cahwyguy: (Default)

Since 1990, I have had the honor and the privilege of being the Training Chair for the Annual Computer Security Applications Conference (ACSAC), one of the three original conferences on what is now called Cybersecurity. ACSAC, which is held in early December in the sunbelt, is an approximately 200-250 person conference that brings together academics and industry to connect and talk about the application of computer security research. Attendance is about 25% international.

The conference, which this year takes place the week of December 5 at the beautiful Hilton Universal City in Los Angeles, consists of two days of training and workshops, followed by a two-and-a-half day technical conference. The purpose of this post is to highlight this year’s training program. Advance registration ends 11/14/2016. I encourage you, if you have an interest in cybersecurity, to attend one or more of our training courses:

Monday, December 5, 2016
  • M1 Understanding and Contrasting Android Malware at Runtime (Giovanni Russello, University of Auckland)
  • M2 Program Analysis and Machine Learning to Improve Security and Privacy (Paolina Centonze, Iona College)
  • M3 angr: Advancing Next Generation Research into Binary Analysis (Fish (Ruoyu) Wang, Yan Shoshitaishvili, and Chris Salls, UC Santa Barbara)

Tuesday, December 6, 2016
  • T4 Practical Homomorphic Encryption (Kurt Rohloff, New Jersey Institute of Technology)
  • T5 Big Data Analytics Over Encrypted Data (Hassan Takabi, University of North Texas)
  • T6 Hands-On Interactive Car Hacking (Craig Smith, Theia Labs, and Brendan Harris, US Dept. of Transportation Volpe Center)
  • T7 Steganography with Malware Applications (John Ortiz, Harris and UT San Antonio)

Tutorials T4 and T5 are half-day, the rest are full day. Click here to register for the conference; there are discounts for locals and those staying in the conference hotel. To register at the hotel, click here. Tutorials cost $575 (full day), $300 (half day); students are $300 (full), $150 (half). Rates include a good-sized continental breakfast and lunch (I know, I’m doing local arrangements and the food as well). Rates go up after 11/14.

Here is a summary of the tutorials:


This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.


cahwyguy: (Default)

Observation Stew

This afternoon, I’ve been spending some time cleaning up. What’s this? A list of links? Let’s write about them before they go stale and rotten (like the plums on the dining room table):

  • Dancing Around Politics. If you’ve been around LA at all of late, you’ve probably been handed a flyer for the Shen Yun dance troupe, who have been performing at halls across the city. You’ve probably never heard of them. The LA Times had an interesting article on who they really are and who is backing them: they are a touring dance troupe founded in New York by practitioners of Falun Gong, the spiritual practice banned by the Chinese Communist Party in 1999. The party calls it a cult; Falun Gong says the Chinese government is trying to eradicate thousands of years of culture and tradition and that its repression of Shen Yun shows an intolerance of freedom of expression and religion. Indisputably, the dance company — marking its 10th anniversary — has become a cultural phenomenon. That fits with what my wife called the show: religious indoctrination. As the article noted: “Nonetheless, it’s safe to say that the bright costumes and spinning dancers are meant to convey a message. “The Falun Gong has a very well organized, managed and elaborate program of public relations, and Shen Yun is part of that,” said James Tong, a UCLA professor, expert in Chinese politics and author of a book about the Communist Party and Falun Gong. When audiences see Shen Yun, “people want to know more about the Falun Gong.””
  • Digital Last Wills. Here’s a good reminder article from LastPass about Digital Wills. As they note in the article: “When preparing a will, many of us focus on our monetary and physical assets. But what about social media accounts? Or email addresses? Or the myriad of online accounts we use to manage our lives, every day? Making a “digital will” that includes passwords and other important digital details will go a long way in helping those who need to settle your affairs, or in helping you if you need to settle the affairs of others.” It is an important concern: I know I do my banking via Quicken… would my wife be able to easily pick that up? To inform all those whom I’m friends with online of what is happening with me? To pass off my highway pages somewhere? To handle other online financial accounts?
  • Upgrading Your Smartphone the Smart Way. Here’s an interesting article on how cell phone companies get you yet again: the upgrade fees if you buy a phone through them. With some, it is cheaper to buy your phone elsewhere, and then just bring it in and have it activated. Useful information to know.
  • Fighting Blisters. One of the scourges of walking as exercise is blisters. They are the reason I’ve switched to Injinji Toe Socks and Vibram Five Fingers. Too bad I didn’t know about this: there is evidently an easy way to combat blisters: use of surgical paper tape. I’ll have to give it a try one day, especially when the plantar fasciitis is acting up and I need shoes with padding and arch support.
  • Women in Cybersecurity. As you know, I’m part of ACSA, the sponsoring group behind SWSIS — the scholarship for women studying information security. Here’s a profile about one of our first recipients. I met Jill when she came out to ACSAC; I wish I had known this about her.
  • High Fidelity. Yesterday was Record Store Day, and alas I missed it. But then again, I have enough records for this month. The iPod is at just under 38,000 songs. But here’s a good guide, for Record Store Day, about getting the right equipment to play your records. As for me, I have two turntables (Technics and Sansui), a good JVC amplifier with a phono curve, which feeds into my soundcard and the Roxio tools for recording to MP3 or WAV.
  • Free, as in Free Gigs. How would you like 2GB of free data for a month or two? Evidently, Verizon has a promotion where if you use Android Pay at three retailers, they’ll give you an extra 2GB for two months. The giveaway is part of a promotion that encourages people to start using Android Pay, which is essentially the Android version of mobile payments. Any Verizon customer with a postpaid plan who has an Android Pay-compatible phone will get 1GB of free data the next time they use Google’s mobile payment platform. Use it another two times, for a total of three separate purchases, and Verizon will throw in another gigabyte of free data. Once you’ve got the data freebie, Verizon says you’ll be able to use it across two billing cycles. The offer ends on June 14.
  • Mulholland Drive. Lastly, here’s a fascinating history article on Mulholland Drive: its origins and first plans. If you happen to be inspired to drive all of Mulholland (including the dirt portion across the top of the Santa Monicas), keep your eye out for a watch. I lost it there sometime in high school :-).



cahwyguy: (Default)

The Nigerian Spam Scam Scam (HFF 2015)

As I wrote in the previous post, I just concluded a week as Local Arrangements Chair for the ACSAC conference. Part of my responsibility was to coordinate some form of dinner entertainment. Luckily, the Hollywood Fringe Festival made that easy, for it was there that I discovered The Nigerian Spam Scam Scam, the duologue based on a true incident.

Here’s the description of the show from the Fringe website, which is as good as the description I might write: ““Please help me transfer $100 million from Bank of Nigeria!” We’ve all gotten this e-mail. Writer performer Dean Cameron did something about it. After he received an email from a Nigerian con artist posing as the wife and son of a dead Nigerian leader, Cameron replied. Posing as a sexually confused Florida millionaire, whose only companions were his cats, houseboy, and personal attorney, Perry Mason, Cameron embarked on an 11-month correspondence with the bewildered and tenacious Nigerian, impeccably played by co-star Victor Isaac. This hit duologue, taken from actual email threads, documents the hilarious relationship as it descends into a miasma of misunderstanding, desperation, and deception.”

That is literally the show. Two podiums and a digital projector. Dean Cameron (FB, IMDB) relates the story of how he baited along Nigerian spammers, with the ultimate goal of getting them to send him money. Co-star Victor Isaac (FB) provides the voices of the spammer side, from MRS MARIAM ABACHA to IBRAHIM ABACHA to DR DONALD ABAYOMI. The story itself is pretty much just condensed versions of the actual email dialogue, with hysterical side commentary and the occasional visual.

My purpose here is not to review the show again. Rather, I want to talk about something specific to ACSAC — something that made me learn the stresses a producer faces. What stress? Well, consider that in the audience for this show we had a Nigerian Senator (from the newly elected opposition government), and two representatives from the National Assembly Antimoney Laundering & Cybersecurity Coalition of Nigeria. Yes, it is a real organization. How would they react to this show? Would they find it funny? Would they sue us? What have I done?

So, Dean and Victor do the show. Many people are rolling in laughter (especially Gene Spafford, who now wants to book them for a phishing conference). The Nigerians? Straight faces. They go up and talk to Dean and Victor after the show. Oh, what we would have given to be a fly on that wall.

It turns out that they were worried the audience would believe the actors were portraying real Nigerian officials, and that people might think the government was behind the scam. We (including one Nigerian student) worked to convince them it was clear that wasn’t the case. This was a true incident, with the words as written in the emails, that was perpetrated by scammers who are dragging the good name of Nigeria through the mud.

We also worked to convince them that the best way to fight the problem was with the truth. If you read the linked article from the Nigerian News Service, it noted that the goal of the organization is to align Nigeria with the global initiative against terror financing, cybercrimes, currency trafficking and money laundering. The organization was born out of the realization that huge financial losses through such financial crimes had become a threat to the nation, and that the collaboration with strategic partners, particularly the central bank, was to discuss ways to align foreign exchange operations with international best practices. Lastly, in line with the anti-corruption drive of the president, the coalition aimed to meet the expectations of Nigerians to kick out crimes denting the image of the nation internationally.

The upshot of this is that the Nigerian delegation is interested in presenting a case study next year telling a major technical conference the work that Nigeria is doing to prevent crimes such as this, and other forms of fraud that hurt their country.

Step back now, and look at this in perspective: A show from the Hollywood Fringe Festival, presented at a long-standing technical conference, has served to encourage a government to tell the world broadly that the image the world has of them is wrong, and that they want to be in the forefront of fighting this type of crime.

The power of theatre. As Dean says at the end of the show, “mic drop”.


cahwyguy: (Default)

Friday, the ACSAC conference ended for 2015. This year (and next year), the conference was in Los Angeles at the beautiful Universal City/Los Angeles Hilton; this meant that on top of my usual Training Chair hat, I was Local Arrangements Chair. That means I was the coordinator for the event: assigning the rooms, picking the dinner entertainment (more on that in the next post), and selecting all the menus. When I first saw the hotel menus, I was shocked at the prices: lunch prices between $40 and $50, and dinner prices even higher. In fact, when I got the end-of-day survey for the first day at the hotel, I had trouble answering the question: was this a good value for the price? How can you judge, when gallons of coffee are so expensive?

But as the week went on, I grew to understand why the prices are so high. In many ways, this is the same reason that the prices are so high in well-established and fancy restaurants. And, no, the reason is not “because they can”. The reason is service.

When you go to almost any restaurant, the bulk of the cost of your meal is not the food costs. Food costs, right now, are relatively low. Delivery costs to your location are higher, but even those aren’t the bulk of the cost due to the volume being shipped. The most significant factor in the cost of a meal out is the labor. In fact, the labor is so expensive they increase the size of the portion so you don’t feel guilty paying that price. [And, of course, we’ve all been taught to clear our plates and not waste food, and so you have one reason behind the growth in obesity. In fact, there might be an interesting statistical study in the correlation between the cost of labor, portion size, and obesity in society.]

In a hotel — especially in a hotel that focuses on service such as a ★★★★ hotel — that cost is magnified more so. Everywhere I turned around at the HUC (Hilton Universal City) there was someone from Banquets making sure that all our needs were met, someone from IT making sure the A/V was right, someone from … you get the idea. Who pays for that service? It isn’t room rental — often room rental is gratis if you make a particular number of room nights and a minimum food and beverage. In fact, the answer is in that sentence: it is in the room rates, and the food and beverage costs. A certain amount of labor can be absorbed by the room rates, but the hotel also must be competitive. The bulk of the labor is captured in the F&B costs.

So, let’s go back to the question: is it a good value? We had only compliments on the quality of the food, and the quantity was almost too much (must remember that for next year). Most importantly, there were no complaints about service or the meeting rooms. The hotel staff was there whenever we needed them, often going above and beyond (with no additional charges). So, looking back in retrospect, I think it was a reasonably good value.

(Of course, that still didn’t mean I didn’t wince a little signing the final event orders. Who wouldn’t? But I also now better understood why I was paying what I was paying).

By the way, this is something that the great unwashed public — and even Congress — doesn’t understand. We’ve all read of the DOD acquiring toilet seats that cost $200 each, when they are $10 at the hardware store. We get incensed about the price, without knowing that they have unique manufacturing requirements that prohibit volume manufacturing, that they have documentation and maintenance requirements for their lifetime, and that they have the overhead of the administrative employees at the corporation that manufactures them, which has much lower volume to spread that overhead across when compared to a bulk manufacturer. Similarly, we hear stories of conferences with the $15 muffin or the $45 rubber chicken, and think the government is wasting money. It isn’t: that money goes to all the people employed by the hotel, providing all the service, and spending that money in the community. Yes, there are some conferences with boondoggles, but most food costs are not the boondoggles. Now you understand.


cahwyguy: (Default)

I’ve been at ACSAC all week, and it has been a great conference. The committee and the Universal Hilton have a lot of work to do to top this year’s conference at the Hyatt French Quarter. But I’m confident they/we will. So what is more appropriate than some security-related articles:

  • Remember Benford’s Law. Here’s an interesting summary of an article about how accountants are using Benford’s Law to fight fraud. Benford’s Law, for those that don’t recall it, refers to the frequency distribution of digits in many (but not all) real-life sources of data. In this distribution, 1 occurs as the leading digit about 30% of the time, while larger digits occur in that position less frequently: 9 as the first digit less than 5% of the time. Benford’s Law also concerns the expected distribution for digits beyond the first, which approach a uniform distribution. The accountants looked at a log of financial ATM transactions for an ATM with a limit of $50, and saw an abnormal number of first digits that were 4. This led them to find financial fraud. Think about this for analysis of audit trails…
  • Two-Factor Authentication. One point that has been continually made at this conference relates to the value of two-factor authentication. We even heard from Avi Rubin on how to use two-factor in online poker. However, there is a major problem with two-factor: what happens if you lose the second factor? Here’s an article that explains what to do. Now that you know what to do, you have no excuse. Enable two-factor authentication.
  • Cyberphysical Attacks. One major theme of the conference has been cyberphysical security. You probably think it was Stuxnet. Wrong. A recent article points to a 2008 Turkish pipeline explosion, which was caused by a cyberattack that overloaded the pressure on the pipe. As Avi pointed out, as we get more and more devices in our houses and lives that are network connected, how susceptible will we be to cyberattacks?
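As an added example (my own code, not from the original post or the article it links), here is the first-digit test the accountants applied, run over two constructed ledgers: a geometric baseline that conforms to Benford’s Law, and the same ledger padded with a run of $40-something withdrawals, mimicking the excess of leading 4s seen at the $50-limit ATM. The chi-square critical value and the 1.5× over-representation ratio are my chosen thresholds, not the article’s.

```python
"""Benford's Law first-digit test over a ledger of transaction amounts."""
import math
from collections import Counter

DIGITS = range(1, 10)
# Chi-square critical value for 8 degrees of freedom at p = 0.05.
CHI2_CRITICAL_8DF = 15.507


def benford_expected(d: int) -> float:
    """Expected share of amounts whose leading digit is d under Benford's Law."""
    return math.log10(1 + 1 / d)


def leading_digit(amount: float):
    """First non-zero digit of an amount, or None for a zero amount.

    Formatting with a fixed number of decimals avoids scientific notation;
    amounts below 1e-10 are treated as zero.
    """
    digits = f"{abs(amount):.10f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None


def first_digit_counts(amounts):
    """Count of amounts per leading digit 1..9 (zero amounts are skipped)."""
    counts = Counter(leading_digit(a) for a in amounts)
    counts.pop(None, None)
    return {d: counts.get(d, 0) for d in DIGITS}


def benford_report(amounts, ratio_threshold: float = 1.5):
    """Compare the observed first-digit distribution with Benford's Law.

    Returns the chi-square statistic against the Benford expectation, whether
    it exceeds the 8-df critical value, and the digits whose observed count
    exceeds the expected count by ratio_threshold (the "too many 4s" signal).
    """
    counts = first_digit_counts(amounts)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    chi2 = 0.0
    overrepresented = []
    for d in DIGITS:
        expected = n * benford_expected(d)
        observed = counts[d]
        chi2 += (observed - expected) ** 2 / expected
        if observed > ratio_threshold * expected:
            overrepresented.append(d)
    return {
        "n": n,
        "chi2": round(chi2, 2),
        "nonconforming": chi2 > CHI2_CRITICAL_8DF,
        "overrepresented": overrepresented,
        "observed_share": {d: round(counts[d] / n, 3) for d in DIGITS},
    }


# Constructed sample data (not from the article). A ledger that grows
# geometrically spans several decades log-uniformly, so it follows Benford
# closely and serves as the "honest" baseline.
BASELINE = [round(1.05 ** k, 2) for k in range(200)]

# The same ledger plus 80 withdrawals between $40.00 and $47.90: the kind of
# run of leading 4s that stood out in the $50-limit ATM log.
PADDED = BASELINE + [round(40 + (i % 100) / 10, 2) for i in range(80)]


if __name__ == "__main__":
    for name, ledger in (("baseline", BASELINE), ("padded", PADDED)):
        r = benford_report(ledger)
        print(f"{name}: n={r['n']} chi2={r['chi2']} "
              f"nonconforming={r['nonconforming']} "
              f"over-represented digits={r['overrepresented']}")
```

The same report works over any audit trail of numeric values (transaction amounts, invoice totals, log record sizes), provided the values span several orders of magnitude; a field capped in a narrow range, like withdrawals at a $50-limit ATM, needs a baseline drawn from that ATM’s own history rather than the pure Benford curve.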

Want to learn more about these problems? Come to the 2015 ACSAC, December 7-11 2015 at the Universal Hilton. Paper submissions, training submissions, workshop submissions, and similar stuff are all due around June 1, 2015. As Local Arrangements and Tutorial Chair, I look forward to seeing you for what will be my 25th ACSAC on the Conference Committee!


cahwyguy: (Default)

When many people think about conferences, this media-created image comes to mind of the conventions of yore that are pure boondoggles. But those who attend technical conferences and symposia know that the media image is far from the truth. Conferences are serious affairs during business hours with training sessions, papers, panels, and keynote speakers. Much of that you could get through a web course or a book, but a conference goes beyond that and gives you something even more important: the chance to network and interact with your peers in the industry, and to make those connections that prove critical as you do your job.

I’m mentioning all of this because registration is now open for the 30th Annual Computer Security Applications Conference (ACSAC), being held December 8–12, 2014 at the Hyatt French Quarter in New Orleans, Louisiana. ACSAC is a great mid-size conference — it’s not the gigantic RSA or Blackhat with thousands of people making it impossible to network, nor is it a small symposium with a narrow technical focus and insufficient critical mass of attendees. ACSAC typically has an attendance around 200, and provides a well-rounded technical program with training and workshops on Monday and Tuesday, and papers, panels, speakers, and case studies on Wednesday through Friday. I’ve been attending the conference since the 4th ACSAC in 1989 in Tucson, and have continually found it to be of value in what I do.

Let me give some highlights for this year’s program:

You can see the full program at the ACSAC website; each session has links with more information. Information on conference registration and hotel registration is here. Please spread the word about the conference with your friends, colleagues, coworkers, and associates.

Disclaimer: If you know me at all (and I hope you do, if you are reading this), I’ve been involved with the Annual Computer Security Applications Conference (ACSAC) for a long time. I’ve been the chair of the training program since 1990, and over the years I’ve also done local arrangements and been general chair of the conference. I’m also the Secretary of the sponsoring organization, ACSA. ACSA, the sponsoring organization behind ACSAC, also runs the New Security Paradigms Workshop, and is the initiator and sponsor of the Scholarship for Women Studying Information Security (SWSIS).

P.S.: ACSAC 31 (and 32) will be at the Universal Hilton in Los Angeles near Universal City December 7-11, 2015 (and December 5-9, 2016). Mark your calendars now to “save the dates”. I’ll be doing local arrangements for those conferences, and would love to demonstrate why Southern California is the best draw for cybersecurity!


cahwyguy: (Default)

ACSAC 29 is now history. It was a busy week (as you could tell by the dearth of blog posts). Conference weeks are especially busy for me, as I’m the training chair for this conference and one of the long-time regulars — meaning that I’m one of the folks that helps to run the conference. Combine this with conference activities that run late, a few migraines, and there is just no energy at the end of the day to write a post.

Let me summarize, from memory, the conference day by day. This year was a weird year — tight budgets and the government shutdown meant that our registration numbers were down — severely — by the advance registration deadline. They slowly rose over the last two weeks of November to near normal levels, but it was a nail-biter. There was much more on-site registration than usual. Combine this with really bad weather at the beginning of last week that impacted the ability of people to get to New Orleans from DFW and IAD/BWI, and… Let’s put it this way: I wasn’t sure if some of the course instructors would make it. Luckily, they did.

The first day of the conference was tutorials and workshops. As training chair, I “audited” the tutorial on systems and security engineering. I’ve previously written about this: we had 3 instructors who were from Europe (Spain, Germany), and one US instructor. The European instructors seemed to emphasize modeling and security pattern work as opposed to the traditional system engineering process (or in support of it). I didn’t connect with that approach, perhaps because I’m not a UML type of guy. The US instructor talked about the NIST approach and the upcoming 800-160 document. This approach integrates security engineering into the traditional IEEE systems and software engineering approach, and made a lot more sense.

The second day was more tutorials and workshops, followed by the conference reception. During the morning, none of the tutorials were of interest (I had seen the 1/2 day tutorial the previous year), so I sat in the Next Generation Malware Workshop. The first speaker was really interesting — Michael Franz of UC Irvine talked about some approaches he is working on regarding randomization of generated code, essentially making it so that each user has a unique executable, making stack attacks to execute code much more difficult. I didn’t connect with the subsequent two morning speakers. In the afternoon, I attended the tutorial on Cyber-Physical Systems. This was a reasonably good overview, and emphasized my contention that space is just another example of a cyber-physical system.

Wednesday was the first technical program day. The distinguished practitioner talk was great — Nancy Leveson on applying Systems Thinking to Safety and Security Engineering. The basic notion was that simple failure analysis was not enough, because safety and security are both emergent properties. Engineering for both is similar, and must be done in the design. She related this to feedback control loops, and showed how to use that thinking to engineer better systems. A very good talk. After that, I attended a panel on high-assurance approaches to cyber-physical systems. I’m unsure about the approach discussed, as I don’t think formal methods will scale to complex CPS. In the afternoon was a talk on the NIST Cybersecurity Initiative, followed by a panel that I chaired looking back at the legacy of the Orange Book. Following that was the conference dinner — which was excellent — and included a great performance of the Dapper Dandies, a New Orleans Jazz Band.

Thursday started out with a great invited essay by Carl Landwehr of GWU on the need for software building codes, which he justified using the analogy to traditional building codes. After that talk, I sat for a bit in the Cyber-Resiliency session, as none of the other tracks looked that interesting. Lunch was the annual meeting of ACSA; as Secretary, I was responsible for taking notes. That ended up going long, so I missed the session after lunch. For the post-break session, I attended a paper session with two interesting papers on malware attacks: one looking at attacks and the forensic capabilities of solid-state drives; the other looking at a stealth hard-drive backdoor. I skipped out on the Works-In-Progress session, but then came back for the posters. After that was the conference committee dinner at Bayona Restaurant in the Quarter. This was a spectacular dinner.

Friday… a migraine got me. It started at 2pm, and got steadily worse. I attended the committee breakfast in pain, went back to my room, and drowsed out till it was gone, missing the first session. I also have the responsibility to pack the conference office, which meant I missed the second session as well :-(. After the end of the conference, we dropped off the shipping, and then went to Squeal for some great BBQ. It was then off to the airport and home.

Next year, the conference will be in New Orleans at the same hotel. We may recast the name to avoid some of the silliness going around in the DOD about “Conference” in the name — focusing more on what the conference is. I’m suggesting “ACSAC | Your Cybersecurity Technology Interchange Meeting”. It will be our 30th year.

ACSAC moves every two years, and aims for the sunbelt — or at least some place that isn’t freezing. We need some place with a reasonably sized airport, that can accommodate direct international flights (attendees do not like changing to small planes). We need to have hotels with suitable meeting room layouts, that will provide government rates, and can accommodate 200-300 people. We also want to be within walking distance of restaurants and evening stuff, not in the middle of nowhere. For ACSAC 31 and ACSAC 32 (2015 and 2016), we’re looking to the west coast, and the two candidate cities are Los Angeles and Portland. I’m looking into Los Angeles, trying to find areas that will meet the above requirements — most likely, Santa Monica / Marina Del Rey, the south bay (Manhattan Beach / Torrance), Hollywood / Fairfax area, or Universal City. I think Long Beach and Pasadena are too far away to work, and LAX doesn’t have the right atmosphere. Probably in 2017 we’ll start looking back to the mid-country and east coast again.


cahwyguy: (Default)

Yesterday was the first day of ACSAC, and it went relatively smoothly. We had a larger than normal number of on-site registrations (enough that we had to add a table at lunch), and there were no problems with the training courses or workshops.

I audited the course we had on Systems Security Engineering and Software Engineering. For this course, we had 3 European instructors (Germany, Spain), and one US instructor. I was struck by the difference in techniques and approaches. The European instructors were heavily into the security patterns and UML-based approaches. The US folk (based out of NIST) were building upon the IEEE System and Software Engineering approaches to bake security into the process. I found that I had an easier time understanding the US approach; I’ve never been a modeling or theoretical person.

I began to wonder if the gulf between the two approaches was a generational thing? Just as there is a generational difference between those who grew up with procedural languages (the FORTRANs, Pascals, PL/Is, Cs of the word) and those who grew up with the heavily object oriented languages (the Javas), between those who grew up with straightforward systems vs those who grew up with all this glueware and middleware (CORBA, etc.)… there may be a gap for those whom modeling is the truth and the light, and those who need more straightforward mechanisms. I found that I just couldn’t glom on to the UML based approaches.

Monday evening has no formal conference activities, so I took the time to hit an excellent local record store for some music (including this local artist). We then hunted down dinner, and found it at the Gumbo Pot. I had the Gumbo Ya-Ya, and my wife had the side of Red Beans and Rice. All were very good.


Well, ACSAC 29 is upon us, at the Hyatt French Quarter in New Orleans. This has been a crazy conference year. First, due to the shutdown and the uncertainty about budgets, people haven’t registered until the very last minute… making planning very difficult. Today, complicating matters, a weather system hit the midwest. I’m coordinating the training program. Two of my instructors for Tuesday are stuck in Dallas with cancelled flights, and the instructor for Monday coming from Minneapolis is finally getting to New Orleans… after 4 different airports and 12 hours… and he’s arriving after midnight. This is the first year this has ever happened.

Let’s hope this all settles down and the rest of the conference goes better.

P.S.: Also complicating matters is the fallout from those people who have abused conferences, which makes it much much harder for people to attend legitimate technical conferences. This has gotten to the point where even having “Conference” in the name can get you disapproved.


I just realized I never announced the training program for the Annual Computer Security Applications Conference (ACSAC). Let me correct that now, especially as registration for the conference is now open. We have a really great training program this year during the first two days — a program that emphasizes our “hard topics” theme of cyberphysical security. I should note that these courses are in addition to the TracerFIRE forensics training program, the two-day Layered Assurance Workshop on Monday and Tuesday, and the Next Generation Malware Attacks and Defense Workshop on Tuesday. The courses we are offering on Monday and Tuesday are as follows:

Monday, 12/9/13
M1. Mobile Security: Securing Mobile Devices & Applications
Mr. David Lindner, Aspect Security
M2. Integrating Security Engineering and Software Engineering
Dr. Antonio Maña Gomez, University of Malaga; Dr. Ronald S. Ross, NIST; Dr. Carsten Rudolph, Fraunhofer SIT; Mr. Jose F. Ruiz, Fraunhofer SIT
M3. Introduction to Reverse Engineering Malware
Dr. Golden G. Richard III, University of New Orleans
Tuesday, 12/10/13
T4. Analysing Android Malware at Runtime
Dr. Giovanni Russello, University of Auckland
T5. Finding Data Leaks in Applications, Network Protocols, and Systems with Open Source Computer Forensics Tools
Dr. Simson Garfinkel, forensicswiki.org
T6. Authentication & Authorization Standards for the Cloud
Dr. Hassan Takabi, University of North Texas
T7. Cyber-Physical Systems Security
Dr. Alvaro A. Cárdenas, University of Texas, Dallas

This, of course, is in addition to the excellent technical program we have the remainder of the week. In addition to the cyberphysical security focus, we’re going to have special tracks dealing with system security engineering (our National Interest topic), and loads of great speakers and panels. I’ll note that I’ll be chairing and participating in a panel that is looking at the Legacy of the TCSEC after 30 years, and you don’t want to miss that!

So come join us in New Orleans the week of December 9. Move your theatre tickets if you have to (we did). This conference is a great way to keep up to date technically, and we’ll provide you with a certificate you can use to support your CISSP CEU claims.


Last night, I wrote on Facebook that I had been invited to talk at ACSAC about the legacy of the “Orange Book” (TCSEC), as 2013 marks 30 years since it was first published. I was fishing for opinions from a number of people whom I respect (but I’d take them from folks I don’t respect as well :-) ), but got few responses. So let me expand on my current thoughts… perhaps this will get folks thinking.

The TCSEC was a seminal publication in security… one of the first security criteria out there. It defined preset groupings of functionality and assurance requirements (what today we would call a package or a profile) that were well thought out. This was a strength, but it was also a problem, as the pre-defined packages didn’t work well for anything other than monolithic operating systems. The assurance paradigm it had was based on in-depth design analysis — increasing the level of design detail and analysis, as well as testing, to ensure all problems were found.

How well did this all work out? Well, there was the mantra of “C2 by ’92”, which admittedly got more and more systems to have discretionary access control, object reuse, auditing, and I&A. This was one of the factors that led to Windows having more security — NT had to have stronger security to meet C2 by ’92, and Windows NT is the basis of today’s Windows systems. Could one argue that the TCSEC beat up Windows 98 in an alley fight? Perhaps.

However, the assurance paradigm was in some sense flawed, and may have gone down the wrong path. There was a naive assumption that if we could get commercial vendors to follow that path, we would have more secure systems. Did that work? Those working with evaluated systems can answer that question — we never saw higher assurance take off, because it went against commercial practice.

The chafing against the pre-set packages of the digraphs also led to an unbundling of functionality and assurance, eventually leading to the Common Criteria of today. I’d argue that this eventually gave us the “control” notion we now see in 800-53: pick the functional and assurance requirements you need to meet your threats. This is a good thing, but it is also a loss of the forethought that went into the bundling. We are seeing a return to bundling in some sense with the move to standard protection profiles and CNSS 1253 baselines and controlled ways to modify things. Did the TCSEC show the value of these bundles?

The TCSEC, just like 800-53 and the CC, is a catalog of requirements; it is not an evaluation process. Yet the evaluation process that grew up around the TCSEC also has a legacy. That process established a very in-depth process that took far too long. The legacy of that process — and the analysis the TCSEC required — affected how the process is viewed today. We’re still seeing fights against a process that takes too long, and we still haven’t found the balance between better / faster / cheaper that is satisfactory for both the vendors and users of evaluated products.

I’d like to think that the TCSEC has a greater legacy than just perl. Hopefully, my preliminary thoughts above have gotten you thinking, and you’ll share your thoughts in the comments. I’m going to keep thinking on this so that I can work all of this together into a coherent presentation.

======

Additional musings added a few days later:

Thinking more about the TCSEC, I’m seeing a number of dimensions of impact (think like a tag cloud), other than (of course) perl. Here are some thoughts on each in alphabetic order — feel free to add more in the comments:

  • Assumptions. Familiarity with the TCSEC led to assumptions about functionality that didn’t propagate through to newer criteria. One can see this in the Common Criteria. Notions that were present in the TCSEC — such as protecting authentication data or having process separation — are no longer explicit in the CC. People assume they are there, but they are not. Are they tested for?
  • Assurance. The TCSEC codified the notion of design assurance, but most people didn’t see design assurance because they didn’t see above C2. Although the design assurance transferred to the Common Criteria (CC), there it was more of a failure — precisely because it never became commercial practice for the vendors. Instead, documentation was developed after the fact, which doesn’t improve assurance. Today, is there more thought given to making the design small, simple, and minimized… or are things large and complex with multiple failure paths? Did the TCSEC avenues to assurance survive?
  • Awareness. Did the TCSEC make people more aware of security? Certainly, those working on the government side know what C2 security is — if only in terms of the functional requirements. But people in general? Most people probably don’t understand access control or audit — they never use the DAC mechanisms in Windows or Apple, and they’ve probably never looked at the event log. To most people, security is Passwords.
  • Bundling. One characteristic of the TCSEC is it bundled functions with assurance. This was also its downfall, as the bundling was designed for a monolithic world and assumed MLS was a need. Yes, MLS needs high assurance, but high assurance doesn’t demand MLS. That was a failure, and that notion led to the unbundled CC. But bundling is returning with the new standard Protection Profiles, the -53 baselines, and overlays. There is thought being given to what requirements belong together. This is good. The problem is there’s often no thought about what these requirements need in terms of assurance. Assurance is typically “best possible” (the standard PP approach), which doesn’t necessarily correspond to what the functions need in their environment. We’re still faced with the eternal problem: people don’t pay for invisible assurance.
  • Commercial Products. In my earlier part of this post, I argued that the TCSEC improved the security of some commercial products. Certainly it influenced Windows NT, and arguably influenced a number of Unixes, although whether any of those made it into the Unix base of today is a different question. But many products still think about security after the fact, or don’t incorporate it into the design process.
  • Confidentiality. The TCSEC’s focus was confidentiality — access controls to prevent disclosure. This focus remained for many years, and might have hurt trying to grow the focus to integrity and availability.
  • Controls. Did the TCSEC come up with the “control” paradigm, or did that exist in the financial world before 1983? Certainly the TCSEC began the Federal Criteria which begat the CC, and TCSEC requirements and CC requirements influenced the controls in NIST SP 800-53.
  • Developmental Assurance. The TCSEC had the notion that a well-thought out design would lead to a higher assurance product. Has that been borne out, or is it like FDA studies of marijuana? Is there empirical evidence of what design approaches do best, and did that agree with the TCSEC? Did commercial vendors ever actually follow the TCSEC processes?
  • Formal Methods. The TCSEC pushed the notion of formal methods at the higher levels. Yet we rarely see formal methods these days.
  • Government Development. Here the TCSEC had more influence. The notion of C2 by 92 led to pushes to use C2 functionality, and this was captured in the 8500.2 controls and 800-53 controls. Many of the security requirements for systems today come from C2. However, the focus on functionality led to a loss of focus on assurance, and that’s only lately being recovered. There was also the assumption problem above.
  • Multilevel Security. The TCSEC envisioned a world where MLS was everywhere. Yet MLS as a concept disappeared, reappeared under different names, and nowadays is present mostly in specialized guarding devices. It’s become a dirty word — is that because of the TCSEC?
  • Product Evaluation. The TCSEC showed the value that could come from product evaluation in the overall accreditation process. Countless dollars were saved because operating systems and other products did not need to be reexamined in depth. Yet the original process in the US (TPEP) was very expensive for the government and took a lot of time. Think “Better / Faster / Cheaper”. We moved to a cheaper process of having labs do the work. People still complained it wasn’t faster. The CC came in, and we’ve been tinkering with the process to make it faster and faster because of Internet time scales. Have we made it better than we had it during the TCSEC? Are the requirements as well understood today? How did the legacy of the TCSEC process color today’s process?

These are just some areas. Perhaps as we explore the legacy, there should be an additional question asked: for those areas where the legacy shows a form of failure, are there places where we can learn lessons and perhaps improve where we are today? Given I’m dealing with the TL;DR generation, perhaps that should be a topic for a future post… or ACSAC talk.


It’s Saturday, and you know what that means — time to clear out those links that couldn’t form into a coherent theme over the week. That doesn’t mean these are incoherent links, but… umm… perhaps we should just get to the links:

  • Theatre Stuff. This has been a busy week theatre-wise — based on some good reviews in the Times and some timely discoveries, I’ve now filled out my June theatre dance card. You’ll see that in tomorrow’s review of Priscilla, but I do have a few theatre items. First is a very interesting review of Scottsboro Boys at the Ahmanson… written by a resident of Scottsboro AR. His take is very different than some. Second, I’ve become a tag at Bitter Lemons! Perhaps I should explain: Bitter Lemons is a theatre site here in Los Angeles that aggregates reviews and writeups of local shows, and then uses them to ascribe an overall “lemon” score — from sweet to bitter — to each show. They evidently like my writeups enough to include them in the meter, and I’m honored by that inclusion. I’m even more honored that Colin, who runs the site, wrote a wonderful response to a post I did a while back regarding critics and their place. I also really liked their advice to the aspiring critic; I’ll take a number of those items to heart. A PS to the good folks at REP East: you should pay attention to this post about getting your shows in the Lemon Meter.
  • Your Net Worth. Two different posts look at the question of what you are worth to different groups. Yes, you. First, have you ever thought about who is the most valuable patron to a casino: a pennyslot player or a blackjack player? The answer may surprise you – the pennyslot player. What about on Facebook? How much are you worth if you “like” something? Read this post, and you’ll be very hesitant about “like”-ing in the future.
  • The State of Affairs. A couple of state things. First, an interesting map that shows if you are in a “dog” or a “cat” state. This is based on the percentage of pet ownership of each type. I’m in a neutral state, it seems. What I’d love to find is a map that categorized cities as “east coast” or “west coast” — and this isn’t a geographical distinction. Perhaps one day I’ll explain it, but I’ll give my two favorite examples: LA and KC are “west coast”, San Francisco and St. Louis are “east coast”. Second, the city hall in St. Louis is slowly deteriorating, and no one is doing anything about it. It’s not that St. Louis doesn’t have city pride; it’s that they don’t associate it with their city hall.
  • Conference Concerns. I’ve been involved with the ACSAC conference for many years (in fact, training submissions are still open — you have until Monday to get something in). Thus, I’m worried whenever incidents such as the recent IRS boondoggle hit the news — it makes people start seeing conferences as frivolous. It also leads to bills such as those mentioned in this article, that would ban travel to “fun” places. Conferences can be useful and cost effective, if GSA guidelines are followed and the organizers focus on technical content and quality. As always, perception is everything. The important thing to remember is electronic interaction cannot replace face-to-face interaction, just like recommendations from Amazon cannot replace browsing at the bookstore.
  • An Interesting Kickstarter. The SCGD mailing list alerted me to an interesting Kickstarter: A group of gamers is attempting to start a Board Game Cafe in Glendale CA. I love the idea, but I’m less sure about the location — I think it would do better in Westwood (near UCLA) or Northridge (near CSUN). Still I may decide to support them. Basically, the idea is as follows: customers visit the café and for a small cover charge they get access to an extensive board game library (which often runs into hundreds of titles) as well as food and drink options from the café. There is no establishment like this in Los Angeles. There are game shops, but that’s a different atmosphere. The question is: Will it be a destination? It might — after all, they have pie. (All I know is the pie sold me — I’m a supporter. Please help them make their stretch goal so I get pie!)

Music: Folk Era Mini CD (The Kingston Trio): “Tom Dooley”


ACSAC Last Day:

Today was the last day of ACSAC. Had a great session on Continuous Monitoring from Ron Ross. That was followed by an even greater panel session with me (on Collaborative Protection Profiles), Mike McEviley (on System Security Engineering), and Ron (well, supposedly on Overlays, but he never got to that topic).

After the end of ACSAC, got the office packed up (as I usually do), and got all the boxes shipped (as I usually do, educating FedEx Office along the way).

Friday Fun:

After the conference, we went to the Charles Hosmer Morse Museum of American Art. This is a really cool museum in Winter Park with loads and loads of Tiffany glass — lamps, windows, and other stuff. Dinner was at a great Turkish restaurant, Bosphorous. Now we need to find Turkish food in LA (hmmm, there may be some place in Reseda). Tomorrow… Epcot!

ETA (while I’m waiting for a download to finish): Winter Park is a really neat Orlando community. Hipster neighborhood, with lots of funky stores and restaurants. Loads of ethnic cuisine, art stores, and such. A very different image of Orlando than the touristy places where we are staying near Downtown Disney.

Friday Un-Fun:

When we got back to the hotel, we got in the elevator to go to our room. Around the third floor (we were on the fifth), a jerk and… nothing. We were stuck in the elevator. After about 15 minutes, we were freed (they are comping Sunday morning breakfast… which happens to be the Character brunch!)

After that, I logged into work. Someone at work is trying, on Friday, to schedule a meeting at 5pm Pacific on Tuesday. That doesn’t fly for me, and probably flies even less well for folks on the East Coast. Sigh. I’ll likely have to do some work Monday from home.

ETA #2: The hotel is filled with a pre-teen cheerleaders convention, as well as a bunch of Pop-Warner boys (and a bunch of medical coders, but they are OK). First, I feel like Miss Hannigan from Annie: “Little girls, little girls, everywhere I look I see them”. Second, I start to realize I’m in “Get off my lawn” mode, especially when the kids are noisy in the hall or in the pool that faces our room. Sigh. Another demonstration I’m getting older.


I’ve been a busy busy boy at the conference. A few highlights before I go to bed…

  • Ron Ross gave a very good opening keynote, made even more amazing when you realize he did it with a major toothache.
  • Marshall and I ended up doing the tutorial. It was very well received. Want to see it? Come to GSAW 2012!
  • Last night, Ross Anderson gave a great talk on the economics of computer security. If I was 20 years younger, I might be interested in research in that field.
  • The Conference Dinner was delightful. I had a wonderful conversation with the folks from @sec; there was also some great conversation with some grad students from UC Riverside.
  • This morning I went to Ron’s talk on -53 Revision 4. Good talk.
  • This afternoon I went to an excellent panel on software assurance. Got to see Kris Britton — haven’t seen Kris in years!
  • This afternoon’s talk by Eran Feigenbaum of Google on Cloud Security was also very very good.
  • Tonight was the conference committee dinner at a Brazilian restaurant. I’m stuffed.

One more morning, and ACSAC 2012 is over. ACSAC 2013 in New Orleans!


Well, the two training days of ACSAC (for which I am responsible) are over. I was able to audit three excellent sessions: one on Security Requirement Engineering, one on Assurance (which ended up having a greater focus on Mission and System Security Assurance), and one on Resilience. Good speakers, great subject material — this is what I love to see in ACSAC training sessions. I also had some great conversations over lunch and at the reception tonight regarding a myriad of technical subjects. Now if I can just avoid the ACSAC 15 (like the Freshman 15), I’ll be fine.

Tomorrow, some excellent technical sessions, plus I get to condense a 6 hour tutorial into perhaps 5!


This is just a quick note to let folks know that I’ve arrived in Orlando FL for ACSAC. Dinner was in Downtown Disney at Raglan Road (yum), and now it is quickly catching up on the nets. Tomorrow… the conference starts!


An off-hand comment in an email discussion today got me started thinking about the value of the printed word. The comment?

Hopefully most folks will take advantage of the mobile and EPUB versions.

The discussion was relating to the ACSAC Final Program. There has been a movement this year away from paper. There are no printed (or even CD) proceedings–they are all on-line. There is encouragement to use versions of the final program on eReaders and tablets; paper is discouraged. I haven’t yet had the call for me not to print Tutorial Notes, but I’m sure that’s coming.

I think this movement away from paper is a bad thing. A really bad thing. Consider the theatre. You attend the theatre and you get a printed program. They don’t just point you to a URL and tell you to download the program. You can read the program at your leisure; you can consult it afterwards. More importantly, you can keep it as a souvenir, and you can share it with your friends. It can contain advertising that you can consult for related shows. It lives on afterwards.

A printed final program from a conference can do the same thing. You can use it to unobtrusively make notes during a session, without having to stare at a screen. You can share it with colleagues after the conference. It provides evidence of attendance for continuing education. It allows you to look back at the conference as you plan for the next one (that’s harder with an epub, which you probably delete after the conference).

Similarly, I feel the move away from printed flyers, newsletters, and other publicity items is hurtful to event attendance. I receive email blasts for events every day. I skim them, delete them, and forget about them. Flyers, on the other hand, I put up on my bulletin boards. I share them with colleagues. They are continually in my face, reminding me about the event. They are significantly better than the bits of an electronic message.

So what about you? Do you still want paper publicity? Is this an age thing — does the younger set treat electronic communication and documents with more reverence?


Next week is ACSAC (you are coming, aren’t you?), and I’m having trouble making a decision regarding the conference: Do I take my work laptop or my personal laptop with me? Any work data I’ll be taking will be on my Ironkey, so I don’t need the work laptop for the data. The work laptop provides the ability to VPN, but I generally go in over the web interface (RemoteOffice) anyway, so that’s no big deal. Taking the home laptop allows me to update Quicken on the trip, plus it gives me access to iTunes and my iTunes library, meaning I can update podcasts. Both laptops have the basic tool suites I need. So which to take…


I’ve been the training chair for the Annual Computer Security Applications Conference since 1990. In my over 20 years in this position, I’ve seen what was a very popular training program decrease in attendance. Whereas in the past we regularly had attendance for courses in the 15-35 student range, of late the attendance has been in the single digits (of course, there are always a few exceptional courses). That’s true again this year, even with (what I believe to be) one of our strongest training programs in years (look at Monday and Tuesday). [I certainly encourage all of my readers to attend the conference, and to encourage your friends to attend and take training courses.]

I’ve been trying to figure out the reasons for the decline in the program, and what to do about it. This post is part of that effort: I’d love comments that might help me figure out how to move the program forward in the future. Here’s what I think are some of the problems:

  • Publicity. As always, our publicity for the courses is poor. They tend to be subsumed into the technical program, and it is difficult to figure out what is a tutorial/training course and what is not. Part of this is due to how the Advance Program has changed: there used to be a separate section highlighting the training program and the courses, and it’s not there anymore. Part of this is due to a change in format: I’m of the strong belief that our move to electronic notification methods makes publicity in general less effective. People ignore email blasts and web pages except when they are seeking information. At least with mailed advance programs, if the target wasn’t interested, they could put it on a board or hand it to a colleague.
  • Growth of the Field. When ACSAC started back in the late 1980s, it was one of three major computer security conferences: ACSAC, IEEE (Oakland), and the NCSC. Today? There are hundreds and hundreds of conferences, each providing their own aspect of training. There are also online webinars, courses at local universities, and such. People don’t need to go to ACSAC to get their training, especially in a short course format for which they pay $$$.
  • Changing Budgets. Related to the last point is the change in budget. It is harder and harder for commercial contractors, defense contractors, and government to get funds to go to conferences. When they do, they need to be able to get something they can’t get elsewhere. That’s certainly true for the technical program–you only get the papers at the conference. That’s also true for workshops, where there is interaction with others in the field. Training courses? As noted above, those are increasingly available. With tighter budgets, it is harder to justify travel dollars for courses, even with CISSP requirements.
  • Changing Audience. One problem the conference has had is a changing audience. We’re working to fix that, but right now, the conference has become more academic. Contractors and government need tutorials to keep abreast of a changing field (and to maintain their CISSPs). Academics? Much less so. As the conference has become more academic, I believe the interest of that side for tutorials has gone down.

So what should the conference do about the situation? I haven’t fully worked that out yet. We already have an effort underway to restore the mix of the conference. Hopefully, this will increase the participation of industry and government. Doing that should help out the training courses some. Beyond that, however, what should we do? Here are some ideas:

  • Reduce Tutorial Days. If we reduce the number of paid tutorials, we can ensure that what we do present are the strongest and most attractive. I’m thinking right now of experimenting with only a single tutorial day (3 tracks), and using the second day for something training-related in a different way. Perhaps this might be more workshops related to the conference theme; perhaps this might be more interactive seminars.
  • Integrate Tutorials Into The Conference. Right now, we have two training approaches. We have our formal tutorials, for which attendees pay separately, and our government track, which has training sessions during the conference and is included in the conference fee. We could eliminate the training as a separate gated event, and just have a training track across all the days of the conference. This would provide more space for technical papers and discussions, and may increase attendance at the training courses.
  • Fix the Topics. I’ve begun to realize that general introductory topics are not good draws, even though they may be good courses. If I could get the material in a local university course, why have it at the conference? Our topics need to be either unique or something that clearly cannot easily be obtained elsewhere. Looking at our top draws this year, they are topics you are not seeing elsewhere. In past years, a regular strong draw was a tutorial on botnets. We need ACSAC-unique topics… and I need to find presenters to propose them.

Right now, I’m just at the musing stage on how to fix things. I’d welcome your ideas.

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on the original post at the Wordpress blog; you can sign in with your LJ, FB, or a myriad of other accounts.
