Security risks facing streamers on Twitch and YouTube

Roderick Jones of Concentric talks about security risks facing content creators, influencers, gamers and streamers on Twitch, YouTube and elsewhere. Online harassment is often seen as "part of the package" if you're going to work in a public-facing streamer community, but Jones knows that this isn't inevitable, and it is fixable. A future without a shrug-shoulders approach to online abuse?

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 - Intro
  • 3:37 - How did you get into cybersecurity?
  • 5:30 - Were you scouted for your role?
  • 6:44 - How did the landscape change?
  • 8:40 - Security intelligence to private sector
  • 11:50 - Daily work at Concentric
  • 13:25 - Staying up on trends
  • 15:09 - Gaming, streaming and security issues
  • 21:31 - Desentization and online personalities
  • 25:42 - The future of online access
  • 27:37 - How to protect streamers
  • 31:40 - Censoring on streaming platforms with AI
  • 35:06 - Safeguards streams should have in place
  • 40:06 - Cybersecurity jobs related to streaming security
  • 41:58 - Being courteous online
  • 42:43 - More about Concentric
  • 43:58 - Learn more about Jones
  • 44:35 - Outro

[00:00:00] Chris Sienko: Today on Cyber Work, my guest is Roderick Jones, Executive Chairman of Concentric and he's here to talk about security risks facing content creators influencers, gamers and streamers on Twitch, YouTube and elsewhere. Online harassment is often seen as part of the package if you're going to work in a public facing streamer community, but Roderick knows that this isn't inevitable and it is fixable. A future without a shrug shoulders approach to online abuse, find out how today on Cyber Work.

[00:00:33] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry.

Roderick Jones is the Executive Chairman of Concentrics, the largest most influential privately held security firm on the West Coast of the United States. He began his career with Scotland Yard’s Special Branch focused on international terrorism and the close protection of a prominent British cabinet member. His work during this period included the design and delivery of security for a number of high growth Silicon Valley companies.

In 2016, Roderick also co-founded and became the initial CEO of Rubica, Inc., a cybersecurity company providing advanced protection to individuals through the provision of localized network security. Roderick has consulted widely on next generation security projects with the United States military and intelligence community, notably the impact of online gaming and virtual worlds as well as the threat of computer hacking to financial markets. He's been asked to brief at the White House Downing Street and the Pentagon on a variety of national security topics during his career. And as a frequent guest speaker at national and international conferences, Roderick has a Master's Degree in History from the University of Cambridge and spends his time helping run a community soccer team in San Francisco.

So, if you've ever watched a Twitch stream or a YouTube, let's play video, especially live, you've probably noted or maybe even taking part in the ongoing chat bar that's happening. If you watch it, a cursory scan of the onrush of comments is a study in tone contrast, maybe eight people are saying, “This is great. You rule.” Or, “I can never complete this level. So, excited right now,.” Ranging to, “Why are you so bad at this game?” And then sometimes it's even worse. Online gamers, content creators, streamers all deal with massive sensory input from “fans”, ranging from abelian praise to hostility, and even harassment and death threats.

So, we're going to talk about all this including the security measures for live streamers and content creators, and the psychological component of being so accessible to your audience. Roderick, thank you for your time today. Welcome to Cyber Work.

[00:02:32] Roderick Jones: Great to be here, thank you.

[00:02:34] CS: So, I like to start out getting a sense of your journey. When did you first become interested in computers and tech? And then what got you excited about cybersecurity? What was the initial draw?

[00:02:45] RJ: I think, like a lot of people from Britain, my age, I got a home computer when I was 11, 10 or 11, and started programming it. Because that was how you played games, there wasn't any other way to do it. I made them them myself, and spent a lot of time saving them on cassette tapes and things like that, and that progressed. Computer Science wasn't offered generally in schools at that time. But okay, I think I did the first GCSE in it. And sort of wrote the wrote the syllabus almost. So, it was in that generation of people that grew up programming that that first generation of personal computers. And then professionally, I was just very computer literate when I went into national security work and did a few interesting cases around digital forensic.

