<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>The Falcon&apos;s View</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/" />
   <link rel="self" type="application/atom+xml" href="http://www.secureconsulting.net/atom.xml" />
   <id>tag:www.secureconsulting.net,2010://12</id>
   <updated>2010-03-09T13:29:02Z</updated>
   <subtitle>Mental meanderings of an infosec obsessive...</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.32</generator>

<entry>
   <title>Security BSides Austin 2010 - Join Us Saturday!</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/03/security_bsides_austin_2010_jo.html" />
   <id>tag:www.secureconsulting.net,2010://12.2236</id>
   
   <published>2010-03-08T22:10:12Z</published>
   <updated>2010-03-09T13:29:02Z</updated>
   
   <summary> Hey everybody! BSides Austin is almost here - are you ready for it?!? Here are a few housekeeping notes: * Everybody is welcome - the event is free! * If you&apos;re attending and have a talk you&apos;d like to...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="633" label="Austin" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="526" label="BSides" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<center><img alt="bsides.jpg" src="http://www.secureconsulting.net/2010/03/08/bsides.jpg" width="200" height="127" /></center>

<p>Hey everybody! <a target="_blank" href="http://www.securitybsides.com/BSidesAustin">BSides Austin</a> is almost here - are you ready for it?!? Here are a few housekeeping notes:</p>

<p>  * Everybody is welcome - the event is free!</p>

<p>  * If you're attending and have a talk you'd like to give, post it <a target="_blank" href="http://www.securitybsides.com/BSidesAustinTalks">here</a>!</p>

<p>  * <em>Please</em> <a target="_blank" href="http://bsidesaustin2010.eventbrite.com/">register for the event</a> so that we'll have a better headcount.</p>

<p>  * <em><strong>PLEASE</strong></em> <a target="_blank" href="http://bsidesaustinduck.eventbrite.com/">pre-register for the special "Hackers on a Duck" evening event</a>. There is a hard limit of 40 people, and we MUST provide them with a count first thing Friday (3/12) morning.</p>

<p>That's all from here. Hope to see y'all there! :)</p>]]>
      
   </content>
</entry>
<entry>
   <title>RSA 2010 - Day 2 Round-up</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/03/rsa_2010_day_2_roundup.html" />
   <id>tag:www.secureconsulting.net,2010://12.2235</id>
   
   <published>2010-03-04T19:26:55Z</published>
   <updated>2010-03-04T19:27:37Z</updated>
   
   <summary>This year&apos;s conference has been much lighter than last year. The dark cloud of last year has lifted from the expo floor. Delegates, vendors, and speakers all seem to be converging on a much healthier, less-hyped message. Despite all the...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="354" label="RSA" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>This year's conference has been much lighter than last year. The dark cloud of last year has lifted from the expo floor. Delegates, vendors, and speakers all seem to be converging on a much healthier, less-hyped message. Despite all the to-do over cloud and APT (which some of us hope to rebrand to Adaptable Persistent Threat), there also seems to be a healthy notice that holistic is a good thing. :)</p>

<p>There's really not a whole lot to say about things. I've seen a TON of business being done, which is a drastically marked change from 2009. Business deals galore mean good things in this space. Add in the apparent push toward increased government transparency, such as through this week's declassification of the <a target="_blank" href="http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative">Comprehensive National Cybersecurity Initiative (CNCI)</a> and the picture looks increasingly positive.</p>

<p>I'll write more in a round-up post after the conference is done, but suffice to say, I now feel quite bullish on the industry, even if innovation is still trailing.<br />
</p>]]>
      
   </content>
</entry>
<entry>
   <title>RSA 2010 - Day 1 Round-up</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/03/rsa_2010_day_1_roundup.html" />
   <id>tag:www.secureconsulting.net,2010://12.2234</id>
   
   <published>2010-03-03T17:15:37Z</published>
   <updated>2010-03-03T17:22:06Z</updated>
   
   <summary>It&apos;s already Wednesday morning, which means the first full day of RSA 2010 is in the can and quickly receding into the past. Overall, things are fairly standard quo again this year. Sessions galore, vendor keynotes, and a busy expo...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="354" label="RSA" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="631" label="summary" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>It's already Wednesday morning, which means the first full day of RSA 2010 is in the can and quickly receding into the past. Overall, things are fairly standard quo again this year. Sessions galore, vendor keynotes, and a busy expo floor. This last point is perhaps the biggest difference from 2009 in that the expo floor is, in fact, quite busy. My impression is that a lot of realistic networking and lead generation is happening this year.</p>

<p>Before I hit themes, one tidbit of interest. I spoke with a couple guys from Boston who specialized in financial fraud. One of the fellows had calculated the cost of doing a wholesale revamp of the card infrastructure to be about US$12B. That is far more than the card brands are eating in fraud costs today. Moreover, today the merchants bear most of the fraud burden, whereas the cost of a complete infrastructure overhaul would be primarily borne by the card brands (although these costs would obviously be passed along to the banks, merchants, acquirers, processors, customers, etc.).<br />
</p>]]>
      <![CDATA[<p>There seem to be a couple subtle themes this year. Cloud computing is of course very prevalent, but it's far less "in your face" than last year. A lot more vendors seem to be realizing that "cloud" is a tool, not a destination or silver bullet. This observation seems to suggest that a reasonable degree of sanity may be returning to PR and marketing, if only for a short time.</p>

