I hacked RSA
Working with security and cryptography every day, I keep looking at the interactions that I do in real life, and try to visualize how that is keeping my identity secure, yet providing the required information to the parties that legitimately need it. Pretty much doing it the same way we try to figure out how to make CardSpace safe for everyone to use wherever they choose. I then come across real-world security opportunities that make me shudder.
I got to San Francisco on Sunday morning, and went to the conference center to get my badge. There were quite a few mails going around the staff going to RSA as to who would get the expo conference passes and who would get the exhibitor passes. I needed early access to the floor, so right near the end of last week, it was decided that I'd get one of the exhibitor passes, which let me go in where I needed to.
When I got to the check-in, I went to the laptops that were set up to look up my registration, and found out that I wasn't registered. No problem, I just went to the badge booth, and explained that I was a Microsoft employee and I was supposed to have an exhibitor pass. I handed the person in the booth a business card, and they added me in right there. No picture ID, no verification whatsoever. Just a business card, and a smile.
I successfully authenticated to the RSA conference with a self-issued credential, and was granted instant access. Pretty odd for a security conference. Now, it has been pointed out to me, that with my hat, and my story, that they probably thought I couldn't possibly be an imposter. But isn't that the point? How can they know? Where is the verification? Shouldn't they have asked for at least picture ID?
Last September, I went to DIDW in Santa Clara. Nice conference. When I picked up my conference pass, I just had to give my name. No ID check there either. At an IDENTITY CONFERENCE. Bill Barnes and I were quite boggled at that obvious lack of authentication there too.
I've decided, next conference, I'm going as Kim Cameron.