<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: robbins]]></title>
    <link>http://securityratty.com/tag/robbins</link>
    <description></description>
    <pubDate>Thu, 17 Jan 2008 04:31:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Sometimes, It Takes a Thief to Catch a Thief]]></title>
      <link>http://securityratty.com/article/b0dcc475c6854e10377cec5768a9572e</link>
      <guid>http://securityratty.com/article/b0dcc475c6854e10377cec5768a9572e</guid>
      <description><![CDATA[]]></description>
      <content:encoded><![CDATA[
<p>Apollo Robbins won't say whether he's ever stolen anything in his life, but it's clear he could if he wanted to. Having grown up in Missouri with three half-brothers who were all involved in various criminal activities (one of them is in the witness protection program after testifying against former colleagues of his), the 34-year-old Robbins was indoctrinated at an early age into the finer aspects of pickpocketing and con games.</p> 

<p>He eventually developed those skills into a successful career as a sleight-of-hand artist and performer in Las Vegas. His latest act, though, has him starring as a corporate security consultant. In this role, it is less his dexterous hands that appeal to his clients than his mastery of all aspects of criminal cons, grifts, and social-engineering ploys.</p>

<p>"When you're trying to steal something, you find the weakest link and work that," Robbins says. "Nowadays, as technology gets better and security systems get harder to break through, the weakest link in any system is the human running it."</p>

<p>Robbins founded his consulting operation, Whizmob Inc. (the name comes from the street term for a team of pickpockets working together), two years ago while still performing full-time.</p>

<p>After he did a show a few years back in which he pickpocketed Secret Service agents accompanying former president Jimmy Carter, the resulting publicity led several law-enforcement agencies and other groups to contact him about his techniques.</p>

<p>"At first, I'd refer them to security people I knew," says Robbins. "Then I realized that instead of being a referral service, I could capitalize on this."</p>

<p>It was a good time to get in on the act. Information security consulting, which barely existed in the mid '90s, has become an estimated $10 billion to $12 billion business as the need to protect sensitive information stored on computers and servers has become a more central concern.</p>

<p>Today, Robbins counts the N.F.L., TNT, and several Fortune 500 companies among his customers. He recently advised the N.F.L. on information security protection at this year's Super Bowl in Phoenix to combat the expected flow of thieves and con artists lured by all the deep-pocketed spectators coming to town.</p> 

<p>His work included getting a major hotel to upgrade its WiFi security so that fake access programs known as Trojans couldn't extract valuable data and password information from unsuspecting guests' computers. And at the stadium where the game was held, Robbins and his team identified areas where pickpockets would most likely operate—specifically, places with lots of traffic where bumping into people would be customary, and easy access to exits for escape purposes.</p> 

<p>Besides the shadier elements of Robbins' childhood, his father, a blind minister, instilled in him a strong sense of morality. "It was like living in two worlds," Robbins says.</p> 

<p>In many ways, he still is living in two worlds, since he keeps in regular contact with some professional thieves he knows in order to stay abreast of the latest cons. (While he doesn't pay them, Robbins says that "a lot of these guys are really good at what they do but they can't exactly discuss it with a lot of people.") But increasingly, Robbins is spending time in the more staid settings of the corporations that hire him to vet their security systems.</p>

