Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Social Engineering in the Workplace 316

An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"
This discussion has been archived. No new comments can be posted.

Social Engineering in the Workplace

Comments Filter:
  • by glaserud ( 66891 ) on Sunday May 16, 2004 @04:10AM (#9165750) Homepage
    If a stranger could do that, I'd follow his example. :)
    • Re:If so, me too (Score:2, Insightful)

      by acceber ( 777067 )
      Just imagine, if a true story like that made front page news, half of us would be walking into our favourite shops and looting all the goodies, or at least trying, to see if it actually works.

      Then again, just imagine if that story got around to the managers of all your favourite shops...would they tighten security so that nothing like that happened to them? On second thoughts...

      As Isreal pointed out: No manager likes to do manual labor.

    • Shoplifting is Easy (Score:3, Interesting)

      by still_sick ( 585332 )
      A couple months back I bought a couple DVDs from Future Shop - Yes, I payed for them - but the de-magnetizing thing didn't do its job.

      Walked through the door - Alarms went off - but just for the hell of it I kept walking like I didn't notice (Yes, I DID pay for everything). Just one of those things where you want to see what happens.

      Both sets of automatic doors still opened for me, I think I heard one clerk yell out "Sir! Sir!", and that's it.

      Calmly walked through the parking lot, nobody followed me.

      Eve
      • by AuMatar ( 183847 ) on Sunday May 16, 2004 @02:17PM (#9168384)
        They're actualy trained NOT to do anything if you don't stop. Putting their hands on you is grounds for a lawsuit, especially if you're innocent. And most of the time the person is innocent, the demagnitizer just didn't work.

        They also have no right to search your bags as you leave, ala Fry's. Just keep walking, they won't stop you.
  • Stupid (Score:5, Funny)

    by divine_13 ( 680820 ) on Sunday May 16, 2004 @04:14AM (#9165758) Homepage
    "thousands of dollars in merchandise"
    Why merchandise?
    Just take the cash and scram! O.o
    • Re:Stupid (Score:5, Informative)

      by TinheadNed ( 142620 ) on Sunday May 16, 2004 @04:45AM (#9165849) Homepage
      Well, because while the warehouse guys and shop flunkies can come and go on a weekly basis, nobody, NOBODY ever gets to pay with the money. Two people are normally required to do the counting, and then it gets put in the safe.

      Also, while moving merchandise round is done everywhere in broadly the same way, the cash routines are normally more tightly fixed and less easy to predict. Also, the money has to be counted nice and carefully as the cashiers need to check they haven't screwed up during the day.
  • Yes it is (Score:5, Funny)

    by Soporific ( 595477 ) on Sunday May 16, 2004 @04:14AM (#9165760)
    Ken Lay did it to the tune of several billion dollars in California so I'd say it's very possible.

    ~S
    • Re:Yes it is (Score:2, Insightful)

      by divine_13 ( 680820 )
      The fact that someone once did it does not prove everyone else can do it.
      ;)
      • Re:Yes it is (Score:4, Insightful)

        by Dark Nexus ( 172808 ) on Sunday May 16, 2004 @04:23AM (#9165782)
        No, but that isn't what he was saying, was it?

        The fact that someone once did it proves that it CAN be done, and lends evidence that someone else can probably do it.

        There's a whole lot of space between only one person being able to do something, and everybody being able to do it.
  • Pages /. defended. (Score:5, Interesting)

    by Thornae ( 53316 ) on Sunday May 16, 2004 @04:17AM (#9165769)
    I love it. Load it up, the very first line of the page is "SlashDot defense provided by Nexcess.Net"

    There's forethought, with some free advertising thrown in.
  • by Anonymous Coward on Sunday May 16, 2004 @04:23AM (#9165781)
    No way. I'm too lazy to help the people I should be helping. Why would I help a stranger?
  • by Anarcho-Goth ( 701004 ) on Sunday May 16, 2004 @04:24AM (#9165783) Homepage Journal
    At the last company I used to work for they once showed us a video about the importance of information privacy, and how social engineering works. In this particular example, the person would have been caught right away because he was wearing a suit. No one wears a suit on our floor, unless they're having a job interview, or meeting with the executives or something.

    The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.

    You might need a security badge to get by a security desk, and a key card to get onto the floor. But people sometimes loose their badges and keycards and will be let by just this once.

    If you can get into the cafateria without any security stuff you can just go to lunch there for a couple weeks, get to know people's name who work in the IS departments, and maybe even come across a dropped security badge. You can then fordge your own to get to the elevators, and then wait for someone else to open the door to get by needing a keycard. (Assuming the badge you came across didn't also have the person's keycard.)

    Then getting information out might be easy. And at the company I used to work for you could probably steal hadware just by putting it on a cart. We had multiple buildings so it was common for people to be carting PCs from building to building. How many security guards would recognize the difference between a PC and a server?

    Unless you have security guards that require written permission for every single hardware move your hardware is not going to be 100% safe. And unless you have a zero tollerance policy on holding the door open for someone, your information is not safe. How many companies are willing to do this?
    • by Anonymous Coward on Sunday May 16, 2004 @04:31AM (#9165805)
      For entertainment, the people one of my friends work with started showing costco cards to the security instead of their id's. They tired of this as none of them ever noticed. Also, they've got such a poorly implimented network with so many different passwords, it's actually a pseudo-policy that they have them written down near their workstations. Once more many of them have local administrator access to their workstations. It's hard to imagine what people so motivated might walk off with.
      • by Walt Dismal ( 534799 ) on Sunday May 16, 2004 @04:42AM (#9165840)
        I once worked for a CBS subsidiary. They decided to improve security so we were all required to get our photos taken for badges. (This was before card reader badges.) One VP took a picture of his dog and pasted it on a badge. Next morning flashed it at the guard and walked through with no problem.

        A lot of people are blind to anything that does not look out of place in their limited world. And a lot of others are sheep to any authority that comes along, anyone with confidence and some acting skills.

        • by Detritus ( 11846 ) on Sunday May 16, 2004 @08:00AM (#9166374) Homepage
          I read a story about a military intelligence officer at the Pentagon who forged a security badge to test if anyone actually looked at them. He borrowed a Soviet KGB officer's uniform and had his picture taken wearing the uniform. He pasted the picture on the forged badge. He then wandered through the Pentagon wearing the forged badge. Nobody challenged him or took a second look at his badge.
        • by Dun Malg ( 230075 ) on Sunday May 16, 2004 @11:24AM (#9167441) Homepage
          One VP took a picture of his dog and pasted it on a badge. Next morning flashed it at the guard and walked through with no problem.

