A History of Social Engineering: From Mass to Interpersonal to Masspersonal
12:56AM Jul 28, 2020
I think it's safe to say many of you here are very familiar with what's generally thought of as social engineering. Our next presentation will take a deep dive into the subject, including some less familiar areas of social engineering. We present Robert W. Gehl and Sean Lawson with A History of Social Engineering: From Mass to Interpersonal to Masspersonal.
Hi, I'm Robert W. Gehl, Professor of Communication here at Louisiana Tech University. I'm calling in from beautiful northern Louisiana.
And I'm Sean Lawson. I'm a Professor of Communication at the University of Utah and I'm joining you all from sunny Salt Lake City. Today we're going to be talking about the work that we have been doing on the history of social engineering, which spans the histories of hacker social engineering, which we're sure you're all pretty familiar with, but also includes looking at the early influence industry, PR and propaganda, which we call mass social engineering, and spanning to more recent developments in what we call masspersonal social engineering, which we will spend some time in the presentation defining and explaining for you. And so with that I'm going to turn it over to Rob to get us going on the presentation, and we're going to switch over to slide view here and you won't have to look at us anymore, which is probably a good thing. And then we'll be back with you at the end for questions and comments. So Rob, take it away. Thanks, Sean.
Sean mentioned we're going to present a history of social engineering from mass to interpersonal to masspersonal. Let's dive right in. On July 4, 2017, a performance art flash mob appeared at the doorstep of the White House in Washington, DC, and they were there to protest the presidency of Donald Trump. They wore American Revolution-inspired costumes and were singing songs from Les Miserables. The event was well attended, in large part because the Facebook advertising was sponsored by none other than the Russian government. Specifically, the Internet Research Agency, now famous for its meddling in various Western elections. The IRA spent $80 on Facebook ads to promote the anti-Trump rally. According to Nina Jankowicz, the people organizing the rally got Facebook messages from one Helen Kristofferson, who claimed to be from South Carolina, who offered to buy the advertising. The only catch was Helen would have to become the administrator of the rally's event page. Helen is guaranteed admin status in exchange for ad dollars with Facebook ads.
Helen wasn't really Helen. She was a fake persona concocted in St. Petersburg, Russia. The benefits of ad dollars of Facebook advertising to the rally planners weren't negligible. Estimates show that the ad reached roughly 50,000 people in the DC metro area. But the benefits to the IRA were many: contacts with the anti-Trump resistance in Washington, DC, Facebook data on US anti-Trump activists, and sowing continued chaos in American political life. Of course, the Russian government sponsorship of an anti-Trump rally came only months after the IRA worked to support the candidacy of Donald Trump for president. Pro-Trump, anti-Trump: the work of the IRA is all chaos, all the time. These Russian operations are eerily familiar to anyone versed in the history of information warfare, yet they're taking on strange new shapes in the digital age. Thus we need to find ways to understand the Russian operation, label its practices and grapple with them. There have been a lot of names for these activities: fake news, lie machines, trolling, disinformation, misinformation and cyber war. There's one term that we think captures what happened with the Russian IRA far better than any other. It's one that has the flexibility to account for the interpersonal dynamics of the Russian operation, as well as the IRA's ambitions to affect society on a mass scale. And it's a term many of you are quite familiar with. The term is social engineering. We're not the first ones to think of the Russian operation in this way. Kevin Mitnick, for example, referred to the Russian operation as social engineering, particularly in relation to the hack of John Podesta, the Democratic National Committee. Security researcher Thomas Rid referred to it as political engineering, social engineering on a strategic level. Another security researcher, Megan Kim, gave a talk at BSides in Philadelphia where she explained why it's useful to frame Russian information operations as large-scale social engineering.
Hacker social engineers would immediately recognize the Helen Kristofferson Facebook event takeover as social engineering: gaining trust, offering a gift and getting administrative access to a social media page. It comports with security consultant Sharon Conheady's definition: social engineering involves convincing people to perform actions they would not normally do. That's exactly what the IRA did with the anti-Trump protesters. They got the rally planners to give away administrative access to their events page. And in doing so the rally planners gave away valuable information to the Internet Research Agency. And devious tactics have a long history dating back to the phone phreaks of the 1970s, who would social engineer operators into giving them access to restricted parts of the Bell Telephone system. Pictured here: Bob Gudgel, JD Prichard and John "Captain Crunch" Draper in 1971. People like Denny Teresi would call up an operator, pretend to be a fellow employee, gain the operator's trust, and then get access to special phone company systems. He might call up an operator, for example, and pretend to be a fellow employee needing access to special test lines, lines that might allow him to do a telephone conference or break into other people's phones. This is an interpersonal con directed at one person, in this case an operator. Phone phreak social engineering translated quite easily to later hacker practices. In the 1980s Kevin Mitnick and Susy Thunder, pictured here, used social engineering to con passwords out of people or get access to networked computers. Hackers do the same thing to this day, often via email, but also over the phone or even in person. But in this presentation we want to take a wider scope than just phone phreaking and hacker social engineering. We want to read the Russian operation through the lens of another group of people who called themselves social engineers: the creators of public relations and mass media propaganda in the early 20th century.
