When I’m fortunate to get some time to relax, I like to take a portable art project like hand-sewing outdoors to work on. If I can set myself up by water, that’s even better! Better still to add human companionship by going on a group campout. It’s always nice to take a little break from kayaking and other active pursuits and sit down around a campfire. If I should happen to get stuck with a lot of rainy weather and have to stay under a shelter for awhile, I’ll never be bored waiting it out if I have sewing with me to do. I have more camping trips planned for this season so I’ve prepared some next steps in three different current sewing projects to work on while I’m out there. These are easy to transport rolled up and carried in a bin with a selection of sewing threads and tools.
I’ve readied the right side of Experimental Art Quilt #2 in preparation of adding some accents in blue scrap fabrics and blue thread. The image above shows how I used computer graphics to plan out the red triangle area that I sewed during the last campout. I knew the finishing touches on this were going to either make or break it, so I tested out the red area in Adobe Illustrator first before stitching it. I think after adding the blue area, I’ll go back to the pale yellow areas for a bit of subtle texture, then I think it will be ready for the border to complete it.
Here are some of the scrap strips I made earlier combined with some fabric that is going to frame it in a reverse applique technique. I make a lot of strips of both paper and cloth scraps to incorporate into other projects later. I’m turned on by the idea of one stripe being colorful and rest being all neutrals.
My favorite shirt from the 80s is on the left. It used to be white and black with short sleeves and a collar. Over the years, it got so stained and faded that I stopped wearing it, but I could not bear to get rid of it because I loved the pattern so much. In 2018 I dyed it my favorite color lime green when I had a batch going for my wedding, and last summer I cut the collar and sleeves off and made it into a vest. Now I wear and enjoy it once more!
On the right is that salmon-colored shirt I’ve been stitching on. When I bought this shirt it was white with black. Yes I still love black and white shirts with Aztec-looking designs on them! The first time I wore it, it got stains on it from riding a chartered party van to and from a Rush concert (May 2015 during their farewell tour – EPIC day and night by the way – my brother and his friends started partying at brunch, I joined in a group pre-show BBQ about 3 pm after getting my day’s work done). I don’t know what got on the shirt, but I could never get it out. I put it aside for future dye experiments to try to fix it. I made two different mistakes when dyeing because I was in a hurry and ended up with even more stains and splotches to try to cover up. So I decided to put embroidered patches on all the bad spots until they were all covered up.
Patches on the front are done, though as it gets closer to completion I might add some decorative trim from top to bottom around the center panel to tidy it up. It doesn’t have to be symmetrical, but I think it needs to be a little neater. Now I’m starting work on the back. Sleeves will be last. Although the look is different, the concept of patching clothing with decorative stitching was done very well by the Japanese with the art of Boro, which I would love to try out in the more traditional Japanese manner sometime.
This was a lightweight, airy shirt when I first bought it – now it’s going to be a bit heavier because of the layers, maybe for fall wear. Probably when it gets close to completion I’ll add some white or metallic or both to the yoke area to bring the focus back to the neckline area. In the meantime, I’m having a lot of fun doing the stitching in different weights and colors of thread, like salmon, peach, rust, and coral to see what happens!
Toward the end of my recent Social Engineering class at Webster University, we were asked to speculate on our final exam and in class discussions on the future of social engineering in the face of upcoming technology trends. Here is a compilation of some of the questions followed by my answers.
“‘Question: What will social engineering look like in 10-15 years? New SE techniques to use against targets? Better AI defenses protecting from online attacks? What is going to happen going forward?’
I was looking through some magazines my brother gave me last year and found articles relevant to the topic of future security challenges. The pandemic may not have put a freeze on innovation for a full year, but it probably slowed things down. So these articles I’ve viewed are probably not too out of date. My participation in the IT industry over the years has been as a creative – so I’m not that technical. I’m summarizing the technology aspects the best I can from one article in particular – “Technology Predictions from a [Precision] Electronic Test Thinktank”.
According to Microwaves & RF magazine, these are some of the trends that will help shape the future (Alexander and Harris). As I summarize I will frame them to emphasize issues most relevant to social engineering.
5G networks will increase the power and capabilities of anything that is wireless, creating more innovation and adoption of applications.
Much new software with updated standards and certifications will be needed to run all these new applications, and users will need to be educated on what the software is capable of.
Artificial intelligence will be built into processors and chips. Quantum systems will need this capability to “control, measure and error-correct”.
Hardware will be designed to exploit the new faster speeds and processing power. Customers for the hardware are interested in providing satisfactorily speedy service to users but are even more intrested in “customer traceablility through the network for application monetization”.
More collaboration between international regulatory agencies and the technology providers will be required.
More consumers will use “Internet of Things” products and these devices will increasingly communicate with each other.
Human intervention will increasingly be removed from the loop.
Engineering education will become more holistic and interdisciplinary to bring awareness to engineers on the effects of technology on society and the environment and to aid in the developement of artificial intelligence, automation and robotics.
