Bruce Schneier

Schneier on Security

A blog covering security and security technology.


October 24, 2006

Real-World Social Engineering Crime

Classic:

Late on Monday, two thieves used a swipe card to drive a van up to Easynet's Brick Lane headquarters. Once inside they began loading equipment into their van. They were watched by two security guards -- one was doing his rounds and the other watched by CCTV -- but both assumed the thieves, with their legitimate swipe cards, also had a legitimate reason to take the kit, according to our sources.

EDITED TO ADD (11/25): Here's another story (link in Turkish). The police receive an anonymous emergency call from someone claiming to have planted an explosive in the Haydarpasa Numune Hospital. They evacuate the hospital (100 patients plus doctors, staff, visitors, etc.) and search the place for two hours. They find nothing. When patients and visitors return, they realize that their valuables were stolen.

Posted on October 24, 2006 at 02:13 PM

Comments

Look like you belong there and you can get away with an awful lot.

My father was one of those who would wear a jacket, white shirt and tie even to shop at the discount store; countless times customers and even employees assumed him to be a manager.

Posted by: jayh at October 24, 2006 03:24 PM


I'm sure the guards noticed the activity and thought that something was strange, but...

To the guards, the risk of suffering the hassle and embarrassment of a false positive outweighed the low risk of the cardswipers actually being thieves.

Posted by: McGavin at October 24, 2006 03:25 PM


Something like this happened at my university years ago. Some people showed up and started loading computer equipment into a truck. The security guards even helped them load it.

They also took down license plates, and descriptions of the people. They were arrested a few days later.

Posted by: Mark James at October 24, 2006 03:44 PM


It was about thirty years ago but...
department store in my home town. Fronted onto pedestrian access area. A couple of guys drove a large white van to the front of the store (in the pedestrianised area) and went in wearing coveralls and carrying clipboards.
The clipboards had lists of various white goods. They got store staff to help them load the van and then drove off with their loot.
They must have had some inside knowledge of some kind to carry it off but carry it off they did - literally...
Wetware failure.....

Posted by: Steve at October 24, 2006 04:12 PM


Bruce, you are a connoisseur of crime. This was a funny story in some ways. I wonder how far the thieves had planned for the situation in which they were rumbled?

Posted by: No Neck at October 24, 2006 04:13 PM


There is an old story, perhaps apocryphal, about two guys who walked out of the NY Abercrombie and Fitch with a canoe on their heads. It was so blatant that no one stopped them. Supposedly, they only got caught when they went back for the oars.

Posted by: Ben K at October 24, 2006 04:45 PM


I could practically hear Nelson saying "HA ha"

When I worked in a hotel, there was a guest who walked into the lobby, picked up a large potted plant and walked out with it.

Posted by: Sammy The Surfer at October 24, 2006 05:02 PM


A similar thing happened at an old workplace of mine. We would often have clients wandering around the building, so nobody batted an eyelid when a guy managed to get in and sat around drinking coke from the free drinks machine. He then went into one of the meeting rooms and walked out with the large plasma display that was in there. Someone actually held the door open for him.

Shortly after that we had to start wearing photo id badges at work...

On a related note, I hear that looking like a builder with a reflective jacket and a hard hat will get you into most places without being challenged.

Posted by: Tim at October 24, 2006 05:12 PM


Most apocryphal stories have a basis in truth somewhere in the past. One I heard involved a worker at a plant taking home a wheelbarrow load of scrap on a regular basis (I don't recall what it was, waste of some kind, sawdust, whatever) - this went on for some time before someone realised he was actually stealing wheelbarrows ... The obvious answer is often there staring us in the face, we just have to see it.

Posted by: Rob Mayfield at October 24, 2006 05:13 PM


Herm, sorry to crash your party, but this register piece is fiction.

Posted by: easynet employee at October 24, 2006 05:47 PM


Ah, theft. While I could bore you with stories of regularly being mistaken for the office manager at my previous workplace (I was about the only one there who cared about his appearance, sadly), I'll bore you with this one instead.

Back when I was just starting high school, I noticed a monitor for a Commodore computer languishing on the floor of the chem lab. It was still there a few years later. The C64 was on the wane, but I was a diehard Commodore geek, and a TV set was never quite as good as a monitor. I asked the principal if I could purchase it (on the cheap) before one of the more observant punks kicked the tube in. Well, I couldn't, but he said I could borrow it until he asked for it back (hint hint - he was retiring soon and didn't really care either way). So, at the end of chemistry class not long after, I went and got it. Carrying this rather large object back through the class, of course one of the students said "What're you doing with that?"

So I said "I'm stealing it, of course."

And that was the end of it. 30 students and one teacher watched me make my getaway and that was all the resistance to be had.

Posted by: FormicaArchonis at October 24, 2006 06:02 PM


Here's a nice prank example of social engineering. Had me laughing for hours.
An improv group put on blue shirts, went to Best Buy, and just stood around.
Humor ensued.
http://www.improveverywhere.com/mission_view.php?mission_id=57

Posted by: jojo at October 24, 2006 06:04 PM


@easynet employee

Sure. Just like Bush never invaded Iraq under false pretense. Just because you're embarrassed about something, doesn't make it any less true.

Posted by: Not an easynet employee at October 24, 2006 06:09 PM


*cough* Why should I be embarrassed? There was a theft, but it was nothing like what's described in the Register (which gave us a good laugh today).

Posted by: easynet employee at October 24, 2006 06:43 PM


@not an easynet employee

a "false pretense" that actually seems to be becoming more true again as the real truth is uncovered (documents are found and translated).

