Talk:Social engineering (security)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Jablestech (talk | contribs) at 22:05, 17 December 2015 (→‎Bogus listings). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

WikiProject Computer Security: Computing (C-class, High-importance)
This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-class on Wikipedia's content assessment scale.
This article has been rated as High-importance on the project's importance scale.
This article is supported by WikiProject Computing.

limits

All this talk on changing the category, and nobody's done it yet? I'll gladly volunteer. 65.9.221.117 19:48, 24 September 2005 (UTC)

Isn't social engineering more than just getting them to reveal sensitive information? Isn't getting them to do something other than that also social engineering? Example: I call up blockbuster, pretend to be another store, ask them to remove my balance, and they do that. That's social engineering ne?

Yes! Absolutely! Obtaining sensitive information is but one goal, albeit typically the end game of social engineers who are being paid to do their thing. Social engineers, in general, will use deception, guile and bravado (a.k.a. "cojones") to get their marks to reveal sensitive information directly OR unwittingly provide access to such information, for example by loading a Trojan. If the 'sensitive information' includes, say, the ROOT password, well, you can see where I'm heading. "All your base is ours". [NoticeBored]

My concept of social engineering goes beyond just computer security, but security in general. The computer is merely the means to access some information, or the means to perform some action. Replace the computer with an entry porter, or the secretary to a company, or someone's PA and social engineering would apply just the same. As the first comment in this section, I therefore believe this article is too limited. What do others think? -Wikibob | Talk 04:16, 2005 Jun 18 (UTC)

Yes again! Sales reps, as a breed, are consummate social engineers. So too are three-year-olds (trust me, I'm a parent). Aside from dealing with family friends, a good proportion of human communications could be classified as social engineering in the widest sense. Politics and sales especially. [NoticeBored]

As mentioned above Social Engineering does not just apply to computer Security. And let’s not mix social engineering with manipulation. Three-year-olds are not social engineers; they manipulate. There is a dim line between manipulation and Social engineering, but it is there. Social engineering on the other hand is a means to something else, it is a "planned" process with a "specific" goal to circumvent protocols, i.e. to gather intel for later use in stealing data (Computer Security), or pretending you are another Blockbuster store to clear out a balance is using social engineering to commit fraud. Social engineering should stay within the category Security. Protocols are your processes for protecting what is yours. I.e. that the engineer not discuss cost of a project with a sales rep. or employees never give out their passwords.

I think we're basically in agreement here, but with slightly different perspectives. To you, [psychological] manipulation is not social engineering, but to me it is one of many techniques commonly used by social engineers to get their own way with other people. Others include pretexting, bravado, assertiveness/aggression, appeals for help, straightforward lies and more. Three year olds use many of these techniques very effectively to get what they want from adults, so in that sense they are consummate social engineers. I agree they are not hackers, and I'm deliberately not restricting this to social engineering in that more limited sense because I believe there is value in considering the wider breadth of social manipulative techniques. If Wikipedia only puts across the myopic view of social engineering as a hacking activity, readers may remain oblivious and hence highly vulnerable to these other aspects. NoticeBored (talk) 03:36, 19 August 2010 (UTC) PS Please sign your talk page comments so we know who we're talking to.

Cryptographic attacks

Is the category:Cryptographic attacks really suitable for this? --Easyas12c 09:43, 25 Jun 2005 (UTC)

I don't think so. I made the translation to the Spanish version and labeled it Categoría:Seguridad informática. I think it should be changed to "Computer security" instead, although it's applicable to every security facility, just as said above. --Endo/Spanish Wikipedia
Endo 22:58, 18 August 2005 (UTC)

Scope?

Social engineering is also used for non-computing, it's limitless in its boundaries. Many a stalker or sociopath has used social engineering to get into the life of their victims to create a similar lifestyle from which to "be" the victim. —Preceding unsigned comment added by 142.166.146.178 (talk • contribs) 22:28, 15 May 2006 (UTC)

Yes, social engineering is definitely more than a computer security issue. (I've done it offline on several occasions — we all have at one time or another.) Perhaps this should be moved to Social engineering (psychology) or some-such. æle  2006-05-24t23:51z

"Help stop misinterpretation of phrase “Social engineering” in Wikipedia"

The phrase “Social engineering” is misused in wiki. But it should be used in positive sense. There is a Wikipedia page on it. The wiki page is given below: http://en.wikipedia.org/wiki/Social_engineering_%28security%29

This phrase is described in wiki as: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals.”

