How to Cheat at Managing Information Security

Those of you who are kind will enthusiastically remember the early (and might I say ground-breaking) work I did on wireless security. As a result, one day the CEO of a very large insurance company had seen a piece in the Wall Street Journal on my work and demanded that his security manager set up a meeting with me.
Dutifully, off I trotted with one of my staff who always had a copy of Kismet on a Zaurus Linux PDA (war-driving software on a palmtop computer). I explained most of the risks of wireless Ethernet to the corporate guy, emphasizing that they had been overexaggerated in the press, but sensible precautions really were necessary. The company s security manager, a past-retirement-age duffer, seemed to be enraged by my very existence. Cutting me short, he announced, That can never happen here; our information security policy strictly forbids it. When I asked whether he had conducted any wireless audits, he announced, I don t need to. I know we don t have wireless; it s prevented by the policy. Now do excuse me for a minute; I have something important to do.
While he was gone we whipped out the war-driving PDA. When he returned, we showed him that within his building there was a wireless access point called Marketing, one with the same name as the company, and two with defaults of tsunami and netgear. Plus we could connect to two of them and get an IP address. When we showed him,...