So, I did one of the first digital forensics cases of espionage, which was really interesting when you had this moment where a judge is asking you what the internet is, and you're holding a piece of paper with a printout on it and trying to get that in evidence. So, that ages me tremendously. And then actually, I really, I wouldn't say I was ever drawn into cybersecurity. I’d sort of correct that in some ways. I was always much more interested in the offensive capabilities and the intelligence capabilities of the information that was being poured into these platforms, and particularly in the early ‘90s, it was sort of a wild west. Oh, sorry, the mid-90s, it was a wild west. So yeah, that's my own journey with technology and computers started at a very young age.

[00:04:27] CS: Now, were you scouted by your job with the intelligence industry? Where you started because of your computer acumen, or were you already doing the work? And then you said, “Oh, by the way, I know all this stuff, because I've been doing this since I was 11 years old.”

[00:04:40] RJ: I think a lot of it was – again, I've heard this from many other people my age. Computers would arrive in these offices in the mid-90s, and it was like, “Okay, who knows how to work this?” So, you got volunteered to do this stuff that, you know, really, you became the sort of team expert on it, whether you wanted to be or not just because you knew how to operate it. So, that was, I don't think it was particularly scary. There wasn't an understanding except in very specialist places around the power of offensive cyber at that point. There was obviously computer hacking going on, had been, from the US through to the UK, but it wasn't understood as a strategic power position. But the computers arrived, and if you could fit the printer and get things to print out, you were the expert, and I think that replicates a lot of people's journey of my age as well.

[00:05:40] CS: For sure. Now, how did the landscape differ at that point? Apart from being one of the few people who actually knew the computer and the internet. I say this all the time on the show, but for younger people, it seems impossible to remember a time when it seemed like not everyone was going to be on the internet, eventually. It was always going to be kind of a niche and specialty thing. But, I mean, do you have a sense of like, how the threat landscape has changed since the mid-90s? Do you have any sort of like, broad sweeping generalizations about what's different now in terms of that?

[00:06:18] RJ: I would say, I mean, I think, to be digitally illiterate now is is a real disadvantage, I think. And we have to think about that, as a society, I would just say that, if you're, say, homeless in Seattle, or San Francisco and don't have a phone, how do you even know when the bus is coming there? I mean, that's a real difference, right? So, to be digitally disconnected is completely problematic. I think the other thing, I would say, the big arc, the big generalization is that so many of the systems I've just described, growing up in the ‘90s, and then into the early 2000s, if you were on the leading edge at that time, so many of those technologies are completely old and decrepit now and the computers, and that's actually where a lot of our digital insecurity comes from in the West, is that we were the first adopters of many of these things. So you have hospitals running, not literally Windows XP, but almost –

[00:07:14] CS: Just about.

[00:07:15] RJ: So, I think that and obviously countries that have caught up and overtaken the West and don't have that legacy IT, I think that's a big arc, I think that we don't truly understand, especially with SCADA systems and things like that. They've been in there such a long time, that the vulnerabilities are quite intense, I think, in their systems.

[00:07:37] CS: And they cover such a swath of different areas, from infrastructure to government, to local municipalities to healthcare, finance. So, once you start going down that road, well, you get vertigo very quickly.

[00:07:51] RJ: Absolutely.

[00:07:51] CS: So, your career arc is pretty interesting, as we said, it started in security intelligence, both in the US and the UK into your role at Rubica, Inc., which provided high-level security solutions for individuals, as well, of course, as your work with concentric. So, what was the impetus from moving from an intelligence counterterrorism frame into a private sector cybersecurity area?

[00:08:12] RJ: Yeah, I think I always like to fight the next one, not the current one and intellectually anyway. I think counterterrorism reached its apex probably around that period, 2010. The sophistication of international terrorist groups had certainly been defeated, I would argue a long time, at least 10 years ago. And sadly, in the West, we continue to sort of continue to spend a lot of resources on terrorism that I don't think it necessarily warrants.

But for myself, I actually gave a talk at Sundance Film Festival and it was a sort of a provocative statement I was thinking about. I actually asked what would the Second Amendment look like in cyberspace? I was very interested. I mean, America is a country of individual rights and focuses tremendously on the individual. So, how the Second Amendment came about, it's a British thing that got translated into America, as we know, and it was around essentially, to enlightenment idea that if we give you individual rights, but no means to protect them, we’ve essentially giving you nothing, the sort of enlightenment philosophers understood that.