Why the phrase “Social engineering” should not be misinterpreted? The phrase “Social engineering” consists of two positive words such as “Social” and “Engineering”. Social means:
a) Relating to human society and its members
b) Relating to or belonging to or characteristic of high society
c) Composed of sociable people or formed for the purpose of sociability
d) A party of people assembled to promote sociability and communal activity

And engineering means:
a) The discipline dealing with the art or science of applying scientific knowledge to practical problems
b) The practical application of science to commerce or industry

Good + Good : Good. So two good words combined together to make a phrase denotes good qualities. Therefore, “Social Engineering” phrase should not be used for psychological manipulation of people into performing actions or divulging confidential information.

What should be meaning of the phrase “Social engineering”? The phrase “Social engineering” should be well utilized to focus the following:
a) Society building techniques
b) Motivating people to become great
c) Inspire people to learn, work, well behaved, social etc
d) Break the negative thoughts and barriers of people
e) Improve performance of people
f) Great human society building
g) Solve social problems
h) Scientific methods for human social evolution
i) Find out how negative minds can be transformed to positive minds
— Preceding unsigned comment added by 58.137.200.27 (talk) 07:47, 8 June 2015 (UTC)


"Social engineering"

Isn't Kevin Mitnick the person that coined the phrase 'social engineering'? --Abdull 19:29, 16 Jun 2005 (UTC)

I think the term was originally used as a pejorative term for legislation intended to change people's attitudes rather than supporting existing attitudes. For example, an anti-communist might have referred to the USSR's efforts to develop the new soviet man as social engineering. Vice laws might qualify, since they are intended to apply the values of one part of society on an entire society.


Mitnick did not originate it -- he popularized the term but it's been around longer than he has. It's also known as pretexting. 24.126.126.105 04:43, 18 September 2006 (UTC)

Perhaps I'm talking to myself, but I had fun writing it...

It's unfortunate that someone has been able to co-opt a perfectly good/legitimate concept and apply it to the act of deception in order to give it some aura of legitimacy and status. I'm not sure which is worse - the lack of imagination demonstrated by authoritative professionals and thought leaders in a position to offer jargon in the world of technology, or the intellectual laziness on the part of those who misuse this and other terms so willingly. Mangling the language is another form of social engineering - right speak spoken here?

Intellectuals, heal thyself!

From Wikipedia... Politics and the English Language (1946) is an essay written by George Orwell in which he criticizes "ugly and inaccurate" contemporary written English and asserts that it was both a cause and effect of foolish thinking and dishonest politics. He calls "vagueness and sheer incompetence" the "most marked characteristic" of contemporary English prose and especially of the political writing of his day. The essay also criticizes contemporary writers for preferring the abstract to the concrete, claiming this reduces precision of thought. He notes that insincerity is the enemy of clear prose and that much contemporary political writing was in defence of the indefensible. Orwell argues that, in addition to being aesthetically unpleasant and disingenuous in its discussion of politics, bad writing is morally wrong.[1] Orwell "believed he was [morally] bound to give as much of himself to his writing as he could" and so "drove himself relentlessly" to avoid the kind of bad writing he describes in the essay.[2]

Orwell asserts that the English language is in decline, but that the decline is reversible. He gives five examples of bad contemporary writing and criticizes them for "staleness of imagery" and "lack of precision." The essay describes the "tricks" his contemporaries used to avoid the work (and thought) of constructing clear prose: overused (or "dying") metaphors, "operators or false verbal limbs" that were used in preference to simple verbs, pretentious diction and "meaningless words." From: http://en.wikipedia.org/wiki/Politics_and_the_English_Language

Close Ties to Con Artistry

Social Engineering does have close ties with conning people out of, say, money. Rather, it's for information. Getting something for nothing or very little is a big part of social engineering, similar to cons.

Also, here is another thing to consider... A person who has interests in something can obtain parts of that information from one individual, and another, and another, then put the pieces into perspective, while confirming with others, the big picture can be formed, when the single individuals might find it trivial amounts of data.

Just my two cents. (Unsigned)

You're certainly right, however the term "Social Engineering" at least in the last 10 years or so, has more been linked with computer fraud, hacking and various techniques used for information gathering. What you DO with the information (theft, fraud, whatever) does not matter or really even apply to the term - it's just the collection of techniques used to get the information. 24.126.126.105 04:20, 27 September 2006 (UTC)

Guys, guys! Social engineering is a term much older than 10 years and much much different and broader than hacking or anything related to computers. It is a concept in the field of politology and sociology and refers to "initiating/making a deliberate transformation in society". In this sense what Hitler did with the German people before WWII is a perfect example. But Social Engineering doesn't have only negative meaning. I kind of represent an organization, whose name is Alliance for Social Engineering and the mission of it is to initiate positive and desired transformations in the society.
Andrey, Bulgaria —The preceding unsigned comment was added by 213.91.242.67 (talk • contribs).

