How Files and Search Engines Quietly Leak Secrets

Lachlan Reed

[warmly] Welcome to the show. I’m Lachlan Reed, here with Simon Carver and Jack Burns, and I wanna start with something tiny: a boring little PDF. Not a spy movie, not some flashy breach -- just a file someone exports, emails around, maybe uploads to a website before lunch. And that one file can quietly tell you who made it, what department touched it, what software version they used, and sometimes even the folder it came from. It’s like finding a muddy boot print in the shed and realizing, ah... someone’s been poking around, mate.

Simon Carver

[curious] I love that you started with a PDF because it feels so harmless. It’s the digital equivalent of a plain manila envelope. You look at it and think, well, the message is the message. But what you’re saying is the envelope is talking too.

Jack Burns

[calm] That’s exactly right. Most people think a file is only the visible layer: the text, the image, the formatting. But files usually contain metadata -- hidden information about the file itself. In a document or PDF, that can include the creator’s name, the software used, the version number, timestamps, and, in some cases, the internal file path where it lived before it was exported.

Lachlan Reed

[questioning tone] That file path bit is the one that gets me. Because a path like C:/HR/Leadership/Confidential/SurveyResults/Final.pdf -- that’s not just computer gibberish. That’s practically a map with a little red X on it.

Jack Burns

[matter-of-fact] Precisely. That single string reveals several things at once. It suggests the department -- HR. It suggests seniority or ownership -- Leadership. It suggests sensitivity -- Confidential. And it exposes internal naming conventions. To an investigator, or to an attacker, that is not trivia. It is structure. It tells you how the organization thinks about itself.

Simon Carver

[reflective] Wait -- “Leadership” and “Confidential” in the same path... that’s the part I can’t shake. Because no one had to break in. No password was cracked. The company just... described itself by accident.

Jack Burns

Exactly. And that distinction matters. We are not talking about hacking. We are talking about exposure. Observation without intrusion. The uncomfortable truth is that a great deal of sensitive information is self-published by ordinary workflow.

Lachlan Reed

[chuckles] So the internet’s not always a burglar. Sometimes it’s just that mate at the barbecue who notices your garage door’s been open all day and can see the tools from the street.

Simon Carver

And there’s something unsettling about that because breaches come with drama. You get the movie trailer. But this? No alert, no siren, no “your account has been compromised” email. Just a slow reconstruction of your life, or a company, from crumbs.

Jack Burns

[softly] Yes. A photograph can carry traces. A document can carry authorship. A file can reveal the software environment around it. People imagine secrecy as a locked room. In reality, much of modern exposure happens through side channels -- details that were never meant to be part of the message, yet travel with it anyway.

Lachlan Reed

And that’s why this one matters for normal people too, hey. It’s not only giant companies with secret projects. It’s resumes, invoices, school forms, property photos, holiday snaps. You think you’re sharing one thing, but you’re towing a trailer full of extras behind it. Even a kangaroo could trip over that.

Simon Carver

[warmly] So if someone listening has ever thought, “I’m not interesting enough to target,” maybe that’s the wrong lens. The issue isn’t whether you’re interesting. It’s whether the pieces you leave behind are useful.

Jack Burns

That is the correct lens. Useful fragments are often more valuable than dramatic secrets.

Lachlan Reed

[curious] Jack, let’s go one layer deeper, because this is where it starts feeling less like loose change under the couch and more like the whole floor plan. You’ve talked before about the internet’s public back rooms -- places built for transparency that end up leaking strategy. What’s the cleanest example?

Jack Burns

Certificate Transparency logs. Every legitimate secure website needs an SSL certificate. And those certificates are publicly logged. The intention is sound: transparency, accountability, trust. But the side effect is exposure. If a company creates a subdomain like icarus-test.company.com for an internal project, the moment the certificate is issued, that name can appear in public logs.

Simon Carver

[leans in] “icarus-test.company.com” is so specific it almost feels fictional, but that’s the point, isn’t it? A name like “Icarus” isn’t random. It hints at a project, a product, maybe a launch that hasn’t been announced.

Jack Burns

Correct. And anyone watching those logs can see it. No insider. No breach. No exploit. Merely visibility. The enterprise often exposes its roadmap simply by preparing infrastructure for it.

Lachlan Reed

[deadpan] So the strategy leaks itself just by turning up to work. Brutal.

Simon Carver

It reminds me of that feeling when you overhear one oddly specific phrase in a cafe -- not the whole conversation, just enough to know a merger or a breakup is happening. The fragment does the damage.

Jack Burns

That is a useful analogy. Small signals, correctly interpreted, are enough.

Lachlan Reed

And then there’s “Google dorking,” which, I’ll be honest, sounds like a term invented by a bloke in a server room eating cold pizza at 2 a.m.

Jack Burns

[slight chuckle] The name is unfortunate. The method is not exotic. It is disciplined searching using advanced operators to find material that search engines have already indexed. Configuration files. Backup files. Environment files. Sometimes those exposed files contain API keys, database credentials, or internal endpoints.