These engineers of consent, Ivy Lee, Edward Bernays and Doris Fleischman, saw themselves as elite masters of crowds. They felt that their duty was to convince the masses through media messages. They did their work at mass scale, targeting society as a whole. Their form of social engineering appears in the 1890s and reaches its apogee in the 1920s and 1950s. Like other forms of engineering, the conception here is simple. Let's take the principles uncovered by the new social sciences, things like sociology, economics and psychology, and apply them to social problems. They drew on the social sciences to shape society via newspaper, radio, or movies. For example, in 1934 Doris Fleischman called for a dictatorship of women's fashions in the United States to manage women's tastes: with engineering exactness, it can be carried out so the various techniques of propaganda might be more efficient.
Fleischman's PR partner and husband, Edward Bernays, also builds on this idea. His essay "The Engineering of Consent," published in 1947, is especially relevant because it focuses on the new mass media to elaborate techniques of social control. It's worth spending a bit of time on this particular essay by Bernays. Bernays argues: today's leaders, with the aid of technicians in the field who have specialized in utilizing the channels of communication, have been able to accomplish purposefully and scientifically what we have termed the engineering of consent. He goes on: words, sounds and pictures accomplish little unless they are the tools of a soundly thought-out plan and carefully organized methods. If the plans are well formulated and the proper use is made of them, the ideas conveyed by the words will become part and parcel of the people themselves. We see in Bernays's plans the application of the new social sciences to society. This is analogous to the application of scientific principles to physical engineering. Much as an engineer would take scientific principles of physics and apply them to bridge building, the mass social engineer would take the truths of social science and implement them, perhaps even injecting them, as with a hypodermic needle, into the consciousness of people. The vision is modernist, progressive, rational and objective. It targets masses: the people, crowds, groups, mass communication and mass psychology. Mass social engineers had a vision as grand as that of their counterparts in civil engineering, perhaps even grander. Whereas a civil engineer could shape a landscape with a bridge, dam or canal, the mass social engineer would shape society as a whole, rationalizing it, ridding it of crime and class and racial conflict, purifying it, making it moral, making it efficient and improved. So social engineering has two meanings handed down to us from over the past century: an interpersonal manipulation of targets, often over the phone, email or even in person.
And an older meaning of shaping society through mass media. Because social engineering carries these two meanings, hacker con artistry and mass media propaganda, we find it to be an excellent way to think about the Russian operation. In fact, we suggest the Russian operation weaves together both meanings of social engineering into a third form we're calling masspersonal social engineering.
We see masspersonal social engineering as a manipulation of individuals, like the phreaks and hackers did, but with the goal of affecting society as a whole, like the mass social engineers. If we had to reduce this to a specific communication technology, it would be corporate social media, with its affordances for what some scholars are calling masspersonal communication. The mass engineers used newspaper and radio, and of course the phone phreaks loved telephones. Today social engineering is happening on Instagram, LinkedIn, Twitter and Facebook. Sean and I are writing a book for MIT Press about masspersonal social engineering titled Social Engineering: How Crowdmasters, Phreaks, Hackers, and Trolls Created a New Form of Manipulative Communication. And to show how masspersonal social engineering works, we're going to draw heavily on the idea of hacker social engineers. Why would we do this? Well, this is because hacker social engineers have developed a language for what they do that is brutally honest, and the concepts they use are sophisticated and eye opening. We find the language of hacker social engineers to be intellectually rich. For example, in a bulletin board message in 1993, Legion of Doom member The Mentor explains social engineering this way: for those of you who may be new, engineering is short for social engineering, which is long for bullshitting. Now our impulse as academics might be to reject this term bullshitting. It sounds crude, it doesn't sound scholarly. But as we will show, philosophers have taken the idea of bullshit very seriously. And we will too. So our presentation is the history of social engineering, but instead of telling our history in a year-by-year fashion, we will divide it up using the phone phreaking and hacker social engineering concepts: trashing, pretexting, bullshitting and penetrating. We'll use these concepts to better understand both mass social engineering of the early 20th century and the Russian operation of the early 21st century.
