Friday, May 21, 2010

AusCERT 2010 in Review

Well, it's the day after AusCERT 2010. I thought I would post some of my thoughts and feedback on the event since I now have my own soapbox upon which to rant. Having said that, it's been three years since my last one and this is round #4 by my count, so I think I'm an AusCERT veteran by this point. But I would definitely welcome feedback/thoughts from others who attended.

The Good
There seemed to be more sponsors at AusCERT than ever before. Yay for AusCERT! Also, the Royal Pines is a great venue and the catering, as always, is awesome. Please keep it here!

Several talks deserve a shout-out as big wins in my book. I realise at least one or two of these may be controversial to some, but I'd like to shout them out anyway:

Stranger in a Strange Land: Reflections of a Linux Guy in Microsoft Windows, Cyber Intrusion: A Government Case Study, US Secret Service: Cell Phone and Embedded Technology Forensics, Black Hat, White Hat, Gray Hat, RedHat: What Dr. Seuss Forgot to Tell You About the Computer Hacker Community 2.0, The Rules of the Internet, and the Browsers That Break Them, A history of Microsoft exploit mitigations, Professional Vulnerability Research and Analysis (my personal favorite), John Stewart (CSO for Cisco - Closing Address).

These guys had really good presentations - everything from showing things previously unseen or treated as dark arts, to providing unique insights into particular issues, or even just inspiring people to look at things a little differently.

Of particular interest to me was the Professional Vulnerability Research and Analysis talk. I also wish I had made Setting the scene in vulnerability work, but for some reason I wound up in the wrong room listening to a McAfee talk about APT (again.... APT... sigh...). Vulnerability research is regarded as the blackest of black arts within infosec IMHO, and it's really refreshing to see industry professionals peeling back the hood and showing everyone what makes it tick. Chris, if you're reading this - I want to see a one-day training seminar. Thirty minutes didn't do your presentation justice. Also, I'd like to call out Daniel Grzelak and Paul Theriault for their talk, which highlighted some of the newer and evolving web security threats. With HTML 5 still being thrashed about, this talk gave a good overview of things to come.

The Bad
The speakers were shafted. Straight out shafted - the end. Their "gifts" were very crappy-looking metal wallets with the AusCERT logo, completely impractical for anything beyond storing cigarettes. I can't even say that they'd function as paperweights because they seemed too light. AusCERT need to lift their game and provide speakers with decent presents. Would a bottle of wine and/or a voucher for a security book from the book stand be too much to ask? On this count, I thought AusCERT were very, very cheap. Without the speakers, they have nothing. They need to recognise this and pay due recognition.

Secondly, the talks are way, WAAAAY too short. It seemed each slot was 35 minutes, with 5 minutes allocated for questions. When I see talks like Chris Spencer's (one of the most detailed talks given at the event) on a topic of great interest, it seems to me that they do the speakers and the audience an injustice. Black Hat talks go for approximately an hour and 15 minutes, allowing plenty of time for setup and Q&A. I would suggest that AusCERT needs to find a happier medium.

Thirdly, the transport situation was unacceptable. As someone who didn't stay at the Royal Pines, there were only two buses departing from our hotel. A whole group of us (at least 8 from DD) were waiting at the bus at the correct time. When I tried to board I was promptly kicked off (presumably because it was full, but I was never told directly why), at which point they drove off - with no further bus forthcoming. This was a very crappy handling of the situation. I seem to remember a time when buses used to run regularly and this was never an issue. Why was it an issue now? I feel they should pay the $30 cab fare we incurred as a result.

Fourthly - and this is something that hasn't been vocalised before, but I will come out publicly and state it. There has been an ongoing 'rumor' that AusCERT has always shown particular favour to talks given by sponsors. This has never been more apparent than it was this year, when five talks from Stratsec were accepted along with one training seminar. SecureWorks were accepted for three talks. Seriously - WTF?

Now I will be the first to shout out how awesome the Stratsec crew are, having worked with a good chunk of them for a good length of time, and I'm proud to call at least two of those that presented my friends. They know their stuff and they had a wide array of topics, all timely, relevant and illuminating. But seriously, FIVE talks from the one sponsor? When talks are being knocked back by non-sponsors and five talks are selected from one, it is clear there is a problem. I would like to stress that this is a failing on AusCERT's behalf and certainly no reflection on their (Stratsec's) capability. In the past I know of people who have had their talks knocked back and yet sponsors were given the slot for presenting almost the same talk in a non-vendor slot. Also, I'd like to add that this criticism isn't because I didn't get to speak (so don't think it's sour grapes). There were a number of factors at work on that front (and mostly my own fault):
  1. I didn't present my synopsis by the due date (I was told by staff in Dimension Data I could use our vendor slot, which would be guaranteed),
  2. Dimension Data cancelled their sponsorship this year,
  3. By the time I submitted my presentation to AusCERT, I was told they'd already found someone to talk on my topic.
I also know of people whose talks were not formally accepted until the last minute and then given the worst timeslots. I personally don't have a problem with one talk in a sponsor slot and another in a non-sponsor slot. But to throw out too many slots to multiple sponsors in non-sponsor slots reeks.

