
Tanacon, Security, and Lack of a Threat Model

Tanacon 1.0 was an unmitigated disaster. Not only is this a reminder that physical security is critical but it's an example of a failure to analyze risk properly (or at all).



Reasonably Accurate Transcript

Good morning, everybody. Welcome to episode 73 of Mornings with Mark. I have a different one for you today. Over the weekend here, we're in the middle of June, there was an event held in California called Tanacon.

Now, this was a social media event. It was sort of a B-Sides version of VidCon. Now, VidCon is this massive event for creators, mainly for YouTubers, to interact with their fans

and have an experience. This Tanacon was set up by an individual creator as a counter to that; she had some challenges with the original event,

so she started her own. So this is the first time this conference was ever run. The reason I want to talk about it today is because, from all reports, it was a disaster. I was not there.

I did not attend. But from a security and privacy perspective, I find it a very, very interesting case because it reminds all cybersecurity practitioners that there is a physical aspect to things.

You can't just set it up easily online and not worry about anything, and that's always a good take-home message for cybersecurity in any and all venues. But I think what's really fascinating about this conference is that it's a classic example of not fully exploring the scope of the risk model associated with something.

So let's keep it easy, keep it simple here. This conference was planned in a venue that held about 1000 people. They sold, or had made available, about 5000 tickets, and had anywhere from 15,000 to 20,000 people show up.

Now, the demographic of this conference was primarily younger folks who are very active on social media. So word spreads fast. Things sway one way or the other very, very quickly given the audience and the level of connectivity.

So you get very interesting mass psychology effects going on. So we already had a problem: the venue was too small for the number of tickets released, and then up to four times as many people showed up to the actual venue.

So there are significant challenges here. Now, the first scoping problem is that while you expect some people not to show up, if you sell tickets, you have to have the capacity. So right off the bat, there's a sizing problem, and that's a major risk.

So the venue is not appropriate for the number of people that you've committed to being able to serve. That's the number one risk. Number two is that this is a social event.

It was very heavily promoted on digital media. They made the mistake of saying tickets were available at the door. They had way more people show up, and they kept those people in line.

And that's a really interesting thing to do. Now, this all comes back to, you know, I don't think there was any malicious intent. This is purely just inexperience, but a ton of people are really frustrated, and there are some really significant issues that tie back to cybersecurity that I want to talk about, because the parallels are very appropriate.

People have an idea in mind and say, hey, I'm going to build system X, or I'm going to create my own conference or my own event, bigger than a meetup, and then they start to scale out part of the problem, but only the part of the problem that they see, that they think about.

So this conference was started because of a lack of parity between the creators, the sort of speakers at the conference, and the people. So they wanted a lot of interaction in the first place.

Well, already that's a challenge. If that's your goal, your security settings and controls aren't lining up with that. And we see this all the time in organizations when I go talk to them, where, let's say, OK, I'm going to create an application that is going to allow people to buy tickets online.

Let's use a relevant example for this conference. I'm going to create an application that sells tickets online. And because I want to build up demand, I'm going to make sure that you can only buy them starting at, like, 10 a.m.

That's when everything's going to open up, and you think about that and you go, OK, great, I'm going to be able to sell X number of tickets very, very quickly because of pent-up demand. But that creates other unintended consequences, second-order effects down the road. Now you're forcing a massive spike in traffic on the system, and that has issues: your system is going to scale from nothing to massive and have additional unintended behaviors. That's very similar to this conference, right? They scaled it up way too fast. They had already scaled it out of its own capacity before they even started, by selling 5000 tickets for a 1000-person venue.

And like I said, that's common. It's hard to properly scope something because you get so caught up in the coolness factor or in the idea. So I see this quite often when we're building stuff in the cloud. People go, OK, I'm going to forklift my existing system over, and I'm going to scale it out, I'm going to add more servers, but without changing anything in the back end, without understanding that because you need more servers, that needs more database capacity, it means more content delivery network capacity, that means more concurrent authentication. There's a bunch of second-order effects. It's really, really difficult to nail everything out of the gate, but you need to go through some sort of exercise.

And when it comes to risk, like Tanacon this weekend, we call that threat risk assessment. There are a number of models out there that help you work through asking these relevant questions. OK, so if I have a venue for 1000 people, what happens if I sell more than 1000 tickets? Well, we're expecting maybe a 10% no-show rate, right? But that means, you know, 1100 tickets, not 5000 tickets.

So working through risk assessments is really critical for real-world events, but also in the cybersecurity world, because it helps combat that issue of lack of modeling, lack of scope, a lack of understanding of the real scope, and I know that's kind of vague. But I think it's a really important thing to keep in the back of your head. There's no easy solution. It's just a core principle of doing cybersecurity, and of throwing an event, frankly, too. But on the security and privacy side, it's really important to make sure that you are properly modeling any potential risks and exploring and pushing yourself, because you don't know what those risks are. So that's why you bring a team in. You do some whiteboarding, or you ask some questions; you ask people who have already built similar systems or run similar events. Because you can easily run into a scenario like what happened at Tanacon this weekend, where intentions were good, implementation was atrocious, and the pushback and blowback have been significant.
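As an added illustration (not from the original episode), here is a small Python capacity check that turns the questions above into code using the episode's numbers (1000-person venue, 5000 tickets, door sales promised, 10% no-shows). The no-show rate, the walk-up multipliers and the function names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class EventPlan:
    """Inputs a capacity risk assessment needs. Defaults are assumptions."""
    venue_capacity: int         # people the venue can actually hold
    tickets_released: int       # tickets sold or given away in advance
    door_sales: bool            # were tickets advertised as available at the door?
    no_show_rate: float = 0.10  # assumed fraction of ticket holders who stay home


def max_safe_tickets(venue_capacity: int, no_show_rate: float) -> int:
    """Largest release whose expected turnout still fits the venue."""
    return int(venue_capacity / (1.0 - no_show_rate))


def expected_turnout(plan: EventPlan) -> int:
    """Ticket holders expected to actually arrive."""
    return round(plan.tickets_released * (1.0 - plan.no_show_rate))


def assess(plan: EventPlan, walkup_multipliers=(2.0, 4.0)) -> list[str]:
    """Return one finding per capacity risk; an empty list means the plan fits.

    walkup_multipliers are assumed crowd sizes (multiples of tickets released)
    once the door is advertised as open: the second-order effect of unbounded demand.
    """
    findings = []
    turnout = expected_turnout(plan)
    if turnout > plan.venue_capacity:
        findings.append(
            f"oversold: expect {turnout} ticket holders for a {plan.venue_capacity}-person "
            f"venue; max safe release is {max_safe_tickets(plan.venue_capacity, plan.no_show_rate)}"
        )
    if plan.door_sales:
        for mult in walkup_multipliers:
            crowd = round(plan.tickets_released * mult)
            if crowd > plan.venue_capacity:
                findings.append(
                    f"door sales: a {mult:g}x walk-up crowd is {crowd} people, "
                    f"{crowd - plan.venue_capacity} over capacity, with no cap on arrivals"
                )
    return findings


if __name__ == "__main__":
    # Constructed from the episode: 1000-person venue, 5000 tickets, door sales promised.
    for line in assess(EventPlan(1000, 5000, door_sales=True)):
        print(line)
```

A plan of 1100 tickets with no door sales produces no findings, matching the "1100, not 5000" figure in the episode.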

The cybersecurity equivalent is: intentions are good, you get hacked and end up on the front page. Again, scoping. That's why we use risk assessment tools. But in addition to that takeaway, remember that physical security is always a piece of cybersecurity. That is the number one thing I see people missing time and time again: they only worry about cybersecurity, not the physical security. And this is a perfect example of a lack of proper scoping and a lack of risk assessment.

So a bit of a different take for Mornings with Mark 73 here. What do you think? Let me know online at marknca, in the comments down below, or, as always, by email at me@markn.ca. I'm interested to hear your experiences in the physical security world and in scoping, because I think scoping is a massive problem in general in IT, sometimes for events, and a number of things. So let's keep this discussion going. I hope you're set up for a fantastic day. I will talk to you online and see you on the show tomorrow.
