This week, Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech savvy people get phished, too? To find out, she conducts an experiment on her poor, unsuspecting coworkers.
Further Info: Follow Daniel Boteanu on Twitter
PHIA BENNIN: From Gimlet, this is Reply All. I’m Phia Bennin.
So, for the last couple of weeks, I’ve been wondering nonstop about the same question. The question is about this kind of hack…phishing.
I’ve always had the impression that phishing is something I shouldn’t worry about, because nobody really falls for it. And even here at work, in March, we were trying to figure out how Alex Blumberg’s Uber account got hacked. And when Alex Goldman even suggested the possibility that he might’ve gotten phished, Blumberg got genuinely annoyed.
ALEX GOLDMAN: Do you know what phishing is?
ALEX BLUMBERG: Yes.
ALEX GOLDMAN: Did that happen?
ALEX BLUMBERG: No.
ALEX GOLDMAN: (laughing) You seem so mad!
ALEX BLUMBERG: I- I- I- I can’t imagine giving my password to someone who wrote to me over email.
PHIA: Blumberg felt about it the way I did. Phishing is for dummies. But then a month later, news came out that the President of France, his campaign got phished, like some of his staffers ended up handing over their personal passwords. And actually, I started to notice that a lot of the hacks that I’m reading about recently, they start with phishing—John Podesta, that was phishing, the Sony hack by North Korea—that was phishing.
And, it got me wondering…what kind of person gets phished? Is it just insanely gullible people? Or could it happen to the smartest people I know—people like Alex Blumberg?
PHIA: So, I called up this guy I know, he’s a computer hacking expert, and I asked him, like, how hard would it be to rig up a test to phish Alex. He said, “That’d be no problem.”
And I thought, “Huh! In that case, like, maybe we should try it on everyone at Reply All.” He said, “Sure!”
So, he sent every member of the Reply All team some kind of phishing test. And a couple days later, I asked Alex Goldman, PJ Vogt, and Alex Blumberg to meet me in the studio.
[Studio audio plays]
And they had no idea what it was about.
PHIA: Ok…so, you know how I have been pretty obsessed with, like, how…we could get hacked?
ALEX BLUMBERG: Yeah.
PHIA: And I spent a few weeks just looking into a bunch of different theories of what–how somebody could hack into a computer, into a Gmail account, and one of the theories that came up that we didn’t really spend any time on is phishing?
PJ VOGT: Yeah, because when it came up s–people got offended. Like–
ALEX BLUMBERG: I was offended. I associated phishing with like a clumsy attempt to get you to reveal your password that I feel like I wouldn’t fall for.
PHIA: Well, so after you got offended, I got really curious, and I ended up talking with this one guy, he’s a digital forensics investigator?
PJ: Daniel Boteanu?
PHIA: Daniel Boteanu.
PJ: I remember him.
PHIA: Now good friend of the show.
ALEX GOLDMAN: Real charmer.
PHIA: Total charmer. So…don’t be mad at me.
PHIA: But I asked Daniel if he would try a phishing test on the staff of Reply All and on Alex Blumberg.
ALEX BLUMBERG: Alright.
ALEX GOLDMAN: Oh damn! (laughing) Ohhhhhhh…oh! That is so devious! I’m so mad at you, if I clicked on it!
PHIA: (laughs) Um, so. Oh, I’ll just add one detail, which is before I did any of this I went to President of Gimlet Media, Matt Lieber, and said, “Is it okay–
PJ/ALEX BLUMBERG/ALEX GOLDMAN: (laugh)
PHIA: –if I ask this man to do this thing?”
PJ: And he said yes?
PHIA: Uh. Matt Lieber said “Yes.” He pointed out that without permission someone could be phishing us also.
PJ: Huh. Usually I go to Matt for my “nos” and Alex for my “yeses.” (laughing) I’m surprised you got a “yes” out of Matt.
ALEX GOLDMAN: The suspense is killing me.
PHIA: I gotta say, Matt Lieber actually said, during the whole Uber thing, that he suspected that Alex had been tricked by a phishing campaign.
PJ: Oh, so this was a little personal for him.
PHIA: Yeah, he was like–
ALEX GOLDMAN: Yeah. He has a very low estimation of you apparently.
PHIA: He was like–
ALEX BLUMBERG: Yeah.
PJ: Not every relationship has to be a PJ and Alex relationship.
ALEX GOLDMAN: (laughs)
PHIA: Well, so, okay. So, Daniel started his test on a Monday morning, and by 6 PM, the same day, he had control of somebody’s email.
PJ: Alex is–Alex Blumberg is slowly opening his laptop (laughing).
PHIA: Well, so, ok, so—before we started, I had no idea how Daniel was going to be able to do this, but watching him work…just opened my eyes to all these different things phishing was capable of.
And the first thing that I saw is that Daniel can impersonate anybody. And he said actually, for this test, to test like my co-workers, he was gonna impersonate me.
ALEX BLUMBERG: Oh.
PHIA: So, to start with, let me tell you what happened to our Executive Producer Tim. Because Tim was editing this piece, he was the one person on staff who knew that this phishing test was going to be going on. And, he didn’t know what was going to happen, but it just made him incredibly paranoid. So, for the last week and a half, he’s been sending me Slack messages like almost everyday being like, “I was just phished! You just attempted to phish me!”
PHIA: “I’m catching you!”
PJ: He’s phishing himself.
PHIA: Yeah. So, Monday morning, Tim slacked me and was like, “What’s the audio you’re emailing me about?” And, I have no clue what he’s talking about. But, I see him in the kitchen, so I grab my phone, hit record, and meet him there. At which point, it’s clear he just realized what’s going on.
TIM HOWARD: What did?
PHIA: What, what what, what? I just sent you audio.
TIM: Ahhh. Yeah.
PHIA: Should we go into the stairwell?
TIM: Uh, yeah. So Phia, you don’t know about the email that you just sent me?
PHIA: (laughs) No.
TIM: So I just got an email.
TIM: That was–it had a–it has an audio file. It was sent to me, Alex, and Sruthi. So I click on it. And it says, “Gmail, you know, one password to rule them all, whatever.” And it asked me for my password.
TIM: So I said, “Fuck this!” And I wrote back, “Can you slack me the audio?”
TIM: Because I don’t want to–I’m already signed into Gmail!
PHIA: So you–so you switched–
TIM: –I could tell that it was a phishing attempt for some smart asshole who’s actually emailing me.
TIM: What’s messed up about it that like, somebody on the other end–
TIM: –is emailing me right now pretending to be you.
TIM: And it sure fucking looks like you.
PHIA: He shows me the email and it’s crazy because it completely looks like it’s coming from me. Like, it looks like it’s coming from firstname.lastname@example.org. But, obviously I didn’t send it.
TIM: Yeah, look at–there it is.
PHIA: “Hey guys.”
PHIA: Ahhh! Phia gimlet at R nedia. That’s so funny! R + N looks like an m! Okay, now I really want to fuck with this person.
PHIA: Let me explain how this works. Daniel had bought a domain. He bought the domain gimletrnedia.com, and he was sending the emails from there. But, gimletrnedia looks exactly like gimletmedia.
ALEX BLUMBERG: Damn.
PHIA: And after all of that, Tim and I were walking back to our desks and he was like, “So what’s the audio you were trying to send me?”
PJ/ALEX GOLDMAN/ALEX BLUMBERG: (laughing)
PJ: He’s like a mouse trying to get a cheese out of a trap.
PHIA: Ok. So, here’s the second thing I learned: You don’t even need to fall for the scam for Daniel to learn a ton about you.
PHIA: So, for instance, PJ, you received this email that looked like an invoice coming from a consultant, and when you clicked on the link in the invoice, it took you to a page that looked like a Google login page and asked for your username and password.
PHIA: You didn’t put anything in. But, over in Toronto, the hacker, Daniel, he was still watching you interact with the fake page. Here’s Daniel:
DANIEL BOTEANU: My records show that he clicked on it from an iPhone.
DANIEL: Uh, probably saw that it was something suspicious, clicked on it a second time from an iPhone. And then, I have records showing that the same link is opened two more times from Mac computers, but two different computers. So, I’m guessing PJ saw that something was going on and he started digging a bit deeper and–and trying to find out what happened or wh–what’s happening with this email.
DANIEL: And, I’m suspecting that after PJ maybe sent an email internally saying, “Hey guys! This is what I got. Just be careful. Don’t click on this–on this email.”
PJ: Wow! He could tell that? It’s so funny. It’s like knocking on the door of somebody’s house.
PJ: Like even if they don’t answer, like, a light turned on, and it turned off.
PJ: Like he can figure stuff out.
PHIA: Right. Yeah!
PJ: Like, I opened it–I opened the email, thought it was real–
PJ: And then, like, I figured out what it was.
PJ: And I was really curious. Like, I was like, “Oh, I wonder if I can learn anything.” So I was like, trying to like, examine the package to figure out what was going on. And the moment that I was like, definitively realized it was fake was that in the signature of the email there’s a phone number.
PJ: And I googled the phone number and the phone number didn’t go to like, the made up company that they were doing.
PJ: And I posted in Gimlet slack saying “Hey everybody, watch out. Someone’s trying to–it seems like somebody is targeting Gimlet in particular.”
PHIA: Right, and the reason Daniel had thought you had done that is because he had sent the same email to a bunch of members of the team, and after you looked at it for the fourth time, nobody else clicked on it. And, that’s okay for Daniel because he can try like, all different methods of phishing the team, and he can try it a bunch of different times, so since you’re sounding alarm bells, he probably won’t include you in the next phishing attempt.
PHIA: So Alex, what–what did you get?
ALEX GOLDMAN: I have no idea!
ALEX GOLDMAN: I’m–I am on tenterhooks. I do not recall this at all!
PJ: So you didn’t figure out that anything was going on (laughing)!
PHIA: So you got an email that was just like Tim’s, but I was in the room when you got it. And you turned to me and you were like, “What is this?! Why do I have to listen to this?!”
ALEX GOLDMAN: Did I open it?
PHIA: You did not open it. Congratulations.
ALEX GOLDMAN: That is definitely not because I was smart enough to recognize it was a phishing scam.
PJ: I feel like if you had not been in the room, this would have worked.
PHIA: I know. And–and Daniel said the same thing. He was like, “If I was trying this phishing attempt in earnest, I would’ve tried to impersonate somebody who I thought wasn’t gonna be in the office that day.”
PHIA: Ok. So, now for the third thing I learned, which is my favorite thing I learned. Even when you try to protect yourself, like when you set up two-step verification, you’re still not safe. So, this happened towards the end of the day. At this point, nobody on the Reply All team had fallen for it.
DANIEL: I was a bit disappointed at first when I saw that aw, it didn’t work. Maybe we–we did this, all of the emails came at the same time. We should have changed some things. But then, we got the big tuna.
PHIA: So, the big tuna. I think we all know who that is.
ALEX BLUMBERG: So, I–it worked on me but I want to claim–
PJ/ALEX GOLDMAN: (laughing)
PJ: Just skipping over (laughing)…
ALEX GOLDMAN: Yeah. Way to–way to brush right past that.
ALEX BLUMBERG: So I went–so I got the email. And I was like–
PJ: What did yours say?
ALEX BLUMBERG: Mine says… uh… hold on. Mine says–
ALEX GOLDMAN: Who’s it from? Is it from–
ALEX BLUMBERG: It’s from Phia. And it says–it says: “Uber update. Hey Alex, I was wondering if there’s– if we’re giving away too much of your personal information in the Uber update tape with Troy. Will you listen and let me know what you think. Not kosher. Question mark.”
ALEX BLUMBERG: And so–and so it was just–and then there was just like this little thing, there’s a little, you know, Uber update. And it’s coming from Phia at what I now realize is gimletrnedia.com
ALEX BLUMBERG: Uh…which is really amazing, like you don’t–you don’t notice the–I know that that’s what it is and it still looks like gimletmedia. It’s crazy. So then–but–so I didn’t open it, cause I was like I don’t have time. Again. I might’ve–it might’ve worked anyway. And then I was like, up on the third floor, you were in–in a meeting with…
ALEX BLUMBERG: Sruthi. And I was–and I saw you guys and I went over, and I like motioned if I could come in. You were in one of those glass–
ALEX BLUMBERG: –conference rooms. And I was like, “Hey, I got your email! What’s that about?” And then you looked so confused and–and like, mad, that I thought you were like having–
ALEX BLUMBERG: And I was like, “Oh, I’m just being an asshole. I just bumbled into their meeting like I’m the CEO.”
ALEX BLUMBERG: I was like, “Don’t worry. Don’t worry. I’ll listen.” And so then I left. And then I was–I had this whole narrative where I was like, “Was that–would I have done that–is this like abuse of power?”
ALEX BLUMBERG: And I was like, “No, I wave people in sometimes too! It’s ok!” So, there was all this guilt that was like, sort of driving me to like complete the task of listening to this audio. And so then I went down there and–and then I clicked on it to listen to it. And then…and then it’s like it–it impersonates a Google Drive.
So then you have to go and like put in your password and stuff like that. Which I did. Because I was like, “I gotta help–I gotta listen to the thing for Phia.” But if, I don’t–I don’t know–yeah.
PHIA: You not only put in your password, you put in your–your two-factor authentication code.
ALEX BLUMBERG: Yeah! Yeah.
ALEX BLUMBERG: Yeah, yeah, yeah.
ALEX BLUMBERG: Which would–yeah.
PHIA: Daniel would fully be able to get into your email account.
ALEX BLUMBERG: Yeah, so how does that work? So what did he do? He–he was like–what- what–what was I putting my actual two-factor authentication code into?
PHIA: What you put it into is his own little page that then forwarded it–
ALEX BLUMBERG: That’s on his computer.
PHIA: Yeah. So, that’s on a server. And, when you put in your username and your password on his page, he just immediately forwarded that to a real Gmail login. And from there, because he put in your username and password, a two-factor code was texted to you.
And, when you then put that again into his fake page, he immediately put that into the real Gmail login page and he was completely into your Gmail. And the server he was using was actually based in New York, so if you check where you’ve recently signed into Gmail, it will show a New York-based location, which is what Daniel says, they would really do if it was a targeted phishing attempt.
ALEX GOLDMAN: That’s hella sophisticated.
ALEX BLUMBERG: Right. That’s really imp–interesting. I do feel like if I hadn’t…you–you basically said you sent the email.
ALEX BLUMBERG: You did, though.
PHIA: You came in and I said, “I don’t know.”
ALEX BLUMBERG: You said “I don’t know,” but you were like…
PHIA: And you said, “I didn’t look at it, you don’t really remember. I’ll go back and check.”
ALEX BLUMBERG: Right. Cause I was like, trying to help you out. And get back to you in time.
AG/PJ/ALEX BLUMBERG: (laughing)
PHIA: I–I know you–(laughing) thank you.
ALEX BLUMBERG: After–after rudely interrupting your chat with Sruthi.
PHIA: Thank you.
ALEX BLUMBERG: I don’t know. Yeah. No, I mean it feels like obviously, like, yes, if you–if you have like your entire company conspiring to phish you, yes. They can trick you into clicking on something. I don’t think that proves anything. If they know–if they know every little bit of context around your life, you can be tricked.
ALEX GOLDMAN: I think you are being a little too cavalier about this.
ALEX BLUMBERG: You can be tricked.
PHIA: Do you feel any differently about how offensive of an idea it was that you might’ve gotten phished?
ALEX BLUMBERG: Yeah. Uh, no, I mean, yes, I do. But, I’m–I feel like, this will–unfairly, you know, sort of solidify a narrative about me that I’m not–that I’m not happy about.
ALEX BLUMBERG: I f–(laughing) if you hadn’t said the thing about how Matt that it was like–that I was phished–
ALEX BLUMBERG: Then I’d be responding to this whole conversation very differently. But yes, for the purposes of everybody out there, you–you too can be phished.
ALEX BLUMBERG: Um. Ok.
PHIA: We’ve kept you more time than we should.
ALEX BLUMBERG: Alright. I gotta go. Bye!
PHIA: Alright. Bye!
PJ: Thanks, Alex.
ALEX GOLDMAN: Bye!
PHIA: I left that studio feeling like my experiment had totally failed. I’d convinced myself that phishing was real, and pervasive, but I hadn’t convinced Alex at all. All I’d done is like, made him feel suckerpunched. So, I decided the only reasonable thing I could do now was to expand the experiment. The results of that, after the break.
PHIA: (clears throat) Ok.
ALEX BLUMBERG: Seriously, why are you all here?
PHIA: Does eh–everybody have a microphone in front of them?
ALEX BLUMBERG: Uh–I do.
ALEX GOLDMAN: Yup.
PHIA: Ok. So… the last time, uh, we were all in a room together.
ALEX BLUMBERG: Yes.
PHIA: We…uh, talked about this phishing test that I had–
ALEX BLUMBERG: Yeah.
ALEX GOLDMAN: Surreptitiously performed.
ALEX BLUMBERG: Yeah, which I got–I got really salty about. Which I’m embarrassed about now.
PHIA: You are?
ALEX BLUMBERG: Yeah.
ALEX BLUMBERG: I think I overreacted.
PHIA: I–I felt like–I left that room feeling so guilty and just like, bad about it.
ALEX BLUMBERG: No…it was just–it was–no, it wasn’t you. It was me.
