Tuesday, March 06, 2007

Does Social Engineering = Fraud?

With all the conference blogging I've been doing lately, I haven't blogged about something I read in February that I've been thinking a fair amount about. Mordaxus over at Emergent Chaos made a compelling argument to get rid of cutesy names for attacks like pharming, phishing, and pretexting, as they are exclusionary jargon that prevents people from understanding the issues at hand. Overall I totally agree with him on the exclusionary jargon ban, though I will miss saying w00t.

However, something in the post has been occupying my thoughts for some time now (obviously), and my consternation gets worse every time I hear another person toss out 'social engineering = fraud' with disdain and disgust, like only an uneducated plebe would use the term social engineering anymore.

Social engineering != fraud all of the time. Sometimes fraud is just fraud, like counterfeiting currency. And sometimes social engineering is just social engineering, like dressing nicely, smiling sincerely, and treating the ticketing agent like a human being so you stand out from the masses of annoying and frustrated travelers as a Nice Person That Should Be Upgraded To A Premium Seat Without Having To Ask. That isn't fraud, that is understanding something about psychology and sociology that you apply in human interactions to help yourself come out ahead. Social engineering is a concept, a practice if you will, that can be used for malicious purposes, but in and of itself does not require lying, misleading, deception or fraud!

So I would suggest that saying 'social engineering is a con job' is an oversimplification that contributes to shallow thought by the masses. Like calling all of these populations:
- people who find security vulnerabilities and report them
- people who write POC code
- people who reverse engineer security patches
- people who write/release worms
- people who steal your credit card number and passwords via keystroke loggers and a botnet


Too much jargon and exclusionary language is bad, but so is oversimplification. Should people be afraid of botherders? Yes. Do they need to fear and revile security researchers? No. Well, not all of them anyway. (ha ha, it's a joke people)


(Adam, it would be super if you were able to hook up trackbacks on EC so I don't feel the compulsion to crosspost a comment on your blog to my own so it appears in both places. you know, with all your free time.)
