First conference of the year

Following my commitment to attend more conferences, I attended a one-day BCS event in Birmingham at the end of March. About 60 attendees, mostly UK practitioners, a mix of public-sector IT staff and small-business consultants.

This is the writeup. Briefer than last year's first-conference post; I expect future ones to be similar.

The talks

Seven talks, each about 45 minutes. The most interesting:

A retrospective on the Mafiaboy attacks, given by someone who had been on the response team at one of the targeted sites. The detail was excellent — actual packet captures, actual timing of the response, actual coordination with upstream carriers. The single most useful piece of new information for me: the attacks were initially mis-diagnosed as a peering problem; the DDoS hypothesis took several hours to converge on. The detection-versus-attribution gap was real even at well-resourced sites.

A cautious presentation on BIND 9 deployment by someone running a substantial DNS estate. Their migration experience was similar to mine, with one important addition: they had hit a TSIG-related compatibility issue with a legacy authoritative server that took a fortnight to diagnose. Worth knowing about; I had not seen the issue mentioned in the public BIND documentation.

A talk on Honeyd that overlapped substantially with what I had been writing. The speaker was running a similar deployment and we ended up in a long conversation at lunch.

The conversations

More valuable than the talks. Three I will remember:

A long discussion with someone running security for a UK local council. The constraints they face are unfamiliar to me — public-sector procurement, statutory obligations, very limited budget. The defensive disciplines they apply are recognisable but the priorities are different. Hearing the constraints clarified my diversity-argument re-examination — diversity has costs that public-sector organisations are particularly poorly placed to bear.

A short chat with a Cisco engineer. They had read my PIX writeup and the IOS vulnerabilities post and were measured-but-not-defensive about my critiques. They acknowledged some of the structural issues I had raised. The conversation was a small reminder that vendor employees are often more thoughtful than the vendor's official position.

A young attendee asking how to get into the field. I am not the right person to ask — my own path is idiosyncratic — but the question was interesting. The barriers to entry are higher than they look from inside; the obvious advice (learn Linux, read Bugtraq, run a honeypot) is not as obvious to someone outside the practitioner community.

What I am taking from the day

Three small things.

Conferences are still worth the time. The marginal value of conversation is higher than the marginal value of an additional read of the proceedings.

The UK community is small enough that going to events is the most efficient way to meet people. Three of the people I had previously corresponded with were there in person.

I should be speaking, not just attending. I have been writing for over three years; I have specific things to say; the format would be productive. I am going to commit to giving a talk before year-end. The next big conference on my radar is in October.

More as the year develops.

