Sunday, March 16, 2008

SOURCE: Boston 2008 (updated)

SOURCE: Boston 2008 has just ended and it was great. SOURCE is a little hard to categorize; it was part executive-level symposium, part hacker con, with a few other things tossed in for good measure.

I was only able to attend on Wednesday, but I kept up on things from my desk on Thursday and Friday by following a very active Twitter stream from the event.

Wednesday kicked off with introductions followed by a short talk by Tito Jackson*, the IT Director for the Mass Office of Business Development. Jackson's talk was very upbeat about the state of technology in Massachusetts (as you would expect), but some of the numbers really are impressive given the current economic situation. Jackson was followed by a keynote from Richard Clarke. Clarke is a very good speaker and started (after the obligatory Eliot Spitzer joke) with a recap of the history and current state of cybersecurity in the United States and recent events which have refocused attention on cybersecurity. Unfortunately Clarke started wandering away from his real areas of expertise and eventually jumped the shark and ventured into bogus generalizations and speculation. His strong statements on privacy violations could have brought him back from the brink, but by the time he suggested ideas like laws regulating secure code and requiring ISPs to clean up the Internet for us he had lost a large part of the audience and it was just residual respect and decorum which kept him from being heckled.

After the keynote the three tracks split up and the choices became difficult (always a good sign at a con). The tracks were loosely defined as "Business and Security", "Application Security", and "Security and Technology", and not being a coder I wasn't tempted by much in the Application track- but I later heard there were some excellent ones, such as Andrew Jaquith's Anti-Virus preso. I chose to hear Mike Rothman's "How Compliance Can Get You Killed"- but really wanted to see Roger Dingledine's "Making TOR Play Nice with the Internet" talk, too. I'll have to wait for the videos to see Roger's, but Mike was as entertaining and informative as always.

The next tough choice for me was between Michael Rash's "Advanced Linux Firewalls" and "Disruptive Innovation and the Future of Security" by Rich Mogull and Christofer Hoff. I couldn't pass up the dynamic duo and they didn't disappoint. It was their first pass at what is an evolving presentation- it was good and will improve with a little polish. They tried to cover more Disruptive Technology topics than would fit in the time allotted and that limited the depth of the presentation, but even in "rough cut" form it was a refreshing change from most of the mundane "Business of Security" kind of talks.

The tough choice for the end of the day was between Andrew Jaquith's "Anti-Virus, not dead but twitching..." and James Atkinson's “Telephone Defenses Against the Dark Arts”. I opted for the phone security session and spent the next two plus hours in the ultra-nerdly and technical preso. It was great- see my guest blog post about it on the SOURCEBoston blog.

The evening's reception was fantastic as a large crowd gathered on the sixteenth floor to eat, drink and talk. The conversations continued throughout the evening and eventually moved downstairs and went on until the small hours of the morning.

Although I didn't get to attend on Thursday or Friday, the Twitterfeed had a steady stream of news. Wednesday's keynotes by Dan Geer and Steven Levy received rave reviews, as did Friday's L0pht Heavy Industries' "reunion" panel (there was a somewhat-confirmed baseless rumor that L0pht is getting back together in some form or another- see Space Rogue's comments below).

Where is this "confirmed rumor" coming from? Basically Symantec owns all the L0pht IP, they even have the domain name. I suspect if we tried doing anything under that name they would probably have something to say about it, not to mention that Silicosis still works there.

I suspect that there may be some individual collaboration between a few ex-l0pht folks in the near future but getting back together as a full group just ain't gonna happen.

- SR

It is clear that I missed many very good presentations; the full list is at

A special bonus at SOURCEBoston was the chance to meet several other Security Twits in person for the first time, notably "old friends" Ryan Naraine from eWeek and Jennifer Leggio, Keeper of The List.

Now I'm waiting for word on next year's conference.

*"Tito Jackson"? Poor guy, going through life with a famous name like that- what were his parents thinking?

Jack Daniel