          When I was in the army as an intelligence analyst at an air force base, we had to go through a fancy turnstile every morning where an air force guard would take our badge, look at it, look at our face, look back at the badge, then give it back and let us through. One day my roommate and I were walking down the hall inside the secure building when a master sergeant stopped us, pointing out that our badges were switched. We'd long suspected that the guards at the gate just went through the motions of checking faces, but this proved they weren't looking AT ALL, because I am white and my roommate was black! We brought this to the attention of the major in charge of security. THe guards were a lot more diligent thereafter.

          • by beer_maker ( 263112 ) on Sunday May 16, 2004 @03:52PM (#9168861)
            While in the Marine Corps I was a student (and later an instructor) at an all-services training base run by the Air Force - with just such a turnstile/guardhouse at the classroom area. We never thought very highly of the SPs (Squadron Police AKA Sky Pigs) guarding the facility, but did our best to avoid the temptation of screwing with them ... it was just too easy.

            As a student, the worst stunt I pulled was when I noticed the SPs would come into the chowhall for lunch and just leave their M-16s at a table with their headgear & other junk. The USMC is very particular about always leaving a "complete safe weapon", so I strolled over, popped out the magazines, checked the chambers, and verified the selector was set to "Safe." The two "security specialists" didn't even notice!. The next day they came in and left the rifles again - so I made them safe again. To make the point more obvious, I removed the firing pins and left them sitting on top of the SP's jaunty black berets in the middle of their table. The look on their faces was priceless.

            Our commander was forced to order us to "stop helping the SPs", though he did so with a smile on his face. They stopped leaving the rifles out, at least while I was there.

            When I later returned to the same base to be an instructor they had a much smarter officer in charge of the guard force. Some of my students were telling me they had been drawing moustaches and/or sticking pictures on the front of their badges and getting in without being challenged, but before I could test this myself I was invited to assist the SP colonel in a little experiment: He asked me to check in (& out if possible) using a fake badge he had made up. It was a quality job, using the regular forms and professional lamination - but it said I was Vladimir Lenin (with his picture) and a member of the KGB!

            Sadly, I got right through - one of the guards touched the badge to verify I had one, but none of them looked at it. The colonel was so disgusted those guards were immediately pulled and sent back to their original training base. I wanted to keep the badge, but the colonel said he might need it again, if his guys got sloppy again ...

            I expected to get some flack from the other guards, but they all felt that "anybody that careless was no loss".

        • by Anonymous Coward on Sunday May 16, 2004 @02:29PM (#9168448)
          I guess I have to chime in with my story as well. I was working at a military base (as a contractor) and some of the uniformed guys had a contest to see what they could flash at the guards instead of their military ID and make it through. They started with driver's license and then somebody got through with a library card. The winner? Got through by flashing a piece of toast...
    • by dilweed ( 698689 ) on Sunday May 16, 2004 @04:33AM (#9165812) Homepage
      Correction: He wasn't wearing a suit. He was wearing a black polo and khakis, aka the casual corporate uniform.

      It's been said that with a hard hat and a clipboard you can get into nearly any building. This is just another example of that taken a step further.
      • Funny but true. (Score:2, Informative)

        by Anonymous Coward
        Homeless people near my university used to pass themselves off as grad students to steal scrap metal to sell to those who deal in such things. To pull this off, they left their carts near exits to the building, and proceeded as normal.
    • by JaredOfEuropa ( 526365 ) on Sunday May 16, 2004 @05:33AM (#9165948) Journal
      The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.
      A few years ago, a journalist showed how easy it was to get into the maximum-security area of the Prosecutor's Office in the Netherlands. It was as simple as forging a badge on a photocopier, checking out who went into that area, making sure he looked like he belonged there (no furtive glances, right clothes etc.). Then he just followed a guy into the secure zone, with the guy courteosly holding the door open for him. He was able to do this several times.
      And unless you have a zero tolerance policy on holding the door open for someone, your information is not safe
      That's just what they had in the military place I used to work. I notice that most larger offices and places with sensitive information are starting to use turnstyles and keycards, which amounts to the same thing. No badge = no entry. Forget your badge? You can get a 1-day pass at the security desk, but they will check your face against a photo on file, and require ID. Having reasonably good yet uncumbersome security is not that hard to implement for low-level security (i.e. against thieves). Problem is: many companies only pay passing attention to security (physical as well as electronic), and think one rent-a-cop at the door is sufficient.
      Unless you have security guards that require written permission for every single hardware move your hardware is not going to be 100% safe.
      Also becoming more commonplace... These days, the most popular target for thieves is laptops. Easy to carry, valuable, and it's the one piece of equipment the guards will expect people to carry out.
      • large companies too (Score:2, Interesting)

        by Anonymous Coward
        After I got my bachelor's I took a temp job with a caterer, just picking up stainless chafing tables and the like.

        One assignment was cleaning up a Christmas party at a big pharmaceutical company. While the guards were carding employees, they let me drive unasked onto the factory grounds in my unmarked van. I drove to the building, wandered around until I found my department, carted it into the freight elevator and loaded the van. This stuff was in boxes used for antidepressants. I walked through the wa
      • These days, the most popular target for thieves is laptops. Easy to carry, valuable, and it's the one piece of equipment the guards will expect people to carry out.

        Is it wrong for me to want to teach my company why a zero-tolerance policy is a good idea by stealing laptops until it's implemented?
    • by Anonymous Coward

      The federal government / armed forces aren't immune to this. I used to work at a building next to a Military Entrance Procesisng Center. (This was post 9-11). One of my buddies was a recruiting officer there. They have a strict policy that everyone gets 'stickered' if they don't have a government ID -- they basically plaster a barcode on you. (Inventory tag -- Recruit, Wet Behind Ears, 1)

      One time when I was visiting, I had my employee badge on -- which was the same approximate size as the government/milit

    • You might need a security badge to get by a security desk, and a key card to get onto the floor. But people sometimes loose their badges and keycards and will be let by just this once.

