Filed under: Security Start-up, SOURCE Boston, Uncategorized
We are doing a lot of new things for SOURCE Boston 2009. In addition to a brand new location, we are adding more activity based items such as round table discussion groups, contests, and so on.
A lot of the people involved with SOURCE have been bitten by the entrepreneur bug. Therefore, SOURCE is going to host a special event at which you can present your company pitch to a panel of VCs, successful entrepreneurs, and other business professionals, followed by a reception.
Have you ever heard of Venture Capital Speed Dating? And yes, I’m sorry to say that there is no better name for it. Here is an article about one that was held in Seattle. We are still working on the logistics but it’s coming together nicely. We already have Jeff Fagnan from Atlas Ventures and Peter Kuper (who is also one of our keynote speakers!) serving as judges. Participants will be able to pitch their idea and receive feedback. The top pitch from each category will be recognized during our Entrepreneur Reception.
We will be posting more details and directions for submissions as we get closer to the date. For now – start thinking about your pitch!
We’re gearing up for SOURCE Boston 2009 and it’s going great. We’re seeing a steady stream of attendee registrations, a nice mix of sponsors and an impressive list of speakers (which you could join if you respond to the call for papers by Nov. 30). What could make this event better?
A social event!
Sponsored by Fortinet, the SOURCE Security Tweet-Up will take place the evening of March 12 from 6-8 p.m. at the Seaport Hotel in Boston. Anyone can attend. OK, not anyone. There are three requirements:
- Attendees must be listed on the official Security Twits list
- They must also be registered attendees or sponsors of SOURCE Boston 2009
- And, finally, they must RSVP by leaving a comment here on this blog post
Are you going to join us for some food, drinks and Security Twit camaraderie?
SOURCE Boston 2008 featured some fantastic speakers, which made for a compelling event for our attendees and even for our board of advisors. In designing the scope and content for SOURCE Boston 2009 we realized that, while we collectively have a great team of resources for filling speaking sessions, we owe it to our attendees and our sponsors to cast a wider net and try to bring in the best speaking talent available. With that in mind, today we’ve opened up a Call for Papers for next year’s event.
We’re still going to hold true to our focus of issues and trends relative to the business and technical scope of security, and we remain application security focused. CFPs will be reviewed by our advisory board and speakers will be notified before the end of the year.
The CFP summarizes the details of what we are seeking, but what I will say is that we are not looking for sales-oriented or vendor-oriented presentations. Those won’t even be considered. We want talks that focus on the most pressing business and technology trends in security. Our audience last year was comprised of C-level executives, venture capital firms, security researchers and engineers. While there are many people in attendance who make buying decisions, speaking sessions are not the time to reach them during SOURCE Boston. We believe in keeping the content as pure and educational as possible.
Check out SOURCE Boston 2009’s current speaker list to see examples of what we’re seeking.
– Stacy Thayer
How do you build a successful security conference simply by word-of-mouth?
Ask Stacy Thayer, founder and executive director of SOURCE Conference, which hosted its inaugural SOURCE Boston event in March of this year. The conference is the only security conference with a healthy mix of application security tracks and business strategy topics. The best part of these topics? They were hand-selected by the conference’s seasoned advisory board, and none of the talks — I mean none of them — pushed marketing hype or vendor solutions. They focused on the issues. They kept it technical and real. This attracted an incredible breadth of technical and business decision-makers.
Warm-and-fuzzy hype aside, the feedback from the event was stellar.
“My experience at the SOURCE Boston conference was excellent. The quality of the speakers and presentations at the event far surpassed my expectations for a first-time conference. If it can continue to deliver in that respect (and I’m certain it will), SOURCE Boston will soon be a landmark annual event in the security community.”
– Matthew Toia, Raytheon Company
“I was very impressed with SOURCE Boston 2008. Only in its first year, SOURCE came through with a wide range of very topical sessions on subjects like Web application security, data leak, compliance and security M&A. The show also lined up a slew of IT security luminaries like Dan Geer, along with notable entrepreneurs like Eugene Kuznetsov (DataPower), Jeremiah Grossman (White Hat Security) and others.”
– Paul Roberts, the451 Group
“In seven years of attending and participating in computer security conferences, I’ve rarely experienced a more intimate and focused event. SOURCE Boston 2008 was a riveting, well-organized conference with high-quality speakers and presentations but it was the warm, interactive atmosphere that stood out the most.”
