<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
   <channel>
      <title>The Falcon&apos;s View</title>
      <link>http://www.secureconsulting.net/</link>
      <description>Mental meanderings of an infosec obsessive...</description>
      <language>en</language>
      <copyright>Copyright 2011</copyright>
      <lastBuildDate>Wed, 09 Mar 2011 21:03:01 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>Upgrade+Migration Update</title>
         <description><![CDATA[<p>This is just a quick update to let you know that the upgrade portion of my "Upgrade+Migration" project has completed successfully (yay!). I'm going to let things simmer here for a couple days to make sure everything is good before I move on to the next phase. In the meantime, you can find me in Austin, TX, Fri-Sat (3/11-12) where I'll be helping run - and speaking at - <a target="_blank" href="http://www.keepsecurityweird.org/">Security B-Sides Austin 2011</a>! Yeehaw! :)</p>]]>
		      </description>
         <link>http://www.secureconsulting.net/2011/03/upgrademigration_update.html</link>
         <guid>http://www.secureconsulting.net/2011/03/upgrademigration_update.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">miscellaneous</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">technology</category>
        
        
         <pubDate>Wed, 09 Mar 2011 21:03:01 -0500</pubDate>
      </item>
      
      <item>
         <title>FYI: Pending Site Upgrade+Migration</title>
         <description><![CDATA[<p>Just a heads-up, if this blog suddenly disappears from your feed in the next couple weeks, please check back to make sure your RSS link is correct. Those following on SBN or Feedburner should be unaffected, and I expect those directly linked to my feed will be unaffected as well. Nonetheless, I thought I'd let y'all know... just in case!</p>]]>
		      </description>
         <link>http://www.secureconsulting.net/2011/03/fyi_pending_site_upgrademigrat.html</link>
         <guid>http://www.secureconsulting.net/2011/03/fyi_pending_site_upgrademigrat.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">miscellaneous</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">technology</category>
        
        
         <pubDate>Tue, 08 Mar 2011 11:55:43 -0500</pubDate>
      </item>
      
      <item>
         <title>Email Platform Migration</title>
         <description><![CDATA[<p>Just an fyi, I'm migrating email to a new platform. If everything works properly, then there should be no impact to you (if you're emailing me). Come Monday most DNS records should have flushed. If for some reason you can't reach me via email, then please resort to an alternative communication method (TXT, Twitter, FB, IM, non-secureconsulting.net address).</p>

<p>Thanks!</p>]]>
		      </description>
         <link>http://www.secureconsulting.net/2011/03/email_platform_migration.html</link>
         <guid>http://www.secureconsulting.net/2011/03/email_platform_migration.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">miscellaneous</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">email</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">migration</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">misc</category>
        
         <pubDate>Fri, 04 Mar 2011 16:56:54 -0500</pubDate>
      </item>
      
      <item>
         <title>AppSec DC 2010 Video Posted</title>
         <description><![CDATA[<p>The video of my <a target="_blank" href="http://www.owasp.org/index.php/OWASP_AppSec_DC_2010">OWASP AppSec DC 2010</a> talk, <a target="_blank" href="http://www.owasp.org/index.php/The_Unintended_Consequences_of_Beating_Users_with_Carrot_Sticks:_Radical_Thoughts_on_Security_Reform">"The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform"</a>, is now available online. You can <a target="_blank" href="http://vimeo.com/groups/asdc10/videos/19908922">watch the video on Vimeo</a>, and follow along with <a target="_blank" href="http://www.slideshare.net/tomhave/the-unintended-consequences-of-beating-users-with-carrot-sticks-radical-thoughts-on-security-reform">a sanitized version of the slides on SlideShare</a>.<br />
</p>]]>
		      </description>
         <link>http://www.secureconsulting.net/2011/03/appsec_dc_2010_video_posted.html</link>
         <guid>http://www.secureconsulting.net/2011/03/appsec_dc_2010_video_posted.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2010</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">AppSec</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">DC</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">OWASP</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">video</category>
        
         <pubDate>Thu, 03 Mar 2011 15:26:45 -0500</pubDate>
      </item>
      
      <item>
         <title>Survivability Rather Than Security Metrics </title>
         <description><![CDATA[<p>(Note: this is a somewhat incomplete thought.)<br />
There's been a lot of talk of late about security metrics, but I'm increasingly inclined to think that we're shooting at the wrong elusive target. Why do we keep chasing after measuring relatively immeasurable things? Instead, I think we should be starting with the things that we can measure. After all, security is a feeling, not a tangible outcome, right?<br />
</p>]]>
		      <![CDATA[<p>Instead of measuring something so squishy, let's look at the operational metrics that we can absolutely measure. For example:<br />
 - Uptime<br />
 - Availability<br />
 - Performance (e.g., TPS, MIPS)<br />
 - Time-to-Fix<br />
 - <a target="_blank" href="http://en.wikipedia.org/wiki/Mean_time_between_failures">MTBF</a> (for a broad definition of "failure") <br />
 - SNR (representative here - i.e., how much "background noise" do we get from scans vs. detected legit attacks)<br />
 - Visibility (into code, into environment, etc.)</p>

<p>These strike me as useful metrics to track, at least operationally, with an ability to then roll them up into tactical, and even strategic, reports. Thinking about this all in terms of survivability, then, we want to be able to answer these questions:<br />
 - Have operations been negatively impacted?<br />
 - Were we able to continue operations despite degraded conditions?<br />
 - What measurable impact occurred during the impact period?<br />
 - How quickly can we resolve issues once detected?</p>

<p>These, I think, are very useful metrics to monitor. One could rightly argue that they're primarily IT operations metrics, but they go directly toward key infosec objectives, too. In terms of survivability, they help us gain a better picture of resiliency, such as by benchmarking recoverability, as well as, to a degree, defensibility.</p>

<p>Defensibility, of course, is where we start potentially getting back into squishiness. We have a similar problem with performing a FAIR risk analysis, too, when we look at the "Vulnerability" factor, since there's no simple, reliable, consistent way to measure it (i.e., this is one of the more subjective values in the overall scheme of things).</p>

<p>Putting this thought into a properly framed risk management context, based around survivability as the main driver, I think that metrics developed along these lines are more useful today, while also being reasonably accurate and precise. It's time to put aside fuzzy "security" metrics in favor of something that tells the business just how reliable its systems and applications are.<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/03/survivability_rather_than_secu.html</link>
         <guid>http://www.secureconsulting.net/2011/03/survivability_rather_than_secu.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">metrics</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">survivability</category>
        
         <pubDate>Wed, 02 Mar 2011 14:29:32 -0500</pubDate>
      </item>
      
      <item>
         <title>RSA 2011: In Summary</title>
         <description><![CDATA[<p>Another RSA Conference has come and gone, and boy, what a busy week it was! Maybe I'm just finally getting to "attendee vet" status, but it seems like every year my time becomes increasingly overbooked. Not that this is a bad thing, mind you; it's just that I'm now thoroughly exhausted and will need a week or two to recover. ;)</p>