      And there is always the problem of tailgating. I've gone this myself. Our restaurant was in a separate building from the other offices. Access required swiping the keycard. But since there were so many people going in and out the door was more or less open all the time. In the end, security decided it was simpler to keep th
    • by dbIII ( 701233 ) on Sunday May 16, 2004 @07:14AM (#9166200)
      It can be very easy.

      I got into two power stations with no ID - in both cases because I was wearing overalls with a badge bearing the name of the former owner of the power plants (sold in one case, renamed in the other - but the same company in both cases). In both cases I was not working for the company owning the plant, but as a contractor. In one case I got the ID after going into the plant, in the other case I never got the ID since it was a one off visit.

      Both times there was a security guy that I had never met before on the gate. I just walked in as if I belonged there, and it's just as well for everyone that I did have a legitimate reason to be there (and needed to go inside to get the ID to go inside).

      The most dramatic theft I heard of at a workplace I was at was a diesel backup generator the size of a shipping container. It was located fifteen metres off the ground. The theives had to move a crane, get the generator, load it on a truck and drive out on the only road past the security gaurd on the gate and down the narrow neck of a peninsula.

      Customs at Sydney Airport, Australia had a couple of guys turn up and remove most of the servers over the course of many hours one night. That one still hasn't been solved, despite the intelligence community and two police forces getting put on the job - since it was after 9/11.

      • by jafiwam ( 310805 ) on Sunday May 16, 2004 @10:47AM (#9167206) Homepage Journal
        Your story reminded me of one my dad used to talk about.

        This was a paper mill, of the type that took trees and made them into paper.

        These mills typically have several large boilers to make heat and steam to do stuff, and there is a lot of paper scrap that gets created during cutting. The scrap is put in the boilers to burn it... getting rid of the scrap helping on saving of the other fuel (coal I think). So there's always guys moving the stuff around and everybody has a chance to see with this scrap looks like.

        So the guards catch a guy with a wheelbarrow full of this type of paper scrap attempting to leave with it. No printing on it, just big sheets or partial rolls of paper. They poke through it and let the guy go. (I don't know if he used to work there or worked there or what, but in any case there was no badge involved. It was the 70's so maybe they didnt have them yet.)

        The guy goes by the same few guards twice a week for weeks, each time getting his cargo inspected for contraband. No problems, sure you can have the paper scrap.

        At the end of the year, 102 missing wheelbarrows.

        Theft is not always what it seems to be at the time.
  • by RanBato ( 214181 ) on Sunday May 16, 2004 @04:29AM (#9165797)
    This is a great read! One has to wonder: Isn't it much easier to social-engineer ones way into a system than the "hacking" approach?

    How hard can it be to get usernames/passwords this way? And since we are in linux-land here: I would bet that more than half of the sysads here would open up their systems to the first pretty girl that would walk along their cubicle. Obviously she cannot be too pretty as that would be VERY suspicious.

    There are plenty of stories going around about people just walking into a server room, and taking a few servers [securitynewsportal.com] home with them. We even had one of those on slashdot here a few months ago ,something with the Australian customs office. And there is the now really famous French guy who used to simply walk in on high level government events and get his picture taken.

    But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...
    • by Anonymous Coward
      made me think for a moment this article was about how to score on chics and get laid ....
    • How hard can it be to get usernames/passwords this way?

      I read about early hackers in "Approaching Zero" (by Brian clough & Paul Mungo) It's been common practice amongst hackers since the 80's or before. I hope that since then companies have learned to train their staff to check people are who they say they are. However, lots of money has been lost by people being tricked by email into going to fake bank websites and entering their personal details. It's more or less the same thing.
    • One has to wonder: Isn't it much easier to social-engineer ones way into a system than the "hacking" approach?

      Definitely -- on top, less of a risk and cheaper.

      Somehow good social skills and good technical skills are mutually exclusive...

      Disagreed - a colleage is a therapist as well as a SAS-programmer currently evaluating mainframe performance (of installed systems) for an insurance company.

      CC.
    • This is a great read! One has to wonder: Isn't it much easier to social-engineer ones way into a system than the "hacking" approach?
      Often, indeed. Ask kevit mitnick..
      But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...
      Well.. ask kevin mitnick..
    • When I was doing support and needed someones username I always had to specifically ask them to *NOT* give me their passwords.
  • by 0x12d3 ( 623370 ) on Sunday May 16, 2004 @04:29AM (#9165798)
    I work tech support at an isp, and after reading Kevin Mitnick's "The Art Of Dection", I've had a keen eye for situations were social engineering could be going down, the thing is if policy dictates that you respond a certain way, you do so reguardless. The funny thing is how much more helpful other internal departments are if you use some social engineering techniques. Sometimes the billing dept. will help a save desk agent more than techsupport; sometimes a field rep. gets less lip than tech.support to escalate an issue. Guess it goes to show any tool can be used for good or evil.
  • by chamenos ( 541447 ) on Sunday May 16, 2004 @04:29AM (#9165799)
    What's the deal with calling cheating and conning people "social engineering"? Giving it a catchy name doesn't make it any more fashionable or acceptable. I guess we have the l337 underground crowd to blame for this idiotic euphemism.
    • by Anonymous Coward on Sunday May 16, 2004 @04:40AM (#9165833)
      This time the phrase conveys additional information. Engineering is probably best described as the art of applying science to control failure. A typical con, ala Matchstick Men, The Grifters, etc is all about craftsmenship, using the people. Where social engineering is all about a well planned design for a well understood system, using the bureaucracy. One is personal, one is impersonal, one depends on personal charisma, one depends on blending in.
    • It's a trend. More and more words are being euphemised.

      ??? -> W.C. -> Toilet -> Washroom/Bathroom.
      Dead-tree edition Hard copy. (Notice the direction of the arrows...)
      Bystander deaths -> Collateral damage.

      But in this case, I'd say it really is social engineering. You are conning not individuals, but a whole group of people.
  • by Sycraft-fu ( 314770 ) on Sunday May 16, 2004 @04:29AM (#9165800)
    Can you social engineer your way to getting some stuff from a store and get away without getting arrested? I've noticed that with most social engineering test the people leave themselves VERY exposed in terms of being caught later. I saw this with a coworker. He did a hypothetical social engineering/hacking scenario. It was all well and good excpet that I gaurentee that had he does it in reality, he'd have been thrown in jail
    since there were at least 10 people that could make an easy ID.

