Found this while poking around. Seems someone representing themselves as one of the DEC employees that ran 8BBS dropped a short message about it on everything2 back in 2006.
That 8BBS dump is incredible. The fact that someone realized what they had and took the time to scan it. When I was reading it before I read your 2nd link I wondered what the cause of all the corruption was - perhaps poor quality coupler connection - but it was actually OCR failure from scanning printouts. If someone (not I) had the time to go through and fix them, that would be awesome.
The printouts were old 9-pin dot matrix, and somewhat faded in parts. The OCR I had access to does very poorly with that sort of type. There is an effort underway to transcribe all of the posts into an interactive web format. Someday!
Thank you! The hardest part is done - the finding and the scanning. It's great that Susy's first post is hidden in there. I searched for "blond" and there it was.
Refuses to play the video "due to the privacy settings". Direct Vimeo link says the same. First time seeing Vimeo breaking like this. That's in Firefox.
Edit - the exact message is "Because of its privacy settings, this video cannot be played here." I'm guessing it's geo-locked.
It is because you turned off sending a referrer in Firefox (network.http.referer.XOriginPolicy in about:config).
The video is domain blocked, meaning it can only be played when you are on a specific domain. Because you disabled referrers, Vimeo doesn't know you are on hackcur.io so it thinks you are opening it through a direct link.
Her superpower was her voice, not her looks. Listen carefully to how she talks with that honey-like lilt to her voice. She sounds like the last person in the world who would compromise a system.
Looks are critical to account for in engineering a physical con. Not that one necessarily needs to be gorgeous, but one needs to be fit to the scene, in a way that minimizes the chances of someone undesirably thinking twice about your actions.
Exactly, you need to be credible and non-threatening. There is a history of a Japanese pentester that was always allowed to get into the datacenter because everybody trusts a Japanese engineer.
> Looks are critical to account for in engineering a physical con... in a way that minimizes the chances of someone undesirably thinking twice about your actions.
I don't know. Charisma and looks are pretty much orthogonal, at least for some people. The canonical example is Hitler, somebody whom you'd think people would instinctively avoid at work or the neighborhood bar, yet who somehow ended up running Germany.
It never hurts to be hot or handsome -- would a young Donald Trump who looked and sounded like Hitler have gotten very far in life? -- but it clearly isn't an absolute requirement.
I disagree. For example, if you're made up gorgeous and this leads a security checkpoint guard to notice you, and then they're checking you out and realize that your shoes are unusually fashionable, and then they notice that your badge lanyard is the wrong color and your badge looks a bit crinkly, now your cover is blown — all because you drew their eye.
That's not to say that there is no value in attractiveness — it's just not a guaranteed upside that can be taken for granted as harmless. This also shows up in spycraft, where "unmemorable" can be a very strong asset.
My first job out of school was at a dot-com in Vegas in the year 2000 initially as the network administrator. Susan was the Director of Marketing. My first interaction with her was typical, assisting someone with some issue or another, but I noticed her bookshelf was full of very technical books, and it turned out she was a Microsoft Certified Solutions Expert and I was just a simple MCP (I was new to Windows NT, my background was in NetWare). I was about 22 and she was about 40, and it was very intimidating at the time, especially after I learned she was Susan Thunder.
While the company was downsizing (dot-com bust) the CTO told me to batten down the hatches while Susan was being laid off. I told him that I'm fairly confident she knows more about NT than I do and that I didn't think I could do enough to secure things, so we more or less shut things down for the night.
I sort of remember the whole company being scared of her in general. I don't know why though, she was always very nice to me and seemed pleasant in general. It was an overreaction to shut down the network that night, Susan never attempted revenge. In hindsight, she was probably an adult that understood that companies fail and it wasn't personal.
> One day she asks me, “You know why nobody knows who I am?”
> No, I say, thinking back to a year previous — before the plague, before our phone calls, before I finally found Susan, when her name still meant nothing to me.
> “Because I never got caught,” she says. “All the best hackers, all the best phreakers in the world, we don’t know who they are because they never got arrested. And they never went to prison. This is why you don’t know who the best ones in the world are. This is the truth. Think about it.”
And it's that kind of arrogance and survivorship bias that gets you thinking you're better than you are. She was lucky she was not caught, or the others were unlucky they did get caught. The people around her that she considered as her fellow peers got caught after all.
> I went looking for the great lost female hacker of the 1980s. I should have known that she didn’t want to be found.