PJ: But you did–you–you–underneath the saltiness you were making an argument, which was that…you felt like–cause what we were trying to say–or what, like–
ALEX BLUMBERG: I thought I was gonna filt–fit into a false narrative about me.
PJ: And–and rather than it being about whether phishing worked, it was about–you felt like it was saying that you, Alex Blumberg, are like a–a bumbling–
ALEX BLUMBERG: A bumbling Mr. Magoo–
PJ: Like if everyone else is like yes on this–
ALEX BLUMBERG: –on the internet.
PJ: –you’re like a no somehow.
ALEX BLUMBERG: Yes. Exactly.
PHIA: Right. Well, it–it seemed like, you agreed on an intellectual level that like, yes, anybody is capable of getting phished, but…on an emotional level, like, this didn’t really demonstrate that.
ALEX BLUMBERG: Right. Wait, are you telling me that I’ve been phished again? (laughing) Is this all about—?
ALEX BLUMBERG: (laughing) God!
PHIA: No, no, no, no! No! No.
ALEX BLUMBERG: You brought me here to murder me!
ALEX BLUMBERG: To murder my–to murder my ego!
PHIA: No! It was just, after we talked in the studio the other day, we were, as a team, like trying to figure out like, how–how could we do something that like actually, at like, an emotional and an intellectual level felt like people get phished and, uh, without it feeling like a murky test.
ALEX BLUMBERG: Uh-huh.
PHIA: So, like–and–and proof that like it’s not just Magoos that get phished, like smart people get phished too.
ALEX BLUMBERG: Ok.
ALEX BLUMBERG: (laughs)
PHIA: And, um–and so it was like, is there somebody that Alex thinks is really smart that we could try the phishing test on, and then it would feel–and we could do it like very purely, and then like, that would sort of make–make you feel better.
ALEX BLUMBERG: Help me feel better by helping somebody else feel bad (laughs).
PJ: There’s like–
PHIA: Yeah, I’ve learned no lessons.
PJ: Tell more lies. To more people. Yes.
ALEX BLUMBERG: I’m down.
PHIA: So it was like, should we–should we try to phish like Ira Glass, your–your old boss.
ALEX BLUMBERG: Yes.
PHIA: Or maybe your old colleague, David Kestenbaum, or your brother-in-law, who’s like super, super smart. But we couldn’t actually get permission to phish Ira or David, and it turns out that your brother-in-law doesn’t really use Gmail, which we needed for this phishing test.
So…then we were like, maybe we’ve been thinking about this all wrong. We do know somebody that Alex thinks is smart. And like, and that person also is maybe the source of part of why this feels so bad for Alex. So…you look so confused right now!
ALEX BLUMBERG: Wait, did you guys phish Matt Lieber?
PHIA: So…I thought it might be interesting…
PHIA: Um. So–so yes. So, we thought, “What if we tried it on Matt Lieber?”
ALEX BLUMBERG: Yeah.
PHIA: But this time I wanted it to be very pure, so I was like, “Daniel, do not tell me like– like, I’m not going to be informed about anything that you’re trying to do. Don’t help me cook this up with you–”
ALEX BLUMBERG: Right.
PHIA: “Just try to phish Matt Lieber.”
ALEX BLUMBERG: Got it.
ALEX BLUMBERG: Very exciting.
ALEX BLUMBERG: So when was this?
PHIA: So this was Monday.
ALEX BLUMBERG: Ok.
PHIA: So Monday–
ALEX BLUMBERG: And it’s now Friday.
PHIA: And it’s now Friday.
ALEX BLUMBERG: Ok.
PHIA: So on Monday, Daniel sent Matt the phishing test, and literally forty-one seconds later, Matt had fallen for it… he was phished.
ALEX BLUMBERG: Wow.
PHIA: So, obviously I wanted to tell him what happened. And I grabbed him, brought him into the studio.
PHIA: I think this is the first time I’ve been in a studio with you.
MATT LIEBER: I know!
PHIA: But before I could tell him that he’d been phished, I had to tell him that you’d been phished, and as soon as I told him that, he actually just started, like crowing about it.
MATT: He–he fell for it?
MATT: No. He fell–he got phished?
MATT: Amazing. So you–he–you–ok. So you successfully, um, phished Alex. Your boss.
MATT: Ok. Wow.
PHIA: So, when we started this whole project, did you think that Alex–like, did you think that he was likely to fall for it?
MATT: (breathes out) Yes.
MATT: Um, uh, how do I say this without being like, “Oh, he’s a totally credulous dolt.” He’s in general–he’s a v–you know, he’s a very emp–he’s a…he always assumes the best in people.
MATT: And he’s generally like a very empathetic person, that’s one of his superpowers. And so, I don’t think he’s like looking out for people who are trying to screw him.
MATT: I’m the more, like skeptical person–
MATT: –when it comes to other people’s motives.
PHIA: Yeah. Ok.
MATT: But I just want–I don’t wanna come off like I’m being a jerk about Alex.
Because Al–obviously Alex is like a great journalist. He’s–which requires him to be skeptical.
MATT: And the truth is, the fact that he was phished, tells you that this could happen to anyone who is targeted.
PHIA: Right. So I think the same thing you think. I think like, everybody needs to be like crazy paranoid all the time. And it is possible to phish anybody if you’re targeting it. But, Alex felt like it was like not a clean test and therefore he, like, doesn’t feel like–
MATT: I’m now–
PHIA: –anything’s been proven.
MATT: I’m now of course terrified that you’re gonna be like, “We also phished you! And we did so successfully.” Did you?
PHIA: Well, have you received anything weird from anyone?
MATT: I don’t know.
PHIA: Like, anything like today, maybe…?
MATT: (inhales) Oh my god. Did you phish me?
PHIA: (long pause, then laughs)
MATT: (laughs) Oh my god, now this is like we’re in a David Mamet movie.
PHIA: I feel so…I’m…this is like the worst experiment I’ve ever done. Um. So, earlier today…
MATT: Wait. Yeah.
PHIA: You got an email from Alex Goldman?
MATT: Oh my god! Fucking Goldman! That was weird. Because of the way the file was attached.
MATT: The weird thing about it was because I kept having ih–the two-factor authentication thing (laughing).
MATT: Oh my god…this is just th–this is humiliating.
PHIA: (laughs) Uh!
MATT: Because, I’ve sat here in judgement of Alex.
PHIA: No! But you actually like, this confirm–does this confirm for you that it could happen to anyone?
MATT: Yeah. It could happen to anyone. (laughing) It–If you’re an idiot like me. God, he’s so br–this Daniel! We should–we need to hire this Daniel guy!
MATT: He has such good insight into what would tweak people.
MATT: Because he sent me an email saying, as though it were from Alex Goldman saying: “One of our producers found this document posted online, which reveals Gimlet’s salary levels. Um. Is this something that you think should be public?” And I was like (gasps). I was like, “Oh my god.” Like cause if everyone’s salaries got out it would be like a nightmare, right? So, I click on it. It’s a PDF and in order to view the PDF I have to log into my–my Gimlet account.
PHIA: Your–yeah, yeah. Your email.
MATT: Which I do. I put in my username and password, which now I need to change (sighs).
PHIA: That’s why I wanted to talk to you today.
MATT: (laughs) And then, I did the two-factor authentication. I responded to Alex and I cc’d Katie Christiansen, our Director of People Ops–
MATT: –who, is the person who would like, know what the answer to like why is this out here?
MATT: And…she said, “I can’t see the file.” And…when I went back to download it again I had to do the two-factor again and I’m like, “That doesn’t make sense. Like, I just did the two-factor authentication, why would I have to do it for a second time?” But of course I was like, in the middle of a bunch of things, and I was just like, “Ah whatever, it’s Google. I trust Google.”
MATT: And I put it in. I feel like such a jerk now.
MATT: Well, I feel like a jerk because I was saying like, “Oh, Alex Blumberg. What a–what an old person who doesn’t know how to, like, protect himself in the real world or online! Because he doesn’t have me!”
MATT: Mr. Savvy. Like, Mr. Savvy Skeptic who like–ugh, terrible. Wow. This was a real comeuppance. (sings) Da dun da dun da dun (blows raspberry kiss)!
PHIA: So, that’s what happened to Matt.
ALEX BLUMBERG: God! I–I feel terrible now because I feel better.
PHIA/PJ/ALEX GOLDMAN/ALEX BLUMBERG: (laugh)
PHIA: Ah! Then like, one of my goals actually happened.
ALEX BLUMBERG: Yes. I do feel better.
PHIA: You do?
ALEX BLUMBERG: Cause I do. Like I do feel like Matt is the way more suspicious one and in–if I had to choose like which of us is harder to phish, I would’ve chosen Matt. For sure.
PHIA: Here’s–here’s the one thing that comforts me a little bit…I never phished anyone that I assured I wasn’t going to phish.
ALEX BLUMBERG: (laughs)
PHIA: And that is a small comfort, but it is a comfort!
PJ: That is wild! That that is–that that helps you sleep at night.
ALEX BLUMBERG: Yeah.
PHIA: It does!
ALEX BLUMBERG: That is really…
PHIA: So, I wanna say now: I promise to never phish anyone in this room again.
PJ: Just in this room?
PJ/ALEX BLUMBERG: (laugh)
Reply All is hosted by PJ Vogt and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We’re mixed by Rick Kwan.
Special thanks to Kashmir Hill, Emily Kennedy and a HUGE thank you to our phisher Daniel Boteanu.
Our theme song is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings.
Matt Lieber is bubble tea.
Applications are open to be Reply All’s Fall Intern. The deadline for applications is 9 AM on May 29th and you can find out more on our website, replyall.limo. And you can find more episodes of the show on Apple Podcasts, Spotify, or wherever you get your podcasts. Thanks for listening. We’ll see you next week.
PJ: Hey guys! Before we go, we just wanted to ask you for one quick favor. So, there’s a short survey at replyall.club that we’re asking people to fill out. Basically, it helps us put advertisers on the show and continue to make the show. If you’re looking for like a short, easy way to help us out, this is actually like, hugely helpful. And, we’re going to give a free Gimlet membership to somebody who takes the survey. Could be you.
If you’re interested, go to replyall.club. Thanks!
Alex agreed to let PJ hack his phone, giving him 24/7 uninterrupted surveillance over his life. This week, everything you can learn about someone who completely surrenders their privacy.
PJ VOGT: From Gimlet, this is Reply All. I’m PJ Vogt.
ALEX GOLDMAN: (laughs) Oh man…oh man…hi!
ALEX: (laughs) How’s it goin’?
PJ: Good. So, a while back we decided to do an experiment.
PJ: And the experiment was this. We had read that Donald Trump uses an old, easy to hack Android phone—a Samsung Galaxy S3. And so we wanted to find out if somebody were able to hack his phone, what could they find out about Donald Trump.
You like very—without very little persuasion—I was like, “Hey, can I hack your cell phone for a while?” And you were like, “Yeah, that’s fine.”
And so what we did is, I bought a Samsung Galaxy S3 off of eBay. I bought some just like, consumer spyware software, I loaded it onto the phone which was really easy, I basically had to jailbreak it and then visit one website, which took about five minutes. You agreed to not use your iPhone, to only use this phone, which meant that I had unfettered access to your life.
ALEX: And I just want to—I have a lot to say about my exper—(laughs) about my experience.
PJ: That’s why we’re here.
ALEX: First of all, using this phone was like a painful odyssey. Like I just felt like I was using a phone that felt, um, totally alien to me. Not only because it’s not an iPhone but because it’s older. It’s like 6 or 7 years old, and in technology years that’s like—
PJ: Three decades.
PJ: So what? So what was hard?
ALEX: (sighs) Well, let’s see. Wh—what was hard?
PJ: You have it right now?
ALEX: I have the phone in my hand.
PJ: It’s like a—it looks like an old pho—like it’s like—it’s kind of like from the era where things were rounded in a way that’s supposed to look high tech, but it just looks like somebody’s birth control container.
ALEX: (laughs) It look—there’s a ton of shovelware on here, just like a—
PJ: What’s shovelware?
ALEX: Just like a bunch of garbage that was preloaded onto it.
PJ: Like what?
ALEX: Beats Music. Chat On. AT&T Locker. AT&T Family Map. Group Play.
PJ: Most of these things sound like sex stuff. Like Chat On? Group Play? I don’t know about (laughing) AT&T Locker…
ALEX: Samsung Hub. S Memo.
PJ: Ok, but whatever. It has a bunch of crap on it that you’re not gonna use. That doesn’t seem like such a problem.
ALEX: It has an app…called Let Go.
PJ: (laughs) Is that like a pro-suicide hotline?
ALEX: That to me just sounds like—that to me just sounds like, (whispers) “Give up, Alex.” Um, there was like, an extra lock screen on top of the lock screen that I had.
PJ: So you had to unlock your phone twice?
ALEX: Yes, I had to swipe through twice.
ALEX: To say nothing of the fact that the battery’s seven years old, so the phone died every … you couldn’t use the phone for more than an hour and a half. I’ve had it charging all day, it’s at 61%. It was at 74% when you walked into the room ten minutes ago.
PJ: Got it. That is frustrating. Also, I think the other reason the battery may have been dying a lot was because, uh, the phone was doing a lot.
PJ: Not just the things you asked it to do.
ALEX: Ohhhhh godddd…
ALEX: The other thing that I should mention is that—
ALEX: Is on the first episode, we agreed that I would do this for a week.
ALEX: And then it just sort of kept going, and no one said anything, so I just kept using the phone. I think I ended up using it for three weeks.
PJ: Yeah, that’s true. That’s true.
ALEX: My—my wife was furious.
PJ: I wondered if she had any feelings about this thing you agreed to do that violated all of her privacy as well.
ALEX: Not because of the privacy stuff, just because the phone was so unusable that she had a very hard time getting in contact with me.
PJ: I noticed that.
PJ: (laughs) Ok. Here’s what it looked like from my end of things. I have—I have this—basically, I go to my web browser, I could go to the—the like, interface for my spyware, and I get this dashboard. Basically, it’s like the same graphic design as like when you do router set up at your house.
PJ: Um, but it shows me like, exactly where you are right now on a map, it shows me your battery level, which is always very low.
PJ: Um. But then, I can open it up and I have…a recording of every phone call to or from your phone.
PJ: I’m watching you learn things.
ALEX: Ohh … boy
PJ: Um. All your texts.
PJ: All your—uh, MMS. Like so, photos you sent. All the photos you yourself took on the phone. All the videos you took on the phone. Any audio files you made on the phone. The wallpaper for your phone, which you never changed.
And then, what I could do is I could ask the phone to record for a period of anywhere from one minute to I think an hour. And it would just record, like from its microphone, starting then and it would send me the audio file.
PJ: And then, I could also ask it to take a picture, and so I have a bunch of pictures from your phone’s camera that I took. Uh—
ALEX: And, would they store on my phone or would they go straight to you?
PJ: No, they’d just send to me. They were for me not for you.
ALEX: Did you get anything good?
PJ: Well, let me tell you about that. So…[long pause], this has been a very frustrating experience for me. Uh, it’s been a very frustrating experience because…you are perhaps like—there’s no one worse I could’ve picked to surveil.
PJ: Can I, yeah, can I—can I play you some of what I picked up on my wiretaps?
ALEX: Yeah, please, now I’m very excited.
PJ: Here’s a conversation with you and Sarah.
SARAH O’HOLLA: Hello?
ALEX: Hey, babe.
SARAH: Can you hear me?
ALEX: Yeah, can you hear me?
ALEX: I’m on my way home.
SARAH: Are you…? What’s goin’ on?
ALEX: I’m in the train.
SARAH: Ok. When do you think you’ll be home?
ALEX: Probably around 9:30. Maybe, like, 9:45.
SARAH: Ok. I have to—I may have to stop and get cash for Devlin so I wanted to make sure.
ALEX: Ok. So you’re going to be home first?
ALEX: Ok. I also got cash for Devlin, but, uh, now I have cash for me.
PJ: That’s a big twist.
ALEX: (laughs) You don’t find that the least bit exciting?
PJ: You also send her so many pictures of just like, if there—if the train’s crowded, you’ll send her a picture of the train being crowded, like a lot. Like I was like, “Why is he taking pictures of all of these people?”
ALEX: There were some pretty serious train problems in New York City…
PJ: Oh I know—
ALEX: —and New Jersey transit.
PJ: —you also talked about them in the morning in the office. Here’s like a—here’s like a pretty crazy conversation you and Tim have:
ALEX: Hey, what’s up?
TIM: Morning dude, how are you?
ALEX: (sighs) I feel like shit. I didn’t get any sleep last night (sighs).
ALEX: I feel very bad.
TIM: Why didn’t you get any sleep?
ALEX: Because I have a two—because I have a two-year-old.
PJ: Can you hear Tim not caring?
ALEX: Yeah, I sure can.
TIM: Um, alright. So um…
TIM: I’m going to…uh, let’s see. Do you have a list of like, uh, retrack things?
PJ: You spent 20 minutes talking about like minor edits for that week’s episode.
PJ: I now own hours and hours and hours of recordings that are just like this. Like, there’s nothing. There’s like no behind the scenes. Like it’s like a movie, and then they do the director’s commentary, and it’s just the dialogue of the movie again.
PJ: And then like, another way I thought I could get you to reveal something about yourself, it’s just like, if it’s not your thoughts, it’s like where do you go? Like, there’s this feature where it shows me a map, and every single time you move, there’s a dot on the map, so I can see like all your patterns over the course of these three weeks.