So let's start with the trash. The first thing social engineers do is gather information on their targets. These days we might call this OSINT, Open Source Intelligence, and use Google dorks or social media searches. Back in the day the mass social engineers like Bernays, Fleischman and Lee would talk about collecting facts about their publics. This could include basic demographic data or information collected through surveys. But the phone phreaks and early hackers had a very provocative term: trashing, or dumpster diving. Phone phreaks and later computer hackers discovered the phone companies and corporations threw away valuable information: manuals that explain corporate jargon, organizational charts, even network structures and passwords. The idea of going through corporate trash was extended into the digital realm. An article in 2600 in 1984 suggested: if you build a crosstalk amplifier you can hear a lot in the electronic garbage heap of telephone signals. Suppose one day you hear the crosstalk of a morning conversation. You can record it and decipher it. And computer hackers shared techniques of going through memory dumps. In her testimony to the US Senate in 1983, Susy Thunder referred to this as garbology, which is another fascinating term. So we like the phreak/hacker term trashing because it implies going through things that people have thrown out, things that are overlooked, things that are forgotten. It captures the same act we do when we do research on the internet. We see this logic in contemporary interpersonal hacker social engineers' use of data dumps or OSINT research. As for the mass social engineers of the early 20th century, they talked about similar things back in the 1940s, suggesting that advertising engineers should go through a household's empty packages, that is, their trash, in order to learn what people are consuming. As for Russian interference in western democracies, one example of trashing included going through abandoned Hillary Clinton staffer email accounts.
As the Associated Press reported in 2017, operatives with Fancy Bear began testing old Hillary Clinton campaign staff emails. One of the first emails they tried was for a staffer named Rahul Srinivasan. His email had been unused for nearly a decade. Like many of us might do, he threw it away when that part of his career was over. It took several waves of working through similar discarded email addresses that were known to be registered with the hillaryclinton.com domain before the Fancy Bear team found active email accounts, narrowed their list of targets and eventually spoofed John Podesta into clicking on a malicious link. Like the trash bins behind the phone company, the internet itself is a digital dumpster containing out-of-date and discarded information that has to be sifted through in order to glean enough to refine an attack. So now let's turn to pretexting. After going through the trash, a social engineer has to come up with a role to play, a pretext. A classic pretext for the phone phreaks was of course playing the role of line repair person calling from the top of a telephone pole.
A more recent example might be pretexting as a doctor. We're unfortunately living with a global pandemic. Doctors are trusted figures. Want people to trust you? Maybe you should get on eBay and buy a doctor's lab coat. It's important to note that social engineering pretexts often exploit racial and cultural stereotypes. As social engineer Chris Hadnagy puts it, the goal of the social engineer is to get you to make a decision without thinking, and a way to get your target to not think is to have pretexts that play to existing stereotypes, including racial, gender, sexual or class stereotypes. For example, Sharon Conheady notes that the pretexts available to her, since she presents as a petite woman, include cleaner, teacher, or waitress or caterer. She knows she has trouble when she plays a role of IT support, even though she knows a lot about computers. When she pretexts as IT support and wanders around a building, people come up to her and ask her if she's lost. "Much as I hate it," she says, "you play to stereotypes." This can include things like accents. These days social engineers might use an Indian accent, or hire someone to do this, to play the role of tech support over the phone. In the 1990s they might have used a Japanese accent, as Kevin Mitnick did. Mass social engineers also played to stereotypes. In fact, the concept of the stereotype was developed during their day. Edward Bernays talked about stereotypes extensively, arguing: we all have stereotypes which minimize not only our thinking habits, but also the ordinary routine of life. He argued that the mass social engineers needed to take advantage of such stereotypes. The PR team of Bernays and Fleischman worked for the American Tobacco Company, with the goal of increasing smoking among women. They used stereotypical images of thin women to associate thinness with smoking.
