Slashdot Mirror
Undercover Hacking, For Money
Dollyknot writes: "Amusing story of a guy employed by IBM to check companies security out by trying to con his way onto their premises." This sounds like a fun job, to say the least, and supplies at least two good reasons to own a digital camera.
Does anybody here remember the movie Sneakers? It's a bit old (1992), but still very good. A team of guys normally hired to physically break into places to prove it can be done and find weaknesses in security are hired for a slightly more illegal mission than their usual fare -- to steal a mysterious black box from a famous mathematician. While screwing around with it, they find it is a mathematical wonder capable of bypassing any US encryption system. Great geek movie, and definitely underrated in this review. =-)
Is most of the time the Human one. This story just proves it. I have plenty of times used talk my way into places I should not have. Either because I was just a familar face (but not one that should be where I am) or I just seem like I should be there. That would be a fun job to have. Well have fun ppl
Expecting ordinary employees, and even receptionists, to function as guards is absurd. There's no way to know who is supposed to belong in a big company, and who the hell has time to play company cop? give me a break. Put guards at the doors you don't want the wrong people going through.
---
SCO is weenies
Gator is Spyware
Microsoft is thugs
god save us all if they send a pretty woman into a programming house full of single geeks.
/\/ 3d J00!" for kicks.
Might as well just change all the screen savers to "We 0\/\/
Not that it has ever happened to me, mind you.
(ok, ok, the escorting a pretty girl part, but not the screensaver part. I did get griped at and rightfully so)
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Just wear a pizza delivery shirt and carry a big red bag.. Never fails, everyone trusts the pizza guy..
Death and poverty like me so much, they've brought friends!
as if i'm not paranoid enough!
He doesn't mention in the article whether any of them use layered security. As you cannot expect humans to be infalliable, shouldn't layers be built up around critical infrastructure, so if they get past reception or the first security door, they still don't have full roam of the business. Extra security should be provided around critcal points such as server rooms, closets etc, and a limited number of people provide access, and know reason of letting the serviceperson have access.
What if they suddenly tell you "Oh, there you are. You have a company presentation in 5 mins... come with me..." erm oO(OH SHIT) :)
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
If I was Paul (from the article) and I really wanted to be bad, I'd replicate the 'get out of jail free card' and then look for work in corporate espionage for competitors. I'd go and break in to the same company again, and if I got caught, I'd just use the card to walk away.
At my last job, my boss was very slow in getting me an ID badge, even a temporary guest pass, so that I could swipe myself in. Employees should have one immediately, but it took him over 3 weeks to get me a temporary badge. So what did I do in the mean time? I snuck my way into the building, every day.
For the first few days, I had security let me in, but they got real frustrated with checking me in. So every morning, I would park my car, get out, and start towards the side door, which happened to be closest to the IT department. I would then try to find someone who was walking towards that door and high-tail it behind them.
If no one was going into the building at that time, I'd stop, pretend to take a phone call on my cell, or tie my shoes repeatedly, until someone walked past me, and then I'd just walk quickly behind them so they would hold the door for me.
Not once during those 3 weeks did I ever get questioned by anybody, which surprised me greatly, especially considering I was about 20 years younger than anyone else at the company, and I have facial piercings.
The moral of the story is that the overall trusting nature of humans is very easy to exploit, and this guy obviously shows off that point on a daily basis. Maybe we all should be a little more wary...
Everyone owns shreders(not the Ninja Turtle kind) nowadays...Even I don't let potentially important info go into the trash without being shreded. It's *very* difficult to get information off of a sheet of paper that's been through a crosscut shreder.
If you liked this story on physical hacking I suggest a trip to infiltration.com. It contains guides and how-to like articles for sneaking into hotels, exploring hospital, derelict buildings and the like. Excellent reading for the armchair sneaker
You'd be surprised how many large corporations employ folks in their security departments who's sole purpose in life is to break into company sites, or data, or their partner's sites. The guys who do Physical Security rely on Social Engineering like this guy is reported to do, or even simpler means like tailgating or even trying to pick the lock.
It's pretty cool, but there's a lot more time writing up reports about the intrusion than there is actually doing intrusions.