What is a right? Well, it's a custom that then becomes ingrained in law and all those kinds of things, and I just reflected on the fact that we've been given so much in the digital space, but very little means to defend ourselves. So, I sort of gave that speech and then sort of left the festival thinking, “Gosh, I should probably try and do something about this and maybe build a company to provide some kind of defense in the digital space.”

Now, I would say that the thing that I probably got wrong about that was cybersecurity for individuals is really nuanced topic, and I think it was privacy really that people were worried about losing as much as the actual individual hacks onto people didn't really emerge in the way that I'd kind of anticipated. Whereas, of course, the breaches of privacy and the breaches of, whether knowingly or unknowingly losing your data, through privacy issues, I think is the thing that's exploded rather than sort of the offensive hacking of your personal computer. But which is still an issue in some areas, but not as pervasive as I'd anticipated. But that was where that journey began. I just became very interested in the fusion of the physical and the digital, something I'm still fascinated by actually. So, that was where that company, it came from that idea and that speech.

[00:10:50] CS: So, to that end, can you tell me about your day to day work as the Executive Chairman of Concentric? What are some tests that regularly occupy your day? And also, what are some jobs or tests that you enjoy doing, but had to put away when you sort of moved up the ranks of the company?

[00:11:05] RJ: Yeah, I think, the company, Concentric, has always been excellent at tactical delivery of security. I certainly enjoyed that at the beginning of the company, sort of the creation of intelligence reports and the operations and traveling the world doing those things. But, of course, when you have to run the company, you can't zip around the world or be spending all your day writing reports. So, we have to put those things away. I think my CEO, at Concentric, would smile when I said, because it's one of his mantras, but what we spend, or what I spend a lot of time on is thinking about relationships, and actually the very human connections the company has, and really trying to think about the future. If you're not, we're living in such a fluid environment right now, both politically and socially and technologically, that if you're not wondering and thinking about how to stay relevant in that space, and somebody's not doing that for the company, then you're going to have some real problems if you're in the market, and of course, we're in the market. So, that's what I spend a lot of my time on is what do we build? How do we position ourselves? How do we provide solutions to keep our clients safe? And that has moved tremendously over the past two or three years from where it was.

[00:12:23] CS: So, it sounds to me like there's a fair amount of sort of cutting-edge research, that you're reading and absorbing, to sort of get a sense of the trends and so forth, and what's new in tech, what's new in hacks and so forth. Is that the case? You're just sort of keeping up with everything has happened right now.

[00:12:42] RJ: That's right and scanning the environment. But I'd say that the skill there if there is one is almost paraphrase, sort of trauma, Churchillian sort of comment, that I think he once said, “If I'd have had more time, I'd have said less.” I think, with the aray of things going on there, I’d like to distill it and to make it make sense for a business and for a security business, you have to – you’re constantly asking for it to simplify, a facial recognition is a good example of that. It's a huge topic on both sides, privacy concerns, but it obviously has tremendous benefit on security, surveillance, how you play in that space. And the transformational capabilities of that are tremendous, but simplifying it and making it a product or even something that we could use takes quite a bit of time and effort to get right through policy and law and technology.

[00:13:40] CS: Do you have anything about your job that keeps you up on Sunday nights or in the evenings?

[00:13:45] RJ: It's probably the same thing that I said earlier, it's relationships really. It's just understanding that while we're still – even though we've grown tremendously, we're still very dependent on the people that work with us and for us and around us. So, focused on those things, those things are still keeping me awake at night.

[00:14:07] CS: Yeah. So, the focus of today's episode is one that I've been wanting to have on the show for a long time. So, I'm glad you suggested it. We're talking about the world of gamers, streamers, bloggers, influencers on platforms like YouTube and Twitch, and their unprecedented accessibility that users have to them. So, as Laura Hoffner also of Concentric put it, “As gamers and influencers bring viewers into their living rooms and our bedrooms during a live stream games or social media stories, participants can feel personally connected to the event, even though they are doing so along with tens of thousands of other fellow viewers. A crossover into obsession is enabled by the ease of information about these individuals, including physical addresses, familial contact information, and patterns of life details, such as frequented stores, gyms and friends’ houses. So furthermore, the face to face accessibility that live chat affords means that both effusive praise and also abuse and even better threats are allowed to flow uninterrupted into the creator's personal space.”