<p>Another subtle theme is the adoption of the survivability mindset. Increasingly, vendors and businesses seem to really grok that there is no such thing as 100% (or absolute) prevention. This realization leads immediately to the next step, which is saying "what are we doing to help improve our ability to recover from an event?" I had an excellent conversation with Tripwire, in particular, where we talked extensively about how we can tackle this challenge and how the sales pitch, as well as product development process, is evolving to better meet this reality. It seems that all the hype over Advanced Persistent Threat (APT) has helped move the needle on this issue, too.</p>

<p>The other big part of Day 1 was the parallel start of Security BSides San Francisco. I was able to spend the morning out at the BSides venue, pariSoMa, in order to sit through some very interesting sessions from industry luminaries like Andrew Hay, Marisa Fagan, JJ Jabbusch, and Michael Santarcangelo. Unlike the formality of RSA panels and presentations, BSides seeks to provide an informal venue for interactive collaboration between presenters and participants.</p>

<p>Day 2 is now underway as I post this update. I will be sitting in on a few Law sessions, hope to see the big federal talking heads keynote panel in the afternoon, as well as catching up with a few key vendors on the expo floor.<br />
</p>]]>
   </content>
</entry>
<entry>
   <title>RSA 2010 - Innovation Sandbox: Not Really Innovative</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/03/rsa_2010_innovation_sandbox_no.html" />
   <id>tag:www.secureconsulting.net,2010://12.2233</id>
   
   <published>2010-03-02T17:44:56Z</published>
   <updated>2010-03-02T17:45:41Z</updated>
   
   <summary>Where has all the innovation gone? I was very much looking forward to talking to the startup vendors selected as finalists for this year&apos;s Innovation Sandbox at RSA. After last year, I suppose I should have set my expectations a...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="628" label="Innovation" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="630" label="Not" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="354" label="RSA" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>Where has all the innovation gone? I was very much looking forward to talking to the startup vendors selected as finalists for this year's <a target="_blank" href="https://365.rsaconference.com/community/connect/innovation-sandbox">Innovation Sandbox</a> at RSA. After last year, I suppose I should have set my expectations a little lower, although realistically it would have been impossible to set them low enough to avoid some level of disappointment. Because, quite honestly, I was quite disappointed.</p>

<p>Of the 9 finalists, 6 had "cloud" point solutions, largely targeted to the hypervisor, with one that did some funky inline crypto stuff that made me wonder. 2 finalists had "new" authentication approaches, which were sort of interesting, but they didn't solve the larger problems with authentication. The 9th finalist was also potentially interesting in that they provided a nice visualization dashboard for risk management, but the biggest downside was that all data had to be independently entered. There was no integration with any GRC products, and so while it looked pretty, it wasn't overly sensible. So, yes, I was a wee bit disappointed.<br />
</p>]]>
      <![CDATA[<p><strong>A Theory...</strong><br />
So, I have a theory about why things seem so stale. Quite simply: there are no technology solutions that can solve people/org theory problems. We have an evolutionary gap in terms of how we, as humans, detect and respond to so-called threats that don't actually threaten us physically. We as a race have well-adapted capabilities (fight or flight) for detecting and responding to physical threats, but there's really no analog corollary for digital threats.</p>

<p>Sure, there are other areas where there is room for improvement. Compliance management (the balancing act that is only going to get more difficult as regulations increase exponentially), documentation+records management (think legal compliance, eDiscovery, and so on), and then of course all the normal operational security challenges we deal with on a daily basis (IAM, change mgmt., config mgmt., yada yada yada).</p>

<p>Now, where there is definitely a need for innovation is a leap forward. Unfortunately, I don't think we'll see that until humans catch up. Until then, it'll just be another day at the office...<br />
</p>]]>
   </content>
</entry>
<entry>
   <title>Annual ABA ISC+EDDE Meeting After-Report</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/03/annual_aba_iscedde_meeting_aft.html" />
   <id>tag:www.secureconsulting.net,2010://12.2231</id>
   
   <published>2010-03-01T21:54:46Z</published>
   <updated>2010-03-01T21:55:41Z</updated>
   
   <summary>The Saturday and Sunday preceding RSA has historically been set aside for the annual meetings of the American Bar Association (ABA) Information Security Committee (ISC), and now its sister eDiscovery and Digital Evidence Committee (EDDE). This year we had very...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="623" label="ABA" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="627" label="EDDE" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="625" label="ISC" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="354" label="RSA" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>The Saturday and Sunday preceding RSA has historically been set aside for the annual meetings of the American Bar Association (ABA) Information Security Committee (ISC), and now its sister eDiscovery and Digital Evidence Committee (EDDE). This year we had very good discussions, particularly on the ISC side of the house (admittedly I spent more time there than with EDDE). There seemed to be some very interesting themes that were either new or escalated from previous years.</p>

