult researcher, and a philosophical skeptic, dive deep into how
this stuff spreads, from Project 2025 and the Heritage Foundation's dystopian vision of the future
to how former leftists get pulled into far-right conspiracies.
An interesting episode to check out is called Speaking Truth to Goop,
where Jen Gunter breaks down the pseudoscience behind the wellness industry
in a way that is super entertaining and eye-opening.
It's sharp, funny, and makes you a lot harder to fool,
which, if you listen to this show, you know I'm all about that.
From exploring cults to analyzing our cultural and political landscape,
the Conspirituality Podcast will help you stay informed
against misinformation and resist fear tactics.
Find Conspirituality on Apple Podcasts, Spotify, and wherever you get your podcasts.
Welcome to the show. I'm Jordan Harbinger. On the Jordan Harbinger show, we decode
the stories, secrets and skills of the world's most fascinating people and turn their wisdom
into practical advice that you can use to impact your own life and those around you. Our mission
is to help you become a better informed, more critical thinker through long-form conversations
with the variety of amazing folks, from spies to CEOs, athletes, authors, thinkers, and performers,
even the occasional journalist-turned poker champion, Fortune 500 CEO, arms dealer, or drug
trafficker, and if you're new to the show or you want to tell your friends about it, I suggest
our episode starter packs. These are collections of our favorite episodes on topics like
persuasion and negotiation, psychology, geopolitics, disinformation, China, North Korea, crime
and cults, and more. That'll help new listeners get a taste of everything we do here on the show.
Just visit jordanharbinger.com/start or search for us in your Spotify app to get started.
Today on the show, we're talking with Dr. Eric Cole, cybersecurity expert, former CIA,
something or other, and a guy who probably looks at my phone the way a cardiologist looks at a
bacon cheeseburger. We're getting into the stuff that doesn't make the news because apparently
a Kardashian wearing a hat is more urgent than foreign adversaries chilling inside of our power grid
like it's an Airbnb. We'll explore why a cyber 9-11 is not a Tom Clancy fever dream,
how the systems running our critical infrastructure are basically secured with the digital
equivalent of password one, two, three. And we'll discuss why TikTok might be the most
effective psychological warfare tool ever invented.
Plus, how thieves will happily drop a million dollars for a stolen laptop.
I was surprised by that one.
We're also diving into the dark web.
What's on there for real?
What criminals buy and sell?
And why every business on earth, including your local sandwich shop, actually has data
worth stealing.
Last but not least, why Russia disconnected from the global internet for a day,
whether China is baking malware into devices before they even hit store shelves, and the
story of how my buddy Rob got his credit card stolen just because his speaking gig was
published online.
It's a wild ride through cyber Cold War territory, so grab your VPN, unplug your smart toaster, and let's dive in with Dr. Eric Cole.
Well, I read the book, first of all, and I found it to be, it's geared towards businesses, but I found it to be quite interesting, some of the anecdotes.
And I'd love to focus a lot more on, like, global cyber security and personal cybersecurity as opposed to business cybersecurity.
So you mentioned there could be a cyber 9-11 with airplane control systems.
I want to get into that.
TikTok as a tool of war. I want to get into that, but I was quite alarmed by, in the intro of your book,
you mentioned there's a cyber security attack every minute. And that just sounds like a lot.
And there used to be, this is probably 20 plus years ago now, there used to be this visualizer,
a map of the world where you could see lines going from one area to another. And it was like,
this is live cyber attacks as reported by, I don't know, it was like Kaspersky or something,
was monitoring this. And they would make a visual. And it would show,
like thing coming from the USA going to Moscow, thing from Moscow going to Korea, thing from
Korea going to China, thing from China going to L.A. It was really interesting, possibly fake,
because why do that? But it sort of brought early attention to the fact that this is just
constantly, constantly happening. So what types of cyber attacks are we seeing every minute?
Is it actually happening every minute or what are we seeing that's happening that often?
So what's happening that often is with AI or artificial intelligence, they can now automate
specific attacks against individuals and corporations. So in the past, a foreign adversary would look at a
large company and they'd spend six or seven months trying to plan an attack or go after the government.
But now with AI, there's automated scripts that are literally targeting you and me and every individual,
every small company, every medium company looking for vulnerabilities, looking for flaws. So they're
always sending out phishing attacks. If you don't believe me, how often do you get a phishing attack or the
toll booth scam. The text where it's like, click here and pay your toll, but the URL is like
ZWX-1475.com.com. Yeah, exactly. There's tons of those. Yeah, my question is, if you're getting
those eight or nine times a day, which I know I do, think of how many every individual is getting
there. So if you multiply that by every single citizen in the United States, you could see how quickly
it could be an attack every single minute of every single day, because they're just constantly
sending out spams to you, to companies, to individuals, and the idea is, they don't need
everybody to click on it. They just need one. Yeah. If one person clicks on the link, they get in
to yourself, your business, your identity, and your company. So yes, when you're looking at the
fact that every individual and every company is being targeted and scanned by these phishing
attacks, yes, it is happening every minute of every day. My family's been the victim of
several of these. There's a business that my mother-in-law works in and someone had emailed
either her or someone else in the business, and she was on a call, and it was like, oh, we've changed our
bank wire information, please update your systems, and somebody was about to send a wire, or did
send a wire, you know, 40 grand or whatever to this company. And she was like, no, I'm on the phone
with this guy right now, and he didn't say anything about that. So let me just ask him.
And the guy's like, we have not changed our banking information to my knowledge. And they're like,
call the bank right now. So it was minutes later, they got the wire reversed, because it's hard
to get a wire reversed. You can do it if it's five minutes in because it usually takes like
24 hours or something to, I don't know, reconcile. And then also you catch even the sharpest
person at the wrong time. I feel bad. I'm going to out him here. But my brother-in-law was on a call
doing something, probably also driving or whatever. And he clicked on the toll booth scam and
paid and was like, wait, I think I just got scammed. I was just, I wasn't paying attention.
Exactly. They're rushing. They're rushing. Yep. Exactly. That's what they're taking after.
And I was like, well, call, dispute it and get a new credit card right now.
And so that was it.
Yeah, he looked at the text and he's like, yeah, this URL's nonsense.
Like, I just didn't look at it.
It was on my phone.
We don't hear that much about this because the media doesn't prioritize it.
So I think for me and a lot of other people, we don't see this as a big problem because
the media isn't reporting on it 24-7.
It's like when I see, oh, phishing scam, I just think, oh, slow news day, nothing's
happening.
Nothing real is happening.
So we're talking about phishing scams or holiday safety.
Don't let your Amazon packages get stolen.
You're like, okay, nothing happened in the whole world today.
So now we're focused on like credit card points, roundups and stuff like that.
Like it's relegated to that tier of importance, right?
And you nailed it as, I mean, we constantly piss the media.
And nine times out of ten, they're like, it's either not important or they'll go in and say,
we'll do the story.
But then that next day, something hot happens in the media.
Right.
And they cancel.
Like, for example, right now, how many times do we have to hear
about the government shutdown? How many times do we have to hear about the Democrats and Republicans
not getting along and them fighting with the White House yet that is all they want to cover?
Every day we're pitching the media on breaches and it's just not high enough priorities to them
because they look at it as sort of petty theft. Like if the fact if your local grocery store
gets robbed of $20, that's not newsworthy. But what if every single store was getting robbed by
$20 across the entire United States? I think that's newsworthy.
But unfortunately, they don't, so the American public doesn't realize that they're a target and that cybersecurity is their responsibility.
It's interesting because I look at scams like this and I go, if I hadn't shaped up as a teenager, this is what I would be doing right now.
Because, and I'm not saying that to like brag or anything.
It's actually kind of terrible, right?
You know, I did a lot of scammy stuff when I was younger, but it was for the thrill.
I didn't need the money.
I wasn't thinking I was going to be my career.
But I was pretty good at that kind of stuff, you know.
And getting a mass market, I'm not trying to give anybody any ideas, but getting a mass market sort of role.
We don't care what you do.
Mass texting software system to sign you up as a client to get a couple of URLs, to find
a merchant account company that's a little bit shady and lax and get 10 of them so that when they
finally cancel you, you just roll it over to the next one to get some AI, chat GPT API stuff
going that it can script conversations, if even necessary, to get a chatbot on a website.
Like, none of this is hard.
It wouldn't surprise me if some of the massive scams you see are run by like
19-year-old kids living with their parents.
And the scariest part is, imagine if you take that up a notch.
It's not only being run by these 19 year olds, but what if it's a corporation?
What if it's a company?
Imagine a company with a 20,000 square foot office.
They're an incorporated business.
They have 3,000 employees.
They're making $50 million a year, but they reside in Russia or China.
And their entire job is to target you, your companies, and your individuals.
And here's the crazy part.
it's not illegal in those countries.
And there's no extradition treaties.
Right, those countries, yeah.
You call the local police.
