or – One CISO’s reaction to BH/DC 2007
In this episode of the drama which is Liquidmatrix, we find “Blogger Myrcurial” interviewing “CISO Myrcurial” regarding the two fabulous Vegas productions.
Read more after the fold – you’ll like it, I swear.
Q: Was there value in sending yourself?
A: There are two kinds of value that I derive directly from Blackhat – one is the tight mixing with the vendor community and the ease of access to their senior technical people (which is sometimes quite hard to arrange as part of the pre-sales cycle) and the dynamics of the crowd as it relates to the presentation – gives me a good handle on where the thought leadership is going – as it pertains to both individual speakers and the philosophies or schools of thought that they adhere to. DEFCON however, is primarily a guilty pleasure. I’d like to believe that I still have some tangible link to the hacker past that spawned me, but I’m not entirely sure that I do. In the meantime, it’s an opportunity to see junior staff or potential junior staff in a light where they are not under the normalizing pressures of the confining corporate environment – how do they perform when there is a different set of rules.
Q: Was there value in sending a subordinate?
A: With the kind of people that I find myself hiring, it is easy to use attendance at blackhat/defcon as part of their total compensation package – they perceive the value of the time/cost to be greater than the budget line that I have to manage – it’s an ideal way to balance the legitimate needs of the organization to have information security analysts who are *excited* about doing their job with the rather dismal practical realities of finding ways to encourage positive operational behaviours (read the damn logs today PLEASE!!!!!!!)
Q: Blackhat Training, Briefings or both?
A: Well, if you’ll follow along, you’ll have noticed that I did not attend Training, only the Briefings. Everything I’ve heard about the training is that it is absolutely a mind-f**k and is highly recommended. My career arc seems to have taken me outside of the usual training options. I would be interested in having some of the physical security world represented in the Training curricula as I find myself working in that world more and more as my physical security colleagues and I work more closely.
Q: DEFCON as a “must do”?
A: Well… OF COURSE. If you’re part of the culture, it’s as obvious as spring break is to fraternities and sororities. It’s not often that you spend time surrounded by people who actually understand you when you describe your job – usually, you get the blank stare followed by “So you work with computers?” – I’m looking at you Grandma! DEFCON will likely remain *the* event for the hacker (non-derogatory) community in North America.
Q: Vegas as a town in which to do business?
A: If you’re the Donald, probably. If you’d like to spend your mornings (early mornings) working on Eastern time, you’re going to be *very* disappointed in the facilities. Caesar’s has excellent rooms, excellent facilities, and really is a pre-eminent hotel. But by today, I’m dying for my Aeron and a desk that’s the right height (and optical mouse compatible). Oh… and if you’re going to put a frakin HD TV in the room, you MUST feed it some (any) HD content. Thank-you-very-much.
Q: Best Session?
A: I’m kinda stuck – they’ve all blurred together at this point. I think that the session with Alexander Muentz on how to protect your IT infrastructure from the Legal system was probably the best delivered speech. It was entirely 101 content, but from a field that many/most hackers have had very little exposure to. He summarized the content in a such a fashion that it was both easy to learn and easy to memorize.
Q: Worst Session?
A: Do.Not.Get.Me.Started. – This is one of the overriding complaints that I have – too many sessions were of the $topic 101 variety. In the same way that not every networking book needs to have the OSI upside-down triangle in the first chapter, not every presentation needs to start with “and this is how $topic works” for 80% of the time allotted. If you’re spending more than 10 minutes on the introduction, then you need to start with a statement that goes something like “ok people, you’re going to have to suck it up and either have prepared for this session or just try to stay out of the way while I talk”. It’s the goon principle of management as applied to speakers. Speakers aren’t there to be your friends, they are there to inform you – violently if necessary.
Q: Memorable moment?
A: “Priest is *NOT* *HAPPY*!!!!!!!!!” Followed by the sound of a thousand little geeks peeing their pants.
Q: Famous people collision?
A: Well, I had a recognition moment with Jon Callas (PGP) which felt pretty good – I’m not actually a very memorable person – right on the bell curve for geeks – middle height, middle weight, Caucasian, brown hair, glasses – anyone who can remember me is doing pretty darn good. (Unlike Mr. Photogenic up there!) I also had the opportunity to meet Bre Pettis from Make Magazine (who may have one of the coolest jobs in the world) and took the chance to speak briefly to him about how Make and Craft Magazines are helping me to instill the hacker ethic in my kids – teaching them that if you can’t mod it, you don’t truly own it… and in the case of my son, if it’s still working, you haven’t finished (modding|breaking) it.
Q: Best non-session attraction?
A: People watching. One of the best parts of both shows is people watching. I have no idea which major grouping I appear in, but I think I’ve narrowed it down to: “The sluts, the bloods, the wasteoids…” oops. Wrong movie. There are the really hard core nerds – people who can converse with each other using grammatically correct TCP packets. The Freaks – DEFCON is only a counterculture to some of us, many of them are actually living the life of the cast from “Hackers”. The geeks – the rest of us, we do this for a hobby or an avocation or both, many of us are paid to do it well. And lastly the “poseurs” – Joey Joey Joey… you don’t have a handle and you *never will*.
Q: What did you buy in the vendor area?
A: See previous post. I think I’ve been forgiven. Maybe. I also bought some music, some t-shirts, the only caffeinated thing that didn’t have artificial sweetener (one chemical only Vassily), and paid my EFF dues for another year.
Q: Are you glad you didn’t move to the Riv for DEFCON?
A: Oh Lordy Yes. Where Caesar’s was designed by a febrile 5 year old to support the needs of an overweight mid-westerner on holidays, the Riv was designed by Clark Griswold’s cousin-in-law Eddie. And is held to the same cleanliness standard. Note to Riv management – SOAP IN THE BATHROOM IS NOT OPTIONAL, NEITHER ARE TOILETS WHICH FLUSH. I can only imagine that the rooms have that permanent funk smell.
Q: How do you feel about the realities of having a tech conference in Vegas in the summer?
A: Nothing quite like the sight of a poseur in leather wearing wet shoes is there? Or a portly geek walking around in his own permanent warm rain.
Q: If there was one thing that you could fix, what would it be?
A: Honestly, I only have suggestions, DT, Priest, Noid, Agent X, Nikita – they’re all really fabulous people. Different, strange even, but really singularly wonderful. If there was anything I would change… it would be asking them to accept me as a helper in whatever capacity they determine that I’m useful for – I’m big enough to be a useful goon, I used to work with the mentally disabled so I have the training to handle the average attendee, and well, I’m a pretty good technical/managerial type who can present well… I’m sure they need “fronts” every now and then. I’m not begging, but it would make me happy to be able to do anything to help. I think that DEFCON can keep getting bigger (I heard over 15k people this year) but it’s going to need a thicker management structure with more delegation in order to work – and besides, DT doesn’t have any more room to add additional radios on his tacvest.
Q: What would you give as your best advice to a CISO who is attending for the first time?
A: If you are part of the culture (like me), just go already. If you are not part of the culture, and worried about sticking out, go already – play the part of avuncular older participant… but above all, PARTICIPATE. If you go to DEFCON and only catch the speaking tracks, YOU HAVE FAILED THE MISSION. 50% of DEFCON is *not* the speaking tracks. Jump into the aCTF area and learn, pick a lock, just Chill and listen, contribute where you can, argue, discuss, teach, learn, mentor if the other is receptive, but *PARTICIPATE*.