Richi Jennings

We have fun at RSA conference in SF (and Dr. Python)

February 08, 2007 2:30 AM EST
Eeek! It's IT Blogwatch: in which stuff happens at the RSA Conference. Not to mention a Doctor Who/Python mashup...

Jaikumar Vijayan has this:
Stand-alone security vendors are going the way of dinosaurs. That was the assessment offered today by Art Coviello, president of RSA Security Inc., at the company's annual security conference, which is being held here this week. RSA is EMC Corp.'s security division. Delivering a keynote address this morning, Coviello said the trend by vendors such as Microsoft Corp., Oracle Corp., Cisco Systems Inc. and EMC to integrate security functions into their core technologies is diminishing the need for add-on products from pure-play security vendors. RSA itself was one such stand-alone vendor until it was acquired by EMC last year.
...
Factors driving the trend include the continually changing nature of threats and regulations that require companies to demonstrate better controls and hold them accountable for data losses ... In the near future, companies will need to implement more "information-centric" security models focused on mitigating business risk and financial losses rather than on "perfect security," he said.
Alex Eckelberry had fun:
RSA is ground zero for the deal-making side of security (partnerships, licensing deals, etc.) and an extremely busy show from that aspect. Of course, in between business meetings, we had to have some fun, so we started pwning the public terminals.
Brian Krebs fills in the blanks:
it came as a great surprise to me to discover a security gaffe at the RSA Security conference here -- one of the premiere computer security conferences in the industry. The kiosks of Microsoft Windows XP machines set up as a way for attendees to freely access e-mail from the conference floor were running under the all-powerful "administrator" account. In short, anyone could have used the terminals to download a free software program that records every keystroke typed on the terminals. That record would be extremely useful for spying on the Internet communications of executives at some of the most recognizable computer security firms in the industry. I spent about 20 minutes watching the activity at these booths, as executives checked their e-mail messages there or logged on to their PCs remotely. Had I spent a bit more than 10 seconds at the terminals, I could have downloaded software that would let me steal user names and passwords from some of the more important companies in the information security community.

It certainly is somewhat crazy that these security practices occur at a respected security conference. But it is also revealing that so many security professionals find it acceptable to access their personal data on unfamiliar public terminals without conducting even rudimentary checks on the host system's integrity.
Ryan Singel, more so:
One should never trust a public kiosk computer, but at the RSA security conference, one expects the public computers will at least be locked down as well as the public library's boxes. This year you'd be wrong as Sunbelt Software's president Alex Eckelberry and R&D vice president Eric Sites gleefully demonstrated to 27B by downloading adware from Zango and The Best Offers and by checking Google searches run by previous users.

Seems the Windows XP boxes -- supposedly protected by Sophos -- were actually just Windows XP machines running with full administrative privileges -- meaning any user could install whatever he might like -- including malware and key loggers. The machines didn't even have Sophos's Anti-Virus installed -- instead they used AVG Professional 7.5 (a perfectly good anti-virus program, but it's made by Grisoft -- not Sophos). Eckelberry, who kept muttering "this is so evil," as he added more software to the machine, later said the prank reminded him of his days of messing with computers in Radio Shack as a teen.
Jack Vaughan:
Microsoft Chairman Bill Gates told the RSA Conference that a combination of authentication and access management strategies can protect corporate data, but information security pros are willing to wait for the proof ... Gates has long touted the demise of passwords, and Tuesday's talk about IPsec certificate-based identity management furthered that agenda. Gates said last year's introduction of InfoCard, a Windows feature for managing digital identities, later renamed CardSpace, was a milestone in the migration away from passwords. He announced that CardSpace will support OpenID 2.0, a decentralized framework for digital identities
...
While the joint keynote was heavy on strategy, it also served as a moment of transition for Microsoft. Gates' impending departure from a full-time role at Microsoft in 2008 has thrust the spotlight on others like Mundie and Ray Ozzie, Gates' successor as chief software architect. Mundie said Tuesday it will be his task to carry out the Trustworthy Computing initiative, which turned 5 years old this week.
Kaliya Young Hamlin is excited:
Bill Gates and Craig Mundie announced MSFT support of OpenID2.0 ... I wouldn't go so far to say that they got married. But what exactly was announced? ... The OpenID Relying parties will be able to request that the authentication be done in a phishing-resistant way ... This is a very exciting development as it expands the options available to users. There are issues with phishing in OpenID ... and addressing this hole is key to making it a viable protocol that is good for users.
Alan Shimel has mixed feelings:
RSA was a circus today. It is bigger and better than ever ... However, one thing I did not like was that some companies still think the way to sell security and get people to come to your booth is by exploiting women. Hiring booth babes and dressing them in skimpy outfits to appeal to the nerdy computer geeks, who would never get the time of day from girls like these, is degrading and has no place in our business.

Now I am no prude and realize that sex sells. However, there is a time and place for it and the security industry trade shows are not it. I find it debasing and exploitative of the women involved. It is also disrespectful to the intelligence of the show attendees who are here to find out about security. I think it is also incredibly disrespectful to the legitimate women working at these companies. What message is being sent here? What is the connection between scantily clad women and security? None, that I can see. This is so 1970's, it is an embarrassment to us all.
Martin McKeay feels defeated:
I freely admit to having my butt kicked by standing on my feet for the better part of 10 hours ... Not that today wasn't fun, but it was definitely tiring. I don't have the hour or two's worth of energy to edit and upload a podcast tonight, even though I recorded a show Sunday night. And tomorrow's only going to be worse.
Dan Farber was at the keynotes:
John Thompson, CEO of Symantec ... took a shot at Microsoft, saying that the conflict of interest -- the company that makes the underlying platform also securing it -- needs to be untangled. He compared Microsoft's security efforts in competition with Symantec and other vendors on the anti-virus, firewall and other fronts to a company being permitted to audit itself.
Last word goes to Valleywag's ConFonz:
The fabulous and sexy Conference Fonzerelli has trouble avoiding parties. Even when he stopped to retch up the last of his peyote buttons into an alley off second street, he found himself standing outside of the PingIdentity party. Elsewhere, Microsoft held a press gathering at the Cartoon Art Museum, irony unimagined. Just another indication of the Mickey Mouse attitude Microsoft has towards security.
...
Still, best quote of the day goes to Microsoft: "I love RSA, you can assume everyone here is not a complete retard."
And finally... Monty Python and the Dalek
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.