Here’s what I see, like when I hit the video and watch you travel. You start at work, and then at the end of that first work day, you get on a train, and I see your dot travel on the train to Manhattan, and then I see you transfer trains and travel to New Jersey, and then you go from the train station in New Jersey to your house. And the next morning, you do the exact same thing, but just backwards.
ALEX: (laughs) This—this makes me feel really bad about my life.
ALEX: What did—what did you—just give me a scenario! What did you expect?
PJ: I don’t know, maybe you had a friend I hadn’t heard about. Or a hobby you’d never mentioned. Or like, just… a secret. One secret. Maybe you had one secret. Maybe it wouldn’t be a dirty secret or a good secret, just a secret!
PJ: There was one point for like one moment, when I was reading all your text messages where, at least like an outside observer, it did look like you were absolutely having an affair.
ALEX: Come on!
PJ: You sent a message to a person—you have, you have an exchange where somebody tells you: “I really want to have our slumber party one day?” Um…and they were like, literally inviting you over that night. And they were like, “Here’s my address, call when you’re here. If you want home-cooked food, there’s home-cooked food.”
PJ: Is this stressing you out? It like stressed me out to read this.
ALEX: I have no idea what this is about. This is stressing me out!
PJ: It was Sruthi.
PJ: Like it was like some late night when it was a winter storm, you didn’t know if you could get back to Jersey.
PJ: And she was sort of saying like, “Oh, you can crash at our place, but if you want to go home.” But like, it was the thing where it was like, “Oh, if a random person were looking into you, like if like the FBI were looking into you, they’d be like: ‘This is definitely bad.’”
ALEX: Right, right. But … yes! Oh my god. The shorthand we use with each other… oh, that could’ve been very terribly misconstrued!
PJ: Uh, yes. But for me…so, I got so…bored. And I was like, it—it really felt like I was like, “Well, we said we were gonna do this, but I still wanted to find something.” And then it occurred to me like, if this really is like somebody spying on Trump, you know, it’s not just like one person spies on Trump, like if it’s the NSA they have like junior analysts. There are like people whose—
ALEX: Oh, c’mon!
PJ: Yeeah. Yeah. So I…do you know Emily Kennedy?
PJ: So Emily Kennedy, for people who don’t know Emily Kennedy, she’s a freelance radio producer, she—we’ve worked with her, but always remotely. And so I was like, Emily, do you want to be like a junior spy analyst of Alex Goldman’s life?
ALEX: (inhales and exhales) Hm. I didn’t—I didn’t explicitly give you permission to do this!
PJ: That’s true.
PJ: So I—I handed it over to Emily and like, Emily came into it differently because like, she—you guys haven’t met in person.
PJ: So like, I gave—I handed the controls over to her for a weekend, and basically like she caught the same stuff that I did, like she got a lot of you with your family, talking to Sarah, singing to Harvey. Her main takeaway is just she really, really loves your life.
EMILY KENNEDY: He just seems like such a good dad. Um, you can like see the like heart eyes emoji like appear on your screen.
EMILY: You know? It’s so cute. Um, but it also like—I don’t know, something about listening to children, on like—on a like a super shoddy recording, laughing, makes me feel like a, like something is imminently going to happen to this like, very nice family, with this like, very nice mom and this very nice dad, who are like, reading “Thomas the Tank Engine” all together with their kid. And you’re like, “Oh fuck,” like, “You guys are going down.”
EMILY: There’s a serial killer standing outside (laughing).
PJ: What else, uh, jumped out at you, what else was interesting?
EMILY: Oh my god, okay, there was an amazing moment, which I feel like you’ll appreciate.
EMILY: Um, okay, so he—so this was… let me see, I have like notes on this that I can pull up, too, because it was just so good. So he’s in his house, I think he walks up the stairs, and then he says to his wife, like, “Where’s the shopping list?” It was on the table.
[AUDIO COMES IN HERE]
EMILY: Um, and then, and then it gets really staticky. And then, uh she goes, “Uh, where do you want to—where are you going to the grocery store?” And he says, “I don’t know, do you want me to go to Trader Joe’s, I don’t give a shit.”
[ALEX: Unless you want me to go to Trader Joe’s, I don’t give a shit.]
EMILY: Um, and she goes, “I don’t care where you go.” And then he goes, “Hey, I love you,” which is like this very sweet moment. Um—this is so weird to talk about. Ok. I’m going to keep going.
EMILY: (laughs) Um, and then, ok, and then he leaves the house which is really exciting because it felt like that was the first like real scene tape that I got, of like—like you could hear him jangling his keys, and you could hear the door shutting, and like, you felt like he was going somewhere.
PJ: ‘Cause it has so little story, it’s like anything that happens feels like a story.
EMILY: (pauses) Yeah. Exactly! Exactly.
PJ: So, the thing that Emily found, like, the big moment…it happens next.
PJ: You get into your car, you turn on, like whatever the pop rap radio station is in Jersey, Hot 97? And then you start driving and after a couple minutes you just start laughing to yourself.
PJ: It’s…it’s like that kind of laughter. And it like, goes on. It’s like a full minute where you’re just like…just like laughing—
PJ: —then you’ll stop. And then you’ll start laughing again. And it’s like a song on the radio. It’s like not from the radio.
ALEX: (laughing) I’m gonna tell you something about myself.
ALEX: This might be my one secret! (laughs)
ALEX: If um…I watch a comedy show. Or re—listen to a comedy podcast, and there’s a moment that I think is particularly funny, if I think about it, while I’m by myself, (laughing) I often start laughing very hard.
PJ: (laughs) And laugh—
ALEX: Do—do you have the recording?
PJ: Yeah. It’s kind of a low quality recording. Um…
ALEX: (whispers) I really wanna hear it.
PJ: Ok. Here, let me play it for you.
[AUDIO RECORDING PLAYS: hip hop music playing and Alex laughing to himself and coughing]
ALEX: WHAT IS THAT?!?!
PJ: (laughing) I don’t know, you’re doing that thing where you laugh so hard, you start coughing, though—
PJ: Do you see what I mean about it being like…
ALEX: (laughs) THAT’S SO WEIRD!!! That’s so weird!! Hahaha…WHAT?!!! STILL LAUGHING!!!
ALEX: (laughs) That’s so weird!! Oh, this is the most embarrassing thing that’s ever happened to me!
ALEX: It’s soo weird!
PJ: Yeah, it is so weird!
ALEX: It’s so weird!
ALEX: It’s that—that is like my worst nightmare about what you could find out about me.
ALEX: That I’m like a creepy self-laugher! In a car by myself! It’s so weird.
PJ: Do you wanna hear something that maybe will make you feel better?
PJ: Um, do you want to hear yourself singing to your son?
ALEX: Yeah! That’d be great.
PJ: Um…oh, here’s your song with Harvey. Towel song?
HARVEY GOLDMAN: (screaming and laughing) A towel!
ALEX: A towel!
HARVEY: A! A towel! A towel.
ALEX: A towel! A towel! A towel! A towel! A towel! A towel! A towel!
[AUDIO FADES UNDER]
ALEX: This makes me feel happy.
PJ: Because you’re hearing you with your kid?
ALEX: Yeah. I love that guy.
PJ: So that’s your life. You go home, you sing to your kid.
ALEX: Sounds great!
PJ: Then you get in the car…
ALEX: (laughing) And then I laugh to myself!
PJ: All the murders you’re gonna do.
ALEX: (laughs) That is truly so weird.
PJ: Coming up after the break: A world of creeps.
PJ: How you feeling Alex?
ALEX: Uh, you know, a little worse for wear, but pretty good.
PJ: Ok. So I have to tell you something.
PJ: So, our last conversation was a week ago. In that time, I have learned a lot of things about the tool that I used to spy on you, it’s called FlexiSpy.
PJ: All of those things are pretty bad.
ALEX: Great…(laughing) great.
PJ: Yeah. Uh, so I’m gonna tell you the things that I’ve learned which make me feel bad, you can feel bad, also some of them you, personally, I think just like need to know. Ok. So, Joseph Cox, the Motherboard reporter who told me about FlexiSpy in the first place, while we were doing our experiment he was just learning as much as he could about this tool.
PJ: But Joseph has been focusing on domestic violence. Because it turns out the kind of person who wants to control you by invading your privacy can also be the kind of person who will be violent towards you.
PJ: Yeah, it’s bad. He told me about this survey; 75% of domestic violence shelters have come across somebody who’s come in and said, “I found software like this on my phone.”
ALEX: Aw, Jesus Christ. Does Joseph know anything about this company that’s doing this?
PJ: So…he was able to get data on FlexiSpy and this other similar company. They have way more users than I would’ve thought. They have like a hundred…he thinks like 130,000.
ALEX: I would’ve guessed 10.
PJ: I know! Especially because the software’s really expensive. Like, the package I got was $200. I think there’s a cheap one for 50 bucks. But like, this is profitable…it’s international, although the United States is like a lot of their business. Also, he found out that they explicitly are targeting a spouse situation. Like, basically they bought up a bunch of ads on Google, and if you search like, “How do I catch my cheating husband? How do I catch my cheating wife?” you’re likely to see ads for their software.
ALEX: This is like a classic blind spot for Google. If I were Google, those are the kind of ads I would delist. You’re not explicitly breaking any rules, but it’s just…it creates a scenario that facilitates like, violence, and terribleness and like, just…facilitates like human misery.
PJ: The other thing is…it is illegal. So like, this is a point that somehow just flew over my stupid head, you’re not allowed to wiretap people.
ALEX: So how can they sell this stuff?
PJ: Because they’re not located in the US, like the companies that do this for the most part. They can say, if they’re smart, like, “Well, we don’t know that people are going to use it for that.” But what makes FlexiSpy, the company that I used, like particularly bad, is they’re telling people to use it for this. Like, they’re not even winking.
So, the big thing that happened, uh, between when we started this, and when I spoke to Joe yesterday.
ALEX: Can I take a guess?
ALEX: Were they hacked?
ALEX: Aw, you’ve gotta be kidding me. FlexiSpy was hacked?
ALEX: And what does that mean? What have they gotten?
PJ: (sighs) Ok. So they were hacked. He has access to the database of hacked stuff.
PJ: He searched and you are not in it.
ALEX: That’s a relief. Um.
PJ: Did that feel genuinely worrisome?
PJ: So actually, the hacker who hacked FlexiSpy is a hacker named Leopard Boy. And he did it, like as an act of protest. Like he was like, “What they’re doing is wrong and gross and I don’t like it.” Um. He’d actually—he read Joseph’s article and got mad that way. And then he sent the material to Joseph.
ALEX: Did the contents that were sent to Joseph also include the names of the customers?
PJ: Yeah. They got this huge list of FlexiSpy’s customers. So all these people who were spying on people, they now are kind of exposed.
ALEX: Ok. You said my name wasn’t in the list. Was your name in the list?
PJ: My name was not in the list.
PJ: But Joe wanted to talk to some of the people who were on the list, like he wanted to just know who they were, and so he started emailing them.
JOSEPH: And they were just totally normal people. Uh, like a teacher in Washington DC, um, a dog trainer in Georgia, someone who runs a sunglasses distributor in New York.
PJ: And they’re just—they’re not embarrassed about what they’ve done. Like there was this guy who had used it to spy on his wife.
JOSEPH: He said it was the best money he ever spent.
JOSEPH: Uh, yeah. Well, yeah, maybe spend your money on more things. But, um…and then there was another one that I think was the most shocking. It was a simp—a very simple short email that simply said: “It’s normal.” And I never heard from him again. That was it.
PJ: It’s normal…meaning it’s normal to spy on people?
JOSEPH: It’s normal to use this software, this malware. Yeah.
PJ: Joseph also heard from a second hacker. A person that hacked another company, that’s basically the same as FlexiSpy, and they got like actual material—like, all the things that like, if I spied on you and I collected like photos, video, audio—they had that stuff and they sent that stuff to Joseph.
ALEX: The fact that was not better secured.
PJ: I know.
ALEX: Not great.
PJ: Yeah. Uh, the hacker agreed with you.
JOSEPH: He was like, “I don’t think people should be able to, um, gain access to this material.” So after he broke into the company, he…wiped all of their servers.
PJ: He deleted it from the company itself?
PJ: That is like the end of Fight Club or something.
JOSEPH: Yeah. He kind of set it on fire. And the FlexiSpy hacker did largely the same thing.
PJ: Isn’t that awesome?
ALEX: It is awesome, I—I strongly suspect that they probably had backups.
PJ: Yes. I’m sure that they did.
ALEX: But…it was a nice move!
PJ: Yeah…(sigh). Anyway…I just feel like my whole takeaway from this is…I feel like we were using like a toy, and I’m like, “Oh this is not a toy. This is terrible.” And it’s not like it didn’t occur to me that this might not be the best thing, but like—
ALEX: It’s like you brought an AK-47 to hunt squirrels.
PJ: Yes! Yes. Yes. And like, I do…like I do genuinely feel… I have this feeling like I exposed you to more risk than I intended to, and it feels bad. And I’m s—like, genuinely sorry for that.
ALEX: Well, thank you. Um…(laughs) thank you. Uh, I thought the first half of this show was like so much about just my glaring personality flaws, and like, the incredible milquetoastiness of my life. Um, it turns out that it was about like, um, your incredible lack of thoughtfulness, and my blind willingness to trust you in any circumstance. You lead me down so many primrose paths. You don’t give a shit.
ALEX: I guess you give a shit, you apologized!
PJ: Yeah. I guess I give that much of a shit.
PJ: One last thing. If you’re worried that you may have been targeted with FlexiSpy, there’s a tool you can use, it’s called FlexiKiller. It’s made by a group called Security Without Borders. It can’t scan your phone, but it can scan your computer to see if the software’s on it. It can identify it, it can delete it.
Also, if you’re experiencing domestic violence, um, a good phone number is the National Domestic Violence Hotline. It’s 1-800-799-7233. They’re there 24 hours a day, seven days a week.
Reply All is hosted by PJ Vogt and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We’re mixed by Rick Kwan.
Our theme song is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings.
Matt Lieber is a balmy summer night, just hangin’ out on the back porch. Doin’ whatever.
We’re looking for a Fall Intern. If you’re interested in applying, you can do so on our website. The deadline for applications is 9 am on May 29th.
You can visit our website at replyall.limo and you can find more episodes of the show on Apple Podcasts, Spotify, or wherever you get your podcasts. Thanks for listening. We’ll see you in two weeks.
PJ: Hey guys! Before we go, we just wanted to ask you for one quick favor. So, there’s a short survey at replyall.club that we’re asking people to fill out. Basically, it helps us put advertisers on the show and continue to make the show. If you’re looking for like a short, easy way to help us out, this is actually like, hugely helpful. And, we’re going to give a free Gimlet membership to somebody who takes the survey. Could be you.
If you’re interested, go to replyall.club. Thanks!
[BREAKMASTER CYLINDER STINGER]
A group of elite scientists prepare for the last conversation humans might ever have. Plus, we meet a corporate attorney who mediates family Thanksgivings.
PJ VOGT: From Gimlet, It’s Reply All. I’m PJ Vogt.
Once a year, an elite group of British scientists meet to talk about this problem that they call the “silence in the sky.” The meetings are always closed to the public, but I talked to one of the scientists who attends, his name’s William Edmundson.
WILLIAM EDMUNDSON: It’s a—a closed group in the sense that it’s academics who are interested in searching for extraterrestrials. You must be aware that it’s a slightly, off-the-wall sort of topic. And, uh, as a consequence we…feel the need to be fairly careful, uh, about the audience so that we can have sensible and genuinely scientific discussions.
PJ: You want to keep it to academics because if you don’t, it’s going to be people who are going to be like “I know that there’s extraterrestrial life. It talks to me every day! Or whatever.”
WILLIAM: Yeah, right. “I had lunch with one yesterday.” Or whatever.
PJ: So, in September 2015, they go to have their annual meeting. This time it’s in Leeds, warm, cloudy day. But that year, something was different.
This Russian tycoon had come out of nowhere to announce a new initiative: $100 million dollars in funding to search for extraterrestrials. This was a huge deal because there is no money in SETI research, this is something that all these prestigious scientists just do on the side.
And more than that, this tycoon, he specifically was offering a lot of money to whatever group could come up with the best message to send to aliens. This would be a message that would be broadcast using an interstellar radio signal that could reach light years and light years away. Not some dinky little probe like Voyager. A message that could actually get picked up.
So they have their meeting, and somebody asks the obvious question: Do we, the UK SETI Research Network, want to participate? Do we think this is a good idea? Should we send a message to outer space?
PJ: And how heated was the discussion?
WILLIAM: I mean, c’mon. You know, we’re Brits.
WILLIAM: We’re scientists. It—It’s probably measured by the degree of interruptions like, “No! That’s wrong!” or …
WILLIAM: You don’t get people standing up and waving their arms around.
PJ: The arguments were polite, but the arguments were intense. Right from the start, there was a whole section of people convinced that reaching out to aliens was the worst possible idea. Astronomer Alan Penny was there, and he says that the “no” argument is pretty simple. Just imagine you’re in a jungle.
ALAN PENNY: You’re in a jungle, and you think there might be tigers around.
PJ: You wanna tip toe. Maybe you wanna stand real still.
