Schneier on Security

which goes to show that all you need is some good social engineering skills (to be a succesful crook, that is)... none of that Hollywood movie crap.
Although social engineering skills may get one pretty far without resorting to crime.

Jewel Thief? Technically yes, but she is really more of a high-end shop lifter using the same methods as shoplifting gangs around the country.

She has none of the "glamor" of the black clad thief rappelling into a high-rise apartment to break into the safe--nor of the conman who talks people into giving him the jewels.

I think she helps remind us that "jewel thieves" are thieves. Not as bad as armed robbers or people who--oh, I don't know--start a war on false pretenses, but not great for society, either.

"she glided in, engaged the clerk in one of her stories, confused them and easily slipped away with a diamond ring"

Wow, did she ever work for Sony?

"I think she helps remind us that 'jewel thieves' are thieves. Not as bad as armed robbers or people who--oh, I don't know--start a war on false pretenses, but not great for society, either."

Definitely not. If you think about it, we all pay a "tax" in higher prices to pay for theft.

You could think about the high prices we pay for jewellery in terms of theft... but it's worth remembering that, at least for diamonds, they're not especially valuable bits of rock that cost a lot because of great marketing and certain large companies with a monopoly on the stones.

But that's straying from the topic.

@Scote (and everyone else)

I'll bite. Of what false pretenses are you speaking? The false pretenses of the USS Cole? No? How about the false pretenses of the first WTC bombing? Not those either... Hmm... Oh, I know, the false pretenses of the WTC destruction... No? Oh, then you *must* mean the false pretenses of 11 years of Iraq's non-compliance to UN resolutions.

Oh wait, you're talking about the WMDs that all US politicians, allies, and opponents agreed Iraq had. Those false pretenses, right?

"If you think about it, we all pay a 'tax' in higher prices to pay for theft."

Unless you purchase off the black or even grey market, especially where theft is from the end user and not a retailer.

Another thing to consider is whether the retailers/suppliers even bother to look into the cost of securing goods versus just dumping the cost of insecurity on the consumer.

I think I've mentioned this before but I was told by an airline exec once that the reason little alcohol bottles were so expensive was because 60-80% of the supply disappeared before it reached the airplane. It's certainly conceivable that diamond theft actually helps drive the marketing campaign that sets their price artificially high in the first place...if theives didn't succeed in stealing them, would they still be precious stones?

Interesting story. I wonder if it is a coincidence
that social engineers like her or Kevin Mitnick for
example learned the basic principe of their "cons"
at young age. Mitnick discovered that he could just
ask for the things he wanted with little masquerading.
She learned how to play her stealing game in a simmilar
way. Question: Is it inherent to social engineers, that
they learned a different way of "succeeding" in a society
with all of its systems and complex interactions (social,
financial, ...) when they were young? Any ideas or recommended
readings welcome :)

@ Terrence Tan,

Slightly OT: I think you make an interesting point. Jewels, especially diamonds, are valuable in large part only because of marketing and monopoly control of the market rather *coughdebeerscough*.

A diamond as jewelry is primarily a public exhibition of wealth since CZs are visually just as attractive. Likewise, lab grown diamonds are chemically identical to mined diamonds and might be more ethical to buy since there is less danger and involved in their production and the workers are probably paid more than miners are... Yet the diamond cartel would still have you believe that only a mined diamond is worth wearing even though there is no way to tell by looking--showing that mined diamonds have more symbolic value than intrinsic value.

So, what is a jewel thief stealing? To a certain degree, they are only stealing marketing hype rather than intrinsic worth. But but there is value paid for at different levels of the production of jewelry and Doris Payne had no right to take it. She clearly had talent with people that she could have applied to legal work.

I suppose it is the fact that no rich people will starve if a $30,000 piece of jewelry is stolen that lets us glamorize jewel thieves more than, say, the shoplifting gangs who steal baby formula and resell it (sometimes mislabeled) back to distributors and retailers. Or the way we glamorize entertainers and CEOs and shower them with wealth but actually pay people who do many of the worst jobs the least amount of money.

I somehow doubt that many tales of wholesale cigarette thieves will make it to Schneier.com, but I think that has less to say about Bruce than it does about our own interests in the perceived cleverness and/or glamor of individual thieves vs. the unglamorous reality of organized theft rings who deal in physical goods.

