RSA Security Bloggers Meetup in San Francisco. Somebody Call Security!

February 16th, 2007 |
Image for FaceBook

 
Share this post:
Facebook | Twitter | Google+ | LinkedIn | Pinterest | Reddit | Email
 
This post can be linked to directly with the following short URL:


 
The video player code can be copied in different sizes:
144p, 240p, 360p, 480p, 540p, Other


 
This video file can be linked to by copying the following URL:


 
Right/Ctrl-click to download the video file.
 
Subscribe:
Connected Social Media - iTunes | Spotify | Google | Stitcher | TuneIn | Twitter | RSS Feed | Email
 

Taking a break from the bustle of RSA 2007, some of the best-known security bloggers got together at the Foreign Cinema, a French bistro and movie house in San Francisco, hosted by network security podcaster Martin McKeay. Check out the guest list, as we roam the crowd and talk to the best minds blogging on security today. Thanks to Shift’s Kristalle Ward, and to Fortinet and Microsoft for sponsoring the event. This is an F5 podcast.

More images on Flickr.

Transcript:

Host: Michael Johnson – PodTech

Guest: Martin McKeay – Network Security Podcast

Guest: Stephen Toulouse – Microsoft

Guest: Richard Stiennon – Fortinet

Guest: Richard Mogull – Gartner

Guest: Bruce Schneier – Schneir.com

Guest: Lori MacVittie – F5 Networks

Guest: Eric Green – Larstanpodcasting.com

Guest: Ron Gula – blog.tenablesecurity.com

Guest: Ryan Singel – 27bstroke6

Guest: Brian Krebs – Washington Post

Guest: Michelle McLean – ConSentry Networks

Michael Johnson – PodTech

This is Michael Johnson and we’re here at the Foreign Cinema restaurant in San Francisco, a very unique restaurant in which many of the nights they show movies outside, projected on a wall. We’re here at the site and on the occasion of the RSA 2007 Conference, and we’re here with a lot of people from across the country that are security bloggers, we’re going to talk to a few of them to see what’s on their minds or what they’ve been blogging about lately.

Martin McKeay – Network Security Podcast

I mean this is only happening once a year, there is a lot of us with a lot of voices out there, and well, we like to talk. So, it’s a really good thing to have this group together and (Voice Overlap). So, I wanted to give our sponsors, Microsoft and Fortinet, a couple of minutes to talk and they will tell you why they decided that it was worth sponsoring this event.

Stephen Toulouse – Microsoft

Hello everyone, I’m a Mac

Speaker

Don’t do that to me, I want to be the Mac.

Speaker

(Inaudible)

Stephen Toulouse – Microsoft

He said, I believe the exact phrase was, if I were shopping for a computer today, I would want to buy a Mac, that’s what he said, in that email, he’s being purposely dramatic, but that was Jim, as those who have ever talked to him know.

Speaker

That was Jim in the past tense.

Stephen Toulouse – Microsoft

Yeah, well, he retired, he retired, he’s gone. So, I want to talk a little bit about why we really wanted to help put this together. Most of you actually probably don’t know me as Stephen Toulouse, you probably know me as Stepto, which is what everybody calls me, it’s my email name at Microsoft, stepto@microsoft.com and my blog is stepto.com. I actually began — I’ve been with Microsoft since April of 1994 and I started off supporting Windows 3.1 and DOS 5.0, which I am proud to say had no remotely exploitable hole in the default install.

Speaker

Have you gone through that?

Stephen Toulouse – Microsoft

Had no network stack, but yeah, that it will, so we’ve come a long way since then. One of the things that Microsoft has done over the past couple of years, thanks to people like Scoble and thanks to a lot of the people that work at Microsoft and do blogging is we’ve embraced the blogging culture. So, last year we held a little lunch in, got some people together, it was just a dozen people, it was a lot fun, so when we heard the idea to do it again and do something a little bit bigger, a little bit fancier and invite more people, we jumped at the chance. I’m so glad, I mean seriously I’m so happy there are so many people here, there’s going to be so many great conversations. We’re just happy to be here, and happy to sponsor. I wish more of us were here, but planning for the next version of Windows is currently going on in Webinn (ph), so there is a lot of…

Speaker

Next after Vista?