<p>By the way of a little background... the ABA allows non-lawyer Associate members to join and participate in certain committees. The ISC is a perfect example where non-lawyer SMEs work directly with tech-savvy or tech-industry attorneys in partnership to help benefit the entire industry. EDDE is aligned along the same principles, but with a narrower focus.<br />
</p>]]>
      <![CDATA[<p><strong>Breach Notification</strong><br />
As per usual, there is a growing need and demand for, and burden from, breach notification laws. We need better data in order to help structure improved practices, push forward better risk management (and legal compliance) frameworks, and so on.</p>

<p><strong>Protecting ePHI</strong><br />
HIPAA and HITECH are the big sticks motivating the healthcare industry these days. The bad news is that the industry is in no way ready to deal with these problems. Fortunately, legal departments are providing a lot of leadership in helping these organizations institute change. Unfortunately, legal professionals in general are still far behind the curve on understanding the technical requirements in a meaningful way. Toward that end, the ABA is working to produce a ton of guidance (albeit in their regretfully long publishing pipeline) on the topic, and the ISC is directly engaged in producing these works, as well as working to proactively educate lawyers and the judiciary.</p>

<p><strong>Imperative for Change</strong><br />
An ongoing theme from the ISC committee is a desire to assist with, if not shape, the legislative process. There are increasingly dire needs in areas like breach notification and reporting, supply chain integrity, and so on, where the business world as a whole could benefit from a few sane, well-thought, well-written laws (rather than what we normally get;). To that end, many members have a keen interest in finding ways to help instigate change in a variety of arenas using various methods. This continues to be a strong theme.</p>

<p><strong>Ongoing eDiscovery Challenges</strong><br />
The best quote from the entire weekend was from K. Krasnow Waterman based on her academic research/analysis on eDiscovery tools. She said that they are still finding that a good analyst with a poor tool still performs far better than a poor analyst with a very good tool. This observation of course applies well beyond just eDiscovery (SIEM, for example). Nonetheless, there remain challenges in this vertical despite the emergence and evolution of reasonable tools. One of the key areas mentioned was a lack of good sample data that can be used to develop and test tools against. It will be interesting to see how this area progresses in the future. The good news is that there are now tools that can handle billions of records, meaning real progress is being made.</p>

<p><strong>Legal Defensibility in InfoSec</strong></p>

<p>Thanks in large part to my friend Dave Navetta (co-chair of ISC), the phrase "legal defensibility" is starting to make its rounds. And, even more encouraging is that lawyers actually grok the concept and are using (perhaps already) the term "defensibility" in their regular language. The next step will be expanding on the interest and use to get lawyers to start driving the term into their businesses and IT departments. Forget about compliance, it's time to think as an attorney: when you get sued, how will you protect yourself?</p>

<p>---<br />
Overall, I thought this was an excellent round of meetings. ISC is working on several projects that have the potential for producing meaningful results. Now we just have to follow-through and get stuff done.<br />
</p>]]>
   </content>
</entry>
<entry>
   <title>The Need for Consumer-Oriented Intervention</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/the_need_for_consumeroriented.html" />
   <id>tag:www.secureconsulting.net,2010://12.2229</id>
   
   <published>2010-02-25T17:42:58Z</published>
   <updated>2010-02-25T17:46:55Z</updated>
   
   <summary>I had an interesting conversation on the plane last week with a retired choir director/professor who had recently experienced fraudulent charges on his bank account. As I had disclosed my profession, he wanted to know how this could have happened...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="619" label="consequences" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="618" label="consumers" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="621" label="culture" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="519" label="evolution" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="620" label="responsibilities" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>I had an interesting conversation on the plane last week with a retired choir director/professor who had recently experienced fraudulent charges on his bank account. As I had disclosed my profession, he wanted to know how this could have happened and I struggled to answer the question in a way that he - a non-techie - could easily understand.</p>

<p>The conversation made me wonder once again: what should/can we reasonably expect the average person to understand? Do we really need to reduce to the lowest common denominator, or do we at some point draw a line, with the caveat that a certain percent of the population will never "get it"? If so, what percent is reasonable and appropriate?<br />
</p>]]>
      <![CDATA[<p>Or, instead, is it a matter similar to our cars? Do we set a minimum set of "safety" requirements with punishments and then relegate anything too technical to a "mechanic"? We need to know how to operate our vehicles, and in an allegedly safe manner, but beyond that what is our duty?</p>

<p>I've read a few articles lately that seem to tie into this topic, though from a variety of angles. One such article, titled <a target="_blank" href="http://www.computer.org/portal/web/csdl/doi/10.1109/MC.2010.35">"Compliance with Information Security Policies: An Empirical Investigation"</a> in the February 2010 issue of IEEE's <em>Computer</em> magazine, talks about how rewarding people for policy compliance is ineffective, and how punishments actually have the best results. They key in on peer pressure, in particular, but the overall message is clear: rules without consequences are ineffective.</p>

<p>It seems that we need something comparable in infosec, and not just in the corporate world. Certainly, enterprise security policies need teeth that are actually used to bite, but this time around I'm talking about the real world. Sure, the notion of licensing end-users isn't new - it's in fact been bandied about for decades. But the real question is this: at what point do we start getting serious about setting reasonable expectations?</p>