ALAN: You don’t want to talk loudly. If you tell it, “We’re here,” and if it’s nasty, it might, it might say “Oo!”, and come and kill you.
PJ: It gets worse. According to Dr. Anders Sandberg, the group’s resident philosopher, if the alien does want to kill you, you’re cooked.
ANDERS SANDBERG: It’s very likely that if we encounter another some other civilization in the Milky Way, it’s probably a few million years older than us. So we wouldn’t stand a chance if they wanted to do something bad. Or, just if they wanted to say, “Oh, we need to tell you the good news about Lord Sorgon, and you need to read this pamphlet and believe what we believe.”
PJ: The oldest story in history will get repeated one last time. We’ll be the natives wiped out by foreign explorers. They might use lasers, the way we’re all picturing, or maybe they’ll do it by accident. They’ll plant their favorite alien flower and it’ll take over the whole ecosystem. The point is, it’ll be Christopher Columbus all over again, except this time, our last dying thought will be that we brought this on ourselves. We sent a message inviting them to come. That feels like a good enough reason to not send a message.
But Alan had an argument against this. He was like, “Guys! Come on. You are being so naive. If you really think that these aliens are so smart and so deadly, it doesn’t matter if you send a message or not, they will find us. If they want to kill us, we’ve already given them enough of an opportunity to. Here’s how it’ll work: we’ve got listening stations right now. They’ll send us a message. We’ll get it, it’ll look great. ‘Message from aliens. Cure for Cancer.’ We’ll open it up.”
ALAN: So everybody—uh, some people will get inoculated with this cure for cancer and this will spread and everybody will get the—get the cure, but it turns out that 10 years later, everybody drops dead. So the message might contain, uh, a virus, as it were. So listening…could be dangerous.
PJ: And this brings us to the argument for why we should send a message. Alan says, “Yes. If the aliens wanna kill us. They’re gonna kill us.” But, he says sending a message is worth it because the aliens could also save us. He actually, he kept saying this. He’d say some horrible thing that could happen, and then he’d say, “But they could also save us.” And I kept wondering like, save us from what? And finally, he told me what he was talking about.
ALAN: On a fundamental level, there…is a distinct chance the human race is not going to last that long. There are many ways in which we can destroy ourselves, and some famous scientists say there’s only a 50/50 chance we’re gonna survive the next hundred years.
PJ: If we don’t start a nuclear war, then there’s biological weapons. If we survive that, there’s global warming.
ALAN: So, there’s lots of dangers facing the human race, which could destroy us, and what’s the chance of us lasting the next thousand years? So if you could contact with an ET which has—which has survived all this, they could say, “Well, yeah, we faced all those problems, and here is how we survived.” So, you send a message out and you provoke a response, you might save the human race.
PJ: When all the scientists in the conference room had said their piece, the UK SETI Research Network decided it was time to just take a vote: right then, right there.
“All in favor of sending a message?” Hands went up. Turned out half the room agreed with Alan—“Yes, absolutely.”
All opposed? Half the hands went up. Half the room thought sending a message was completely reckless. They were exactly split. Anders, the philosopher, who everybody knew was kind of a fence-sitter, he voted twice, once in favor, once opposed.
And weirdly, the group that had started all this, the Russian billionaire’s group that had all the money for the message, they actually came to the same decision. They decided they’d collect a bunch of messages to think about what kind of messages to send to aliens, but they couldn’t agree that it was a good idea to send them either. And so they’re also holding.
And that’s where we’ve been for the last two years. With scientists just agonizing over a message that they can’t decide whether or not they ought to send. The thing is though, it turns out when scientists are too thoughtful or overthink-y to contact aliens, it leaves a vacuum. And other people fill that vacuum. I talked to one of them.
MATT BOWRON: My name’s Matt Bowron. Uh … and—sorry my dog’s just walked in. Uh, started whining at me. Ziggy, go! Shoo! Off! (laughs) I think she thinks there’s someone here!
MATT: Um…so…yeah. So, what was I saying?
PJ: So, a few years ago, Matt and his friend John were super broke, and they heard that Doritos was willing to pay 20,000 pounds to the person who could come up with a Doritos ad that the company could beam into space. So they made one, over a bottle of whiskey, in one night in Matt’s crummy apartment, starring Matt, and they won.
PJ: For somebody who hasn’t seen the ad. Like what is the story of the ad? Like, what happens in it?
MATT: Uh, I mean essentially a guy, uh, comes home with packet crisps, Doritos, uh and he, uh sort of opens them up, lays ’em down, and then I think he- he—he sort of wanders out the room for, for a couple of minutes. But once he’s out of the room, they essentially come out—come to life. Uh, I think they climb out of the packet?
[DORITOS AD AUDIO PLAYS]
MATT: I haven’t actually watched it today. But uh—
PJ: I can confirm that they do climb out of the packet.
MATT: Yeah. They—they climb out of the packet, do a sort of Aztec ritual dance around the uh, the salsa pot. Which then opens. And then one of the, uh, single Doritos ritualistically, uh, offers himself to the salsa. And then obviously, then I return and—and kind of [crunching sound] finish him off.
[MAN’S VOICE: Mmm. Doritos!]
PJ: It’s almost like you’re the… salsa god or something. Like you return and you reach into the ritually sacrificed salsa, and take out the chip and eat it.
MATT: I think—I think that’s kind of, yeah, how it ended up. Yeah (laughing).
PJ: The day after Matt won the contest, Doritos put him on a plane, flew him to a Norwegian island where the EISCAT European space station is housed. Just picture two giant radar domes, pointed at the sky. They put him in the control room, they made him wear a Doritos t-shirt, and they told him to hit a button. He does. And this ad, with Matt’s face in it, is shot out towards Ursa Major for the consumption of aliens.
MATT: Which is—which is terrifying, that that’s—that might be something that—that would be the first thing they would see (laughs).
PJ: What do you mean? Like that—
MATT: That there’s this poor—poor race of, uh, triangular things that are kind of, uh, are ruled by this godly human mess (laughs).
PJ: Well not only that, I mean my—the—I’ve probably thought about this too much. Um, it’s just been the week that I’ve been having. But like—
PJ: I mean, the story that you’d be telling them is, you know, “On the planet where this transmission is from, there is a being of creatures who are triangular, uh, you know, called Doritos, or perhaps like, Dorito. And uh, and there’s like another species that like, murderously consumes them?”
PJ: And that species is you, personally.
MATT: Yeah. Absolutely. (Laughing) yeah!
PJ: I could imagine someone seeing this and being like, “We have to mount a rescue mission—”
MATT: (laughing) Yeah! Yeah…
PJ: “—to Earth, to save these creatures!”
MATT: Yeah. Well, if that happens, you know, I’m happy to like just put myself out of there and they can—they can imprison me or…
MATT: I mean or-or-or the—or the alternative is that they—they might turn up and want to try these—these Doritos and then you could imagine the brand and the—the advertising agency then being like, “We nailed it,” like—
MATT: They—you know, the first offering, that kind of, that you know, that moment where the doors open and, you know, President Trump hands them a hot salsa and a packet of cool Doritos, um, would be quite an amazing sc- scenario to see. In a very depressing way.
PJ: So what this means is that if there’s intelligent life in the universe, intelligent life that is paying attention and trying to figure out who we are, what they now know about us is that we really like the taste of Cool Ranch Doritos.
And actually it gets worse than that. Here’s another message we’ve sent them. We sent them an audio recording of the sound of a ballerina’s vagina contracting, because a guy at MIT felt like there weren’t enough representations of human reproductive systems in space. Additionally, they got this message from a bunch of Russian teenagers.
[“ODE TO JOY” THEREMIN MUSIC]
PJ: Um. This was part of a project where teenagers picked their favorite theremin songs… I think because there’s an idea that theremins are sci-fi music and so aliens will probably like them? That feels like stereotyping. Perhaps the worst thing that we’ve sent them, in my opinion, is something that Anders told me about. It was an advertisement for a local theater event.
ANDERS: It was the first Klingon language opera.
PJ: The first Klingon language opera?
ANDERS: Yes. Um, after all, the Klingon language, made up for the Star Trek movies, well there is a community very active in making more of language, developing it, and doing art in it. So they developed an opera and somebody got the idea to send that towards Arcturus, uh, with a radio message, and the invitation for the opening.
PJ: This is the message we wanted the aliens to get. Something that I cannot imagine any being, no matter their culture, no matter their brain, not viewing as a declaration of war.
[KLINGON OPERA AUDIO]
PJ: And if they missed all these messages, we also broadcast the entirety of the movie The Day the Earth Stood Still. We sent them messages from a defunct social media site called Bebo. At one point, somebody for some reason sent them all the classified listings from Craigslist. I would not have chosen any of this. None of this represents me. All it does is make me feel very, very embarrassed to be a human.
[KLINGON OPERA AUDIO]
At a certain point, I feel like all I wanted was to find one message we’d sent that didn’t make me just want to crawl into a hole and die…and that’s how I met Martin.
MARTIN LEWIS: Uh, Martin Lewis, uh, producer, writer, and humorist.
PJ: Martin Lewis, like everybody else I talked to, for some reason, is British, although he actually lives in the United States, and the only thing you need to know about Martin Lewis is that he’s a really big Beatles fan.
MARTIN LEWIS: Uh, I was playing around one day and I remo—noticed that oh we were coming up to the 40th anniversary of the recording of the song, “Across the Universe.” And, the philosophy of the song always spoke to me.
PJ: What is the philosophy of the song? For people that don’t know it.
MARTIN: Th—there’s more words in that song—more verses and more words than in any other John Lennon song. It was a kaleidoscope of images and it was just the notion that the power of love, tha- the- the- the—not the romantic love, but just the feeling of love, that that was the most powerful, um, message you could have.
PJ: So it’s a Beatles song. In my opinion, not the best Beatles song. Nobody asked me. Anyway, Martin got in touch with NASA.
MARTIN: And the guy at NASA I was speaking to, I told him the idea. I said, “I want to take the Beatles’ song “Across the Universe”… across the universe.” He said, “Yes, it could be done. We’ve never done it. But yes, it could be done.”
PJ: So then Martin tried to get permission to use the song.
MARTIN: Yoko, she loved the idea. And she wrote a beautiful tribute that said something—it—this is a—a short version, that said: “This is great that John and the Beatles’ music will now go out to reach billions and billions of planets across the universe.” Meanwhile, I then got a message from Paul. Just said: “Great idea. Give my love to the aliens.”
MARTIN: And I comba—contacted the music publishing company, who should be nameless because I don’t want to embarrass Sony. But, um, the guy I spoke to there was completely soulless, joyless, humorless. And said, “Well, if you’re sending a radio signal of one of our compositions, then you have to—a royalty has to be paid.” I said, “We’re beaming it into space, man!”
MARTIN: “We agree you can collect the royalty, but you have to collect it yourself!”
PJ: Eventually, Martin was able to get everybody on board. And when the big day came, he got to be there. He was at Mission Control at the Jet Propulsion Laboratories in Pasadena, California, in the launch room.
MARTIN: It was like mission control in Apollo 13. There was this beautiful room and it was set up with all the scientists and there was a big logo, the NASA logo, the Beatles logo, and the words “Across the Universe.”
PJ: And when they—so they do the countdown and then they hit play…ih- I mean—would then in that room, in the control room with all these NASA people, did you hear the song? Or is it like it’s being sent over waves or something like that, so no?
MARTIN: Uh- uh- we—both. We had uh- the- the- they—they at that point they did it, press the button. A, yes the, um, mp3 file was being trans—started transmission.
MARTIN: And then simultaneously, of course, they did play the song in that room. And again, I—I really had a—it was emotional.
PJ: Look. As a person who is very glad that Martin sent this message, I still cannot guarantee it was a good idea. I do not know what a Beatles song is gonna mean to an alien. But maybe the point of these messages is not actually what aliens think of them. These are messages that we’re sending to someone who might not exist, who we really do not expect to get a response from. Which means that maybe we should just think of them more like we think of prayers. Because if you think of them as prayers, messages that are offering hope and comfort to the people who send them, then at least a lot of them make more sense. You step out into the silence and you say something and you don’t get an answer. But that’s okay, because just saying it, it does something to you. Like afterwards, the exact same silence is still there, but now that silence feels different. You feel less alone.
And if we use that standard, I really like Martin’s message. It’s just sending a message of like, love and British rock into the universe. And I think that’s how Martin sees it too, because when he heard that there were scientists who thought sending a Beatles song out had been a bad idea, he wasn’t offended, it just didn’t even make sense to him.
MARTIN: And at first I thought it was a hoax. And, once I realized there were people, um, as crazy to be serious about it, I did remember that, hey, that’s what we were fighting against in the 1960’s. The kind of small-minded, blue meanie spirit. A few days later, uh, I ran into Yoko Ono. And she said, “Did you read about those—” I said, “Yeah! I was just gonna ask you!”
MARTIN: She said, “Is that crazy or what?”
MARTIN: If there are aliens, they’re going to have a spark of, um, a spark of spirit, and—and I think—and when you listen to great music, I think you’re gonna be full of admiration that, um, some creatures from another planet sent a message out there that if they could decipher it or just listen to the harmonic vibration of it, is positive. It’s not aggressive, it doesn’t—it’s not threatening them, uh, with anything, it’s—it’s surrounding them with love. And that’s not a bad little sentiment to send across the universe.
PJ: Coming up after the break, Reply All finally calls in an outside mediator.
PJ: Hey! Just before we start the second half of the show, there is a brief description of sexual assault in this segment. If that’s not the kind of thing you want to hear, you should skip it.
ALEX GOLDMAN: Okay. Uh. PJ?
ALEX: So, uh, it’s this Sunday is, uh, Email Debt Forgiveness Day.
PJ: Which everybody knows is the holiday where if you have put off an email to someone, doesn’t matter how much time it’s been, you’re allowed to just email them as if no time has passed and they have to forgive you. We asked people if you have an email that you’re struggling with, we’d like to hear about it. Send us email.
ALEX: And producer Damiano Marchetti, who is in the studio with us right now. Hello.
DAMIANO MARCHETTI: Yes, I am. Hi.
ALEX: Um. He went through all of the emails that we received. Um…and…Damiano, uh, what did you find?
DAMIANO: I wan—I want to tell you about one email in particular, an email from a woman named Kelly. So, you actually might know the first part of this story. Kelly was in the news recently for this really disturbing thing that happened to her. Um. She’s a runner, she’s been training for a marathon.
KELLY HERRON: And on that particular day, which was March 5th, I had a ten mile run. It was a Sunday afternoon and I ran down to Golden Gardens, which is a popular park and beach in Seattle.
DAMIANO: She stops to use a public bathroom. She’s washing her hands.
KELLY: And…I was—kind of got like that feeling of like something’s wrong.
KELLY: Um… turned around and there was a homeless man behind me. And I was completely cornered. And he kinda came at me like, kind of like a bear. Uh, he threw me down to the floor, um, turned me onto my—got me on my stomach had my left arm pinned, um, was pulling at my pants. And I just had taken self-defense where they teach us, like if you can be more trouble to your attacker than he perceives you to be worth, then that can help you escape, so—
KELLY: I was trying to show him like, I’m not afraid of you. Like, you should be afraid of me. And I was just screaming, “Not today motherfucker, I will fucking kill you!” Like I was so mad.
DAMIANO: She tears herself away and runs out of the bathroom. And there are some people outside they rush over to help her. One of them’s got a carabiner which they use to lock the attacker in the bathroom. The attacker goes to jail and Kelly, she’s rushed to the hospital. A couple of days later she posts to Instagram about what had happened to her, and the news picks it up and it—and it goes viral. Like it’s—it’s everywhere.
NEWS CLIP: A woman says she was able to fight off a man who was trying to rape her …
NEWS CLIP: A shocking Instagram post sending chills and inspiration to women everywhere.
DAMIANO: And then Kelly starts getting hundreds of messages. Most of them are people saying, “You’re a hero. What you did was amazing.” Then there’s like a—a subsection, she says like, maybe ten percent of the emails are people who are like, “You should’ve been carrying a gun or another weapon.”
PJ: That’s so crazy…
DAMIANO: Or, there are some people like trying to promote their products through her. So there was like—they’re like, “We’re sending you a free body scrub! Tag us on Instagram!”
PJ: Oh my god.
ALEX: Yeah, that’s really fuckin’ obnoxious.
DAMIANO: And…then the last group of people are people who have experienced like sexual assault or sexual abuse and are emailing her to like share their story or like say that she was an inspiration to them in some way. Um.
ALEX: That’s a lot to take on.
KELLY: So when people started writing to me, I was replying to all of them.
KELLY: And then it just became impossible to manage and it was becoming really overwhelming and stressful. Um. And I was, uh, like the trauma of what I went through. I couldn’t function normally.
KELLY: Your—your body it doesn’t let go. It doesn’t move on. Physiologically or mentally.
DAMIANO: And she feels like she just can’t respond to these emails anymore, but they haunt her.
KELLY: Um, and I—I hope it doesn’t sound like I’m not grateful, because I’m incredibly grateful and I love that people like, you know, want to…connect with me. Now that I’m-I’m—that I’ve realized how much better I feel by walking away…
KELLY: I feel really guilty!
DAMIANO: And there’s this other problem which is like, there’s not really escaping these messages. Like they’re—they’re just clogging every avenue of her life. Like, she wants to go to Instagram and see her friend’s new kid, and you know, she’s—there’s like 400 unread messages—
PJ: Oh god.
