Security Blunders
(I probably shouldn’t be posting something like this … but hopefully it’s now generic enough that it can sit in the ‘funny story’ category instead of the ‘oh-my-god he published that!?’ category.)
Earlier in the week I had a small issue with a "security device" that I have – basically it wouldn’t work as it insisted I didn’t know the magic combination. Sure, it was annoying but at least it was defaulting to locking me out so this gave me some confidence in the system. Getting a new access code issued for the device isn’t a simple process, and requires you to actually appear in person at one of the organisation’s installations.
I arrived at the security checkpoint for installation A, holding a security pass for installation B. Even though this entire story falls under the one organisational umbrella, the design of the security passes is completely different between installations.
Me: Hi there. How’s your day been?
Security: Alright so far … how ’bout yours?
Me: Can’t complain. Anyway, I haven’t actually been to this installation before as I usually work out of installation B, but I need to get to an XYZ office and apparently you have one of these.
Security: We sure do … it’s just down that way.
As I walked into the installation, I realised I hadn’t even shown my ID. I’d walked past the big red signs saying "ID must be shown on entry and exit." Even though I’d told the guard that I wasn’t familiar with the installation, I had apparently demonstrated that I was meant to be there.
The best bit happened in the XYZ office:
Me: Hi … I’m having a small problem with this device today. I’ve tried it at two separate terminals and it’s not accepting my password on either.
Girl: Ok … let me take a look at it.
<girl takes security device and connects it to her system>
Girl: Hmm … there doesn’t seem to be anything here to indicate it’s disabled. Are you sure you aren’t just getting the password wrong?
Me: Hope not … can you give me a new one now?
Girl: No – it’ll take 24 hours to do that. How about I give you what you’re after now, you try again yourself in 24 hours and if it’s still an issue then we’ll issue you a new device?
Me: Great – thanks.
At this point I exited the installation.
A summary:
- I entered a secure installation without being checked for ID, purely because I had engaged in conversation with the guard and used enough lingo to express that I might actually have a legit reason to be there. Even the post-uni boardies+t-shirt look didn’t highlight that I was a bit different to everyone else there.
- I accessed a highly secured resource using a security device that I didn’t know the password for and without providing any other ID or even saying my name. In the process of this, the girl even read out several of my details.
- I exited the installation without being checked for ID, even though this is a clearly stated procedure.
This scenario renews the confidence I have in some of the organisations I trust every day – not!


