Tuesday, March 5, 2013

Thank goodness that’s over.

As Dickens once said:

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…”

I am, of course, talking about the week of madness in San Francisco which centers on, and swirls around, the RSA conference. I don’t know where to start, it was a wild week.

Security BSides San Francisco was a great event, a new lead organizer and team of new and veteran crew and volunteers put on a great event at a funky new venue, the DNA Lounge. The event also moved to Sunday and Monday from the Mon/Tues it has been the past two years. A couple of things could have gone more smoothly, but it was an outstanding event, in spite of some challenges. A wide variety of great content and peripheral events, and an unusual but effective venue made this event a success. It is hard to believe that three years ago was the first BSidesSF, which was only the third BSides event. BSidesSF 2013 was the 67th BSides event globally (if my count is correct), and we’ve yet to hit the four-year anniversary of the first one. There are a lot of BSides events coming up, check the BSides wiki for all the details.

The RSA Conference itself was even more “RSA Conference” than usual, record attendance (I heard numbers like 24,000 people, but that’s unconfirmed), and record highs and lows. The expo floor was largely disgusting, the level of hype and chicanery was arguably worse than ever (a record not to be savored). This year brought a couple of revelations about the expo floor, primarily this:

The worst of the expo floor largely offers “InfoSec Homeopathy”, but without the advantages of any potential placebo effect- it simply diverts us from appropriate cures.

I would love to get a documentary (mockumentary?) crew to follow a few folks who’ve played this game for many years as they wander the aisles calling out the age of the “new technologies”, the acquired tech left to languish under the mismanagement of big firms, and the absolute snake oil. In this fantasy, Gene Spafford, Marcus Ranum, and Robert Graham are your tour guides through the show floor. I’m too fond of these folks to actually ask them to do it, however. In between the hype and hyperbole, there are always companies at the expo for the right reasons, to engage customers and prospects in rational conversations about their products and services- you just have to look past the booth babes, cars, and screaming barkers.

Speaking of “booth babes”, this year brought a worsening of the “booth babe” phenomenon. I hate to even mention their name for fear that P.T. Barnum was right, but ForeScout’s “Catholic Schoolgirl” attired booth women represented a new low. Based on comments from friends, it may be that no one is going to buy their product based on its merits, but that is no excuse. Sadly, they weren’t alone in the booth misogyny department. Speaking of misogyny, I did get to wear the latest in Misogyny Networks fashions a couple of times during the week.

Note that we do not have to put up with this, InfoSecurity Europe has updated their terms and conditions to prohibit “booth babes”. I applaud InfoSecurity Europe, and hope others follow their lead.

But it was not all bad, the crowds meant good traffic through the corporate overlords’ booth, and we had many good conversations about what we do and the way we see the landscape. Many others in the industry who were at RSAC to conduct business seemed to have a productive event as well. Unfortunately, the high booth traffic meant I didn’t get to see the talks I wanted to see, and there were several that looked good and had good reviews. But for me RSAC is about the business, so that’s where I focused. It’s worth mentioning that many attendees never visit the Expo floor, and many attendees never see a talk, and many seem to only be interested in the parties. You need to find an approach to RSAC that serves your needs- if you don’t, you’ll probably be mired in misery and frustration.

Speaking of parties, I avoided most of them this year and focused on a few smaller events where I could connect and reconnect with people. I did attend the Security Bloggers’ Meetup, it is a can’t-miss event for me where I can see folks in person I normally only see online. This year’s awards were great, with one notable exception: the judges voted me into the SBN “Hall of Fame” over better and more deserving nominees. I am grateful and flattered by the award, I just think many others have contributed more to the security blogging community. Also winning this year was the Pauldotcom podcast, which has won four out of the five years the awards have been given. Since Paul and Larry launched the podcast many years ago, it has grown and evolved- the current crew of Paul, Larry, Mike, Allison, Patrick, and the audio and video team is a pleasure (and occasional terror) to work with and I’m honored to have been a part of it for the past couple of years.

Now, back to work.