Thinking adversarially

It’s good to think “win win” and trust everyone.

However, I spent a few years in nuclear cyber-security and one of the key aspects of security is to think like an attacker.

Granted, nuclear cyber-security is pretty heavy-duty, but this helps even in simple everyday scanning of Craig’s List … how do you avoid scams?

Here’s an example advertisement from Craig’s List today:

Good Paying eBay Job $525
compensation: 600

i an offering to give a % of the amount of items i sell on ebay if
you let me list my items on your account, because ebay give selling
limits they cap me each month, i will pay between $50 and $275 of 
every sale made, please contact me with ebay account info like 
feedback score and % 

Now, why do I know that’s a scam?

Honestly? I don’t. It could be legitimate. How would I determine if it’s a scam?

Let’s assume it’s not a scam and see what it would take to satisfy an honest need with that request.

Well, they’re somehow overselling (we’ll ignore how).

Since I would want to protect my good name, I’ll offer to pick up the items in advance; I’ll then list the items now in my possession on my eBay account. On each sale I’ll fulfil the sale’s terms doing the shipping myself. I’ll give the owner their amount keeping the rest as profit.

Sounds fair, right? It’s just consignment.

If the advertiser is honest, she would jump at the offer. It gets the items sold and she doesn’t even have to do the shipping. Ideal! If she turns it down, or doesn’t respond … scam.

That is one of the simpler aspects of thinking adversarially. Instead of assuming the person is honest, you assume they are dishonest. Then you propose a solution that serves both parties if they are honest. That causes the dishonest to reject you (and without sensible reasons, another indicator) and the honest thinks you’re really smart and loves the deal.

I once read an advertisement inviting readers to purchase fractional ownership of exotic cars, which they would then collectively (in shifts) drive around Las Vegas while the cars displayed advertising the company would provide. The drivers/owners would make money based on their driving shifts.

Doing this would destroy the cars (in very short order) and the maintenance for thousands of miles/month on a Ferrari is very high.

However, it sure sounds like an interesting proposition–get paid to drive around in a nice car. I responded with a proposal of my own.

I offered to skip the fractional ownership and bring in my own exotic car which I’d drive showing their advertising, just like their drivers, but without any of the overhead of them managing my car. I’d pay my own maintenance, and only I would drive my car.

A real win-win … I drive around town in my nice car and they pay me. As a nomad that’s almost like throwing money at me!

Amazingly (not) they rejected the proposal and tried to charge me to bring my own car and wear their ads. Now, that’s odd, that is against their very model — makes no sense if they were honest. Makes perfect sense, though, if they were scamming.

I called them “the car slavery ring.”

I believe their scam was as follows:

  1. convince their “new employee/owners” to sign a loan contract with a financial institution jointly with the other new owners for the loan to buy the car — making them jointly (personally) liable for the loan repayments (this is the “fractional ownership” aspect)
  2. the scammers then take the money from those loans and instead of buying the cars they close the company (buy no cars, place no ads) keeping the amounts of the loans for the cars and leaving the slaves liable for the costs personally

They had pictures of people with checks at a “Rah! Rah!” meeting. However, they had no pictures of cars with ads for anything but their own company. Nor did they have a URL or information needed to pay them for advertisements.

When the ad stopped running on Craig’s List (implying that they got their full quota of drivers here in Las Vegas), I never saw a single exotic car with ads. Nor did I find a way to pay for them to place my ads on their cars.

My guess … there’s a group of people who are having to pay back those business leases even though they have nothing to show for it or their credit gets trashed. Most will probably just go bankrupt — if they can. The kind of people who fall for these sorts of “deals” are generally not the most fiscally responsible and could already have a bankruptcy.

It is said “you can’t cheat an honest man.” You absolutely can. But it is very hard to cheat the man who asks “Can this be a scam?” every time and looks at it from the perspective “How could I scam someone else with this proposal?” That is the question an adversary (an attacker) asks!

That’s why one should think adversarially — not that everyone should be mistrusted! Rather “trust but verify.”

Keep the Light!