In my Project #2 for this class, an important part of the (proposed, hypothetical) operation is to identify individuals who are more prone to risky behavior, and exploit that tendency. I did some research on the psychology behind risky behavior to refine the ideas. I found an article by a psychologist that was very persuasive to me. One of his theories is that there are people strongly attracted to sensation seeking that sometimes can go too far and take their search for new thrills into risky territory (Zuckerman). Sensation seekers enjoy novelty and constant change among other things. Tech gadgets are a great way to appeal to the desire for novelty and change since there is something new to try seemingly every time you look. If predictions are correct that the Internet of Things will enjoy increasing adoption and power, I see this as a great vulnerability – especially since psychologically, the people seeking the most novelty and change could be the same indivduals who engage in risky behavior and therefore could be less concerned with safety breaches.
While doing research for Project #2, I uncovered an article about a hidden microphone in an IoT product being misused to harm people with verbal abuse in their home. The manufacturers and designers left the vulnerability there, and hackers exploited it (McKellop). We could be even more vulnerable if manufacturers, designers, regulatory agencies and software developers go beyond carelessness and perpetrate deliberate harm. This is not a far-fetched concern because it has already happened. Facebook experimented on its users to manipulate what they posted by causing sadness among other emotions (Booth), and Google has experimented with how to manipulate our behavior by creating anxiety and causing cortisol levels to go up in users of its products (“Brain Hacking”). These practices harm human health, mental and physical. With more devices in the home, we theoretically would be increasingly prone to failing to keep up with all the threats, and not necessarily only from humans.
There are science experiments being carried out now using fungus organisms to build networks that can carry electrical signals, like computer chips. The carrying ability is confirmed, but they are too slow to replace silicon chips – for now. Some fungi are capable of performing tasks such as foraging for food, hunting live meat, navigating mazes, warning plants in it’s network about insect hazards, controlling the behavior of invertebrate animals, moving resources around to plants in the network that need it most, inhibiting some kinds of plant growth and teaching themselves to exploit new, previously unknown food sources, such as cigarette butts. That’s not a complete list but enough to give you the idea. Networks that connect plants with fungi and with each other are known as the “Wood Wide Web”. Scientists are trying to find out if fungal networks can be used for bio-computing and if we can transfer information and directives from a computer to a fungus. Scientists are also trying to figure out if fungi are intelligent or sentient (Sheldrake).
The idea of being surrounded by devices with artificial intelligence chips in them that can communicate with each other without human input is pretty weird, but looks like it might really happen. What if they find a way to communicate with fungi or other species as well? The late author Michael Crichton could write a good thriller about this if he was still with us!
I found an article that claims that Facebook robots have demonstrated the ability to make up a language that only they understand to use between themselves, while also demonstrating the ability to social engineer each other (Griffin). I have mentioned my two European Starlings before that I live with. They have the ability to social engineer me, and I have social engineered them. Their language abilities are not unlike what the article describes about the two Facebook robots. More research needs to be done (I engage in a lot of speculation in this section), but the starlings seem to me to have language that falls in about four categories. One category is a set of sounds that are hard-wired in that all starlings share. They start gaining the ability to add to that set of sounds when they are about 4-6 months old. Another set is “conversational”. They add to their vocabulary throughout life depending on what sounds are around them, and family groups and regional groups share some of the same vocabulary. My starlings have some sounds that we use between me and them and they have some sounds they use only with each other, so I wonder if they have two “conversational” languages or just somewhat diffent vocabulary for me and for each other. They have the ability to mimic human speech to the point of occasionally forming new sentences that follow predictable real life English grammar rules, including proper use of adverbs and voice inflections at the ends of sentences that fit the meaning. In other words, they have made up new sentences by combining other phrases that were not originally a question but create a question and inflected it like a question. That got my attention! They don’t always get grammar exactly right – they have added “You’re so birdy” to the list of phrases they heard from me that they love to say – “You’re so pretty”, “You’re so sweet”, etc. They can learn from other species of birds too – while boarded with two African Grays for a few days they came home with some new phrases I never say such as “Hello Princess!”. The last language category I’m aware of is the “song”. This also includes vocabulary that is learned throughout life and some of the elements are shared by regional and family groups. But it is not conversational. It’s a performance that they rehearse and refine constantly (at least the male does) and perform over and over in the same order. It identifies them individually and appears to be used for different social purposess such as humiliating defeated enemies, claiming territory, attracting mates, and showing off status. It’s theorized that the longer and more complex the song is, the greater their status is.
