To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind.By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared.Like flies to garbage, dozens of victims took the CD, unable to control the irresistible attraction of "free."Secret agents behind enemy lines, the CDs piggybacked through companies' physical security systems tucked in the bags and pockets of their couriers. The office workers dutifully took the CDs to their desks and plopped them in their employers' computers.The mission was complete.In the process, the CDs likely skirted an array of IT security systems in place to prevent malicious code from being installed. Although the CDs did not contain malicious code, the exercise accomplished the point Robert Chapman wanted to make: People are misinformed about what actions could damage their computers or expose them to malware, adware and viruses."All these things are bypassed by human nature and curiosity and a level of ignorance and naivet\u00e9," says Chapman, director of The Training Camp Ltd., a computer training and consulting firm based in London, who came up with the idea. "The lure of a free holiday entices them more than the potential damage that they may make to their corporate network."cWhen a user ran the CD, the code on it prompted a browser window that opened a Web site, Chapman says. The site then tried to load an image from another Web site, Chapman says.The number of people who opened the CD could be tracked by the number of times the image was accessed, he says. Users saw only an error message saying the page could not be loaded, he says."There is nothing clever about it or illegal," Chapman said of the CD's code.Although the front of the CD contained a written warning to users to check their company's internal security guidelines before running it, as many as 75 of the 100 CDs were played. Chapman says he was able to trace the IP addresses of those computers that tried to access the image and found that employees at two well-known insurance companies and a retail bank were among the duped.Chapman declines, however, to identify the names of those companies.The experiment underscores what experts say is the weakest point for IT security: people. Many companies have policies and make their employees sign legally binding documents containing the rules for using company computers, but it's doubtful users get specific training on why those rules are in place, Chapman says.Firewalls can block incoming hacking attempts, but most default firewall settings allow outbound traffic, Chapman says. If malicious code was already in the system, it might not be blocked by the firewall, allowing for the transmission of data from inside the computer, he says.Chapman says he surprisingly didn't get any angry calls from rankled systems administrators. "I was half-expecting something like that to happen, but I hope people realize that this is being done with a good heart," he says.