Case Studies in Social Engineering, Running and the Severe need for Strategy

My great escapes

Location: Shell Oil Refinery Emergency Escape Bridge (Non refinery side).
Strategy: Running.

  • I’d been out on a seek and shoot photo safari with my partner (now my ex) when we came across this ludicrously over secured metal bridge from the roadside onto an island.  The stupid part was that it was very easy to wade across the 10 meter or so of water. I grabbed a couple of snapshots, and then we noticed the Jack Daniels promotional sticker on the gate of the secured bridge.  Sensing a great photo, I went in closer and took a few more snaps – right in the line of sight of the security camera on the other side of the bridge.  Few minutes pass, and we get back to the car when I see a white ute barrelling down the road towards where we were parked. Gut feeling was that this was some form of security, and they were going to want to have a chat.  Told the partner to hang on, and I back the car up, as the ute slammed into the space we’d been in.  Guy in a security uniform leaps out, there’s a BP security logo on the ute, and my decision was to run like hell. I knew as well that with my car in a better position to accelerate, and the security guy having to get back into the car, pull a three point turn and then chase me, I had the advantage to run.
  • Key take outs
    • I was lucky. If I hadn’t spotted the incoming vehicle and had my car running, primed and pointed to go, they’d have caught me clean.
    • Gut feelings and trusting my instinct beats rules lawyers. My ex-partner protesting about rights to photograph and freedom and how she’d talk to that person was a waste of oxygen. I’m glad I ignored her.  When security is doing 120km in a 60 zone, they’re not about to negotiate.
    • Local knowledge for the escape and win. I knew to drive towards the docks where there were more turns and twists, rather than relying on open straight road. Sure, I could get to 120kph on the open straight, but so could the security guy. What he couldn’t do was follow me once it turned into fast corners and multiple options as to which road I had taken.
    • Speed is no match for sneaky.
  • I elected to run, and I had a run strategy. That’s how I got away.

Location: UQ St Lucia Campus, 1993
Strategy: We didn’t have one.
Improvised Strategy: Social Engineering – Caught while running

  • This is where I perfected the fear defence as an explanation for running like hell from security.  I was out doing a chalk squad run when I heard someone call “YOU! STOP”. Naturally, I did the sensible thing and bolted. Unfortunately, my chalk squad partner was slower to react, and was caught.  I got a few paces away from him when I realised he’d been nabbed, and it was my responsibility to go back for him.
  • When I got back, Security was towering over him, doing the big macho tough guy act.  I put on my best scared voice, told the guard that I’d freaked out, and that I didn’t realise he was security and he’d scared the shit out of me and hit the trembling notes in the voice.  By the time I’d finished explaining, he went from chest puffed out tough pose (standing at the top of a set of stairs) to walking down the steps to us, and changing his body language to conciliatory.  (Of course, I still lied about my name and my student id, but that’s not the point. I had an alias prepped for the scenario). The guard went from aggro to apologetic because his job was about securing the campus as a safe environment, and by making me feel unsafe, he felt he’d failed me.  Once that was resolved, we were let off with a warning and told to be on our way.
    • Key lesson: We’d not discussed mutual responses. We’d agreed to stick together, but not talked about running versus surrendering. Big mistake.
    • No strategy, no plan = Fail.

Location: UQ St Lucia Campus, Semper.
Strategy: Social Engineering, Expectations Defeat

  • Very late one night, my coeditor and I decided it would be a good idea if we climbed from our office balcony onto the neighbouring balcony of the Treasurer’s office, and taped a stuffed rabbit at eye level to her desk (for the record, it was a good idea, and she screamed wonderfully loudly the next morning).  In the process of climbing back, Security saw us, challenged us, and came racing up to the Semper office to demand to know who we were and why we were in the Semper office at 3am.  Cleverly, I didn’t have photo ID on me to prove my identity and legitimacy as editor of Semper.  Amusingly, I could prove who I was by opening a recent issue to where there was a photo of me as one of the co-editors.
  • Having verified who I was, I then thanked the Security guy for his work.  I really emphasised the fact that as someone who was working late hours and odd times, I felt a lot better about my safety because they’d challenged us and gone through the security process.  Sure, I was entitled to be in the office, and I could have gone and made a fuss, but the bottom line simply was – we were acting oddly at an odd time, and Security reacted to the stimulus in the appropriate manner.  Reacting to them in a polite and professional manner, and thanking them for their work in making us feel secure went a long way to establishing a good relationship with the campus security.

Location: My Office, Griffith University Campus, Night Shift Security
Strategy: Social Engineering, Hostile Scenario

By the end of my time at GU, I knew most of the night security guys by name, and they’d often joke about leaving me to lock up the campus after they went home.  Getting to know the security team at the place you work cuts you some additional slack you may not otherwise earn – simply because you can cheerfully chat to them about the physical infrastructure of the place, and express your love of locations. Security guards will often know of some rather cool spots, usually spots where they tend to head if they want a quiet cigarette or a 10 minute break on the rounds.  It also helps to walk with the security team a few times: if you’re finishing up when they come around, walk along with them, and get to know the crew.  They’re usually a bit lonely on the patrols, and someone being friendly and interested in the work goes a long way to brightening a shift.