So, Hoffner continues, “Unfortunately, the influencer industry is lagging behind on not only acknowledging the security threat posed by their unique accessibility, but also dealing with stigma and technology limitations that prevent adequate holistic response options for the virtual threats that are directly turning into physical violence.” This is a huge topic. Can we start by talking about some of the main red flags that you've seen around this topic so far? Maybe some noteworthy cases or stories showing the way that this unusual access to people has turned bad?

[00:15:31] RJ: Yeah, you're right to say it is a huge topic. I think it's the topic of our times, and I've been thinking about it and looking for it for a long time. I think, if I start at the beginning, what I consider to be the first really interesting emergence of this, was around Anonymous and project technology. Essentially, why that was important was I thought, the first time that an esoteric threat jumps out of the internet and becomes real, and goes into real space, then we have a new reality. I think, for those that aren't quite aware of it, I'll just sort of paraphrase what that was, it was, Tom Cruise had made some comments about Scientology, that were published on YouTube, Anonymous, got involved. After YouTube pulled it down, under a question of Scientology community, to essentially, complain about free speech and all the rest of it.

So, this Anonymous movement began around that, but we have some Scientology places in San Francisco, you would then see people wearing Guy Fawkes masks standing outside, the church is protesting. So, it was this first fusion of kind of physical meeting digital, and jumped out the internet. And actually, we worked with YouTube at the time, because they then had actual physical direct threats to YouTube. And there was some big – there was a combination of DDoS attacks and physical threats to the organization, on those topics from the anonymous group.

So, I think that, even though, sort of that starts the kind of conversation and then you get into the environment around social media and influencers, if you think of Gamergate, and kind of things that became apparent around that in terms of Doxxing, and then swatting these kinds of like kinetic activities associated with people, prominence on the internet, then having some kind of physical threat happened to them. And then in recent times, I think there's been cases of prominent gamers, Dr. Disrespect, was one a couple of years ago, whose house got shot up after some disputes on a game. And then I think recently, last year, as a female gamer, BrookeAB from 100 Thieves who actually publicly posted about having a stalker on the internet.

This is the tip of the iceberg. If you talk to people at Twitch, and these things, these things are absolutely happening all the time. Now, I think, where I've changed my mind or sort of adjusted my thinking is that what I thought was the important piece of this was, essentially, you have this new environment, lots of threats being said, and they're really important when they become kinetic, meaning that they're really important when a physical threat is manifested in real life. So, somebody does something to you in real life. But actually, I think I got that a little bit wrong, and if you think about Chinese warfare theory, there's this big Chinese doctrine book came out in the ‘90s, unrestricted warfare. I think that's what's happening in this space. It's not just kinetic, it's information warfare, it's hacking, reputational attacks, all kinds of things that are happening in the space that really kinetic is just one element of it, probably the rarest. But the reputational attacks, financial attacks, the information attacks, the stuff that has been posted on open and dotnet forums about these people and just trying to change the conversation with disinformation is serious.

If you're relying on your reputation in the influencer space, and that's being attacked, video fakes, deep fakes, and all these kinds of things, that really is the environment. So, I think I've changed my thinking on that quite substantially. But what I would say in terms of a way to think about it, what's happening really, it's like a marketing funnel, the more people you influence, of course, that group is large, and then the more negativity that's in that pipeline. So, if a theory develops about you being a bad person, for example, if 100,000 people believe it, 10,000 people might do something about it online. And then you get down this funnel, it's a classic marketing funnel. And then potentially at the bottom of the funnel, you'll have like 5 or 10 people actually do something very negative, either in an information space or a physical space.

So, I think that's how I see this now. And I think it's the creation of these massive marketing funnels of threat that has changed the environment. So, that's how I visualize and think about it right now.

[00:20:26] CS: That's great. So, I mean, it's not great, but it's a great way of thinking of it. Thank you. But before we delve too far into the security implications, I want to talk about another point brought up before the show and this relates to what you're saying here, but is one that just by pure me watching these things, I've seen it. Laura Hoffner said again, “Desensitization is expected from influencers when negative comments and responses are expected to be seen aloud and anticipated even on a mass scale. Because that baseline of negativity is established, the threat escalation is significantly higher, while also being allowed to “drown in the noise.”

