Archive for the ‘Security Conferences’ Category

Hoff’s RSA 2012 Schedule: My Talks, Panels, Seminars & Such

February 26th, 2012 1 comment

I’ll be at the RSA Conference all week from 2/27-3/1.

Here are the sessions I’m slated to perform:

  1. SEM-001 : 2/27 – Security Basics Seminar “Firewall Basics”
  2. EXP-204 : 3/1 @ 1pm – Grilling Cloudicorns : Mythical CloudSec Solutions You Can Use Today (with my usual partner in Cloud, Rich Mogull)
  3. STAR-106 : 2/28 @ 1:10pm – Firewalls: Security, Access, The Cloud – Past, Present and Future

I’ll also be spending a bit of time lurking about the Juniper booth as well as that of our awesome new acquisition, Mykonos Software.

Lest I forget: Jeremiah Grossman and my infamous BJJ Smackdown at Ralph Gracie’s academy (down the street) at 6PM on 3/1.

See you at the show.

/Hoff


Video Of My CSA Presentation: “Commode Computing: Relevant Advances In Toiletry & I.T. – From Squat Pots to Cloud Bots – Waste Management Through Security Automation”

February 19th, 2011 13 comments

This is probably my most favorite presentation I have given.  It was really fun.  I got so much positive feedback on what amounts to a load of crap. ;)

This video is from the Cloud Security Alliance Summit at the 2011 RSA Security Conference in San Francisco.  I followed Marc Benioff from Salesforce and Vivek Kundra, CIO of the United States.

Here is a PDF of the slides if you are interested.

Part 1: [embedded video]

Part 2: [embedded video]


Why I Don’t Speak At Security B-Sides…

January 13th, 2011 2 comments

Security B-Sides has long since emerged from the “Indie” shadow it was born from and now represents and produces some of the most amazing content and speakers in the security (mainstream and otherwise) industry.

So why don’t I speak at any of them?

Two reasons.

1) Many of the B-Sides get spun up quickly and without much notice.  Those that I might be able to travel to/attend take place alongside the bigger conferences which I am required to attend and/or have committed to speak at far in advance, and…

2) I speak at 30-40 conferences a year. People don’t need to hear me prattle on about the same things I’ve spoken about elsewhere.  Further, many of the folks who respond with awesome CFP submissions to B-Sides don’t (for a number of reasons) speak at the larger conferences…so why should I take up space when others should be given this amazing opportunity?

So there you have it.

Support B-Sides.  One day I’ll get to one live. Until then, I’ll watch the live streams.

/Hoff

On Security Conference Themes: Offense *Versus* Defense – Or, Can You Code?

November 22nd, 2010 7 comments

This morning’s dialog on Twitter from @wmremes and @singe reminded me of something that’s been bouncing around in my head for some time.

Wim blogged about a tweet Jeff Moss made regarding Black Hat DC in which he suggested CFP submissions should focus on offense (versus defense).

Black Hat (and Defcon) have long focused on presentations which highlight novel emerging attacks.  There are generally not a lot of high-profile “defensive” presentations/talks because, for the most part, they’re just not sexy; generally they involve hard work and cultural realignment, and the reality is that as hard as we try, attackers will always out-innovate and out-pace defenders.

More realistically, offense is sexy and offense sells — and it often sells defense.  That’s why vendors sponsor those shows in the first place.

Along these lines, one will notice that within our industry, the defining criterion for the attack versus defend talks and those that give them, is one’s ability to write code and produce tools that demonstrate the vulnerability via exploit.  Conceptual vulnerabilities paired with non-existent exploits are generally thought of as fodder for academia.  Only when a tool that weaponizes an attack shows up do people pay attention.

Zero days rule by definition. There’s no analog on the defensive side unless you buy into marketing like “…ahead of the threat.” *cough* Defense for offense that doesn’t exist generally doesn’t get the majority of the funding ;)

So it’s no wonder that security “rockstars” in our industry are generally those who produce attack/offensive code which illustrate how a vector can be exploited.  It’s tangible.  It’s demonstrable.  It’s sexy.

On the other hand, most defenders are reconciled to using tools that others wrote — or become specialists in the integration of them — in order to parlay some advantage over the ever-increasing wares of the former.

Think of those folks who represent the security industry in terms of mindshare and get the most press.  Overwhelmingly it’s those “hax0rs” who write cool tools — tools that are more offensive in nature, even if they produce results oriented toward allowing practitioners to defend better (or at least that’s how they’re sold).  That said, there are also some folks who *do* code and *do* create things that are defensive in nature.

I believe the answer lies in balance; we need flashy exploits (no matter how impractical/irrelevant they may be to a large amount of the population) to drive awareness.  We also need more practitioner/governance talks to give people platforms upon which they can start to architect solutions.  We need more defenders to be able to write code.

