May 2008
4/17/08 12:10 pm
Dru gets a Mac and needs Help Thread
mood: chipper
music: they're coming to take me away
4/17/08 11:43 am
RSA: Group Dynamics
So, finally recovering from RSA 2008, enough to give some brief observations of this year's conference. This time I'll start with some of the social observations.
Group dynamics:
One of the things about RSA is that it's an interesting mix of groups competing for attention and recognition. You've got the academics, who are giving the smack down on the next generation of crypto attacks and workarounds (looks like the SHA family may get retired soon). There's the technical security geeks, who are working out all the kickass attacks against the infrastructures that the product peddlers are pitching to enterprises as the silver bullet for security and compliance. Then there are the CISO/CSOs and other business middle management trying to work out how to navigate the swarm of buzzwords and hype both in the expo and in the technical tracks.
The technical security geeks are for the most part trying really hard not to rag too heavily on the commercial products out there, because most of them work for someone who might get offended. They're also really bumming because they would much prefer giving this presentation at DEFCON/Black Hat/CCC and staying up til 3AM with proper hackers. They can't drop the f-bomb or call a product or technology a complete piece of shit, though sometimes they slip up.
The product peddlers are all calling like fishwives that their product will magically cure your enterprise of security woes. Of course that'll probably require a professional services agreement, and a couple advances of six to seven figures. You have the staff for that, right? If not, we can put you in touch with a nice group for outsourcing some of that work, as well. They're under the mistaken assumption that anyone in the financial services industry has a flush budget this year, and wilt when the news and attendant shaking of heads occurs. Well, there's always the 2009-2010 budget allocation...
The academics are generally burbling around, playing with the shiny schwag and ogling at the few remaining misogynistic marketing enticements ("booth babes"), or closeted with high level business people and peers running over the latest bombshell someone just dropped on a protocol exchange attack. Mostly harmless.
The government crowd has their reality distortion field in full effect: negating the technical security geek observations and findings, suppressing the impact of the academics' attack on their latest approved vendor technology and unable to realize that companies operate with fewer than fifty people to a department. They toss out TLA bombs and GAO report findings as badges of merit. Your choice: oblivious or malicious?
The business crowd, slowly nomming away the core of academics and technical security geeks, rubs elbows with the partner companies, shakes hands with the "permitted vendors" and stares glassily at the milling crowd. Somewhere in this mix they have to find the appropriate vendor list and market buzzwords to take back to upper management on where they need to be/buy in the next 6-18 months. The well funded take names and technology promises with aplomb, the less wealthy try and deconstruct the root of the offerings into cheaper point solutions that they can get past purchasing/upper management.
mood: amused
4/10/08 05:19 pm
OMG! Ponies!
( I am made of Win! )
4/8/08 06:15 pm
RSA this week
At the RSA security conference this week. While it's less dramatic and shiny than something like DEFCON or a Black Hat briefing, I can actually convince the company to send me to this conference (mass transit to conference, no hotel? Ok.) Sometimes I really do feel like I work for some sub-department of the Laundry, without all the cool magical underpinnings.
I'll have a con report afterwards, but for now, let me just say that I'm always both thrilled and terrified by the attendee population. I got to listen to Bruce Schneier's annual state of thinking speech, which was nifty.
Now excuse me, I have to go write my daily allotment of prose before all of my remaining grey matter curls up in a quivering mess. Oh, and super limited email and LJ activity as I'll be there for about 10 hours a day and then transiting for another 2. Bleagh.
music: Noir Desir
2/12/07 06:23 pm
security nightmares
It will be a few days before I can get to any coherent thought out on the conferences and my promised ramblings. I've been having security geek nightmares around the issues talked about last week. Never give an analyst more information threats and larger unknowns. Eeep.
Anyone know a free network visualization tool? I need to group, map and display the current infrastructure. Hand-visio or similar won't work, as I'm talking about addresses scattered over the entire RFC1918 space. Then I have to correlate that map to threats in the enterprise. I need something that can eat XML or CSV data.
Writing is stalled, mostly due to the winter depression setting in. I did at least have a moment of clarity last week where the tone and process will be for the final moments of Kaleb. Lot of fun to figure out how that will work out, now all I have to do is write it.
