Feb. 16th, 2005

fishsupreme: (fishsupreme)
And now I shall continue my writeup of the exotic and exciting RSA conference. Okay, so perhaps not exotic and exciting, but I'm enjoying myself here.

My day began at 6:50 once again. After being awakened yesterday by something that sounded like an order for all hands to abandon ship, this time I set the alarm to radio only, at a reasonable volume, and tuned to an actual radio station. Not nearly as pleasant as being awakened by my wife, but far more pleasant than waking up feeling like I needed to man a lifeboat.

I skipped breakfast in the hotel, because I had discovered yesterday that they had breakfast, free, at the conference. Of course, today they didn't have free breakfast at the conference, but that was fine since I could just buy a cheese danish at the coffee shop, which I did. I walked into the convention hall for the first session of the day, "To Regulate or Not To Regulate - That is the Question."

This was a panel discussion by the aforementioned Bruce Schneier, representatives of two industry associations, Harris Miller and Rick White, and Dick "fired by the Bush Administration for saying things they didn't want said" Clarke. It quickly became an argument, with the industry association representatives arguing for no regulation ("There's a surprise," said Clarke), Clarke arguing for a moderate regulatory approach (basically enforcing on companies the agreements they made with Michael Powell but didn't actually follow through with, as there was no enforcement provision), and Schneier arguing for a full employment act for lawyers (making software companies liable for all losses due to security bugs). Schneier's proposal seems particularly daft because software companies aren't really "at fault" for the issues except in a very distorted sense -- it would be like holding automobile companies at fault for car thefts, or home builders at fault for burglaries. No, the thieves and criminals are at fault, and companies' liability doesn't enter into it unless they're clearly negligent. I think everyone knows where my stand would be on this, since there are almost no cases in which I support regulation of anything.

The second session was by John Chambers, CEO of Cisco Systems, and was entitled "Building and Securing the Intelligent Information Network for Competitive Advantage." It was basically a sales pitch for Cisco's integrated suite of products, in which you have a Cisco product on your network no less than every five feet. You buy one Cisco product for firewall, one for intrusion prevention, one for routing, and then you buy an add-on module for your router to detect denial of service attacks, and then you buy a different add-on module (I'm not kidding) for your router to actually deal with denial of service attacks the first module detects. Why you would buy one without the other I have no idea. Then, once you have Cisco stuff everywhere, you have wonderful monitoring and management of your safe, expensive, all-Cisco network. Hurrah. It wasn't much of a speech if you weren't trying to build a network right then, this morning.

The third session was by Russell Artzt, VP of Computer Associates, and was entitled "New Realities in Security Management." I don't really remember much from this speech, and didn't take any notes on it, which leads me to believe it was not exactly revolutionary. Mainly he talked about how Computer Associates is focused on the enterprise, and demonstrated how their software works together to bring basically all management and reporting of anything anywhere into one convenient user interface, which was, bafflingly since it's not 1997 anymore, web-based. It's kind of cool but I'm always dubious of such integration schemes -- it seems that every time I encounter one it integrates everything in the world except for something I happen to have, or it runs into the universal remote control problem -- "you can throw away your old remotes, as long as you don't need to press any of the less-common buttons." But integration seems to be a big theme for this year's conference; everyone is talking about innovating through greater integration, both horizontal and vertical, through both software and hardware. Apparently integration is good as long as it's done by anybody but Microsoft.

Next, we had Marc Willebeek-LeMair, CTO of intrusion prevention system (glorified firewall) manufacturer TippingPoint Technologies, which was just snapped up by 3Com, to their shareholders' delight. His speech was remarkably like yesterday's Radware presentation -- a thinly veiled advertisement for the TippingPoint IPS that essentially took their product brochure and phrased it in the form of questions and answers as to what an IPS should do. He also took some unnecessarily brutal digs at Cisco and McAfee that were apparently supposed to be funny but basically fell flat, since they were bitter hostility without explanation -- geeks love hating things, but we need a reason to. All in all, a waste of 50 minutes.

Finally, we had the most interesting presentation of the day, futurist Paul Saffo, who called his presentation "What's After Information, And What It Means For Security." He examined the predictions of the last fifty years, and what came true, and what didn't. He made the same observation that many others (me, Ray Kurzweil) have -- that we as a society tend to overestimate the impact of technology in the short term, but underestimate it in the long term. Looking at the recent tech bubble, we overestimated the impact of the Internet (expecting a New Economy overnight), got disillusioned by the bubble bursting, and are now underestimating what's coming. His actual predictions were necessarily vague, but they revolved around the difference between a technology and a medium -- how something explodes when it actually becomes mainstream media. The big upcoming technologies for him are RFID and robotics -- the idea that we can actually store and index the physical world rather than just the virtual. Interesting facts: 2/3 of the people who own a Roomba give it a name. More than 30% have taken it to someone else's house to show it off. The majority of the cameras sold today are part of cell phones.

After that was lunch. Sarah and I had different schedules today, and Himani wanted more Indian food, so I was on my own for lunch and went over to Quizno's. Mmmm... sandwich.

