• Hilbilly Geek (unregistered)

    Oh, yeah! Symptomatic of all bureaucracies. Draconian rules, enforced arbitrarily.

  • keke (unregistered)

    what's the point? the guard probably knew he was coming?

    and who cares how he dresses? it's not like someone can't be a thief/scammer/hippie just because he/she dresses nicely

  • MX5Ringer (unregistered)

Can't believe this, the guard must have had some advance knowledge of this, and he must have known the guy collecting it (at least by sight). Security guards are always real little Hitlers, even on a mellow day they would rather watch you squirm whilst they make you wait hours double checking your clearance.

    CAPTCHA:- burned (They would have been!!)

  • Trained.Monkey (unregistered)

This is the reason why I am using a fully encrypted hard drive :-)

  • Tollebol (unregistered)

    Since when do security guards know where to find a server just by its name?

  • rooma rooma (unregistered)

    One year, during the Thanksgiving holiday, I had to do some work on the network of a private practice at a medical building that was run by a hospital. I was already in the area visiting family, so I went to the building on the off-chance that I'd somehow be able to get in before Monday.

    Everything was locked for the holiday, of course, but the hospital next door was open. I went to the front desk in my jeans and dirty sweatshirt and explained that I needed to get into the office to work on the computers. The head nurse on-duty was located, and she found a member of the janitorial staff to let me into the locked building and the locked office.

    Not big enough to be a WTF as this was only one practice, but similar enough to make the OP's WTF very believable. Many medical practitioners and their staffs just view HIPAA as a pain in the butt to be worked around or ignored. As an old boss once put it (when responding to me about a privacy issue on one of his systems), who's going to stop us, the HIPAA police?

    Captcha: tacos

  • HatTrick1914 (unregistered)

    Why take the server? I always have to go to the server, the server never comes to me. And I agree, the guard probably was aware he was coming.

    CAPTCHA: muhahaha

  • Ron (unregistered)

    I've done this before (perhaps not dressed as a hippie/terrorist), and, sometimes, it really is that easy. If you act authoritative and you seem to know the "lingo", you can get almost anywhere.

    I once:

    • Walked into a car dealership as a tech (I'd never been there before, only one guy knew I was coming)
    • Walked into a shared office where one guy was away (the guy whose computer was broken and who knew I was coming)
    • Sat down, asked a co-worker for his log-in password (it was "mustang")
    • Tried to get network connectivity (which included trips to the server room)
    • Asked for directions to their computer room/wiring area
    • Jiggled some wires, changed his patch cable
    • Went back down, unhooked his computer, and left with it (it needed a new network card)

    And this entire time, not a single person asked who I was or what I was doing. I was shocked.

    Captcha: bathe (crap, I knew I forgot something this morning!)

  • wcs (unregistered)

    The guard either had foreknowledge of the tech's arrival or he recognized him, or he wasn't bound for the datacenter security business for very long.

  • Sum-Yun-Gai (unregistered)

    This is similar to that transporting explosives on an airplane just to see if it could be done. There's no point in having strict regulations if people don't follow them. I sincerely hope this woman lost her job.

  • Tigress (unregistered)

    Far too common. I won't mention any details, but I did just that once, except that time it involved the laptop of a very senior member of management for a very large company.

    Not a single person challenged me, even though several people saw me working with that laptop, in the management person's office.

  • bob the dingo (cs) in reply to Tollebol
    Tollebol:
    Since when do security guards know where to find a server just by its name?

    or know how to power it down properly

  • MooseBrains (unregistered) in reply to Ron

    Part of social engineering. There was a case in Germany a while ago where some guy just donned a blue boiler suit, grabbed a cart and confidently walked out with one washing machine after the other.

  • Not There Anymore (unregistered)

I used to work at a big (a multi-city-block teaching) hospital system. Everyone had picture ID badges. What differentiated me and many others cleared to move hardware in/out of any building was a yellow dot sticker slapped on the badge. Walking out of an area with a $5,000 server? Wave your sticker-enabled badge at a security guard, and you're clear, you don't even have to talk.

    You could get a sheet of stickers at Staples for $1.99, which I am sure many people did.

  • dillon (unregistered)

WTF, all he needed was a badge that looked something like the hospital badge. I know a guy who does meat hacking for a living. He's used badges with Kevin Mitnick's picture and name on them. And has a woman whose badges say Ima Haxor.

  • phx (unregistered)

and there was that newspaper in Germany, that littered USB thumb drives in front of some bank offices. And then sat back and watched several employee computers log into their prepared IRC channel from inside the bank's extra secure intranets.

    Social engineering made easy. These thumb drives were rigged with trojans and almost everyone who found one plugged them in - into the first USB port they could find, their own office desktop, of course.

    CAPTCHA: onomatopoeia WTF? Try typing this three times in a row...

  • Changed to protect the guilty (unregistered)

Do you really think this is unusual? I work on a military base. This morning, I went to a secured building to turn on a port. The person on duty signed me in, then looked at me. "Do you have a clearance?" "Yes," I told him. "What level?" he asked. "Top Secret," I told him truthfully. "OK, then you get an unescorted badge. Go right on in."

    I see this type of stuff all the time. I don't even blink at it anymore. I went on in and did my job.

  • RichNFamous (unregistered)

    Hi Alex. I couldn't get you on the phone, but I'll be over in a few minutes to collect the TDWTF1337 server...we need to install some really WTF code on it.

  • anonymous consultant (unregistered)

    It is true...

    Just last week I went to do some work at a financial institution... walked up to the desk, said, "Hi, I'm XXX here to see YYY", and was given an all-access passcard.

    10 minutes later I was sitting in front of the main server-room KVM (having been shown there by the assistant IT manager - the IT manager - YYY - was not there that day).

He supplied me my domain-admin password... and another 20 minutes later, I found myself - by accident - logged into the main alarm control computer (hit the wrong button on the KVM). I only realized when I thought "hmm... this does not look like where I meant to go..." and looked at the server name. Interestingly, all of the other servers were given obfuscated names, but the main alarm control machine was named "main alarm control".

    Well, I freaked out - went and found someone who appeared to be senior - told them what I had done... made them write it down, etc. I know it is probably paranoid, but I at least hope there was some monitoring going on and that my login would set off an alarm or red flag at some point.

    I have to say that part of me was glad that it made my day and tasks very simple, but part of me was thankful it wasn't my bank (although I am sure there would be stories there that would make me consider pulling all my money and stuffing it under my mattress).

  • maht (unregistered) in reply to bob the dingo

power down: press the power button. FreeBSD & OpenBSD do a sync / halt, then power off. I presume other OSes can use the 8-year-old ACPI API too.

    Since when do security guards know where to find a server just by its name?

    Probably by the BIG STICKER on the box / rack.

    captcha - tacos "the spiciest OS you'll ever use"

  • Stormy (unregistered)

    Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information.

    CAPTCHA - "pinball" - I have Medieval Madness and Twilight Zone.

  • prilmeie (unregistered) in reply to maht

    Since when do security guards know where to find a server just by its name?

    Probably by the BIG STICKER on the box / rack.

    I work in a datacenter where you can spend days looking for a server if you just know its name.

  • imk (unregistered)

    I work at a Behavioral health care facility. We don't have security guards anymore. Why? Because we tended to have more problems with the security guards than we did with our customers. If anyone was going to steal our servers, history told us it would be the security guard. The last one we had assaulted his manager when said manager was telling him about the complaints she had received about his "creepy" behavior.

  • tofu (cs)

I once had to move a file server from one building to another (there was no massive data server at this school, just a few comm closets). So I waited until a little after 5:00 on a Friday, and I pulled it out of a rack and walked out the door.

    Just a couple of weeks earlier, someone had stolen two very expensive Proxima projectors from the lecture halls in the building I was leaving. The security guards were in big trouble because they had failed to check the doors all weekend.

    So here I go, leaving a building, with a nice 2U Dell PowerEdge. I pass the security guard on his way into the building. He doesn't know me, I don't know him. I could have been a student. I could have been anyone. I say, "hi, what's up." He says, "hey" and that's it.

    I lolled.

  • sammybaby (cs)

    Happens. All. The time.

  • pjabbott (cs) in reply to Not There Anymore
    Not There Anymore:
    You could get a sheet of stickers at Staples for $1.99, which I am sure many people did.

I had a similar situation at a city government where I used to work. If you passed the police security clearance (required to do any IT work for the police department) you got a capital "P" on your ID badge. It was a generic, Arial-style letter that could easily be faked by one of those sheets of letters on wax paper you rub with a pencil to apply.

  • ima haxor (unregistered) in reply to imk

    Umm, ok. Your facility has some serious HR problems.

  • NoneRightNow (unregistered)

    Wear a jump suit and carry a clipboard, and you can go nearly everywhere.

    Captcha: Ninjas (Yeah, those black suits work, too).

  • poochner (cs)

As for banks, all I can say is I was working on a system for a bank as a sub for their security contractor. I needed to do some work during the time the bank was closed. They gave me a key and told me how to work the alarm. Yes, small bank, but still... WTF?! indeed.

  • jo42 (cs) in reply to phx
    phx:
    These thumbdrives were rigged with trojans and almost everyone who found one plugged them in - into the first USB port they could find, their own office desktop, of course.
This is why I have a .reg file that turns off autorun on all devices that I install on all of the machines I set up. Another True Stupidity(tm) brought to the world at large by Microsoft.
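For readers who want to do what jo42 describes without hand-editing the registry, here is an added example (not jo42's .reg file and not anything from the article): a PowerShell snippet that sets the two Explorer policy values Windows honours for AutoRun and then reads them back as an audit. It assumes an elevated PowerShell session on Windows; the key path and value names are the standard ones, the function names are my own.

```powershell
# Added example: disable AutoRun for every drive type via the Explorer policy
# key, then audit the result. Assumes an elevated (Administrator) session.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRunPolicy {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # NoDriveTypeAutoRun is a bitmask, one bit per drive type; 0xFF sets every
    # bit, so removable, fixed, network and optical drives are all covered.
    Set-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 makes Explorer ignore autorun.inf altogether, closing the
    # gap that the older bitmask alone left open on some Windows versions.
    Set-ItemProperty -Path $PolicyPath -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutoRunPolicy {
    # Returns the current values plus a single pass/fail flag for a baseline check.
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun
        NoAutorun          = $props.NoAutorun
        AutoRunDisabled    = ($props.NoDriveTypeAutoRun -eq 0xFF) -and ($props.NoAutorun -eq 1)
    }
}

Disable-AutoRunPolicy
Test-AutoRunPolicy   # AutoRunDisabled should read True after the change
```

The audit function is the part worth keeping in a baseline script: the setting is easy to apply once and just as easy to lose to a later image or group-policy change. Note that this only stops Windows from launching anything by itself when a drive is inserted; a file the user opens deliberately still runs, which is a separate control (application allow-listing, or simply not mounting unknown media).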
  • Bob (unregistered) in reply to poochner

My one experience with inadvertent "social engineering" occurred when I was an undergraduate co-op at a minor computer company.

    The day before my last day of work, I was delighted to learn that a nearby department had received a new shipment of manuals...one set per person...for some chip design package. I scooped up the empty boxes, nested them and carried them out. The security guard stopped me, complained that I did not have a permission slip to take out these boxes & proceeded to search each one.

The next day I was asked to take a copy of some design documents for their next big system in case the person taking over for me had questions. I did have the requisite permission letter as well, but the guard just waved me through this time.

  • aaron (unregistered)

    "Listen I'm in big trouble, you know anything about computers? My BLT drive on my computer just went AWOL and I got this big project due tomorrow, and if I don't get it in he's gonna ask me to commit hari-kiri"

    captcha: KUNGFU! The legend continues!!!

  • anonymous (unregistered)

"This is why I have a .reg file that turns off autorun on all devices that I install on all of the machines I set up. Another True Stupidity(tm) brought to the world at large by Microsoft."

    Auto-run wasn't the problem. People being curious was. They would run whatever was found on the thumb drive to see what it was.

  • PeriSoft (unregistered)

    Reading stuff like this makes me rue my morals. I could be making so much money...

    CAPTCHA: Gotcha. Would have if I were unscrupulous...

  • Benjamin Smith (unregistered) in reply to Trained.Monkey

This is why I'm using a fully encrypted hard drive :-)

    Which is only going to protect you if the machine is powered down first...

  • nobody (unregistered)

    I have heard similar stories. Someone walks in wearing a blue uniform, says "I'm from the phone company". Even has an ID that says "The Phone Company". And he's let in - all the way to the phone closet.

    I heard that story when I worked at a building where people's checkbooks were disappearing. One day, someone noticed a security guard in the cube area. A few hours later, a checkbook was missing where the guard was seen.

    New rent-a-cop company, and no more missing checkbooks. (The servers of that day were a bit hard to steal; even a Vax 730 was half a rack.)

    So this story is quite believable to me.

    At home, I'm protected rather well. Standard poodles (50-60 lbs) are very protective.

    Captcha: stinky. Describes this "security" well.

  • sir_flexalot (cs)

    I've seen that a million times, what's surprising is that sometimes people know enough to stop and check, and other times people just let them right in. I guess it's security by random inspection...

    Also, the more/less accurately and in detail that you can describe what you need, you may bypass that person's guard for some reason. In some instances, a super detailed description is required, but in my experience, the most vague possible reason is bafflingly the most widely accepted. "I need to pick up the server thingy" would probably work 99% of the time!

  • proud mama (unregistered) in reply to nobody

At home, we put all of the kids' movies on the computer. We made a login just for them that just has a big icon for each movie on the desktop. We leave it up by default so they can toddle in and launch whatever they want without bothering us. They can't read or write yet but this they were able to master pretty quickly - go figure.

    Heaven help anyone who shuts that thing down in the middle of a movie - the screams - pretty good burglar alarm...

  • akatherder (cs)

    I usually throw my wallet in my computer bag so I don't have to sit on it all day. It seems to hurt my back, and it's uncomfortable at the very least.

Co-worker: You just leave your wallet in there all day? Me: Yeah I don't like sitting on it. Co-worker: What if someone steals it? Me: I once got mugged when I was in Flint. This poor, dirty, disheveled man walked up behind me and told me to give him my wallet. I didn't know if he was armed so I pulled it out and handed it to him. He took off running down the street peeking into my wallet. He stopped suddenly and turned around, walking back towards my direction. He handed my wallet back to me and apologized, then gave me directions around the block to a shelter.

    This was back when I was grossly underpaid and liked giving my co-workers and management guilt trips about it. This story actually happened, but the mugging was entirely made up.

  • Pap (cs)

    When the guy comes through the door and asks for the "PRDSEC08 server", and the guard is apparently familiar with that particular server, then that's honestly good enough of a confirmation for me.

  • Mr Ascii (unregistered)

    Rules only inconvenience those who obey rules.

    At my last place of employment you had to have a permission form to take equipment out of the building after hours. A VP was taking his personal inkjet home one evening (without a slip) and was stopped by the guard. The VP (rightfully) pointed out that people walked in and out of there with $2000 laptops all the time but he was getting stopped for carrying out a $100 printer.

  • Harrow (unregistered)

    In 1965 I was a sergeant in the Air Force and was posted to NSA as a radiotelephone traffic analyst. My badge was not ready when I first arrived so I made my own and used that for three days.

A few weeks later I felt confident enough to complain about the poor badge security but nobody was interested. I even dug out the fake badge and changed the picture to one of Adolf Hitler, and went in and out the main gate with it twice before being stopped. My boss and my commander told me to stop screwing around and get to work.

    -Harrow.

  • odweaver (unregistered) in reply to Tollebol
    Tollebol:
    Since when do security guards know where to find a server just by its name?
    Since they were notified in advance and given instructions? Security guard does not equal incompetent.
  • Jno (unregistered) in reply to Changed to protect the guilty
    Changed to protect the guilty:
Do you really think this is unusual? I work on a military base. This morning, I went to a secured building to turn on a port. The person on duty signed me in, then looked at me. "Do you have a clearance?" "Yes," I told him. "What level?" he asked. "Top Secret," I told him truthfully. "OK, then you get an unescorted badge. Go right on in."

    I see this type of stuff all the time. I don't even blink at it anymore. I went on in and did my job.

  • anonymous coward (unregistered) in reply to Pap
    Pap:
    When the guy comes through the door and asks for the "PRDSEC08 server", and the guard is apparently familiar with that particular server, then that's honestly good enough of a confirmation for me.

    My thoughts exactly. How many random hippies know about a PRDSEC08 server in that hospital?

  • CodeWhisperer (cs)

    Metal t-shirt & jeans + long hair = Dressed like a hippie?

Tie-dyed t-shirt, maybe. :)

    "Yeah man, I saw this long haired freak wearing a Hanson t-shirt, he looked like a total head-banger"

<rolls eyes>

    -cw

  • Jno (unregistered) in reply to Harrow
    Harrow:
In 1965 ...I even dug out the fake badge and changed the picture to one of Adolf Hitler, and went in and out the main gate with it twice before being stopped... -Harrow.
    And still it goes on. I went to check into a UK military base a little while back, presented my pass, and saw that the badge the security guard was wearing had a likeness of Yoda on it. The guard was not Yoda. "Hey, there'd be a sense of humour failure if I tried that", sez I. Not-Yoda looked puzzled, and I pointed at his badge. "WTF?". All his mates were falling around laughing: they'd doctored his badge the day before, and I was the first to mention it.
  • Florian (unregistered)

    That's weird: my name is Florian, I need a haircut, I'm in my twenties, and look a bit like a hippy.

    I wonder if this is a sign of things to come?

  • Anon E. Mouse (unregistered) in reply to MX5Ringer

    Well the OP escapade did prove that the server needed more security...

CAPTCHA: cognac -- After reading these, I could use some.

  • Jno (unregistered) in reply to Jno
    Jno:
    Changed to protect the guilty:
Do you really think this is unusual? I work on a military base. This morning, I went to a secured building to turn on a port. The person on duty signed me in, then looked at me. "Do you have a clearance?" "Yes," I told him. "What level?" he asked. "Top Secret," I told him truthfully. "OK, then you get an unescorted badge. Go right on in."

    I see this type of stuff all the time. I don't even blink at it anymore. I went on in and did my job.

    This was me hitting return before I had put anything into the message. Sorry. However, it got posted, even though I had not done the CAPTCHA thing. WTF is that all about? I'm off to see if a shell script can consistently get those dumb first posts...

Leave a comment on “The Direct Approach”
