RSA Conference Day 1: The Human Factor
Our communities manager, Jon Ericson, is at the RSA Conference. Below are his reflections on the first day of the conference:
When I arrived at Moscone Center, where the RSA Conference is held, the first thing I did was connect to the wireless network. That required me to view this disclaimer:
In some sense the audience of the RSA Conference ought to know how to manage their network risk. Personally I took comfort knowing that all the websites I connect to use HTTPS. But as I attended sessions, it occurred to me that most of the security risks we face are not technological, per se.
Navigating the Legal Landscape: Cyber Law 2025
While technological progress pushes ahead, the law serves as a sometimes imperfect interface with other parts of society. In this session, a panel of lawyers discussed some recent cases with counter-intuitive (for non-lawyers, at least) outcomes. For instance, a ruling in a case involving an Uber data breach might effectively end certain types of bug bounties. The logic is that when a whitehat demonstrates a potential vulnerability of a computer system by gaining unauthorized access, they have already broken the law. If a company later offers a bug bounty that includes a non-disclosure agreement, that could amount to an attempt to cover up a crime.
As I said, counter-intuitive. Also, thankfully, tentative as the defense has paths to appeal the ruling. One of the speakers, Aravind Swaminathan, had this takeaway: “Worst possible holding on this issue because the categorical rule calls into doubt many Bug Bounty programs”. He is looking for security experts to write amicus (“friend of the court”) briefs to help the case.
The Digital Parent Trap: Keeping Your Kids Secure Online
As a father of preteen children, I was interested in hearing from Sandra Joyce, VP of Google Threat Intelligence, and Robert McMillan, a reporter who writes about computer security for The Wall Street Journal. Much of their discussion revolved around common-sense notions such as treating you children according to their own maturity levels rather than implementing dogmatic rules. They also discussed setting up a secret word that families can use to verify each other online given the tricks scammers use.
Gamification: How to Make Money and Stay Out of Jail
Behnam Dayanim, a lawyer at Orrick, Herrington & Sutcliffe, brought a change of pace talk about the law surrounding gambling, sweepstakes and games of skill. He talked about a Kentucky case with roots that go back to a 1710 act of the Parliament of Great Britain that allows people to recover gambling debts. The state sued an online poker site, PokerStars, for loses suffered by Kentuckians and won.
He also described various tests of what determines if an activity is a game of skill or luck since laws treat them differently. Games such as poker, which involve randomly drawn cards, can still be games of skill since a proficient player will regularly beat a novice.
The Journey of Enterprise Network Microsegmentation at Scale
Two Comcast engineers explained how they implemented policies to protect their company from catastrophic attacks. They set up policies which reduce the attack surface of applications using zero trust principles. The idea is to limit the exposure of individual services even to resources inside of what would traditionally be considered a trusted network. While developers tend to believe they need access to everything, the speakers observed the median number of connections needed by applications was 6 inbound and 6 outbound.