Deception in Social Engineering

So there’s been a debate going on for awhile (2 years??) over at the Social-Engineer.com podcast over whether or not social engineering always involves some sort of deception.  The latest podcast featured guest Dr. Paul Ekman, pioneer of microexpressions.  After the interview with Dr. Ekman ended, the topic of deception in SE’ing came up again.  This time they have another host, more input,  and I decided I needed to think about this some more and do some reading.  Here are my thoughts on the topic.

tl;dr Yes, social engineering always involves some sort of deception.

So I’ll give an explanation as to why I believe social engineering always involves some sort of deception, then put it into the context of the examples given on the podcast by Jordan and Dave in their attempt to refute this.

Deception is often put into context of situations where something bad happens to the deceived; con men, scammers, etc.  This has given a false impression that deception always involves something bad happening to the deceived.  This is simply not true.  The act of deception is one thing, while the motive (or intent) behind the deception is another.  This separation is fundamental.

Deception is relational, and requires the intent of the deceiver and the expectation of the deceived to label it as such; it is the negative violation of the deceived’s expectation.

There are 5 primary types of deception [1]:

  1. Lies: making up information or giving information that is the opposite or very different from the truth.
  2. Equivocations: making an indirect, ambiguous, or contradictory statement.
  3. Concealments: omitting information that is important or relevant to the given context, or engaging in behavior that helps hide relevant information.
  4. Exaggerations: overstatement or stretching the truth to a degree.
  5. Understatements: minimization or downplaying aspects of the truth.

And there are 3 primary motives [2]:

  1. Partner-focused motives: using deception to avoid hurting the partner, to help the partner to enhance or maintain his/her self-esteem, to avoid worrying the partner, and to protect the partner’s relationship with a third party. Partner-motivated deception can sometimes be viewed as socially polite and relationally beneficial.
  2. Self-focused motives: using deception to enhance or protect their self-image, wanting to shield themselves from anger, embarrassment, or criticism. Self-focused deception is generally perceived as a more serious transgression than partner-focused deception because the deceiver is acting for selfish reasons rather than for the good of the relationship.
  3. Relationship-focused motives: using deception to limit relationship harm by avoiding conflict or relational trauma. Relationally motivated deception can be beneficial to a relationship, and other times it can be harmful by further complicating matters.

Sometime ago, the SE.org crew did a live podcast at Shmoocon in DC.  While they were recording, Johnny Long came by and gave an example he believes shows that SE’ing doesn’t always involve deception.  It goes a little something like this:

You have a guy next to you with bad breath, but you don’t want to tell him he has bad breath.  So instead of telling the guy, you pop a mint into your mouth and then start talking about how awesome they are.  This statement about how awesome they are then has the bad breathed guy asking for a mint.

This is the example that keeps coming up on the podcast.  Johnny Long contended, and Dave continues to argue, that this is not deception because you never lied to the guy.  Chris contends that it is deception because the intent was for him to ask for a mint, not just talk about how tasty they were.

It keeps being argued that it wasn’t deception because the end result was positive.  Again, whether or not it was positive is irrelevant.

  1. The deception contained concealment of information.
  2. The intent was to get the guy to ask for a mint because of his bad breath, but the expectation of the guy was asking for a mint because you said they were delicious.

From here, we can start talking about the motive/intent behind the deception.  In this case the motive was partner-focused.  You didn’t outright tell the man he had bad breath to avoid hurting him, to help him maintain his self-esteem.  While a kind gesture, it was still deception.

Other examples from the podcast:

Jordan’s example: If you’re buying a woman a drink with the intent of sleeping with her, but you don’t express your intentions, is that deceptive?  What if she already knows your intentions?

If her expectation is that your only buying her a drink as a kind gesture and as a conversation starter, then yes it’s deceptive. On the flip side, there’s no way she can absolutely know your intention. But if she expects that you’re buying her a drink with the intent of sexy-time, then it’s not deceptive.

Dave’s example: If Dave gives Chris a hug, what’s his intent?  To make Chris feel uncomfortable. Is the hug deceptive?

From the podcast, Chris said Dave’s intent was to make him feel uncomfortable; Dave agreed.  Therefore the hug is not deceptive.

I also wanted to touch on Jordan’s attempt to differentiate between deception and tricky in the breath mint scenario.  He said that it wasn’t deceptive (his definition of deception involves something prejudicial to the deceived), but that it was maybe tricky instead.  Here’s a screenshot of the definition of “tricky” from dictionary.com:

Some may ask “how is deception ever positive?”  I’d contend that the breath mint scenario is one example.  Everybody on the SE podcast crew agrees that it was a kind gesture.  Deception is often used in romantic relations as well, with the same motive as in the breath mint scenario: to avoid hurting the feelings of the other.

Anyway, this podcast was one of my faves yet.  I’ve been eagerly awaiting for them to have Dr. Paul Ekman on the show and they definitely didn’t disappoint!

I love the podcast, and I like the addition of Jordan to the crew.  Having more perspectives on SE’ing is always welcome! :)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s