The birds are good at reading my body language, and I have taught myself the best I can to read theirs. We communicate on some simple matters quite well using a combination of verbal and body language but I don’t know if they know abstract concepts or how to communicate them. They have a pretty good grasp on a lot of social concepts though. Attila has a sound that means “I acknowledge your request but I don’t feel like doing it”. The sound for “ok I’ll do it” is different. They are very trainable but strong-willed. It’s fairly easy for them to learn things but if they aren’t in a good mood they may refuse to do it. She has another sound that I know means “fill the food dishes before you go to work”. They both appropriate and invent sounds and combinations extensively. I suspect that people who are studying language in all kinds of beings, including AI, could benefit from living with starlings. Mine have shown me some possibilities of inter-species communication that I never imagined in an animal other than maybe a dolphin or gorilla. If Facebook’s bots could produce and interpret a sound-based language, it’s easy for me to imagine the possibility that starlings or other animals with similar language capabilities would be able to communicate with them rather well and in languages that humans wouldn’t necessarily know. Starling’s voices are often described as “robotic” or “electronic” anyway, and even wild starlings sometimes sound like R2D2! Birds can have moods. Will AI robots have moods? If so what happens if they are in a bad mood or hooked up to a species that can have moods?
So a frontier of artificial intelligence, technology and social engineering could very well have a biological component to it that goes beyond human biology, with humans being the builder and the initial programmer but not necessarily in control. Artificial intelligence might someday interface with other species. For example is it possible that another species besides humans could learn to program fungi? Some fungi can program ants, after all (Sheldrake). Could a fungus use a computer or another species or both as part of a network to send and receive information and directives?
‘Question 5. Bring the Science of Social Engineering together with the various techniques and aspects of social media, the Triad of Disruption, along with the many methods and processes we have learned in this course, into your summary understanding of Social Engineering in the modern world. Feel free to use examples, experiences, and thoughts on the future of this discipline.’
I suppose as every person gets older, they have to reconcile what they thought the future was going to be like long ago vs. how it really is. The role of technology in our lives has been fascinating to me since I was first old enough to be conscious of it.
I have been a big fan of Mid-Century modern design, especially architecture, since I was a teenager. One of the things that attracts me is the way the shapes and lines and forms evoke emotions of excitement and optimism. From much reading and study over the years, I believe that a pervasive belief in the culture that new technology equals human progress is what drives that spirit.
During the time of Web 1.0, the “dot com bubble” era, there were new images appearing to signify the same idea in a way that referenced the internet and computers. You could indicate that your organization was technically advanced by using certain shapes and symbols, and some of them were even recycled from the Mid-Century modern era. Many people believed that a technical revolution was going to lead to a better life. It was a very exciting time. Every day I went to my job as a web designer with the feeling that I was helping remake the world in a bold new way and more freedom and prosperity for all people would result.
I feel very disappointed, and even betrayed, by what is actually happening now, so well summarized in your (I’m referring here to a diagram made by my professor Dr. James Curtis) Triad of Disruption diagram. It seems as though the destructive ideas are spreading faster than the constructive ones. This class has taught me a lot of ways to try to slow the destruction down. That is valuable knowledge to have and I will try to teach as many people as I can.
Besides knowledge needed to prevent attacks and retain as much of our agency as possible, I think more holistic education to bring more disciplines in contact with each other might be needed to remind ourselves of what it means to be human. Because I have an art degree as my Bachelor’s, I know what it’s like to be looked down on for not being in one of the STEM fields. Are the humanities looked down on and machines elevated because of people’s attitudes toward themselves? That is something I would like to explore in the future – getting back in touch with our humanity to restore some aspects of the human spirit I believe are being neglected.”
It was emotionally difficult to research and write the above comments for class because so many futuristic trends seem horrifying. I find the trends toward collectivism and robotics dehumanizing and dystopian. I’m also in a similar state to many people trying to regain a sense of connection with other people after a period of relative pandemic-induced isolation. My husband and I did not have our work routines changed as much as most, but we struggle to feel connected sometimes. Since outdoor activities are getting back to normal more quickly than indoor ones, volunteering at community gardens and camping are a couple of coping strategies we’ve been employing lately.
In the next installment of “Bringing Back the Human Touch”, I’ll write more about antidotes for an excess of technology and dehumanization!
Alexander, Jay and Jeff Harris. “Technology Predictions from a [Precision] Electronic Test Thinktank.” Microwaves & RF, March 2020, pp. 21-24.
Recently I was working on a sleeping bag for a doll, and I was looking around the house for a doll or stuffed animal that I could use to test out the size. I didn’t use it because it was too big, but I did look at a doll of sorts that I made a long time ago in sculpture class when I was working on a B.F.A. degree at SIUE. At the time I had taken the class, I had just been on a trip to Utah and had brought back with me some books on Native American petroglyphs and stone fetishes. I made a throw pillow sized soft wolf fetish with blanket and soft arrowhead for my late friend June for Christmas that year. We both shared an intense interest in Southwest travel and art. For class I made a humanoid stuffed figure with amulet bag, loincloth, and blanket.
While making the soft sculpture, although inspired by ancient Native American art forms, I did not want to refer to any particular culture exactly, rather I wanted to evoke an ancient sense of humanity that many cultures share. Throughout human history there were many ways to wear and use blankets as a part of clothing and outerwear before things like buttons and zippers were invented, and of course people still use and wear blankets in many ways today. For my soft sculpture’s blanket I chose a fabric in a garish early 1990s fabric pattern to suggest a striped blanket but not imitate any particular culture.
