
Hacking the Human: Social Engineering Basics

BSides Philly · 2017 · 50:05 · 41 views · Published 2017-08 · Style: Talk · Watch on YouTube ↗

About this talk
Divided into 8 segments covering the core fundamentals of Social Engineering. Starts with "the golden rule of SE", aka abusing self-interest, and moves on to wearing masks/selling fake identities and the associated dangers, storytelling to build characters and improve perceived status, Stanislavski's "method acting", OSINT via people watching, abusing the information age, perception training, using mutual vulnerability to foster closeness, and concludes with exploiting our natural processes for learning and decision making via Col. Boyd's OODA loop and Klein/Kahneman's NDM vs. Heuristics and Biases.

Speaker bio: Sys/Net admin, infosec noob/junkie, locksport enthusiast, and social engineering for funsies. Tech junkie since the days of ribbon cables, anti-static wrist guards, and running games like Tetris and Qbert from the DOS prompt. Social Engineer since before I knew the proper term, with my favorite pastime being playing "games" with people to see what I could do or get away with.

Dave Comstock (@sten0_SE)
Transcript [en]

Good to go? Okay. Hey everyone, thanks for coming to my talk today. Welcome to the second day of BSides Philly. There were some great talks yesterday; hopefully there'll be some great talks today. This is a trimmed version of a blog series I did about the subject; you can find it on steno decos do see, shameless plug. So, that said, let's get started.

So first and foremost, our world is not a meritocracy, right? It's not based on fact, merit or objective reality. Worse yet, this can actually cause something called the backfire effect, where people believe even more strongly in their opinion after you show them the truth. And this has been studied going back, you know, years, from Nietzsche to W. I. Thomas. Nietzsche said the world is knowable, but it's interpretable otherwise; it has not one meaning behind it but countless meanings. And the Thomas theorem says that if a person perceives a situation as real, then it's real in its consequences. So what these men are saying is that our perceptions have a huge effect on our actions and beliefs, regardless of the objective truth of the situation.

So here's the golden rule of social engineering: abuse self-interest. In fact, yesterday in one of the talks someone asked a question and they said, you know, how can I better motivate my managers, or my employees as a manager? And he said, well, you know, you have to find out what their interest is, and you have to use that to kind of find out what they like and, you know, push them in the right direction. So the world is often cruel and impersonal, right? I mean, it's a crazy, chaotic place, so people often seek comfort, happiness or confirmation of their own beliefs. And in fact there's a man named, uh, Warren who has a one-sentence persuasion, he calls it, and it sums up as: encourage their dreams, justify their failures, allay their fears, confirm their suspicions and throw rocks at their enemies. And when you're trying to con someone, you want to leave good vibrations with people. You don't want them to feel like they got conned, right? It's almost always a positive experience for both parties. And this has been rehashed again, you know, throughout the ages, going back to, you know, the thirty power, play to people's fantasy, and it's summed up as, you know, the truth is awfully ugly and avoided, and there's great power in conjuring romance or fantasy, to the point where people will flock to you as if you're an oasis in a desert.

And again, rehashed through the ages: Blaise Pascal. If you look at the graphic there, when you look at the six on the floor there, depending on how you're looking at it and which way you're looking at it, you can see different truths to it. So Blaise Pascal said you don't want to actually directly criticize people, and this was echoed again by Dale Carnegie in How to Win Friends and Influence People. And he said that rather than that, you want to convince them by telling them they're right. You want to say, hey look, I understand your opinion, you're absolutely right, but, you know, if you come over here to my side, you know, maybe you're just not seeing the whole picture. And it's okay; it's much more forgivable to not see the whole picture as opposed to being wrong. People are much less opposed to just not seeing everything, as opposed to being told, hey, you know, you're an idiot, you didn't see everything, right?

So going back to abusing self-interest: we all have this story we tell ourselves. We're storytellers by nature, and we all have a story where we're the protagonists of our own story, right? We all want to see ourselves succeed, we all want to see ourselves make it in the world, right? And it's such a classic question, and I hate to be a little cliché, but the classic example is Hitler, and he literally thought he was doing good. I mean, he told himself that; that was his internal story, right? And the road to hell is often paved with good intentions.

Now I actually used this once. My goal was, I was going on a backpacking trip and I wanted to take pictures of TSA checkpoints. So when you think of the story of a security guard, you know, they're typically, you know, maybe treated indifferently at best; you know, maybe they get some positive interactions, but they're mostly just a pain in the butt, right? So I took along a little stuffed animal with me and I got some pictures on my phone, and I said, you know, oh, I'm just taking this animal with me, I have a sick cousin at home who's gonna miss me, you know. So I said, would you mind just taking a picture real quick of him, like, going through the Gaynor, you know, maybe hanging out on your shoulder in there? And so when I was taking the pictures I would say, you know, oh, could you just move just a little bit to the left, and I tried getting, like, the make and model numbers within the picture of the different devices they had at the security checkpoints and all that stuff. And it was cool, because they all got that, you know, warm fuzzy positive feeling. They got that, like, genuine, oh, I'm helping someone. Not only that, but I also appealed to their ego a little bit, and I said, you know, I had pictures on my phone of the kid dressed up as a cop for Halloween, and I said, you know, he wants to be an FBI or CIA agent when he grows up, and that inherently just appeals to their ego. It makes them feel better; it almost makes them feel like, you know, oh hey, little kids look up to me, I'm doing good, in a sense, you know. Because TSA agents, I don't want to speak too badly about them, but, you know, again, it's a little bit of a security theater; it's just not all that great.

So let's move on, and wearing masks. So now that you have the foundation in place of abusing self-interest, the next thing you have to do is learn how to change the face you're wearing, right? So what you want to do is suspend your own personality to dissociate yourself from the situation. And we all, man, we all wear masks naturally. I mean, you show different faces to your significant other, to your co-workers, to your boss, when you go out in public. You know, we all have different masks we put on at different times, and it's such a natural part of our reality. It's almost, you know, in a sense like spinning up a new virtual machine of yourself and sandboxing yourself from the world, if you want to think of it like that.

So there's three helpful principles that can help you out here, and the first one is life is just a game; just aim to improve how well you do, right? And even going back to Shakespeare, all the world's a stage, all the men and women are merely players, right? We're all just here; just have a good time, just aim to do better, right? Don't overthink it, don't overanalyze it, don't worry too much about it. The second one is fake it till you make it. You have to have confidence; you have to have enough confidence to act. But at the same time you don't want to do things that are too far out of your bounds, so you want to try to balance that and not become too delusional with it. You have to have enough confidence to do it. You have to sell yourself on the lie that you already are the mask that you want to wear. So if you're pretending to be, you know, for instance, a good guy in a charity, right, you have to be able to go through that and, you know, put time in and become that person that, you know, gives all their time to charity and gives money and donates their time, things like that. And again, going back to Nietzsche's perspectivism, you have to deny objective truth. You have to understand that the way people see things could be valid, but they might not actually be true, right? And going back to Blaise Pascal with the six on the ground, depending on how you're looking at it, they can change things.

So there's a couple of dangers to wearing masks. Unfortunately, masks tend to lose value when we wear them. So for instance, it's actually not that hard to do; it's actually pretty much a natural part of our daily interactions, right? You show different faces to, you know, your significant other, co-workers, etc., etc., again. So if everyone's doing it, how easy is it to do, number one, and number two, how can I trust other people who are doing it? You know, how do you gain that trust back? It gets a little weird. And I mean, you know, if you think about it, Heath Ledger, the very sad situation that happened with him after he played the Joker: you have to wonder just how much he got into that character, because he used a style of acting called method acting, where you get very empathetic with the character and you try to assume that role as much as you can. So it's one of those things where, you know, just how far did he go into it? There's a funny example on my website, and it's about a guy named Roofman, and he's a criminal who escaped prison and lived in a Toys R Us, okay? And he donated time to charity, he met a woman, he tried, you know, romancing her, all that, and when the police finally came she said, you know, I can't believe this is true, and, you know, that can't possibly be true. It's one of those things where, again, going back to the world's cruel and impersonal and people seek out, you know, confirmation of their own beliefs, people will often take abuse or ignore warning signs to keep their delusions going.

So the next part is storytelling. Now I don't always come off as the most interesting man in the world, but when I do, it's because I told a good story. Storytelling is an ancient, inherent part of human interaction. It's been going on since basically language was invented; it was the only way of transferring information between two people until writing was invented, really. And there was actually a study done that showed that when you tell a good story you can actually improve your status or appearance, so women rate men as more attractive. And if you think about it, in a way it makes a lot of sense: interesting people tell interesting stories. If you don't have an interesting story to tell, you're not really that much of an interesting person. Now I saw Kindra Hall speak once, and she boiled it down to a really nice explain-it-like-I'm-five type thing, and her explanation was: you have a situation, then there's an explosion, and then you come back. Dan Harmon from Rick and Morty and Community built on that; he has an excellent Storytelling 101 series on a website, and his general overarching theory is that stories follow this circular pattern. So for instance, number one, you have a character, an idea. Number two, you either desire change or you notice a problem. Number three is a threshold, and that's usually when you finally decide to go, you decide to do it, you decide to take action. Number four is the road of trials, so if you're thinking about, you know, a typical story, that's when, you know, the main character goes and meets the master and trains with him and goes through, you know, all that, you know, ridiculous road-of-trials type things. Five is meeting the goddess, or finding the item that you were looking for. Six is meeting your maker, so once you find what you were looking for, you then have to use it to overcome the problem that you found originally. Seven is the other threshold, and that's returning, that's the road of return. And then finally, at eight, you have to return with change. Stories inherently have this part of it where, when you finally come back to it, you have to return with change. And Dan defends his theory when he says something like, you know, it's just this inbred desire with humans that's kept their society together: you have to go, find, take and return with change. We were hunter-gatherers for, you know, hundreds of years, so it's one of those things where you couldn't just sit on your butt and wait; you had to go out, you had to find the deer, you had to kill it, you had to bring it back. He also goes on to mention a couple of different psychological things we're not going to get into too much, but the general idea is that you want to be the master of both worlds in this circle. If you go back to the last one, these two circles are actually the same, so if you think about it, just imagine the 1 through 8 on top of that circle, and the thresholds at 3 and 7 are the separations between the conscious and the unconscious world. And Dan says, be the master of both worlds. So if you're giving a presentation, you're doing a sales pitch, you know, whatever it is, if they don't like you but you seem like you know what you're talking about, that'll have a negative effect on you. So you want to not only, you know, seem like an expert, but you want to be personable, you want to be likable. You want them to say, hey, not only does this guy sound like he knows what he's talking about, but there's something about him I like.

So a couple of tips. Kindra Hall used this tip where she said, you know, you want to provide details in order to get people imagining your story in their head, and one of the ways to do that, she used the example of the old wooden chairs in school. So if she's telling a story she'll say, you know, remember back in the day when, you know, one of these days I was, you know, back in school, I just came back from lunch and recess and I had to sit in those old uncomfortable wooden chairs, you guys know the type, right? And as soon as you say that, you instantly start imagining the situation in your head, and that gets you a little bit invested in the situation. It automatically brings out some of your own emotions, some of your own feelings, right? But the problem is you can use a little bit too much detail; you can go overboard with it. So you don't want to use too much, but you want to do enough to get them involved in the situation. You also want to have scripts, so you want to have pre-made stories that will build certain profiles of your character. So again, if you're Roofman, you're pretending to be a charitable guy, you want to have past experiences and stories where you can say, oh yeah, you know, this one time I stopped on the side of the road and helped some guy change his tire, you know. You want to have small little anecdotes like that to make sure that your character meshes.

So I'm gonna tell you a real quick story here. Back when I was in high school, me and my friend had talked about going skydiving, and you need to be 18 to do it, so we talked about it for a while, we got it set up, we went. And when I was sitting in the lobby I was reading a magazine, and in it there was an article about a 5,000-foot jump in Brazil that had gone terribly wrong. A guy was dressed as Santa Claus and he was supposed to jump, drop down and land and give out presents to kids. Unfortunately, his chute never actually deployed, so he just went splat in front of 40 or so kids. How do you explain that to your kid? Not only that, but if you're a skydiving company, why are you putting that in the lobby? That didn't give me a very good feeling, you know what I mean? So despite that, we go back and we go through training, and the training is that you have to lie a certain way because you have somebody on your back. And if you've never gone skydiving, the way they do it is they tip the plane so you're literally hanging outside the plane; the dude has his hand across the door, and then when you finally go he lets go and the plane just tips and you drop. So, you know, through the training he's saying, oh, you know, we all roll our own parachutes, so, you know, there's no worry about that, we don't let someone else do it, so, you know, our life is on the line as well as yours. It was very reassuring. On the way up I noticed there was about 20 people in the plane: 10 people jumping total and then, you know, their buddy on the back, so there was 20 people total, and it was a really tiny Cessna plane. While we were going up I noticed a sign on the plane that said there was a 500-pound limit to the plane, and between that and the same thing, and I'm sitting there looking at it and going, couldn't you have at least taken it down? I'm sure it's okay, it's probably meant for longer flights, but, you know, Jesus Christ, guys, you could have at least taken it down, right? So I'm going on a 10,000-foot jump, and what they don't tell you about skydiving is that for 90 seconds you're free-falling at 120 miles per hour, and then all of a sudden you go to about five miles per hour standing up. Not even lying to you, I got bruises where the straps were; it was that much of a jolt. So I finally jumped, going, you know, tucking my shoulders, you know, making all sorts of cool rolls and all that from the training that they taught us, and, uh, when I finally went straight I was sitting like a kangaroo in a pouch almost. It wasn't quite, I wasn't standing; I was in this weird awkward sitting position because of the way the safety harness was. So the guy looks at me and he says, okay, so loosen your safety harness, stand on my tiptoes, and then slowly move your way up. And I looked at him like, you just told me to untie the only thing keeping me tied to you when you have the parachute, you have to be nuts, right? So I do it anyway, it all works out, I start steering the parachute, get used to that and all that. We finally land; my friend jumped after me, and when he landed, the second he landed, he instantly puked.

So just to go back to that example, a real quick general rundown of the one-through-eight steps. The first one, the idea, is that we decided to go. The second part is that, you know, there was the scene of tragedy in the magazine that I read. The third part is the training; that was crossing the threshold, that's the this-is-really-happening-to-me, right? The fourth part, the road of trials, was all of a sudden the 500-pound limit, and while we were up there, there was a girl in the plane who started freaking out, and they basically told her, look, once you're up, you're up, you're jumping. And they weren't serious about that, but they were just trying to get her to go through with it. So in five, meeting the goddess, that was actually jumping. Six, overcoming a problem, meeting the maker, that was when the guy told me to untie the only thing keeping me tied to him, right? The seventh, the part of coming back with change, was after I had done that I learned, you know, how to steer the parachute, all that good stuff. And then finally at the end, the returning with change: landing and watching my friend puke.

So the next part, now that we have abusing self-interest, wearing masks and storytelling down, we're gonna move on to Stanislavski's method acting. And Stanislavski was big on being empathetic and paying attention to the minute details of situations, and he actually said that you should do a lot of research on people to give a true or natural presentation, and he did that through people watching. So for instance, if you're gonna pretend to be a carpenter or a hard laborer, they're not going to have clean clothing, right? They're gonna have mud on their boots, paint splatters, they're gonna have calloused hands. You have to be aware of those things so that in case you get questioned about them, you're prepared, so that you can kind of, you know, mitigate the concerns a bit. And he even said that you should practice blending in in your downtime, and it's a good way to do things, because then you can practice in situations where you might not necessarily have a lot on the line. So for instance, one of the ways I did this was I hung out at a local airport and I started talking to the pilots, just general elicitation: ask them about their job, pretending that I was interested in possibly becoming one. And for those of you that don't know, there's a term called squawking, and squawking is this way for pilots to just explain different situations. For instance, there's squawk 7500; there was a meme made about it, and it's a terrorist hijacking warning, squawk 7500. And so that's one of those things where you have to understand the lingo and the jargon, right? You have to do that people watching to pay attention to the details. And then after a little while I started pretending that I was a pilot, and I would talk to other people in the bar and just make it seem like I was a pilot, right?

So part of method acting is connecting the mental to the physical. So Stanislavski said that, you know, if your character is supposed to be cold, you should be shivering at all times, you should be rubbing your hands, you know, maybe blowing into them, or for the, you know, less classy people, maybe sliding them down your pants, right? I thought that always keeps them warm, you know. And there's the second question, which is the magic if, and the magic if says, you know, if I were my character, what would I be thinking, what would they be thinking? And again, the entire idea is to empathize as much as you can with the character that you're trying to play. Now the given circumstances: for those who don't know, there's a funny historical fact, where Kansas City used to have brothel inspectors, and that right there is their badge, just a funny history tip for ya. But so what you have to do with the given circumstances, it says you have to accept your context as valid. So if you're an inspector, there's certain things that go along with being an inspector, like you have to have a badge or some sort of official, you know, way of showing yourself as an inspector. So if you're gonna pretend to be one, you have to be aware of that and you have to accept that; you can't just try moving around it. So you'd have to, you know, try saying, oh, I lost it there, you'd have to try making your own, you know, something like that.

So the next part is imagination, and it's very similar to, you know, taking a swing and the way sports players imagine it. You're never gonna have the full story about your own character, so you have to look for clues in the context of what you do have. And Stanislavski said some of the big questions to focus on were: who you are, where you're coming from, where you're going, why, what your goals are, and what you want to do when you get there. Now you can also create your own stories, you know, using Dan Harmon's storytelling, right? So for instance, if you're trying to be a charitable person, or at least seem like one, then you're gonna have to start creating stories so that you have something to tell people, so that, you know, it builds your character in their head.

The next part is circles of attention, and Stanislavski used this to remain calm about situations. And he said that you should increase your focus on one thing and create a circle of attention between you and either a person or an object. We often have this spotlight we shine on ourselves, right? We beat ourselves up mentally over the smallest, stupidest things, and oftentimes no one cares about the small stuff, no one sweats it, but we do. So if you create a very intimate circle of attention with one or two other people, then it prevents you from doing that to yourself, because it's hard to do that when you're actively worrying about interpreting their reactions, their body language. You know, we have one-track minds in a sense; you can't overload it, right? So it just kind of takes the spotlight off yourself and puts it on something else.

So, communion. Stanislavski said that you have to be aware of not only your surroundings but the other actors and cast members. And so for instance, if you're trying to argue with Walter about going over the line and marking it zero, you have to know what kind of person he is. He's not gonna take that, he's not gonna accept that; that's just gonna be something he pushes back on. And again, it's one of those things where you have to keep the inner story in mind. You know that we all have an internal narrative about ourselves, and you have to keep that in mind and try to use that against people, because again, the best way to manipulate people is abusing self-interest, generally. You also have to keep in mind what your long-term goals versus your short-term goals are. So for instance, you know, not everyone tells their whole story at once, right? I mean, even, you know, you watch TV shows or a movie, they have subplots and, you know, overarching, you know, general plots, things like that.

So the next part is doing a little bit more advanced people watching. So what you want to do is you want to look at the fine details, but instead of just looking at one person and studying them, you want to try looking at groups: try finding their hierarchy, their status symbols, the norms, taboos, things like that. And there's a CTF awareness game where you can play it with two or more people; you can do it by yourself, but it's easier with two people. And the idea is to pick things out from a situation to remember. So if you're going into a coffee shop, you say, okay, well, let's try to remember, you know, something about the cashier, and then you'll ask each other questions. You'll say, well, what kind of necklace did she have, what color were her clothes, you know, how did she stand, did she seem confident, did she seem happy, things like that. Now I like extending this, and when I go into stores, and really anywhere, I'll try looking for cameras, infrastructure points, you know, alarms, electrical boxes, network access ports, routers, things like that, ingress/egress spots, guard patrols, heavily trafficked areas, places to avoid, things like that.

So, abusing the Information Age. This is about OSINT, and there's a framework that is, it's really, it's really cool; it's by Justin, uh, I don't, I think his name is, and it just lists all the publicly available data sources. So for instance, people search engines like Spokeo.com: you can go in there and you can search for people's names, phone numbers, things like that, and it'll bring up information about them. There's different review sites, glassdoor.com, ratemyprofessor.com, things like that. There's even third-party sites, snoops through IBM's Watson for text analysis, things like that. There's also contact trading, data.com. Data.com takes, you know, corporate contact information; you can create a free account, and the way it works is when you trade data to them, you upload contact information, you can then download more. There's also professional sites such as IDI Core, LexisNexis and stuff like that, and Tracy actually, she mentioned a couple of these, like PACER public records, things like that.

So the ways that you can become a pro, if you don't necessarily have access: you can just buy a cheap domain, right? Buy a cheap domain, name it whatever you want, make it, you know, a business name, maybe build up a fake website around it, stuff like that; it'll make you seem more legitimate when you try doing things. You can also try incorporating yourself, right? Just become an LLC. It's not that hard, it's not that risky, you know, a little bit of a gray area, but you can definitely do it. And you might even be able to, you know, social engineer these data brokers, like IDI Core and LexisNexis, because they don't deal with the average Joe type customer; you might even be able to get them to just work with you solely by having a legitimate-looking email domain and a website, right? Or you could also try, you know, maybe doing contract work or side work with a private investigation firm or something like that, right? Maybe just one day a month or something; it'll get you access to more information, more details about people. Another good way to go about this is industrial espionage, and it's basically, you know, you can apply for a job somewhere, even though it might not be what you're trying to get information about. So for instance, you apply for a low-level job at some company, just working there and paying attention to, you know, the details, and the background information can get you a lot. You can identify prime targets. So for instance, some of the best people to target are HR and personal secretaries. HR often has access to information that no one else, even IT, might not have access to, right? Not only that, but secretaries often run their VIP's entire life, right? They have account numbers, they have passwords, they have, you know, basically they literally run their life, like nine times out of ten. It's crazy to think about, but that's really the way it is. And again, you can look at, you know, corporate reviews like Glassdoor, so you can get information on, say, the way a certain manager runs their shop, so that if you're trying to phish someone you can say, oh yeah, you know how manager X is there, they're so overbearing and impatient, you know what I mean? You can do stuff like that. You can also go to, you know, just the corporate website or Facebook. You can use LinkedIn. There's a tag on LinkedIn called the LION tag, which stands for LinkedIn Open Networking, and it essentially means if you follow me I follow back: open networking. It's crazy. Then there's actually pictures of people's employee badges on LinkedIn. There's all kinds of crazy stuff you can find on LinkedIn.

So level up your perception, and this helps not only with, you know, OSINT and all that other stuff, but it also helps with, so for instance, I was on a trip just a little while ago, and while I was on the trip I was sitting next to the CFO of some music company from San Francisco or something, and he was drafting an email. And he was hiring a new manager, and it had very detailed information about the benefits package, the salary, and he was sending it out to his team saying, you know, does this sound like a good deal, do you think we could, you know, hire this guy at this rate, stuff like that. And so what I did was I went to take a window shot and I got his computer in the scene, to get an idea of not only the way he types but also his signature, so that way I could reproduce it later if I wanted. I wasn't going to, but it was just one of those things where I was doing it just to kind of practice. So in order to train your perception, there's this thing I call peripheral markers, and that's where you tie an object in your peripheral vision with an event that happens along a path. So let's say you're walking down the aisle in a store, and what I like to do is tie camera locations, guard locations, patrols, things like that, to a certain part, like end of aisles; maybe there's, like, a small cubby hole between the shelves or something like that. Try to pick things that won't change in the background. It's never gonna be 100% certain, because things change all the time, but, you know, do your best.

So now that we have all that in place, we move on to the next part, which is forcing attraction and trust. And there was a study by Dr. Arthur Aron where he said that mutual vulnerability fosters closeness. Well, it's a bit more than that; it's about sustained, escalating, reciprocal, personalistic self-disclosure, and he goes through a couple of sets of questions, and it's a bit like boiling a frog in water. So you start out very generic, asking just general questions about someone, trying to just show interest, very basic, and then all of a sudden you start opening up more, then they start opening up more, and then you just keep snowballing that to the point where you can almost make it like a soulmate type of situation. If you've ever heard someone say, oh, you know, I met him that first day and, oh yeah, I felt like I've known him my entire life, this really describes that situation, and that's what you're trying to aim at, right? Now the other thing is that you don't have to be perfect; you don't have to match them on everything. In fact, it's actually a little creepy and it might even be detrimental, because if you think about it, there's a thing called the hairy arm technique, where a graphic designer figured out that, you know, for really picky clients, they always have to find something wrong with it. So the way he would get around it was he would put, you know, a picture of, you know, just a little bit of his arm in there, and then the client would point it out and go, oh, what's that, get rid of that, and then it's good. They had to find something, they had to pick at something, and he used that against them. So here's a couple of the sample questions. The first three, they're from the first set, you know: do you want to be famous, what's your purpose, what's your perfect day? Find three things in common with someone. And the next two were: what's a dream of yours, what's your ideal friendship, right? Those are a little more personal, and it's again going back to that whole slowly-boil-the-frog-in-water effect.

There's also this thing called mirroring, or rapport building, and it's automatic; it's almost unconscious with people we like. So when we're focusing on someone, let's say I'm focusing on you right here, if I were, you know, interested in you, were paying attention to you, I would mimic your body language in a sense, right? And you can use this against people to check and test if they're actually interested in you. So if you're out at a bar and there's this girl you like or whatever, you're making eye contact, etc., if you, you know, scratch your head or pull out your phone or, you know, lean in, if she, you know, mimics that in a sense, then it's obvious she's paying attention to you, and you can use that. Also, let's say you're worried about someone tailing you in a car: start making turns, you know, left, right, you know, just go random ways, but randomly use your turn signal and pay attention in the rear-view mirror and see if they're doing the same thing, because if they're intently watching you, they're most likely unconsciously mimicking you.

So the final part of the talk, and this is going to be the majority of the talk, actually, is Colonel John Boyd's OODA loop. And he was a US Air Force pilot, and his nickname was Forty-Second Boyd, and that was the amount of time it took him to win a dogfight. So he studied, to try to, you know, from present day all the way going back to Sun Tzu, and he said that we live in a world of constant change

and funny enough it's actually backed up by science between Heisenberg's uncertainty principle the second law of thermodynamics things like that it we really do live in a world of constant change and even certain philosophers and spiritual leaders over the years have said similar things and the OOD a loop describes the process our natural process for learning and decision making so the first part I'm just going to go over this real quick change in coherence is that uh you want to keep your mental models open because if you have a very opinionated closed mindset entropy will inherently build in your system right things constantly change you can't afford to have a static belief in something because when you do you

instantly discredit it right but if you have an open mind you can at least say okay well maybe that's the case I should at least check right just to make sure I'm not wrong because I could be wrong and this helps keeps your models again very low entropy and one of the things about this is that a pain typically clots around stagnation and avoidance of change right usually when we're having problems with something we're having a hard time dealing with something it's because we're not moving through change effectively and this goes back to a even Buddhist had similar things and you can use this in conjunction with the inner story and abusing self-interest there's great power in identifying people's

capacity for change or perhaps the amount of unfiltered reality they can take and that's even though again rehashed by Robert Greene inviting his 48th law of power so how do you use this well the idea is to heal their pain and Viktor Frankl was a psychologist and he had an incredible example about this where a doctor came to him and said you know my wife just died I'm having a really hard time getting over it what can you do for me how can you help me and Frankel said you know rather than to tell him anything I just asked him a question what would have happened if you had died first and he said oh those who

have been horrible she would have had to survive me she would have suffered so much etc etc and so Frankel came back and he said well you know you realize that you saved her that pain at the cost that you now have to survive her and after hearing that the doctor just walked right out when you give pain a meaning such as the sacrifice of saving someone else it often times heals it not only that but um Venkatesh Rao is a blogger thinker things like that and here's this the idea called subtractive synthesis and he says that we can often create power by removing unpleasant things from people's lives from the static of their lives and he says that

you know this is one things this is one thing that conspiracy theorist things like that typically don't get it's much easier to remove something from reality than it is to man you sure of fake reality there's less work involved and it's also oftentimes more effective and easier so this is Boyd's loop and it's maybe a little small a little hard to read but there's four steps to it observe orient decide and act and it's not exactly a one-way thing it's more of a continuous process a constant state of changes the world around you changes so just a quick overview here the observed part is meant to keep system the low entropy right it's that allowing information into your

mental models keeping entropy low and a definite change orientation is the most important part it's mostly judgment and pattern recognition and pattern recognition often trumps the amount of information you have so no matter how much information you have it might not be that helpful if you can't notice the patterns in the information deciding is just selecting a best educated guess or a hypothesis you know you have to start somewhere and you have to test something and then you have to change that and tweak it and orient it as you go and an act is just putting the decision in an action and calibrating is necessary so observation again you want to observe your surroundings keep your mental

models low entropy and there's a Jeff cooper's color code and it's often reflected in many martial arts schools boy and boy said the same thing he said that you want to remain relaxed but aware and for Jeff Cooper's color code that's the yellow stage that's relaxed but aware minimum acceptable level when in public or carrying a firearm this is what you should be in almost always unless you you feel very safe like let's say you're at home trying to go to sleep something like that so there's some pitfalls unfortunately though we often lack relevant information right we know we don't always have all information about the situation going on not only that but if we have too much information

and we don't have good pattern recognition it's hard to remove the noise from the situation so orientation this is the most important part of voice loop and it shapes not only the current loop but also your your future loops and your future orientation so it affects all of your future actions essentially he says a complex set of filters and lenses and heuristics that shape our observations and resulting reactions and it's a little bit similar to the various cognitive biases that we have there's a lot of them if you go on Wikipedia and look them up there's a lot of them and you should get to know all of them but uh boid also mentioned this and he

mentioned a couple of ones such as tradition prior experiences new information generic heritage those are all fairly self-explanatory and there's also two prominent psychologists Gary Klein and Daniel Kahneman and they put out a 2009 paper where it explained two different processes of decision making but the what they meant to do was contrast their views and what they actually did was just show two different ways that we do it so clients version was naturalistic decision-making NDM and Kahneman was heuristics and biases and NDM says that you know we mostly rely on past experiences and storytelling and you know power of metaphor mental stimulation within our own mind to be able to kind of keep that information

available and accessible and Kahneman said that well you know we really end up doing is just we make shortcuts we make mental shortcuts so we say you know if we see someone who's short they might have Napoleon complex they're maybe a little sensitive you know so the most important part of the orientation I mentioned filters and the two the most important filter is analysis and synthesis so analysis is studying a whole by looking at its individual parts it's basically destruction you take a whole you break it down and you look at its individual pieces synthesis on the other hand is the opposite it's where you take little bitty pieces and you use that to create a whole by combining the

many parts together and this is similar to fickt in Hegel's a thesis thesis antithesis and synthesis and what that says is that you're supposed to take a proposition instantly negate it so you say you know the sky is blue no no it's not and then you find the common ground you find a common truths behind the two situations you synthesize them as best you can and then you start the process over and again this is all about keeping your men models low entropy so when learning new theories new techniques new tactics things like that don't just trust them rigorously test them right take cuz it what works for you might not work for me right so use this

thesis antithesis synthesis and say okay well here's something here's the opposite what happened how'd it go how'd it work and this is similar to overcoming functional fixedness and functional fixedness is a bias that says we typically only use tools in ways that they're meant to be used so for example one of the things would be you know if the only thing use if the only tool you have is a hammer then everything looks like a nail right and you know sequel injections um type confusions things like that not validating user input things like that if you don't expect someone to input a string into the in the username field then you're not validating your input

and you know sequel injection at this point in 2016 is pretty much negligence right but that's using a tool in the way it wasn't supposed to be used and this show of hands how many people played with Legos are still play with Legos most of the people right it's very similar you can either you can follow the build pattern or you can take the tools and all the pieces and make your own you know whatever follow your automation you can make your own you know vehicles you can make your own buildings you know whatever it is you're doing and Boyd use a similar example where he took individual pieces off of like um there was a an instance of a

tread on a snowmobile things like that and he used all these pieces and brought them together to create something new but essentially is easier to think of it as just playing with LEGOs really so finally we get to decide an act so when you're going to decide is basically again just picking a best-educated the educated guess or hypothesis the test and we often there's there's two ways of really doing it well-defined procedure versus poorly defined procedure well-defined procedure is things like statistics probabilities rules of thumb things like that and that represents Kahneman's heuristics and biases right the second is poorly defined where we have little no procedure we have tight time we have a gross lack of information

things like that and that's the naturalistic decision-making of climb there's also a thing called a be testing where you take the same theory or strategy you put a slight twist on it and you see how that twist affects it it's often used in marketing and it's also used for example in canary trapping and canary trapping is where you put out different versions of the same story to find a leak so you say you told one person okay well the other day I was you know driving along certain road and something happened you tell them a different road and you tell it to six different people and then all of a sudden you tell each different person a

different story and then when that's three leaks you know which person it was that told it it's also used in the music industry I was a DJ for a while as InfoSec people often are for some strange reason and the music industry uses this they'll put a high-pitched frequency noise into their songs and their stem their stem tracks a song is made up of a you know various different parts remix sections right and so they'll put these high frequency noises in and they'll put you know slightly different ones and then if those stems leak then all of a sudden they know who to fire right because you're not supposed to be leaking their proprietary information so how do we use this how is

it helpful well the first way is resetting a targets loop so time is usually an important factor and if you can complete your Oda cycle faster it allows for more cycles and a better orientation if you can't find weakness in someone then you have to create it and again the idea is they catch people off-guard and it's sending them back to observation phase right if you catch someone off-guard they take a step back they don't act right so also actions can become outdated and as they become outdated your advantage increases exponentially right now there's a couple of drawbacks to it sometimes it's more advantageous to wait but that doesn't mean you be inactive so for instance if

you're in a war with another country you're not necessarily going to go to war yet but what you want to do is send your fighter jets out to the edge of their airspace and then you can record their magnitude the response magnitude in their response times so you're gonna see oh they're gonna see someone coming in so they're gonna have to send an escort out to defend their border so then you can kind of test and pro and probe for weaknesses and errors and things like that the second part is abusing knee-jerk reactions so one of the problems with resetting someone's loop is that you can force them to act by actions so if you're probing a country

and trying to you know send your fighter jets out to see their response times they might shoot you down it could just be something that happens so if you know what their knee jerk reaction to a situation is you can use that against them so Robert Greene again one of his laws of power is you know find people's thumb screw find the thing that really aggravates them and takes them off and use that against them because then you'll know how they'll react and you can abuse that you know knee-jerk reaction as it is if you know what it's going to be and you can use Osen clues you can abuse you know the various cognitive biases things like that so the

next most of you are probably familiar with this honey pots right traps and distractions I mean you can have a honey pot server you know things things of that nature you guys are probably pretty familiar with it but going back to knee jerk reactions if you know what someone's reaction gonna is going to be you can actually bait them you can use a pattern you can just do the same pattern you know three or four times and then when they move to counter it because they think they know the pattern you can break it in counter back so for example you know in InfoSec maybe having a virtual machine where you save the wrong passwords in your browsers on the form

data right so that they think they try to rip your form data out they try to get your password and all of a sudden you have the wrong one save in there and they can't do it use it right or maybe you know having a fake passwords dot txt file on your desktop where you have you know all your account names and passwords listed but none of them are actually right the fourth one is adding constraints to people's lieu and this is used often in sales with limited time offer is only available for so long etc etc and so what you want to do is use strategies that will take too long for people to actually verify so for example

if I'm fishing for passwords you know you can use some do some motion you know maybe go on linkedin maybe go to their corporate Facebook and say they call their IT department the ITB Information Technology branch instead of the IT department right so when you call someone you can say you know hey Steve it's itis' it's Steve from ITB I'm doing some work on your computer after hours which username and password and adding that little bit of jargon adding that little bit of validity to the conversation will often be enough to convince people especially if they don't have a lot of time to verify the fact right I mean not everyone if you're sitting in a call

center you're not just gonna you know call IT or look up the company directory and say oh who the hell is this Steve from ITB right and the final part and this is really the most powerful method and it's Stan it's um it's promoting chaos and boyd's describes this as exhausting or overloading your targets by fighting a war of attrition with their willpower stamina or ability to react in time and the ODA oh the ODA cycle is more than just simply complete your cycles faster and it's also not a one-way loop right you're constantly changing you're constantly reorienting yourself based on the interaction with the environment and so boy describes it as observe orient decide and act more inconspicuously more

quickly and with more regularity generate uncertainty confusion disorder and panic and chaos to shatter cohesion produce paralysis and bring about collapse so if you think of a generic sports example if you think of you know soccer a basketball a guy doing a quick series of dribbles so the defense doesn't know where he's gonna go and then all of a sudden kicking it off you know it's the left that creates chaos it creates he doesn't know what he's happened he's constantly stuck in the observation phase they don't know what to do and again same thing with basketball and one of the ways that you know you could use this is to avoid fingerprinting so browser fingerprinting

operating system fingerprinting things like that if you're constantly using different browsers different size monitors different hardware it's very hard to nail you down as you know oh this is definitely this X and X hacker right and so presentation basically over here and if you look at the the overarching structure of my presentation it actually follows Dan Harmon's storytelling example so the first part is the idea of you self-interest right the second part is encountering a problem wearing masks changing your face the dangers involved with that right the third part crossing the threshold is storytelling being able to tell effective stories get people you know really believe in your character the fourth part the road of trials is

the method acting going out practicing in your downtime doing people watching going out doing the oaths and all that kind of stuff the fifth part is the the abuse and the Information Age the industrial espionage targeting HR and secretaries things like that that's finding the goddess right that's finding the way to overcome your problems the sixth part is using it and the sixth part was trust and mirroring right the mutual vulnerability fosters close this part and then finally coming back with change the seventh part was the ODA cycle and then the eighth the final the final part is actually using and abusing the Oda part so I sincerely hope you feel as though you're returning with

change I hope you learned something thanks for listening and enjoy the rest of the day any questions comments concerns
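The canary trap described in the talk (a different detail of the same story for each recipient, and a unique tone mixed into each copy of a stem) can be set up as a small leak-attribution tool. The following is an added example written for this page, not code from the talk or the speaker. The story template, the road and day lists, the recipient names and the demo key are all constructed. It generalises the story version a little: attribution scores on however many markers survive a paraphrase, so a leak that could have come from several recipients is reported as ambiguous rather than pinned on the wrong person, and the "tone in the stem" version is shown as a per-recipient HMAC tag, which needs no stored table of variants.

```python
import hashlib
import hmac
import itertools
import re
from dataclasses import dataclass

# Constructed sample data for this example (not from the talk).
ROADS = ["Route 9", "Market Street", "Broad Street", "Ridge Pike"]
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday"]
TEMPLATE = ("The other day, on {day}, I was driving along {road} "
            "when the car in front of me stalled at the light.")
DEMO_KEY = b"constructed-demo-key"  # placeholder; a real tagging key stays secret


@dataclass(frozen=True)
class Variant:
    recipient: str
    text: str
    markers: tuple  # the details that differ between copies


def make_variants(recipients):
    """Give every recipient a copy of the story with a distinct (road, day) pair.

    Every copy is unique, but two recipients may still share one detail, so
    attribution below scores on how many markers survive instead of
    requiring a single exact match.
    """
    combos = list(itertools.product(ROADS, DAYS))
    if len(recipients) > len(combos):
        raise ValueError("not enough distinct marker combinations for recipients")
    variants = {}
    for recipient, (road, day) in zip(recipients, combos):
        text = TEMPLATE.format(day=day, road=road)
        variants[recipient] = Variant(recipient, text, (road, day))
    return variants


def attribute_leak(leaked_text, variants):
    """Return the recipient whose markers best match the leaked text.

    Returns None when no marker survives, or when the leak was paraphrased so
    far that several recipients tie: an ambiguous leak must not be blamed on
    someone by accident.
    """
    lowered = leaked_text.lower()
    scores = {r: sum(m.lower() in lowered for m in v.markers) for r, v in variants.items()}
    best = max(scores.values(), default=0)
    if best == 0:
        return None
    top = [r for r, s in scores.items() if s == best]
    return top[0] if len(top) == 1 else None


def tag_copy(document, recipient, key=DEMO_KEY):
    """Append a per-recipient tag: the text equivalent of the unique tone mixed
    into each copy of a stem. The tag is an HMAC of the recipient name, so only
    the key and the recipient list need to be kept, not every tagged copy."""
    tag = hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{document}\n<!-- ref:{tag} -->"


def identify_tag(leaked_copy, recipients, key=DEMO_KEY):
    """Recover the recipient from a tagged copy, or None if no tag survived."""
    found = re.search(r"ref:([0-9a-f]{12})", leaked_copy)
    if not found:
        return None
    for recipient in recipients:
        expected = hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:12]
        if hmac.compare_digest(expected, found.group(1)):
            return recipient
    return None


if __name__ == "__main__":
    people = ["ann", "ben", "cai", "dee", "eli"]
    copies = make_variants(people)
    print(attribute_leak("Heard he was on Route 9 on Tuesday when someone stalled", copies))  # ben
    print(attribute_leak("Something about Route 9", copies))  # None: four copies share that road
    print(identify_tag(tag_copy("Q3 plan", "dee"), people))  # dee
```

The two halves cover the two failure modes a practitioner runs into: a story gets retold loosely, so only some markers survive and the match may be ambiguous; and a document gets copied intact, where a derived tag avoids keeping a table of every variant ever sent.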
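The fake passwords.txt the talk mentions only pays off if something is watching for the decoy accounts being tried. As an added example, not code from the talk or the speaker, here is a detector that parses a constructed authentication log, flags every attempt against a decoy account regardless of whether it succeeded, and groups the attempts by source address. The decoy usernames, the log format and the sample log lines are all constructed for this example; a real deployment would parse whatever auth log format it actually has.

```python
import re

# Decoy accounts that exist only in the bait file. They are valid nowhere, so
# any attempt to authenticate with one is a signal, not noise. Constructed names.
HONEYTOKEN_USERS = frozenset({"admin_old", "svc_backup_legacy", "jdoe_vpn"})

# Constructed log format for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) auth: (?P<result>ACCEPT|REJECT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one internal user logging in, one failed login by a
# real user, then a burst of decoy accounts tried from one outside address.
SAMPLE_LOG = """\
2017-08-12 09:14:02 auth: ACCEPT user=alice src=10.0.0.12
2017-08-12 09:15:40 auth: REJECT user=bob src=10.0.0.15
2017-08-12 09:16:01 auth: REJECT user=admin_old src=203.0.113.7
2017-08-12 09:16:03 auth: REJECT user=svc_backup_legacy src=203.0.113.7
2017-08-12 09:16:05 auth: REJECT user=jdoe_vpn src=203.0.113.7
2017-08-12 09:20:11 auth: ACCEPT user=carol src=10.0.0.20
not a log line
"""


def render_bait_file(decoys=HONEYTOKEN_USERS):
    """Contents for the decoy passwords.txt. The passwords are dummy strings that
    are valid nowhere; the detector keys on the usernames, not the passwords."""
    lines = ["# accounts"]
    for i, user in enumerate(sorted(decoys), start=1):
        lines.append(f"{user} : Winter{2000 + i}!")
    return "\n".join(lines) + "\n"


def parse_line(line):
    """Parse one log line into a dict, or None if it is not an auth record."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def detect_honeytoken_use(log_text, decoys=HONEYTOKEN_USERS):
    """Group every authentication attempt against a decoy account by source.

    Success or failure is irrelevant: the decoy cannot succeed, and the attempt
    itself means someone read the bait file and acted on it.
    """
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] not in decoys:
            continue
        entry = alerts.setdefault(
            rec["src"], {"users": [], "count": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        entry["count"] += 1
        entry["last"] = rec["ts"]
        if rec["user"] not in entry["users"]:
            entry["users"].append(rec["user"])
    return alerts


def format_alerts(alerts):
    """One alert line per offending source, ready for a SIEM or a pager."""
    return [
        f"HONEYTOKEN USE src={src} attempts={a['count']} "
        f"users={','.join(a['users'])} window={a['first']}..{a['last']}"
        for src, a in alerts.items()
    ]


if __name__ == "__main__":
    for line in format_alerts(detect_honeytoken_use(SAMPLE_LOG)):
        print(line)
```

Keying on the decoy usernames rather than passwords keeps the rule simple and means the file can be refreshed with new dummy passwords without touching the detector; the one thing that must hold is that no decoy username is ever also a real account.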