How to steal priceless jewelry: prank call
June 4, 2008 1:30 PM   Subscribe

Isn't this how Mitnick did most of his "hacking?"
posted by Afroblanco at 1:35 PM on June 4, 2008 [1 favorite]

My favourite detail (of many); "Meanwhile surveillance cameras that were still operating captured poor pictures of what was going on inside the museum because of a policy to turn the lights off at night."
posted by Keith Talent at 1:36 PM on June 4, 2008

I'm looking forward to the comments on this on Bruce Schneiers' weblog.

This one is going to end up in all the books as an example....
posted by DreamerFi at 1:57 PM on June 4, 2008

Social engineering is typical identified as the number-one security risk (rather than electronic snooping, etc, to gain confidential info).
posted by KokuRyu at 2:04 PM on June 4, 2008 [2 favorites]

A social engineering exploit paying off big time. Things always break down on the wetware layer.
posted by porn in the woods at 2:04 PM on June 4, 2008

This is similar to the low-tech methodology used in the Gardner Museum heist in Boston, 1990. So basically, while museum security people may have learned something from that, they didn't mention it to the campus cops at UBC.
posted by beagle at 2:05 PM on June 4, 2008

For those of you like me wondering WTF bear spray is, it's apparently pepper spray intended to be carried while camping in case of grizzly attack.
posted by Rhomboid at 2:34 PM on June 4, 2008

social engineering FTW.
posted by rmd1023 at 2:36 PM on June 4, 2008

A couple of years ago, some thieves stole an expensive server from Customs & Immigration at Sydney Airport, by showing up after hours & saying "Oh, hi. We're the IT guys. We've come to take a computer away for repairs"

Ah, found it. Turns out they stole two servers.
posted by UbuRoivas at 2:38 PM on June 4, 2008

...police have said the museum's insurance company has boosted the current $50,000 reward substantially but will not say by how much.

Doesn't that kind of defeat the purpose of offering a reward?


Bear spray
posted by Kirth Gerson at 2:51 PM on June 4, 2008

something doesn't make sense to me here - this guy is smart enough to evade/trick all security be it human or electronic yet fails to consider his high profile and the need for a solid alibi or accomplice. (I base this on the article stating that they know someone who works this way and are already focussing on him.)

this sounds like a molecular biologist who can't figure out how to open a can of peas. or a hacker who lacks knowledge in personal hygiene.
posted by krautland at 2:53 PM on June 4, 2008

My guess is the security guard was in on this.
posted by sour cream at 3:06 PM on June 4, 2008

One aspect of my job is training people to be aware of what social engineering is, how it works, and to be cognizant of the fact that at some point, they will probably encounter someone trying it in some way, shape or form.

Employees are always amazed when they realize how much confidential information they give away without knowing it, once it's brought to their attention.
posted by quin at 3:11 PM on June 4, 2008

Afroblanco, "A clipboard and a confident wave can get you into any building in the world." is the quote sometimes attributed to Mitnick, but probably most famous from the bad movie The Paper.
posted by rokusan at 3:11 PM on June 4, 2008

I was thinking bear spray attracted bears and that perhaps they sprayed to attack the guard to keep him occupied. I had all sorts of comical scenarios playing out in my head before I got to that paragraph in the article.
posted by Brainy at 3:22 PM on June 4, 2008 [4 favorites]

I was scammed in one of those "order printer cartridges" scams. I was working in an office and had to cover the front desk one day when the receptionist was out. Ordering office supplies was not part of my normal duties, so when a nice, chatty guy called and let me know that we were nearly out of printer ink, and he was calling to confirm our address so our order could be filled, I totally fell for it. No one had ever told me about this scam, and it never dawned on me that such a thing could exist.

Even so, these guards seem pretty...trusting, for being guards.
posted by rtha at 3:27 PM on June 4, 2008

Bear spray

Best. John Waters furdaptation. Ever.
posted by cortex at 3:30 PM on June 4, 2008 [3 favorites]

I love that museum. I'm glad only a few things were taken, but still, this isn't just jewelry here, these are cultural artifacts. So any amusement I have in the cleverness of the thief is lost in the thought of what was stolen.
posted by Hactar at 3:54 PM on June 4, 2008

I see the campus cops at UBC are still the crack squad they were in my day.
posted by Turtles all the way down at 3:58 PM on June 4, 2008

I was scammed in one of those "order printer cartridges" scams.

Wow, that's a pretty elaborate scam...
posted by SweetJesus at 4:06 PM on June 4, 2008

Best. John Waters furdaptation. Ever.

