Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

The Episteme Blog July 17, 2009

Constraints and The Bandwidth Problem

I got in a conversation last week about the upcoming bandwidth crisis in the core. I’ve managed to forget about those issues more and more over the past few months. I’ve spent a lot of time thinking about vulnerability research and social engineering lately at the expense of a lot of other security thinking. But that conversation and this article brought my thinking back to the infrastructure side of security. From the article:

“The super-high-speed cable is now hidden under six feet of Cornish beach – which is just as well, because if it were discovered and damaged, the entire web in Britain could turn to treacle. Warren Pole reports on the fragile network of ocean cabling that keeps the modern world turning, the madcap economics of internet supply – and why it will run out of space by 2014 unless scientists think of something… fast.”

While we’re pushing bandwidth at the final mile (I’m able to get 25Mbps down, and that’s not even on FIOS), we’re going to run into significant snags at the key chokepoints – the core internet infrastructure and the transoceanic cables.

According to the article, there are nine cables joining the US and England that have a capacity over 39Tbps.

When I started in security in the 90s, we spent a lot of time talking about infrastructure and the core. Then, we “solved” a lot of the bandwidth problems in the late 90s and got ahead of the game.

And now we’re deploying video across the net. I watched UFC 100 the other night through Yahoo. All of my TV is via iTunes/AppleTV.

We’re not prepared for users like me. And that doesn’t even consider the idea of wholesale IPTV. No question – the idea of trying to lay cable to solve this problem is going to be difficult to keep up with. These cable links, which can be seen simultaneously as being tenuous and formidable, retro and high tech and innovative and shortsighted, are a model for the often unpredicted but possibly anticipated challenges that keep us in business.


The Episteme Blog July 13, 2009

Social Networking and Security

Lately, I’ve been thinking more and more about social networking. I was reading a recent article by Eric Ogren on this issue at Searchsecurity.com. The article said:

“According to a recent Websense Inc. survey, the decision has already been made by the business units with 86% of IT respondents reporting pressure to allow more social networking in the business. The message resonates loud and clear to security: Resistance to advances in technology is futile; find secure ways that business can move forward.”

It seems obvious that the more social networking we do, the more vulnerable we make ourselves to breaches in security. Viruses can spread quickly, data can be compromised and entire systems can be severely hampered.

The fact is Facebook offers a variety of ways for those in the same company to interact and for various organizations to create networks – there’s business value there. Not to mention that Twitter, LinkedIn, MySpace and other such sites, although all different, have the power to bridge a global communications gap. Both Facebook and Twitter have become popular with professionals between the ages of 25 and 35.

It’s evident to me that it’s virtually impossible to stop this trend towards incorporating and integrating social networking sites into the IT networks of companies. With pressure on businesses to allow the use of such sites comes the need for controls, common sense and regulations. While I’m a huge fan of incorporating social networking into business, there’s definitely an important control issue here. Here are a few questions I encourage anyone to consider before using a social networking site in tandem with his/her business.

Why are you deciding to incorporate a social networking site?
There’s no doubt that such sites make communication easier. That’s a given. But you have to determine the reason for this expanded communication and how much control is needed. You’ll need to develop protocols for using the site within your company and other protocols in utilizing the site when dealing with vendors, clients and the general public.

Which features will your employees be able to access and which will your business utilize in its public profile?
Each social networking site offers a range of choices to its users. As an example, if you elect to go with Facebook, a range of choices await you as to how much information is public, which tools are made available and how participants can interact. Are Wall postings appropriate, should Status updates be allowed and which groups, if any, will be established? These questions and others are appropriate for the manner in which the network is used within the company and amongst the general public, clients and vendors.

What controls will you put around the use of the technology?
Once you decide to incorporate a social networking site, you’ll need to develop a sound security plan and a method for checking on how individuals are using the site. Opening your business up to a site such as Facebook makes it more vulnerable to hackers, phishing schemes and other security concerns. Once you open up your organization to an outside entity, greater security precautions and more vigilance will be needed. Beyond just technical controls, also consider the need for policies and procedures – develop written policies, specific guidelines and a clear vision of the exact reasons for using such a site to guard against misuse, miscommunication and compromises in security. It’s the first step in helping to ensure a smooth transition by your company into the world of social networking.

