So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit.”
First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t want to be that person.
Second, if you want to ask a good question, ask a question that you think others will want to hear answered. If your question is narrow, go up to the speaker afterwards.
Now, there are some generic best practice questions that I love to ask, and want to encourage you to ask.
- You claimed “X”, but didn’t explain why. Could you briefly cover your methodology and data for that claim?
- You said “X” is a best practice. Can you cover what practices you would cut to ensure there’s resources available to do “X”?
- You said “if you get breached, you’ll go out of business.” Last year, 2600 companies announced data breaches. How many of them are out of business?
- You said that “X” dramatically increased your organization’s security. Since we live in an era of ‘assume breach’, can I assume that your organization is now committed to publishing details of any breaches that happen despite X?
I’m sure there are other good questions; please share your favorites, and I’ll try for a new post tomorrow.
Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort zone in promotional activity. Since Ada’s is just getting started on taking video, the quality of the recording isn’t super-high, but the conversation afterwards is great stuff.
Adam Shostack at Ada’s Technical Books from Ada's Technical Books on Vimeo.
Thanks to Danielle for inviting me, and I’d be happy to do more readings in the future.
Self-promotion time: sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty New School. Here’s an interview that talks about both of the things I’ll be doing, so you can see if they’ll be interesting:
Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you.
Full disclosure: our site uses Mint for traffic analytics.
In a comment, Wade says “I’ll be the contrarian here and take the position that using pie charts is not always bad.” And he’s right. Pie charts are not always bad. There are times when they’re ok. As Wade says “If you have 3-4 datapoints, a pie can effectively convey what one is intending to present.” Which is true. But in every case I’ve seen, those situations are as well served with a small bar graph.
What’s the least contrived situation in which a pie chart is better than a bar graph or table? (Pac man and pies are two obvious examples.)
In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see:
Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”?
I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small example of the utility of pie charts will inform report writers. The report writers and their graphics departments, loving their customers, will move to bar charts to help them compare numbers between sources.
I’m confident that not using pie charts is a best practice.
Elsewhere: “The only time it makes sense to use a pie chart.”
And elsewhere: “The Visual Display of Quantitative Information, 2nd edition”
A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.
Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe:
Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?”
It appears that I’m going to have to update my commentary. Thanks, Brett!
[And thanks Scott–I misspelt orrery, now corrected.]
Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on from 10:30 to 11:25. If you’re in the area, please come by.
We can all learn from this great role model, aimed at personal nutrition awareness and education: Nutritiondata.com. If only security awareness web sites were this good.