And no one had to shave Travolta for that one.
posted by GuyZero at 4:28 PM on June 4, 2008

From the Social Engineering wiki link:

Kevin Mitnick, William L. Simon, Steve Wozniak. 2002. "The Art of Deception: Controlling the Human Element of Security". John Wiley & Sons. ISBN 0-471-23712-4.

(hehe - sell 'em Apples & pretend that hackers & phishers don't go after 'em...)
posted by UbuRoivas at 4:46 PM on June 4, 2008

He just wrote the foreword.
posted by box at 5:16 PM on June 4, 2008

What the hell? A multimillion dollar museum heist happens on my campus and I hear about it two weeks later on Metafilter? I need to get out more.
posted by PercussivePaul at 5:43 PM on June 4, 2008

Isn't this how Mitnick did most of his "hacking?"

Yes. As any hacker worth his salt knows, social engineering is the fastest and simplest way to break into any system. Thus, Mitnick made extensive use of this.

His hacking, therefore, was uncommonly effective, and didn't require scare quotes.
posted by dhartung at 5:49 PM on June 4, 2008

WTF it sounds like a movie...
posted by super11 at 7:04 PM on June 4, 2008

Pffft. Bear spray has nothing on shark repellent bat spray.
posted by pokermonk at 7:25 PM on June 4, 2008

UbuRoivas,

I'm not a MAC guy at all, but Woz wrote the forward... I read it back in 2002, but I am pretty sure Woz wasn't involved in any ilicit activities :)
posted by andryeevna at 8:44 PM on June 4, 2008

You may be right, andryeevna, but just to be sure I'm going to change my MacBook password, so it's no longer a combination of my Social Security, bank a/c & PIN numbers.
posted by UbuRoivas at 10:27 PM on June 4, 2008

His hacking, therefore, was uncommonly effective, and didn't require scare quotes.

Thank you, seriously, it's annoying when social manipulation is seen as being somehow less valid than technical solutions. People always have this bizarre preference for imagining hacking as some kind of mystical "Hackers"-style interface with the computer itself. (Kind of reminds me of when a good speech is accused of being "just rhetoric." So what if it is?)
posted by voltairemodern at 11:08 PM on June 4, 2008

voltairemodern: that's because it's comforting to think that mindblowingly complex technical engineering can protect us, as opposed to being at the mercy of all-too-human factors - like the fact that 97% of people, left to their own devices, would use the name of their loved one, pet or favourite sporting team as their password.

Unless they're sysadmins, of course. Then the password is usually one of four options: sa, [blank], "." or God.
posted by UbuRoivas at 12:00 AM on June 5, 2008

"I'm not a MAC guy at all, but Woz wrote the forward... I read it back in 2002, but I am pretty sure Woz wasn't involved in any ilicit activities"

Oh let's just say Woz liked to get his phreak on every now and then.
posted by PenDevil at 12:08 AM on June 5, 2008

Erk! that link should point here.
posted by PenDevil at 12:09 AM on June 5, 2008

Even so, these guards seem pretty...trusting, for being guards.

I was a security guard once. The only qualifications were a clean police record and a willingness to work the late shift. There was no psychological testing and very little training or supervision. It's a great job if you don't have much ambition and like being alone for hours at a time. Easy pickings, really.
posted by tommasz at 5:26 AM on June 5, 2008

speaking of nonchalant guards (again in Canada)
posted by figTree at 8:54 AM on June 5, 2008

Unless they're sysadmins, of course. Then the password is usually one of four options: sa, [blank], "." or God.

don't forget "password123" or "admin"
posted by indiebass at 8:59 AM on June 5, 2008

His hacking, therefore, was uncommonly effective, and didn't require scare quotes.

My use of the scare quotes was to contrast Mitnick's actual deeds with the public perception of what constitutes hacking.

Far be it from me to profane the name of such as solid character as Mitnick.
posted by Afroblanco at 10:46 AM on June 5, 2008

Mitnick does have one of the coolest business cards I've ever seen.
posted by quin at 10:59 AM on June 5, 2008 [1 favorite]

After being out of the country for about a month, I returned home and could not remember the complex password into the underground parking garage. The superintendent gave me the "backup" password: 1234.
posted by KokuRyu at 12:08 PM on June 7, 2008

Update: 10 of 12 pieces recovered, three people arrested.
posted by russilwvong at 5:35 PM on June 10, 2008

Hey, I just came in here to post the same good news. Beaten by one hour.
posted by PercussivePaul at 6:40 PM on June 10, 2008