All The King’s Horses And All The King’s Men Can’t Beat A Social Engineering Attack

We can have all the encryption, all the cryptography, and all the digital robustness in the world and we’d still be no match for the fallibility of our own human nature. Even if we’re completely digitally literate, there’s a fair to middling chance that our opsec is dependent on people who are anything but. At the individual level, this isn’t such a problem, but at the organizational level, particularly for fiat enterprises,i you end up with swiss cheese solutions. Just ask the Canadian Armed Forces the next time their “network-enabled soldiers” get their eyes pumped shut in the theatre.ii Or just ask the black CIA agents.iii

Even the massively fortified walls of the ancient city of Babylon,iv which were functionally impenetrable on account of their unprecedented dimensions: 25m thick, 30-100m tall,v and some 20km in circumference,vi were eventually overcome. Just not in the way the Babylonians expected.

The mighty army of Darius The Great,vii third King of the Persian Achaemenid Empire, wasn’t able to take down the mighty walls by force, but he had a trick up his sleeve: social engineering.

We look again to Herotodus to recount the tale of how Darius, with a little help from his friend Zopyrus, finally came to overthrow Babylon:

When tidings reached Darius of what had happened, he drew together all his power, and began the war by marching straight upon Babylon, and laying siege to the place. The Babylonians, however, cared not a whit for his siege. Mounting upon the battlements that crowned their walls, they insulted and jeered at Darius and his mighty host. One even shouted to them and said, “Why sit ye there, Persians? why do ye not go back to your homes? Till mules foal ye will not take our city.” This was by a Babylonian who thought that a mule would never foal.

Now when a year and seven months had passed, Darius and his army were quite wearied out, finding that they could not anyhow take the city. All stratagems and all arts had been used, and yet the king could not prevail- not even when he tried the means by which Cyrus made himself master of the place. The Babylonians were ever upon the watch, and he found no way of conquering them. At last, in the twentieth month, a marvellous thing happened to Zopyrus,viii son of the Megabyzus who was among the seven men that overthrew the Magus. One of his sumpter-mules gave birth to a foal. Zopyrus, when they told him, not thinking that it could be true, went and saw the colt with his own eyes; after which he commanded his servants to tell no one what had come to pass, while he himself pondered the matter. Calling to mind then the words of the Babylonian at the beginning of the siege, “Till mules foal ye shall not take our city”- he thought, as he reflected on this speech, that Babylon might now be taken. For it seemed to him that there was a Divine Providence in the man having used the phrase, and then his mule having foaled.

As soon therefore as he felt within himself that Babylon was fated to be taken, he went to Darius and asked him if he set a very high value on its conquest. When he found that Darius did indeed value it highly, he considered further with himself how he might make the deed his own, and be the man to take Babylon. Noble exploits in Persia are ever highly honoured and bring their authors to greatness. He therefore reviewed all ways of bringing the city under, but found none by which he could hope to prevail, unless he maimed himself and then went over to the enemy. To do this seeming to him a light matter, he mutilated himself in a way that was utterly without remedy. For he cut off his own nose and ears, and then, clipping his hair close and flogging himself with a scourge, he came in this plight before Darius.

Wrath stirred within the king at the sight of a man of his lofty rank in such a condition; leaping down from his throne, he exclaimed aloud, and asked Zopyrus who it was that had disfigured him, and what he had done to be so treated. Zopyrus answered, “There is not a man in the world, but thou, O king, that could reduce me to such a plight- no stranger’s hands have wrought this work on me, but my own only. I maimed myself I could not endure that the Assyrians should laugh at the Persians.” “Wretched man,” said Darius, “thou coverest the foulest deed with the fairest possible name, when thou sayest thy maiming is to help our siege forward. How will thy disfigurement, thou simpleton, induce the enemy to yield one day the sooner? Surely thou hadst gone out of thy mind when thou didst so misuse thyself.” “Had I told thee,” rejoined the other, “what I was bent on doing, thou wouldest not have suffered it; as it is, I kept my own counsel, and so accomplished my plans. Now, therefore, if there be no failure on thy part, we shall take Babylon. I will desert to the enemy as I am, and when I get into their city I will tell them that it is by thee I have been thus treated. I think they will believe my words, and entrust me with a command of troops. Thou, on thy part, must wait till the tenth day after I am entered within the town, and then place near to the gates of Semiramis a detachment of thy army, troops for whose loss thou wilt care little, a thousand men. Wait, after that, seven days, and post me another detachment, two thousand strong, at the Nineveh gates; then let twenty days pass, and at the end of that time station near the Chaldaean gates a body of four thousand. Let neither these nor the former troops be armed with any weapons but their swords- those thou mayest leave them. After the twenty days are over, bid thy whole army attack the city on every side, and put me two bodies of Persians, one at the Belian, the other at the Cissian gates; for I expect, that, on account of my successes, the Babylonians will entrust everything, even the keys of their gates, to me. Then it will be for me and my Persians to do the rest.”

Having left these instructions, Zopyrus fled towards the gates of the town, often looking back, to give himself the air of a deserter. The men upon the towers, whose business it was to keep a lookout, observing him, hastened down, and setting one of the gates slightly ajar, questioned him who he was, and on what errand he had come. He replied that he was Zopyrus, and had deserted to them from the Persians. Then the doorkeepers, when they heard this, carried him at once before the Magistrates. Introduced into the assembly, he began to bewail his misfortunes, telling them that Darius had maltreated him in the way they could see, only because he had given advice that the siege should be raised, since there seemed no hope of taking the city. “And now,” he went on to say, “my coming to you, Babylonians, will prove the greatest gain that you could possibly receive, while to Darius and the Persians it will be the severest loss. Verily he by whom I have been so mutilated shall not escape unpunished. And truly all the paths of his counsels are known to me.” Thus did Zopyrus speak.

The Babylonians, seeing a Persian of such exalted rank in so grievous a plight, his nose and ears cut off, his body red with marks of scourging and with blood, had no suspicion but that he spoke the truth, and was really come to be their friend and helper. They were ready, therefore, to grant him anything that he asked; and on his suing for a command, they entrusted to him a body of troops, with the help of which he proceeded to do as he had arranged with Darius. On the tenth day after his flight he led out his detachment, and surrounding the thousand men, whom Darius according to agreement had sent first, he fell upon them and slew them all. Then the Babylonians, seeing that his deeds were as brave as his words, were beyond measure pleased, and set no bounds to their trust. He waited, however, and when the next period agreed on had elapsed, again with a band of picked men he sallied forth, and slaughtered the two thousand. After this second exploit, all mouths. Once more, however, he waited till the interval appointed had gone by, and then leading the troops to the place where the four thousand were, he put them also to the sword. This last victory gave the finishing stroke to his power, and made him all in all with the Babylonians: accordingly they committed to him the command of their whole army, and put the keys of their city into his hands.

Darius now, still keeping to the plan agreed upon, attacked the walls on every side, whereupon Zopyrus played out the remainder of his stratagem. While the Babylonians, crowding to the walls, did their best to resist the Persian assault, he threw open the Cissian and the Belian gates, and admitted the enemy. Such of the Babylonians as witnessed the treachery, took refuge in the temple of Jupiter Belus; the rest, who did not see it, kept at their posts, till at last they too learnt that they were betrayed.

Thus was Babylon taken for the second time. Darius having become master of the place, destroyed the wall, and tore down all the gates; for Cyrus had done neither the one nor the other when he took Babylon.

So, you see, social engineering attacks are nothing new. They’ve led to the fall of Ancient Babylon just as they’ve led to security breaches at blockchain.info, usagi industries, and countless others.

While it’s imperative that we educate ourselves on the finer points of digital security, there’s no replacement for networks of trusted people.

Without a diligent WoT, it’s too fucking easy to let the Mike Hearns of the world in the side door.ix

Is your WoT making you stronger or weaker?

___ ___ ___

  1. A “fiat enterprise” being any non-WoT, non-#bitcoin-assets corporation out there. Even if you fancy yourself the CEO of a Big Impoatant Bitcoin Cumpany, if you’re not in #b-a and you’re not in the WoT, you’re still very much in fiat.
  2. Against, that is, anyone other than their own “we’re just so overly polite” citizens. Anthropological note: Canadian politeness doesn’t just stem from a complete and utter lack of culture, the Americans have that too and they’re far less eager to smile and say “hello,” but rather from a sense of camaraderie as survivors of excessively cold weather. This politeness has the functional purpose of acting as a social lubricant for the mishmash of cultures that reside in Canada’s broad borders for the sole purpose of sucking the Earth’s wealth dry. When you have a bunch of immigrants whose first language is something other than English, and no one has been around long enough to establish oligarchic dominance, a friendly smile goes a long way to facilitating business between non-WoT parties. There’s an insane amount of baseline trust in this country. Maybe Bitcoin will get there too someday, but until then, Bitcoin is still the wild west, and as far as I’m concerned, everyone is a wallet inspector until proven otherwise.
  3. CIA sends mole to infiltrate KGB. This is apparently successful, but nothing of value is ever obtained. CIA sends replacement mole. This also is apparently successful… but… again. By the 5th or so replacement there’s a distinct impression with upper CIA management that the soviets are like… sending complicated insider jokes over the mole wire. Finally a high level defector is taken into a manager’s meeting, fed somon fume and asked politely. He confirms that yes they knew all about al of them, explains some of the insider jokes.
    “Mr. Devektorovskyi, what are we to do then ?”
    “I dunno… maybe stop sending n*ggers ?”

    Joke by Mircea Popescu via #bitcoin-assets.

  4. ca. 500 BCE.
  5. Hard to believe that clay walls were anywhere near the height of a 30 storey office tower, particularly if they were to have stretched over even a modest distance, neh? It’s this upper estimate that has helped Herotodus to earn his reputation for exaggeration. The lower estimate would have been rightly impressive to the seafaring wanderer.
  6. Herotodus guessed about 100km in circumference but archeological remains indicate a number close to 17km.
  7. 550–486 BCE
  8. Zopyrus post-infiltration: Zopyrus

  9. Hearn apparently didn’t give up after he fired the Heartbleed arrow and missed. He’s now fucking around with getutxos. Fucking hell this guy. Thankfully, no one reading this is insane or stupid enough to regularly update their copy of bitcoind.

7 thoughts on “All The King’s Horses And All The King’s Men Can’t Beat A Social Engineering Attack

  1. “A “fiat enterprise” being any non-WoT, non-#bitcoin-assets corporation out there.”

    This shouldn’t being exclusionary. For instance casascius was never in #b-a regularly, but was in the WoT. He’s highly respected, and it sucks the “powers that be” shut him down. But as Obi-Wan once said “If you strike me down, I shall become more powerful than you could possibly imagine.” In fact didn’t DeathAndTaxes (of Tangible Cryptography) rise from the ashes like a Phoenix? (Although his ACH provider of which there are only 2 in the entire US, has locked him out)

    Okay. So I think you touch on something that hasn’t been discussed in full yet: loyalty.

    Trust between two connections is only as strong as the loyalty between those connections. Loyalty can neither be bought nor sold. Loyalty is something that some would argue can’t even be earned. It is something so profound it’s almost as strong as love (reference to fluffypony here). Loyalty perhaps exists as a function of the times.

    There was a game Hideo Kojima made in 2004, Metal Gear Solid 3, which explains this phenomenon through the lens of “scene”, or the underlying times which dictate how a society operates. (Which we have surely discussed in other contexts). However it is interesting viewing this in terms of loyalty as seen in this snippet:

    Boss: There’s a saying in the Orient; “Loyalty to the end.” Do you know what it means?

    Snake: Being… Patriotic?

    Boss: It means devoting yourself to your country.

    Snake: I follow the President and the top brass. I’m ready to die for them if
    necessary.

    Boss: The President and the top brass won’t be there forever. Once their terms
    are up, others will take their place.

    Snake: I follow the will of the leader, no matter who’s in charge.

    Boss: People aren’t the ones who dictate the missions.

    Snake: Then who does?

    Boss: The times. People’s values change over time. And so do the leaders of a
    country. So there’s no such thing as an enemy in absolute terms. The enemies
    we fight are only in relative terms, constantly changing with the times.

    Boss: As long as we have “loyalty to the end,” there’s no point in believing
    in anything… even in those we love.

    Snake: And that’s the way a soldier is supposed to think?

    Boss: The only thing we can believe in with absolute certainty is the mission.

    Everyone in #b-a is here for a common mission. We will remain loyal to the end to complete that mission, even if shit gets real bad and some of us don’t make it out alive. But the real question, is after that mission is complete and the time’s change, will we still be on the same side?

    This is where true loyalty comes about.

  2. […] Since spending Bitcoin requires a connection to a computers with the Internet, Bitcoin users are constantly subject to attacks on their material wealth.i These attacks can be self-induced through loss of a computer or password, or externally induced through theft, malware, or social engineering attacks. […]

  3. […] WoT is useful against social engineering attacks and for establishing online trust that can then serve as a platform for business. And so it goes in […]

  4. […] against me. That’s the context. They’re not only disrobed, they don’t have the armies needed to silence me. They’re broke, frail, and impotent, more like Anderson’s meek […]

  5. […] : Make a stronger password (use dice) and be mindful of social engineering attacks. which may include, and not be limited to, distracting you one way while someone from the other […]

  6. […] are in the anonymous (but not “Anonymous”) hackers with a pro-Palestinian bent used social engineering to breach a USG database containing metadata – including names, titles, email addresses, and […]

Leave a Reply to thestringpuller Cancel reply

Your email address will not be published. Required fields are marked *