Category: Conferences

Security & Usability, Workshops

This was supposed to be a part of my book review post, but early user testing showed us confusion and a desire for a more tightly focused blog post experience…

It may also help to attend events like the “Security User Studies Workshop at SOUPS 2006” or the “Workshop on Psychological Acceptability and How to Design for It: Lessons Learned in Designing for Usable Security and Privacy.” Both have a submission deadline of April 7, and the workshop is July 12-14.

Blue Hat Pictures

J. in the Windows Build room, and some labels on a cabinet. And baby, that’s all you’re gonna see of the pictures. We value everyone else’s privacy, unless you were there. In which case, it’s all groovy. Drop me a note and you’ll get the super-double-secret URL.

As to the picture honoring ‘patch Tuesday,’ I asked if I could stick a USB drive into something so labelled, but for some reason, they didn’t think that was as amusing as the speakers thought it was.

Of course, the USB stick I had with me had nothing but some slides on it, so had they said yes, the joke would have been on me.

Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit.
This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various industries.
The round-table sessions were uniformly fantastic. The most interesting sessions, though, were the ones by folks on how they dealt with real life scenarios. Especially interesting were talks by Michelle Bealieu on how MS does identity management internally and CIO Ron Markezich on how Microsoft itself was managing its infrastructure. Both their talks supported my own experience that this doesn’t have to be hard if you have a limited number of applications, only have one system of record, and centrally manage as much systems configuration as possible. I really pity my peers who have thousands of applications to manage and don’t have a tool like SMS to help manage end users. Frankly, I found the product pitches less than useful. They were essentially all material that was already available on the web.
Also of note was a talk by Brooke Paul from American Financial Group on how to articulate the value of security to upper management. He had a great discussion on not just ROI and metrics but also on managing risk.
Several interesting yet unsurprising things came to light over the course of the event. They are, in no particular order:

  • The big issue of the conference was identity management. Everyone cared about it, and no one had a solution that spanned multiple operating systems environments.
  • No one was getting extra funding to deal with compliance requirements, and yet they were spending a huge amount of time worrying about it.
  • The vast majority of attendees had been doing security for less than 2 years, almost no one actually had a CSO/CISO title, and only marginally more were Director level or above. In fact, most of the VP or CSO/CISO level folks were speakers of some sort.

All in all, it was a worthwhile conference. The general consensus of the crowd was that next time there should be even fewer product related talks and more strategy based ones. Microsoft made it clear that the next one would follow that request. I look forward to heading back up to Redmond next year.
[Edit: Fixed link to the Executive Circle]

Private Thoughts on Blue Hat

As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy.

Unfortunately, that makes it hard to properly attribute this bit of genius:

1 bottle of beer on the wall, 1 bottle of beer, you take 1 down, pass it around, 0 bottles of beer on the wall.

0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

Michael Howard’s blog post, “A useful primer to Integer overflows/underflows,” reminded me of it, but I had the misfortune of hearing one speaker sing that for another.
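For readers who want to see the arithmetic behind the verse, here is an added example in C; it is not code from the post, from the speaker, or from Michael Howard’s primer. A `uint32_t` counter wraps modulo 2^32, so 0 − 1 yields 4294967295, which is `UINT32_MAX`. The same wrap is what turns an unchecked `total - header` length calculation in a parser into an enormous count that a later copy will trust. The function names (`take_one_down`, `payload_len_unchecked`, and their `_checked` counterparts) are mine, chosen for the illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* The "bottles of beer" counter from the verse, as an unsigned 32-bit
   integer. Unsigned subtraction in C is defined to wrap modulo 2^32,
   so 0u - 1u is UINT32_MAX (4294967295): no trap, no error, no warning. */
uint32_t take_one_down(uint32_t bottles) {
    return bottles - 1u;
}

/* Hardened verse: refuse to go below zero. Returns 1 and writes the new
   count to *out on success; returns 0 (and leaves *out untouched) when
   the subtraction would wrap. */
int take_one_down_checked(uint32_t bottles, uint32_t *out) {
    if (bottles < 1u) {
        return 0;
    }
    *out = bottles - 1u;
    return 1;
}

/* Why a singing joke matters for memory safety: a payload length computed
   as total - header wraps to a huge value whenever header > total. Code
   that then copies that many bytes reads or writes far past its buffer.
   This mirrors the unchecked pattern (hypothetical field names). */
uint32_t payload_len_unchecked(uint32_t total, uint32_t header) {
    return total - header;
}

/* The fix is the same as for the bottles: check the operands before
   subtracting, rather than checking the result after it has wrapped. */
int payload_len_checked(uint32_t total, uint32_t header, uint32_t *out) {
    if (header > total) {
        return 0;
    }
    *out = total - header;
    return 1;
}

int main(void) {
    uint32_t b = 1;
    printf("%" PRIu32 " bottles of beer on the wall\n", b);
    b = take_one_down(b);
    printf("%" PRIu32 " bottles of beer on the wall\n", b);   /* 0 */
    b = take_one_down(b);
    printf("%" PRIu32 " bottles of beer on the wall\n", b);   /* 4294967295 */

    uint32_t n;
    if (!take_one_down_checked(0, &n)) {
        puts("checked verse: refused to take one down from 0");
    }

    /* Constructed sample: a 4-byte message claiming an 8-byte header. */
    printf("unchecked payload length: %" PRIu32 "\n",
           payload_len_unchecked(4, 8));                      /* 4294967292 */
    if (!payload_len_checked(4, 8, &n)) {
        puts("checked parser: header longer than message, rejected");
    }
    return 0;
}
```

Compile with `cc -Wall -Wextra` and note that neither the compiler nor the runtime objects to the wrap; the only defence is the operand check before the subtraction.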

[Update: Max Dornseif publicly credits Ilja, who points out the coincidence here.]

Blue Hat on privacy-enhanced person by OrchirdArts.

BlackHat Pwned!

MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions
company serving the technology, healthcare and entertainment markets,
announced today that it has acquired Black Hat Inc., a producer of information
security conferences and training that includes Black Hat Briefings and

Jeff Moss, founder and owner, will continue to run Black Hat and will join
CMP Media as Director of Black Hat. Combining CMP’s current portfolio of
Computer Security Institute (CSI), Secure Enterprise magazine and the Security
Pipeline website with Black Hat, will position CMP Media as the strongest
platform in the computer security media market.

From the PR Newswire article.

Congratulations to Jeff, and the whole Black Hat crew!

I think this is a great move all around. Black Hat gains financial stability, CMP gets a great conference series.

(Via DM, my man.)