Description Ever wondered how social engineering attacks happen? This session's purpose is to design a poetry slam-like event with an audience award. Poets present their experience and ideas on how social engineering attacks can look like -- be it based on imagination or experience, stand-alone presentation or interaction with the audience. If we manage agreeing on a concept, we can hopefully organise a pilot slam on day 3.
Type Workshop
Kids session No
Keyword(s) social, art, hacking, security
Tags Social Engineering
Person organizing Uebelhacker
{{{Held in language}}}
Other sessions...
Starts at 2015/12/27 18:00
Ends at 2015/12/27 20:00
Duration 120 minutes
Location Hall C.3

We will bootstrap a Social Engineering Poetry Slam in this session. The pilot slam session on day 3 can be found here:

I came up with the Social Engineering Poetry Slam as a mean to find interesting new attack scenarios for social engineering research. Revealing sensitive information like passwords or granting access to restricted areas, is one (sometimes easier) way to circumvent physical or digital security mechanisms. In socio-technical security research the digital and physical/technical domain is complemented by the social/organisation domain introducing the "human factor". A poetry slam can be a novel approach to find stories of social engineering attacks, fictional or experienced. There are many definitions of social engineering in the wild, but for me in short: a human interaction needs to be present to enable the attack, i.e., dumpster diving is not social engineering, it's just gathering pre-attack information, but (spear) phishing or scams like the "Enkeltrick" are.

The community discusses some persuasion principles of why people succumb to these attacks. Presentations can base on these principles:

  • Stajano/Wilson (2009): Distraction, Herd principle, Time principle, Dishonesty, Need and Greed, Deception, Social Compliance
  • Cialdini (2001): Authority, Scarcity, Commitment & Consistency, Liking, Social Proof, Reciprocity

Here a small braindump of what can be discussed in this session: agenda, organisational requirements, assessment, presentations stlyes, etc.


Interested poets can come 30-60min before the event to the organiser to get on the "list". This list is shuffled.

I'd like to see presentations as traditional talks of around 10min (no beamer, no other "gadgets" allowed, therefore, not called "open stage" or "open mic"). On request the audience can prolong the presentation another 5min.

The "poet" can present in their own style, that can include minor interactions with the audience. I think this is a major ethical point for not harming any person attending and not to reveal personal identifiable information of third parties of experienced attacks. But it should be minor to not to become an improp theatre or attention (magic) trick only.

Like in poetry slams, the audience can assess (1-10, and hopefully audience is not social engineered ;) the presented stories based on e.g.,

  • presentation style
  • novelty
  • creativity
  • feasibility of attack
  • feasibility of real-life experiments
  • scalability of attack

If we want a final round like the "best" three, the poets should have created more than one talk. I think for 32C3 we can discard this option as there is not sufficient time for potential poets.