Simon Carver

Wait -- “environment files” and “API keys” being searchable... that’s the piece that lands for me. The search engine isn’t breaking a window. It’s cataloging what was left on the front lawn.

Jack Burns

Exactly. Search engines do not ask why something is public. They simply index it.

Lachlan Reed

[reflective] I had a little version of this years ago -- nothing dramatic, thank heavens. I searched my own old username out of curiosity and found bits of me scattered everywhere: an old forum profile, a forgotten comment, some crusty account I’d made for a tool I barely remembered. No secrets, but enough to sketch a timeline. It felt like finding old bike parts in the shed and realizing, huh, someone could rebuild the whole machine from this mess.

Simon Carver

That’s such a good image. Not one giant reveal -- a timeline. And timelines are intimate. They show habits, interests, seasons of your life.

Jack Burns

And organizations make the same mistake at scale. They assume obscurity is protection. It is not. If something is public, it should be treated as discoverable. The internet defaults toward memory, not forgetfulness.

Lachlan Reed

So when people say, “Well, nobody would think to look there,” that’s not security. That’s wishful thinking in a cheap suit.

Jack Burns

[firm] Precisely. Hidden is not the same as inaccessible. Unnoticed is not the same as secure.

Simon Carver

And that’s where this turns from technical to human. Because the problem isn’t only systems. It’s assumptions. We keep confusing “I didn’t mean to publish that” with “nobody can see it.”

Simon Carver

[warmly] And now comes the multiplier, because loose fragments were one thing when a person had to manually piece them together. AI changes the tempo. Jack, when you say AI connects dots, what does that actually look like in plain English?

Jack Burns

[calm] It means fragments become models. Take a vacation photo -- a sunset, seemingly harmless. AI can analyze reflections in surfaces, compare skylines to known city models, cross-reference timestamps with weather patterns, then align those clues with public events or flight data. The result can be location inference with unsettling precision.

Lachlan Reed

[skeptical] So the sunset isn’t the issue. It’s the reflection in the sunglasses, the weather on that day, the skyline shape -- all the weird little crumbs around the edges.

Jack Burns

Yes. The image you intended to share is only one layer. AI is capable of extracting the surrounding context faster than a human analyst ever could.

Simon Carver

And “location inference” is a colder phrase than “someone figured out where you were,” but that’s what it means. A memory becomes a coordinate.

Jack Burns

That is the implication.

Lachlan Reed

Then there’s voice cloning, which honestly gives me the heebie-jeebies. Thirty seconds, right? A podcast clip, a talk, an interview?

Jack Burns

Thirty seconds can be enough to build a voice model. Then the real leverage comes from combining that synthetic voice with behavioral information: reporting lines, urgency, who responds quickly to authority, who is under pressure. The attack is not persuasive because the voice sounds perfect. It succeeds because the context feels real.

Simon Carver

[quietly] That distinction matters. It isn’t “Can AI imitate your CEO?” It’s “Can AI imitate your CEO at 4:47 p.m. on a stressful day when everyone wants the quarter closed?” That’s psychological, not merely technical.

Jack Burns

Precisely. And it extends further. AI can model behavior: when you reply, how quickly, where you go regularly, when you are home, when you are not. Publicly shared fitness data, posting habits, and routines can make a person predictable.

Lachlan Reed

[questioning tone] So privacy isn’t just about secrets anymore. It’s about visibility. About how much of your shape is visible from the outside.

Simon Carver

I think that’s the debate, actually. Because people hear “privacy” and imagine hiding. But “visibility” is different. It’s saying: maybe I’m not hiding who I am, I just don’t want every pattern of my life modeled.

Jack Burns

I agree with that distinction. In the modern environment, the objective is not disappearance. It is reducing unnecessary visibility. And there are practical ways to do that: strip metadata from files before sharing them, be intentional about what appears in the background of photos, separate identities across platforms where appropriate, and periodically search for yourself to see what is exposed.

Lachlan Reed

“Search for yourself” is such a simple one. It’s like walking around your own house from the street at night to see what’s lit up. You don’t need to panic. You just need to know what’s glowing.

Simon Carver

And the writing piece gets me too -- the linguistic fingerprint. Sentence rhythm, favorite words, the way you structure a thought. Even if you never used your real name, that style can connect accounts that felt separate.

Jack Burns

Anonymity is not impossible. It is simply more fragile than people assume.

Lachlan Reed

[warmly] Which is probably the right note to land on. Not fear. Not tinfoil-hat stuff. Just being a bit more deliberate before you chuck something online and call it harmless.

Simon Carver

[warmly] Thanks for spending this time with us. And thank you, genuinely, for listening and for subscribing on YouTube -- it helps more than you know.

Jack Burns

[softly] Be careful what you project. In this environment, information is not merely descriptive. It is access.

Lachlan Reed

Good on you for joining us. Take care of yourselves, take care of your data, and we’ll catch you next time. Bye.

Simon Carver

Bye, everyone.

Jack Burns

Goodbye.