Monday, July 12, 2010

This will be interesting.

The week of Las Vegas madness that encompasses Security BSides, BlackHat and DefCon is approaching.  I am fortunate enough to be speaking twice that week:

I will be leading Security Speed Debates at 10am on Thursday, 7/29 at Security BSides.  It is an idea I have blatantly stolen from AusCert, but ours will be better, at least partly because we don’t talk funny.  I will be joined by the lovely and talented Josh Corman and Dennis Fisher (you decide which one is which) plus a “player to be named later”.  We will each have one minute to make our cases for or against a variety of incendiary topics, then we’ll give a couple of folks watching the spectacle a chance to add their opinions.  To make it more interesting, the panelists will be assigned pro or con positions, on the spot, by coin toss.  The goals are to 1: have fun, and 2: encourage conversation.

I will also be moderating a panel discussion on PCI at DefCon at noon on Sunday.  Yes, PCI at DefCon.  We have a killer team lined up for the panel; see the lineup and summary here.  I’ll be joined by James Arlen (aka Myrcurial), Anton Chuvakin, Joshua Corman, Alex Hutton, Martin McKeay, and Dave Shackleford.  How’s that for a team?

I think our synopsis sums it up very well:

“PCI at DefCon? Are you on drugs? Sadly, no- compliance is changing the way companies "do security", and that has an effect on everyone, defender, attacker, or innocent bystander. If you think all that 0-day you've heard about this week is scary, ask yourself this: if a company accepts credit cards for payment, which is a more immediate threat- failing an audit or the possibility of being compromised by an attacker? That is one of the reasons "they" do not listen to "us" when we try to improve security in our environments- as real as they are, our threats are theoretical compared to failing a PCI assessment. Systems are hardened against audit, not attack. Sadly, this is often an improvement, but this can also reduce security and provide a template for attackers. This panel will discuss and debate strengths and weaknesses of PCI, expose systemic problems in PCI-DSS, and propose improvements.”

If you’ll be in Vegas for the fun, consider checking these out; they should be fun.