Category: Conferences

Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris]
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees are eligible for free RSA exhibit passes.
Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).
Place: University of San Francisco (walking distance to the Moscone Center)
Time: 8:30am to 4:30pm
Participation: by invitation.
Attendance: Limited to 80 people
Additional details, including links to past workshops, presentations, and digests, as well as a calendar with important dates and instructions for submitters, are available at securitymetrics.org

Mini Metricon 4.5 Call For Participation

If you would like to participate

Due to space limitations, we are asking all who are interested in participating to send an email to metr…@securitymetrics.org

Please provide some information about who you are, your interest/experience with metrics, what metrics you can bring to discuss, and your preferred level of participation: presenter or active audience participant.

Presenters: Please provide an abstract of 5 paragraphs or less that describes the nature of the metrics and metric results that you would like to present. Following past MetriCon practice, preference will be given to those who respond to this CfP with actual work in progress that demonstrates the value of security metrics with respect to a security-related goal.

Submission of recent, previously published work as well as simultaneous submissions to multiple venues is acceptable if disclosed in your proposal.

Active audience participants: Please indicate your area(s) of specific interest.

Examples of past well-received presentations are:

§ Intel Presentation

§ Verizon Presentation

§ Whitehat Presentation

Visit http://www.securitymetrics.org for digests, presentations, and handouts from past Metricon Workshops.

Notification

To get invitations out well beforehand, we’d like all email submissions to be in-hand by December 5. Our goal is to send invitations to participate by January 15.

Important Dates

– 05 Dec 2009 – Responses Due to this Call

– 15 Jan 2010 – Notification of Acceptance

– 01 Mar 2010 – Mini MetriCon 4.5 Workshop

Program Committee

§ Warren Axelrod, Financial Services Technology Consortium

§ Jennifer Bayuk, Bayuk.com

§ Fred Cohen, Fred Cohen and Associates

§ Lloyd Elam, SigmaRisks

§ Jeremy Epstein, SRI International

§ Dan Geer, In-Q-Tel

§ Renee Guttmann, Time Warner

§ Ray Kaplan, Ray Kaplan & Associates

§ Pete Lindstrom, Spire Security

§ Joe Magee, Vigilant

§ Elizabeth Nichols, Plexlogic

§ Steven Piliero, Center for Internet Security

§ Chris Walsh [Program Committee Chair], SurePayroll

§ Caroline Wong, eBay

Please feel free to contact the Program Chair with any questions. Inquiries beyond administrative matters will be forwarded to the Committee.

Additional information will be posted at www.securitymetrics.org as it becomes available.

Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009.

PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. (The PETS 2009 program is here.)

Like last year, we also present the HotPETs workshop, which showcases hot new research in the field.

We will also be presenting the Award for Outstanding Research in Privacy Enhancing Technologies to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology.

Important dates:

Stipends deadline: July 2
Hotel group rate deadline: July 5
Earlybird registration deadline: July 9
Symposium: August 5-7

Venue and registration information, as well as the program, can be found at the PETS 2009 website.

We hope to see you in Seattle!

– The PETS 2009 organizers

SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.)

So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an update to this post.

Attempting to reconstruct what I said, or intended to say. (Yes, I suppose I could listen to the audio... but then again, this is more fun for me.)

So it’s a struggle to say something new at the end of a workshop like this. And Ross Anderson even said that. So how do we fix security and human behavior? We first need some degree of understanding of what needs fixing. It’s easy at the end of all the talks to think we know what’s wrong, but I don’t think we do. What leads to more failures? 0day or patches not installed? Authentication failures or configuration failures?

We don’t know what goes wrong because people are concerned about a laundry list of issues from customers fleeing to stock price collapse, but we actually know that those don’t really happen. So why don’t we know what goes wrong? Shame. People are ashamed that their security is imperfect and don’t want to talk about it.

This holds us back. When Angela Sasse talks about a compliance budget, we don’t know what to spend it on. When Diana Smetters discusses prioritizing how to train users, we don’t know what to prioritize. When Mark Stewart shows frequency/loss equations, we don’t know what to put into them (for information security).

So we need something like the National Transportation Safety Board, or a Truth and Reconciliation Commission which will hear testimony, ask questions, and provide analysis.

In order to improve security and human behavior, we need more and better data. And to get more and better data, we’ll need to overcome shame.

I’d also like to thank Addison Wesley for providing copies of The New School (the book) to the attendees of the workshop. As I’ve said, they’ve been great [a great publisher] to work with.

How to Present

As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle.

As I think about how to deliver each of these talks, I think about what people will want from each. From a keynote, there should be a broad perspective, aiming to influence the agenda and conversation for the day, the conference and beyond. For a technical talk, I’m starting from “why should we care” and sharing experiences in enough depth that the audience gets practical lessons they can apply to their own work.

Part of being a great presenter is watching others present, and seeing what works for them and what doesn’t. And part of it is watching yourself (painful as that is). Another part is listening to the masters. And in that vein, Garr Reynolds has a great post “Making presentations in the TED style:”

TED has earned a lot of attention over the years for many reasons, including the nature and quality of its short-form conference presentations. All presenters lucky enough to be asked to speak at TED are given 18-minute slots maximum (some are for even less time such as 3- and 6-minute slots). Some who present at TED are not used to speaking on a large stage, or are at least not used to speaking on their topic with strict time restraints. TED does not make a big deal publicly out of the TED Commandments, but many TED presenters have referenced the speaking guidelines in their talks and in their blogs over the years (e.g., Ben Saunders).

Ironically, he closes with:

Bill Gates vs. Bill Gates
Again, you do not have to use slides at TED (or TEDx, etc.), but if you do use slides, think of using them more in the style of Bill Gates the TEDster rather than Bill Gates the bullet point guy from the past. As Bill has shown, everyone can get better at presenting on stage.


I’ll be doing some of both. As both Reynolds and Bill understand, there are better and worse styles. Different styles work well for different people. There’s also a time and a place for each good style of presentation. Understanding yourself, your audience and goals are essential to doing any presentation well.

Of course, style only matters if you’re a professional entertainer, or have something interesting to say. I try hard to be in the latter category.

If you’re in Johannesburg, come see both talks. I’m looking forward to meeting new people, and would love to hear your feedback on either talk, either on the content or the style.

Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that.

But I did promise to tell you what I wanted to get out of it. My goals, ordered:

  1. A successful Research Revealed track. I think we had some great talks, a panel I’m not qualified to judge (since I was on it), and at least a couple of sell-out sessions. But you tell me. Did it work for you?
  2. See interesting new technology. I saw three things: Garner’s hard drive crusher (they have a “destroy” button!), Camouflage’s database masking and some very cool credit card form factor crypto devices from Emue. (I’d add Verizon’s DBIR, but I saw that before the show.) Four interesting bits? Counts as success. Ooh, plus saw the Aptera car.
  3. Announce our new blog at Newschoolsecurity.com. Done!
  4. See friends and make five new ones. It turns out that the most successful part of this was my Open Security Foundation t-shirt. I urge you all to donate and get this highly effective networking tool.
  5. Connect five pairs of people who previously didn’t know each other. I counted seven, which makes me really happy.

What I didn’t want: a hangover. Only had one, Friday morning.
