I have been fortunate enough to be picked up by several CFP of great conferences, which basically gave me the opportunity to participate at conferences I wanted to go to anyway, as well as to present some of the research in the CyberCrime/CyberWar field.
After BlackHat Europe (see related post), I will be speaking at:
ph-neutral – Basically the real deal… If you are FoFX (Friends of FX) expect to rub shoulders with some of the world’s best security experts
AthCon – A new regional conference in Greece, close to home, sponsored by some great guys from encode, and a very interesting lineup of speakers.
FIRST Conference – If you have ever dealt with incident handling, CSIRT, CERT, and alike, this is the conference to be at. A whole day workshop, and 5 full days packed with great talks in sunny Miami. Can’t go wrong…
BruCON – Brussel’s local security conference. Last year has been EPIC (so I’ve heard from authoritative sources 🙂 ) and this year is shaping up to exceed the expectations!
These are the confirmed ones for now…
Also check out the following conferences which I plan to attend (i.e – are cool and have great content):
DefCon, BlackHat US, BSidesLV – you better know these by now…
ExcaliburCon – THE security conference in China. Held at WuXi (not far from Shanghai), and offers a great mixture of local (Chinese) hackers and international ones. Spoke there last year, if you are looking to expand to the Chinese market this is the conference to be at (and sponsor!).
This is going to be painful, so hold on.
Instead of mumbling short tweets about things I think that suck, I decided to keep everything in and just formulate a post on it.
This post is a rant. It’s a complicated rant by an “old” guy (my excuse for cynicism) in the industry who’s had a chance to see a lot going. Disclaimer: I’m going to give some examples here, real life examples from my own experience in the security industry. Some are from my consulting days, some from the vendor days, some from freelance and other gig days. If you think you are someone who I’m describing here – you probably aren’t. On the other hand, if you can recall some snotty smart-ass dude come into your company wearing orange bermuda pants (swear to god) sandals and (hold it) silver toenail polish (I was going through something back then), telling you how badly your security sucks and leave a single pager report on it showing gaping holes in technology and processed, well, I’m sorry…
Disclaimers aside, down to business.
What have we learned over the past decade in the security business – let’s see: AV is pretty much the same as it was in 2000 (which is the same as it was in 1990, you get the point). Firewalls do pretty much the same give or take a couple of useless protocols that nobody needs. Oh, oh, I know (yeah – I can hear you from the back of the room) – WAF!. Well, WAF right back at you. Doesn’t work, didn’t work back in the days when it took 3 days to configure it for a small site, and still doesn’t do much good other than the simple stuff (which you can get for free at ModSecurity).
We have almost no technological advantage over what we used to have 10 years ago. So, you must say, we learnt that we as security people must have gone through so much that we manage and deal with the risks and threats much better. Yes, that’s a tear at the corner of my eye. How much I wish you were right.
The same people who I used to see so excited by their newfangled CxO title and their big office 10 years ago, who didn’t know what to do in order to do their jobs, are not doing any better than most companies nowadays.
Then, just like now, they are still trying to find the right “stuff” that’s going to save their world if they just buy/lease/license it and install it in a shiny new rack. Now, just like then, we are focused on finding “vulnerabilities” and categorizing them “high, medium, low” (or whatever scale that doesn’t mean anything) in our networks, operating systems and applications. Then, just like now, we can’t tell the difference whether a threat will render our business useless, rob us blind, or just evaporate like a baby hiccup with a faint noise of “FUD”.
I meet a lot of talented young (and old) security people, they are all bright-eyed, bushy-tailed and ready to fight until the last drop of blood over what they were trained/self-taught/researched. And I envy them. I envy the ability to just disconnect, to adapt that tunnel-vision that allows them to dig right in to the utter abyss of a technical challenge. I also meet a lot of people with broad vision of how security should be. They have forgotten the technical mumbo-jumbo the kids are talking about today. “Sea surf? Yeah! I remember surfing when I was a kid…”, “Sequel? Which one? I thought the matrix series was over…”, “But let me tell you about my new world cyber-peace strategy…”. You get the point.
