May 2nd, 2006

Roger & You

Roger & You: Basic Social Engineering for Activists

A quick introduction seems appropriate here. I first saw Roger & Me about 6 years ago. My wife had seen it in college and was all fired up for me to watch it. After I finally did, I told her that it was easily the funniest movie I’d seen in years. She was horrified.

The thing is, though, I saw a lot of that shit happen more or less directly. I grew up in the Rust Belt in the 80s, and when the steel mills and coal mines started going under, it was my friends’ dads who lost their jobs. At one point, over half the kids in my grade school class had parents who were living on unemployment checks and foodstamps, or travelling 2-3 hours to work. I remember it. It really sucked for them. When I was a high school student working at McDonalds, our assistant store manager was a guy who’d previously been a mine foreman making good money. What a kick in the nuts.

But anyway, with almost twenty years of perspective and distance tacked on, Roger and Me was pretty damned funny to watch. I remember the local paper and news stations reporting hordes of rats, and they were actually sighted a few miles from where I lived at the time.

So if you want to be the next Michael Moore and go about gadflying CEOs with your HandyCam, I say go for it! Hopefully the piece that follows will help.

From Wikipedia:

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.

To paraphrase, it’s often easier to trick people into giving you the information you want than it is to try to crack security.

This principle is applied in a lot of different ways and in a lot of different circumstances. Hackers do it. Reporters do it. Private investigators do it. Narcs and other vice cops do it. And activists can do it too. This technique isn’t for everyone; there’s something fundamentally unwholesome and mean-spirited about it. But by the same token, it may represent your only opportunity to confront someone responsible for committing or enabling serious harm, so there might be a case when you would deem it acceptable.

(Important Disclaimer: I am also not advocating that you go out and do anything illegal, like posing as a member of law enforcement, assuming someone else’s identity or gaining unauthorized access to a computer system. If you do, and you get caught, it’s your own stupid goddamned fault. I’m not your mommy.)

That said, there may be times when it would be to your advantage to at least try to gain direct access to executives who might not want to make themselves available to the public — be it the high point of your homemade documentary exposing the local plant’s dumping of PCBs into the watershed or a simple petition for redress from a credit reporting agency that has somehow bungled your elderly neighbor’s serious complaint.

So how does one go about getting a CEO’s e-mail address, unlisted home phone number and/or mistress’s street address? There are two proven strategies - the Carrot & the Stick.

The Carrot: Select a target — someone who has the information you want about your trophy (the executive you want access to). Build the target’s trust slowly and then exploit it. This approach takes a lot more research and effort than its alternative but, if successful, gives you far greater access to your target for a longer period of time. The idea here is that if you can overcome a person’s natural distrust of strangers, you can offer them incentive to give you, Not A Stranger, the information you want. And they will do this without feeling as if they are doing anything wrong in the process.

There are a number of really underhanded ways to accomplish this, from dating your trophy’s personal assistant and sneaking a peek at her PDA, to joining the same gym as someone a few levels down the corporate ladder, to taking a part-time job at the gas station closest to a target’s home or office. The only important thing is to become Not A Stranger to someone who has the sort of information you need about your trophy. (Your mileage here will vary roughly in proportion to your ambition.)

At that point, it’s a simple matter of cooking up a plausible excuse and asking for help. If you’ve done your job and become Not A Stranger, your target will want to help you. Then you just have to do the deed and live with yourself afterwards (you rotten bastard).

The alternative is…

The Stick: Establish an assumed authority, confuse your target and quickly bully information from them. This technique requires that you fill your target with a sense of urgency sufficient to break down their tendency to distrust you. In order for this to work, it has to inspire immediacy and the implied alternative to not giving you the information has to be more painful than the potential repercussions of helping you. It helps here if you can catch your target in a position where they’re out of direct contact with your trophy. Executives tend to travel a lot, and their scheduled appearences may be public record.

Use this to your advantage. Be curt and talk fast.

“This is Justine with (fictional office) at the Pittsburgh Airport. I need for someone to verify Fred Brown’s Ohio driver’s license information. There’s some confusion here and he’s going to miss his connecting flight if I can’t get an answer right now. No, I cannot hold. Yes sir, I have her on the phone, but there’s some problem. Yes sir, I told her it’s urgent. He’s headed to the terminal now but I need an answer or they aren’t going to let him through. Yes sir, I’ll call ahead for you” This conversation should take place on a pay phone with recorded ambient sound from an airport playing at an obnoxious volume in the background. You get the idea.

Good luck and happy hunting. Be sure to send me tickets to the premiere of your film at Sundance. ;)

Click these buttons to share this story:These icons link to social bookmarking sites where readers can share and discover new web pages.
  • del.icio.us
  • digg
  • Fark
  • NewsVine
  • Reddit
  • TailRank
  • YahooMyWeb

Posted in Miscellaneous, DailyFeatured, Help/FAQ





There are no comments yet

Be the first to enter your response using the form below!


Leave a Reply

Note: if you are typing html tags into the comment area manually (i.e. not using the editor) please use the "toggle html source" option above.


Used Mitsubishi Galant
Chevy Avalanche For Sale
Used Infiniti FX35
Walleye Fishing
Paydayloans









Fish.Travel