Wednesday, April 09, 2008

The RSA Absurd

Today I was giving a speech at the RSA Conference in San Francisco. The RSA is a really big conference and also seems to me like a very well organized one – e.g. they have all those computers at the registration hall where you put your name and then it immediately says to which check-in counter you should proceed and then when you get there they already have a badge waiting for you. Pretty cool stuff.

So my speech turned out to be scheduled in a very small room, say with seats for 100-200 people only (I haven't counted exactly). But then it turned out that there were more people interested in seeing the speech, so, as usually happens at conferences, people started sitting on the floor and also standing at the back of the room. I would say there was about 30% overflow, but they could still fit in the room ok. And then came this guy from the conference and said that all people who don't have a seat should leave the room! It turned out that this is a fire regulation.

Interestingly, it was perfectly ok for the additional people to stay in the room, provided they arranged for additional chairs for themselves. In other words, it was fine for people to sit and block the main aisle, provided they sat on chairs, but they couldn't stay and sit in the same aisle without having a chair (maybe a "certificated" chair, too), as that would be against the fire regulations!

Yes, I know there are more examples of stupid pseudo-security rules (think airports), but, come on, this is one of the best-known security conferences...

That situation annoyed me so much (because, of course, it turned out to be impossible to arrange for the additional chairs, so all those people had to leave) that I decided to submit this story to my blog using the totally unsecured public WiFi in my hotel. It was really unwise for me to do that, as Google's Blogger uses HTTPS only for authentication (i.e. the login screen) but then switches back to the good old plain-text HTTP, making it possible for some evil guy sitting in the lobby to hijack my session. Am I missing something here, or did Google simply forget that it is 2008 and not the 90's anymore? Anyway, I'm just taking this risk bravely, hoping that the potential attacker, seeing my determination here, would refrain from compromising this blog.
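As an added illustration (not part of the original post) of what that HTTP fall-back means in practice: a browser sends every cookie that was set without the Secure attribute over plain HTTP as well, so a session cookie issued over HTTPS at login travels in the clear on every later page. The audit below checks constructed Set-Cookie headers for exactly that condition; the header values and the session-name heuristics are assumptions, not Blogger's real cookies.

```python
# Constructed sample: Set-Cookie headers a blog platform might return right after
# an HTTPS login. These are made-up values, not taken from any real service.
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=abc123; Path=/; Expires=Wed, 09 Apr 2008 23:59:59 GMT; HttpOnly",
    "LOGIN_OK=1; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Path=/",
]

# Assumed heuristic: substrings that suggest a cookie carries session or auth state.
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers):
    """Report every cookie that lacks Secure, i.e. one the browser will also
    send on plain HTTP requests to the same host."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # only ever sent over HTTPS; not exposed by the fall-back
        findings.append({
            "name": name,
            "httponly": "httponly" in attrs,
            "session_like": any(h in name.lower() for h in SESSION_HINTS),
        })
    return findings


def plaintext_session_cookies(headers):
    """Names of session-looking cookies that would leak once the site drops
    back to HTTP after login: the case the post describes."""
    return [f["name"] for f in audit_cookies(headers) if f["session_like"]]


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(finding)
    print("exposed session cookies:", plaintext_session_cookies(SAMPLE_SET_COOKIE_HEADERS))
```

HttpOnly does not help here: it stops scripts from reading the cookie, but the browser still transmits it with every plain-HTTP request, so only Secure (or serving the whole site over HTTPS) closes the gap.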

I know, I know, instead of complaining about Google, I should just move my blog to some other place. One day that's going to happen for sure :)


Hans Nordhaug said...

Or, in addition to complaining about Google, install the Secure-em-All GreaseMonkey script so you always use HTTPS (for your selected services).

Unknown said...

You forgot the first pillar of security: it is only the perception. The perception is that by everyone sitting, the world is a safer place.

How many bad security policies are allowed to perpetuate simply because "well it is policy!"

rwnin said...

the comedian mitch hedberg had a great little bit where he tells a cop that nothing which is flammable and has legs is ever blocking a fire exit ;)

silly sec stuff is bad, but when they turn around and do something worse (ie: the chairs) all you can do is sigh and/or smile...

i've wondered the same about googleblogs and ssl (and google docs for that matter). i wonder what (perceived?) benefit there is to directing an existing ssl session out to cleartext...?

Anonymous said...

ha ha ha :), it's a pretty funny story

Anonymous said...

I wonder why sites like Google and Hotmail don't just use HTTPS for everything? Would it lead to too much CPU usage or something?

Anonymous said...

Jason, when you're serving up billions of requests daily it becomes a CPU intensive problem. Facebook doesn't even SSL the entire login page; they just secure the 'POST' or XMLHttpRequest and send everything else in the clear.

Anonymous said...

Just do a VPN to your house (that secures the data on the wifi and wild network) and go out on the net at your home.
You could do it easily by tuning a little Linux firmware in a little box without noise.

Anonymous said...

Hi guys

::::: stupid pseudo-security rules

Yeah completely right, unfortunately in our world there is no way to keep all staff too safe, or there is no way to learn all staff for detect emergency times and most of them can't defeat with unplanned times.
That is not because they are not IT managers, because there is no security structure exists in our world!

All of us every day see human false in our streets and roads, this is our world we must change that!

A good idea: making a human Security protocol for early life!

I think that is good point!

Thank you Joanna for sharing it

Have fun, Nima

Vincent said...

[...] using the totally unsecured public WiFi in my hotel.

ssh -D