– Ryan Naraine, journalist and security evangelist
Why am I blathering about all of this?
SOURCE Boston 2009 registration has started, and the conference leaders have decided once again that word-of-mouth and industry relationships are going to be the key to the conference’s success. Of course, those who know me won’t be surprised to hear that there will be a whole smattering of social media stuff, blogger relations, some traditional media outreach and the like. But what makes SOURCE Conference so strong is its deep roots in the security community — why change something that works?
So why would you register?
Aside from the reasons listed above, the growing 2009 speaker list has some of the brightest names in the security industry, who will speak on topics relevant to both tech heads and C-level leaders. The roster thus far:
- Amit Yoran, keynote
- Marcus Ranum, keynote
- James Atkinson, Granite Island Group
- Ero Carrera, Zynamics
- Bruce Dang, Microsoft
- Dino Dai Zovi
- Joe Grand (aka “Kingpin”), Grand Idea Studio
- Jeremiah Grossman, White Hat Security
- Christofer Hoff, Unisys
- Lee Kushner, LJ Kushner & Associates
- Rich Mogull, Securosis
- David Mortman, Echelon One
- Alberto Revelli, Portcullis
- Marty Roesch, Sourcefire
- Peiter “Mudge” Zatko, BBN
The past week has reiterated something that my 12th grade Calculus teacher once tried to explain (somewhat unsuccessfully) to an entire room full of teenaged smartasses:
“A secret is something only one person knows.”
Mr. Merjavec always had a way of messing with our minds – he was the first person I ever knew who knew magic and wasn’t a bad clone of GOB from Arrested Development. But this one drew howls of protest, especially from the girls in the front row who positively knew that they could share their secrets with their BFFs and never face any consequences.
Merj explained it really simply: if you really want to keep a secret, you don’t tell anyone. Because, the moment you do, it becomes subject to forces that you can’t control. All sorts of other variables come into play that don’t exist when only one person knows the secret.
I’m thinking that it might be the case that Dan Kaminsky is wishing that he had Merj for 12th grade calculus. And, if he had, I have a feeling that Merj would be smiling right now.
Filed under: Podcast, security, Social Media, SOURCE Boston, SOURCE Conference
Well, at least for an evening.
My buddy Chris Gerling of the Hak5 / Securabit gang has been kind enough to invite SOURCE Conference board members Chris Wysopal and Chris Eng to join the podcast’s motley crew tomorrow night for a discussion on the con and security news (I imagine that pesky DNS issue might come up as well).
Should be a good time. Tune in over at Securabit’s site any time on Thursday to have a listen, hear more about SOURCE Boston 2009 and see what Wysopal and Eng think about all the current security industry noise.
Talk by Raffael Marty:
With the ever-growing amount of data collected in IT environments, we need new methods and tools to deal with it. Event and log analysis is becoming one of the main tools for analysts to investigate and comprehend the state of their networks, hosts, applications, and business processes. Recent developments, such as regulatory compliance and an increased focus on insider threat, have increased the demand for analytical tools to help in the process. Visualization offers a new, more effective, and simpler approach to data analysis. To date, security visualization has mostly failed to deliver effective tools and methods. This presentation will show what the New York Times has to teach us about effective visualizations: visualization for the masses, not visualization for the experts. Insider Threat, Governance, Risk, and Compliance (GRC), and Perimeter Threat all require effective visualization methods, and they are right in front of us – in the newspaper.
The L0pht panel at SOURCE Boston is live now — packed and standing room only. Weld Pond, John Tan, Mudge, Space Rogue, Silicosis and Dilldog are being interviewed by journalist Michael Fitzgerald on their histories, names, lessons learned and memories of L0pht, current gigs, whether or not security vendors are selling snake oil, and even the impact of trying to balance a hacking life and a personal life. For a play-by-play of Q&A visit @innismir on Twitter.
Weld Pond, John Tan, Mudge, Michael Fitzgerald (moderator), Space Rogue, Silicosis and Dilldog:
To reach members of L0pht visit http://lopht.com/.
