エピソード

  • Won't Fix Episode 10: With Lindsay Kaye & Will Herbig of HUMAN Security
    2026/07/17

    On July 7, 2026, HUMAN’s Satori team exposed NewsJunkie, a massive, coordinated connected television (CTV) device-spoofing operation that generated up to two billion invalid bid requests per day, per seller.

    In this episode of Won’t Fix, we go inside the investigation with Lindsay Kaye (VP of Threat Intelligence) and Will Herbig (Senior Director of Media Research) from HUMAN Security to break down how this sophisticated fraud was uncovered.

    We then zoom out and the conversation to talk about the connected TV ecosystem in general and how AI and automation are changing the security threat landscape in general.

    Resources & Links:

    • HUMAN Security Website: https://www.humansecurity.com/
    • The Full NewsJunkie Report: https://www.humansecurity.com/learn/resources/human-disrupts-ctv-device-spoofing-newsjunkie/
    • Lindsay’s Book (Dissecting the Dark Web, No Starch Press): https://nostarch.com/dissecting-the-dark-web
    • Rob Leathern (https://www.linkedin.com/in/leathern/)

    Chapter Timestamps:

    00:00 Introduction

    1:13 Team Backgrounds and Roles at Human Security

    3:31 Understanding the News Junkie Operation Structure

    5:27 Key Anomalies That Exposed the Fraud

    8:32 Scale and Impact of Invalid Traffic

    10:14 Evolution and Persistence of the Operation

    14:15 Residential Proxies and Infrastructure Connections

    20:24 AI-Generated Fake Business Identities

    23:44 Disruption Strategies and Industry Response

    26:48 Systemic Gaps and Supply Chain Compliance Issues

    31:48 Device Attestation and Technical Solutions

    34:41 AI's Impact on the Security Landscape

    41:33 Investigation Methodology and Future Outlook

    続きを読む 一部表示
    48 分
  • Won't Fix Episode 9: With Juliet Shen, Cofounder & HOP at ROOST
    2026/07/07

    Juliet Shen is cofounder and Head of Product at ROOST (Robust Open Online Safety Tools), a nonprofit building open-source trust-and-safety infrastructure for platforms of every size. She has done anti-abuse product work at Google and Grindr, and was the first trust-and-safety product manager at Snap, where she helped launch early cross-platform efforts to combat child exploitation. ROOST's website is https://roost.tools.

    Across her career, Juliet kept running into the same maddening pattern: every trust-and-safety team, at every platform, quietly rebuilding the same rules engines, review queues, and reporting pipelines from scratch, behind closed doors, and at enormous cost. ROOST is a bet that online safety should be shared, open infrastructure rather than proprietary secret sauce, available free to any platform or site that needs it. We talk about that, and a lot more.

    Key Highlights:

    • Every tech company shouldn't have to build their trust and safety tools from scratch behind closed doors. It’s an expensive waste of time when open-source infrastructure could solve the exact same foundational problems for everyone.
    • PMs and engineers need to step up and lead in the trust and safety space. They are the ones who can actually bridge the gap and get policy, operations, engineering, and legal teams talking to each other.
    • AI is great for knocking out the easy, baseline moderation tasks. But when a situation is highly nuanced or something the AI hasn't seen in its training data, you still absolutely need human judgment.
    • As social media breaks apart into decentralized networks, a one-size-fits-all safety system won't work anymore. We need modular tools that let platforms look at who the user is, how they're behaving, and what they're posting as separate pieces of the puzzle.
    • Good moderation is often less about analyzing the post itself and more about knowing exactly who is behind the account or the app. Right now, our lack of solid identity verification is a massive blind spot for digital safety.

