Elicitation in relation to Security

[overwraith]

A while back I discovered that elicitation could be used in order to protect the company from intrusions from unscrupulous employees. I do believe that one of Mitnick's books or someone else's describes how a savvy net admin discovered a chat box on his computer and used elicitation to make the hacker believe he was one too. On doing this the hacker revealed how he had broken into the company using some sort of VPN vulnerability. One method in a pharmaceutical company is to have a Vikodin trap. Essentially people are informed as to the whereabouts of unsecured vikodin, for example using an encrypted document that has a few developers, and therefore only a few possible recipients, loose talk around the office, and or water-cooler talk, or any other means of targeting specific people. The manner in which you reveal the information is the manner in which the employees will find out. Obviously the trap is monitored by unobtrusive security, like a camera etc. Anybody caught stealing the cardboard box of vitamins is summarily let go from the company due to the fact that it is cheaper to let them go than to navigate tort law. Vikodin could be replaced with anything of value at your workplace, but you should in fact be leaving out fakes or just cardboard packages rather than the expensive items. This would not be considered entrapment if sufficiently bland, for instance you do not actually dominate the person in order to make them fall into the trap, or otherwise trick them. It has to be their own decision as opposed to trickery. You want to demonstrate a clear and willful act that can't be refuted.

[overwraith]

Another aspect of this could be if somebody was not supposed to be looking in your desk drawer as per company policy, and you happened to acquire a fake grenade (Training Grenade Blue, no explosives already spent fuse). You stick the fake trainer in the desk drawer, and some point later in the day the bomb squad gets called and you know exactly who is snooping. Probably give the bomb squad and police a courtesy call first along with your address etc.