"Reach for a Lucky instead of a sweet" was the slogan. Unlike hacker social engineers, though, mass social engineers like Bernays and Fleischman did not perform their own pretexts. Instead they used proxies, like a group of high society women in New York City who were convinced to throw a green ball in 1929 to promote green as a fashionable color. What Bernays and Fleischman failed to mention was that the green ball was covertly sponsored by American Tobacco. The goal was to ensure that women would find the green packaging of Lucky Strikes to be fashionable. As for the research on Russian masspersonal social engineering, it shows that they used multiple pretexts, including Black Lives Matter and Texas gun rights activists. We already saw at the beginning of this talk how the Russians used the pretext of anti-Trump activists after Trump won. The goal of all these pretexts, Black Lives Matter, Texas gun activists, anti-Trumpers, was to amplify existing social roles and debates in order to create more divisiveness in the United States. The Russians tapped into existing stereotypes in American society with their pretexts. In the specific case of pretexting as Black Americans, the Russian operation was bent on suppressing the vote, discouraging Black Americans from voting since the system is stacked against them. According to the 2019 State of Black America report, Russian propaganda specifically targeted African Americans through a wide-reaching influence campaign, with tactics including posing as legitimate activist groups, eroding trust in democratic institutions and spreading disinformation. Of course, one of the major concerns about the Russian masspersonal social engineering operation was that it can be done at a large scale. The use of automated social bots on Twitter, for example, has gotten a lot of attention. In a study on the use of Twitter bots during a recent election in Sweden,
researchers found that a large proportion of accounts discussing the election exhibited bot-like behavior, and the researchers argued that they were likely controlled from Russia. Controlling a major proportion of an online political conversation is pretexting on a mass scale. However, research on the Russian operation also found that they built interpersonal relationships online. The connection between Helen Kristofferson and the anti-Trump rally is but one example. This is more akin to spearphishing than the larger scale of pretexts using bots. And now I'm going to turn things over to Sean, who's going to continue the presentation.
As for bullshitting, recall The Mentor's definition of social engineering as a way of saying bullshitting. Bullshitting is arguably the core practice of social engineering, and the concept of bullshitting is a very rich one. After background research and coming up with a pretext, the social engineer has to engage with the target. And this is where bullshitting comes into play. Bullshitting is, in fact, the more common term for phreak and hacker social engineering, especially in the late 1970s through 1980s. Zines like TAP and 2600, as well as underground bulletin board service posts, included articles on how to bullshit effectively. You mentioned that we find hacker social engineering terms to be intellectually rich and insightful, and bullshitting is probably the best example. We define bullshitting as a creative mix of deception, accuracy, and friendliness. We get this definition from two key theorists who, like phreaks and hackers, see the conceptual importance of the word bullshit. To define bullshitting, most people turn to an important book of philosophy, Harry Frankfurt's On Bullshit, published in 1986. In it he distinguishes bullshitting from lying. Lying is predicated on knowing the truth and telling the opposite. To lie, a liar needs to know the truth. Bullshitters, on the other hand, are indifferent to the truth. The bullshitter does not know, and does not care about, the truth. Keep in mind that this does not mean there is no role for accuracy or facts. After all, if social engineers have no regard for any facts, why dig through garbage, or pore over social network feeds, or try to come up with realistic scenarios? They want their pretext to be as plausible as possible, so they will learn jargon, dress authentically, speak in the proper cadence, or write in a tone that makes their pretext believable. In other words, they do it to try to get things right. Facts or accurate statements are grabbed as needed, and mixed with other statements that are plausible, but may or may not be true.
Second, we turn to an essay by communication scholar Chandra Mukerji, "Bullshitting: Road Lore Among Hitchhikers," which takes up another common meaning of bullshitting, as in shooting the bull, bull session, shooting the shit, or friendly sociable talk. Mukerji, like Frankfurt, found that truth was less important among hitchhikers who were telling road stories. Instead, she argues, bullshitters are playful and sociable. Creating community is their goal, but being friendly is not just about kindness; it helps manage perceptions of others. The playfulness is meant to be plausible so the bullshitter can maintain their social status. Our analysis combines Frankfurt's conception of bullshitting as indifference to truth, a sort of instrumental series of statements that mix deception and accuracy, with Mukerji's emphasis on friendliness and sociability. This can be seen in an example of phone phreak bullshitting videoed at the first HOPE in 1994, and we encourage you to watch the video. The link is provided on the slide here. In this scenario, s in called up Sprint in order to get a customer name and address number, a number that only Sprint employees should have. And in doing so, he bullshits very well. He mixes deception, claiming to be barbed wire from Sprint social engineering, with accuracy, using the lingo cis Ts cn sachet, and he's very friendly and kind to his fellow employee while doing it.
