Seems like every week there is an infosec conference happening somewhere in the world. With the BSides series of events as well as the premier conferences (not to mention vendor events), options abound.
Experienced attendees are well aware of all the private data that gets disclosed to the venue, the sponsors and exhibitors at many of these events. When you fill out an attendee form and get a unique badge, it may have a QR or bar code on it, or a magstripe or RFID chip inside. These unique identifiers are tied to your registration. When a vendor swipes/scans your badge at their booth, you are essentially giving them your personal information. And while it seems like the simple solution is to just not get your badge swiped/scanned by exhibitors, sometimes you want the t-shirt/pen/quad-copter or whatever else they may have to “give away”.
As a security-aware person, you may be thinking “How can I retain my privacy and attend these events?” Let’s examine this very question.
Protect Your Email
You will generally need to submit an email address on the registration page. This is how you’ll get your tickets, registration confirmation, etc. I have two different approaches to not giving your actual email address out: mail forwarders and throw-away email addresses.
When you own your own domain, as many people out there do, your provider may allow you to create email forwarders. Forwarders do just that: forward email. So let’s say that I have an email of email@example.com but I want to keep that secret and not register for the conference using that email. I may be able to create another email address (a forwarder) that, when mail is received, forwards that mail to my email@example.com address. What I do is create an email forwarder for each conference I register for and point them to send emails to my email@example.com email address. This way I can cancel/delete the email forwarder when the conference is over, and any conference spam that is sent to that email will get bounced back to the sender since the forwarder no longer exists.
The downside of using email forwarders is that they only protect you when receiving email. I cannot send out emails through the forwarder, just receive them. If I do want to send out emails then I can use a temporary email account.
Throw Away Email
Again, if you own your own domain, you can create a specific email address that you use just for a certain conference (e.g., firstname.lastname@example.org). When the conference is over, you delete the account and you kill the email spam that you would have received. Don’t have your own domain? No problem. I just Googled “throw away email” and got 40 million hits. I’ve not used these services but know that they are out there.
Your Personal Info
Conferences may give some or all of your registration information to vendors, sponsors and exhibitors. While protecting your email address using the above techniques is important, consider anonymizing your other information. I just attended RSA in San Francisco and I registered with the job title of “Computers” while a colleague registered with his actual title. I had no idea what data the exhibitors received when they scanned our badges until one of them asked me what “Computers” meant as my job title. At that point I had the choice whether to tell the truth or to move along.
I’m not telling you to be unethical or to lie to people but consider whether you really need to tell everyone at the conference/event all this personal data about yourself. There were some very aggressive vendors at RSA that tried to scan my badge just for talking with them. If you’ve taken some of the steps above, you may be OK with that. Each time I interacted with an exhibitor I made a risk-based decision: disclose or don’t disclose my personal info. There were several levels of this too.
For those vendors I had an existing relationship with, or those that I wanted to start one with, I had no problem giving them my business card (with more of my personal info on it) and telling them about how my org would use their products. These conferences can be amazing places to network and find out about new vendors and products.
I Just Want the Swag
Sometimes an exhibitor would have a drawing or be giving away something that was neat and I wanted. Giving away this “swag” is commonplace at events. Usually you will see it, walk over to the vendor, ask for one, they will scan your badge and then hand you what you wanted. But then there are other times when they want to interact with you, find out about your environment, your position in the company, and other sales-things. All I want is the swag. My goals and their goals are at odds. In these situations I find it helpful to explain that all I want is the thing they are giving away. If the honest approach doesn’t work, consider short-circuiting the rest of the conversation by understanding their motives and responding to their questions with something like:
- You are a low-level person in the company (no influence/buying power)
- You are not a person that even uses the technology that the vendor is selling/showing (so they won’t continue to explain it)
Giveaways and Drawings
Just something to be aware of: sometimes a vendor might say that they are going to give away an [INSERT EXPENSIVE ITEM HERE] which you may REALLY want to win. They know this. At RSA there were two types of drawings:
- Must be present to win – Those events where you have to be standing at the vendor booth to claim your prize. This was used (with a few exceptions) by vendors that had a product demo to show. They’d make you watch a demo or listen to a salesperson talk about their widget, gizmo or cloud-based solution AND THEN do the drawing.
- Emailed if a winner – If you win a prize, they will email you and usually ship it to you.
I participated in both types of drawings and won a pair of Beats headphones at a must-be-present drawing. I like the “emailed if a winner” method as I can just scan my badge and carry on.
Getting it Home
Consider this before leaving for a conference where there are a lot of giveaways: the more swag you get, the bigger the problem of “how do I get this home” becomes. There are four main methods I’ve used.
Stuff it in your suitcase
That’s right. Just try to find room in your existing suitcase for all the stuff. This “can” work but usually fails for big industry conferences where there is a lot of swag.
Ship it home
I’ve seen people take their swag, go to a shipping store, box it up and send it home. There is obviously a cost involved here but it will work.
Check a box/suitcase
You could put all your swag in a box or suitcase and check it on the plane with you. There may be added cost depending on your airline.
Many years ago I attended my first BlackHat conference in Vegas and a coworker showed me how he had packed a suitcase inside of a larger suitcase. His clothes and toiletries were in the inner suitcase which itself was inside an outer suitcase. When he arrived at his hotel, he unpacked his inner suitcase and then used the outer one to pack swag in for his return trip home.
To have a successful event, consider your privacy when registering for conferences. Make good, risk-based personal decisions when a vendor wants to scan your badge. And think about how you are going to get all your swag back home after the event.