While working on my doll sleeping bag, I decided it was a good time to update the look of my soft sculpture. Since teaching at JoAnn Fabrics and Crafts from 2016-early 2020 I’ve been working a lot more with fabric. I decided to start with the blanket. I have a large collection of scrap fabric that I like to sew into strips to use in projects such as art quilts, purse straps, water bottle carrier straps, table runners, headbands, and more. I thought the blanket I made for the soft sculpture would look more attractive with some added strips of scrap fabric so I started piecing and sewing strips in place.
Here is how to start a scrap strip. Decide on a color scheme and lay out pieces of fabric to use. Here I decided on a neutral scheme for a future project.
Place fabric pieces good side together, and pin along one edge. Keep going until you have pinned enough pieces to make a strip as long as you need for your project. The first two photos show the same strip from the front first, and then the back, after pinning.
Using a washable fabric marking pen and a ruler, draw a line along one edge, leaving a small seam allowance. Drawing the lines will help you keep your seams straight.
Sew all the pieces together and you’ll have a strip that you can use for many projects.
Tom and I have been volunteering at a new community garden, named St. Catherine Victory Garden, at our parish, St. Catherine Laboure in Sappington. Organizer Deanna Violette compared the challenges of recent history to World War II, when people grew extra produce to support the nation through a trying time.
When we as a society are tested with hardship, the kinds of leaders I want to follow are those who bring Americans together rather than separating them into opposing factions for the divide-and-conquer type of political power. I will be continuing to help at both gardens with whatever work is needed at the time I volunteer and also special projects that I’m taking on. I’ll be writing about these activities on my blog as they happen. I’m looking forward to a summer full of sharing, teaching, learning and growing!
In a past blog post, A little weekend quilting, I showed a narrow quilt top remnant that I was given and described how I was quilting it for practice.
I used new cotton batting for the middle layer and a piece of a ripped gray bed sheet as the backing. I took parts of the waistband from an old pair of jeans and sewed them to each end, then used gray quilting seam binding to finish the edges. I used a piece of the seam binding to make a loop for hooking on a carabiner to hold the doll’s adventure camping gear.
The poor beat up Raggedy Ann doll was mine when I was young. I am pretty sure my Grandma Hasenfratz made it for me. She was an expert at sewing and crochet. She made me a lot of great things, many which I still have! I don’t know what happened to this poor doll’s clothes, but I’m thinking of making some new ones for her for the heck of it!
I sewed a lot of doll clothes when I was young – they were not well done. A lot of them were just draped fabric scraps that I sewed on and then ripped off when I got tired of them! In my mind my Barbie doll was an explorer and archaeologist by day but she must have had a very active night life as well – I sure did make her a lot of evening gowns! I had a kit to help me make good Barbie clothes but I don’t think I ever mastered it. I’d like to get some practice at making some that look reasonable, if there is time someday.
For the finishing touches on the sleeping bag, I made a two-sided pillow. I sewed one side of the bag together only about halfway up to that it’s easy to get a doll in and out, and put in snaps for a snug fit on cold nights!
I didn’t write down my process while making this, but I did take a lot of pictures so I can remember what I did if I ever want to make another.
Q. Explain the concept of social engineering Framing. Why is it a key fundamental in a social engineering plan? Provide an example of Framing in your own context of a work or social setting.
Framing is how a Social Engineering target dynamically reacts to a situation based on life experiences and their own traits and characteristics (Hadnagy 159-160). Social Engineers use a technique called frame bridging to close the gap between the scenario a Social Engineer wants the target to respond to and personal facts about the target. A pretext is a strategy the Social Engineer has prepared to bridge the frame – in other words overcome resistance to the scenario.
Today I received the following phishing email. A screenshot of the email is below, and text with the link removed follows. The links are not live because it is a graphic, and no one should click on them if they were live.
My name is Veronica.
Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.
Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.
Download it now and check this out for yourself:
(url probably leading to something bad was here)
I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.
This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.
I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.
I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
Best regards, Veronica Garcia
It’s possible that whoever sent this message, whether a person or a bot, distributed them to anyone they could get to who has a blog. Social Engineers deliberately choose words that evoke emotions in the receiver (Hadnagy 163). Clearly fear is what I’m supposed to feel while reading a message like this. There are a lot of scary-sounding legal terms and phrases thrown around, and the dollar amount of possible damages that supposedly could result if I don’t act is high.
The purpose of invoking strong emotions in a target is to get the amygdala in the brain to compel the target to act and click the link before the logical part of the brain says “wait that might be a phishing email” (Hadnagy 184-185). The basic human emotions of anger, surprise, fear, disgust, contempt, sadness or happiness are tools that Social Engineers exploit for different purposes (Hadnagy 163).
If I wasn’t sure about the authenticity of the above email, I could look up the law that has been cited and the name of the artist or designer claiming infringement to see if there is any possibility it might be real. I’m not even bothering to do that, because there are several things about my particular framing that this pretext did not succeed in bridging even that far.