Off Topic:

Sorry, "FP", I'm not sure what issue you are taking with my hypothetical "degrees of evil" comparison...I don't recall making any specific allegations about anyone or anything so I can't really tell why you are ranting so much. :-)

@False Pretense

Of all the items you innumerate, only one is related to Iraq, and it is of debatable veracity and applicability.

If people want to believe something strongly enough, they will deny reality if they have to. I think "False Pretense"'s post illustrates that nicely.

The security implication of this mindset [getting back on-topic] is that you are making yourself a target for con-artists of all stripes.

Informational message to "False": Iraq did not bomb the Cole. Iraq did not attack the WTC (either time). We're talking about the documents the CIA knew to be forgeries at the time the administration used them as pretenses. We're talking about aluminum tubes that the Department of Energy knew were not for centrifuges long before the administration claimed that they were. We're talking about editing CIA reports to remove phrases like "we belileve they may someday have the capability to..." and "they may be pursuing..." to manufacture fact from conjecture. We're talking about "fixing intelligence around the policy of regime change" in other words.

Hope that helps. With our help, you can avoid getting conned again in the future.

Could we not get side-tracked by False Pretense's outburst please? Everyone was quietly ignoring it until the last couple of posts. (FP: there are lots of examples in history of wars started under false pretenses, e.g. the Gleiwitz incident. There is no reason to assume Scote was refering to the recent Gulf War. It didn't occur to me to do so.)

actual jewelry theft is typically much more prosaic than its cinematic counterpart. when i was young and saw "to catch a thief" i thought it would be so cool to be suave and debonair like cary grant, athletic enough to reach a high window like a bird and lucky enough to get grace kelly on my couch for the 4th of july. are there really any cat burglars at all or was that just made up?

I used to be a cat burglar, but they are hard to fence.

I think the point of this story is that when it comes to security, people are the weak link.

Oh, and this woman stole from me. My insurance reimbursed me and made up the difference over the next five years. Yes, we do pay for theft.

One small comment, I don't really see Payne's MO as social engineering as such. Well, certainly some social engineering was involved in getting the victim to relax too much, but the actual crimes were committed by sleight-of-hand.

It illustrates, I suppose, that real attacks often use a variety of techniques (do whatever works!), but if we had to pigeonhole this, I'd file it under "Pickpocket" rather than "Con artist" or even "Jewel thief".

Well, actually it illustrates a few other thing too, I guess, but they're all pretty sad and uninteresting: "thief sticks to almost identical MO for 60 years, and it still works"; "thief arrested so many times they measure rap sheet by the yard, admits to kleptomaniac and sociopathic tendencies, yet still untreated and at liberty"; "our society can lionise criminals as folk heroes even when their own confessions show obvious sociopathy"; etc.

@another_bruce:
"are there really any cat burglars at all or was that just made up?"

The basic cat burglar certainly exists; one (nicknamed "Spiderman" by the press) was caught here in Sydney last May after a spree lasting several weeks in which he entered apartments as high as the 17th floor, all by scaling the exteriors of high-rise apartment buildings without equipment. He seems to have been a skilled climber, but otherwise a rather second rate burglar.

The gentleman jewel thief/cat burglar is probably a largely fictional device dating from the A. J. Raffles stories (originally penned in the 1890s by Arthur Conan Doyle's brother-in-law, but later updated in setting). However they may have some basis in fact. One early, famous cat burglar and occasional jewel thief was Jack Sheppard, an early eighteenth century cat burglar who seemed to be able to get in and out of anything, and became a folk hero before he was hanged in 1724. Another interesting case is Bill Mason, who wrote the book "Confessions of a Master Jewel Thief", in which he claims to have been such. I haven't read it yet and have no idea how accurate it is, however I am told that while Mason describes some feats of incredible acrobatics, his career owes at least as much to corrupt police and skilled but sleazy lawyers.

Oh, and there's this, too:
http://www.fbi.gov/hq/cid/arttheft/arttheft.htm

Most of them are actually armed robberies, but some are a bit more interesting. Here's my favourite:
http://www.fbi.gov/hq/cid/arttheft/topten/cellini.htm
The famous Salieri (Cellini gold salt cellar, valued at USD ~$58 million) was stolen by: climbing up a painter's scaffold, smashing a plain glass window (alarmed, but the alarms were ignored for some reason), smashing a plain glass case (neither armoured nor alarmed), and walking away. Why do we bother?

