How time flies, GDPR+2!

2020-02-07, by Arron Finnon, CTO, Vindler GmbH

This should be filed under the section “blog posts I wish I wrote earlier”. I’ve been meaning to write about my experience with the GDPR+1 conference back in May 2019, and now here I am writing about my experiences less than two months before we do it all again. Actually it’s pretty good timing, because our good friends at BSidesLeeds, a cyber security conference, were kind enough to run our “save the date” in the program. And to be honest, the program they developed had amazing security-related talks, talk after talk. It really got me in the mood to start thinking about my talk at this year’s GDPR+2 conference.

Last year’s GDPR+1 conference was an interesting event, for a few different reasons. Firstly, it had been 1 calendar year since the European regulation came into force. Now, a lot of the time when GDPR is discussed, it’s discussed in a negative light. However, this conference has a little bit of a twist: it really tries to show how good business practices and regulations can coexist. That is one of the reasons why I was happy to support this conference again, in any way we at Vindler GmbH could. The event offered translators so all the talks could be understood in French, English, and German. And the venue itself was great. It looked amazing, and enabled a real up-front and unique experience. Of course great venues like this are a gift and a curse: a gift for the participants, because they can really benefit from one-to-one exchange of ideas and solutions, but a curse when it comes to available places. It’s a shame, but as I say, the limitation means that great dialogue can be had by all who were lucky enough to get a ticket.

My awesome colleague Nina Fasel gave a fantastic set of workshops, and the feedback we got at Vindler about them was great. We were very proud of her. The workshops, and the format that was used, were very interesting. I’m sure everyone who was there would agree that running the workshops in this bite-sized approach really promoted focused exchanges of ideas.

My talk last year was a lot of fun for me personally, but the audience played their part and I think it was pretty educational. I didn’t really have a brief before I started thinking about this talk. What I wanted to look at is that even if you’re complying with regulations, that doesn’t make you secure. Only a secure mindset can do that, yet many seem to think data protection and cyber security are the same thing. While they have the same look and feel in some areas, they are widely different in many others. In essence my brief to myself was simple: “how do I hack a room full of data protection professionals?”

Unfortunately the answer is a lot “easier” than it should have been. I showed the audience how a hacker like myself might bring their own wireless hotspot, purposely crafted to look like it was the conference’s own WiFi. Our good friends at Dury’s helped us craft terms and conditions for a captive portal, which people gladly accepted. The EULA gave us permission to check the data for known security vulnerabilities. As the audience watched me discuss the dangers of connecting to random hotspots, they started to realize that I had been describing the WiFi hotspot many of them had connected their phones to all day at the conference. Nothing was stored; the point was to explain what could have been done. Security, in reality, is a series of teachable moments, and I do hope those in attendance did consider my advice on how to be more secure on public WiFi networks. And I need not remind anyone how much data is stored on a phone.

So this year I’ve already started working on my talk, and while I may not hack the audience again, I’m sure we’ll all have much fun again.