I’m currently enrolled in a Social Engineering class and the kind of activity represented in this email is foremost in my mind and has been for weeks.
I’ve actually received a genuine email recently regarding trademark infringement. The allegation of trademark infringement was about an adhesive dots product I had been selling in my Etsy shop. I had used the phrase “glue dots” as a tag to help describe the product when another company claims the phrase “glue dots” as a registered trademark. In my opinion “glue dots” is way too generic a phrase to legitimately claim a trademark on, but my opinion means nothing. For one thing I’m not even an attorney. Etsy informed me that they had removed my listing for that product. Just to make sure the issue was real, I contacted the law firm mentioned in the email and the manufacturer of the product in question. The law firm did not answer my inquiry but I did confirm it actually exists and specializes in that type of law. Today’s phishing email is extra suspicious because there is no law firm mentioned. The manufacturer of the adhesive dots product responded to me and confirmed it was a real issue that they were trying to resolve. In short, I have some idea what a real email of this nature looks like and this is NOT it.
I’ve been involved with business blogging as part of my work for nearly 20 years, possibly since before the term “blogs” was even in wide use, and I have a pretty good idea about what copyright violation and fair use are. If I was actually guilty of this I would know! At least I think I would. Humility is important, because while people like us are busy working at something legitimate, malicious Social Engineers are planning new schemes instead. We can never let our guard down or assume that we know everything and will easily catch every scam.
Additional Framing Techniques
The Social Engineer who created this phishing example could have used the technique of reinforcing the frame, that is causing me to think about it and therefore strengthen it, if they had done even a little bit of OSINT (Open Source Intelligence) on me (Hadnagy 166). But it’s clear they did none, other than to use my web site url which may have been scraped by a bot.
For example the phrase “Your website or a website that your company hosts” is kind of a giveaway. I would have done a little more digging if they had said “the Fiber Arts section” or something like that indicating it might not be a generic scam email. Creating an email with a more personal and specific pretext via the knowledge gained by OSINT is called spear phishing.
Negating the frame is a way of inadvertently undermining the operation by reminding the target of what they should be suspicious about (Hadnagy 165). The phishers in this case avoided that blunder – they didn’t say anything like “Beware, this is not a scam email!”
Another way of leveraging the framing of a target is hinting at or insinuating something without directly coming out and saying it. This is called evoking the frame (Hadnagy 164). I would have known what the implied threat was if the phishers had said something like “if you don’t stop using our copyrighted material we will be forced to take serious action“. Kind of like a gangster in a movie or TV show saying “this is a nice place you got here, it would be a shame if something happened to it!“
Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.
My final exam for Social Engineering class is due at 5 pm on Friday. When I’m answering questions, it’s useful to write as though I’m explaining the concepts to a general audience. I’m going to publish these answers on this blog as I write them, before they are turned in and graded, to keep me on track to work long enough to explain completely but not so long that I run out of time and skimp on the last couple of questions (that’s what happened at the midterm exam!). A lot of people have been asking me what Social Engineering is since I’ve been in this class. I do think it’s something everyone needs to know about as part of life skills so I’ll explain the best I can. Enjoy!
Q. Discuss the art and method of Influence and Manipulation.
First I’ll define the terms according to Christopher Hadnagy, author of our textbook “Social Engineering: The Science of Human Hacking”.
Social Engineering – “Social engineering is any act that influences a person to take an action that may or may not be in his or her best interests” (Hadnagy 7).
Influence – “Getting someone to want to do what you want them to do” (Hadnagy 123).
Manipulation – “Getting someone to do what you want them to do” (Hadnagy 151).
Social engineering is part art and part science, and method is where they come together (Hadnagy 157). Hadnagy brings up cooking as an example of a pursuit that combines art and science to create a satisfactory outcome. Gardening and aquatic animal keeping are a couple of my pursuits that are similar – science knowledge is needed to keep the organisms alive, and artistry helps make the environments harmonious and attractive. There are certain needs the organisms have that must be met but I have choices in what colors I can have, quantities, how I arrange the elements, how much splashing or bubbling do I want to create a soothing sound, and other aesthetic choices that affect the total presentation.
Part of the science of SE is framing and elicitation (Hadnagy 158). Framing is how someone dynamically reacts to a situation based on life experience and internal makeup (Hadnagy 159-160). Depending on the reaction you want, artistry helps to create an approach to the frame that is appropriate to achieve the objective. Social Engineers may be called on to create characters and costumes, choose words, use props, practice acting skills, storytelling and other creative enhancements. Preparation and practice are important, as is the ability to adjust to changing situations.
Elicitation is getting a target to volunteer information (Hadnagy 168). In order to cultivate the target to be open and trusting enough to share, artistry will again be used in a planned way as well as dynamically as conversation progresses. A social engineer might plan a scenario ahead of time or create one just by observing a target. Methods such as Ego Appeals, Mutual Interest, Deliberate False Statements, displays of Knowledge and the Use of Questions are methods Social Engineers can use to subtly direct the interaction (Hadnagy 168-182). There is art in how these methods are used, and also in choosing embellishments such as the above mentioned characters, costumes, props, etc.