This reminds me of the "Australian shop-lifting gang" of the 1950s and 60s. This was a gang of Aussies who operated in Europe (never in Australia).

Their method was to distract the sales staff of a store, often a jewellery store, with some legitimate-seeming customers, then a confederate would sneak in and steal the goods. The "legitimate" customers would "innocently' block any pursuit. pursuit.

They were very successful and are credited with stealing several (1950s) millions of pounds worth of goods. Reportedly they had a very sophisticated set-up with their own telecommunications system.

A lady must stay a lady even in robbery.

I just finished reading "Confessions of a Master Jewel Thief."

It is a great book and very accurate. He is very honest about his thefts... he shows what the press said and how they made the heists seem impossible. But then he tells the straightforward truth, no bull. Like when he planned to safecrack a safe owned by a Cleveland Mafiosa, he lucked out because the guy left the safe door ajar!

So yes, he tells the truth. If anything, he actually even downplays his thefts. He acknowledges how much of a part luck plays, as well as people's foolish acts (like leaving windows unlocked, alarms off, etc because they think that it is impossible for someone to get to their penthouse apartment in the first place.)

He only ended up serving like 33 months total. He struck an immunity deal with the cops: any theft he confessed to, he couldn't be prosecuted for. The cops thought it was only one or two heists, but then he pretty much confessed to everything, along with details that only the real thief would know. The cops had no idea that all the unsolved crimes were even the same person.

His lawyers were crazy and loud, constantly having a good time, partying, etc. They'd use any loopholes, twisting, and construing of the legal process to scheme up a way out for their defendants. Some people say it's unethical, but others say that they actually SHOULD do anything & everything in their power to acquit their defendent.

It's a great read. Definitely one of the top 3 books I've ever read. Bill Mason is actually a really good guy; he just had a fatal flaw. It took a near-death experience to make him finally decide to quit stealing jewelry.

@Social Engineering,

I do agree with the previous comments that make no distinction between the type of theft. Theft is wrong regardless of who is being relieved of their worldly belongings. I think the reason this story appeals to some has to do with the clever nature in which the thief made off with the goods. Perhaps it is the thief's cunning and clever abilities that is what has really caught our attention on a story like this. In a way it appears that Payne has mastered a technique that fairly reliably causes the person in the store to lose track of all that is going on. It is a masterful example to misdirection. Perhaps it is her ability that is the real story. Stealing is nothing new, and certainly stealing jewels is not a recent occurrence (i.e. French Blue aka Hope Diamond). Here we see an example of a woman who has used her social skills to bewilder the salesperson. To me I think this exploit in many ways resembles the methods used to exploit computer glitches. On a computer the hacker attempts to gain unauthorized access by engaging a legitimate system or service and then proceed to feed said system or service predetermined data which ultimately results in compromise. A buffer overrun that drops instructions right on the processor essentially utilizing a security hole and passing something through that hole. The jewel thief in a manner of speaking did the same thing. The difference is that she exploited a security hole of her own making. The brain is without question the most advanced computing device we have had the benefit of studying. It is not such a stretch to compare the instructions we receive from others to also be analogous to programming. So if the Manager saying to the Salesperson "Watch the customers very carefully so they do not steal" is comparable to a security program, then the theft itself is the act where the ring is literally passed through the security hole created by the thief. The misdirection and confusion could be compared to a denial of service attack against the "Salesperson_Security_Service". It appears that in many cases people start to lose track when there is too much information to process all at once. Now that some of the relevant data has been taken out of active memory (Ring is forgotten in all the confusion) the thief is now free to steal it. When the salesperson goes to compare their mental list of items they are keeping track of, they discover nothing missing because the stolen ring was dropped from the list during the confusion. I would have to say this is a very effective and clever exploit that makes use of the limitations people have with keeping track of so many things at once. The electronic game "Simon" is probably as good a tool as any to estimate the point where information starts to drop from the current stream of consciousness. Even though the theft is wrong, we can still appreciate the means used to commit the crime which is the real story here.

