Archive for the 'Public Speaking' Category

Apr 06 2014

NSP Microcast – BSides London 2014

This afternoon I had a chance to talk to two of the main organizers of one of the biggest security events of the year, BSides London.  Paul Batson and Thomas Fisher have been working tirelessly (or maybe tiredly) for months to bring together all of the disparate elements required to make a conference come together.  And it’s no mean feat when the people you’re working with are all volunteers and the money comes from sponsors, both of whom believe in your cause.  This year will be my first chance to go to BSides London (this is the fourth) and I’m really looking forward to it.

-Martin

NSPMicrocast-BSidesLDN-2014
Time: 18:00

No responses yet

Mar 20 2014

European InfoSec Blogger Awards

Next month is Infosecurity Europe here in London, taking place from 29 April until 1 May, as well as BSides London on 29 April.  I’ve never had the chance to go to either event and I’m really looking forward to my first time.  Another event that’s happening alongside both of these is the European Security Bloggers Meetup at the Teck Pub (appropriately named place for our group).  Many people may not know it, but I’ve been one of the people organizing the RSA Security Bloggers Meetup from the very start and I’ve been the MC for almost every single one.  So I’m very excited to see how the event translates to London and the European community.  I know it won’t be the same event, which is why I want to go.  Brian Honan is hosting with a little help from Jack Daniel and Tenable Security, which pretty much guaruntees this will be a most interesting shindig.

One of the aspects of the Meetup since the second or third year has been the recognition of bloggers and podcasters by the security community, the Security Bloggers Awards.  As one of the organizers of the Security Bloggers Meetup, I’ve always held my blog and my podcast as being out of the running for any recognition in the RSA version of these awards. I didn’t want there to be any potential conflict of interest with the awards, so it was easier to opt out of the competition all together.  Some people might say it’s because I feared folks like the Security Weekly Podcast and Exotic Liability taking the awards even with my competition, but I’m going to stick with my story of conflict of interests.  

But a funny thing happened last year; I moved my family to London.  Which means I’m now a European blogger and podcaster.  And since I have absolutely nothing to do with the European Security Bloggers Meetup or the European Information Security Bloggers Awards, I feel free to compete and do my best as a transplant to take whatever awards I can wrest away from the natives!  It also helps that the only ‘competition’ here in the UK that I know of are the Eurotrash Security Podcast and Finux Tech Weekly. And I’m pretty sure you have to have actually posted within the last year and you can’t have any pictures of WickedClownUK in spandex.  Not just can’t have them on your site, you can’t even be in possession of them.  Since the ‘rules’ of this competition are … well, non-existant, if I can convince voters of these requirements, it helps my efforts.

So go vote for Rich, Zach and me as the hosts of the Network Security Podcasts for Best European Security Podcast of 2014!  Sure, I’m the only one of the three of us that actually lives in Europe.  Yes, I’m not really European, I’m an American transplant.  But none of that is nearly as important as not letting Chris John Riley win the award!  So vote early, vote often, and just vote for the Network Security Podcast!  Or at least go vote, since I’m not really all that attached to winning an award, truth be told.

Hmmm, vote for the Network Security Blog as the Best Personal Security Blog too while you’re there.  Maybe I do care about awards after all.

 

 

No responses yet

Mar 15 2014

NSP Microcast – BSidesSF with Trey Ford

I caught Trey Ford right after his talk at the BSides Conference in San Francisco last month to talk about the efforts he’s making on behalf of Rapid7 and the security community.  It may be a sign that we’re a maturing industry when we’ve got folks like Trey traveling to Washington, DC in order to talk to lawmakers about how what they’re doing affects our lives.  And, as with all my interviews this year, I ask Trey how revelations about our government has affected his personal as well as professional life.  Check out his site at Password123.org.