<p>Overall, RSA was very good this year. My talks went well, my meetings went well, and it was awesome to see a lot of friends and friendly faces. The vendors really put on very good receptions this year, which was a nice return from the last couple years, which have been a bit lean. Shout-outs go to <a target="_blank" href="http://www.barracudanetworks.com/">Barracuda</a> and <a target="_blank" href="http://www.whitehatsec.com/">White Hat Security</a> for each putting on very nice parties. Kudos also to <a target="_blank" href="http://www.securitybloggersnetwork.com/">Security Bloggers Network</a> for once again running an awesome gathering of writers.<br />
</p>]]>
		      <![CDATA[<p>If there was any room for disappointment in RSA, it was with the continued lack of true innovation displayed by vendors, and the tech rut we apparently continue to find ourselves in these days. I'm certain there must be innovative ideas out there for attacking the security space, but those ideas simply aren't making it to the show floor.</p>

<p><strong>Themes</strong></p>

<p>As far as I could tell, there were a few themes this year (some interesting, some not):<br />
 * <em>Cloud</em>: Whatever that means. This non-event "event" is starting to remind me of the move to outsourcing in the late 90s. There are concerns, but most of the technology is merely being migrated to virtualized platforms. There's not much in the way of "new" here. The need for good lawyers, however, is imperative. *Everybody* seems to have a "cloud" solution of some sort these days.<br />
 * <em>Sandboxing</em>: I saw several solutions that incorporated sandboxing, whether it be for protecting the browser, improving AV, automating malware analysis, or even hosting an embedded OS on a USB pendrive in a sandboxed environment. All of these solutions are built on the back of maturing (or mature) virtualization capabilities, and I think we'll continue to see good innovation here for the next couple years. I'll be rather disappointed if we aren't all running sandboxed browsers by this time next year.<br />
 * <em>Mobile</em>: It seems like every time a new platform comes out, we must then start from scratch with security. Why is that? Anyway... mobile security is a huge hot-button topic this year, thanks to the boom in smartphones and tablet devices. iOS and Android are, of course, the big targets of opportunity, and of course riddled with holes. McAfee seems to be starting to make a strong name for themselves in the space, and I'm sure we'll continue to see vendors racing to fill the void. On a related note, please check out the <a target="_blank" href="http://www.owasp.org/index.php/OWASP_Mobile_Security_Project">OWASP Mobile Security Project</a> as they have a lot of good work started that should produce tangible results later this year. Better yet: join up! :)<br />
 * <em>Urgent Calls for Public/Private Partnerships</em>: I've been fascinated to hear an increasingly desperate tenor in the pleas from the public sector for improved public/private partnerships. I'm not fully sure I understand the motivation. It's not that I disagree, but that these sorts of relationships seem to have had limited benefit in the past. On the flip side, we're already seeing a reasonable amount of partnership, such as around smart grid and crypto research. Nonetheless, this seemed to be a theme at the conference.</p>

<p><strong>Good Times</strong><br />
<img alt="RSA-2011-BJJ-cropped.jpg" src="http://www.secureconsulting.net/2011/02/23/RSA-2011-BJJ-cropped.jpg" width="35%" border="0" vspace="5" hspace="5" align="right" />There have been several negative responses to RSA from various "known" names in the industry. In a couple cases, people who had never attended before left feeling like they'd wasted their week. I must admit that I felt this way the first time I attended, but each year thereafter has gotten better. RSA is a *huge* conference, and it thus takes a couple years to get acclimated and start realizing all the benefits.</p>

<p>Most of us don't go to RSA to be speakers or to meet with vendors. Instead, RSA is where you go to meet people, catch up with friends, and get business done. The talks each year are fine, but it's not a hacker con, and thus nobody should expect a lot of whiz-bang presentations. At the same time, if you're open to learning about other aspects of the security industry, then this is a great place to be.</p>

<p>As mentioned, I enjoyed several of the receptions this year, as well as attending my first speakers' dinner (I didn't go last year and regretted my decision). I also greatly enjoyed getting a chance to meet with various people and organizations all week. Overall, I thought this year was very positive, and that it lacked the economics-induced black cloud of the past two years.</p>

<p>The other event that made this year fun was participating in the annual Brazilian Jiu-Jitsu Smackdown on Thursday evening. I skipped last year (another regretted decision), and so was eager to join this year. It was a lot of fun! My first time joining 2 years ago was a major beat-down for me, a fairly inexperienced white belt. This year, however, as a more confident, better-skilled blue belt, went much better, and was overall far more enjoyable. Good stuff!</p>

<p><strong>Talk Summaries</strong><br />
<img alt="RSA-2011-Clinton-cropped.jpg" src="http://www.secureconsulting.net/2011/02/23/RSA-2011-Clinton-cropped.jpg" width="30%" border="0" vspace="5" hspace="5" align="right" />Admittedly, I didn't get to very many talks this year, which isn't necessarily a good or bad thing. I did, however, make it to both of my talks, which I suppose is the important thing. That said, I did attend a few talks, including Mr. Clinton's closing keynote, and wanted to highlight what I heard or how it went.<br />
 * <em>Mogull's "Everything DLP" Talk</em>: Rich literally turned off his slides for the majority of the talk and just went through everything you might want to know about DLP, engaging in conversation with the audience, in what I think was a great talk. Take note, speakers: you do not need slides to have a good talk. Moreover, dumping the slides shows you know your topic very well!<br />
 * <em>Rothke's Social Media Talk</em>: Ben covered some interesting points on how we're basically all screwed and privacy is a lost illusion. Sad, really, but true. On the bright side, we're pretty much all equally SOL. Ok, so it wasn't quite that bad (or was it)? :) I liked the talk, though.<br />
 * <em>Risk Mgmt Smackdown Panel</em>: Let me start by saying: Oh, sigh. Poor Alex Hutton. What do you do when the main opposition insists on reading statements rather than engaging in an actual discussion? More importantly, who in the world rejects all analogies outright on the basis that what we do is so special that nothing comes close to comparing? And, lastly, how relevant, really, are studies of "cyber criminals" from the 60s, 70s, and 80s? I mean, seriously. *sigh*<br />
 * <em>GRC-201 Panel</em>: I led a panel titled "Reasonably Foreseeable, Legally Defensible" consisting of Dave Navetta (InfoLaw Group), Serge Jorgensen (Sylint Group), Raf Los (HP), and Dan Houser (ISC2/Cardinal Health). For me, this was a lot of fun. I did everything I could to get the panel and audience pumped up first thing in the morning (we had an 8:30am Wed. start time), and then literally stood in the back of the room and let the panel talk. We had decent audience participation and I was overall quite pleased with how it went. Hopefully attendee reviews will agree! A hearty "thank you" to the panelists for a job well done!!<br />
 * <em>LAW-403 Talk</em>: In the last talk slot of the conference, Dave Willson (NEK) and I gave an ethics talk on the reactive use of force in cyberspace. The talk was originally proposed by Randy Sabett, who was supposed to be the lead speaker. He had to bail for work reasons, so I recruited Dave to join since he had just retired from 20 years in Army JAG doing cyberlaw, and is now working in similar areas. Overall, I think the talk went ok. We had a lot of audience participation, which is definitely a positive, though it disrupted the flow of the talk. We'll see how the attendee ratings are for the session. Dave and I recorded a 20-minute version of the talk the previous afternoon for RSA (no idea when/where it will post), which went very well. For both sessions I tried to adopt an interview style with Dave as the SME in the room. I think that technique was generally effective (certainly for the recording). It was very hard to bring adequate energy for this final talk of the conference.</p>

