A short note on a regional BCS event in Newcastle this past weekend. The first of my planned 2005 conferences. The format was traditional talks plus generous unstructured discussion time.
The content was substantive enough that the writeup is worth more than the brief reports I have been producing recently. The dominant conversation was about phishing and the maturation of cybercrime as a commercial enterprise. Several practitioners discussed specific organisations under sustained phishing pressure; the cost is no longer episodic but operational.
The talks
Five talks across the day. Each substantive enough to write about briefly.
A retrospective on 2004's worm year. Given by an operator who had been on the response team at a major UK financial institution during MyDoom and Sasser. The detail was substantial — actual incident timelines, actual coordination calls, actual decisions made under pressure. The most useful single new fact for me: the financial sector's coordinated response to MyDoom was substantially better than the response to earlier worms because the major institutions had developed shared incident-response infrastructure over the previous several years. The cooperation is invisible from outside but is operationally meaningful.
A talk on phishing-defence research. From an academic at a UK university. The research focused on user-side detection — specifically, browser features that attempt to detect phishing pages and warn users. The research is in early stages; the prototype tools have promise but are not yet production-ready. The interesting structural observation: user-side detection is genuinely hard because the legitimate sites and the phishing sites are increasingly indistinguishable in their visible features. The detection has to use signals that are not visible in the rendered page (URL patterns, certificate properties, network properties) — which is structurally different from how users themselves evaluate trust.
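The structural point above, that user-side detection has to lean on signals the rendered page does not show, is easier to see in code. The following is an added illustration, not the university prototype the speaker described and not code from this notebook: a scorer that looks only at URL shape, registrable domain, port and (optionally) the certificate subject name. The protected-brand table, the short public-suffix set and all of the sample URLs are constructed for the example; a deployed tool would carry the bank's real domains and the full public-suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the brand a toolbar protects and the domain
# its genuine login pages live on. A real tool loads this from configuration.
PROTECTED_BRANDS = {"examplebank": "examplebank.co.uk"}

# Public suffixes under which a third label is needed to be registrable.
# A real tool would use the full public-suffix list; this subset suffices here.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host):
    """'www.examplebank.co.uk' -> 'examplebank.co.uk'. IP literals come back as-is."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cert_name_matches(host, subject_cn):
    """Minimal hostname check: exact match, or a single-level wildcard (*.x.co.uk)."""
    host, cn = host.lower(), subject_cn.lower()
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return host == cn


def url_signals(url, cert_subject_cn=None):
    """Return the suspicious signals for a URL, derived only from properties a
    user never sees in the rendered page: scheme, userinfo, host shape,
    registrable domain, label depth, port and (if supplied) certificate name."""
    signals = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        signals.append("no-tls")
    if "@" in parts.netloc:
        # http://bank.example@attacker.example/ : the real host is what follows '@';
        # older address bars showed the part before it.
        signals.append("userinfo-in-url")
    if is_ip_literal(host):
        signals.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode-label")
    if parts.port not in (None, 80, 443):
        signals.append("non-standard-port")
    if host.count(".") >= 4:
        signals.append("deep-subdomain")

    # The brand name appearing in the host means nothing unless the registrable
    # domain is the brand's own; 'examplebank.co.uk.secure-update.net' is not.
    domain = registrable_domain(host)
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in host and domain != real_domain:
            signals.append("brand-outside-registrable-domain")
            break

    if cert_subject_cn is not None and not cert_name_matches(host, cert_subject_cn):
        signals.append("cert-name-mismatch")

    return signals


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts is real.
    for url, cn in [
        ("https://www.examplebank.co.uk/login", "www.examplebank.co.uk"),
        ("http://www.examplebank.co.uk.secure-update.net/login", None),
        ("http://examplebank.co.uk@203.0.113.7/login", None),
        ("https://examplebank-verify.com:8443/", "examplebank-verify.com"),
    ]:
        print(url, "->", url_signals(url, cn))
```

The fourth sample is the instructive one: the certificate matches the host perfectly, so a "padlock present" heuristic passes, yet the registrable domain is not the bank's. That is exactly the gap between how users evaluate trust and the signals a detector has to rely on.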
A presentation on the Sony BMG situation (preview). The Sony incident had not yet broken publicly when I wrote this, but the speaker had advance knowledge through industry contacts and gave a careful walk-through of what was likely coming. Later note: the talk was, in retrospect, prescient; the public disclosure later in 2005 followed essentially the trajectory the speaker described.
A practitioner panel on small-business security. Three practitioners discussing what advice actually works for small businesses versus what sounds good but cannot be deployed. The conversation overlapped substantially with my own writing on this; several of the panellists had read the notebook and referenced specific posts.
A short talk on Linux 2.6 deployment. Useful operational content; consistent with my own migration experience. The speaker emphasised the LSM infrastructure as the most underutilised improvement; my own assessment is similar.
The conversations
Three I will remember from the unstructured time.
A long discussion with the financial-sector operator. They have been thinking about the structural defensive question for some time; their organisation has invested heavily in internal segmentation and structured logging. Their operational metrics are sufficiently mature that they can quantify the defensive benefit of specific investments. The conversation was deeply useful for my own thinking about how to structure operational improvement at smaller scale.
A short conversation with one of the panellists about non-technical writing. They had been considering writing for less-technical audiences but had not committed; we discussed the primer I wrote and what I had learned from the exercise. They are likely to publish something similar in the coming year; I look forward to reading it.
A surprising conversation with a younger attendee about the field generally. They were considering whether to specialise in security or to remain a generalist. The conversation was about career-shape choices; my own is idiosyncratic enough that I am not the right person to give general advice. We talked through the trade-offs; they will, on the available evidence, decide for themselves.
What I am taking from the day
Three things.
The phishing-as-commercial-enterprise framing has become consensus. Multiple speakers and conversations referenced the framing. Two years ago this was my own view; today it is the practitioner consensus. The categorisation has, on the available evidence, moved from edge perspective to mainstream understanding.
Defenders are tired. The burnout pattern I wrote about in 2002 continues to be visible. Several practitioners explicitly mentioned the operational tempo as unsustainable. The cumulative cost of multiple worm years (2003, 2004) has been substantial; the recovery has been bounded.
The community is, on balance, in good health despite the tiredness. People showed up; people engaged; people made plans for further coordination. The structural community-of-practice is more developed than it was a few years ago. The collective resilience is real.
Operational notes from the day
Four specific operational items I picked up from conversations.
Anti-phishing toolbar deployment is happening. Multiple banks reported that they were piloting browser-toolbar partnerships. The deployment is partial and uneven; the trajectory is positive.
Two-factor authentication for retail banking is closer than I had thought. One bank operator (under the unspoken Chatham House Rule of these gatherings) discussed their plans for retail-customer two-factor deployment. The plan is conservative but specific; the deployment will probably begin in late 2005.
SMB-segmentation projects are common. Multiple operators reported that they were running internal projects to limit SMB exposure on internal networks. The motivation is the Sasser-style lateral-spread problem. The deployment is non-trivial but the operational logic is well-understood.
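The well-understood operational logic is that, from a workstation segment, nothing but the designated file servers should answer on TCP 139 and 445; the measurable output of a segmentation project is a scan from that segment that shows exactly that. The following is an added check, not something any operator at the event showed me: it reads nmap's grepable (-oG) output and lists hosts that still answer SMB outside an allowed listener range. The sample scan lines, the addresses, the hostnames and the allowed range are all constructed for the example.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}

# Constructed sample of `nmap -p 139,445 -oG -` run from a workstation segment.
# Real output has the same Host/Ports line shape; these hosts do not exist.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.1.5 (ws-005.corp.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.10.1.6 (ws-006.corp.example)\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.10.2.20 (fs-01.corp.example)\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.10.1.9 ()\tPorts: 445/open/tcp//microsoft-ds///
# Nmap done (constructed sample)
"""

# Constructed policy: only the file-server range may answer SMB from workstations.
ALLOWED_SMB_LISTENERS = [ipaddress.ip_network("10.10.2.0/24")]


def parse_grepable(text):
    """Map each host in nmap -oG output to {tcp_port: state}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host: (\S+)", fields[0])
        if not m:
            continue
        ports = {}
        for field in fields[1:]:
            if field.startswith("Ports: "):
                # Each entry is port/state/protocol/owner/service/rpc/version.
                for entry in field[len("Ports: "):].split(", "):
                    port, state, proto = entry.split("/")[:3]
                    if proto == "tcp":
                        ports[int(port)] = state
        hosts[m.group(1)] = ports
    return hosts


def smb_exposures(text, allowed_listeners):
    """Hosts with 139 or 445 open that are not in an allowed listener range.
    'filtered' counts as not exposed: a host firewall or segment ACL is doing
    its job, which is the state a segmentation project is trying to reach."""
    exposures = []
    for addr, ports in parse_grepable(text).items():
        open_smb = {p for p, state in ports.items() if p in SMB_PORTS and state == "open"}
        if not open_smb:
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in allowed_listeners):
            continue
        exposures.append((addr, open_smb))
    return exposures


if __name__ == "__main__":
    for addr, ports in smb_exposures(SAMPLE_GREPABLE, ALLOWED_SMB_LISTENERS):
        print(f"{addr} answers SMB on {sorted(ports)} outside the allowed range")
```

Run before and after each segmentation change and diff the lists; a workstation that reappears with 445 open is the Sasser-style lateral path the project exists to close.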
Honeypot adoption among smaller operators is growing slowly. Two operators at the conference were considering deploying their first honeypots. The barrier is partly knowledge, partly resource; the Honeynet Project tooling makes the deployment more achievable than it would have been a few years ago.
A short reflection on conferences
The value of conferences continues to be the conversations rather than the talks. The talks are useful; the conversations are where the new information arrives. Several pieces of operational knowledge from this conference will inform my writing for months.
For anyone in the field who has been attending conferences regularly: the cumulative effect is real. The community-of-practice is genuine; the relationships compound; the operational knowledge that flows informally is substantial.
For anyone who has not been attending: starting is worthwhile. Small regional events are accessible; the cost is modest; the value, particularly the connection-building value, is meaningful.
Looking ahead in the year
For my own conference attendance, three more events on the agenda:
- A spring research-focused event in Cambridge (similar to last year's).
- A summer practitioner gathering in Manchester.
- An autumn industry conference, possibly with me speaking.
The rhythm continues.
What I expect to write about over the next quarter
Probably:
- More on the phishing trajectory as it develops.
- Specific operational pieces drawing on conversations from this conference.
- A piece on internal segmentation that has been on my list for some time.
- Continued tracking of Trustworthy Computing progress.
Less specifically: whatever incidents arise. The operational tempo of recent years suggests that something will happen that demands a writeup.
More as the year develops.
A small note on the conference format itself
The traditional-talks-plus-discussion format continues to work for me. The workshop format I tried in 2002 had its merits but produced more exhaustion than learning. The plenary-talks format is, on balance, my preferred mode.
For any conference organisers reading this: the unstructured discussion time is the most valuable part. Generous coffee breaks, generous lunch, an evening drinks element where attendees can talk to each other without time pressure — these are what produce the value. Compressing them to make room for more talks is, in my view, the wrong trade-off.
More in time.
A longer reflection on the conference experience
Let me extend this conference writeup with a more substantive treatment of what conferences have been producing for me over the years.
Cumulative conference attendance
I have been attending UK security conferences regularly since my first one in late 2000. Across the five years I have attended somewhere between 20 and 30 events; the count is approximate because I am uncertain whether some of the smaller events should count.
The cumulative effect has been substantial. Specific dimensions:
Network development. I now know, through repeated encounters at events, perhaps 100 individuals well enough to recognise them and have substantive technical conversations. The network is not large by some standards but is adequate for the kind of work I do; the cumulative depth of relationships is what matters.
Operational knowledge. Conversations at events have given me substantial operational knowledge that I cannot get from public sources. Specific incidents at specific organisations, specific defensive techniques that have worked or not, specific upcoming changes at specific vendors. The information is shared informally at events and is not generally available otherwise.
Calibration of my own writing. Reading engagement at events tells me which posts have landed, which have produced disagreement, which have been useful. The notebook would continue without this calibration but would be lower quality.
Speaking opportunities. The cumulative network has produced several speaking opportunities at events I would not otherwise have been invited to. Speaking is valuable for its own reasons; the opportunities arise primarily through community connections.
What makes a good conference
From five years of attendance, my own preferences have stabilised.
Generous unstructured time. The conversations are the value; they require time. Conferences with packed talk schedules and minimal break time produce less value per hour than conferences with sparse schedules and abundant unstructured time.
Practitioner-focused content. Talks by people who are actively doing the work are more valuable than talks by consultants summarising the state of the field. The practitioner content has detail; the consultant content has framing. I want the detail.
Mixed seniority. Events that include both experienced practitioners and newer entrants are more valuable than events that segregate by seniority. Cross-pollination matters.
Bounded size. Small events (20-100 attendees) produce more substantive conversation than large events (500+ attendees). The smaller scale enables actual discussion; the larger scale tends toward presentations-and-passing.
Geographic concentration. Events in cities where I can travel by train are more accessible than events requiring flights. The marginal cost of additional events drops substantially when travel is bounded.
The BCS regional events I attend most often satisfy most of these criteria. Larger industry events satisfy fewer; their value-per-hour is lower; I attend them more selectively.
What I have learned about speaking
I have spoken at perhaps 8-10 events over the past few years, starting with the first talk in Leeds in 2001. The cumulative experience has produced specific lessons.
Less material is better. I consistently prepare too much material. The right amount for a 40-minute slot is roughly 30 minutes of content; the buffer matters for questions and discussion.
Specific cases beat abstract argument. The most effective talks I have given centred on specific honeypot captures or specific incidents. Abstract structural arguments produce less audience engagement.
Honest uncertainty produces better questions. When I include the calibrated humility discipline in talks — explicitly noting what I am uncertain about and what would update my views — the audience asks better questions. Confident presentations produce confirmation; uncertain presentations produce dialogue.
The interactive format works better than monologue. Asking questions of the audience, incorporating their answers into the discussion, treating the talk as conversation rather than lecture. The audience prefers this; I prefer this; the cumulative experience is better.
What I want to do at conferences in the next year
Three things.
Continue regular attendance. The cumulative network value continues to grow with sustained attendance. Four to six events per year is the right cadence for me.
Speak at a larger event. I have been speaking at small regional events for years; the next step is a larger industry event. The preparation is more substantial; the audience is larger; the practice would be valuable.
Explore the workshop format more. The workshop event I attended in 2002 was educational; I have not pursued the format much since. Workshop-format events would be a useful complement to my talk attendance.
More as the year develops.
A broader reflection on community engagement
Let me close with broader observations about community engagement and its role in professional development.
The security community in the UK is small enough that sustained engagement produces meaningful relationships within a few years. Five years of regular conference attendance has produced a network that informs my thinking and supports my practice.
For anyone earlier in their career: the investment in community engagement pays back over time. Specific actions:
Attend at least one event per quarter. The cumulative attendance, sustained over years, builds the network.
Speak when invited. Speaking is harder than listening; the practice is valuable; the visibility produces follow-on opportunities.
Correspond with people you find interesting. The most valuable relationships in my network started with brief exchanges that grew over time.
Contribute to discussions even when uncertain. Certainty is overrated; tentative contributions often advance a conversation further than confident pronouncements do.
Sustain engagement during quiet periods. The community matters during your quiet periods as much as during your active ones. The relationships are bidirectional.
For the events specifically: the BCS regional events I have been attending consistently provide better value-per-hour than the larger industry events. The smaller scale, the practitioner focus, the unstructured time — all combine to make these events particularly useful for the kind of work I do.
For anyone considering whether to engage: start small. A single regional event tests whether the format suits you; sustained attendance builds the network if it does.
More as the year develops.
A note on regional events specifically
Let me add a brief reflection on regional events as a category.
The UK security community is concentrated in a few cities — London, Manchester, Edinburgh, Bristol, Cambridge. The specific events I attend are mostly in these cities; the geographic concentration is convenient for travel.
For practitioners outside the major cities: the regional events are reachable as a day trip from most of Great Britain. The concentration is not exclusionary; it just means the events happen to be in specific places.
The BCS regional structure is what makes most of these events possible. The local branches organise the events; the venue costs are bounded; the format works.
For anyone interested in starting a similar local event: the BCS framework is supportive. Specific BCS branches have organised events when one or two practitioners volunteered to coordinate. The barrier is lower than it appears.
For my own continued attendance: I expect to continue the pattern of 4-6 events per year across the UK. The variety of cities is incidentally valuable; each event is in a different context; the cumulative experience benefits from the geographic spread.
More as the year develops.
A practical close on the Newcastle event specifically
The Newcastle event was, on reflection, a particularly good one. The mix of academic and practitioner attendees, the practitioner-focused content, the generous unstructured time — all combined to make it more useful per hour than most events I attend.
The specific factors that made it work:
The venue. A modest conference room above a pub in central Newcastle. Not impressive; entirely functional. The atmosphere was conversational rather than ceremonial.
The size. Forty attendees was at the upper end of small. Large enough for diverse perspectives; small enough for actual conversation.
The pacing. Five talks across the day with substantial breaks. Not packed; not rushed. The unstructured time produced as much value as the talks.
The host. The organising committee had clearly invested in making the event work; the practical details were handled.
For anyone organising similar events: the modest venue, modest size, modest pacing combination produces better events than larger and more elaborate alternatives.
For anyone attending similar events: showing up with the intent to engage in conversation, not just to listen to talks, produces more value. The talks are the structure; the conversations are the content.
More as the year develops.