
Tiberius Hefflin - De Falsis Deis: Social Contracts

BSides PDX · 2018 · 16:27 · Published 2018-03
About this talk
Tiberius Hefflin (@whatatiberius). Social engineering: it's a little more common and complicated than you might think. Wherever people live and work together, a social contract is formed. First theorized by Socrates and further expanded by Tom Hobbes, John Locke and Jean-Jacques Rousseau, this system is so fundamental that most people take part in it unwittingly. Social hackers can use this to their advantage, and by breaking the social contract, we are all left vulnerable to attack. In this talk I will discuss how social contracts develop and how hackers use this natural human behavior against their targets. Tibbs recently graduated from the University of the West of Scotland with a degree in computer security. She has relocated to Portland, OR, where she evangelizes for privacy and security while contracting as a Security Evaluation Engineer at Intel. She is passionate about encouraging small children to take the plunge into STEM and about laughing at cats on the internet.
Transcript [en]

Hi, I'm Tibbs, and this is how I imagine myself in monster form when I'm on stage, to avoid any kind of nerves. So if you would like to also imagine me as a monster, go ahead; it makes us all much more comfortable. Currently I work with a large blue-chip company doing security assessments of open source projects, based here in Oregon. At 24 I left a career to attend university for the first time, to study computer science, sorry, computer security, forensics and ethical hacking. The career that I left was in the HR industry, and perhaps because of that, social engineering is a particular point of fascination for me. Oddly, I use the skills that I

learned in HR more in this job than I did in that one. Also, I love Supernatural. Being as it's near Halloween and mildly thematic, this whole talk will be full of Supernatural pictures. Some of you might not be fans, and that's okay, we all have our flaws, but I ask that you indulge me on this because it's mildly relevant. This picture isn't showing, and the show is full of great social engineering examples, so try watching it just for that. Also, what this guy says. And my slides are not going... there we go. So the answer might seem obvious, but I want you all to just take a moment to ask yourself: if you distill social

engineering down to its most basic form, what is it? Now, I know what you're thinking, but being a convincing liar is only one part of the process. There's a lot more to social engineering than simple lies. When you get really under the hood, social engineers search for the weak points in the fabric of societal norms to exploit people in that society, and to be truly successful at this it takes at least cursory knowledge of a number of disciplines, like philosophy, psychology, sociology, anthropology, body language, even sales and marketing, each of which you could dedicate a lifetime of study to and still only understand a small part of. I'm not advocating that you go out and

spend the rest of your life trying to master these, because it would be impossible to do it all, but it's important to understand at least a little bit about them. The question that I get a lot is: where do you start? Where do you dig in? Normally I would say start with what interests you the most, start with what you think you want to learn, and go from there. But since we're all here and I have this talk on social contracts, let's start with that. In 399 BC, going back just a little ways, Socrates was put on trial for two things: moral corruption and impiety. The trial itself is really

interesting, and I would advocate that you all read about it, but the outcome is what's important here, and the outcome was that Socrates was convicted and sentenced to death by hemlock poison. Plato, who was a student of Socrates at the time, records that Socrates had both the opportunity and the means to escape his sentence. However, despite encouragement from his friends and his students, Socrates chose to stay and to die. He refused to leave because it would mean leaving what he saw as his legal responsibility to Athens. He believed that, having lived there, he had voluntarily subjected himself to this possibility, and to run away would be to break the social contract that he had made with the state and its

people. Now, the story is really interesting, but it leaves us with a question. We're aware of explicit contracts: employment contracts, loan agreements, marriage. These are contracts that we knowingly negotiate and enter, some better than others. In contrast, social contracts provide a framework for how society and governments work. In Socrates' own words, they're an agreement between the people of a society to abide by its laws and accept its punishments. Now, many philosophers throughout history have expanded Socrates' social contract theory. Socrates, Hobbes, Locke and Rousseau, if you'd put them in the same room, may have all argued on the semantics, but they all agreed that we who live in a society implicitly, and sometimes

unknowingly, agree to, enact and expect the completion of these social contracts. When they were developing these theories, morality and politics were thought to be interlinked, and to some extent they still are: rulers were there to govern fairly, and the people were there to help the society in which they lived. Social contracts are not just an agreement between a people and their government, though; they're also an agreement of all the people within a society, i.e. with each other. So they also form the unspoken rules that govern polite society and maintain civility in the absence of the direct application of law. Often born of religious beliefs and morals, these rules are the glue by which society is

held together. Often we think of them as doing what is polite, or maybe what is the right thing, such as tipping your waitstaff, or holding the door open for someone who has their hands full, or not standing too close to somebody at the ATM. Psychology couches the subject in the concept of moral development. Moral development is the stages of moral reasoning that people go through as we turn from children into adults. This looks at how people justify their behaviors, rather than a ranking of how moral someone's behavior is. Now, these stages are grouped into three levels, and the stages of development can't be skipped: you have to start the process and move through each of them to get to

the next. So levels one and two are the preconventional stages, and these are normally seen in children. Levels three and four are the conventional stages; these are normally seen in adolescents and adults. And levels five and six, at the top, are the post-conventional stages. These are marked by a growing understanding that individuals are separate from the society they are a part of, and people at this stage of development view rules as being useful but changeable. So we're talking about something here that's really intuitive to humanity. As humanity actually evolved out of the primordial muck, our brains developed to foster and indulge social behavior, but most people don't ever examine the workings of their society in the ways that we're talking

