I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have a professional notetaker who is using this. It really makes the notes much more powerful and useful then just text. Imagine having notes with visual cues to (including but not limited to network diagrams) help you remember what happened. I’m sitting here looking at the posters, the notetaker made in real time with our discussions and it’s amazing how much more useful they are.
[Posting this here to help get the word out – Chris ]
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees are eligible for free RSA exhibit passes.
Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).
Place: University of San Francisco (walking distance to the Moscone Center)
Time: 8:30am to 4:30pm
Participation: by invitation.
Attendance: Limited to 80 people
Additional details, including links to past workshops, presentations, and digests, as well as a calendar with important dates and instructions for submitters is available at securitymetrics.org
RSA 2010 Call for Speaking Proposals. You know you want to.
The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009.
PETS features leading research in a broad array of topics, with sessions
on network privacy, database privacy, anonymous communication, privacy
policies, and privacy offline. (The PETS 2009 program is here.)
Like last year, we also present the HotPETs workshop, which showcases hot new research in the field.
We will also be presenting the Award for Outstanding Research in Privacy
Enhancing Technologies to researchers who have made an outstanding
contribution to the theory, design, implementation, or deployment of
privacy enhancing technology.
Stipends deadline: July 2
Hotel group rate deadline: July 5
Earlybird registration deadline: July 9
Symposium: August 5-7
Venue and registration information, as well as the program, can be found
at the PETS 2009 website.
We hope to see you in Seattle!
– The PETS 2009 organizers
As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle.
As I think about how to deliver each of these talks, I think about what people will want from each. From a keynote, there should be a broad perspective, aiming to influence the agenda and conversation for the day, the conference and beyond. For a technical talk, I’m starting from “why should we care” and sharing experiences in enough depth that the audience gets practical lessons they can apply to their own work.
Part of being a great presenter is watching others present, and seeing what works for them and what doesn’t. And part of it is watching yourself (painful as that is). Another part is listening to the masters. And in that vein, Garr Reynolds has a great post “Making presentations in the TED style:”
TED has earned a lot of attention over the years for many reasons, including the nature and quality of its short-form conference presentations. All presenters lucky enough to be asked to speak at TED are given 18-minute slots maximum (some are for even less time such as 3- and 6-minute slots). Some who present at TED are not used to speaking on a large stage, or are at least not used to speaking on their topic with strict time restraints. TED does not make a big deal publicly out of the TED Commandments, but many TED presenters have referenced the speaking guidelines in their talks and in their blogs over the years (e.g., Ben Saunders).
Ironically, he closes with:
Bill Gates vs. Bill Gates
Again, you do not have to use slides at TED (or TEDx, etc.), but if you do use slides, think of using them more in the style of Bill Gates the TEDster rather than Bill Gates the bullet point guy from the past. As Bill has shown, everyone can get better at presenting on stage.
I’ll be doing some of both. As both Reynolds and Bill understand, there are better and worse styles. Different styles work well for different people. There’s also a time and a place for each good style of presentation. Understanding yourself, your audience and goals are essential to doing any presentation well.
Of course, style only matters if you’re a professional entertainer, or have something interesting to say. I try hard to be in the latter category.
If you’re in Johannesburg, come see both talks. I’m looking forward to meeting new people, and would love to hear your feedback on either talk, either on the content or the style.
So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that.
But I did I promise to tell you what I wanted to get out of it. My goals, ordered:
- A successful Research Revealed track. I think we had some great talks, a panel I’m not qualified to judge (since I was on it), and at least a couple of sell-out sessions. But you tell me. Did it work for you?
- See interesting new technology. I saw three things: Garner’s hard driver crusher (they have a “destroy” button!), Camouflage‘s database masking and some very cool credit card form factor crypto devices from Emue. (I’d add Verizon’s DBIR, but I saw that before the show.) Four interesting bits? Counts as success. Ooh, plus saw the Aptera car.
- Announce our new blog at Newschoolsecurity.com. Done!