But then she _WAS_ found for the purpose of writing this article. So if not getting caught is the measure of being a good hacker... And she'll be incredibly easy to track down now.
> Kevin Mitnick publicly maintains that he had nothing to do with the destruction of the US Leasing files. In his autobiography, he characterizes Susan as a “wannabe hacker” who took revenge on him and Lewis using a backdoor into the US Leasing system that he had created.
I'm inclined to agree with Mitnick. There are numerous examples in this article alone of her acting in a vengeful manner, e.g.:
> But when one of her exasperated targets called her a small-brained little twerp, Susan got mad. In retribution, she called the phone company and, posing as the woman, had her phone number changed.
And really how likely is this to actually be true:
> She claims to be one of only three women to have slept with all four Beatles, securing the trickiest, Paul McCartney, through an elaborate pretext that involved having his wife Linda whisked away in a limo for a staged photoshoot.
It reads like the wishful thinking of somebody who had bigger dreams than their own reality, clinically delusional. Some of these things I could let go, but there is too much "it happened, trust me". Bear in mind that the _ENTIRE_ point of social hacking is to spin a lie so good that you believe it yourself.
Social engineering attack. How you find OBL is to ask around. Pretend to be vaccine staffers... never mind the long-term damage to field vaccination staff.
> “All the best hackers, all the best phreakers in the world, we don’t know who they are because they never got arrested. And they never went to prison. This is why you don’t know who the best ones in the world are. This is the truth. Think about it.”
Ah, the same reason why there is no proof of real wizards. The ones tested and failed with science were all frauds, while the real wizards already have all the power and no need to expose themselves.
I'd go as far as to say that by 1990 post-Operation Sundevil etc, this was considered common wisdom, and such people with great skill who never got arrested were the rule, not the exception. People pulled off fantastic things, but refused to do silly stuff like join groups or write about their exploits in G-philez, or even use the same alias on two forums (let alone doing anything from their house). You might have met up with them on an Alliance Teleconference or QSD once in a while, but never at the 2600 meetup at the mall. These people tended to make it well into adulthood and lead rewarding lives, all without ever becoming a pushpin with pieces of yarn tied to it on some Secret Service agent's cubicle wall. Of course, it doesn't make you as famous as an Esquire article does. But also, handcuffs hurt.
This is still true today, and of more hunted groups than just hackers.
It's underappreciated just how tolerant society was, with respect to 80s and 90s hacking culture.
We had the war on drugs, but pre-9/11, secrecy and hacking were... novelties. As in, people couldn't conceptualize the worst results of bad people using bad methods.
You can see this in the legal filings of early computer prosecutions. Much of it is spent trying to explain to a jury just why phone phreaking or computer hacking is bad. E.g. "Could launch nukes from a payphone!" Or Tron, WarGames, etc.
Now, network intrusion brings to mind ransomware, and a hop, skip, and jump away from helping ISIS, in terms of jury sentiment.
On the other hand, there's an entire white and grey hat culture that wasn't really as defined in that period, so it's fair to say there are also more legitimate paths for someone deeply interested in systems.
Also sums up what always puts me off these "notorious phone phreaks". It's always someone, usually emotionally stunted, riding some kind of power trip. Certainly never anyone I would admire.
I suppose I shouldn't be so judgmental, they often seem to have pretty fucked up childhoods and are no doubt a product of that. I just don't see any good that comes from idolizing them.
I always feel kind of sad for all the lost potential due to bad childhood conditions. I imagine the types of Bill Gates could easily have been one of these kind of hackers under less favourable conditions.
I don’t think anyone’s really debating it except him. All he does is steal other people’s ideas then use his “reputation” to try to sell them for 10x the price.
It's not necessarily true. Maybe the best ones were the best UNTIL they got caught. Hard to say, given we don't know anything about the best if they were never caught.
Having been caught and done jail time I think that the view that "only the dumb ones get caught" is wrong (OK, I would say that): intelligence and getting caught are mostly orthogonal and I met a, very, small number of extremely bright people in jail. The difficulty in executing many types of crimes and evading detection is that it is a probabilistic process: a criminal activity may be composed of many actors with differing motivations and competencies, in a hostile environment with unknown features and requiring multiple contingent steps. Any misstep in this chain can cause the failure of the project and, however clever the player, the misstep can be difficult to forecast and non-deterministic.
More generally, humans are generally bad at anything requiring the discipline and attention to detail that good opsec requires. Ability to do this well probably doesn't have much correlation with intelligence (although seeing the need for it might).