<p><strong>My Other Posts on RSA 2011</strong></p>

<p>Here are my previous posts on RSA 2011:<br />
 * <a target="_blank" href="http://www.secureconsulting.net/2011/02/rsa_2011_books_talks_and_where.html">"RSA 2011: Books! Talks! (and where I'll be)"</a><br />
 * <a target="_blank" href="http://www.secureconsulting.net/2011/02/rsa_2011_disinnovation_sandbox.html">"RSA 2011: (dis)Innovation Sandbox"</a><br />
 * <a target="_blank" href="http://www.secureconsulting.net/2011/02/rsa_2011_imation_expands_offer.html">"RSA 2011: Imation Expands Offerings"</a><br />
 * <a target="_blank" href="http://www.secureconsulting.net/2011/02/rsa_2011_meet_federated_networ.html">"RSA 2011: Meet Federated Networks"</a></p>

<p><strong>Miscellaneous</strong></p>

<p>In case you're curious, I popped-up in a couple other places during the week, including:<br />
 * Tripwire Blog: <a target="_blank" href="http://www.tripwire.com/blog/security/top-security-issues-for-2011-data-loss-prevention-and-internal-threats/">"Top security issues for 2011: Data loss prevention and internal threats"</a></p>

<p>Also, as I mentioned before the conference, I had two (2) books come out to which I contributed. Both were from the ABA Press.</p>

<p><a target="_blank" href="http://www.abanet.org/abastore/productpage/5450059"><img alt="ABA-data-breach-book-cropped.jpg" src="http://www.secureconsulting.net/2011/02/23/ABA-data-breach-book-cropped.jpg" width="35%" border="0" vspace="5" hspace="5" align="left" /></a></p>

<p><a target="_blank" href="http://www.abanet.org/abastore/productpage/5450058"><img alt="ABA-infosec-book-cropped.jpg" src="http://www.secureconsulting.net/2011/02/23/ABA-infosec-book-cropped.jpg" width="35%" border="0" vspace="5" hspace="5" align="right" /></a><br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/rsa_2011_in_summary.html</link>
         <guid>http://www.secureconsulting.net/2011/02/rsa_2011_in_summary.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">RSA</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">summary</category>
        
         <pubDate>Wed, 23 Feb 2011 17:37:33 -0500</pubDate>
      </item>
      
      <item>
         <title>RSA 2011: Meet Federated Networks</title>
         <description><![CDATA[<p>Given my workload, I only had the opportunity to interview one other business for RSA 2011. Sifting through all the meeting requests can be quite daunting, but <a target="_blank" href="http://www.federatednetworks.com/">Federated Networks</a> made such a unique impression with some of their offerings that I felt compelled to meet with CEO Dave Lowenstein.<br />
</p>]]>
		      <![CDATA[<p>The long-and-short of it is this: Federated Networks (FN) is a privately held startup that has been working on security products for the past 5+ years. Based out of Toronto, they're now on the verge of releasing several security products that will target a wide range of customers, from the consumer to enterprise to government space. Full details are a bit limited today, but their solutions include what will be a free consumer-oriented sandbox technology, as well as a proprietary replacement for SSL. They also have a WAF-like product that will be available. Lowenstein says that they are planning to do a staggered release schedule of their products starting this Spring.</p>

<p>BT Counterpane's ethical hacking team has recently completed an assessment of some of these technologies, and reportedly the products performed well. FN is hoping that their products will be disruptive in the marketplace, and if half of what Lowenstein talked about ends up standing up to scrutiny, then I think there's a good chance he'll be proven right.</p>

<p>Beyond this, there's not much information I can share. I'll be looking for their product releases this coming Fall. FN also indicated that BT will next be testing their e-Voting solution, which I'll be interested to hear more about as well.<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/rsa_2011_meet_federated_networ.html</link>
         <guid>http://www.secureconsulting.net/2011/02/rsa_2011_meet_federated_networ.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Federated</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">FN</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Networks</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">press</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">review</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">RSA</category>
        
         <pubDate>Wed, 23 Feb 2011 15:55:36 -0500</pubDate>
      </item>
      
      <item>
         <title>RSA 2011: Imation Expands Offerings </title>
         <description><![CDATA[<p><a target="_blank" href="http://www.imation.com/en-us/Imation-Products/Defender-Collection/F-200-Bio/"><img alt="450x450_IL_DefenderF200Bio_FrontOpen.jpg" src="http://www.secureconsulting.net/2011/02/23/450x450_IL_DefenderF200Bio_FrontOpen.jpg" width="225" height="225" border="0" vspace="5" hspace="5" align="right" /></a>I had the opportunity to interview reps from <a target="_blank" href="http://www.imation.com/en-us/">Imation</a> on the expo floor at RSA 2011 last week. The meeting request had interested me because my mental image of Imation was that of a fairly staid and stable storage media company. And, to a degree, this mental image was not incorrect. However, despite their solid maintenance of well-known media brands like Memorex and TDK, I was excited to see that Imation is also branching out into new areas.</p>

<p>A couple of products from Imation's new Defender Collection struck me as being very interesting. These products include biometric and encryption capabilities, as well as a self-contained, pendrive-based Windows environment in development (making them only the 2nd vendor to do this, following on the heels of SPYRUS).</p>

<p>In addition to these new product lines, Imation has also begun developing software to support these devices. You, the reader, might think this is a fairly logical extension (you'd be right), but don't overlook the fact that standing up an entirely new software division to support new products is a somewhat risky venture, and something that represents Imation's strong commitment to these new product lines. The software will, in particular, provide central management and authentication integration for the new Defender line of devices, which should make them particularly appealing to the enterprise (at least for Windows-oriented folks today).<br />
</p>]]>
		      <![CDATA[<p><strong>The F200+Biometrics Device</strong></p>

<p>For demonstration and experimentation purposes, I received an F200+BIO USB storage device from the good folks at Imation. The device (Imation-supplied picture above) features 32GB storage, FIPS 140-2 Level 3 validated encryption using AES 256, and 2-factor authentication (password+biometric).</p>

<p>Installing the device on my Mac was, unfortunately, less than trivial. No documentation was provided in the retail box, and when I plugged the device in for the first time, it did not show up as a connected device. A quick search of the Imation support pages indicated that a firmware update may be needed, so I contacted Support for more information. After a few minutes on the line with a rep, he found the information, took my email address, and promised to email the update to me. Unfortunately, the files received didn't include directions on how to install them, nor was it obvious what the files were (i.e., they didn't come as a pkg or dmg, so I didn't know how to use them). As it turned out, one of the files was a PDF missing the .pdf extension, which included upgrade directions. The directions pointed me to a Windows-based PC to flash the firmware so that I could then use the device with Mac OS X 10.6.</p>

<p>Loading up my Win7 VM, the device was immediately detected and I was prompted to go through setup/configuration. These devices can support up to 10 users, each with their own protected storage space (which is rather cool). In my case, I simply created 1 user for myself, and opted to only use single-factor authentication (biometrics). Enrollment was straightforward, with 5 swipes per finger (for a minimum of 2 fingers) required. You could swipe all 10 fingers if you wanted to do so, or maybe even ask someone else to swipe in a finger should you want to have a device and single storage partition shared among a team.</p>

