January 2011 Archives

While shoveling snow this evening I occupied myself by composing the following... :)

I'm currently actively involved in helping plan Security B-Sides Austin 2011, which will be in Austin, TX in March (see here for more info). As I go through this process with my cohorts, I've had a few thoughts occur that suggest we're perhaps reaching the crest of this wave of small conferences that have popped up everywhere.

Thoughts for OWASP Consideration...

Jeremiah Grossman got me thinking about this topic a few weeks ago when he posted his thoughts on OWASP. While I've been a supporter of OWASP for a few years, I only last year (in 2010) became a member and got involved with the local chapter. What I've found has been at times heartening, and at other times saddening. Attending AppSecUS and AppSecDC this year further perplexed me as I saw, on the one hand, people interested in promoting software assurance, while on the other hand there seems to be a lot of bickering, confusion, and strife over what the "right thing" might be. Since the OWASP Summit is coming up soon, and since the leadership team is asking for feedback, I thought I'd finally take some time to lay out my thoughts and suggestions.

The 2011 security conference season is upon us, with Black Hat DC already fading in the rear-view mirror. As I embark upon a busy couple of months, I can't help but reflect a bit on what is to come and question the value (perceived and real) of all this hoopla. Sure, I love getting the chance to travel a bit and catch up with friends whom I typically only see at these events, but beyond the social aspect, what's the value of the security conference?

If you haven't read the Threatpost article "U.S. Needs Cybersecurity Skunk Works, Expert Says" yet, then take a minute to do so. Go ahead, I'll wait.

Ok, back? Cool...

I have 3 responses to this article:
1) A "think tank" could be interesting, especially if implemented using the same biz model as In-Q-Tel uses.
2) If done, the government cannot be in charge of it in any way, shape, or form. Participate? Sure, but not in charge. Otherwise, it would be a complete, abject failure.
3) "policy makers and security experts don't even know which questions to ask, let alone what the correct answers are" - Ummm, well, let's see... sure, policy makers are clueless, but perhaps he's not talking to the right "security experts," because I'd like to think a number of us actually know the right questions...

Overall, I'm unsurprised by the lack of clue, but am still a bit disappointed. And this was the keynote speaker for Black Hat DC today. Oh, well...

Added bonus quote: "a wonk-geek coalition" - seriously? *rolls eyes*

Greetings and solicitations! We're pleased as punch to announce the 2nd annual Security BSides Austin 2011: Keep Security Weird! This year's event builds on the great success of last year's inaugural event, where we had about 75 people participating in multiple tracks on an awesome Saturday of security. This year looks to be even bigger and better, with a new venue, more space, and a lot more great content.

To make this event as awesome as possible, we need your help! Here's what we need:
  • Speak! The CFP is open. Please register and submit your talk, or just leave a comment if you don't want to register on the site.
  • Attend! Register to attend at http://bsidesaustin2011.eventbrite.com/
  • Sponsor! BSides events are free to attendees, which means we rely exclusively on sponsors. If you're willing to contribute, please drop us a note and we'll follow up. Sponsorship is a great way to make a low-cost investment in the industry while getting your name out there and associated with one of the hottest events around!

*NOTE: BSidesAustin is not officially associated with SXSW Interactive (though we'd like to be some day). That said, we are particularly interested in drawing developers to the event who might just happen to be in town for other reasons. There will be lots of excellent content, including some hands-on workshopping on AppSec. Please help us spread the word!!

How Does This Add Value?


This question, in short, summarizes my theme for the year. In chatting with a friend of mine a couple weeks ago (see his article "Move your security career forward by looking back") it occurred to me that I need to look back at what I've been doing and think about how I'm adding value. My short conclusion is that there's very little true value to be found in much of what I've done of late. Sure, my customers are happy, we've completed projects, and we've kept other projects moving forward, but to what end? In all the hustle and bustle of things, are we really making a measurable difference? And, as my friend Erin used to tell me back in my brief heyday as a security director, all the theory in the world doesn't mean much if you can't actually show what you've done.

Overall, I'm coming to believe that we've worked ourselves into a corner. We have great movements like Security B-Sides, but at the same time it seems like we're just talking loudly in the echo chamber. What are we doing to reach outside the community to, ya know, the people who actually need to do a better job with security? While I think there's potential value in revolutionizing the security industry, it only makes sense to do this if it helps us achieve our goals outside the industry.

2011: A Look Ahead

"The problem with the future is that it keeps turning into the present." (Hobbes)

This is not a prediction piece. In general, I think prediction tends to be rather silly. Instead, I'm hoping this will be an interesting read for you in terms of how I see the coming year. If you'll recall my version for 2010, I tend to be a bit more tongue-in-cheek than most on this topic, and this piece may be no different, though my tone in retrospect seems more serious than intended. ;)

Oddly Normal: 2010 In Review

Mark Evertz at Tripwire got me reflecting before the holidays on 2010. Given a little down-time over the holidays, I finally got a chance to think about it, too, and have the following thoughts.

Unlike most of my posts, I'm not going to take the time to annotate this entry. Also, in many places I may do the unthinkable and not expound much on listed items (try not to be too shocked). Pardon any inaccuracies, but at the same time consider that our perceptions of past events are oftentimes more important/"impactful" than the underlying facts. Much of the success of FUD can be explained in this way.

STRATFOR on Terror and Terrorism


This was too excellent not to share. This report is republished with permission of STRATFOR.

Separating Terror from Terrorism
December 30, 2010
By Scott Stewart

On Dec. 15, the FBI and the Department of Homeland Security (DHS) sent a joint bulletin to state and local law enforcement agencies expressing their concern that terrorists may attack a large public gathering in a major U.S. metropolitan area during the 2010 holiday season. That concern was echoed by contacts at the FBI and elsewhere who told STRATFOR they were almost certain there was going to be a terrorist attack launched against the United States over Christmas.

Certainly, attacks during the December holiday season are not unusual. There is a history of such attacks, from the bombing of Pan Am Flight 103 on Dec. 21, 1988, and the thwarted millennium attacks in December 1999 and January 2000 to the post-9/11 airliner attacks by shoe bomber Richard Reid on Dec. 22, 2001, and by underwear bomber Umar Farouk Abdulmutallab on Dec. 25, 2009. Some of these plots have even stemmed from the grassroots. In December 2006, Derrick Shareef was arrested while planning an attack he hoped to launch against an Illinois shopping mall on Dec. 22.

About this Archive

This page is an archive of entries from January 2011 listed from newest to oldest.
