Social Engineering Notes

This is a fantastic story of a major prank pulled off at the Super Bowl this year. Basically, five people smuggled more than a quarter of a ton of material into Dolphin Stadium in order to display their secret message on TV. A summary:

Just days after the Boston bomb scare, another team of Boston-based pranksters smuggled and distributed 2,350 suspicious light-up devices into the Super Bowl. Due to its attractiveness as a terrorist target, Dolphin Stadium was on a Level One security alert, a level usually reserved for Presidential inaugurations. By posing as media reporters, the pranksters were able to navigate 95 boxes through federal marshals, Homeland Security agents, bomb squads, police dogs, and a five-ton X-ray crane.

Given all the security, it's amazing how easy it was for them to get all that random stuff inside the security perimeter. But to those of us who follow this sort of thing, it shouldn't be. The author's observations are spot on:

1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.

Again, no surprise here. But it makes you wonder what's the point of annoying the hell out of ordinary citizens with security measures (like pat down searches) when the emperor has no clothes.

Someone who crashed the Oscars last year gave similar advice:

Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned.

On a much smaller scale, here's someone's story of social engineering a bank branch:

I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.

"Hello," I say. "John Doe with XYZ Pest Control, here to perform your pest inspection." I flash her the smile followed by the credentials. She looks at me for a moment, goes "Uhm… okay… let me check with the branch manager…" and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.

It does.

Social engineering is surprisingly easy. As I said in Beyond Fear (page 144):

Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what she wants.

All it takes is a good cover story.

EDITED TO ADD (4/20): The first commenter suggested that the Zug story is a hoax. I think he makes a good argument, and I have no evidence to refute it. Does anyone know for sure?

EDITED TO ADD (4/21): Wired concludes that the Super Bowl stunt happened, but that no one noticed. Engadget is leaning toward hoax.

Posted on April 20, 2007 at 6:41 AM • 66 Comments

Comments

Inigo • April 20, 2007 6:58 AM

It's an excellent story, but it seems unlikely that it actually happened. There's no independent confirmation of it, from either the media or from any of the tens of thousands of people who should have seen it, and the photos are unconvincing.

Zug.com is promoting a book on pranks - the prank is that they're attempting to convince people that this actually happened.

Bruce Schneier • April 20, 2007 7:26 AM

"It's an excellent story, but it seems unlikely that it actually happened. There's no independent confirmation of it, from either the media or from any of the tens of thousands of people who should have seen it, and the photos are unconvincing."

Interesting. I hadn't thought of this possibility, but now that you mention it the photos are unconvincing.

Anyone out there have opinions on the matter?

jared • April 20, 2007 7:29 AM

The sad thing is that I'm pretty sure they DID get all their lights in; it's just that the prank didn't work. Even 10,000 lights aren't gonna spell out a message if a) not everybody wears them in the right spot and b) they're competing with Prince's psychedelic rock show.

So he spent $40,000 on a good story. That's life, I guess.

Jason • April 20, 2007 7:31 AM

uh huh.. sorta like this one - http://www.zug.com/pranks/visa/

*newsflash* - Visa doesn't lend money; they are just a brand, not a bank. You don't call Visa for credit increases, you call the bank/lender that issued a card with a Visa brand on it.

Kairoer • April 20, 2007 7:53 AM

Haha, no matter whether the prank was carried out as described or was just an online prank, the story is still fun.
I never stop being amused at how easy it is to SE. Still, it is not my job to amuse myself - I should spend the time making it harder to SE... uh... huh... Back to work.

David • April 20, 2007 8:09 AM

Unless someone can independently verify it, it didn't happen. Very few of the photos show people wearing the device, and the "large pile of boxes" photos could have been taken anywhere. So what are we left with? Someone was at the Superbowl and had backstage access. Someone brought in some LED tap lights and had people wear them around their neck. That's not much of a prank.

No one else took a photo of this in the stadium? No one with access to video tape leaked it to the press? Where's the FLICKR pool of photos??

Large organizations are horrible at covering things up.

It just doesn't pass the smell test.

Some Guy • April 20, 2007 8:29 AM

Being the right race certainly makes a huge difference. When working in a certain foreign country in S.E. Asia where there was a lot of foreign investment, we could walk right into a new facility being set up, and walk out with expensive equipment with very few questions from the guards. Just sign the log book, please. I don't blame them, because they were very low-paid and didn't need the trouble. The worst outcome either way was being fired, and it seemed a little more likely to happen by bothering the important foreigners than by leaving them alone. Luckily, we were supposed to be doing what we were doing, but we theorized that we could actually do a pretty good business by just walking into places and walking out with expensive equipment while looking like we were supposed to be doing it.

Alan • April 20, 2007 8:33 AM

So, do we have a successful "social engineering" instance against Bruce himself? Egads, we are all doomed.

Kiaser Zohsay • April 20, 2007 8:42 AM

Quoting the zug.com article:

I realized I would need help, so I went down to the local school for the mentally retarded, where I was able to hire cheap labor. In fact, they worked for tin foil, once I told them it was money.

Smells like hoax to me.

Joe • April 20, 2007 8:44 AM

The text below the video on the ZUG site invites readers as follows:

"If you enjoyed the Super Stunt, e-mail the video to a friend, customized with your OWN secret message! "

That page has a form to fill out, with the recipient's name, e-mail, and secret message you want to display. It says:

"Send the Super Stunt video to a friend, customized with your own secret message! Start a conspiracy theory! Insult someone! Propose marriage!

Your message of up to seven characters will be inserted at the end of the video, spelled out in lights by the Super Bowl audience."

Why is Rob Cockerham standing by the story? I can't understand his rationale.

Mike Sherwood • April 20, 2007 8:46 AM

Whether it's true or false, it's a great story. Everything about it is plausible. Large event security is mostly theatre, and each of the actors only knows their small role. The author touched on the key element:

"The psychology of cat and mouse is that the mouse will never walk up to the cat and ask if he can borrow a forklift. Mice just don't do that. "

If they really pulled this off, I applaud their planning and execution. I also appreciate that they have chosen to use their gift for funny instead of evil. =)

Greg Wilson • April 20, 2007 8:48 AM

Article says, "Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating." If that's the reason, then Canadian banks ought to be immune to social engineering attacks (half a ;-)).

Tex • April 20, 2007 8:48 AM

I think the Zug.com story is probably true. The reason no media covered it is because the trick didn't work, and they'd be too afraid of covering an infiltration like that and make the government look bad, thus harming their own access to government officials. To be sure, the gag failed because nobody saw the message, but I have a hard time thinking that Hargrave would try to trick his audience like that.

Mike • April 20, 2007 8:53 AM

If the Superbowl prank is fake, what do you think really happened? How'd they get all those pictures?

antibozo • April 20, 2007 8:58 AM

Hmm. So now I wonder whether zug's Michael Jackson prank was a hoax too.

The Improv Everywhere folks (http://www.improveverywhere.com/missions/) have a number of good pranks that seem relevant. "Cell Phone Symphony", "Rob!", "Best Buy", and "The Moebius" are some of my favorites, and "Suicide Jumper" is just plain funny. Most notably "Best Gig Ever" was featured in an extended segment on "This American Life".

pegkerr • April 20, 2007 9:10 AM

I don't have the flash player that allows you to see the video. What was the message supposed to spell out?

Anonymous • April 20, 2007 9:18 AM

Shouldn't something like this be very easy to confirm or refute, given that it has thousands of witnesses?

In this light, it is odd that most Americans are so absolutely sure that they know what happened on 9/11, 7/7 or in Iraq, for that matter.

Beta • April 20, 2007 9:19 AM

There's also a Jedi Mind Trick element.

Early one Sunday morning back in college, I was in the deserted student center using a bench grinder in a locked workshop. I was dressed in (typical) ratty clothes and a safety visor, making a lot of noise, visible through the locked glass doors, very suspicious looking.

Two security guards came in and took up positions behind me, looking very Tough and Authoritative. I paused to inspect the tool I was grinding, glanced at them, looked at the tool again, and began grinding some more. They hesitated for a few seconds, then left. Being pretty oblivious to normal human social cues, I didn't realize until a few days later that I had stared them down. If I had tried to do it deliberately I probably would have failed.

Gordo • April 20, 2007 9:45 AM

In the little video they posted of the prank, they displayed what looks like an eBay auction for one of the lights. This is supposed to be more evidence that the lights exist and people who received them would sell them after the fact.

I did a search for completed (and current) auctions on ebay, and could not find that light, and I have to conclude that they faked up the ebay page. The video kind-of pans past the webpage, making it really hard to pick up any details, but you could see enough that a search should have been easy. Any other google search always leads back to their website.

I am voting for fake stunt, as too many of the pieces of evidence are just non-existent. But it does make a good how-to on social engineering :-)

Lourens Veen • April 20, 2007 9:53 AM

"Again, no surprise here. But it makes you wonder what's the point of annoying the hell out of ordinary citizens with security measures (like pat down searches) when the emperor has no clothes."

That could have been a description of DRM...

Chip • April 20, 2007 9:55 AM

I have no doubt that they COULD have pulled this off, but I agree with others who say they didn't pull it off. And I think such a security breach is EXACTLY the kind of story that the media would have been humping like a horny dog.

Andrew • April 20, 2007 9:58 AM

There is a difference between credibility and credulous.

No matter how right you were last week, you can be wrong this week. This is called the fallacy of the expert.

This prank fails the B.S. test. I'm not saying that it's impossible to do such a thing. It is impossible to do it in the way that they did, i.e. covertly.

"Carry a live lobster and look worried." I shall remember that one.

Personally, I've found that a harried look, a cheap suit and a clipboard will get you almost anywhere. A bored look, coveralls and a couple of tools will get you everywhere else.

aeschylus • April 20, 2007 10:07 AM

Andrew> There is a difference between credibility and credulous.

Um, yes. One is a noun and the other is an adjective.

MikeA • April 20, 2007 10:14 AM

There may be corporations where the employees are prone to Social Engineering because they are just naturally friendly, but in my experience with companies over about 200 people, it is more likely because they have become numbed by a series of completely boneheaded "security" measures.

When you are required to change all your passwords monthly, and told to click on links in email that _claim_ to come from I.T. (to update your security software), and must log every visitor to the site _except_ V.P.s...

Well, you get the idea.

Gretchen • April 20, 2007 10:16 AM

Gordo - I saw the auction on e-Bay. It was a legit auction, the page was not faked.

pegkerr - The message was supposed to be "1984 = 2007."

jayh • April 20, 2007 10:32 AM

"Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. "

It's more than that. It's deep in our evolution as social animals. For businesses to work, they simply can't treat every potential customer or supplier as a criminal. For social organizations to work, people do have to have a certain level of openness, and this can periodically be exploited.

The alternative is a rigidly locked down, 24 hour a day suspicious mindset. Not a very nice world.

Steve Borsch • April 20, 2007 11:15 AM

I'm leaning heavily on the "it's a prank about doing a Super Bowl prank" side of the equation.

Here's some evidence:

1) The Prank the Monkey news page (http://www.prankthemonkey.com/news.html) linking to the Startribune article on 2/13/07 is a "404 Not Found": http://www.startribune.com/389/story/999892.html

2) What I *did* find was a Mpls StarTribune blogger highly skeptical (link: http://www.startribune.com/blogs/websearch/?...) who said this: "I called Hargrave to find out if he really pulled off the stunt, no small feat considering security at the Super Bowl. He assured me that he and his cohorts did and that the media would be all over it once someone figures out the secret message. So far, I’m the only member of the media all over this scoop. I just don’t know what it is. He did ask during the phone call if I could please mention his new book, “Prank the Monkey.” Ah, so that’s it: He recounts a supposed publicity stunt just to see if he can get his new book, “Prank the Monkey,” mentioned in a major daily newspaper. As if I’m going to fall for that."

I call bullsh*t.

Geoff Lane • April 20, 2007 12:02 PM

I guess it won't be long before people acting strangely on 1st April will be detained as "terrorist suspects".

If there is one thing we can learn from history is that paranoid, authoritarian governments have absolutely no sense of humor (or for that matter humour.)

Chip • April 20, 2007 12:10 PM

I'm also calling BS on the bank story after going to the actual story page. I worked at a bank decades ago and even then we were well trained on these sorts of things. Also, once you bring fake credentials into the mix I think we're a bit beyond pure social engineering.

John C. Kirk • April 20, 2007 1:25 PM

@MikeA:

"When you are [...] told to click on links in email that _claim_ to come from I.T. (to update your security software)"

Do any IT departments actually do that? I'd expect any large organisation to handle those kind of security patches centrally, rather than allowing users to install new software onto their machines. (And in a small organisation I'd expect the IT guys to walk round and do it themselves.)

Chris S • April 20, 2007 1:45 PM

Greg Wilson: "Canadian banks ought to be immune to social engineering attacks (half a ;-))"

...whereas British banks are completely immune to such attacks! (the other half a ;-))

Posted by: Greg Wilson at April 20, 2007 08:48 AM

BKK • April 20, 2007 1:46 PM

As another example of how the right color makes all the difference, I lived in Bangkok a number of years ago and was not the wealthiest person there by any means, but I had (and still have) white skin and a big nose.

As it was the only park, I would do my daily 3-5 miles in Lumpini park. For those who don't know, Lumpini is analogous to Central Park in NYC - a nice green place in the middle of a dense city.

After my run I would grab my gym bag and walk into one of the nearby upscale hotels as if I were a guest. If I couldn't figure it out, I would ask one of the employees where the gym was, as I had forgotten. They *always* directed me to the gym/locker room where I enjoyed a nice shower, towel service and sometimes the sauna (but Bangkok is hot enough so I didn't do this often).

Thing is that I was fluent in Thai but never let on - I just acted like the typical foreign tourist/businessman and no one ever questioned it because in their experience, everyone with white skin and a big nose MUST be a tourist/businessman who was staying in their hotel.

Just another amusing memory/anecdote which supports the SE angle.

Chris S • April 20, 2007 2:57 PM

jayh: "For social organizations to work, people do have to have a certain level of openness, and this can periodically be exploited. -- The alternative is a rigidly locked down, 24 hour a day suspicious mindset."

Perhaps, then, people need to be trained to think simultaneous contradictory thoughts. I try and do this and sometimes succeed. When I encounter unknown people on the floor, I will politely greet them and offer to help them, including walking them to the desk of the person they are meeting (because, you know, we have a large floor with a complicated layout).

At all times - treat the person you don't know as all of the following: your unknown new executive VP, an unknown but important customer, and an unknown but devious and dangerous intruder.

MikeA • April 20, 2007 3:31 PM

@John C. Kirk:
I wrote:
"When you are [...] told to click on links in email that _claim_ to come from I.T. (to update your security software)"

You asked:
Do any IT departments actually do that?

Yes. Both my current employer (the largest player in a middling-large tech sector) and my previous employer (the largest employer in very significant tech sector, with over 30K employees) do this. Not all the time, but often enough, and they get really snarky if you ask questions.

bob • April 20, 2007 3:49 PM

Prank or meta-prank, it's STILL interesting social engineering.

What makes us willing to put on a medallion and turn it on at the Super Bowl?

What makes us want to claim we did?

What makes us willing to believe that something like this is, well, believable?

When we call security theatre "security theatre", remember that effective theatre requires the willing suspension of disbelief. The craft of theatre is ancient. Still one of the best treatises is Aristotle's Poetics. Maybe we should learn something about security from the Poetics.

And Brenda Laurel had a book some years ago called "Computers as Theatre". A very interesting read.

And before GUIs were User Interfaces, they were called User Illusions.

SteveH • April 20, 2007 6:06 PM

At a local branch bank a few months ago, I was the unwitting perpetrator of a "social engineering" attack. After finding its (outdoor) automated teller out of action, I asked the first human teller inside "is your ATM down?", and was promptly waved into the room containing the offending device -- "It's in there" -- no questions asked. (I'm an over-50 "long-haired hippie-type" and happened to have my leather bag slung over my shoulder at the time.) I didn't have the nerve to enter the room, close the door, and see what I could do about the problem...

/r:b: • April 20, 2007 6:38 PM

The device's auction *does* exist on ebay, and I have a link to it below.

If you do a google search on "superbowl xli halftime prince light" (the title of the ebay item in the video), two archived ebay auction pages come up:

http://www.google.com/search?...

or

http://tinyurl.com/252zwh

Both of these are for ebay item 190081164356, which shows the device.
URL: http://cgi.ebay.com/ws/eBayISAPI.dll?...
tinyurl: http://tinyurl.com/28b5jv

I leave it to others to hunt down the identity of the seller etc.

As Gordo says above, though, searching ebay completed auctions for this string produces no hits. That appears to be a shortcoming of the ebay search engine.

/r:b:

Sam • April 20, 2007 7:14 PM

Wow, am I the only one who thinks that the security largely worked? I mean, even if the story is true.

So they pranked the stadium with a bunch of lights. So what? I quote:
"If we had been bringing in anything truly dangerous, I assure you they would have found it."
...
"With my media badge, I was allowed to enter early, but first I had to get through eight layers of security screening"

It's not like they would have been able to bring in a vanload of ammonium nitrate, or a bunch of 55 gallon drums...

itistoday • April 20, 2007 9:29 PM

I know this doesn't go for much but I've been reading Zug for a while. If you've read Zug.com then you know these are no amateur pranksters. They have been doing "professional pranks" for a while now, including convincing several hundred people that Michael Jackson attended some musical performance (this did in fact make the news).

In other words, the reason I think this is legit, besides the video evidence, is that the pranksters at Zug.com have a very good reputation for pulling off spectacular pranks, and I do not remember them ever pulling a fast one on the readers themselves. After all, what would be the point of that? Piss off the readers?

Those saying that they're doing this just so that they can later boast about fooling a lot of people into believing them, that's just stupid. None of their readers would find that amusing, they would be offended and would trust Zug less. It's just not a rational course of action for them to take.

This is legit.

I'm a believer • April 21, 2007 3:46 AM

The question of whether this was a prank or a meta-prank really bugged me -- I have a natural distrust of authority so that I really like to believe in the concept of "security theater" bogosity and so wanted it to be a real prank. So I went out to verify it independently.

I just downloaded a copy of the full-resolution HDTV broadcast of the half-time show from alt.binaries.hdtv and watched it in slow motion. Anyone with a subscription to a premium usenet provider can do the same, at least until the articles expire with their provider. My conclusions:

1) There are a lot of blue lights in the audience in the section of the stadium where Zug claims to have placed them
2) There are few, if any, blue lights in any other section of the audience
3) The distribution of the lights is such that they do not really spell out anything
4) The two ethnically ambiguous dancers on stage were smoking hot, I wish there had been a Janet Jackson moment.

Based on the above observations, I'd say Zug really did everything they said they did, but they made two big mistakes that consigned their prank to the dustbin of obscurity:

1) The lights were not bright enough by a couple of orders of magnitude. I note that the devices shown on the Zug website use cheapo 5mm LEDs which is a common newbie mistake - the Zug guys should have consulted with the guys at candlepowerforums.com - although a bunch of cops hang out there (many cops have a fetish for really freaking bright flashlights) which might have put the kibosh on their plans

2) The distribution to the audience didn't work out well - the Zug site says they labelled each light with the seat number and relied on the audience to take the correct light and pass the rest on up to the next guy in line. What appears to have happened is that many people grabbed whatever light came to hand without paying attention to any labelling. Thus resulting in a semi-random distribution of lights.

I'm a Believer • April 21, 2007 4:47 AM

Here are three frame-grabs from the halftime show. FWIW, I have not edited them in any way, they were saved as BMP files from mediaplayer classic's frame grab function and then converted to jpeg.

Note that in all 3, the blue lights do not stand out very much but they are visible, be sure to click on the images to see them at their full resolution.

1) Look at the upper-right quadrant
http://img100.imageshack.us/my.php?...

2) Across the entire top half of the image, but mostly in the upper-left quadrant
http://img100.imageshack.us/my.php?...

3) Most of the bottom half of the seating on the far side of the stadium
http://img145.imageshack.us/my.php?...

Bruce Schneier • April 21, 2007 2:32 PM

"You are more than one month late, on a fake story... Continue like this and you will soon have the same quality of reporting as Ed Felten's blog."

This isn't a news site. If you expect timely posts, there are lots of other sites that suit. And don't diss Felten's blog; a lot of that stuff is excellent and well worth reading.

LDP • April 21, 2007 4:24 PM

There a lot of good reasons to think this would be a hoax - the photographs could have easily been doctored; there is very little physical evidence of the prank; it wasn't covered by the media; it doesn't pass the "sniff" test. But I think itistoday is right, and taken within its context, it just doesn't make any sense for this prank to be a fake.

First off, John Hargrave has been doing this stuff for years, and if you take a look at all of the pranks on zug.com, you can see that the website has always been a "safe haven", i.e., if you read the website, you're in on the joke. The vast majority of his pranks are imaginative, elegant, and meticulously-planned, and he never chooses easy targets. Pranking his own readers would be completely uncharacteristic in that (a) it would break the trust he has with them, (b) it would damage the credibility of future pranks, and (c) it's really not terribly difficult, elegant, or imaginative to fool people who implicitly trust you. There's a rare renegade mindset behind his pranks, and if you have it, there's no escaping it - it pervades every aspect of your life, from scoffing at signs that say "Do Not Enter", to organizing anti-authoritarian stunts, to crying tears of happiness when your kid tells you he wants to be a painter. And without exception, everyone I've ever known with that mindset would rather drill holes in their kneecaps and fill them with battery acid than take the "easy way out".

Second, and more importantly as far as I'm concerned, is his message. John Hargrave is doing more to fight "terror" than any government could ever hope to do. I think most readers of this blog would agree that since 9/11, we've been living in fear. Not everyone of course, but on the whole, we've become more aggressive, more suspicious, more withdrawn, and a lot less fun. It's like we've forgotten how to take a punch and walk away, for fear of seeming weak, so we make damn sure no one gets close enough to take a swing. And if you read John's account of the Super Bowl stunt, you can see how important it is to him to not give in to that fear. Pulling this stunt as a hoax would do nothing to support his beliefs or underscore his point, and in fact would invalidate his opinion as a credible one. So, based solely on my own intuition and until proven otherwise, I choose to believe that the Super Bowl was in fact hacked.

Now, maybe I'm wrong on this; maybe I've been completely and utterly doofed. But I sure hope not.

FP • April 23, 2007 11:01 AM

I've taken I'm a Believer's first snapshot, and used a simple image filter that enhances all blue-ish pixels (blue value is at least 32 more than red and green, on a 255 scale), mapping everything else to black.

The output confirms that there are significantly more faint blue lights in the audience on the right side of the picture than on the left side.

It's not really conclusive, and it isn't possible to make out any patterns or letters, probably for the reasons that Believer mentioned.

Add to that the zillions of photography noobs who think that they can capture some of the action in near darkness with a hand-held camera, just by turning on the flash.
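FP's blue-channel filter, written out as an added example (this is not code from the post, from FP, or from Zug): a pixel is kept when its blue value is at least 32 above both red and green on a 0..255 scale, everything else goes black. The frame below is a constructed stand-in for a halftime screenshot, and the blob counting (4-connected components, split by which half of the frame the centroid falls in) is an addition that turns the enhanced mask into a count of distinct lights rather than a count of blue pixels.

```python
"""Blue-light enhancement filter over a video frame (added example).

Implements the filter FP describes: keep pixels whose blue channel is at
least `margin` (default 32 on a 0..255 scale) above both red and green,
map everything else to black.  On top of that, count 4-connected blobs of
kept pixels per half of the frame.  The sample frame is constructed here;
it is not a real halftime frame.
"""
from collections import deque


def is_blueish(px, margin=32):
    """True for (r, g, b) where blue exceeds both other channels by >= margin."""
    r, g, b = px
    return (b - r) >= margin and (b - g) >= margin


def blue_mask(frame, margin=32):
    """Map a frame (list of rows of (r, g, b) tuples) to a boolean mask."""
    return [[is_blueish(px, margin) for px in row] for row in frame]


def find_blobs(mask):
    """Return the 4-connected components of True cells as lists of (y, x)."""
    h = len(mask)
    w = len(mask[0]) if h else 0
    seen = [[False] * w for _ in range(h)]
    blobs = []
    for y in range(h):
        for x in range(w):
            if not mask[y][x] or seen[y][x]:
                continue
            seen[y][x] = True
            queue = deque([(y, x)])
            cells = []
            while queue:  # breadth-first flood fill of one blob
                cy, cx = queue.popleft()
                cells.append((cy, cx))
                for dy, dx in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                    ny, nx = cy + dy, cx + dx
                    if 0 <= ny < h and 0 <= nx < w and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            blobs.append(cells)
    return blobs


def blobs_by_half(frame, margin=32):
    """Count blue blobs whose centroid lies in the left vs. right half."""
    width = len(frame[0])
    left = right = 0
    for cells in find_blobs(blue_mask(frame, margin)):
        centroid_x = sum(x for _, x in cells) / len(cells)
        if centroid_x < width / 2:
            left += 1
        else:
            right += 1
    return left, right


def make_sample_frame(width=24, height=12):
    """Constructed frame: dark crowd, a white floodlight patch, a cyan
    scoreboard glow, and four small blue LED blobs (1 left, 3 right)."""
    frame = [[(18, 18, 24)] * width for _ in range(height)]

    def paint(x0, y0, size, colour):
        for y in range(y0, y0 + size):
            for x in range(x0, x0 + size):
                frame[y][x] = colour

    paint(2, 2, 3, (230, 230, 235))   # floodlight / camera flash: not blue-dominant
    paint(10, 5, 2, (0, 120, 140))    # cyan glow: blue only 20 above green, rejected
    paint(4, 8, 2, (60, 60, 150))     # blue LED, left half
    paint(14, 3, 2, (50, 55, 140))    # blue LED, right half
    paint(18, 7, 2, (70, 65, 160))    # blue LED, right half
    paint(21, 9, 2, (40, 45, 120))    # blue LED, right half
    return frame


def render(mask):
    """ASCII view of the mask: '#' for kept (blue) pixels, '.' for black."""
    return "\n".join("".join("#" if v else "." for v in row) for row in mask)


if __name__ == "__main__":
    sample = make_sample_frame()
    print(render(blue_mask(sample)))
    print("left/right blobs:", blobs_by_half(sample))
```

The margin matters: the dim 5mm LEDs in a compressed broadcast frame sit only a few levels above the crowd, so a margin much above 32 drops them, and one much below it starts keeping JPEG noise and stage lighting. As FP says, the output gives a left/right imbalance but nothing that can be read as letters.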

Petr Kazil • April 24, 2007 4:55 AM

QUOTE: After my run I would grab my gym bag and walk into one of the nearby upscale hotels as if I were a guest.
- - - - -
Here is a great "HOWTO" on illegally swimming in hotel swimming pools. It's also a nice guide on "looking as if you belong".

It's still a classic by the (unfortunately deceased) urban explorer "Ninjalicious":

http://www.infiltration.org/hotels-plunge.html

antibozo • April 24, 2007 10:22 AM

Petr Kazil> Here is a great "HOWTO" on illegally swimming in hotel swimming pools.

Heck, go find a copy of Abbie Hoffman's classic "Steal This Book" if you enjoy that sort of thing. Free food! :^)

mx • April 24, 2007 12:10 PM

Many years ago when I was in 7th grade (age 13 or so) a friend and I attended a Cleveland Browns football game during December. The weather was unbelievably cold and we were miserable.

Necessity being the mother of invention, I hatched a plan to get into a press box to get out of the cold. I had both my friend and I buy 4 or 5 coffees and carried them in those flimsy, cardboard carriers right past the security guard with no questions asked.

The key was having a bunch of coffees rather than one each. He naturally assumed we'd already been in the press boxes and were just returning.

Incidentally, the hard part was getting the people in the press box itself to let us stay. I guess they just took pity on us because we saw the 2nd half in comfort!

Roger • July 13, 2007 9:54 PM

I originally thought this was obviously a hoax. There was so much that didn't look right. As well as the things others have mentioned, these include:
* just 2350 lights? That's a 40 x 60 seat grid, way too small to cover the area where the message was supposedly displayed;
* supposedly, the 2350 devices with packaging, and 3 batteries fitted each, weighed 1/4 ton. Hmm, a AA battery alone weighs ~1 oz depending on type, so 3 x 2350 x 1 oz = 441 lb, either they took very tiny batteries or the rest of the stuff must have been _very_ light!
* the money doesn't make sense either; $10,000 for some brief advice from 2 lawyers -- who did he hire, Johnny Cochran? $20,000 for 2350 "cheap Chinese LED beer coasters" -- that's $8.50 each, wholesale! [see footnote] $800 to get a shirt embroidered with a 4 colour logo? (Real price, about $5 to $10.)
But John's writing style always includes a lot of irony, hyperbole, and just plain made-up bits (after all, he's a professional marketer!), so maybe those numbers were supposed to be part of the joke.

But after seeing "I'm a believer's" screenshots, I'm opening the door to the possibility that SOMETHING happened -- but the Zug crew screwed it up completely.

However, the screwup isn't just that the blue lights were far too dim and ended up randomly distributed; there also just aren't that many of them. For example in the first screenshot (which is the clearest) I count about 40 possible blue lights.The second, wider shot maaaybe has as many as 60 -- and on the basis of the 3rd, that seems to cover pretty well all of them. No wonder no-one can read a "message".

Hargrave claims that he got 2350 lights into the stadium. Either 97.5% of his (rather expensive) lights failed to work at all, or 97.5% of them never made it in, or something. (Or the whole thing is, in fact, a hoax.)

But, let's still give him the benefit of the doubt. What security lessons can actually be learned here? Actually, not very much. Hargrave didn't sneak in, as a legitimate marketing promoter he had actually secured a valid press pass after a background check (he rightly points out that the media are given a lot of privilege and power in the US, but hey, maybe that's the price of a free society.) His crew didn't sneak in either, he bought tickets for them. And he didn't "smuggle" his equipment in, it was presented at a security checkpoint, scrutinised rigorously (despite being presented by a security cleared white man in a suit), and allowed in only after being (correctly) identified as harmless. Note, incidentally, that the security screeners followed some of Bruce's advice here; even though Hargrave had been identified and had passed a background check, they based the screening on the potential for danger, not on his identity or race.

There may be at least one valid lesson, which comes from the inimitable Rob Cockerham. Rob found that even though the security passes had no special anticounterfeiting measures, and despite hours of work with Photoshop, he was not able to make fake security passes that looked convincing enough to pass even casual observation. So he came up with the clever idea of making a completely different "pass" which looked fairly professional but made no attempt to resemble the official ones. Because of the sheer proliferation of passes and badges of various kinds, no-one could identify them all by sight so this turned out to work quite well. (And it had the additional advantage that if caught, they couldn't be accused of forging an official document!) Clearly, in a scenario like this, there should be only ONE acceptable type of pass, and everyone should be able to recognise it on sight. If that had been done in this case, then even though it was just printed on laminated card without any special security features, it would have thwarted this $40,000 semi-legit intrusion attempt!

Another thing, I guess, is that it demonstrates that doing things on this sort of scale is really quite hard -- whether it be pranks or terrorist attacks. You can get a hundred details right, but miss one or two and a spectacular coup turns into a farce with all the armchair experts chuckling "incompetent dolts!"

Footnote:
1. "Sir" John Hargrave notes that he bought real tickets for most of his crew, but doesn't comment on how much they cost -- unlike everything else, where he gleefully exaggerates the price. However Rob Cockerham's description of the stunt says they were bought from a ticket scalper, probably at $2500 each. For each of 4 people. Plus plane tickets, car and van rental and motel rooms (on Superbowl day.) So now we know where most of the money went.

Neeyal • November 15, 2007 1:39 PM

Couple things, Roger, and I only read a couple parts of your posting.

1) They used AAA batteries, not AA. This is a significant reduction in your weight calculation.

2) Hargrave explicitly states that purchasing the tickets bumped his budget from $30,000 to $40,000 (and the two lawyers bumped his budget from $20,000 to $30,000).

Ironically, I haven't read your whole posting, but when critiquing someone else's work, try to at least pay attention.



Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..