  • I had one incident with the GU security team after I was hauling borrowed gear back on campus one night.  Somebody had seen me carrying loads of computer gear (six cases, three monitors and two large black bags of keyboards and mice etc) from my car back to my office.  Early that week, there had been a robbery of computers from somewhere on campus, and the person who saw me put two and two together for a score of five.  Computers+person = crime was the logic, not considering that the computers were going INTO campus from a car, and not the criminally logical reverse. I’d finished hauling all the junk up to my office when there was a knock at the door.
  • Given it was rather late at night, and I was in a roomful of expensive computer gear, and I was in the process of getting changed from my cargo hauling gear back into my suit to go home, I ignored the knock.  Next thing I know, there’s a fumbling of keys at the door, and the sound of the lock.  I grab the nearest large weapon (Hint: This is not recommended practice for greeting security), leap across the room to open the door to see if it was fight or flight time.  Security identified themselves and I discarded the weapon to open the door.  At this point, I was pumped because I thought they were hostiles. They were pumped because they thought they’d caught a thief.
  • Here’s where it got interesting and tricky – once again, I didn’t have my staff id with me, so I had to prove who I was (photo ID licence verified I was Stephen Dann), why I was here (returning computer gear) and whether I was entitled to be here (the sign on the door and the keys to the office helped a lot, but not 100%).  Security were not amused with me this time, for several reasons:
    • I lacked the proper authentication protocols. No official ID when they wanted the GU approved ID
    • My failure to respond to the door immediately was not met kindly.
    • Moving through campus in a manner that was different from usual
    • Failure to be intimidated by their presence.
  • This situation was turned around entirely when I thanked the security team for checking in on the situation.  I opened the door to the room up, showed them just how much gear I had in there, and explained how I really appreciated the fact they did check I was legitimately entitled to be doing what I was doing.  This was not the response they were expecting – most academics who had been challenged in their offices would have been angry at the implied accusation.  I thanked the security guys, explained that I did appreciate the professionalism, how they’d handled the situation, and that given the amount of gear I had, I was glad they cared to check, and I asked how I could do things differently next time to avoid suspicion.
  • One of the most interesting aspects of this in retrospect was that the GU Security team needed to settle a score because they’d lost machines earlier in the month, and pinning me for the theft would have balanced the score for them – even though I wasn’t the thief, and I was actually securing equipment on the campus when they challenged me.

Location: Queensland University of Technology, Gardens Point Campus, 2005
Strategy: Social Engineering, Holding my ground

  • The first major post-9/11 run in with security involved being stopped by a guard at QUT because I was doing night photography of one of the buildings.
  • Their rationale was that I was:
    • taking photos at night, of a stair well
    • listening to something on headphones
    • answering a mobile phone, then proceeding to continue taking photos
    • dressed in dark colors (as I usually am)
    • Since 9/11, well, you can’t be too sure about anything.  (Except that photographers are bad?)
  • During the encounter, I did the ID trick (producing ID in advance), plus walking up to security as they approached me. This wasn’t the usual protocol for people who were doing something unusual on campus.  In part, this is also an immediate but non-binding deference of authority to security, and a display that I was aware that something might be problematic in my actions. Being willing to explain myself, and listen to reason and talk to the guards about why I was acting “out of the normal” went a long way to saving me from serious hassle.
  • I asked about appropriate channels, authorizations and the proper protocols, and security helpfully gave me a list of names.  When I started following up the channels for authentication, what I discovered was that there was no protocol. There was nothing anyone could find officially to prohibit me from taking photos on campus, but at the same time, there was nothing authorizing my behavior. In the absence of authorisation, and the absence of prohibition, I was in the grey zone of “Not permitted because it’s not authorised but it’s not something we can authorize because it’s not prohibited”

Location: ANU, MMIB Offices, 2006
Strategy: Social Engineering, Holding my ground

  • I was challenged by Security for the fact I was in my office at some ungodly hour of the morning (approaching dawn I believe) as I was working away on a deadline.  This was the first and only time thus far I’ve seen Security patrol the corridors of the Crisp/Copland/Moran building.  There were a few aspects to this instance that were problematic.  This isn’t a classic exploration scenario because I had legitimate cause to be on Campus, I was carrying ID which I volunteered, and I was clearly working in an office in a building with swipe card access.  Plus, a room with my name on it, and I had keys to the door.  In short, I was legitimately entitled to be somewhere, and I was exercising my 24/7 access around hour 21 or 22 of the 24.   Security was far more hostile to me than on most occasions because they were disappointed that I was legitimate, and that was their interesting thing for the evening ruined.  The encounter was interesting for the fact I’ve had official identification to prove my legitimacy and it was far less valuable for defeating the role expectations than the lack of ID was in the pre-9/11 world.

Operation #TrebuchetList now in order…