Curiosity got the better of me and so I held up a bright light to my badge. The internal antennae were readily apparent. RFID it is, I guess. Then I simply peeled the two layers apart to reveal the metal inside. Note the fake smartcard print on the face:

A total of six little lines run around the edges of the badge and end up connecting to a strip just below the Taj image on the right. A tiny slice or pin-prick through these lines would kill the tag without any obvious damage. I wasn’t particularly careful because, well, I was feeling impatient and a bit cavalier. A clean job can be accomplished by sliding a razor gently and repeatedly along the edge of the badge and peeling up the label on the back, then lightly slicing the metal lines, then gluing the label back in place and applying pressure. Of course my badge rarely worked anyway and I refused to take it out of it’s little plastic pouch (when it wasn’t in my pocket) so this is hardly a burning issue. In fact, after several attempts to read my badge on the first day HP actually asked me to type my info into their system by hand…had I been more patient, and the card more reliable, I would have first tried to read the thing and see how the data was stored. Maybe next year.

I also noted that someone left themselves logged into the badge station in the afternoon when there was just one bored guard standing around. That seemed especially sloppy to me and made me wonder if anyone had ducked behind the desk to print their own badges on the sly.

The Budapest Business Journal has reported an interesting twist in an election race:

A statement published on the web page of the party’s parliamentary group said that the documents had been obtained from a site “accessible with a user name and password available to anyone.”

For some reason the South African Mail and Guardian has posted this version of the story:

Hungary’s main opposition party, Fidesz, said on Thursday that it had made a “serious mistake” in hacking into the server of the governing Socialist party ahead of the April general elections.

Anyone else wonder if the user:password was fidesz:fidesz?

Well, I said I would post more, and then I actually posted several things over on Bruce’s blog…odd that he took the $100 fee I mentioned to him as gospel. Anyway, the bottom line is that Bruce said I should try to get in without my badge because it wouldn’t work if he tried it (I said he should do it, but he claimed he is too well recognized — yes, I am transferring all blame to Bruce). He had asked me to email the results of my tests, but I guess I didn’t get done in time for his blog entry to pop up.

Anyway, I did as told by the great Bruce and stuck my badge in my pocket and just wore the lanyard and plastic holder with the pocket agenda. The only thing I didn’t try was just walking right up to the booth and saying “I need a new badge, what will that cost me?” I probably would have done it, too, if I hadn’t found it so easy to walk around badgeless. Sadly, I wasn’t challenged sufficiently to actually have to produce my badge. In fact, on a few occaisons I had to actively look around and seek out the guard who was stationed at the main doors. The presentation rooms had a single person for a huge crowd and there were so many issues with the readers during the sudden influx of people that I was not the only person literally forced to enter without my badge being carefully checked.

All-in-all a bizarre situation for a security conference. I started to feel like I needed to beg people to challenge me for my badge so that I could see if the $1900 replacement fee was for real. In fact, at one point I put my badge back on just to see if it mattered and was still working. Of course, at that point I was scanned. Dumb luck, I guess, or it could have been because the woman in line in front of me said she worked for Homeland Security. Alas, sometimes a hypothesis leads to a completely different set of conclusions than was originally expected.

Overall the conference was a huge benefit to me as I managed to meet several people who can help with the secret key issues I’m working on, and I learned a great deal of very useful tidbits from security industry luminaries like Ron Gula and Crispin Cowan (just in casual conversation outside the conference). McNealy’s presentation was very funny and helped me understand how Sun plans to get back on track. His human message was also very appreciated. Honestly I had given up on them back around Solaris 7, but they definitely seem to be back in the swing of things with Open Solaris and Office…tempting to see what it would take to replace our Windows desktops that are mainly used for analytics and email. In the Expo I was particularly impressed with the Identity Engines product and the Array SSL VPN (very fast, very clean). The food was sufficiently edible as well.

I give the conference high marks for bringing so many great minds together, but I really wish they would sort out the conference badge/identity situation properly (hey, this is a chance to really do something secure and efficient and not just talk about it) and work on quality/quantity of presentation issues. A DoJ speaker actually started her talk with “RSA sent me some presentation gurus. They said that I need to use humor and avoid going off-topic into the weeds”. Then she put up a cartoon and said “ok, here’s some humor” and then she proceeded to immediately head right into the weeds, so far off-topic that she (and her presentation buddy) became too lost to continue the slides. Oh, and I can’t forget that at one point she looked at a symbol for the British pound and said “um, that’s in Lira, right?”. I know, boring trivial stuff, but the presentation was so bad I had to wonder what might have been rejected from the conference.