    It's one thing to BS your way in and steal some stuff, it's quite another thing to get out and not get ID'd or videotaped. This is where most crimes go wrong. It's not that the crime itself doesn't work out ok, the criminals often get what they want, it is the aftermath that goes wrong. The crime gets reported, an investigated, and they find out who did it, and that's all she wrote.
    • If this guy had been really good and didn't want to get caught, he would have parked a van somewhere off the security cameras, and convinced somebody via telephone to load the computers in it for him.

      "Hi, Charles asked me to have five computers transfered. Let me fax you some paperwork. The van is parked out back, could you have it loaded?"

    • The trick is not to make everyone immediately aware that their security has been compromised. You quietly install a keylogger and disappear. If they find it 3 months later, it will be very hard to find you on the tapes and for sure nobody will remember you for an ID.
    • by D.A. Zollinger ( 549301 ) on Sunday May 16, 2004 @05:16AM (#9165906) Homepage Journal
      Thats just it though. The way he engineered it, they NEVER would have known that he was the one who stole those computers. They would have been looking for some disgruntled employee taking some stock home after closing up, or accounting/inventory miscalculation, or ANYTHING other than him. He presented himself to be an employee with a legitimate reason for taking those computers out of the store.

      He presented a possible occurance, and explained it twice. Once to the stock boy, once to an assistant manager. Neither of them bothered to take a look at the "official papers" that he had folded up in his breast pocket, and he claimed that he had gotten those papers and authorization from accounting. Yet no one checked his story.

      This is the goal of social engineering. To use the system so that you can get what you want without raising suspicions.

      Lets just say, for arguments sake, that they did a full store inventory within the next 3 months, and found a discrepency. Where would you start investigating it? You wouldn't know when it happened. You wouldn't know how it happened. And because of how he pulled it off, no one would ever remember him. He blended in so well, and so convincingly, that by the time they finished their shift, they wouldn't have even been able to remember what he looked like. He was completely forgetable, and no one would have been the wiser. And if he was seen walking out of the store with a pallet full of computers by a video camera (assuming they kept tapes for that long), they would have seen him approached by an assistant manager who let him walk out of the store with the merchandice! And again, that is where the social engineering would have continued to work, anyone reviewing said tape would have seen him being checked out by the assistant manager, assumed the assistant manager was doing his job, and that there was a legitimate reason for him to take those computers out (even though the reviewer never heard the conversation). And 10 to 1 odds, the reviewer wouldn't even check with accounting to see if anyone was authorized to take 5 computers out of the store that day.
      • RFID tags on the merch. They realize it was stolen 2 months ago, check the logs to see exactly what time the tag left the door, and then look up the CCTV footage at that exact moment. Game, set and match.
        • IF they keep a video archive that long.

          However, you are correct. If they could find out when (very important), they have other tools at their disposal to investigate with. CCTV being one. With it, they could track the guy as he walks in, canvases the place, goes in the back to the break room, finds a uniform, and his "official document", goes to the warehouse, runs his act, gets his merchandice, walks through the store with the merchandice, stopped by the assistant manager, and finally through the fron
  • by Anonymous Coward on Sunday May 16, 2004 @04:30AM (#9165803)
    ..so we don't have stuff worth thousands of dollars sitting around. I'd wish that someone would steal some crappy old computers sitting around though. Please take away the Apple IIs...please..
  • by foniksonik ( 573572 ) on Sunday May 16, 2004 @04:33AM (#9165811) Homepage Journal
    Social Engineering "as we know it" is going to be impossible to combat or educate against.

    No amount of technology or education can or more accurately 'will' stop SE from being effective.

    The only hope is that most thieves are too dumb to use it.Those who are smart enough almost deserve to get away with it.

    SE requires knowledge of methods, practices and the weaknesses inherent in such.

    A smart business will simply acknowledge the existence of such and absorb minimal losses associated... and raise prices accordingly. Very similar to piracy of IP.

    It will happen and you can do very little to stop it and what you can do will cost you more than the loss involved.

    Soooooo.... minimize, minimize, minimize.... your losses as much as possible by identifying effective deterents and ignoring all else.

    I'm sure companies do this already.... co this may or may not have been an effective exercise... was it realistic in terms of statistical attempts to steal merchandise? Probably not though it can identify weak areas in security that can be improved to catch less skilled SE perps...

    • Not really knocking anything you say. I think your right, it is going to be impossible to combat or educate against (mostly). But I don't see how this is anything new? You con for money, you con for information, whatever. Social engineering seems like an old dog with a new, more marketable face.
    • use it for good (Score:3, Insightful)

      by kardar ( 636122 )
      after reading about stuff like this, I feel empowered and justified to never have any kind of unjust run-in with any less-than-ethical coworker or supervisor looking to gain by hurting others and putting them in unjust situations.

      the ability to talk your way out of anything, ESPECIALLY when you actually haven't done anything wrong, but are being used as a scapegoat or a target to help someone else look good, or say, for instance, in a situation where you may be eventually threatening you manager's job or c
  • When I read the title to this article, my immediate assumption was that "social engineering" referred to the misguided attempts by "progressives" to re-work society into a socialist utopia.

    "Social Engineering in the Workplace" could easily be an article about the problems created by such policies as affirmative action, or the reactionary knee-jerk responses to charges of sexual harassment or discrimination that are so common nowadays.

    I guess this is what happens when you're someone whose interests include
  • by some1somewhere ( 642060 ) on Sunday May 16, 2004 @04:56AM (#9165867)
    Well, I guess it comes down to how nice people are. If every person you passed asked for your identification, your papers, what you're doing here... hum... sounds like Germany back when...

    But seriously, you can get to the point of having people anal and trusting no one. Everyone is suspicious of the other, and while I suppose that is a good way to reduce theft, it also makes the place not very nice to work and shop or be around.
  • by nsebban ( 513339 ) on Sunday May 16, 2004 @04:59AM (#9165876) Homepage
    I'm not sure someone could walk out of my business with thousand dollars in merchandise, as I work at MacDonalds.

    It's a place where no worker will listen to any social engineering attempt, you know. And anyway, thousand dollars of McDonalds food will probably kill anyone, in horrible pain.
    • by 6Yankee ( 597075 ) on Sunday May 16, 2004 @05:57AM (#9166008)

      I'm not sure someone could walk out of my business with thousand dollars in merchandise, as I work at MacDonalds.

