RSAC 2017: What just happened?
 
RSA Conference 2017 is over. The numbers are in, and most of the talk videos are online. Over 43,000 infosec professionals, government employees, marketing biddies, sales flacks, and genuine rubes all piled into San Francisco's Moscone Center for a week of hellish hawking and conspicuous consumption, while everyone pretended like they weren't looking for new jobs. 

Attendees were hacked via rogue access points. There was a fight on the Cryptographer's Panel. Meanwhile, F-Secure acquired Inverse Path. 

Synack told press that APT28/Fancy Bear(s) used Hacking Team tools on the DNC. Microsoft declared that we need a Digital Geneva Convention.

UnifyID, rather than being named "Most Likely To Have Emerged From A Fever Dream After Reading 1984," was instead named RSA Conference 2017’s Most Innovative Startup. The RSAC Security Blogger Awards were announced and it was the usual dudely suspects all around. (Is the collective noun for RSAC security blogger awards winners ... a disappointment?)

It was a week of gimmickry and impossible promises. Millions were spent while people starved outside on the streets of San Francisco, and people like me struggling for rent swam upstream through hordes of suits navigating $100,000 booths, all of us looking for a reason to be there.  We were rats in Moscone's endlessly Kafkaesque, under-construction maze.

The press weren't at their best. Some lingered at talks presented by well-known security brands, trying their hardest to pull negative stories out of security researchers who now despise the press just a little bit more. Others obfuscated source material in attempts to seem in the know about topics they struggled to explain.

It was all normal.

I'm really grateful that one thing RSA does right is get their talks online right away, so I can point you to the good stuff you might've missed. To my surprise, there were some really really great talks this year.  

A curated list of the most interesting talks is below. Each talk title links to the YouTube video; description and slides (if any) follow.


IoT: End of Shorter Days

(description / slides)

-Charles Henderson

Don't be fooled by the title; this talk hides a hell of a big, big problem in its IoT/identity management buzzword wrapper. The nugget: Henderson discovered that car apps, mostly made by one third-party entity, don't clear owner identity info when a car is sold. Playing with the app for a car he had sold, he could still access the car's features and find its location, among other unsettling things... "Your smart devices aren't smart enough to know they've been sold."


Data Plays the Victim: What Ransomware Has Taken from the Kidnapping and Ransom Industry

(description / slides)

-Jeremiah Grossman, Chief of Security Strategy, SentinelOne

Fascinating talk; covers how ransomware is similar to kidnap and ransom, projections on the ransomware market, and tactics being employed to prepare for/prevent ransom scenarios.


Hello False Flags! The Art of Deception in Targeted Attack Attribution

(description / no slides)

See also: Their incredible paper, Wave Your False Flags (.pdf)

-Brian Bartholomew, Juan Andrés Guerrero-Saade, Security Researchers, Kaspersky Lab

Superb presentation on currently active attack groups who obfuscate their tracks, with a breakdown/analysis of how they're doing it. You won't see attribution the same way again.


The Cryptographers' Panel 2017

(description / no slides)

Do you like watching a good fight onstage? I sure do, and this panel delivered.


How to Delete Data for Realz: This Presentation Will Self-Destruct In...

(description / slides)

-Davi Ottenheimer, President, flyingpenguin; Ian Smith, Research Scientist, University of Washington

This talk presents a new tool that could create an industry-standard method for running an automated service whose data is genuinely deleted. This would solve many of the identity management problems we're seeing come up, and yes, these guys were mobbed with questions and requests for the barely-launched service after their talk.


Lessons from a Billion Breached Records

(description / slides)

RSAC doesn't have this video up yet, but you can watch Hunt's interesting material previously presented in Lessons From A Quarter Billion Breached Records (Vimeo; talk starts at 4:30).

-David Gibson, VP of Strategy, Varonis Systems; Troy Hunt, Microsoft Regional Director and MVP, Consultant

No doubt you've visited or found yourself in Hunt's HaveIBeenPwned service. This covers what he's observed and learned (sometimes the hard way) from running a continually growing set of searchable breach record databases. Also discusses how this data is sold and redistributed. Fascinating. 


RSAC TV: Jessy Irwin Interview

(description)

-Jessy Irwin, Paul Roberts

Roberts stumbles over the intro, but it's a nice discussion with Irwin about how she balances her security advice for employees without compromising on productivity.
