Text
Ballistic Missile Crisis:
Ballistic missile incoming, what is your response:
As myself:
How would you initially respond to the situation?
Get to the safest place in the building
What if you had an extra hour?
Get in the whip and drive a far from densely populated areas
What if you had an extra day?
Get to my farm
How could you have been better prepared?
Go bag
Vehicle access
As the Uni:
Send an alarm out across the uni, telling people to get inside buildings and away from windows
With an extra hour - call in all the uni vehicles and buses to organise transport away
With an extra day - shut down the uni with public announcements so that no-one comes in the next day
Build safe zones, underground areas that can host people who are on campus
Organise emergency vehicle protocols to transport people away from the uni
As the Prime Minister:
Inform everyone of the threat via news outlets
Tell everyone to get inside and get to the safest place that is on their property
Flee, you are probably a target as the leader of the country
With an hour, not much changes
With a day, release a public statement saying the public should assume a world war, and get to the safest place they can within the next day.
What could we do to be better prepared - create public bunkers, since apparently the nearest bunker is in Sweden
B.
0 notes
Text
SSL & Public Key Infrastructure
I have 7 certificates after removing some Adobe ones, because f*ck Adobe.
The majority of mine are from Apple, however there is one from Macquarie Uni and one from UNSW. So while generally I would trust these organisations, after the ANU breach there is a potential for both of these organisations to be currently compromised without them or me even knowing.
This would mean someone behind their network could be intercepting the traffic, so when we use uniwide or eduroam, our data can be observed.
Also, the root certificates that Apple put in mean they can essentially look at everything on this computer in terms of network usage, so that's good.
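The check a practitioner would want after reading the above is a quick audit of which self-signed roots the machine trusts and which of them come from organisations other than the public CAs you expect. The following is an added example, not code from the post; it uses only Python's `ssl` module, and the certificate dictionaries in `SAMPLE_CERTS` are constructed in the shape `ssl.SSLContext.get_ca_certs()` returns (the organisation names in them are made up).

```python
import ssl


def _field(name_tuple, key):
    """Pull one attribute (e.g. organizationName) out of the nested tuples
    that ssl.SSLContext.get_ca_certs() uses for subject and issuer."""
    for rdn in name_tuple:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""


def is_root(cert):
    """A root CA is self-signed: its subject and issuer names are identical."""
    return cert.get("subject") == cert.get("issuer")


def unexpected_roots(certs, recognised_orgs):
    """Return (organisation, commonName) for every root whose organisation is
    not in recognised_orgs; an institutional or vendor root shows up here."""
    flagged = []
    for cert in certs:
        if not is_root(cert):
            continue
        org = _field(cert["subject"], "organizationName")
        cn = _field(cert["subject"], "commonName")
        if org not in recognised_orgs:
            flagged.append((org, cn))
    return flagged


def system_roots():
    """Roots the running Python trusts by default (the OS / OpenSSL bundle)."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample in the dict shape get_ca_certs() returns (names made up).
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
                 (("commonName", "Example Public Root"),)),
     "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
                (("commonName", "Example Public Root"),))},
    {"subject": ((("countryName", "AU"),), (("organizationName", "Example University"),),
                 (("commonName", "Example University Root CA"),)),
     "issuer": ((("countryName", "AU"),), (("organizationName", "Example University"),),
                (("commonName", "Example University Root CA"),))},
    # An intermediate (issuer differs from subject) is not a root and is never flagged.
    {"subject": ((("organizationName", "Example University"),),
                 (("commonName", "Example University Issuing CA"),)),
     "issuer": ((("organizationName", "Example University"),),
                (("commonName", "Example University Root CA"),))},
]

if __name__ == "__main__":
    recognised = {"Example Public CA"}  # constructed allow-list
    for org, cn in unexpected_roots(SAMPLE_CERTS, recognised):
        print(f"unexpected root: {cn} ({org})")
    print(f"{len(system_roots())} roots loaded from the system bundle")
```

Run against `system_roots()` with an allow-list of the public CAs you recognise to see which institutional roots are present; any root you did not knowingly install can sign a certificate for any site, which is exactly the interception concern above.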
B. 
0 notes
Text
Analysis on my spotify data:
This is really cool. I’m tempted to download all data sources and analyse myself more in depth. Overall, doing spotify wasn’t too bad (maybe that’s what they want me to think).
The data comes in JSON files, and is categorised. The most relevant categories are user information, streaming history, and search queries. My personal info file is only about 10 lines; it has your name, birthday, country and whether you're linked to Facebook.
What I chose to do was to analyse the most frequently streamed songs for myself, around the top 50. Here are the results.
[image]
Ultimately I'm surprised about the top spot, which corresponds to 'pink noise for sleep 12' by the artist 'granular'. I used this a lot a few weeks ago for study so I thought it would be frequent, but definitely didn't think it would be first. Ramin Djawadi is the composer who wrote the soundtrack for the Game of Thrones television series, so you can see I've been listening to the soundtrack a lot, with the top tracks being "Winterfell" from season 3, which is a belter, and 'The Night King' from season 8, which is another banger.
Mac Miller (may he rest in peace) and John Mayer have well-earned spots high up the list, with Mac's top song being 'My Favourite Part' and John's being 'Still Feel Like Your Man'. This is skewed slightly since it's only the last month or 2 of data. If this was all time, I have a feeling the top song would be 'Slow Dancing in a Burning Room live in L.A.'
The only thing I couldn't place the source of is the entry 'Skin'. But doing a search in Spotify revealed that it's a Mac Miller song from the same album as 'My Favourite Part', so I must've heard it a bunch of times while listening to the album.
Ruel and Daniel Caesar come in lower than I would have expected, if the data was over a longer sample, I think they’d be higher up while Stormzy, Tony Anderson, Ed Sheeran and Shawn Mendes would all be lower down. Ed and Shawn released new music over this period, hence the very high position on the list.
Ultimately this list is dominated by very relaxed music, with a distinct lack of DOOF DOOF, so you can tell that I have music going frequently while studying.
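For anyone who wants to do the same analysis on their own export, here is an added example (not the post author's script) that counts plays per track, ranks artists by listening time, and separates out near-instant skips like the 'Skin' entry above. The records in `SAMPLE_JSON` are constructed; they follow the field layout of a Spotify StreamingHistory export (`endTime`, `artistName`, `trackName`, `msPlayed`), which is an assumption about the format rather than something the post spells out.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Spotify StreamingHistory export
# (records with endTime, artistName, trackName, msPlayed; assumed layout).
SAMPLE_JSON = json.dumps([
    {"endTime": "2019-05-01 22:10", "artistName": "granular", "trackName": "pink noise for sleep 12", "msPlayed": 3600000},
    {"endTime": "2019-05-02 22:10", "artistName": "granular", "trackName": "pink noise for sleep 12", "msPlayed": 3600000},
    {"endTime": "2019-05-03 22:10", "artistName": "granular", "trackName": "pink noise for sleep 12", "msPlayed": 3600000},
    {"endTime": "2019-05-04 09:00", "artistName": "Ramin Djawadi", "trackName": "Winterfell", "msPlayed": 240000},
    {"endTime": "2019-05-04 09:04", "artistName": "Ramin Djawadi", "trackName": "Winterfell", "msPlayed": 240000},
    {"endTime": "2019-05-04 09:10", "artistName": "Ramin Djawadi", "trackName": "The Night King", "msPlayed": 300000},
    {"endTime": "2019-05-05 18:00", "artistName": "Mac Miller", "trackName": "My Favorite Part", "msPlayed": 200000},
    {"endTime": "2019-05-05 18:03", "artistName": "Mac Miller", "trackName": "Skin", "msPlayed": 5000},
])


def load_history(json_text):
    """Parse one StreamingHistory file (a JSON array of play records)."""
    return json.loads(json_text)


def top_tracks(records, n=50, min_ms=30000):
    """Play counts per (artist, track). Plays shorter than min_ms are treated
    as skips and ignored, so the chart reflects what was actually listened to."""
    plays = Counter((r["artistName"], r["trackName"])
                    for r in records if r["msPlayed"] >= min_ms)
    return plays.most_common(n)


def top_artists_by_minutes(records, n=50):
    """Artists ranked by total listening time, in whole minutes."""
    ms = Counter()
    for r in records:
        ms[r["artistName"]] += r["msPlayed"]
    return [(artist, total // 60000) for artist, total in ms.most_common(n)]


def skips(records, max_ms=30000):
    """Entries that were skipped almost immediately."""
    return [(r["artistName"], r["trackName"]) for r in records if r["msPlayed"] < max_ms]


if __name__ == "__main__":
    history = load_history(SAMPLE_JSON)
    for (artist, track), count in top_tracks(history, 5):
        print(f"{count:3d}  {artist} - {track}")
    print(top_artists_by_minutes(history, 3))
    print("skipped:", skips(history))
```

Counting by plays and by minutes gives different pictures: a 60-minute noise track dominates the minutes table even when it is played less often than a 4-minute song, which is worth keeping in mind before reading too much into either chart.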
B.
0 notes
Text
China Syndrome: Movie Afterthoughts
That was seriously good, I finished watching it about a minute and a half ago. I'm going to categorise my thoughts into some main areas as I think of them.
Security vs. Profit:
One of the recurring themes here is that people don’t want to take particular courses of action due to the financial burden. Some examples of this are:
Getting the plant up and running after the accident as soon as possible
The quality assurance man not taking x-rays of all the pipes, but reusing the same image again and again
And refusing to update the x-rays since it would cost 15-20 million dollars
Not sending a team in to clean up the spill on the reactor room
Protocol vs. Human Judgement:
The first time this conflict occurs is in the accident sequence, where Jack makes orders to conduct a procedure and is quickly told that “that’s not what the book says”. But ultimately he saved that accident from going any further. 
We also see this when Jack is trying to communicate the issue to his friends working inside the control room, where they tell him to go home since they've been given orders to run the plant, even though some may think it is unsafe. We see this again in the exchange about scrambling the plant, where Jack's technician friend goes "isn't that what Jack was worried about in the first place?", voicing some judgement that maybe this is a bad idea, before being quickly shut down with his superior saying "whose side are you on?".
Finding a Scapegoat:
Ultimately, the company will not own up to the mistakes it makes, calling Jack a drunk and a madman, rather than admitting that their safety systems are not up to scratch. As discussed in lectures, this is always likely since the public wants to believe that the problem can be boiled down to a single person acting against the will of the company, and the company doesn't want to admit that it made mistakes.
Examples of Huge System Failure:
The list is long, and includes:
Relying on the dial which says the water levels in the system were high, when in fact they were low, and having to respond to false readings
Although the dial said high, the other indicators would suggest that it was actually low, and Jack could only say he didn’t know why they didn’t take those into consideration
When the initial alarms went off, everyone was still in an 'everything is normal' mindset, not believing there was cause for concern for about a minute after the alarms went off
A whole bunch of alarms went off at the same time, making it impossible to focus on any of the problems at once
The news team had to do a whole bunch of pretty irrelevant setup to get the ‘perfect’ broadcast when they should’ve just been trying to get the story out to the public as fast as possible
The control room was fairly vulnerable to an insider attack, where Jack was buzzed in, and had enough free rein to be able to take the security guard's gun and force everyone out
You can clearly see how quickly things could go bad if he had a reason to cause a problem, with the quote “he can do pretty well whatever he wants now” springing to mind, including turning the reactor up to 100% or higher and causing a big old China syndrome
The ability of 2 people to scramble the entire plant is probably a bit of a concern
B.
0 notes
Text
Week 9 Case Study: mAkE aMEricA saFe aGAiN
Come up with laws that prevent school shooting:
The most obvious one is to take all the guns out of circulation
Why is this hard:
There are a lot of untracked/illegal guns 
The 2nd amendment would need to be changed as well as the general mentality of Americans
Laws about responsible gun ownership
Keeping your gun away from your kid
Sensors at schools to sound alarms if anyone tries to bring a gun in
Technological Advancement:
Palm readers -> you can't fire your parents' gun since your hand doesn't match the gun's stored one
Limit the class of weapons available -> take away automatic and semi-automatic weapon availability
By rounds fired per minute
Restrict the damage that can be done by a weapon
Non-gun related measures:
Panic/safe rooms made of bullet proof glass and lockdown rooms
Make classrooms out of the safe material
Any open spaces, like cafeterias, should be bagless, and we could use the alarm system to prevent guns entering the open space.
B.
0 notes
Text
Buffer Overflows:
So, how can I exploit your buffers.
Exercise 1 and 2: 
These 2 are the easier 2 of the 4 exercises since they both contain source code that you can read. This means you know exactly where the weakness in the code is and how large a buffer you need to overwrite it, speeding up your task.
1: This task was about abusing the coder's use of gets, which doesn't length-check what you write in, in order to change the value sitting just above the buffer on the stack. The buffer size was 32 so I attempted to write 32 'A's and then a 'B' but this didn't work or cause a seg fault. This suggests there are things sitting between the buffer and the character I'm targeting. From there it's fiddling until you place the B in the right spot. I've hidden the number of A's so you can have the fun of fiddling.
[image]
2: The similarity to part 1 was that you could read the buffer length in the source code, and you could see that there was a function pointer with the address of the lose function just above it. They help by printing the address of the win function. So then you fill the buffer and just after that, write, in byte form, the address of the win function. There was no padding this time, so no fiddling required.
[image]
Exercise 3 and 4:
Caff’s readme says only 4 doesn’t have C source code but for me it was both 3 and 4, which made 3 the biggest hurdle, and 4 pretty fine once 3 was worked out.
3: No source code meant I was fiddling with input lengths a lot until I worked out that byte 268 would cause seg faults. From then I used gdb but it didn’t give too much away as the seg fault location was given as ‘??’. At this point I was a bit stuck so I reached out to Ash who suggested using objdump -d on the executable. This was very helpful as objdump gives the entire set of assembly for the program, and in this I found a function called:
[image]
with its address. From there it was about filling up the buffer the full 268 and then overwriting the function pointer address, giving:
[image]
4: Based on the work I did for 3, 4 was much the same, I did an objdump and found the address of the win function:
[image]
and then used trial and error to find the length of the buffer and then overwrote whatever was after the buffer with my win function address, giving:
[image]
That was a lot of fun, doing a real (less so realistic) exploit.
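The mechanism behind exercises 1 and 2 is that an unbounded read walks straight past the end of the buffer into whatever sits above it, in exercise 2 a function pointer. The added example below (not part of the exercises or the course's code) reproduces that layout with `ctypes` so it can be run without a C toolchain: a 32-byte buffer with a pointer-sized field directly above it, a `gets`-style copy that clobbers the pointer, and an `fgets`-style bounded copy that cannot. `LOSE_ADDR` is a constructed stand-in for the lose function's address, and the `gets` model is capped at the struct size only so the demo cannot corrupt the interpreter.

```python
import ctypes

BUF_SIZE = 32
LOSE_ADDR = 0x00400A00  # constructed stand-in for the address of lose()


class Frame(ctypes.Structure):
    """Layout from exercise 2: a 32-byte buffer with a function pointer
    sitting directly above it in memory (offset 32, total size 40)."""
    _fields_ = [("buf", ctypes.c_char * BUF_SIZE),
                ("fn_ptr", ctypes.c_uint64)]


def gets_style_copy(frame, data):
    """Models gets(): copies the whole input with no length check.
    Capped at sizeof(Frame) only so the demo cannot damage the interpreter;
    a real gets() has no cap at all."""
    n = min(len(data), ctypes.sizeof(frame))
    ctypes.memmove(ctypes.addressof(frame), data, n)


def fgets_style_copy(frame, data):
    """Models fgets(buf, sizeof buf, stdin): at most BUF_SIZE-1 bytes plus a
    terminating NUL ever land in buf. Returns True if the input was truncated,
    which is the signal a defensive program should log or reject on."""
    truncated = len(data) > BUF_SIZE - 1
    payload = data[:BUF_SIZE - 1] + b"\x00"
    ctypes.memmove(ctypes.addressof(frame), payload, len(payload))
    return truncated


def run_copy(copy_fn, data):
    """Point fn_ptr at lose(), perform the copy, report (buffer, fn_ptr) after it."""
    frame = Frame()
    frame.fn_ptr = LOSE_ADDR
    copy_fn(frame, data)
    return frame.buf, frame.fn_ptr


if __name__ == "__main__":
    # Constructed input: 32 bytes of padding followed by 8 bytes of 'B', the
    # same shape as the post's "fill the buffer, then write what comes next".
    overlong = b"A" * BUF_SIZE + b"B" * 8
    print("gets  ->", hex(run_copy(gets_style_copy, overlong)[1]))   # 0x4242424242424242
    print("fgets ->", hex(run_copy(fgets_style_copy, overlong)[1]))  # 0x400a00, intact
```

The difference between the two results is the whole story of the first two exercises: the bounded read leaves the pointer untouched and tells the caller that the input was cut, and the unbounded one hands the caller whatever bytes the input put there.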
B.
0 notes
Text
My Research For The Privacy Seminar:
Light Methods
Incognito modes:
- On Chrome: the browser won't save browsing history, cookies or information you enter into any forms like website logins.
- When you send your GET request to a website, you're still automatically including some information like your IP address, so you can still be identified.
- Shared network: the owner can still see what you are doing.
- Your Internet Service Provider can still see your connections and data usage.
- So, all private browsing does is stop the browser itself tracking you; you're still very visible.
Privacy-focussed browsers:
- Another way to increase privacy is to use different search engines. Just as an example, DuckDuckGo is a widely used search engine for people seeking privacy.
- It claims that it doesn't use cookies to track its users and doesn't collect personal information like IP addresses.
Taking Care of Your Accounts:
- log out if you don’t need to be logged in. For google, if you aren’t using docs, drive, Gmail or posting anything, then you really don’t need to be logged in.
- Also, this won’t work unless you log out everywhere:
private browsing on safari
logged in on the YouTube app
Go on my laptop later & all my YouTube data is updated from phone activity.
- Don’t link accounts.
Don’t sign up for something like Spotify or Instagram with a Facebook account.
Essentially just increasing the number of access points all these companies have to your identity.
- just flat out lie. Like Richard said all the way back in week 1, when you sign up to any account, just lie. So companies have your information, but it’s all wrong.
Heavier Methods:
VPN:
- Establish an encrypted connection to your VPN's server
- Then when you browse, your network connection isn’t directly to your normal address, it’s to the VPN.
- Harder for someone to know your identity on the internet, since the identity they see is the VPN's
- VPNs also prevent your ISP from seeing your browsing data as easily, since they just see a whole bunch of instances of you connecting to a VPN, but not what the VPN does
- Ineffectiveness:
Do you trust your VPN service?
Your VPN provider can look at your network activity if they keep user data logs
A less suspicious VPN provider will sell on the fact that they don’t keep logs of user information
Added benefit: if a 3rd party demands access to the providers resources, there are physically no user logs for them to look at
A less suspicious VPN will usually need to be paid for
Not always but if you aren’t paying for a VPN you should probably consider how the company supplying it makes its money.
Onion Routing:
- Requests are encrypted and sent through a bunch of intermediate routers
- The client uses symmetric-key encryption with a unique key for each node in the route, so only that node can strip its own layer from a data package
- 3-node onion route: client encrypts the message 3 times, once with each key.
Node 1 receives a 3-times encrypted message, peels off 1 layer, realises it’s still garbage and passes it to the next node.
Repeat until the 3rd node decrypts and can read the actual request, which it then makes
- On the way back:
Server responds to Node 3
Node 3 encrypts with its key and passes on, and this repeats until the client receives a 3-times encrypted response from the server; but the client has all the keys, so it can decrypt it and get the server's unencrypted response to the original request.
- Effective: restricts what any node in the chain knows.
Anyone who listens to the traffic on node 2 only finds out that it’s a node in an Onion route that passes encrypted messages to its 2 neighbours. They don’t know me or the server and can’t decrypt the messages without the keys
- Ineffective:
logging in to a website means that website knows, if you were successful, that it’s most likely you
Eavesdroppers still don’t know, but Facebook knows since you just typed your username and password
So, this undoes the effect of the server not knowing the client
Timing attacks:
Eavesdrop on entry and exit nodes.
If I see someone connecting to an entry node, and then I look at a node and see it’s connecting to a website almost immediately after, you can begin to compare the timing of requests.
After doing this for a while, you can begin to piece together what someone is doing even with onion routing.
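The 3-node route described above, as an added example that is not part of the original post: the client wraps a request in three layers, each node peels exactly one and learns only its next hop, the last node sees the request, and on the way back each node adds its layer so that only the client, holding all three keys, can read the response. The cipher here is a toy SHA-256 counter-mode stream (a real onion router uses a proper symmetric cipher and negotiates a fresh key with each node), and the keys and node names in `ROUTE` are constructed.

```python
import base64
import hashlib
import json
import os

NONCE_LEN = 16


def _keystream(key, nonce, length):
    """SHA-256 in counter mode: a toy stream cipher standing in for the
    symmetric cipher a real onion router would use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Add one encryption layer: nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unseal(key, blob):
    """Remove one layer that seal() added with the same key."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def build_onion(hops, request):
    """hops: [(node_name, node_key, next_hop), ...] in path order.
    The last hop's layer goes on first, so the first hop's layer is outermost
    and each node can only ever read the next-hop label meant for it."""
    blob = request
    for _name, key, next_hop in reversed(hops):
        layer = json.dumps({"next": next_hop,
                            "payload": base64.b64encode(blob).decode()}).encode()
        blob = seal(key, layer)
    return blob


def peel(key, blob):
    """What a node does on the way out: strip its layer, read its next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], base64.b64decode(layer["payload"])


def run_circuit(hops, request, server):
    """Simulate the forward and return paths of the 3-node route.
    Returns ({node: (next_hop, saw_plaintext_request)}, response_at_client)."""
    observed = {}
    blob = build_onion(hops, request)
    for name, key, _ in hops:
        next_hop, blob = peel(key, blob)
        observed[name] = (next_hop, blob == request)
    response = server(blob)                  # the last hop makes the real request
    for _name, key, _ in reversed(hops):     # each node re-wraps on the way back
        response = seal(key, response)
    for _name, key, _ in hops:               # client holds all keys; node 1's layer is outermost
        response = unseal(key, response)
    return observed, response


# Constructed keys and route; a real client negotiates a fresh key per node.
ROUTE = [("node1", b"key-for-node-1-0", "node2"),
         ("node2", b"key-for-node-2-0", "node3"),
         ("node3", b"key-for-node-3-0", "server")]

if __name__ == "__main__":
    seen, resp = run_circuit(ROUTE, b"GET /index.html", lambda req: b"200 OK: " + req)
    for node, (nxt, plain) in seen.items():
        print(f"{node}: forwards to {nxt}, sees request plaintext: {plain}")
    print(resp)
```

The `observed` map is the point of the exercise: node 2 learns only that it forwards to node 3 and never sees the request, which is exactly what an eavesdropper on node 2 is limited to. It also makes the limitations above concrete: nothing in the protocol hides the request from node 3 (so logging in to a site identifies you to that site), and an observer timing node 1's inbound and node 3's outbound traffic is working outside the encryption entirely.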
B.
0 notes
Text
PM Lecture Week 8:
WE DID OUR PRIVACY SPEECH!
Digital Forensics:
Stages of investigation: 
Acquisition – duplicate the data source so you can take a clone away
Put a write blocker on the data so it can’t be changed after acquired
Analysis
Reporting
Types of forensics: memory forensics, data forensics
Tools for Digital Forensics: for taking snapshots of target and analysing the snapshot
Image of a USB: in a FAT32 file system, a deleted file's directory entry has its first character replaced with 0xE5 (displayed as sigma) to show it is deleted; the data itself isn't fully removed from the system
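To make the FAT32 point concrete, here is an added example (not from the lecture) that walks a directory region of a FAT image, reads each 32-byte 8.3 entry, and flags the ones whose first byte is 0xE5 while keeping their remaining name, starting cluster and size, which is what a recovery tool works from. The directory bytes in `SAMPLE_DIR` are constructed with the `make_entry` helper; the field offsets used are those of the standard FAT directory entry.

```python
import struct

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F   # VFAT long-filename fragment, not a file entry
DELETED_MARK = 0xE5     # first byte of a deleted entry (shows as sigma in CP437)


def _decode_name(raw11):
    """Turn the 11-byte padded 8.3 name into NAME.EXT form."""
    base = raw11[:8].rstrip(b" ").decode("ascii", "replace")
    ext = raw11[8:11].rstrip(b" ").decode("ascii", "replace")
    return f"{base}.{ext}" if ext else base


def parse_directory(data):
    """Walk 32-byte FAT directory entries until the 0x00 end-of-directory marker.
    Deleted entries are kept and flagged; their first name byte is unknown."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break
        attr = e[11]
        if attr == ATTR_LONG_NAME:
            continue
        deleted = e[0] == DELETED_MARK
        raw_name = (b"?" + e[1:11]) if deleted else e[:11]
        (hi,) = struct.unpack_from("<H", e, 20)    # first cluster, high 16 bits
        (lo,) = struct.unpack_from("<H", e, 26)    # first cluster, low 16 bits
        (size,) = struct.unpack_from("<I", e, 28)  # file size in bytes
        entries.append({"name": _decode_name(raw_name), "deleted": deleted,
                        "attr": attr, "first_cluster": (hi << 16) | lo, "size": size})
    return entries


def recoverable(entries):
    """Deleted entries that still point at a starting cluster and carry a size."""
    return [e for e in entries if e["deleted"] and e["first_cluster"] and e["size"]]


def make_entry(name, attr, first_cluster, size, deleted=False):
    """Build a constructed 8.3 directory entry for the demo."""
    base, _, ext = name.partition(".")
    raw = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    e = bytearray(ENTRY_SIZE)
    e[0:11] = raw
    e[11] = attr
    struct.pack_into("<H", e, 20, first_cluster >> 16)
    struct.pack_into("<H", e, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


# Constructed directory: a long-name fragment, a live file, a deleted file, end marker.
LONG_NAME_FRAGMENT = bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LONG_NAME]) + b"\x00" * 20
SAMPLE_DIR = (LONG_NAME_FRAGMENT
              + make_entry("NOTES.TXT", 0x20, 5, 1234)
              + make_entry("SECRET.DOC", 0x20, 9, 4096, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        state = "DELETED" if entry["deleted"] else "live"
        print(f"{entry['name']:<14} {state:<8} cluster={entry['first_cluster']} size={entry['size']}")
```

Run it on bytes read from an image acquired behind a write blocker, never on the live device, so the parse cannot alter what it is examining. Note that some drivers zero the high cluster word when they delete a FAT32 entry, so `first_cluster` on a deleted entry may be truncated to its low 16 bits.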
Content:
Continuing with systems: Richard tells a 45 minute story
3-mile island – look at accidents & consider the biases of people leading to the accident
Nuclear reactor – very complex -> problems when first starting up
The 2 people running the machine sued each other for incompetence
If the core got too hot, components would start to melt and become unsound
China syndrome – the core melts so hot that it burns through the ground all the way to China -> h/w: where in China is opposite where in America?
Done a check of the system 2 days before, and left the system in a state that couldn’t perform emergency task – latent error (no indicator of pumps going into closed pipes)
When you’ve made a mistake, you’re likely to make it again, and only a new set of eyes can notice it
Computing, nuclear reactors, sea vessels, etc: these are all complex systems – and we see that humans cause/don't notice these systems' failures
Everything’s in a rush to be made, and so the quality/integrity can suffer
You cannot make a complex system failsafe, we can only build a system and make it harder for them to fail
We should not focus on scapegoats, we focus on “if something does go wrong, how can we limit the impact”
Work out important assets and put all resources into defending them
Assume you’re going to be breached, & set it up so it won’t cause disaster
Don’t build a data lake, where the attacker can access everything if they get in
B.
0 notes
Text
AM Lecture Week 8:
China syndrome movie will be in exam, must watch
Content:
When something goes wrong, we do a Root Cause Analysis:
Attempt to identify the root cause so that we can prevent something going wrong again -> works if done like an engineer, not like reactive, patching peasants
Causes in descending order of how often they’re told:
#1 Human/user error: sack the person, because system is fine
Humans like a villain so we often accept this
Attacks will be because of human error, but not just one human
'Last touch' – the person who comes through the door last is the dog's favourite
#2 Culture – we don’t have the right culture is a cop out as well since it’s no one’s individual fault, we can all be blamed and all not take action
“Let’s pay heaps of money to consultants to educate our staff to improve our culture”, “all our traders are now ethical, they passed the multiple-choice quiz”.
These first 2 have truth, but you can't focus on them
#3 The whole system – at fault, too complex, tightly coupled
More human weakness:
Dishonesty: people lie, especially to themselves
Honour code – sign up to a uni pledging that you won't cheat or plagiarise and such. Do a test, and then mark your own and report what you got to the uni. If you do the test and sign the honour code at the end, you are less honest than if you sign the honour code before, and then sit the test.
If you put the reminder at the top of the page, Stanford and Princeton were both honest, and if you didn't, they weren't; even though Stanford didn't actually have the code, if you told them they did, they were as honest as Princeton.
For Princeton, which has the honour code and has students shoved full of it, it made no difference.
Most people get away with dishonesty by convincing themselves that they aren't dishonest
Misdirection and limited focus: we can't focus on many things:
in any situation, there are usually more salient points than we can focus on. Like the lights are out, a crisis occurs & we can only look at areas of crisis with a torch.
Then we are subject to misdirection: humans should focus on what is logically important, but we tend to focus on salience (what grabs our attention)
Social engineers and magicians take advantage of this -> get you to focus on the wrong things.
Similarly matching: try to match what is happening to something you’ve seen before and then respond in the same way without thinking.
We have small working memory – so our brain tries to move things out of focus as early as it can so our body can automatically respond
Frequency gambling: we are trying to recall a pattern that describes what is happening now. But when we see something new, our brain still tries to pick a pattern, so if there are 17 patterns, we pick the most commonly used pattern in the past, which might not be useful.
Quite natural and can be useful – as soon as we hear a lion roar, we run as fast as possible away from the sound
Asking physics postgrads and random people a practical physics question in the real world – they all got it wrong, but the physics students in a theory/exam environment think logically and get it right
Dropping a pencil, can usually grab it mid-air in a split second by pattern matching
This works, but is bad when a new threat occurs; then this might be a detriment
Attacks vs. Accidents – attacks have intent, but accidents are somewhat random
An adversary is adaptive and clever; when we program security we assume that everything we aren't controlling will be exploited against us.
Programming Satan’s computer – if you engage in a strategy that is unsafe, you will be caught
Satisficing and bounded rationality: we generally accept that good enough will do, we don’t go for the best possible outcome
We tend to try to verify a generalisation not falsify it
Confirmation bias
Groupthink syndrome – how your behaviour changes when you are in a group
When you value group membership and acceptance more than getting things right, you don’t want to cause problems and feel pressure to comply
We design systems such that if we experience human error, it isn’t catastrophic
System Error:
A normal accident: this is just going to happen, we can’t really stop it from happening  
Someone is hit in a car crash, ambulance is diverted, given the wrong drugs and died -> it’s not always last touch, it’s everything/the whole system is at fault
If your culture punishes/blames, you'll never learn from these & fix your system
Best way to design a system: High coherence, low complexity, loose coupling in a design, means the code is not brittle and can respond to changes better
Your security system is resilient in response to adverse circumstances
Resilient to common-mode failure (1 cause -> lots of problems)
Looking back, everything seems clear – every little point seems salient because you know the outcome, but when you’re actually dealing with a case study, you need to look for the important things
Humans simplify - as we tell stories again and again, we simplify more, drop things we don’t think are salient and exaggerate things that we believe are
We often plan for fewer contingencies than actually occur
Hindsight bias: having seen the event's impact before -> tend to overestimate its likelihood
Latent errors: an immediate response to something bad, but the impacts of it aren't felt until later -> these are the hardest to detect and remedy since the failure was invisible
Can make defence in depth more dangerous – since if something goes wrong but the impact is saved by something else, you can’t detect a fault in the initial thing
Automatic safety devices -> operators losing their skill. If something then goes wrong, we don’t have enough skill to deal with the crisis. 
Humans as the last line of resort isn’t good, all these extra systems to prevent crises -> worse crisis response from people
As we plan for the future, we are really planning for reoccurring past events
Learn about Chernobyl accident for exam
B.
0 notes
Text
Facial Recog vs. Opal (The Final Frontier)
Ultimately an efficiency versus privacy battle.
On one hand, I hate the lines to get off at Central station in the morning to get to uni. But do I hate them enough to let my face be my ticket? Not really.
I can understand that using facial recog would stop fare evasion and speed up traffic during busy times. But then I think you're probably putting a whole bunch of transport officers out of work as a result, and storing everyone's faces. Overall, I'd rather wait the extra 20 seconds either way to get through a station than have my face be used by transport as my Opal ticket; it seems a bit overkill.
B.
0 notes
Text
Facebook data file received:
The analysis on it is coming soon, for now I just love how even in the email 
[image]
it says keep the file secure since it has private information. It’s kind of like Facebook saying “Hey all this information you don’t want people to know, it’s our little secret ok?”, so now all my info is a little secret with one of the biggest companies in the world in terms of staff who presumably can access user data, and resources to use that data however they want. bUt iTs jUSt oUR liTTLe sECreT.
B.
0 notes
Text
Biometrics Homework (Week 7):
My god, week 7 has a lot of homework.
Biometrics can currently be used in the form of:
Fingerprints
Photo and video: used in facial recognition and retina scans
Physiological recognition: Facial recognition, hand geometry recognition, iris or retinal scanning, palm vein recognition, and ear recognition.
Voice
Signature - I signed my internship contract digitally
DNA
So we can see that biometrics is already being rolled out pretty heavily. Let me just pick on 2 examples that raise some concerns I have with biometric authentication.
There is a country (I think in Asia) that currently has shopping centres with no form of checkouts. It operates kind of like this WeChat powered store: https://www.businessoffashion.com/articles/china-edit/chinas-store-of-the-future-has-no-checkout-no-cash-and-no-staff
except the huge difference is that you walk in and the cameras in the store recognise your face, recognise what items you're taking off the shelves and then link the face to an account that is directly charged for the items. This is getting a bit too 'big-brother-y' for me.
Another example raises concerns about the potential for things to go wrong. I was perusing my tagged photos on Facebook and there was one with a group of people. When I read the comments on the photo, one of them was a photo comment from someone in the photo. It was a screenshot of Facebook asking him whether he would like to tag his brother in the photo, but his brother wasn't in the photo and the suggested tag area was on his own face. This is a pretty harmless example, but you can see just by combining the two examples that the consequences could increase pretty quickly, i.e. you get charged for someone else's groceries.
B.
0 notes
Text
Week 7 Lecture Homework:
read up about the NSW LPI and think about what assets they have and what risks arise from them having been privatised  
Important information: 
“responsible for land titles, property information, valuation, surveying, and mapping and spatial information in the Australian state of New South Wales. From 1 July 2017, the operation was transferred to Australian Registry Investments, a private consortium, under a 35-year concession with the NSW government.”
“The community, business and government rely on this information for a variety of purposes including land management, conveyancing, property development, investment, local planning, state economic and social development and historical research.“
Assets:
Records of property ownership and information 
Addresses of people
historical ownership and prices
Property valuations
Physical land
Risks from Privatisation:
When a public agency like this goes private, you have to consider how its interest in profit might compromise the integrity of the previously state-owned service. When state owned, the operation is primarily funded by budgets, which are in turn financed by tax and borrowing, so there is less need and incentive to make money off providing the service in the first place - just like when university used to be free.
So now that LPI is private, we consider how they might want to flex their money making bicep, and how the assets might be compromised as a result.
As property changes hands, the price of transferring land titles and all the admin the LPI used to perform is likely to be higher now that it is a private service that is a monopoly. There is no other land titles agency in NSW so the benefits of competition can't be felt, in that there is no reason for the private company to lower prices; in fact, prices have risen for the service since the privatisation.
Since private, there is no responsibility for the new LPI to want to preserve the environment, and so development may occur at the expense of natural resources
A private company now has access to all the residents on every piece of land
B.
0 notes
Text
Hacking the Pants Off Barbara:
OAuth is essentially a system that allows one service to grant access for another service to have access to select parts of someone’s data. For example, when you sign up for Spotify with Facebook, Facebook is giving Spotify access to your basic information, like birthday, email, password, etc.
So how can we use this to break Barbara’s security system: 
Reconnaissance:
Barbara always signs up for new websites with ‘sign up with google’
This is a single point of failure, if we get her google account, we get everything
According to the research, people don't realise that fake websites can request the login credentials of the Google account, when the real ones shouldn't ever, since the point of OAuth is to prevent this
One way to hack Barbara could be through a phish. We could send her an email from a fake Google service, like Maps, saying something like "update your home address for Maps to find your route faster", something believable like that. Then we could click something like "forgot my password", and the home address could be used to break security questions, so we can reset the password and boom, the accounts are all ours.
The maps thing is just an example, if we dig into her account and find different security questions, we can pose as a different service with an equally as legitimate query into her account.
Another strategy could be shoulder surfing, using keyloggers, a more direct email phish to acquire the password, or write a fake website that requests the password in order to obtain the data.
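The defensive counterpart to the reconnaissance above is the check Barbara should be making before typing a Google password anywhere: a genuine OAuth flow sends you to the identity provider's own origin over HTTPS and then back to the application, and the application never receives the password itself. The added example below (not the post's code) audits a login URL for the lookalike hosts, plain HTTP and `user@host` tricks a phishing page relies on, and checks that an authorization request's `redirect_uri` points back at the app you meant to sign in to. `accounts.google.com` is Google's real sign-in host; the paths, query values and `.example` hosts are constructed.

```python
from urllib.parse import parse_qs, urlsplit


def audit_login_url(url, idp_host="accounts.google.com"):
    """Return the reasons a page asking for identity-provider credentials should
    not be trusted. An empty list means the URL passed these checks."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not served over https")
    host = (parts.hostname or "").lower()
    if host != idp_host:
        # Catches accounts.google.com.evil.example, accounts-google.com, etc.
        problems.append(f"host is {host!r}, not {idp_host!r}")
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ really goes to evil.example
        problems.append("URL carries user@ before the real host")
    return problems


def redirects_back_to_app(authorization_url, app_host):
    """An OAuth authorization request should send the user back to the
    application's own origin over https once consent is given."""
    query = parse_qs(urlsplit(authorization_url).query)
    redirect = urlsplit(query.get("redirect_uri", [""])[0])
    return redirect.scheme == "https" and (redirect.hostname or "").lower() == app_host


if __name__ == "__main__":
    # Constructed URLs: one genuine-looking sign-in and three phishing shapes.
    candidates = [
        "https://accounts.google.com/signin?hl=en",
        "http://accounts.google.com/signin",
        "https://accounts.google.com.maps-update.example/signin",
        "https://accounts.google.com@maps-update.example/signin",
    ]
    for url in candidates:
        print(url, "->", audit_login_url(url) or "ok")
    consent = ("https://accounts.google.com/authorize?client_id=abc"
               "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&state=xyz")
    print(redirects_back_to_app(consent, "app.example"))
```

The host comparison is deliberately exact rather than "ends with google.com", because a subdomain the attacker controls under a look-alike registered domain is the usual phishing shape; the `redirect_uri` check is the relying party's side of the same idea.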
B.
0 notes
Text
Spot the Fake:
Something that was faked: Social Media Accounts
Twice in my life, I've come across fake accounts that were claiming to be friends of mine.
The first was in year 8, and one of my friends made a Facebook account under the name of one of my other friends (both knew about it and were part of the joke) to deceive everyone else in our year. From then, there were two Ollie Michaels in my year; here's how it was done:
Since the two were already friends on facebook, the impersonator had access to all the real Ollie’s photos and other data, making it very easy to download everything and re-upload it on the second account.
Then the fake Ollie began to comment on the real Ollie's posts and pictures, telling him to stop pretending to be him
While this was happening, you could obviously check the upload date of all the posts, but:
If you were to receive a message from a person with the correct name, with the correct profile picture, you’re probably going to see what you expect to see, and believe it is them.
The second time was when one of my friends told me someone was pretending to be them on tinder. This one was more scary because we still don’t know who the person was, just that they were a ‘catfish’. How this was achieved:
Going to my friend's Facebook profile and finding any photos that were set to public
Post them to a fake tinder account, and use a fake name, and a fake bio to convince the public the person is who they say they are.
B.
0 notes
Text
Google Yourself:
My data is being prepared by Facebook; I downloaded it in JSON so that I can write some Java to do analysis on it if I want. When it arrives I will post again. B.
0 notes
Text
Social Game: Module 4
My tactic for this game would be to try and make the phishing questions seem like the logical follow up question to an ice-breaker/normal conversation question.
For example: My friend from a semester-based uni just got back from Canada, so I’d ask “How was the trip?” <then he’d tell me how it is> and then i’d go “Oh man, I’m so jealous, was that your first overseas trip?” <and he’d answer> and if it wasn’t then i’d go “Oh nice, where was the first trip to then?” [4 points].
Another example: in the same light, I could say "Oh man I can never sleep on planes, do you sleep or just find stuff to do?" and then follow up with "Do you get to do any reading on the plane?", if yes:
- “Oh nice, is that your favourite book?” -> “Oh so what is then?”
if no:
- “So you’re not a big reader then, do you have a favourite book?”
[4 points].
B.
0 notes