Saturday, January 28, 2012

Security BSides San Francisco, and RSA conference

I thought we were making progress last year, but I may have been mistaken.  The RSA Conference is enforcing the non-compete clause in their sponsor and exhibitor agreements, which means a written waiver is required for an RSA Conference sponsor/exhibitor to hold or participate in anything RSAC feels is “competing” within five miles of the RSA Conference (their definition of “competing” is pretty broad, too).  Last year they issued waivers for BSidesSF sponsors, but so far this year they are refusing to issue waivers.  For more details on this situation, please see this post at Infosec Island.

It would be great if you politely let RSA know that supporting the community is not a bad thing.  They really don’t need to feel challenged by a free event drawing a few hundred people next to their commercial event drawing well over 10,000.  Don’t go flaming @RSAConference on Twitter or anything like that, but if you are a sponsor/exhibitor, speaker, or attendee, maybe take a minute and let them know how you feel.

I will be speaking at RSA this year, partly because one of the comments we heard last year was that many BSides speakers don’t even submit to RSAC.  That seems unlikely to happen again if I have misunderstood RSA’s true attitude towards BSides.

Oh, and if you happen to know anyone who is not exhibiting at RSA who might be interested in sponsoring BSidesSF, you know where to send them.



Monday, January 23, 2012

Bumper Sticker “wisdom”

I saw a bumper sticker the other day that made me think about the trite things often said in InfoSec.  The bumper sticker said (paraphrasing):

“War never solved anything, except ending communism, fascism, nazism, and slavery”

While the sticker is somewhat nonsensical, I’m sure a lot of folks cheer the sentiment.  I really wasn’t in the mood to interrupt my vacation to discuss the state of global communism; the fall (and pending rise) of Russia; or China, its sphere of influence, and the economic power wielded there.  Nor did I wish to engage on fascism’s passing due to natural causes when Franco died a comfortable old man.  I’ll give him the Nazism thing, but given the number of people enslaved globally, slavery is far from “ended”.

My point is not about the politics of war, but about the temptation to buy into things which “sound right” and make you feel good.  Things are rarely that simple.  Let’s consider anti-virus, the Schrödinger’s cat of InfoSec (reported to be both dead and alive, and we don’t know for sure until we open the malware).  The truth is that it is alive, but sickly; hairballs everywhere in spite of a special diet of CPU and RAM.

If the answers were bumper-sticker-easy, InfoSec wouldn’t be fun.  Of course, some days (especially post-vacation Mondays) I would settle for less “fun”.



Saturday, January 7, 2012

InfoSec career attitudes survey

I have a favor to ask: please consider taking a survey on attitudes about your career in Information Security.  I’m helping a group of smart folks look into what makes InfoSec folks tick, and what makes us twitch.
This survey is mostly focused on your current situation.  This specific survey was selected because it is a standard measurement recognized by folks who study such things, which means aggregated results can be compared against averages and against other professions where survey data is available.
The survey is copyrighted, and has some license restrictions imposed on anyone who uses it, the most notable being that unique logins are required for anyone taking the survey.  This means we need you to send a request to take the survey and provide us an email address under your control, so we can reply with a link to the survey and enter the address in the permitted users list.  We do not care what email address you use, so feel free to use an anonymous account from any of the freebies like Gmail, Hotmail/Live, etc.  The survey site requires a username; we are using the email address you provide as the username, and again, we’re happy with anonymized addresses.  If you request to take the survey, we do ask that you follow through and take it: each email address we enter counts as a licensed survey, whether completed or not, and we pay per license to administer the survey.
We are going to give a $100 Amazon gift card to a randomly selected survey respondent as an incentive.  If you are interested in that and use a “disposable” email address, you may want to keep the account until early March, when the winner is notified.
What to expect:
The first step is to request access to the survey and provide consent to participate (see below).  We will send a survey link to each person requesting to participate.
At the survey site enter the email address used for the request, create a password to complete account setup, then continue to the survey.
The survey starts with ten demographic questions; these will help categorize results and discover patterns, but they are optional, so if you wish to skip any, please do.
The survey itself has a sample question and sixteen real questions, all multiple choice.
Expect to spend ten to fifteen minutes total on the registration and survey, unless you obsess over stuff like I often do, but even then it shouldn’t take much more than fifteen minutes.
The privacy and confidentiality bits:
The survey data is downloaded with email addresses included; they will be stripped from the data immediately.  We will keep two files, one with email addresses only (for notifying the winner of the gift card), the other with raw data (demographic data and survey results).  When the current project is complete and the winner notified, all email addresses will be deleted from the files and from the email system used for the survey, and we will request that the data be purged from the survey administration site.  Anonymized results will be analyzed, and the results presented at appropriate venues, but the raw data and email address files will always be encrypted once retrieved from the survey host, with both file-level and full-disk encryption, using two different encryption applications.
There is more info on the survey website.  If you would like to participate, please submit the Contact form on the survey site, or send an email to consenting to participate and we will reply with a link to the survey.
I know you have a lot of demands on your time, I would be grateful if you would consider participating in this survey and sharing ten to fifteen minutes to help our research.
[EDIT] I missed two things in the initial post:
1) We will share aggregate results in a couple of ways: I'll post some here, other members of the team will post some, and we will present at a variety of events.  I'll try to list upcoming presentations as I become aware of them.
2) The site is Flash (yeah, I know, it was free with the domain).  If Flash is not an option for you, just send an email to to give consent and request access; we will reply with a survey link.