- See friends and make five new ones. It turns out that the most successful part of this was my Open Security Foundation t-shirt. I urge you all to donate and get this highly effective networking tool.
- Connect five pairs of people who previously didn’t know each other. I counted seven, which makes me really happy.
What I didn’t want: a hangover. Only had one, Friday morning.
Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open.
The deadline for the Early Bird registration is 1 June 2009.
We’ve written here often (and favorably) about WEIS, and about papers delivered there.
So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?
Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured.
The law don’t mean shit if you’ve got the right friends
That’s how this country’s run
Twinkies are the best friend I’ve ever had
I fought the law
And I won
I blew George and Harvey’s brains out with my six-gun
I fought the law and I won
I learned about Harvey Milk, but didn’t really remember George. I learned who he was from Milk, the movie.
When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context of human life. Most hacking incidents are annoying, some have real financial impact, and some few have the potential to do real and irreparable harm.
So as we go to the Moscone Center, remember the murders committed by an authorized entrant into city hall. When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context, and remember George Moscone and Harvey Milk.
For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together in a book, “The New School of Information Security.)”
The content is really exciting. From the opening with a top rated speaker, Betsy Nichols, who’ll be talking about “Crunching Metrics from Public Security Data” continuing to Gene Kim’s talk about applying real analysis of practice to virtualization and a great panel talking about lessons learned from Election 2008, this track is just packed with hard facts and practical analysis.
Because I’m so excited by this, I’ve put the data into a Research Revealed .ics file you can use to bring these into your calendar.
I also extracted this table from the RSA website (it was hard to link), so you can easily see the track:
|Session ID||Title||Classification||Session Type||Scheduled
|RR-105||Crunching Metrics from Public Security Data||Advanced||Track Session||Tuesday, April 21 01:30 PM||
|RR-106||Controlling Virtualization Security Risks: Tips from the Experts||Intermediate||Track Session||Tuesday, April 21 03:00 PM||
|RR-107||Technology Lessons Learned from Election 2008||Advanced||Track Session||Tuesday, April 21 04:10 PM||
Senior Computer Scientist,
Chief Technology Officer,
Open Source Digital Voting Foundation
University of California, Berkeley
University of Iowa
|RR-108||Security Risk Metrics: The View from the Trenches||Intermediate||Track Session||Tuesday, April 21 05:40 PM||
|RR-201||Fraud Management Strategies of North American Financial Institutions||Intermediate||Track Session||Wednesday, April 22 08:00 AM||
|RR-202||Data Sources, Methods, and Challenges||Not Rated||Track Session||Wednesday, April 22 09:10 AM||
The Security Consortium, Inc.
Professor of Computer Science,
University of Pennsylvania
|RR-203||Why Software is Still Insecure: Conclusions from a Ten-Year Study||Advanced||Track Session||Wednesday, April 22 10:40 AM||
Research Director, Secure Content and Threat Management Products,
|RR-301||Into the Breach: An Analysis of Attack Data Trends||Intermediate||Track Session||Thursday, April 23 08:00 AM||
Information Security Manager,
|RR-302||Best Practices for Mitigating Insider Threat: Lessons Learned from 250 Cases||Advanced||Track Session||Thursday, April 23 09:10 AM||
Senior Member of the Technical Staff,
Carnegie Mellon Software Engineering Institute
Carnegie Mellon Software Engineering Institute
|RR-303||Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry||Intermediate||Track Session||Thursday, April 23 10:40 AM||
|RR-304||Cyber Warfare: Technology, Law and Ethics||Advanced||Track Session||Thursday, April 23 02:10 PM||
Professor and Program Coordinator,
Sheridan Institute of Technology and Advanced Learning
|RR-401||The Data-Driven CSO: Steering Clear of Security Breaches||Intermediate||Track Session||Friday, April 24 09:00 AM||
Vice President of Technology & Innovation,
|RR-402||Closed-Loop Information Assurance||Advanced||Track Session||Friday, April 24 10:10 AM||
|RR-403||Applying Pattern Recognition in SOD, Fraud or GRC-Related Violations||Advanced||Track Session||Friday, April 24 11:20 AM||
Software Development Director,
This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more than a decade, CFP has anticipated policy trends and issues, and has shaped the public debate on the future of privacy and freedom in an ever more technology-filled world. CFP focuses on topics such as freedom of speech, privacy, intellectual property, cybersecurity, telecommunications, electronic democracy, digital rights and responsibilities, and the future of technologies and their implications. Researchers who work in any of these areas are invited to submit research abstracts.