Never attribute to malice what can as easily be the result of incompetence...
Probably applies to college dorms everywhere, but it was the same at Georgia Tech. Getting into someone else's building was easy as pie. The exception of course is guys getting into the girl's dorm buildings. Other way around, we'd roll out the red carpet for the lovely ladies...
Dyolf Knip
..would be if a company were to pay to sabotage a competitor's web site.
I suppose that whole illegal thing gets in the way. Alternatively, it sure would be nice to be paid to test a company's security.
It-a-not-a-worka-for-some reason
I think there's a glitch in their DNS registration. Try here.
Dyolf Knip
Any good hacker knows the way into secure systems is through the weakest link: humans.
So, of course the US Gov't spent the past 10+ years evisserating the hum-int in favor of carnivore-type el-int. No wonder we didn't have a clue.
-- @rjamestaylor on Ello
The danger would be if you couldn't get ahold of a real pizza delivery outfit for some reason
Easy. I worked at Papa Johns for quite a while and they always had old shirts and hats sitting around. You could sneak in and grab some or just get a job for a week and never take yours back. I still have mine, for instance. The hot bags and car tops would be a tougher deal, though you could steal some from a delivery car when the driver's not looking. They really hate that, lemme tell you.
Dyolf Knip
I wouldn't be a bit surprised to find that it came from an episode of the old "Rockford Files" television show. He (Jim Rockford) did stuff like that all the time, and it has the ring of the dialog they used to write for the character.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I work for Corporate America
In one sentance our values dictate respect for our fellow employees.
In another, we are to firmly question anyone that 'does not belong' or is unexpected
Recently our company hired a new diversity 'expert', and she was 'aghast' at the way fellow employees treated each other in the hallways
Now I ask all of you sentinent people... how should we react when confronted with someone we neither recognize nor know, and how do we fullfill both of the philosophies?
I used to work in a secure area, where if someone knocked I'd let them in but question and deliver them to the person they wanted... but now it's an open area- thus I don't exactly know the 250 people I now work with. Frankly the stress isn't worth it- any single one of them could be an auditor waiting to 'sneak up' and get you reported to upper management- it isn't fair.
Although this article definetly shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBS's about social engineering.
Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.
Another strange thing was the departmental library. It was actually located within the building that I worked in on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them acccess to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.
Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the mostpart, but I won't get into the whole weakest link discussion.
I say this man goes to too much trouble to infiltrate these offices. At my former office, a bum walked in off the street, went straight through reception and out the back door with a $3000 laptop full of somewhat confidential information. Just some smelly guy in a dirty trenchcoat. I wonder what the receptionist thought when he passed by; that he was a programmer?
Even as you read this, your pants are strangling your loins! Aaa!
the website is www.infiltration.org they haven't put out new issues for a well over a year now though. shame...great site.
If the Jargon File is anything to go by, this isn't exactly something IBM has only started doing recently.
The entry on Tiger Teams provides the definition; the entry on patches gives the example story:
Repton.
They say that only an experienced wizard can do the tengu shuffle.
There are a few ways to make a complex secure:
1: Require cardkeys to park a vehicle. This makes it more inconvenient for an attacker. Better yet, require an ID badge to bring a vehicle into all premises except for deliveries (restrict to a small area).
2: Think choke points and isolation levels. Always assume that at least one level of security will be broken and plan for it.
3: Keep the teams that have access to high security areas small and ensure that they know eachother. This helps there.
4: Electronically monitor server rooms. Cardkey and camera should be used for surveillance and there should not be a reason for maintenance workers to have access to the server rooms at all.
This means no garbage cans permanently stationed there. If janitors have access, then they become the weakest link...
I am actually surprised how many problems people have protecting their server rooms...
LedgerSMB: Open source Accounting/ERP
Anyways, this building was almost totally insecure. They've got a bank of elevators with two entrances, north and south. In the day you can walk up to either, say that you're a consultant and forgot your page, sign a fake name and a random floor number and you're in. At night this isn't neccessary- they close one entrance and the sole guard is almost always napping. Reach over the desk to hit the door unlatch and there's a whole building full of computers awaiting you, with a loading dock you don't have to pass security to get to.