Unlike the phreaks, the mass social engineers did not often use the word bullshitting. Perhaps using the term would reveal too much about their work. There is one example that we have seen, however, of folks from this era of social engineering using a variant of the term. In 2010 John Martin Campbell recounted his time as an Air Force psychological warfare officer during the Korean War in his memoir titled Slinging the Bull in Korea: An Adventure in Psychological Warfare. He recounts that when he arrived in Boise, Idaho for training in 1951, a sign posted outside the squadron headquarters included a picture of a snorting bull with a caption that read, in Spanish, the bull is mightier than the bullet. The caption reflected the belief at the time that carefully chosen words, whether presented as promises or propaganda, often prove as powerful as bullets. Campbell explained that the first requirement in leaflet production was to tell the truth, or at least the truth as the Army saw it. Campbell is an exception, however. Most of the mass social engineers never publicly called their work bullshitting. But whether they used that term or not, the mass social engineers definitely engaged in bullshitting. So for example, in 1914 Ivy Lee was hired by the Rockefeller family, who were facing bad publicity because mining operations they owned violently put down a strike in Colorado with paid strikebreakers. The strikebreakers shot union members and burned their tents. Several children who were hiding under a tent were killed. We now call this event the Ludlow Massacre. Lee worked to smear the union using bullshitting. He mixed deception, claiming the union leaders were paid much more than other union members, and that the union started the battle. He used accuracy in sharing facts about Colorado coal and its role in the national economy.
And he did his work in a cheerful and generous manner as he smeared the union. Russian masspersonal social engineers also bullshit. They deceive people, as is now obvious: they were definitely not Black Lives Matter activists or gun-owning Texans. This is why we're hearing so much about the Russian operation being fake or being lies. However, we think that simply calling the Russian operation a bunch of lies misses what they did. They didn't lie, they bullshitted. Reports on their operation note that they tried to get things right, particularly the language and politics of the American groups that they were targeting. They were friendly, playing games with people that they engaged with, sharing inspirational images and being kind. So one example from a US Congress commission report illustrates this. Here's a collection of Texas-themed memes the Russians shared on social media. And there's a lot of bullshit here. We have fake statistics about how successful Russia would be if it seceded from the United States. We have, of course, images of Texas, and this includes images of Texas wildflowers and wildlife. So here we see a mix of deception, accuracy and friendliness. This is, quite frankly, bullshit. As the phone phreaks and hackers taught us, bullshit containing all these elements is very effective for social engineering. Finally, let's turn to penetrating. Again we reach for a hacker term to understand social engineering in all its forms. Professional hacker social engineers now often refer to themselves as penetration testers or pen testers, and pen testing is of course a job where organizations hire social engineers to test their security. Pen testers might use phishing or in-person engagement, and any security holes they find ought to be written up in a professional report and of course reported to the client. Their goal is relatively clear: access or penetrate a system or organization.
But despite being professionals, we can still rely on hackers to tell the honest truth. "I just want to eff you up," says Jayson Street at DEF CON 19. "I just want to mess you up in the worst possible way. I want to be the worst thing to ever happen to you at the worst possible time." Street is presenting his approach to penetration testing. He has stolen purses, laptops, even cars, all while being paid to do so. His viciousness (his talk is titled "Steal Everything, Kill Everyone, Cause Total Financial Ruin") is not prurient, however, but rather is in service to a greater goal of security. Pen testers like Street aren't doing this for fun, but for our benefit.
As Sharon Conheady puts it: remember, once you are a social engineer you deceive, manipulate and trick people for a living, but you also educate them, and social engineers are very successful at deceiving and manipulating for good. So, when asked how many buildings she's penetrated, Jenny Radcliffe coyly responds, "too many to say." This perspective, that we break security in order to improve it, that our skills are superior and that we are inevitably getting in, reflects the elitism of hacker social engineering. We are getting in, say the pen testers, but we're doing this for your own good. We're effing you up to help you. This mixture of elitism and social engineering for our own good also appears among mass social engineers. Recall Doris Fleischman's call for a dictatorship of fashion, where elites would simply tell women what to wear. Likewise, Ivy Lee held similar views, arguing that the crowd craves leadership. If it does not get intelligent leadership, it is going to take fallacious leadership. We know that the leadership which the mob has often received, not only in this country but in other countries, unless corrected is liable to produce disastrous consequences. And Edward Bernays mounted a defense of propaganda in democratic societies in his famous 1928 book Propaganda. Mass social engineers also used the language of penetration. Specifically, they sought to penetrate media markets, media systems and ultimately news coverage. Success for them was defined in terms of numbers of newspapers covering events, how many news stories and letters to the editor. Here's the front page of the April 1, 1929 New York Times, a paper that Bernays and Fleischman were excited to see because it mentioned a media event that they created, getting young women to smoke in an Easter Parade. It's the highlighted story on the left. We even have penetration ideas from the mass social engineers.