Yes, that's called Social engineering (political science), and is not this article. McKay 19:52, 19 December 2006 (UTC)

Add Pretexting by Police

I am the person who has twice tried to add a paragraph on pretexting by the police. It read:

"Some pretexting comes from where you would least expect it - the officials who are supposed to protect you! In California, many police departments send out computer-generated red light camera "tickets" that have not been filed with the Superior Court and thus have no legal weight. The intent is to bluff the registered owner into contacting a website, or writing back, and revealing the name, address and driver's license number of the person who was driving the car. Fake ticket"

The first person who removed it explained his action with this note: "remove opinion and rant without references."

His short note seems to make three assertions. That the article is not factual ("opinion"), that it is a rant, and that it is without references. To him:

1. It is factual, albeit something that you didn't know about before. (But learning new things is the purpose of reading an encyclopedia, isn't it?)

2. A "Rant" is "loud, wild, extravagant speech." My paragraph doesn't begin to qualify.

3. The link given at the end of my paragraph refers to a large website with a full discussion of the fake tickets, including images of examples from four cities. —The preceding unsigned comment was added by 71.116.129.206 (talk • contribs).

So, now that you've talked on the talk page and defended yourself, I'm going to add my rebuttals:
  1. Highwayrobbery.net isn't notable. Google("link:highwayrobbery.net") returns 25 results, 10 of which are either Wikipedia (or derived from it), or are from the site itself. This leaves 15 links. I'd prolly put that at a non-notable level.
  2. Now that I've read the content of the page, it's interesting and helpful information, but it is Original Research, which is frowned upon in Wikipedia.
As a summary, I don't think that there is a problem with the content, but I think that we should find a better source than the one provided. McKay 13:11, 28 September 2006 (UTC)


While I'm certain your claim is legitimate, that's not the problem with your entry here. Your entry is specific to abuse of power by the police and more appropriate to something dealing with that (e.g. Police abuse of authority or something). It's kind of like discussing how you painted your house under the paint topic: yeah they're related, but someone interested in paint and what it is is not likely interested in your specific experience. Check out: Police#Ethical_issues_related_to_police to see what I mean. There is a whole area devoted to that topic and your reference to phishing and pretexting would make a lot of sense there and probably open up the minds and eyes of a lot of people who would never look up this stuff normally. 24.126.126.105 20:15, 7 October 2006 (UTC)

Five years have passed, it is now late 2011, and I have re-posted the entry. Response to Rebuttal # 1 from 2006, above: highwayrobbery.net, while still the premier website (whether for profit or not-for-profit) about red light camera tickets in California, is not a major city daily newspaper, so probably never will be immune to "not notable enough" criticism from people who have not read the site. Response to Rebuttal # 2, above: The information first published in highwayrobbery.net in 2006 is now confirmed by major media investigations, three of which are given as references in the new entry. To the suggestion that my entry should not be here but in the article about police misconduct, I paraphrase the person who made that suggestion: This entry will probably open up the minds and eyes of a lot of people who research social engineering but who never would go to an article about the police because not in a million years would it occur to them that the police could be engaged in social engineering. (The people who criticized my entry most likely did not know about Snitch Tickets until they read the entry.) Much of the value of the 'Net is in its ability to provide viewpoints and facts not available in the general media. The unexpected. My article presents information that might well be expected by the skeptics reviewing an article about police misconduct, thus of little value, but that same information would be a significant reality check in an article like this one about social engineering, where conventional thinking expects only the "bad guys" to be featured. Einsteininmyownmind (talk) 05:30, 19 November 2011 (UTC)

In Government Health Solutions...

In Government Health Solutions we encounter Social Engineering tactics as a means for unsubs to gather information on Medicaid or Medicare clients for purposes such as identity theft or locating abducted children. While it is true that some use Social Engineering in attempts to access our systems, the majority of violations occur over the VOIP.

This topic should include discussion of Systems Security, but I would hesitate to merge them.

(unsigned)

What is unsubs? Einsteininmyownmind (talk) 16:31, 20 November 2011 (UTC)

Personalities

Social engineering is used primarily, but not exclusively, in a hacker context. It would be a good idea maybe to include a section of famous social engineers, i.e. Mitnick, Archangel, Desperado, and Frank Abagnale... Chahax 21:06, 7 March 2007 (UTC)

Quick question regarding Archangel. His nickname was "The Greatest Social Engineer of all Time", and I'm having some trouble expressing that. I can remember him being called that on the radio and a lot in the newsgroups. I know the guy used to have a website, but I can't find it to cite it. Anyway, I keep changing the text attempting to satisfy, but I'm not having much success. Would it help if I simply spelled out that it was a NICKNAME, that I'm not trying to say he was ACTUALLY the greatest social engineer of all time?