      If your store has a night shift like ours did (no managers), I virtually guarantee that someone could turn up with a white van and steal a whole set of vats. Our guys would have drained it for you and helped you put it in the van.

      In the McD's I worked at, we started inexplicably losing a few boxes of chicken nuggets a day. Management couldn't figure it out (surprise surprise), but it was obvious what was happening.

      I realised straight away that it wasn't going through the kitchen (even our managers would check the transfer paperwork, every time). Then I worked out that, with the freezer door wide open, nobody could see the fire exit. I pointed this out to the shift manager - and the pompous bastard searched me then and there. For months afterward, he would regularly pull me into the office and rifle through my rucksack.

      The lesson I learned from this was: If you discover a hole in the system, you either (1) keep your mouth shut, or (2) keep your mouth shut and exploit it. (Or, I suppose, (3) tell someone who will, um, appreciate the information.) Telling the bastards in management is too much trouble.

      Besides, I wasn't going to risk my job, even that job, over a few measly nuggets. Putting a JCB through the wall and ripping out the deposit safe was more my style. :)

      Footnote: that bastard shift manager went on long-term sick-leave. Our regional manager took our store manager to dinner, and who do you think was the waiter? He got fired from both jobs, as I understand it. Sweet.

  • by acehole ( 174372 ) on Sunday May 16, 2004 @05:02AM (#9165881) Homepage
    I worked at a finacial institution, with doors that can only be opened with swipe cards, these were on each floor.

    We were visited by a deaf woman (we assumed she was deaf from her speech, and her hearing aides, we learnt from the police that she was really deaf and was wanted in connection with other thefts) who was only just barely communicating that she was selling raffle tickets in something, no one knew sign language but let her in anyway assuming someone had let her in the building.

    She used the time during lunch when most people werent at their desks to take wallets, go through draws or whatever, for some reason i was having lunch there, being the cheap bastard I am, I didnt buy a ticket, but my co-worker did.

    For some reason I stood up to look at the woman operating from the otherside of the room, she looked a bit strange, she looked back so i sat back down. We found out later that she had her run of about 3 or 4 floors before someone challenged her being there.

    It was also a running joke for us asking the co-worker who bought a ticket if she had won anything yet...

  • Slightly OT (Score:2, Offtopic)

    by adept256 ( 732470 )
    Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?

    Offtopic...

    But this occurred in the last 24 hours.

    I live with some close friends in a 'share-house'. We all have common interests and we enjoy a fair deal of household harmony.

    Recently, I did a big favour for a friend by letting him store some of his belongings at my house while he moved.

    All of this was pr
    • Hope your roomie's grandma enjoys the new 21" monitor.

    • Right on the money. Totally classic drug scenario. Same thing happened to a friend of mine -- let an old friend, whom he knew was fucked up on drugs, stay at his place for a while. When my friend finally decided to tell the guy he had to go, the next day he found a bunch of his stuff missing, and the hard drive in his computer swapped out with another hard drive. I guess the junkie figured he could sell it with all the "valuable software" that was installed on it. Funny thing, he left a ton of CDs and DVDs
  • "I followed one of the girls as she was taking off her jacket so I could take a look at the coat rack."

    oh yeah baby take it off
  • by anubi ( 640541 ) on Sunday May 16, 2004 @05:43AM (#9165963) Journal
    About 20 years ago.

    It happened on a Saturday.

    White panel truck with appropriate lettering pulled up to corporate headquarters. Man wearing logo'd shirt gets out and approaches security guard, papers in hand. He is supposed to remove typewriters for cleaning, and is supposed to come back Sunday to return them. Papers are signed by an executive of that company.

    [ uh-huh. right name, but *that* executive has never even seen the papers. Its just a signature. ]

    Guard is cautious. Needs to call and check. Truck driver agrees to wait. Executive out of town. Guard says no-go. Truck driver says fine, just sign here that I showed up. Your company still must pay the $5000 fee for weekend overtime service as per the contract. ( Shows contract details to guard ). No biggie to me. ( Guard gets ansy. A lot of money, What's his boss gonna say about losing more money than his monthly pay just because he wouldn't let another man do his work? ). The guard refused to sign anything. The truck guy notes down his name from his badge, notes it on his form, looks at his watch again, dates and signs the form, and asks the guard to let 'em know he was there. Leaves the guard a business card, and mentions that the next available window to do the cleaning work on a weekend is about 3 months away. Another fee will be assessed for the next service. He tells the guard he has 50 people at his plant right now ready to clean typewriters, and when he gets back, he has no work for them, so he will pay them their four hours Union wage for showing up and send them home.

    The guard is really sweating now. He doesn't know exactly what to do, but he doesn't wanna find out he screwed up the company something fierce by keeping someone from doing their job, so he relents. He even helps load the truck!

    We never saw those typewriters again.

    The truck? Bogus plates. Plain white panel truck with vinyl stick on lettering. Run of the mill truck. The guy even had shelves in it made in such a way so he could load up the completely full. Seeing how professional the truck was equipped for the job impressed the guard and reassured him that everything was indeed on the up-and-up.

    The forms? Yes, lots of forms! Every typewriter was duly noted on its own form..serial numbers and all! Obviously our con-guy had gotten a hold of an inventory list, because every form indicated where the typewriter was. Why even a copy of each form was even left with the guard! The only traceable signature was that of the guard. There were other signatures on the forms, but no one ever found out who the actual signers were.

    Come Monday, Management was very puzzled and disturbed over the missing typewriters.. a little over a couple hundred of them. There were investigations. There were lots of phone calls to the non-existent phone numbers, people, and attempted visits to the addresses referenced to in those oh-so-professionally done forms.

    Yup, some clever guy invested in a couple hundred dollars worth of "movie props" and walked out with several hundred thousand dollars worth of nearly brand new IBM typewriters.

  • by weiyuent ( 257436 ) on Sunday May 16, 2004 @05:45AM (#9165969) Journal
    Social engineering isn't rocket science -- it boils down to exploiting the trust that exists between people. Smart-alec geeks and slashdotters seem to take pleasure in pointing out how stupid victims of social engineering are. Granted, many social engineering schemes are successful due to mere ignorance. But is it inherently stupid to trust people? Here's the problem: there are costs and benefits to an environment in which people don't trust each other.