Perhaps that’s what Richard Bejtlich meant when he tweeted: “Real security is built, not bought.”  That’s an interesting statement on lots of fronts. I’m selfishly taking Richard’s statement out of context to support my point, so hopefully he’ll forgive me.

That said, I don’t write code.  More specifically, I don’t write code well.  I have hundreds of ideas of things I’d like to do but can’t bridge the gap between ideation and proof-of-concept because I can’t write code.

This is why I often “invent” scenarios I find plausible, talk about them, and then get people thinking about how we would defend against them — usually in the vacuum of either offensive or defensive tools being available, or at least realized.

Sometimes there aren’t good answers.

I hope we focus on this balance more at shows like Black Hat — I’m lucky enough to get to present my “research” there despite it being defensive in nature but we need more defensive tools and talks to make this a reality.

/Hoff


The HacKid Technology Conference For Kids & Their Parents…

October 2nd, 2010 No comments

There are many projects in my time that I’ve been passionate about, honored to have curated and personally gratified by others’ responses to, but none more than HacKid.

What is HacKid?

HacKid is a new kind of non-profit conference focused on providing an interactive, hands-on experience for the entire family — kids aged 5-17 & their parents — in order to raise awareness, excitement and understanding of technology, gaming, mathematics, safety, privacy, networking, security and engineering and their impact on society and culture.

The first HacKid conference is in Cambridge, MA on the weekend of October 9th and 10th, 2010.

The activities and sessions at HacKid are many and varied in topic.  Some of the things the kids and parents will do are:

  • Learn About Online & Social Networking Safety
  • Make a Podcast
  • Learn How to Deal With Cyber-Bullies
  • Learn Kodu & Scratch Programming Languages
  • Build An Interactive Robot 3D printer
  • Discover Hair Hacking
  • Learn How the Internet works
  • Get Creative With Food Hacking
  • Manipulate Hardware & Software For Fun
  • Dive Into Electronics
  • Learn magic
  • Build a trebuchet
  • Meet & interact With Law Enforcement
  • Learn About Low-impact Martial Arts/Self-Defense

There’s a ton of stuff to learn and get excited about.

The gist of the idea for HacKid (sounds like “hacked,” get it?) came about when I took my three daughters, aged 6, 9 and 14, along with me to the Source Security conference in Boston.  It was fantastic to have them engage with my friends, colleagues and audience members as well as ask all sorts of interesting questions regarding the conference.  However, while they were interested in some things, it wasn’t engaging for them because it wasn’t relevant, it wasn’t interactive, it wasn’t hands-on…it wasn’t targeted to them.

…and it wasn’t meant to be.

I went home that night, registered the domain name, tweeted about it and was overwhelmed with people who said they wanted to help make this a reality.  The next day I reached out to the folks at Microsoft’s New England Research and Development (NERD) center in Cambridge and they kindly volunteered their amazing facilities.  From that moment on (a few months) it’s been on like Donkey Kong.

We have some amazingly kind and generous sponsors: USENIX, Microsoft, Kaspersky, Barracuda, IOActive, Cisco, Elenco, Trustwave, ISC2, You-Do-It Electronics, O’Reilly, and the Cloud Security Alliance.  Also, I’ve been blessed with some amazing volunteer help in the form of my Board of Advisors: Andy Ellis, Zach Lanier, Jack Daniel, Joe Garcia, Tim Mugherini, Tim Krabec, Jennifer Hoff, Tiffany Rad, Ryan Naraine, and David Blank-Edelman.

I’m really excited about how this is turning out and we’re going to replicate it across the country/world after we wrap the first one in Boston.  The wiki details some of the other candidate venues.

I do hope you’ll join us.  Space is running out and we’re closing registration on 10/6, so get typing if you and your kids want to come: www.regonline.com/hackid

/Hoff


Don’t Hassle the Hoff: Recent & Upcoming Speaking Engagements

September 20th, 2010 1 comment

Recent Speaking Engagements/Confirmed to speak at the following upcoming events:

There are a ton of venues I haven’t added here because they are directly related to customer visits that may not wish to be disclosed.  You can see the prior list of speaking engagements listed here.

[I often get a bunch of guff as to why I make these lists: ego, horn-tooting, self-aggrandizement. I wish I thought I were that important. ;) The real reason is that it helps me keep track of useful stuff focused not only on my participation, but that of the rest of the blogosphere.  It also allows folks to plan meet-ups]

/Hoff

Video Of My Cloudifornication Presentation [Microsoft BlueHat v9]

August 16th, 2010 2 comments

In advance of publishing a more consolidated compilation of various recordings of my presentations, I thought I’d post this one.

This is from Microsoft’s BlueHat v9 and is from my “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure” presentation.

The direct link is here in case you have scripting disabled.

The follow-on to this is my latest presentation – “Cloudinomicon: Idempotent Infrastructure, Building Survivable Systems, and Bringing Sexy Back To Information Centricity.”