    Chapter Timestamps:

    00:00 Introduction

    1:34 Career Journey and the Problem of Redundant Tool Building

    5:30 The Role of Product Managers in Trust and Safety Teams

    7:34 Impact of LLMs on Trust and Safety Operations

    11:27 Focus Areas and Child Safety Priority

    12:55 The ABC Framework and Actor Trust Challenges

    16:54 Community Building and TrustCon Participation

    19:13 Signal Sharing vs Tool Sharing Philosophy

    22:43 Open Source Approach and Scaling Challenges

    23:59 Future Roadmap and Research Partnerships

    28:52 Reviewer Well-being and Mental Health Considerations

    32:00 Centralized vs Decentralized Moderation Models

    37:15 Government Role and Open Source Support

    39:52 Success Metrics and Measurement Challenges

    42:50 Standards, Testing, and Future Directions

    Resources & Links:

    Rob Leathern (https://www.linkedin.com/in/leathern/)

    Juliet Shen (https://www.linkedin.com/in/julietshen/)

    ROOST (https://roost.tools)

    続きを読む 一部表示
    46 分
  • Won't Fix Episode 8: With Dave Kleidermacher of Google
    2026/06/30

    Dave Kleidermacher is a vice president of engineering at Google, leading engineering for Android security and privacy. His scope encompasses Android and the Made-by-Google world — Pixel, Nest, Fitbit, and the Play Store.

    We talked about Android's answer to scams: smarter defenses that use AI as a shield (on-device detection that catches scams as they unfold), and a deeper structural pivot to "Actor Trust" — establishing provable, cryptographic confidence in who or what a source is rather than forever trying to detect bad things.

    Dave has been steeped in these topics for a long time so we get into a bunch of great territory, and I think you’ll really enjoy the conversation.

    Key Highlights:

    • Consumer platforms must pivot from traditional vulnerability exploitation defenses to fighting scams and fraud, which make up 99% of actual practical threats facing users today.
    • The future of mobile authentication lies in reversing security asymmetry through "actor trust" cryptographically verifying the source device rather than relying on human intuition.
    • Big Tech players like Apple and Google need to publish a transparent, accountability driven joint priority roadmap to accelerate cross-platform security for critical defenses like caller verification.
    • Mobile network operators remain a critical structural weak point in consumer safety due to privacy-invasive habits like silent third party app installations and outdated location-tracking protocols.

    Chapter Timestamps:

    00:00 Introduction and Background

    3:01 The Shift from Vulnerability Threats to Scam Prevention ‎

    6:01 Real-time Voice Spoofing Capabilities and Demonstrations ‎

    8:19 Platform Defense Strategies and the Whack-a-Mole Problem ‎

    11:00 Actor Trust and Cryptographic Verification Approach ‎

    15:37 Google's Security Key Success and Developer Ecosystem Verification ‎

    17:35 RCS Standards and Industry Collaboration Challenges ‎

    27:19 Business Caller Verification and Stir Shaken Limitations ‎

    31:59 Privacy-Security Balance and Binary Transparency ‎

    41:30 Consumer Role and Stakeholder Responsibilities ‎

    43:27 Future AI Landscape and Industry Recommendations ‎

    49:47 Advertising Technology and Platform Accountability ‎

    Resources & Links:

    Rob Leathern (https://www.linkedin.com/in/leathern/)

    Dave Kleidermacher (https://www.linkedin.com/in/davekleidermacher/)

    続きを読む 一部表示
    54 分
  • Won’t Fix Episode 7: With Jeremy Philip Galen of Charlemagne Labs
    2026/06/19

    My guest today is Jeremy Galen, founder of Charlemagne Labs. Jeremy spent twelve years at Meta working in privacy, safety, and security — most recently five years as a product manager in trust and safety, focused on machine-learning content enforcement, account access, impersonation, and plagiarism.

    He left to start Charlemagne Labs, a New York startup building what he calls a "digital bodyguard" — an on-device AI assistant, Agent Charley, that steps in before a worker clicks a dangerous link or pastes sensitive data into a chatbot.

    The company's research recently landed in Meta's safety report for its frontier model, Muse Spark, where Charlemagne's benchmark measured how capable leading AI models are at multi-turn social engineering. His core argument is that the old "think before you click" model of security is broken, and that risky digital behavior should be treated less like a moral failure and more like a public-health and system-design problem.

