
posted by martyb on Sunday March 10 2019, @10:57PM
from the get-off-my-lawn dept.

Professor Eugene Spafford at Purdue University, the father of the field of Internet security, has some takes on this year's RSA conference:

I have now attended 13 of the last 18 RSA Conferences (see some of my comments for 2016, 2015, and 2014). Before there were RSA conferences, there were the Joint National Computer Security Conferences, and I went to those, too. I’ve been going to these conferences for about 30 years now.

[...] I am giving serious thought to this being my last RSA Conference — the expense is getting to be too great for value received. The years have accumulated and I find myself increasingly out of step here. I want to do what is right — safe, secure, ensuring privacy — but so much of this industry is built around the idea that “right” means creating a startup and retiring rich in 5 years after an M&A event. I don’t believe that having piles of money is how to measure what is right. I will never retire rich; actually, because I will never be rich, I probably can’t afford to retire! I am also saddened by the lack of even basic awareness of what so many people worked so hard to accomplish as foundations for others to build on. We have a rich history as a field, and a great deal of knowledge. It is sad to see that so much of it is forgotten and ignored.


  • (Score: 2) by canopic jug on Monday March 11 2019, @06:10AM (3 children)

    by canopic jug (3949) Subscriber Badge on Monday March 11 2019, @06:10AM (#812578) Journal

    I suspect that he and the few capable individuals still around are getting worn down by the carpetbaggers, charlatans, and frauds. He writes in his post:

    There are some good, useful products and services present on the market. But the vast majority are intended to apply bandaids (or another layer of virtualization) on top of broken software and hardware that was never adequately designed for security.

    I notice that his selected quotes page [purdue.edu] is prominently missing his quote on that, which was well known long ago:

    Tactics and strategies to improve software design have to address the fact that there are very large numbers of M$ minions and resellers. They outnumber IT staff by quite a bit nowadays, if any IT staff are even left at this point. Some venues have only resellers. They also engage in entryism to enter and destroy sound(er) projects from the inside. An M$ reseller doesn't have to do any work to advance the M$ movement (yeah, it's a movement); due to their numbers he just has to keep you from getting your job done. The methods used by the M$ resellers are remarkably similar to those of the various communist movements within Europe during the 1970s. The same way those were defeated works against M$ resellers and their movement.

    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 2) by Hyperturtle on Monday March 11 2019, @02:17PM (2 children)

    by Hyperturtle (2824) on Monday March 11 2019, @02:17PM (#812676)

    I have gone to these RSA conferences; I stopped years ago.

    The business I was at paid full expenses for lodging, travel, and the full week of being there; classes, keynotes, etc. The last memorable one I was at had Bill Gates as a guest speaker, focusing on firewall enhancements for Windows (not 98!) as a whole and what they learned about what happens when wizards make things too easy by enabling everything without asking what's needed without any safety checks to protect against low skilled people just clicking next to continue. (You see, server guys got a bad rap back then for being able to set up a server but sometimes having no idea how to configure one. The answer usually was to reimage via cloning what worked--complete with a lack of understanding about why sysprep is important to run, etc--but that's not what Bill Gates dwelled upon.)

    By the time I decided to stop attending, I had already firmly decided that it was just a who's who list of who paid to attend. It was mostly a conference of vendors selling their latest appliance to make it so that people spending money don't have to think, with a few people with names that might be familiar standing in front of prepared slides, and lots of people trying to get name recognition for a book they wrote or something like that. Cynical maybe, but it's what I came away with. The solutions of the day are not too different than now--hook in this appliance and because of cloud you never have to do anything but pay regular fees! Much cheaper than having anyone with experience; an unskilled resource on the other side of the world can keep you secure!

    And the courses offered--PowerPoints on a cinema screen presented by people that were flustered when questions came up that weren't just repeating what the slide said more loudly. I mean it was bad--inept community college teaching assistant with no knowledge of the course who got lost reading directly out of the book bad, because the material was nonsensical to them. I wasn't the only one to have doubts; people sometimes got up and left during these PowerPoint presentations, which often flustered the 'speaker' even more.