I could probably just talk for hours on this one point, but I want to ask you about it from a purely psychological standpoint, because I see two contrasting things happening in the space. One, the creators feel to some viewers like close friends, the term parasocial friendship gets tossed around a lot, which can lead to the feeling that said gamer or streamer will want to chat with you, and just you personally, even if they've never met you. Conversely, the anonymity of the internet means that you can fairly anonymously say the most egregious or even threatening things to a person, not only because it's easy to do so, because it feels like this isn't a real person. They're just pixels on your screen. So, what are your thoughts on the ubiquity of this ease of access to people who make and do things for large audiences?

[00:21:41] RJ: Yeah, I think the desensitization has happened across the sites. And I think there does need to be a course correction there. Famously, some of the original thinkers and fathers of the modern Internet, Stewart Brand, who's a San Francisco guy said, information wants to be free. And well, maybe it shouldn't be. Maybe there's a course correction coming there. I think, actually, what you have to think about, how do we – moderation doesn't really work in some ways. I mean, lots of these tech platforms have very sophisticated and qualified moderation teams, the trust and safety departments and most of these places now, are up running and very good.

But the language is nuanced and it's very hard, and I'm not entirely sure that the answer is going to come from the environment itself. I think that the desensitization is true, the mass content that a female influencer gets, misogynistic content of a sexually threatening nature is just massive. So, desensitization, it’s like that.

Now, what I actually think might be useful in terms of changing to this dynamic is possibly blockchain. And just in the way that people are rethinking how the internet destroyed journalism, in some ways, it's one argument because it took the ads away, and all the rest of it. So, the business model of journalism destroyed. The business model for, all of the social networks and lots of stuff is, the more outrageous you are the more kind of – the more the algorithms promote you and all the rest of it.

Now, if you had to pay to speak with a micro transaction, you might think twice about it. But it's just put – I don't know if that's a total answer to this. But I know that Twitter just introduced or just announced, it was introducing a big blockchain initiative to look at some of these kinds of issues, because they know that people do hide behind the – it’s not even anonymity, in some cases, it's just the fact that the consequences aren't directly in their face. They're adding some extra steps and adding some will actually have to pay to say that kind of thing in some way. It might be an interesting solution to this.

So anyway, I think there's some interesting people working on some interesting stuff. There's a new department at the Media Lab at MIT, looking for a public discourse system that can be more less vitriolic. So, there are lots going on there. But I think the desensitization is something that we shouldn't accept as, okay, it's gone now. We should try and introduce some controls back into language and speech on the internet.

[00:24:40] CS: Yeah. Also, the other part of that is that desensitization isn't always happening. I think we forget that a lot of content creators, if you're an author, you have to be on Twitter, your publisher is going to tell you to do it. If you're a blogger, if you're this or that, you have to be in the social sphere, and because of the way the social sphere works, you have to be sort of – unless you like hire someone to like handle your social media accounts, that can wear down even the most thick-skinned people.

So, related to what you're saying before, do you think this sort of necessary accessibility is just business as usual from now on? Or will there be some sort course correct in the future where we're like, I can't believe everyone was accessible to everyone for these couple of years.

[00:25:25] RJ: I think it's the norm now. I think it will continue to be as well. There's obviously a democratizing element of this as well, that is very powerful, and I think very useful. So, I don't think we'll look back, and I don't think it will change. I think part of it is because, you know, we're operating in these very fluid environments right now. This year, particularly, I think, has been very culturally fluid, lots of people leaving jobs, starting new jobs, pandemic, things like that. So, the conversations are necessary in many ways, and I think people do look to influencers for whatever that a description or just people in their community and the idea of community now has exploded globally. You might have more in common with someone in another country that follows a sport that you follow than someone that lives down the street. So, I don't think we’ll change the way we do things. But I do think as ever, with technology, policy law, and all the rest of it needs to catch up to what we've created. I don't think too many people would disagree with that.

[00:26:35] CS: That leads nicely into what I wanted to ask you about next. Point made was that virtual attacks are below the threshold of concern, and no direct correlation is anticipated to evolve into a physical threat, regardless of the data proving otherwise. So, when physical threats do occur, there's limited recourse that influencers can take. Let's start talking about what needs to be changed. If you were given a magic gavel or the key to the internet or whatever, what changes would you make in the way that these types of streamer creator platforms are run in terms of feedback, accessibility, et cetera, to reduce the amount of harm that can be volleyed at these types of creators? Is there a way of making this safer while still retaining the accessibility? You mentioned blockchain, and you mentioned like micro payments for comments and things, from a purely security perspective, do you have any other sort of things that you would like to see happen either at a legal level or procedural level?