DAMIANO: —in her Instagram inbox.
PJ: It’s like having like—like when something happens and like all news media like, descends on somebody’s lawn. Like, it’s like that—
PJ: —but just with the way she would like, virtually experience her community.
DAMIANO: Right. And, at one point in our conversation, she just makes this like, offhand joke.
KELLY: Do you want to read all my emails and respond for me? (laughs)
DAMIANO: Would that be like a good … like, would—do you wish someone would come and respond to them? Like is that an actual thing that you would like to do?
KELLY: Yeah. Yeah. Yeah. I would love that. Yes. Absolutely. Aaaabsolutely. That would just take a huge…I would feel a huge sense of relief.
DAMIANO: So I got off the phone with her and I kept thinking about what she had said. And I was going through the email inbox and there was this—there was another email from this guy named Gregory.
DAMIANO: Um. Gregory’s like a—he wrote that he’s like a corporate lawyer in his day job. But his hobby is- as- is—is being a mediator.
PJ: What does that mean? Like, if you are a person who walks around the world looking for a chance to mediate like—
PJ: Is he mediating at the grocery store is he mediating…
DAMIANO: Like—he like—like, he meets—he mediates like very classic conflicts. So like, his mother-in-law and sister-in-law were fighting every year during Thanksgiving about making the meal.
DAMIANO: And so he’s like, “I’m gonna sit you down and make sure you’re communicating with each other and like create like, very clear boundaries about whose job is what on the day and where people can be and all that shit.”
ALEX: He’s like a mediation SWAT team. I imagine him rappelling off the roof and swinging in through the window—
ALEX: —and being like, “I’m going to solve a problem!”
PJ: And do these things work or do—
DAMIANO: Like in that Thanksgiving situation, it’s been years but like, they go back to that plan they created with him.
PJ: Ok. So, he was writing not just to brag about his mediation.
DAMIANO: He was writing to genuinely offer up his services to Reply—
PJ: As a hobbyist mediator.
DAMIANO: Yes. To Reply All listeners for Email Debt Forgiveness Day. If anyone needed help responding to their difficult emails, he could do it for them.
ALEX: What a sweetheart.
DAMIANO: And I was like, “Hm! Maybe this guy really could help Kelly.” So I gave her a call and she was like, “Yeah, I’m totally down to try.”
PJ: (sighs) I don’t want to be the person that like ruins this. It does feel weird though. Like, it feels like—it feels weird that…there’s something weird about Gregory answering these emails from these people.
PJ: That were not sent to him.
DAMIANO: Totally. I—it was something I was pretty anxious about, I felt better by the end. Uh, and I think you will too. Just like, hold on one second, like hold that thought.
DAMIANO: Let me just tell you what happened next. Which is, Gregory and Kelly and I all got on the phone and Gregory laid out his plan.
GREGORY SCHULZ: What, what I … what I hope to help you do if you so choose, is to take the emotional load of these emails … and I—let me be very clear, let- let- let me—out of tenuity, let me limit it. You’ve gone through a very difficult thing, which I do not begin to understand. But one thing I think I can do, is take the emotional load and difficulty of these emails, and take it off of you and put it on me.
GREGORY: These things won’t be your problem anymore. They will be my problem.
GREGORY: So let me tell you what I’m thinking about sending, and you can—you can tell me if you like it. What—what I’ll say is, “Hi …” you know, so and so, “Thank you so much for reaching out. Uh, I’m—I’m a friend of Kelly’s,” or you can call me whatever you want, a stranger from the internet that Kelly knows.
GREGORY: “And the…and, this experience has been really tough for Kelly and so she’s not going to be able to get to all of the messages right now. But, she’s extremely grateful that so many people have reached out to her with compassion and caring, and she wants to send her appreciation to you.” And then, if that person had said something that indicates that they’re a survivor, I’ll add: “Um. Kelly’s also having me keep track of people who are survivors of, um, you know, abuse or assault like you, and…you know, your—your messages are especially meaningful to her. And she may well, you know, as time continues and as her recovery progresses, she may well reach out to you individually eh—in the future. Thanks so much for your message.”
KELLY: Nailed it.
KELLY: Yes. Yes.
DAMIANO: So, I spent the next 24 hours just like working out a system to deal with like the privacy issues, so that neither Gregory or I would be able to read any of the emails from the assault survivors, but Gregory would still be able to respond to them. And then, Friday night we got on the phone one last time.
DAMIANO: Um…okay, we’re all here, I think. Hello hello!
KELLY: Hi hi.
DAMIANO: Hey guys.
DAMIANO: But, before we could get started, Kelly was like, “Guys, I need to talk to you about something.”
KELLY: I’ve kind of had a few things happen in the last 24 hours that have given me a lot of perspective on this (sighs). Well. You know, how you kind of…clean up your house like before you have the maid come over, if you, if—(laughing) I mean I don’t exactly know what that’s like, but (laughs), um, so I was archiving things and, um, deleting things and…I was struck by a couple of the messages that I came across, and um, one was from a girl who is also a survivor of sexual assault. And she said, “You’re part of this—you’re part of this club now. You know, it’s not one that any of us wanted to be in but…now you’re a part of it, and, you know, we’re all here for each other.” And…I thought…is it my place to allow someone into the clubhouse and look around?
KELLY: And so I had kind of a ethical dilemma with that. And then, I got a message from a person who is in a very similar situation to mine. Um, an article came out and he accomplished something under extraordinary circumstances, and um, he said, “I know the messages that you can—that you get can be really overwhelming, but um, it’s because people are really drawn to stories like this. And, you know, it’s okay to—to be selfish and…your recovery comes first. So draw—you know, you’re not—you don’t really owe anything to anyone, like just draw boundaries.” And um—
KELLY: And then I…so of course I looked up his story, and I read it and I was like, so inspired by it and I thought it was so incredible. And I got the urge to tell him how amazing it—like, what depth of character he had, to—to do what he did. And then I thought, If I wrote to him, and I got a response from someone else. Like, I thought about how that would make me feel. And um, I think I would rather just…I don’t think this is hanging over anyone, I don’t think there’s people out there who’re—anymore who are thinking, “Oh god, that bitch didn’t even write me back!” (laughs)
DAMIANO: (laughs) Right. And that was just you. It was you that was thinking that.
KELLY: Yeah. Yeah!
KELLY: I realized that the only person who can…forgive my email debt is me. And I—I shouldn’t blanket that with a, um…you know, with something to just give, give those messages closure, because they don’t really need closure. The closure was when the person wrote it to me. Not in my responding to it. I’ve already done—
KELLY: —the thing I was supposed to do.
GREGORY: Well, Kelly, it sounds like you’ve reached a wonderful realization here.
KELLY: (laughs) You’re a really good mediator! (laughs)
DAMIANO: Well…this is not what I expected.
KELLY: I hope I haven’t disappointed anyone.
DAMIANO: No! No! Are you kidding me?! No, not at all. I’ve been like—I’ve been feeling kind of anxious about this because I know that like, I—I was like, “I’m really glad we’re doing this.” But I know that even when we clear all these emails out, like people are going to respond to the emails. And I had this like sense of anxiety that like, ugh! Like this is like—it doesn’t matter how high we build this dam, like we can’t protect you from the world caring about you. Uh…(laughs)
KELLY: (laughs) Right! There are—there are worse problems! (laughs)
ALEX: Thanks to Kelly and Gregory and everyone who wrote in with their Email Debt Forgiveness Day Stories. If you wanna share Email Debt Forgiveness Day with your friends and family, you can go to the website emaildebt.club.
Reply All is hosted by PJ Vogt, and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We were mixed by Rick Kwan.
Special thanks to Cory Godbey, Natalie Sexton, and Emily Kennedy.
Our theme song is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings.
Matt Lieber is the satisfaction of pressing send on an email that you’ve agonized over for a year.
You can visit our website at replyall.limo. You can find more episodes of the show on Apple Podcasts, Spotify, or wherever you listen to podcasts. Thanks for listening. We’ll see you next week.
[BREAKMASTER CYLINDER STINGER]
This week, we debut a new segment designed to help you calibrate your anger in a changing world. Plus, how to cloak yourself from all the people who are now allowed to see your internet browsing history.
ALEX GOLDMAN: From Gimlet, this is Reply All. I’m Alex Goldman.
PJ VOGT: And I’m PJ Vogt. And this week we are debuting a new segment? Is that true?
ALEX: It is true.
PJ: Okay, so here’s the deal. Right now, we are living in a time where the amount of things that I am supposed to be mad about on a given day has greatly outpaced my ability to be mad or even pay attention to all of them.
PJ: And so, we’re introducing a new segment called, “Why Is Everybody So Mad and Do I Have to Be Mad Also?”
PJ: Which is where (laughing) you go find out about something, and then we rate it from one to ten, and we decide if people have to care about it. Obviously, I asked Matt Farley to do a theme song for it.
MATT FARLEY: (singing)
There’s an information overload
Everybody’s ready to explode
Fake news, strong views, so many sides which one to choose?
I don’t want to lose, I’m so confused. Oh, oh, oh!
Why is everyone so mad and do I have to be mad also?
ALEX: (sighs) I—have you noticed that all of these segments we have, it’s like, Alex has to go do the work, and then you have to sit in the studio and hear him talk about it?
PJ: Ah…no, I haven’t really noticed that.
PJ: Anyway, the thing that last week I asked you to go check out, is this ISP thing. Everybody on the internet. And like, actually everybody. It was like, the progressives, who are terrified about Russia, but also like people on Breitbart. Like, the political spectrum in America was super mad saying, “Oh. Trump and the Republicans just passed this new law and now, like, your ISP—like Comcast, Verizon, whoever—they can now just spy on your browsing history.”
And so last week, I just asked you: “Do I have to care about this? Does anybody have to care about this? If so, how much? If not, great.” What have you learned?
ALEX: That’s a tall order, man!
PJ: I love to not care.
ALEX: Alright, so let me just clarify what actually happened: In October of last year, the FCC, under Obama passed a bunch of privacy rules that would have made it so internet providers like AT&T and Verizon can’t sell your personal information to advertisers—unless you give them permission. And those rules were set to go into effect at the end of this year.
ALEX: But, then a couple weeks ago, Congress was like, “Eh, we don’t need these privacy rules. We’re gonna kill ’em.”
PJ: And that is what people are upset about.
ALEX: Yes. So the people who are freaked out are freaked out because, right now, your internet provider can basically see every site you visit.
PJ: Even if you clear your browsing history.
ALEX: Even if you clear your browser history, they have this list. And, they’re allowed to hang onto it if they want to. They’re allowed to sell it if they want to.
ALEX: So, the first thing I wanted to know was like, why did Congress kill these privacy rules in the first place?
ALEX: So, I went straight to the—where the source—
ALEX: I went to (laughs)—
PJ: You went to Congress?
ALEX: I, uh, watched the Senate debate about this bill. And—and before it even starts, this guy has to get up on the Senate floor and say just the title of the resolution.
Senate Announcer: Resolution providing for consideration of the joint resolution, Senate joint resolution 34. Providing for congressional disapproval under chapter 8 of title 5 United States code of the rules submitted by the Federal Communications Commission, relating to “Protecting the Privacy of Customers of Broadband and other Telecommunications Services.”
ALEX: So, everyone starts shuffling around to get in their places on the Senate floor, and while I’m waiting for it to start, CSPAN plays this delightful classical music.
PJ: How long is a hearing like this?
PJ: You watched all of it?
ALEX: I watched about an hour and a half.
PJ: Good enough for me.
ALEX: So Jeff Flake, he’s a Senator from Arizona, he sponsored this bill. He gets up on the floor—
JEFF FLAKE: Mr. President, I rise in support of my resolution of disapproval under the congressional review act…
ALEX: And he lays out this defense of getting rid of these rules.
JEFF: Now Congress needs to repeal these privacy restrictions in order to restore balance to the internet ecosystem and provide certainty to consumers.
PJ: What does that mean?
ALEX: Basically what he’s saying is that companies like Facebook and Google can already sell your personal information, and it’s just unfair that internet providers, like Verizon and AT&T, can’t do it also.
PJ: Everybody should be able to get your data and sell it.
ALEX: But the difference is, I’m under no obligation to use Facebook and Google if I don’t want to.
PJ: Right. Also, like, as much information as Google has, something that is a little bit reassuring, is they don’t have everything. Like, the ISP has everything.
ALEX: Right. So I wanted to talk to Senator Flake. Both he and his 23 co-sponsors, uh, all of them declined, or did not get back to me.
ALEX: I also emailed…every internet service provider I could think of. The only people I got on the phone with were Comcast, and the woman who answered the phone was like, “I’m very overwhelmed by the request for comment on this particular bill. Um, what you can do is read our blog post!” That’s basically every company’s official stance.
PJ: Okay, but then what do the blogs say? Is it just like, “We’re not gonna sell your stuff even though we’re allowed to”?
ALEX: Well, what they actually say is that they don’t collect your sensitive data, like health care information, information about your kids, and they don’t sell that. So after trying to reach, like three dozen people, there was only one person who agreed to talk to me.
HOWARD WALTZMAN: Howard Waltzman. I’m the General Counsel for the 21st Century Privacy Coalition.
ALEX: And can you tell me what the 21st Century Privacy Coalition does?
HOWARD: Uh, we’re a—group that advocates on behalf of internet service providers in the privacy and data security area.
ALEX: So basically, it’s an interest group that’s funded by internet service providers. And what Howard said to me was like, “Look. All the Republicans did was undo rules that hadn’t even taken effect yet.”
HOWARD: Preventing these rules from going into effect don’t give the ISPs, like, new rights to do different things with your data than they already have.
ALEX: According to Howard, there’s enough regulation already, this is totally unnecessary.
HOWARD: In general, when you look at, um, the internet, and you look at how the internet has flourished over the last 20+ years, I don’t think the internet would have flourished in the way that it has if consumers didn’t trust how their information was being handled online.
ALEX: But I mean, okay—
ALEX: I—I am a consumer, and I don’t trust the way that my information’s being handled online. I’m a—I’m very paranoid about it. Um. In as far as, I know that-
HOWARD: Do you use the internet?
ALEX: Very aggressively (chuckling).
HOWARD: Well. Then you, I mean, you may be concerned about it, you may tek—take steps to protect your information, but, you’re not so concerned about it that you’re not using the internet.
ALEX: Well, oh—ok. First of all, I do a podcast about the internet, so that I have no choice. Have to use it in order to do the podcast.
ALEX: But second of all, it’s like, the internet is very necessary in order to function in the modern world. But that doesn’t mean that I’m not somewhat uncomfortable. I understand that some advertising needs to exist in order for the internet to work, but, that does not mean that I’m not concerned about it.
ALEX: (chuckles) I mean eh-ah—I already get served quite a bit of ads in my internet browsing, and in my day-to-day, like, does this mean that ISPs will feel emboldened to serve me more ads based on my browsing habits?
HOWARD: ISPs’ll have the same requirements they’ve had for the past 25 months. So, no, I don’t believe they’ll feel more emboldened to do anything.
[MUSIC – “Uncontrollable Tattoo Applicator”]
ALEX: So, Howard’s point is that: These companies are responsible, they do right by their customers, and we should just trust them. But, the people who are mad about these rules being killed, are like, “Actually, (laughs) we should not trust them because they have exhibited some extremely sketchy behavior in the past.”
Like, um, installing spyware on your phone that collects all of your browsing history and your keystrokes. Or Jeremy Gillula, who is a—who works for the Electronic Frontier Foundation, told me, um, they will—just put new ads smack dab in the middle of websites.
PJ: They will add extra ads into the thing?
ALEX: (laughs) Yes. They would add ads so you had ads in your ads.
JEREMY GILLULA: You know, there was an example where somebody went to the FCC website. We’re talking, you know, a government agency, and there was an ad for boots. Just, right smack in the middle of the page. Uh, you can bet the FCC did not partner with anyone to sell boots, uh, from their webpage.
PJ: Which companies did that? Like big ones, or was it like—
ALEX: I’m pretty sure it was a—
ALEX: I’m pretty sure it was a big one. Gimme just a second. Okay, so, AT&T and Charter have both done it.
ALEX: Yeah. When Charter was doing it, they sold it as, quote unquote: Enhanced Internet Service.
PJ: Oh! Go to hell!
PJ: Ohhh, I’m not gonna say George Orwell, but come on.
ALEX: So, as you might imagine, the EFF is not super happy that these rules have been repealed by Congress.
PJ: And do they—I mean—not that you would have asked them this question, necessarily, but like, on the scale from, like…
ALEX: Oh (laughs) I did ask them this question!
PJ: Oh really?
ALEX: I asked—I asked Jeremy, I said, “Ok, on a scale of one to ten…”
PJ: I was gonna say, “Global warming to dropping your least favorite Starburst.”
ALEX: Here’s what I said. I said, “On a scale of one to ten, one being-”
PJ: Orange, by the way.
ALEX: —one being your favorite blogger resigning…
PJ: Uh-huh. Resigning … is very … (chuckling)
ALEX: …from his blog.
ALEX: Ten being the internet is shut down forever…
PJ: Where does it fall?
ALEX: Where does this fall?
JEREMY: I…I would probably call it, uh—being honest the internet isn’t broken, but I would call it, probably, like a seven.
ALEX: A seven?