<p>Once everything was updated and configured, the device worked like a charm. Upon initial detection, it shows up as "LOCKED" until you swipe your finger to unlock it, at which point it changes to "PRIVATE". On the Mac, an "Application" disc volume also shows up, which contains the Windows app code and documentation. One of the quirks of the device on Mac is that every time I connect and biometrically authenticate, OS X gives me a pop-up window indicating that the volume had not been dismounted properly. This, despite having ejected both the PRIVATE and Application volumes. Another interesting quirk was that every time I attempted to eject the Application volume, it automatically re-mounted it and the LOCKED volume, making it essentially impossible to cleanly dismount. This might be part of the cause of the issues. Only long-term testing will be able to prove whether or not there are lasting data storage issues, though my guess is that it won't matter.</p>

<p>In terms of performance, the encryption did not appear to introduce any latency. The device has an onboard processor to do hardware-level encryption, allowing transfer speeds to be very high. I copied over a 480MB ISO image (the OWASP Live CD) and it only took about a minute to complete the operation.</p>

<p><em>Conclusion</em>: The F200+BIO is definitely a nifty device, and I think it's a solid representation of the entire Defender Collection that Imation is releasing. I'm very eager to see the beta release of their embedded Windows product in the near future, particularly because it will help provide competition for SPYRUS and lead to what I hope will be even better price points. It seems likely that the SPYRUS solution will be more mature initially, but I feel confident that Imation will quickly get up to speed and provide some reasonable competition in this space.<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/rsa_2011_imation_expands_offer.html</link>
         <guid>http://www.secureconsulting.net/2011/02/rsa_2011_imation_expands_offer.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Imation</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">press</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">review</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">RSA</category>
        
         <pubDate>Wed, 23 Feb 2011 15:19:08 -0500</pubDate>
      </item>
      
      <item>
         <title>RSA 2011: (dis)Innovation Sandbox</title>
         <description><![CDATA[<p>Maybe I don't understand the meaning of the word "innovation." Every year I walk through RSA's "Innovation Sandbox," and every year I reach the same conclusion: if this is "innovation," then no wonder we're so far behind the opposition! This year's assortment of vendors was no better than the previous years', with a couple of exceptions.<br />
</p>]]>
		      <![CDATA[<p>"Science Fair" competitors:<br />
 * <em>CipherCloud (Trustosphere)</em>: Similar to an entry from last year, this is a gateway appliance that sits on the edge of your enterprise and intercepts a variety of fields, tokenizing or encrypting data before it goes into the cloud. Interesting? Sure. Innovative? Not so much (we saw this last year). I'm sure they have key differentiators, but - as was true last year - I'm not sure I see much need or demand for this today. Another case of a solution being used to kludge human behavior.<br />
 * <em>ENTERSECT</em>: Another 2-factor solution (definitely not a new idea), particularly oriented to mobile devices, but without simply being a one-time-password (OTP) method. I didn't get more details beyond this as I just couldn't bring myself to hear the pitch.<br />
 * <em>Gazzang</em>: Though not what I would consider "innovative," this was nonetheless a potentially useful product. They're essentially an on-system middleware product (just above the kernel) for doing inline transparent encryption for MySQL databases. I question their market strategy, though, with Oracle having purchased Sun, the owner of MySQL.<br />
 * <em>HyTrust</em>: Just another configuration appliance, this one geared to virtual environments. What I don't get is that it was listed as v2.1. Ummm... if you've released 2.1 full versions in the last year, then I have some concerns...<br />
 * <em>Incapsula</em>: Oh, look, a WAF. Is this innovative? Incapsula is a spin-off from Imperva, with a focus on distributed WAF for the cloud. You know, like what <a target="_blank" href="http://www.artofdefence.com/">Art of Defence</a> has been successfully deploying for a couple of years now. Heck, AOD is on the expo floor at RSA for at least its 2nd year this year. Ummm... so, note to RSA Conferences: This is not the definition of "innovation."<br />
 * <em>Invincea</em>: One of two interesting products in the same space, attacking problems in slightly different ways. Basically, this is a sandboxed browser environment (Quaresso calls theirs an "emphemeral browser"). It's an interesting idea, and very much inline with what companies like beCrypt are doing in their autonomous environments.<br />
 * <em>Pawaa Software</em>: I didn't get a chance to dig into this solution very far, though it sounds interesting and mildly untenable. From the description and literature, it looks to be a wrapper file format for asserting and enforcing security controls. An interesting idea, but probably not as a standalone product. *IF* it's any good, then I have to believe they'll be snarfed up by a bigger vendor sooner than later.<br />
 * <em>Quaresso</em>: Their "ephemeral browser" is an interesting idea. Basically, again, a sandboxed environment. Nothing too crazy, but definitely a better approach than the norm. I expect this to become SOP for all browsers in the future.<br />
 * <em>Silver Tail Systems</em>: This product helps limit attack success by using statistics-based heuristic inline analysis to make a quick determination of "good" or "bad" and then action it accordingly. In many ways it reminds me of Trustifier (which I still barely understand), though instead of using algebras with compiler theory, they're instead using the AV heuristics model (which has had limited success historically). A nice idea, but one that I think will have limited legs. I'd be surprised if Symantec or McAfee didn't acquire them in the next couple years.<br />
 * <em>Symplified</em>: I have no idea what this product does. I couldn't get through the marketing buzzwords, nor did I get a chance to speak with their reps (they were fairly busy). To me, it seems that if you can't clearly state what you do in a sentence, but rather waste that space on marketing garbage, well, then you probably don't deserve much real attention.</p>

<p>Overall, I'm disappointed again with the lack of truly innovative solutions. I have to believe there is better stuff out there, though the rules for getting into the exhibit are a bit wonky. Will any of these products revolutionize the industry? Nope. Oh, well...<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/rsa_2011_disinnovation_sandbox.html</link>
         <guid>http://www.secureconsulting.net/2011/02/rsa_2011_disinnovation_sandbox.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Innovation</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">RSA</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Sandbox</category>
        
         <pubDate>Tue, 15 Feb 2011 14:26:22 -0500</pubDate>
      </item>
      
      <item>
         <title>Forget SmartGrid, Micro-Generation Is the Future </title>
         <description><![CDATA[<p>A very brief post here... on a topic I've mentioned to people in the past, but have never put into writing. Really, this is as much an incomplete thought as anything else...</p>

<p>Yes, SmartGrid technology will be needed in the future, but I'm gravely concerned that we're investing in the wrong technologies today. All the talk and focus is on how it will help improve the electric grid, but it does little to address one fundamental problem: it still relies on the fundamentally flawed premise of central power generation and long-haul distribution.<br />
</p>]]>
		      <![CDATA[<p>Instead of investing in SmartGrid, I strongly believe we should be heavily investing in <a target="_blank" href="http://en.wikipedia.org/wiki/Microgeneration">micro-generation</a>. Micro-generation is the deployment of localized power generators (on a small scale) that are designed to service a single facility or location. The interesting thing about micro-generation is that implementation means reducing the overall load on the power grid while also undermining "critical infrastructure" concerns.</p>

<p>For the power companies, micro-generation also represents a new and very interesting opportunity for new revenue. And, incidentally, this would (today, anyway) likely be revenue that is outside most of the heavy regulations. True, new rules would be inevitable, but overall the impact would be highly positive.</p>