We seek research abstracts describing recent or ongoing research in all areas relevant to the conference themes. We are especially interested in research abstracts that present results with clearly articulated policy implications. Abstracts should be written for a general audience and should avoid using technical or legal jargon.
Submitted research abstracts can be either unpublished original research (including work in progress), or research that has been recently published (2008 or 2009).
This is a great opportunity to get interesting work in front of a diverse audience. I’m on the program committee, and we’ve extended the deadline — all you need to submit is an abstract — to Friday the 10th. Check it out.
I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.
Metricon 4 – The Importance of Context
MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics.
It is a forum for quantifiable approaches and results to problems afflicting information security
today, with a bias towards practical, specific approaches that demonstrate the value of security
metrics with respect to a security-related goal. Topics and presentations will be selected for their
potential to stimulate discussion in the workshop.
MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th
USENIX Security Symposium in Montreal, Quebec.
Beginning first thing in the morning, with meals taken in the meeting room, and extending into the
evening. Attendance will be by invitation and limited to 60 participants. All participants will be
expected to “come with findings” and be willing to address the group in some fashion, formally or
not. In keeping with the theme of The Importance of Context, preference will be given to the
authors of position papers/presentations who have actual work in progress that demonstrates the
value of security metrics with respect to a security-related goal.
Topics that demonstrate the importance of context include:
Data and analyses emerging from ongoing metrics efforts Studies in specific subject matter areas Time and situation-dependent aspects of security metrics Long-term trend analysis and forecasts Measures of the depth and breadth of security defenses Metrics definitions that can be operationalized Incorporating unknown vulnerabilities into security metrics Security and risk modeling calibrations Security measures in system design Software assurance initiatives Security metrics relationship to security assessments
The program committee will also consider any innovative security metrics related work
How to Participate
Submit a short position paper or description of work done or ongoing. Your submission must be
brief — no longer than two pages including both text and graphical displays of quantitative
information. Author names and affiliations should appear first in the submission. Submissions
may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to
email@example.com. These requests to participate are due no later than noon GMT,
Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your
submission within a day or two of posting; take action if you do not.
The Program Committee will invite both attendees and presenters. Participants of either sort will
be notified of acceptance quickly — by June15, 2009. Presenters who want hardcopy materials to
be distributed at the Workshop must provide originals of those materials to the Program
Committee by July 27, 2009. All slides, position papers, and what-not will be made available to
all participants at the Workshop. No formal academic proceedings are intended, but a digest of
the meeting will be prepared and distributed to participants and the general public. (Digests for
previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is
dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this
sort is found. Submission of recent, previously published work as well as simultaneous
submissions to multiple venues is entirely acceptable, but only if you disclose this in your
In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to.
I’d like to talk about why I see it as a tremendous positive, and will be doing it again.
First, it engages the audience. There’s a motive to pay close attention and share what you hear. They’re using their laptops for good, not evil.
Second, it multiplies the attention to the talk. The talk was standing room only, but the room held fewer than 100 people. The people who tweeted had 5,300 followers. Now, that’s total followers, not unique (does anyone have an easy way to calculate that?) It’s also unlikely that many of them were reading Twitter or read backscroll, but it seems like an ok guess to say that 200-500 people saw some mention of the talk on Twitter.
Third, it promotes the audience from passive to engaged (although that wasn’t a problem for my audience, I’ve seen it in other talks). They’re no longer just listeners, they’re interpreting, quoting, and generating additional content as we engaged around the ideas in the talk.
What chaotically emerged is larger than my talk. It’s a conversation.