February 2012 Archives

#RSAC 2012: A Roaring Success

It's already mid-week at RSA 2012, and wow, it's really huge this year! For those who've never attended RSA, you need to understand that it's the biggest security conference (at least in the US), typically with attendance in the 12,000+ range. A couple years ago things were looking very bleak. The economy was down, the expo floor was dismal, attendance was sparse, limited mostly to vendors crying in the aisles. Last year was better, but this year... well, this year can only be described as a blow-out return to better times. It's simply mind-boggling how many people are here this year.

But it's not just that... despite Art's overblown rah-rah speech in the opening keynote yesterday, I really do think that people are feeling a bit optimistic these days. Sitting in the 2nd annual "risk management smackdown" panel, it actually sounds like many people are starting to grok risk management. Sitting in the security burnout panel on Monday, I think people truly appreciated that we are a high-risk career field that needs support structures. Speaking with various (true) geniuses at the speakers' dinner last night, I learned of new advances in cryptography that are already advancing well to replace our aging frameworks, and I even met the phenom Ang Cui from Columbia University, who has not only demonstrated a way to hack an HP printer by simply printing his resume (in postscript), but has done considerable research around automated embedded system exploitation AND DEFENSE!!

I've not had much opportunity to walk around the expo floor, where I'm sure I'll find a variety of nauseating marketing themes, but I regardless can't help feeling like we're turning a corner here in 2012. It's very exciting to be able to watch and participate in a transformative time in history. Let's hope this trend continues.

"Where's Ben" at RSA US 2012

It's that time of year again! Time to make the annual pilgrimage to San Francisco, CA, for the RSA US conference (or, as I like to term it, "old home week"). RSA is the preeminent security event each year. It's far larger than any of the others, and where you're most likely to run into... well, just about anyone in the industry!

On the (very) off chance that you're interested, here's where you can find me throughout my west coast visit:


  • Fri (2/24): Arriving into San Francisco mid-afternoon. The evening is free, in case you're local or in early and want to hang out. Nothing crazy or too late...

  • Sat/Sun (2/25-26): I'll be at the annual pre-RSA ABA InfoSec Committee meeting, including speaking Sunday morning on "risk management." I'll also likely be checking into the conference Sunday afternoon (at Moscone) and from there... who knows?

  • Mon (2/27): Cloud Security Alliance Summit in the AM, Innovation Sandbox and Exhibition Hall reception in the PM, followed by the "2012 Security Sociability Happy Hour."

  • Tues (2/28): I'll be around the conference, in a couple mtgs, etc., during the day. If you're involved with appsec initiatives at all, then check out the WhiteHat Security cocktail party in the evening. I'll also be attending the speakers' dinner, among other things.

  • Wed (2/29): Leap year! :) I'll be around the conference, in a couple mtgs, etc., during the day. Wednesday night is, of course, reception/party central. For appsec folks, check out the annual WASC lunch party. Follow @rsaparties on twitter, or check out their calendar for more info.

  • Thurs (3/1): The longest day! ;) Normally I would start my day at the annual Disaster Recovery Breakfast. Unfortunately, this year that will have to wait until after my 8am panel. Catch me for the "LAW-301 - Hot Topics in Information Security Law 2012" panel first thing Thursday morning. After that, I'll likely head to Jillian's, then back to Moscone for a mtg or two, followed by my second session of the day, co-presenting with David Willson in "STAR-304 - Legal & Ethical Considerations of Offensive Cyber-Operations?". After that I'll be off to a special 4-hour P2P session on risk management, then off to the nearby Ralph Gracie Academy for the annual security smackdown BJJ roll! :)

  • Fri (3/2): Chill, recover, wrap-up, misc mtgs as appropriate.

Want to meet-up at some point? Please leave a comment here, email me, or hit me on twitter. Or, hang out at the W and you'll likely run into me eventually. ;)

Reframing the Problem Space

Dan Geer (CISO at In-Q-Tel) last week posted two articles and the text of a recent speech he'd given. The two articles account for chunks of the speech, but in a nice, easily-consumed format. His comments urge (or predict) nothing short of a major sea change that, at first blush, seems to feed into the 2012 mythos, but in reality may represent a watershed realization in the industry (as such, expect it to be another 20 years before the world collectively realizes the wrong turn(s) made ;).

Before talking about this further, let me point you to his pieces:
* "Power. Law."
* "More or Less"
* "People in the Loop: Are They a Failsafe or a Liability?"

TekSystems: Egregious Headhunting

A short post, to relate a story... just as I was about to hop onto a con-call this morning, my phone rang with a call from my Mom... given that it was first thing in the morning and that I still have a couple elderly grandparents, I answered fearing the worst... boy was I ever unprepared for the news!

Mom played for me a voice message left on her home answering machine. It was a recruiter from TekSystems, in a strong accent that I could barely understand, calling for me regarding an opening he was trying to fill. Yes, you read that correctly... a headhunter from TekSystems literally dug into the way-back machine and tried to reach me at my parents' home!

In case we've never met, let me baseline it for you: I'm well into my 30s, haven't lived at home since I was 19 (first summer home from college), and haven't used their address as my "permanent" address since I was 22. Suffice to say, there is ABSOLUTELY POSITIVELY NO REASON that they should be calling for me there.

So, here's my reaction:
a) Tweeted my discontent.
b) Blogged my discontent.
c) Set up a Gmail filter that will delete all mail from @teksystems.com, skipping my inbox completely.

What a galling way to start the day...

The Password Analysis Red Herring

Alrighty, this will be a fairly light post (in terms of my own applied analysis)... and, apologies as it's a wee bit behind the curve on various news pieces in the past couple months (I'd intended to write this in early January - oops! ;). Please note that this post applies only to user passwords, and it does not apply to system and database passwords maintained within various environments.

Main Thesis: All this password analysis on compromised user password databases is fairly absurd. The breaches themselves are not generally the result of user passwords being compromised. As such, the time spent analyzing these passwords is largely wasted, because it does not appreciably represent much risk to businesses; especially not to those that were compromised.

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10