A New View of RSA

A year ago I told my colleagues at CNET “If I’m covering RSA next year, just shoot me.” I gave myself a year to get out of journalism. After starting to look for a job in earnest following Defcon, I landed here at the Bateman Group in October.

This year, I’m back at RSA but in a much different role. Instead of running around from session to session to meeting to press room and filing stories like mad, I got to attend sessions and keynotes at leisure, meet friends for lunch, have long, spontaneous conversations in the hallways with industry contacts, and go to networking events at night (cough, parties…) with no deadlines hanging over my head. A journalist friend commented on how I seem so relaxed and happy. She’s right.

Internet pioneer and Googler Vint Cerf

In addition to the deadline stress, one of the things that used to frustrate me about covering RSA was the fact that in many ways things haven’t really changed since I covered my first RSA in the mid-90s. The bad guys are breaking into networks and stealing data, and the good guys are trying their damnedest to keep them out and are failing. True, over the years the computer attacks have gotten scarier – fewer website defacements but lots of credit card data theft, much more corporate espionage and even sabotage targeting industrial control systems (Stuxnet). And smartphones and social networks offer even more attack vectors and sources of data leaks. But many of the security products are useless and companies still aren’t following basic security measures. Hell, we haven’t even solved the password problem yet.
Wolfgang Kandek, Qualys CTO

Having said all that, there is interesting stuff happening at the show. For instance, Internet pioneer and Googler Vint Cerf talked about how computer security challenges are spilling over into other areas of our lives, through Internet-enabled refrigerators, medical devices and even light bulbs. And he urged the industry to come up with a strong authentication platform to protect all these connected devices and the people who use them. Philippe Courtot, chairman and CEO of Bateman Group client Qualys, called on the mobile platform providers to share their APIs so security vendors can put security “agents” on devices that can report incidents to servers in the cloud for analysis and prevention. John Pescatore of the SANS Institute talked about the 20 Critical Security Controls, basic precautions that, if followed by corporations, could prevent the vast majority of data breaches that occur.

Philippe Courtot, Qualys Chairman and CEO
Meanwhile, Howard Schmidt, former U.S. cybersecurity coordinator and CISO at Microsoft, and CSOs from Google, Visa and U.S. Bank talked about the challenges they face working on risk reduction inside of corporations. “We tend to speak Klingon to Captain Kirk all the time,” was how Jason Witty of U.S. Bank put it. In a panel, Qualys CTO Wolfgang Kandek, HD Moore of Metasploit and Rapid7, Ron Gula of Tenable and several others discussed the IPv6 landscape, which is already dotted with addresses in the next-generation networking protocol but is not tamed yet and has the potential for lots of unwanted surprises.
Howard Schmidt - Former White House Cybersecurity Czar and Qualys Board Member

And then there was major drama with BSides San Francisco, the much smaller and more loosely organized security conference that happens the same week as RSA and focuses on everything but products. Security researchers were up in arms about a talk BSidesSF cancelled after a complaint that its content would be harmful to females in the audience. Blogger Violet Blue was scheduled to give an “underground talk” titled “sex +/- drugs: known vulns and exploits” that deals with issues of “harm reduction,” which is arguably a very tenuous connection to the subject of computer security. (More details on Violet Blue’s blog.) Research talks have been cancelled numerous times at security conferences after legal threats and claims by companies (Cisco) and government agencies (FBI, Massachusetts subway system) that they would compromise real-world computer systems or violate the Digital Millennium Copyright Act. But this is the first I’ve heard of one cancelled because it had too much sex in it. Someone with The Ada Initiative argued that talks on sex should be banned from security conferences because they create an unsafe environment for women in a community where many women already feel threatened (See my CNET article all about this topic after Defcon last year — Sexism and the single hacker: Defcon’s feminist moment).

Hacker conferences should do what they can to create a safe environment for all participants, including but not limited to women, minorities and gays. But banning a talk purely because the topic is sex is censorship pure and simple. And it’s anathema to what hacker culture and security conferences are all about – open exchange of information and ideas.

I love the security community and I’m glad to be able to go to RSA. Not only are the people smart and colorful (whether they be white hat or black hat), but they are on the cutting edge of research that impacts security, privacy and how we think about and use technology every day.