StillSecure, After All These Years

Hi! If you haven’t noticed I have not blogged for over a week.  That is a long time for me to go without a word on here.  My dropping out involved more than blogging. I dropped out of most everything except being a daddy and husband.  It had been way too long since I actually unplugged and just spent time with my family.  My friend Brad Feld writes a lot about work-life balance.  I was badly in need of some balance. Unlike most people I actually love what I do.  But when it becomes work and I don’t like doing it, something is wrong and my work suffers.  Shortly after my work suffers, my family suffers because I become some sort of proto Mike Rothman-like grump.  That does not make for a happy home either.  So I unplugged for the week. Went fishing with my sons, played baseball, sailed a Hobie Cat, spent quality time with my wife and generally just unplugged.  The picture to the left is a bonito I caught.

Anyway I am back now, recharged and ready to rock n’ roll. I am excited to get on the road and start talking to people again. Black Hat will be here in a few weeks and I am looking forward to it! The Security Bloggers Network continues to grow and we have some announcements coming out around that as well.  Also, I am going to be doing a new series of podcasts on some great new topics that I am very excited about.  I have enlisted the StillSecure marketing team to help me promote them.  You will be hearing more about them soon! Generally I am ready to dive back into the security fray. It seems like the challenges are greater then ever and we have lots to do to keep up.  Looking forward to it!

Well it was a whirlwind couple of days. I flew up to NYC early Monday morning and flew home from the Black Hat DC briefings late last night. 

This was my first Black Hat DC, after attending many of the Vegas editions of the show.  The DC edition is a lot of fun.  Much smaller and much more low key then its glitzy Vegas brother, the DC show is really all about people who work for the government or for companies who do government work.  Of course the DC area is still thriving with all of the money the government is spending.

There was not a lot of vendors, maybe a dozen all told.  I caught up with a bunch of media folks and fellow security people.  I also got a real kick as each person that was lucky enough to get a free ticket to Black Hat from StillSecure came by to say hello and thank me.  Seeing people who read the blog and sometimes comment, but you never see in person is a lot of fun.

While Black Hat DC is not the biggest conference, it is one that I am going to add to my calendar every year!

I will be at Black Hat DC today catching some of the briefings and spending some time at the StillSecure booth.  If any of you are attending stop by and say hello!

Black Hat DC, while lacking the glitz and glamour of its Vegas sibling is a great place to dig in and learn. With a fantastic schedule of briefings and training, many security folks from within the Beltway and from without converge for 4 days of serious security.  The problem is of course that it is not cheap. A full conference pass is thousands of dollars and early registration has ended already.

The show this year is Feb 16th to the 19th at the Crystal City Hyatt Regency. StillSecure is a sponsor of the event.  As such the good people at Black Hat and StillSecure have made available a full conference pass that I can raffle off here on my blog.  So if you would like a free full conference pass to BlackHat DC (airfare and hotel not included) leave a comment on why you think you are most deserving.  Next Monday I will announce the winner!

Good luck and hope to see you at the show!

You can read plenty of other blogs about some of the great presentations at Black Hat.  So I thought I would take another angle and talk about some of the other stuff that may be important to you.

1.  secure@microsoft.com – This years hottest party was again the Microsoft party.  This year it was at the LAX club in the Luxor.  As usual there were quite a number of people at the door who thought they could talk their way in or worse yet were told they “were one the list”.  I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red eye flight home, so went right to the airport from the party.  As I wrote earlier, Microsoft is trying really hard on security.  But I couldn’t help but notice the irony of this grainy, lousy picture of the DJ booth at the party.  If you can, notice the computers that the secure@microsoft.com DJs are using. That’s right they are Macs!

2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant.  Hey I recognize it is Vegas and all, but EdgeOS went way over the line this year.  A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement.  I personally don’t like exploiting woman to make that statement, but I understand.  However, these guys had woman who were dressed so raunchy and classless, that I could not bring myself to post a picture of them.  Come on guys!  You want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class.  These girls looked like street walkers and do you and your company no favors.  Is that really the image you want to promote?  Grow up!