Not necessarily, but probably true. Same with all the best criminals, the best live out their lives and none are the wiser as to their actions besides those in the know.
This all assumes that getting caught is a bad thing. For some hackers it leads to respect and eventually government / private jobs. This is obviously not true for non-technical criminals.
> For some hackers it leads to respect and eventually government / private jobs. This is obviously not true for non-technical criminals.
Errrr, should we tell you about Blackwater, Thalès, BAE Systems, Bolloré, Nestlé, Coca-Cola, Alexandre Benalla, Serge Dassault, NSA? They are just some examples of very famous people/corporations engaging in high-level criminal activities ranging from basic corruption to actual slavery to wide-scale murder.
We live under capitalism, a system which glorifies criminal activity as the path to success and social recognition. Sometimes, this criminal activity is legal and you can't believe how that's even possible, but many times it's illegal but when people/organizations become too influential they are far above the law.
Don't even get me started on law enforcement engaging in criminal activity such as organizing drugs trade like in USA's crack epidemics or with France's chief anti-drug cop leading the biggest smuggling ring for cocaine/hashish for years. One could even say in some circles, being ready to defy the law is a sign you're part of this circle. For example, in France at least, murderous cops are more likely to get promotions than to get kicked out of police, because once they took part in murder and held their mouth shut through the shitstorm without compromising colleagues/higher-ups, they have successfully demonstrated their loyalty to the establishment.
Of course, you're free to not research scandals involving the people/organizations I mentioned, take the blue pill and go back to dreaming about elections and free market and how fair our society is.
To make my statement more correct I should have distinguished between crimes that are discovered and those that are prosecuted. For example, I wouldn't have considered the murderous police to have been "caught" if they didn't face prosecution, but that is simply semantics.
Legal criminal activity is an oxymoron. The legal system defines what is criminal, and that has nothing to do with morality.
And even though I'd tend to agree, I absolutely don't understand why you're making a connection to capitalism. Any other more socialist system was nothing else but much worse, and the social democracies of today have just the same issues with police etc you're talking about.
> The legal system defines what is criminal, and that has nothing to do with morality.
That's not entirely wrong, but "criminal" is often used figuratively to refer to morally-abhorrent behavior. I took the liberty to employ the word this way to address the blind spots of our respective legal systems. I personally wouldn't call a weed smoker a criminal but would call a murderous cop a criminal: that France's legal system does not agree with me is unfortunate but irrelevant.
> Any other more socialist system was nothing else but much worse, and the social democracies of today have just the same issues
That's a debatable point of view, but my opinion is that what you refer to as "socialism" or "social democracy" is in fact just another brand of capitalism. For example, in anarchist circles, the USSR was widely criticized as "State capitalism" [0]. In this mental framework, laissez-faire capitalism (Rand/Hayek ideals) is yet another brand of capitalism, although it has yet to be proven that capitalism can exist without nation states to enforce it, while stateless communism has a varied history throughout the ages.
The problem with criminality is that what we feel like is absolutely irrelevant, which is why this is a big mistake. The fact is that weed is criminal in France/elsewhere in Europe and that is a problem that must be recognized because it's immoral. Same re: murderous cops and other excesses of criminal systems.
Ad brands of capitalism - well OK, but any place that tried any brand of anarchism failed even harder than any brand of capitalism ever did, and the end result was much worse for the individual people who lived there. The US was always a heaven on Earth in comparison, even during its worst era of unregulated capitalism.
USSR is the largest example but it was a poor country. There were rich countries that voted for true communism democratically and even there it devolved into a catastrophe in less than a year (after WW2, or after a few years for the more recent examples). IMHO human nature makes it absolutely impossible to make communism work, because it will be immediately taken over by power hungry people for their own benefit. Any anarchism that might be desired will never be allowed to develop, these power hungry people will make sure they control it.
> Any anarchism that might be desired will never be allowed to develop, these power hungry people will make sure they control it.
That is indeed the history in USSR/Spain for example, however I don't think it has to be this way. Many smaller-scale societies could be considered anarchist. In our 21st century, the only large-scale example I can think of is the zapatistas caracoles in Chiapas. Very interesting to read about if you're curious: millions of people living in autonomous communes without central government (although there's a central army to protect communities from the Nation State, it does not hold *any* political power). Money has not been abolished but its significance has been reduced due to collective work/property (cooperatives). Their judicial system is also very interesting, as it's based on reparations not punishment which appears to work great if you take murder/rape as a metric which has almost entirely disappeared since the revolution in 1994.
