Anti-Windows Catalog

I learned a lot from IST's Winnipeg Expo 2005

Written by Gordon Fecyk, 10/1/2005

Gord Wong of Information Security Technology, Incorporated, along with his senior conference organizers, challenged attendees to "not learn anything" during his conference. He offered refunds to those attendees who could meet that challenge.

No, I didn't try to hold him to his promise. But I did share what I learned with him. What follows is a letter I wrote to him two days after the conference. This copy contains corrections to his original letter.

Dear Mister Wong:

Thank-you for allowing me to represent my company at the IST Security Expo in Winnipeg. Thanks also for challenging me to try to "not learn anything" and offer a refund if this were the case -- admittedly, I forget exactly if that was you, Keith Olsen, or another who made that offer. I'm happy to say I won't have to take you up on that.

I would, however, like to share with you what I learned on that day.

• Computer Economics, Incorporated doesn't count as a quotable source.

  Doug Cooke from McAfee thinks so highly of his competitor, Symantec, that he cited their threat report, which he claimed the Zotob worm and variants caused $14 billion in damage. He did this even though Symantec didn't publish dollar values in their report. I may have misread his source of the $14 billion damage quote.
  I had difficulty finding numbers from insurance claims for Zotob's damage, although I could find insurance claim numbers and averages from Hurricane Katrina from The Washington Post, dated September 6th 2005.
  
  
• Mr Cooke also admitted to me that his company's new intrusion prevention technology, which looks for program code exploiting known vulnerabilities instead of known viruses, could have stopped Melissa and other earlier viruses before the fact. They must have worked on this for over six years, because they were able to stop Melissa on their own networks before their customers did.
  
  
• Keith Olsen told me in his Keynote that hackers, virus writers, spammers, spyware companies and so on, are using modular, "drag and drop" programming tools to collaborate and create new variants of existing malware with ease.
  This is disquieting, since I can pick up a copy of Visual Basic .NET 2002 or Diamondback (Delphi 2005), at my local Staples or Office Depot store, which are also modular "drag and drop" programming tools. I thought only New York State senators wanted to restrict access to such programming tools in the name of computer security.
  
  
• Mr Olsen also holds Wired Magazine writer Michelle Delio in high regard. He reproduced one of her articles on a slide during his Keynote. He holds Ms Delio in higher regard than Wired does, since they had problems confirming some of her sources.
  
  
• Craig Baltes from LURHQ provided what I considered the most valuable of all the presentations. His company produces a reporting tool that can accept data from several sources. I was amazed that his company's product is able to gather data generated from anti-virus software and firewalls before they can delete it.
  
  
• John Quinn and Ajay Sood from Ironport believe that e-mail is "too efficient," and they implied that making e-mail less efficient would fix it. Mr Sood was able to explain that better than I possibly could to any of my clients, who insist on having real-time delivery of e-mail 100% of the time (and in fact, can get that from Messagelabs.)
  
  
• Mr Sood and Mr Quinn also explained that I couldn't find out what my client's "e-mail reputation score" is, unless that domain subscribed to their service. This is unfortunate, because Sood later admitted he couldn't sell his product to a client with only twenty-five users.
  
  

• "Can you give me an example of a malicious Java applet?"

  After ten years of Sun's Java technology, Rich Holstein from Blue Coat couldn't provide an example of a malicious Java application or malicious Java applet, although he suggested Java applets were a threat.
  
  
• Finally, I'm glad your speakers showed more professionalism than Curtis Blais from Telus. I attended his talk the day before about his company's security services.
  I learned from Mr Blais that a certain terrorist, who was caught and jailed for his group's murders, was "reading a book about computers" in his jail cell. Blais cited him as an example of a "computer terrorist." Unfortunately, I can't find the name of the terrorist, nor a news article referring to him or his activities after an exhaustive search.
  By comparison, your speakers did not resort to this level of fearmongering. Even the booth staff from Air Magnet believed that Mr Blais was "unethical."

Overall, I learned that while the methodologies have changed, the overall thinking has not. McAfee wants to look for known vulnerabilities after the fact instead of known viruses after the fact. Your own firm's staff wants to blame Microsoft and Delphi for providing the programming tools that malware writers use. Ironport wants us to believe e-mail is "broken," when in fact it's doing exactly what it was designed to do -- anyone who attended the IETF-marid conference in 2004 would have learned that. Blue Coat claims Java is a threat, yet after ten years we haven't seen a single Java-based threat. Finally, computer security firms continue to use anecdotes and "what-ifs" to justify their jobs and products without any hard quotable data. They like to cite the Michelle Delios and Russ Coopers of the IT industry, even after their own firms call them on their lack of quotable sources. By the way, Computer Economics, Incorporated doesn't count as a quotable source.

That's not to say I wasted my eighty bucks. I expect to benefit from products provided by Air Magnet and LURHQ, whom I wouldn't have known about without attending your conference. I don't blame IST as a company for this shallow thinking. However, you risk losing your audience by continuing to let your sponsors do this.

As computer security professionals, we're exposed to this hysteria daily. We already know what Symantec's Threat Report says -- it's our job to know this -- so we don't need to have it quoted during half of a Keynote speech. We want to know about your sponsors' products and services so we can reduce or eliminate the damage. Personally, I'm more interested in prevention, not so much detection, and I'm interested in metrics so I can determine trends and plan for upgrades. You can sell security products and services to security professionals without resorting to fearmongering, anecdotes and "what-ifs."

You can sell to computer security critics too. For example, Mr Cooke was grateful for my "heckling" during his first speech, as, "it keeps [him] honest." I made an effort to speak with every speaker after each session, first to clarify vague points and to verify sources of data, and second to point out questionable parts of the speech. While I might have offended one or two non-speaking attendees, each speaker expressed gratitude for my comments and a desire to be more accurate. I believe they were effectively "put on notice" to expect criticism in the future and I believe that will result in better presentations. We need more criticism in this industry because clients are asking us questions that we can't answer, and because certain "unethical" speakers are making us look bad.

I hope IST hosts more conferences in the area, and invites more security firms, security professionals, and security critics to those conferences. I look forward to attending the next conference to see what awaits us.

By the way, I forgot who won the Sony Playstation 2 you gave away, but I hope he didn't come away from the conference worrying about Playstation 2 viruses. Those boxes can connect to the Internet, you know!

Thanks again for an entertaining and informative show.

Related Links:

• I also learned a lot from PBS Frontline -- VMyths
• We need more 'citizen journalists' -- VMyths

[Catalog Home]

Resources:

Recently Edited Categories:

Browse All Categories

Recent Commentaries:

Browse All Commentaries