I'm sure they knew this when I worked there: I showed up one day to find my monitor moved from atop my PC and the case ajar. I opened it up, and found that someone had taken all my RAM.
check this 'zine out: Infiltration It's about different ways to break into and explore urban areas ... pretty f*g cool
Same things happened at my former employer. Before I started there, a dude posed as a delivery person, carrying a large box. He got someone to open the door for him who then went back to their business without a thought. This guy picked up a few laptops from empty offices (this was at lunchtime one day) and presumably put them in the box and took it back out with him. He also ransacked one woman's purse. He made off with several PowerBooks, and went on a spree at the shopping center across the highway from the corporate park, using that woman's credit cards. This resulted in the company spending thousands on strong magnetic locks for the doors, controlled by numeric keypads that logged our codes.
Fat lot of good those did. While I was still working for that company, someone made off with a brand new combination TV/VCR, probably by waiting until the evening cleaning crew left the door unlocked. After that theft, my boss and I put in a passable security camera system consisting of some dinky yet highly visible cameras trained on the office doors, and one watching the door to our equipment storage and server room, from inside the room. We ran the camera inputs into a 4-way combiner, and then into a spare Mac with a video capture card and running webcam software that snapped a picture when movement was detected during non-business hours. Nothing further disappeared, though the system did catch some amusing photos of me staggering around the halls the morning after my 27th birthday party, when I crashed in my office.
I've been gone from that company for almost a year but I still talk to friends there. I heard that a month or so ago, employees of a different location of the same company (without security cameras) came in one morning to find about 10 Dell laptops were gone, ripped out of their docks by a guy who waited for the cleaning crew to start working and slipped into the offices. The company's solution to that one: All laptops must now be taken home at night.
~Philly
One word: Goodwill
Uniforms from everywhere can be found there. Just wash em to get that "cap'n crunch" smelling laundry detergent out of 'em (no reference to 2600 man, but to the cereal)
I've seen security uniforms there...
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Having worked at IBM SSD here in Tucson, I can tell you for a fact that Big Blue takes their security very, very seriously.
I worked out on the floor -- Your typical raised-floor temperature controlled room, except on a very large scale. Without going into specifics, getting to work was always fun when it came to security. You have to go through a human checkpoint, then one card-access doorway, then another combination human/card-access doorway with a tailgate alarm.. At each point along the way you're monitored on cameras mounted in the ceiling Occasionally, if your badge doesn't work, a voice comes over the loudspeaker where you are and asks you to hold up your photo badge so they can confirm who you are before continuing.
My favorite story comes from one of my old floor bosses at IBM. He used to work for a defense contractor out east in New Jersey, right off the turnpike. He claims someone got busted sitting on a highway overpass with a camera and telescopic lens attachment, photographing the blackboards inside the plant. "Thats why all the exterior windows have reflective tint nowadays. Its a safety measure."
Fun stuff.. I miss IBM like you wouldn't believe. Friggin awesome company to work for.
Cheers,
Bowie J. Poag
I wonder if small companies (30 people) are more secure than large companies. A common theme between the article and posts are that no one knows who works in their own company. But in a small office, everyone knows everyone, and a stranger is obvious. It's also usually known by when someone is expecting a visitor, so an unexpected drop-in would also be obvious.
Are small companies less resistant to social engineering, because of greater employee "intimacy"? If so, how can this be utilized at larger companies to increase security?
ShoutingMan.com
If all you have to get past are other students, then carrying anything that looks like a present works pretty well for getting into girl's dorms. Assumming you are trying to meet up with someone in particular, and you know where in the building they are, it's not hard to get complete strangers to escort you.
;-)
Thankfully most dorms are becoming coed which only makes things easier.
I'm not surprised that it's this easy.
One cause is companies, despite security policies, routinely violate them themselves. You may say that a receptionist/guard/etc. is to challenge all vistors and ask for ID, but the first time they do that to a senior executive or VIP from out of town and get smacked down for it, they'll never question anyone again.
