rdn32

Frank Stajano’s presentation on security (and the recent Cambridge Stack Overflow Dev Day) was based on the premise that hustlers and scammers understand human psychology in a way that engineers do not, and so security engineers would do well to learn from how classic scams work.

I’m not going to go into the details of what Stejano said: the talk was basically a fluffier version (in a good way) of this tech report. I’ll merely note that some people have complained about talk, saying that although its expositions of scams such as the Three Card Monte may have been entertaining, it was hard to see how this was applicable to computing.

Actually, what I want to do is quibble with Stejano’s choice of words in framing this research: the thing that hustlers know is human psychology—a theory of human behaviour—and so by implication hustling is an application of this theory. Put this way, it follows fairly easily that the greatest part of a hustler’s knowledge is this theory of human behaviour—human moves—and that knowledge of particular scams is a paltry thing in comparison.

[Not that I’m saying that this is what Stejano actually thinks, but rather that this view fits easily with the way he’s expressed himself.]

There is a completely different way of looking at this, which I will try to explain with reference to Rodney Brooks’ work in robotics, or rather his criticisms of traditional Artificial Intelligence that he made in his classic papers of the early 90s (“Intelligence Without Reason”, “Elephants Don’t Play Chess”, etc.).

Brooks took a strongly anti-theoretic stance, in order to avoid what he saw as an intellectual bias that took AI up a blind alley. It had seemed that what was needed was a theory of the basis of intelligence. Moreover this basis was itself a theory, some folk theory of the everyday world (see Patrick Hayes’ “Naive physics manifesto”). To build a system capable of behaving intelligently one simply applies the right theory: a small matter of programming.

Against this all this, Brooks insisted on the importance of a practical, engineering problem: building a credible autonomous robot. If a robot can respond directly to its environment then it can dispense with intermediate steps—building up a picture of the world, formulating a plan of action—that might require some theory of the world. Moreover, a failure to build such a robot would show theories of intelligence up as vain speculations.

As I understand it, Brooks’ approach has worked out very well, but brings its own problems. If your knowledge takes the form of an abstract theory, then your chief problem is how to apply it to concrete situations. In contrast, if your knowledge is embedded in the way you respond to situations, then you have a problem of how to make knowledge portable, so that it can be passed on and re-used. I recall Brooks having written that people often asked him if they could see the plans for the robots he had built, but that he couldn’t oblige: there were no plans.

Getting back to where I started, the different way of looking at hustlers knowledge is that the most important thing is knowing how to operate particular scams, rather than a theory of human psychology. This involves setting up situations and making use of people’s reactions to them. But knowing a person’s reaction to a situation means being able to recognise it as one of a number of common reactions, familiar to the hustler, much more than a general theory of human behaviour.

So how is this knowledge portable? By being its own tradition, into which aspiring hustlers can be inducted. This is apparent in its specialised slang: marks, ropers, shills, etc. Someone going in to that life won’t be given some logical foundation from which all operations might somehow be deduced: they’ll learn how to make themselves useful in particular scams. Familiarity is the real basis from which principles might fruitfully be extracted.