<p>Imagine if every commercial facility had its own power generation. The peak daytime load would then be greatly lowered on the grid. And, if engineered well, this approach could also help improve generation capabilities and overall grid capacity and stability by having companies sell back their excess energy (if they so desired), particularly at night during off-peak hours.</p>

<p>If you remove reliance on power distribution, then many safety and security issues go away. For example, major snow+ice storms would no longer take out most commercial sites through downed power lines, which would in turn allow power companies to focus on restoring service to "legacy" customers (such as residential neighborhoods). However, also potentially interesting is the idea that neighborhoods (e.g., HOAs) could band together and set up their own micro-generation capabilities for a neighborhood.</p>

<p>Also, couple this with the current move from AC to DC power and you can start seeing a future where SmartGrid itself is less important. Oh how I wish that the political entities would wake up and smell the ozone on this topic...<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/forget_smartgrid_microgenerati.html</link>
         <guid>http://www.secureconsulting.net/2011/02/forget_smartgrid_microgenerati.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">musings</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">energy</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">musings</category>
        
         <pubDate>Fri, 11 Feb 2011 09:52:52 -0500</pubDate>
      </item>
      
      <item>
         <title>Why I Failed As Highwinds SecDir</title>
         <description><![CDATA[<p>I started writing this post a few weeks ago, but am only now getting back to it. After getting a good outline going, I simply couldn't bring myself to write it. Part of my resistance, I think, comes in the pain of self-realization. At the same time, I'm sometimes loath to share these personal revelations as I'm never sure how people will take them. My hope is that you'll read this and think "lessons learned" and not "what a dope." Anyway...<br />
</p>]]>
		      <![CDATA[<p>For a little background, I took a job as Security Director in January 2009 with a small tech firm in Phoenix called Highwinds. They did a couple different things, split along the lines of USENET services and a CDN. The company had grown through acquisition, and as such had all the legacy software+system issues you might imagine. There were a variety of other issues, such as internal politics and power struggles, and certainly no shortage of security concerns, especially given a need to make forward progress on PCI DSS compliance.</p>

<p>About 8 months after starting the job, including a move from NoVA to Phoenix a couple months into things (a move that, to this day, I'm kicking myself over - always listen to your gut!!), my position was terminated and I was cut adrift in one of the worst markets in the country. The termination came right on the heels of my speaking at a small conference in Montana (for which I had been approved to travel!), and really served to knock the wind out of me hard. I had just started to feel like I was settling in the role and starting to understand how I needed to proceed and was more than a little angry over the sudden change of status.</p>

<p>The bottom line, though, is that I failed at the job. No, I didn't fail because I didn't know what to do, but because I failed to effectively communicate. It's ironic, I suppose, that someone as verbal as I am could fail at fundamental communication, but that is in fact what happened. In a nutshell:<br />
&nbsp;&nbsp;&nbsp;-- The prioritized approach I had developed was right.<br />
&nbsp;&nbsp;&nbsp;-- The staffing issues I had identified were right.<br />
&nbsp;&nbsp;&nbsp;-- However, I did not effectively communicate this plan to the C-level team (too abstract).<br />
&nbsp;&nbsp;&nbsp;-- Ergo, failure.</p>

<p>It's amazing how important clear communication is, especially when trying to share a serious message that requires explicit action and fundamental changes. And yet, when given a chance to brief the C-level team, I completely dropped the ball, using a very short slide deck that simply created more questions and confusion without actually setting forth any sort of plan of action. No wonder the CEO walked out of the meeting, turned to the GC and asked "is it me or has he done nothing in 6 months?" Nothing could have been further from the truth, and yet this was the message I somehow relayed through my presentation! Ack!</p>

<p>The important lesson to learn here is that it's imperative to clearly communicate a plan of action. It is not adequate to simply share a vision and leave it up to people outside the industry to fill in the blanks. Maybe some execs are ok with a more abstract approach, but this team certainly was not ok with such an approach, and I completely failed in my duty to reassure them of the choice that they'd made in hiring me.</p>

<p><strong>Not Completely My Fault</strong></p>

<p>Now, all of this said, I can't take full credit for my failures. Well, I guess I could, but to do so would be uncharitable to myself and ignore the hard work, blood, sweat, and tears that went into this fatal scenario that was, I think, doomed from the outset. How so? Well...<br />
&nbsp;&nbsp;&nbsp;* <em>Inadequate Support</em>: Plain and simple, I was never fundamentally supported in the position. I knew this before the move to Phoenix at a very fundamental level, but had hoped that being on-site would help resolve some of these concerns. As it turned out, I got put in a nice office 6 floors away from the entire ops team and was subsequently shut out. It was very clear that I wasn't wanted there, and had really only been hired to say "yes, we have a security person," but without any intention to change things. Case-in-point, I tried to help accelerate an SSO project, which was assigned to one of the sysadmins, who subsequently ignored it until he finally snapped and yelled at me, announcing that he had no intention of doing the work assigned. He quit a couple weeks later, and the project never made any progress.</p>

<p>&nbsp;&nbsp;&nbsp;* <em>Politics</em>: I came onboard in the midst of a protracted and increasingly volatile political battle. By all rights, I should never have been moved to AZ, but rather should have been moved to corp. HQ in Winter Park, FL. The Phoenix office was home to ops, but it was pretty much all acquired talent who had been running their own businesses, and who were being allowed to still operate with a high degree of independence. Unfortunately, this led to lots of decisions being made at a point too close to ops that didn't necessarily reflect a useful overall strategy for the company. Phoenix functioned like a subsidiary within the company, which created all sorts of challenges. IT, which was based at corp HQ, wasn't even providing support for the Phoenix office even though a significant number of people were based there. Dysfunctional hardly begins to describe what that environment was like.</p>

<p>&nbsp;&nbsp;&nbsp;* <em>An Overwhelming Amount of Work</em>: I was amazed at how little security had been implemented. My tasking was primarily PCI compliance, and I had a tough time getting my brain around it. It took me a couple months simply to map out all the gaps that required remediation. In the end, I was able to initiate a project to address the majority of concerns in the cardholder environment (no idea if that project was ever completed). However, it was a very daunting task, and one that took me a long time to get my brain wrapped around. It was one of those situations where there were literally several top-priority issues that needed to be addressed. And, given the lack of support, there was simply no place for me to start or any way to get anything meaningful done.</p>

<p>&nbsp;&nbsp;&nbsp;* <em>Wrong Person For the Job (sort of)</em>: In many ways, I was the wrong person for the job. Or, more correctly, I needed one other person - a solid, hands-on technical security resource - to help make headway. It quickly became clear that I couldn't lead the security charge AND implement all the necessary changes. Moreover, as I needed to be the "bad guy" in many cases, delivering bad news, it would have been very useful to have someone technical who could endear themselves to the ops team and actually make some progress. Alas, it wasn't going to happen.</p>

<p>Suffice it to say, I now find the experience instructive, even though it represents a spectacular failure in my career. I'm confident that I could tackle a comparable position in the future and a) avoid a bad environment, while b) getting stuff done.<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/why_i_failed_as_highwinds_secd.html</link>
         <guid>http://www.secureconsulting.net/2011/02/why_i_failed_as_highwinds_secd.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Life_Lessons</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">musings</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">work-jobs</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">failure</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Highwinds</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">reflection</category>
        
