
1971 Social Engineering Attack - robin_reala
https://www.schneier.com/blog/archives/2014/02/1971_social_eng.html
======
ljd
I was reading Social Engineering: The Art of Human Hacking [0] a few years ago
and it was really fascinating to see how easy it is to get the user to give us
data versus unlocking an AES256 encrypted value on a computer I'm not allowed
to touch.

Since I do a lot of work in PCI (Ecommerce / Orders / Credit Cards), I've
learned that the most secure systems never allow the human user to access
decrypted data, that things like tokenization work, and that it's far better
to give an abstraction of a credit card for tech support and developers to
work with than the actual card, even though on the surface it seems like it's
not a big deal.

If you are designing a system and at any point think, "This data is okay for
the user to access because they can't (share/steal/walk out of the building
with) it," you should seriously read the book I mentioned above. It really is
impossible for you to imagine all of the very logical scenarios that would
lead a janitor to keep a door unlocked. In fact, I can already think of a
handful of reasons why, if I were a janitor, I would keep that door unlocked
because of a sticky note.

[0] [http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539](http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539)
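The design ljd describes, where support staff and developers only ever handle a token or a masked number and the real card number stays in a vault that only the payment-processing role can read, as an added Python sketch (not code from the thread or the book; the in-memory dict stands in for an encrypted vault database, and the role names are assumptions):

```python
"""Tokenization vault sketch (added example, not from the thread).

Humans and downstream systems only ever see a random token or a masked
PAN; the real card number lives in the vault and is released only to the
payment-processor role. Standard library only; the dict below stands in
for an encrypted vault database (assumption for the demo)."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum so obviously bad input never enters the vault."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, processor-only

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)       # drop spaces and dashes
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        # Random token: nothing about the PAN can be recovered from it,
        # so a leaked token (log line, ticket, screenshot) is worthless.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def masked(self, token: str) -> str:
        """What tech support and developers get: last four digits only."""
        pan = self._vault[token]
        return "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str, role: str) -> str:
        """Only the payment-processor role may see the full PAN."""
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._vault[token]
```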

~~~
robin_reala
Relevant XKCD: [http://xkcd.com/538/](http://xkcd.com/538/)

~~~
gweinberg
I always thought that one was kind of stupid. Encrypting laptop data protects
you if your laptop is lost or stolen. If people are willing to kidnap and
torture you for your data, you have bigger problems than the fact that they
probably will get it.

This comic is much more relevant: [http://www.smbc-comics.com/index.php?db=comics&id=2526](http://www.smbc-comics.com/index.php?db=comics&id=2526)

------
officemonkey
And that's why Social Engineering Attacks work. The request seems so
reasonable, people don't even think about the consequences.

------
giantrobothead
Robert Anton Wilson and Robert Shea wrote a character into their Illuminatus!
trilogy who employed a very similar strategy. He would leave cryptic messages
and commands strewn about various businesses and locations (such as "no
spitting"), some with The Mgmt. appended to them. They were so blandly
authoritative that the rest of the characters blithely obeyed them without
question. Social Engineering hacks keep working for a reason, hey?

------
cellover
Simple and elegant. This is art.

------
mathattack
Fantastic story. This thought process can be applied to so many different
things.