Stephen Toulouse – Microsoft

Next after Vista, so there’s a lot of split. So, as I said diverse a few minutes ago, I know it sounds a little bit crazy to say for a company that has $34 billion in the bank, but it’s a resource issue, so we don’t have everybody down here, but I’m here, happy to be here, and happy to be with Fortinet in sponsoring this. So, thank you very much for coming, we don’t want to spend a lot of time in (Voice Overlap), so you guys have great conversations and Richard, what did you want to say?

Richard Stiennon – Fortinet

Cool, so I don’t have a lot of time to talk.

Stephen Toulouse – Microsoft

You’ve got as much as you want, you’re sponsoring.

Richard Stiennon – Fortinet

(Inaudible) Technorati ranking, somewhere way north of 12,000. I think that it is being a little site a Technorati blog ranking is kind of interesting when we all get together and meet, but what’s really, really, really interesting is that we are changing how people access information, because we all are in our own right experts or we all are in our own right good communicators and we know that because people are coming to our blogs, we’re all reading each others blogs, and doing the back and forth thing. This is new, we all know that, this is, in the security world for certain, this is the way that the end users are going to learn new stuff, we highlight things that just don’t get into the press, the press just doesn’t focus the same way that we do.

I’m super, super excited about what the blogging community does, so of course, when the opportunity came up, the timing was just right, I could say, Hey Rich, we’ll sponsor that, we’ll get there, that’s very cool.” As everybody talks to me this evening, I need a little help, I’ve got a bloggers dilemma, I’ve lost my bloggers voice, as you may have noticed, I can’t post anymore. Last week, for example, so TJX gets totally whacked by hackers, steals 40 million credit cards, I can’t find anything to say about it, because I have to check with our VP of North American sales to see if we’re doing a deal with TJX. That just stops you dead in your tracks, I could no longer be the (Inaudible) bloggers.

Speaker

Talk about that.

Richard Stiennon – Fortinet

Yeah, there was (Inaudible), so what do I do. I personally want to settle on a travel log because I travel a lot. So, I’m going to blog about shady hotels, and how they don’t have enough power plugs and stuff like that. Anyway, any other ideas, please let me know, and just thanks for everybody contributing to the community that we are, here it goes.

Martin McKeay – Network Security Podcast

Rich Mogull said he had a couple of (Voice Overlap) to say.

Stephen Toulouse – Microsoft

Yeah, Rich you want to say something?

Martin McKeay – Network Security Podcast

He’s the originator of this whole problem.

Richard Mogull – Gartner

You guys are joking, but — never mind, I’ll save that for when the camera’s not on. I want to thank everybody for coming, I got to be honest this went far beyond my expectations, I thought there would be a dozen guys, sitting in a room, paying for our own drinks…

Martin McKeay – Network Security Podcast

You’re paying for ours actually.

Richard Mogull – Gartner

Yeah, I though I was going to buy a round or two and that was going to be the end of it. When I started blogging as an experiment, it was, let’s just see what this is about, let’s see what’s going on out there in the community and it was mind boggling how valuable it was. The ability to have a — so let’s look who’s in the room? We have Brian from the Washington Post, reporter from a major newspaper here. We have representatives from all parts of the vendor community. We have representatives from the analyst side and we have end users everywhere. There is no place else in the world where we can all have a dialogue on a common issue, and at the same time, people read this stuff. If you were at the opening session for — I don’t normally go to the keynotes because come on, who needs to see Bill speak again. Hey now, that’s the truth really.

One of the things that Ze Frank said was, he called us the defenders of the renaissance. When you want to see the thought leadership, there’s two sides, there’s the back room, development being done, the really smart guys. When you want to see the people who are influencing, — I think that is us, but people who are influencing the community. If you look at where security came from and where security is going, I don’t care what Art (ph) says, security is not going away in two to three years, not going to be all embedded into the infrastructure.

