
Well, hi there. Okay, I'm Tibbs, and you may have seen me speak yesterday about crypto mysteries. Today we're going to talk about social contracts and the mechanics underlying social engineering. As I said yesterday, I'm available at what a tiberias and by email, and I love getting tweets and stories about my talk, so if you're a tweeter, feel free, even if it's something bad.

So, about me. I am just changing contracts, from working with pget to working with Intel. I'm going to be reviewing and doing security assessments on the open source projects that the company uses. I'm really excited about that. I'm originally from Scotland; I moved here to the States about a year ago. I'm based up in Portland, Oregon, and it's been a really interesting experience, and I've loved being able to go to different conferences and talk to people about security, which is my passion, probably like you. I'm also a huge Supernatural fan. Now, if you're not familiar with the show you may not get a lot of the jokes, because this whole talk is Supernatural themed. Supernatural is like Scooby-Doo for adults; it's a lot of fun. My friend actually challenged me to make this talk Supernatural themed, and of course, like any fangirl, my answer was "bring it". So if you don't like Supernatural, bear with me, it is mildly relevant. Also, writing is hard.

So our story starts not with Supernatural but with Socrates. In 399 BC Socrates was put on trial for two things: moral corruption and impiety. It's a really, really interesting story. It happened, it's history, and it's really interesting; you should go read the whole story. I can't cover it all here, but I assure you there's a lot of curious fact surrounding it. The outcome of the trial was that Socrates was convicted, and he was sentenced to death by hemlock poison. Now Plato, one of his students, recorded that Socrates had both the opportunity and the means to escape punishment and leave Athens. Despite encouragement from his friends and his students, Socrates chose to stay in Athens and die. He refused because it would mean leaving what he thought to be a legal obligation to the city of Athens. He believed that, having lived there as a subject, he subjected himself to the possibility that he might be found guilty of a crime and punished, and to run away would be to break the social contract that he had made with the state and its people.

The story is really meaningful, but it leaves us with some questions. We're aware of explicit contracts: employment contracts, loan agreements, marriage contracts. These contracts we knowingly negotiate and enter into. I mean, some could argue that you're never really prepared for marriage, but that's neither here nor there. Whereas social contracts provide a framework for how society and government interact. In Socrates' words, they are agreements between the people of a society to abide by the laws and accept punishment. So what does it actually mean? Well, many philosophers have expanded on Socrates' social contract theory. Socrates, Hobbes, Locke and Rousseau may have argued about semantics, but they all agreed that we who live in a society implicitly, and sometimes unknowingly, agree to enact and expect the completion of social contracts. When they were developing the theory, morality and politics were thought to be interlinked, and they still kind of are: rulers were to govern fairly and people were to help society.

Social contracts are not just an agreement between the people and their government; they're also unspoken rules that govern polite society and maintain civility in the absence of the direct application of law. Social contracts are often born of religious beliefs and morals. These rules are the glue that holds society together. Often we think of them as doing what's right, or the right thing, such as tipping waitstaff, or holding the door open for somebody who has their arms full, or even not standing too close to somebody at the ATM. It's never really a spoken rule; everybody understands that that's what you do.

Psychology couches this in the concept of moral development. Moral development is the stages of moral reasoning that we go through as we turn from children into adults. This looks at how people justify their behaviors rather than ranking how moral someone's behavior is. These stages are grouped into three levels, and stages of development can't be skipped; you have to progress through one to get to the other. Levels one and two are pre-conventional stages, and these are normally seen in children. Three and four are conventional stages; these are normally seen in adolescents and adults. Levels five and six are post-conventional stages, and these are marked by a growing understanding that individuals are separate but part of society. People at this stage of development view rules as useful but changeable.

So what we're talking about here is something that is kind of intuitive. Being a person within society, people don't ever normally really examine the workings of society in the ways that we're talking about here, but my argument is that social engineers should. Along with subterfuge, body language and psychology, social engineers need to understand the society and culture of the target that they're trying to manipulate. We understand the social contracts which underline our own society; we're part of it. But what about others? I moved from Scotland to America and I noticed huge differences. I mean, in Scotland all socialization happened at the pub, everything from work nights to talks with your boss, everything. And also, British people love a good queue, and there are strict unspoken rules that govern how a queue moves and works, whether you hold somebody's place or not. Those rules don't exist in American lines, and I was entirely unprepared for this. I still find it curious that guys here hold the door open for women to walk through; that doesn't happen in Britain at all. I could go on, there's lots of examples. These are two really quite similar cultures; we share a language and history to some degree. I mean, I think it's fair to say we both have a problem with English. So can you imagine trying to carry out a social engineering attempt in a country with vastly different social contracts? Research is important, not just of your target but of the culture that that target is in.

