InfoSec Europe 2007 – Thoughts

Yesterday, I went to InfoSec Europe at Olympia in London. I have been to this event for the past few years and as usual, I spent about 5 hours walking round, talking to people and listening to seminars. I only have one word to describe the event overall:


Here’s a breakdown of my thoughts on the various areas:

As per usual, there were a lot of the familiar vendors there with their huge stands (Symantec, McAfee, RSA to name but a few). However, across the board there seemed to be a lot of similar themes running through the event. Many stands seemed to be pushing products to deal with threat and vulnerability management (anti-virus, web filtering, email filtering etc). Not that there’s anything wrong with that, but it’s stuff that we see year in and year out. There seemed to be very little real innovation and cutting edge stuff. For example, RSA were still showing the SecurID tokens on their stand that I have been dealing with for around 5 years. I thought these events were supposed to be the exhibitors’ chance to really show off their new gadgets and gizmos.

From walking round and looking at badges, I am sure that there was probably an equal number of both exhibitors and visitors there. Each stand seemed to bring more and more people, which gave the impression that the event was extremely busy but in reality just meant that you got stopped more frequently. When I go to an exhibition, if I see something that interests me, I will stop at that stand and show an interest in what they have to offer, possibly even asking someone for some information. Being stopped in the middle of the aisle and almost manhandled onto a stand is not an indication that I am interested in their product or that I would like my badge to be scanned so that I can be bombarded with email that doesn’t interest me.

Whilst there I took in two presentations.
The first was by Dave O’Brien (VP of Corporate Development for Courion Corp). I felt that this presentation lacked any real content. It was very high-level and a bit too brief. For me, I felt he was just stating the obvious and providing information which should be common sense. For example, one of his main messages was to start with your pain points and not from a fixed perspective when looking at roles. Is this not obvious?
The second was by Colin Robbins (Principal Consultant with Siemens Insight Consulting). He was talking about the National Identity Infrastructure (i.e. ID cards) and how businesses can use these to their competitive advantage and to save costs. The main point of the presentation was that ID cards are going to happen anyway and since someone else will be paying for them (i.e. the taxpayer) why not use them to realise cost savings within your organisation. I felt the talk itself was very biased towards the NII scheme and the underlying message (to me anyway) was that ‘Siemens think it’s a good idea because they are going to make loads of money out of it’. It didn’t cover any of the issues with the NII scheme that I would have liked it to cover (what will be stored in the backend database, how will access be controlled, how will the enrollment process prevent fraud etc etc).

Bruce Schneier
The highlight of the day was listening to Bruce give a presentation on the BT stand. He was talking about the whole Web 2.0 revolution and how we have a generation gap at the moment which will cause businesses to re-think how they handle/embrace the new generation of employee due to the new and different ways in which they interact and live their lives (Facebook, MySpace etc). This is the first time I have heard Bruce speak in person (I have read his blog for some time and have read his books). I found what he had to say a refreshing and an interesting perspective on this security issue. Unfortunately, I didn’t win the bun fight at the end to try and get one of the 100 autographed copies of his book which the other 300-400 people were also fighting for.

Future Thoughts
One of my main observations about the event was the lack of ‘Identity’ related technologies from the main vendors. Sun, Oracle and CA did not have a stand at all. IBM had a stand but were only pushing ISS on it. HP were the only ‘big’ vendor that I saw who were pushing Identity Management on their stand. I didn’t get to the Microsoft stand to see what they were pushing. There were a number of the smaller players there (Courion, ActivIdentity etc) but a distinct lack of support from the big fish. This does lead me to wonder whether there is a bigger question about the usefulness of these events from a lead generation point of view. My previous company have been on a number of different vendors stands over the years and I don’t remember one sale that could be attributed directly to a lead generated from the exhibition. I wonder if the bigger vendors are also thinking the same thing and therefore staying away and thinking of better ways to spend their marketing budget.

To me, it does question the future of these big, generic events and whether the trend will be to have more area focused events such as Digital ID World where you have a better idea of who your audience are and your audience have a better idea of what to expect from the event.

I am finding myself questioning whether I will bother going next year. I suppose it all depends on whether I run out of pens and stress balls before next April. Also, if I win one of the many PS3 or Wii competitions that I entered, then I might be inclined to go back next year. Otherwise, I can think of better ways to spend a day.

One saving grace is that my youngest daughter (3) does love the mini etch-a-sketch that I got from the SurfControl stand 🙂



Professional photographs

Three years ago I took my family to have some professional family photographs done after receiving a voucher as a present for one of the large national chains. We had decided that we didn’t want the traditional ‘stuffy’ portraits but instead wanted something a bit more modern and unique. The photos that we ended up with were very impressive and just what we were looking for. However, as usual at these sorts of places, we spent far more than we intended to. Having decided that we would limit our purchase to a couple of hundred pounds, we managed to come out with three framed prints with a total cost of over £1000 (yes, you heard me right, THREE). This was partly due to the good quality of the photos but mainly due to the high pressured sales environment that they put you into when you go to select your prints.

Last year my sister and brother-in-law started up their own business doing professional photography. He has been in the photography and graphic design business for over 10 years but decided it was time to start out on his own. Taking full advantage of the family tie I asked him to take some family pictures. Having not seen his work before, I was unsure what to expect.

We spent about an hour in their studio having a great time. The kids really enjoyed it and he must have taken hundreds of pictures.

When he then showed us the pictures, I was absolutely blown away by the quality of what they had produced. They were exceptional. They had produced a selection of photographs in both colour and black and white. I have never been a big fan of black and white pictures but I must admit, I now have two on the wall in my lounge.

I know how much of a perfectionist they are and this clearly shows in their work. I sincerely believe they are better than the earlier pictures we had taken. On top of that, their prices are far more reasonable than that of one of the larger chains (not that I had to pay :-), thanks sis ).

Therefore, if you live in or around the London area (their studio is in Reigate or they do sittings in your home) and want some top quality photographs, I would highly recommend Peter Butler Photography. This is not because they are family but because I have seen for myself the passion that goes into their work, the talent that they have and the quality of their photographs.

The family bit does help a bit though!

Chocolate for your password

Eugene Cozonac posted a comment on an article he saw on the FT website.

The post (and the article) talk about how easily people will divulge their passwords when offered an incentive. In this case, people were offered chocolate bars. According to the research, in total approximately 62% of people asked gave up their password.

I have a problem with research of this type. If I was stopped in the street and offered chocolate in exchange for my password, I would happily tell the researcher that my password was H4EDwb!!.

The fact that I have just made that up and don’t (and never will) use it for anything, makes no difference to the researcher. As far as they are concerned, I have just divulged my ‘secret’ password and I am another of their statistics.

In the meantime I am quite content with my free chocolate bar. Bonus!!


More on simplicity (or lack of it) in federation

A few days ago I wrote a post around federation and how I was surprised it wasn’t simpler to configure.

In response to this, “Curious” posted a comment directing me to a post by James Mcgovern where he talks about why federation has been slow to be adopted and how this could be partly the fault of the vendors and the industry analysts. Whilst I agree with the message that James is trying to convey, there is one particular point he writes that I don’t necessarily agree with.

“I wonder if the CTOs of these companies have ever considered that if they expect to sell solutions to federated identity that part of the purchase requirement may be the need to federate with someone else that already has the software?”

Whilst I believe that it is normally a major benefit if your trusted partner(s) already has a federation solution in place, I don’t think it is a necessity. There is no reason why the deployment of a federated solution couldn’t encompass both ends of the partnership at the same time. I do agree, however, that it is simpler and usually quicker from a design and deployment perspective, if indeed, the trusted partner already has the technology in place and is using it already.

However, it can also introduce extra challenges when trying to integrate with existing deployments. Let’s say, for example, that you want to roll out a new federation platform based on SAML 2.0 (see why the Danish public sector chose SAML 2.0 over other standards here). Since SAML isn’t backward compatible between versions, this poses a problem when trying to partner with a service provider who only supports SAML 1.0. Here you have two options:

1) Pick a product that supports both versions of the standard and then configure different protocols for different partnerships.
2) Utilise a further standard outside of SAML to provide the ‘glue’ between the two versions of the protocol and handle the token conversion (e.g. WS-Trust)

Had the partner not had an existing SAML deployment already, it would have potentially been possible to deploy and utilise a single version of SAML (i.e. 2.0) and to help guide the partner to ‘federation enable’ their software. This could be through a full access management type product (e.g. Tivoli, eTrust, Fusion etc) or through a lightweight engine (e.g. PingFederate). Obviously, there are a number of factors that would help make this decision which I won’t go into now. Adopting a single version of the standard may seem less flexible but if there are no reasons for using multiple different protocols or versions, why complicate the architecture.
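As an added illustration (not code from this post or from any vendor’s product) of why the two versions don’t interoperate and what option 2’s token-conversion ‘glue’ actually has to do, the following re-maps a SAML 2.0 assertion into the SAML 1.1 element layout, routed by a per-partner registry. The partner URLs, the registry itself and the choice to map the 2.0 authentication context to the 1.x ‘unspecified’ method are assumptions.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1)

# Constructed partner registry (hypothetical URLs): the SAML version each SP speaks.
PARTNERS = {"https://sp.partner-a.example": "2.0",
            "https://sp.legacy-b.example": "1.1"}

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def saml2_to_saml11(assertion_xml):
    """Re-map an (unsigned) SAML 2.0 assertion into the SAML 1.1 element layout."""
    a2 = ET.fromstring(assertion_xml)
    if a2.tag != q(SAML2, "Assertion") or a2.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = a2.findtext(q(SAML2, "Issuer"))
    name2 = a2.find("./%s/%s" % (q(SAML2, "Subject"), q(SAML2, "NameID")))
    authn2 = a2.find(q(SAML2, "AuthnStatement"))
    if issuer is None or name2 is None or authn2 is None or a2.get("ID") is None:
        raise ValueError("assertion lacks ID, Issuer, Subject/NameID or AuthnStatement")
    # 1.x carries version and issuer as attributes; 2.0 uses Version and a child element
    a1 = ET.Element(q(SAML1, "Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": a2.get("ID"),
        "Issuer": issuer, "IssueInstant": a2.get("IssueInstant")})
    cond2 = a2.find(q(SAML2, "Conditions"))
    if cond2 is not None:  # NotBefore/NotOnOrAfter keep their names across versions
        ET.SubElement(a1, q(SAML1, "Conditions"), dict(cond2.attrib))
    # 2.0 AuthnContext has no exact 1.x counterpart; an STS policy decides the mapping
    stmt = ET.SubElement(a1, q(SAML1, "AuthenticationStatement"), {
        "AuthenticationInstant": authn2.get("AuthnInstant"),
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:unspecified"})
    subj = ET.SubElement(stmt, q(SAML1, "Subject"))  # Subject moves inside the statement
    fmt = {"Format": name2.get("Format")} if name2.get("Format") else {}
    ET.SubElement(subj, q(SAML1, "NameIdentifier"), fmt).text = name2.text
    return ET.tostring(a1, encoding="unicode")

def token_for_partner(sp, saml2_assertion):
    """Return (version, token) the partner can consume. A real STS must re-sign the
    converted token: the original 2.0 signature does not survive the re-mapping."""
    version = PARTNERS[sp]
    if version == "2.0":
        return version, saml2_assertion
    return version, saml2_to_saml11(saml2_assertion)
```

The signature point is the one that matters operationally: whichever component does the conversion becomes an issuer the SAML 1.x partner has to trust, so it needs its own key and its own place in the partner’s trust configuration.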

Therefore, to summarise, I think there are advantages and disadvantages to integrating with partners who already have federation enabled infrastructures. In some cases it can be a major bonus and in others it can add additional (but not insurmountable) deployment challenges.

Console war – Which console?

Ever since the latest generation of consoles started to be released, I’ve been trying to decide whether I should take the plunge and buy one.

I currently have an XBOX which doesn’t get much use (although I have just completed Spyro) and a PSP which I hardly use at all.

However, despite this, I have been looking with particular interest at the Wii. Although the graphics look appalling compared to the XBOX360 and PS3, the motion sensitive controller looks great.

My favourite types of games are platform games (e.g. Rayman, Spyro, Crash Bandicoot) and puzzle games. I also have two young daughters (3 and 6) who I think will enjoy playing the Wii.

Realistically, I think the PS3 is too expensive to justify spending on a games console, so the decision is between the 360 and the Wii. My pros and cons so far are:

XBOX 360
Graphically superior
Better for the hardened gamer
Better online gameplay

Not as many kids games
More expensive

Wii
Better family fun

Graphically not as good
Not as wide a selection of games
Online gameplay not as good

If anyone can offer any advice on which console I should go for (assuming I could find a Wii in the UK if I decided to get one), it would be appreciated.

Federation shouldn’t be this hard

I’ve been working with federation technologies since the early days of SAML 1.0 (circa November 2002) and in that time I have seen a lot of changes to the support for the standards from various vendors.

Some have been quicker than others to support the various standards. As a consultant I have either used or been exposed to most of the major IAM products on the market, such as Sun, IBM, CA, Oracle etc.

However, what surprises me even now is that even after 5 years of SAML, the amount of infrastructure and configuration that is needed to setup and use federation within most of the products is still quite considerable. I would have expected federation to be more of a commodity by now in terms of setup and configuration.

The only vendor that I have come across to date who does meet this criteria is Ping Identity with Ping Federate. I have used this product for some time and found that, not only is it easy to setup but in addition, it doesn’t require a lot of infrastructure behind it to get it working.

Hopefully, it will just be a matter of time before the major vendors catch up. Not that I should be complaining, it’s kept me in a job 🙂


There’s nothing quite as queer as folk

Religion isn’t usually something that I comment on. Whilst I have my own beliefs, it’s not something I shout about from the rooftops. However, I felt compelled to comment on something I have just watched on TV.

Louis Theroux has just done a documentary which was aired in the UK on the Westboro Baptist Church in Kansas (purposely not hyperlinked so as not to increase their profile). I am a great fan of Louis’s and have watched most of the documentaries he has done over the years. However, this one had to take the prize as one of the weirdest and most frightening exhibitions of people’s beliefs.

This strange and deluded ‘cult’ that call themselves the Westboro Baptist Church are so bizarre and horrific that it really does beggar belief. I’m sure you will have heard about them. These are the people who picket funerals of American soldiers who have died in Iraq or Afghanistan, ‘celebrating’ their death as God’s justice being done. They are led by this fanatical old fossil who managed to dodge nearly all the questions put to him.

It saddens me that there are actually people like this walking the earth and preaching their sickening message today. In addition to their sick and twisted minds, they actually have the audacity to include their children on the picket lines and within their indoctrination. When one of the 7-year-old boys was asked if he knew what the slogan on his banner meant (God hates fags) and why he was standing there, he had no idea (it’s probably a small consolation that he doesn’t understand)!!

I have no problem with free speech and I sincerely believe that everyone is entitled to their own opinion. However, since when does it become a right to picket someone’s funeral? It’s not even as if they are trying to ‘convert’ people to their way of thinking. Their sole purpose in the pickets seems to be to point out how bad everyone except themselves are and how everyone will incur God’s wrath and go to hell.

I’ve seen Louis do a number of documentaries before covering Nazis, anti-Semites, racists etc, but this group of people are by far the most outrageous and one of the most dangerous I have ever seen.

As usual, Louis did a great job of giving them enough rope to hang themselves before asking the question “Why do you do this?” with the underlying tone of “You stupid people”.