They'll say it's an FBI issue.
You call the FBI and they'll go, we know who they are, we know what they're doing.
But unfortunately, because it's below $5,000 or $10,000 per individual and because they can't
arrest the person, there's nothing they can do about it.
So it's basically a crime without any prosecution or any legality is associated with it.
The amount of times that I've had the thought of like, okay, had I stayed kind of a bad
kid as a teenager, what would my life be like? Most of the time I'm living in Southeast Asia or
Russia and my best buddy who I see for golf every Saturday, I don't even golf, is the police chief
of the national security who's on my payroll so that I don't get busted for doing the obvious
organized crime thing that I'm running. Right, and I run a scam center. I rent office space from a
large real estate company in the center of town. I've got catered lunch. This place is Google, you know,
I've got my, my employees are well compensated. They're smart, they're bilingual or trilingual folks
that are good at English and a couple local dialects. I've got assistance. I've got a kitchen here,
micro kitchen with snacks in it. I mean, this place is the works. And all I have to do is just never
go to a country that has an extradition treaty. And, you know, again, if I was a more dysfunctional
version of who I am today, that would be more appealing than being a poor and also dysfunctional
version of who I am today. And it's not hard to run this stuff. I've worked with
with some scam center people, counter scam center people, I should say, journalists and otherwise,
all you need is professionally installed VPN stuff at the router level that they'll run to your
office and do it. You can change all the IPs in your whole office three times a week.
And they'll never be able to block you. These services will never be able to outrun you.
You're always going to be a paying client. Your checks are going to clear for the texting company, right?
So you're going to own that company. They're going to do what you want. Like you can acquire people that
don't want to cooperate with you?
I mean, it's really, maybe you haven't noticed.
I've thought about this.
Like, what if the texting company won't cooperate with you?
You scare me a little, Jordan. You scare me a little.
Yeah, I know.
But it's like, buy them.
Buy them with a shell company.
And then tell the boss, like, you do this or you're fired.
And they're like, ah, it seems like it might be part of a scam.
And you're like, cool, who's willing to do what I tell them to do.
And you're going to find somebody who's willing to be an accomplice on the ground
and doing what you want.
But the bigger question is a lot of people are thinking, come on, man, I run a podcast.
I run a dry cleaner.
criminals don't need any information that my business has.
Tell me why that might not be true.
First of all, do you have an identity?
I believe I do.
Yes.
Questionable one, but yes.
Especially after this episode.
So how many times do you go to a retailer and they say if you sign up for a credit
card in the store, we'll give you a free account and you can charge it right there.
And if they have your basic information, your date of birth, your last four digits,
they can open an account in your name.
and if it's under $1,000, it basically would be allowed by the individual.
So think of how many different people are getting credit cards open in their name.
I have this happen all the time to folks.
Plus, do you have $100 in your bank account?
They don't need to steal a million dollars from one person.
They steal $100 from a million people, and it adds up.
So the reality is, why would they not go after you?
Because a big company, if you take a big bank, a Fortune 50 company,
they're spending $50 million on security.
They have 300 people working on security.
They're a hard target.
They're difficult to break in,
and it would take months and months and months.
Question, how many people do you have
dedicated to protecting you and your family?
Zero.
How much money are you spending?
Probably zero or maybe $49 a year.
Hey, come on, man, I got McAfee virus scan over here,
or whatever it's called.
Who's going to be the easiest target, my friend?
You're much easier, quicker, and faster to break into.
I'd rather break into Joe's dry cleaner
and your individual account and steal your identities and your customers.
Also your customer list.
Why should I bother going in and trying to go to the dark web and buy individuals?
I can break into the dry cleaner.
Steal your database of 500 people in the local community.
And now I can target all of them.
I have their email address.
I have their phone number and I have basic credit card information about them.
Yeah.
And I would imagine, look, I live in the Bay Area.
You target a dry cleaner in Palo Alto, California.
You're getting Facebook employees.
You're getting executives from all these companies.
Some of these people are worth multiple millions of dollars, these are valuable identities to steal.
This is not a database of teenagers who signed up for a credit card at college for the first
time and have a $400 limit or whatever it is, right?
So, yeah, that stuff could be valuable.
I'm imagining small businesses, essentially, their security policy is, all right, guys,
announcement.
I know your passwords are like your dog's name and then one, two, three.
Now change it to your dog's name, one, two, three, but put an exclamation point at the end of it.
That's going to make everything much safer.
thanks for your attention.
I mean, that's kind of like, I mean, I hate to say it.
That's every sort of boomer, right?
Like, you're like, what's your password?
Let me help you with this.
And they're like, it's Alex and then his birthday.
And you're like, it's your grandson's name and his birthday.
That's like in the top five things people are going to guess.
It's like, oh, really?
It's like my mom had a friend who used to hide money under the bed.
And my mom said, you don't use a bank?
And she's like, no, I don't trust the banks.
And she goes, well, where do you hide the money under the bed?
And this woman who was like an immigrant from Poland.
And she turns to her daughter and goes, you told your friend where we hide the money?
She's like, no, everybody hides their money under the bed.
Exactly.
What are you talking about?
Mom, everyone hides their money under the mattress.
And it's like, oh, okay, I didn't know that.
So that's what we're dealing with.
That's the level of security we're dealing with, cyberwise, is the money is under the bed.
And to make it worse, it's under every bed.
So my guess is you probably have three or four passwords that you rotate across all your accounts.
What's the probability for the average person that their email, their bank account,
their e-commerce and others all use the same or similar password.
How many times do you log into an account and it says this password has been used in a
previous attack?
Yeah.
You might want to change it.
And how many people say no?
How many people deny that and don't change it?
So it's one of those where they find out one password for one breach and they get in.
A great example is if you go back three months ago, there was the largest password breach in the
history of the internet, over a hundred million passwords stolen. But two things. One, it wasn't
because they broke into a large database. It's because they broke into individual accounts,
which means individual phones, smartphones, and tablets are all compromised because their password
is taken. But here's the crazy part. The story broke on the day that we attacked Iran with the
bombers. So I was set to go on the news Saturday and Sunday and every single media canceled
because the Iran attack was a bigger story than everyone's tablets and devices.
So think about it.
Hundreds of millions of devices are all compromised.
They know all those individual passwords, yet nobody knew about it because it wasn't
newsworthy.
That's crazy to me.
That's crazy.
When someone steals your car, you know, like, right away.
But identity theft is scarier because you don't know until someone's like, wait, I didn't
get my tax refund.
Wait, it got sent to a bank in North Carolina to a shell company that sort of sounds like
the same name as my company. What happened there? And it's like, oh, yeah, fake Jordan Harbinger
set up another LLC in another state and another bank with your identity information and got your
tax refund and they've been planning this for eight months. Exactly. It's happening all the time
and the probability of people knowing it is very slim. Like you said, a lot of people after they do it
will realize it. Like you said, your brother, I think, clicked on the toll booth scam or your friend
transferred the money. But think of how many people don't
catch it right away. And the issue is if you don't catch it right away, usually within 12 to 24 hours,
it's too late. I can't tell you how many times people have transferred money like that bank or that
company and they don't realize it for three or four days later. And by then, because the money is
stolen because it's cryptocurrency, they can't get it back. And the probability is you're liable.
If you went in and you transferred money, even though you were scammed, it's not the bank's fault.
It's your fault. And in many cases, once the money has left your account,
you're the one liable, not the bank.
I mean, technically, the scammer's
liable for fraud, but we already covered the fact
that they live in another country and they know that
you're not going to get them. And the bank is not liable,
right? You're on the hook, but
the remedy is sue the fraudster, which
isn't happening. It is quite
scary because I do investing
here and there, like I'll get a company that's not
gone public yet, and they'll say, hey, do you want some
restricted shares or something like that
at the current price? And I'm, yeah, sure.
And you put in a certain amount of money. And my bank
will call me and be like, do you know these people?
Are you sure you know these people?
And then what I'll do is, thankfully, they do that because they probably deal with this 100 times a day.
Whenever I do this, I'm like, I got to be on the phone with the lawyers who are handling the paperwork for the company and someone from the company.
Because otherwise, I'm not going to, what you don't want is somebody to go, hey, we never got your $25,000.
And you're like, but I wired it to you when you emailed it to me.
And they're like, we didn't email you.
We set up a Zoom call for Monday and it's Thursday.
So I'd love to hear a little bit about your time, what you can speak about anyway, your time
with the CIA and I want to know about the dark web because I think a lot of people are not
familiar with the dark web. They just think it's illegal things on the web, but it's not the
same thing. Yeah, so I started working at the CIA in the 90s, in 1990 to be exact. And the crazy
part about it is, in 1990 when I joined the CIA, I was an AI programmer. I was actually programming
neural networks and predictive systems for the counterterrorist center. So AI is not new. The ideas and
concepts have always been around. It's the data sets. So we had data sets and predictability of the
terrorist. And then in 1992, something happened. The World Wide Web was developed. The World Wide Web
wasn't developed until 1992. I joke that Al Gore might have invented the internet, but I actually
helped create and build it. So in 1992, I'm in an all hands meeting in the bubble
at the CIA and they're talking about switching communications to the internet.
