Thoughts from the Summit

A few comments from the 4th Annual Detroit IT Security Summit yesterday.

The presentations from the keynote speakers have been posted to the Summit website. Ridgely Evers opened the show with comments on what has gone wrong with IT Security. Evers of Tapit Partners ranks high in my esteem because he says great things like:

"IDS - that has got to be one of the stupidest technology ideas of all time."

(While I agree with him completely I would not mind being Marty Roesch right now who is laughing all the way to the bank after Checkpoint bought his IDS company for a cool $225 million.)

Marty of course is the one who attempted to shave me with Occam's razor in his response to my critique of IDS. I notice that his rant is offline for some reason. Luckily I snarfed it from Google cache. For your amusement I recreate it here. Note how he published my email address. Not nice.

Back to the Summit. I bumped into a CSO from an automotive data exchange firm. He was wearing an RSA SecurID token on his belt with one of those little retracting string things. It was stamped with the colorful eTrade logo. I thought that was kind of cool - tokens as fashion statement. He had also heard that account deposits at eTrade went UP when they issued tokens to account holders earlier this year. That has huge implications for online banking. Trust sells.

There were a bunch of panel discussions at this event. I was on one of them with some very hard core bloggers.

Adam Shostack www.emergentchaos.com

Richard Stiennon www.threatchaos.com

Michael Murray blog.ncircle.com

Ed Vielmetti vielmetti.typepad.com/vacuum

Ed and Adam debated an interesting point. The idea is that companies should reveal the details of breaches in security. Ed cited a practice in the aviation industry to publish all root cause analyses of airplane crashes. Everyone on the panel knows of incidents that have gone unreported (the Visa lost tapes incident for instance). The benefit to security is obvious. If banks freely talked about the extortion money they had to pay to cyber attackers perhaps other banks would take defensive measures to protect themselves.

Speaking of attacks, one panel included an unlikely "expert". Nino DiCosmo is the CEO of Autoweb. He pointed out that counterfeit mechanical parts are a $16 billion industry. $3.2 billion in the US. And that there are real threats against companies that had the design data for those parts. In other words industrial espionage has moved beyond product plans and style to actual manufacturing designs. Yipes!

The most amazing presentation was from Barrett Lyon. In a simple, unembellished manner he related his hair-raising experiences countering DDoS attacks from cyber extortionists. I am glad I was there to hear his story. Just published in the New Yorker by the way.