Would it help? Yes, because saying that he is the greatest social engineer would be very hard to WP:VERIFY (see WP:PEACOCK). But in order for the nickname to remain, we're going to need a verifiable source. McKay 13:29, 12 March 2007 (UTC)

Whoa, somebody deleted the whole thing!...it's one thing to debate about the nickname, it's another thing to wipe out the entire entry. Chahax expressed that it was a nickname and provided a reference, that should be good enough for anyone, and is certainly more documentation than is given in other questionable parts of the article. Paste a "citation needed" tag if you feel that way, but you can't delete the entire entry, that's vandalism. I'm replacing the entry. If it is removed again I'll take this up the ladder. Vandalism and edit wars won't be tolerated! Sue Rangell 18:55, 12 March 2007 (UTC)

Thanx for reverting it. I never could stand Archangel either but deleting the entire section was a little overboard, after all I did find very good verification of the facts, plus stated that it was a NICKNAME. For those who weren't around then, the nickname wasn't meant to be complimentary, people called AA that because they thought he was full of BS! I won't get into an edit war over it though. If it happens again I'll just go to an admin. Chahax 04:42, 13 March 2007 (UTC)

I linked Archangel to the phirm wiki (Basically because it needed to be done), but I can't find the website either. I remember it had something about the feds in it, but I don't feel like wading through 7000 usenet posts about Archangel to find it. Does anybody know the website offhand? Sue Rangell 19:53, 12 March 2007 (UTC)

Vandalism is putting a bunch of irrelevant information in the front of a definitive article on a subject. If you want to build a pillar to "Famous" Social Engineers, create a page but don't keep adding lines of text that have nothing to do with the subject, especially before the term is defined. It's like talking about famous painters under "paint" before paint is described - it doesn't make sense. Sorry if I deleted your paragraph prematurely, perhaps quick on the draw before I saw that (gasp) someone is using talk in the SE page - but I wrote most of this article and am used to cleaning up (see past edits). 76.80.8.65 07:15, 13 March 2007 (UTC)

You say you're sorry for deleting his paragraph, but then you went and did it again anyway. A list of prominent social engineers IN THIS ARTICLE is extremely important. You didn't move the name elsewhere on the page, you moved them straight OFF. Finally you claim you've written most of this article, yet this is the first time your IP has appeared here, and even if I were to give you the benefit of a doubt, I would point out that this article is not your own private sandbox to do as you please. Deleting very important and relevant information is VANDALISM, especially since you have apologized for doing it once already! Sue Rangell 17:52, 13 March 2007 (UTC)

I wrote the entry after making the change, thus the disparity. No offense was intended, please don't read into it more than that. In any case, the biggest issue with the recent changes is that the writer is confusing Social Engineering with Confidence Tricks and hijacking the opening paragraph with homages to people he likes. It's irrelevant to the article. What might you suggest in this case dear Sue? As for authorship, I prefer to remain anonymous and change my IPs regularly - note that most content comes from anons. 63.138.87.171 20:49, 13 March 2007 (UTC)

Pretexting

Speaking of websites, there is also one out there about pretexting which lists a lot of people who did it, but I can't find it via Google.

Does anyone know the site I'm talking about, and the URL? Sue Rangell 19:59, 12 March 2007 (UTC)

Pretexting is pretty common in many industries and being that fame impacts an individual's effectiveness, it's unlikely that anyone good at it would tout their ability. Fourteen year old boys with a lot of testosterone, poor social skills, pallid skin and lots of black clothing are typically quick to claim themselves as "the best." Getting poor suckers through a Motel 6 auto attendant to believe you're the front desk & give you a credit card number is truly beginner's stuff. Don't you believe it - the best you will rarely hear of, if at all. 76.80.8.65 07:05, 13 March 2007 (UTC)

Edit War Prevention

I have moved the notable social engineers to their own section, below the explanation area per request. I hope that this solution will satisfy all parties involved. I really do. The whole thing seems more organized and readable too. Sue Rangell 20:10, 13 March 2007 (UTC)

Great move, but was Pappy a Social Engineer or a Con Artist? Per the description of both I'd say he was the latter. SE typically has an end result of information systems access, otherwise it's just a con - no? What would you use as the defining factor between the two? 63.138.87.171 20:54, 13 March 2007 (UTC)