NSPMicrocast – BSidesSF – Trey Ford

No responses yet

Jan 23 2014

But first, BSides…

I’m looking forward to this year’s pilgrimage to San Francisco.  Not that it’s ever been a pilgrimage before, since I lived 60 miles away, but now that I live near London, it’s a much longer trip.  I’ll be arriving in San Francisco a few days early for a couple of reasons.  The first is to visit my family and friends in the Bay Area, who I haven’t seen since I moved away.  The second reason is to attend BSides SF on Sunday and Monday.  Which, in many ways, is also a visit to friends I haven’t seen since moving.

Let’s assume for a second you’ve never attended a BSides event.  It’s community led, it’s free, and each one is unique.  BSides SF is being held in the DNA Lounge, which has been a fixture in San Francisco for as long as I can remember.  Think of a funky, grungy, dark underground bar.  Then add in a couple of hundred hackers, security devotees and a few people who happened to find their way into the event with little or no idea of what’s going on.  The talks range from first time speakers (something that’s strongly encouraged) to some of the best speakers in the realm who want to step outside the confines of a business conference to talk about things that aren’t quite politically correct.  Finally, add in a healthy dose of chaos and an even healthier sprinkling of community and you have some idea of what BSides is.  But unless you actually attend, my description is never going to be adequate to capture the true energy of the event.

I make no bones about it, for me conferences are about meeting the people there, not about the talks.  However, the talks at BSides tend to take a higher priority than they do elsewhere.  While some of the talks are a bit rougher than those at conferences you pay for, the fact that people are speaking with unfiltered passion more than makes up for it.  And a number of the talks simply couldn’t be given at a corporate event.  I’m looking forward to Morgan Marquis-Boire’s (aka @headhntr) talk, even though he hasn’t publicly stated what it’ll be about yet.  Morgan has worked on uncovering a number of government surveillance schemes around the globe, so anything he’s chosen to talk about has to be interesting.  Along the same lines, Christopher Soghoian’s talk about living in a post-Snowden world is a must for me, even though I often find myself disagreeing with with what Chris says publicly.  What can I say, privacy has always been a favorite topic of mine and has never been something that’s more in need of open, public discussion.

I’m also looking forward to seeing three of my friends on one panel, Jack Daniel, Wendy Nather and Javvad Malik discussing how to talk to an analyst, or rather how not to talk to an analyst.  Javvad gave an excellent PK (20 slides, 20 second per slide) talk at RSA EU covering all the horrible slides he sees again and again as an analyst.  The trio will be entertaining at the least, and I might even learn a little about talking to analysts myself.  Ping Yan’s talk on using intelligence looks interesting and has potential for my day job, so I’m going to try to find a seat for that talk as well.  And I have to support my podcast co-host Zach Lanier, even though I usually understand about half of what he’s presenting on any given occasion.

There are other interesting talks, if I can sit through the talks I’ve already mentioned, it’ll probably be the most I’ve seen at one conference in a long time.  I have a pretty short attention (Squirrel!) span, and I’d rather be talking with the presenters than simply listening to them passively.   I’ll have a mic and my Zoom H4, so it’s entirely possible I’ll be able to get a few of them to spend a few minutes doing exactly that.  Which means I can share the conversations with you as well.

 

No responses yet

Jan 19 2014

Prepping for RSA

It’s funny.  There are two distinctive groups I get invites to meet with at the RSA conference: the early invites from companies that are hungry for coverage, any coverage, and the last minute invites from companies who didn’t get as many interviews as they’d like and are looking to fill one or two last interviews from second (or third [or fourth]) tier ‘press’ such as myself.  There are a few invites that come somewhere in the middle, but they stil tend to gravitate towards one of those two ends of the spectrum.  And it makes setting up a schedule for RSA extremely hard sometimes, since I tend to want to leave one or two slots open to make time for the last minute invites I find intesting.

Speaking of interesting, I think the most interesting story of the conference will be the boycott by a few speakers and the reasons behind it.  I wonder how many of the company representatives I speak with are even going to be aware of the fact that a boycott is happening and if it will affect them in any way.  As I’ve said before, I’m not really in support of the boycott, but I understand the reasons a number of professionals are supporting it and I think they have every right to.  So asking other attendees and sponsors how they think the boycott has affected them should get some interesting responses.