The hypodermic or magic bullet vision of communication, where the right message given at the right time can affect the behavior of masses. This is a conception of communication as a form of penetration, in this case of the mind rather than a computer, and it's still quite implicit in contemporary thinking today. So like ethical hacker social engineers, the mass social engineers also saw what they were doing as using elite knowledge for public good. Bernays, Fleischman and Lee all saw themselves as social elites who were in service to leaders in industry and government. They saw their job as controlling the unruly masses who would, if left to their own devices, destroy society. Only through the beneficent control of mass social engineers could we enjoy life in America to its fullest. Again, let's take this hacker social engineering term, penetrating, and consider the newest social engineering, masspersonal social engineering. We see in the IRA operation a mixture of the interpersonal hacker form of penetration and the mass social engineering form of market penetration and manipulation. The scale and scope of the operation was large, and many researchers measure it in terms of social media metrics: likes, shares, follows, impressions, etc. It also at times relied on the more precise, almost individualized targeting that their surveillance of social network activity increasingly allows. So we shouldn't forget, then, that the IRA et al. got individuals to take real-world actions. A key example is the organization of two competing protests at an Islamic Center in Houston, Texas. Of course the big question about IRA interference in western elections is: were they effective? Did they penetrate society, such as America, with their messages? Debate about whether or not they affected the 2016 election is still raging. This is similar to the long-standing debates over the effectiveness of mass social engineering.
And the fact of the matter is measuring such effect is very hard to do, even to this day.
But one thing is for certain, the Russian ability to sow chaos in American society is part of a larger Russian mission of maintaining its global position as a superpower. And this is where we turn to the beneficial aspects of Russian interference, at least from the Russian point of view. They Fs up for the good of the world, which is the truth, at least as they see it, and they see their ability to interfere in western democratic processes as an indication of their own elite prowess. With these hacker social engineering concepts trashing pretexting bullshitting and penetrating in mind as we consider them at scale, we start to add complexity to our understanding of the Russian operation to sow chaos in western democracies. Makes sense we suggest to call these efforts social engineering, because it echoes the older mass social engineering of the 1920s, as well as the newer hacker social engineering of the 1970s onward. We would suggest that the process of mass personal social engineering includes research culled from Digital sources including overlooked digital information, pre texts, based on social media profiles. These can be done at mass scale via automation, or in a more interpersonal approach with human controlled accounts, the deception, accuracy and friendliness of bullshitting. Finally, ambitions to penetrate media systems or debates with a goal of shaping a target populations, opinions, and actions. And so with that, we thank you for your time and we are going to be happy to answer any questions or hear any comments that you might want to make.
This is A History of Social Engineering with Robert W Gale and Shawn Lawson. Thank you both very much for joining us.
We'd like to invite those of you attending HOPE to ask Robert and Shawn your questions. Please post them to the livestream Q&A channel in our Matrix chat, and they will be relayed here. We have a question from the audience, which is: are we destined to repeat history?
In terms of, assuming, an upcoming election? My guess is, yeah. It hasn't, not much has changed now. Regardless, a lot of studies of the efforts by the IRA et al. show that they're ramping up their efforts even after the election of 2016.
We have another question, member of the audience asks, How can we tell if a.
It's kind of an interesting loop where, and because I actually asked that question, because we were having a common conversation in Matrix about the talk yesterday about the effectiveness of social bots, and the researcher presented and Michael yesterday suggested the social bots weren't particularly effective. The problem is I don't know how you measure the effectiveness of something like a social bot changing a mind. I'm not sure, because there's no experimental isolated group we could work with, and it's very hard to crawl inside people's minds to figure out what they're thinking and if a tweet changed a mind. And I think Shawn has a lot to say about this, because he's kind of concerned about the industry that's producing a lot of these discourses and reporting or claiming just to try and shape political debates.
