RSA security conference: 25 years of discontent and pranks
The first time I went anywhere near the RSA information security conference in San Francisco, it was by way of a prank.
Two things I love to cover are computer crime and business security, so when I met friends for drinks at a downtown hotel bar during the conference one year they were genuinely surprised I had never attended RSA. One of my drinking buddies that night was Twitter's head of security, and he jokingly asked if I wanted to go to RSA — right now.
Seeing the confused look on my face, he explained that RSA's big, lavish, exclusive "Codebreaker's Bash" was happening at the very hotel whose Grey Goose supply we were currently draining. He grabbed the badge of another Twitter security employee sitting next to me, and handed me his own. To get in I just had to follow his lead, and impersonate him.
Turns out I wasn't a very convincing head of security at Twitter. We cruised past a few sets of intimidating security teams (who were more concerned about my inability to match the Victorian-themed dress code) and then my guide toured me around a fairly opulent ballroom of endless shrimp platters and flowing champagne.
Pranking me like only a hacker would, he made a point of introducing me to attendees he claimed were from the FBI. Seeing as the conference is a mix of government, business, commercial security product vendors, and contractors, I'm inclined to believe the nice gentlemen teasing me over champagne cocktails about whether or not my name was really "Bob" were actually with the agency.
As an event, RSA started as a non-corporate gathering that grew big enough by 1994 to have its second event at the Redwood Shores Sofitel — a long way both in physicality and spirit from its current-day sprawl of 40,000 attendees filling up San Francisco's Moscone Center. Reflecting on RSA's Sofitel days, one anonymous source recalled beloved industry elder Bruce Schneier as "some kid named Schneier who sold me a book called "Applied Cryptography" from a blue nylon duffel bag he had filled with them."
But though RSA Conference has changed a lot since its inception 25 years ago, attendee pranks are among its consistencies. My source explained that as the conference became more business focused into the late 1990s, there were power struggles and "a lot of bad blood." At the time, RSA didn't let just anybody attend the conference. I was told, "European competitors couldn't get a booth. If you did things that they didn't like you couldn't get a booth."
So, a number of the earliest RSA "pranks" were mainly getting one over on the powers-that-be by way of what we would now consider guerrilla marketing — mild by today's standards, criminal to RSA at the time. If you couldn't get a booth at the conference, my sources explained, "you'd get a suite at the W Hotel and hire people to hand out leaflets inviting them to your thing. The RSA people were humorless and reacted in humorless ways. I don't know that they ever actually tried to get guerrilla marketing, off-site events arrested, but the stories flew that they did."
RSA's big party (then called the "RSA Cryptographer's Ball") was also a target for these seemingly harmless pranks. The dot-com boom days of the early 2000s were when the party had top tier musical acts, custom martini bars, cigar bars, single malt scotch, and according to our source, one year there was actually caviar. Getting in was a brass ring — which meant social engineering your way in and spoofing badges was a hot prank.
This was especially because RSAC people didn't like badge sharing, attendees asking for plus-ones, and hated any other after-hours parties. I was told, "If a company was known to throw an after-hours party, they might get denied booth space next year (yes, really) so a number of these were themselves pranks and almost like speakeasies. There were people who ran secret mailing lists to let people know where the parties were. (People involved with Survival Research Labs* helped a lot with this.) RSA parties were kinda like SRL events, where the location was a secret until the last minute."
One year, our source explained, the RSA Cryptographers Ball was at an undisclosed location "and we were all herded into buses. A number of people had in a matter of just a few hours hacked their own tickets and followed the buses to the California Academy of Sciences in Golden Gate Park, found parking, and then walked in through the kitchens in their tuxes and ball gowns playing dumb. They beat us through the gauntlet that we other people had to go through."
Enter Team Sadface
Around 2010, RSA Conference became the dated-feeling, mega-corporate trade show of security vendors and U.S. government agencies it is today: a boring event that feels like it's staffed by other people's parents, and where nothing really happens. By this time, those people's kids had all grown up, and for this line of work there were far more exciting and inclusive conferences to attend, like DEFCON and HOPE (Hackers On Planet Earth). Anyone female or non-white would've already felt alienated by getting stuck in their company's RSA booth. Worse, if you were young in an industry that looked richer than god and promised to conquer threats that would've been five years old — five years ago.
So on the days they didn't have to wear suits and stand in an RSAC booth for work, a group of young pranksters came together to ask just how much pranking could be done on the conference's expo floor.
The answer to that question was, a lot.
RSAC in the five-year span around 2010 struggled for relevance in its keynotes and talks the same way it does today. But the conference was expanding into China, and its expo floor was turning into a sales-forward infosec circus sideshow. Companies such as Dell, Microsoft, Intel, McAfee, Cisco and HP had booths alongside hundreds of smaller security vendors, along with the FBI, DHS and NSA. Every one of them would do almost anything to attract attention and get bodies in their booth. They staffed their expensive little patch of carpet with clueless salespeople tasked with running demos and contests on hacking that were beyond their skillsets.