I'm not saying the exact same model is applicable everywhere, but examples like this demonstrate that anarchism is possible on a wide scale. Although to be fair most zapatistas would not label themselves "anarchist", despite claiming to be from the anti-authoritarian/bottom left (the historical definition of anarchism).
The US has some seriously dark history including a relatively extreme form of slavery. Some failed states and tribalism were extremely unpleasant and legitimately better places to live.
No, it was at best the same, US was never worse - and only much better after the abolition. The sad fact is that these anarchist places devolved into feudalism/slavery and then straight into warlordism. The only difference was that the people weren't called slaves directly.
Not all forms of slavery are equivalent. Cultural norms evolve to where European serfdom for example was a distinct institution. At the other extreme Caribbean sugar plantations had a ~50% mortality rate in the first year. US slaves were treated significantly worse than the average over history, though of course not the worst.
It wasn't anything like the distinct European institution in these places, which was hell anyways - there was a good reason why these people risked death and went to America.
While the most extreme abuses happen in basically every society at some level, widespread institutions run into real limits. Extremely brutal forms of widespread oppression take strong institutes to maintain stability. Haiti for example had truly horrific conditions, but it couldn’t maintain control, first seeing significant numbers of escaped slaves living off the land then a successful uprising. Nazis were brutally efficient at working their slaves to death.
At the other end, Native American tribes for example would capture people effectively taking slaves but they integrated them into their tribes. Similar practices were fairly widespread in many cultures without firm centralized governments. The captured wife/sex slave divide is historically nuanced. Keeping people under lock and key takes effort and limits the forms of manual labor they can do. Mines were often extremely horrific because they were so easily managed. Hunting on the other hand requires significant freedom of movement.
I don't know what relevance this has to the fact that any brands of anarchism anywhere were as bad or worse than the US ever was, and (unfortunately - I'd really like them to succeed) never better.
> widespread institutions run into real limits.
The only limit of European feudal lords was how many people they could kill/cause death before there was nobody left to do slave work and fight in wars for them. America was a heaven for the serfs.
There are many historical accounts of freemen in England choosing to become serfs. It wasn’t freedom, but they had real protections. For example they couldn’t be sold individually; only the land they were bound to could be sold, which was a major protection keeping families from being broken up.
They may have owed their lord specific quantities of uncompensated labor, but conversely that meant they had socially and legally protected free time.
Also, serfdom largely disappeared in Western Europe well before America was a thing. “In England, the end of serfdom began with the Peasants' Revolt in 1381. It had largely died out in England by 1500 as a personal status and was fully ended when Elizabeth I freed the last remaining serfs in 1574” “Serfdom was de facto ended in France by Philip IV, Louis X (1315), and Philip V (1318). With the exception of a few isolated cases, serfdom had ceased to exist in France by the 15th century. In Early Modern France, French nobles nevertheless maintained a great number of seigneurial privileges over the free peasants that worked lands under their control. Serfdom was formally abolished in France in 1789.” https://en.wikipedia.org/wiki/History_of_serfdom. Various exceptions did exist but it simply wasn’t that common in Western Europe.
My company uses his software for phishing practice. A week after joining new company, his software claimed that I clicked on a phishing link. I saw the phishing email, instantly knew it was a fake phish, never even opened the email, let alone clicked on any link. Still had to do the "you got phished" extra training, as neither my manager nor IT would believe that there was a bug.
Mitnick really was quite the grifter before he turned his life around.
Possibly your email client clicked that for you. This is actually a legitimate concern because some exploits work that way. Doesn't change that it's a bug you got fingered for that tho.
The Inside Man is entertaining, but as the "show" progresses, it becomes progressively more a standard sitcom and less about security training. Past the first season, there are entire episodes which are mostly like a Netflix show, with a last minute message of "oh, and remember: never leave your laptop unlocked" tacked on.
Exact same thing happened to me. I couldn’t even get a response from anyone in IT. That’s what happens when IT is a handful of people for a 50k person company with a third party offshore help desk.
My mom had to sit through a training of his. In it he shows how he "hacks" a Mac after you click a link, or something like that, which made my mom somewhat upset and frightened. Of course, he's gracious enough to show you how he does it in the video…except he doesn't actually show the part where he gets control of your computer :/
It's a delightful write-up and her story is 100% worthy to be told, however I wouldn't trust the hacking stories because there's no way of verifying them. Too easy to add embellishments.