@ False Pretenses
I am sick to death of people beating this "Dead Horse". I have heard all the usual phrases like "Bush Lied" and there were "NO WMDs" found in Iraq etc... Something I find a bit irritating in all of this is that it seems that many people in our country just do not seem to understand the nature of how our government really operates or how it seems to play out in the real world. The reality is that Bush, Congress and everyone else based the decision to go to Iraq the second time on some erroneous intelligence. To say Bush lied is ridiculous, he could not have known it was erroneous any more than anyone else could have at the time. The CIA knowing that the information was erroneous (If in fact they knew beforehand) may only be part of the picture. What were the exact circumstances that caused the erroneous information to go forward and not be corrected? Anyone who has ever worked for the government or worked on a government contract can attest that there are ample opportunities for communication breakdown just in the bureaucracy of a single organization let alone a bunch of them working together. I have seen instances where a government employee goes on vacation for a week at a time with little or no notice to everyone else. Generally it is difficult if not impossible to get in touch with these folks when they are on vacation because they do not want to be bothered with work. Was the analyst who penned the erroneous report on vacation when it was time to correct the mistake? Was the person who is responsible to correct or follow up on vacation at the time? There are so many possibilities as to why the bad information made it into the official decision making process. It is ridiculous to scapegoat the president and make this all his fault because he believed some bad intelligence. The reality is that the is a failure of bureaucracy and not a deliberate attempt to propagate a deception. In my career I have seen many instances where the bureaucracy and internal politics of an organization have prevented otherwise astute government employees from doing their job correctly or at all. No one wants to have a black eye for penning or promoting bad intelligence, so if it was known ahead of time the information was inaccurate, it is conceivable that the powers that be may have just wanted the erroneous intelligence brief to fade away quietly so that no one takes the career hit/demotion that would be sure to come. Correcting the mistake publicly or even privately after the president already made reference to the intelligence brief in public would have surely been career suicide for anyone who had to deliver that message to the president after the fact.

We already knew Saddam Hussein had WMDs and we also knew that he had made every effort to avoid compliance with the UN resolutions to terminate all WMD programs. An Iraqi general said after the war was over that all of the WMDs that were in Iraq were smuggled to Syria about a month before the war began. Incidentally, Syria is also ruled by the Baath party so a last ditch effort to hide the “contraband� is not a recklessly farfetched idea to consider.

I'd like to take a moment to question the folks who would like to see us get out of Iraq. Regardless of past mistakes, poor decisions and where this all started, lets look at the reality of what is going on in Iraq now. Iraq is now ground zero for Al-Qaeda and all of the jihadists who want to see us destroyed. Iran and Al-Qaeda seek to undermine the U.S. any way it can. So if we pull out of Iraq now and leave the Iraqi's to their own "Civil War" then Iran and Al Qaeda win and likely take over governance of Iraq. What if the result of pulling out is that Iran or Al Qaeda become the recipient of WMDs that remained undiscovered in Iraq. Those who say that "if there were any WMDs we would have found them by now" should take a brief read of the story of Oak Island and it's "Money Pit". http://www.mysteriesofcanada.com/Nova_Scotia/oakisland.htm

It is not only possible to hide things by burying them, but it highly effective because unless you know exactly where and what you are looking for, you will likely find nothing. The Oak Island money pit illustrates that something could be buried and remain secure for a very long time if you are not in possession of the secret information required for access. In the example of Oak Island, an exact location is known and still no one has managed to compromise the security of the money pit "vault" due to the fact that its specific construction methods and design are not known. Another example involves a case of a career bank robber who converted his stolen monies into gold and then buried it in very inaccessible locations. The federal authorities actually had a map to all of the caches of gold complete with GPS coordinates. Surprisingly, the search teams still had significant difficulties finding these hidden caches. Now imagine the motivation a person would feel looking for a Coleman ice cooler filled with gold coins worth a kings ransom. If it is this difficult to locate a cache of gold with GPS coordinates to help you, imagine the increased difficulty if more care was taken to conceal the actual location of a hidden item.

Something everyone needs to think about is this... If there were WMDs in Iraq, we need to start worrying about where they went. If the statements by former Iraqi military officers are to be believed, then the WMDs are in Syria, flown out of Iraq just weeks before the war. If they are still buried within the borders of Iraq, then you can be sure if we pull out of Iraq, former military members whom know the precise location would likely deliver these items to Al Qaeda or Iran. A historical side note that lends some perspective to this situation is how towards the end of the War in Europe, Nazi Germany placed the bulk of its atomic research/materials in a sub and set sail for Japan. While history records that sub never made it to Japan, I am forced to wonder if this is not in fact a similar situation. If a comprehensive look is taken at the way the Iraqi regime conducted its affairs leading up to the war, it is pretty obvious that Iraqi officials did everything in their power to keep their hands on the stuff they had and only at the last minute when there was no hope of keeping the WMDs, they gave them to a friendly regime who might have been generous enough to return the items when the smoke of the war cleared.