In any case, now it’s time to start responding to the invitations to meet I’ve already gotten and try to figure out how I can fit everything in along side my professional duties.  Many years I’ve created microcasts throughout the conference, something that’s incredibly hard to find the time and energy to do.  Last year I mostly abandoned them, but I think I’m going to try to do microcasts again.  But I reserve the right to drop them if time doesn’t allow for it.

No responses yet

Jan 06 2014

Still going to RSA

In the last couple of weeks Mikko Hyponnen from anti-virus company F-Secure announced that he won’t be speaking at the RSA Conference in San Francisco at the end of February.  His reasoning is that the company, RSA, colluded with the NSA for a fee of $10 million in order to get a weakened version of a random number generator included in the public standards, a move that makes the whole suite of encryption standards easier to crack.  As Mikko points out, RSA has not admitted to this accusation, but they haven’t denied it either.    So Mikko has pulled his talk and has publicly stated that as a foreigner, he doesn’t feel right supporting the conference.  I understand his sentiment, I see what he’s hoping to accomplish.  But I don’t think boycotting will do much, other than gain Mikko a little bit of attention short term and harm his reputation long term.

The first problem with boycotting the conference is that RSAC is, for all intents and purposes, a side company from the RSA corporation.  It has it’s own management structure, it’s own bottom line, it’s own profit and loss reporting.  And it’s only a small fraction of the overall revenue stream of the corporation. As such, any impact that boycotting the conference might have is going to be highly dilluted when it reaches the management of the central corporation.  Yes, at some point in a meeting it will be discussed that a speaker has withdrawn over NSA concerns, maybe even a dozen other speakers will join in a show of allegance.  But the conference organizers will simply pick from the dozens of alternative speakers of nearly equal capability and move on.  Senior management might lose two or three minutes of sleep that night, but nothing more.  And any impact that having a particular speaker boycott has can easily be written off as being from other, much larger changes that RSA is making to the conference lay out this year. 

The second problem I have is that while Mikko has stated he’ll be boycotting the RSA Conference, he’s said absolutely nothing about F-Secure boycotting.  As a vendor, I know that marketing departments have to commit to the conference at least a year in advance and I’ve heard that some commit to multi-year contracts in order to get better pricing.  The small booths at either end of the halls cost tens of thousands of dollars, while the big booths in the center of the floor cost the vendors several hundred thousand dollars when all is said and done.  If Mikko wanted to make a statement that would really be heard, he’d have F-Secure withdraw from the RSA Conference this year and for the next few years.  Except he can’t.  Any vendor that’s mid-size or larger in the security field has to be at the RSA conference.  In many cases, this conference is the keystone for the whole marketing effort of the year, and any talk of a boycott would be immediately quashed as an impossibility.  Quite frankly, if you’re a security vendor and you don’t have a presence at RSA, you’re not really a security vendor and everyone knows it.  

The third issue I have with the boycott has nothing to do with Mikko and is closely related to the vendor point; it’s become a popular meme since Mikko’s announcement for security professionals to say they’re going to boycott RSA as well.  I’ll be honest, I’ve never paid to go to RSA, I’ve always had a press pass, gone as a vendor, or gone as a speaker, more than once as all three at the same time.  But even if I was, the money I’d pay to go to RSA is still insignificant when you compare it to what the organization makes off of the sponsors.  It would take a huge number of attendees failing to show up in order to make an impact.  Given the growth rate of the converence over the last few years, it’s most likely that even a thousand people joining up in a boycott would simply lead to a flat growth rate at best.  Additionally, similar to vendors, most people who are attending and have their company pay for it have already purchased their tickets and a boycott at this point would be more detrimental to them than it could be to the RSA Conference.

If you think that NSA has been behaving badly and you really want to have an impact, go to the event and talk to people at the event.  If you’re a speaker, change your talk to include a slide or ten about what you believe RSA has done wrong.  You might be right or you might be wrong, but you’ll have a chance to tell your story to the several hundred people in your audience.  If you’re an attendee, go to the conference and talk to other attendees, tell them why you think the RSA Corporation has crossed the line and spread the word.  You gain almost nothing by throwing a temper tantrum and leaving the playground.  But if you attend, talk to people and raise awareness of the issues, you let others know that something isn’t right, something needs to be changed.