<p>There are a few quick thoughts:<br />
 * Assumption: The average end-user cannot be held accountable for underlying product defects.<br />
 * Assumption: The average end-user <strong>can</strong> be held accountable for bad decisions.<br />
 * Problem: Definitively tying end-users to their bad decisions.</p>

<p>It seems increasingly necessary for legislation on this matter. We're already seeing more calls for increased regulation of enterprises and <a target="_blank" href="http://sunbeltblog.blogspot.com/2010/02/microsoft-in-federal-court-shuts-down.html">government intervention on botnets/spambots</a>. It's time to also start looking at sane laws that require end-users to behave responsibly and intelligently (well, as reasonably intelligent as possible). If you are found to be negligent in using or maintaining your computer, you should be held responsible.</p>

<p>So, how do we define negligence for average end-users? Again, a few quick thoughts...<br />
 * Patching: Every major OS has automated patching capabilities.<br />
 * AV and Anti-spyware: AV and anti-spyware packages are widely available, many free for personal use.<br />
 * Reasonable clicking: This is an awareness issue. Part of this problem is poorly coded apps, but the other is basic awareness and intelligence.<br />
 * Reasonable suspicion: People are clearly too trusting of the Internet still. Consider <a target="_blank" href="http://www.krebsonsecurity.com/2010/02/it-firm-loses-100000-to-online-bank-fraud/">this story from Brian Krebs</a> where a man in North Carolina willingly served as a money mule for laundering money.</p>

<p>At the same time, we also need to provide facilities to back these things up. We're fairly safe on most of these cases already, so really just need to add in a few areas. Vendors already provide automated patching tools. There are a wide variety of free AV and anti-spyware packages, with others for relatively little money. This just leaves training and awareness, as well as some sort of consumer-oriented reporting capability. Also, tied to patching, there needs to be a path to help facilitate upgrading. For example, I wonder how many people are still running Windows 95?</p>

<p>Some things that I think would help:<br />
 * Privacy regulations: If privacy protection is codified and enhanced, then people will have a better reason to protect their data. Such a movement could help roll back some of the privacy losses over the past decade, as well as to help modify Gen Y (and younger) culture that does not put a premium on privacy. Part of this would be making the shift away from protection against intrusion toward a more control-oriented approach (see my post <a target="_blank" href="http://www.secureconsulting.net/2009/05/the_new_school_of_privacy.html">"The New School of Privacy"</a> from last year).<br />
 * A national awareness program: Right now our only mechanism for alerting consumers is through the hype amplifier that is mainstream media. We need a sensible, non-inflammatory national program that is seen as legitimate and constructive, that spends its time offering training and awareness to consumers about how to protect themselves (this becomes all that much more important if consumers are afforded more protection plus subject to consequences for bad behavior).<br />
 * Vendor-oriented regulations: There need to be increased regulations that codify the responsibility of vendors to provide consumers with reasonable protection against defect and compromise. While it's imperative that consumers share the burden, it is also necessary to act proactively to prevent vendors from sloughing off their responsibilities in this shared ecosystem.<br />
 * More aggressive government intervention: The government needs to start intervening more aggressively to protect consumers from malware, scams, and fraud. At the same time, the government also needs to aggressively protect consumers from defective products or vendors who aren't taking responsibility for their own systems and applications. It seems that there should be an insurance vertical around this area, too. Perhaps a model along the lines of FEMA's flood insurance could be used for protecting consumers.<br />
 * Consumer protection regulations: We need new regulations that provide consumers additional protection, primarily against vendors who don't demonstrate a reasonable standard of care, but also to ensure that consumers are not punished for the evil perpetrated on them by others, at least so long as they aren't making foreseeably bad decisions. Some form of insurance may be helpful, but so would a consumer protection program geared toward cybercrime and related areas.<br />
 * Regulatory consequences for bad decisions: While affording the consumer protection is worthwhile, it seems that we have also reached a point where we need to develop reasonable "safety" standards for use of computers and the Internet. As such, just as we have laws governing operation of motor vehicles, so it also seems that we need some sort of comparable program - maybe short of licensing - that requires people to operate their computers up to a minimum level of sanity. What this would look like is unclear, but what is clear is that the current state is neither adequate nor acceptable.</p>

<p>It's a fine line to balance between protecting consumers, requiring consumers to act responsibly, and creating an environment that ends up being unnecessarily exclusionary. However, what is clear is that the Internet and computing will only become more pervasive in our lives. Toward that end, it's time to start effecting cultural change. Of course, none of this perhaps helps me explain why someone had fraudulent charges on their bank account, but it does at least give us a starting point for conversations on safe(r) computing practices in the consumer sector.<br />
</p>]]>
   </content>
</entry>
<entry>
   <title>RSA 2010 Is Nearly Here</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/rsa_2010_is_nearly_here.html" />
   <id>tag:www.secureconsulting.net,2010://12.2228</id>
   
   <published>2010-02-24T21:58:02Z</published>
   <updated>2010-02-25T00:31:00Z</updated>
   