Photo by Leigh Hollowell
Posted by Jennifer Leggio
James Atkinson of Granite Island Group has elevated professional paranoia to an art form. In “Telephone Defenses Against the Dark Arts”, Jim delivered over two hours of solid, technical information, and held the audience’s attention to the very end of his engaging and informative presentation. After an introduction to the terminology and fundamentals of traditional telephone systems, Jim quickly went into the myriad exposures in telephone systems and infrastructure. The telephone companies’ near total lack of concern for security and privacy was made very clear as Jim showed images and recounted stories of systems and equipment left wide open or “secured” by a single common bolt through a door. The layout and space available in telephone company boxes by the side of the road make very low-tech eavesdropping simple: wiring is labeled and there is plenty of room to put a recorder inside the cabinet. Several photos of compromised equipment were shown, with enough explanation to make it clear that you do not have to be an expert to eavesdrop on telephone conversations.
As the session continued, the focus moved through numerous weak points in telephone security, from the telephone on the desk to the telephone company Central Office and everything in between. The number of potential points of compromise is staggering, but it was also made clear that most IT people already have the skills needed to handle routine inspections. Many simple listening devices can be found with a flashlight, a ladder, and a lot of patient investigation. Tape recorders in suspended ceilings, stray wires in connection boxes and shiny things where they don’t belong are just a few of the things which can be found without any special skills or equipment. (But I’m a tool junkie, so when he started talking about the Fluke 289 meter and Fluke 199c oscilloscope I added them to my wishlist.)
Once the X-rays of telephone equipment and close-ups of modified circuit boards came out (notice that there’s supposed to be a diode there, but someone replaced it with a capacitor…) we were headed into real spy vs. spy territory. Tracking down covert channels requires identifying, mapping, and physically and electronically testing every conductor out of an area. Even the conduit and grounds can be used to carry signal, and they have to be checked. This is the type of work best left to the pros, but Jim showed and explained some of the techniques used to detect signals in wired and wireless eavesdropping systems. Done properly, it takes the pros a few days per room to sweep for listening devices.
VoIP (in)security has been beaten to death in many venues before, so Jim didn’t dwell on it in this talk, but he did remind the audience of some of the basic flaws and some best practices in VoIP. He stressed that using VoIP on a cable Internet connection is a very bad idea (shared medium: your neighbors might be able to listen to your conversations with tools we know and love such as Wireshark, Cain and Abel, VoIPong, etc.). Jim also stressed network segmentation, keeping the voice and data networks separate to minimize eavesdropping from computer systems on a shared network.
Steven Levy just gave a very engaging and fun talk on the history of hackers and the paradox of hacking. The fact that Steven was talking about history that happened a few blocks from here made this talk even more engaging. The term hacker was born at MIT 50 years ago. Along with the hackers came their ethic: “Information should be free.” With this ethic comes a paradox: free information, openness and accessibility lead to exploitation, but they are also useful and a pleasant thing. They let society thrive. The hacker ethic shaped the way the PC worked. The homebrew hackers thought the same way. And when the Internet was designed, it inherited some of the same ideals: openness was inherent in the design.
Steven gave a bit of an overview of the story around the term hacker and the hackers themselves. It all started at MIT’s Building 20 and Tech Square, back then with the model railroad club. The members of the club called themselves hackers. At MIT, they call something creative a hack, like covering the dome with aluminum foil. Not only the railroad club members but also the students working on the very early computers called their work hacking. And with hacking came the philosophy that everything they did should be shared. If someone came up with a better method of doing something, he would improve the program, no questions asked. Even when the first game, Spacewar, was written on one of the computers, it didn’t belong to anyone. The concept of intellectual property didn’t exist for the hackers.
The term hacker got a bad reputation from some vandalism that a group in Minnesota caused. This group broke into some government computers and someone used the term hacker to refer to them. That’s when the hackers got a bad reputation.
What I found interesting is that computer security back then was represented by the admins. They locked away information, access codes, etc., and the hackers found ways to get to that information or the keys. The higher the admins made the walls and the better the safeguards, the cleverer the hackers got about circumventing the safeguards (even C2 safes). At some point the admins gave up and the two sides came to an agreement of privacy: the hackers would be allowed to do whatever they wanted, but they could not talk about where exactly they went. It seemed to work. An interesting approach to security!
The stories went on and on, and Steven talked about Whitfield Diffie and how his hunger for crypto and privacy resulted in the birth of public key crypto. Following that, Rivest, Shamir, and Adleman invented the RSA algorithm, also over at MIT.