Yeah, so, I'm not quite as concerned about, you know, an individual bot changing an individual mind, right? I don't know that you're ever really going to be able to measure that, and I don't know that that's really happening so much. I think the pathway by which perhaps minds are changed is probably more in the aggregate and over time. And that's going to be also a difficult thing to sort of measure. But I also think that there's a lot more to masspersonal social engineering than just the automated Twitter bots that we have all heard about, and I think it's the thing that people really focus in on because, you know, it doesn't really even take a lot of training to be able to go out and start uncovering bots and finding accounts that are obviously bots. And then, you know, seeing who are they following, are they retweeting, what hashtags are they using, and start, you know, putting together those pretty, you know, colorful network graphs that individuals in different organizations put together and publish online. And so that all seems really sexy and cool, but I'm not sure that the bots are the thing that really is worrisome to me. What's more worrisome to me are the kinds of techniques you see deployed by groups like Cambridge Analytica, for example, and again there's a debate around whether or not those techniques actually worked or not. I think there's a much better argument to be made that those techniques had a higher chance of potentially having an effect than the bots. And those techniques of course revolve around, you know, collecting lots of data about all of us online and then essentially weaponizing that data back against us in terms of being able to micro-target against us individually or in very, you know, very small segmented groups that can then be targeted in key locations to try to change their behaviors just enough to change actions and behaviors in the real world. So for me that's the more concerning thing than the bots.
Yeah, another member of the audience asks, any advice on what you think we can do to counter this?
Well, one of those security researchers that I talked to, or actually, somebody working in security, said something that really provoked thinking along these lines. He said, I'm a knowledge worker, but I don't have time to think. And one of the things that we talk about constantly is the speed of information flowing over the networks and all the things that we have to juggle all the time as part of our work if we're working with information. And I think that's an environment that's really ripe for social engineering of all these different types. So my, if I could wave a magic wand, I want to slow down media, to be honest with you, and I don't think that's gonna happen. But that seems like one of the. Maybe there's a way to put together a media system that's just simply more slow and thoughtful than the system that we're kind of subjecting ourselves to these days.
Yeah, I mean, I also think, and I suspect a lot of folks in this crowd already do these sorts of things. And this is where I sometimes go more towards individualized solutions, like what you can do as an individual, and Rob has a tendency more to talk about systemic-level issues like the media system. But I think just good opsec, good personal opsec on all of our parts, could go a long way in helping, right, like reducing the amount of information that you're putting out there about yourself. You know, because that information that you're putting out there, that's the digital garbage that we're all leaving behind that the bad guys, whether it's a hacker social engineer that wants to come along and, you know, get into our email or get into our computers, is using, and it's the same kind of digital garbage that the Cambridge Analyticas and the Russian trolls of the world are potentially aggregating and using to target us individually or in small segments to try to manipulate, you know, elections and manipulate behavior in the real world. So, you know, be careful what you're putting out there about yourself.
And this is one of the debates that Shawn and I are constantly having, because, in my view, that puts way too much pressure on each individual person to defend themselves. And so we need to think about aggregate solutions about data protection at, you know, nation-state or global level, and probably we need to mix both.
Right, I agree we need both. I mean, we really absolutely have to have systemic and structural change, ultimately, to address these issues. But in the meantime, you know, I think we all have to take care of ourselves as best that we can.
Another member of the audience asks, I say I enjoyed your characterization of Bernays and Fleischmann. My question is whether this directly fed into the history of advertising, i.e. thinking back to the early days of television. Is that a logical arrow of evolution to follow?
It's part of the story. Yeah. But Bernays and Fleischmann saw advertising as one of the tools in the toolbox. They did some really innovative things to, as Bernays will put it, kind of shape the social environment of people. And so one of the things we mentioned in the talk is the Green Ball, which wasn't an advertisement per se. It was Bernays and Fleischmann encouraging a bunch of high society women in New York to basically make green the fashionable color of the year. And that was all in service to American Tobacco, which was trying to promote Lucky Strike cigarettes, which came in this green packaging. And they were trying to encourage more women to smoke. So getting people to think green was fashionable, and therefore I could carry this package of cigarettes around, it matches my, you know, outfit, was a goal that they performed, and they did get media coverage. And so that's not really an advertisement, and to use the language that we're picking up, it's a pretext, which I think is a distinction, or a distinct entity, from advertising.
We are asked: are all levels of interaction compromised? There's interpersonal, mass media, but is there something else, like communal media in some form?
Looking at you, Shawn. Oh man, I don't know. I thought this is where I give a pitch for, like, Mastodon or alternative social media, that's your. That's your hobbyhorse lately. Yes it is.
Yes, I definitely recommend leaving corporate social media for the alternatives.