   <summary>The 2010 RSA Conference (USA) is nearly upon us, kicking off next week Monday (3/1) at the Moscone Center in San Francisco, CA. I will be making the annual trek out there, with a similarly rigorous schedule once again (ABA...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="354" label="RSA" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="611" label="conference" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="546" label="speaking" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>The 2010 RSA Conference (USA) is nearly upon us, kicking off next week Monday (3/1) at the Moscone Center in San Francisco, CA. I will be making the annual trek out there, with a similarly rigorous schedule once again (ABA mtgs Sat-Sun, MiniMetricon Mon, BSidesSF Tu-We, RSA Mo-Fr).</p>

<p>One major change this year (this week!) is that I'll be hopping on the LAW-401 panel at the last minute, substituting for a friend of mine. The panel is 9am Friday morning (I know, yikes!), but just in case you might be interested, here are the details:</p>

<p><a target="_blank" href="https://cm.rsaconference.com/US10/catalog/profile.do?SESSION_ID=3567&form=searchform&ts=1267048587260">LAW-401 Digital Forensics vs. Security & Encryption</a><br />
<em>Session Abstract</em>: From self-encrypting drives to auto-wiping media, advances in data security present unique challenges to accurate and effective forensic evidentiary collection. Failure to anticipate the ramifications of encrypted or secured data can result in a complete breakdown of the digital forensic process. The panel will discuss current devices, legal challenges and capture solutions currently used in the field.<br />
</p>]]>
      
   </content>
</entry>
<entry>
   <title>Micro-Generation Closer to Reality</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/microgeneration_closer_to_real.html" />
   <id>tag:www.secureconsulting.net,2010://12.2226</id>
   
   <published>2010-02-22T16:49:03Z</published>
   <updated>2010-02-22T16:53:16Z</updated>
   
   <summary>This is very cool. I&apos;ve been saying informally for several years that I viewed micro-generation as the wave of the future. I figured that businesses would be the first to adopt technologies that go into buildings to make them essentially...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="weird-science" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="35" label="energy" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="67" label="environment" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="108" label="science" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="13" label="technology" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>This is very cool. I've been saying informally for several years that I viewed micro-generation as the wave of the future. I figured that businesses would be the first to adopt technologies that go into buildings to make them essentially self-sufficient for power generation. Well, that ideal is now much closer to reality. Meet the Bloom Box:</p>

<center><embed src='http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf' FlashVars='linkUrl=http://www.cbsnews.com/video/watch/?id=6228923n&tag=contentBody;housing&releaseURL=http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf&videoId=50083943&partner=news&vert=News&si=254&autoPlayVid=false&name=cbsPlayer&allowScriptAccess=always&wmode=transparent&embedded=y&scale=noscale&rv=n&salign=tl' allowFullScreen='true' width='425' height='324' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed><br/><a href='http://www.cbsnews.com'>Watch CBS News Videos Online</a></center>]]>
      
   </content>
</entry>
<entry>
   <title>A Sense of Self-Preservation</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/a_sense_of_selfpreservation.html" />
   <id>tag:www.secureconsulting.net,2010://12.2225</id>
   
   <published>2010-02-19T19:01:30Z</published>
   <updated>2010-02-22T12:46:55Z</updated>
   
   <summary>I&apos;m starting to think that we as a people have devolved to the point of losing most of our basic survival skills. If you spend any time driving the crowded roads of a major metropolitan area, or passing through airports...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>I'm starting to think that we as a people have devolved to the point of losing most of our basic survival skills. If you spend any time driving the crowded roads of a major metropolitan area, or passing through airports and their associated screening processes, or even just pay attention to the news and some of the incredibly idiotic things that people are doing these days (Baptist "missionaries" trying to steal kids from Haiti, Pennsylvania schools surreptitiously spying on students via issued laptops, or even the current state of mindless politicians being directed by their corporate masters), then you probably understand what I'm talking about here.</p>

<p>This thread absolutely applies to infosec and the business community. It seems decreasingly likely that businesses are doing what is absolutely necessary to protect themselves and, more importantly, to ensure that the business continues. And I'm not talking about business continuity here in the BCP/DR sense (though that's certainly a part of the big picture). I'm thinking, quite simply, about fundamental attitudes and behaviors that reflect a general lack of awareness about viable threats to the business and continued success.<br />
</p>]]>
      <![CDATA[<p>What we really need is a wake-up call of some sort here. A call for sanity and forethought to return to business. A call to move away from short-sightedness and a shift back toward long-term thinking that builds companies that provide value, benefit, and profit for much longer than 3 months at a time. Similarly, enterprises need to adapt a mentality that puts a premium on the survivability of the business, such as by acting in a self-preserving manner to defend itself against reasonable threats and establish reserves that help facilitate </p>

<p>From an infosec perspective, this should translate into a few common-sense practices...<br />
<blockquote><br />
<em>Stop</em> talking about traditional "risk management" as some sort of magical rubric or panacea.<br />
<em>Start</em> talking about threat modeling and legal defensibility.</p>

<p><em>Stop</em> using ad hoc approaches to security architecture and solutions.<br />
<em>Start</em> adopting a holistic, systemic ISMS-like approach.</p>

<p><em>Stop</em> delegating ownership of security to IT or other non-business leadership.<br />
<em>Start</em> requiring execs and the board to directly own and be responsible for security.</p>

<p><em>Stop</em> relying on shortcuts to survive audits.<br />
<em>Start</em> demonstrating actual due diligence by adopting a reasonable standard of care.</p>