Anybody who knows me knows that I’m a huge fan of social networking (evidence Twitter, LinkedIn, Facebook) – as such, I welcome the fact that social networking sites are not only here to stay, but that they will continue to expand and evolve. That means that the security and business communities as a whole must also evolve and develop.


The Episteme Blog April 16, 2009

NLP is not Science

One of the people whose work I have enjoyed of late is Gadi Evron. I find that he and I approach problems and random things very similarly (although he blogs his results far, far more frequently than I do… mine just get saved up for classes, webinars and articles).

So, Gadi posted recently about his disappointment with NLP. It’s not the first time I’ve heard these arguments, and they all come down to a single, fundamental misunderstanding:

What we commonly call “NLP” is not science. Nor is it even scientific.

Most of this confusion comes out of the distinct issue that John Grinder called out in his book Whispering In the Wind. The thing that was originally “NLP” was a project that attempted to model successful people, notice the patterns of language and behavior, and replicate them. (This, Grinder refers to as “NLPmodelling”).

NLPmodelling was not scientific, but at least its principles were sound. Grinder and Bandler went and sat in the room with three strong therapists and learned to “act like” those therapists. They kept doing so until they were able to replicate the behavior. And then they continued to do so until they gained conscious ability to explain how they replicated the behavior.

While none of this was science, at least there was a principle behind it.

Where it all went to H-E-double-hockey-sticks is when they wrote down what they did and tried to explain how they replicated that behavior. This was a fool’s errand in some ways… there are grave epistemological concerns here – it’s beyond difficult to take your own behavior, translate it into conscious understanding and then try to convey it to others in language. It’s the same reason that great baseball players aren’t often good coaches – when you’re really good at something, it can often be difficult to teach others. Grinder once noted that when Bateson reviewed their work, his comment was: “Shoddy Epistemology.” Bateson was accurate, and this is where things started to get wonky.

This is because NLPmodelling is not what most people call “NLP”. When referring to NLP, most people are referring to the things that were written down – the hypothesis explanations that were posed by Grinder, Bandler and their colleagues/followers (e.g. Dilts, the Andreas’, etc.) to explain how they replicated behavior. These are what Grinder calls “NLPapplication”.

Unfortunately, because of the epistemological concerns, NLPapplication is about as scientific as me trying to predict the weather by sticking a wet finger in the air. Because we can hypothesize just about anything. I can observe how certain people act, and then make up any random example of why it must be true. For example, I could tell you that people are a certain way because of the position of the moon and the stars when they were born. How crazy would that be?

So, if NLP isn’t science, what are we to do?

Most people want to throw the baby out with the bath water. I’m a big fan of the original project – let’s look at people who get a particular result, and figure out how they do it.

But if you want to make it science, then turn around and figure out how it works.

Anyone who has looked at NLP has seen the following chart:

(Borrowed from http://completelymental.net/ )

The thing is, anybody who has tried to study whether it works finds that it doesn’t. Yet, many NLP people swear that there’s some efficacy in watching people’s eye patterns and using them to discern how people are thinking.

I was lucky enough to study NLP with Linda Ferguson and Chris Keeler at NLP Canada, and they get it. Linda was the first to point out to me that what Grinder & Bandler probably noticed (unconsciously) was the same set of patterns that Paul Ekman has noticed – we express many feelings and emotions in very small and quick ways with the musculature around our eyes.

So, while eye accessing cues don’t work, we find that paying close attention to that region of the face leads us to a detailed understanding of someone’s emotional state.

This is what happens when you approach a project without solid epistemology – you end up with many of the right behaviors, but the wrong reasons behind them.

And, sometimes, you end up with a whole pile of dogma and “true believers”. But that’s the subject of a different rant.

Until then, realize: NLP is not science. There is some useful background to take the tools and attempt to use them, and, even better, combine them with other, more useful science to figure out how to tie it together.

(As a shameless plug, I’m the one taking the lead on much of the “NLP-like” content at the SE Master Class. I say “NLP-like”, because it won’t be based on either NLPapplication or NLPmodelling. But anyone with an NLP background will find similarities on the things that really work in the real world, without much of the NLP and hypnosis dogma that goes around.)