OTOH, I worked for an organization that took security seriously. You were to challenge anyone without a badge, and escort them to sercurity if tehy didn't have one. I challenged teh CEO once - he pulled out his badge, showed it to me, and clipped it to his collar, where it should have been. No "don't you know who I am?", no nasty note to my boss; just a simple "thanks" and doing what he expects everyone else to do. Of course, that also takes a leader, not a manager.
I'm a consultant - I convert gibberish into cash-flow.
Probably $200 an hour.
I'm a consultant - I convert gibberish into cash-flow.
It happens in Germany, at Siemens, the giant electrical engineering and electronics corporation. The über-boss, a member of the von Siemens familiy, an old man at the time, routinely used to test how easy was to enter his company facilities (most of the employees had seen photographs of him). Once, he tried to enter a factory where he meets this old-guard janitor, a typical case of prussian education. Von Siemens is denied entry, even when, having confirmed that the entrance was guarded well enough, he wanted to finally go into the factory. The old janitor kept on saying Yes, you are telling me you are von Siemens and you really look like him, but if you don't produce a valid ID, you are not entering this building
Von Siemens had to wait until the following day and the janitor was promoted.
A couple of years ago, I was working late in the office one night (maybe 5:30 or so) and this woman came up to me asking me where the copy room was. I asked her if I could see her ID, because the company has a policy of visible ID at all times. She kind of chuckled and said it was on her desk. I didn't know what to do next, as I was relatively new with this company, so I asked her if I could see it (Mine was clipped to my belt). She agreed, and walked me around to the other side of the office to her *office*. A big office. She shows me her ID, I apoligize for the inconvienience, but she says "no no...that's ok!"
;)
Monday, I show up at work and everyone is laughing at me. Turns out, I ID'd the new VP. Later that morning an email went around asking everyone to be more security conscious, and always ask someone you don't know for their ID.
It was sent out by the VP and corporate security.
People stopped laughing, and started asking for ID from those they didn't know.
Moral of the story: it doesn't hurt to ask someone to show their ID, and you never know who you'll be asking. (Plus, the brownie points are fabulous!)
...for getting passwords. I have one that can record about six minutes of video. It's so easy to set it running, then have it surreptitiously pointing at a keyboard when someone logs on. Then you can down load the MPEG, and go through it frame by frame.
;-) ).
(Not that I'd ever do something like that, but as I do a bit of 'ethical hacking' as part of my job, I have developed a deviously cunning mind
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
My neighbors pay me to do this as well. I check out their home security on a nightly basis. Usually they don't have the cash laying around to pay me, so I just grab TV's, VCR's, computers, etc, as payment. Of course, the way we play the game, if they catch me breaking in they call the police, but otherwise I get to keep the stuff. It's real fun, you guys should play with your neighbors..
My approach was to go late at night, find a janitor, and tell him I lost my key. It worked every time - no ID required. I would then have the computer to myself for hours. One time, about 3 AM, a researcher (I assume
During that same year, I also used the Stanford IBM 360/67 (an OS with a VMM while Bill Gates was in grade school) to do a bunch of personal programming. There, an ID from an out-of-town for the year gard student did th job.
Meanwhile, my friends at the University of Kansas (which had a rare GE-625), wanted source of the OS to improve their attacks on the OS. One of them found out the tape numbers by looking at printouts in a public place. He then ran jobs when times were busy to copy those tapes to his own... every once in a while so as to not draw suspicion. Then, he later printed out the whole thing, again in little bits. Thus when I later went there, we had source of the whole OS. We used that to find a number of holse, although GECOS-III was surprisingly well designed for security. In fact, the CIA used it for that reason, and it was chosen for the World Wide Military Command and Control System (WMMCS). As a result of our hacking, one of us later got a call, out of the blue, from a CIA recruiter who knew of the exploits and was looking to hire him for a white-hat hacking job. This was in 1970.
Social engineering works!
The only good weather is bad weather.
You know, we should have a unit basically dedicated to
thinking up terrorist attacks to the united states, and
trying to "implement" them. Just more war games. So
we get a couple of agents trying what the Sep 11 hijackers
tried on July 13th, and we shore up weaknesses before they're
really exploited (we would, of course, have our gamers stop
short of say, actually killing or even threatening anyone. Wouldn't
do to have people saying "Oh, this isn't a REAL terrorist attack...
it's just the gamers. Sit back, everything's going to be OK.").
