If you're a registered FreeConference.com user like I am, then you probably received a vague and rather inflammatory email from them yesterday. In it, they imply that the House Energy and Commerce Committee is out to get them. Given that they don't cite anything useful in the letter (below), I decided to call Congressman Waxman's office for more details (he's the committee chair).
March 2010 Archives
In August 2009 I wrote about "Defensibility and Recoverability", in which I started developing the notion of using a legal basis for building a defensible position. I later expanded on this notion in the post "Creating Epic Fail Conditions: PCI and Best Practices", along with touching on it in a few other places. More recently, I used the idea of "legal defensibility" in the article "Architecting Adequacy: When Good Enough Really Is" in the March 2010 issue of The ISSA Journal (I'll post an ungated copy of the article when I get a chance). I also floated the idea at the ABA InfoSec Committee meeting during RSA, where the response was very positive, including getting some air time on a couple of panels in the LAW track at RSA.
So, that's a brief background, but what is it, really? What is "legal defensibility" and why do I think it amounts to a new doctrine for the infosec community as a whole? More importantly, how can this new notion be used to successfully promote security initiatives, and why should you take it as a legitimate new argument and approach?
Last Saturday (3/13) was the first ever B-Sides Austin unconference event, and what a great event it was! We were able to successfully pull in excellent, engaging participants from across the state for a really fun and educational time.
The event was made a tremendous success thanks to the hard work of Jack Daniel, Todd Kimball, and unconference specialist Kaliya/Identity Woman, who joined us from Unconference.net and the Internet Identity Workshop (IIW).
Not to be outdone by Anton, I thought now was probably as good a time as any to finally sit down and knock out some of my quick reflective thoughts on the week+ of RSA 2010. For those who don't know me very well, my RSA week is always a long one, as it's preceded by ABA meetings (InfoSec Committee and eDiscovery and Digital Evidence Committee - see my after-report here), as well as now including the annual MiniMetricon on the Monday that the conference starts. Add to this blogger responsibilities for meeting with vendors, surveying the expo floor, and attending a few sessions, and, well, the week tends to fly by.
Overall, I found this year to be quite positive and energetic. People seemed to be moving so frenetically that we all shared a common complaint: "gosh, we're tired!" In part, I have to think this exhaustion was cumulative, not just from the conference itself, but as a result of dragging our sorry tails out of a miserable 2009 through the breaking clouds into the emerging sunshine of 2010. Based on my observations, it seems like 2010 stands to be a very good year... but I'm getting ahead of myself...
Hey everybody! BSides Austin is almost here - are you ready for it?!? Here are a few housekeeping notes:
* Everybody is welcome - the event is free!
* If you're attending and have a talk you'd like to give, post it here!
* Please register for the event so that we'll have a better headcount.
* PLEASE pre-register for the special "Hackers on a Duck" evening event. There is a hard limit of 40 people, and we MUST provide them with a count first thing Friday (3/12) morning.
That's all from here. Hope to see y'all there! :)
This year's conference has been much lighter than last year's. The dark cloud of last year has lifted from the expo floor. Delegates, vendors, and speakers all seem to be converging on a much healthier, less-hyped message. Despite all the to-do over cloud and APT (which some of us hope to rebrand to Adaptable Persistent Threat), there also seems to be a healthy recognition that holistic is a good thing. :)
There's really not a whole lot to say about things. I've seen a TON of business being done, which is a markedly drastic change from 2009. Business deals galore mean good things in this space. Add in the apparent push toward increased government transparency, such as through this week's declassification of the Comprehensive National Cybersecurity Initiative (CNCI), and the picture looks increasingly positive.
I'll write more in a round-up post after the conference is done, but suffice to say, I now feel quite bullish on the industry, even if innovation is still trailing.
It's already Wednesday morning, which means the first full day of RSA 2010 is in the can and quickly receding into the past. Overall, things are fairly status quo again this year. Sessions galore, vendor keynotes, and a busy expo floor. This last point is perhaps the biggest difference from 2009 in that the expo floor is, in fact, quite busy. My impression is that a lot of realistic networking and lead generation is happening this year.
Before I hit themes, one tidbit of interest. I spoke with a couple of guys from Boston who specialize in financial fraud. One of the fellows had calculated the cost of doing a wholesale revamp of the card infrastructure to be about US$12B. That is far more than the card brands are eating in fraud costs today. Moreover, today the merchants bear most of the fraud burden, whereas the cost of a complete infrastructure overhaul would be primarily borne by the card brands (although these costs would obviously be passed along to the banks, merchants, acquirers, processors, customers, etc.).
Where has all the innovation gone? I was very much looking forward to talking to the startup vendors selected as finalists for this year's Innovation Sandbox at RSA. After last year, I suppose I should have set my expectations a little lower, although realistically it would have been impossible to set them low enough to avoid some level of disappointment. Because, quite honestly, I was quite disappointed.
Of the 9 finalists, 6 had "cloud" point solutions, largely targeted to the hypervisor, with one that did some funky inline crypto stuff that made me wonder. 2 finalists had "new" authentication approaches, which were sort of interesting, but they didn't solve the larger problems with authentication. The 9th finalist was also potentially interesting in that they provided a nice visualization dashboard for risk management, but the biggest downside was that all data had to be independently entered. There was no integration with any GRC products, and so while it looked pretty, it wasn't overly sensible. So, yes, I was a wee bit disappointed.
The Saturday and Sunday preceding RSA have historically been set aside for the annual meetings of the American Bar Association (ABA) Information Security Committee (ISC), and now its sister eDiscovery and Digital Evidence Committee (EDDE). This year we had very good discussions, particularly on the ISC side of the house (admittedly I spent more time there than with EDDE). There seemed to be some very interesting themes that were either new or escalated from previous years.
By way of a little background... the ABA allows non-lawyer Associate members to join and participate in certain committees. The ISC is a perfect example, where non-lawyer SMEs work directly with tech-savvy or tech-industry attorneys in partnership to help benefit the entire industry. EDDE is aligned along the same principles, but with a narrower focus.