“Doing the Watering Hole the Hard Way” – or  –  “Why Gartner Doesn’t Like Me Anymore”

SYN, SYN-ACK, ACK, BLOG, FIN, RST

A number of years ago… well, let’s just make it 2018, which it was… I had planned to attend Gartner’s IT Symposium in Florida. Initially, we were going to have quite a showing from our staff due to the “Bring Your Boss” promotion, which targeted non-traditional attendees to the conference. In our case, we had managed to leverage two executive attendance passes along with the five regular staff planning on going.

As time went on, our CFO bailed, our CDO bailed, and eventually my boss, supposedly due to shoulder surgery recovery, also bailed. The only executive left was our non-technical Primary Deputy Inspector General, who was lured by the fact these executive tickets were a focused, bespoke experience tailored towards the non-traditional attendee. I suspect this was to help rationalize IT spending for all the other underlings who were shuffling around the rest of the conference.

To me, the late bail-outs of more expensive tickets, namely for our CDO and CIO, which granted some priority access and reservation priority for talks, left us paying for seats that wouldn’t be used, or as we found out, couldn’t be transferred. For a place that was supposed to weed out fraud and abuse of the use of taxpayer funds, it left me a bit upset. Gartner was quite intractable about allowing either a refund or a ticket transfer.

 

Folks who know me, know I don’t take to “no” or stonewalling that well.

Regardless, we did show up with our small remaining contingent on-site and took advantage of what we could. The other downside was, while Feds, we couldn’t directly afford the per diem costs for the regular staff at the main conference hotel on the Disneyland grounds, and of course, no effort was made to transfer the prior hotel reservations from the Senior Executive Service (SES) staff who bailed to the regular staff to at least make their lives a little less shuttle bus dependent, but also a nice upgrade for those that stuck with the original plan.

 

Again, knowing me, this is starting to build up as a big annoying irritant, so of course some hijinks were to be had. 

 

“How best could we recover the value our organization put into the event since we had no avenue to recover those experiences supposedly we had paid for?”

Normal people would just walk away and just know they may: 1) not have to be bothered with their bosses and additional co-workers while at a conference at a resort area, and 2) since it wasn’t your money spent, be glad you got to go and move on.

Well, I would have taken both points, if it weren’t for the fact that after seeing what the executives were doing and how cloistered away they were from the bulk of the event, I felt it was a disservice to what they promised. Not that the exclusivity was a bad thing, since many senior leaders supposedly run on a different time value than normal people. I also feel that’s utter bullshit, but I’m not normal – or people have told me.

 

So being the security-minded person I am, and noticing that the credentialing system was seemingly pretty arbitrary, I figured that, while I was sort of bored at the content I had access to (and the amount of walking on the “campus” for the event was a bit extreme), I needed to focus on something.

Given the distances were a bit extreme for the Dolphin and Swan resort area conference zones, Disney, as part of their contract with Gartner, put on the charm and set up, quite literally, watering holes to grab juice, soda, and lemonade while walking out in the October sun in Central Florida. How nice of them, that’s truly really sweet and welcome.

 

For security people – there’s also a thing called a “watering hole attack”. In most cases, this is where an attacker sets up to listen, watch, or “bug” a popular website or resource so they can steal data and other information from visitors. In some cases, they install malware or other items in a browser or on a computer to maintain persistence for later abuse. All of this tends to be a digital attack, leveraging the carefree nature of many who visit, not expecting to be victims of an attacker.

 

Well, I figured, I need a beverage, and I need a badge. 

 

What kind of badge? Well, one that could get me into the cloistered area so I could talk to our executive, whom nobody had seen since they arrived on site, and if we didn’t get a chance to talk to them, would be in and out, with no idea of what there was to experience. So I figured, why not just step it up, and do it North Korean style and go for the biggest, baddest, all-access, platinum pass.

First question was, what would one of those look like? I didn’t exactly have a badge printer, nor did I have the Cap’n Crunch Decoder Ring for such things. All I had was some observational skills, maybe some counterintelligence ideas, and a reasonably good skillset with graphic design tools from misspent youth in high school and college, um, making things. Yeah, that’s it.

 

Luckily, I had my pass. A pass that left me as a lowly, basic peon attendee. No special skills or XP. Just general attendance which, at best, got me on the vendor floor for the end of day happy hours, and of course, back of the room seating when talks began to fill up. To be honest, when I go to conferences, sitting on the floor is often more comfortable than the standard seating for such events. Plus, sitting on the floor, you’re rarely having to excuse yourself to skootch out of the row when you get bored and leave.

 

I digress.

 

Back to that watering hole. It was a lemonade and water stand between the “boathouse” on the North end of the complex and the main conference vendor area in the Dolphin hotel. It had great lighting, a place for me to stand in the shade and lean against a pole (or a fake tree) and start observing.

 

First, this gave me the idea that the badges had different colors. Orange, blue, purple, red, and so forth – each with an indication of what part of industry or other role they had within the economy. Cool, as I had the purple one for Federal Government. I had once talked my way to get a “buyer” CES badge versus “media” or whatever I had as a designation when there in 2014 for work. I figured “buyer” would allow me to get exhibitors to talk more in-depth with me rather than press or simple attendee status. It did indeed work – much to my chagrin. So, always be cognizant of the privilege escalation category you’re shooting for.

 

I figured I’d stay with my current industry designation, as I wasn’t trying to win any prizes at booths. Mind you, a new iPad would be cool, but I wouldn’t have been able to keep it due to regulations, so, again, be cognizant of where you are.

 

Next up was to see what status I had. I mean, this is the part where you talk your way out of “steerage” seating at the back of the plane up to First Class. I had the basic ‘Attendee’ designation. The plebe of the conference. One among thousands. I wanted to be one among a few hundred, maybe even less.

 

I saw and cataloged all those areas above the industry bar through photographs. I then returned to the executive “enclave” and started watching those coming and going from their “special area”. Sure enough, the ones with “Executive Programs” were the ones who got the special treatment. This was an experience we paid for and didn’t have access to, even if I pleaded on site (which I did) to the registration crew.

See, I tried to do it the nice and kind way, and they sort of forced my hand.

 

I also side-eyed the decoder page when I was up asking the registration people a second time for the upgrade. So I noted there were the cool modifiers to get priority access to keynotes (aka “early boarding”) instead of getting it streamed, or booted to the hallway due to the session being filled. So, I figured that was also a useful piece of flair to add on to the soon to be new to me, all access badge.

About 200 photos later, I got enough real-world intelligence and data, I figured when I returned back to my room for the evening, I’d take a swipe at recreating a badge. Mind you, I had a leg up, as I used my current badge as a model for the graphic layout, fonts and other pieces, but if you were starting with zero knowledge, you’d have to back down your access to the conference hotels and other public places that didn’t require ID.

About 45 minutes later, I had a Photoshop file of the badge I wanted to use, and obviously, try out the next day. As the hotel’s printer in their office area only did black and white prints, I decided I needed to go find a FedEx Kinkos to do my print. 

 

That next day, I shuffled off the hotel grounds and up to the local FedEx and went to print my badge via a saved file on a USB stick.

 

It went horribly wrong – but not in the way you’d suspect.

 

I mis-sized the badge. I walked out of the Kinkos with a comically large version of the badge on legal sized paper. It’s the kind of badge Flavor Flav would have worn if he was a Gartner customer.

 

I went back to my rental car, which is a whole other story of how to win friends and influence people at conferences, grabbed my laptop and re-scaled the original file to print out the right size. I went back in, and thankfully came out with a perfect reproduction of the badge I’d need to use to get access to our executive.

Mind you, I didn’t feel this was illegal. I merely figured I was bored, I was there having had admission, and I was gamifying the access the same way you’d collect stuff in a video game to beat the final boss. Except I wanted to meet the boss, not beat them.

 

One other step, in something I learned from all you physical pentesters out there, and a tribute to “Sneakers”, is to look like you’re supposed to be there.

 

So with that, I fired up my iPad and my AirBuds and started walking to the entrance, working my iPad as if I was busy in communication and work and walked right by with my badge entirely unchallenged. Surprise, to nobody except me, I made it to the promised land, as it were.

A few minutes later I spotted our executive and sat down with her to talk, review her last two days and asked what her plans were for the rest of the week (as the event was five days in length). She had planned to leave the next day, but asked who else was here from the office, and if she could treat them to a drink at the bar.

We scheduled a time for the staff to meet up so we could watch the simulcasted ending keynote for the day, presented by Dr. Michio Kaku, and watched it near the lobby bar in the Dolphin. We chatted, had some laughs, got to know each other a bit better without having the odd office interaction. 

 

Being the honest person I was, I also told her about the stunt I pulled to talk to her, but explained why I did it. She didn’t seem happy, and I knew I’d probably get a reprimand, but I explained the circumstances and how intractable Gartner was in regards to our paid attendance and access, so she appeared slightly less irritated, but still not happy nonetheless.

 

Granted, once again, if you know me, you know I like to push on things a bit.

 

However, the rest of the week went on. We had a reception the next day for the entire set of agency customers from Gartner in a small happy hour/dinner overlooking the fake “cove” and waterfront Disney is known to create. Even then, close up with our Gartner account managers, nobody picked up on the badge and such, so I guess for those who cared, they actually didn’t.

Now I know this isn’t like walking into a bank vault and walking out with some safety deposit boxes that weren’t yours, but it’s also one of those cases of realizing your premier experiences really aren’t all that.

One other thing I noted was that their schedule printer, which just scanned a standard barcode, was serialized and didn’t require authentication. So, I went and used a barcode generator to scan and print schedules for a bunch of folks. I could find out who, where they were from, and what talks they had planned. If you were looking to do some hard sales, or even spy on tech leaders at an event like this, it was way too easy to do.

If you ever wondered why most security conferences, or at least the good ones, do not print personal or related information on badges, this is a reason why. In most cases, badges need to indicate access, and are a control mechanism that, if unique enough, can be easily spotted and discerned from a distance away. Some conferences, especially the ones who do “Badge Life” style build or play badges, take this to a new level, and I highly encourage this type of fun.

However, those are usually low target value area conferences, and most attendees there know what they are walking into. For these large analyst or industry events, that is usually not the case.
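The schedule-printer weakness described above, a serialized barcode accepted with no authentication, goes away once the barcode value is something the kiosk can verify and nobody can guess from a neighbouring number. The following is an added sketch, not code from this post or from any registration vendor; the token layout, the function names `issue_token`, `verify_token` and `kiosk_lookup`, and the sample schedules are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed per-event secret, held only by registration and the kiosk backend.
EVENT_KEY = secrets.token_bytes(32)
TAG_BYTES = 10  # 80-bit tag -> 16 base32 characters, still fits a 1D/2D barcode

# Constructed sample data standing in for the attendee schedule database.
SCHEDULES = {
    1041: "Attendee A (constructed): 09:00 keynote, 13:30 cloud session",
    1042: "Attendee B (constructed): 10:15 roundtable",
}

def _tag(body: str, key: bytes) -> str:
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac[:TAG_BYTES]).decode("ascii")

def issue_token(serial: int, key: bytes = EVENT_KEY) -> str:
    """Barcode payload printed at registration: serial plus a keyed tag."""
    body = f"{serial:06d}"
    return f"{body}.{_tag(body, key)}"

def verify_token(token: str, key: bytes = EVENT_KEY):
    """Return the serial if the tag matches, otherwise None."""
    body, sep, tag = token.partition(".")
    if not sep or not (body.isascii() and body.isdigit()):
        return None  # a bare serial, as the old kiosk accepted, is rejected
    expected = _tag(body, key)
    # Constant-time comparison on bytes; tolerates non-ASCII garbage input.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
        return None
    return int(body)

def kiosk_lookup(scanned: str):
    """Release a schedule only for a payload that registration issued."""
    serial = verify_token(scanned)
    if serial is None:
        return None  # a real kiosk would also log and rate-limit failures
    return SCHEDULES.get(serial)

if __name__ == "__main__":
    good = issue_token(1041)
    print(kiosk_lookup(good))       # schedule for the issued badge
    print(kiosk_lookup("001042"))   # guessed next serial -> None
```

A keyed tag only stops enumeration of neighbouring serials; a barcode photographed off a real badge still verifies, so a kiosk that prints personal data should also ask for something that is not printed on the badge.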

My takeaway, short of a probable, near ban from any Gartner event that wasn’t paid for by somebody other than me, is, well, that these companies could do better given the amount of cash that is paid them for consulting. The other takeaway, given how many times I’ve been offered paid access to attendee lists for such events, as well as also tracking, in the mid 2000s, APTs who used such info to target government and military leaders, is that these events need to do a better job protecting their data.

Overall, I don’t recommend doing what I did, short of my own personal lulz, and the ability to tell this story, unless this is your job to do for a living. Otherwise, enjoy your next conference, and think a bit about those who have your info, those peers around you, and what it takes to be better at security.

 

(NOTE: I’m That Maverick!)