<p><em>Stop</em> looking for ROI to "justify" security.<br />
<em>Start</em> thinking of security as a business enabler that facilitates better decisions and helps protect the business during both the good and the bad times.<br />
</blockquote><br />
2010 looks to be a good year for a return to rational thought. It's time to re-awaken a sense of self-preservation in ourselves and our businesses. To survive is success in and of itself, and to accomplish that goal means building an environment that is resilient to changes, threats, and whatever else may try to shake it to the core.</p>]]>
   </content>
</entry>
<entry>
   <title>2010 CWE/SANS Top 25 Most Dangerous Programming Errors Released</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/2010_cwesans_top_25_most_dange.html" />
   <id>tag:www.secureconsulting.net,2010://12.2224</id>
   
   <published>2010-02-16T22:06:47Z</published>
   <updated>2010-02-16T22:09:18Z</updated>
   
   <summary>Get it while it&apos;s hot! Skimming through it, unless you&apos;re new to the industry or have been hiding under a rock, none of this will be new. Nonetheless, it is a well-written document that can be used as a solid...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="617" label="CWE/SANS Top 25" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>Get it while it's hot! Skimming through it, unless you're new to the industry or have been hiding under a rock, none of this will be new. Nonetheless, it is a well-written document that can be used as a solid reference with both techies and management. It's definitely a nice stake in the ground - now you just need to figure out how to peg against it.</p>

<p>2010 CWE/SANS Top 25 Most Dangerous Programming Errors<br />
<a target="_blank" href="http://cwe.mitre.org/top25/index.html">http://cwe.mitre.org/top25/index.html</a></p>]]>
      
   </content>
</entry>
<entry>
   <title>Uninspired.</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/uninspired.html" />
   <id>tag:www.secureconsulting.net,2010://12.2222</id>
   
   <published>2010-02-15T20:55:24Z</published>
   <updated>2010-02-15T21:59:35Z</updated>
   
   <summary>In case you haven&apos;t noticed, my blogging has trailed off the last few weeks, roughly corresponding with starting a new contract. There could be any number of reasons why this has happened, but it&apos;s nothing you couldn&apos;t probably guess at....</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="615" label="meanderings" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>In case you haven't noticed, my blogging has trailed off the last few weeks, roughly corresponding with starting a new contract. There could be any number of reasons why this has happened, but it's nothing you couldn't probably guess at. New gig, longer days, lots of work, too few hours, not enough resources, yada yada yada. You know, it's called security. ;)</p>

<p>Perhaps the most frustrating part for me has been trying to find time and <em>energy</em> to write. I keep having quick ideas, but when I finally sit down to write about them, well, things just fizzle and fall flat. Not being one to publish something that I think is complete garbage, I've simply not. I even tried to write a couple article submissions last week, but those were not particularly good. If they end up running one, fine, though I will not be sad by any means if they don't.<br />
</p>]]>
      <![CDATA[<p>Anyway... in order to provide some value, I thought I'd just go through and toss out in short-form some of the ideas that I've had percolating lately in hopes that maybe someone will find value in the starter thoughts, even though I'm currently unable to get beyond those starts. So, without further blah blah blah, here ya go:</p>

<p>* <em><strong>Legal defensibility</strong></em>: I'm increasingly of the opinion that the correct metric we should be working toward is that fuzzy concept of "a reasonable standard of care." Forget about risk and risk management as your lead - it's not working. Instead, the pitch I think is most easily understood by business managers is this: you must do what is necessary to protect the business against impugnability. That is, when you sit down with senior or executive management, don't try to talk to them about information risk, because it'll generally go right over their heads (whether they acknowledge this or not, it seems to be almost universally true). Instead, say "when you get hacked tonight, will you be able to tell customers or shareholders, in a court of law, that you did everything reasonable to protect the business?" My hope is that a "no" answer in this scenario would incite a realization that the business is exposed to excessive liability, which needs to be actively managed.</p>

<p>* <em><strong>Where are the corporate attorneys?</strong></em>: Along the same lines as the previous point, I'm a bit confused why legal departments, in-house counsel, and the sort are not rushing in to pick up the fallen gauntlet of security. It is just a matter of time before more laws, more regulations, and - importantly - more fines and crimes start piling up and the business realizes "oh no we're in trouble!" In my mind, the job of corporate counsel is to help identify these liabilities and exposures and help drive the business toward a safer stance. If only they would wake up and realize that this opportunity exists...</p>

<p>* <em><strong>Security intuition</strong></em>: Much of the "psychology of security" research thus far has confirmed what we pretty much knew already: people don't respond to online threats because they haven't evolved any sort of defense detection or reaction mechanism for it. In neurology terms, there is no feedback loop that connects online actions with consequences. Without repercussions humans will not develop an instinctual response for poor online decisions. As a result, much of our attention has been paid to appealing to the intellect of people. We reason with them, provide them with logical arguments, and work hard to develop abstractions like risk to help show measurements for areas of concern. And yet little of this is actually working. So, if there's no capability to evolve instincts, and the appeal to intellect is failing, then this leaves only one level of existence to try targeting, and that's intuition. Of course, this is problematic, because we don't really know anything about intuition, except that it's a higher function than intellect, and that it's at best related to innate wisdom and feelings. In other words, oh crap, we're so screwed. ;) Seriously, though... I think there's something to this whole line... and I think it underscores the importance of deepening security education, training, and awareness initiatives so that everybody hears it (in reasonable, rational terms - no FUDsec, plzzz!!) on a regular, recurring, nearly-brainwashing basis. Perhaps.</p>

