An open letter on Social Engineering

Alright, if you guys have followed all the links to here, you’re apparently interested in hearing me say things, god knows why. So, we’ll say a few more things, just on my read of how this went from a social standpoint this year. Needless to say, the puzzle was fantastic as always – awesome job, 1o57, and please don’t think of any of this as incriminating. we have deep respect for what you do, we just wanted to share a concern. And Thor – same goes, deep respect, despite you being just a little bit a flaming douchebag at times; we wouldn’t have it any other way.

But social engineering. This seems an acceptable practice for the competition spirit of the challenge – veterans who are fighting tooth and nail for every inch of ground they can get. It’s a struggle, we lose sleep, we skip meals, and barely hit our 3-2-1 (note also that we finished the puzzle WAY after council, so we can hardly talk). We expect Thor to lurk just over our left shoulders and ask us how far we’ve managed to get every ten minutes while we’re neck-and-neck, or he thinks we are. It’s how it works, and we’re not butt-hurt. Council beat us by a good 30 hours anyway, so Thor could probably have stayed home and we still would have been whomped – those guys just beat us that hard.

However, the badge challenge isn’t just that – or at least, it isn’t presented as just that. It’s presented as a community attractor, a gathering place, and a way of bringing together the skilled and the curious. The idea is crazy noble, and we love it. But this sort of goal ensures that those new to the challenge approach it with a sort of wide-eyed credulity that they likely intended to leave back at their homes when they came to a hacker conference. It makes them trust people.

There are those in the veterans camp that will take advantage of that trust. False pages by opponents are one thing, but we encountered Thor (sorry to call you out on this – you’re not the only one on this, just the most obvious) claiming to many newcomers to be 1o57’s assistant, and not competing in the challenge this year. That was a claim that was reinforced by 1o57’s clear genuine friendship with Thor. He took advantage of this to more seamlessly harvest information and ideas from the newer teams to edge a bit further in the game, and to misdirect many when they started getting far in.

Others went as far as to set up multiple layers of information sharing services – one for ‘genuine’ team members, and a second for a weird sort of provisional team member. People who were apparently intended to believe that they were on the team, but with the intent of farming ideas and information gathering from arm’s length.

Much of this soured at least a few people’s opinions of the badge challenge, and we worry it soured some on Defcon as a whole. That’s a pretty twisted result for something that starts so cool and inclusive. Maybe it’s not a trouble for many, but maybe it is, and that’s concerning. Social engineering is fine as a mode of engagement, but when dealing with new folks not familiar with the rules of engagement, it risks sending the message that our community is toxic. I sincerely believe our community is not toxic, not even close – everyone I’ve met is great, I’d just like all the new people to get a chance to see that too.

Thanks everyone, we had a great Con. We hope everyone else did too.
See you next year. Count on it.
-Metric

Advertisements