Retrotechtacular: Social Hacking is Nothing New

If you watch enough mainstream TV and movies, you might think that hacking into someone’s account requires a huge monitor, special software, and intricate hand gestures. The reality is way more boring. Because people tend to choose bad passwords, if you have time, you can task a computer with quietly brute-forcing the password. Then again, not everyone has a bad password and many systems will enforce a timeout after failed attempts or require two-factor authentication, so the brute force approach isn’t what it used to be.

Turns out the easiest way to get someone’s password is to ask them for it. Sure, a lot of people will say no, but you’d be surprised how many people will tell you. That number goes up dramatically when you make them think you are with the IT department or their Internet provider. That’s an example of social engineering. You can define that many ways, but in this case it boils down to getting people to give you what you want based on making them believe you are something you aren’t.

Everything Old…

We think of social engineering as something new, but really–like most cybercrime–it is just the movement of old-fashioned crime to the digital world. What got me thinking about this is a service from Amazon called “Mechanical Turk.”

That struck me as odd when I first heard it because for product marketing it is pretty bad unless you are selling turkey jerky or something. If you tell me “Amazon Simple Storage Service” I can probably guess what that might be. But what’s Mechanical Turk?

Mechanical Turk

Turns out, the name is taken from an early scam. Before computers (way before) there were some number of automatons built. These machines would mimic some human behavior using spring motors, cams, gears and other mechanical magic. Most famous, perhaps, was one built well over 200 years ago that looked like a boy and could actually write a note. More modern automata include the robotic presidents at Disney–although, surely these days those too are computer controlled.

The reason that’s important is that people were accustomed to going to a fair or some exhibition and seeing some mechanical human or animal doing something. In the 1700s an automaton appeared that could play chess. Whereas the mechanical boy always wrote the same note, the chess playing robot (who wore a turban and was known as The Turk or The Mechanical Turk) played a strong game and responded appropriately to a human’s moves. It didn’t always win, but it did a credible job of playing as a human would.

And Amazon?

So, the Amazon service plays chess? No. The Turk, it turns out, was a piece of social engineering. People paid to watch or play The Turk, thinking it was a mechanical marvel. In fact, it had a human being embedded inside of it operating it.

The Amazon service allows people to pay small amounts to have humans do small tasks (that presumably add up). For example, suppose you have a site that allows users to post images, and you don’t want any pornography. That’s hard to detect with an algorithm. As Justice Stewart famously said (in paraphrase), “I don’t know what pornography is, but I know it when I see it.” You can use Mechanical Turk to pay someone a penny an image to tell you whether or not the image is safe for work. You could spend millions on an algorithmic solution and it is a good bet that it would have more false positives and negatives than a human being would have (not that people haven’t tried).

That’s not the only thing you could do, of course. You can pay to have people do lots of tasks, and the question becomes whether it is cheaper to do that or to program it. Even then, some people pay for some pretty stupid tasks.

Confidence

You might think that hiding a chess-playing person in a robot is a lot different from just asking someone for a password, but it really isn’t. If you had told people to pay to watch a guy play chess, most would say no. But they’d line up to see a mechanical man do it.

The best old example, perhaps, is from 1849. That’s when William Thompson’s arrest coined the phrase “confidence man.” He would approach someone on the street and act as if they were acquaintances. You know how it is. You hate to tell someone you don’t remember them so you act like you do. Then he would just ask for their watch, reportedly saying “Have you confidence in me to trust me with your watch until tomorrow?” Some people said no, but some would agree and it was a lot easier and safer than armed robbery.

Perhaps Hackaday should start the Internet of Things Turk where our readers can earn a penny or two for watching thermostats, toasters, and soldering irons. As embedded systems get more networked, we have to think more about locking down systems. Don’t forget that the weakest security link is often the users.


14 thoughts on “Retrotechtacular: Social Hacking is Nothing New”

    1. No, my point was the original mechanical turk was social hacking. You tell people, see that thing over there? I have one like it but really amazing! How about giving me some of your money?

      I only brought Amazon into the mix because they took the name from it because it is converting automation to human power. Not that it is–in of itself, at least–a hack.

      1. To the extent I suppose that stage magic is social hacking. The original Turk was a con, but the term ‘social hacking’ is generally reserved for acts that influence others to take actions that may not be in their best interest, rather than simply fooling them into believing that they are seeing something that is not real. While the Turk was a fraud, it wasn’t really that sort of psychological manipulation.

        1. I think if you are getting people to pay for something as a fraud without recognition. For example, a magician who reads minds is not a social hacker. But a psychic who uses the same tricks to convince people they can read minds in exchange for their money is. That’s my opinion, at least.

          1. You have a point – a flimsy one, in my view, but a point nevertheless. However I still wouldn’t consider the original Turk a case of social hacking as it was an outright fraud rather than a confidence game per se.

  1. Similar to the story of Amazon’s Turk is the girls hired during WW2 for uranium enrichment. The girls sat in a control room similar to a telephone exchange (another possible example) and had no idea what they were hired to do, other than to manipulate controls to keep gauges within certain ranges. In reality, they were regulating uranium enrichment centrifuges and other equipment, as the required control systems for automated regulation hadn’t been invented yet.

  2. I wouldn’t categorise the original mechanical Turk as a con. Think of it as a magic show. When you see a guy pulling a bunny from an empty hat, there is also a trick but you pay for the show, not to see a freak of nature with the super power of summoning small mammals from thin air.
    It would have been a con if they had tried to sell the “chess playing automation” technology pretending it actually works, but I don’t think they tried this.

    1. I guess we will have to agree to disagree. I wasn’t there, of course, but from what I understand they were passing it off as a legitimate mechanical marvel. James Randi is a magician. So was Uri Geller, but the difference is Geller tried to convince people it wasn’t a magic show.

      From Wikipedia:
      The box was believed by some to have supernatural power, with Karl Gottlieb von Windisch writing in his 1784 book Inanimate Reason that “[o]ne old lady, in particular, who had not forgotten the tales she had been told in her youth … went and hid herself in a window seat, as distant as she could from the evil spirit, which she firmly believed possessed the machine”.

      Also, if you look, the machine inspired others like Babbage and (indirectly through Wheatstone) Bell. It also spawned many lesser attempts to make a real automated chess player. It is hard to imagine that Criss Angel would make a physicist say, “Hmmm I guess levitation is possible! Let me see if I can reproduce it.”