<p>* <em><strong>What is core to infosec?</strong></em>: I sort of asked this same question in July 2009 in my post <a target="_blank" href="http://www.secureconsulting.net/2009/07/do_you_need_a_security_departm.html">"Do You Need a Security Department?"</a>, but not to any level of satisfaction. I've also read Mortman's reasonable post <a target="_blank" href="http://newschoolsecurity.com/2009/08/incomplete-thought-compliance-governance-audit-and-risk-aka-grc-were-doing-it-wrong/">"Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re Doing It Wrong"</a>, which seems to have garnered a strong negative response from those supporting GRC. I still can't quite put my finger on all the angles yet, but what I do think I know is this: anything having to do with IT operations is not security. Firewalls, IDS, access management, patch management, vulnerability management (at least in part)... these are all operational issues by and large. So, if you take away these things, you're left with a handful of higher-level activities... mostly stuff that falls under governance, security management, process management, and quality & performance management. Notice I left "risk" out of that list - that wasn't accidental. I consider it to be a sub-part of the other areas. Btw, if you're wondering what quality & performance mgmt. is, that's my collective heading for metrics, testing, audits, etc. (e.g. pentesting, SAS70, vuln scans, appsec scans), and all the reporting that goes with it. This line of thinking makes me wonder, after fighting against the marketing hype of GRC all these years, if it may actually make sense. Well, at least the governance part, at any rate...</p>

<p>* <em><strong>Losing faith in the security industry and community</strong></em>: If there's one thing I'm increasingly feeling, then it's an utter lack of hope for or faith in this industry. On the one hand you have vendors driving products that don't solve problems. On the other hand you have an increasingly elitist and self-congratulatory "core" of people who think more highly of themselves and their alleged achievements than I think is warranted. And in the end, you have the same stupid problems day in and day out with companies and people everywhere. For all the "innovation" that is allegedly occurring, where is the meaningful improvement? The only thing we seem to be able to link to some sort of changes in the world is the need for compliance with various regulations, such as PCI or GLBA or HIPAA or any number of EU provisions. It seems to be the case that no business is really interested in spending one penny on self-preservation unless it is absolutely mandated by a governing authority. And even then we see massive failures as we learn that businesses are actively gaming compliance. The whole thing is a total nightmare and highlights, I think, the greatest threat of all: the complete dissolution of trust. I don't know that I like the thought of a world without any trust. It's rather disconcerting and downright disturbing.</p>

<p>Anyway... those are my random thoughts as of late... sorry not to have been able to develop them further. It's hard to think actively all day long and then try to come home and think some more. At some point one just needs to clear the mind and live intuitively.<br />
</p>]]>
   </content>
</entry>
<entry>
   <title>Quick Link: &quot;Chip and PIN Is Broken&quot;</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/quick_link_chip_and_pin_is_bro.html" />
   <id>tag:www.secureconsulting.net,2010://12.2220</id>
   
   <published>2010-02-11T19:48:33Z</published>
   <updated>2010-02-18T16:43:52Z</updated>
   
   <summary>Just a quick note and redirect here... if you&apos;ve not seen Ross Anderson&apos;s post &quot;Chip and PIN Is Broken&quot; yet, then I highly recommend zipping right over to his site to read through it. Basically, the underlying schema is broken...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="614" label="broken" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="613" label="chip and pin" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>Just a quick note and redirect here... if you've not seen Ross Anderson's post "Chip and PIN Is Broken" yet, then I highly recommend zipping right over to his site to read through it. Basically, the underlying schema is broken because of the way the "solution" has been aggregated from various standards. This finding underscores the need for coherent and well-coordinated standards when it comes to things like handling sensitive data.<br />
<a href="http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/">http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/</a></p>

<p><strong>Update (2/18/10): The Smart Card Alliance has provided a response questioning the viability of this attack in the "real world." It certainly seems somewhat unlikely, though the truth is probably somewhere in the middle. Maybe they should just fix the schema.<br />
<a target="_blank" href="http://www.digitalidnews.com/2010/02/15/emv-hack-may-be-overstated">http://www.digitalidnews.com/2010/02/15/emv-hack-may-be-overstated</a></strong></p>]]>
      
   </content>
</entry>
<entry>
   <title>Buy My ShmooCon Ticket!!</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/buy_my_shmoocon_ticket.html" />
   <id>tag:www.secureconsulting.net,2010://12.2219</id>
   
   <published>2010-02-05T02:46:13Z</published>
   <updated>2010-02-05T02:47:17Z</updated>
   
   <summary>Due to pending inclement weather, I&apos;ve bailed on my plans to attend ShmooCon this weekend. As such, my barcode is now available. Please ping me asap if you&apos;re interested!!...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>Due to pending inclement weather, I've bailed on my plans to attend ShmooCon this weekend. As such, my barcode is now available. Please ping me asap if you're interested!!</p>]]>
      