    Learn more about Jeremy and the company at https://charlemagnelabs.ai/

    Listeners who sign up for the Pro plan can get 6 months for free if they use the promo code ROB2026.

    Key Highlights:

    • Selling consumer security software is a non-viable market because consumers buy what they want, while businesses buy what they need.
    • The open internet operates as an active battlefield where users face direct threat vectors from sophisticated foreign adversaries.
    • Falling for social engineering scams is entirely situational, rather than a reflection of an individual's intelligence.
    • Real-time, automated AI interventions are far more effective at enforcing digital hygiene than relying on static digital literacy training.
    • Over 90% of modern cybersecurity incidents originate from human risk vectors where an individual is directly targeted or manipulated.

    Chapter Timestamps:

    00:00 Introduction and Guest Background

    1:02 Career Transition and Startup Journey

    2:33 Consumer vs. Business Security Market Analysis

    3:56 Personal Motivation and Scam Prevalence

    5:09 Social Engineering Sophistication and Victim Blaming

    8:01 Big Tech vs. Startup Challenges

    13:59 Fundraising Reality and Survivor Bias

    18:05 Digital Hygiene and AI-Powered Protection

    22:06 Privacy-First Architecture and Local Models

    28:18 Democratizing Security and Luxury Concerns

    31:59 Meta Collaboration and Industry Standards

    35:16 Founder Advice and Problem Selection

    38:08 Company Information and Target Market

    Resources & Links:

    Rob Leathern (https://www.linkedin.com/in/leathern/)

    続きを読む 一部表示
    40 分
  • Won't Fix Episode 6: With Tate Jarrow, Founder & CEO of Rebound
    2026/06/05

    Tate Jarrow is the Founder and CEO of Rebound (https://trustrebound.com), a consumer anti-scam company. Before founding Rebound, Tate was an Army infantry officer and Airborne Ranger, and then a Special Agent at the U.S. Secret Service.

    At Google, he helped start a company called Beacon through the Area 120 incubator, which was then acquired into Google One.

    Key Highlights:

    • What Rebound is building: "Antivirus but for scams" — software that sits on a user's device across macOS, Windows, iOS, and Android, sees what the user sees, and alerts when it detects an inbound scam. Currently in alpha, heading into paid beta within the month, with general availability targeted for summer.
    • Why now: Normal people have zero real defense against scams. Law enforcement don't have resources for individual cases, and platforms are hard to reach for recovery. Existing consumer cybersecurity is rooted in 20-year-old problems (antivirus, credit monitoring) and isn't built for AI-powered, personalized, scaled attacks.
    • “You can't arrest your way out of cybercrime”: Cyber criminals run transnational organizations as businesses with P&Ls, so the real lever is changing the economics.
    • Google: Tate started in legal/investigations chasing cybercrime actors on Google platforms, got frustrated by the gap between business incentive and what could actually be done. Two of his Area 120 teammates are now on the Rebound team.
    • Scam overconfidence: Tate shares that a GASA study found the #1 predictor of being scammed is confidence that you can spot one — overconfidence is the actual risk factor. Every demographic gets hit.
    • Regulation and data: US regulation is 20 years behind. The real risk now is social engineering powered by leaked addresses, phones, emails, and contacts. He wants companies held accountable for the social engineering risk they create, not just PII in the narrow legacy sense.
    • "Caring guardians": People in tech are the de facto security help desk for their parents, friends, and families. Rebound is building features so a tech-savvy family member can have visibility into risk across the people they care about — plus in-app trust verification (one-click identity check) for the "is this actually my friend messaging me?" problem.