    Yes, this Israel fellow demonstrated very well what happens when people trust each other too much, but what happens when you take it to the other extreme? You end up with stories about like Walmart where employees are locked in to prevent theft and can't call an ambulance when the forklift rolls on them. Some might think that it's worth compromising on a theft rate of, say .5% if it means being free of stifling bureacracy and draconian security. Given that, trusting each other is a choice we make because the risks it entails is, on the balance, worthwhile.

    That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key. If they did, they'd suffer more lost business than the cost of insuring against the occasional theft of a guest's belongings.

    Everything is a compromise.
    • That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key.

      Well, that may be the case in the hotels you have visited, but having worked at a hotel for more than a few years I can tell you that we had a policy regarding key-loss. The guest had to ID themselves. Furthermore we had CC style keys (the ones you swipe the lock with to open it), and if lost (or taken as a souvenir) were useless... there was no room number on it, and once we coded a new key, the old one was made invalid by default (we could make a copy of it too).
      This seemed to work out pretty well, because in the 3 years I worked there there were only 2 thefts, both in meeting rooms that were left unlocked by their occupants. Both cases were easily solved anyway, because we had the perpetrators on video (no the hotel is not a 1984 big brother fortress) and measures against the thieves were taken accordingly. 1 case was solved the same day, the other within a week.

      The hotel received very kind "thank you" letters from both companies that hired the meeting rooms, as well as new reservations for future meetings. Both companies involved heartily recommend that hotel still to other people if they need to hire a meeting room.
    • by Otto ( 17870 ) on Sunday May 16, 2004 @06:41AM (#9166122) Homepage Journal
      That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key.

      I used to travel a lot for work, and I've been to a lot of hotels, all over the country. All hotels nowadays use swipe cards or something along those lines, and if you lose your card, yes, you show ID to get back in. I've lost my card on a number of occasions (usually only to find it later hidden in the depths of my wallet) and they *always* prove that you are who you say you are. Some places are satisfied with a driver's license, but some require you to show the credit card you used to pay for the room, so they can compare the numbers in the computer to the numbers on the card.

      Maybe if you stay in a place that allows non-credit card transactions, but I haven't seen a place that'll take cash for a hotel room for years and years...
  • You don't need to train everyone. You just need to train the people at the door. I believe Best Buy has practices which might be similar to what is necessary to deter such behavior, but I could be mistaken.
    • by Sancho ( 17056 ) on Sunday May 16, 2004 @06:26AM (#9166079) Homepage
      At our local Best Buy, the people at the door pretty much only stop you if they think you're carrying something out and they didn't see you at the checkout lane. I notice this all the time.. if I'm exchanging something, frequently I'll be stopped and they look at the receipt. But if I stop at the register first because I'm also buying something else at the same time, they never stop me. I imagine it would be simple to just walk out with a hard drive or two if I bought something else, first, telling the cashier that I had made an exchange earlier (explaining the extra package that he/she isn't scanning.

      Disclaimer: It's not something I'd EVER do, but it's the pattern I noticed because I do, in fact, buy a lot of shit from Best Buy (and conversely, have to exchange a lot of malfunctioning electronics)
  • If you're interested in social engineering attacks(and how to defend against them), Kevin Mitnick's The Art of Deception [amazon.com] is a must-read. The book is all about the human-shaped holes in security systems, and has almost nothing to do with computer-based hacking. The example security policies at the back are worth the price of admission - and the book's war stories make it easy to explain why these procedures are necessary.
  • We are a small company and we know everyone who comes in and out of the office. If we don't we don't let them to far past the front counter. But that is also because we fix our own stuff and we only let employees into were the expensive stuff is. But doing subcontracted calls for other companies I get to walk into a company say I am from a company that I don't work for, then I Fix their gear then leave, Sometimes if there is a major problem I take the gear then bring it to the office. Now that is fine be
  • by RandoMBU ( 740204 ) on Sunday May 16, 2004 @06:07AM (#9166028)
    Social Engineering has long been known as the #1 reason for a breach of security in areas where classified information is available. My current place of employment requires security clearance to even apply for a job, and there are strict physical security measures seperating classified and unclassified areas of buildings.

    The issue of social engineering is taken so seriously here that there is a dedicated team whose job it is to attempt to compromise the network by any means possible. Their electronic attempts are generally significantly less successful than the attempts that include a human element. Because this is a large scale organization with multiple shifts of employees that rarely overlap, seeing strange faces is par for the course. The "red" team takes advantage of this during shift turnovers, and will attempt to follow people through passcode protected doors and use a USB flash device on an unlocked workstation once inside to compromise the network. We as employees are told to challenge anyone who passes a secured doorway without keying in, and lock any unlocked workstation we find (or report it to security).

    Overall, I would say our electronic countermeasures are significantly more successful at defending the network than our human ones, so the security team takes social engineering very seriously.

  • by Ketnar ( 415489 ) <KetnarNO@SPAMketnar.org> on Sunday May 16, 2004 @06:12AM (#9166048) Homepage
    Social engeneering is fun.

    It's even more fun when others don't notice that you are on to them and feeding them complete bull. :)

    (from MSG)
    'Isn't that that guy, from that other network? The script kiddy?'
    'Yes.'
    'the one that tried to hack you.'
    'Yes.'
    'And you are talking to him?'
    'Yes.'
    'WHY?'
    'Shh,Watch.:)'

    (In chan, after some yacking about and playing stupid, he was posing as a billing person from my ISP ;) )
    'Oh, you need my new credit card info for that. let me msg it to you.'
    'ok.'

    (later, after he left)
    'WTF! You gave him a CC number?'
    'Yeah, of a old card.'
    'I don't understand.'
    'The card was reported stolen a year ago.'
    'Yeah...okay..so, it won't work.'
    'No, it wont, but guess what happens when you try to use a *stolen* credit card?'
    '......'
    'OHHHHH!'

    Hee!:)
  • by BillsPetMonkey ( 654200 ) on Sunday May 16, 2004 @06:17AM (#9166057)
    If you pay someone $6 an hour, do you really expect them to be vigilant defenders of company property?