And I did one of the most dangerous things you can do in the government, and that's ask a
question.
I raised my hand, and I'm raising my hand that my boss was in the front row with all the
execs, and she's looking back and she's going like this.
And I thought she was waving to me, and I waved back, and she was like, put your hand
down, you don't ask questions.
And I asked a question that changed my life and changed my career, and that was this.
How do we know it's secure?
If we're moving to this new thing called the Internet and the World Wide Web, how do we know it has security in place?
Well, in the government, if you ask a question and nobody knows the answer, you're volunteering to solve it.
So they looked at each other and said, okay, Dr. Cole.
Well, at that time, it wasn't Dr. Cole.
Okay, Eric Cole will give you $50,000 in three people.
You have six months to solve it.
So I thought there'd be mathematical formulas to go in and show how to secure a system.
But what I learned is there's no way to prove a system is secure.
you can only prove it's not secure by breaking in or hacking it.
So that's when I began my career as a professional hacker
where the only way to find vulnerabilities and issues
is to hack them and find them before the attacker does.
Wow.
And then I started going in and testing our systems,
testing other government systems,
and also going in and starting to focus
on working with the Nuclear Regulatory Commission
of how do we secure and protect nuclear reactors.
So I actually have a niche where I wrote a lot of the regulations
for the NRC of how do we protect control
and secure and lock down our critical infrastructure.
Critical infrastructure stuff is scary.
I gave a talk at DefCon, which I'm sure you're familiar with, but for people who don't know,
it's the biggest hacker conference in the world.
Yes, exactly.
I guess, for lack of a better term.
And it's full of exactly the type of people that you would expect.
But, like, brilliant talent pool, like insane talent pool.
They'll wheel, I just love it.
They'll wheel in ATMs, real ones.
And they'll be like, all right, have at it, guys.
and you'll see these basically kids, I mean, 20-somethings maybe, jury-rigging computers that are connected to their laptop that they feed into the ATM, break it off the front, and then they can get these things spitting out money.
And it's sponsored by the ATM company, right, Diebold or whatever, they'll go and they'll say, we're donating three ATMs.
We don't really care if they break.
Ideally, they don't or are fixable.
We want your best minds to hack this, and if they can get the $10,000 out that's in there, they can keep it.
And then they'll hire them.
They'll hire them.
Yeah.
Yeah.
This is your signing bonus, pal.
How did you do it?
Because we need to fix that problem yesterday.
Because the unspoken part of that is, if you can do this to one ATM and get $10,000
out, you could make your entire career doing this and you would be very wealthy.
But instead, how about avoiding prison and coming to work for us for $400,000 a year or whatever
it gets, you know, whatever the pay is for somebody in that position?
So this conference is amazing.
And I bring this up because you mentioned our critical
infrastructure control. One of the talks that I went to that I'll never forget was somebody
showing how basically these systems are from like 1985 and not secure at all and are really,
really basic and kind of the basically the unspoken truth that China and Russia and whoever else
has just penetrated the entire United States and probably the whole Western world
critical infrastructure. And there's not maybe much we can do about that because we don't
really know where they are or how to secure these things. Is that accurate? It is spot on.
It's happening all the time and even not at DefCon, but they'll actually go out and post these systems
on the internet saying, hey, we'll authorize you to try to break in. And then this way, if they do,
they can hire them. But here's the reality. A lot of those folks, it's actually better and more
money for them not to work for the company, but sell it to the adversary because if you go in and
find an exploit of a system and you sell it to the company, they'll maybe give you 100K.
You sell it to an adversary. They'll give you millions of dollars to break in. So like you said,
if you were living a different life and a different focus area, what would be the probability
that you would just go in and work for the dark side instead of the good folks?
I mean, I got such a thrill with the dark side stuff, man. I'm just thankful that I outgrew
that stuff, very much so. My parents even more so, probably. But let's talk about the dark web
again, because I think people don't know what it is. You mentioned it before. Hey, why go to
the dark web and buy identity info? There's a lot more on the dark web, and I want to give a brief
primer as to what it even is. I probably should do a whole show about this because I think it's a
deep topic, but can you briefly define what it is and what can be bought and sold there?
So the dark web is basically Amazon for evil people. It's basically where you can buy and sell
anything illegal from drugs to weapons to credit cards to social security numbers. I mean,
you go in and you have basic PII personally identifiable information, the name and address and a phone
number, and that sells for about two bucks a person. You start adding in either credit card or social,
and you can get up to $7 to $10, sometimes $20, depending on how much it's worth. So you go out
and you can either buy this information as a criminal and then use it to target it because the
software is available. So you go on the dark web. You can download software for phishing.
You can download the accounts. You can download the information. And for about $20,000,
you can make about $20 million within two to three weeks, if not sooner.
and you can then also then take your proceeds and sell it back on the dark web for even more money.
If you have the organized crime infrastructure to do that, right? I remember, man, this is a while
ago, but I'm sure you know about this. This is probably even 10, 15, 20 years ago. There was a large,
I think Ukrainian organized crime ring or Russian organized crime ring in all over, but also
especially in Ukraine and in New York. And they were getting tons of credit card and debit card
information, taking blank cards, which I saw with my own eyes, actually, in Ukraine,
blank cards that had Visa hologram stickers on it, whatever. They would print the, you know,
remember, you could just press it into the back. You probably still can with credit cards.
Press the number to the back, press the name in the back, and they would have fake information,
and they would just program these mag stripes with these magstripe programmers, and they would go to
ATMs and withdraw 500 bucks here, 500 bucks there, burn the card out. And this guy, he had
hundreds of people doing this all over the place. I don't remember the number,
but it was something, he was making like $20 million a month.
And they finally caught him.
And I remember one of the funniest things that he said was,
I got so depressed.
And it's like, why?
And it was just because he had gotten everything he ever wanted and more, right?
You're making $20 million a month or whatever it is.
But he was under so much stress.
And then also it didn't make him happy because he was still a dysfunctional piece of crap.
But it was just such an interesting case because you think to yourself,
you can just make a credit card and program it with information,
and then to have somebody go to an ATM, withdraw the money,
and the answer is basically, yeah, you can't.
And the tools for doing it are cheap, free,
and or low cost and readily available on the dark web, yep.
You mentioned you can't prove that something is secure,
you can only prove that it's insecure.
You have an interesting metaphor in the book,
how something that's secure 100%-ish,
it means it doesn't work anymore.
Can you take us through that?
Sure, so everyone always goes,
we want 100% security.
Jordan, I can give you 100% security so easy.
You want to be 100% secure?
You want your family to be 100% secure.
It's easy.
Pack up your bags, sell everything, move to Pennsylvania and become Amish.
Because I'll tell you, I hacked a lot of things in my life.
I have not been able to hack a candle and a horse and buggy.
Yeah, nice.
It's not hackable.
So the reality is, if you have no functionality or no benefit, you can be 100% secure.
And to give you a more realistic example, my smartphone.
If I want to make my smartphone 100% secure, it's easy.
Smash it with a hammer.
Smash it, burn it, throw it in a ditch and turn it off, and it'll be 100% secure. But the reality is, as soon
as you add any functionality, you're decreasing security. So security and functionality are
inverse. A hundred percent security is zero functionality. So people always come up to me and go,
Eric, when I hear you work in cyber, you're going to tell me I can't do that. You're going to say,
I can't do that, I can't do this. You're the no guy. I'm like, uh-uh. I'm not the no guy or the
yes guy. I'm the options guy. So what I do with any company, any business or any individual,
I'm never ever going to say you should or shouldn't do something.
I'm going to ask you two questions.
What is the value and benefit?
What is the risk and exposure?
Is the value worth the risk?
If the value and benefit is worth the risk, do it.
If the value and benefit is not worth the risk, don't do it.
And the crazy thing is, that's the exact same advice that Warren Buffett gives in investing.
He always says minimize the downside.
That's why Warren Buffett doesn't invest in cryptocurrency because the upside is great,
but the downside is devastating, so therefore it's not worth it to him.
And you have to do the same mindset when you're looking at adding functionality.
Is the value and benefit worth it?
And a great example is Alexa.
When Alexa first came out, everybody loved having her in their home.
Because, hey, Alexa, what's the weather?
Or play this song or play this music and they thought it was the coolest thing on the planet.