<p>"It's a good time to be in the business," he says.</p>]]></content:encoded>
      <pubDate>Mon, 09 Jun 2008 13:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/robbins">robbins</category>
      <category domain="http://securityratty.com/tag/apollo robbins">apollo robbins</category>
      <category domain="http://securityratty.com/tag/robbins counts">robbins counts</category>
      <category domain="http://securityratty.com/tag/34-year-old robbins">34-year-old robbins</category>
      <category domain="http://securityratty.com/tag/information security protection">information security protection</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/full-time">full-time</category>
      <category domain="http://securityratty.com/tag/security people">security people</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/308162762/portfolio_0609">Sometimes, It Takes a Thief to Catch a Thief</source>
    </item>
    <item>
      <title><![CDATA[The cost of a code signing certificate]]></title>
      <link>http://securityratty.com/article/bb1a56c3092cb7ac3ae54e5275f075cf</link>
      <guid>http://securityratty.com/article/bb1a56c3092cb7ac3ae54e5275f075cf</guid>
      <description><![CDATA[In my recent post about Windows Live OneCare Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like VeriSign and Thawte , you'll find...]]></description>
      <content:encoded><![CDATA[<p>In <a href="http://pluralsight.com/blogs/keith/archive/2008/01/10/49871.aspx">my recent post</a> about <a href="http://onecare.live.com">Windows Live OneCare</a> Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like <a href="http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html">VeriSign</a> and <a href="https://www.thawte.com/ssl-digital-certificates/code-signing/index.html">Thawte</a>, you'll find they charge between $500 and $300 for a cert that's valid for a year.</p>
<p><a href="http://www.scottseely.com/blog">Scott</a> commented that you can get cheap code-signing certs, as <a href="http://www.wintellect.com/cs/blogs/jrobbins/archive/2007/12/21/code-signing-it-s-cheaper-and-easier-than-you-thought.aspx">Jon Robbins points out</a>. 80 bucks sounds like quite a deal, but a quick look at Jon's post reveals that a cheap code signing cert isn't as easy to use as one issued by the big dogs:</p>
<blockquote><p><em>I had some trouble with the registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered <strong>and install their trusted root certificate on your computer</strong>.</em></p></blockquote>
<p>It's not just ease of use that I'm worried about here, though. What does it mean to ask your customer to install a CA certificate into her trusted root store? I'm thinking of a nontechnical person like my mother: what is she going to think when she's asked to approve something that looks like this (the dialog that pops up on Windows XP when you try to install a cert into the trusted root store)?</p>
<p><a href="http://www.pluralsight.com/keith/images/blogged/trusted_root_container_warning.jpg" target="_blank"><img src="http://www.pluralsight.com/keith/images/blogged/trusted_root_container_warning_thumb.jpg" alt="Windows XP warning dialog shown when installing a certificate into the trusted root store"/></a></p>
<p>If you find that your customers tend to choose the default option here, "NO", your code signing cert won't be trusted, which begs the question: why didn't you save yourself the 80 bucks and simply issue your own code signing cert via Windows' built-in <a href="http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx" target="_blank">Certificate Services</a>?</p>
<p>And even worse, what does it mean if you find that your customers tend to choose "YES"? That leads to the philosophical question: what use is PKI anyway if the end user doesn't understand it? If every software vendor creates one of those web pages (I'm sure you've seen them) instructing users on what to do when they see the above dialog ("press YES"), then ultimately what's the cost to the consumer?</p>
<p>I don't like <a href="http://en.wikipedia.org/wiki/Tithe" target="_blank">tithing</a> to my certificate authority any more than the next guy, but buying a "cheap" cert is more costly in the long term. If you need a cheap certificate for testing or for personal reasons, issue it yourself! If you need a real certificate, your best bet is to stick with a vendor that your customers already "trust", for better or for worse.</p>]]></content:encoded>
      <pubDate>Thu, 17 Jan 2008 04:31:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/cheap">cheap</category>
      <category domain="http://securityratty.com/tag/cheap code">cheap code</category>
      <category domain="http://securityratty.com/tag/cert">cert</category>
      <category domain="http://securityratty.com/tag/root store">root store</category>
      <category domain="http://securityratty.com/tag/root">root</category>
      <category domain="http://securityratty.com/tag/philosophical question">philosophical question</category>
      <category domain="http://securityratty.com/tag/issue">issue</category>
      <category domain="http://securityratty.com/tag/install">install</category>
      <source url="http://pluralsight.com/blogs/keith/archive/2008/01/17/49950.aspx">The cost of a code signing certificate</source>
    </item>
  </channel>
</rss>
