Well, picking back up with blogging again. After two years of the pandemic, we had our first vacation to Yellowstone (before the floods!). This is Grotto Geyser on a cloudy and overcast day. When we were here years ago, we were lucky enough to see it erupt, but this time it just gurgled.
Ranchers know that there’s little that can stop a determined buffalo – barbed wire is at best a suggestion. That’s why taunting or poking one is just a bad idea (the guy in Yellowstone recently was extremely lucky). Malicious actors can be a bit like that too – that’s why I’ve written before that ‘hacking back’ is a bad idea for all but nation states, but what about as individuals?
Folks in the security and technology industry often get called by obvious (to us) scammers like Windows Tech Support or ‘Rachel from Card Services’, which are two that have plagued my phone with junk calls. Clearly we’re not going to bite, but should you try to keep them on the phone as long as possible, with the intent that it prevents them from scamming other people? Tempting…very tempting.
There are two classes of bad folks out there – the creative, innovative, highly skilled adversary, and what used to be derisively called the ‘script kiddie’. The latter may or may not have a highly skilled actor behind him pulling the strings, or might just be a run-of-the-mill boiler room operation – mass market cybercrime. The problem is that you don’t really know which one just called you. And that’s why, as tempting as it is to engage them and burn their time, I recommend against it.
For the vast majority of these scams you’re just another number in the machine. So when you don’t bite, it’s not unexpected and they just move on. But do you really want to move from anonymous in the herd to being singled out for attention? Is it worth the risk of angering someone who already has questionable morals, and now decides to target you for specific attacks? You turn a run-of-the-mill attack into a battle of wills against a potentially highly skilled adversary. That’s why I have tremendous respect for folks like Brian Krebs who do active investigations of malefactors. He’s a full-time professional, and spends a decent amount of his time going above and beyond to protect himself. For example, he’s recently started decoupling his phone from his accounts, due to SMS spoofing attacks, and has had his home swatted. Do you really want to have to go to that level? I’d rather not.
I have a lot of respect for our adversaries. Sometimes that’s due to deep technical capability, and others it’s just because they can make life miserable. Either way, engaging isn’t something you’re really going to win or make a difference doing. So next time a scammer calls, just hang up. Don’t poke the buffalo.
A few years back my wife and I toured Yellowstone before meeting my dad for a fly fishing boat trip. It was a beautiful afternoon, warm and sunny, with the shadows just starting to appear. The moon came over the horizon, and this guy looked up at me – a classic Yellowstone postcard.
There were a few other people around, and some who wanted to get way too close. I was grateful when several other folks in the crowd gently (well, maybe not that gently) asked them to back away. Let the wildlife be wild, and get a longer lens!