No, the entire world of hacking has changed from writing damaging code to designing damaging social engineering paradigms.
What do you mean by “social engineering paradigms?”
Let me give an example. One of my best friends, well-known, I don’t know if I can say his name, but he hires himself and his team out to corporations and government agencies to stress-test their systems.
Some years ago, he was hired by America’s largest electricity provider on the eastern seaboard.
In any case, obviously it’s in America’s political interest that people don’t fuck with electricity providers. So they were hired to try to break into their master control.
First thing he did, he drove around, hired a helicopter, took a look at the terrain. Drove around access roads, dirt roads, whatever, and then he picked a hill about a quarter of a mile from the main gate of the compound, got himself some people, telescopes and cameras, and things necessary for actually taking a photo of the entry gates with absolute clarity from a quarter of a mile.
After a month, he noticed something. He knows that every Thursday, about 50 trucks come through. Old, some of them beat up with lawnmowers and trimming gear, electric sheers and all sorts of shit in the truck beds. And he noticed one thing: Only the first truck would send their paperwork to the guards. And the paperwork, it actually had the number of trucks on it, and so on and so forth. But there were sometimes 50. The guard, after taking the paperwork, ignored the trucks.
My friend went out and bought a beat-up truck, got a bunch of used lawnmowers and uniforms that matched, because they all had these same shabby uniforms.
About a mile away, the convoy had to come around the curve, and there was an adjacent road that intersected with the main road. So he parked there, waited until about 15 trucks came by and bullied his way in. He gets through the gate, parks where everybody else is parked, and all the people are looking at him, but half of them are illegal Mexicans and, listen, nobody wants to get involved. OK. They went about their business.
They take off their coats, and underneath they’ve got three-piece suits, ties, the whole thing. In his hand is a letter that has on it, “Audit Authorization Letter on General Miller.”
So why did he choose the audit? Because the audit authorization letter is one of the tried and true social engineering tools. Why? You present it, the last thing in their mind is, “Are you real?” The first thing in their mind is, “Good God, did I install the latest version I was supposed to install?” Everybody’s panicked, fucking panicked.
So now at the bottom, they had the general’s signature and two phone numbers to call, just in case. He had operators standing by on these numbers, very professional. And had they called, they would have said, “Yes, General Miller demands that you give full cooperation.” But they never even bothered to call. The security saw the letter, and from then on, my friend and his team were gods.
So, they went to the manager’s office and announced themselves, “I have an authorization letter.” And then said, “And please, we want no one watching what we’re doing, and we want access to everything.” And they did have access, except to the main computer.
Now, the social engineers are also the best lock pickers on the planet. They all have lock-picking gear. My friend is down on his knees, picking the lock to the main computer room, and the security guard comes around. My friend jumps up and says, “You. Here, come here.” They were wearing suits; they’re clearly management, right? “We got a call about this lock. Have you had problems with this thing?” He goes, “No, I don’t know anything about it.” He says, “It keeps getting stuck is what we hear. Open this for us.” And he goes, “No, it works fine, sir.” My friend replies, “OK, you can leave.”