There is a new wave of security thought readers that are building in this industry. There’s the old wave, first and then — so I love the dialogue, it’s incredible that we can all talk in an open environment, especially guys like Allan and Richard now, talking about analyst side versus vendors versus end users, all of this, (Voice Overlap). So, I’ve talked too long, thank you all for coming, I know there is more people coming on the way, let’s go drink more, and make fun of each other.

Michael Johnson – PodTech

We’re here with Bruce Schneier. Bruce, tell me a little bit about what you do?

Bruce Schneier – Schneir.com

Oh God, I am a Security Technologist, I write, I speak, I work for BT Counterpane, and I piss of the government, I do a lot of things.

Michael Johnson – PodTech

What have you been excited about over the last year or so, and what’s been some of the more interesting things that you have documented in some of your studies and some of your blogs?

Bruce Schneier – Schneir.com

Well, what I wrote about — writing about now, what I posted this week, and what I talked about here at the RSA Conference is the psychology of security, how we perceive security. Security is both a feeling and a reality, and they’re different. You can feel secure and not be secure and you can be secure and not feel secure, and there’s a lot to learn in that difference, why it happens, what about the human brain makes us get security wrong? I’ve been reading a lot of psychology, a lot of human brain physiology, a lot of — there are studies about risk, there’s a whole lot of research being done in the psychology community, that we’ve never seen here in the security community, but I think is directly relevant to what we’re doing.

Michael Johnson – PodTech

That sounds fascinating, I think it is a concept of security that people are thinking about more these days, because certainly in the United States and in other places as well, this idea of what our security is, is certainly being called into question.

Bruce Schneier – Schneir.com

Right, and there’s a lot of crap security, I call it security theater (ph), security that doesn’t do anything good, but just makes you feel better, and that’s security that doesn’t target to the reality, but targets to the feeling. There are times, they’re not common, but there are times when that kind of thing is useful. There are times when it’s really bad, and how do you know the difference. I think there’s a lot of stuff there.

Michael Johnson – PodTech

What times would you say we’re in now; say the perspective of obviously the United States and Homeland Security, that’s a big name right now, but it seems to sort of be talking more to that feeling part that you’re addressing?

Bruce Schneier – Schneir.com

We’re definitely in the stupid security season, what happened in Boston last week is an example, that happens every time you get on an airplane, security is really stupid right now.

Michael Johnson – PodTech

If folks wanted to check out your blog and see some of the stuff that you’re writing about, where can they go?

Bruce Schneier – Schneir.com

Schneir.com, actually I think if you just type security blog into Google, I pop up as the first name, but its www.schneir.com, easy to find.

Michael Johnson – PodTech

Bruce Schneier, thanks a lot.

Bruce Schneier – Schneir.com

Hey, thanks for having me.

Michael Johnson – PodTech

We’re here with Lori MacVittie who is the blogger for F5 Networks, and welcome to the party Lori.

Lori MacVittie – F5 Networks

Thanks, it’s very exciting thus far.

Michael Johnson – PodTech

Well, it’s a really interesting group of security bloggers, we’re on the occasion of the RSA 2007 Conference in San Francisco, tell me a little bit about what you blog about for F5?

Lori MacVittie – F5 Networks

I blog about a number of things, security and otherwise, but generally just trying to apply all sorts of new technology to use in our products and how they can be used and extended and just trying to be innovative and then also commenting on what other people have to say about anything related to SOA, AJAX Security, those kind of topics.

Michael Johnson – PodTech

What excites you about this, what are the things that you find really interesting in this security portion of the blogosphere?

Lori MacVittie – F5 Networks

Well, I think that emerging technology, security is very exciting because it’s new and it’s different and we have to come up with innovative ways to solve that, something that we at F5 take very seriously, but also just some of the social issues. We were just having a conversation about teenagers and security and social networking, and it’s a very interesting problem that we have to solve because it’s not necessarily a technological problem but a people problem. So, it’s something different that we have to solve, so it’s a challenge, I like that.