    We recently had an internal discussion of how to reduce theft in the company - we are a retail group and often there's thousands of pounds worth of sports gear etc. parked temporarily in corridors. One of the astonishing revelations was that a large percentage of the theft had to be internal! Our own staff were stealing from us!

    After a lot of hand-wringing and head scratching we concluded that the reason they are stealing is because they feel that at $6 an hour, the company is stealing from them. Senior execs were not prepared to negotiate a rise in the shop-floor staff wages, so we took the strategic decision to drop the whole issue.

    Not really a difficult conclusion, just an unpalatable one.
    • After a lot of hand-wringing and head scratching we concluded that the reason they are stealing is because they feel that at $6 an hour, the company is stealing from them.

      Time to revisit this Fortune Magazine article [fortune.com] again.

      Synopsis: Costco suffers much less stock shrinkage than Walmart because it pays its employees well and treats them nicely.
  • by 6Yankee ( 597075 ) on Sunday May 16, 2004 @06:19AM (#9166060)

    At my uni you didn't even have to resort to social engineering to get the basics. All you had to do was show up at the finance office for your student loan.

    They made everyone sign next to their name on a big printout that sat close to the counter. This was in surname order, but also contained forenames, date of birth, matriculation number, department, and a couple of other bits and bobs.

    Which was great. Especially given that the network user IDs all took the form [first initial][last initial][matric no].[department code] and the default password was the date of birth.

    As far as I'm aware, this wasn't used for anything beyond "I don't like Bob, log in as Bob, look at doggy-porn, print doggy-porn, log off, run" - which would still be pretty bad news if you were Bob. But it would have been so easy for anyone with even more malicious intent to take a few pages of the printout and use it to extract even more personal information.

    Scary, really.

  • by FS1 ( 636716 ) on Sunday May 16, 2004 @06:28AM (#9166086)
    They can try to change everything they like, but i know who they are talking about. This story is about walmart. Having worked for them at one time in their electronic department i can tell you this level of ignorance is the rule and not the exception.

    I remember that people returned a vcr in a xbox box, bricks in a tv box, run out the door with computers, and the list goes on. Most of the time when i was working we caught these people, or didn't because i couldn't find a manager fast enough to stop them ( you as an employee weren't allow to confront them). Also i remember an incident where 10 people distracted every employee on one side of the store and made off with $8000 of printer cartridges ( the cartridges were on anti-theft peghooks too). There were days i was expected to watch 4-5 departments by myself, basically 1/3 of the store, and there was many thefts.

    I was actually fired for speaking up about it. Oh well not my problem now.
  • by hak1du ( 761835 ) on Sunday May 16, 2004 @06:38AM (#9166109) Journal
    I'm sorry, but I fail to see how it is bad that people are trusting and helpful. Apparently, stuff gets stolen infrequently enough this way that people can afford to be trusting and helpful--otherwise, the employees would already be more careful. OTOH, if someone in "Vernstown" is really waiting for his five computers and isn't getting them because some employee forgot his badge, the business may be in trouble--the customer doesn't give a damn why he isn't getting what he ordered, he just knows the products didn't arrive when promised.

    There may be procedures that you can follow that avoid this sort of social engineering and still let the business function--but devising them, implementing them, and training the employees for them has its own costs. A phone call would have done the trick in this case and may have been prudent, but getting each employee to remember to make the phone call is difficult. Employing a separate person keeping track of everything that leaves the store and asking the right kind of questions would be better and ensure that only one person was distrusting, but it has an obvious cost--another salary to pay.

    Efficient businesses need a lot of trust and initiative on the part of employees. If you try to make this kind of social engineering too difficult, you may be preventing more thefts, but you also may be preventing your business from working. Given that this was demonstrated through a staged theft, it seems like the real thing is happening rarely enough for employees to be aware of it; this sort of thing is self-limiting--once the first real theft like that happens, people become less trusting automatically--with all the costs that that entails.

    There are no easy answers--in some environments, you just have to bear the costs that come with increased security--but one also shouldn't automatically assume that it is automatically better to adopt business procedures that prevent loss or theft.
  • Inside edge (Score:4, Interesting)

    by Blue23 ( 197186 ) on Sunday May 16, 2004 @07:03AM (#9166168) Homepage
    Isreal may have done a slick job at getting the computers out of the warehouse, but I wonder if he would be so good at social engineering if he was trying it at a place he didn't work for. Knowing all of the procedures and stuff definitely helps.

    Not that you don't have to be aware of employees or ex-employees who are trying to game the system, but being able to SE someplace you're familar with is an order of magnitude easier then trying to scam someplace else because you know all the right internal buzzwords and procedures.

    Cheers,
    =Blue(23)
  • Now this happened at a company I used to provide tech support for, and it just goes to show you how your average person doesn't care the slightest bit about security:

    I needed to do something in someone's account and didn't know their password. I also didn't want to reset it in the server because then I'd have them calling me saying the computer didn't work or whatever. So I thought of asking the guy working across the cubicle from where I was, not really expecting a reply:

    "Say, you wouldn't happen to know
  • Seems to be working great here. It's the american way.

    http://www.google.com/search?as_q=sco+lawsuit
    h ttp://www.google.com/search?q=microsoft+laura+did io

  • by aurelian ( 551052 ) on Sunday May 16, 2004 @07:45AM (#9166326)
    maybe I'm just in a bad mood but that guy seems to really enjoy being a smartass and getting people in shit. I hope one of the employees he dupes socially re-engineers his teeth next time.
  • When I was in college, two of my fraternity brothers made it a game to try and walk out of stores with ANYTHING. The bigger the better.

    So one day they decided that they needed to snag a canoe from Sears. They walked in and waited until no one was looking and grabbed a canoe and headed for the door.

    As they got near the door, a clerk stopped them and said "Excuse me, did you pay for that canoe?"
    "No, we're just walking out the door with it!" they responded sarcastically. The clerk backed off and held the door open for them as they left.
  • It Works! (Score:5, Interesting)

    by Anonymous Coward on Sunday May 16, 2004 @08:35AM (#9166515)

    Good story, kinda reminds me of a couple of my past experiences.

    Just out of High School I'm a gofer at a major chain hardware store, it's holiday season (without a doubt, best time to social engineer) and because it's so busy, I'm stuck helping load customers vehicles with bulk merchandise at a usually closed side door.

