Social Engineering

The Microsoft Lounge at Black Hat Europe was easy to find.  Living the way I did on this and that, doing a lot of things to pick up a euro, I’d worked shows here before.  It had been a while.  I had new skills now.  The show floor setup at the Amsterdam RAI was typical, easy to figure out, areas for vendors’ presentations, demos and a centrally located lounge.  Central, to keep attendees in the hall.   Always sponsored by some company with deep pockets.

Taking off my coat, I analyzed the seating in the lounge.  Most of the high tables were filled with solitary men, heads down, typing away on their laptops.  Across from the coffee counter and the line of men waiting for their afternoon caffeine fix, the section with living room seating was more sparsely occupied.

That informal setup suited my purpose better, anyway.  I chose one end of a black, leather-like couch across a granite colored coffee table from two matching chairs.  Two more chairs, one at either end of the table, completed the arrangement.  A woman with long white hair sat in one of the end chairs, at the far end of the table from me, looking intently at her Android phone, oblivious to her surroundings.

I should be engaged in some activity, too.  I pulled out the show brochure while I waited.

It didn’t take too long. A slender young man with thinning blond hair plopped his computer bag on the boulder-like table between us. Collapsing deeply into the chair across from me, he took out his handheld.

The show badges that everyone was wearing on wide ribbons around their necks were bigger than my purse so it was easy to see his name.  People were careful with personal information at Black Hat Europe, it catered to hackers, but everyone still had a name of some sort on their badge.

A bonus, his badge was color coded and if that wasn’t enough, SPEAKER was spelled out on a bright red ribbon hanging from it.  This was going very well.  I knew immediately what my next move would be.

“Excuse me,” I said, moving slightly forward on the couch, closing the distance between us but not too much, not too soon.  This request needed a modest smile.  “Is there any way you can get me into your session?”  I asked him. “I didn’t pay for a full pass.  See, I, I really don’t know much about this stuff.  I told this guy I know that I’d come to the conference and get the information for him.”

Still bending slightly over the table, I turned my face slightly to look up at him.  Fortunately, even with him sprawled in that low chair, I’m petite enough to pull it off.

He looked up from his handheld and faced my wide blue eyes. I tried to mirror what I saw.  An honest, open face, sincere.  A sap.  Don’t think that now.  You’ll blow it if it shows on your face.

He’s the most attractive man I’ve ever met and I’ll hold that thought.

“I’m sorry,” he said, “I’ve already finished my session.  Are you interested in cryptography?”

I blinked and turned my face away a bit, feigning slight shyness.  Too bad I couldn’t blush on cue.

“I really don’t know any of this stuff but this guy I know had to work, so…” If I could get him to finish that thought for me, I’d know we were making progress.

I paused, smoothing my blond hair back over my ear, showing the full line of my chin in three quarters.  One of my most attractive angles or so I’d been told.  Still trying to look as if he towered over me.  Skills I’d honed years ago set to a new purpose.

“Here’s my card.”  He said, pulling himself out of the depths of his chair, leaning forward over the table.  Crossing more distance between us.

Even better!  I hid my surprise.

First step accomplished.  I had a real name, his Company name and telephone number and he knew nothing about me.

Save our Encryption

“When guns are outlawed, only outlaws will have guns.”

This silly slogan runs through my mind as yet another headline screams that lawmakers want manufacturers to take encryption off of devices, mostly phones, to make it easier to prosecute criminals.

Unfortunately, strong opinions exist only in my mind, it seems.

Any dissension or uprising, any slogan, any Facebook meme however trite or oversimplified disputing this demand would make me feel better.  I would even settle for a statement of support if it would provoke a fraction of the populist debate that I see about guns.  People don’t seem to know or care that their right to privacy is under attack in this non-conversation.

Fine points mumbled over by the highest orders of technocratic gurus, surrounded in esoteric terms and higher math concepts, encryption tends to scare people off as a subject for dinner conversations.  Guns, well, people know guns, or think they do, at least enough to have an opinion.

Let me see if I can use this old saw to cut some new wood.  “When encryption is outlawed…”

Let’s start with the reality of outlawing encryption, something that’s been around longer than computers, simply by taking it off of them.  That can’t prevent its use.

