Wednesday 30 November 2011

Request For Information

And now, back to some pure social engineering through the mails... Scan all the computer mags and journals furiously, even the bad ones, for warnings about product failures and security loopholes. Journalistic morality generally prevents dangerous secrets from making their way to the mass media, so the exact details of system security failings won't make it to print. You'll see things like, "Four hackers were caught yesterday, after exploiting a loophole in the V software on the W machine at X Military Base." Or you'll see things like, "Company Y has released a warning about its Component Z, which is supposed to keep unauthorized users from penetrating a system...." What you do is, go print yourself up some official-looking stationery, mail a concerned letter to the folks at the company, and wait for their speedy reply. You can try the annoyed approach:
Dear Mr. Abel Jones:
It has come to my attention that there are serious shortcomings in your product, Component Z.
My business operates under the assumption that our data is secure because of Component Z.
Seeing as how we have been misled for six years, I expect either: details on the flaws which inhibit Component Z, or reimbursement for six years of twelve nonfunctioning Component Zs, the cost of which amounts to $14,000. I expect a quick reply.
Or the "Let's work together to make this world a better place to live in," approach:

Dear Mr. Abel Jones:
I was dismayed to read in Friday's edition of Computer Magazine that your Component Z is defective.
My business uses twelve of these devices, and I would regret very much if we experienced a data loss due to their not working.
Please send an explanation of the problem in the enclosed envelope, so that my technicians may remedy the problem as soon as possible.

Thank you for your help.

Sincerely,

I'm divided as to whether or not you should mention specific threats in your letter to the company or organization. On one hand, you don't want them to suspect your letter is phony. But on the other hand, they're going to be receiving many letters similar to yours, most of which are legitimate. You shouldn't have any problem as long as you type the letter on good quality paper, with either a real or imagined letterhead on top. For added effect, type the address on the envelope, and instead of stamping it, run it through a postage meter. You may also slip in a business card of your own design; they are cheap to obtain.

If the company refuses to help you without proof of purchase, well then, you're on your own. You can always try to social engineer the company technicians into revealing the security flaws. There are also plenty of computer security associations, organizations and other groups which will have the particulars of the loophole. You might also make an attempt to get the juicy details by calling the publication in which you read about the security failing. Try to speak to the person who reported the story. People at magazines and newspapers are surprisingly easy to reach on the phone, but getting them to talk is a different matter!