Social engineering (by alaric)
Bruce Schneier's blog as an article on a recent diamon heist carried out purely through social engineering. No high-tech descending on wires through skylights, gymnastic climbing through nets of laser beams, or reprogramming advanced electronic locks. Nope, the perpetrator just earnt the trust of the staff by appearing to be a nice harmless guy.
No amount of snazzy technology can prevent this kind of thing. Sure, you can make it harder in some ways, but people will still be the weakest link.
My suggested solution to this kind of crime is to make it everybody's civic duty to test security systems. Teach social engineering at school. If somebody is caught in an attempted non-violent non-property-damaging security breach attempt, congratulate them. If they manage to pull one off and get away with it but then fail to report the fact, throw 'em in jail - but if they DO report it and turn the goods back in, they get congratulated and a reward from the victim's insurance company.
Sure, this makes an actual malicious robbery slightly less risky (as long as you don't damage anything or anyone during the attempt, which is clearly against the rules of a good-natured security probe), since if you get caught in the act you can say it was just for fun and you'd have handed in the winnings if you'd not been caught, but actual successful robberies at that level are rare. And with a segment of the population worrying at any possible security hole in search of a finder's bounty, there'll be less security holes to exploit, and the staff will be a lot less trusting of nice folks...
Crypto / security | alaric | 
Wed 21st Mar 2007 11:55 am
Subscribe
By Ben, Wed 21st Mar 2007 @ 12:27 pm
All good apart from the bit where governments would have to go against the best interests of large corporations, who are quite happily reaping the benefits of other people paying for their lack of security.