Actually, I know this is done to some extent. A couple of
weeks ago, for example, I heard a guy on the radio who
used to work out at Dugway Proving grounds in the Utah
west desert. His job for a while was to come up with
anthrax delivery scenarios.... from city wide to single
building to single person. I don't know if they actually
disseminated a "marker" substance to test their theories
and come up with security techniques, but I'd be happy
to some portion of my taxes spent on such a thing.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Is it really that difficult or costly for companies to implement things like retinal/iris scan, voice printing, etc. for highly secure areas? I've always felt we can have no true security based on things like ID cards (lendable and counterfeitable), passwords (crackable, write-down-able, storable), and human security guards (con-able). It would be rather intrusive and expensive, I'm sure, to implement biometric scanning for every person entering a public building, but if the critical security areas of that building were restricted to root users via biometrically automated door locks, breaches of mundane perimeter security would be less threatening.
OTOH, I'm sure someone will reply that biometrics has a weakest link as well. E.g., intruder could corrupt a root user and get their retina authorized into the system illegitimately, figure out some kind of black box to hold up to the scanner, crash it to its embedded version of shell prompt, and send it "unlock door" command, etc. But from my perspective, biometrics kicks the ass of any other solution, and I'd feel a lot safer if airports, highrises, and public utilities were using it for critical areas.
* * *
No, no, no. This is not a sig.
I used to work for a defense contractor, and our lab was a restricted area. We were instructed to challenge ANYONE we didn't recognize as being on the access list, even if their badges showed the proper clearance...
One of my co-workers challenged the company president (he was not on the list, and he was unescorted). She got atta-boyed!
Wish I'd been there to bust the pres...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Quite a few years ago I recall seeing a documentary on security guys. One used to get into the buildings, usually dressed as phone tech or similar, and just leave a biz card on their patch panel "If you find this you need me." or somesuch. Very cool way to advertise (although some ahole would slap a charge eventually).
I once contracted at a large company that was so paranoid, contractors had to be re-badged every six months, the firewall only passed http and email, and there were even rules about leaving your workstation logged in and sending sensitive info via text page! Yet they had a serious tailgating problem. Headhunters would routinely sneak in to make the rounds. Nothing was done until valuable personal items started disappearing from people's desks at several locations, and security decided that the thief was a tailgater. They had the receptionists crack down, and launched an educational campaign. So it became much harder to sneak in -- for a while. Don't work there anymore, but once the thefts stopped, I doubt if people remained careful.
I remember once, in high school, I was trying to hack around into our Novell 3.11 network that was connected to a WAN that had 22 high schools and about 180 elementary schools hooked up to it. (It was pretty sweet back then!). I had done all of the hacking from the library in open sight (I mean, a hacker wouldn't possibly do that, right? So mustn't have been one... ;P) and I made friends with the librarians as well. One day (after I learned of the 'server debug mode') I realized that if I could just get physical access to the server (which was in one of the rear librarian's only rooms) I'd be all good. So I just got up courage, and walked straight in! Walked up to the server, did the deed, walked back to my machine, logged in, returned to the server, removed the deed, stopped to say hi to one of the librarians on the way out and back to the computer, now logged in as Supervisor. Of course, because of really really stupid network admins at the board office, it was rediculously easy to get access to the master network at the board office as well. I ended up using a brute force password hacker and got 320 of 540 passwords, including 5 supervisor-equiv accounts. I ended up phoning up the head of the network admin at the board (who was rumoured to be a cool guy), got his voicemail and said "Hey, I think we need to talk. I'm such and such from such and such high school and I wanted to talk to you about network security. Please call me back here, and by the way, I hear that Greece is wonderful this time of year" (His password, of course, was "Greece"). Needless to say I got a phone call back pretty quickly saying "Hi. Let's talk."
Ahhh, back to the good old days.
If God gave us curiosity
Nodwick from a few days ago.
-l
One solution for this is to use subway turnstiles at the entrance. They look like rotating doors except they have horizontal bars projecting out from the center shaft instead of door frames. The keycard enables it to rotate far enough to let one person into the building.
