Friday, March 11, 2016

On Handshaking

Since this blog deals with social engineering and the lesser technical aspects of hacking, your Pavlovian reaction to when I say handshaking is two hands -- no assumptions of where they have been -- holding each other and maybe shaking:

and that is exactly not what I have in mind. Instead, let's leave the realm of squishy beings and go to computers. There when a device wants to talk to another, it starts some kind of handshaking protocol to establish connection parameters and authentication. Once that is successfully established, data transfer begins.

But, how does that apply to people (I was going to say humans but it might be too politically incorrect)? So we have two people, Red and Blue, which are named after the web series of, well, the same name. They meet somewhere and start talking

There are a few subtle variations (Red might reply "I'm fine too!"), but the main point is they may be talking to each other, but they are not yet holding a conversation. In fact, they are in the handshaking phase that, as in networked devices, precedes the actual exchange of data, which is represented above by the "BEGIN TALK" line.

he difference between them and machines is that they really have not said anything; this was just a ritual learned by rote.

If you want to test how mindlessly people go through this handshaking protocol, change a bit your answers and see how they react. Here is an example I have tried at a store:

As you can see, Red

  1. Heard Blue reply but did not listen. As a result.
  2. Assumed the content of the reply matched the standard handshaking
  3. Replied to the assumed reply
  4. Finally realized the carpet has been pulled from under him. In other words, TILT.

The basis of Social Engineering as applied to hacking is to identify the expected pattern and use it to persuade others to help you achieve your goal. Expect to see quite a few examples here.