ALEX: I mean that’s—
JEREMY: A seven or an eight.
ALEX: —that’s pretty bad. Eh-eh-eh
JEREMY: I… think it’s pretty bad, yeah.
PJ: Ok. I feel like I’m starting to see the worst case scenario here.
ALEX: I think that it genuinely sucks that I get my internet and my cable from the same place, and they collect information about what I watch from my cable box, and what I’m searching for on my internet. I don’t like that. It’s icky.
PJ: Like, for you as a—a single human living in the world, the worst that comes of this is like, you’re getting served ads for something private and weird, you know, and like, your wife walks into the room and she’s like, “Oh, why are you getting so many ads for like, uh…divorce pills?” or whatever.
PJ: And you’re like, “Aaaahh!”
PJ: And I feel like the other thing, actually, is just what if they collect all this data on you intending to sell it and then somebody hacks them. And then like, hackers have your browsing history.
ALEX: That seems pretty unlikely, knock on wood.
ALEX: I just think that, ok, well—
PJ: I mean, it’s just like every company has data breaches every month, do you know what I mean? That doesn’t feel that unlikely to me.
ALEX: Ok, fair enough.
PJ: And, they can anonymize stuff, but like … you anonymize stuff but, like, things that were made anonymous often become un-anonymous just through, like, context.
ALEX: Yeah, uh—
PJ: Like, this person—Google searches “Alex Goldman” a lot, and lives in New Jersey, like, you know what I mean?
ALEX: I don’t Google search myself a lot.
PJ: Yes, you do.
ALEX: (laughs) No I don’t!
PJ: Yes, you do.
ALEX: I don’t.
PJ: Give me your computer. I wan- I’munna type in “A” in Google and see what the first thing that comes up is. No, I want to see.
ALEX: Go ahead.
PJ: “A” – Arab News, okay. “L” – Alphabay Market? “E” – Alex Jones contact info? (laughing) You really don’t! “Alex G?” Whoa, man, you really don’t. Alex Goldman only comes up if I search “Alex G” and then it’s you looking up your Wikipedia page (laughing)… which I’ll give you a pass on. Ok. So that’s the future you’re looking at is me doing that.
ALEX: (laughs) Um.
PJ: So. Having learned all these things, where are we on the scale? One to ten… do I have to care about this?
ALEX: I kind of feel like this is around a four. I do think that is going to lead to companies doing creepy new targeted advertising.
ALEX: But if that’s like the worst thing they’re gonna do, I feel like it’s annoying; it’s not life-changing.
PJ: Ok. Ok! I’m not gonna care about this. I’m gonna keep my head in the sand.
ALEX: Because I thought that I might be incredibly blasé about this, I convened what I like to call “The Panel of Four.”
ALEX: It is four experts—
ALEX: That, um, might have differing opinions.
ALEX: And I didn’t tell any of them what I was calling them about. So first up we have Paul Ford, who is the co-founder of the digital product studio Postlight and an old-school super-nerd.
ALEX: Hey Paul, this is Alex Goldman. How are ya?
PAUL FORD: Oh hey! I’m just about to get on a bus.
ALEX: Oh, ok.
ALEX: Uh, on a scale of one to ten, how bad do you think that the FCC’s privacy a- repeal was?
PAUL: Oh boy, I was—(sighs) probably a seven.
ALEX: Adrian Chen, writer for The New Yorker.
ADRIAN CHEN: Mm… well, I have not been following it very closely, but I would say… five.
ALEX: Kashmir Hill, journalist at the Gizmodo Media Group.
KASHMIR HILL: I knew you were gonna ask this.
KASHMIR: Um … I’m gonna give it a … six.
ALEX: And, Jane McGehee, retired graphic designer.
ALEX: On a scale of one to ten…
JANE MCGEHEE: Yes.
ALEX: How worried are you about the Trump administration’s repeal of the FCC privacy regulations that took place last week?
ALEX: Mom…you’re really ten—
ALEX: —you’re really ten worried? Ten worried means like, in my mind if you’re—if you’re ten worried, you’re like staying up all night.
JANE: Ok, I’m not staying up all night.
ALEX: Alright. Are you having panic attacks?
JANE: I am, but for different reasons. Eight worried?
ALEX: Are you losing your appetite?
JANE: (laughs) That’ll never happen.
ALEX: Okay, so you’re eight worried.
JANE: Why can’t I be ten worried?!
ALEX: (laughs) Uh, I think it’s a bit of an overreaction.
JANE: I always overreact! That’s my MO.
PJ: I’m totally cool with your mom being on the panel of experts, I’m not totally cool with you convening a panel of experts and then berating one of them for their answer.
ALEX: Look, we have a special relationship. I’m allowed to say that.
ALEX: But let’s say, for sake of argument, you are a Jane McGehee. You are very worried about this, it bums you out, you—all you want to do is just figure out a way that the ISPs can’t actually track you.
PJ: Okay, so what do you do?
ALEX: So there’s a couple things. The first is, any website that says, “https” on it.
ALEX: So there’s two kinds of websites—
ALEX: Secure, which is the “s.”
PJ: And huh-tuh-puh.
ALEX: And—oh boy…
ALEX: Oh boy…
ALEX: I mean, we’re ostensibly a tech show, man.
ALEX: Um, the “s” websites, your ISP will be able to see you go there—
PJ: But not what happens.
ALEX: —but it won’t be able to see you do anything there. Anyway, the other, much more secure way to protect yourself is a VPN. And if you don’t know what a VPN is…
PJ: Virtual private network…
ALEX: Very good.
PJ: I used to use them sometimes in Canada, because when I lived in Canada, I couldn’t watch American Netflix, and the VPN made it so Netflix couldn’t tell where I was connecting from.
ALEX: Yeah, a VPN is basically a connection to a computer that’s located somewhere else. So when you’re browsing the internet, it looks like your traffic is coming from that computer instead of yours.
ALEX: So, those are the two obvious ways to hide yourself online. But I discovered another one, which is actually kind of absurd and pretty great. Um. It’s designed by this philosopher named Helen Nissenbaum.
PJ: She’s a philosopher?
ALEX: Yes. And Helen said that thing happened to her, she said, “You know, in 2005, I was working on this—this ethics study with these guys, and I w—I found out that Google was storing all of my searches, and I was like, ‘Oh, d- w—like, why would they do that?’”
HELEN NISSENBAUM: And I said, “Oh, this is really disturbing I’m- I’m not so happy that Google or the other search companies, are keeping a full record of all my searches because some of them I find to be quite intimate,” and, my colleagues, who were computer scientists, they said, “It’s on their servers, so of course they’re maintaining your search queries.” I said, “Is there anything I can do about it? Can I say, ‘No, I don’t want you to’?” And they said, “Well, of course not, because they just collect the searches, so, it’s theirs to keep.”
PJ: It’s so great, cause it’s just like, it’s almost like, the same way, like a joke is like, “A carpenter and a doctor walk into a bar.” It’s like, these computer scientists were like, “Technically we are able to do this and so of course we’re going to.” But she’s a philosopher, she’s like, “But why?”
ALEX: Yeah. So she thought about this for a while, she got really mad about it, and then she came up with this, like, great big idea to save privacy. So, do you know what (clears throat), do you know what radar chaff is?
PJ: Yes. It is stuff that planes shoot out so they don’t get picked up on radar.
ALEX: Right. It’s like sh—it’s like little pieces of shrapnel that have like aluminum on them, so they make a radar go crazy.
PJ: Right. It’s like, “there’s planes everywhere!”
ALEX: Right. And the program that Helen made is basically like radar chaff for the internet. It’s this program called TrackMeNot.
HELEN: What TrackMeNot does is it automatically sends search queries to whichever site you have it installed in, in the background.
ALEX: So, I actually installed TrackMeNot on my computer, and it works for any website. So, say you’re on Amazon and you’re looking for cat food and, whatever, cat toys (laughs).
ALEX: Um, it will also in the background, be doing random searches on that site. I don’t even notice them. This—
PJ: Lemme see.
ALEX: This is a—this is a log of all the s—on the right hand side, a log of all the searches it’s doing in the background right now—
PJ: On your computer.
PJ: So it’s like… “new hundred dollar. In box. David Mclaughlin. CNN had Donald Trump solved?” That’s great.
PJ: They actually, it looks realer than I thought.
ALEX: Yeah, well, they’ve designed to make it look like a person doing real searches so it confuses Google.
PJ: So it works?
ALEX: (inhales) … Great question.
PJ: (laughing) Do you know the answer?
ALEX: No one knows the answer. Google’s not gonna tell you if your Google-tricking bot works.
PJ: Beating it. Right.
ALEX: They—she’s also worked on another plug-in that’s called AdNauseam.
ALEX: And it’s a plug-in that when you go to a website automatically clicks on every ad on the page.
PJ: (whispers) Oh, that’s amazing.
PJ: So it’s like, this guy loves cars and jacuzzis, and blah blah blah. You just seem like eh—a hyper-consumer.
ALEX: Totally. And Helen sees this as like a part of a larger movement that she calls the “obfuscation movement.” So, AdNauseam obfuscates you from advertisers, TrackMeNot obfuscates you from places where you type in searches. And this guy, Dan Schultz, after all this stuff happened in the past couple weeks, made this program called Internet Noise, which obfuscates you from ISPs by randomly visiting websites.
PJ: I love that because, I go back and forth between being cynical and not. But like…(sighs) I just like the idea that instead of being mad, I like the idea that you’re just like “No, this is gonna be like hand-to-hand combat.” You know what I mean?
ALEX: (laughs) Right.
PJ: Ok. That is it for our first edition of “Why is Everyone So Mad, and Should I Be Mad Also?” Here is where we’re leaving this.
Four out of ten, according to you, Alex Goldman, if people feel upset with that they should direct it to you, Alex Goldman.
ALEX: PJ agreed, though, so I think that he—
PJ: I don’t recall that.
PJ: And, uh…and, if you’re interested in like, slightly anonymizing yourself, get a good VPN. Or if you wanna do it in a more artistic, weird way, uh, try obfuscation—you can use Internet Noise, AdNauseam, and TrackMeNot.
ALEX: And we’ll put links in the website.
PJ: We’ll put links in the website, where you’ll be tracked. Okay.
After the break, a man tries to teach a salmon to find gold and two humans reach total transcendence. Stick around.
PJ: Welcome back to the show. It’s April, which means everybody here at Reply All is making preparations for, what for us is the biggest holiday of the year, Email Debt Forgiveness Day. As we all know, Email Debt Forgiveness Day is April 30th, it’s the one day of the year where, if there’s someone who you were supposed to email and you didn’t, because you felt anxious, and you let it go on too long, and then before you knew it, too much time had passed to really say anything, Email Debt Forgiveness Day is a day where you’re allowed to just email that person as if no time has passed at all.
It is an opportunity to free ourselves from doubt, and regret, and as we talked about it at the show, we realized that there is one person who really needs Email Debt Forgiveness Day. And that person is also one of our show’s editors, Mr. Jorge Just.
PJ: How many people do you think you have in your head right now, like avatars of people who are disappointed, because you owe them an email?
JORGE JUST: (laughs) If I start to think about them, like it gets crowded.
JORGE: Oh yeah. You know those photographs of Woodstock?
PJ: (laughs) Yes.
JORGE: Mhm. Just like—yeah. Except they’re all frowning.
PJ: (laughs) And they’re not enjoying peace, love, and music.
JORGE: Mm-mm. Yeah, they’re like covered in mud and they haven’t eaten in three days. And they’re angry about it (laughs).
PJ: There was this one person in particular who Jorge felt really bad about. His friend Chris Colin. Chris is a journalist, he’s a professional writer, which means that normally he is completely capable of writing his own emails.
But, at a party a while ago, Jorge and Chris made this weird bargain where Jorge agreed to write two emails on Chris’ behalf. For Chris. But Jorge didn’t do it. He didn’t do it the next day, he didn’t do it the next week, next month, and pretty soon a year had passed.
And, in that year Jorge’s been feeling really terrible. And so we decided to try to take care of it in the studio in preparation for Email Debt Forgiveness Day. And I just have to say, Jorge just—his whole demeanor changed. He looked like a person who was in actual physical pain.
PJ: Do you wanna try to just … call Chris?
JORGE: Yeah, let’s—yes. Yes, yes, yes. Why not?
JORGE: Um…yes. I think we should call him.
PJ: Alright. Let’s call him.
CHRIS COLIN: Hello?
PJ: Hey, Chris?
PJ: Um. So, Chris, I’m here with Jorge. Oh, also this is PJ.
CHRIS: Hi PJ. Hi Jorge.
JORGE: (laughs) Hello.
PJ: Can I just ask you some questions?
PJ: Um. Do you remember a party, twelve months ago, where bartering occurred?
CHRIS: Uh, that’s not how I remember it. I remember this party being two years ago, Jorge?
PJ: So what happened two years ago?
CHRIS: I had a birthday party. The theme was bartering, you had to barter for something, uh, and then you would get something in exchange.
PJ: It was your birthday party?
CHRIS: Yeah, it was my birthday party.
PJ: Man, that’s different! And worse! Than what I had heard.
CHRIS: What did you hear?
PJ: Oh, that it was your wife’s birthday party.
CHRIS: Jorge, why would you say that?
JORGE: To lighten my psychic load.
CHRIS: It was my birthday party, but I remember that he had a really excellent idea. Which was, um, he would write two emails that I really didn’t wanna write.
PJ: That sounds great. That sounds really generous.
CHRIS: Well, yeah—I mean, I—I like to think that he got something pretty good. Jorge, do you remember what you got?
JORGE: (laughs) I think I got four tickets to the theater.
CHRIS: (laughs) Uh, no. It was a really good idea. I can’t remember if Jorge knew…that I was the kind of guy who could really use that. I like to think it was sort of a targeted offer.
JORGE: (laughs awkwardly) Right now I’d like to think that you aren’t the kind of guy who could really use that. Cause that would also lighten my psychic load.
CHRIS: Um. Wait, are you saying that this has been hanging over you? Cause I feel like it’s been hanging over me. I feel like you—
CHRIS: Like, you have owed me these emails and it’s been just one more thing—it’s like, it’s like a third email that I’ve needed to write. Like I—it had the opposite effect of what it was supposed to have, like…
CHRIS: It was like, “Aw man. Now I gotta—I- I should write Jorge and like, give him his assignments, but it’s just—but I haven’t gotten around to it.”
PJ: So you thought this was your fault?!
CHRIS: Yeah! No, I felt like he gave me this really—well, you know, it’s like when you have like a Groupon certificate, and you just like, you realize it’s been like four years and you haven’t used it. It just sort of—it’s that…species of guilt.
PJ: Well, that’s exactly why we called!
CHRIS: What’s gonna happen…?
PJ: Jorge do you wanna tell him?
JORGE: I forgive you.
CHRIS: (laughs) Wait a second. I don’t think it’s like a thing where you forgive me…
CHRIS: I’m not saying I did—did wrong by you…I’m just saying, I haven’t taken advantage of your very sweet offer. But I don’t think that was like a crime against you.
JORGE: Uh, yes. I feel like I owe you—uh, yes. This has been hanging over me. Like I’m a bad person who says he’s gonna do something, and then doesn’t do it.
CHRIS: I mean you—but technically you definitely do owe me something.
PJ: I think two things, actually.
CHRIS: Two things. Yeah!
PJ: Do you have two emails that you still want written for you or at this point would it be better to just like scuttle the whole deal?
CHRIS: You couldn’t pay me to scuttle this deal.
PJ: I mean, is there one—is there one that comes to mind right now?
CHRIS: (sighs) Um. Yeah…I’ve got, like, literally decades old—a decade old, uh, collection of emails that it would be nice for him to deal with. Like strangers who wrote me notes and I—and they were so sweet that I wanted to write like really meaningful replies and I just didn’t.
PJ: What’s the worst one?
CHRIS: (sighs) Um … well, I—I wrote a story about a man named Randy, who um, subletted, uh, an office from me when I was not gonna be in the office. And he was an older guy, uh, super eccentric, and um, he would—every time I would see him, he would like have some new scheme about like training a Malaysian raven to, uh, to tell whether a man was wearing a hat or not. Or um, he had once been in Alaska and he tried to teach salmon to—to find gold for him.
CHRIS: He had a lot of schemes. He was a really fascinating guy. And he was living—I realized that he was living in this office, that I had rented to him. He…it started to become clear that he was sort of quasi-homeless. And the other people at the office were getting increasingly upset about it. And I just sort of felt like…um. I don’t know, I got sort of caught in the middle of this whole thing and I was sort of—I was sticking up for him. And I felt like it was—it was a—it was about San Fran—it was like a referendum on what was happening in San Francisco in this very micro way.
CHRIS: The—the funky people were getting edged out. And then, one day I got a call that Randy had died. And uh—and it turned out my business card was the only thing they found, in his pockets.
PJ: So, Chris wrote an article in the newspaper about Randy. He wrote about Randy’s scheme to open a hot dog hut in Thailand and his plan to build the world’s first million gallon aquarium. And when the article was published, people who’d known Randy wrote to Chris. People who wanted to share their memories of Randy and say how much the article had meant to them.
CHRIS: And I just couldn’t, I never—I never got around to writing back to them. I don’t—I don’t know how to explain how I’m such a horrible person, I just—(laughs) they just like…sat there. And it—and it was like one year, and then it was two years, and then now it’s a decade.