I wish Mikko the best, and maybe his boycott has raised awareness some.  But all the people who say “Me too!” aren’t going to have an impact.  They might feel better about themselves for a short period of time, but all their really doing is cutting themselves off from one of the biggest events in security.  It’s better to attend, be social and spread your opinions that opt out and leave your voice unheard.  I’m attending as a blogger, as a podcaster, as a speaker (panelist, really) and as a vendor.  It would have more impact on me and my career to boycott than it ever would to the RSA corporation.  

If you really want to send the RSA Corporation, quit buying their products and tell them why.  Now that’s a message they’ll hear loud and clear.

 

 

8 responses so far

Nov 21 2013

Had fun in Norway

I got invited to speak at the annual dinner of the Cloud Security Alliance in Oslo, Norway earlier this week and had a lot of fun at the event.  I always enjoy visiting cities I’d probably never see if not for my job.  Even more importantly, I love talking to people who are outside of the conference circuit and the echo chamber that is twitter.  It’s always interesting to see how these people see security differently than I do and differently than most of the people I hang around with (digitally, at least) do.  I appreciate the invitation Kai Roer (@kai_roer/kairoer.com) extended to me and I’m glad I went.

The other gentlemen who talked at the event was Mo Amin (http://www.infosecmo.blogspot.co.uk/) a London-based security professional who was giving what was only his second ever talk in front of a crowd.  There were some rough edges to his talk, but then again, there are enough rough edges to my own talks that you could grate cheese on them.  But Mo brought up some points about security awareness and training that many security teams need to be thinking about.  Specifically, he asked how many of us are teaching to a plan we developed in a vaccuum without understanding the needs of our audience or having talked to the people we’re trying to communicate with before hand.

It’s surprising (or maybe not) how many security training seminars are something that was developed by people who are more concerned with what the target “needs to know” as defined by the trainer.  We spend a lot of time developing the training based on what we believe our co-workers need to know to be secure, rather asking them what they’d like to know about and how they’d like to be taught it.  This is by no means true of all security teams, but it’s more prevalent than it should be and it’s thought of as ‘the right way to do things’ by many people.

Mo related a lot of his past experience from teaching English abroad to teaching security within a company.  And when you think about it, from the point of view of a lot of our co-workers outside of security, we really do speak a different language in our little club.  So maybe it’s worth taking some time out as you develop training to talk to your users in order to find out how they’d like to be taught. It might be interesting to see how that changes your effectiveness.

One response so far

Oct 21 2013

RSA EU is all too soon

Published by under General,Public Speaking

Next week is the RSA Europe conference in Amsterdam.  I’m speaking three times at the conference, once as a sponsor, once with my own topic and once in a lightning talk, aka a Pecha Kucha talk.   And at just 6’40″, it’s the PK talk that scares me the most.

The PK talk scares me because it’s such a rigid format.  20 slides set to forward automatically every 20 seconds means you have to have your patter down.  I don’t usually speak in public like that.  I generally use my slides as a template that I can hang talking points off of, but I don’t have a rigid script I’m talking to.  This lets me control the pace and the timing as I want to, rather than needing to go at a set pace.  So, yeah, it scares me.

The other part of giving the lightning talk is that some of the best speakers in security have given them, and I can’t help but compare myself and be found wanting.  Katie Moussouris, Josh Corman, and Rich Mogull, all friends, have given the talks and rave about how much fun it is, but they also talk about how hard the format is.  Any one of them probably have a dozen times the speaking experience I do, and if they found it hard, how is it going to be for me?  

So, if you’re in Amsterdam next week at RSA Europe, whatever you do, don’t come to the lightning talks!  Don’t come see me embarass myself!  I already feel like an idiot abroad, don’t make it any worse.

 

No responses yet