Walking down the endless aisles, it’s easy to get the feeling that security comes in a box: blue boxes, orange boxes, purple boxes. But there are so many boxes; which box is the box that’s going to solve my security problem? I can hear Dr. Seuss ringing in my head, “security, it doesn’t come in boxes or bags, it doesn’t come with ribbons or tags…”. Much as we love to hate vendors, we certainly do need them and their products. RSA is clearly one of the largest security spectacles I have ever witnessed, and I think that’s just the way RSA likes it. I gathered a few photos on my journey of the vendor floor that I thought I would share.
My first stop was the National Security Agency (NSA). I was surprised that, with the recent press around the agency, they decided to show up. I was even more surprised to see such a large presence. It’s difficult to tell from the photo but the circular banner must be 40 ft in diameter (approximately 12 meters).
Incidentally, last year I stopped by the NSA booth and I was admiring their Enigma machine (photo on right). I ran into Professor Dan Boneh who leads Stanford’s Computer Science and Electrical Engineering departments. I know Dan from the yearly security and privacy workshops he hosts. Dan had someone else with him and asked me if I’d like to meet Ron Rivest. I said, “Ron Rivest, like the R in RSA?” He said, “Yes, that Rivest.” (Squirrel moment) I forgot all about the Enigma machine and spoke with Dan Boneh and Ron Rivest for a while. When our conversation was over, I moved on, forgetting about the machine. This year, the Enigma was back, and I took some time to have a good look.
The NSA employee I was speaking with works in the NSA’s history museum. The Enigma is museum property and is an original used in the war but the wooden case is a replica. While we were discussing details of the machine, someone passed behind me on the floor and shouted a loud, “boo”. I didn’t notice any reaction from the NSA employee so I tried to lighten the moment and said, “I bet you receive reactions all the time like that working in the museum”. I think it’s a tough time to be an NSA employee at the moment and I’m sure NSA booth duty at the conference was not easy this year.
In addition to the NSA, the Federal Bureau of Investigation (FBI) had a booth at the conference. I had a conversation with one of the agents to discuss processes for working with authorities on cyber crimes. For anyone curious, the FBI manages relationships for cyber security to the private sector through an organization called InfraGard. InfraGard is not a branch of the FBI or government but they can place you in contact with proper law enforcement authorities if you suspect a computer crime. For corporations, most concerns are usually escalated either through or in conjunction with company Legal staff. Exercise some good judgement; InfraGard and the FBI are busy. Don’t expect them to unleash the packet-sniffing bloodhounds for your Mom’s infected PC. On the other hand, if you suspect significant cyber crime has occurred, InfraGard is a resource to place you in contact with proper authorities. In the past, I attended several meetings of InfraGard’s Austin, Texas chapter but never decided to join. I was slightly too paranoid for such associations in my earlier days.
Continuing my journey, I came upon Bit9’s booth and Richard Clarke was speaking on security. I wondered how many in the audience knew Richard Clarke and how many were just standing there because everyone else was standing there. I met Richard Clarke several years ago in Washington DC just after he published his Scorpion’s Gate book. I’m like a security Forrest Gump, a case of being in the right place at the right time. Richard Clarke has been speaking at vendor engagements on these conference circuits for a while.
Next, I ran into Shape Security and Michael Coates. Michael is also the OWASP President. Ok, see the good looking guy on the right? That’s not me, I’m the guy on the left. Right is Michael. Michael and I talked for a while and he helped me understand how Shape technology works. Keep your eye on Shape Security. It looks like promising technology.
Prior to Shape Security, Michael led security for Mozilla Project and the Firefox browser. We’ve definitely had a few lively security discussions over the last couple of years. Last year, Michael helped me launch our very first security track at Oracle’s JavaOne developer’s conference – Securing Java.
On the left, I met with a dear colleague I have known for some time. Only after I softened him up with some conversation did he agree to let me post his picture. He would be grumpy if I shared much more. This person is the quintessential security hacker, leather hat, pony tail, sandals, and plays the harmonica – very well I might add. I own a harmonica but I am prohibited from practicing within the city limits.
Thanks to my manager, Donald Smith, and Oracle staff for your support. Security is always pulling the fire alarms with last-minute requests. Thanks to the many security leaders who shared their time and conversations with me at the event.