And then when people two or three years later found out that Alexa is basically listening in on everything you're doing,
they're like, wait a second, I don't want a personal device bugging my house. And everyone goes,
Alexa isn't listening. She's not recording. I'm like, wait a second. Yes, I am. How can she respond
if she's not recording? If you go, Alexa, tell me the weather or Alexa play this music and she
responds. She has to be recording what you're doing. And I do expert witness work. And I worked on a case
last year where it was a crime that was committed in an office building that had Alexa. And one of the
first things law enforcement that's trained well in cyber will do is they'll immediately
unplug the devices because it records the last 30 or 40 minutes. And we actually had a case where
Alexa testified at trial. That's incredible. Alexa was actually allowed to be played and I verified
and validated the authenticity of it. And she basically testified at trial against somebody and the jury
used it to basically prove their guilt. So you can say, hey Alexa, what's the last 40 minutes of the
recording? And it says, I, here, let me play it for you. And it's somebody getting clobbered with a
claw hammer in the office building. That's crazy.
Well, in this case, it was insider trading in somebody's office, and they happened to have
Alexa recording the insider trading deal, and they were able to capture it on Alexa and play it
back. That's crazy. I remember it caught a murder a long time ago. Yes. I can't remember the
exact details, but it caught a murder, and they were like, we need to get those records. And
Amazon was like, they don't exist. And they're like, no, no, no. This is a murderer. Cut the
bullshit. Where is it? And I don't remember the exact outcome, but it was basically like, okay,
maybe it's on there somewhere, if you can find it.
And I must have done this on this show.
There was another device.
I'm going to throw Google under the bus, and I hope that I'm right.
It was something like a Google Home, and in the schematic there was no microphone, but in the actual
device when disassembled by whatever or whoever it was, wirecutter or whoever, there was
a microphone on the circuit board.
And it was like, wait, wait, wait, this isn't on the instructions.
It's not a feature of the device.
It's not in the schematic of the device.
It's not of the patent or whatever it was,
you know, whatever sort of thing.
It's just sort of secretly in there.
And I think the response was, oh, it's not in use.
And it's like, well, why did you put that in every device at the cost of, I don't know,
an extra dollar than if it's not in use?
Wouldn't you want to keep that profit for yourself?
The real answer is it's in use or we're going to use it at some point and we didn't want to
have to announce that or tell that to anybody.
Right?
And it's like, well, so is it recording or not?
And the answer is always, can you prove it or not?
It's not recording if you can't prove it is.
And if it is, then prove it.
And then we'll pay whatever fine we have to pay to get out of this jam that we find ourselves in.
Am I off base at all?
No, you nailed it.
And the reality is, and I always tell people, the most dangerous word on the internet is the F word.
Now, I grew up in New York, and the F word was part of our normal vocabulary.
Yes.
To me, the F word is the most dangerous word on the planet.
And it's not what you're thinking.
The F word is free.
Free is not free because all the times when you have a free app,
you're basically allowing them to access your microphone or your camera or your pictures.
And everyone goes, oh, no, Eric, it wouldn't be allowed in the app store or it wouldn't be
allowed in the Android store.
But here's the reality.
If they ask you and you say yes and you give them permission, that's actually an authorized
app and it's allowed.
And the reality is most people don't even realize when they install these apps,
they're hitting yes, yes, yes, yes, yes, and allowing access.
When was the last time you went under your settings, you looked under security and you looked
under microphone to see how many devices are accessing your microphone?
And I'm sure if you pay attention, you'll see this happen.
You're talking with your phone to your family or your kids.
And let's just say you're talking about buying a new car and you put in a certain vehicle
model and a certain type.
And you're talking about the car and you're talking this and that about it.
And then you go into Google and you just type the letter W, and the phrase that automatically appears is
what is the price of this car or what is the cost of it? And you're like, and when you start paying
attention, you're like, how does it know this? And then you go in and you start surfing social media
and all of a sudden all the ads that pop up are for that car that you just talked about and everything.
And when you start really paying attention, it's actually freaking scary of how much you're being
monitored and tracked with your phones that you don't even realize it. In most government settings,
you're not allowed to bring a smartphone into a secure location. More and more companies now are
not allowing devices into the boardroom. You actually have to leave your phone outside in what we
call a Faraday cage, which I'm sure you're familiar with if you go to DEF CON, that basically
doesn't allow your device to transmit or receive any information. So companies are getting smarter
and realizing that you are being spied on, and it's because of the apps you install,
and download. And if the Russians and Chinese are really hanging out inside our power grid like
they're waiting for bottle service, that's not exactly comforting. Here's something you actually
do want in your life. We'll be right back. If you're wondering how I manage to book all these
great authors, thinkers, creators every week, it is because of my network, the circle of people I know
I can trust. I want to teach you how to build the same thing. It has changed my business. It has
changed my personal life. I teach you basic systems, not cringy, weird, self-helpy kind of stuff,
not cheesy tactics, just really practical exercises and systems that'll make you a better
connector, better at work, better at home, even if you're retired, even if you're new to the career
game entirely. Six minutes a day is all it takes, and many of the guests on the show, subscribe and
contribute to the course, and it's free, no shenanigans whatsoever at six-minute networking.com.
Now, back to Dr. Eric Cole.
I think a lot of people have suspected that their phone is listening because everyone has had this
happen to them. You go, man, it's so cold out. I would love to go to Greece.
And then you open up your phone the next day or an hour later, and it's all ads for like,
escape to Greece.
And you're like, wait.
And then someone goes, oh, come on.
They're advertising all over because it's winter where you are.
That's all it is.
It's a coincidence.
It's confirmation bias because now you're, you were just talking about it.
You wouldn't have noticed the Greece ad.
You've probably seen it a thousand times.
And you're like, okay, maybe you're right.
But then it happens over and over and over and over again.
And you're like, okay, it could still be confirmation bias.
But damn, is this a lot of, this is quite coincidental.
And you notice it when it happens with something really, really random.
Like I was searching for, or I was talking about, this is embarrassing, but whatever,
pouch underwear, which is like kind of what it sounds like.
That is not something that, like, is being advertised to millions of people all the time everywhere.
These are small businesses.
It's a little bit niche.
And suddenly I was getting a bunch of ads for that.
And I was like, wait a minute.
Okay, this is too niche of a thing.
Yeah, you're searching for a flight somewhere.
Okay, it's winter.
It's cold in Michigan.
They're giving you a flight to somewhere else, fine. Pouch underwear, bro? I don't know, man, it's a small
marketplace, you know. It's not really like the biggest sort of hottest holiday item that you're going
to get for your friends or anything. It's just a, it's a little bit strange. So that kind of thing always
makes me go, okay, this thing's listening to me, and there's just nothing I can do about it. In fact, I leave
it right here on the show so it can show me ads about cybersecurity products after the show, and I
appreciate it. Because I have my phone here, so I guarantee you I'm now going to start getting ads for pouch
underwear. So thank you for that. Let me know. Yeah. And try it out for yourself. It's quite comfortable.
Should I go in when they say how you referred? Should I say I was referred by Jordan?
I'll put your name in there. Yeah, exactly. Put my name in there. I might as well be further associated
with awkwardly branded underwear. So it sounds like your point is don't ask, is it secure.
Basically, ask if the benefit of whatever it is, the software, the device, is the benefit worth
the security risk that is inherent in using anything? Exactly. And the other thing we have to realize
is that, and this is a big thing with phones and AI, we can't let it replace human interaction.
I sort of have a rule that if you go to dinner with me, a lot of people say, hey, Eric,
we want to go to dinner with you because I'm pretty well known in the space and people are in
town and some big names.
And I always have a rule.
I'm like, listen, I'll go to dinner with you, but there's one rule.
You must keep your cell phone in the car or in your pocket.
If we are at dinner and you pull out your cell phone and start tracking or texting it, I will
get up and leave because that is the rudest thing on the planet.
If we're in a restaurant and me and you are talking, and I suddenly turn around and start talking to a random person for five minutes, and I do that every 30 minutes, you'd be offended and you'd be like, Eric, what the heck, I'm out of here.
But yet we let people do that with our smartphones all the time.
Yeah, it drives me nuts.
We have to stop going in and doing that.
And also, how many times are you at a restaurant and you see a two, three, or four-year-old, and instead of the parents talking with them and playing with them and interacting, they give them their phone or they give them an iPad.
I see this all the time in restaurants and it infuriates me.
You see a family with three or four kids.
And the parents are not only not talking to the kids, but they're on their phones and all
the kids are on their cell phones.
And I'm like, why are you going to dinner?
This isn't dinner, right?
This is basically you interacting individually with other people and ignoring your family.
Yeah.
I will say in defense of parents, because I have two little kids, sometimes it's the only break
I get all day.
And I'm like, look, I can't, otherwise I'm stuck feeding them the whole time.
And it's just, it can be annoying.
I agree it's a crutch, but man, I have a hard time coming down too hard on parents for
wanting a solitary 45 minutes where they can have an adult conversation.
Which is okay, but then the question is this.
Are you consciously aware of the games they're playing and the apps they're being shown
because most parents don't want to pay the $7.99 and they give the kids free apps
and basically look at the ads that are showing up.
Those ads are raising your kids.
