
Bad choice as an example of social engineering, not funny, and doesn’t make sense at all.


I don't think that it was a joke or made in bad faith - rather to demonstrate the logical extreme.

Essentially that the logical extreme of dropping computer-destroying USBs to demonstrate that one shouldn't plug strange USBs in the first place is akin to destroying an office that you talked yourself into to prove that you shouldn't have been let in in the first place. Perhaps "shooting up" was a tad too far, but with charity it's a reasonable point nonetheless.


Right, it wasn't supposed to be a joke, and the intended argument was that hiring a gunman as social engineering training makes as much sense as using a computer-destroying USB stick as physical security training—so yes, it was supposed to be a bad example of social engineering.

Using a computer-destroying USB stick as an example of physical security threats misunderstands the nature and motivations of attackers. Everyone past childhood (and some in childhood, sadly) understands that there are a few people in this world whose motivation is to cause destruction and hurt simply because they find destruction and hurt enjoyable in themselves. They also understand that such people are rare, and that their threat modeling (which everyone does, even if they don't call it that) should rationally respond to such people by almost ignoring them—otherwise you find yourself not leaving your house for fear that there's a gunman on your block.

The motivations of people who want to actually get something out of you are quite different. They're not interested in destruction, because that would harm their target. They're usually interested in being undetectable. A social engineer will pretend to be locked out, ask meekly to be let in, and behave like a normal employee until they get what they need and leave normally. Defenses like "don't let people tailgate" work for those people. A gunman will just shoot you, break the door, ignore the alarm, and keep shooting until the cops kill them.

Similarly, someone who's trying to attack your business with a malicious USB drive will give you a USB drive that appears to be a normal one, that maybe pops up a terminal window very briefly and then disappears. You likely won't notice that you made a mistake, and you'll probably see an actual drive pop up on screen. Someone who's trying to attack your business will generally not give you a USB drive that destroys your computer immediately. (For most businesses, computers are not worth much compared to the secrecy of the data they contain, anyway, which is why full-disk encryption is a reasonable defense; it assumes that a computer might be lost and that this is recoverable.)

So a good security training program should say "These are ways where people might try to subtly break in to gain access that you might not have thought of before," not "Sadistic sociopaths exist, wear plate armor at all times."
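The comment above describes the realistic malicious drive: it mounts as an ordinary storage volume while briefly typing commands, so the victim sees nothing wrong. On the defender's side, one observable of that pattern is a single USB device that enumerates as both mass storage and a keyboard. The script below is an added example, not code from the thread or from any product: it parses constructed log lines (modeled loosely on Linux kernel USB messages, not captured from a real machine) and flags devices that present both interface classes. The vendor/product ids, port numbers and product names are all made up for the sample.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, modeled loosely on Linux kernel USB messages
# (assumption: this shape is close enough to real dmesg output to be useful;
# the ids, ports and names are invented). Port 1-2 is a plain flash drive,
# port 1-4 is a plain keyboard, and port 1-3 is the suspicious case: it
# announces itself as a "Flash Disk" but also registers a HID keyboard.
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=0781, idProduct=5567
usb 1-2: Product: Cruzer Blade
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=1b4f, idProduct=9208
usb 1-3: Product: Flash Disk
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:1B4F:9208.0001: input,hidraw0: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-3/input1
usb 1-4: New USB device found, idVendor=046d, idProduct=c31c
usb 1-4: Product: USB Keyboard
hid-generic 0003:046D:C31C.0002: input,hidraw1: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-4/input0
"""

# One regex per message type we care about. The hid-generic line does not
# carry the port, so keyboards are joined to their device by vendor:product id.
NEW_DEV = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(
    r"^hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: .*\bKeyboard\b"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    classes: set = field(default_factory=set)  # interface classes seen so far


def parse_usb_log(text):
    """Build a port -> UsbDevice map from the log, recording each device's
    product string and the interface classes it registered."""
    devices = {}  # port -> UsbDevice
    by_id = {}    # (vid, pid) lower-case -> UsbDevice, for hid-generic lines
    for line in text.splitlines():
        if m := NEW_DEV.match(line):
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            devices[m["port"]] = dev
            by_id[(m["vid"], m["pid"])] = dev
        elif m := PRODUCT.match(line):
            if m["port"] in devices:
                devices[m["port"]].product = m["name"]
        elif m := STORAGE.match(line):
            if m["port"] in devices:
                devices[m["port"]].classes.add("mass-storage")
        elif m := HID_KBD.match(line):
            dev = by_id.get((m["vid"].lower(), m["pid"].lower()))
            if dev is not None:
                dev.classes.add("hid-keyboard")
    return devices


def find_suspicious(devices):
    """A device that is both a storage volume and a keyboard is worth a
    closer look: a legitimate flash drive has no reason to type."""
    return [d for d in devices.values() if {"mass-storage", "hid-keyboard"} <= d.classes]


if __name__ == "__main__":
    devs = parse_usb_log(SAMPLE_LOG)
    for d in find_suspicious(devs):
        print(f"port {d.port}: {d.product!r} ({d.vid}:{d.pid}) registered {sorted(d.classes)}")
```

This is a heuristic, not a verdict: some legitimate composite devices (security keys with a storage partition, for instance) trip the same rule, so the output is a candidate for review rather than an automatic block. The hidden keystrokes themselves are not visible in enumeration logs, which is exactly why the comment's point stands: the user will not notice, so detection has to come from the endpoint, not from the person.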



