[Techtalk] Gender as a weapon? Pen-testing and female auditors

Mary mary-linuxchix at puzzling.org
Tue Mar 16 07:52:56 EST 2004


On Mon, Mar 15, 2004, Devdas Bhagat wrote:
> Good idea. However, the whole point of social engineering is to get
> access to the $secret via *any* social means possible.

Do pen testers balk at threatening violence? At threatening people's
jobs? At actual violence? At actual fake firings? At extended faux
devastating office politics? At harassment?

I can imagine all of those are good ways to get access to some people's
accounts, but I suspect that most of them are not tested regularly (I
can imagine that fake firings might happen occasionally, but planting
fellow employees and setting up two months of mock office politics, or
beating someone up, less often).

> I agree. The question to ask is, will the possible threat scenario
> include this particular threat? Will a competitor hire a prostitute to
> bribe the victim, or send in a corporate spy with an alluring body,

Or send in thugs? Maybe we'd better beat our employees up just to make
sure they don't tell when someone's twisting their broken arm...

My point in saying this is not that I think thugs would work better than
becoming friends or lovers with someone, so please don't reply with the
relative success rates of each tactic. What I am trying to point out is
that there are definitely grey areas to "any means possible". Even if
you're stopping short of leaving scars, I can imagine exploits that come
at considerable cost to people's emotional wellbeing in the short and
long term.

The fact that the enemy/opposition may be willing to try those tactics
doesn't neatly solve the moral dilemma either, because you still have to
weigh up the value of keeping the secret safe versus hurting someone
else and hurting yourself. (Plus time expenditure involved in screwing
someone's life up, for the pragmatic.) That's not a dilemma that the
opposition's tactics can solve for you.

-Mary

