Insinuator

Some outright rants from a bunch of infosec practitioners.

Archive for May 2010

May 29, 2010

Notes from Abroad

Yesterday I took part in a semi-private event on “The war against cybercrime” organized by BT and $SOME_VENDOR_OF_ENTERPRISE_SECURITY_TOOLS in Brussels.
I went there for mainly two reasons: I had a meeting with a customer arranged in the context of the session, and the keynote was to be given by Bruce Schneier. Having seen and heard him on other occasions, I knew there’s always valuable food for thought to be gained from his pronouncements.

The play had the kind-of-usual agenda such (at the end of the day: sales) pieces have: keynote by $SOME_SUFFICIENTLY_PROMINENT_PERSON; tool presentation by vendor, potentially in the form of a case study with $SOME_SUFFICIENTLY_LARGE_ORGANIZATION; discussion panel on $SOME_SUFFICIENTLY_INTERESTING_TOPIC; fancy lunch or dinner.
Still, besides the scheduled stuff going on, there were a number of aspects to observe:

a) Maybe he just had a bad day, but (not only) to me it seemed that Bruce was quite annoyed by being there/part of this type of event. I’ve no idea what he was told when asked to contribute (or if he even cared given the amount of public events he somehow participates in) but his obvious disinterest was striking. His keynote – at a “cybercrime event”, to an audience of about 50 people mostly from large European financial institutions and government agencies – was on Facebook and privacy matters (!). More or less the stuff from this blog entry.
Which, most probably, was not what the people in the room expected ;-)

I don’t know any details about BT’s takeover of Counterpane back in 2006, but it’s a fair assumption that part of the deal was that Bruce had to stay on board (of BT) for some amount of time (usually 3-5 years)… and thereby take part in events like these. Not sure if he’s still feeling comfortable with that (if he ever did).
Which, by the way, would be totally understandable from my point of view.

Anyway, it was amusing to watch and his contributions to the panel were, as expected, the most interesting ones.

b) Practically none of the organizations being represented in the panel or in the audience cares about “cyberwar”.

c) Most of them have not yet outsourced their (core) security services, nor do they plan to do so in the coming years.

Overall it was a good event, and Brussels was worth the trip. My kids particularly enjoyed this place (a bit pricey though).

Have a great day,

Enno


May 22, 2010

Zalewski on Security Engineering

Interesting blog post by Michal Zalewski here. I’d like to highlight two pieces I particularly enjoyed. This one:

“Yet, for several decades, we have in essence completely failed [...]. The focus is almost exclusively on reactive, secondary security measures: vulnerability management, malware and attack detection, sandboxing, and so forth; and perhaps on selectively pointing out flaws in somebody else’s code. The frustrating, jealously guarded secret is that when it comes to actually enabling others to develop secure systems, we deliver far less value than could be expected.”

and this one:

“There is no way to define desirable behavior of a sufficiently complex computer system: no single authority can spell out what the ‘intended manner’ or ‘secure states’ are supposed to be for an operating system or a web browser.”

The latter one reminds me of a slide I used in that workshop mentioned in yesterday’s post. It looked like this:

[Slide image: “Some common definition of”]

Please read Michal’s post. It provides good food for thought.

Have a great day,

Enno


May 21, 2010

Security Assessments

Well guys, long time no see. We promise to improve the frequency of posts here. Really! ;-)

I just gave a workshop on various security topics for a network equipment vendor. On my flight to the event I put together some slides to clarify terms and approaches for various types of security assessments.
[It was an event planned to be in an informal "discussion mode" anyway. For sure I'd otherwise never put together slides right on my way to an engagement. never.]

Some of you, dear readers, might find them helpful as there’s still a lot of confusion around when it comes to this stuff. And yes, I’m fully aware: our definition of these might be just another clarification attempt that unfortunately contributes to the overall diffusion ;-)

Have a great day,

Enno

On a related note: we’ve fixed the date for Troopers 2011. Get out your calendars and mark it: it’s going to happen in the week 03/14/2011 to 03/18/2011.


©2010 ERNW GmbH