See You At Black Hat 2010 & Defcon 18?

July 25th, 2010 2 comments
This year looks to be another swell get-together in Vegas.  I had to miss last year (first time in…forever) so I’m looking forward to 112 degrees, recirculated air, and stumble-drunk hax0rs jackpotting ATMs and commandeering elevators.

I’ll be getting in on the 27th. I have a keynote at the Cloud Security Alliance Summit on the 28th (co-located within Black Hat), a talk on the 29th at Black Hat (Cloudinomicon) from 10am-11am, and I’ll be on another FAIL panel at Defcon with the boys.  I’ve got a bunch of (gasp!) customer meetings and (gasp! x2) work stuff to do, but plenty of time for the usual.

I’m going to try to hit Cobra Kai, Xtreme Couture or the Tapout facilities whilst there for some no-gi grappling or even BJJ if I can find a class.  Either way, there are some hard core P90X’ers that I’m sure I can con into working out in 90 degree, 6am weather.

Rumors of mojitos and cigars at Casa Fuente are completely unfounded.  Completely.

Oh, parties? They have parties? ;)

See y’all there!

/Hoff


Reflections on SANS ’99 New Orleans: Where It All Started

July 25th, 2010 1 comment

A few weeks ago I saw some RT’s/@’s on Twitter referencing John Flowers and that name brought back some memories.

Today I sent a tweet to John asking him if I remembered correctly that he was at SANS in New Orleans in 1999 when he was still at Hiverworld.

He responded back confirming he was, indeed, at SANS ’99.  I remarked that this was where I first met many of today’s big names in security: Ed Skoudis, Ron Gula, Marty Roesch, Stephen Northcutt, Chris Klaus, JD Glaser, Greg Hoglund, and Bruce Schneier.

John responded back:

I couldn’t agree more.  That was an absolutely amazing time. I was on my second security startup (NodeWarrior Networks), times were booming and this generation of the security industry as we know it was being given birth to.

I remember many awesome things from that week:

  • Sitting in “Intrusion Detection Shadow Style” with Stephen Northcutt and Judy Novak for something like 8 hours going cross-eyed reading tcpdump packet traces and getting every question Stephen asked wrong. Well, some of them, anyway ;)
  • Asking Ron Gula’s wife something about Dragon and her looking back at me like I was a total n00b
  • Asking Ron Gula the same question and having him confirm that I was, in fact, a complete tool
  • Staying up all night drinking, writing code in Perl and doing dangerous things on other people’s networks
  • Participating in my first CTF
  • Almost getting arrested for B&E as I tried to rig the CTF contest by attempting to steal/clone/pwn/replace the HDD in the target machine. The funniest part of that was almost pulling it off (stealing the removable drive) but electrocuting myself in the process — which is what alerted my presence to the security guard.
  • Interrupting Lance Spitzner’s talk by stringing a poster behind him that said “www.lancespitznerismyhero.com” (a domain I registered during the event.)
  • Watching Bruce Schneier scream at the book store guy because they, incredulously, did not stock “Practical Cryptography”
  • Sitting down with Ed Skoudis (who was with SAIC at the time, I believe), looking at one another and wondering just what the hell we were going to do with our careers in security
  • Spending $14,000 (I shit you not, it was the Internet BOOM time, remember) by hitting 6 of the best restaurants in New Orleans with a party of hax0rs and working the charge department at American Express into a frenzy (not to mention actually using the line from Pretty Woman: “we’re going to spend obscene amounts of money here” in order to get in…)
  • Burning the roof of my mouth by not heeding the warnings of the waitress at Café du Monde, biting into a beignet which cauterized my mouth as I simultaneously tried to extinguish the pain with scalding hot chicory coffee.

I came back from that week knowing with every molecule in my body that even though I’d been “doing” security for 5 years already, it was exactly what I wanted to do for the rest of my life.

I have Stephen Northcutt to thank for that.  I haven’t been to a SANS since 1999 (don’t ask me why) but I am so excited about going back in August in DC (SANS What Works In Virtualization and Cloud Computing Summit) and giving a keynote at the event.

It’s been a long time.  Too long.

/Hoff


On Amrit Williams’ (BigFix) Beyond The Perimeter Podcast

July 18th, 2010 No comments

My good friend Amrit Williams (@amrittsering) from BigFix (congrats on the IBM acquisition!) has an awesome Podcast titled “Beyond the Perimeter.”

He was nice enough to invite me to record episode 93, titled “Is Trust the Real Barrier To Cloud Computing?” (ultimately points you to an iTunes subscription).

We spoke for almost an hour on all sorts of great discussion points related to Cloud Computing, specifically focusing on Trust (which I define in context as Security, Compliance, Control, Reliability and Privacy).

We also spoke about the Cloud Security Alliance, CloudAudit and the HacKid conference — three things I am very passionate about.

Thanks Amrit, great conversation as usual.

/Hoff
