I can see many “sore” heads this morning walking around, but then again, that’s pretty standard throughout AusCert. The dinner last night (Tuesday) was pretty good and great to catch up with people. Always enjoy my time with my mates at TrustDefender. (Blatant promo for the guys. They will do well and I highly recommend you check them out).
Here we go:
Missed the keynote and so did everyone else I know. At least I can blame work and not the night before.
Caught Wade Alcorn’s (NGSS) presentation first up on Fuzzing. Small attendance surprisingly, or not (given the AusCert crowd mix). Nice start to the day. Thanks Wade... there are some security people and techos here after all!
Not sure why I missed the next session but sitting outside in the sun with a few friends just seemed pretty cool at the time.
Now the next session was a triple banger presentation. I was looking forward to seeing this one and to be honest, it did not disappoint. I expected nothing and it pretty much almost made my expectations:
“Broad lessons from the Computer Network Vulnerability Assessment Program”: this is CNVA for short. We’re (Securus Global) on the panel but we’ve never hit the keyboard in anger since being on it. If you don’t know what it is, in a nutshell, it’s a government initiative to protect critical infrastructure. Google for more details. Somehow the program is described as successful but statistics on the slides confuse me. 26 successful applications/tests out of 30 applications received in the 3 odd years it has been around. Hang on, shouldn’t we be talking hundreds and thousands? Nope – 26! WTF? You’re kidding me... and calling this program over the years successful? Surely I am missing something? Now is it just me, but then pie charting the 26 and showing percentages across critical infrastructure sectors on who has done an exercise under the CNVA program itself just seems so wrong – e.g. banking 4%... okay so now we know 1 bank in all this time has done something in the program. That’s a pretty lousy percentage. I reckon you should not be allowed to pie chart unless you have more than 100 in the sample!
“Cyber Storm II – an international cyber security exercise”: A good deal of high end waffle on what this is/was and what it will be. If I typed more about the presentation here, your knowledge would be no more, so I won’t bother.
“Cyber Storm II in Australia”: as above. Waiting on a report on this to get more information but given the summary of activity presented, I stand by the questions and statements here.
The highlight of these 3 combined sessions was Big Galoot’s question to the presenters:
“Given your objectives as you stated was to test preparedness, and you now state the next such exercise is in 2010, can you explain how that works? Also, what are your thoughts on quotes that have been made that this exercise is nothing more than a Cyber Storm in a teacup?”
Now there was a response... I heard them speaking but I did not hear an answer. (A bit like politicians answering a question). Big Galoot became a magnet for people after the presentation with a load of back pats and “awesome mate!”
Lunch and then Big Galoot distracts me and drags me into some presentation on endpoint security. I think the title got him as it mentioned iPhones, iPods, Flash Drives etc. I sit down and realise I am now missing Daniel Klein’s presentation. The bugger gets bored within 2 minutes and leaves me there on my own. I didn’t want to be rude to the presenter so I stay. Big vendor sales presentation and it drags on and on... WTF am I doing here? I hate you Big Galoot!
“Geekonomics: The Real Cost of Insecure Software” by David Rice is next. This should have been a keynote. This was my favourite presentation of the conference. Awesome! Got to meet David afterwards and bought his book. Just starting to read it!
The closing sessions were good! Rob Redenbach talked about “Streetwise Leadership”. This was not an IT Security presentation but rather Rob talking about his life in the armed forces, travelling the world, studying martial arts, becoming a trainer of Nelson Mandela’s bodyguards and relating lessons learned to how people should approach life and its challenges. I couldn’t do this talk justice in a short post. Can’t believe I went out to meet him also and bought a couple of his books. (I’m on a roll). Another great presentation.
The last session of the day hosted by Adam Spencer was a panel/series of debates. Adam is always interesting and he turned this into a nice end to the conference.
More on AusCert: podcasts of various interviews done by Patrick Gray at Risky Business.

“Big Galoot distracts me and drags me into some presentation on endpoint security”
Folks, that’s what we call being well & truly “verballed”.
Here’s my recollection:
DD: “What presentation are you going to, BG?”
BG: “The one on endpoint security looks interesting. I might go to that.”
DD: “Yeah, (yawns) I might come along with you. I’m so tired. I need some sleep.”
The pair of us then took our seats in the lecture room. On taking our seats, I noticed the bloke sitting next to me stank strongly of alcohol – at 1pm. Not bad given that his last drink was 10 hours previously. (It must’ve been a good session!)
Moving along, the presenter opened his presentation with the startling revelation that – wait for it – removable media may contain malware or viruses! (Cue photo of USB thumb drive, for those of us who’d never seen one before.)
It was about then (around a minute into his rant) that I decided this presentation was not for me.
DD: “Where are you going, BG?”
BG: “Mate, this presentation sucks. It’s security 101 for kids. I’m outa here.”
DD: “Ok, I might stay here for a while and get some rest… I need some sleep.”
BG.