InfoSecurity and Revenue Protection

I registered for the InfoSecurity show (though I didn’t manage to attend).  They did send me a badge, though.

Back in the day, these badges just contained a conventional barcode. If you scanned the barcode, all you would see was a seemingly-meaningless ID. Clearly that ID was a lookup key in the organisers’ registration database. For a fee, they would rent barcode scanners to exhibitors. The deal is, of course, that you scan the badge of each person who visits the stand, with a view to following up the conversation, and trying to sell them something (etc.) later on. You could scan the badges with any barcode scanner (including a phone app) of course – but without access to the database, those scans would have no value. So the fee also covers a service to let you download the registration details (name, address, and so on) of those whose IDs you scanned. The fee is not inconsiderable.

Now, I see that this year’s badges contained a QR code as well as the old-fashioned barcode.  I was a bit surprised to see the following when I scanned my badge:

{"CJe";"BE8FYTR","DO";"Vojwfstjuz pg Pygpse","G";"Boesfx","KU";"Qspg pg Tztufnt Tfdvsjuz","T";"Nbsujo"}

At first, that looks like gibberish.  Some advanced encryption, maybe?  Well, no: you don’t need to be a Bletchley Park veteran to spot that in fact the encryption scheme is about 2000 years old (according to legend, at least).  A bright ten-year-old could sort that one out.  (Lookup: Caesar’s Cipher, or ROT-25).
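As an added worked example (not code from the post or from the show organisers), here is a small decoder for that payload. It undoes a Caesar shift of k positions, scores all 26 candidate shifts against English letter frequencies with a chi-squared statistic, and parses the result as JSON. Two assumptions are built in and marked in the comments: that digits in the ID field were shifted in the same way as the letters (the post only shows that letters were), and that the key/value separator came out as ";" because ":" was shifted by one ASCII code point as well.

```python
import json
import string

# The QR payload quoted in the post, transcribed with straight quotes
# (the blog software rendered them as curly quotes). Constructed test input.
BADGE_PAYLOAD = ('{"CJe";"BE8FYTR","DO";"Vojwfstjuz pg Pygpse","G";"Boesfx",'
                 '"KU";"Qspg pg Tztufnt Tfdvsjuz","T";"Nbsujo"}')

# Relative letter frequencies of English text (percent), used to score
# candidate shifts. Names and job titles are not ordinary prose, but the
# distribution is still close enough to pick out the right shift.
ENGLISH_FREQ = {
    'a': 8.17, 'b': 1.49, 'c': 2.78, 'd': 4.25, 'e': 12.70, 'f': 2.23,
    'g': 2.02, 'h': 6.09, 'i': 6.97, 'j': 0.15, 'k': 0.77, 'l': 4.03,
    'm': 2.41, 'n': 6.75, 'o': 7.51, 'p': 1.93, 'q': 0.10, 'r': 5.99,
    's': 6.33, 't': 9.06, 'u': 2.76, 'v': 0.98, 'w': 2.36, 'x': 0.15,
    'y': 1.97, 'z': 0.07,
}


def shift_back(text, k):
    """Undo a Caesar shift of k places.

    Letters wrap within their own case; digits wrap within 0-9 (assumption:
    the post does not say whether the ID's digits were shifted too).
    Everything else is left untouched.
    """
    out = []
    for c in text:
        if c in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(ord(c) - ord('a') - k) % 26])
        elif c in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(ord(c) - ord('A') - k) % 26])
        elif c in string.digits:
            out.append(string.digits[(int(c) - k) % 10])
        else:
            out.append(c)
    return ''.join(out)


def chi_squared(text):
    """Chi-squared distance between the letter counts of `text` and English.

    Lower means more English-like; rare letters (j, q, x, z) appearing
    often are penalised heavily, which is what exposes a wrong shift.
    """
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def guess_shift(ciphertext):
    """Return the shift k whose undoing yields the most English-looking text."""
    return min(range(26), key=lambda k: chi_squared(shift_back(ciphertext, k)))


def decode_badge(payload, k=None):
    """Recover the badge record as a dict, guessing the shift if not given."""
    if k is None:
        k = guess_shift(payload)
    plain = shift_back(payload, k)
    # The separator came out as ';', one ASCII code point above ':', so it
    # was evidently shifted along with the text (assumption); restore it
    # before handing the string to the JSON parser.
    return json.loads(plain.replace(';', ':'))


if __name__ == '__main__':
    best = guess_shift(BADGE_PAYLOAD)
    print(f"most English-like shift: {best}")
    print(json.dumps(decode_badge(BADGE_PAYLOAD), indent=2))
```

The frequency scoring is only there to make the point in the post concrete: even without eyeballing the text, the shift falls out of a 26-way search over a few dozen letters, which is why a scheme like this protects neither the organisers’ revenue nor the attendees’ personal data.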

I assume they’re still trying to push the considerable rental fee for the barcode scanners, but, really, there’s a lot of information on offer without paying.  Maybe the fact that the email address isn’t there would be reason enough to continue to hand over the cash.

The choice of Caesar’s Cipher is perhaps rather an embarrassment for a trade show dedicated to the latest and greatest in Information Security, though: one might justifiably say that it looks amateurish. Either you’re attempting serious revenue (and privacy) protection, in which case modern strong encryption should be used, or you don’t mind that the data is disclosed, in which case, why not use plain text?


Footnote: this issue was reported two years ago (which shows how long it is since I last went to InfoSecurity!) by Scott Helme. So clearly the show organisers aren’t too bothered.