
White hat social engineering: How to become an admin of a system - rsstack
https://ramon.dev/business/2020/05/11/become-an-admin.html
======
motohagiography
I see these people coming. They are motivated by power for its own sake, and
their playbook is limited.

Take heed of this post, it's how the incompetent rise.

~~~
ueu33hyrdd
It's also how the competent rise though, in #1 they not only service a need
but they identify that need on their own and in #4 they're completing tickets
that are chosen partially based on how popular their resolution will be.
What's the alternative, choose admins at random and ignore the people who have
shown the most promise for understanding and contributing to tasks related to
being an admin?

~~~
theamk
If people are only competent, they would not do #5 and #6.

If people are actually going to make an effort to kick people out to cement
their position, then it is better to restrict their access, before they do too
much damage. Getting one person who services the need is not worth it if they
kick out everyone else.

~~~
Thorentis
> If people are actually going to make an effort to kick people out to cement
> their position

If the only reason is to cement their position then sure, but there are good
reasons to limit the number of admins. The more admins, the more attack
vectors for serious social engineering, the harder change control is, the
longer meetings go for, the harder it is to make necessary change, etc. etc.

I think if somebody cares enough to become an admin and _shows they care about
the users_ then I don't mind them getting a power trip out of it. It's the
"admins" that got there because they know the boss, or because they convinced
somebody they should have access because their job-title entitles them to it
that you need to look out for.

------
RcouF1uZ4gsC
For my part, I can’t understand why someone would want to be admin. It seems
like a thankless job with a lot of stress and you are often the first in line
for blame if something bad happens whether or not it was your fault. But, I am
glad that there are people who really like being admin enough to go to a lot
of effort to become one.

~~~
TheOperator
It causes me way more stress to see bad admins fuck up so badly it causes an
impact to other employees yourself included in the department while you sit
passively by, than it is to put your hand on the wheel.

The admin panel also has more buttons and buttons are cool.

It's a petty form of power.

------
iandev
I think the article makes some good points, but I'm not sure that the
gatekeeping step (step 6) is necessary. I think if you look at all the other
steps, it fundamentally comes down to one thing:

Care enough about making things better such that others view you as valuable.

------
empath75
The most shocking thing about this is that there is someone who actually
_wants_ to be a jira admin.

~~~
varikin
It's not that someone necessarily wants to be a Jira admin, but rather, they
want to have access to make changes directly related to their job. If they are
managing a team in some way, either project manager or some other role, they
need to change how tickets are managed in Jira at some point. Maybe create new
release versions for tagging tickets, or adjusting the lifecycle rules for a
ticket. The easiest solution is to be a Jira admin. Otherwise, you need to
find some permission for this user and request it. Then the next change needs
a new permission.

I would equate this to an outdated model of Developer vs Sysadmin. The
sysadmin controls everything about the production system. They don't want to
change anything. The developer needs to release a new version, which needs a
new library, or needs an update to the OS, etc. Or they don't even know what
the production system looks like and the sysadmin won't help. So the dev wants
root access to just fix it instead of going through excessive red tape.

------
dbsmith83
Soooo you 'social engineered' yourself into a Jira admin role, but you have to
do all the work that a Jira admin has to do anyway now, and responsibly? Not a
win in my book.. It actually sounds dreadful.

------
kitotik
Another popular term for “white hat social engineering” is “office politics”.

~~~
blaser-waffle
Right? Sounds like another "how to hack growth" article that's basically just
business 101, but with buzzwords that pander to STEM types.

------
runawaybottle
You’re bragging about being manipulative?

~~~
oneiftwo
I absolutely agree with this sentiment. It's why I had difficulty reading "how
to win friends and influence people" despite how frequently and casually
lauded it is.

It's literally an instruction manual for using indirect methods of
communication and influence to get people to do what you want. It's
practically adtech for the self.

Ignoring the dangers of having charismatic power over people, I don't know
under what circumstances it is ethical to manipulate someone, and I certainly
wouldn't brag openly about it.

~~~
skybrian
It seems like the same action can be taken differently depending on intent.
For example, one of the things Dale Carnegie emphasized is the importance of
remembering people's names.

If you try to remember people's names is that manipulative? If so, why do we
apologize for forgetting people's names? If we _write down_ the names of
people we meet, is that manipulative or is it just being organized?

If you do it badly, yeah that's weird.

~~~
bladegash
Very good points! Intent can be tricky, since good intentions quite often go
badly. Defining "badly" even becomes problematic as well (badly for who - me?
them? the collective?). I think one of the problems with manipulation, is the
intent is inherently selfish (to achieve your own goals/agenda), with the
target's well being/free agency being a secondary consideration. However, it
is definitely challenging to find the line between persuasion, cultural
norms/good manners (e.g., remembering someone's name, making eye contact,
etc.), and manipulation.

------
yesenadam
That doesn't sound white hat at all. It sounds sociopathic. At least he on
some level recognizes that it "sounds like an evil plan for world domination".

~~~
runawaybottle
That was my sense, but apparently this is a troll post.

~~~
yesenadam
Hmm yes, that makes more sense! Not far enough from what I've seen written
seriously that that was apparent, though I'm no expert in the field.

On the topic of taking jokes seriously:

About 10 years ago I came across _Winning with the Bongcloud_, a mock 36 page
guide to a new killer chess opening (1. e4 e5 2. Ke2 - the worst move possible
in that position) which was about the funniest thing I'd ever read, brilliant
in every way. It uses the vague terms real opening books do, with every
example game leaving you with a "winning" position which is actually lost by
mate in 1.

[http://i.4pcdn.org/tg/1401479151063.pdf](http://i.4pcdn.org/tg/1401479151063.pdf)

I wrote the author a gushing email, saying it was a brilliant work, thanking
him for the valuable addition to opening theory etc – playing along with the
joke. The author wrote back a puzzling message explaining that it was actually
all a joke, that all the diagrams were losing, etc as if I'd taken it
seriously. I can't imagine why he thought I'd thought it had any value, if I'd
taken it seriously. (Maybe he was out-trolling me?! That didn't occur to me
until just now.)

Anyway, pleasingly, the Bongcloud is nowadays very famous. Almost every online
stream where grandmasters say they'll play openings suggested by users,
someone suggests the Bongcloud, and without fail they know what it is, and
I've seen it played several times. It gives joy like no serious opening could.