For the prankster hackers calling themselves "Team Sadface" — named for the looks they left on the faces of salespeople — this was a playground.
Crashing demos was easy for them, but boring. One year, members of Team Sadface arrived at the conference with fake FBI challenge coins. These tokens hail from a military tradition, indicating special achievement and membership. In hacking culture, these small, heavy coins bear the insignia or logo of an organization and are awarded to winners of hacking contests, or those who earn (or prove) membership in a hacker crew or group. The coins also prevent name dropping and insulate against untrustworthy outsiders. While in conversation with a group of people at a European hacking conference a few years back, I mentioned my affiliation with a certain crew — and was relieved I had my coin on me when I was demonstrably challenged to prove it.
As you'd imagine, Team Sadface was really proud of its FBI challenge coins. Sadly, the coins only saw use once or twice — when Team members would show up at the FBI booth, present the coin, and say they were here to collect their prize. People staffing the FBI booth reacted as you'd expect: confused. Prize? What contest? Team Sadface would wait patiently as one FBI employee would go get someone who might know, who would go get someone who might know… All in fun, to see if maybe some kind of cool prize would be produced. Because unlike the DHS and NSA, the FBI actually has really great conference schwag, like patches. It was a no-go, but apparently everyone really liked the coins.
Violet Blue – photo by Roberto Baldwin / Engadget
These days, the RSAC conference expo floor doesn't have any hacking contests — but it used to. Nor are any prize drawings done on-site. But during this short time frame, which was Team Sadface's heyday, there were tons and tons of hacking contests for prizes. In the booths, sales and marketing staff didn't stand a chance against players who took the industry's challenges seriously.
Not unlike today's bizarre "hackers are evil, come meet this celebrity hacker" marketing at RSA, the contests back then were framed with slogans and concepts that mixed PR with a near-pathological confusion of good guy versus bad guy. One was framed to would-be contestants with the challenge, "Do you have what it takes to be a cyber criminal?" To people who actually knew what it took to be a cyber-criminal, this looked like someone in marketing was either crazier than a shithouse rat, or was desperately trying to remake the world to meet their own expectations.
Many of the contests were Flash games (and I'm guessing every hacker who just read that line is now grinning from ear to ear). One Flash game had a "random acts of crime" counter — the more crimes, the higher your score — and this was apparently easy to reverse. Easy for Team Sadface, that is. For some of these contests, they explained to me, the payloads to walk up and win first place would even be preloaded for deployment from their phones.
One booth game framed the player as a botnet herder with a set number of exploits to assign to different countries on a world map, with each country earning different amounts of money (points). The goal was to make as much money as possible with the least amount of expenditure; scores and winner names were racked up on the booth's leaderboard throughout the day.
Leaderboard notables: DarkTangent (founder of DEFCON), Dual Core (hackers/hip-hop duo) and "Beautiful Liability"
For this game, Team Sadface ditched their business suits so they would be considered unimportant by the salespeople (and they were). First, they pretended to play the game. While one would play badly and lose, another Team member would take photos of their friend losing — photos that included information other than their loser friend eating shit on a stupid Flash game.
The next day of the expo, Team Sadface pretended to play the game four times throughout the day, which happened to be the times awards were being handed out for top scores on the board. They won each time, and by the end of the day had amassed a group of followers, attendees in suits, who were coming back to the booth to cheer them on. On the last day of the expo, Team Sadface returned for a final round of winning, and to leave the board in hacker style. They left a final prank, rewriting the board with impossibly high scores (containing "1337") and tagging the name fields with the handles of other hackers as winners.
The wild years of Team Sadface at RSA weren't limited to computer hacking. One company's publicity scheme centered on a timed contest to hack physical locks. The event was based around Master Lock's "directional" padlocks: if you could open the lock in five minutes, you'd win.
But there was just one problem: the Sadface crew included and liaised with the best lock pickers and safe crackers around, and these locks (which store the combination in a mechanical hash) were actually terrifically secure. Simply hacking these locks wasn't going to be an option. Nor could Team Sadface pre-pick the contest locks, as they'd done previously with a different lock opening contest on the expo floor.
Again out of business suits and aiming not to be taken seriously, Team Sadface played a few rounds with the locks to lose, asking "really dumb" questions and hanging out to see what they could see.
They noticed that in between the contest sessions, each lock would have to be reset. The irritated and flustered salesperson who reset the codes didn't have a private area to perform the resets, and sat in the same spot each time. He also didn't notice the Team Sadface member in t-shirt and jeans who looked over his shoulder each time, and relayed the codes to other members. After that, the Team "won" eight or nine times.
The salespeople knew something was up. Salesmen told the exuberant winners of their lock cracking contest to come pick up their prizes at the end of the expo. Naturally, Team Sadface showed up to claim their pirate's booty — and were met with a woman who wasn't having any of it. She told them, "We don't know what you did. But we know you did something. No prizes for you." One Team member recalled the exchange with a huge smile, saying, "She was stone cold. I have so much respect for her."
* Disclosure: I'm a former member of Survival Research Laboratories.