         <pubDate>Fri, 11 Feb 2011 09:47:35 -0500</pubDate>
      </item>
      
      <item>
         <title>Evolving OWASP: Reflections on the 2011 Summit </title>
         <description><![CDATA[<p>For full Summit coverage and follow-up, check out the <a target="_blank" href="http://www.owasp.org/index.php/Summit_2011">OWASP Summit 2011 page</a>.</p>

<p>I'm not even home yet, and already my brain is churning. I left Lisbon this morning, heading for home, and then on to San Francisco for RSA-related "festivities" the next day, but since I'm stuck on a plane for several hours here, I thought it would be a good time to jot down some thoughts. Actually, I started making notes in the car this morning en route to the airport... here's how it starts:<br />
<blockquote>As we raced down the highway in excess of 150kph, flying through the lush green hills, kissed by the slowly lifting fog, I couldn't help but let my mind wander freely over this trip and the past couple days. I leave Portugal with a few conclusions:<br />
&nbsp;&nbsp;&nbsp;* OWASP is doing good and important work.<br />
&nbsp;&nbsp;&nbsp;* OWASP is going through a transitional period, in part related to generational ascendancy.<br />
&nbsp;&nbsp;&nbsp;* OWASP is strong and filled with wonderfully passionate people.<br />
&nbsp;&nbsp;&nbsp;* OWASP is application security.</blockquote></p>

<p>Perhaps the writing is a bit over the top, but it's how I feel after what I can only describe as an interesting, yet strangely energizing, event marked by the expression of strong sentiments and passionate drive to make the world a better place. Allow me to expound...<br />
</p>]]>
		      <![CDATA[<p><strong>Passionate People</strong></p>

<p>What was the Summit, exactly? Well, it was kind of like a conference, except different. Instead of traditional talking-head lectures, pretty much everything was couched as a hands-on workshop or interactive discussion. It was extremely rare to have a single person at the lead, and in all cases there was a high degree of engagement from participants. Walking between sessions during the day, and even wandering between sessions Wednesday night, it was amazing to see so many openly participating in (contributing to!) projects, discussions, and workshops.</p>

<p>Nowhere was passion more readily demonstrated than in the "governance" dynamic session Tuesday evening. People I know and respect got up and voiced their concerns in no uncertain terms. By the end of the night, a clear direction had been laid out, all the while clearing out the bile that had been boiling up in some over the course of the year (or more!). Growing pains, miscommunication, and confusion are inevitable as organizations rapidly grow and move; especially an organization that is tackling such a daunting mission of enabling application security globally.</p>

<p><strong>Up-n-Coming Leaders</strong></p>

<p>Helping drive much of the passion within OWASP is an emerging cadre of younger leaders. There's nothing more thrilling than seeing the next generation begin to assert itself and start taking ownership of projects and leadership roles. It is only through the dedicated efforts of these new leaders that OWASP will continue to grow and succeed.</p>

<p>Another remarkable point was the degree of participation from our European counterparts. This is the first forum where I've truly seen international collaboration on a truly ubiquitous scale. It was awesome to meet so many non-Americans with such a strong passion for OWASP and appsec. I should also note that it's not <em>just</em> the Europeans, either, but also the Brazilians, who are building strong leadership cadres to promote and grow OWASP locally and globally.</p>

<p><strong>Room for Improvement</strong></p>

<p>It would be foolhardy to somehow imply that OWASP was already adequate, as nothing could be further from the truth. As is true of most things, there is ample room for improvement. Specifically, there are some tough issues that are going to need to be addressed aggressively in the coming months and years:<br />
&nbsp;&nbsp;&nbsp;* <em>Process Development/Improvement</em>: By its own admission, the board is not currently strictly following its defined processes when it should be. It's made a commitment to resolve that matter. But, more than that, there is a general lack of formal processes within the organization, which can lead to confusion, miscommunication, and decisions made without following due process. This area will be one of the largest obstacles to overcome in the near-term as it is exceedingly difficult to introduce more rigorous process within a well-established, mid-sized organization. At the same time, there is a certain degree of irony in OWASP not having very good processes when so many of us actively promote formalizing SDLs wherever possible. ;)</p>

<p>&nbsp;&nbsp;&nbsp;* <em>Formal, Documented Rules (aka "policies")</em>: It's likely that the governing by-laws will need to be amended, at least to a small degree, if for no other reason than to make them better reflect the current status of the organization. However, additional rules need to be established, such as spelling out roles and responsibilities, how authority is delegated, who can become project or committee leads, etc, etc, etc. Everybody is working for the greater good of OWASP, but it's time to put some formal definition around what that means, or what the consensus leadership believes meets the objective of "greater good."</p>

<p>&nbsp;&nbsp;&nbsp;* <em>Improved Communication</em>: Communication is not particularly good within OWASP. There's a lot of confusion, there are a lot of lists, there's no easy way to access most of the information, and so on and so forth. The next point will speak to one of the main obstacles today (the web site), but beyond that there are other improvements to be made. OWASP has mailing lists, twitter, and the web site through which information can be published. For all I know, there might also be a blog. There's no excuse for various announcements not to be heard, and yet that's exactly what is happening today. E.g., external consultants have been retained to help formalize and improve the vision, mission, objectives/goals, and so on. Very few people knew this was going on, despite an assertion that it had been announced. And here the board just figured nobody cared to review what had been proposed... d'oh! My expectation is that leadership will diligently work to greatly improve communication this year. I hope that they formalize rules and processes around this area, too.</p>

<p>&nbsp;&nbsp;&nbsp;* <em>Revamped Web Site</em>: The current OWASP web site rather sucks. It's true! It is nigh on impossible to find things on the site. Many people (myself included) use Google instead of the built-in search engine because the site is just that broken. Part of the problem is organization (or lack thereof), part of the problem is too much stale/outdated content that should have been archived years ago, and part of the problem is general maintenance. The underlying code was upgraded recently to improve the basic functionality of the platform, but much more will need to be done. Thankfully, there is a group of interested, passionate people working on developing recommendations as a direct outcome from the Summit.</p>

<p><strong>Willingness to Evolve, Motivated to Serve</strong></p>

<p>Perhaps the most pleasant surprise for me was the openness of the current "old guard" leadership to suggestions for change. Change is necessary and important, especially given how rapidly the organization has grown these past few years. Everybody I spoke with expressed a willingness to do what was right for OWASP, and that translated directly to a willingness to change. Never have I seen such a strong balance between outright passion and willing flexibility.</p>

<p>Along these same lines, this group of people we call "members" is really quite remarkable. Smart, motivated, and innovative. It was exceedingly wonderful to see a lack of resistance to innovation, and in fact it was great to see such an interest in evolving practices and the organization. Case-in-point, I led an hour-long "dynamic" session (that is, ad hoc) on formal risk assessment methods that had a full room. Never in my life did I think that I would get a dozen or more interested parties in a room talking about risk assessment, the differences between qualitative and quantitative, the need to define labels/ratings, and so on. It was wonderful! :)</p>