Q. How are each applied to a social engineering plan?
Influence – Cialdini’s Six Principles of Influence are as follows (ChangingMinds.org):
“Reciprocity: Obligation to repay.” Both wanted and unwanted gifts will create an urge to reciprocate, but if we appeal to what the target really values, we will get a greater concession in return. Gifts don’t have to be material things – good feelings in the target aroused by gifts of compliments and humor are also effective (Hadnagy 125-128).
“Consistency and Commitment: Need for personal alignment.” We have a powerful drive to meet commitments because the consistency of ideals and behavior gives us a feeling confidence and strength. I’m adding my own assumption here that this may not apply to people with psychopathy and personality disorders (“Psychopathy”). You can appeal to the urge for internal consistency in other people by getting them to agree to a small request initially then a larger one later. Victimizers use your integrity and need to make your actions match your beliefs as a weapon against you. Keeping this in mind might help us to know when it’s ok to change our minds about a commitment that is no longer serving us. Consistency and commitment can also be good defenses against attacks, since that is a good protection against people looking for examples of hypocrisy as a Social Engineering weapon against us.
“Social Proof: The power of what others do.” When we are unsure about what is safe or acceptable we often look at the behavior of others as a guide (Hadnagy 149-150).
“Liking: The obligations of friendship.” Hadnagy explains different meanings of the word “like”. We tend to like people who are “like” us in some way, that we see as a member of our tribe, and we “like” people who we think like us (Hadnagy 146-148).
“Authority: We obey those in charge.” Possessing actual authority or knowledge gives a Social Engineer more confidence to act with authority, but faking it, implying it or transferring it by seeming to associate with a genuine authority will work also (Hadnagy 140-141).
“Scarcity: We want what may not be available.” We can be Social Engineered to respond to a perceived or real scarcity of goods, sale prices, time or any kind of resources (Hadnagy 134-136).
Hadnagy lists 6 principles of manipulation (Hadnagy 153):
2. “Environmental control.”
3. “Forced reevaluation.”
4. “Removal of power.”
It’s not an accident that these tactics are synonymous with types of abuse, emotional and sometimes even physical. Abusers abuse because they want the power and control it gives them (Davenport). It isn’t only individuals who might try to abuse us – organizations can do it too. I’ve written passionately and repeatedly on this subject in my class assignments, as you know, and in other writings, because of my theory that we as a culture tend to give far too much trust to institutions that have devoted vast research and resources to manipulate, and yes, abuse.
Q. What is the difference between the two?
Hadnagy’s definitions of influence and manipulation are nearly the same in terms of wording. In both cases, the social engineer wants the target to take an action that the social engineer wants. In an influence situation, the target wants to go along with the engineer (Hadnagy 151). That is a very slight difference, and Hadnagy acknowledges that not all will agree with his chosen definitions. When I first read “How to Win Friends and Influence People” by Dale Carnegie, a friend of mine didn’t want me to read it because in his words “It teaches you how to manipulate people”. My reply to him was my interpretation of a couple of the points I thought Carnegie was trying to make – the transactions and deals you make should benefit both parties, and whatever social techniques you use to get the results you want should be sincere (Winkelmann “My Opinion of…”).
I think Hadnagy is of a similar opinion. Manipulators don’t care about the feelings or well-being of the target, and the interaction will not be remembered fondly by the target (Hadnagy 151, 153). That’s detrimental to getting future business. In Hadnagy’s case, since part of his job is to educate clients, negative feelings interfere with the learning process and are to be avoided. I think he and Carnegie would agree that it is more important for both parties to come out of an interaction both feeling good about it than for the SE to “win” the transaction by getting the better of the target.
Of course many social engineers don’t mind harming the target, or they fully intend to harm the target – that’s when their actions become manipulation. For example the same male friend who was uneasy about me reading “How to Win Friends and Influence People” used manipulation on me and another woman to try to keep us from becoming friends. All three of us were part of a group that was going on a week long backpacking and camping trip. In preparation, he told me she didn’t like me and told her I didn’t like her. So for the first day of the trip we avoided each other. Due to the way the tents worked out, we were forced to share one the first night and weren’t happy about it. The next day we both had the same thought. “She’s not so bad.” We both decided to confide in each other what the male (now former) friend had told us. We had a good laugh and became best friends until she passed away in 2003. I was Maid of Honor at her wedding!
Q. Which method is more effective (give examples of circumstances/settings to be applied)?
I think it depends a lot on the circumstances. For example, if your goal is to have a productive future relationship with a target, you will take their welfare and emotions into account so that they associate you with a pleasant experience and are open to be influenced by you because they “like” you, as Cialdini teaches. If you plan to just use and discard the target when they are no longer needed, you don’t have to consider their well-being at all.
