Special to SecurityFocus, 2001-04-30
Ten thousand attendees, 250 vendor booths, and, still, something was missing.
The 2001 conference, held earlier this month in San Francisco, was my first RSA -- I was there as a guest of the fine security vendor Authentify, Inc. My first impression of the conference was made at the opening session, where rocker Pat Benatar belted out a live parody of her hit song "Heartbreaker." The title of the new song: "Codebreaker."
You're a Codebreaker
Crash Maker, File Taker
Don't you mess around with me...
Aside from the entertainment value, I was impressed with the sheer size of the conference. It's clear that the last six years have seen tremendous growth in the information security space. Literally. There were over 10,000 registered attendees, and Moscone Center's cavernous exhibit halls became a dizzying 250-ring circus featuring seemingly every security act in Creation, from Acotec to ZixIt.
Having once been banned from the 1991 DECUS conference in Las Vegas solely based on my reputation as a hacker (and my forays into DEC's Easynet), I know the feeling of being unwelcome. So I was pleasantly surprised to find most of the attendees friendly and respectful. It was good to reintegrate myself back into the computer security business without much resistance.
A lot of attendees didn't even recognize me. While waiting for a session on computer viruses to begin, I was listening to a conversation between two men seated next to me. When I glanced down at one person's badge, it said "FBI, Special Agent" right below the name. It was amusing for me to end up eavesdropping on a couple of FBI agents who were clueless to my identity. Or were they?
But when all is said and done, there was something missing from the conference. No sessions were offered covering physical attacks or social engineering. You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.
The world's largest security conference should have offered a session that discussed these types of attacks, if nothing more than to raise awareness.
For the most prestigious security conference in the world, I was also surprised by the lack of physical security for the exhibit hall itself. While waiting for my contact person to arrive, I decided to take a stroll to locate Authentify's booth. The hall was closed to everyone, with the exception of staff setting up the exhibits. Although I was wearing no form of identification (such as an exhibitor's badge), I managed to gain access into the exhibit hall on two occasions without being questioned. I walked around for a good half hour before even locating the booth.
No one thought to ask me what I was doing there while walking around with no badge. Anyone else could have walked off with an executive's laptop or PDA without being noticed. You would think with tens of thousands of dollars worth of computer equipment and technology lying around, and the nature of the conference itself, that the exhibit hall wouldn't have been so vulnerable.
What new security technologies will be marketed as the killer-app at next year's RSA Conference? This year, deployment of public key infrastructures (PKI) dominated the scene. But while PKI technology may reduce the risk of hacker attacks, it's not a silver bullet. If your goal is to protect your network, you cannot rely on technology alone.