Mea navis aericumbens anguillis abundat
Heh... what a great job!
Back in '77 after the first "break-up" of Pacific Bell, I was a telecommunications tech at a small interconnect in Santa Clara, CA (i.e. Silicon Valley), one of three troubleshooters in the company, so I usually worked alone. We had no company uniforms or other identifying paraphernalia, but my tool belt was my "badge".
We sold state of the art (for the time. eh?) NEC microprocessor controlled, time division multiplex phone switches, and smaller office sized systems. Our switches kicked Pac Bell's ass, they ruled because the telcos in the USA we still in the dark ages.
Anyhow, my territorry was from San Francisco (and the rest of the Bay Area) to Montery, we had phone systems in many high tech companies, so I was steeped in the culture.
It didn't take me long to observe that I could go virtually anywhere in most of these companies, without question. Often even without a visitors security badge, company employees, and even security guards would open doors for me if my hands were full.
It seemed that my tool belt and butt set (Linemans test set) hanging off of it, was all I needed to have the run of the place. I started to play a "game", to see just how good their "security" was.
So here I am, this spikey haired punk rocker, in street clothes, but with my tool belt, butt set, and a professional attitude, walking up to a security guard and saying to him, "Hey, I need to look in that locked room over there to see if there is any phone equipment in there.".
They allways walked over and opened it for me without question, and then walked away reminding me to lock it when I was done. I did this just for grins at many of the companies I visited.
In those days, computers were still refrigerator sized, and filled large, lead lined, air conditioned rooms with raised floors, with lots of cabling under them, tended to, by clean-cut guys in long white lab coats (no kidding). And every company had a security guard at the door of these special rooms.
One day I screwed up my courage and decided to see if I could gain access to one, I had zero reasons to go in there, since there was never phone equipment in these rooms. I nervously walked up to the door, looked the security guard in the eye, and he glanced at my tool belt and test set, and opened the door for me without a word between us!
Next thing you know, I'm wandering around this large computer room, pretending to look like I know what I'm doing. None of the guys in there even pretended to notice me, I could have done what ever I wanterd, and nobody would have questioned what I was doing.
At work, I started to brag about how people were so easily manipulated by "normal" circumstances. None of my coworkers believed me, they were just like the people in these companies, they were non-observent.
One day, I needed some help, so I brought my boss along. We finished up our job and as we were walking out, I reminded him of my discovery, he said "bullshit!" . So I said "follow me", and walked toward the big computer room.
The security guard didn't bat an eye, and unlocked the door for us without a word. I was the only one with a tool belt, my boss was also in street clothes, we could have been anybody, but the magic tool belt, butt set combo got me through again.
My boss was blown away, and was also very nervous about being in this formerlly taboo computer room, so we exited. On the way out of the building, I couldn't resist, and stopped at random and asked the closest security guard to please open "that closet, over there", he of course, complied.
My boss was very impressed, but wasn't at all happy that I was doing this for "fun", and the next morning at work, I was admonished to never do "that" again.
I guess my point is, that people are easily fooled by normal seeming circumstances, and that security is often a Paper Tiger.
If it don't GO... chrome it. ~ Frank Banks
A while back Microsoft was in town running a conference. One of the gigs they had was a little party out at a local theme park. I copied my mate's ID card, and we waltzed up to the gate. We were let through without even being asked for ID, and we were free to enjoy the food and rides all night. :-)
Complete story.
Funny, funny. But really, you couldn't accomplish a continuing intrusion that way. Chopping people up is rather noticable, bodies laying about and all. The real value for an intruder of rooting a system is keeping it rooted for an extended period, while undetected. Seems the same would be true of rooting a secure area. Like, even in a nuclear power plant where gaining entry to the area would theoretically allow the intruder to accomplish a one-shot destructive act, don't you figure that repeated access to the area would be necessary for the intruder to learn the proper procedures and codes? He/she'd want to plant cameras, bugs, etc., then come back. That severed arm is not going to be re-usable for that purpose, as poor Joe who turned up armless and dead is off the access list immediately.
* * *
No, no, no. This is not a sig.