I mean, I don't know, in my case, you know, in my own. You know, I guess this gets back to the individualized solutions and responses versus systemic. You know, in my own personal case I mostly try to follow people that I vet, you know, myself, and I try to make sure, like, they're real people and they're legit. And I usually, you know, I take all the folks that I interact with and I put them in categories, I put them in lists, so like if you go and look at my Twitter profile, you'll see that I follow quite a lot of people. I'm pretty generous in terms of, if people follow me, I usually follow them back if they look, you know, halfway legitimate at all. But the only ones I actually see content from are really the people that I sort of curate out into different topical lists, and those are the folks that I really pay attention to. Because, you know, I'm sort of paranoid about, you know, being one of those people that falls for some trick and I retweet something that was, well, bullshit, right, and then everyone's like, haha, you have a PhD but you retweeted this thing from a bot, or whatever, right? So I'm like, I don't want to be that guy. And so, I mean, I guess. Yeah. Like, that's one way to deal with it on an individual level if you're worried about interactions being compromised: just try to have fewer interactions and narrow the scope of the content that you're consuming, the people that you're following and that you're interacting with. I mean, you know, we could probably all do with slower media, as Rob said, and probably, you know, a smaller stream of information that is coming at us, you know, from the firehose every day. We're all going to be okay if we don't have, you know, as many tweets and Facebook posts and garbage being thrown at us every day, and if we're a little more careful in terms of, like, curating our sources and paying attention to what it is we're consuming and what it is that we're sharing.
Talking of the stream of garbage that sirna says someone asks, Can quasi real time third party fact checkers bring back custom random media could that be the future.
Actually there's a lot we can learn from the history here. So if we go back to the mass social engineering period, so, you know, turn of the century, 1900 through 1940s. Around that time the progressive movement was really interested in what muckraking journalism and the basic idea was: let's collect facts about, say, this large corporation, this monopoly. We'll present the facts to the public, and the public will become outraged and want to regulate that company or rein it in somehow. And that got picked up very quickly by the mass social engineers, who said, all we're doing is dealing in facts, but we're giving the facts as basically our patrons want them presented. And so I don't know facts are the antidote. Because I think when we look at bullshitting, the term we're taking seriously here, it's a mixture of facts and deception and friendliness in such a way that it's very, very convincing and almost overrides an interest in facts or just pure information in that sense.
A member of the audience asks, how do we protect or inform the average person who does not know that this is happening to them, and they fall for it and then they believe it? Now their minds are even harder to change.
Yeah, a lot of people working on this, how do you do so, to take up a conspiracy theory, like a conspiracy theory about a global pandemic, for example. And a lot of the research shows that you can't just simply, again, throw facts at somebody and say, look at all this, you know, how could you be taken in by this hockey duped. You almost have to take on their mindset for a while, think about the conspiracy theory, think about why it's attractive to that person, and then slowly kind of chip away at it. So it's not a matter of just simply throwing information at people. It's really meeting with them and doing the hard work of that kind of interaction and debate, discussion. It's something that, at least in the US, we seem to be shying away from. You know, when family comes to visit, we're told, don't talk about politics, don't talk about religion, and so on. Maybe we have to talk more.
I think, you know, another idea that I have had, and, you know, I don't know if this would work or not, I guess this would be a thing for, you know, some of our more social science kind of colleagues to test out in more of an experimental kind of setting. But it seems to me that, you know, if you talk to some people about the bullshit that maybe they have fallen for online, they get. Leave that they have been duped and that, you know, they got fooled and maybe they're helping to perpetuate a lie. But I think if you talk to people about how, you know, there are large companies like Facebook and Google, or there are shadowy sort of marketing companies like Cambridge Analytica, which is a subsidiary of a foreign defense contractor, and hey, look what they're doing in our election, that that would upset a lot of people, regardless of what, you know, they believe in their own sort of personal political beliefs. I think a lot of people would be upset about the idea that, you know, there are hidden forces, where there are nefarious actors that are trying to manipulate you behind the scenes, that are using your information against you to try to con you in some way. And I think a lot of people would react negatively to that. So maybe that's the angle to talking with people: not necessarily going after the bullshit that they believe, but trying to educate them about the fact that, you have to, there are all of these companies and nefarious actors out there, honestly, throughout the whole spectrum, you know, the whole political spectrum at this point, that are trying to manipulate and control and push us maybe in directions that we wouldn't otherwise go on our own. And so people might be a little more receptive to that kind of message than the message that says, hey, you got duped and you're an idiot because of it.
The I want to quickly plug up alien parets talk yesterday at 11am Eastern was really good Now regarding did a lot of what Shawn was saying, I thought that was really effective and that people I encourage people to look at that video. Great.
And we'll have to leave it there because we're just about out of time. This has been A History of Social Engineering with Robert W Gale and Shawn Lawson. Thank you very much indeed for joining us today. Thank you.
Thanks a lot.