Alarmed

Seriously, It Could Happen to You

The author's identity was stolen, which led to a confounding realization about the paradoxical nature of security.

By Scott Berinato

November 16, 2004 CSO — One Thursday morning in September, Scott Berinato from CIO magazine called an executive assistant named Carolyn at a large IT vendor. Berinato said he wanted to talk to the "storage R&D guy." Carolyn, following procedure, asked for a call-back number. Berinato at first wouldn't give one. He was "weird and skittish, or up to something," Carolyn said later. "He definitely sounded like he wasn't sure what he was going to say."

Eventually, Berinato left a number for his hotel in Pennsylvania. Carolyn relayed the details of the odd conversation to a PR person who called the hotel and got no answer. The PR person then called me, Scott Berinato, at my desk and left me a message.

I called her back, puzzled. She said, "This is in regards to the call you placed to [that executive's office] at 8:15 this morning." I told her that at 8:15 I was at home getting ready to take my daughter to day care. Confused, she asked, "So you're not in Pennsylvania?"

She sighed and relayed all of the above details. I remember thinking that one of three things was going on. One, a practical joke (and I even asked who had put her up to this). Two, some kind of security audit (sometimes we talk about auditing ourselves around here for the practical experience). Or three, this was corporate espionage. It's not clear what information a competitor would get that I would be privy to and they wouldn't. But since this man targeted R&D, it seems likely that he hoped the appearance of an objective journalist would get him data on forthcoming plans he otherwise could not ascertain.

At any rate, I downplayed that possibility at first and decided that it was more random than any of that; just a case of fuddled sticky notes or something. Still, the PR person and I created a random password that only we would know. Simple encryption. If you are who you say you are, you'll have the private key. I felt silly about the cloak-and-dagger stuff, but it made sense, just in case.

The next day, Scott Berinato from CIO magazine called the executive assistant to a vice president of new product development at another large IT vendor. The assistant said Berinato wouldn't provide a phone number and "got rude." He told her he was on deadline and said, "Don't call me back." She handed over the information to her PR group, who called me.