> It’s not lost on me, as she tells these stories, that I’m on the phone with a phone phreaker or that I’m attempting to tell the true story of an expert deceiver
She claims to have slept with all 4 members of The Beatles. Methinks most of the stories she tells are nonsense, but she suits the prevailing narrative for a certain segment of the media.
But that’s easy. If the writer fact-checked this article (did she even talk with the real Susy Thunder?) before publishing it, it would be very short, and wouldn’t get as many clicks. That isn’t in the interest of the writer.
Entertainment sells. Putting a “well actually” after each statement by the subject would reduce the entertainment value. This article is a narrative of the subject’s life told from various perspectives. The stories conflict, and as readers we can decide where the truth lies.
Good point. So perhaps she is a genius at social-engineering and managed to "play" the journalist by appealing to the journalist's pre-conceived notions about her.
It seems the hackers who get caught are the ones who were compelled to brag about what they did. Perhaps, the greatest quality a hacker can have is humility.
Cool article! And, as the eternal nitpicker, I only found one inaccuracy:
> Back then, everyone had a landline, but people in the public eye kept their phone numbers out of the Yellow Pages.
The Yellow Pages were for company/business numbers, the phonebook (or part of the phonebook) with the personal phone numbers was plain white. Makes me feel old (and wonder how young the author is). Or is "keeping your number out of the Yellow Pages" a commonly-used expression I'm not familiar with?
Sun Microsystems developed a directory service now called "Network Information Services" (or NIS), however it was originally called "Yellow Pages".
They obviously didn't realise that the "Yellow Pages" were already a thing, so they renamed. All of their commands still begin with yp (ypbind, ypcat and others from what memory serves)
Yes. If you grew up before the web took off, you knew all about the Yellow Pages. Every year, a White Pages (direct listing, split between residential and commercial) and a Yellow Pages (business ads by category) landed on your doorstep. In the larger cities, these could be quite hefty.
If I recall correctly, the yellow pages was a hip way to refer to the entire telephone book, because it had yellow pages in it, and most other books did not have any yellow pages.
The phone book had 2 parts: the white pages, the front part, which was everyone, by default, and the yellow pages (the 2nd part), which cost money to put your business name in (with more money, you got a large ad with graphics)... you could pay $1 to keep your name out of the white pages...
Depending on where you lived, the white and yellow pages might be separate books or combined together. In big cities, they also made good impromptu booster chairs. I still receive a combined yellow and white pages each year but it's about the size of an old Reader's Digest now.
You are correct on both counts. "Yellow Pages" was a registered trademark used in many countries for business phone numbers. Phone books also had literal yellow pages with business phone numbers and advertisements in them. It was also a colloquial term, at least where I am from (Midwest, USA), used to refer to the entire phone book.
It's funny how these weird pieces of knowledge stick even with almost zero exposure. Every time I got a phone book or yellow pages dropped on my doorstep in some flimsy transparent bag, I'd throw it directly into the recycle.
You are correct. Here in the US we had the White Pages for individuals. The Yellow Pages were for businesses only. Both were massive tomes and roughly the same size.
Yeah, this caught my eye as well. Anyone who grew up getting these enormous tomes on their doorstep knows that the white pages were for looking up girls you liked, and the yellow pages were for pizza.
In the UK it was called "ex-directory", I guess short for excluded from Directory. In the 90's British Telecom, the de facto telecoms provider in the UK, introduced a dialup service called Phone Base. Can't find anything about it online except this reference (https://www.lawinsider.com/dictionary/bt-phone-base), but it was possible to dial up, put in wildcard generic strings, select a dialling code and download massive tables of names, addresses & phone numbers.
Natwest around the same time also had a dialup system, where you could do banking transactions over a dialup modem. It worked on the pretense you knew the account numbers you wanted to shift money to; its main security was the bank transfers were done offline, then their app, a frontend for a DUN terminal, uploaded the batch of bank transfers and then logged off within 30 seconds or something like that. Now it was possible to access the Natwest system without using their frontend app on Win95, and just dial in and make the transfers yourself; your only constraint was the time limit and having a password to access the system in the first place. Security wasn't their strong point from what I could tell.
Same in Sweden, the Yellow Pages were the business part of the phone book. I wonder how this international alignment happened or if it's just the natural way of coloring phone books.