Are you actually aware and know that?
So, yeah, if you want to make a conscious decision, listen, I need a break for an hour,
and I'm going to allow the internet raise my child for the next 60 minutes, that's okay.
But are you consciously making that decision and allowing someone else to raise your kids for the next hour?
Yeah, I mean, I'm with you on that.
We don't allow them to use any sorts of apps that are not education games.
They love those, you know, where they learn little math skills or different colors, depending on their age.
We let them use that stuff.
But yeah, you're right.
My Apple bill every month is like $100 because it's like, you pay
for this and you pay for Disney Plus and you pay for the, because I don't want, man, I'll tell you,
I was watching a show the other day on Amazon Prime Video, and I don't have the fancy ad-free
one because I never watch anything. I mean, I have two kids in a business. What am I going to
have time to watch anything? So last night, my wife's like, we got to watch this show. Everyone
says it's great. And we watch an episode of it, but it has ads in it. And they're like two minutes
long. And I'm like, I don't buy tide. I don't give a crap about this. How much is it
cost to get rid of this. And it's like $7.99 a month. And I'm like, just pay this. I don't want my show
interrupted all the time. But you're right. You're giving this thing to your kids. And it's like,
buy this crap, buy this toy. Here's another. Or worse. But man, even YouTube makes it kind of hard.
You have to, I thought, oh, I'm just going to block annoying channels that I don't like.
There's an unlimited number of stupid, boring, not educational channels where they don't talk.
They just make little noises and throw things and make big messes. There's a million at least.
And I'll block it, and then the next one that comes up is just people of a different ethnicity
doing the exact same thing in a different half-assed language.
And I'm just like, oh, my God, you can't, there's an, this is the formula.
There's people making so much money off these.
There's an unlimited number of those.
But back to actual cybersecurity.
We touched earlier about how the Russians and the Chinese, et cetera, are in our power grid
and companies right now.
How do we know that that's true?
Because they'll tell you.
If you actually go in and ask the modern power grids or check the Internet,
if you actually go in and look at the amount of data breaches, because here's the reality.
They are publicly traded companies and the SEC passed a law that if you have a breach or you
think you've been compromised, you have to publicly disclose it in your SEC filings.
So go to the Google and do this.
Go how many power grid companies or how many infrastructure companies have had data breaches
that have been given in their SEC disclosures or use AI and ask AI.
And you would be shocked at how many companies would come up in your list.
But the reality is people just aren't looking and the media is not covering it.
So they're actually going in and telling you this.
But here's the good part, the only good news.
They're in our power grids, but they're in theirs.
So this is like the Cold War with Russia, where Russia had enough nuclear weapons
to destroy the country.
And we had enough nuclear weapons to destroy Russia.
So neither side would launch a nuclear weapon because it would basically result in mass
destruction and devastation. So even though they're in the power grids, it doesn't make sense for them
to actually take it down because we would attack them. And here's the other part. China needs the
United States to have a healthy economy. China doesn't want to bankrupt the United States. They want to
steal our intellectual property. Russia would go out of business if the United States banking system
crashed because they would not make the hundreds of millions of dollars in cybercrime. They need
our banking infrastructure to be healthy. They just want to steal and
take enough from it that it impacts you and me, but it doesn't devastate or take down the system.
So the fact they're in that critical infrastructure, and we've seen Colonial Pipeline.
Remember that attack a couple years ago where it took it down?
It might not have impacted you because it's funny how a lot of people on the West Coast didn't realize it.
But I live in Northern Virginia, and we had five days where gas stations were closed.
Like people were starting to freak out, like going, there's lines at gas stations.
You couldn't get gas.
Are we going to actually have to walk to the store and take bikes?
But it was a reality that hit the East Coast.
And the thing is, the way you protect critical infrastructure is by air gapping it,
not having it connected, but here's the issue.
Companies are getting lazy and going, wait a second.
Having our critical infrastructure air gapped is difficult and hard to build.
So what's the real issue?
We haven't had an attack in three years.
So they start connecting it to the Internet,
and then all of a sudden the attackers get in,
and these breaches are happening so much
that as we said earlier, media is not covering it
and media just doesn't care.
Yeah, I've told the story a couple times on the show,
but I had an acquaintance whose father,
I think it was, worked for the power company,
or I should say critical infrastructure back in Michigan.
One time he was like, yeah, if you go down this tunnel,
there's a stairway and it goes down, down, down,
I'll show you guys some time.
All of our computers and systems are down there,
and I was like, oh, doesn't it flood?
He's like, no, we got pumps and stuff,
and there's occasional leaks we're having it repaired right now, but when it's done, I'll show you.
And I was like, so every time you've got to go to work, even in the winter, you've got to go, like, down into this cold-ass tunnel underground.
And he goes, no, no, I just dial in from home.
I was like, the whole thing is in a tunnel so that it can't be bombed or something.
But, like, it's got a little phone wire that sticks up and you can dial in from your crappy modem in your home office because it's cold outside.
And I'm like, oh, my God, if only the hackers had thought of that.
And that's what's happening is Hollywood movies are no longer fictional. And you say that with a dial-up,
but watch the movie War Games. Oh, I love that movie. So good. Where basically a kid was able to access
and log in where he was just war dialing and found these systems. Yeah, if your friend and others are
working from home, COVID was the worst and most devastating thing for cybersecurity. Because it basically
took all of our critical infrastructure, all of our banking systems, and allowed people to work remotely.
Well, if you could log in remotely with a user ID and password, how hard will it be for an attacker?
And the better part is they don't even need to steal your user ID and password.
They just compromise your system.
We talked about phishing attacks where you click on a link and it compromises your device.
What if it's not to steal your bank account?
What if it's not to steal your personal identity, but it's to actually put an agent on your system.
So the next time you VPN or connect to your company, it actually rides that connection in.
So even if you're using two-factor to authenticate, it's already compromised your system.
So once you two-factor authenticate, it's using that compromised connection to break into your
company, plant malware, and just navigate through your entire company.
That makes sense, right.
It just waits for you to authenticate and then whatever, it attaches a malware payload
to something you're doing in the system or something along those lines.
Yeah, that completely makes sense.
So the good news is we're also in China and Russia's systems.
Is that what it is?
It's like, if you shut down our power grid, we'll make sure that yours are all
shut down? Is that kind of where we're at with this whole standoff, detente thing?
Yeah, so it's twofold. One, that's true, that if you break into ours, we'll break into yours.
But the bigger part is, how can China go in and steal our intellectual property if our power
grid's down? If our systems are down. So they don't want to take down our systems. They want to just
go in and access and monitor it. And you see this all the time where telecom and cell networks
are compromised. They're not trying to take it down. They're listening and gathering data.
There's a reason why TikTok is worth so much to the Chinese because they're gathering data.
They have information on American citizens for the last 12 years.
And that information is valuable.
We're looking at, okay, we're going in and going to make TikTok a U.S.-based company,
but nobody's talking about what about all the servers and data centers in China?
What about all that information that's in there?
And then we joke that we don't want China to have all that information.
So we're okay with social media having that information.
We're okay with Mark Zuckerberg having that information.
And then the crazy part is there's a reason why Larry Ellison from Oracle is one of the prime bidders who's most likely going to acquire and take over TikTok.
He's a database company.
He wants data on individuals.
Why in the world would Oracle want to own TikTok?
Why would Oracle want one of the largest social media platforms?
It's not for social media.
It's all the data they can gather.
And store it in their databases so they can do correlation and analysis.
I would love to talk about why Russia disconnected from the world internet for 24 hours.
Do you remember this, by the way?
This is a couple years ago.
Yes.
So tell us what happened because my buddy's a very sort of high-level cybersecurity dude.
In fact, I'd be shocked if you don't know each other.
But he messaged me and was like, this is a big deal because, well, I'll let you explain the reasons.
Yeah, so almost every major country except the United States actually has connection
points to the internet where they can disconnect. Because here's the reality. They want to be able to
run independently and stop a cyber attack. So if there was a major cyber attack against Russia,
they want to be able to disconnect and control and limit that information. So they go in and every
year they disconnect from the internet for a day or two to be able to prove that they can be
resilient and reside without it. When the attacks began between Israel and Iran, Iran disconnected
from the internet for three weeks to be able to stop or minimize attack vectors.
And the crazy part is the United States is the internet.
We created the backbone of the internet so we can't actually disconnect.
We basically are the internet.
So everybody has always asked and every president asked the same question, what are all
our connection points to the internet?
And can we disconnect?
And the answer is no, because we are the internet.
So what we should be doing is instead of spending trillions of dollars on paving
our roads or doing all these big, beautiful bill stuff, we should be spending trillions of
dollars of building a separate, isolated internet, so at least the government can disconnect if needed.
We could disconnect if needed, but because we can't disconnect from the internet, we are a major
target. If a major cyber war broke out, China could disconnect. North Korea could disconnect.
