Blog Setup

So here’s the setup I have right now:

  • GitHub Pages - Obviously.
  • Jekyll - The tech powering this whole bloggy thing.
  • Jekyll theme: Hyde - I like the simple display of the posts + the simple side menu.

One thing I wanted to do was migrate my posts over to Jekyll (I hate making switches and having to start completely fresh). Jekyll’s site had a handy page on various ways of importing stuff, this one is specifically for importing stuff. I ended up using the exitwp tool mentioned on that page. That took all the text and converted them to individual files under the _posts directory, but all the images were linked to the files over at I wanted this all hosted on GitHub Pages, so I had to go and manually download each image and change the code on each post. Luckily there weren’t that many posts…

Another issue I ran into was getting Ruby set up properly on this Ubuntu box so I could run Jekyll locally to check out posts before publishing them or testing themes. The default ruby package is only v1.9 and Jekyll needs v2.0+. I don’t do a lot of coding so having multiple versions on a single machine was a learning curve. I ended up using rvm to handle this. The site has a pretty straightforward page on installing rvm. Then I found this page for steps on how to make v2.2.3 the default.

New GitHub Pages Blog

Inspired by Scott Roberts’ blog, I decided to check out GitHub Pages and Jekyll. I’ve had a blog at for a while, but I haven’t blogged anything in a long time. I’ve been thinking about blogging more (again) lately and thinking about moving away from WordPress, but just wasn’t sure what to do. The idea of having GitHub host it though gives me the opportunity to finally learn git and GitHub better though!

So here I am. Easy setup, easy management, simple layout, and a technology that aligns with my current learning plans. I’ll write a post here soon about the setup, issues I ran into (those that I can remember), etc.

Deception in Social Engineering

So there’s been a debate going on for a while (2 years??) over at the podcast over whether or not social engineering always involves some sort of deception. The latest podcast featured guest Dr. Paul Ekman, pioneer of microexpressions. After the interview with Dr. Ekman ended, the topic of deception in SE’ing came up again. This time they have another host, more input, and I decided I needed to think about this some more and do some reading. Here are my thoughts on the topic.

tl;dr Yes, social engineering always involves some sort of deception.

So I’ll give an explanation as to why I believe social engineering always involves some sort of deception, then put it into the context of the examples given on the podcast by Jordan and Dave in their attempt to refute this.

Deception is often put into context of situations where something bad happens to the deceived; con men, scammers, etc.  This has given a false impression that deception always involves something bad happening to the deceived.  This is simply not true.  The act of deception is one thing, while the motive (or intent) behind the deception is another.  This separation is fundamental.

Deception is relational, and requires the intent of the deceiver and the expectation of the deceived to label it as such; it is the negative violation of the deceived’s expectation.

There are 5 primary types of deception [1]:

  1. Lies: making up information or giving information that is the opposite or very different from the truth.

  2. Equivocations: making an indirect, ambiguous, or contradictory statement.

  3. Concealments: omitting information that is important or relevant to the given context, or engaging in behavior that helps hide relevant information.

  4. Exaggerations: overstatement or stretching the truth to a degree.

  5. Understatements: minimization or downplaying aspects of the truth.

And there are 3 primary motives [2]:

  1. Partner-focused motives: using deception to avoid hurting the partner, to help the partner to enhance or maintain his/her self-esteem, to avoid worrying the partner, and to protect the partner’s relationship with a third party. Partner-motivated deception can sometimes be viewed as socially polite and relationally beneficial.

  2. Self-focused motives: using deception to enhance or protect their self-image, wanting to shield themselves from anger, embarrassment, or criticism. Self-focused deception is generally perceived as a more serious transgression than partner-focused deception because the deceiver is acting for selfish reasons rather than for the good of the relationship.

  3. Relationship-focused motives: using deception to limit relationship harm by avoiding conflict or relational trauma. Relationally motivated deception can be beneficial to a relationship, and other times it can be harmful by further complicating matters.