The archetype of the “snake oil salesman” is depicted in a music video I loved and watched a lot when I was a teenager, “Say Say Say” by Paul McCartney and Michael Jackson. The protagonists are con artists who travel from town to town in a wagon selling a bogus “strength potion”. They use pre-planned pretexts, such as a script and audience plants to Social Engineer the people in a town into buying a lot of the fake potion. By the time the customers realize it’s no good, the con artists are long gone and in another town sporting a different identity. When the law catches up to them, they use a distraction to evade (Giraldi). As long as they can get away quickly enough, they are not accountable and don’t have to make a good product. They only have to create the impression long enough to get the money.
Here is a personal example of when I experienced manipulation in an airport when being solicited for a donation. A man greeted me and offered me a free paperback copy of a vegetarian cookbook. I love to cook and I love vegetables so I said “sure, thanks” and took it. I was young and this was my first time encountering this particular SE situation in an airport so was not looking for it and not prepared with defenses. The man said “Aren’t you going to give a donation?” I thought a moment and gave him a dollar. He said that isn’t enough. I was not pleased about being manipulated, so I said “I think that’s pretty good for a free book. If you disagree, you can have it back and I’ll take back the dollar”. He just looked disgusted and waved me away. I was not unhappy about giving a dollar for the book, even though it’s not something I sought out. But I love recipe books, so a free book or a dollar book, either was fine with me. But I would have balked at any more than that. Neither of us was concerned about ever seeing each other again, so it was a very low stakes situation. Since he had correctly concluded he had gotten all he was ever going to get out of me, he didn’t bother to be civil one second longer than was productive.
The larger and more powerful an organization or individual is, the more they can insulate themselves from backlash caused by self-serving, fraudulent, unkind or unfair manipulations of people. For example last summer there were large corporations taking out television ads that put their brand in a good light, showing warm and positive scenes of how they were helping their employees and customers cope with the pandemic. News stories about those brands were sometimes in direct contrast to the images in the ads. Organizations can use their money and power to “buy” morality credits by performing certain good deeds and publicizing them or just artfully appearing to. In the “Say Say Say” video we see that the fictional con artists give their ill-gotten gains to an orphanage and stop to entertain the kids, so the viewers of the video will root for them (Giraldi). This tactic works in real life too.
Marketing and Public Relations are subsets of Social Engineering, according to Hadnagy’s definition. If organizations don’t even do good deeds but claim they want to someday, or are generally in favor of good things for society and they’d love it if YOU would do them, that is enough to counteract actual corporate hypocrisy in some situations (Chen 487-490, 517-518). Influential people and organizations have the money and power to buy a lot of Marketing and PR, so they are potentially not as accountable as the less powerful. For example, from years of selling art supplies online, with Amazon being one of the platforms I sold on, I’m personally acquainted with how Amazon treats people with no power and only the most infinitesimal trace of usefulness. Admittedly already skeptical about their corporate culture, I am not the only one to ponder the disconnect between Amazon’s paid feel-good ads and news stories about how workers are treated (Barrickman and Smith). In a paper I wrote last fall about Corporate Social Responsibility and Irresponsibility I speculated about the meaning behind the amounts of corporate public donations to social justice causes by Netflix, WalMart and Amazon (Winkelmann “Corporate Social Responsibility…”). Do these amounts reflect genuine commitment to the causes, a branding technique, the amount of resources available, or the amount of morality credits they feel they need to buy to compensate for their actual activities?
A malicious Social Engineer might intend to not only evade accountability, but plan to leave the target in a weakened condition as part of the strategy. Sometimes the goal is not merely profit but total defeat of the enemy.
Barrickman, Nick and Patrick Smith. “Amazon violates its own health and safety rules in COVID-19 coverup.” World Socialist Web Site, 2020, www.wsws.org/en/articles/2020/08/05/amzn-a05.html. Accessed 10 May 2021.
ChangingMinds.org. “Cialdini’s Six Principles of Influence”. Changing Works, 2002-2021, changingminds.org/. Accessed 16 March 2021.
Chen, Zhifeng, et al. “Corporate Social (Ir)Responsibility and Corporate Hypocrisy: Warmth, Motive and the Protective Value of Corporate Social Responsibility.” Business Ethics Quarterly, vol. 30, no. 4, Oct. 2020, pp. 486–524. EBSCOhost, doi:10.1017/beq.2019.50. Accessed 28 September 2020.
Davenport, Barrie. “61 Devastating Signs Of Emotional Abuse In A Relationship.” Live Bold and Bloom, 2021, liveboldandbloom.com/02/relationships/signs-of-emotional-abuse/. Accessed 11 May 2021.
Giraldi, Bob, director. “Say Say Say.” YouTube, Paul McCartney and Michael Jackson, uploaded by Giraldi Media, 1983, www.youtube.com/watch?v=aLEhh_XpJ-0. Accessed 10 May 2021.
Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.
“Psychopathy.” Psychology Today, 2021, www.psychologytoday.com/us/basics/psychopathy. Accessed 11 May 2021.