Russia could disconnect. The United States can. So that's significant where they actually can
control and minimize cyber attacks. We can't. That's interesting. I mean,
I mean, I guess what you need is somebody who's in charge of things with the balls to say,
you're cyber attacking us, we can't cyber attack you back.
What we're going to do instead is take out a couple of your ships or oil rigs or, you know,
make sure you clear your personnel from this infrastructure because if we can't hack it,
we're going to level it.
You just need somebody who's willing to escalate to that degree and call their bluff
because it seems like that's what they're planning.
They're planning on being able to attack us and we can't defend in kind.
But if we can't defend in kind, we have to escalate or do something.
in a different way, correct?
That is correct, yes.
Additionally, look, I know that you had mentioned in your book,
the Chinese embed malware in our devices when they manufacture them.
Can you explain this?
Because I think a lot of people don't understand how something that's not a personal computer
can have software on it, for example.
So we go in, and it's not a coincidence that everyone says China is one of the major people
attacking the United States.
When you go in and look at who the top cyber threats are,
China is always at the top of the list.
We're afraid of China. We're concerned about China attacking our systems, but do me a favor. Take any
electronic device, any tablet, any computer, any smartphone, and flip it over. What do you see on the
flip side? Made in China. So we're sitting here and saying that we're concerned about China attacking us,
yet all of our hardware, all of our chips and all of our devices are made in China. And what's the
probability that they're putting malware in those chips? Malware can reside on any hardware,
any firmware, or anything else. So now we go in and imagine if all of our devices
have some sort of malware installed, and they just didn't activate it yet. They're just actually
waiting for the right opportunity to activate the malware. What would this malware do, for example?
Listen to what we're saying, capture personal information, capture personal data, or potentially go in
and start capturing all of our credit cards or our bank accounts or our passwords or our information,
because basically if it's on our device,
they can listen and capture everything we're doing
and everything we're saying.
Do we have proof of the malware being installed on it?
Or is it just like, hey, if they're smart and they are,
they're definitely doing this?
It's definitely more the latter
because we're not going in and checking
or verifying the integrity of those chips.
Right.
We're going in and we're terrified of TikTok
because it's a Chinese-owned company,
yet we're not afraid that every one of our chips
are manufactured in China.
It's a double standard.
If we don't think that China should own
a social media platform like TikTok and we're putting so much energy and effort, why are we allowing a
Chinese company to own all of our chips and all of our hardware devices? I mean, look, I agree with you.
There's some other horror stories that were quite interesting. One was a home sale. The couple got,
there was a hacker in the real estate agent's computer who told the couple who was buying a house to
wire their money to a different person. They wired their money to a thief. The real estate title
company never got, or escrow company never got the money. These people lost their life savings,
or at least part of it.
Really, really sad.
There was another one where the Chinese company was negotiating to acquire another company,
and they were monitoring the email and saw the bid and said,
we know the lowest bid you'll take, so here you go.
But I would love to know more about risks I might be at as a public figure.
Everyday Joes, of course, the home sales stuff is bad.
But there's one that I thought was quite interesting.
This guy's credit card gets stolen because his speaking gig was public.
Can you take us through that story?
That was kind of a little bit of a plot twist for me.
Yeah, so you go in and an executive at a company, whether it's CEO or COO or CFO, and they're speaking at conferences, it's pretty well known.
Like, you go in and you look at these large events, you can go in and see where these people are speaking, right?
They're on the speaking circuit.
So you can go in and see that so-and-so is actually speaking at an event at a large conference at a certain hotel in a big city.
So they knew that, and they knew that his keynote was at 10 a.m. in the morning.
So at 10:05, they basically called the executive's assistant saying, listen, we have your boss checked in at this hotel.
And if we don't get credit card information because their credit card failed, we're going to actually have to kick them out of the room within the next 60 minutes.
Oh, wow.
And the exec is like, wait, my boss is speaking.
If they come back and they've been kicked out of their room and they lost all their stuff, they're going to be upset
and angry. And it sounds legit. It's from the right hotel. It's from the right person. So they go in
and say, okay, let me give you a credit card or billing information to be able to charge us for his
room. And it's basically a scam. And by the time they find out, or in some cases, the assistant
wouldn't even tell the person. They're like, oh, it must be legit. And they don't talk to their
boss for a couple days and they don't say anything. And by the time they either realize it or get the
bill, the money is gone and the account's been charged. Wow. Yeah, that's crazy. Because of course,
you're going to promote your speaking event.
This is the modern day equivalent.
I remember when I was a kid, my parents used to say,
never tell your friends if we're going on vacation.
Thankfully, we just never went on vacation.
But they would say, never tell your friends
and we're not going to be home because not that your friends are bad people,
but they could say, oh, Jordan's going out of town.
And then the older brother hears it,
and he tells his friends, and they say, well, where does he live?
And when is he leaving?
Because we can go and rob the house while they're gone.
You know, it's those little innocuous things
that you don't think of because you're not a thief.
And people do impersonate me.
They'll message people on social media
from like a crappy fake Jordan Harbinger.
And they're like, I've lost all my luggage and I'm in London and I know you're a fan of my show.
Can you please wire me $5,000 or can you give me $5,000 in Apple gift cards?
Because that's the only payment this hotel is taking or, you know, just some ridiculous nonsense.
Luckily, my show fans are not brain dead.
And so they message me and go, here's a, I reported this account, but they're impersonating you.
And, you know, Instagram will take care of it.
But this happens so much that it must be working at some point, otherwise they wouldn't do it.
You nailed it. People go in and say, why is this happening? Why do I keep getting it? It's because it's working. Why do you think you're getting so many toll booth scams? You might not click on it, but people are, because that's why they're doing it. And a funny story there, I had a friend of mine that's a pretty well-known social media influencer. His social media got hacked. It sent messages to all his friends saying, hey, I went on a last-minute vacation. I'm stuck here. I mean, he needs to transfer money. And the funny part is, all of his friends were savvy enough and didn't click on the link. And he calls me up and he's pissed.
Yeah. My friends don't give a crap about me.
Exactly. He goes, Eric, if that was real, none of my friends would have given me money. And I'm like, dude, you're missing the point here. And he was actually annoyed that none of his friends cared enough about him to actually do it. But you go back to the posting that you're going on vacation. There used to be a site called pleaserobme.com.
Oh, no.
And it would basically go in, harvest social media, look for people posting pictures on vacation. They would go in and look for personal pictures that had your geolocation, because when you post a picture, most people don't realize the metadata shows where you live or where it was taken. And then if you put in a zip code into pleaserobme.com, it would not only show you all the houses where they're on vacation, but it would use public records to determine how much the house was worth.
Wow.
And it would actually do dollar signs. So if the house was 100 to 200K it'd have one dollar sign, two to 300 would have two dollar signs, 500 would have three dollar signs. And it actually was not illegal because he was using publicly available information, but it got such negative publicity that they actually had to take it offline, even though they just did it out of public service, not because they were doing anything wrong or breaking any laws.
Right.
This was to attempt to show people that they shouldn't post these things, but the solution was,
hey, stop reporting on this bad security practice.
It's making people scared.
Oh, that's so typical somehow.
That's like, we don't have COVID anymore.
How do you know?
Well, we stop testing for it.
So the test results are showing zero COVID.
It's like that kind of thing.
Oh, man.
And on the dark web, you can buy everything from stolen tax refunds to malware kits,
basically Etsy for criminals.
But if you want something that's actually legal, useful, and won't get your door kicked
in at 6 a.m.
Check out our sponsors.
We'll be right back.
If you like this episode of the show, I invite you to do whatever smart and considerate
listeners do, which is take a moment.
and support our amazing sponsors.
They really make this show possible.
All of the deals discount codes
and ways to support the show
are searchable and clickable
at Jordan Harbinger.com slash deals.
If you can't remember the name of a sponsor,
you can't find the code,
just email me, Jordan at Jordan Harbinger.com.
I am happy to surface codes for you.
It is that important
that you support those who support the show.
Now for the rest of my conversation
with Dr. Eric Cole.
You mentioned in the book
that thieves will pay up to $500,000 or more
for a CEO or an executive's laptop
because the data on it is worth millions.
So do executives get training on not letting their laptop out of their sight?
Because, like, I feel like I see people leave their laptop in hotel lobbies all the time.
They ask me to watch it while they go to the bathroom and, like, I'm an honest person, but, like, they don't know that.
Exactly.
Or people forget it.
Or one of the big scams they have to be so careful of is you're going through security.
And as an exec or somebody, if you don't have TSA pre, you have to take your laptop out of your system.
So they go in and they say, hey, I'm in a rush or this or that, and they incidentally cut in front of you or they split up.
So they have somebody that targets you as an exec, they'll go in front of you, and then they'll go through security.
And then you'll go to go through security and the person in front of you that will screw around.
It delays, right?
It will screw around or their watch or their bat.
