After 6:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, is Joe there?"
Programmer: "Joe no longer works here."
Caller: "Oh... So, what do you do there?"
Programmer: "Excuse me?"
Caller: "Are you a programmer? What kind of work do you do?"
[CLICK]

Around 2:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, who is this?"
Programmer: "Excuse me?"
Caller: "I'm returning a call from my pager... Who are you?..." (sounding clueless and innocent).
Programmer: "Who are you looking for?"
Caller: "I don't know, I'm just returning my pager's call. I only have the phone number. I don't know who called me..." (the number of my direct line???)
Caller: "... What's your name... What do you do over there?"
[CLICK]

Some other day, after 4:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, who is this?"
Programmer: "What do you mean?"
Caller: "I'm a recruitment agent. Are you looking for a job?"
Programmer: "Not really..."
Caller: "What kind of work do you do?" (You want to recruit me but you don't know what I do?)
[CLICK]

About 5:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, I'm calling from --- recruitment firm... I saw your resume the other day... very impressive... Are you looking for a job?" (I've never posted or submitted my resume anywhere.)
Programmer: "Not really..."
Caller: "What kind of job do you do?" (And you're interested in someone you don't know what he's doing?)
[CLICK]

Social engineering, as I was told, is not uncommon. It's another fancy way to say "spy," I guess. Sometimes it's employed as a security drill; sometimes it's just plain thievery. It's simply an act to elicit otherwise sensitive or confidential information from unsuspecting people.

Common as social engineering might be, data encryption is often almost the only security measure many people (business or technical) talk about, as though encryption equated to security.

Once, a bank asked a web application development house to build an application for them. They placed strong emphasis on data encryption: encryption of the URL (we said we could encrypt the CGI parameters but not the entire URL itself), encryption of the network communication (that meant SSL and such), and encryption (of passwords at least) in the database.

They also wanted a physically independent database server for extra security--which, for security purposes at the software level, made no sense to me, since the database might be physically separated but not necessarily logically. (A logically separated and independent database might contradict the overall architectural design of an application that was meant to be part of a larger "integrated" system.)

But then, an upper-mid-level manager had all his passwords posted beside his computer monitor in plain view. This happens to many other people who have too many passwords to remember.

So, all the data were encrypted, huh?


___________________
Endnote: That's why security should be checked at two levels, namely local and global. For instance, a password like Delaunay19631112 (spouse's name + birthday) might be hard to crack by itself via brute force (local level) but could be easy via social engineering, pattern or correlation (global level). Good cryptanalysts or security advisers explore the latter, not just the former.

In reply to Security: Technology vs Social Engineering by chunlou
