At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended.
One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a bit more formally. Thus, I am pleased to announce Metricon 1.0, the first-ever convention devoted exclusively to security metrics.
Metricon 1.0 will be held in Vancouver on August 1, 2006. The program chair is Pete Lindstrom. The program committee includes me and Dan Geer, who managed to persuade the USENIX folks to allow us to attach Metricon 1.0 to their own gathering.
(From Andrew Jaquith, at the Security Metrics blog. Photo from Stock.xchng.)
One of the neat things about Blue Hat is that people get pulled aside and introduced to people who have problems that they’d like your thoughts on. In one of those meetings, it came out that the person I was meeting with was destroying lots of data before it came to his group. Very cool. Unfortunately, this sometimes raises a problem, because it makes it hard to tell if unusual problems are coming from the same place. That is, Alice and Bob might both have a problem, or Bob might be reporting one problem twice.
I brought up the concept of slightly unique identifiers. For example, if you have hundreds or thousands of users, use a number from 1 to 16 to identify people. This allows you to distinguish, a little, while not being able to say if this number 6 and that number 6 are the same. There are lots of number sixes out there. You can tune this by adjusting the scale of the number for the size of your pool, how often you want to accept overlaps, and what sort of matches you care about. For this problem, the birthday problem doesn’t really apply. That is, it doesn’t matter that you’re likely to have two items that match very quickly: what you care about is that the odds of a match between two items you’re looking at anyway are 1/16.
To put it another way, there are lots of crayons of the same color, but if you pick two based on some other criteria, such as how sharp the tip is, odds are good they won’t be the same color.
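One way to build such an identifier, as an added example that is not code from the post or from the group being described: hash the real identity together with a secret salt and keep only a few bits of the result. Everything here is an assumption for illustration: the names slightly_unique and pair_match_rate, the choice of FNV-1a plus a murmur3-style finalizer, the constructed "user-N" identities, and the salt string. The number of bits is a parameter, which is the "adjusting the scale of the number" above; pair_match_rate checks the claim that the odds of two already-selected reports matching is about 1/16 for four bits (and 1/256 for eight).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not from the original post. Function names, hash choice
 * and sample identities are assumptions made for illustration. */

/* murmur3-style 32-bit finalizer: spreads every input bit across the
 * output so the few low bits we keep are well mixed. */
static uint32_t mix32(uint32_t h) {
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

/* FNV-1a, continued from an existing state h so that salt and identity
 * can be chained into one hash. */
static uint32_t fnv1a(const char *s, uint32_t h) {
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* A "slightly unique" identifier in [0, 2^bits). The salt is a secret kept
 * by the stage that destroys the raw data; anyone downstream sees only the
 * bucket and cannot enumerate identities to find who maps to, say, 6. */
uint32_t slightly_unique(const char *identity, const char *salt, unsigned bits) {
    uint32_t h;
    if (bits > 16) bits = 16;                /* keep buckets small; that is the point */
    h = fnv1a(salt, 2166136261u);            /* FNV offset basis */
    h = fnv1a(identity, h);
    return mix32(h) & ((1u << bits) - 1u);
}

/* Fraction of identity pairs, among n constructed identities "user-0" ..
 * "user-(n-1)", that share a bucket. For a well-mixed hash this is close to
 * 1 / 2^bits: the odds that two reports you are already comparing collide.
 * Many pairs collide overall (lots of sixes), but any given pair rarely does. */
double pair_match_rate(unsigned n, const char *salt, unsigned bits) {
    uint32_t nbuckets, *counts, b;
    char id[32];
    double matching = 0.0, total = (double)n * (n - 1.0) / 2.0;
    unsigned i;
    if (bits > 16) bits = 16;
    nbuckets = 1u << bits;
    counts = calloc(nbuckets, sizeof *counts);
    if (!counts) return -1.0;
    for (i = 0; i < n; i++) {
        snprintf(id, sizeof id, "user-%u", i);   /* constructed sample identities */
        counts[slightly_unique(id, salt, bits)]++;
    }
    for (b = 0; b < nbuckets; b++)
        matching += (double)counts[b] * ((double)counts[b] - 1.0) / 2.0;
    free(counts);
    return matching / total;
}

int main(void) {
    const char *salt = "rotate-me-per-reporting-period";   /* assumption: a secret */
    printf("alice -> %" PRIu32 "\n", slightly_unique("alice@example.com", salt, 4));
    printf("bob   -> %" PRIu32 "\n", slightly_unique("bob@example.com", salt, 4));
    printf("4 bits over 4096 users: %.4f of pairs match (expect about %.4f)\n",
           pair_match_rate(4096, salt, 4), 1.0 / 16);
    printf("8 bits over 4096 users: %.4f of pairs match (expect about %.4f)\n",
           pair_match_rate(4096, salt, 8), 1.0 / 256);
    return 0;
}
```

If the salt is rotated per reporting period, a bucket value also stops linking reports across periods, which is another knob on "what sort of matches you care about".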
One of the other neat things about Blue Hat is they now have a blog, “Blue Hat Security Briefings.”
Crayon picture from Presentation Pictures.com.
This was supposed to be a part of my book review post, but early user testing showed us confusion and a desire for a more tightly focused blog post experience…
It may also help to attend events like the “Security User Studies Workshop at SOUPS 2006” or the “Workshop on Psychological Acceptability and How to Design for It: Lessons Learned in Designing for Usable Security and Privacy.” Both have a submission deadline of April 7, and the workshop is July 12-14.
J. in the Windows Build room, and some labels on a cabinet. And baby, that’s all you’re gonna see of the pictures. We value everyone else’s privacy, unless you were there. In which case, it’s all groovy. Drop me a note and you’ll get the super-double-secret URL.
As to the picture honoring ‘patch Tuesday,’ I asked if I could stick a USB drive into something so labelled, but for some reason, they didn’t think that was as amusing as the speakers thought it was.
Of course, the USB stick I had with me had nothing but some slides on it, so had they said yes, the joke would have been on me.
Adam’s Private Thoughts on Blue Hat reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit.
This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various industries.
The round-table sessions were uniformly fantastic. The most interesting sessions, though, were the ones by folks on how they dealt with real-life scenarios. Especially interesting were talks by Michelle Bealieu on how MS does identity management internally and CIO Ron Markezich on how Microsoft itself was managing its infrastructure. Both their talks supported my own experience that this doesn’t have to be hard if you have a limited number of applications, only have one system of record, and centrally manage as much systems configuration as possible. I really pity my peers who have thousands of applications to manage and don’t have a tool like SMS to help manage end users. Frankly, I found the product pitches less than useful. They were essentially all material that was already available on the web.
Also of note was a talk by Brooke Paul from American Financial Group on how to articulate the value of security to upper management. He had a great discussion on not just ROI and metrics but also on managing risk.
Several interesting yet unsurprising things came to light over the course of the event. They are, in no particular order:
- The big issue of the conference was identity management. Everyone cared about it, and no one had a solution that spanned multiple operating-system environments.
- No one was getting extra funding to deal with compliance requirements, and yet they were spending a huge amount of time worrying about it.
- The vast majority of attendees had been doing security for less than 2 years and almost no one actually had a CSO/CISO title and only marginally more were Director level or above. In fact, most of the VP or CSO/CISO level folks were speakers of some sort.
All in all, it was a worthwhile conference. The general consensus of the crowd was that next time there should be even fewer product related talks and more strategy based ones. Microsoft made it clear that the next one would follow that request. I look forward to heading back up to Redmond next year.
[Edit: Fixed link to the Executive Circle]
As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy.
Unfortunately, that makes it hard to properly attribute this bit of genius:
1 bottle of beer on the wall, 1 bottle of beer, you take 1 down, pass it around, 0 bottles of beer on the wall.
0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
Michael Howard’s blog post, “A useful primer to Integer overflows/underflows,” reminded me of it, but I had the misfortune of hearing one speaker sing that for another.
[Update: Max Dornseif publicly credits Ilja, who points out the coincidence here.]
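The verse is an accurate description of what an unsigned 32-bit counter does in C: subtracting 1 from 0 is defined to wrap modulo 2^32, and 2^32 - 1 is 4294967295. As an added example (not code from the post or from the speaker), the following renders the verses from a uint32_t and shows a checked decrement beside the unchecked one. The function names take_one_down, take_one_down_checked and verse are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Function names are
 * assumptions made for illustration. */

static const char *bottles(uint32_t n) { return n == 1 ? "bottle" : "bottles"; }

/* Unchecked decrement: what the singer did. For an unsigned type this is
 * not undefined behaviour, it silently wraps: 0 - 1 == UINT32_MAX. No trap,
 * no warning, and any later length or loop bound built on it is now huge. */
uint32_t take_one_down(uint32_t on_the_wall) {
    return on_the_wall - 1;
}

/* Checked decrement: test before subtracting, and report failure to the
 * caller instead of handing back a wrapped value. */
bool take_one_down_checked(uint32_t on_the_wall, uint32_t *left) {
    if (on_the_wall == 0) return false;   /* would underflow */
    *left = on_the_wall - 1;
    return true;
}

/* Renders one verse into buf and returns the number left on the wall. */
uint32_t verse(uint32_t n, char *buf, size_t bufsz) {
    uint32_t left = take_one_down(n);
    snprintf(buf, bufsz,
             "%" PRIu32 " %s of beer on the wall, %" PRIu32 " %s of beer, "
             "you take 1 down, pass it around, %" PRIu32 " %s of beer on the wall.",
             n, bottles(n), n, bottles(n), left, bottles(left));
    return left;
}

int main(void) {
    char line[256];
    uint32_t n = 1, left;
    n = verse(n, line, sizeof line); puts(line);   /* 1 -> 0 */
    n = verse(n, line, sizeof line); puts(line);   /* 0 -> 4294967295 */
    if (!take_one_down_checked(0, &left))
        puts("checked version: no bottles left, refusing to underflow");
    return 0;
}
```

The same pattern applies to any `len - 1`, `remaining -= consumed` or `end - start` on an unsigned length: compare first, subtract second, or the comparison you do afterwards is against a number that is almost always large enough.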
Blue Hat on privacy-enhanced person by OrchirdArts.
The Fifth Workshop on the Economics of Information Security (WEIS 2006), University of Cambridge, England, June 26-28, 2006, has issued a call for papers. Submissions are due March 20th.
The Workshop on the Economics of Securing the Information Infrastructure (October 23-24, 2006, Arlington, VA; submissions due August 6, 2006, 11:59PM PST) has just been announced. There’s a great topics list, and a great list for the program committee. It should be quite the workshop.
The program for CodeCon 2006 has been announced.
CodeCon is the premier showcase of innovative software projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the lead developers, and accompanied by a functional demo.
Early registration ends Jan 31.
Shmoocon has announced their 2006 speaker list. Today is the last day to submit to Codecon.