You may call me an RSA Conference sycophant for my views, and rave about the amazing Black Hat, DEFCON and OWASP conferences, but as great as those conferences are, they only cover specific subjects, and not the whole field to which many information security professionals are confronting in their day to day roles. And don't talk to me about any of the other ‘sales motivated’ IT security conferences, where speakers are practically sales people pedalling wares on the back of distorted views and misinformation.
It might be the Best Security Conference but it's not Perfect
I'm not a complete RSA Conference fan boy either, as the conference does need to evolve and improve in certain areas. The stand out is the conference’s perception as an "US Conference on tour", a view held by many European security professionals. Until the majority of the speakers speak with European accents, the conference can never truly feel like a European conference. This is important as there are some fundamental differences facing European Information Security professionals. In Europe privacy is strongly linked to information security, an EU citizen's right to privacy is increasingly being championed as an essential human right by EU politicians. Rightly or wrongly human rights aren't regarded in quite the same way on the other side of the pond, hence death penalties, Guantanamo Bay and having your fingerprints taken like a criminal every time you visit. It is fair to say the US won’t be winning a Noble Peace prize any time soon. Earlier this year the EU announced new privacy laws and regulations which will impact every European Information Security professional’s role in the next few years, yet there was very scant coverage of this at the conference this year.
2012 Conference Highlights
For those who didn't attend but are considering attending a future RSA Conference, here's a taste of my main highlights of the 2012 conference...
Taking time out of his honeymoon, the founder of Wikipedia, Jimmy Wales was 'the' keynote speaker at RSAC this year. The charismatic Jimmy did not fail to disappoint in entertaining, but his views with online freedom of information, was always going to be the stand out part of his talk, after his decision to take Wikipedia down for 24 hours in protest of a US bill. A bill in his words would have given the US government Chinese type censorship powers in controlling the Internet. The bill was dropped following the Wikipedia protest, which he was very proud of. Jimmy made it clear he was anti-piracy but said the called "snooping bill", SOPA, was just bad legislation. Jimmy's views can be summarised with his final words, "the biggest threat to online freedom of speech is bumbling regulators".
RSA Conference front man Hugh Thompson was in typical fine form, and as always one of the main highlights of the conference. Another entertaining speaker was Eddie Schwartz's (RSA CISO), particularly his flash presentation, which was very amusing even if you don't agree with his "privacy is dead" messaging. Eddie also presented an insightful talk about targeted user account hacking with real world examples.
I saw a presentation by Bryan Sullivan (Microsoft & author of Ajax Security) on the latest application denial of service (DoS) attacks. With DoS coming back into fashion as a weapon used by hacktivists, Bryan focused on various the techniques and possibilities with application DoS. It was a highly technical talk which was right up my street.
Mitja Kolsek presentation on how to rob an online bank was an interesting one, although I wonder whether many banks today would be vulnerable to the types of attacks he outlined.
Bruce Schneier, InfoSec's answer to Chuck Norris, talked about the psychology of trust within human society and how it relates to information security strategies. I have a confession to make, in that I broke out of the conference for a couple of hours on Thursday morning to listen to Bruce talk very frankly about cyber warfare, which was one of the best talks on the subject I've heard in a while, more on that in another post. But these kinds of things can happen at RSAC, you meet some very interesting folk which can result in some very interesting spin off discussions.
On Wednesday I saw an outstanding presentation by James Lyne of Sophos, who gave a lively talk about the maturing cybercrime business, showing how easily it is for anyone to buy cybercrime as a service, and demonstrating several attacks.
CrySyS Lab, the company which first detected and analysed the Duqu worm, presented a technical review of state sponsor malware, which included technical briefs on Flame, Stuxnet and Duqu.
Finally, arguably the best part of the RSA Conference is the networking. The conference provides a platform for both speakers and delegates to mix and discuss information security, debate and exchange ideas, and to have some good old fashioned fun. I met people I known in the industry for many years, and I made many new friends. This is always my biggest take home and main highlight from the conference.
RSA Conference Europe 2013 - Amsterdam
After six years of hosting in London, the RSA Conference Europe will be moving to Amsterdam in 2013, likely a decision based on engaging better with Europeans and putting more bums on seats. It is clear to me that a significant amount of delegates that attend the conference are from the European continent. But I do wonder whether some of my fellow UK rooted security professionals will be able persuade their bosses to send them to Amsterdam next year. I'll certainly intend to be there next year, heck I might even apply to present again.