I’m sorry; I wouldn’t know. The Pig & Whistle has been booked out solid for years now. Possibly by white-hat social engineers, now that you come to mention it.
There are, of course, a few of them sculling around, if one looks hard enough. Here’s how to recognise a good white-hat social engineer (aka WHSE), gleaned from some 20 years of studying their writings:
- Obviously, being white-hat, they are out to help, not hinder, other people; and, being engineers, they are into the design of systems;
- Systems have to be used by other people, not just themselves, so they rarely if ever talk about their own personal preferences. Rather, they focus on the needs of other people. In effect, their aim is to create systems that other people will find easy to use, and, if at all possible, enjoyable to use.
- Every man and his dog has an opinion about other people, what they are capable of, and what they enjoy doing, but good WHSEs aren’t interested in opinions; they like evidence. So they read relevant research papers, and conduct tests, where possible using best scientific procedures such as sample groups and double-blind administration. So they end up recommending system features not because they are fashionable, or marvellously gimmicky, or personally popular, but because they are proven to work (meaning: not just for themselves, but for other people).
So why do I think good WHSEs are a rare breed? If one looks around the Internet a lot, one can find lots of people offering advice about safe surfing; good Internet practice. Actually, lots and lots of it. Websites that offer login facilities generally have rules - passwords with certain kinds and numbers of characters. Forums and blogs where people pontificate on the best ways of doing things. But rarely is there any consistency, and even more rarely is there any reference to research or evidence. By and large, it is a potpourri of random opinion, mostly ill-informed and half-baked.
Within this potpourri, however, can be found a small group of people who focus on systems, not methods or gadgets; on other people’s preferences and abilities, not their own; and on research and evidence, not just guesswork or personal preference. These are the good WHSEs. And, because they base their work on research, what they say is remarkably similar, and remarkably consistent, and has been for the past 20 years.
So what have they been saying for the past 20 years?
Their first message is that an absolutely safe system is an impossibility. There is, and always will be, a vulnerability hard-baked into every system that connects to the Internet. And doubly so if people interact with it. If humans have access to the system, then sooner or later it will become compromised. This is not a design fault, but rather a design feature. Live with it.
The second message is that safety is best planned for by making human access methods part of the system - not, that is, some tacked-on procedure. That means providing suitable instructions, training, supervision, and all the other bits and pieces that go into a human system. That means, don’t do as Government Departments like to do, treating human users as hostile, alien elements that must be protected against.
The third message begins with the idea behind two-factor authentication (2FA): something I have, and something I know. The ‘something I have’ needs to be baked into the system in some way that is essentially untouchable by the user (e.g. a certain phone number); the ‘something I know’ needs to be something unguessable, or at the very least hard to guess, by other people, and also be unique to a given system; and also ever-changing, to prevent force attacks. Oh, and all of that must happen within human brains which are designed by evolution not to be able to do it. So the rule is: the greater the required level of security, the more complex the login and stay-in systems must be, and hence the greater the level of needed training will be.
Any Internet-connected system designed without reference to individual human abilities and preferences is wide-open vulnerable; likewise any system that expects humans to behave in certain ways without comprehensive and effective training.
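The post’s third message sketches two factors: a ‘something I know’ that is unique to one system, and a ‘something I have’ that changes over time. As an added illustration (not the poster’s code, and not a description of any real site’s login), the following Python shows one way those two properties are usually realised: the knowledge factor is stored as a salted hash bound to a system identifier, so the same password enrolled elsewhere produces a different record, and the possession factor is a short code derived from a device-held secret and the current 30-second time window, so it is different on every login. The system identifier, device secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this example; they are not from the original post.
SYSTEM_ID = b"example-forum"        # makes the stored knowledge factor unique to this system
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # held on the user's device
TIME_STEP_SECONDS = 30              # how often the possession-factor code changes


def enroll_password(password: str, system_id: bytes = SYSTEM_ID) -> dict:
    """Store 'something I know' as a salted, system-bound hash, never in the clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + system_id, 200_000)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict, system_id: bytes = SYSTEM_ID) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"] + system_id, 200_000)
    return hmac.compare_digest(digest, record["digest"])


def one_time_code(device_secret: bytes, now: float, step: int = TIME_STEP_SECONDS) -> str:
    """'Something I have': a 6-digit code from the device secret and the current time step.

    The code is the same within one step and different in the next, so a captured
    code is useless once the step has passed (HOTP/TOTP-style dynamic truncation).
    """
    counter = int(now) // step
    mac = hmac.new(device_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_code(code: str, device_secret: bytes, now: float,
                step: int = TIME_STEP_SECONDS, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side, to tolerate clock drift."""
    for delta in range(-skew, skew + 1):
        candidate = one_time_code(device_secret, now + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def login(password: str, code: str, record: dict, device_secret: bytes, now: float) -> bool:
    """Both factors must pass. Both are evaluated before answering so a failed
    attempt does not reveal which factor was wrong."""
    knows = verify_password(password, record)
    has = verify_code(code, device_secret, now)
    return knows and has


if __name__ == "__main__":
    import time
    record = enroll_password("correct horse battery staple")
    now = time.time()
    code = one_time_code(DEVICE_SECRET, now)   # what the user's device would display
    print("login with both factors:", login("correct horse battery staple", code, record, DEVICE_SECRET, now))
    print("login with stale code:  ", login("correct horse battery staple", code, record, DEVICE_SECRET, now + 10 * TIME_STEP_SECONDS))
```

Binding the password hash to a system identifier is the concrete form of the post’s ‘unique to a given system’ requirement; the time-stepped code is the concrete form of ‘ever-changing’. Neither relieves the user of the training burden the post describes, it only bounds what a single leaked password or intercepted code is worth.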