[00:26:35] RJ: Yeah, I think, you know, again, we haven't – I actually think there are some technological innovations obviously mentioned blockchain that might be interesting in the future, but frankly, policy law and the capabilities of those things combined could make a difference right now. I’ll give you an example. In sports, as you mentioned in my intro, I’m particular a soccer fan, and it's been a serious problem during the pandemic, that soccer players moved into the influencer’s status. So, without crowds and stadiums, they essentially became virtual characters.

Now, one of the downsides for this was real spike in racist abused against black players in certain leagues. There were laws and as countries, and certainly the country I'm from, Britain against hate speech and against racist speech. Once the law enforcement agencies were tasked with tracking those people down who pouring racist abuse onto players, they make arrests. It's against the law.

To go back to the arc of this conversation in some ways, it's 20 years of people have had 20-year careers in like the FBI in America now, and have just done counterterrorism. For the past 10 years, they could have been doing something else, because in my view, I think, there's some changes need to happen in sort of resources that because the laws, it's a little trickier in America, given the freedom of speech controls here, and there's no hate speech laws and things like that. But there's still, policy law can catch up to the vitriol poured out onto the internet and can make certain kinds of things unacceptable, and people can be prosecuted for them.

So, I don't think that's impossible. Certainly, violent sexual threats aimed at influencers, people making those on the internet, should be prosecuted and caught up with and I think the technical capability exists to do that, and it's just a question of policy and political will to go and do it. There are issues in this country around the political world to go and do that. If you look at Europe, that definitely isn't the case, and some prosecutions are starting now against people that made online racist abuse against prominent sports people. So, there is a contrast, other countries show this can be done, right policy and law. It doesn't necessarily – you don't have to throw your hands up and say, “Oh, it's just the internet. We can't do anything about it.”

[00:30:08] CS: Yeah. We tried nothing and we’re all out of ideas.

[00:30:10] RJ: Interestingly, actually, when fans were allowed back into stadiums in the UK, the controversy still exists around racism in the grants and things, but then the weight of proprium against the racist in the ground, 50,000 people disagree with racism, 10 want to be racist, that weight changes it again. whereas you get outsized influence for outrageous comments on the internet than you would in real space, so it is different.

[00:30:37] CS: Yeah. Now, I know, one thing I've seen on Twitch and other places is auto censoring of words that could potentially be used as as threatening, or even just spicy words like simp or so. This suggests that in the absence of a larger solutions, that the industry is taking a sort of AI approach where certain keywords that look like lead up to abuse are hidden, though it has to be said that if the rest of the message is threatening or insulting, you're probably going to be able to figure it out in the context clues anyway. So, do you think there's any sort of AI sort of base solution in this realm? Or does the problem really need to be attacked from a different direction?

[00:31:11] RJ: I think the problem with AI in this space, particularly is that language is very, very contextual. If you spend any time in any kind of dark web forum, terrorist forum, hacker forum, soccer forum, frankly, the language of those groups, becomes quite esoteric and hard to follow. Because there's lots of in gags –

[00:31:39] CS: It's very coded.

[00:31:42] RJ: Lots of coded referential, and that’s not necessarily like some kind of obscure terrorist technique, go and try and talk to some people from Birmingham, where I'm from, about my local football club, you wouldn't understand half of it. I mean, it's just what happens when humans get together and they create trust networks is that they create language that go along with those networks. So, the AI, I'm not saying, obviously advances in AI, there are some probably advances you could make, but I don't think it's a near term solution. The context and setting of how you say something, because I'm going to be like, “I'm going to kill you.” Now, that could be said in a jokey way, ironic way, all kinds of ways, and one of those ways is menacing. But 20 of the other versions aren't.

That's often the challenge on the internet or with digital media is that you just see the text, I'm going to kill you and out of context on what was going on in that stream, or is it game related? What is it related to? Often you just see the snippet, and it's very difficult to relate to it. So, I think near term, it's not – I think, still human analysis is required and it's no accident that Facebook, or Meta, beknown, calling it has hundreds of content moderation humans looking at this stuff, rather than an AI system. If they could, they would have put one in because it's more cost effective.