<p><strong>A Promising Future</strong></p>

<p>For as much work as was accomplished this week, I believe that we will historically only see this as a blip on the radar. Though the Summit had been billed as "building OWASP 4.0" I think it really was perhaps more along the lines of v3.5. We do not need a bunch of wholesale changes, but rather a handful of well-considered, targeted changes addressing the issues I've listed above. This is very good news! Going into the Summit I had concerns about the future of the organization, but now I'm reasonably optimistic about things. The next step is to figure out how I can help out more. I hope that you'll join me in formally engaging with OWASP, either as a leader or a volunteer, and always as a member. There are tons of projects that need help, there are committees that need more people, there are events that need volunteers, and there are leaders who need honest feedback and suggestions.<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html</link>
         <guid>http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">OWASP</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Summit</category>
        
         <pubDate>Fri, 11 Feb 2011 09:43:09 -0500</pubDate>
      </item>
      
      <item>
         <title>RSA 2011: Books! Talks! (and where I&apos;ll be) </title>
         <description><![CDATA[<p>(updated 2/3/11 with link to preview podcast for GRC-201 panel)</p>

<p>Good grief, RSA is almost upon us! This year will be another busy one for me in San Francisco. I have 2 talks scheduled, 2 books coming out, and I'm involved with 3 different events. As such, I wanted to share some of these announcements with you on the off-chance that you might like to attend one of my sessions, or just meet-up face-to-face. If you see me, please introduce yourself!<br />
</p>]]>
		      <![CDATA[<p><strong>General Schedule</strong></p>

<p>Sat-Sun: ABA ISC Annual Pre-RSA Meeting<br />
Mon: Mini-Metricon 5.5, then RSA Innovators Sandbox<br />
Tues: Speakers' Dinner at night, sessions during the day<br />
Wed: Moderating the panel for GRC-201 (details below), various and sundry the rest of the day - This panel is going to be AWESOME!!! :)<br />
Thurs: Mostly free for exploring the expo, interviewing some folks, etc.<br />
Fri: Speaking with Dave Willson in LAW-403 (details below), after-glow at Scoma's</p>

<p><strong>RSA Talks</strong></p>

<p>GRC-201 "Reasonably Foreseeable, Legally Defensible"<br />
Wed 08:30am, Orange Room 300, 70 minutes<br />
<a target="_blank" href="https://365.rsaconference.com/community/connect/blog/2011/02/02/podcast-reasonably-foreseeable-legally-defensible">Preview Podcast</a></p>

<center><a target="_blank" href="http://www.secureconsulting.net/2011/02/01/GRC-201.png"><img alt="GRC-201.png" border="0" vspace="5" hspace="5" src="http://www.secureconsulting.net/2011/02/01/GRC-201.png" width="450" /></a></center>

<p>LAW-403 "Ethical Considerations Involving the Use of Force in Cyberspace"<br />
Fri 11:20am, Orange Room 310, 50 minutes<br />
<a target="_blank" href="https://365.rsaconference.com/community/connect/blog/2011/01/19/podcast-ethical-considerations-involving-the-use-of-force-in-cyberspace">Preview Podcast</a></p>

<center><a target="_blank" href="http://www.secureconsulting.net/2011/02/01/LAW-403.png"><img alt="LAW-403.png" border="0" vspace="5" hspace="5" src="http://www.secureconsulting.net/2011/02/01/LAW-403.png" width="450" /></a></center>

<p><br />
<strong>Books!</strong></p>

<p>I am excited to announce (a little ahead of the official word) that 2 books to which I've contributed will be released during RSA!</p>

<p><em>Data Breach and Encryption Handbook</em><br />
<a target="_blank" href="http://www.abanet.org/abastore/productpage/5450059">http://www.abanet.org/abastore/productpage/5450059</a></p>

<p><em>Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists</em><br />
<a target="_blank" href="http://www.abanet.org/abastore/productpage/5450058">http://www.abanet.org/abastore/productpage/5450058</a><br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/rsa_2011_books_talks_and_where.html</link>
         <guid>http://www.secureconsulting.net/2011/02/rsa_2011_books_talks_and_where.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">books</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">RSA</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">schedule</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">talks</category>
        
         <pubDate>Tue, 01 Feb 2011 21:35:25 -0500</pubDate>
      </item>
      
      <item>
         <title>ShmooCon 2011 After-Report </title>
         <description><![CDATA[<p>I don't attend many hacker cons because, quite frankly, I'm not really the hacker type. No, no... it's true... I'm more of the corporate wonk type with a penchant for strategy, architecture, policies, and the like... all important things in infosec, but things that are not generally featured or of interest to hacker cons. Nonetheless, I go, hoping against hope that I'll see something interesting and that at least a couple talks won't be so poorly constructed or delivered that I'll either flee or fall asleep.</p>

<p>For this year's hacker con adventure I opted to attend ShmooCon, which I think I'll now add to the annual schedule (especially given the low cost and easy proximity). It was a decent experience with the requisite number of "omg we're so screwed" moments, coupled with all the social attributes necessary to make the event fun. I learned a few things, but mostly have ideas for the future. As is typical of my previous experiences attending a specific con for the first time, I know that my next attendance of the con will be better because I'll know the ropes a bit and have my expectations better adjusted.</p>

<p>So, without further ado...<br />
</p>]]>
		      <![CDATA[<p><strong>Venue</strong></p>

<p>The event was held this year, for the first time, at the Washington Hilton Hotel, which is <a target="_blank" href="http://en.wikipedia.org/wiki/Reagan_assassination_attempt">where Pres. Reagan was shot in 1981</a> (if you look at the pictures there, this shows the entrance at the Terrace level where the conference was held). From that perspective, it was kind of interesting/curious/surreal to be at such an historic place. But I digress...</p>

<p>The Hilton was recently remodeled, touting highly limited sight-lines everywhere, and overall the venue seemed to be very nicely appointed. There were, however, a few oddities. The main ballroom where the opening talks were held, and which was later split "in twain" (to quote King Bruce), was less than ideal. As <a target="_blank" href="http://twitter.com/jack_daniel">Jack Daniel</a> said, "Every seat has an unobstructed view. Of columns." These two rooms were, as a result, long and narrow, making it hard to read slides from the back, not to mention the challenge of finding a speaker amongst the obstructions.</p>

<p>Another oddity was a very narrow corner around the outside of this ballroom area. There is a 6' choke-point corner that tended to make a real mess of people moving between the vendor space area and the contest area. This was perhaps more an annoyance than a "problem," but it's something that stuck out.</p>

<p>And, lastly, given all the curves and corners, designed to reduce sight-lines to protect dignitaries, navigation was at times confusing. The third track of the con was in the International Ballroom West (which we're not certain was actually on the west side), and getting there from the main area was at times a bit disorienting.</p>

<p>Perhaps the biggest negative to this venue, though, was how stringent security was about clearing areas when they closed. People were apparently rushed out of the main conference area Friday night when it was deemed "closed" (effectively killing some hallwaycon chats), and we also found that when the lobby bar closed on both nights, security then promptly stepped in and, in no uncertain terms, told us to leave. Note that this is an open area that adjoins seats in the lobby area. I think that, in part, they were creating open space for the cleaning staff to work, but overall it was just not a positive thing. Events like these thrive on the social aspects, where many of the best discussions occur outside of the formal tracks. To have those chats forcibly interrupted by an overzealous staff was off-putting.</p>

<p><strong>Talk Content Quality</strong></p>

<p>I'm increasingly incensed by the lack of adequate training and preparedness that speakers display at conferences. On the one hand, the technical content is usually very sound, but the presentation of that content more often than not leaves a lot to be desired. If these conferences prove one thing, over and over again, it's that being super-smart does not immediately translate into being a good public speaker.</p>