And it's like, wait a second, please step out, please step out.
And by the time you actually get through, your laptop is already cleared and they've taken it.
And once again, this happens all the time.
It doesn't have to be a lot of people.
But if they just do enough of these scams, it works and it's payout for them.
Crazy.
Even if the data on there is encrypted, like even if they have FileVault on or whatever it's called.
Exactly.
Because once again, they probably already might have installed malware on the system.
So they already have access.
Or how many execs, and I see this all the time, is you look at their laptop or their tablet,
and they have a little sticky pad that actually has their username and password written down.
I mean, yes, dude, that is all the time.
I mean, I just look on airplanes when you see executives working, and I constantly look down at their laptop and you see a little sticky note that has their password written down on a little post-it note.
I have told people not to do that.
I'm like, look, I'm not looking at your screen, I promise, but whatever's on that note is something everyone can see.
And they're like, oh, it's fine.
It's just something temporary.
And I'm like, but you're still using it, right?
Like, okay, you got me on that, right?
Like, maybe you only are using it for this flight and it's brand new and you're about to go in there and change the password.
How much time do you think I need in that system?
If I'm sitting next to you and it's just got a dumb curiosity and boredom on that flight, what if I decide to log in to whatever you're in right now?
How much time do I need to make a problem for you?
And if the answer is a few minutes, then that's too long to have that thing up there.
You mentioned actually that most cyber attacks, like heavy-duty infiltrations of systems, are not detected until the theft of data gets so large that it impacts server performance. Can you explain what you mean with this?
Right. So when an attacker breaks into a system, they go in and they'll access a user account and then they'll set up pivot points where they'll slowly pivot into the network, server after server after server, to get to the critical system. And most of the time, these attacks are detected by IT, not by cyber. Because what will happen is they'll all of a sudden have performance issues. So you'll have a database server that was actually running, and it was running at 60% performance, and all of a sudden within two weeks, it goes from 60 to 95% and now transactions aren't being done. And IT goes, wait a second, why did our performance almost double within two to three weeks? And it's because instead of users downloading two or three records, it's now downloading the entire database and it impacts performance. So most attacks are detected by performance of IT impacting the systems and not because cyber is actually detecting or catching them.
I see. So it's basically like, why is this thing ground to a damn halt? And the answer is, oh, someone got greedy and started taking way more data than they probably should have to stay under the radar.
Crazy.
Bingo.
I heard we even get cyber attacked by the UK.
That was a plot twist for me.
Is that just a threat actor routing attacks through the UK or are people in the UK actually
attacking the United States?
It's both.
Okay.
Here's the reality.
On the internet, there are no allies.
Because what stops an individual who lives in the UK, or an attacker living in the UK, from attacking our systems? Nothing. We're just as vulnerable and we're just as exposed from the system. So it's actually not only our attackers VPNing in from the UK because we're not blocking those IP addresses, but why would attackers not live in the UK or Canada or other potential countries that are allies and attack our systems? It's individuals attacking it, not the government, and individuals don't follow laws and don't have allies.
This makes sense. I was just wondering if it was a state actor, you know, coming from the UK, but you mean individuals. I mean criminals, right, no honor among thieves. I know that we, in the past, we thought maybe Iran wasn't attacking us, but it turned out they were just routing attacks through China. Why would China allow an actor like Iran to route attacks through China? Doesn't that make China look bad? You know, doesn't that anger China as well?
It does, but once again, their systems are just as vulnerable as ours. So why go in, and you don't think Chinese systems are compromised and Chinese systems are broken into and individual users are being targeted? So why not go in and just hide under the radar? If we know that we're getting a large number of attacks from China and a 10% increase, China doesn't care. We don't notice. And so the idea is, why go in and have Iran attack us when they can just go in and slightly increase the amount of attacks from China and just hide under the radar?
Yeah, yeah, this makes sense. I think North Korea attacks us from China too, doesn't it? Because they just don't have a robust enough infrastructure to do this locally. A friend of mine who works for a contractor told me that the North Korean attacks come from Beijing pretty much all the time.
That's pretty much exclusively. Yep, exactly.
There are ways to kill people using cyber. I think that's important to note because a lot of people don't really, they'll go, oh man, you know, they shut down our internet systems, our banking, okay, that's bad. People can't buy things. But at least no one's going to die. That's not necessarily always going to be the case, right?
Right. So just think of how many embedded devices people have in their system, whether it's a pacemaker, whether it's a monitoring device. We are putting more and more computers or chips within humans, and what stops an attacker from targeting, breaking in, or going after those different systems? And not only that, but even in hospitals, what if attackers can break in and impact life support or take down medical monitoring systems that are keeping people alive or safe? I mean, anything running on a computer can be hacked, and we're keeping people alive and we're embedding computers in individuals, so why not attack or go after those?
You know, that's interesting.
I went to a hospital once recently, and I'm trying to, sort of anonymize this, but basically,
the equipment I saw was running on something like, what is it called, Windows 2000 or
something like that.
It was like, or Windows ME.
It was something so old that I remember going, what the hell?
And I commented to the tech, I said, why don't they update this?
And he goes, this is all sort of customized for this machine.
And I said, but it's Windows.
And he goes, yeah, but it's got, it's like stripped down and there's stuff added to it.
You can't just throw a CD in here and put the newest version of Windows on there.
And so that, of course, begs the question.
So how do you do security updates on this thing?
And the answer is you just don't, right?
You get this machine, which you pray to God is not for something terribly important.
And also, you really hope it's not connected to the Internet at all, but who knows?
And you just hope that it's secure enough as is to do its thing without any security updates for the last 25 years.
Exactly, because when you're looking at critical infrastructure, hospitals and banks and others, what's the most important thing?
Availability.
Those systems need to be stable and available.
And what makes a system unstable, updating or changing software?
So you now have a choice: do they update patches all the time and make the system unreliable with updates and software, or do they basically say in order to install a patch, it has to get approved and verified by the vendor, and that takes years upon years to do. So these systems are just sitting wide open and exposed.
And you probably heard last week,
AWS went down for 12 hours.
Yeah, we all noticed that because everything stopped working
from my mattress to Reddit.
Yeah, and you go in and think about that.
AWS has stability.
It has reliability.
I mean, it should stay up.
AWS doesn't go down.
It shouldn't go down.
So the fact that it went down and it took down ring doorbells.
People's security systems were down.
Their banks were down.
I mean, it impacted a large number of people.
And if that can happen to Amazon, it could happen to anybody.
That's right.
That's a good point.
Amazon has, I have it on good authority, quite good cybersecurity and cyber people working on AWS, the backbone of the entire freaking internet, right?
Much more than you would have at your standard hospital.
Yeah, it seems like you could change hospital records. You could change, I mean, you don't even have to have a machine turn off somebody's life support when they're breathing. You could just change a record that says that they need a different dose of something, or that they're supposed to be dosed with this, or that they're supposed to get this particular thing amputated instead of this other thing. I mean, who knows? Who knows? You could disable the safety system in a car, potentially. It just really seems like this kind of thing is hard to defend against. Like I mentioned earlier, any sort of cyber war that comes from a state actor could become hot because of the response chain, right? If you can't hack North Korea back or China back or whatever, Iran back, you blow up an oil refinery because that's the only way to sort of show them that we're paying attention. And that is problematic in a lot of different ways. One of the tips in your book is to use a credit card and not a debit card. I agree with that. Credit cards, they're responsible for fraud. Essentially, debit cards, your bank makes you responsible for it until you can twist their arm enough to give you your money back. Have you heard of this sort of, I don't even know if you could call it a scam, but I guess it's a scam. North Koreans getting remote IT jobs and just not turning on the camera or pretending that they're in China or pretending they're in Korea or even pretending they're in the United States.
And they'll get a job with a company and they often will pay someone locally.
Like they'll offer, hey, Jordan, we'll give you a thousand dollars a month if you set up this
laptop on your internet and let these people VPN into it.
And you're like, okay, I could use that money.
I don't know what they're doing.
And so these people will get jobs.
And I don't know if they're doing the job and funneling the salary back to the regime or if they're stealing the IP and giving that to the regime, probably a little bit of both.
Have you heard about this or am I talking to myself?
Absolutely.
I mean, we work on trade secret cases all the time where it's basically foreign adversaries or foreign governments have planted an individual at a company.
And it's not what you think where they get hired and steal right away.
They work for four or five years.
They get promoted, well known, they work at key positions, and then after four or five years, they slowly start stealing, gathering data, or they do what we've seen with Robert Hanssen and Aldrich Ames with the CIA and the FBI. They just recruit somebody. How many people out there are getting paid 200k a year? If you go in and say, hey, we'll give you another 300k if you actually install malware or copy data to your USB drive or steal data, then many of them will do it. Or you go in and you say,
no one would ever steal from the company.
Watch the movie Firewall.
Firewall with Tom Harrison.
He was actually a chief information officer for a very, very large bank,
one of the most moral ethical guys on the planet.