[00:33:20] CS: There are stories of content monitors burning out, because they're just having to look at so much disgusting stuff every single day. You’re literally destroying people's psyches.

[00:33:31] RJ: Yeah. And that's a real problem. I think, that is something we we've looked at and had to address and do training and offer counseling for and be clear about what this is. And some of the things was, yes, some of the times because some of these environments were completely new, it was news to us that these things even existed, and then you start looking at them. Again, we had to catch policy up with what was happening in the sort of unpleasant corners of the internet.

[00:34:04] CS: Yeah. So, from a secure personal security standpoint, do you have any suggestions for safeguards that content creators and influencers should be immediately putting into place if they haven't already to keep themselves safer from things like Doxxing, stalking or other physical and in the real-life outgrowths of abuse?

[00:34:20] RJ: Yeah, I do. I thought a lot about this. I actually think if you look at any kind of security threat, you're always to use the parlance of the industry want to move to the left of the boom and that every attack has to be researched. Everything that somebody wants to do to you as an individual or organization has to be researched. Information control is really key and around influencers, they really need to think very seriously about privacy controls and removing their personal data from the internet as much as they can. Concentric has built sort of industry leading service for this and what we do in that space is identify what's out there, remove it, and then best we can confuse the algorithms going after that data and meshing it all back together again.

So, we have quite a sophisticated program to protect people's privacy, because frankly, that's the first line of defense. I think after that, you should look at your personal network security or personal cybersecurity. These are not to be taken lightly. Obviously, how you set up your computer environments, just at the network level is important. There are good services that we recommend and we put in around network security. You don't want to be hacked. But then there's also some simple things, frankly, around just using two factor authentication, and how you set up your things. You would be amazed how many people don't do that, and use password managers.

Honestly, we do a nice sort of checklist and things like that to kind of just take people through the process, because it’s a lot if you haven't done it before. And then, you do have to adjust the kinetic. So, if your threats escalate, just understanding what those essential security measures can be taken. Again, and that's probably where you're going to receive the most threat, anyway, somebody knows where you're going to be and it's predictable. Most of us stay eight hours in one place during the day because we're asleep there. So, understanding that and potentially having some security around that. We've done some interesting things in the past as well around, swatting where we've spoken to the local police departments on behalf of clients, because, to understand that that potentially is a threat, because if you get that 911 call, it's been faked out to that address. So, there's some sophistication there that we've gotten involved in to prevent that.

And then, I actually think the final thing is probably just active monitoring of information about you as well. If you are someone that is potentially open to a rapid threat emerging, you need a team of people to look out for that, because it could emerge from any time anywhere, anything. And so then, at least you've got some forewarning, and you can take some other security measures.

Now, what's interesting about all of that is I haven't mentioned once guns or armored cars or anything like that, when a totally different world. I mean, if you're getting down to that level, something seriously has gone wrong, I hope we never get there, that's 1%. But I think these other things are pretty non kinetic. And really, if your work is in this personal promotion, and streaming and all of this, I think most people who are in that space should adopt some of these measures, if not all of them.

[00:37:48] CS: Yeah, I think that's really good advice too, sort of knowing in advance if this happens, these are the steps you take, because I think the first time it happens, you're probably terrified enough without having to think, “Okay, now who do I actually report this to? What do I do now?” Knowing in advance, it's like building a will.

[00:38:09] RJ: But having a plan in advance and having a trusted company you can work with because most people don't wake up in the morning think, “Oh, gosh, I'm going to be under security threat today. Let me look in the yellow pages.” It doesn’t work like that. Doing some of this work, a lot of the work we do actually is just meeting people. Here's some things to do, call us if you need us. Because the last thing you want, as you mentioned in the intro, I did run a security team for someone who was on the director assassination threat for a couple years. So, the one thing that teaches you is that you never want to live like that.

[00:38:47] CS: Yeah, I can imagine.

[00:38:49] RJ: Having armed men with guns and actually being transported in armored cars all day is not what you want to do. So, anything before that is a better solution and preparation. An ounce of preparation, as they say, is worth a million dollars difference.