    I wasn't paying to go, and I felt guilty over the expenses of going. It became stressful because I wasn't doing work I otherwise would be doing, and there was an expectation that I'd return with some sort of new repository of knowledge that could help the business and that I could further expand the knowledge of those not selected to attend; I couldn't even focus well on what was any good. It just wasn't worth going if the expectations came nowhere near what was happening. So, I stopped going, much to my then employer's surprise; ever since then I've not even considered returning, despite the regular yearly harassment I receive from RSA to get VIP discounts or what have you. Maybe if I got paid to go without the expectation that I'd get something out of it, sure. But they lost their credibility years ago. (And my employers understood my decision after I explained that attending a conference of vendors does not an expert make.)

    It hadn't turned into the "get rich in 5 years after a buyout" sort of approach yet--optimism in the IT market was only beginning to return at the time--but the landscape was definitely becoming far too commercial and vendor oriented as opposed to agnostic security discussions. Why know anything when you can buy something to do it for you? Or get managed services to do it for you?

    And it is bad to say this, but the last time I went, the most valuable things I got out of it were a laptop bag, a thermal carafe, and some neoprene foam cup insulators that I still use. They are the only things of value that I got out of that RSA conference, that I couldn't get anywhere else--except perhaps the experience of seeing what was once good fall victim to its own success, perhaps.

    Even the small knowledge from the courses was fleeting; most of the classes had promises that the PowerPoints would be posted on a public website afterwards, but after a month of checking, none of them had been. There were handouts in some classes; I brought home probably a half dozen single-sided printouts of PowerPoint slides that I eventually just dumped into the recycle bin because... well, no experts rely on PowerPoint when brooding in their personal dark lairs plotting their next moves. We actually have to figure it out.

    They turned into a very expensive form of cheap. You want real security--go to a Black Hat conference. Just bring a pad of paper and a disposable laptop intended for logging into disposable accounts.

    • (Score: 2) by bzipitidoo on Monday March 11 2019, @04:09PM (1 child)

      by bzipitidoo (4388) on Monday March 11 2019, @04:09PM (#812742) Journal

      I have not been to a lot of conferences, but I see what you're saying. These are problems common to all such events, not just security ones.

      These days, what really is the point of such a gathering? Meaning, with the Internet, why not do it all online?

      One of the conferences I attended is at a ski resort--the first of 2 times in my life that I have gone skiing. Still, I stayed at a cheap motel 10 miles away, and took a bus to the resort, to save money--the public's money, not my money, for I was reimbursed for traveling and lodging. I would have never splurged to hit the slopes if they had not been in my face. And that was my own money, for which I was not reimbursed, nor did I expect any reimbursement. It was worth it, to learn how to ski and maybe find out why so many people think it's so much fun. But though I did mildly enjoy skiing, I also find embarrassing the flaunting of wealth and privilege inherent in it. There are plenty of hobbies that are far more expensive than skiing, such as boating and off-roading, but to me, skiing is still on the costly side. It lays us all open to charges of waste, same as any government official flying to a resort for a few days of fun at the public's expense. But everything I saw suggested that conference was scrupulously run, and the public was not cheated into paying inflated prices for the location. If anything, we probably got a discount, and no doubt the ski resort counts on making it up from attendees who go skiing. At least that conference was real.

      • (Score: 2) by Hyperturtle on Wednesday March 13 2019, @04:31PM

        by Hyperturtle (2824) on Wednesday March 13 2019, @04:31PM (#813796)

        There seems to be a line that gets crossed when something becomes mainstream. Like anti-establishment stuff suddenly becoming hip (as opposed to hipster stuff becoming mainstream). Suddenly, everyone that cared has lost control, and the forces of evil have taken over.

        Then maybe they cash out, or regroup, or... find something else to do.

        I think we can see that when fans are disappointed when bands sell out, or what happened to Burning Man, etc... The RSA conference reached critical mass and now it's just like one of those websites that used to be good but now displays nothing more than ads that are somewhat relevant to how the site used to be, with any actual news or updates being scraped from somewhere else.

        (Also, I think the green site falls under the same category of what happens when that line is crossed...)