SocEng w/Stone Soup and the Little Red Hen

The Little Red decides to make some bread. She asks other animals to help. They refuse for various reasons. At each step of making bread, the little red hen is forced to do the work herself. When the bread is finally done, the animals who refused to help are denied bread.

Aside from teaching kids that they should help make bread if they want to eat bread, I suspect it might also teach kids the basic steps of making bread. The story makes the steps easy to remember, and they’re fun to remember if you already know them. We perform the cognitive load of doing the work with the little red hen, imagining ourselves helping to perform each step, ignored by the other lazy animals. Maybe the story is the basis for Atlas Shrugged? We are to understand that one must work to eat, and that those too lazy to work should not eat. The story does not, in the versions I have seen, explain why the other animals refuse to work, or what happens after this story. Maybe the animals have a good reason, maybe it’s a general strike?

I first encountered stone soup while watching Land of the Lost. The stone soup part of that episode is based on a European folk story that seems intended to convince people that sharing is beneficial. In the story, a group of travelers arrives in a village. The villagers do not welcome the strangers by sharing food. The travelers set up their own pot and begin making soup. When the villager’s curiosity is aroused, they are told the strangers are making delicious stone soup. The strangers offer to share their soup, but unfortunately the soup is missing some ingredients. The story is extended, ingredient after ingredient, as the villagers run back to their homes and produce the ingredients that result in a delicious soup.

The moral is different, if you reverse the perspective. From the point of view of the villagers, an important lesson was learned about sharing. From the perspective of the travelers, that lesson was: “welcome and share with travelers because we are social engineers.”

In stone soup, we have a positive interpretation of social engineering, if you agree that the deception that happens in the story is positive, that it is beneficial. In Land of the Lost, a parent deceives his kids. The kids work together to get the ingredients for the soup. They figure out the deception while eating soup, and seem amused. I suppose they’ve forgotten being almost killed by dinosaurs while collecting the ingredients for the soup.

But deception was involved in the positive outcome, in any Stone Soup story. It is essential to the story. Whether deception is ever ethical is beyond my scope. In the general story, the strangers withhold information, the actual taste of the soup, and they provide false information, that the taste of the soup is excellent. The “soup” is merely hot water. The villagers act on that false information. They do not ask questions about the “soup”. Can they not trust their noses? There’s no soup. Instead, they fetch the ingredients. They are socially engineered into making a delicious soup. The soup is perhaps a joint effort, to the degree you accept social engineering as code. The strangers provided the code in the form of social interaction toward a deceptive goal.

Thus far in computer science, social code has primarily been discussed, if it’s been discussed at all, in cybersecurity and in human computer interaction. In human computer interaction, as usability or discoverability, and it’s primarily used for making transactions easier. In cybersecurity (as social engineering) it is mostly portrayed as something to be defended against in the very basic form of phishing. Phishing is a social engineering attack in which design (visual design) is used in conjunction with linguistic importance and familiarity (ie I remember my bank name. I know an email is serious if it is from my bank.) The deception is in information. The email pretends to link me to my bank web site, but instead links me to a fraudulent web site where I will, the social engineer hopes, enter my login name and password. The social engineering is in seeming like an important matter, and then scaring the target, slightly.

Targeted phishing emails use details from your life taken from social media. If the email seems like it is from Bank of America, and you have no account there, you’ve received a mass phishing attack. The attackers hope that the email is received by some people who have BoA accounts. If someone wants to specifically target your money, they need to find out which bank you use first. This is more advanced social engineering, pretexting. I teach my students positive social engineering, still pretexting, when I suggest the research the company they are going to interview with, that they read the bios of the people they are interviewing with, and that they talk with current employees if they can. That same approach can be used by people seeking to socially engineer anyone, or a group of people, perhaps a mass of people. At some point social engineering becomes broad enough that it’s marketing.

In The Century of the Self, early feminists were leading parades. Someone noticed that some were smoking, possibly as a protest against the social restriction on women smoking. Maybe they just liked smoking and didn’t care what anyone thought? Cigarette companies used public relations people to get more women smoking by associating it with the women at the front of the parade. This increased the number of women smoking at the front of parades, according to the documentary. Whether or not the social engineering was successful, intentions were clear. The message was: smoking was rebellious, it is feminist to confront social perception…by smoking an incredibly addictive drug. This is broadly targeted social engineering. We would also now call marketing and brand outreach. The idea of a lifestyle brand is not new.

Where is this going? I write here to get my brain up to figuring out what is worth writing about more in depth, and to record that process. I’m not sure whether there’s a conclusion to comparing The Littler Red Hen and Rock Soup. My thesis is we know social behavior can be encoded and programmed. This is something people researching social behavior already do, observe and encode behavior. Social behavior is a form of code and it can be coded, it is live coding in many situations. I’m working in research on social engineering, looking at social behavior that is intentionally deceptive. I think we should spend more time, particularly in cybersecurity, HCI, and computer science, thinking about how encoded behavior is vulnerable, and how it can be exploited.

Paige Treebridge

Paige Treebridge co-directs Divergent Design Lab, focused on vulnerability and exploitation using cybersecurity, new media art, user experience design, and social psychology paradigms. Twitter @PTreebridge

Pin It on Pinterest