PJ: Well, it’s not that you’re a horrible person, it’s that you don’t do it at first because you wanna do it really well, and then the longer you wait, the better it has to be.
PJ: And so, starting on day two it just becomes more and more impossible every day.
CHRIS: Yes, that’s true. It snowballs. Yeah.
PJ: I know a guy who’s really good with emotional snowballs.
CHRIS: Ok! Alright! Oh my god. I mean, I can’t even tell you how…(sighs) I really feel like I would lose ten pounds if you wrote back to these people.
JORGE: I would be happy to do this.
CHRIS: Ok. Just … due diligence here, tell me are you gonna write quick little notes, “Sorry bro. Didn’t get a chance to write back to you” kind of answers?
CHRIS: Or are you gonna really—are you gonna sweat this as much as I have been meaning to sweat this?
JORGE: I mean (laughs), before you ask that question, I—I will admit I was just gonna send the shrug emoticon.
JORGE: Um. But uh…yeah. We will write these emails.
CHRIS: (laughs) I—I can’t wait to see what I write.
PJ: So that conversation was Monday. Jorge turned around the emails on Tuesday. Chris made his changes and sent them out to the people who had been waiting on them for nearly a decade by the end of the day on Tuesday. Both of them, I’m happy to report, are now free of all worry, pain, and anxiety. They walk around beaming, like they’ve achieved a kind of transcendence. Because they have.
If you would like to join them in that transcendent state, Email Debt Forgiveness Day is April 30th, we hope you will use it to unburden yourself of email debt.
Also, if you have just a huge email debt story, something that has been weighing you down, we wanna hear about it. You can send us an email at email@example.com. Use the subject line “Email Debt” so we know to look for it. Maybe…we’ll call you and talk to you about it on the show.
Also, if you want more information about Email Debt Forgiveness Day, we made a webpage for it. It’s at emaildebt.club.
Reply All is hosted by me, PJ Vogt, and Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We were mixed by Rick Kwan.
Special thanks to Dylan Moss and Emily Kennedy.
Our theme music is by the mysterious Breakmaster Cylinder. Our ad music is by Build Buildings. And our theme song for our new segment: “Why Is Everybody So Mad and Do I Have to Be Mad Also?” was written by Matt Farley, as many of our best songs are. Matt is available to write custom songs for you for a reasonable fee. Just check out his website. It’s motern—M-O-T-E-R-N—media.com. Our logo is by Matt Lubchansky.
Matt Lieber is the first cookout of the year.
You can visit our website at replyall.limo. You can find more episodes of the show on iTunes or Spotify or wherever you listen to podcasts. Your choice. Thank you for listening. We’ll see you in two weeks.
This week, we discover who was actually behind the hack of Alex Blumberg’s Uber account. This episode picks up where Episode 91, The Russian Passenger, left off.
PJ VOGT: Hey, this is PJ with a quick note before the show starts.
If you have not listened to Episode 91, “The Russian Passenger,” which was about Alex Blumberg’s Uber account being hacked, go listen to that before you listen to this episode. If you don’t, it’ll be like just watching the last episode of a TV show: you’ll ruin a bunch of surprise for yourself, and also just be confused.
Go back, listen, come back here. Ok. Let’s go.
PHIA BENNIN: Previously on Reply All:
PJ: Somehow, someone, in Russia, got the password for your Uber and is just like—
ALEX BLUMBERG: And hacked my Uber account, right?
MELANIE ENSIGN: Whoever had access to his email account was clicking on those links, verifying it was him, and then deleting the notification [sic] before he saw them.
TROY: You sort of leave these little traces of yourself all over the internet. And as time goes by, those chances of one of the places you’ve left your data being breached and that data then being leaked continues to go up.
ALEX GOLDMAN: So a couple weeks ago, we did an episode called “The Russian Passenger.” And in that episode, our boss Alex Blumberg came to us with a question. His question was—
PJ: How did a Russian person steal my Uber account?
ALEX GOLDMAN: Yes. Someone had been taking trips around Moscow, uh—
PJ: On his ruble.
ALEX GOLDMAN: (Laughs)
PJ: On his ruble dime.
ALEX GOLDMAN: What a dumb joke…
ALEX GOLDMAN: So.
PJ: He wanted us to figure out what happened. Which sort of seems simple enough, and then ended up being like, insanely complicated.
ALEX GOLDMAN: Right. And after testing a bunch of theories, what we came to as the most likely scenario was that Alex was on vacation in the Bahamas with his dad, Richard, and his dad has a tablet, a Surface Pro. Alex logged into his Gmail on the Surface Pro, and there was malware on the tablet, which, uh, gave hackers his username and password. They got into his Gmail. They hacked his Uber. But we never found any conclusive proof that that happened.
ALEX GOLDMAN: At the end of that episode, we said that if anybody out there has a different theory, or thinks that they can conclusively solve this problem, they should write into us and if they do conclusively solve it, I will send them a personal pan pizza.
And, um, we got hundreds of emails about this. We’re still getting them to this day. And producer Phia Bennin, who is in the room, hello—
ALEX GOLDMAN: —uh, did the, uh, intrepid investigative work of actually following all of these leads and seeing where they went.
PHIA: Yes. And here’s what I can promise you: by the end of this conversation, I feel completely confident that you will pick somebody who has earned a personal pan pizza.
PHIA: Um, what I also have to say is when I was looking into all of this, I learned a lot of things that terrified me. I have become incredibly paranoid and if I do my job correctly today, you will never touch a computer again after this conversation.
PJ: Alright, let’s go.
PHIA: Ok. So, first, I feel kind of obliged to tell you that we got about a million responses that said we should’ve run a different virus scanner on Alex’s dad’s tablet. Um, a bunch suggested something called Malwarebytes, and so his dad and I did that. No viruses were found.
ALEX GOLDMAN: Huh…
PHIA: So. Just—that was a little disappointing. I thought, like, maybe we would solve it quickly. We didn’t.
PJ: I feel like all it did was reduce the certainty of an answer that I still feel pretty good about, but do you know what I mean?
PHIA: Yeah, yeah. It was just like, “Shucks.”
ALEX GOLDMAN: It was just like, “Shucks.”
PHIA: It was just like, “Shucks.”
PJ: No pizzas for any of those people. Although helpful. Thank you. I’m glad to know.
PHIA: So, now we can get into the stuff that I think is like the good stuff. To start, theory #1.
PHIA: This theory comes to us from a guy named Nick, he lives in Florida. And I’m calling his theory “Beware All Keyboards.”
So this theory is that like, at some point before Alex’s Uber got hacked, maybe he logged onto a computer, logged onto his email, and that computer had a keystroke logger on it. So, like, there was some little piece of software on the computer collecting every keystroke Alex typed in.
NICK SAMBRATO: So I’m not the most technically savvy person, um, and I only know this through experience and I’ve retained it out of fear.
NICK: And this was 2001, 2002, something like that. And I worked at a little, small software, um, company.
PHIA: The head developer there was like, “Just for fun, I designed a keystroke logger that is logging all the keystrokes of everybody in network.”
ALEX GOLDMAN: That’s very sketchy.
PHIA: And Nick was like, “We asked him to like, show us how it works, and we all crowded around his computer, and he was like, ‘Let’s see what our coworker over there is doing.’”
ALEX GOLDMAN: Ohhh…
PHIA: And they already knew that she was, uh, online dating, which they were giving her a lot of crap about, because in the early 2000s that was like—
PJ: Weeeeeeird to people.
PHIA: Mhm. And so like, Nick and all of his co-workers gathered around the one tech guy’s computer.
NICK: And he popped up this little, like terminal window and, um, he’s like, “Let me show you.” What is the word? Not internet—what’s the next step from internet dating if you don’t meet in real life but you want to take it to the next level? Um, now you sext. There’s sexting, but back then, it’s cybering.
NICK: So we picked up right in the middle of a cyber session.
PHIA: Oh no!
NICK: Yeah. And we, I mean—I mean, four guys standing around a cubicle screamed.
PHIA: They all of a sudden realized they were seeing something they absolutely should not be looking at. And they immediately felt tremendously icky.
NICK: Yeah, so we, I mean, shut the window right away. Yeah, yeah. So that’s how I met keystroke logging.
PHIA: So Nick figures, that totally is what could’ve happened to Alex Blumberg.
PJ: Which is a good theory. Except that I actually checked this with Alex.
PJ: And he was like—he said, “No, no, no. I really—I only used my phone, Naz’s phone, and my dad’s tablet. Like, there just—there wasn’t some point where he just like, went onto a stray computer somewhere.”
PHIA: Yeah, but that only really accounts for like what he’s doing in the Bahamas. Like, he could’ve logged onto a computer with a keystroke logger, like, anytime before the trip. Like, it could’ve been like months ago. Um, and somebody could just be like holding onto those credentials and happen to use them now. Like it could be kind of a coincidence.
PJ: Yeah, I guess that’s true. Like, I would say, probably at some point in your life, you’ve used a computer that had a keylogger on it. Like, at a library for 10 seconds, or like—
PJ: Or like, I think that there’s enough of this stuff out there that like—yeah.
PHIA: Right. Like, it’s a little freaky to think about, and like, and—and—I’ll just—like, as I continue to talk to our listeners about different potential threats to Alex Blumberg’s Uber account, like, it just got scarier and scarier. Like, things got super creepy.
PJ: I’m excited to go on this journey of creepiness with you. Before we move on, all I want to establish—this theory is—we’re not giving the pizza to this person, right?
ALEX GOLDMAN: Yeah, it’s a good theory. Not pizza worthy.
PJ: Ok. So what is the next thing? What’s the next theory?
PHIA: Ok. So, theory #2.
PHIA: It comes to us from a guy named Mick Lawlor, he is a security researcher based in Durham, North Carolina. And I’m calling his theory “Beware all Wi-Fi.”
ALEX GOLDMAN: K.
PHIA: So, Mick has a device called a Wi-Fi pineapple.
ALEX GOLDMAN: (Laughs)
ALEX GOLDMAN: It’s so cute!
PJ: I know what both of those words mean separately.
ALEX GOLDMAN: (Laughs)
PHIA: Yeah, I mean, I was curious, like, what he was even referring to.
ALEX GOLDMAN: Mhm.
PHIA: Can you describe it for me? What does it look like?
MICK LAWLOR: Very, very small. Uh, it’s only the size of my palm.
MICK: And it’s basically a computer.
MICK: Um, this one, in particular, they’ve modified to have two antennas, which are radios to call out and to receive. There’s also little switches here to do different, uh, attacks, as well.
MICK: Yeah. And it’s super, super powerful.
PHIA: So, to give you an idea of what the Wi-Fi pineapple is capable of, if you imagine hanging out at a Starbucks, you go there, and you have your laptop and you’re doing work and there’s a ton of other people there. And what you don’t realize is somebody’s just walked in with a backpack on and inside his backpack is a Wi-Fi pineapple.
And as soon as he walked into that Starbucks, it started sending out a signal saying like, “Connect to me! I’m the Internet.”
PJ: So, I’d be sitting in Starbucks. I’m the sucker.
PHIA: Mhm. Yeah.
PJ: And I— and I go to my Wi-Fi list and see “Starbucks Free Wi-Fi” and I’d click it.
PJ: But what I’d really be getting is this other guy, pretending to be Starbucks Free Wi-Fi.
PJ: And so I’d still get connected to the Internet, but everything would go through him, and he could spy on it, right?
PHIA: Right. And it would have a little bit of code in the pineapple that says, “Anytime PJ tries to go to Facebook.com, instead give an unsecure version of Facebook.” So instead of https, it’d just be http.
PHIA: And then the rest of it would look like Facebook.
PJ: But that would allow them to grab—
PHIA: Well, and so when you logged on, it would collect your username and your password. And Mick said, you know, this is just something for Starbucks customers to be worrying about.
MICK: I can set this up anywhere. You think about—
PHIA: (Gasps) Ooh…!
MICK: That’s just one instance. But let’s think about—let’s go one step further. Let’s go airports, let’s go hospitals. Let’s go—uh, the City of Durham actually has, uh, Wi-Fi when you walk around downtown Durham and it’s free to use to the public. So let’s think about the guy that’s just walking down the sidewalk with one of these in their backpack.
PHIA: You are giving me the heebie jeebies. This is so freaky.
MICK: (Laughs) It’s, it’s—and actually they sell a—a covered box that looks like a smoke detector or just—
MICK: —an ominous box on your—on your wall.
PHIA: Oh my god, that is so creepy!
PHIA: So, there’s a name for this. It’s called a man-in-the-middle attack. And Mick explained to me that another way that this could have gone down, like a way it could’ve affected Blumberg is that while he was in the Bahamas, you know, he was staying at an Airbnb.
PHIA: If the Airbnb hosts were trying to collect his credentials—
ALEX GOLDMAN: Right.
PHIA: Or if somebody had set up a pineapple right outside his Airbnb place, this could be like a little side business—
PJ: God or—
PHIA: —selling Uber accounts off of—
PJ: You probably—if you’re an Airbnb host, you’re probably not gonna do something like this because it’ll eventually come back to you.
PJ: But what if you’re just a person who stays at an Airbnb? And like, leaves behind something like a—a pineapple—Wi-Fi pineapple.
PJ: Like, for most people, how often do you look at your router? Do you know what I mean?
PJ: Like, I—that’s not an object that if I found in my house would creep me out.
ALEX GOLDMAN: I guess that—the question I have is if they were collecting this information why would it just have been Alex and not—like, I’m sure that Naz and, uh, Alex’s parents were also using their—emails, their emails.
PJ: And their Ubers weren’t hacked.
ALEX GOLDMAN: And none of their information was taken.
PJ: Ok, I think that what this falls under the category of is interesting and creepy information. No personal pan pizza. I don’t feel like it’s our solution.
PHIA: Right. I don’t, I don’t think this is actually the correct answer either. Um, because, it doesn’t answer this like, huge question that actually, Alex Blumberg kept having, when we were originally trying to solve this, which is that he has two-factor authentication on his email. So, when he logs in from a new computer, he not only has to put in his credentials, he also has to put in this code that he gets from a text message.
ALEX GOLDMAN: Right.
PHIA: But, I talked to this other guy, he’s based in Toronto, and he says he has a way that he thinks it could actually have worked.
DANIEL BOTEANU: Yes. So, my name is Daniel Boteanu. I’m a digital forensic investigator.
PHIA: So you’re like a real detective.
DANIEL: Uh, of the digital world, yes.
PHIA: Do you have, you have a theory about—? Well, let me preface, before any of this, I am not the person who decides whether you get a pan pizza.
DANIEL: (laughs) Fair enough. So, when I heard the interviews and the, last week’s show, one of the things that came to mind is, “Nobody’s thinking of Alex’s phone. Uh, what if Alex’s phone got hacked?”
PJ: Oh, interesting!
PHIA: Yeah! He told me about this way that you could actually get into Alex’s phone. This is Theory #3.
PHIA: The “Beware the Phone Company” theory.
PJ: So how does it go?
PHIA: So, Daniel told me, you know, phone companies they all talk to each other, like that’s how you can have coverage while you’re on vacation.
DANIEL: Uh, for example, AT&T in the U.S. talks to Orange in France.
DANIEL: So, that’s what allows them, when you go visit Paris and you turn on your phone there, the Orange network in France sees your phone number, sees that you’re an AT&T customer, and then will talk to AT&T and tell them, “Hey, I see this number that just appeared in Paris.”
DANIEL: Uh. Now if Alex used his phone in the Bahamas, the network in the Bahamas had to talk to his network in the US just to say, “This phone is roaming.” So, the way this communication happens between the phone companies, it’s not a human talking to a human at the other end, everything’s computers.
DANIEL: Uh, and the problem with it is: anybody can pretend that they have a small phone company, uh, and talk to the big providers in the state saying, “Oh, I see, uh, this phone that just appeared in my network. I will be receiving all messages for it. Please forward them to me.”
PHIA: (inhales) Oh… so they’d be communicating with Verizon saying, “I’m—I’m the local Bahamas phone company.”
DANIEL: And the phone’s in Bahamas, so send me all the text messages and calls and I will gladly forward them to the phone which isn’t under my coverage.
PHIA: (Gasps) Oh my god!
PHIA: So, Daniel says the way that this would work to get around two-factor authentication is that when an authentication code was sent, it would go to the attacker, and they would have the choice of whether to forward that on to Alex Blumberg or not. So they would have the code that they could use in his Gmail.
PJ: But the thing with that, is you would get, if Alex like—at some point Alex did log into his Gmail, he gets that text message, you see the code for the two-factor authentication, but you don’t have his password.
PHIA: Right. You’d already have to have Alex’s username and password. And so, Daniel told me, like the most likely way that this occurs is that it’s actually a targeted attack on Alex Blumberg. You know like, it’s gotta be something like corporate espionage.
ALEX GOLDMAN: Get out of here!
PHIA: I know and it seems like probably kind of a far-fetched idea, but I’ve actually heard of examples of this happening to people in the media industry and people in general. Um, there’s this one story that’s, like a different version of the “Beware the Phone Company” attack. It happened to this guy, that I think you guys have heard of, his name’s Deray McKesson, you know who that is?
ALEX GOLDMAN: Yes. He’s an activist and, uh, he’s very popular on Twitter, he ran for Baltimore mayor.
PHIA: Right. I mean he’s like, super involved in the Black Lives Matter movement and has, you know, three quarters of a million Twitter followers.
