Schneier on Security
A blog covering security and security technology.
February 16, 2006
Security, Economics, and Lost Conference Badges
Conference badges are an interesting security token. They can be very valuable -- a full conference registration at the RSA Conference this week in San Jose, for example, costs $1,985 -- but their value decays rapidly with time. By tomorrow afternoon, they'll be worthless.
Counterfeiting badges is one security concern, but an even bigger concern is people losing their badge or having their badge stolen. It's way cheaper to find or steal someone else's badge than it is to buy your own. People could do this sort of thing on purpose, pretending to lose their badge and giving it to someone else.
A few years ago, the RSA Conference charged people $100 for a replacement badge, which is far cheaper than a second membership. So the fraud remained. (At least, I assume it did. I don't know anything about how prevalent this kind of fraud was at RSA.)
Last year, the RSA Conference tried to further limit these types of fraud by putting people's photographs on their badges. Clever idea, but difficult to implement.
For this to work, though, guards need to match photographs with faces. This means that either 1) you need a lot more guards at entrance points, or 2) the lines will move a lot slower. Actually, far more likely is 3) no one will check the photographs.
And it was an expensive solution for the RSA Conference. They needed the equipment to put the photos on the badges. Registration was much slower. And pro-privacy people objected to the conference keeping their photographs on file.
This year, the RSA Conference solved the problem through economics:
If you lose your badge and/or badge holder, you will be required to purchase a new one for a fee of $1,895.00.
Look how clever this is. Instead of trying to solve this particular badge fraud problem through security, they simply moved the problem from the conference to the attendee. The badges still have that $1,895 value, but now if it's stolen and used by someone else, it's the attendee who's out the money. As far as the RSA Conference is concerned, the security risk is an externality.
Note that from an outside perspective, this isn't the most efficient way to deal with the security problem. It's likely that the cost to the RSA Conference for centralized security is less than the aggregate cost of all the individual security measures. But the RSA Conference gets to make the trade-off, so they chose a solution that was cheaper for them.
Of course, it would have been nice if the conference provided a slightly more secure attachment point for the badge holder than a thin strip of plastic. But why should they? It's not their problem anymore.
Posted on February 16, 2006 at 7:16 AM
• 81 Comments
This is the kind of thing the UK banks used to do.
They give you an unreliable token (a credit card etc) and you had to swallow any false transactions.
Eventually governments passed legislation to stop it, so the banks tried a new tack (Chip-n-Pin) which avoided the legislation (i.e. no signature involved).
I can't see legislation being passed for conference badges or just about any other token system. But even if they did the companies would just move the goal posts.
I guess all organisations will try to minimise their costs and liabilities for "Share Holder Value"...
Why do you always have to be logical? :)
Your logic is always interesting and eye opening. Nice analysis
Sensible in that it addresses one side of the fraud equation in that badge holders are more likely to maintain a close eye on the badge. Yet, still, if someone did lose the badge, then the finder would still be able to get in. Or, if someone were held up for their badge... This still doesn't address either of these issues.
Badges make for easily thwarted security. If I left my badge at home for work, then I would just borrow a badge from a co-worker if I needed to briefly leave the office. There was no picture, so in my office there was no way to check to see if the badge I was using was truly my own. Back in my retail days, I remember my mother handing me her badge, which we used for a time punch card as well as "security", if we were running late. I'd clock her in and myself in at the same time right under the nose of the "security" person at the desk.
Also, in the most recent case of the shootings at the post office (in California), the woman who fired the gun got in by A) closely following a legitimate vehicle through the security gate before the door closed and B) holding an employee at gun point to take his badge and let herself in so she could shoot.
There are 3 classes of potential attendees:
(A) Those that pay and would pay no matter what.
(B) Those that would pay, but when they see an opportunity to get around the "system" for less money, are willing to take it.
(C) Those that are not willing to pay no matter what, and will only attend if they can get in for little or no money.
The real issues facing RSA are these:
Provide good service to Class A attendees; try to minimize the "discount" available to potential Class B attendees, so they will pay to attend; try to discourage Class C attendees, so they don't take away too many resources from Class A attendees.
Faced with this trade-off, talking a tough game is probably in the best interests of RSA. However, when push comes to shove, if they are faced with a bona fide Class A attendee who has paid his money but lost his badge, it would be in their best interests to quietly make "an exception" to the no replacements rule.
It would be interesting to hear what they really end up doing.
At least they give you a $90 discount on the replacement badge. That's very considerate of them.
What kind of person "breaks into" the RSA conference?
Does it really matter?
From previous articles I know Bruce is against credit card companies asking consumers to cover fraudulent transactions resulting from a lost card so why do you support this method to avoid badge loss?
Forgive my ignorance, but they seem quite similar.
"Chip-n-Pin"; hmm, there's a thought. Why doesn't RSA issue smart cards for passes? If one gets lost or stolen, you pay for a replacement card and the old one can be invalidated.
This is the RSA conference after all. If RSA wants to convince us that smart cards are easy to deploy, why don't they use the conference as a show case?
Tom, I'm not sure what Bruce would say but I can see a big difference between the two.
There's the obvious that 1 conference or $2k is far less damage than the full credit card limit and credit damage.
More importantly however, I think is that customers have far more power to secure their RSA badge than they do their credit card info. The RSA badge is one physical item that a customer needs to secure. The credit card info is stored in databases from many different vendors, credit card processors, issuing bank and so on. A customer's credit card info could be stolen without the customer doing anything "wrong" other than actually buying something with the card.
@Tito - Thanks, for that clarification, no excuse for me not thinking that one through.
If one were going entirely according to the economics of the situation, it's in RSA's interest to provide badges/holders that detach easily from the legitimate user. The sunk cost of making arrangements to attend the conference likely exceeds the cost of the replacement badge. Over the years you would see a shift in the mix of people attending the conference, at which point the profitability of RSA's strategy depends on how much of the perceived value of the conference is in the presenters and how much in the attendees. (There's probably a decent analogy here with the economic consequences of scorched-earth DRM.)
Tom: he sure doesn't sound to me like he supports this security technique. Maybe the sarcasm was too subtle.
On the threat model: I find it hard to believe that badge theft or fraud is a big problem for most conferences. Maybe it's just because I mostly attend more heavily academic conferences rather than ones with a large number of industry participants held in major urban centres (where maybe the situation is different), but from the point of view of academic conferences:
* $1895 is a lot for conference registration. $300 would be more typical.
* Your registration normally buys many other things besides the badge, including physical objects like the conference proceedings, and privileges like banquet admission which are normally controlled by separate tickets. At most conferences, all you'd get with a stolen, forged, or falsely "lost" badge would be admission to attend the talks - and the marginal cost of providing that to a few cheaters is almost nil, because the meeting rooms have already been paid for. It's hard to believe that the conference organizers could really lose significant amounts of money to this threat in the typical academic conference setting.
* Except at the largest conferences, attendees usually know each other. If nobody recognizes you as belonging there, that fact will be noticed. At the most recent conference I attended, there was nobody there who knew me at the time I showed up... but given the specialized nature of my work, there are probably only three or four people in the world who could have successfully impersonated me in a discussion of my research, and all of them were present and already had legitimate badges of their own, and within a few hours of my arrival, there were enough people who recognized my face that my badge became superfluous anyway.
* Conference registration is just a small part of the cost of attending a conference. Is someone going to spend a much greater amount of money on plane fare and accommodation just for the *chance* of being able to rip off the conference organizers for a few hundred dollars?
* Similar point: few people who attend conferences pay their registrations out of their own pockets; it's normally covered by employers. Who's going to get authorization and money for travel but not for the conference registration fee?
@Matthew - I promise I'm a lot sharper in the afternoon....
It's ironic that a leading firm in crypto security is so crappy at physical security. They should realize the cost of bad publicity (anybody reading this thread will be a little less confident in RSA's capability to handle security problems).
How about an ID card with RSA keys, CA certificates, RFID readers and the like? It would be a bonus to their PR department.
Not to think of collateral benefits. Imagine Shamir's ending conference on "how I just cracked the brand-new RSA card with the cafeteria's microwave oven"; and next week's paper on microwave makers being sued for DMCA infringement; and new analyses about microwave side channel leaks; and...
Now that would be a conference to remember!
I was at a conference last year (can't remember if it was ALA or Book Expo) where they added barcodes to everyone's badge and scanned every badge upon entry. The lines at the opening of the exhibit halls were huge and slow. Lots of grumbling. I saw no one getting stopped, so I'm not sure why they were scanning or what the scans told them. It seems RFID tags would have been the way to go.
Cisco uses barcodes on badges at their Networkers conference. It doesn't seem to be a security measure, though--you can scan in for multiple talks in the same session (scan in for a talk; see the slides; decide it's not for you; go to a different talk).
I think the barcodes are for managing session reservations and ensuring that rooms don't fill beyond capacity.
>>"Chip-n-Pin"; hmm, there's a thought. Why doesn't RSA issue smart cards for passes? If one gets lost or stolen, you pay for a replacement card and the old one can be invalidated.
This is the RSA conference after all. If RSA wants to convince us that smart cards are easy to deploy, why don't they use the conference as a show case?
Kind of ironic isn't it. The shoemaker's children have no shoes.
Doesn't even require a smart card, just a card reader with access to 'valid' IDs database (RSA can manage a database in this case without private information, can't they?)
That should be a real embarrassment.
Why not slip an RFID tag in the badge, so that detection of a revoked badge can be automated? Now you're not looking for security guards to check faces against photographs, you're looking for an automated means to detect an ID that's on the list of "revoked" IDs.
Part of the problem here is that there is a mismatch of value. The card itself has a cost of production of - what, a few cents? The purchase of the card in the first place is the equivalent of buying a new laptop; but the cost of replacing it should cover only the cost of replacing it - the cost of voiding the old one, and of providing sufficient security to ensure that the old one cannot be used. The cost of a fraudulent card being used is small by comparison, as the fraudster can attend sessions that were provided anyway (so it doesn't cost any more in speaker's fees), and does not receive the entire conference packet of information and freebies.
As such, the cost to conference organisers to be interested in providing security sufficient to prevent this fraud is significantly more than the benefit that they get; the cost to an attendee to find that his badge is no longer working, however, is huge, as he is either unable to attend the conference, or has to stump up a significant fee.
The attendee and the organiser have a difference in their perceived value of the card, and the attendee has no means of getting back the value that was stolen from him if the card was stolen, or the value that was lost, if the card was lost.
The organisers have the means of preventing the use of the card, and are not willing to offer that as a service to the attendee, because they are not damaged by its loss.
Indeed, a mildly unscrupulous organiser could see the benefit to picking up and 'losing' as many conference badges as they can.
I disagree with Bruce on this one - I don't think it is appropriate to laud a system that has an innate reward for one of its participants to act dishonestly.
It's not a pure externality, we can choose not to attend such events until the policy changes.
(Like that'll ever happen.)
I keep my badge in my pocket, where it's hard to steal. I take it out on demand and when entering a room where it will be checked.
Imagine you have a $2000 bill in your pocket. Feel comfortable?
I attend a number of security conferences wherein I am only interested in *maybe* two talks, so I regularly either borrow someone else's badge or scan and photoshop one for those talks. I know it could be seen as "theft", but someone selling security information should probably know better, and I've often been the vehicle for teaching security businesses a lesson about practicing what they preach.
How about this: Give people a choice.
They can volunteer some sort of identifying information, such as a picture, in return for "badge insurance" which would replace lost badges for free/a nominal fee.
If you'd prefer greater anonymity, forego the optional insurance and keep a close guard on your badge.
As an academic discussion of security, these points are all good, but really, who's trying to break into the RSA conference? This point becomes the dealbreaker when attendees are at all inconvenienced by the security measures and get to stand in line for enough minutes to start bitching about it.
The loss opportunities of imperfect security here are so small as to justify only the barest security measures. The point of the high price tag isn't to make people avoid dark alleys so their badge doesn't get stolen, it's so that people don't forget the badge in their hotel room and just expense another one.
Also, any security measure that increases the vigilance of the end user, even involuntarily, isn't all bad.
> Imagine you have a $2,000 bill in your pocket. Feel comfortable?
This is kind of a bad analogy. Let's say my wallet is no longer in my possession.
If it's been stolen, I'm unlikely to get it back with $2,000 in cash in it.
If it's been misplaced, I'm less likely to get it back with $2,000 than I would be if it had $10 in it (basically honest people can be really tempted by a windfall of $2,000).
On the other hand, if I misplace my conference badge (and there's identification attached to it), I would think that it would be more likely to be returned than cash -> basically honest people won't be tempted by a badge to a conference they're not going to attend in any event, and if another conference attendee finds it, they're likely to return it because of the community effect.
There is another layer of externality here. Lots of people who *attend* these sorts of conferences do so on somebody else's dime (usually their employer). If they lose their badge, it's not $2K out of their pocket.
It seems like an unfair burden on conference attendees, but I imagine most of the attendees didn't feel overly put out about it.
"The point of the high price tag isn't to make people avoid dark alleys so their badge doesn't get stolen, it's so that people don't forget the badge in their hotel room and just expense another one."
Um, I am almost 100% certain that this is a very bad misstatement. The point of the high price tag is to make lots and lots of money. And then sending these high-paying people into a conference where others that are paying lots of money can try to sell them stuff. I mean, that is the point of conferences right?
"The point of the high price tag is to make lots and lots of money."
You're correct, of course. I should have said that the point of the high *replacement* cost is to put the burden of vigilance on the attendees.
"As an academic discussion of security, these points are all good, but really, who's trying to break into the RSA conference?"
A lot of people who have the cheap expo-only badges try to sneak into the sessions. And even more people try to sneak into the big gala party.
Another economics issue, why is the conference so expensive, probably one of the most expensive I know of. The cost 1) increases the incentive to commit fraud, and 2) should have a negative effect on attendance. One wonders if the cost were half, would the attendance more than double? But for many attendees, the cost is an externality, borne by their employers, so who knows.
"From previous articles I know Bruce is against credit card companies asking consumers to cover fraudulent transactions resulting from a lost card so why do you support this method to avoid badge loss?"
I hope I never said that I supported this method. I think it's a good illustration of how economic incentives skew security decisions.
"A lot of people who have the cheap expo-only badges try to sneak into the sessions."
Right, but the cost of that loss is some extra buffet and drink expenses, which is bearable within reason.
"Another economics issue, why is the conference so expensive, probably one of the most expensive I know of."
Joel Spolsky, of "Joel on Software" fame, has written a few interesting columns on the psychology of pricing. In short, the high price justifies itself by connoting high value to the attendees, who, as you said, aren't paying for it anyway. That elitism is self-perpetuating: Would Bill Gates address a conference where attendees could get in for $10/day?
It's not economically true that halving the price would double the attendance. In fact, at this point, dropping the price would probably kill the conference itself by signalling to attendees that the conference's relevance is over and they're desperate to keep attendance up.
Daniel: the point of the high price might be to *limit* attendance. There's only so much space, and some sessions (like Bruce's) are already standing room only in rooms that seat 750 people.
RSA's solution to the lost badge issue by transferring risk to the attendee has some interesting ramifications. A conference staffer could always swipe badges from attendees on the sly, forcing the attendee's employer to replace the "lost" badge and feed more money to the conference. It could be done on a grand scale without much publicity: who wants to admit that they lost their badge?
"who wants to admit that they lost their badge?"
They'd have to admit it when they submit their expense report, wouldn't they? Casually replacing a $2,000 badge is something for CEOs, not for most attendees, I would imagine.
"They'd have to admit it when they submit their expense report"
I was more referring to the conference attendees not admitting this to each other at the conference, the only way I can see a scheme like this coming to light.
I'm just wondering if the conference is worth $2000 or thereabouts in the first place..
I wonder what kind of "finders fee" could be requested for "lost" badges?
A Hockey arena can get 26,000 fans in using barcodes but the leading security company cannot?
I have been at the RSA Conference this week, with the best speaker line-up in the event's history and a wealth of information and insight into our industry just waiting to be tapped.
And yet... badge-replacements and "thin-strips of plastic" is what is top of mind for you guys?? Is that really what matters?!
Wow: personal possessions become your own responsibility... what a revolutionary idea! (I'm being sarcastic.) I look after my wallet, I look after my lap-top, I look after MY stuff. And - this week - I've looked after MY Conference badge. This "Blame-Anyone-Else-At-All-Costs" culture just shows how much we need to grow up.
Arl: "A Hockey arena can get 26,000 fans in using barcodes but the leading security company cannot?"
That has nothing to do with who's designing the security protocol and everything to do with physical architecture. Hockey arenas and the like are designed for checkpoints in a way that most convention centers are not.
""A lot of people who have the cheap expo-only badges try to sneak into the sessions.""
"Right, but the cost of that loss is some extra buffet and drink expenses, which is bearable within reason."
Right, but then the incentive becomes to only buy the cheap expo pass because you can get into all the good stuff with it anyway.
"This "Blame-Anyone-Else-At-All-Costs" culture just shows how much we need to grow up."
I think you might be missing the point of this whole discussion. When a person pays two grand to attend a conference, their right to enjoy the product they've purchased shouldn't rest solely on their ability to keep track of a piece of plastic. Many conference organizers are realizing this and developing alternative methods of authentication. It is just odd that security conference organizers seem to be the last in line.
As much as I dislike many aspects of RFIDs in general, perhaps this might be the right kind of application, if implemented correctly.
How does this sound:
Every badge has an embedded RFID tag that permits the checkpoint to rapidly scan entrants to verify both the validity of the badge, and the rights associated with it.
(i.e. expo only, conferences, VIP status)
Each venue scans for "valid" badges that have the appropriate level for admission.
Lost badge IDs could be reprogrammed (like a hotel key card) to deny access, and replacement badges could be provided at a nominal replacement fee.
After the event, participants can simply discard the badge.
This reduces the risk of lost or stolen credentials to both the exhibitors and the participants.
"Right, but then the incentive becomes to only buy the cheap expo pass because you can get into all the good stuff with it anyway."
Sure, but the security measure to handle that is people at the door visually checking whether passes are cheapo ones or not. The security risk we're discussing here is stealing the high priced badges to impersonate a full attendee. The incremental cost of a stolen-badge attendee is so small (especially with the higher badge replacement cost) that it's not worth guarding against more seriously with RFID or photo badges.
"I have been at the RSA Conference this week, with the best speaker line-up in the event's history and a wealth of information and insight into our industry just waiting to be tapped."
"And yet... badge-replacements and "thin-strips of plastic" is what is top of mind for you guys?? Is that really what matters?!"
well, for those of us who didn't spend the $2000 + airfare + hotel + meals . . .
What are we missing??? What have you learned that you'd like to share??
"As much as I dislike many aspects of RFIDs in general, perhaps this might be the right kind of application, if implemented correctly."
Quick question here. Two years ago, my employer (a plastics manufacturer) was looking into RFID because of coming requirements by retailers like Walmart that products have RFID labels on them. At the time, the technology was still very sketchy--lots of practical problems still hadn't been worked out, like getting a 99%+ accurate read on a pallet of products in a warehouse, or overcoming the radio-scattering effects of metal products like canned soup, or the radio-dampening effects of large amounts of cardboard. Walmart was under heavy pressure from its suppliers to relax its requirements because the suppliers felt they couldn't be ready in time due to the fact that no consistently effective RFID architecture was available or proven.
Is RFID now at the point that it can be reliably used in a security scheme like Frank is describing?
The problem is that the badge isn't what was purchased; what was purchased was admission to the conference. The badge is merely "proof of purchase". Further, you may purchase admission, not realizing that the badge is made in such a flimsy fashion (I'm assuming others' descriptions of the badge are correct) until you receive it, thus eliminating your ability to make an informed decision about what physical objects you are in fact purchasing.
IIRC, at BrainShare 2002, the conference badges were BSafe Smartcards.
If you lost your card, they could just invalidate the lost one and issue a new one for a nominal fee.
Given that BSafe is PART OF RSA, it seems highly irrational that they aren't using the same technology.
"Imagine you have a $2000 bill in your pocket. Feel comfortable?"
I agree with Pat that it's bad analogy, but for a different reason. If I have $2000 cash in my pocket, I'd be worried about mugging, whereas no-one is going to mug you for a conference badge: it can be cancelled, at which point it has no value at all. Also, the badge is only usable at a very specific location for a very limited time, so either the mugger, or a receiver of stolen goods, is practically guaranteed to be caught if they did try to use it. A slightly better analogy would be "imagine you have a non-negotiable cheque for $2000 in your pocket. Feel comfortable?", in which case the answer is probably "yes" (assuming it was written with insoluble ink!)
"That has nothing to do with who's designing the security protocol and everything to do with physical architecture. Hockey arenas and the like are designed for checkpoints in a way that most convention centers are not."
Well, precisely. If they are trying to get 2,000 people into a room with only two doors, it doesn't matter how they check IDs, the doors themselves are the rate limiting step. Whereas if you have 4 entry points each with 4 gates, you can admit everyone in 2 or 3 minutes -- provided an authentication token can be verified within about 1 second. This is the case for nearly any automated type (on average a barcode scan takes considerably less than a second, ask a supermarket checkout operator) provided that a) there is a reader at each gate and b) there is a way to quickly move aside people with problems so they don't block the queue. So at the conference with the barcode delays, the problem was architectural, not the authentication system.
For the scheme Frank is describing, contactless cryptographic smartcard technology is not only mature enough, it is actually already in widespread use for transit systems in several countries. This is however not quite the same thing as RFID, which usually implies very cheap, very small contactless devices with no internal processing capacity. Such devices are now *reliable* enough for this sort of application, but have essentially no security and generally should not be used in security related applications, especially not with a $2000 payoff.
1. Recently, I participated in a "fun run" where times were recorded by detecting an RFID tag attached to your running shoes, as it crossed the start and finish lines. At peak moments, the system was recording about 120 persons per second, with about 6,000 persons in all, and allegedly no-one has missed out for any of the (three?) years they have used this system. It's also cheap: there was a replacement fee of $10 if you didn't return the tag at the end of the race, but it was free otherwise (they are robust, and reusable for many years).
Aren't you the one always raving against companies "externalising" their security costs to the customer? How is this suddenly clever and not just grubby?
"Aren't you the one always raving against companies "externalising" their security costs to the customer? How is this suddenly clever and not just grubby?"
Can't something be both clever and grubby?
Honestly, companies are going to make security trade-offs that are in their economic self-interest. That's life. I think it's important to understand that, to accept it, and then to deal with it.
"It's not a pure externality, we can choose not to attend such events until the policy changes.
"(Like that'll ever happen.)"
Your parenthetical comment is important. We can choose not to attend such events until the policy changes, but that really only makes sense if there is a market in these events where this policy is a feature that they compete on. So today it's not really a market, so today it is an externality to the conference companies.
You can also issue a Purchase Order in conjunction with your conference payment, and put on the back terms and conditions that state lost badges must be replaced for free, etc. How much you want to bet RSA will accept the P.O. w/o batting an eye?
I notice one thing that is significant to this situation and particular to the comparison between crypto and physical security.
Someone can try to 'break' the security, not only with a goal to get inside, but to inflict damage on the person who has their security broken.
If the card costs a lot to replace then it is a viable 'attack' to steal their card, even if you have no intention of using it yourself. You have an easy method of inflicting considerably more damage than the probable cost of the attack in an easy manner. I would liken this to a DoS attack. In fact, that is exactly the vulnerability that RSA is opening up for the consumers under these circumstances.
@ Mr. Schneier: "We can choose not to attend such events until the policy changes, but that really only makes sense if there is a market in these events where this policy is a feature that they compete on."
Actually, to the extent that falling revenues will either encourage such events to pay more attention to the policy, or will encourage other players to launch events that compete on this policy, such a refusal (the scale can be small, as long as it is significant) will have a useful effect on the marketplace.
Well, the badges are smartcards. So really, with some tweaking to the way RSA is checking badges, a lost/stolen badge could be handled more gracefully and with less customer expense.
1. When the badge is reported lost, invalidate it. Since the sessions require you to badge in, this would disallow stolen-badge user's entry.
2. Add checkpoints/badge scanners for entering the major events like the keynotes and the gala. Simply replace the guards who are looking for FC on the badge with people with readers. It will slow down entry to those specific events, but it would also keep out invalidated badges.
2.5. Don't add badge scanners for entering the Expo. Glancing at the badges is sufficient because the Expo-only badge is a minimum-access badge. Besides, the Expo vendors want as much foot traffic as they can get.
3. Sell replacement badges at the price of an Expo badge + a nuisance fee of an extra $50-100. After all, if the lost badge can't access anything but the expo, the risk has been reduced to the price of an expo badge.
I was actually at the conference, using an exhibitor badge that I borrowed from a friend. And I also was probably the only
There is something about the admittance system used at the RSA Conference that is flawed, but it is only partly due to the lost-badge policy. First off, if the price remains as high as it is then I think photo identification on the badges would be unreasonable, as even among large and legitimate companies only a certain number of badges are purchased, and often have to be shared among employees. Also, a photo-ID system that was actually *enforced* would lead to longer lines as Bruce pointed out in his presentation, and it's not really a fool-proof system to begin with. The ridiculous pricing on the conference is what would have to change for me to support a totally individualized badge.
Assuming that changing the price is not an option, then RFID seems reasonable, as has been recommended. If you lose a badge, then you get a new one, and the old one no longer works. You would, of course, have to provide valid photo ID that matches with the name of the original registrant of the badge, so this wouldn't be an easy way of just picking up a badge either. Plus, the conference security could only increase with RFID. At the point in the day that Schneier was presenting, the only badge that was available was for the expo only. Yet I sat in the second row. RFID would have prevented this, or at least made me look for a much more complex infiltration method, which cuts out at least casual miscreants who consider something that is illegitimate but easy somehow better morally than something illegitimate and sophisticated -- if they can just walk in they will, but if they have to pre-meditate it and act in an organized way to violate the conference policy, some are more hesitant.
I must admit that since the presentation was pretty full I was a little tense about sitting in such close proximity with people who obviously had security on their minds, what with the invalid badge, but since the neck-strap was the same for all the badges when the going got tough I casually held a handout or two in a position to conceal the badge itself. Not so sophisticated, huh?
Some time ago, I wanted to attend a NANOG conference. Well, I only wanted to attend one portion of the conference: the PGP key signing, and a discussion about the future of network-based attacks, largely stemming from the Blaster worm.
However, I wasn't willing to pay for an entire conference fee, and didn't understand why I should in the first place. I was very up front about not wanting to pay, and offered to pay for the single session. I was informed, by no less than [the conference organizer] that this was not an option.
So I attended the conference anyway. No badge, no identification, and no conference fees paid. My presence was not questioned, even though I greeted [the conference organizer] -- who, not a few hours previously, told me I would be unable to attend -- as this person entered the room.
I sat through the entire presentation, took part in the PGP key signing, and my presence was never questioned. Granted, this was NANOG and not RSA, but handing out badges is completely useless if nobody questions the lack of one. Especially at a closed session (the session in question was not 'open', whatever that meant, though I think it was because Team Cymru was discussing techniques they would have preferred so-called 'black hats' to not learn).
Lotusphere (www.lotusphere.com) - IBM/Lotus Software's annual conference at Disney World Orlando - has the same policy on lost badges - the conference fee ($1600 or so) again for a replacement.
One of the things few people realise is the vendor hosting the conference generally outsources all the logistics nightmares of handling badges and visitors to an exhibitions company.
It is really the event companies like these that we need to target and convince that smarter use of technology will save everyone time and headache as well as add benefits.
The sort of benefits that a conference would see if they used the right badge technologies are things like knowing which of your attendees visited which speakers presentations, allowing better followup than the 100s of junkmails one gets after most conferences.
I attended Bruce's talk at RSA and there are some interesting things going on about these Badges.
First off they look kinda like standard smartcards, but if you look closely, the smartcard contact area on the card is both a) off-center for a "real" smartcard and b) not really a contact area; it's a picture of one. (To validate this assertion, tests using the conference's Sun Ray 170 smartcard readers were not able to detect it as a smartcard.)
Therefore the badge used is either a piece of plastic with a simple RFID tag or a contactless smartcard ( http://en.wikipedia.org/wiki/... ); my bet is with the contactless smartcard from Axalto, since when Microsoft started punching holes in the badges as part of a promo, they broke them (RSA issued replacements for these broken badges for free, presumably charging Microsoft).
For walking about or going in the exhibitors hall, guards glance at your badge from 5-15 feet away as the crowds quickly stream by. They generally only look to see if you have something approximating a badge (even if it's turned backwards) and that you have the appropriate colored ribbons stuck on it. Exhibitors and expo badges have different color ribbons.
When attending sessions, a handheld PDA reader is used to scan the badge from under an inch away. The people scanning say things like "yes you're authorized" implying that it is possible for me to have a badge that would not be so (revoked?).
In the Exhibition Hall, several times I've had to take my badge out of its holder and hand it over to folks. This once led to a pretty scary moment where my badge was misplaced in the drama of interacting with the vendor while trying to understand their product and fitting my schmooze goodies into my overstuffed backpack.
Since I pay the conference fees myself, I'd be very upset if I had to pay $1985 on day 4 of the conference to have a new badge issued to me.
As a consumer I'd prefer to not have the risk of expensive badge loss looming over my head and would like to be able to focus on what the vendors are saying not where my little piece of $2000 plastic is. The vendors would like me to be able to focus on this too.
I think RSA made the wrong call here. I would have preferred the real costs of minor badge fraud to be rolled into the costs of the conference and then have badges that offer inexpensive discouraging security rather than unbreakable smartcard security that doesn't address my risks.
FYI: Pictures of the RSA 2006 Conference Badge are below:
In its plastic badge holder with ribbons:
The badge is as much a proof-of-payment token as an access control token; you get in if you pay. In English, it's a ticket. And very often, if you lose your ticket, you're required to purchase a new one.
The lost badge question has traditionally been solved this way: a ticket is purchased for a specific bus/train/boat/flight/movie/play/conference. It may or may not be limited to a specific person. If not, whoever presents the ticket gets whatever the ticket gives access to. The seller of the ticket is not responsible for how the buyer handles the ticket. If written for a specific person, the ticket may be rewritten, if the ticketing system allows for it.
Why didn't you, as a form of protest, lose your badge before your conference? That would have got RSA thinking.
"Gee, do we give a presenter a new badge?"
Unless, of course, you got in for free.
"Your parenthetical comment is important. We can choose not to attend such events until the policy changes, but that really only makes sense if there is a market in these events where this policy is a feature that they compete on. So today it's not really a market, so today it is an externality to the conference companies."
I agree with Lyger. Moreover, I did quite a bit of experimentation with my badge at RSA and found that it not only was trivial to get into the full conference (FC) without my badge (it was in my pocket), but that it was actually more convenient than standing in the long lines of people trying to use the normal entrance (the door readers were slow, understaffed and often had technical difficulties). I tried several times to actually get caught without my badge displayed (I just wore the lanyard and pocket agenda) so I could test the veracity of the $1900 replacement fee threat, but unfortunately no one ever challenged or questioned me for not having the actual badge. This made me feel quite silly for having paid full price in the first place (although I was an early registrant and the fee was actually more like $1100) but even sillier for worrying about losing the thing.
The $100 was three years ago, and I can assure you that, based on my extended argument with the conference organizers at the time, badge fraud is very uncommon. The officials I spoke with actually claimed that the RSA conference organization company (different than the RSA security company) were the ones who set the fee and it was based on some internal and proprietary algorithm (seems like the $10,000 DoD toilet seat to me). My best guess is that the San Jose facilities had some different contract/policy than San Francisco so the replacement fee changed.
"Why didn't you, as a form of protest, lose your badge before your conference?"
Everyone recognizes Bruce, so his badge is a mere formality. I did in fact try to make a statement by "losing" my badge, but ultimately only discovered that it wasn't really necessary to gain entry where I wanted to go.
I must admit, however, that the girls hired to monitor the doors seemed unnecessarily easy to distract and engineer. My favorite line was "oh, you already swiped my badge, remember?" Even though I had my real badge in my pocket, it actually saved time/hassle to pretend not to have it.
If there are that many people who want to go to the sessions, they should rent a bigger space and lower the per ticket cost. They would make more, probably ($10 each from 10 000 is more than $100 each from 750). The reason they don't is that the real purpose of conventions and such is the same as "professional" organizations- to stroke the speakers and attendees egos and to keep down competition.
Oh, and I should probably also mention that the idea to not have someone swipe my badge at the door started when the badge readers failed at two of the doors the first day, actually preventing me from getting it read. The door monitor just waved several people through since her device didn't work. At first I was excited about learning more about the technology/control but the flaws made it patently obvious that there was no way this particular badge reading system was going to be able to control who actually entered the room...not to mention many people managed to slip from room to room during the presentations.
"If there are that many people who want to go to the sessions, they should rent a bigger space and lower the per ticket cost. They would make more, probably ($10 each from 10 000 is more than $100 each from 750)."
I don't know what the numbers were this year, but recent RSAs have had in excess of 10,000 people in attendance. I don't know how many would want to attend the sessions as opposed to just the Expo, but with these kinds of numbers "bigger space" starts to be hard to find...
"my bet is with the contactless smartcard from Axalto"
That would make sense, given the giant Axalto logo on the back, but the Axalto reps I spoke with swore up and down that their technology had nothing to do with the badges.
"with these kinds of numbers 'bigger space' starts to be hard to find..."
Bah, the Bay Area is full of giant stadiums and other massive venues including the HP Pavilion. Concerts and sporting events seem to run ok and even San Jose megachurch corporations have to support regular events with around 4,000 people, so a vendor meeting twice or even three times that size shouldn't be such a problem if held in the proper area.
Like Bruce has advised me in the past (/2005/12/security_cartoo.html) it seems again that "people are our weakest link".
Well I'm here to tell you all that it's true that people are our weakest link in conference security, and that's also *the way it should be*!
Through a contact of mine I was able to get a badge and a seat at Bruce's keynote address at a conference last year without paying a cent. All I had to do in return was perform some basic speaker introduction at some of the other sessions on the first day. A fair trade perhaps? But with ironclad security based on "badge <==> paid" the ability to freely choose the terms of trade would be confined to only those tokens originally envisaged for the security system. My services would then count for nothing.
Of course the kicker is that the same guy loaned me his (photoless) badge to get into the cocktail party that night too. Mmmm, free pina coladas from Symantec never tasted so good.
Hi, I'm a person, I'm part of the weakest link, and I'm proud of it! :-)
- - - -
P.S.- Bruce, I refuse to solve the code you put on my autographed copy of your book because that would take away the mystery. I'd prefer not to know what it says, but I'd prefer to believe it isn't random either.
I peeled apart my badge and posted a pic on my blog. You can see the inner tag complete with antennae if you hold the badge up to the light. Look just below the image of the Taj...
"Why didn't you, as a form of protest, lose your badge before your conference? That would have got RSA thinking."
I didn't do it because I'm too much of a public figure. My guess is that if someone lost their badge and complained long enough, the conference would have relented and given them a new one with a minor replacement fee. It's economics again: the risk of someone sneaking in is worth not completely pissing off a high-paying customer.
"Unless, of course, you got in for free."
All RSA speakers get in free. They don't pay any speakers fee. They don't comp hotel. They don't pay airfare. It's the least they can do.
(And the main stage speakers pay something like $100K for the privilege.)
It's interesting to ask why they charge so much for the conference. My guess is that it's because they then have a bunch of participants who have demonstrated their willingness to drop $2K on a security conference, which makes them a whole lot more valuable as advertising targets. (The other way to get in is to be interesting enough to be a speaker, which leads to an interesting crowd of people getting together.)
My big complaint about all the RSA social functions I went to was that they were *loud*. The whole point of being there is to get into interesting conversations with people who are doing stuff somewhat related to what you're doing, but not exactly the same stuff. Sometimes, you can pose a problem and someone from a different field can just say "oh, yeah, there's an easy solution for that problem." But none of that works when you're in a room with music blaring so loud you can hear only every other word. The Gala in particular was annoying in this way--in the whole middle of the big room, you had one track of music (80s pop music covers) in one ear, and another track (music for the Indian dancers) in the other ear. But every formal social function I went to had blaring music, for some reason. (Maybe this makes people more susceptible to sales, by increasing cognitive load?)
"My guess is that if someone lost their badge and complained long enough, the conference would have relented and given them a new one with a minor replacement fee."
I disagree. They would point to the notice and say tough luck. But I say that from experience, having discussed this with them in person. The organization that runs the event is not the same as the RSA company. What incentive do they have to relent? Instead they create a huge incentive for people to try and evade detection.
@ John Kelsey
I agree 100%. There were no safe areas this year where you could reduce the noise and increase the signal. I remember two groups in particular trying to discuss something when people just said "I can't even hear myself, I'm leaving". At least in the San Fran venue they have had the big main room with music and then some side hallways/rooms that are a little more conducive to groups that actually want to talk. On the other hand, if you wanted to get totally plastered, stuffed with food, and out on the dancefloor...
Many conferences and trade shows I attend have badges with either 2D or 3D barcodes on them. As you enter the conference or exhibits area, a guard scans the card. This is done from 2-3 feet and you normally do not have to stop.
This is done to see who is coming in and how many times. Exhibitors like this to get metrics on how successful the show is.
It would be easy to incorporate a function in the scanner to beep when it encounters a badge reported as lost or stolen.
Why can't RSA do something like this? Then, if a person loses their badge, charge them, say, $50 for a replacement to cover the hassle and put some onus on them for taking precautions with the badge.
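The two schemes proposed in this thread (revoke a reported-lost badge, reissue the replacement at expo-only access for a small fee, and have every door reader deny a revoked badge) can be put together in a small model. The following is an added illustration written for this page, not code from the blog post, from the RSA Conference or from any real badge vendor; the badge IDs, tier names, checkpoint names, prices and the sequence of scan events are all constructed for the example.

```python
"""Toy access-control model for conference badges with a revocation list.

Added illustration, not code from the blog post or from the RSA Conference.
Badge IDs, tiers, checkpoint names, prices and the scan events below are all
constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class Tier(IntEnum):
    """Access tiers, ordered so that a higher tier implies the lower ones."""
    EXPO = 1   # exhibition hall only
    FULL = 2   # sessions, keynotes, gala


# Minimum tier each checkpoint requires (constructed checkpoint names).
CHECKPOINT_TIER: Dict[str, Tier] = {
    "expo": Tier.EXPO,
    "session": Tier.FULL,
    "keynote": Tier.FULL,
}

EXPO_PRICE = 100    # constructed figures, not the conference's real prices
NUISANCE_FEE = 50


@dataclass
class Badge:
    badge_id: str
    holder: str
    tier: Tier
    revoked: bool = False


@dataclass
class Registry:
    badges: Dict[str, Badge] = field(default_factory=dict)
    entries: Dict[str, int] = field(default_factory=dict)  # successful scans per badge
    next_id: int = 1

    def issue(self, holder: str, tier: Tier) -> Badge:
        badge = Badge(f"B{self.next_id:04d}", holder, tier)
        self.next_id += 1
        self.badges[badge.badge_id] = badge
        return badge

    def report_lost(self, badge_id: str) -> Tuple[Badge, int]:
        """Revoke the lost badge and issue a replacement at expo tier.

        Returns the replacement badge and the price charged for it: the expo
        price plus a nuisance fee, as suggested in the comments above.
        """
        old = self.badges[badge_id]
        old.revoked = True
        replacement = self.issue(old.holder, Tier.EXPO)
        return replacement, EXPO_PRICE + NUISANCE_FEE

    def scan(self, badge_id: str, checkpoint: str) -> Tuple[bool, str]:
        """The decision a door reader makes; a denial is where it would beep.

        A revoked badge is denied everywhere, including the expo, and an
        expo-only badge is denied at session and keynote doors.  Allowed
        scans are counted so the organizer gets attendance metrics for free.
        """
        badge = self.badges.get(badge_id)
        if badge is None:
            return False, "unknown badge"
        if badge.revoked:
            return False, "revoked: reported lost or stolen"
        required = CHECKPOINT_TIER[checkpoint]
        if badge.tier < required:
            return False, f"tier {badge.tier.name} insufficient for {checkpoint}"
        self.entries[badge_id] = self.entries.get(badge_id, 0) + 1
        return True, "ok"


def run_demo() -> Tuple[List[Tuple[str, str, bool, str]], int]:
    """Constructed scenario: a full badge is stolen, reported, and replaced."""
    reg = Registry()
    original = reg.issue("alice", Tier.FULL)
    replacement, price = reg.report_lost(original.badge_id)
    scan_events = [                       # (badge presented, checkpoint)
        (original.badge_id, "session"),   # thief tries a session with the stolen badge
        (original.badge_id, "expo"),      # ... and the expo
        (replacement.badge_id, "expo"),   # holder uses the expo-only replacement
        (replacement.badge_id, "keynote"),  # replacement does not open the keynote
        ("B9999", "expo"),                # badge never issued
    ]
    results = []
    for badge_id, door in scan_events:
        allowed, reason = reg.scan(badge_id, door)
        results.append((badge_id, door, allowed, reason))
    return results, price


if __name__ == "__main__":
    results, price = run_demo()
    print(f"replacement charged: ${price}")
    for badge_id, door, allowed, reason in results:
        print(f"{badge_id} @ {door:8s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point of the model is the split between the two ways a scan can fail: revocation makes the stolen badge worthless at every door, which is what takes the $1,895 liability off the attendee, while the tier check is what bounds the organizer's loss at the price of an expo badge. Only scans that are allowed increment the per-badge counter, so the attendance metrics the exhibitors want are not polluted by denied attempts.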
> Is RFID now at the point that it can be reliably used in a security scheme like Frank is describing?
Yes and it has been for 40-50 years. You probably use it on a daily basis in your employee ID card to open doors. Or maybe you use it on your car to pay tolls.
I work in the field of RFID and know all the hassles your employer and everyone else trying to meet Wal-Mart's requirements goes through. I was just at an RFID conference yesterday, in fact.
The problem is not the technology. It is safe and proven. Yes, there are some security concerns but most of them have been overblown by people who don't know what RFID is.
The problem your employer faces is that RFID technology is very application specific. WalMart is looking for a "one size fits all" solution.
There should be no more problem with an RFID tag on a conference badge than there is on my car windshield. (And before someone asks, my toll card is passive. Unlike the big boxes with batteries required by some systems, mine is a paper label, powered by the radio energy of the reader as I am passing at 35MPH.)
Cost per tag for something like a conference badge is probably less than 50 cents. In fact, the organizers could probably get someone like Zebra Technologies to foot the bill in return for a plug.
Posted by: Justin at February 16, 2006 03:08 PM
"and new analyses about microwave side channel leaks;"
Been there and done that...
Seriously, if you put the chip used in smart cards into a microwave waveguide between a low-power source and an appropriate detector, you get a lot of cross modulation onto the microwave signal which can be displayed on a spectrum analyser. With early smart cards you could get a lot of information off in exactly the same way you could by power line analysis...
If you used an IQ mixer to baseband you could then use more specialised equipment to start doing some really interesting stuff.
Unfortunately, being in a very commercial environment at the time I was not allowed to do much in-depth work on it.
Nothing new. This has been the usual MO at all of the conferences I've attended for years.
Science fiction conventions have employed this policy for years. Of course, the fees at SF cons are considerably cheaper than $2000 and I suspect the policy gets waived if the con organizer knows you or thinks you have an honest face. It does allow for simple security measures -- any badge will get you in -- which makes sense, since the main purpose is to make sure people pay for the event, not to protect anything or anyone.
CRYPTO-GRAM March 15, 2006
Security, Economics, and Lost Conference Badges
"For this to work, though, guards need to match photographs with faces. This means that either 1) you need a lot more guards at entrance points, or 2) the lines will move a lot slower. Actually, far more likely is 3) no one will check the photographs."
Before Desert Shield became Desert Storm, USA Today printed a small color photograph of Saddam Hussein. It was the same size as the color photograph on my clip on ID badge. I taped it over my picture and wore the badge every work day.
About 4 weeks later, as I sometimes did, I had lunch with the Director of Physical Security. Roughly midway through lunch, he looked at the picture, looked at me, and asked, "JT, do I want to know how long you've been wearing that picture?" After replying no, I removed the picture, gave it to him, he laughed, and said, "Thank you, I needed a good example of why we need to check the ID badges."
The idea to do that came from when I was in the 7th or 8th grade, I read a Reader's Digest Humor in Uniform story. The writer's husband was an employee for the War Department and during WWII for about 3 months had a picture of Adolf Hitler taped over his clip on ID.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.