If you watch enough mainstream TV and movies, you might think that hacking into someone’s account requires a huge monitor, special software, and intricate hand gestures. The reality is way more boring. Because people tend to choose bad passwords, if you have time, you can task a computer with quietly brute-forcing the password. Then again, not everyone has a bad password and many systems will enforce a timeout after failed attempts or require two-factor authentication, so the brute force approach isn’t what it used to be.
Turns out the easiest way to get someone’s password is to ask them for it. Sure, a lot of people will say no, but you’d be surprised how many people will tell you. That number goes up dramatically when you make them think you are with the IT department or their Internet provider. That’s an example of social engineering. You can define that many ways, but in this case it boils down to getting people to give you what you want based on making them believe you are something you aren’t.
We think of social engineering as something new, but really–like most cybercrime–it is just the movement of old-fashioned crime to the digital world. What got me thinking about this is a service from Amazon called “Mechanical Turk.”
That struck me as odd when I first heard it because for product marketing it is pretty bad unless you are selling turkey jerky or something. If you tell me “Amazon Simple Storage Service” I can probably guess what that might be. But what’s Mechanical Turk?
Turns out, the name is taken from an early scam. Before computers (way before) there were some number of automatons built. These machines would mimic some human behavior using spring motors, cams, gears and other mechanical magic. Most famous, perhaps, was the one that looked like a boy who could actually write a note built well over 200 years ago. More modern automata include the robotic presidents at Disney–although, surely these days those too are computer controlled.
The reason that’s important is that people were accustomed to going to a fair or some exhibition and seeing some mechanical human or animal doing something. In the 1700’s an automaton appeared that could play chess. Whereas the mechanical boy always wrote the same note, the chess playing robot (who wore a turban and was known as The Turk or The Mechanical Turk) played a strong game and responded appropriately to a human’s moves. It didn’t always win, but it did a credible job of playing as a human would.
So, the Amazon service plays chess? No. The Turk, it turns out, was a piece of social engineering. People paid to watch or play The Turk, thinking it was a mechanical marvel. In fact, it had a human being embedded inside of it operating it.
The Amazon service allows people to pay small amounts to have humans do small tasks (that presumably add up). For example, suppose you have a site that allows users to post images, and you don’t want any pornography. That’s hard to detect with an algorithm. As Justice Stewart famously said (in paraphrase), “I don’t know what pornography is, but I know it when I see it.” You can use Mechanical Turk to pay someone a penny an image to tell you if the image is not safe for work or not. You could spend millions on an algorithmic solution and it is a good bet that it would have more false positives and negatives than a human being would have (not that people haven’t tried).
That’s not the only thing you could do, of course. You can pay to have people do lots of tasks and the question becomes is it cheaper to do that or to program it. Even then, some people pay for some pretty stupid tasks.
You might think that hiding a chess-playing person in a robot is a lot different from just asking someone for a password, but it really isn’t. If you had told people to pay to watch a guy play chess, most would say no. But they’d line up to see a mechanical man to do it.
The best old example, perhaps, is from 1849. That’s when William Thompson’s arrest coined the phrase “confidence man.” He would approach someone on the street and act as if they were acquaintances. You know how it is. You hate to tell someone you don’t remember them so you act like you do. Then he would just ask for their watch, reportedly saying “Have you confidence in me to trust me with your watch until tomorrow?” Some people said no, but some would agree and it was a lot easier and safer than armed robbery.
Perhaps Hackaday should start the Internet of Things Turk where our readers can earn a penny or two for watching thermostats, toasters, and soldering irons. As embedded systems get more networked, we have to think more about locking down systems. Don’t forget that the weakest securitly link is often the users.