    A guy backs up a station wagon up and comes up to me (the youngest looking employee in the store) waving a "receipt" and saying he's here to get his pallet of Presto Logs. So being young and dum... errr... I mean, eager to help out, I went over to my very busy "dickish" "boss" and asked what to do, his curt reply was "Get him the logs, I'm busy.", and then he rapidly walked away toward the front of the store.

    So I got a pallet jack and moved a whole pallet of Presto logs across the whole store to this side door, and proceed to load up his station wagon till it was sagging badly in the rear, but I got 'em all in.

    The poor guy was in a BIG hurry because his wife was at another store and he had to go get her since her car had broken down, and he had a bad back so he couldn't help me load the boxes of "logs", but I loaded that whole pallet of "logs" into his station wagon in record time.

    And not 30 seconds after he drove off than another guy drives up in a pickup truck wanting his pallet of Presto logs!

    Well, I had just loaded up the last pallet of Presto logs...

    Thats when I knew I'd been had...

    Luckily, I'd asked my loser boss, and he had to take the heat, but that was a BIG lesson for me in Social Engineering.

    Move ahead several years to 1977, I'm working for a private interconnect (TELCO) company in SillyCon Valley. We don't have company uniforms, or even name tags, really low budget, but we do have tool belts and butt sets (linemans test set), we had to buy those too.

    So I'm one of the company's troubleshooters and we had many high tech clients, one of which is where I was making some changes to the state of the art TDM PBX our company sold and installed Waaaay better than anything MaBell had at the time. Merlins... what a joke.).

    My boss (a "real" boss, yaaaa.) arrived unexpectedly to give me some good news (a raise!) and as we were leaving the building I joked that I could go anywhere I wanted with only my toolbelt and buttset.

    My boss gave me the look and then smiled and said "no way".

    Mistake...

    We happened to be in a large room full of desks looking at a wall of glass, behind which was the computer room, you know, raised floors, BIG banks of BIG six foot tall computers with BIG reels of tape slowly spinning away, heavy duty air conditioning, guys in white lab coats! The whole deal. And the only door in/out was protected by an armed security guard.

    Nobody had noticed us yet as they were all busy doing their jobs, and I looked at the computer room and said to my boss "Wait here and watch." He got an unsettled look on his face but didn't stop me as I calmly but purposefully walked straight toward the door with the guard.

    I noticed that the guard was alert and saw me coming, so I was all ready to talk my way into the computer room, but as I got close enough to talk, he just opened the door for me! I said I needed to check out something and would be right out as I was calmly (yeah, right!) walking by him into the "secure" computer room.

    The white lab coat guys totally ignored me even though there were NO phones in that room! I walked through the whole large room, looking at all the cool computers and stuff and attempting to look "official".

    I finally got my fill of sightseeing and went back to my boss, who by now was angry at me, but I pointed out that no harm was done, and I had made my point to him. He forbade me to ever do it again, anywhere, but when we got back to the shop I was a big hit for my "ballsy" behavior and he was bragging about it and laughing like crazy.

    Yeah... social engineering... it can work.

  • Trust AND Fear (Score:5, Informative)

    by Titusdot Groan ( 468949 ) on Sunday May 16, 2004 @08:49AM (#9166563) Journal
    The best way to combat social engineering is to have policies in place AND allow people to enforce them. The second biggest hurdle is security people afraid of some uppity VP getting upset because you aren't giving him "special consideration".

    If the minimum wage plus a couple of bucks guard can prevent the blustering VP of Operations who forgot his security pass from entering the building WITHOUT repercussions AND the guard knows it; you have a chance of social engineering not working.

    There's a probably apocryphal story of one of the von Siemens being stopped from getting into one their own buildings by some old German guard. The punch line is the old guy saying "Yes, I admit you LOOK a lot like von Siemens and you PROBABLY are von Siemens but without papers you are not getting into this building". von Siemens thought about it for a while, settled down and gave the old guy a big bonus. The story was passed around to everyone as how security should be done.

  • by TheLink ( 130905 ) on Sunday May 16, 2004 @11:42AM (#9167542) Journal
    Article [telegraph.co.uk] mentioning 50% of people not noticing that they're talking to a different stranger after being interrupted.

    Anyway why it's easy:
    1) Most people are trusting and not paranoid.
    2) Most people are too busy doing their main jobs.
    3) Most people aren't observant.
    4) Most people aren't very smart.
    5) It's hard to be polite to people especially customers while at the same time be suspicious/wary of them. For most businesses it's better to err on the side of politeness. Let insurance etc take care of the other stuff. Remember if customers don't buy anything coz you pissed them off, the creditors come and take everything ;).

    6) High staff turnover is bad for security - makes things even harder - as a worker you can't stop every new face you see whilst trying to get you job done so that you don't lose your job. By the time you get around to training newbs about security they're already on their way out - you're lucky if you even managed to finish training them how to do their main jobs.

    7) The people who aren't easily fooled aren't cheap and plentiful. Plus they probably got sacked or changed jobs coz they weren't easily fooled by management ;).
  • by Wiseleo ( 15092 ) on Sunday May 16, 2004 @02:57PM (#9168582) Homepage
    Sometimes I have to wonder what could happen if I were a malicious individual.

    Things that tend to happen:

    1. I wear my ID with blank side showing. I get asked for help in any store, regardless of whatever uniform standards in place. If qualified, I generally will assist, but then people are surprised to find out that I don't work there.
    2. I am in an automotive dealership (not exactly a very innocent place). I need to copy a few dozen pages from a service manual. I ask where I can do it, and I am advised to use the copier in the showroom. Now, this is a networked copier that also happens to be the printer for ALL customer paperwork (credit apps, driver licenses, insurance cards, you name it) that's associated with a vehicle sale transaction. Now, I basically monopolized the copier for over 40 minutes, and I was asked if there is something wrong with the machine and what would it cost to have it moved away from public sight by the dealership's GM. At this time, I was wearing my usual generic logo shirt and a blank ID. I explained I wasn't there to service the machine. I also advised him of this risk. The risk is simple - sniff the network and an access point.

    I can't count how many times I walked into restricted areas by mistake and never got asked any questions. The logo gear I wear can be purchased from any corporate store on the web that allows its customers to promote the company by wearing its logo on a hat and shirt.

    The public is conditioned to white piece of plastic and any logo as a universal access device.

    The world is really lucky I am not malicious.

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...