Don't be an idiot next time by bringing politics into a discussion about crime and security... stupid cheap shot crap. Discuss the story or stay away!

Posted by: W. Man at October 24, 2006 06:51 PM


Regardless of the veracity of the article, the vulnerability is nonetheless real. I used to regularly enter, move about, and leave installations of the US Marine Corps, US Navy, and US Army, and nobody ever looked at my identification -- over a span of eight years. Apparently I looked like I belonged wherever I was. I'd also dealt with CHP, Sheriff's Office, and the local PD, yet I was the only person who ever saw my ID.

Posted by: Roy at October 24, 2006 08:01 PM


@Roy

Apparently you haven't attempted to enter a USMC installation recently. Regardless of your appearance, they ask for ID, compare it to you, inspect your vehicle, note the tags (electronically at a lot of places now) and inspect your vehicle's registration. Even when you've been going in and out for years.

Posted by: Anonymous at October 24, 2006 08:45 PM


"search the place for two house"

Hours? Or were they looking for Dr and Mrs House?

Posted by: Davi Ottenheimer at October 24, 2006 11:49 PM


"EDITED TO ADD (11/25)"

Er, sorry to nitpick again, but perhaps this should be 10/24?

Posted by: Davi Ottenheimer at October 24, 2006 11:55 PM


>> "search the place for two house"

Hours? Or were they looking for Dr and Mrs House? <<

Well, it was translated from Turkish!

Posted by: Nobby Nuts at October 25, 2006 01:17 AM


Some years ago some criminals would just take a van and drive up to stores and take racks of clothes etc., since they were wearing overalls the clerks would think that they had a valid reason for doing so :P

Posted by: Inge Henriksen at October 25, 2006 02:40 AM


Around here any Filipino or Somali woman who wanted to could get access to anything just by putting on an overall and carrying a mop. They must be very law-abiding people because I've never heard of it being done.

Posted by: csrster at October 25, 2006 03:29 AM


I know of a time when two men turned up to a BBC studio in overalls and a truck and stole a grand piano in full view of a load of BBC employees...

Posted by: RG3 at October 25, 2006 05:02 AM


All variations on the fable of Gillespie and the King - look like what people expect to see, and you have the keys to the city. Speaking of which, in these days do visiting dignitaries get the PIN to the city instead of keys?

@csrster: cool. where's here? I mean just generally.

Posted by: bob at October 25, 2006 07:22 AM


"anonmymous emergency call"? s/anonmymous/anonymous/

Posted by: an anonmymous pedant at October 25, 2006 07:48 AM


I'll bet you could pull off the scam without a swipe card. Drive up to the gate in a delivery truck, and say you have to make some drop-offs and pickups. The guards will probably let you in. Your "drop offs" will be fancy boxes suited for the occasion (VCR, widescreen TV, etc...) but filled with useless deadweight. And then you just make the pickups and leave...

Posted by: T at October 25, 2006 07:54 AM


Regarding the incident in Turkey - one would have thought that the police that searched the hospital would have noticed the presence of anyone, particularly since the presence of anyone in the building should have stood out like the proverbial sore thumb given the prior evacuation...?

Yes, the thieves could have hidden from the people carrying out the search, but what does that say about their level of competence? If they failed to find people-sized things, what chance would they have had at finding a possibly concealed explosive device?

Posted by: Mr Pond at October 25, 2006 10:45 AM


@Mr Pond
That somebody would have trouble hiding in an otherwise empty (of people) hospital would actually surprise me more. Heck, even one full of people. Lots of rooms, closets, large rolling equipment carts..... Oh, and the noise of the place--even when empty..... Wear the right shoes and other clothing and just disappear.

Posted by: RvnPhnx at October 25, 2006 11:49 AM


Ben K,

canoes have PADDLES, not oars, arrr!

Posted by: Bill Mason (not) at October 25, 2006 12:26 PM


@W. Man

Please provide a URL to an article from a major news organization reporting on the "real truth being uncovered."

Not looking to discuss it, just looking for it because your allegation is brand new to me.

Posted by: Curious at October 25, 2006 01:59 PM


Australia lost a computer owned by the Customs department in a similar scam:

http://www.smh.com.au/articles/2003/09/04/1062548967124.html

Posted by: Nevo at October 25, 2006 04:41 PM


This happened to me in the past few months.

I watched the ~20ish kid living with the neighbors two doors down load a variety of stuff into a car and thought little of it - it was the season, and he was the age, to be headed to college.

Turned out he'd been ejected from the house after a domestic dispute and was robbing the house.

If I'd known of the ejection, I'd have phoned the police; but in effect his long presence and a plausible assumption about his activity constituted a spoof of any security my looking out the window might have provided.

Posted by: James at October 25, 2006 07:21 PM


I used to have the opposite problem at my university. I would have all the correct paperwork, signed by the appropriate people, including serial numbers, etc. to bring my PC onto campus and take it away again.

If I was ever seen carrying it, I would be subjected to half an hour of grilling and interrogation despite following all their procedures. Their solution? Let them know a week in advance so that they could tell everyone. What's the point of having signout procedures in that case?

Posted by: jerith at October 26, 2006 10:19 AM


Regarding the wheelbarrow story:
http://www.snopes.com/crime/clever/wheelbarrow.asp

Posted by: solinym at October 26, 2006 01:54 PM


@jojo

Everybody check out that link. I've just barely survived the laughing. Funny on a few levels.

Posted by: DougC at October 26, 2006 08:04 PM


Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.