So while I was at some conferences over the past couple of months, I had an awesome idea while sitting in a panel about data breaches, especially notification. While streaming conferences is pretty awesome for most content, I keep thinking that we need that as an industry we need the exact opposite: a track of the conference that is completely off-the-record.

Here in DC when we do smaller training sessions, we invoke the Chatham House Rule.  That is, the discussion is for non-attribution.  There are several reasons behind this:

• You don’t have to worry (too much, anyway) about vendors in attendance selling you something
• It won’t end up in the press
• It gets real information to people instead of things that are “fit for public consumption”

My local area has a hackers association (No linkie, if you have minimal skill you can find it) that meets to talk about mostly technical stuff and what folks are working on.  I find that more and more often when I do a talk there I do it “Off the Record” for a wide variety of reasons:

• I don’t want the attackers to get more effective
• I have half-baked ideas where I want/need feedback on if they are completely off-base
• The subject matter is in a legal gray-area and I’m not a lawyer
• I talk “on the record” all day every day about the same things
• I can “test-drive” presentation material to see how it works
• I can show nuts and bolts

So, the point of all this is that maybe we need to start having more frank discussions about what the bad guys are doing “in the wild” if we want to stop them, and that involves talking with peers from other companies inside the same industry to see what they are getting hit with.

Chatham House Rule photo by markhillary.

• Massively Scaled Security Solutions for Massively Scaled IT
• Metricon 5 Wrapup
• Civilians Ask “What’s With All the Privacy Act Kerfluffle?”
• Privacy Camp DC on June 20th
• Where is Rybolov?

My DDoS presentation at DojoCon on Sunday.  A big thanks to Marcus J Carey for organizing the con and Adrian Crenshaw for doing the recording.

• DojoCon 2009 Presentation
• Barcode Hacking
• DDoS and Elections
• Massively Scaled Security Solutions for Massively Scaled IT
• DDoS Planning: Business Continuity with a Twist

I’ll be speaking at Akamai’s Government Symposium on November 10th on the security of our platform and incorporating us into a Government IT environment: risk management, regulation, compliance, and delineation of responsibilities.  If you’re interested in Web Security, Government, FISMA, and/or Cloud Computing, it should be something of interest to you.  Even if you’re working in State and Local Government, there will be something of interest.

Event page is here.

Disclaimer: obviously I work for Akamai.  Nothing I blog about represents the official position of my employer.  From time to time, Akamai even claims me.  =)

• Where is Rybolov?
• Metricon 5 Wrapup
• The Long Tail and Security Posture
• More on Georgia’s FISMA Reporting
• Reinventing FedRAMP

My talking schedule over the next couple of months:

October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.

November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.

And coming to you, if you give me a call.  =)

• Where is Rybolov?
• DojoCon DDoS Video
• Metricon 5 Wrapup
• The “Off The Record” Track
• Massively Scaled Security Solutions for Massively Scaled IT

Metricon 5 was this week, it was a blast you should have been there.

One of the things the program committee worked on was more of a practitioner focus.  I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.

I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.

You can go check out the slides and papers at the Security Metrics site.

My slides are below.  I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.

• Massively Scaled Security Solutions for Massively Scaled IT
• Why We Need PCI-DSS to Survive
• DojoCon 2009 Presentation
• Building A Modern Security Policy For Social Media and Government
• Professor Rybolov’s Guide to InfoSec and Public Policy Analysis

This was announced a couple of weeks ago (at least 9000 days ago in Internet time) so now it’s “old news” but have a look at Metricon 5.0 which will be in DC on the 10th of August.

It’s a small group (attendance is capped at 60), but if you’re managing security in Government, I want to encourage you to do 2 things:

• Submit a paper!
• Attend and learn.

I’ll be there doing a bit of hero-worship of my own with the Security Metrics folks.

• Metricon 5 Wrapup
• NIST Framework for FISMA Dates Announced
• C&A Seminar in August, Instructor-to-Coolness Ratio Goes Up!
• Certification and Accreditation Seminar, March 30th and 31st
• “Machines Don’t Cause Risk, People Do!”