AusCERT organisers need to lift their game and be more objective and fairer in assigning their talks. They also need to consider variety and people other than sponsors. While I could name names, I certainly won't; they know who they are. If they're reading, they should be vocal and voice their concerns to the powers-that-be.

The Indifferent
Attendees seemed to consist mostly of Queensland local councils and businesses. I did not see many businesses from Sydney or Melbourne unless they represented security vendors, consultancies or professional services firms. Some did come, and I did see a lot of the usual education, federal government, defence and law enforcement crowd; I just didn't see a lot of businesses. Is AusCERT losing its relevance to these audiences? That said, the attendees were around the 1000 mark - which was about where it was when I last attended. Weird.

Too many talks just plain sucked. In some cases, it was blatantly nerves/first time speaking. Can't blame that, those people deserve kudos for having the balls to step up and do something.

However, some people presented talks that blatantly did not match the description. Richard Stiennon's talk 'Titan Rain, the inside story of Shawn Carpenter' was a prime example. The talk stated (amongst other things): 'Attendees will learn the methodologies the Chinese used to steal critical data on the Mars Lander and military data from US research labs. They will also learn the techniques Shawn employed to back track the hackers and use their own tools against them.' This is a blatant lie. Certainly the author needs to share a measure of blame for an ill-fitting description of his talk, but again, the blame rests on AusCERT's shoulders. Why wasn't this picked up in QA? Did any QA of the talks take place? I know that sponsor talks aren't usually QAed - but this only led to further questions - like, are sponsors that present in non-vendor streams QAed? What is the QA process? Again, yet another thing that must be fixed on the AusCERT side.

Part of my view is that too many of the talks are now becoming non-technical in nature. While I am certainly not as technical as some, I like to have a balanced view of things. In years prior there used to be a technical and non-technical stream. This is no longer the case. Now the talks seem to blend and in many ways, become more watered down. Is this a result of popular demand and market forces? Quite possibly - I simply don't know, but I certainly hope this trend isn't going to continue.

Also, while I like Max Kilger's talks and found him animating and engaging and the topics highly interesting, I found that he threw around numbers far too whimsically. He often did not clearly cite his references or how he arrived at these numbers, and started jumping straight to conclusions. At the very minimum, he should have pointed out where a copy of the research could be found so the audience could see for themselves. While this is a nitpick of an otherwise brilliant view of things, I felt it had a twinge of bad science about it.

The Gala Dinner was apparently a let down (thankfully, I didn't attend). Dinner at the Royal Pines pales when previous years have seen it held at the Australian Outback Spectacular, Seaworld, Movieworld, etc. While Jimeoin as the entertainment and the meal got the thumbs up, the entertainment afterwards got caned. While I must stress I wasn't present for this, I don't know anyone who did attend who liked it. However, take that for what you will.

Lunch on the last day was at a different timeslot to every other day. Umm... why?

Vendor-sponsored events for two nights in a row also wound up at the same venue. Again, why? This is not AusCERT's fault and I'm sure it was coincidence, but this was disappointing. Then again, it might have been that I was drinking there on the Sunday night, making Tuesday night day #3 at the same venue...

Finally, the SMS feedback system - I don't think it worked out well compared to the paper system provided in years prior (although I hear they had a different electronic system last year). I say stick with pen and paper, or otherwise provide an online URL that people can access. Sod the SMS system. Charging people for their opinion is the height of rudeness.

Parting Thoughts
Seems like the sponsorship dollars were down this year for most. Yet, while there were seemingly more sponsors, the money didn't seem to go as far. Transportation was terrible, the entertainment lacklustre, and the quality of many of the talks seemed rather weak. Overall, the organisation just didn't seem up to scratch compared to previous years. I don't know whether it is a case of being spoiled in years prior or I'm just dreaming. Some of this I'm definitely not - in fact most of what I've written here I can say is based on consensus feedback from numerous attendees I've spoken with. While I wouldn't say it was a failure or a waste of money (as there was value to be had), there are many areas for improvement that simply need to be looked at urgently.

