Archive for April, 2008

I had an excellent time in San Francisco at RSA Conference 2008. This was my second RSA conference, and now I think I know how to use my time most effectively. It helps that RSA provides a great session calendaring tool beforehand, copies of presentations on a custom thumb drive, and audio podcasts of all sessions to conference attendees afterwards.

This time around, other than the keynotes, I spent a lot of time in the professional development, law & ethics, business trends, and hacker I and II sessions, among others.

The keynotes are available to the public. The opening keynote addresses by Art Coviello from RSA and John Thompson, of Symantec, were energizing and informative.  My personal favorite though was Malcolm Gladwell’s.  I’d read Tipping Point, and got a jump on the book signing gig afterwards.

Malcolm paced to and fro across the stage, moving his hands to accentuate points, as he talked about how too many linear, academic, formal, logical, business-like decision processes result in poor decisions, how our judgment can be overwhelmed by too much information, how less can be more, and about honoring learned intuition and trusting one’s gut.

I made so many new friends and business contacts, the trip was, and will be, well worth it! I also managed to avoid the Olympic Torch mania and just missed seeing it as it snuck about two blocks from my hotel during early afternoon.  Apparently, the torch and delegation slept across the street from my hotel, so I did get to see some of the fracas.

Things to think about ~ the scary state of SCADA security. Ask Ira Winkler… As Ira talked about how vulnerable the power grid is, despite repeated warnings, etc., I wondered how many al-Qaeda affiliates were attending ~ I mean, for the mere price of US$1,400 or so, one could gain admission. Nothing secret or technical was revealed, but in terms of social engineering and espionage, RSA Conference is a goldmine.

As Ira talked about the difficulties in working with utilities to patch or upgrade older systems, he also spoke about how the technology that controls these various systems went from analog to digital and Internet-connected for remote access, while the mindset evolution wasn’t as rapid. Another element working against security progress is that many systems are interconnected to wheel power more efficiently and profitably; they are aware of when other low-cost power is available and they trade for it without serious consideration of the security risks of connecting disparate systems.

It struck me that what’s needed is a different model, one that says in essence ‘I’ll buy from you, but only if your system is secure enough’, meaning that the risks should be relative to the profit potential. From a shareholder perspective, this strategy minimizes uncertainty over time and should work to smooth profit variance.

While I was herded into the keynote address sessions, I wondered about how many electromagnetic countermeasures were in place, especially when Al Gore or Michael Chertoff were speaking, and CEOs Art Coviello or John Thompson. All would be targets of opportunity, and we attendees, as members of ‘Turing’s Tribe’, were all issued identical conference backpacks ~ just the thing for a suicide bomber who wants to look like a killer bee in black and yellow.

Security didn’t seem too concerned, and I did see serious young people with earpieces trying to look innocuous. I’m betting there were jammers all over that place, probably a veritable Faraday cage near the stage.

One day, I ate the best Quiche Lorraine I’ve ever eaten, at Café de la Presse.


Some folks think I write well enough that I should blog. After some minor cogitation, I thought I’d give it a go, just for a place to write my thoughts on information security, risk management, ‘ethical hacking’, and other notions that flit across my synapses.

I’ll try to keep it fresh and real.

Please comment on my comments!