They kidnap his family,
and they say, unless you install this software behind the firewall,
and you allow us to steal data from the company,
you'll never see your family again.
And my question is,
you might be the most ethical person on the planet.
If somebody kidnaps or blackmails you
and it could ruin your life or ruin your family,
everybody could be a potential insider.
Yeah, no, this is true.
This is true.
What's the craziest security risk you've seen?
I don't mean like default password on a critical database, but is there anything that stands
out as like, holy crap, I can't believe that that was allowed or that was so risky.
We're just so lucky that didn't go wrong.
The craziest thing is, BYOD, bring your own devices.
If you remember, like 10, 15 years ago, we made a big stink of if somebody was going to access corporate data, you had to go in and use a corporate device.
And then that became too expensive to give everyone their own smartphone.
So now we allow BYOD.
How many people's personal devices that have known passwords, known free software on it,
are allowed to access and connect to the company's network?
How hard would it be for somebody to go in and with a free app,
install malware on your system and then use that to basically compromise your email
or your company's VPN because you have that all installed and set up on your personal device?
Yeah, that makes sense, right?
Because I, and I get it.
I don't want to carry two cell phones, one for my online telehealth company and one for me.
Come on, man, just let me use my cell phone.
I'm only going to answer email on it.
What's the big deal?
And the big deal is it's also got a VPN on it.
It's got company documents, and I'm in the Google Drive that's shared with the company.
And I'm also on the company Box and all this stuff.
Yeah, that's a good point.
I had not thought about that.
What would a cyber 9-11 look like?
It's what's happening right now. They're compromising individuals. They're stealing passwords from you and me and your family, and they're slowly exfiltrating data. But because it's death by a thousand cuts, where they're slowly taking information here, here, and here, we're already in a cyber 9-11. Look at what happened. I told you a couple months ago where the biggest password breach occurred, of hundreds of millions of passwords. And it wasn't because a large database was compromised. It's because all those individual systems were compromised. A hundred million personal devices is a cyber 9-11. It is happening, but because it's so small and it's death by a thousand cuts, nobody's responding or reacting and the media is not covering it, yet it's slowly bleeding information from the U.S., bleeding trade secrets and hurting us, yet no one's aware because it's happening so slow and low.
I heard you were essentially in charge of whether or not Barack Obama was allowed to carry his cell phone. It's crazy in 2025 to think a president wouldn't have a cell phone. Tell me about that.
He was one of the first presidents that actually wanted to have a smartphone or a BlackBerry, and everyone was like, oh, we need to secure and protect it. My issue is I don't care whether he had a device. What I worried about is the tracking of it. Imagine if you could pinpoint where in the White House he was located. Imagine you can pinpoint where he was traveling or where he went on vacation or where he was, because he basically was having a personal tracking device. So my whole issue was not that he had it. It was how do we go in and hide and mask the location so this way somebody couldn't find or identify where he was. So we actually had to go in and put different various VPN devices and remote devices that basically hid his location or covered where he was so somebody couldn't actually use it to track or find or identify him. It's not that they had access. It's where was he going and what was he doing. And a great example is when I worked at Lockheed, if you remember the Joint Strike Fighter, it was compromised by the Chinese.
Right.
And everyone was like freaking out going, they have access to the Joint Strike Fighter. And I'm like, I don't care, because guess what? The Chinese already had access to that information. What I worried about was not that they had access, but what did they modify or change? Because if I was the Chinese and I broke into one of the most sophisticated airplanes, I wouldn't go in and try to steal the information. I would embed code into the system. So now I could modify, change, or alter flight control systems or weapon control systems in-flight of these aircraft if there was a national attack against China or Russia. So it's all about not getting access to the information, but about the identification, integrity, and verification of that data.
Yeah, that's quite scary.
Man, there's a lot here.
I appreciate it, man.
This is an interesting set of topics, man.
It really touches on IP theft from nation states and even securing our own routers because
they're made in China or our own devices or not using free apps.
I mean, there's a lot of practical takeaways here.
Very interesting subject. And frankly, I think it's quite important, obviously. That's why you're on the show. But I'm disappointed. Other people maybe disagree, right? It's sad to me that we care more about a big bomb being used in Iran. Granted, interesting, than we do about the fact that we are being infiltrated and essentially attacked every single day to the point where it has become boring to the news and media. Is that accurate?
It's common. It's so common that, hey, why cover something that's so common and happens all the time, but it's just not a big enough story.
It's like violent crime. Oh my God, my grandma got mugged at gunpoint. Well, that happens a lot here in South Africa or whatever, right, so we're just not going to bother reporting on it. It's like, all right, but that might be a bigger problem. Might want to solve that, folks.
Exactly.
Dr. Eric Cole, thank you so much, man. Really interesting episode.
My pleasure, and thank you for having me, my friend.
What if the most powerful painkiller, memory booster, and mood shifter wasn't in your medicine cabinet,
but in your playlist.
Well, experiential fusion is a term coined by Richard Davidson at the University of Wisconsin-Madison,
who works closely with the Dalai Lama about altered states and meditative states and such.
And the idea is that it's sometimes referred to as flow, although it's slightly different,
a flow state.
You're in the zone.
If you're a basketball player, or if you're a coder, you just lose track of time.
But the experiential fusion that you and I are talking about with music
is that under the right circumstances,
you forget that you're listening to music.
You might even forget who you are.
You become one with the experience.
There is an evidence base now for music therapies and music interventions.
We know that music can affect the immune system in several ways.
Listening to pleasurable music can increase levels
of immunoglobulin A,
an important antibody that travels to the site of mucosal infections and helps fight them off.
We know that music that is pleasurable to you can increase the production of natural killer cells and T-cells, also important for fighting disease and infection.
Some music can lead to reductions in inflammation.
Why music does this and why the immune system responds to it, we don't know.
But it does.
For more on how music hacks your brain's chemistry to heal in ways that medicine can't, check out episode 1147 with neuroscientist Daniel J. Levitin.
Big thanks to Dr. Eric Cole for joining us today. If today's episode freaked you out a little
bit, then good, because that's the point. Cybersecurity is not a movie hacker typing really
fast while green code rains down the screen. It's small, boring, invisible stuff, default
passwords, free apps that are not really free, routers made by companies you can't pronounce,
phoning home to places you don't want them to phone. Remember, if you think you're not being
attacked, it just means you don't know about it yet. And if your business security strategy is basically
strong password and antivirus, congratulations. You're the world's easiest pinata. Links to Dr. Eric Cole,
his work and his book Cyber Crisis will be linked to the show notes. Of course, as always, share this
episode with somebody who thinks the dark web is using incognito mode of their browser or a friend who
still uses their dog's name for every password. Looking at you, Steve. All right, y'all, advertisers,
deals, discount codes, ways to support the show, all at Jordan Harbinger.com slash deals. Please consider
supporting those who support the show. Also, our newsletter, Wee Bit Wiser, we'd love to see you there. You guys love hitting reply to this. I love hearing from you. The idea behind the newsletter is something practical, specific that you can use right away. It'll have an immediate impact on your decisions, your psychology, your relationships. It's a two-minute read. I don't write long stuff for you. Nobody likes that. And I know that. If you haven't signed up yet, I really do invite you to come check it out. It is a great companion to this show. JordanHarbinger.com slash news is where you can find it. Six-Minute Networking is over at sixminutenetworking.com. I'm at JordanHarbinger on both Twitter and Instagram, or connect with me on LinkedIn, speaking of shenanigans. This show is created in association with PodcastOne. My team is Jen Harbinger, Jase Sanderson, Robert Fogarty, Tadas Sidlauskas, Ian Baird, and Gabriel Mizrahi.
Remember, we rise by lifting others. The fee for the show is you share it with friends
when you find something useful or interesting. The greatest compliment you can give us is to share
the show with those you care about. In the meantime, I hope you apply what you hear on the show
so you can live what you learn. And we'll see you next time.
This episode is sponsored in part by the Something You Should Know podcast.
Finding a new great podcast shouldn't be this hard, so let me save you some time.
If you like the Jordan Harbinger show, you'll probably like Something You Should Know with Mike Carruthers.
It's one of those shows that makes you smarter in a practical, useful way.
Same curiosity vibe we go for here, just in a fast-focused format.
Mike brings on top experts and asks the exact questions that you'd want to ask,
and the topics are all over the place in the best way.
Recently, they've covered things like why we care so much what other people think,
the benefits of laughter, why sports fans get so invested, and what makes people like you or not,
The through line is always the same: smart ideas you can actually use in real life. Something You Should Know has been featured in Apple's Shows We Love, and it's got thousands of five-star reviews because it's consistently interesting. So if you want another show that scratches that I-want-to-understand-how-people-in-the-world-really-work itch, search for Something You Should Know wherever you get your podcasts.
Look for the bright yellow light bulb and start listening. You can thank me later.
