How's My OpSec? Security Con Badges, the Wall of Sheep, Hit Points and You
Are you sometimes embarrassed by the lack of security hygiene demonstrated by so-called security professionals at hacker cons? Do you find the Wall of Sheep statistics depressing? Do you wish that those who make a living out of telling everyone else how to “do security” would start practising some themselves?
Here’s a suggestion to bring in some real accountability. I mentioned this idea to a few peeps at Brucon who seemed to like it…
Given that more and more hacker cons run a Wall of Sheep and supply attendees with a con badge decked out with CPU, display and even RFID…why not link them together and throw in the gaming concept of health points as a public display of an attendee’s opsec?
All attendees start with the same number of health points (e.g. 5). The con badge displays a light for each health point remaining. Each time the Wall of Sheep sniffs out valid credentials on the con network, a signal is sent via RFID to the badge of the attendee practising bad opsec. The badge emits a beep and a light goes out on the badge’s “health bar” – they just lost a health point – and everyone can see it. You could even throw in a little traffic shaping goodness – no speedy feedz for you, “Mr 2 Health Points” (zero points = no more con network access).
You might be wondering how to determine which badge to send the signal to?
Imagine that to even get on the con network in the first place, you have to use your con badge as an authenticator. Yup, con badge as hard token if you will. If that sounds too fancy or requires too much from the badge, just give each attendee a unique userid and password for Interwebz access when they register at the door, then link the userid to the con badge. No access without authenticating. Sure, there’s some admin overhead here but just imagine the good you’ll be doing the industry ;-).
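To show how the pieces above would hang together, here is a small Python controller written for this post as an added example (it is not code from the post or from any con's badge system). It registers each attendee's user ID against a badge ID at the door, gates network access on that pairing, turns each Wall of Sheep sighting into a "beep and drop a light" signal for the right badge, and reports the traffic policy the attendee should get. Badge IDs, the sighting line format, and the shaping threshold (2 points or fewer) are assumptions for the example.

```python
"""Toy 'opsec health points' controller (added example, not the post's code).

Assumptions: badge IDs are opaque strings, the Wall of Sheep hands us one
line per sighting in the constructed form "<user_id> <protocol> <src_ip>",
and the RFID signal to the badge is represented as a plain dict.
"""
from dataclasses import dataclass, field

START_HEALTH = 5   # the post suggests everyone starts with 5 points
SHAPE_AT = 2       # assumed threshold: 2 points or fewer = no speedy feedz


@dataclass
class Attendee:
    user_id: str
    badge_id: str
    health: int = START_HEALTH
    sightings: list = field(default_factory=list)  # protocols seen in the clear


class HealthController:
    def __init__(self, start_health: int = START_HEALTH):
        self.start_health = start_health
        self.by_user: dict[str, Attendee] = {}
        self.by_badge: dict[str, Attendee] = {}

    def register(self, user_id: str, badge_id: str) -> Attendee:
        """Done at the door: link the network user ID to the con badge."""
        if user_id in self.by_user or badge_id in self.by_badge:
            raise ValueError("user or badge already registered")
        a = Attendee(user_id, badge_id, self.start_health)
        self.by_user[user_id] = a
        self.by_badge[badge_id] = a
        return a

    def authenticate(self, user_id: str, badge_id: str) -> bool:
        """Gate: no con network without a registered user/badge pair and health left."""
        a = self.by_user.get(user_id)
        return a is not None and a.badge_id == badge_id and a.health > 0

    def sighting(self, user_id: str, protocol: str):
        """The Wall of Sheep saw user_id's credentials in the clear.

        Returns the signal to send to that attendee's badge, or None when the
        sniffed user ID maps to nobody we registered (nothing to send).
        """
        a = self.by_user.get(user_id)
        if a is None:
            return None
        if a.health > 0:
            a.health -= 1          # one light goes out
        a.sightings.append(protocol)
        return {"badge_id": a.badge_id, "beep": True, "lights": a.health}

    def policy(self, user_id: str) -> str:
        """Traffic treatment for this attendee based on remaining health."""
        health = self.by_user[user_id].health
        if health == 0:
            return "blocked"       # zero points = no more con network access
        if health <= SHAPE_AT:
            return "shaped"        # traffic shaping goodness
        return "full"


def run_feed(ctrl: HealthController, lines: list[str]) -> list:
    """Parse constructed Wall of Sheep lines and apply each as a sighting."""
    signals = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue               # ignore malformed feed lines
        user_id, protocol, _src_ip = parts
        sig = ctrl.sighting(user_id, protocol)
        if sig is not None:
            signals.append(sig)
    return signals


# Constructed sample feed: three cleartext logins by alice, one by an unknown ID.
SAMPLE_FEED = [
    "alice pop3 203.0.113.10",
    "alice ftp 203.0.113.10",
    "alice http-basic 203.0.113.10",
    "nobody imap 203.0.113.44",
]

if __name__ == "__main__":
    ctrl = HealthController()
    ctrl.register("alice", "BADGE-0001")
    for sig in run_feed(ctrl, SAMPLE_FEED):
        print(sig)
    print("alice policy:", ctrl.policy("alice"))
```

Running the sample feed takes alice from five lights to two, which puts her on the shaped tier; a further two sightings would leave her blocked and unable to re-authenticate with her badge.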
But…but…but…someone might hack the system/shouldersurf my password/play layer 2 games/impersonate me etc etc and cause my health points to be deducted!?! Awesome – it’s a hacker con after all ;-).
P.S. If you’ve already done this or seen this somewhere, let us know in the comments.