Michael Johnson – PodTech

We were speaking with Brice Schneier a little bit early about the sort of the concept of security and how we have a lot of solutions around, and now it’s a question of getting those things implemented, are you seeing that implementation happening now slowly but surely, or is it something that’s going to take a while do you think for the concept to sort of follow the implementation of these things?

Lori MacVittie – F5 Networks

I think as usual, unfortunately security comes last. People wait until there is a problem to actually solve it. You don’t change locks on your doors until someone breaks in. I wish that we could change that view so that people thought of it upfront, but I still think it’s a after the issue problem.

Michael Johnson – PodTech

If folks want to check out your blog, where could they go?

Lori MacVittie – F5 Networks

You can go to devcentral.f5.com/macvittie

Michael Johnson – PodTech

Alright, Lori MacVittie of F5 Networks, thanks for being with us here, enjoy the party.

Lori MacVittie – F5 Networks

Thank you.

Michael Johnson – PodTech

Tell me your name?

Eric Green – Larstanpodcasting.com

I am Eric Green.

Michael Johnson – PodTech

Eric, what do you blog about or Podcast about?

Eric Green – Larstandpodcasting.com

We’re across a lot of different spaces, I mean personally I’m our security guy, so we do a lot of stuff on Information Warfare, Information Operations and a couple of other security Podcasts. Company wise, we do — we cut across personal finance supply chain technology and cross technology, we do a lot of federal government stuff as well.

Michael Johnson – PodTech

What kind of interesting stuff have you come across in the last number of months?

Eric Green – Larstandpodcasting.com

The last number of months have been interesting on the IO space for me. So, if you look at Info Operations and Info Warfare, the critical infrastructure side of being sort of finance and telecommunications on the security side has seen a lot of people — like a resurgence of people wanting to talk about IT security, everything all the way up to SIOPs, it’s the psychological warfare and the like. So, it’s fun being back at RSA to see what people are saying on the floor about things like that.

Michael Johnson – PodTech

So, tell me your names.

Ron Gula – blog.tenablesecurity.com

I’m Ron Gula.

Michael Johnson – PodTech

What’s your blog?

Ron Gula – blog.tenablesecurity.com

I’m blog.tenablesecurity.com.

Michael Johnson – PodTech

And you?

Ryan Singel – 27bstroke6

I’m Ryan Single, my blog is 27bstroke6, which is blog.wired.com/27bstroke6.

Brian Krebs – Washington Post

I’m Brian Krebs of the Washingtonpost.com and I blog on Security Fix.

Michael Johnson – PodTech

So, what have you — I saw you three talking in a circle, what have you been really excited about, or what have you been putting in your blogs lately, is there been any dialogue between all of you other than here in person or is it been happening on the blogosphere?

Ron Gula – blog.tenablesecurity.com

Well, right now, one of the good things about getting together is, you have a lot of different disciplines. These two are from the media side of the house, I’m a vendor, so we were just kind of talking about different things that we can blog about, we all blog about dramatically different things.

Michael Johnson – PodTech

What’s your favorite topic?

Ron Gula – blog.tenablesecurity.com

I like to talk about computer security, vulnerabilities, intrusion detection, that kind of thing.

Michael Johnson – PodTech

What do you like to blog about?

Ryan Singel – 27bstroke6

You should jump to Brian on that one, because you guys do kind of similar things.

Brian Krebs – Washington Post

I mean basically for me this is great because I’m getting to meet a lot of the people whose blogs I read everyday and put a name with the face.

Ryan Singel – 27bstroke6

So, I do a little bit of the higher level kind of things. We cover government databases, privacy, kind of higher level security, so a lot of these folks know a lot more than I do at the — sort of nitty-gritty, kernel level kind of stuff, whereas we’re kind of higher level, a little bit more snarky.

