After all the big breaches reported last year, Real Future's Kevin Roose wanted to see how well he would fare in a personal pen-test. Issuing such a "hack me" challenge is rarely wise, as New York University professor and PandoDaily editor Adam Penenberg found out a few years ago after asking TrustWave to hack him if it could. Roose posted a video showing "what happens when you dare expert hackers to hack you," and the resulting pwnage was not pretty.

When Roose asked to be hacked, social engineering pro Chris Hadnagy replied, "may God have mercy on you ;)". Roose said he is a "pretty privacy-conscious guy" and believed he had good security hygiene, but "HumanHacker" Hadnagy, for example, pulled up Roose's home address by zooming in on a tweeted photo of Roose's dog and reading the address off the dog's tag.

The vishing pulled off by social engineering specialist Jessica Clark was especially impressive: she called an unnamed cell phone provider and tricked it into handing over Roose's email address. Before she called, spoofing his phone number, she started a YouTube video of a baby wailing in the background and pretended to be his (non-existent) wife. The call started at 2:29 in the video, and by 2:59 she had his email address.

Roose also asked Dan Tentler, pentester and founder of the Phobos Group, to hack him. Although Roose promised himself he would be "extra-careful while the hackers were targeting" him, he fell for a phishing scheme. Tentler registered a domain name that was one letter off from Roose's website host and sent an email purportedly from the host's security team. After Roose clicked the link to supposedly install a security certificate on his site, Tentler's shell owned him. At first, Roose said, he saw a variety of fake pop-up boxes that looked like legitimate OS X dialogs, so he entered his admin password.
Tentler used a keylogger to obtain the password for Roose's 1Password manager and used the Dropcam credentials to "spy" on his house via his own security system. Additionally, Tentler installed a program that used Roose's webcam to snap photos every two minutes. At one point, Roose said, a "robotic monotone" coming from his laptop said "you look bored."

Later, when explaining the hack, Tentler told Roose:

"It's ridiculous," Dan said. "I have control of your digital life in its entirety. I have all your credentials. I have all your access to all your financial information, all your work information, all your personal information. I can pay people with your bank account or your Amex account."

For all intents and purposes, he said, "I am you." … "I could have left you homeless and penniless," he said.

If that's not bad enough, all of this was revealed to Roose at DefCon, where he would have been wise to feel a bit paranoid anyway, since he was surrounded by digital ninjas normally cloaked in cyber-ether. Although he reportedly wanted to toss his laptop into the ocean and go hide on a deserted island, security and privacy pro Morgan Marquis-Boire injected some sanity into the situation by pointing out that Roose would not normally be interesting enough to be targeted by such skilled hackers.

"Do you worry about trained martial artists beating you up on the street?" asked Marquis-Boire.

Roose admitted that he was not too worried about being attacked by ninjas on the street.

"But you're aware that they exist," Marquis-Boire said. "You're also aware that you probably couldn't do anything about it if one of them wanted to beat you up in the street."

I highly recommend watching the video, whether for amusement or as a reminder that good things rarely come to those who ask to be hacked.
On the serious side, though, people are always the weak link. As Verizon said in its 2015 DBIR, "Whether it's goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns."

Regular Jane and Joe Public may not issue challenges to be hacked or need to worry about the newest strain of "CEO fraud," aka Business Email Compromise (BEC), reported by KnowBe4, a company so confident its security awareness training works that it will "pay your ransom if you get hit with ransomware while you are a customer." Yet Jane and Joe could be employees, the weak end-user links to be targeted and exploited via BEC spear-phishing attacks.

Over the last year there has been a huge increase in BEC, according to a new report by PhishLabs, and "no security tool or training regimen will prevent" people from falling for phishing attacks, the toehold Tentler used in pwning Roose. Even if employees are extra cautious and wise about phishing, what about falling for vishing? You could be as security-wise about social engineering as possible, but if a company with which you do business isn't, then that's all it takes for an attacker to own you.
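Training alone won't catch the "one letter off" sender domain that Tentler's phishing email relied on, but a mail filter can. As an added example (not from the article or the video), here is a small check that flags sender domains within one edit of a domain you trust; the trusted-domain list and the sample From: headers are constructed for illustration.

```python
"""Flag sender domains that are one edit away from a trusted domain.

Added example, not from the article. TRUSTED_DOMAINS and the sample
headers below are constructed for illustration.
"""
import re

# Constructed: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-host.com", "example.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) via the classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Security <sec@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 1):
    """Return the trusted domain this sender impersonates, or None.

    An exact match is legitimate mail; a near match (within max_dist edits)
    is the typosquat pattern and should be quarantined for human review.
    """
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


def triage(from_header: str) -> str:
    d = sender_domain(from_header)
    t = lookalike_of(d)
    return f"FLAG: {d} is a lookalike of trusted {t}" if t else "OK"


if __name__ == "__main__":
    # Constructed sample headers: legitimate, two typosquats, unrelated.
    for h in ["Security Team <security@example-host.com>",
              "Security Team <security@examp1e-host.com>",
              "Security Team <security@example-hosts.com>",
              "Newsletter <news@unrelated.net>"]:
        print(triage(h))
```

Note that an edit distance of 1 misses the two-character "rn" for "m" substitution; raise `max_dist` or normalise common homoglyphs before comparing if that matters for your domains.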