Sunday, January 31, 2010

Coast to Coast B-Sides

Security B-Sides in Las Vegas and Mountain View were great successes, and there are more on the horizon.  If you are near (or will be near) any of them, please join us.

B-Sides San Francisco will be held at pariSoma, 1436 Howard St. (at 10th) in San Francisco on Tuesday and Wednesday March 2-3.  Not coincidentally, there's some other security conference in San Francisco that week.  This will rock; the lineup looks fantastic already.  Thanks to all the sponsors, especially the folks at BigFix, who will be running their shuttle buses again this year- with B-Sides on the route, so transportation will be a breeze.

B-Sides Austin is just ten days later, on Saturday March 13.  This will be during SXSW Interactive, so downtown venues were locked up- but we have a great venue not far from downtown at the Norris Conference Centers at 2525 West Anderson Lane.  We will have two adjacent rooms, and are working out details now.  Maybe more formal presentations in one room and panels/discussions in the other?  Maybe some Cone of Silence sessions- where those who can't talk openly for one reason or another can talk openly with others, under NDA if necessary.  (I know what you're thinking, "NDAs at a B-Sides?", but the idea is that there are a lot of people who would otherwise be shut out of the conversations- a little sharing is much better than none.  And this is only one of the ideas we have, so chill).

B-Sides Boston will be held on Saturday and Sunday, April 24-25, at Microsoft's New England R&D facility in Cambridge.  That's the weekend after SOURCE Boston, so it will be a great time to expand on some great conversations and begin new ones.

As always, these will be free events (but there will be a "tip jar" if you want to help).  And yes, more sponsors would be greatly appreciated- equipment rental, meeting space, and beer do not grow on trees.  But what we really want is help spreading the word, and for you to join us at the events.  These are community events; that means you- tell us what you want, and help make it happen.



Sunday, January 10, 2010

The obligatory disclaimer post

Most people know, but I suppose I should make these things clear.  You probably don't actually want to read this, it will be pretty boring- but I feel compelled to CMA and make the following perfectly clear.

I am an employee of Astaro Corporation.  This blog is not their corporate blog; the opinions expressed here are mine, not those of my employer.  I occasionally contribute to their blog, and there may be some overlap in topics; I may even plagiarize myself occasionally.  I am not compensated by my employer for anything I say on this blog.

Nor am I compensated by anyone else for what I say on the blog.  I rarely comment on specific products, and when I do, what you read are my opinions, not influenced by any gratuities.  I am not shy about enjoying the company of vendors when they offer food, drink, entertainment, etc., but these never alter what I write about them, except for the occasional notes of thanks.  I am likely to thank sponsors of the events I'm involved in, and will continue to do so, without prejudicing anything else I may write about them.

I do a lot of things in the IT and security community.  My employer is supportive of this and provides assistance in a variety of ways, ranging from tolerance for my absence to paying me to participate, and providing sponsorship of events.  The sponsorship of events has included financial sponsorship of the events, as well as non-financial assistance (logistical planning, use of equipment, etc.).  I was very active in community events before joining Astaro, and should I leave Astaro I expect to remain active in the community.

I present and talk at a variety of meetings and events, sometimes as an employee of Astaro, sometimes not.  I try to make it clear which is which.  (When I use terms such as "sales weasel", or "vendor shill", it is a hint that I'm probably on my own).

Free stuff.  The only things beyond the routine free vendor freebies I have received from my blogging are access to events; the following are the events I have attended free, but with no quid pro quo or other arrangements:

  • SOURCE Boston 2008
    • I received a complimentary press pass, and did write about the event for both this blog and the SOURCE blog.
    • I was so impressed with SOURCE that I worked as a volunteer for SOURCE Boston 2009, and expect to do so for 2010. I received free admission in exchange for this work.
  • RSA Conference USA 2008 and 2009
    • I received complimentary press passes both years, for which I am grateful to the RSA Conference.  They were one of the first to treat bloggers with respect and consideration, and they are to be applauded for this.  I did write posts on this blog about the RSA conferences and related events.
    • I also worked at the Astaro booth part-time during 2008 and 2009, during which time I was compensated as an employee.
    • I will not have the time to properly cover RSA 2010; out of respect for the conference's generosity I have not applied for press credentials this year.  I may purchase an expo pass to visit some vendors, and I may or may not write about it.
  • SC Magazine's World Congress 2008
    • I received a complimentary press pass, and did write about the event for this blog.
  • BlackHat USA 2009 and DefCon 17
    • I received complimentary press passes to both events.
    • I am grateful for the passes, but I was unable to participate in BlackHat or write about it adequately due to other, last minute commitments that week.
    • I am unlikely to apply for press passes for BlackHat events in the near future.  Due to schedule conflicts with Security B-Sides events it would be inappropriate for me to do so.
      • If they want to offer, however...
    • I expect to pay for DefCon press credentials this year.

Security B-Sides is not as clear cut, so I'll ask you to trust me on this one.  Astaro has and will sponsor B-Sides events.  They may or may not cover expenses for me, and may or may not pay me for my time while helping with events.  My time and labor may be considered part of Astaro's sponsorship of the events.  I will be as involved as possible, regardless of Astaro's role in the events.  B-Sides events are NOT Astaro events, they are community events- but my employers and I are supportive of community events, and we both, independently and together, support them.  Some people would call this "synergy", but I hide from people like that (and vice versa).

HEY! Wake up!  I'm done with this tedious, but necessary post.  Any questions, just ask.



Wednesday, January 6, 2010

Maybe this will help

I have had a few conversations recently on the topic of getting security messages to a wider audience, and the pitfalls that may bring. If we are too technical we lose the audience; if we generalize we may get called out by security pros for inaccurate or incomplete statements. This will always be a balancing act, but there are a few things I believe will help. These aren't original thoughts of mine, but I think they are good ideas which bear repeating.

First, there is a tendency to dumb-down content for non-technical people, and that is a mistake. Presenting information in a concise, or even simple, manner is fine- but don't dumb it down. I can describe the Internet as:

  • An interconnected mesh of networks and connecting links
  • A series of tubes

The former is not perfect, but is simple and concise. The latter is simple, and wrong. Most of the people we need to reach aren't stupid, they just aren't security pros, so we need to educate them- while accepting that they don't want to be security pros, they just want to be safe.

The second idea is that we need to define ourselves and our audiences before crafting and delivering our messages. I mean really stopping and thinking about our own background and perspectives, and then considering the audience's perspectives, goals, and expectations. Imagine you are going to talk about Fast Flux and Double Flux (165k PDF). If you are a network security engineer for an ISP and are presenting to an audience of peers, you can safely skip an explanation of DNS, and you need specific details and examples in your presentation; generalizations won't be welcome and errors won't be tolerated. And if the presentation is good, many will ask you for copies of it so they can re-read and digest it later. Now imagine you are trying to explain the same concepts to a local ISSA chapter: you'll need to review DNS for the less technical folks and you won't want as much detail, and no matter how good it is there won't be too many people asking for your deck. If the audience is non-technical managers at work you will need to cover the basics and make very concise points; you get one shot, and no one is going to ask for your slide deck here.

And if the target audience is the general public, we need a distilled and focused message. Not stupid, not fear-mongering, no lies. But maybe a generalization, an anecdote, a story- as long as they are honest.

No matter who we are trying to engage, we need to understand our own perspective and we need to know our audience- and if there is a chance of confusion, we should make things clear. I'm not suggesting we need to preface everything with an explicit "intended audience" disclaimer, but sometimes it would be a good idea.

Go forth and enlighten the masses.


Sunday, January 3, 2010

Shmoobus II

There will be another ShmooBus, leaving the Boston area on Thursday morning, February 4, arriving in Washington, DC in the evening.  Return will leave DC on Sunday afternoon, getting to the Boston area...whenever we get there.

It looks like we'll have some repeat riders, and new faces.

Space is limited, but if you are interested in joining us let me know- email jdaniel in care of my corporate overlords at  Astaro has kindly agreed to sponsor the ShmooBus again this year.