Michael Johnson – PodTech

Now, one of the things I’ve been hearing here at the conference as well as in this group is that the thinking about security, has to really be the thing that has to change for a lot of people, not so much we have the technologies, we have a lot of solutions at the show. At RSA, we certainly see hundreds of solutions that are offered up, but the thinking about security has to change, what do you think about that?

Ron Gula – blog.tenablesecurity.com

Well, everything is related. Long time ago, if you were the firewall guy, you just had to worry about the firewall, or the virus guy just had to worry about making sure the viruses were update. Nowadays, everybody realize everything is linked, the operating system, the router, the policy, everything is together, and you’re probably seeing vendors start to offer solutions along those lines and consultants talk along those lines and people blog about that kind of stuff, so I’m happy to se that kind of change.

Ryan Singel – 27bstroke6

Oh, it’s kind of interesting to hear a lot of people getting sort of some of the old time religion, which is about securing the data not about securing the firewall or securing the perimeter. I’m still waiting for the sort of the big change, where security becomes easy and the Internet becomes safe and it’s not here yet.

Michael Johnson – PodTech

How long do you think it’s going to take?

Ryan Singel – 27bstroke6

Forever.

Brian Krebs – Washington Post

I write generally for a much wider audience, so I don’t tend to write much about technology solutions and things like that. Basically, I’m writing for people, the everyday Joe, average Internet user, and so I think that’s a constant education effort because it’s real easy to I think over estimate people’s grasp of technology and security issues, and that’s a dangerous thing.

Michael Johnson – PodTech

Do you think information is getting out from the blogosphere to the general public, where people read it, or does the pubic need to know more about what goes into security or do you think it actually has to stay at the enterprise level and got to go down from there?

Brian Krebs – Washington Post

I’d like to see more mainstream publications covering this important issue. I happen to think that most of the people who really need to know most about what it is they need to do, to stay secure online, don’t read blogs, I mean they’re still reading mainstream publications.

Ryan Singel – 27bstroke6

I think the mainstream folks that really need to know what they do should go to his blog, because I pick things up from you, he’s one of the best at sort of translating — like he understands the high level stuff, but translates it into what does this means for you, how do I get Flash 8 off my system, when you didn’t even know you had it on there.

Brian Krebs – Washington Post

It is always Flash 8, why do I need it?

Ron Gula – blog.tenablesecurity.com

Yeah, I mean the biggest failure of the vendor so far is all the solutions we offer are extremely technical, the average person doesn’t know, should I click this, should I not click that, am I going to be safe, am I going to lose my credit card data, it’s very difficult, so, things are getting better, we just have a long way to go.

Michael Johnson – PodTech

Alright, well, thanks for speaking with us and enjoy the party.

Michelle McLean – ConSentry Networks

Hi, I’m Michelle McLean with ConSentry Networks

Michael Johnson – PodTech

What do you do at ConSentry, Michelle?

Michelle McLean – ConSentry Networks

I’m actually in charge of Product Marketing.

Michael Johnson – PodTech

And you blog?

Michelle McLean – ConSentry Networks

I do, we’ve just recently launched the En Garde blog and there are several of us posting to it by commenting on security, how security is being perceived, what we’re seeing in the customer business that we have, and just how the market is evolving around how to secure what happens on the LAN, inside the enterprise.

Michael Johnson – PodTech

What’s the importance of the blog to ConSentry Networks?

Michelle McLean – ConSentry Networks

It’s multidimensional, there is the notion that for your customers, you’re trying to give them a little bit of an inside view into what’s going on, helping them understand their peers. There is definitely this notion of an industry level dialogue, where you know that press and analysts and other bloggers are reading some of your thoughts and it fosters the dialogue, it’s definitely a level of discussion that’s more fast moving and a little bit more straightforward than what you can see in the press necessarily, that’s just the nature of the flexibility of the medium. You can be very quick to get a whole dialogue going and in two days worth of comments you’ve moved the whole goal line forward around what the industry’s thinking about the topic, it’s really dynamic.