Regardless of who has the WMDs, regardless if we were justified in going to Iraq, regardless of who's fault you think this is, regardless of whoever you want to blame or punish for all of this. All of this is irrelevant now. What is relevant now is the situation we find ourselves in. The blame game is not productive anymore. So I will engage myself in a little analysis and a brief conclusion of my own.

Conclusion:
What is known is that there is a significant amount of WMDs not accounted for in the region. Iran is accelerating their missile and nuclear programs all to the end of becoming a contender in the nuclear club with a viable delivery system. Those who say that Iran is doing all of this for peaceful energy purposes is deluding themselves. The stark reality is that the cascade gallery at Natanz has no legitimate peaceful purpose. Satellite photos of Natanz taken at various points in its construction make it pretty obvious this site is being hardened against attack deliberately. Highly enriched uranium is not needed for nuclear power plants. Why would Iran want to spend money on a more expensive energy source when there already is an abundant, less expensive energy option literally beneath their feet? The simple answer is that energy is not their goal. Simple analysis of the particulars reveals this to be the case. Iran says they are developing rockets capable of flying intercontinental distances so they can place communication satellites in space. A simple exercise in economics makes it obvious that communication satellites are not the real goal either. It is far cheaper to use already mature space delivery technologies than to develop them from scratch. When taken at face value, Iran’s claims regarding peaceful designs for these capabilities seems to make sense until you look at the economics involved. Many nations and corporate firms have placed satellites in space using already mature delivery systems manufactured in other countries for economic reasons. Most notably, some US firms have even used Russian, Chinese or Japanese rockets to get their satellite payload delivered to space for purely economic reasons. Based on available information, it is obvious Iran is interested in these technologies as a strategic capability and not as an economic capability. The officially sanctioned Iranian stand on it's nuclear and missile programs states that is for peaceful purposes, but the economics surrounding these two technology programs seems to indicate otherwise. Iran is developing these capability to have a strategic nuclear capability that will allow them fire a nuclear tipped ICBM missile anywhere on Earth. Iran is becoming a serious threat to the U.S. as well as the global community and should be taken quite seriously. Failure to engage Iran on these issues will likely precipitate a strategic air strike on Iran’s nuclear capability by Israel. Israel did the same thing to Saddam/Iraq in the 80s for similar reasons. If the U.S. pulls out of Iraq prematurely without cleaning up the mess we created, then it seems very likely that Iran will make every attempt to undermine or takeover the weakened government left in the absence of the United States. It is important to leave the Iraqi government in a state where it can maintain its own sovereignty and security in the absence of a United States peacekeeping force. If the government of Iraq falls into the hands of a sympathetic regime to Iran, Israel might react by launching a pre-emptive strike on Iran due to the geographic proximity of Iraq’s westernmost border with Israel.

Wow ... yeah, what Armchair said...

Seriously, I am not sure you could get as pointed a reply to your post from those that speak their opinions on a daily basis that are nothing more than a simple regurgitation of what they hear daily on network television. Ask someone "Why" they feel as they do and often you will find that they do not have an educated response as to their own opinions following the usual espousal of media key words and stories of the day. Nice post.

@SJ ^

You make a very good point about people who are naive enough to take the pre-digested news/politicos statements at face value.

It is truly sad to see people reduced to nothing more than a human sized parrot.

I had an interesting thought the other day about the topic of deception and mis/disinformation.

I think a good analogy of this could be a bank vault door. Bank vault doors are rated in the number of hours it would take a skilled locksmith to compromise all of the security measures and get in. Misinformation could looked at in the same way. The more elaborate the deception is, the more time required to detect the error. If insufficient time is devoted to researching the topic of focus, deceptions or inaccuracies in their perception of the issue will never be discovered. In the case of the "Media", a reporter typically never seems to hover on any one story long enough to detect deception or disinformation. In many cases there is no intent to deliberately deceive you, just insufficient time was taken to explore the issue and the result was bad information.

I prefer to target jewelry while the family are at home, eating dinner, downstairs.

I once stole $50,000 worth of jewelry while 30 people ate a Rosh Hashana dinner downstairs.