[Metroactive Features]

[ Features Index | Silicon Valley | Metroactive Home | Archives ]


Reverse Social Engineering

By Annalee Newitz

SOCIAL ENGINEERING is the salacious second cousin to hacking. It's a glorified term for conning, equivalent to using the word sanitation engineer when you really mean garbage collector. But it's also undeniably rather glamorous--social engineers don't spend hours in front of the computer screen poring over code and running port scans like hackers do. They get passwords and other secret information by manipulating people.

The beauty part of social engineering is that most people understand how it works. Few people truly appreciate a novel buffer-overflow attack launched against certain insecure web applications. But almost anyone can understand the cunning required to pretend you're a phone-repair technician in order to coax access codes to your local telecom switching station out of a middle-management type.

Social engineering is a tried-and-true covert intel-gathering method outside the world of hacking, too. Investigative journalists might, for example, pose as mental patients in order to find out how state institutions treat people when the media isn't watching. A university student might pose as a teaching assistant to gain access to a certain professor's office, which just happens to contain copies of an upcoming exam.

Recently, for my own odd reasons, I've been mulling over the idea of reverse social engineering. What exactly would that mean? I found a few descriptions of it on security websites, where it's treated as a subset of social engineering.

According to analyst Sarah Granger, reverse social engineering is sort of like social engineering crossed with reverse psychology. Instead of pretending to be somebody who needs help in order to gain information from employees of a company, you pretend to be someone in a position of authority to whom employees will turn for help.

A common example of this strategy would be to attack a website in some way and then list yourself as the administrator to contact with problems. When people write to you and ask for help fixing the site, you require them to give you some kind of information to "verify" who they are. Then you repair the site and keep the information, and nobody is the wiser.

This, to me, makes no sense as a definition. I'm looking for something that's more like a combination of social engineering and reverse engineering: a term that will describe the process that occurs when you take some social device or phenomenon apart in order to understand it, then proceed to re-create it in a way that suits you. Reverse engineering, remember, is what you do when you take a piece of hardware or software apart to figure it out. Sometimes, the process involves building a copy of it for your own uses.

So, by my lights, reverse social engineering would describe what Galileo did, or Karl Marx. Both took the universe apart, piece by piece, in order to understand physical and social mechanisms.

Armed with my own private definition of reverse social engineering, I have a little project I'd like to work on in 2004. Not one to start small, I propose a hack on the concept of private property. Certainly, I'm not the first person to try this: everyone from Marx to Richard Stallman has been there before me. But there's no harm in revisiting a favorite exploit of the reverse social engineers.

First, consider what private property is: a thing, idea or location that belongs exclusively to an individual or corporation. At its most basic level, this kind of ownership can be fairly helpful; it keeps me from using somebody's else's toothbrush or firewood. At its most abstract, private property means I can't walk in certain locations or play copyrighted songs in a public place.

Why do we have private property? There are many ways to answer this question that range from the political to the psychological, but I'd wager that most of them would boil down to one thing: We use it to measure value, whether that's emotional, economic or social. The more private property I have, the richer I am. Privately held items of all kinds are generally valued more than publicly held ones. Even when it comes to romantic relationships, people tend to rate monogamous ones--in which I have exclusive rights to access my partner sexually--more highly than polyamorous ones.

What would happen if we engineered a slightly different version of private property? We could pick one aspect of the concept and just tweak it a little, perhaps removing the connection between value and exclusivity. The more exclusive an item, the less we would value it. Thus, I could still have my private toothbrush, but it wouldn't be worth very much. Other items, like a car or a building, would grow in value the more they could be shared with other people.

Just a thought. Happy New Year.

Annalee Newitz ([email protected]) is not always a surly media nerd.

Send a letter to the editor about this story to letters@metronews.com.

[ Silicon Valley | Metroactive Home | Archives ]

From the January 1-7, 2004 issue of Metro, Silicon Valley's Weekly Newspaper.

Copyright © Metro Publishing Inc. Metroactive is affiliated with the Boulevards Network.

For more information about the San Jose/Silicon Valley area, visit sanjose.com.