drumiller

April 17th, 2008
RSA: Group Dynamics


So, finally recovering from RSA 2008, enough to give some brief observations of this year's conference. This time I'll start with some of the social observations.

Group dynamics:

One of the things about RSA is that it's an interesting mix of groups competing for attention and recognition. You've got the academics, who are giving the smack down on the next generation of crypto attacks and workarounds (looks like the SHA family may get retired soon). There are the technical security geeks, who are working out all the kickass attacks against the infrastructures that the product peddlers are pitching to enterprises as the silver bullet for security and compliance. Then there are the CISO/CSOs and other business middle management trying to work out how to navigate the swarm of buzzwords and hype both in the expo and in the technical tracks.

The technical security geeks are for the most part trying really hard not to rag too heavily on the commercial products out there, because most of them work for someone who might get offended. They're also really bumming because they would much prefer giving this presentation at DEFCON/Black Hat/CCC and staying up til 3AM with proper hackers. They can't drop the f-bomb or call a product or technology a complete piece of shit, though sometimes they slip up.

The product peddlers are all calling like fishwives that their product will magically cure your enterprise of security woes. Of course that'll probably require a professional services agreement, and a couple advances of six to seven figures. You have the staff for that, right? If not, we can put you in touch with a nice group for outsourcing some of that work, as well. They're under the mistaken assumption that anyone in the financial services industry has a flush budget this year, and wilt when the news and attendant shaking of heads occurs. Well, there's always the 2009-2010 budget allocation...

The academics are generally burbling around, playing with the shiny schwag and ogling the few remaining misogynistic marketing enticements ("booth babes"), or closeted with high-level business people and peers running over the latest bombshell someone just dropped on a protocol exchange attack. Mostly harmless.

The government crowd has their reality distortion field in full effect: negating the technical security geek observations and findings, suppressing the impact of the academics' attack on their latest approved vendor technology and unable to realize that companies operate with fewer than fifty people to a department. They toss out TLA bombs and GAO report findings as badges of merit. Your choice: oblivious or malicious?

The business crowd, slowly nomming away the core of academics and technical security geeks, rubs elbows with the partner companies, shakes hands with the "permitted vendors" and stares glassily at the milling crowd. Somewhere in this mix they have to find the appropriate vendor list and market buzzwords to take back to upper management on where they need to be/buy in the next 6-18 months. The well-funded take names and technology promises with aplomb; the less wealthy try to deconstruct the root of the offerings into cheaper point solutions that they can get past purchasing/upper management.

mood: amused
Dru gets a Mac and needs Help Thread

mood: chipper
music: they're coming to take me away