Good question. Certainly it seems that the qualifier should be an access to some type of information. It might be a good idea to add a citation request there. If a decent citation cannot be provided, my vote would be to remove the Pappy Boyington reference. Since he was pre-computer age, I don't see why he should get his own blurb in any event. Sue Rangell 21:22, 13 March 2007 (UTC)

Sue I disagree with your view about Pappy Boyington, but I'll go along with it, and here is why- I think you did a hell of a job preventing an edit war between 65:138.87.171 (or whatever) and myself. I tend to get a bit passionate about things I love, and I suspect my counterpart is much the same. I never meant to rock the boat so I will let cooler heads prevail and take a back seat on this issue. Your solution is very acceptable, thank you. -Chahax

social engineering of social engineers

Should it be mentioned that even people who social engineer other people for a living aren't immune to social engineering? (I.e. nobody is 100% immune to social engineering) Some people spam the spammers and make them do silly things like balancing a loaf of bread on their head (by social engineering them) as seen on [1]. --Soylentyellow 21:23, 20 May 2007 (UTC)

if it can be added in an attributable manner. McKay 14:48, 22 May 2007 (UTC)

Bogus listings

Someone keeps putting in a reference to 'Archangel' - A hacker I guess, but the references are bad and no real name is used. I deleted it after I could find nothing on this guy at all in regard to Social Engineering, much less any cite-able reference to "Greatest social engineer of all time." Anyone have comments? Lexlex 04:26, 27 July 2007 (UTC)

Archangel is part of the Backtrack team. The reference I imagine is bogus. He is quite a bit less notable than Kevin Mitnick, Badir Brothers, Christopher Hadnagy, Mike Ridpath, and Steve Stasiukonis. I hope someday Mitnick, Badir brothers, Hadnagy, Ridpath and Stasiukonis can do a panel live for our security conference in Australia called Ruxcon. 05:09, 13 September 2011 (UTC) — Preceding unsigned comment added by 76.22.70.248 (talk)

Agreed, each of those listed above minus the Badir brothers are speaking at most security conferences, just never together. Readded Ridpath and Badir brothers; some people seem to have deleted them. — Preceding unsigned comment added by 24.16.72.182 (talk) 00:52, 13 October 2011 (UTC)

As a true Social Engineer I have edited and removed a few people who have listed themselves by trying too hard - hacker names these are not real names of people and are not relevant. — Preceding unsigned comment added by 101.168.255.242 (talk) 12:58, 19 February 2014 (UTC)

Archangel has showed up once again. With a whopping 5 references. The first is a dead link, the next three cannot be verified, the last one links to a dubious website with conspiracy theorist connotations and no bearing on the subject except for the name Archangel. I will remove it. –08:18, 22 September 2014 (UTC) — Preceding unsigned comment added by 2001:67C:2564:A156:221:6AFF:FE65:7F6E (talk)

Readded Ridpath for his impressive work. Someone should update his wiki as I don't know anything else about him. — Preceding unsigned comment added by Johntame (talk • contribs) 21:45, 17 December 2015 (UTC)

Agreed Ridpath should definitely be on there. — Preceding unsigned comment added by 67.132.130.174 (talk) 21:54, 17 December 2015 (UTC)

I think this article needs a bunch of cleanup but also agree Ridpath should be there as well.

"Pretext" redirect and lack of disambiguation

"Pretext" redirects to social engineering even though it is a much larger concept than "pretexting." For example, a link to "pretext" in the Sept. 18, 2007 "On this day..." article on The Mukden Incident links here even though that use of "pretext" has no connection to social engineering. Turtle Falcon 02:25, 18 September 2007 (UTC)

Using social engineering on IT staff

Q. Does this count as social engineering? A hacker calls up the IT helpdesk of a major company and says, "Hi, this is Nathan Sanford in accounting. I forgot my password. My account is nlarson7." Then the IT guy says, "OK, Nathan, I've reset it to abc123." Captain Zyrain 13:24, 22 October 2007 (UTC)

A. Yes, that's a simple example. So too is someone pretending to be from IT and calling users to get their login details, or to download/install a Trojan or ..... NoticeBored 02:50, 6 November 2007 (UTC)

Trojan horse/gimmes

This section is misleading. A trojan is simply malware that hides in or poses as something else. If I write a bad program and name it MSWord2009.zip.exe and offer it to a less attentive distributor of stolen content that too would be a trojan. However the section talks only of email attachments which while Trojans are more commonly dealt with as "email viruses" as the aim of the attachment is to send itself out via email. --Lord Matt (talk) 08:08, 22 November 2007 (UTC)

Yeah, you're right. Although most use of the term 'Trojan' deals with email. You'll note that 'Road Apple' used to be a subsection of Trojan Horse until someone got confused and changed it. Why not re-write it? 76.90.12.243 (talk) 20:51, 6 January 2008 (UTC)

