“Puss in Boots” and social engineering
The furry trickster was a 21st century hacker in disguise.
I read a lot to my kids, and “Puss in Boots” is one of those timeless tales we all enjoy. The plot is imaginative and has a good hook. However, if you scratch the surface, it happens to have an interesting dark side. Next time, I invite you to read it with a different mindset and shift your perspective: in my opinion, it is a very educational piece addressing human nature, confidence tricks, (cyber-)security and social engineering. Some of the events described on it could happen right now in any actual corporation or government. If you wish to revisit a classic from a different perspective, introduce your kids to some of the concepts above in plain terms or just silently overthrow a government, just keep reading!
The miller’s family
The miller’s family is dysfunctional, to say the least. The father must have some severe parenting issues because he leaves his youngest son utterly penniless. From a current perspective, the father’s will would be void in many countries as he effectively disinherits him. Some legislations do not recognize freedom of testation: simply put, the testator cannot dispose freely of his estate because a portion of it must be divided following the law, which typically provides a fair split among the natural heirs. This is a concept that originated in Roman law and still endures. If there were an entire mill and several mules at stake, sure that a simple cat does not qualify as a fair share. Legal issues aside, the older siblings, far from helping his brother, kick him off the house to fend for himself. So nice and exemplary of them.
The youngest son
Granted that he is going through a rough patch, but it is also true that he does not raise a finger to change his luck. He sits on his hands and lets the cat do as he pleases, blindly following his bidding. Surprisingly, at the end of the tale, he possesses riches, a title of nobility (“Marquis of Carabas”), the princess’s hand and, consequently, a direct succession line to the throne. All this is quite surprising for a spiritless youngster whose only achievement is inheriting a silver-tongued cat. He lacks ambition, has no merits, nor is he entitled by birth to hold such position. In that sense, “Puss in Boots” is an amoral tale because there are not plainly “good” or “bad” characters to identify with, and this is very didactic because you have to build your own opinion.
The cat
Honestly, is the cat a hero? He is a con-artist. A very successful trickster, indeed. Everything he accomplishes is by manipulating other characters. He is versed in deception, flattery, threat and theft and engages in them without remorse. While his means are reprehensible, his ends are fair at the very least: to assist his hopeless master.
The cat excels in pushing the right buttons at the precise time. Humans have certain flaws of character that may be easily exploited. For example, he takes advantage of the guards’ credulity and irresponsibility to enter the castle without being vetted. The king gives clothes to the naked young man without questioning his alleged identity out of compassion and some credulity too. The ogre is tricked into turning into a mouse on account of his vanity. These are not the only levers that a con-artist may exploit: there are also greed, dishonesty, opportunism, lust or desperation, to name a few.
The castle
The cornerstone of every scam is tricking the victim into an error of judgement, which is typically caused by imperfect information (conveniently fed by the perpetrator) and the victim’s cognitive biases. There are well-defined stages in every con. Two of them take place in the king’s castle: the approach, or initial contact with the victim, and the build-up, when he is lured into the trap.
From a security standpoint, the garrison of the castle is a bunch of fools. The “Marquis of Carabas” is a bogus identity, an absolute fake. Despite that, a complete stranger (the cat) is not only allowed to access the premises for months but also makes regular gifts of game to the king himself on behalf of the alleged marquis, without raising even the slightest suspicion. He is never vetted nor subject to a background check. Should he be an assassin, he could have poisoned the king anytime. Day by day, he legitimates and consolidates the fake identity of the “Marquis of Carabas”. This careless security oversight is key in establishing trust and the catalyst for subsequent events.
The fine clothes and the ride
The cat asks his master to bathe naked in the river and hides his clothes afterwards. Then, he stops the royal carriage under the pretence that his master has been robbed and requests the king’s assistance. This event exemplifies an essential stage in every scam, the “hurrah”. It is an artificially induced crisis to force the victim to take a rush decision. The key parts here are the imperfect information the king has received (the existence of the marquis), his own character (compassion, credulity) and the need to act quickly (a friendly marquis has been robbed and he is naked in the middle of nowhere).
Do not underestimate the effectiveness of the time pressure. The artificial sense of urgency is a frequent element in nowadays phishing attacks. Who has not received an “important” email such as “if you do not log in here and update your personal information in the next 24 hours, your account will be deleted”? If you are in a hurry, it harder to notice that the link is utterly unrelated to the service and the sender’s email address is not legitimate. Take your time, double-check with the provider if you have to (through another channel) and don’t fall for it.
We all know the rest of the story: the king, who has been receiving the gifts for months, does not suspect foul play and gives him luxurious clothes. Interestingly, they serve as a token that allows the impostor to authenticate as a royalty member, who he is not (another serious mistake). Later on, in a magnificent suit and acknowledged as the Marquis of Carabas by everyone, the young man sits next to the princess, who eventually falls in love with him.
The ogre
This episode is remarkable because it comprises the “corroboration” phase. On the one hand, the cat compels the ogre’s peasants into supporting his story in front of the king. On the other hand, the cat usurps the ogre’s castle and estate for his master, pushing the king further into the scam.
The almighty ogre is tricked into relinquishing his power and shapeshifting from a lion into a harmless mouse. To that end, the cat exploits the ogre’s vanity. This is fascinating because the author describes some kind of privilege escalation attack centuries before computers were even invented. In this analogy, the cat is a hacker, and the ogre is a super-user who is lured into an account takeover. This is another valuable takeaway: since building a whole identity and reputation from scratch is costly, why not hijack someone else’s? Today, this is not uncommon as internet domains and web pages are often subject to these attacks.
We all know the end of the tale: once in the marquis’ castle, the gullible king spirals farther down into the trap and eventually gives the marquis the princess in marriage.
Final thoughts
“Puss in Boots” is a surprisingly multi-faceted tale for children and adults alike. Most of the concepts in it are timeless and can be easily translated into today’s world. Although centuries have passed since this story was written, the virtues and flaws in human nature are remarkably constant through time and space. The cat’s tricks in the story might be employed in current technological attacks by hackers and state agents.
Thank you for reading and feel free to leave any comments!
References
[1] https://en.wikipedia.org/wiki/Puss_in_Boots
[2] https://en.wikipedia.org/wiki/Freedom_of_testation
[3] https://en.wikipedia.org/wiki/Confidence_trick
[4] Orbach, B., & Huang, L. (2018). Con men and their enablers: The anatomy of confidence games. Social Research: An International Quarterly, 85(4), 795–822.
[5] Smith, E. H. (1922). Confessions of a confidence man: A handbook for suckers. Scientific American Publishing Company.
[6] Opie, I., & Opie, P. (1974), The Classic Fairy Tales, Oxford and New York: Oxford University Press
[7] Bettelheim, B. (1977) The Uses of Enchantment, New York: Random House: Vintage Books.
[8] https://www.kaspersky.com.au/blog/operation-puss-in-boots/23550/
