Log in

No account? Create an account

Previous Entry | Next Entry

I don't want you to trust me

People are remarkably trusting creatures. Even in post-9/11 America with W's fear machine cranking out terrorism alerts every time his poll numbers drop, people still generally trust other people.

Case in point: today I was out and about in the City with Pat, one my network engineers. We were visiting the three new magnet schools that started up this fall to validate our inventory data and check for any outstanding work to be done. One of the schools is operating on the campus of a local university. The T1 line that connects the magnet school to the City network terminates in a building a couple buildings away from the one the school occupies. We walk in, find that the door to the basement (where our equipment is installed, along with the university's network gear) is locked, and go hunt down a random secretary.

We find someone working in a ground-floor office. I've never met her before, Pat's never met her before. She doesn't know us from Adam's off ox. Yet, we say "Hi, we're from the City public schools IT department, do you have a key for the basement?" and without even a glance at our IDs, she's off searching for someone in the building with a key. The man she finds who knows a back way into the basement never even asks who we are or why we're there. We could have been thieves, vandals, or FBI agents planting a wire tap. We just asked nicely and complete strangers were happy to let us into one of the inner sanctums of their network.

It's reassuring to know that we still live in a largely open, trusting society. It's also darn handy when we have to get into somewhere that we don't have keys to. But the part of me that's paid to think about infrastructure and physical and electronic security cringes when these things happen.

Back in the mid '90s there was a crew in New York running a scam where they showed up in a building just before five PM wearing AT&T polo shirts and carrying a clipboard. They'd say they were from AT&T, and were dispatched to fix a phone problem. Staff would let them in to their phone room and then leave for the night. In the morning they'd come in to find that the thieves had made off with all of the cards in their PBX.

I can, without exercising any imagination at all, see this happening in any number of the municipal buildings or schools in the City. In the schools at least we'd have a fake name on the visitor's sign-in sheet. Our desire to trust and to be helpful is the fundamental piece that makes social engineering such a powerful tool for intrusion.

I like being one of the technical ghosts of this world. I like being one of the people who knows where all of the back rooms and underground passages are. I would be inconvenienced (and somewhat put out) if secretaries started really checking IDs and making sure that you belonged where you say you belong. But, damn, why bother launching a 'cyber attack' when you can just walk right in the door?


( 4 comments — Leave a comment )
Sep. 22nd, 2004 06:33 am (UTC)
I've discovered that I can walk into any building in las Vegas, as long as I'm holding a clipboard.

Skeery, huh?
Sep. 23rd, 2004 03:17 am (UTC)
...Add a handtruck with a big box from Dell or IBM and not only will they let you in, but they'll hold the doors open for you!

That was my experience in the early '90s working for CCC; the guards at our corporate customers wouldn't let you past the front door without an escort from their staff, but if you rolled up to the loading dock in a van shazam -- you could go anywhere on your own recognizance as long as you had something that passed for paperwork.
Sep. 23rd, 2004 05:37 am (UTC)
Now I'm wondering if security protocols are tighter at, say, the hospital than when I worked there....
Sep. 24th, 2004 03:13 am (UTC)
Hard to say...
Looking around the City, it seems like most of the pre-9/11 laxitude has returned. There was a lot of paranoic extra security laid on in late '01 and into '02, but all of that security is tres expensive. So, there are a lot of bored guards asleep at their desks again. OTOH, when DHS pushes the Threat Advisory up to orange you do see a extra cops and guards...
( 4 comments — Leave a comment )

Latest Month

January 2017


Page Summary

Powered by LiveJournal.com
Designed by Lilia Ahner