Authors note: I have received several requests to see a picture of the booth babes in question and judge for yourself. So I am including for you to make your own call

3.  The Security Bloggers Network – We are back!  With the end of the Black Hat show, the SBN is going back to being the SBN.  The old logo is back and our promotion with Black Hat is at an end.  However, I want to personally thank so many of you SBN members who blogged about Black Hat.  The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community.  Our network delivered big time with them and they are already thinking about ways we can work together next year.  I will keep you all posted on that.

We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons.  Next time we will work with the network members more closely in doing these affiliations.  Also, for any show like this we need to have an official bloggers get together.  Not because we don’t want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us.  Security bloggers are big time. We have a great community of people who get together. Lets make it better.

I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.

Anyway, another year of Black Hat is in the books. It was a good one and I can’t wait until next year!

----

Yesterday was a great day at Black Hat. I would tell you all about it, but it seems Mitchell thinks that it best that we don't talk about what goes on here at Black Hat. Now, far be it from me to break "Cardinal Rules" (has anyone ever really thought about what exactly is a "cardinal rule"? Why not a Blue Jay or Falcon rule?) but if we can't talk about it, what good is it. I think Mitchell is confusing divulging the really juicy Vegas stuff, from just the mundane. So let me tell you about my excellent adventure yesterday at Black Hat.

I was one of the multitude standing in the back listening to Dan's DNS report. You probably have already heard that it is bigger and worse than originally reported. I than spent a lot of time with the Microsoft people talking to them about their security stuff. I will tell you that despite many who rail against Microsoft, these guys actually are doing a great job on security and in dealing with the security community. Much better than a certain company named for a fruit whose marketing people killed the presentation of their own security research team. After lunch I took a front row seat to watch Hoff present on virtual security. He has some very pretty slides, but the message was clear. Great presentation by Hoff. I spent most of the rest of the afternoon catching up with lots of security bloggers here. I am amazed by the number of us here at Black Hat.

Had a quiet dinner with Mitchell (I would tell you about it but you know about what happens in Vegas with Mitchell) and than went to the Breach party at the Shadow Bar (I love that place, but it was too hot last night). We than went over to the Fuente cigar bar and next thing you know we were joined by about 30 of our closest security blogger buddies. It was a great time and their are pictures floating around twitter somewhere of it. We talked and laughed into the late hours, winding up at the Augustus cafe again for an early breakfast.

Well it is back to the show today and another round of parties tonight. Ah, it is tough living the life ;-)

I was reading the Security Bloggers Network feed this morning. I had missed a day or so and had a lot of articles to go through. I was also thinking of what could be the next topic suggested for members to blog about as part of our cross-promotion with Black Hat.  Than I realized there really was not any need.  The topic was obvious, DNS. I didn't do an actual count of how many times it was mentioned (as Mr Bump did with NAC vendors mentioned in the Information Week NAC survey), but there had to be at least a dozen and half, if not more articles on the great DNS leak of 2008. 

Dan Kaminsky's research was exemplary, but his naivete about people keeping the exploit under thier hat was not.  While Thomas Matasano apologized for his mistake, frankly from the moment Havlar Flake begain speculating on it, it was just a matter of time. 

Anyway, the cat is out of that bag, but something tells me that Dan K's presentation will still be a standing room only crowd in just a few weeks in Vegas.  But beyond that there are still a bunch of good topics to be discovered at Black Hat.  Not to mention lots of social activities brewing for both BH and DefCon.  I amreally looking forward to it. I would hope that no one is feeling the air out of the ballon on this one!

So our first topic of interest as part of the Black Hat Bloggers Network promotion was virtualization and security in honor of our own Chris Hoff presenting at Black Hat this year. While several members of the network wrote some really great stuff, I was hoping we would get more of a broader response from the 150+ blogs on the network.  So for topic #2 I wanted to pick something more generic and easier to blog on.  Our topic is why go to Black Hat.  Most of the blogger network members either go to Black Hat or wish they did.  Why?  Lets hear your reasons for going to Black Hat. Is it the briefings?  the parties? seeing old friends? what?  I am hoping to see a lot of blogs on this subject from all of our BHBN member blogs!

I should also point out that Black Hat is doing some great promos leading up to the show.  They have a great webinar coming up today that I totally spaced on because I wanted to give everyone more notice and time to register. In the meantime, don't be like Mike, I mean Shimmy, go register and check out the webcast!  Also be on the look out for some of the other great events they have cooking, as well as registering for the Black Hat Twitter feed.