Michael Johnson – PodTech

Do you think it really helps the industry?

Michelle McLean – ConSentry Networks

I think it does, because I think you end up shaping how people talk about the problems, the solutions, how they’re trying to cope with certain issues in the enterprise. I used to be a journalist and an analyst actually for nine years, and it’s really nice to be back in that thought leadership domain that a blog can give you, it’s a lot of fun, and I do think it benefits both the consumers of technology as well as those who are charged with thinking about and writing about the industry.

Michael Johnson – PodTech

Michelle McLean of ConSentry Networks, thanks for talking with us.

Michelle McLean – ConSentry Networks

Thank you so much, it’s good to see you.

Richard Mogull – Gartner

Richard Mogull, and I’m an analyst with Gartner and mostly contribute to the Gartner blogs.

Michael Johnson – PodTech

Obviously you’re doing something about security, right?

Richard Mogull – Gartner

Yeah, exactly, I’m on the information, security and risk team over there, so that’s — well, it’s pretty much what I’ve been doing since I was 16.

Michael Johnson – PodTech

Since you were 16?

Richard Mogull – Gartner

Believe it or not, I started in physical security back when I was in high school and eventually got into — it was at PC tech job, and eventually that led to my information security career.

Michael Johnson – PodTech

What has been the most interesting thing for you or what area do you focus on a particular, and what over the last few years has been some of the top one or two security issues?

Richard Mogull – Gartner

Well, it has been really fascinating actually, I’ve been covering data security for about five, maybe six years now, and back then it was something nobody would pay attention to, the research wasn’t read very frequently, not a lot of conversations about it. Last year, data security has exploded, protecting people’s private information, protecting corporation’s intellectual property, incredible amount — vendors all over the place addressing it, we couldn’t go to a keynote without a mention of data security. So, I think it has been just fascinating to watch it over this five year period, as this has finally developed and has finally started to hit the mainstream.

Michael Johnson – PodTech

What do you think changed, what was it that sort of pushed it over the edge?

Richard Mogull – Gartner

Oh, to be honest, it’s because of couple of factors. One is we actually start putting things back up on the Internet and making them potentially available that people had monetary value. There were no safe crackers except for 14 year teenage boys until people put money in the safes, then the bad guys figured it out. We put those things up there, the bad guys had a little bit of time to realize not only what was there, but learn the techniques to get at it. So, now all of a sudden, information security, we’ve always called it information security, it was network security, now we’re getting back to the information, we’re getting back to the data, we’re protecting private information, we’re protecting our intellectual property.

Michael Johnson – PodTech

So, has the mindset caught up, because it’s the scene that I’m hearing at RSA, I’m hearing it tonight, has the mindset of the enterprise community that deals with that data, whether it’s data in flight or data at rest, and even some of the marginal network, firms that are out there, large storage firms that are out there, have they really caught up with the idea about what security is?

Richard Mogull – Gartner

I think we have a lot of work to do there. We know there is a problem. Now, a lot of it right now is mostly compliance driven, so people are implementing data security as much for compliance as anything else, and a lot of part of it is we don’t really know how big or how bad the problem is. Over the next few years, we’re really going to start raising that awareness, we’re going to start understanding how to build security as opposed to just layering it on, and we will get back to the concept that it’s about protecting the data, and it’s about protecting our sensitive information. So, we got a little ways to go, it’s not quite there yet.

Michael Johnson – PodTech

Thanks for talking with us, enjoy the party.

Richard Mogull – Gartner

Thank you very much, this is great.

Michael Johnson – PodTech

So, that wraps it up for our blogger evening, security bloggers from all over the country, all over the Web, all of the blogosphere, coming together here in San Francisco at the Foreign Cinema restaurant as part of the RSA 2007 Security Conference in San Francisco, I’m Michael Johnson, well see you next time.

Copyright ©2006 PodTech.net. All rights reserved. Privacy policy

Tags: , , , , , , ,
 
Posted in: Connected Social Media, Corporate, F5 Networks Incorporated, Technology