    Chapter Timestamps:

    00:00 Introduction and Background

    1:26 Rebound's Mission and Product Overview

    3:39 Technical Implementation and Current Status

    4:45 Motivation Behind Consumer Protection Focus

    7:45 Google Journey and Area 120 Experience

    14:59 Law Enforcement Perspective on Cybercrime

    18:30 Evolution of Cybercriminal Organizations

    21:07 Current State of Consumer Protection

    30:04 Regulatory Environment and Government Role

    37:25 Community Protection and Cross-Platform Challenges

    43:00 Product Vision and Future Plans

    Resources & Links:

    Rebound (https://trustrebound.com)

    Tate Jarrow (https://www.linkedin.com/in/tatejarrow/)

    Rob Leathern (https://www.linkedin.com/in/leathern/)

    続きを読む 一部表示
    48 分
  • Won't Fix Episode 5: With Platformocracy's Jonathan Bellack
    2026/05/22

    Jonathan spent thirty years inside the machine — product leadership at DoubleClick, executive roles at Google, and a founding role at Harvard's Applied Social Media Lab. A year ago, Jonathan started writing Platformocracy, a newsletter with a simple, uncomfortable thesis: tech companies didn't set out to govern us, but they do now. Billions of people are subject to rules they didn't vote for, enforced by systems they can't see, with no meaningful right of appeal — built, in many cases, by people who genuinely wanted to do the right thing.

    We talk about how that happened, what it looks like from the inside, and the question that may define the next five years: what happens when AI floods every platform with infinite synthetic content, and the only thing standing between us and the noise is an algorithm the noise was engineered to exploit?

    Key Episode Takeaways:

    • The Governance Illusion: Tech platforms have evolved into unelected global governments that impose top-down rules on billions of users who have zero democratic input or meaningful right of appeal.
    • The Category Mistake: Treating platforms strictly as private businesses that can refuse service ignores the reality that they host deeply rooted human communities where "exiting" the platform means abandoning essential real-world relationships.
    • Decomposing Social Media: Effective regulation requires breaking "social media" down into three distinct product categories—media consumption, community networking, and creator relationships—because a blanket approach fails to address the unique harms of each.
    • Shifting the Regulatory Burden: Instead of forcing mass identity verification, regulators should require platforms to accept enhanced safety obligations and standardized parental controls if they choose to profit from serving children.
    • Inverted Safety Baselines: Unlike heavily regulated sectors like automotive or food hospitality, tech platforms operate on a model where they maximize user safety only up to the point that it threatens their profit margins.

    Episode Highlights:

    00:00 Introduction

    1:43 The Challenge of Corporate vs. Community Framing

    2:54 The Evolution from Community Management to Corporate Governance

    20:48 Age Verification Concerns and Technical Challenges

    24:47 Historical Context and Generational Perspectives

    27:46 AI, Anonymous Accounts, and Platform Integrity

    37:19 AI's Potential for Improved Parental Controls

    42:40 Regulatory Approaches: Enhanced Obligations for Serving Children

    45:18 Profit vs. Safety Standards in Tech Industry

    50:43 Procedural vs. Substantive Law in Platform Governance

    Links:

    Read Jonathan's newsletter: https://www.platformocracy.com

    Jonathan Bellack

    Rob Leathern

    続きを読む 一部表示
    54 分
  • Won't Fix Episode 4: With Indicator's Craig Silverman
    2026/05/01

    Craig Silverman is an award-winning journalist who has spent more than 15 years researching and reporting on the manipulation of our information environment. He is currently the co-founder of Indicator, a media outlet dedicated to exposing digital deception and teaching digital investigative and OSINT (open-source intelligence) techniques.

    Prior to launching Indicator, Craig was a national reporter at ProPublica, where he focused on investigating digital platforms and online manipulation. Before that, he served as the media editor for BuzzFeed News, where he pioneered innovative approaches to exposing digital disinformation and media manipulation.

