Theseus is one of the most famous of the Greek heroes. He’s famous for the slaying of Procrustes, defeating Medea, slaying the Minotaur and “winning” Hippolyte. That’s all well and good for a story, but we like to learn modern lessons from our stories, so it’s only natural that we should look at Theseus as a master of social engineering.
Oh, and as a word of warning, by the end of this post, you might not be liking Theseus very much.
The story commonly starts with a discussion of how Theseus is a son of both Aegeus (a king) and Poseidon (a god). This is mythologically necessary for reasons of heroism, but it’s also important to know that since this can’t be true, Theseus starts his adventures by lying about his origins. Then, of course, he goes around killing people. Granted, they were bandits, but what’s interesting is how he dealt with them.
- Periphetes killed people directly, and Theseus killed him directly with a sword.
- Sinnis forced people to bend pine trees and watched them die when the trees sprang back up. Theseus killed him in the same way. Then, of course, he raped Sinnis’s daughter and continued on his way.
- Sciron forced people to wash their feet before they passed him, and when they bent over to do it, he’d kick them over a cliff. Theseus, of course, kicked him over the same cliff.
- Then Theseus met Cercyon who he wrestled to death and then raped his daughter as well.
- Best known, of course, was Procrustes, who forced people to lie in his bed and either stretched or cut them to make them fit. Theseus, as one would expect, tricked Procrustes into lying in his own bed and cut him to fit. (It is unclear why Procrustes didn’t fit in his own bed.)
In each of these early stories, Theseus was careful to learn about his target before dealing with them. This made it easy to trick them and then end their lives in an appropriately mythologically-just manner.
Lesson One: Know your target.
Then, later in the story, our “hero” (a.k.a. murderer and rapist) visits his father Aegeus for the first time and meets his father’s wife, Medea. Medea knows that if Aegeus realizes who Theseus is, her own son will no longer be in line to be king, so she tries to have Theseus killed. Though he could have handled the situation by simply telling Aegeus who he is, he prefers to bide his time and wait until his father recognizes his own sword (which he had given to Theseus’s mother to pass on to her son; daughters, apparently, don’t deserve swords). He chose an appropriately dramatic time to reveal himself, as Medea had just conspired to poison him. So, when Aegeus recognized his son, Medea had to flee.
Lesson Two: Only reveal what you absolutely have to.
Lesson Three: Pick your timing carefully.
Now we get to the really famous part of the story. Theseus travels to Crete where he aims to stop the Minotaur from devouring fourteen kids each year. He promises his father that he’ll change the sails from black to white if he succeeds. Then he arrives in Crete where, in short order, Theseus befriends the king’s daughter Ariadne, gets her help to kill the Minotaur, kills the Minotaur, flees Crete with Ariadne, abandons Ariadne, forgets to change the sails and arrives home in time for his father to despair of having lost his only son (Medea’s son doesn’t count, I guess). With the death of his father, Theseus becomes king.
So, in other words, Theseus befriends those he needs and then discards them as soon as their usefulness is at an end.
Lesson Four: Say what you mean, mean what you say… only while you’re saying it, of course.
Of course the “oops I accidentally caused my father’s death, guess now I’m king” excuse wasn’t accepted by everyone, and soon the Pallantides attacked. Theseus, of course, had a spy and was able to ambush their ambush, killing all fifty nobles (after which, the nobles learned the valuable lesson “let the non-nobles do the fighting”).
Lesson Five: Keep your eyes and ears open.
After this point, the story gets somewhat less linear and tends to focus on Theseus and women. Hippolyta, Helen and Phaedra are all abducted, raped or married (in various combinations thereof). Then, Theseus drives the centaurs out of the area for “getting drunk and molesting the women”.
Lesson Six: Double standards are OK.
Interestingly, Plutarch’s tale of Theseus focuses on the idea of democracy and how he turned the monarchy around and gave power to the people. This, of course, involved abolishing all the local courts and making Athens the sole, centralized government. He then invited foreigners to live as citizens and divided the citizenry into three classes. Lastly, he instituted the Isthmian Games (like the Olympics).
Lesson Seven: Take power for yourself, but make it look like you’re giving it to others.
Lesson Eight: Calm suspicions by leveraging efficiency.
Lesson Nine: Always have a distraction handy to point to.
So there we have it. Nothing special involved here at all, just straightforward psychology, the same techniques that have been used for thousands of years. These days, of course, it’s easier to know your target (1), what with everyone revealing (2) so much on the Internet. One can leverage real-time technologies like RSS and IM to create the ideal timings (3). This timing can be used to push people into believing what is said (4). Then all one has to do is sit back and observe the reactive behavior (5).
Of course, most attackers wouldn’t worry much about ethics (6), but would be careful to cover their tracks (7). Then, if they get in too deep and run the risk of being discovered, the careful social engineer can simply pick out another problem and give you advice on how to solve it (8,9).
You may think this is far-fetched, but it happens all the time. It’s not about the technology. If they can get there with social engineering, they will. It’s often easier and leaves fewer traces. Remember, attackers are about the end goal.
Lesson Ten: It’s good to be king.
The fourth lesson to learn from my incident is that of social engineering. Simply put, social engineering is using predictable social response to create a situation that benefits you. From a security perspective, this technique is often described as a tool used by the bad guys, but it can also be used by the good ones. In my case, once I became aware of the situation, I did the following things:
- I finished getting dressed. This puts me at a higher level than a person who is waking up disheveled. Though it was likely not consciously noticed, the distinction might have played in my favor. This helped to create the predictable response of a subordinate to a superior.
- I positioned myself between the light and his head. This way, when he awoke, he would be at a visual disadvantage. I would be able to see him clearly and, to him, I would appear in silhouette. The response I was trying to get here was to maximize his confusion while also maximizing the amount of information I could get when he awoke.
- I held a weapon on him, and I chose one which I could easily control and would likely create a feeling of fear but not create a feeling of terror. This way, I could anticipate a logical response (no terror), but a manipulated response (because he was scared).
- I woke him with very specific instructions and questions. The socially acceptable response to these questions when one is in an inferior position is to simply answer the questions.
By arranging the environment and taking control of the situation, I was able to very quickly get the information that I needed to determine whether or not he was a threat (he was not) and make a decision (to let him go and not involve the police). Since I was in control, I was also able to get him out of the house as rapidly as possible, while minimizing the harm to either of us or anything that I had in the house.
From a business perspective, you face social engineering all the time. Most business relationships (whether between boss/employee or company/vendor) are hierarchical. Where hierarchies exist, there are ample opportunities for social engineering. This can be something as simple as a coworker asking you for something and stating that your boss had asked them. It could also be as complex as an attacker calling in and pretending to be an irate customer — leading you to believe that if you do not do as they ask, your company will lose the account and you will be at fault.
There are only a few ways to combat social engineering. The first is through constant and thorough training. This is time consuming and costly. It is, however, the best way to secure your business. That said, if you go this route, you must take care that the training plan is based on reasons and reasoning. All too often training programmes focus on the threats instead of on analysis and consideration. This makes your business utterly secure against yesterday’s attacks… and completely open to tomorrow’s.
The second way to protect against social engineering attacks is to eliminate the time pressure. You can do this by empowering your employees to solve problems in non-standard ways. If the “irate client/boss” refuses to accept rational non-standard solutions, there might be an attack going on. In such a situation, escalating the issue to someone with more experience just makes sense. You can also eliminate the time pressure by investing in highly redundant and flexible systems. This works well if you are devising a new solution… less well if you are supporting legacy technology. If you are handling legacy systems, the risks of inflexibility should be considered the next time you build a business case for overhaul and replacement.
The third way to protect against social engineering is to implement an identification system. If your front-line people can know, with certainty, that the person with whom they are talking is really who they claim to be, most concerns can be eliminated. There is, however, an element of client training to such a system. Any challenge-response system is accepted more easily when all parties are expecting it.
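As an added example (not part of the original post), here is one way the third defence can be made concrete for a human channel such as a phone call or chat: the front-line employee issues a one-time challenge, and the person making the request answers it with a code derived from a secret that was shared out of band when the relationship was set up. The answer is bound to the specific request, so it cannot be replayed or redirected to a different request, and it expires if the caller stalls. The identities, shared secret, request strings and the `ChallengeResponseVerifier` class are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(secret: bytes, nonce: str, request: str) -> str:
    """Requester side: answer = HMAC-SHA256(secret, nonce || request).

    Binding the request text into the MAC means an answer captured for one
    request ("approve wire #4711") is useless for any other request.
    """
    message = f"{nonce}|{request}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ChallengeResponseVerifier:
    """Front-line side (constructed example, not a real product).

    Holds the pre-shared secrets, issues single-use challenges that carry
    the exact request being authorised, and checks the answer with a
    constant-time comparison.
    """

    def __init__(self, secrets_by_identity, ttl_seconds=120, now=time.time):
        self._secrets = secrets_by_identity          # identity -> bytes
        self._ttl = ttl_seconds                      # how long a challenge stays valid
        self._now = now                              # injectable clock, for testing
        self._open = {}                              # nonce -> (identity, request, issued_at)

    def issue_challenge(self, identity: str, request: str):
        """Return a fresh nonce for this identity/request, or None if unknown."""
        if identity not in self._secrets:
            return None
        nonce = secrets.token_hex(16)
        self._open[nonce] = (identity, request, self._now())
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        """Accept exactly once, only before expiry, only for the original request."""
        entry = self._open.pop(nonce, None)          # pop makes every nonce single-use
        if entry is None:
            return False
        identity, request, issued_at = entry
        if self._now() - issued_at > self._ttl:
            return False
        expected = compute_response(self._secrets[identity], nonce, request)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the happy path and the failure modes a front-line check must catch."""
    clock = [1_000_000.0]                            # controllable time for the expiry case
    secret = b"constructed-shared-secret"            # would be provisioned out of band
    verifier = ChallengeResponseVerifier({"cfo": secret}, ttl_seconds=120,
                                         now=lambda: clock[0])

    # 1. Legitimate exchange: challenge issued, correct answer, accepted.
    n1 = verifier.issue_challenge("cfo", "approve wire #4711")
    valid = verifier.verify(n1, compute_response(secret, n1, "approve wire #4711"))

    # 2. Replay: the same correct answer presented a second time is refused.
    replay = verifier.verify(n1, compute_response(secret, n1, "approve wire #4711"))

    # 3. Redirected request: answer computed for a different request than the
    #    one the challenge was issued for.
    n2 = verifier.issue_challenge("cfo", "approve wire #4711")
    wrong_request = verifier.verify(n2, compute_response(secret, n2, "approve wire #9999"))

    # 4. Stalling: a correct answer that arrives after the TTL is refused.
    n3 = verifier.issue_challenge("cfo", "reset password")
    clock[0] += 300
    expired = verifier.verify(n3, compute_response(secret, n3, "reset password"))

    # 5. Unknown identity: no challenge is issued at all.
    unknown_identity = verifier.issue_challenge("nobody", "anything") is None

    return {
        "valid": valid,
        "replay": replay,
        "wrong_request": wrong_request,
        "expired": expired,
        "unknown_identity": unknown_identity,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

The scheme only works if both sides expect it, which is the client-training point made above: the requester has to know that a "read me the code for this request" step is normal, and the front-line employee has to know that refusing to proceed without it is the approved response, however irate the caller becomes.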
So, my questions to you are:
- What would you give an angry client or boss in order to make them happy?
- What if it wasn’t really them?