I would go so far as to say that if my experience repeated itself again, I would probably not attend. Based on the attendees I saw, I also feel that there is a very real risk that AusCERT is losing its relevance to private industry. More effort needs to go into ensuring its relevance: stronger support for local security professional groups (AISA, OWASP) and actively drumming up support for talks long before the official request for papers goes out.

I welcome feedback from anyone who attended on this - sorry for taking so long.

- J.


Anonymous said...

Hi Jarrod,

Great post and I think most of your comments were dead on. I would like to touch on one point though around sponsorship and speaking slots because I think what you saw was actually a symptom of AusCERT getting this right this year.

I work for an organisation that in previous years would regularly submit at least 3 papers. Each year only one would get chosen, no matter the quality of the other submissions. In fact, some years we were downright upset because amazing presentations were rejected, seemingly based on the policy of accepting only 1 submission from each company.

This year stratsec submitted a lot of papers, and from talking to some of the submissions panel, in general their submissions were of high quality and so many were chosen. Unfortunately, what was a great change in acceptance policy looks like a horrible change.

Just my 2c.

Anonymous said...

Good points anon. Maybe they should have said something or actually approached more local organisations. I know a few that gave up submitting talks a long time ago because no matter how good they were, they were not getting accepted. Shame, but is AusCERT really in touch with the local industry? I say not.

Anonymous said...

Yes, this is the classic 'equal opportunity' dilemma. Should you choose a weaker presentation from an under-represented organisation/group, or a stronger presentation from an over-represented organisation/group? There are arguments for and against each approach.

The other thing to keep in mind is that while as a speaker you get a free plane ride, hotel, and conference registration, you're not getting paid to present, so it actually does have a 'cost' to your organisation, if only in terms of opportunity cost (i.e. you could be working on something else). Lots of organisations probably don't put forward staff at this time of year because everyone is flat out busy coming up to EOFY. If it was moved to later in the year, you may get a different selection of speakers.

Jarrod said...

There is a significant cost to an organisation in delivering a presentation; I didn't realise it until recently, looking back on a Dimension Data presentation I am working on.

If it is done on company time, the time spent on researching and preparing the presentation is effectively absorbed by the employer. The justification from a marketing viewpoint is that it is building/maintaining the company brand and ensuring they have visibility in the marketplace. This is a reputational boost that is something of an intangible (with some methods of measurement, however). The issue is whether or not a given employer will allow support. From a technical viewpoint, research is how you maintain staff interest and build intellectual property, skills and internal training without "spending" money (albeit not earning/billing if this is done during business hours). Generally, most organisations will "sponsor" the employee but will expect them to do it on their own time.

I can certainly appreciate why some organisations (particularly smaller ones) may not afford the luxury of time on this. However, this is digressing from my original point (with regards to presentation selection).

It would be interesting to see how this fares next year. Hopefully it will be more impartial, but looking back on years prior, I remain skeptical.

Mark said...

Hi Jarrod,

Thanks for the post on the conference. All feedback (good and bad) is appreciated. One thing I thought I should point out though is in regard to the speaker gifts... I'm afraid that you may have the wrong end of the stick there...

IMHO we didn't shaft the speakers...

The "very crappy looking metal wallets" were in fact "RFID Blocking Passport Billfold" wallets from ThinkGeek URL:

We had to ship them in from the USA, and they cost us around AUS $50 each (not including the printing). My feedback from the presenters I asked was that they thought they were a pretty appropriate gift for a security conference - especially for those speakers who traveled a lot, needing to protect their RFID-chip embedded passports in airports where nasty identity thieves were out to get their data using a concealed RFID reader.

We actually took quite a bit of time deciding on the primary speaker gifts this time around - perhaps we should have mentioned what they were to the audience..?

Cheers, Mark

Jarrod said...

Hi Mark,

Thanks for the FYI on the RFID blocking wallets - I certainly didn't know that. I should point out that neither did at least two of the speakers I sat next to as they opened them.

Suppose it was appropriate contextually - however, I do believe in prior years books (and booze even!) seem to have been more appreciated.

- J.

Mark said...

Hi Jarrod,

Thanks for the feedback on the 'booze'.. :-)

I'll definitely mention what the speaker gifts are next time... so at least the speakers know.

Truth be known, for speakers who appeared more than once at AusCERT2010, we gave additional presents beyond the wallet, including a very nice writing pen, a computer toolkit, and also bottles of wine. :-)

Mark :)