And don’t even get me started on all these certifications that everyone goes after. The sad fact is, these things have kept us back from thinking differently. They boxed us into whatever the course/certification/training is trying to cram into us on a technical level, and basically leave it at that. It created a 400 pound gorilla of money sucking industry without really giving us back any more talent. Most of my friends in the industry have some kind of certification (or two, or ten), but I still call them friends not because the number of certs they have on their business card, but because I know they don’t really need these certs to be professional security people.
What I’m still struggling with is the middle. I have always been looking for the middle (even as a kid – “your son is about average, but he’s got great potential” was a recurring parent-meeting slogan through all my school years). The middle which have built itself over the foundations of technical research, got their hands dirty in pen-tests, trying out new products, breaking stuff left and right, losing once in a while to get their bearings right. The middle who didn’t get blinded by a new management position, and kept relatively up-to-date on what’s going on. The middle who didn’t skip last year’s DefCon/BlackHat/Shmoocon/[your-favorite-con] talk because he thought it was some passing fad (and didn’t want to admit that it’s just too darn complicated for them to get into new stuff). The middle who took up looking at how the business works. From the numbers, through the sales, operations, tech-support, client meetings, competition and the board-room decisions. We forgot that this middle is our only chance to make progress, because this middle can translate the latest threat to numbers. Numbers that not only the CIO/IT guy can understand, but the CFO, the accountant, the COO and the order fulfillment guys can understand. The real impact on the business. With numbers, with a strategy on how (if ever) to address it, with an understanding that it might not be the latest and greatest gizmo that we need here, but something much simpler. An old solution, a tweak here and there – in a product, or a business operation. A quick chat with the procurement department on how they process stuff, or a change in the way that the sales organization works in the field when they run off to customers and meet the competition.
I find myself trying to fit in the middle too many times. I’ll admit it – I didn’t think of a middle back when I started getting paid for breaking things, but I saw the middle. I haven’t figured out the right terminology until 6 or 7 years ago for this middle. But darn it! (imagine what I held back until now…) I like that middle, and unfortunately (or fortunately as my accountant would say) we are still bad at filling that middle. We still haven’t bridged the gaps between the techies and senior management (I’m obviously generalizing, but look at your average F-100 company – you’ll get it…). Between the millions of dollars we spend on the wrong things, and the vague strategies we build on top of them to fend off auditors and boardroom questions.
Let’s get the good guys from both sides back to the middle. Let’s get the techies some business training, dress ‘em up nice and give them the tour. Let’s send our CxO’s to DefCon for a refresher on how things are done these days. There’s no shame in learning. If I find a day in which I didn’t have a chance to learn something new – technical, financial, political, strategy or disassembly, I feel wrong. Let’s justify our overpriced salaries and really make something out of it. We were used to be paid to think outside the box, and all we did since we started getting paid is to paint the box in crayons.
Break the box. Down to it’s nails and planks. See what makes it tick. Reassemble, open, get out, close it, and think how to make it better.
p.s. – what’s with the parenthesis you ask? well, that’s just how I like to write, and besides – it leaves room to put things in the middle 😉
It’s been a very productive couple of days here. Quite a lineup for this version of the BlackHat briefings out here. I had the great fortune of speaking right after a fantastic opening by Jeff Moss (BlackHat founder and director) and Max Kelly (Facebook’s CSO) that just set me up perfectly – both discussed elements of attribution, deniability when talking about proxied attacks through certain countries, and how money is the driving force for all Cybercrime.
The talk went fairly well, and the responses I got afterward was favorable all around (if you were too shy to put me on the spot or complain feel free to do so here or on my email… all feedback will be highly appreciated). For your viewing pleasure, I am including the most up-to-date slides that I used for the talk here: CyberCrimeWar-BHEU2010.pdf