Everything You Wanted to Know about
Social Engineering -- But Were Afraid to Ask...
Richard Thieme: reporter of phony
hacker stories
X-Sender: rthieme@mail.execpc.com
Date: Mon, 31 Jan 2000 13:44:17 -0600
To: Carolyn Meinel <>
From: Richard Thieme <rthieme@thiemeworks.com>
Subject: Re: In the words of Adam Penenberg, "So sue me."
At 12:24 PM 01/31/2000 -0700, you wrote:
>If I were to leave out that you had planned in advance to
learn more about
>Se7en at this lunch, doesn't that contradict your writing
so many stories
>about him shortly thereafter?
The causal fallacy here is "post hoc ergo propter hoc,"
i.e., after this therefore because of this. My doing a couple
of interviews with Se7en afterward had nothing to do with some
unannounced "plan" or alleged intention before doing
them. I was very open to lerarning about everyone at DefCon,
including Se7en and yourself.
>How could you explain this discrepancy?
It is not a discrepency. (see above)
>I don't even mention that you wrote magazine articles based
on his wild
>stories uncritically despite knowing he was a pathological
liar. I don't
>even mention the part of the luncheon where you were doing
the Dutch uncle
>thing on him over his wild stories. You spent quite a loing
time trying to
>persuade Se7en that he would come to a bad end if he kept
it up.
This is all interpretation Carolyn and I disagree completely
with your interpretation.
>In any case, this is not news but the anatomy of a social
engineering
>scheme. I don't even bring up the question of whether you
were the victim
>or collaborator. Actually, I am curious as to which you were.
Did you just
>forget that Se7en was a pathological liar, or did you decide
to sell stories
>you were quite certain were false?
Obviously, there are other options besides the two you suggest.
This is an attack on my character that is not warranted. You
ought to be ashamed of yourself.
>I am so fed up with phoney baloney
>hacker reporting -- that's one reason I sent out copies of
this chapter.
That is a very ironic statement.
You asked my comments on the accuracy of your statements.
I responded to that request.
I hope you can distinguish between an observable behavior
or documented statement and your own interpretation of what you
think someone's silence "must have meant." It is the
difference between objective reporting and libel.
X-Sender: rthieme@mail.execpc.com
Date: Fri, 04 Feb 2000 12:50:07 -0600
To: Carolyn Meinel <>
From: Richard Thieme <rthieme@thiemeworks.com>
Subject: a legitimate concern
At 09:14 AM 02/04/2000 -0700, you wrote:
>The best I can do is write about what I observed and recorded
at the time.
>I do question why you so uncritically wrote up what Se7en
told you after we
>established without a shadow of a doubt at that luncheon
that he was not a
>hacker and was a pathological liar.
Carolyn, that's a legitimate concern and I'll speak to it
directly.
Many people in the hacking community are less than honest
about the totality of their lives. That Se7en exaggerated in
one obvious area to make himself sound bigger than he was did
not necessarily lead to the inevitable conclusion that he was
"a pathological liar." That's a diagnosis, not an opinion,
and I was not in any position to make it after one lunch. So
perhaps you concluded then as you say that "he was not a
hacker and was a pathological liar" but I did not. Perhaps
you had more context or more specific knowledge of Se7en or both.
There was a great deal of exaggeration and posturing among many
people at that con and in fact at many of the business conventions
for which I speak - the costumes are different, maybe, but the
posturing and exaggeration are the same. People exaggerate their
importance and market an image of themselves that is larger than
life. That's human nature.
The two interviews that I subsequently published focused on
plausible or at any rate possible truths - that he had been taught
by others how to dumpster dive and how to phone phreak. There
is nothing in those two interviews that is not plausible, although
in retrospect he is clearly describing things he knows others
to have done rather than things he hasdone himself. As a description
of behavior, he is accurate; as a description of himself, he
is not.
And yes, it was my first Def Con and four years of experience
has taught me more than I knew then. Once it was revealed to
me that the entire pedophile deal was a lie (social engineering
is a polite phrase for that one), I never referred to it again,
and I did my best to hedge the off-hand remark about it (it was
a very small part of the piece on Blosser) by saying "no
one knows ..." which was the literal truth. If I had known
then what I know now, I would have not said even that, of course.
And I continue to feel compassion for Se7en. He is very smart
and a good writer and in my opinion is quite within the possibility
of redemption. I have worked with people a lot further down than
he was who have come back onto the train, and I also remember
people who did not give up on me at my worse and think I should
do the same with others. I liked him and I feel sorry for him.
That's doesn't mean I can't see what he did clearly, just that
I am going to let it go at that.
But come on, CM. We go back all the way to that lunch and
that con. I killed that profile on you for Salon that I was exploring
because it would have turned into a "personality piece"
which would not have served you or anybody. And at least one
of the solid sources you cited to me contradicted directly what
you said he said ... which does not necessarily make you a "pathological
liar" in my book, but does call into question how forthright
and open everyone in this domain can be at different times ...
I think we all need to approach one another in this domain
with greater understanding and compassion. There is simply no
need to create adversarial relationships out of what can be collegial
or at worst neutral postures.
Sincerely,
RT
Richard Thieme
ThiemeWorks ... professional speaking and
business consulting:
ThiemeWorks
P. O. Box 17737 the impact of computer technology
Milwaukee Wisconsin on people in organizations:
53217-0737 helping people stay flexible
voice: 414.351.2321 and effective
http://www.thiemeworks.com during times of accelerated change.
X-Sender: rthieme@mail.execpc.com
Date: Sat, 05 Feb 2000 16:53:39 -0600
To: Carolyn Meinel <>
From: Richard Thieme <rthieme@thiemeworks.com>
Subject: Re: a legitimate concern
At 09:34 PM 02/04/2000 -0700, you wrote:
>I can understand you believe that it is OK to write a story
on the basis of
>no evidence just because we hadn't proven that Se7en lied
100% of the time.
Carolyn, that is not what I said. It is - once again - a distortion.
The validation given Se7en by Dark Tangent
at others at DefCon 4 is not insignifcant. "Evidence"
for hacking activity would consist of logs of telephone calls
or computer activity and no one requests that before deciding
they have a credible report in this domain. Including yourself.
You yourself have established yourself as someone in "the
hacker scene" while admitting to many people that you do
not have sophisticated technical skills. And you ignored my statement,
that people to whom you referred me directly refuted and contradicted
what you said.
Can you extend to others the courtesy you want others to extend
to you?
Carolyn replies: That looks to me
like a pretty wimpy blackmail attempt. It only would be serious
if I really was a phony computer security expert. Mr. Thieme
is welcome to write any "expose" he wants to write
about me. If he continues to write totally phony news stories
about me or anyone else, I believe that is his First Amendment
right. Whether anyone will pay him to continue writing stories
he knows are phony is another matter.
Oh, yes, about my not having any
sophisticated technical skills -- when I wrote "How Hackers
Break in -- and how they are caught" for the Oct. 1998 Scientific
American, there was plenty of opportunity for people to expose
my supposed lack of skills in the letters to the editor of the
Feb.
1999 issue. You will notice that no
one could find anything wrong with that article. Mr. Thieme was
one of the people who emailed the editor of Scientific American
pretending to know that I supposedly have no technical knowledge.
OK, OK, I'm not claiming I'm any sort of genius -- I'm just saying
I write things that don't
suck.
Back to "So Sue Me"--->