So how do social contracts work in an environment where people are coming from different languages and societies, where the people interacting don't know the same unspoken rules? Unless somebody explicitly creates and enforces rules, generally it's chaos. Case in point: the internet. It's a hodgepodge and everybody does what they want. Small groups form rules for their own websites or message boards and spaces, but the internet at large is pretty lawless. Lack of physical space makes it really easy for people to behave in ways that they wouldn't in real life, because in real life they're constrained by social contracts, so things like trolling and harassment and doxing happen.

Social engineering relies on subverting the social contracts of a given society. It works because social engineers exploit known weaknesses within social contracts to encourage people to fulfil their side of the social contract even when it's against their interests. So I'm going to talk about some examples here. We all know phishing attacks; they're probably the most prominent and common example of social engineering that we currently have. They're a really hot topic right now. It's common because it works, because the creators of the technology used to carry out phishing attacks did not consider how people might subvert that technology and misuse it.

I recently worked for a company who had a guy come in claiming to be a contractor, and he was given a temporary pass, and he was in the building for a few days before anybody thought to question this. Turned out he wasn't a contractor, and in those three days he made off with a lot of hardware, hardware that was valuable in and of itself, but that hardware also had confidential data on it that was also worth quite a lot. In this case we don't expect somebody to come up to reception and say "hi, I'm supposed to be here" when they're not supposed to be here, so it's a really good example of this use of social contracts.

And, a little bit topical, I'm not going to get too into it, but a little bit topical is another example of social engineering on a grand scale that we're experiencing today: fake news. In theory, organizations who report news should be neutral; they should be reporting only the facts. But over the last decade this has developed into providing maybe selective truths, adding a bias to stories reported, or choosing not to report stories that don't support a chosen narrative. In the last few years this has progressed to reporting outright fabrications as news. Now these stories are picked up and spread, becoming kind of a consensus truth, and when repeated by people in positions of power they get credence and gravitas. The truth, the truthiness of these stories, is not necessarily the point here. However, news outlets have always purported to tell the news as it happens, so they're actually starting to twist and break the social contracts on which the basis for trusting a news source is based. The purpose behind this, as with any social engineering attempt, is to get a person or people to act in a way which they normally wouldn't.

To recap: social contracts underlie society. Without them it would collapse; we'd have chaos and anarchy, everybody would be working in their own best interest. But we still have people who routinely subvert them for their own benefit, which I think to some degree is a little understandable. So what does that mean for us as security professionals and developers of technology? Being aware of and understanding the oddities of human behavior gives us a tremendous opportunity, an opportunity to do what we are uniquely qualified to do: to look at new technology and how people should interact with it, then find the vulnerabilities, finding the ways that people can exploit it not just technically but socially, and highlight that to the creators, the curators and the users of that technology. So my call to action to you, audience, is this: break stuff, but don't just break it technically. Look at how you can break it socially, and talk about it. Work with creators to find better ways for fallible people to interact with emerging technologies, plug the social gaps, and make the world a better place. Also, watch more Supernatural. Thank you so much. You've been a very quiet but good audience; I really appreciate it. Anybody like Sam have questions? You, in the front.
Um, I think that one of the best things you can do is actually live within the culture. I mean, there are things I never would have understood about American society without having actually been here and lived here. I mean, in Scotland, if you'd asked me about sectarianism, which is a whole complication of isms between Protestant and Catholic people who have been at each other's throats for decades, I could have given you a whole talk just on that subject. But when I landed on the ground in America, I never would have anticipated or understood the racism and other social issues of this country that change the way that people react to things. There are statements that you could make in Britain that you just couldn't make here, because they would be really offensive, whereas we wouldn't think twice about it. So living within that culture, learning their language, even just a little bit, trying to get into the mindset of somebody from that culture, is a really good place to start. Studying their history is also a great...
I really agree.
It often feels to me like each state in America is almost like a little country; there are just all these little differences. Yeah, that's a very good point, thank you Sonny. Yeah.
Yeah, I think that a company's culture... I was just saying that I think that a company's culture very much changes the way that the people within that company think about things. It's certainly something to consider when looking at engineering within a company. So, anybody else have any questions?

I don't know if everybody heard that. The question was that holding the door open for a woman, he thought, was a British tradition, and I would say that, much like the Oxford comma, which apparently is commonly used here, we've kind of let that slide a bit. People hold the door open for each other, but there's not this kind of thought process that I have to hold the door open for a woman, or that I'll wait until she goes through before I follow her. It's just different. I mean, it's not necess... oh, do you? Oh, aye, okay, so maybe it's just the Scots who are barbarians. Apologies about the English comment earlier, by the way. Anybody else? Great, well, thank you very much for sticking with me.