Alia Tavakolian, The Co-Host Of The Compelling (And Somewhat Frightening) Cybersecurity Podcast Breach, Knows Well Just How Irresponsible We All Are On The Internet.
Back in August 2013, you may recall, a little website named Yahoo! had its entire database — containing the information of its three billion accounts — hacked.
Among the breached was Alia Tavakolian.
Of course, the co-founder of Dallas-based Spoke Media didn’t think much of that fact. Like millions of other hacked users, she hadn’t used her Yahoo account in a decade.
It wasn’t until the ghost of Yahoo! paid her a visit last fall in the form of an eerie voicemail — “Goodbye from Yahoo!” the voicemail said — that she started to grow concerned about the almost five-year-old hack.
Intrigued, she called the number back.
“This was an attempt to verify your identity as part of a two-factor authentication feature from any of your online accounts,” an automated recording on the other end of the line began. “If you did not request a verification code or are unsure of why you are receiving these calls, the most likely scenarios are someone other than you attempted to access your account…”
Tavakolian couldn’t believe the timing of what she was experiencing. As she was looking into this curious voicemail, she and Spoke Media — producers of the Terms podcast — were simultaneously gearing up to embark on a months-long journey to explore the Yahoo! breach, the Russian masterminds behind it and the general state of cybersecurity by way of a new Spoke podcast project called Breach that’s sponsored by cybersecurity firm Carbonite.
Along with the rest of the Spoke Media crew, Tavakolian and the award-winning cybersecurity reporter Bob Sullivan researched, recorded and produced Breach from November 2017 until March 2018. After releasing all five episodes of Breach on March 26, the production spent three weeks in the top 10 of Apple Podcasts’ technology podcast rankings.
That makes sense: Breach is a compelling listen. It forces audiences to think a lot about their digital profiles. And with its alarming music and cues straight out of USA’s Mr. Robot, the podcast is sure to remind listeners of their own past digital missteps. But that’s pretty much exactly why Tavakolian and the Spoke Media crew made the program, and why they want people to listen to it.
That’s what we discovered, anyway, when we recently caught up with Tavakolian to talk about the podcast, what it taught her about cybersecurity and what it taught her about herself.
OK, first things first, can you tell us a little about yourself and your history in Dallas?
I graduated from SMU with a theater degree. I dived straight into a day job and then my real job — my real passion — was doing theater in unconventional spaces. I co-founded Shakespeare in the Bar. I was really excited about doing theater in unconventional places and taking it out of the stuffy theaters of Dallas and making it available to everybody. By accident, I fell into the world of podcasting via Spoke Media. We started as an audio book company and then pivoted into podcasting.
Do you see podcasting as similar to theater in unconventional spaces?
I think i’m drawn to podcasting for the same reason I was drawn to unconventional theater. Podcasting is the wild wild west right now. We live in a post-S-Town and Serial world. We know what the journalists from places like WNYC and NPR can do. And I love those podcasts. But what I’m most excited about is the future of podcasting.
What do you think it is about podcasting that attracts people to it?
It’s really intimate. Unlike radio, we’re listening to a couple of people talking. Those people begin to sort of feel like our friends. I know that with one of my favorite podcast, My Favorite Murder, it feels like I’m sitting there with Karen and Georgia gabbing about murder. It’s truly unlike anything else. If you have an interest, you can probably find a podcast about it. My big thing is that we need to blow the lid off podcasting because there are still a lot of people out there who don’t know what podcasting is, and I want to change that and create more content for people that there isn’t a lot of content for.
How did the idea for Breach originate?
We all settled on the Yahoo! hack. Of course, that wasn’t the first thing I pitched. The first thing I pitched was the Ashley Madison hack because it’s, y’know, sexy and interesting. [Laughs.] But when they settled on the Yahoo! hack I thought, ‘Why would we do that? What is there to really learn? Yahoo! is dirty and old and who even cares about Yahoo!?” But when I contacted Bob Sullivan who co-hosts with me, he said, “But Alia, the Yahoo! hack is like a murder mystery.” We got into the story research and realized that this is most interesting story we can be doing right now.
It’s clear throughout the podcast that you’re learning as you go along. Is that kind of how it went?
I’ll be honest: I didn’t know jack shit about Yahoo! before I started this podcast. I didn’t know anything about hacking or any of all of this. We thought about what would happen if we juxtapose the the expert [Sullivan] and the consumer [Tavakolian]? I’m not a journalist and I had the opportunity to have opinions. I could throw my thoughts and proposals at Bob. You could hear the on-air education that was happening.
I wondered if you had any background in journalism and knew about the complications and wording issues that we get into sometimes.
I am truly in awe of hackers and journalists. I was very fortunate to work with and learn from Bob.
What was the most accusatory idea you had?
I don’t know that I make any accusatory ideas. But in Episode 4, I try to make a connection between the DNC hack and the Yahoo! hack. And I’m pretty sure that I got this. But Bob says, “No, you don’t.” [Laughs.]
What was the most important thing you learned as you delved into this still ongoing situation?
I didn’t realize how sensitive and unstable of a place the internet is. That’s something I took for granted every day that I use it. I didn’t think about how I use it. I didn’t think about the implications of my data being out in the world were. And now, for example, I went to the store at the other and the woman at the counter asked for my phone number and I said “Do you really need that?” She said no, so I said, “Then I don’t want to give it to you,” which I’ve never done before because I wasn’t aware of what that meant or where that data goes or whose hands it’s in. But now we’re all walking away from this more acutely aware.
