Saturday 1 November 2008

Steve’s musings from RSA Europe 2008

RSA Europe was held again at ExCeL on the outskirts of London Docklands. Great venue – but the location is not really London and can disappoint some who travel from abroad. Also the timing was not great for UK-based InfoSec professionals with families – the show was held in school vacation time (half-term).

There were many familiar faces at the show: both at the exhibition and fronting many of the keynotes and other sessions. Art Coviello, President and CEO of RSA Security, was pushing for “Thinking Systems”. This is quite close to my heart as my academic heritage links directly back to Alan Turing (who was the “motif” for the show), who spent much of his time contemplating thinking machines. Indeed, some of these core ideas can be found at the heart of Secerno’s symbolic machine learning techniques.

RSA was a busy time for me – I was involved in three sessions and manning the Secerno stand, along with the great networking that was provided in the evenings. My presentation “Regular expressions as a basis for security products are dead” went down well, and even though it was reclassified as “Advanced Technical” it did not deter an interesting audience. Some lively debate ensued after the talk. Another talk mentioning SQL Injection was given – the talk on “SQL Smuggling”. I was not able to get to it, but the slides looked interesting. I know that the failures in outdated technologies pointed out by the presenter, Avi Douglen, do not apply to the Secerno SynoptiQ new generation technology.

My second “gig” was on Paul Fisher’s (Editor of SC Magazine) CTO Panel. Although we were supposed to be blue-skying about “Beyond Tomorrow”, it turned out that I was seated between two malware CTOs who only wanted to think about malware AV and delivering this as a service. There were times when we were able to push the time horizons of the topics a bit further out. I did like Paul’s question about Art’s “Thinking System”. I believe – and built that belief into our products – that security (and everything else in life) is a battle for knowledge. Thinking machines need to turn information into knowledge, and then we can use that knowledge as a form of defence.

The final role for me was leading a special interest group “Securing Virtualised Assets”. Virtualisation drives down operating cost, but what does it do for security? The SIGs were a far more intimate affair with only 10 seats available around a table. It was pleasing to find security professionals who were being proactive in their company’s virtualisation efforts. It seems that there is confidence in how to tackle the security of back-office virtualisation projects. What was more edgy was how to do the same for the desktop. Interestingly, one of the attendees of my SIG was from Dell who had just announced that they were offering outsourced virtualised desktops.

Bruce Schneier’s address was as thought provoking as usual. He, like me, clearly sees that we are still the pioneers of computing as the field is still less than a century old. He drew analogies with industrialisation where output was important and pollution was seen as a necessary side effect. In the Internet era he likes to think of the massive data collection and the lack of care in its production and storage as being analogous to industrial pollution. One day, society will be forced to stop information pollution, and possibly need to go back and clean the information litter landscapes.

I chatted to Bruce after his book signing queues had died down. Last year, he left a message in the front of the book he signed for me – and his message was “encrypted”. When I got home last year I gave it to my then 12-year-old daughter to crack. “She got it in 5 minutes – right?” said Bruce this year, in his rapid-fire sentences. “Of course ...” was my reply.

Confession time... I did not tell him I had failed to crack it myself ☺

No books for Bruce to sign from me this year. But Wiley, the publisher, did sell me Petzold’s 2008 book “The Annotated Turing” on Turing’s famous 1936 paper on computability and the Turing Machine. It is a good read – beautifully written – making the mathematics truly graspable.

At the exhibition the interesting new technologies were few and far between. I did quite like the concept behind the Yubico USB key fob, providing one-time authentication keys from a small USB device with a cute button. I chatted to the CEO of the Swedish company BehavioSec, who provide behavioural “biometric” information making it possible to detect when keyboard activity is coming from a different user. I did manage to meet up with the MD of DISUK, Paul Howard, who has a really neat solution to encrypting tape backups – put one of their SCSI encryption devices in the SCSI device chain – job done! Paul is a passionate gliding instructor, which allows him to see the world from a different perspective at times.

The final keynote I saw was that from the UK’s Information Commissioner, Richard Thomas. He seems to be getting traction and a larger budget to fulfil his mission to support both Data Protection and Freedom of Information, which is good. His view is that breach legislation needs to be risk based, not simply triggered for every breach. His argument is that we should not worry about low volume, low impact breaches. Tell that to the individual who has to reclaim their stolen identity and refill their bank account – that they don’t need to be notified that their very identity is at risk.

Finally, the conference organisers were promoting Alan Turing as the “brand” for the conference. I wonder what Dr Turing would have made of his image and the promotional videos about the place. They even had a display of encryption devices, including the Enigma that Turing played a part in breaking. In reality, the successes at code breaking were massive team efforts. No single person “cracked” the Enigma code. Oh – by the way – there were many other codes than Enigma that needed cracking during WWII – and they were! Turing, rightfully, is one of the very few fundamental computer scientists – but we should remember that he was not the only code breaker.

Steve Moyle