In the Netherlands they were separate books. The phone book came from the phone company and just listed all non-secret phone numbers. The "Gouden Gids" (it did have yellow pages) was from a separate organisation and listed all businesses in the area.
Yeah, in my family no one ever made a distinction. You'd look someone up in the yellow pages, they were all in the same stack, and only a prig would correct you, "you mean, look him up in the White Pages".
In the US, we said "the phone book" to be generic. The specific books were always specific.
As in "Did you look him up in the phone book?" which might be answered "I couldn't find him in the White Pages, but the phone's probably in his mom's name and I think she has a different last name, so that might be why. I think she has a business but I don't even know what industry so the Yellow Pages don't help here."
Also Canada, "yellow pages" referred specifically to the business directory and not the rest of the phone book. "White pages" was the residential. And, wait for it, "phone book" was used generically or to refer to the whole thing. YMMV.
It’s an interesting discussion. I’m fairly certain that the yellow pages only referred to commercial listings in the US, but I don’t recall anyone saying "check the white pages" for a residential number in the states, so maybe it was a colloquial misnomer.
I guess I'm too young, but I always feel a little weirded out that yellow pages just had everyone's name and number, publicly available to everyone.
That's... not very private?
When Terminator wanted to find Sarah Connor, he just went to the phonebook and found her. (Well, all the other Sarah Connors, anyway.) Nowadays, he would need to get into Facebook HQ first!
> but I always feel a little weirded out that yellow pages just had everyone's name and number, p
That was the white pages, not the yellow pages (which were paid advertisements).
White pages had name and number for every customer, typically you were in there unless you opted to have an unlisted phone (and paid an extra fee for that, most likely).
The thing to think about is this is pre-internet technology for finding how to contact someone. There were reverse listing books too but not generally available (given a number, who owned it).
These pages go back to pure analog telephone systems (no caller ID, no call-back, no voicemail, nothing). Oh, and in some places it was common to share a number between multiple houses (party line).
I suspect you're being downvoted because you call it the yellow pages but the yellow pages were where businesses were listed by category (eg Dry Cleaners or Orthodontists). Individuals and businesses were listed alphabetically by name in the white pages, so the terminator looked Sarah Connors up in the white pages not the yellow pages.
The interesting bit is that this even translated to other languages. In Germany the "Gelbe Seiten" (literally yellow pages) was the commercial listings and the "Telefonbuch" (telephone book) was for normal numbers.
I wonder if this is related, specifically the origin and use of the term in the 1890s - it somewhat connects as to why yellow paper was used for advertising, perhaps?
https://en.wikipedia.org/wiki/Yellow_journalism
Possibly unpopular view: social engineering is not hacking. It is conning. People have been doing it since the beginning of time and one can do it with very little technical skill. It's an insult to those who work hard for deep knowledge and technical ability, to call social engineering "hacking".
Not sure how it's an insult. It takes the same amount of skill, practice, and hard work, if not more, for someone to become good at social engineering. Those two are two orthogonal skills, and one is not necessarily better/harder than the other.
To be honest even I didn't have a high opinion of social engineering conmen, until I watched "Catch Me If You Can" and read about Frank Abagnale[1].
That said, most of the big hacks do involve a social engineering angle. It's a cocktail of tech hacking + social engineering + good old plain con.
Abagnale gave a Google talk too. But the last thing I read on the subject (I forget what, sorry) suggests it's most likely he just made most of his life story up.
I would say it takes next to no practice or hard work at all. That's the problem with putting it under the "hacking" umbrella term.
Anyone can send an email with a link, chuck some USBs in a parking lot or pretend they're an employee at a company. All you need is one curious or lazy employee.
Sure it has its uses but to compare it to hacking is ridiculous and tbh the only reason I think it is done is because back in the day hacking contests were completely male dominated and they had to save face.
But dropping USB sticks or sending phishing emails (which could just as well be called technical hacking btw) is not what social engineering is about.
That's like saying running a brute password cracker or port scanner requires no skill or hard work at all, so lumping software work under hacking is really an insult to all the "real hackers" (whatever real means).
Social engineering often requires you to get someone else to do something that they should not, don't want to and often are trained not to do. Very often in direct interactions, not only is it hard (depending on target you might also need a lot of background knowledge, needing significant prework), but it typically involves much higher direct risk (which makes it even harder).
> Anyone can send an email with a link, chuck some USBs in a parking lot or pretend they're an employee at a company. All you need is one curious or lazy employee.