What’s the most important lesson you would give about internet security?
There’s the silly answer: Get a password manager. That’s the easiest, cheapest thing to do. But I think my bigger piece of advice is that we’re all going to be hacked or have already been hacked. The question isn’t “What do I do not be hacked?”; the question is “What do I do now that I have been hacked or will be hacked?”
What was the most surprising thing you learned?
Learning about all of Yahoo!’s missteps and the really silly fumbled acquisitions — the things that have nothing to do with the breach — was definitely interesting. I think our “Holy shit!” moment was when Nicole Perlroth of The New York Times is talking about how [former Yahoo! CEO] Marissa Mayer called her and yelled at her for her article about the Yahoo! hack, and tried to convince her that the passwords that got out there weren’t a big deal because they were encrypted. And it’s ludicrous because of course hackers can decrypt those. As someone who isn’t of this cybersecurity world, I was baffled by how the CEO of a giant Silicon Valley company — one of the most defining companies of the internet — could sit there and try to convince a journalist of that.
I know that Marissa Mayer was of great interest to you. Tell me a bit about her and why she interested you.
She’s amazing because she’s Google employee No 20. She’s at the top of her class at Stanford. She goes into medicine first and realizes that her friends all around are studying the same thing she’s doing. She goes into a program at Stanford that’s, like, computer science and philosophy and psychology. As she’s about to finish school, she’s assessing her job offers and she’s literally calculating risk for each offer. The Google offer, which was one of the last ones to come in, had a 98 percent chance to fail. And she takes it. And now we know that Google looks the way it looks because of her. She does all these things at Google and then she decides to leave for Yahoo! and become a CEO. But everybody thought she could be this hero and revamp this place.
And speaking of Yahoo!, everybody used it.
It was most people’s entry point to the internet!
It was free and it was there when you needed it. Is that what you think is the unifying experience for people who listen to Breach?
Even more so than that, the unifying thing is that we’ve all used email. Yes, the podcast is about Yahoo!, but more than that, people think a bunch of Yahoo emails got hacked. Why does that matter? We learn that it matters because the things in your email can lead to all kinds of things — your boss’ email, your boss’ boss’ email, their calendars. It could lead to personal information or your Social Security number. If you look through my emails from the past 15 years, you’ll find all sorts of information about me. When we’re teenagers creating these accounts, we don’t create them with our data privacy in mind. We want to talk to our friends. Who knows what we said in those accounts? It’s all information of our digital profile that we don’t want getting out there. And, now, they can use it to hack your life.
Right. At the beginning of the year, I tried buying a transit pass on my phone. But the payment wouldn’t go through. I realized my card’s been cancelled. I called the bank and I ask them what’s going on. I was told someone tried to buy something in D.C. Fortunately I, already don’t have that much money going on. The thing is, I was getting emails from Chase a few days before this, but not once did I click on emails because all the emails weren’t actually from Chase. I knew it wasn’t Chase.
Isn’t that amazing? That’s another thing that really shocked me. Big companies continually have to try and prove that they are who they say they are. You and I are smart people and we’re paying attention. But wake me up at 2 a.m. when I’m bleary-eyed and I get something from USAA and I don’t take the time to read it — and I’m screwed. And that’s just so scary to me.
At this point, they’re not hacking systems. It seems like they’re hacking our humanity or, as you said, our human vulnerability. Is that accurate to say?
I think you hit the nail on the head. By the end of this process, I was seeing the issue of our data as a human rights issue because it’s so fundamentally our own. We live in the U.S. where we can’t change our Social Security numbers — I mean, you can, but it’s very fucking difficult. If we don’t have our data, then what do we have? If corporations are taking that away from us or being irresponsible with it — yet still making money off of it — that’s really scary. And that’s an issue that I hope people will begin to care about.
If someone is considering giving Breach a listen, how should they mentally prepare? Should they just admit to themselves that they’ve been vulnerable on the internet?
Buckle up! [Laughs.] But also, you have to admit to yourself that we’ve all been irresponsible on the internet and with our data. What I hope Breach does is provide everyone with a little bit of comfort in numbers, in that we’re all in this together. We’ve all made many of the same mistakes.
Is there going to be a season two?
We hope so! We don’t know yet. We’ve talked about ideas. I’m hoping there will also be some extra content about Karim Baratov, the only one of the hackers to be extradited from Canada and imprisoned in the U.S. He and I have been writing letters. The government has pushed back his sentencing dates a few times now. But he has been sending me origami and interesting tidbits that I unfortunately cannot talk about yet.
When do you think you’ll know?
I truly have no details. We put Breach together in a ridiculously short amount of time. We would like to have more time to do the next season because, as you can imagine, we basically didn’t sleep for three months. We’re all excited about the potential and we’re ready to do it again.
Apart from Breach, what else Spoke Media is working on?
I can tell you that we’re really excited about putting out a fiction podcast in the next year! That’s something we don’t have enough of right now. We have one in the works that I think is really funny and really dark, and I hope we can out that out in the next year.
Is there anything else people should know as they prepare for the Breach experience?
I like to think the story is really interesting. The music carries it through. You’re gonna have a lot of fun. Yes, you’re going to be scared. Yes, you might have some anxiety, but also, it’s a really fun story. There are characters and spies and funny banter and letters to hackers. It’s an adventure.
Head here for more information about Breach and to listen to the podcast itself.