History is unreliable. Stories through the telling take on a truth of their own, quite different to the objective facts of the time. Often this is gradual, though sometimes it’s a very deliberate act of one’s own psychological survival to quickly recreate the narrative with yourself as the valiant hero.
Let’s just say it’s been an eventful few months.
Sitting there, as a weird lighthouse in the sea of my life, is the Edinburgh Fringe. My relationship with it is deep and complex, but always lovely. I’ve never had a single year where I regretted being there for the reasons I went there. I’ve always had sensible expectations and always met or exceeded them... or so the story goes.
This year’s trip is, if records are to be believed, my 17th. The Fringe itself has been running in some form or other since 1947, meaning this is the 72nd. I’ve been to more than a quarter of them!
My wife has just finished her 8th Fringe. I’m the sole reason she started coming to them... I think it’s fair to say she’s as fully invested as I am!
The festival seems to be a constant across time, with the same venues reappearing out of the mist each year, only to disappear at the end of August as though they were never there... but it is changing. The biggest change is the market.
Audience expectations move year on year. This year, the expectation is that you can pay for free Fringe show buckets using cashless payment. The “kids” have different sensibilities and different ideas of what a festival entails.
Most importantly, though, the market in Edinburgh is heading towards its own ultimate destruction. If you had a decent touring show, you’d be better touring it. If you’re making one, then Edinburgh is still a good place to rough it into shape... This means there are some, but not too many real diamonds hiding in the programme. There are plenty of great shows, though... but the economics of doing a show in a saturated market, where a huge phalanx of performers is competing for the same audience and accommodation as you, means you need to run several shows. Each performer staging multiple shows saturates the market even further, growing the number of venues, the number of other show spots to fill, consequently the size of the supply, while the demand is not growing at nearly the same rate.
At some weird future extinction event, there will be one performer running around 500 venues, doing a few seconds in each, chased by an audience of 3, who have each paid 35 quid per show minute for the privilege, while a bunch of young people drink themselves to death in astroturfed concrete car parks at 20 quid a pint, served in reusable bendy plastic cups.
I’ll probably still be going to the Fringe when that happens.
Having recently set up a company, I understand that it can be hard to determine your best business model, and hard to perfect your attack on the market. One company that is really pushing itself hard is best called “Not really BT”. I say that because they ring us up relatively frequently, claiming to be BT when it’s quite clear that they’re anything but actually BT.
I’ve had some minor adventures with them in the past. Sometimes they claimed to be calling from Microsoft, telling me they’d detected a fault on my computer. On one occasion I pretended to have a Mac (living the dream, eh) and tried to do what they were telling me, complaining that my screen didn’t have on it what they were asking me to click on. I wasn’t at the computer - I’d made it up. When I said I didn’t have Internet Explorer, but could use Safari, they asked “Don’t you have Windows?” and I said “Well, you told me you’d found a problem with MY computer; don’t YOU know?”. They hung up.
One guy claiming to be from Microsoft told me he was called Martin Short, so I launched into a tirade around how much I loved his movies, especially The Three Amigos (great film). He hung up.
The other day a woman claiming to be from BT spouted nonsense at me about hackers and servers and when she paused I said “Look, you don’t have to do this. You don’t have to ring people up to try to exploit them. You could get a better job that’s not so dishonest.” Without missing a beat she told me to go fuck myself and hung up on me. Seriously, it’s hard to give careers advice in IT these days.
I’ve always wanted to explore these scams deeper. I say always, I mean I’ve kind of wanted for some time... so after my careers advice call was so rudely terminated, I went onto my Mac: yes I have a real Mac now, not a pretend one - don’t worry it also dual boots to Windows, so I’ve not entirely sold my soul to Apple: also Microsoft... I went onto my Mac and I installed a fresh Windows within VirtualBox. In short, this simulation of a computer is running a Windows with nothing installed on it except a web browser. It knows nothing about me other than my name and has no access to any of my private files... but it lives in a sandbox on my computer.
Having created the pretend computer, I took a clone of it and called that the honeypot. I fear I may have misnamed it - it should really be called honey trap. Honeypot sounds like a euphemism for something naughty, but I’m not going to google that in a hurry to check.
The honeypot can be compromised as many times as you like and it can be wiped in 20 seconds and rebuilt from the original in 5 minutes. In other words it’s a playground where I can watch hackers trying to fool me, knowing that they’re wasting all of our time. Similarly, as it’s not real and has never been used in the real world, there’s zero chance of it having caught any viruses or having been compromised in any other way.
On Tuesday another hacker called. I ran up the stairs giddy with excitement and quickly started up the honeypot computer on my real computer and turned on screen recording with my phone on speakerphone.
What occurred is a play in three acts.
In act 1, there is the ridiculous attempt by the scammers to blind me with science and take control of my computer, the situation and my confidence. We’ll come to the techniques they use in a bit. In act 2, at around 36:46 in the above video, I reach a point where I no longer want to play, partly because it was taking so long, and partly because the request they made would have genuinely compromised my security, so I reveal that I’m an IT specialist and that they’ve been trapped in a virtual computer all along and that I can see through their lies and bullshit... it took a lot of pushing from me for the fellow on the other end to accept that the game was up. In act 3, the human behind the scam - someone who has a shitty job in a criminal call centre in a deprived country - spoke to me as a human, with no script, with his own feelings and fears, and I shut up and listened... or at least backed off enough for him to be heard. He may even give up this game one day as a result.
Before I explain the con (briefly - watch it to see more) I should say that I came into this aware that some people go for jobs in what they think is genuine IT support, then learn during induction that they’ll be exploiting people for criminal gain... some walk away, some have no option but to stay and probably some feel entitled to skim money off those they imagine are wealthy foreigners.
The con seems to be tiered. The first person you speak to is a robot asking you to press 1 for support. The idea being to filter out people who don’t answer, or who don’t think they might have a computer problem that needs support.
The next person is there to ask you to do stuff. When it’s clear that you’re pliable and will follow instruction, you’re passed onto the next person who walks you through setting up some software that gives them control of your computer. Bizarrely they use two tools at the same time: AnyDesk and TeamViewer. One of the things they try to minimise is your perception of what these are and what access you’re handing over to the people on the other end.
Finally you are handed over to a hacker. This is the person who will ramp up the social engineering claims, suggesting how important it is to catch hackers, and who will also be driving the control of your computer while, and this is the clever bit, trying to convince you that you’re doing it. My hacker, “Mark Robinson”, probably not his real name, was getting me to do all manner of silly things including typing the command “I want to know how many hackers are activate on my server” into a command prompt... and when I hit return, he pasted in a command to make my machine actually appear to do stuff. Luckily he pulled the trick twice so I saw what he was doing as it flashed past the second time.
So you think there’s a problem (they have you look in spurious error logs to start the process), you think BT are fixing the problem for you by telling you what to do, and you’ve forgotten that they’re watching and controlling your computer during the call.
After they earn your trust they will eventually hold your computer to ransom unless you pay them.
People fall for this.
I hope the above video, in which I deliberately slow them down and waste their time, will be useful to show people about the dangers of being scammed/hacked. Similarly I hope people will look at the victim on the other end of the phone - he deserves a better life than this, but has fallen into something quite wrong.
The best defence against this is everyone being wise to it. Then they will stop as there’ll be no market for it.