Wednesday, August 8, 2007

Post BlackHat 2007 / DefCon 15

This is the trendy thing to do. It's the first full week of August and everyone is just getting back from BlackHat and DefCon -- it's blogging time. A race to see who gets up the most informative, complete synopsis of the festivities. Me? There is no race because it's the same old shit.

OK, that's not completely fair. There were some new and cool things presented at the aforementioned cons, but I've got two gripes.

One, much of the security conference space is very, very incestuous to the point where it is reasonable to assume that 25+% of the presentations that occur at cons in the mainland United States, or make Slashdot, have already been presented somewhere else within the past 6 months or will be recycled again before the year is up. If a given presentation doesn't strictly fall within that 25% bracket, there is a very good chance that it is just a modified or updated talk from the past year. I didn't drive 4 hours across the 110-degree desert for you to take $2k of my money only to chew my ear off for approximately an hour on a subject that is, at least among the clued in the security space, almost common knowledge. NAC is broken?! If you transmit cookies in the clear but content encrypted, you will be embarrassed?! Say it ain't so!

Secondly, this presents a unique situation for me with my employer and others like me. Sure, there were more than a few "new things" that we have to worry about in our day-to-day jobs, but in all honesty, many shops still have yet to master the basics. Many places that I know of or have been in are still struggling with the concept of why "security by obscurity" is a bad idea and plain-text protocols. While this adds more proverbial fuel to the proverbial fire, it does little to help us improve the security of our organization.

Don't get me wrong, I was very pleased with BlackHat this year. DefCon too. 9 days in Vegas can really start to get to you, but that is why god invented Shark Week. I ended up bailing early in the hopes of re-acclimating to Los Angeles before starting work again. To those that I did not see because of my anti-social behavior, I'll make it up to you.