   </content>
</entry>
<entry>
   <title>Another ISSA Journal Cover</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/another_issa_journal_cover.html" />
   <id>tag:www.secureconsulting.net,2010://12.2218</id>
   
   <published>2010-02-03T16:45:57Z</published>
   <updated>2010-02-03T16:55:39Z</updated>
   
   <summary>I am extremely honored that my October 2009 article in The ISSA Journal has been included in the February 2010 &quot;best of 2009&quot; issue, and that it was the cover piece to boot. This makes 2 covers in 5 months...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="56" label="writing" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<center><a target="_blank" href="https://www.issa.org/Members/Journal/"><img border="0" vspace="5" hspace="5" alt="ISSA-Journal-cover-Feb-2010.png" src="http://www.secureconsulting.net/2010/02/03/ISSA-Journal-cover-Feb-2010.png" width="75%" height="75%" /></a></center>I am extremely honored that my October 2009 article in <a target="_blank" href="https://www.issa.org/Members/Journal/">The ISSA Journal</a> has been included in the February 2010 "best of 2009" issue, and that it was the cover piece to boot. This makes 2 covers in 5 months with The ISSA Journal. The bar is so high now that I'm almost inclined to pull a <a target="_blank" href="http://www.nydailynews.com/entertainment/2010/02/02/2010-02-02_calvin_and_hobbes_creator_bill_watterson_offers_rare_interview.html">Bill Watterson</a> and retire at the top of my game. ;)

<p>Thank you to The ISSA Journal editorial board and staff for this distinction!</p>]]>
      
   </content>
</entry>
<entry>
   <title>BSides or Be Square: San Francisco and Austin</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/2010/02/bsides_or_be_square_san_franci.html" />
   <id>tag:www.secureconsulting.net,2010://12.2217</id>
   
   <published>2010-02-03T16:41:23Z</published>
   <updated>2010-02-03T16:43:18Z</updated>
   
   <summary>Hey there conference attendees - it&apos;s time to find your groove and hop on the bandwagon for Security BSides. We have two events coming up VERY SOON - now&apos;s the time to act! Security BSides events are free to attendees,...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="526" label="BSides" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="611" label="conference" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      <![CDATA[<p>Hey there conference attendees - it's time to find your groove and hop on the bandwagon for Security BSides. We have two events coming up <em>VERY SOON</em> - now's the time to act! Security BSides events are free to attendees, relying exclusively on the generosity of volunteers and sponsors.</p>

<p>Speaking of sponsors, we still need some, especially for BSides Austin! Wondering about the value proposition? Check out the <a target="_blank" href="http://www.securitybsides.org/Sponsoring">Security BSides page on Sponsoring</a>. Please let me know if you have questions or interest in helping out!<br />
</p>]]>
      <![CDATA[<p><strong>BSides San Francisco</strong><br />
Up first is BSides San Francisco, being held at the same time as the annual RSA Conference. You <strong>must</strong> pre-register for this event as space is limited. Pertinent information is:<br />
<blockquote><br />
<strong>When:</strong> Tuesday/Wednesday, March 2-3, 2010 @ 10am - 5pm<br />
<strong>Where:</strong> pariSoma, 1436 Howard St. (at 10th), San Francisco, CA 94113<br />
<a target="_blank" href="http://www.securitybsides.com/BSidesSanFrancisco">http://www.securitybsides.com/BSidesSanFrancisco</a><br />
</blockquote></p>

<p>Speaking of #BSidesSF, now is the time to vote for talks! You can see a complete list of proposed talks here:<br />
<a target="_blank" href="http://www.securitybsides.com/BSidesSanFranciscoTalks">http://www.securitybsides.com/BSidesSanFranciscoTalks</a></p>

<p>To vote for the talk of your choice, you need to hit Twitter and post a message like the following (this one would be for my talk):<br />
<blockquote>I vote for "I Think I'm Gonna Hurl" by @falconsview #BSidesSF http://bit.ly/BSidesSFtalks</blockquote></p>

<p><strong>BSides Austin</strong><br />
This event is being held at the same time as another major conference that we can't name because of their super-tight brand management. Our thought was that it's about time we start getting security people into conversations that involve developers, and what better place to do it than around the same time as a major developer conference? At the same time, we've heard from several colleagues in Texas that getting out of the state for conferences in the current economy can be a challenge. So, to that end, we give you BSides Austin!<br />
<blockquote><br />
<strong>When:</strong> Saturday, March 13, 2010<br />
<strong>Where:</strong> Norris Conference Centers, Austin, Texas<br />
http://www.securitybsides.com/BSidesAustin<br />
</blockquote><br />
Please feel free to ping me for more information. If you're not familiar with the major event in Austin at the same time, then let me know and I can point you in the right direction. I personally think it'S an eXceptional chance to See What is happening. :)</p>

<p>As already noted, we're still <a target="_blank" href="http://www.securitybsides.org/Sponsoring">seeking sponsors</a>.</p>

<p>I hope to see you at one or both of these events!<br />
</p>]]>
   </content>
</entry>

</feed>