Yet when you receive a phishing email, you can usually find clues it's not legit (such as typos). It takes craft to make a convincing one. Pretending to work somewhere sounds even more hacky: I for one would certainly not be able to do that, and I'm sure many fellow hackers (in the broad sense of the word) are in the same basket.
Understanding human systems to infiltrate an organization is pretty much like reverse-engineering. As someone who's not practicing either, I would say social engineering looks even more complicated for one reason: when you're reverse-engineering a program/API, you usually take some steps to protect yourself. Either you run the program on an isolated network, or you borrow someone else's network (VPN/Tor/etc) to attack an API.
When you're attacking a corporation via social engineering, you're on the front line smiling to the people at the front desk asking why your work badge isn't working anymore or pretending to be the toilet repair crew. Every probing step you take can unmask you, and the consequences of that can be much more quick/severe than if you leaked a random IP address trying some weird request.
> I for one would certainly not be able to do that, and I'm sure many fellow hackers (in the broad sense of the word) are in the same basket.
If you can recognize them easily, then you could create them easily too.
The problem isn't acquiring skills or knowledge, it's having weak morals and being desperate.
It's an insult for a very good reason: Con men are dangerous. In the same way actual hackers see computers as targets, they see people as targets, not as human beings. They usually end up with some degree of psychopathy.
> Possibly unpopular view: social engineering is not hacking. It is conning.
"Conning" is just hacking systems consisting of one or more people.
> People have been doing it since the beginning of time and one can do it with very little technical skill.
People do other kinds of hacking with very little skill and a few focussed tricks (often borrowed from others), too. OTOH, deep knowledge of social systems allows doing original hacks of more complex social systems with greater theoretical safeguards (often, they are just as weak if you can identify the right point of attack, but that's where the knowledge comes in; just as with systems composed of things other than humans.)
> It's an insult to those who work hard for deep knowledge and technical ability, to call social engineering "hacking".
As a counter argument, social engineering is hacking through a different interface. You're still exploiting vulnerabilities, but in a low-tech, process-based system. But I agree that we should use different terms.
Good social engineering is a lot harder to do than 90% of online hacks, which are generally just skiddies downloading some PoCs from GitHub and spamming them until they get results.
The Project Zero and APT type stuff that hits the news is the exception, not the rule, which is why it hits the news in the first place.
False. Social engineering has the same equivalent concept of script kiddies, just con artists who are reusing well-known types of patter/cons to be able to exploit age old evolutionary psychological vulnerabilities in humans that unlike computers, we are not able to easily patch.
The hidden assumption here is that only "technical" skill counts. It's a skill. It's a difficult skill to master. And it is certainly an "insult" to dismiss it like you do here.
This may be a generational thing, but most IT security even a mere 20 years ago focused heavily on the human elements. Networks were different back then and people were far easier to dupe. You usually had to be on site to gain access to anything interesting. The social engineering tricks people roll their eyes at these days were invented back then for this purpose. Hacking is a broad term with deep roots. Let’s not gatekeep it too hard.
I was with you until the last sentence. They're very different skills being conflated because the end result is similar from a narrow view (and because "we got hacked (via social engineering)" sounds better than "we got conned"). But one is not inherently less difficult than the other. It's just inaccurate and kinda misleading to call one the other, not an insult to anyone.
Yes, I mean, if you consider hacking to be purely technology based and not about, in part, accessing forbidden systems or manipulating components of the system to perform unintended functions then you may be right.
I would argue that the combination of the two skills is what makes a hacker like Thunder particularly scary. As a general rule I would say that most folks who are technical in a hacking capacity would struggle to learn social engineering and vice versa.
The nice thing with this particular website at theverge.com is that it is not scrollytelling, as it does not mess around with scrolling. That is: Nothing is moving while you scroll. Images got faded in when scrolled to (looking like good old lazy loaded images, but with intention). Maybe we could agree to call this layout a very gentle form of scrollytelling. As somebody who does not like scrollytelling so much, I really like the beautiful layout of this article.
For more detail: the 'with intention' part is using an IntersectionObserver[1] to toggle image opacity, via CSS style, when the image enters the viewport.
So the effect repeats as you scroll through the document, even after the images are first lazy loaded.
I think your definition of storytelling is too narrow. When I took “storytelling” as a university class 20 years ago it had nothing to do with having moving parts on a website, but the concept is the same for both this article and interactive articles. Storytelling is simply a tool that enables you to tell and present a long story in a way that makes people read all of it. I’d say this article succeeds as much at that as an interactive article would.