Still no luck on finding Lilly a home, starting to get desperate for solutions that don't end with her in a cat-lady home.
Off I go, need some rest.
2/6/07 07:23 pm
Oh dear and gibbering from the floor
Freddie Mercury is spinning in his grave so fast that you could power a small city. RSA had a horrible mashup of "Under Pressure" using security terms. I cannot even come close to describing the horror that was that show.
The keynotes from MS and Symantec were the usual business spiel. Interesting that MS is proposing certificates, IPSEC and IPv6 as a way of mitigating security risk. I did get a chuckle out of their claim that Vista was the first product of theirs built via the Trusted Computing Model. Guess that explains the myriad of vulns and issues already found in Vista.
Symantec's keynote was non-memorable, Chambers has been nattering on in the same vein for years now. Honestly he isn't able to articulate how to do anything other than try and sell you on Symantec. *yawn* Coviello from RSA at least had an interesting take on the industry, saying that companies will have to move security within the corporate application framework instead of latching it on post-facto. The keynotes are somewhere up on the RSA conference website.
Bruce's speech on the psychology of fear has me wanting to touch base with my friend Derek and talk cognitive psychology for a few hours. Bruce's presentation and delivery were smooth as always, but I did want to ask about how security professionals can work that psychology to help organizations honestly assess their risk, instead of just combating the technical.
Great presentation yesterday from Peter Mell from NIST. Chatted about an initiative where NIST, DISA and several other organizations are trying to get the vulnerability assessment players to standardize on the CCE, CVE, CPE, XCCDF and OVAL standards so that people can honestly assess the performance and functionality of scanners and patching in the enterprise. http://nvd.nist.gov and http://nvd.nist.gov/scap/scap.cfm. Needless to say, I'm hugely interested, since I abhor secret knowledge when it comes to the security posture of an enterprise.
The rest of the day was in presentations and walking the trade floor. Feet hurt and my brain is jello. Bumped into an old boss too, which was a bit of a trip. Got a little bit of schwag, but these days there's honestly very little handed out. No way I'm sitting through a dog and pony demo for the possibility of an iPod. *yeeech*
I do love the security geek and guru hairstyles. Always a blast to see the wild and varied cuts. Kind of like style archeology. Some from the 60's-present day. Down to only a few idiotic attempts at using non-security presentation people (aka booth babes), but frankly the geeks want tech details more than leather and latex these days (thank goodness).
Tomorrow brings lunch with BT Counterpane and some interesting presentations. I was kind of bummed out that Michael Chertoff canceled his presentation, I was so looking forward to what kind of reception he'd get from people who actually CAN handle incidents.
mood: busy
music: Under Pressure (the real one to scrub out the evil mashup)
2/2/07 05:10 pm
Joining the Back-Scatter
I'll be off geeking out for the next week or so at the RSA 2007 Conference in the city. An entire week of talks about various subjects, at high and low levels. Might swing into some of the crypto-panels, just to make my brain ache.
Let me know if there are any products or companies you'd like inspected. Here are a few that will be on the trade floor: [List]
Thrilled to be at a professional luncheon where I get to listen to a favorite security expert, Bruce Schneier, chat about his latest and where BT Counterpane is headed. Eager to hear more and listen attentively. Plus the restaurant should be good considering how much of a foodie Bruce is purported to be.
Also secretly hoping that we get some collision attack news on the SHA-1/MD5 front. People have been moving to the exit corridors to flip to AES and some of the newer hashes.
--
Meanwhile in one of my other interest spaces, some less than stellar news. Sea Launch, a company that uses Russian Zenit (IIRC) rockets and launches them from a sea platform/ex oil platform, had a spectacularly bad day.
On the other hand, lots of news from the Masten-Space folks, as well as the ridiculously beautiful photo shots from XCor. And Monday we should be getting a lovely new tidbit from Armadillo Aerospace on what it takes to get a VTVL rocket insured and licensed for launch.
--
I'll be crazy busy until the end of next week, but expect a few tidbits here and there if I get inspired by the conference or if my brain revolts and demands right brain activity. Writing group Sunday, still trying to get Lilly a home (anyone up for a cute rescue kitty?).
mood: busy
music: massive attack for no particular reason