After lunch we had the sessions. The first one I went to was by Ira Winkler, and was unnecessarily melodramatically entitled "Secrets of Superspies." It was actually about penetration testing and social engineering, peppered with Alias references that, not having watched TV in four years, I didn't get. The talk was unenlightening yet entertaining -- Winkler was a former NSA employee who has since moved on to penetration testing of enterprises (think the main character in Sneakers, and you basically have what he does -- companies pay him to break into them). Both employments give him a large number of interesting anecdotes, and basically the session was him relating them. The NSA in the late 1980s was as bad at information security as everyone else -- when he was locked out of his workstation, the workaround given to him by the helpdesk gave him root access. National security secrets were stored on floppy disks, in boxes, sitting on desks. And when it comes to penetrating enterprise security, the weakest link is almost always people. Get a job as a temp, or just pretend to be an employee, and you're in; people will hand you the keys to the kingdom if you act like they belong to you. This is stuff I know; it makes for entertaining "how dumb can they be!?" stories, but it won't help me do my job.

The last session of the day was entitled "Repelling the Wily Insider," a reference to the phrase "wily hacker," which shows up constantly for no adequately explored reason (why are they always wily?). I was expecting something about security measures against malicious insiders, who are normally able to bypass conventional measures with ease -- much of information security is outward-facing. For instance, firewalls are useless against insiders; they're behind the firewall. However, it was really less about malicious insiders than about clueless ones -- not the disgruntled employee who wants to hack your company, but the dumb one who gives out company secrets in phishing mails, or downloads spyware at work. Clueless, well-meaning insiders bring external threats inside, where the security isn't, and these insiders are (according to one of the presenters, the chief security officer of ConAgra Foods) the #1 threat to a modern enterprise network. The overall problem is that "we're good at lines in the sand, but bad at levels of trust" -- we tend to give insiders more access than they need, because we emphasize allowing them to do their job over keeping them from doing harm. What's more, malicious insiders are a problem, too -- 80% of reported computer crime is by insiders, and the real number may be higher, as companies aren't likely to report it. It's embarrassing.

Interesting takeaways: Social engineering is hard to stop because it depends on nothing more than human nature. It relies on people's desire to be helpful, tendency to trust others, and fear of getting in trouble. These things cannot be corrected, not that you would want to change them. People use identity as a substitute for authentication and authorization -- just because you know who someone is doesn't mean they should be able to do whatever they want. Extranets (partially trusted networks for partners and vendors) are often woefully untested, and getting legitimate extranet access is often easy for potential attackers and is a given for insiders. Internally developed applications are similarly often untested for security. The presenters' recommendation on what is the most effective use of your security dollar? Train employees on recognizing social engineering and how to avoid careless compromise of security. It's better to give a little training to everybody than a lot of training to security specialists; hopefully the security specialists aren't the problem in the first place. Also, in awareness programs, give examples, use anecdotes -- if you tell people not to leave their laptops in their cars, they'll forget. If you tell them about the time an insurance company employee left his laptop in his car, it got stolen, and the company was required by California law to notify every customer whose data was on that machine that their data had been stolen, at a cost of millions of dollars and thousands of lost customers, they'll remember. The "how dumb can they be!?" stories stick in people's heads.

I wasn't hungry after the conference, as I munched on junk food that was given away free by half the booths at the conference. During breaks between sessions, and one time period where none of the sessions especially interested me, I went to the expo hall. There are a lot of interesting products there, and companies are really big on integration right now. I picked up a three-inch-thick pile of papers, some interesting for work, and some just interesting to me personally. Two observations that amused me, but won't go into my writeup of the conference for work:

1.) Though this is a very professional conference and not the sort of place where companies do this kind of thing, there was, in fact, one honest-to-God booth babe. (For those who don't frequent tradeshows, booth babes are people whose sole purpose is to be eye candy and draw people to the booth, and who don't actually know anything about the product at all.) The policewoman in a blue spandex dress belonged to CyberGuard, who apparently sells network intrusion detection systems.

2.) When you're on the expo floor, people hand you stuff constantly. If you're talking to someone, he's shoving pamphlets into your hand. When you walk by people, they try to talk to you, to get you interested in their product. Some people just shove leaflets at anyone nearby. When I walked out of the conference center to go get lunch, there was a very attractive woman standing outside who offered me a leaflet, which I promptly took without thinking. It turned out to be an ad for the Gold Club (not work safe) across the street. It was reminiscent of walking down the streets in Las Vegas, where smut peddlers offer you cards and leaflets of porn every five feet. I was very amused to realize that after spending an hour or two in the expo hall, I probably would have taken a live squid had someone decided to offer me one.

And now, it is 11:00 and thus time for me to go to bed; I have another bright and early 6:50 wake up tomorrow morning. Tomorrow's exciting update will include a panel discussion on digital music and movie piracy, keynotes by a VP of Sun and the CEO of VeriSign, and sessions on crime, forensics, and network management.