about here. But social engineers should. Along with subterfuge, social engineers need to have the tools to understand the society and the culture of the target that they're trying to manipulate. We understand the social contracts that underlie our own society because we're part of them, so we just grow up knowing these things. But what about other societies? I mean, when I moved from Scotland to America, I immediately noticed differences. In Scotland all socialization revolves around the pub and having a pint, everything. People go to the pub at lunch during the work week, people go to the pub after work to socialize with their co-workers and their friends. Everything

is done in a pub. But even with a huge beer culture in places like Portland, this is just not how things work here in America. Also, British people love a really good queue, and there are strict unspoken rules surrounding the practice; it's really elaborate. I was simply unprepared for the chaos that is lining up in America. And here I still find it curious that a lot of guys wait for women to go through a door before following them through. We just don't do that in Scotland at all. Now, I could go on for probably hours, if I had a pint in my hand, about the differences between Scotland and America, and these are two fairly similar

cultures. I mean, we share a language, in theory, and the history to some degree; I mean, we both really like fried food. So can you imagine trying to carry out a social engineering attempt in a country that had vastly different social contracts? I mean, what would it be like to try and do a social engineering attempt in China or Russia, where things are very different than they are here or in Scotland? Research is really important, not just of your target themselves but of the culture in which they live. How do social contracts work in an environment where people are coming from different languages and societies, where the people interacting don't all know the same

unspoken rules, like the internet? Unless someone explicitly creates and enforces rules, it's chaos. As I said, like the internet: it's a hodgepodge, and everyone kind of just does what they want to do, unless they want to be part of a community, in which case they have to follow those community-set rules. Small groups form rules for their own websites or message boards or spaces, but the Internet at large is lawless, and a lack of physical space makes it a lot easier for people to behave in ways that they wouldn't in real life, like trolling or doxing. Social engineering relies on subverting the social contracts of a given society, and it works because

social engineers exploit known weaknesses within those contracts to encourage people to fulfill their side of the contract even when it's against their best interests. We all know phishing attacks; I mean, if you don't, you're probably in the right place to learn. Honestly, they're probably the most prominent and common example of social engineering that we currently have. It's so common because it works, because the creators of the technology used to carry out phishing attacks did not consider how people might subvert that technology and use it against the users they were trying to help and enable. How different would email look if it was built now, knowing what we know? How different would texting look? These are the things that we need to

think about. I know of a company here in Portland who a couple of years back actually got hit really badly by a social engineer. He probably didn't know that's what he was doing; he probably just thought he was a scammer. But he came into the building, talked to reception and convinced reception that he was a workman who was supposed to be there doing legitimate building work, but that he'd lost his temporary pass, and oh man, this was the second time, and if his boss found out, oh, he was gonna lose his job. And so the person on reception, wanting to be helpful and friendly, gave him a new temporary pass and said, just, you know, bring the old one back when you

find it. Well, it turns out the guy wasn't a workman, he was just someone chancing their arm, and he got in, and over the course of a weekend he stole several hundred, I'm sorry, several tens of thousands of dollars' worth of hardware and equipment, and that's not counting the intellectual property that was on the hard drives of that equipment. So social engineering is this weird situation where people get people to act against their own interests without realizing it. Another example of social engineering on a grand scale that we're facing right now is fake news. In theory, organizations who report news should be neutral and report just the facts. Over the last decade, or few decades

really, this has developed into providing selective truths, adding a bias to stories reported, or choosing not to report stories that don't support a chosen narrative, and in the last few years this has progressed to reporting outright fabrications as news. These stories are picked up and spread and become kind of this consensus news that everybody just knows. Have you ever found one of those news stories where, when you try and follow the trail of where it came from, it just kind of circulates back around in this weird circle from website to website, back to the original website that you found it on? And when these stories are repeated by people in positions of power, they lend the stories

credence and gravitas. The truthiness of these stories is not the point, however. News outlets have always purported to tell the news as it happens. They're twisting or breaking the social contracts that are expected, and that have historically caused people to trust them, and the purpose behind this, as with any other social engineering attempt, is to get people to act in a way that they maybe normally wouldn't. So, to recap: social contracts underlie all societies. Without them, societies would collapse; we would have chaos and anarchy, which might be interesting for a short while. But still we have people who routinely subvert these unwritten rules for their own benefit. So what

does this mean for us as security professionals and developers of technology? Being aware of and understanding the oddities of human behavior gives us a tremendous opportunity: an opportunity to do what we are uniquely qualified to do, to look at new technologies and how people should interact with them, and then find the vulnerabilities in how people might interact with them, to find the ways that people can exploit the technologies, and not just technically but socially as well. We also have an opportunity to highlight these discoveries to the creators, the curators and the users. So my call to action to you, if you're still listening, is: break stuff. But don't just break it technically; look at how you can break it

socially. Talk about it. Work with creators to find better ways to facilitate people to interact with emerging technology, and plug the social gaps, and make the world a better place. Also, watch more Supernatural. So, you have all been very quiet and very attentive, and I really appreciate that. I'd like to thank you for being a great audience, and I'd like to thank BSides for having me today. Do you, like Dean, have any questions? Great, well, thank you very much, and if you come up with something, I'll be outside.