ALEX GOLDMAN: Yes.
PJ: Not a Twitter account you would want to be hacked.
PHIA: Exactly. So, this happened to him last summer.
DERAY MCKESSON: I was at a conference, actually. I was sitting on a panel and I have two phones that I travel with every day.
PHIA: You have two phones? Do they have the same number?
DERAY: No, they’re two different numbers. One is a number that I’ve had ever since I ever got a phone when I was a teenager. And this—I have another number, which is the number you have. And that is the number I use the most, but—especially in protests—you know, it was important that I was never without a phone. So if one died I could just turn the other one. I was rarely ever without a functional phone.
So I was on a panel, I had both the phones in front of me. And the number that I use—like the everyday number that I use—all of a sudden, um, I’m talking but I see the screen go like, “Activate your”—it’s like the screen comes up, that’s like, “Activate your phone.” And I’m like, “Well, that’s really weird.”
PHIA: By the time he leaves the panel, he’s getting texts from people being like, “What is going on?” Like, “Why are you tweeting out that you endorsed Trump as a candidate?”
ALEX GOLDMAN: (Sighs) Man…
PJ: Oh god…
PHIA: Somebody has completely hacked into his Twitter account.
PJ: What else were they tweeting?
PHIA: There was another tweet that was like, um, something like, “I’m not—by the way, I’m not black.”
PJ: So like, racist troll.
DERAY: So, luckily the panel’s at the end. I get off the panel and I call Verizon. And, lo and behold, somebody calls Verizon posing as me. They essentially got the SIM card changed over the phone.
PHIA: Oh my god!
DERAY: So what they did is that they have my phone. My number got sent to another phone and then they did the two-factor, so the text with the passcode went to a different phone.
PHIA: Which means that like, the phone in front of him at the panel was no longer attached to his account.
PJ: (whispers) Right.
DERAY: I luckily got my account back later that day, but yeah that was wild. I didn’t even know you could do that. I had no clue that you could even change a SIM card over the phone.
PHIA: And that’s the other way a person can get around two-factor authentication.
PJ: Oh god.
PHIA: Yeah. It seems like, super nightmarish. And Daniel says, you know, even though it’s probably something that Alex should be worrying about…
DANIEL: It’s unlikely that this is what happened. And if I’m doing something at that scale, I’m not also going to go after his Uber account and sell that on the black market—
DANIEL: —and just tip Alex off that something happened to his phone.
DANIEL: I’m just going to try to keep things as quiet as possible.
PHIA: So ultimately, the “Beware the Phone Company” theory makes me very, very scared, but I think it’s very unlikely this is what happened to Alex’s Uber account.
ALEX GOLDMAN: Right.
PHIA: So, I don’t think that theory merits a pizza. And after like all of my research into this, the theory that was still standing at the end of the day was that when Alex was in the Bahamas, he logged into Gmail using his dad’s Surface Pro. And, the Surface Pro had some malware on it. And through that somebody hacked into Alex’s Gmail and his Uber account. And so basically, after doing all of this research, the theory that seems most likely is the one that you, Alex Goldman, presented in the last episode. So, I think you deserve your own personal pan pizza.
[MUSIC – “DJANGLY BITS”]
ALEX GOLDMAN: That rules.
PJ: Huh. Nice job!
PHIA: However…after the break…Alex’s theory comes crashing down.
PHIA: Hi guys!
ALEX GOLDMAN: Hi!
PHIA: So, thank you for coming back into the studio.
ALEX GOLDMAN: Last time we talked I won a pizza!
PHIA: (Laughing) Yes! So we talked a couple days ago when we talked like, we went through a bunch of different theories that—
PJ: We learned a lot about how the world’s not a safe place. Why are we back here? Like, what is happening?
ALEX GOLDMAN: Yeah. Is there some kind of update that might cost me a pizza (laughing)?
PHIA: So. (Laughs) So people like continued to be sending in—
PJ: Wait. Before you even say—
PHIA: Ok. Yeah, yeah, yeah.
PJ: —anything, can I just say something?
PJ: I just wanna say, I feel like too often I make fun of you and stuff. I wanna say that the fact that you did get it right and earn that pizza is really awesome and you deserve to feel really proud of yourself. And it’s really cool.
ALEX GOLDMAN: This is such a neg.
PJ: No! I think it’s awesome and like, this is one victory that I would not take away from you because you—you got it. And that’s great.
ALEX GOLDMAN: You’re just setting this up so that when I—it does get taken away from me.
PJ: I don’t know that it’s gonna get taken away from you. So Phia, what did you find out?
PHIA: You—you are getting so ahead of yourselves!
PHIA: So okay—so, there was just this one part of the story that was still nagging me—which is, if you remember, Uber said they sent emails to Alex when the like, weird activity was happening in Moscow. And Alex said he never saw any of those emails. Like, he never got them.
PJ: Yeah, even in his trash can, like, nothing, nothing, nothing.
PHIA: So, I wrote Melanie Ensign, that woman who works at Uber, and I was like, “I have to find those emails. When did you send those emails?” And she wrote me back. She didn’t actually send me the emails that they’d sent to Alex Blumberg. She’s just sent me four time stamps for the different times those emails should’ve gone out. And as she sent that to me, I actually heard from another listener who told me about something that I didn’t realize existed. Which is that there’s a place in Google Support that says “restore user’s permanently deleted emails.”
PJ: That’s nuts.
ALEX GOLDMAN: I didn’t know that that existed either. Does it restore them from the beginning of time?
PJ: I bet you—you can get like a month.
PHIA: You get 25 days.
PJ: (whispers) Nice job, me.
PHIA: And, uh, I learned about this when there were like—the day when Alex was on vacation was 26 days ago.
ALEX GOLDMAN: Get—get out of here.
PHIA: Oh no, no. Sorry. 24 days ago.
PJ: What a rollercoaster, man!
PHIA: (laughing) Sorry. Yeah so, I could look back but I had like this tiny window where I could still look back and it’s actually you have to like, submit something to Google and then they like, uh, you know, like scrape their system and send you everything.
PJ: I’m literally picturing like, a hard drive at Google Headquarters that like, a conveyor belt is moving towards an incinerator.
PHIA: It feels totally like that. And so like, um, we immediately submitted something to them, they did the scrape, they—they like said, “Ok, now everything should be there.” And I started looking at Alex’s email with all the restored emails.
PHIA: (pauses) Nothing!
ALEX GOLDMAN: Get outta here.
[JAZZY DETECTIVE MUSIC]
PHIA: No emails from Uber. Like, this was so frustrating. So, I … got on the phone with somebody from Google customer support. And was like, “You guys have not restored all the emails. Like, I know for a fact there are these four emails from these four different specific times. I’m not seeing them in here. You guys are Google. You have to be able to find them.”
PJ: And what’d they say?
PHIA: And the guy was like, “You know, I’ve never—I’ve never seen this happen before. This is really strange.” And like, I got so frustrated.
And then he told me that there was a whole different way that we could be approaching this, that I didn’t actually need to be talking to him at all. Um, because Gimlet’s email is through a Google Business Account, that through the administrator, I could actually see all the emails coming in and out of Gimlet Media, I could see the subject lines, the like, who they were to and who they were from and when they came in.
PJ: I’m just quickly thinking about like every email I’ve ever sent at work. I was like, “Eh, it’s Gmail. It’s all private.” Good to know.
PHIA: Yes. Ok, so, let me—let me quickly pull it up for you. Um, it’s actually called the Admin Console, and there’s a feature in here called “Reports.”
PHIA: So, you go into reports and there’s a place for email log search. And now you can look for like, the four specific emails that we know Uber says that they sent to Alex Blumberg. Um. So we’ll put Uber in the “sender field” and Blumberg in the “recipient” field. Does one of you wanna lead—drive this?
PJ: I wanna do it.
ALEX GOLDMAN: Alright.
PJ: Ok. So, I’m gonna hit search.
PJ: Searching … searching … oh wow. So there’s one, two, three, four, five emails. So there’s many, but, they’re all just the ones from once Alex was like, “What’s going on with my thing?” “My account has an unrecognized charge,” “I can’t sign into my account,” “I can’t sign into my account,” “My account has an unrecognized charge.” And finally you get “Interview request: The case of the missing Uber account” (laughing).
ALEX GOLDMAN: I wrote that, uh, subject line.
PJ: Uh. So this is really interesting.
PHIA: Yes. This is when I changed from feeling like Google, scrape through your servers, find these emails to—
PHIA: Maybe these emails never were sent.
ALEX GOLDMAN: Oh my god. This re—requires a dramatic sting. Like a dun dun dunnnn … okay. If—done it. What happened?
PJ: So, yeah, this would seem to suggest that Uber either thinks they sent emails and didn’t send them. Or, in the worst scenario, is not telling the truth.
PJ: Did you go back to Uber with this?
PHIA: (Long pause) Of course I did!
ALEX GOLDMAN: Yeah, what kind of—even I wouldn’t ask that question.
PJ: Uh, so what did they say?
PHIA: Ok, so, yesterday—
PJ: You got us?
PHIA: So I wrote her yesterday and she wrote me back fairly quickly and here’s what she said: “Hi Phia! Great news! We figured it out!”
ALEX GOLDMAN: (Laughs)
PHIA: Alex’s—Alex’s password was part of a data dump that was sold online and tested by a bot script before being sold to the person who used it to request trips.
ALEX GOLDMAN: Ok.
ALEX GOLDMAN: I’m still super confused…
PJ: Hold on—I have specifi—data dump? Whose data dump? Like she said “data dump on a botnet.” Like, are they saying, “Oh, things were actually breached?”
PHIA: So she followed up with a second email. And she said … let me see, “By the way, we found his account in data dumps from LinkedIn, Dropbox, and Myspace, which isn’t surprising since they announced previous data breaches. If he hasn’t changed those passwords recently he should.”
PJ: But we checked that.
PHIA: Right! So, I forwarded all of this to our digital forensics expert, that guy Daniel Boteanu.
PHIA: And I said to him: “I find this confusing. Does it make sense to you?”
PJ: And he said?
PHIA: And he said, “No, it does not.”
ALEX GOLDMAN: Oh my god.
PHIA: Yeah, he was like, “For one, where are the emails that they said they sent?”
PJ: Right. This feels really weird. Wh-what did Uber say?
PHIA: Well, a couple hours ago, I came back into the studio with Alex Blumberg, who has a terrible head cold, and we called Uber.
MELANIE ENSIGN: Hi, this is Melanie.
PHIA: Hi Melanie, it’s Phia!
MELANIE: Hi! How are you?
PHIA: Um, I’m here with Alex and I’m recording our call.
ALEX BLUMBERG: Hey Melanie!
MELANIE: Awesome! Hi Alex!
PHIA: She said she realized that in order to solve this problem she needed to call in, like, the big guns.
MELANIE: We actually have an elite team within our security organization, uh, that deals specifically with account security and compromised accounts, um, and those types of issues. So I—I thought, “Why don’t I go spend some time with them and let’s actually do a legitimate forensics investigation and figure out what’s happened?”
ALEX BLUMBERG: Ok.
PHIA: Um, what happened?
MELANIE: It turns out the initial email address that was actually associated with your account—
ALEX BLUMBERG: Uh-huh.
MELANIE: —was your former email address from This American Life.
ALEX BLUMBERG: Ohhhhhhhhh.
ALEX GOLDMAN: Ooohhhhhhhhhhhhhhhhhhh.
PJ: So this is like his old work email address.
MELANIE: So the notifications saying, “Your email address has been changed,” “Your phone number has been changed,” “Your password has been changed,” were all going to that address.
ALEX BLUMBERG: To the thislife.org address. Which is no longer even active. Which is a dead email address.
MELANIE: So those notifications are essentially going into the void.
PJ: Can I also just say this out loud so I make sure that I understand it?
PJ: Ok. It was not a keylogger, or pineapple Wi-Fi, or anything like that. Basically, all that happened was Alex Blumberg forgot that years ago, when he signed up for Uber, he used an old work email address.
PJ: He also forgot that he used to use the same password for everything, including a bunch of websites that have since been hacked.
And so hackers got his password from one of those websites, and they used it to break into his Uber and steal his rides, and then when Uber tried to warn Alex that this was happening, they emailed the address that they had on file, which was his old work email address. So he never saw it. And, also the hackers might have had access to that anyway.
PHIA: Yeah, and finding that out, it was like, everything all of a sudden started to click, like, remember how he didn’t have his ride receipts?
PJ: Yeah! I remember when we were talking about this like, off-mic, there was a point where he was like—he was like, “Yeah, yeah, yeah. I don’t get ride receipts.”
PHIA: Right. Everybody was like, “Hold on.”
PJ: And, we were like, “But everybody—everybody gets ride receipts.”
ALEX GOLDMAN: Yeah, of course you don’t.
PJ: But he was, they were just going to his old email account.
PJ: Also, when we searched haveibeenpwned, we searched alex@gimletmedia, we didn’t search his old email address.
PHIA: Right. And if you do search that old email address, it has three breaches to it. It’s been pwned three times.
ALEX GOLDMAN: Are they—are they LinkedIn, Myspace, and Dropbox?
PJ: So there you go.
ALEX GOLDMAN: Wow, so we were not just wrong, but we were like double-extra-super wrong.
PHIA: Well, I think like, we were inventing something very complicated because with the data we had that was the most likely outcome.
PHIA: Or like, the most likely how it happened.
PJ: Did Alex—how did Alex react to all of this?
PHIA: Alex is so thrilled to actually have an answer to like—to know exactly what happened to his account.
PHIA: You feel like “case closed”?
ALEX BLUMBERG: I do! I feel like case closed.
ALEX BLUMBERG: Wow!
PHIA: Took us a long time.
ALEX BLUMBERG: All it took was like dozens of engineers at Google, dozens of engineers at Uber, the entire staff of Reply All, a bunch of—a handful—
PHIA: (Laughs) Actually like, all of our listeners.
ALEX BLUMBERG: A bunch of listeners to Reply All, a handful of staff members at uh, at uh—at Gimlet, and my father.
ALEX BLUMBERG: And me.
ALEX BLUMBERG: Man! It makes it—so on the one hand, that’s great. On the other hand it’s like, what if you don’t have that at your disposal? Like, what are you supposed to do?
PHIA: You have to live with a lot more mystery in your life, I guess. And get a password manager.
ALEX BLUMBERG: Seriously.
ALEX BLUMBERG: Boy, is there a lesson to this, isn’t there?
PHIA: There really is.
ALEX BLUMBERG: (Laughing) Yeah…
PHIA: And I don’t have one either. We’re both the worst. Ok.
ALEX BLUMBERG: (Laughs) Ok. Wait, should we just get one right now?
PHIA: A password manager?
ALEX BLUMBERG: I’m—I’m sitting in front of a computer.
PHIA: Oh my god, I don’t want to.
ALEX BLUMBERG: I don’t either… password manager [hear typing]
[MUSIC – “SIMPLICITY”]
PHIA: So like, the final question on the whole thing is like, at this point, who do you owe a pan pizza?
PJ: I feel like I know.
ALEX GOLDMAN: I guess it’s Melanie right?
PJ: It’s Phia Bennin! (pauses) Are you kidding me?!
PHIA: (Laughs) I mean, I think Melanie could take a pan pizza. I would happily accept a pan pizza. Pizza party?
ALEX GOLDMAN: Look. As I specified.
ALEX GOLDMAN: It is a personal pan pizza. You are not to share it with anybody in the office.
PJ: What do you think a personal pan pizza is (laughs)?
ALEX GOLDMAN: It is a pizza made in Phia’s own personal pan.
PJ: Wow. Ok. So at the end of the day, who’s getting pizza? You’re getting a pizza, Phia. We’re gonna send Melanie a pizza. Which feels a little weird to me, honestly. We find ourselves in the position of being journalists who have to send a pizza to someone we interviewed for a story (laughing) at a company. Whatever. Sometimes you end up in a weird place. I feel like our forensics guy, Daniel Boteanu, I feel like he probably gets a pizza.
PHIA: Mhm. He was very helpful.
PJ: Ok, cool.
ALEX GOLDMAN: Good work, Phia.
PJ: Yeah, nice job.
PHIA: Thanks! That’s really nice.
[MUSIC FADES OUT]
[CREDITS SONG PLAYS]
Reply All is hosted by me, PJ Vogt, and Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We were mixed by Kate Bilinski.
Special thanks to Stevie Lane, Richard Blumberg, Gabriel Lewis, Alex Kruglov, Tim Harford, and all of the listeners who wrote in with their theories. You all are awesome.
Also, if you are going to be in New York City on April 30th, Email Debt Forgiveness Day, we’re gonna be at The Bell House. We’re doing a very low-key show, uh, with our friend Linda Holmes from Pop Culture Happy Hour. Uh, you can get tickets at gimlet.media/ReplyAllLive. Come. It’ll be fun. We look forward to seeing you.
Our theme music is by the mysterious Breakmaster Cylinder. Our ad music is by Build Buildings. And the song at the end of the episode this week is “Simplicity” by MACROFORM. And our logo is by Matt Lubchansky.
Matt Lieber is a lost t-shirt that just shows up again one day.
You can visit our website at replyall.limo, and you can find more episodes of the show on iTunes or Spotify or wherever you would like to listen to podcasts. It’s your choice. Thank you for listening. We’ll see you next week.