The "trojan horse/gimmes" part of this article sounds like it was written by a bitter IT support worker. I think it needs to be rewritten to remove the subjective terms that infer the stupidity of people that generally receive emails. Also maybe more examples than just email receipts of trojans as they are distributed in many more ways than just through email attachments and links. Danno81 (talk) 09:41, 29 March 2008 (UTC)

I have given the article a mild edit to try and cover what has been discussed here. I'll not be offended if you feel my work requires further work. --Lord Matt (talk) 15:35, 30 March 2008 (UTC)

No one in the computer security field uses the term "gimme" - it should be removed. --71.139.157.149 (talk) 19:12, 14 August 2008 (UTC)

I'm in the computer security field and I use gimme - and I hire people. If I'm interviewing you and you don't know what a gimme is, well I will assume your knowledge is pretty limited. Look up the term before rejecting it out of hand. Lexlex (talk) 14:06, 26 October 2009 (UTC)

Grammar

I absolutely hate it how stupid Americans say "them", when they are referring to a single person! --84.250.188.136 (talk) 02:56, 9 May 2008 (UTC)

Gee, you sound aggressive. So you're of the camp that would prefer "he/she"? This is a common written English problem of plurality, hardly American. A common "solution" has been to use "they" - and while not grammatically correct, it's certainly getting more common as usage. As a result, many people now use "them" as singular. It is what it is. It's not like everyone here is college edjumacated. By the way, what the hell does this have to do with Social Engineering? Lexlex (talk) 15:18, 9 May 2008 (UTC)

This is not an "American" issue really. It's an English language problem. English has no gender neutral pronouns (unless you think referring to people as "it" is acceptable) so using "they" or "them" is substituted to avoid the awkward "he/she" phrasing. It's not "proper" grammar yet, but it's slowly becoming accepted in everyday usage. --173.49.81.215 (talk) 19:57, 22 February 2009 (UTC)

GLBA

There's a paragraph in the GLBA sections that reads:

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal cell phone records on the Internet during Wednesday's E&C Committee hearing on “Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?”

On which Wednesday did this occur? It looks like a copy and paste out of a (copyrighted?) news article. I'll look into references and see if I can find it. --Jds2001 (talk) 15:05, 14 June 2008 (UTC)[reply]

Road Apple

An anonymous writer has twice changed the term Road Apple to "baiting." I reverted one assuming it was vandalism, but anon is insistent. I have no problem with baiting being used, but it's a verb - to bait. Great, but what are you baiting with? A road apple. For this thing (a physical device with Malware used as bait) I have heard the term "dropper," "road apple," and "Trojan" to describe it. Perhaps we should include all three. I can't find any consensus elsewhere. Thoughts? Lexlex (talk) 14:38, 14 August 2008 (UTC)[reply]

No one -anywhere- used the term 'road apple' in an SE context until it appeared in WP. Every single possible citation refers to or includes text from the WP SE article. Therefore, it is not appropriate to include this completely unknown usage here. If it catches on (which it has not) then we can revisit the matter.

I provided a citation, the 'road apple' author, who was anon, did not. It does not matter what terms you have heard, WP:NOR forbids use of unpublished matter. Otherwise, I could have cited 2000 hackers at Defcon taunting Winn for using this term in a Hacker Jeopardy question. Two thousand hackers who had never ever heard the term.

What's wrong with a verb? The article title is a verb. The previous types e.g. phishing, are verbs. Change it to bait, you bait with bait - just don't change it to road apple or anything else you can not find an independent citation for. --71.139.157.149 (talk) 17:03, 14 August 2008 (UTC)[reply]