[00:39:04] CS: Absolutely. So, turning to a job slash/career standpoint, what types of cybersecurity jobs are open up by focusing more on changing and mitigating this type of online harassment? For listeners who want to get involved in improving security in this way for these types of people, what kind of ways can they get involved, improve their skills and really move the needle on online harassment?

[00:39:24] RJ: Yeah, I've been thinking about that. I think, the said cybersecurity industry is, it's a massive behemoth, lumbering down the tracks. The big companies have lots of things going on. But really, if you're starting out in Korea and what would be new, I mean, honestly, I have young people that I talk to, and I just keep pointing them at blockchain. If you're particularly interested in this topic, I think the identity management opportunities that blockchain might offer I think are fascinating and then also thinking those things through in terms of, okay, so on the defensive side, that's interesting. But it’s also interesting on the offensive side. If I go work for a company, and they get a bunch of threats, how do we identify those people? How do we kind of make sure we've got the right people and say to them, you can never use our service again, because you've done some bad things on our platform.

I think the personal identity piece of this is really interesting on both sides, defensive and offensive going to look at those things. But yeah, advice to people getting into the industry, I honestly think the innovation and the energy around blockchain solutions right now, we all know 10% of these things will work. But the 10% that will work on what's been called Web three, are going to be pretty interesting. If you're younger, that's where you want to be.

[00:40:56] CS: Okay, so obviously, the people that – some people are never going to take this advice. But for the vast majority of people who watch gaming streams, lager content, makeup tutorials, listen to podcast, what advice do you have to exercise online courtesy to make the people who you tune into enjoy to make their work less stressful?

[00:41:16] RJ: I mean, I think online is real life. I mean, just say that. I wouldn't say something to someone that you wouldn't want to hear yourself. But I'd also say with a mind to what we've been talking about, maybe think, don't say anything that you wouldn't be prepared to have read back to you in a court of law.

[00:41:39] CS: All right. So, as we wrap up today, you talked a little bit about Concentric, but if you want to sort of talk about your passel of products and what services you provide, please feel free to do so here.

[00:41:51] RJ: Thank you. Well, yeah, if you want to find out more about Concentric, the website is concentric.io. In terms of products for this, we are introducing a new suite of digital services in the new year. Particularly in cybersecurity and network security, which I think would be ideal for influencer community. We're very interested in that. So obviously, all other security things we do. I mean, we're a full-service security company, but we're very focused on getting more involved with the influence community and gaming community right now, because we think there's a need there that hasn’t been met. So, we have some deep experience in it, both on the cybersecurity side, and on the information warfare side, if you will.

So, we’re about to mesh these two things together. I think that's certainly my focus, and the rest of the company will continue to do its great work around security, delivery and tax for delivery and all that. But being the guy that helps promote the new stuff, I think is getting into that space will be tremendous.

[00:42:55] CS: Personally speaking, if our listeners want to learn more about Roderick Jones, do you have a Twitter account or a LinkedIn or anything you want to send them to?

[00:43:03] RJ: I have LinkedIn. You just type Roderick Jones at LinkedIn, it's not disguised in any way. So, I'm there. Always open to messages in that space. But I don't do any of the other social stuff too much. I have, like a 2006 Twitter account, which would be like four posts because I got one of the original ones. Once a year, just a long form posting of Twitter, but getting exciting for a while.

[00:43:32] CS: Makes sense. Okay. Well, Roderick, thank you for joining me today. And for all your insights. This was this was really enlightening. I appreciate it.

[00:43:37] RJ: Thank you, Chris.

[00:43:39] CS: As always, I'd like to thank you to everyone listening to and supporting the show. New episodes of the Cyber Work podcast are available every Monday at 1 PM Central both on video at our YouTube page, and on audio wherever find podcasts are downloaded.

I'm also excited to announce that our Infosec skills platform will be releasing a new challenge every month with three hands on labs to put your cyber skills to the test. Each month you'll build new skill ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we're giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.

Thank you once again to Roderick Jones and Concentric, and thank you all so much for watching and listening. We'll speak to you next week.

How does your salary stack up?

Ever wonder how much a career in cybersecurity pays? We crunched the numbers for the most popular roles and certifications. Download the 2024 Cybersecurity Salary Guide to learn more.

placeholder

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

placeholder

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.

placeholder

Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.