Wednesday, November 05, 2008

Social engineering failure

The running joke is that if you've got a tape measure or clipboard and look like you know what you're doing, you can generally go anywhere and do anything unchallenged. This is actually mostly true in practice; looking like you've got a clue will get you just about anywhere except at facilities with actual military-style controls in place. This is all social engineering; we're trained to accept authority at face value.

I mention this because I had a social-engineering failure this week, possibly for the first time ever. We had a new exhibit load into the Artsgarden this week, and when I started unloading pieces, I had someone ask me who I was, what I was doing there, and why I was taking artwork off the truck. It was a valid question; I had no identification, I look a bit scruffy, and the guy in charge didn't introduce me. But still, it was shocking to actually have someone violate the looks-competent rule and ask me what I was doing.

I think one reason live-interaction social engineering scams work is that authority figures make it so painful to question them. The right kind of person will make you miserable for doubting them (I almost did, but fought the urge), so you tend to err on the side of avoiding the pain. I watched this happen a few years ago at a concert. Everyone had to show a badge to get into the stage area, and the production manager tried to bully his way past the guard without showing ID. He actually pulled a "Do you know who I am? I'll have you fired!"; I thought that only happened in bad TV shows. But the guard stood her ground and called the supervisor over before she'd let him in. And, true to his asshole word, he tried to have her fired. The facility manager didn't fire her; he explained to the PM that it wasn't company policy to fire people for doing their job. But he did reassign her (as much for her benefit as the PM's, I suspect) to an area where she wouldn't have to see him for the rest of the night....

1 comment:

Clint said...

I like the response about company policy to not fire people for doing their job. In this particular case, moving the security person elsewhere so that she didn't see the PM again might count as a perk.

Because I hate that kind of person, were I the Facility mgr, I might write up the incident and suggest a raise for the guard.