Wait - So because the term WAS used at a Defcon event and some people had never heard of it, you're saying it's NOT real? Huh? You kind of just cited a source (though not useable here). I have seen it published in a number of places, have heard it used in colloquial conversation with penetration testers and have used it myself over the past three or four years. Getting shouted down by a bunch of people at Defcon hardly disqualifies a term. I agree though, it needs a reference - I'll dig around and find it. There is some article from a year or so ago in some tech mag talking about road apples in an airport.
And again, from a grammatical point of view, "baiting" USES "road apples" or "droppers". They're not mutually exclusive terms - what are you proposing the noun get replaced with? How do you refer to the infected device itself? Pick:
"Hey dude. I just threw 20 road apples at AT&T and 8 have already called in!"
"Hey dude. I just threw 20 baiting at AT&T and 8 have already called in"
What are you proposing here? Lexlex (talk) 17:49, 18 August 2008 (UTC)[reply]
Also, please stop changing it back until this is resolved or unless you can find a cite-able source for your term. I can't. You are changing something substantial that has been up for well over a year. Lexlex (talk) 23:01, 18 August 2008 (UTC)[reply]
You have not found a source that does not refer to this article, so we shall consider this matter closed. Again, I cited a reliable source.--70.235.87.248 (talk) 17:21, 21 August 2008 (UTC)[reply]
Sorry for taking so long to respond. I wouldn't say so. I read the article you cited and one use of the word "baiting" as a verb is hardly a declarative definition of the attack device we're discussing. Just to be sure, I called Steve Stasiukonis, the author of the article you cited, and also a friend of mine. Without mentioning this dispute, I asked him what he calls the type of attack described. He said "salting!" - but he had no word for the device itself other than "salt." Great.
What I'm looking for is the declarative NOUN to describe THE DEVICE with the attached, built in Trojan - not the method. Neither "baiting" nor "salting" would apply here. I will defer your change until I have time to look for the article I'm citing, but I'm sure it's Road Apple (and I like it too - it literally means "Horse Shit" -- which is funny and apropos - thus my interest in this). Lexlex (talk) 19:34, 22 August 2008 (UTC)[reply]

The noun you are looking for is 'bait', as in "I dropped some bait to see if I got a nibble.", and "Many took the bait.". You can call Kevin Mitnick and ask him what it is called, but WP:NOR so make sure he's written it somewhere citable. --75.0.193.192 (talk) 20:13, 23 August 2008 (UTC)[reply]

You're right, but read on: I did talk with Kevin about this and we included it in some (not publicly available) course work, but it never caught on. The problem with "bait" is it's too generic - making it necessary to describe the specific process each time. I can "bait" someone into responding to an attack in a myriad of ways that have nothing to do with Trojans implanted into scattered media - a phishing web site, email or even regular mail could be considered bait, a rigged device of any sort would qualify as would a hot chick with a plan (that always works BTW), or just a simple lie - all could be considered "bait" in the context of SE. I'm looking for the term to describe Trojan rigged media. Maybe "TRMs?" Do you see what I mean? Lexlex (talk) 23:00, 23 August 2008 (UTC)[reply]

I understand your point, but sometimes terms must be generic. Bait http://www.answers.com/bait&r=67 covers all the possibilities you refer to. We are not supposed to invent terms here, we can only point to citable and widely accepted usages. -- Same guy who made the edit —Preceding unsigned comment added by 75.0.193.192 (talk) 22:55, 26 August 2008 (UTC)[reply]


"Pretext" no longer redirects here

I created the article for the term pretext to emphasize the difference between the term's use in social engineering (i.e. pretexting) and its use in other fields, most notably politics. It no longer redirects here, but includes a section in its article with a link to social engineering at the top. Lioux (talk) 07:28, 31 October 2008 (UTC)[reply]

Improving this article for review?

I would like to see this article upgraded with more information so we can improve the importance scale. Does anyone agree? What is your opinion? Adamdaley (talk) 10:33, 10 July 2009 (UTC)[reply]

Farming

I've never done this before so I hope I'm doing it right. I was wondering if you could add a part onto the Social engineering (security) page. I don't know the proper term or if it was listed, but I'm sure it was not. The term is "Farming." Like the word Farming, you simply use sources or friends of a person to gain better access. In a sense, "conning." You then have their friends, or your friends who have friended them plant little lies about you or your goal. You then become acquainted with this person and convince them these lies are true. You then use this newly found confidence in you to coerce information, or whatever your goal was. TimeShin (talk) 23:12, 25 October 2009 (UTC)[reply]

I'm not familiar with the term and haven't heard it, but that doesn't mean anything. In order to place it here, however, you have to find another place it's published that can be found by a third person, and reference it. Where have you heard it used? Lexlex (talk) 14:13, 26 October 2009 (UTC)[reply]

my recent edit

I don't know what "fancier" or "more technical" means here. also, I understand the 'lying' or deception element of a confidence scam but this feels like a horrible opening to an article. open to suggestions. S*K*A*K*K 01:21, 19 November 2010 (UTC)[reply]

cattechie and blindness

There was a section underneath notable social engineers about someone called cattechie and several other names of "Brothers" about something they did in Israel. The citation given was cattechie's personal blog, on which I can find no reference to her being blind or any of the supposed facts in the sentence. Ann F (talk) 03:08, 24 January 2011 (UTC)[reply]

Someone vandalized the article and the citation. I looked up the Badir Brothers and the first reference was a Wired article so I cleaned it up and put it back. Lexlex (talk) 03:29, 25 January 2011 (UTC)[reply]

