Friday, January 22, 2016

Is RSA really still relevant?

With so many information security conferences springing up, those new to the industry often have a hard time knowing which ones are worth attending. For years, two security conferences stood out as forerunners, at least in the commercial space: RSA and Blackhat. While Blackhat catered to the more technical crowd who likes to get into the bits and bytes, RSA catered to a slightly less technical group. I've attended and spoken at both Blackhat and RSA, and they have both served their purposes as fantastic (if very commercial) security conferences.

Has RSA gone off the rails in 2016?
RSA made some questionable decisions in their keynote selections for 2016.  They are apparently creating a CSI: Cyber panel with actors from the show.  The series creator and executive producer will also be speaking there.  I saw Colbert a few years ago at RSA and while I initially questioned his selection for a keynote, he was fantastic.  He prepared well and was spot on with some insightful remarks about the industry.  We should expect nothing less from someone who testified in front of Congress and started his own Super PAC.  He may have started as a comedian, but by the time he spoke at RSA, he had transcended that. But of course, because he's Colbert he was funny.  Damn funny.

But CSI: Cyber?  Seriously?!  What do two actors and a producer from CSI: Cyber really have to offer attendees?  I frequently point out to my infosec brethren that when shows like CSI: Cyber paint an unrealistic picture of our craft, they do us significant harm.  When Abbie and McGee share the same keyboard on NCIS to stop hackers, we look stupid.  And technotards (like my mom) think this is what I really do for a living.  The reality couldn't be much further from the truth.

Two idiots, one keyboard

Of course when Scorpion rebooted the air traffic control system with a sports car and a jumbo jet, the public were fortunate to learn how computers and hacking really work.  Sorry. I threw up in my mouth a little there.  Okay, a lot.

Are you kidding me?

But just when you think it can't get dumber, CSI: Cyber comes along.  Note that in this scene, one of the keynote speakers identifies malware by separating green and red code.  I have no idea how this is supposed to work, but people believe you can do this.  Just ask any consultant who has been in the field.  Unrealistic expectations about our abilities abound.

Because all malware code is red?

Want to see two episodes' worth of technical jargon compiled into 3 minutes? This video shows how often the words deep web, zero day, code, and hacker appear in the two episodes. Bottom line, it's out of control.

More techno jargon please...

This video introduces the sure-to-be-a-hit term "son of a backdoor hack." We also learn that if we can pinpoint the backdoor frequency, we can track it.

Well "son of a backdoor hack" this show is insulting

Overall, CSI: Cyber is a disgrace to our profession.  It is doing nothing to elevate our profession in infosec.  RSA should not be giving the CSI: Cyber actors a stage to interact with the REAL heroes of infosec who actually keep us safe day in and day out.

This year, I don't have to worry about whether I should attend RSA.  I'm teaching real infosec crusaders advanced exploit development in London and have a schedule conflict.  But with cruft like this, I'm not sure I'd go even if I could.

Look, Hugh Laurie (Dr. House) never gave a keynote at a major medical conference.  Wesley Snipes never addressed West Point, despite being a general bad ass in his movies.  This idea that we should have actors addressing RSA is ridiculous.  It would be one thing if CSI: Cyber were elevating our craft, but they surely are not.  If anything, they are hurting it.

Twitter passwords? Seriously?!
While polishing this post this morning I learned that RSA was apparently asking attendees for their Twitter passwords so it could tweet on their behalf. This is insultingly stupid for a security conference. Everybody knows you should never give your password to anyone; that's what OAuth is for. But despite that, many did give away their password. I take this to be another indication that RSA is pushing itself into obsolescence.

At this point, I'd like to introduce a new theory. Since RSA developers are very likely to understand the need to use OAuth rather than plaintext passwords, I submit that they didn't code the faulty registration form at all. I submit that it may have been the CSI: Cyber actors - because "son of a backdoor hack", requesting plaintext passwords for external accounts just about lines up with their infosec prowess.
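As an added illustration (not code from this post or from RSA), here is what "that's what OAuth is for" looks like in practice: a Python implementation of OAuth 1.0a HMAC-SHA1 request signing, the scheme Twitter's API used for delegated posting, with constructed placeholder credentials. The third party signs each request with an access token and secret the user granted; the user's Twitter password never enters the request, and the grant can be revoked without changing the password.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote
# Constructed placeholder credentials; a real app gets these from the OAuth grant flow.
CONSUMER_KEY = "app-key-EXAMPLE"
CONSUMER_SECRET = "app-secret-EXAMPLE"
ACCESS_TOKEN = "user-token-EXAMPLE"
TOKEN_SECRET = "user-token-secret-EXAMPLE"
TWEET_URL = "https://api.twitter.com/1.1/statuses/update.json"

def pct(value):
    """RFC 5849 3.6 percent-encoding: only the unreserved set stays literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """Sort the encoded parameters, then join method, URL and parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret):
    """Signing key is consumer secret '&' token secret; the user's password is never involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """Client side: returns (Authorization header value, signature base string)."""
    base = signature_base_string(method, url, {**body_params, **oauth_params})
    signed = {**oauth_params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))
    return header, base

def verify_request(method, url, body_params, header, consumer_secret, token_secret):
    """Server side: recompute the signature from the header's own parameters."""
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        fields[unquote(k)] = unquote(v.strip('"'))
    presented = fields.pop("oauth_signature")
    base = signature_base_string(method, url, {**body_params, **fields})
    return hmac.compare_digest(presented, hmac_sha1_signature(base, consumer_secret, token_secret))

def example_tweet_request():
    """Sign a tweet on the user's behalf; nonce and timestamp are fixed only for reproducibility."""
    oauth = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": "nonce123",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1453420800",
             "oauth_token": ACCESS_TOKEN, "oauth_version": "1.0"}
    return sign_request("POST", TWEET_URL, {"status": "Hello from RSA"}, oauth, CONSUMER_SECRET, TOKEN_SECRET)
```

A registration form that collects the password itself has none of these properties: it can do anything with the account, and the only way to revoke it is to change the password.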

1 comment:

  1. I have been using Kaspersky protection for a couple of years now; I'd recommend this antivirus to everyone.