Sometime ago, the crew did a live podcast at Shmoocon in DC.  While they were recording, Johnny Long came by and gave an example he believes shows that SE’ing doesn’t always involve deception.  It goes a little something like this:

You have a guy next to you with bad breath, but you don't want to tell him he has bad breath.  So instead of telling the guy, you pop a mint into your mouth and then start talking about how awesome they are.  This statement about how awesome they are then has the bad breathed guy asking for a mint.

This is the example that keeps coming up on the podcast.  Johnny Long contended, and Dave continues to argue, that this is not deception because you never lied to the guy.  Chris contends that it is deception because the intent was for him to ask for a mint, not just talk about how tasty they were.

It keeps being argued that it wasn’t deception because the end result was positive.  Again, whether or not it was positive is irrelevant.

  1. The deception contained concealment of information.

  2. The intent was to get the guy to ask for a mint because of his bad breath, but the expectation of the guy was asking for a mint because you said they were delicious.

From here, we can start talking about the motive/intent behind the deception.  In this case the motive was partner-focused.  You didn’t outright tell the man he had bad breath to avoid hurting him, to help him maintain his self-esteem.  While a kind gesture, it was still deception.

Other examples from the podcast:

Jordan’s example: If you’re buying a woman a drink with the intent of sleeping with her, but you don’t express your intentions, is that deceptive?  What if she already knows your intentions?

If her expectation is that you’re only buying her a drink as a kind gesture and as a conversation starter, then yes it’s deceptive. On the flip side, there’s no way she can absolutely know your intention. But if she expects that you’re buying her a drink with the intent of sexy-time, then it’s not deceptive.

Dave’s example: If Dave gives Chris a hug, what’s his intent?  To make Chris feel uncomfortable. Is the hug deceptive?

From the podcast, Chris said Dave’s intent was to make him feel uncomfortable; Dave agreed.  Therefore the hug is not deceptive.

I also wanted to touch on Jordan’s attempt to differentiate between deception and tricky in the breath mint scenario.  He said that it wasn’t deceptive (his definition of deception involves something prejudicial to the deceived), but that it was maybe tricky instead.  Here’s a screenshot of the definition of “tricky” from

Some may ask “how is deception ever positive?”  I’d contend that the breath mint scenario is one example.  Everybody on the SE podcast crew agrees that it was a kind gesture.  Deception is often used in romantic relations as well, with the same motive as in the breath mint scenario: to avoid hurting the feelings of the other.

Anyway, this podcast was one of my faves yet. I’ve been eagerly waiting for them to have Dr. Paul Ekman on the show and they definitely didn’t disappoint!

I love the podcast, and I like the addition of Jordan to the crew.  Having more perspectives on SE’ing is always welcome! :)


I’ve finally picked this high security Brinks padlock I’ve been working at for a few days now!

I’ve always suspected that there were security pins in this lock, but never could tell exactly how many…until I watched this Picking a Brass Brinks Padlock video!

4 security pins?? I never would’ve guessed four, but knowing that helped a lot. As well as knowing that the 2nd pin seems to always be the pin stack without the security pin. So now I gotta re-pin some of my other locks…or get some new ones ;-)

Lockpicking, Waiting for Downloads...

Working at a remote branch, waiting for some downloads to finish, I spent the time lockpicking! Lockpicking is something I’ve been interested in for a while, but just recently started picking more.

I don’t have a lot of locks, just things I’ve collected over the years, and a 15 piece lockpick set I bought from (11 picks, 4 tension tools).  Off camera, I have a bag with the rest of my locks.  All the locks you see there are the ones I’ve opened while waiting for the download.  I never did get that Brinks open.  One day… haha

I did end up making my first padlock shim though!  I’ve bought shims before, but wanted to go the DIY route after re-watching a Deviant Ollam video.  I found a can in a recycling bin in the lunch room…

If you want to build your own, here’s some instructions Deviant did for Beer Can Padlock Shim