Lessons from RSA: Bum Rushing Conference Security

RSA Security Lesson 1

What happens when you bum rush conference security?

It happens to me all the time. I lose my conference badge and have to get past a couple of convention center security guards to cover a keynote. Lucky for me, computer security conferences tend to be run by geeks, and they usually have a casual attitude about letting uncredentialed people into sessions. (Tip number one: Carry an old badge; most of the time, any badge will get you through the door. Tip number two: If badgeless, position yourself in the middle of a group of tall people, and drift on in.)

Unfortunately for me, the RSA Conference is a pretty tightly run ship, and yesterday they busted me. It wasn’t really my fault. I was preregistered for the show, and the convention people sent me my badge in advance so that I could avoid the long registration lines. Unfortunately, they didn’t send me a lanyard, so I put my official RSA Conference 2007 badge in some old generic lanyard that was lying around the office.

So yesterday, just as RSA’s cryptographers panel was about to begin, my second-rate lanyard got me stopped.

“You have to have a red badge holder,” the security guard said.

“But this is what I was sent,” I insisted, an image of the dreaded 30-minute registration lines upstairs popping into my head.

“I don’t care.”

All the while the security guard was checking badges of other people walking into the keynote hall, so he was firm, but a bit distracted.

I thought about it for a second and then, figuring that we both understood each other’s position, I decided to call his bluff.

I slipped into the hall.

What would he do? A flying tackle? Panic button?

“Sir, sir,” I heard him call from close behind me. But I kept walking, and now he was getting farther and farther away from his post.

“Sir, sir!”

I kept walking.

I guess he eventually realized that his main job was to stand at the door and appear to check for badges, because when I sat down he was gone.

From a security perspective, it was probably the best move to make. I was credentialed and posed no threat.

RSA Security Lesson 2

Practice what you preach.

One of the tough things about running a security conference is that in addition to bum-rushers like me, you give a lot of security professionals like Sunbelt Software’s Alex Eckelberry and Eric Sites the chance to put your security practices to the test, in a pretty tough-to-control environment.

Alex and Eric gave the RSA show organizers, and Sophos, a bit of a schooling yesterday. I dropped by the Sunbelt booth after they’d shown Brian Krebs of The Washington Post and Ryan Singel of Wired News how easy it was to compromise the computer kiosks on the show floor.

Eckelberry and Sites were able to see a history of Google searches and install adware onto the machines (which then removed it), but they told me that they could have done much worse things, like installing keyloggers to see what the computer security executives at the conference were typing.

The booths, sponsored by antivirus vendor Sophos, were apparently not configured to spec, but as Singel writes, “One should never trust a public kiosk computer, but at the RSA security conference, one expects the public computers will at least be locked down as well as the public library’s boxes.”

-Robert McMillan, IDG News Service (San Francisco Bureau)

Keep checking in at our CSO Security Feed page for updated news coverage.