Winkelmann, Carolyn Hasenfratz. “My Opinion of What Marketing is About”. Carolyn Hasenfratz Design. 2020. www.chasenfratz.com/wp/my-opinion-of-what-marketing-is-about/. Accessed 10 May 2021. — “Corporate Social Responsibility and Irresponsibility”. Carolyn Hasenfratz Design. 2020. www.chasenfratz.com/wp/corporate-social-responsibility/. Accessed 11 May 2021.
This is my last week of Social Engineering class at Webster University. The textbook we have been using is “Social Engineering: The Science of Human Hacking” by Christopher Hadnagy. This book is full of powerful personal ancedotes that help me understand Social Engineering better. They also resonate deeply because so many of the anecdotes are relatable to experiences from my own life.
An example of a story that really made me think is on page 260. Hadnagy tells of talking with a friend whose family had been personally affected by a common scam. The friend was angry with him for not warning him sooner and exclaimed “If you knew these things existed, why didn’t you warn your friends?”
I have had friends get angry with me and stop speaking with me for warning them about social media and other media scams and trying to explain media literacy concepts when I saw that they were being trolled. Part of good Social Engineering is to help the people you are trying to warn become more receptive to what you are trying to teach them so they can take in the information to protect themselves against harmful Social Engineering. If someone is your friend and you care about them, you want them to know these concepts. If my attempts are too clumsy and I arouse their defenses instead of concern and I fail to warn because of that, I need to do better. That’s one of the things I’m learning in this class and others. The more I learn about media and technology as I work on a Advertising and Marketing Communications Master’s degree, the more I feel the need to warn.
I’m going to be writing a LOT this week to finish the course, and some of it is going to end up on this blog immediately and farther in the future. Hadnagy advises us not to “assume that the knowledge about these attacks is just common sense”. There are techniques in Hadnagy’s book, in our class, and in lots of other course material I’m learning that is also in classic books, around for many decades, such as “How to Win Friends and Influence People” by Dale Carnegie and “The Hidden Persuaders” by Vance Packard. I have owned those books a long time and have read them several times and I still have to work to master the material in them.
As I learned on a podcast this morning, the concept and term “Social Engineering” has been around since the late 1800s. With every new technological advance that comes along, there are new skills to learn to avoid exploitation through Social Engineering combined with other types of attacks. In order to help people find information on this blog that I think everyone should know as a life skill, I’m going to apply the hashtag #whydidntyouwarnme/ to relevant past and future blog posts.
I have also started listening to a couple of excellent podcasts that are free to listen to if you want more information about the types of media and security issues I’m trying to warn about. I think every Internet user who has something to lose, whether for personal or business reasons, needs to be informed as well as possible.
The Social-Engineer Podcast – hosted by Christopher Hadnagy himself with a variety of co-hosts as they interview leaders in the Social Engineering field.
Hacking the Humans – information about “social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world”.
What types of scams are you the most concerned about?
Art journaling is an activity that helps me a lot with self care, artistic expression and just general management of life. Lately I’ve been experimenting with combining some artistic expression with material I’m learning in Social Engineering class. There are a lot of acronyms and concepts to remember – things that lend themselves well to bullet journals, art journals and chart and graph type graphics.
These pairs of pages you will see are in progress. I made them to have something to do adult coloring and other paper craft based activities on when I want to relax and be creative for a bit. As I work I can study and memorize the “bullet points”. I’m going to erase some of these pencil lines as I go. For a couple of the more complicated layouts I made drawings on tracing paper and chipboard templates to help cut the paper pieces to the right sizes and shapes.
Some of the stencils I used are commercial products I sell in my online Etsy shop. If you would like to see the selection, it’s at this link: Stencils and Stenciling Supplies.
I hope these pages in progress will give you some ideas for organizing information in a creative and fun way!
A little over two years ago, I was sick for quite awhile with an awful sinus problem. I didn’t have much energy, so to prevent too much boredom I looked for some simple tasks to do. First I sorted all my small fabric scraps by color and organized them into containers. While doing that, I thought it would be fun to challenge myself to see how small a fabric scrap could get before I couldn’t make something out of it. I wanted to upgrade my hand-sewing skills and learn the rudiments of piecing for quilt making.
I started sewing fabric pieces into strips to combine into a scrap quilt later, after seeing some beautiful examples on Pinterest. As I accumulated strips, I combined them with other leftover fabrics such as a jean pocket, a waistband from some corduroy pants, a seam from blue jeans, old clothing tags, ribbon, binding strips, selvage pieces and some rather primitive embroidered panels I made a long time ago for use on a tote bag which has since been retired.
Over the last couple of years, every once in awhile I’d add a little bit more on. Then I finished it with blanket seam binding from JoAnn Fabrics and Crafts where I taught classes in hand sewing, general crafts and jewelry making before the pandemic.
Following are some close-ups of sections of the quilt.
“Experimental Art Quilt #1” is for sale on Etsy. Here is a link to the listing: