by Aelinsaar 3696 days ago
It's not clever to hack something that you can socially engineer, and that should be hacking 101. Clever win.

That was the challenge. DefuseSec specifically said he would "give $100 USD to anyone who can trick me into inserting the string".
This is why you always want to define your scopes.

He clearly intended for some variant of "any of my software projects that other people actually use", but failed to specify that detail.

But it's nonetheless hilarious. Laughs all around.

And he inserted the string into HN, and our brains - but I already forgot.

Now insert that string into Linux source code, and I'll get surprised.

For those of you misreading this comment: Aelinsaar is saying that if a system/target is vulnerable to social engineering, then hacking (code) that system/target is not clever.
You could take that concept pretty far. There's no computer system that doesn't involve a human element (CS101). And yet some of the most clever people spend their time finding ways to hack the machine element. Their work inevitably gets understood and integrated into software, either through voluntary submissions through bug bounties or otherwise.

Social engineering has been understood for a long time, and yet we can't develop defenses in the same way we can develop defenses in software. So we have an underpaid workforce of software hackers uncovering vulnerabilities which get patched and an overpaid workforce of social engineers exploiting unpatchable vulnerabilities in the human condition.

Who is really being exploited here?

You don't need to crack a safe if you can get the combination from the owner. You don't need to pick a lock if you can pick the key from a pocket. It also goes to the classic XKCD comic about the realities of crypto: https://xkcd.com/538/

As for why so little attention is paid to the human side, I think you said it, "We can't develop defenses the same way we can develop defenses in software." Not only that, but a human being who's brilliant in their role in your company, might be singularly unsuited to learning lessons about social engineering.

I suppose if you want a humorous and somewhat dystopian sci-fi view of how this could be managed... you ever read 'Snow Crash'?

Depends on goals and sources of enjoyment.
Huh? Some of the most clever (and destructive) hacks involve an element of social engineering. Given that security implementations are designed to compensate for human social behaviors and instincts and limitations, social engineering is just as much a part of hacking as cryptography.
I think you read his statement backwards :) He's advocating social engineering whenever possible.
Ah, I think my brain got led down a "garden path", a concept I just learned had an official name from yesterday's Parsey McParseface announcement https://en.wikipedia.org/wiki/Garden_path_sentence
Explain please? I cannot make sense of the op's sentence in a way that advocates social engineering.
The first half of the sentence is saying, "Don't do things the hard way (hacking) when you can do them the easy way (social engineering)". The second half is saying "Everyone should know this."
"It's not clever to hack [with social engineering] something that you can socially engineer"

vs

"It's not clever to hack something [i.e. with technical exploits] that you can socially engineer"

Interesting. I am not a native speaker and I cannot make sense of the op's sentence in the way you understand it. How did you understand op's sentence in the first place?
lol just saw this. Basically, I thought he was being sarcastic in saying "Clever win" and took the "It's not clever to hack something that you can socially engineer" as "It's not clever to socially engineer". Hopefully that helps.
op said the same