    Key Episode Takeaways:

    • The Industrialization of Deception: Digital manipulation has shifted from lone actors into a massive, industry backed by venture capital and brutal supply chains, including Southeast Asian "scam compounds" that merge human trafficking with high-tech fraud.
    • The "Manufactured Organic" Loophole: Brands are now using "clipping" and industrial-scale UGC campaigns to generate billions of views through paid creator networks that mimic authentic posts.
    • An Incentive to Cheat: The current digital economy creates a "race to the bottom" where deceptive or violative content often sees higher engagement and lower costs than honest ads.
    • Ad Revenue Cannibalization: By failing to police undisclosed marketing, social platforms are letting a shadow ad economy thrive that actively drains budgets away from their own official, trackable ad businesses.
    • Deterrence Through Public Examples: Instead of trying to automate everything, platforms could flip the script by making high-profile, public examples of agencies that openly brag about their deceptive tactics on social media.

    Episode Highlights:

    00:00 Introduction and Background of Craig Silverman

    01:21 Early Collaboration and Scam Evolution

    04:27 Indicator Media's Mission and Approach

    08:29 Undisclosed Marketing and UGC Campaigns

    13:21 Scale and Enforcement Challenges

    20:51 Platform Cannibalization and Business Impact

    28:29 AI Labeling Audit Results

    34:15 Community-Based Detection and User Skills

    39:17 Affiliate Marketing Case Study

    46:48 Systemic Incentive Problems

    49:13 Conclusion and Resources

    Links:

    Craig Silverman

    Indicator

    Rob Leathern

    続きを読む 一部表示
    50 分
  • Won't Fix Episode 3: With KTLYST Labs' Assaf Kipnis
    2026/04/24

    Assaf Kipnis spent years hunting financially motivated bad actors on Meta's e-crime team and in Google's Ads Trust & Safety org.

    He now runs KTLYST Labs, where he's building the threat intelligence tooling he always wished existed inside big platforms. We get into the practical realities of scam fighting — what's actually changed in the AI era, what hasn't, and why so much of the industry's effort gets aimed at the wrong targets.

    About the guest:

    Assaf Kipnis is the founder of KTLYST Labs. Previously: Meta e-crime, Google Ads Trust & Safety, ElevenLabs, LinkedIn threat intel.

    What We Cover:

    • Why AI isn't reinventing scams — it's just adding a more convincing final layer to playbooks that have existed for years.
    • The asymmetry problem: bad actors run conferences, sell each other tools, and share playbooks on Telegram, while defenders can't share findings across teams at the same company.
    • A case study in what actually works — how changing product, policy, and operations together pushed a misinformation-for-profit ring off the platform in a week.
    • Why "accounts taken down" is a near-useless metric, and the "learned futility" it creates inside big trust & safety orgs.
    • The Swiss cheese model of abuse prevention, and why chasing a single silver-bullet solution keeps companies chasing their tail.
    • Where regulation has teeth (banking) and where it's mostly performative (social media), plus the cross-platform gap no one is addressing.
    • How AI is changing investigative work — compressing a week of open-source research into two hours — and why that makes entry-level talent pipelines a real concern.

    Episode Highlights:

    00:00 Intro

    01:06 Professional Background and Career Journey ‎

    03:47 AI's Role in Scaling Rather Than Changing Scams ‎

    07:05 Adversary Collaboration vs. Defender Silos ‎

    09:02 The Frame Rate Discovery Example ‎

    10:26 KTLYST Labs and Operationalizing Threat Intelligence ‎

    12:40 AI's Impact on Investigation Work ‎

    15:15 Career Entry Points and AI's Impact on Junior Roles ‎

    20:38 The NextTag Affiliate Program Attack ‎

    23:00 The Misinformation Campaign Investigation ‎

    27:52 The Limitations of Location-Based Solutions ‎

    30:30 The Futility of Single-Solution Thinking ‎

    33:47 The Reality of Platform Defense Goals ‎

    34:50 Government Regulation and Enforcement Challenges ‎

    40:31 The Problem with Takedown Metrics ‎

    Links:

    Assaf Kipnis

    KTLYST Labs

    Rob Leathern

    続きを読む 一部表示
    43 分