Encryption is simple, really!

Let’s do this together, you and me.  I want to send you a message: Noon lunch at Joes.  To keep lunch just between the two of us, I’m cheap; I’m going to encrypt it.

To do this, first we need a process to transform the message. We’ll start by assigning a number to each letter in the alphabet.  A is one; b is two, and so on.

Then we need a secret, you and I.  There’s a book we both have.  We’ll agree that every message will be encrypted using a different page of our book, starting with page one for the first message.

We’ll have to make some other process decisions, like how to handle spaces, too.  Do we leave the same spaces between words when it’s encrypted?  (Bad idea as it provides clues about word length.)  Do we ignore them? Or give them a value, too?  Like the example, these decisions may influence the strength of our encryption but what’s most important is that both of us understand them the same way.

So I take our first message, “Noon lunch at Joes “and the first line from the first page in the book:  “In the beginning…”

Remember how we assigned numbers to letters?  If you numbered the same way as I did, we’ll get the value 14 for the first letter N, from the message.  Then add it to 9 for the letter I from the secret.  Then we convert that sum, 23, back to a letter, whatever letter has that number in our numbered alphabet.  It comes out as W, the 23rd letter of the alphabet.

I write down W; it’s the first letter in our coded message.

And I do it again, and again, for every letter in our message.  I bet you see why a computer could come in handy right now.  But the point is, it’s not necessary.

When you get the message, you reverse the process.  Subtract the value of I, first letter in the secret, from the first letter W, in our crypto text, write down the result, and so on.  You’re the only one who can decrypt, because you’re the only one who knows the secret.

See?  You can do encryption!

And don’t minimize what we just did.  This is a simple variation on an encryption algorithm known as the one time pad.  It was one of the hardest codes for code-breakers in World War II to crack.  So hard that it was easier to turn the enemy, to persuade someone to hand over the paper “pads” of random characters that were used – random making a stronger secret than our book— than to try to crack the coded messages.

Over the years, encryption has evolved to deal with some of the old weaknesses, among others, our wartime problem of how to share a secret with hundreds of people and still keep it secret.  (Not a problem between you and I.)  But it always has these two properties, a process to transform and a shared secret.  Simple, eh?

Computers have made it easier for us to use encryption, embedding it into apps or even into the computer’s hardware (firmware), making it faster, always ready.   Modern encryption also has stronger secrets; it’s harder to defeat.

So, while taking encryption off of our computers can’t really take away our ability to use it, it gets a lot harder for us to do well.  A lot harder for you and I to protect our information:  banking, healthcare, or anything else that’s personal to us, the kind of thing we only want to share with our select few.

Of course I can go out and buy encryption software, use it on those same devices.  But I guess they can make that illegal, too.  Which brings me back to our old saw, transformed, “… only outlaws will have encryption.”    As a friend pointed out with guns, then we know who the outlaws are.

But wait!!  When I’m a famous writer, if I use encryption to arrange a private rendezvous with my sweetheart, sans-paparazzi, will I be an outlaw?  Suspect?

Well, I guess it’s not all bad. Some people could profit from this.  Those hackers, er, software developers, in Russia who were put out of business by the pharma wars, when their spamming, illegal businesses imploded through bad leadership and the pressure of international law enforcement, those guys could use a new line of work.  A new product to sell, an international export!

Seriously, I could even see some compromise around my use of encryption if it were well defined, well protected.  For example, some kinds of encryption can be fitted with something like a master key.  This is used all of the time in big corporations so that encrypted company data won’t be lost if someone forgets their password.  It’s sometimes called a recovery key.

But who would protect that master key?  The Federal Government?  The government that seems to be telling me via the media as I write this, that I should get my tax return in early so they don’t accidently give money to a thief?

And would use of that key by law enforcement require my permission?  Notification?  A subpoena?  One that limited what information could be retrieved?

We don’t have a law in the US that defines our fundamental right to privacy, our right to protect it with tools of our choice, let alone one that covers these questions.  And sadly, I don’t hear voices demanding that we do that first, before they take away encryption, the tool that protects us from our own technology.

But, well, OK.  I DO have a constitutional right to own a gun.