<p>Overall, I was a bit disappointed in the selection of talks. It seemed like there were a lot of talks on mobile security (Android, specifically), as well as on removable devices (e.g., USB pendrives). While I'm sure it was all very interesting, it was very hard to sort through and pick who would be best.</p>

<p>By the way, as I think about content... what in the world has happened to Mudge? I feared the worst, and I can only conclude my fears have been realized... my comment to a couple people ahead of time was "I'll be curious to see just how filtered he is now," and I was unsurprised, yet disappointed, to be right in my implicit assumption that DARPA has fairly well muzzled him. The whole thing was kind of disconcerting...</p>

<p><strong>Schedule</strong></p>

<p>I really liked the schedule format that was used, and I think this should be called out as a great strength. A 10am start on Saturday and Sunday was wonderful after a late night. The mid-day Friday start was also nice, allowing me (a local) to miss the morning commuter traffic. Having the firetalks on Friday and Saturday night was also great, although I was a little disappointed that I wasn't then able to attend the official ShmooCon party (despite having a wristband, which I later gave to someone else). I could have attended the party, but by the time we made it to the hotel lobby after the firetalks, people were already filtering back from the event indicating that free drinks were mostly gone. Ah, well. Suffice to say, it was a good structure.</p>

<p>If I were to make one quip, though, it's this: I don't think the "Build It" track was either named right or filled with the right talks. I dunno, maybe it's just me, but when I think of the "builder" vs "breaker" dichotomy in infosec, it doesn't map to the talks scheduled. In my mind, if the "Build It" track was mapped to the "builder" sub-culture, then it would have been a bunch of anti-hacker-con-cliche talks. Ya know... my kind of stuff! :) Instead, I think maybe the "Build It" track was supposed to be about things that were built, but then again, not all talks actually seemed to follow that rubric... I dunno... whatever... as you can see, I've clearly not reconciled it yet, even.</p>

<p><strong>People/Socializing</strong></p>

<p>My favorite part of any conference these days is meeting people, watching people, and just generally being around people (I told you I wasn't a "hacker"!). Hacker cons always bring out a special sort, too. It was a lot of fun hanging out, seeing folks, and counting the utili-kilts. I also amused myself by watching the stares and double-takes of non-con people in the hotel as various con attendees wandered about. It's really quite remarkable how thoroughly a hacker con can take over a venue! :)</p>

<p>Anyway...<br />
Will I go back to ShmooCon again? Yes.<br />
Is there room for an improved experience? Definitely!<br />
Did the Potters do a good job? Absolutely!<br />
Was the venue perfect? No, but then, what venue is?<br />
Were the talks great? Not really, from the ones I saw, but others saw different talks and disagree. *shrug*</p>

<p>See you next time ShmooCon!<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/02/shmoocon_2011_afterreport.html</link>
         <guid>http://www.secureconsulting.net/2011/02/shmoocon_2011_afterreport.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">infosec</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">musings</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">2011</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">infosec</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">musings</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">ShmooCon</category>
        
         <pubDate>Tue, 01 Feb 2011 20:28:20 -0500</pubDate>
      </item>
      
      <item>
         <title>A Fictitious Story (Shmoo+Snow=Conspiracy!) </title>
         <description><![CDATA[<p>While shoveling snow this evening I occupied myself by composing the following... :)<br />
</p>]]>
		      <![CDATA[<blockquote><strong>Authorities Investigate Con Organizers</strong>

<p>Federal authorities opened an investigation Thursday into the local organizers of the "ShmooCon" security conference held in the District each year. Agents suspect the Potters of tampering with, or otherwise compromising, the super-secret government weather machine, causing copious amounts of snow to fall on the DC metro area in conjunction with the annual event.</p>

<p>Authorities first began to suspect a connection between the major snowfalls and ShmooCon in 2010 when a pair of storms bookended the event. Such quantities of snow are not generally considered to be normal for the area, and someone pointed out that "this wasn't the first time" that a major snow had occurred around the time of the event. This week's snowfall, which left hundreds stranded without any way to order a Hoffacino from their local Starbucks, has confirmed investigators' suspicions.</p>

<p>Self-described "security curmudgeon" Jack Daniel (possible alias) commented that "snows like this are more normal on the Cape," referring to his home neighborhood in the Boston, MA, community. When pressed, he acquiesced that if there <em>was</em> a super-secret government weather machine, then it was probably networked and easily hackable. While he did not overtly indicate the Potters, he did relent and admit that ShmooCon and the associated Shmoo Group do have a reputation for being notorious hackers who may be capable of such a feat. He also recommended that maintainers of the alleged super-secret government weather machine should invest in product from his employer, <a target="_blank" href="http://www.astaro.com/">Astaro Internet Security</a>.</p>

<p>When questioned, the Potters decried the allegations as a massive right-wing conspiracy, lamenting "Why won't you feds just leave us alone already?!? Can't you see we have enough problems getting all this schwag to the venue??" Federal agents declined to comment on why the Potters' home was the only one in a 30-mile radius to not be plowed-out after the storm. In fact, some reports suggested that snow was intentionally plowed into their driveway, though this could not be confirmed.</p>

<p>In response to the Potters' counter-allegations, former President George W. Bush chortled and snickered, then referred journalists to consult with "ol' Dicky boy" and "red rover, red rover, send Karl right over." Former veep Cheney was unavailable for comment and rumored to be holed up in his underground lair counting the money saved by foisting all blame for the <em>Deepwater Horizon</em> oil spill onto BP.</p>

<p>Former Bush advisor Karl Rove did answer calls about the alleged right-wing conspiracy. In response, he suggested that this was, in fact, a left-wing conspiracy perpetrated by environmental extremists and pointed to the "conveniently coincidental timing of Keith Olbermann's departure from MSNBC." Olbermann's location was unknown when this article went to press and thus was unavailable for questioning. Mr. Rove also implied a potential connection to WikiLeaks and Julian Assange while also mumbling something about "advanced persistent threat" and "Obama" under his breath (a connection was not immediately apparent).</p>

<p>At the end of the day, authorities seem convinced of the Shmoo/snow connection and promised to hold the Potters as long as necessary. Charges of obstructing merriment were being considered, along with allegations of domestic terrorism, correlating the impact of the snow storm to a weapon of mass destruction. Formal charges are pending completion of the formal investigation. It's expected that ShmooCon will proceed this weekend as planned, despite the act of nature (or sabotage). However, attendees should be prepared to be subjected to full-scale TSA "naked scanner" assessments. Attendees found to not have their barcodes tattooed to themselves in metallic paint will likely not be admitted.<br />
</p></blockquote>

<p>Hope to see you at ShmooCon! :)<br />
</p>]]></description>
         <link>http://www.secureconsulting.net/2011/01/a_fictitious_story_shmoosnowco.html</link>
         <guid>http://www.secureconsulting.net/2011/01/a_fictitious_story_shmoosnowco.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">humor</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">miscellaneous</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">creative</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">fiction</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">humor</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">ShmooCon</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">writing</category>
        
         <pubDate>Wed, 26 Jan 2011 20:24:14 -0500</pubDate>
      </item>
      
   </channel>
</rss>