Not sure blagging as an informal synonym for social engineering in the UK is very solid. Blagging referred to robbery back in the day (usually armed - watch reruns of The Sweeney) and nowadays would be more of an informal synonym for (less specific) bluffing in general. — Preceding unsigned comment added by 109.232.176.4 (talk) 11:26, 13 June 2011 (UTC)[reply]

Stripped. No reference, unsigned add. Lexlex (talk) 19:22, 8 October 2011 (UTC)[reply]

I have repaired the section on notable social engineers and provided better references. --Sue Rangell[citation needed] 06:36, 10 October 2011 (UTC)[reply]

Sue I've seen your edits before and they're usually good stuff - fine, but this - it seems like you're pushing original research. First of all why are you removing Steve Stasiukonis' first name? He regularly writes for Dark Reading and others and owns a penetration testing company. His name is Steve Stasiukonis and that's what the references say - not just his last name. Second, your cites for "Archangel" aren't references, you're citing blogs and surveys - and the "person" you're citing has only a handle.
You know better than this and you know that in no way, shape or form do these cites pass muster. Sorry if you think I'm being a dick, but your edits don't make sense. What would you suggest here? Can you fix it? If Archangel is truly someone you can cite, find out who he is or at least give an explanation - but anyone, including me, can use that name and there is no proof that I'm not him (or her). Lexlex (talk) 16:39, 10 October 2011 (UTC)[reply]
I fixed the error with Mr. Steve Stasiukonis. If I accidentally clipped his first name, I sincerely apologize. As for Archangel, I believe that is his legal name (like "Prince" or "Cher", but I'll check), and the citations are not just blogs and things, Money Magazine is a major mainstream magazine, Phrack is a major magazine of the industry. (How do they not pass muster?) He has been written up in a lot of other major magazines as well, been on TV and Radio, writes for hacker/computer security magazines, etc. To not include him in an article about social engineering would be like not including Einstein or Hawking in an article about physics. He is already the most cited listed so far, and from mainstream recognizable sources. I will also add that some of the names mentioned have no citations at all. Shall we remove them? Other than Kevin Mitnick he is probably the most recognizable name on the list. --Sue Rangell[citation needed] 23:05, 11 October 2011 (UTC)[reply]

Diversion Theft

Diversion Theft is not well-written. The article is biased and has a lot of informal language, whereas an encyclopedic tone is required here. If somebody could change that, it would help. Also, the article does not cite even a single source. That makes its contents dubious, and along with the informal language used, it does not seem very realistic or verifiable. I wonder if it's important enough to have so much description too. — Preceding unsigned comment added by 203.187.227.75 (talk) 12:45, 27 February 2012 (UTC)[reply]

Kevin Mitnick, please stop using this article to promote yourself

I have noted several times over the years where either Kevin or his associates have attempted to claim credit or invent terms related to SE. Invariably, he is the sole source of the information. — Preceding unsigned comment added by 69.183.116.255 (talk) 06:07, 1 March 2012 (UTC)[reply]

An example? Perhaps? Lexlex (talk) 02:51, 4 March 2012 (UTC)[reply]

You. You work with Mitnick, earn money from his seminars, and thus should NOT EVER edit any article about or related to him. 70.235.84.138 (talk) 05:20, 8 May 2012 (UTC)[reply]

Having been a professional engineer for almost 30 years, I am offended when I see "social engineering" defined as a criminal activity. I wish Wikipedia contributors would not perpetuate this usage of the word "engineering" because it damages the reputation of all engineers. 38.100.146.125 (talk) 21:24, 10 October 2013 (UTC) Barry Russell Green, PE Texas PE license 56685[reply]


More SE in Fictional Media

I can list at least Supernatural and Doctor Who, both use pretext to allow entry to the locations they are not authorized. 77.92.4.40 (talk) 10:58, 7 September 2014 (UTC) Cem Kalyoncu[reply]

Add to Further Reading

Hi, I think it would be good to link my website to the "Further Reading" section, as it contains a few articles on how to build rapport, read body language etc., it's a good resource.

http://socialengineers.co — Preceding unsigned comment added by 178.23.219.8 (talk) 18:11, 24 February 2015 (UTC)[reply]

Thanks for following my advice and discussing the link here. Wikipedia has detailed policies and guidelines covering external links, which I mentioned on your talk page. WP:ELNO states that blogs and forums are not typically used as external links. There is also an issue of WP:NOTHOWTO, in that Wikipedia generally neither includes nor links to how-to content. Some other editors may weigh in here with different perspectives, but it is likely that the majority will be against including the link. Dialectric (talk) 18:23, 24 February 2015 (UTC)[reply]