
How I Socially Engineer Myself into High Security Facilities - wallflower
https://motherboard.vice.com/amp/en_us/article/qv34zb/how-i-socially-engineer-myself-into-high-security-facilities
======
jsnell
This was discussed 8 months ago (221 comments):
[https://news.ycombinator.com/item?id=15516526](https://news.ycombinator.com/item?id=15516526)

------
hguhghuff
Dunno, I just didn’t get the sense that this had the ring of truth to it.

It reads more like fiction.

~~~
aw3c2
Probably is, considering it's vice.com.

~~~
1337biz
Sad but true. What's coming post-Vice?

------
bootlooped
I think they went a little overboard on gifs for this article.

~~~
m0nty
Today's equivalent of meaningless clipart? But a whole order of magnitude more
annoying.

------
jbuzbee
High Security? I suppose it depends on context. But for real high security
facilities, a visitor is not getting past the first guard desk without an ID
check with the visitor's name being on a list that is maintained via secure
communication channels - facility to facility. And there are often multiple
levels of guard stations to pass through where this is repeated.

------
volkisch
This reads like some bootleg Mr. Robot episode.

------
caminante
2017 blog post.

Gross. The author explicitly brags about being "a terrible human being."

Aside from the sociopathy and embellishment, I get unease about the legality
of the means used, considering the agent was contracted.

I could've audited the security controls and arrived at the same deficiencies
without abusing people.

~~~
stale2002
I mean, the company pays them to do this. That's the whole point of pen
testing.

Nobody is going to pay attention to a 10 page report. They are instead going
to pay attention to the fact that the person successfully got into the
building.

~~~
caminante
You're assuming that a "10 page report" will not elicit a response? Are you
addressing a hypothetical or the situation as described in the post?

If so, then that's mismanagement. Poor managers suddenly "paying attention"
are unlikely capable of implementing proper controls.

Also, you're assuming these poor managers can contract well.

~~~
stale2002
Yes, that's what would happen. People would not take a report as seriously as
if someone actually went and broke into the system.

You can call it mismanagement, but humans aren't perfect. Humans are emotional
beings who, in many cases (but not all), will not take a threat seriously unless
someone goes and does it.

It is not even necessarily mismanagement either. It could just be ignorance.
I.e., someone can talk all they want about hypothetical vulnerabilities, but if
you aren't a security expert, you have no idea how realistic those threats
are, no matter what the pen tester tells you.

Who knows, maybe the pen tester really is being paranoid.

It is much easier to actually convince someone that something is a problem by
actually exploiting it. That's just an obvious fact.

And it seems like the pen tester in question agrees with me. Because she
didn't write a report. She instead broke into the system, and what do you know,
it worked in their goal of convincing the company that there was a problem.

If you will notice, the company in question really did think that everything
was secure. The pen tester really did need to do something extraordinary in
order to convince them. So she did, and it worked.

------
chirau
Francesca Abagnale :)

~~~
berbec
Hired by Hom Tanks?

------
jenhsun
Kevin Mitnick said that too.