Interactive? Perhaps it's just me, but I can tell you that to me the page was a series of sections with a lot of empty space between them and it was rather hard to read. There were some extracts on some neat ribbon-looking things as if they were lifted from newspapers, but 90% of the article was just... white.
In a way, if it is supposed to be interactive, this is a great success from my point of view. Despite being interactive, it's not an article as an application type deal where no content will load without 10 XHRs and 15 JS scripts. It's a fully working article, whether you look at it on a macbook screen or telex paper.
EDIT: Just went and printed it out.
elinks -dump <url> | lpr.
12 sheets A4 with a reference list for visible links and all. Looks good and reads better.
Does not need to be. uMatrix blocks the loading of the majority of the photos and keeps them white. Even better, render the article as text and you get rid of the garbage:
elinks <url>
Personally I even tested printing it out as plaintext
elinks -dump <url> | lpr
12 sheets of A4 with a reference list at the end listing all the links on the page and what they point to. Beautiful article, good read.
It's great design when a telex machine can read your article as well as a modern HD screen. It's odd design when the telex becomes better at doing so.
Some people (like me) apparently block too much JS for it to become interactive. I just read long paragraphs of text, as it should be. There were huge gaps between the text and I tried enabling cloudflare to see if there were images there but I wasn't that interested to make the gaps appear.
IIRC old telephone lines used to work without electricity; not sure if they’re alluding to that. I don’t know how much the modern cellphone infra is grid dependent.
Landlines are still independent of the electric grid . . . that is not quite the same as saying "work without electricity" as they most definitely do work with electricity. The power is provided by the phone line itself, however.
Abandoned by her father and abused by her step-dad, I'd say she did alright for herself and didn't become too evil. She skirted the edge without going over for the most part afaik.
Once again, the media trying to pass someone with social engineering skills as a hacker. You might as well call it Lying engineering, those people are just good at lying and manipulation, for me, hacking is another entirely different activity.
Also she ratted on Mitnick, those people are called informants, not hackers.
For me the anarchist in 'the anarchist cookbook' and newsletters that were spread via BBS and early internet capture the hacker (as in 'hacker news') spirit quite spot on. Haven't we come full circle with social engineering being one of the main digital crimes? A good pentester has good social engineering skills. I expect a 'hacker' not to have too much in common with a 'con man', but a 'con man' with technical skills or interests seems to fit with 'hacker'? It's all loose categorization based on stereotypes anyways.
it does fit a specific definition. it manipulates to get information. hacking manipulates software to get information they would not otherwise have access to as well.
> When she was asked to tell a lie, she would tell the truth. When she was asked to tell the truth, she would lie. She manipulated her breathing, balled her hands into fists against the chair, and pressed her feet hard against the floor, causing her hands to sweat and her blood pressure to spike. The polygraph test was inadmissible.
This is a tangent but it's mind-boggling that this piece of pseudoscientific garbage [1][2][3] is still used by supposedly legitimate government agencies.
I have no opinion on Rittenhouse, but I watched his trial as a non-American for the show.
It was mind-boggling, to me, the argument on the iPad zooming feature[1]. This was three people — with no technical knowledge at all — arguing about a technology which, ultimately, could influence the rest of the life of a fourth person…
How often does this happen and is not recorded by a camera?!
Especially the "I have no idea what I'm talking about, but you should take my argument seriously anyway" that the defense started with in that video. The prosecution should have eviscerated that argument.
Having spent many years in court, this shit happens all the time. Experts will testify to some incredible bullshit, and even in the face of objections by the defense, the judge will often be technically bamboozled and allow the bullshit to stand.
Almost all lawyers and judges that I've met have no computer expertise.
> As for the woman on the other end of the line, she seems concerned with statutes of limitation. She’s married now and lives a quiet life in a large Midwestern city, collecting coins.
https://archive.org/stream/8BBSArchiveP1V1/8BBS_Archive_P1V1...
Seems it was digitized from dot-matrix printout by a packrat/historian who got the logs alongside some old gear they were buying.
http://silent700.blogspot.com/2014/12/is-this-something.html
Found this while poking around. Seems someone representing their self as one of the DEC employees that ran 8BBS dropped a short message about it on everything2 back in 2006.
https://everything2.com/title/8BBS
https://everything2.com/user/FTCnet
And here's a 1987 interview with the Tuc that acted as the contact at the beginning of the article.
http://protovision.textfiles.com/phreak/tuc-intr.phk