The Vegas security conferences used to feel like diving into a river. While yes, you networked and made deals and talked about exploits, you also felt for currents and tried to get a prediction of what the future held. A lot of this was what the talks were about. But you went to booths to see what was selling, or what people thought was selling, at least.
But it doesn't matter anymore what the talks are about. The talks are about everything. There's a million of them and they cover every possible topic under the sun. And the big corpo booths are all the same. People want to sell you XDR, and what that means for them is a per-seat or per-IP charge. When there's no differentiation in billing, there's no differentiation in product.
That doesn't mean there aren't a million smaller start-ups with tiny cubicles in the booth-space, like pebbles on a beach. Hunting through them is like searching for shells - for every Thinkst Canary there's a hundred newly AI-enabled compliance engines.
DefCon and Blackhat in some ways used to be more international as well - but a lot of the more interesting speakers can't get visas anymore or aren't allowed to talk publicly by their home countries.
If you've been in this business for a while, you have a dreadful fear of being in your own bubble. To not swim forward is to suffocate. This is what drove you to sit in the front row of as many talks as possible at these two huge conferences, hung over, dehydrated, confused by foreign terminology in a difficult accent.
But now you can't dive in to make forward progress. Vegas is even more of a forbidding dystopia, overloaded with crowds so heavy it can no longer feed them or even provide a contiguous space for the amoeba-like host to gather. Talks echo and muddle in cavernous rooms with the general acoustics of a high school gymnasium. You are left with snapshots and fragmented memories instead of a whole picture.
For me, one such moment was a Senate staffer, full of enthusiasm, crowing about how smart the other people working on policy and walking the halls of Congress were - experts and geniuses at healthcare, for example! But if our cyber security policy matches our success at a health system, we are doomed.
I brought my kids this year and it helps to be able to see through the chaos with new eyes. What's "cool"? I asked, in the most boomery way possible. Because I know jailbreaking an AI to say bad things is not it, even though it had all the political spotlights in the world focused on examining the "issue".
The more crowded the field gets, the less immersion you have. Instead of diving in you are holding your palm against the surface of the water, hoping to sense the primordial tube worms at the sea vents feeding on raw data leagues below you. "Take me to the beginning, again" you say to them, through whatever connection you can muster.
-dave
I brought my kids this year and it helps to be able to see through the chaos with new eyes. What's "cool" I asked?
What was the answer?
On Mon, Aug 14, 2023 at 3:36 PM Dave Aitel via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
What was cool for me was DEF CON HDA (Hackers with Disabilities) -- seeing the members of the community that are hacking away at things like mobility scooters, using eye-tracking keyboards, and the general community that is building in that regard. DEF CON this year had 3 rooms assigned to assisting / presenting to ADA needs.
On Tue, Aug 15, 2023 at 7:10 AM Ryan Naraine via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
You are on point on so many levels. I've also been noticing a significant culture shift.
There is definitely a strong focus on policy-making, which now promotes conformity in thought and dismisses critical perspectives. These are the very things that the hacker culture once opposed, but they also now represent what policy-making is. We could even say that policy-making is now molding the hacker culture, rather than the other way around, and that this shift will inevitably lead to a "glocalization of cyber."
The definition of "technical work" appears to vary widely across various clusters of our industry, including within those self-specifically categorized as "technical clusters." When I engage with younger individuals, I frequently encourage them to consider a career as a software engineer, where they will have the opportunity to create tools and products rather than merely using someone else's creations. While this may seem obvious, the increasing noise in the industry makes it feel, year by year, as though the culture is shifting towards mastering "products" rather than developing "skills."
Well... It was fun while it lasted, thank you all for playing.
Best Regards, Matt Suiche
*This transmission is intended only for the use of the addressee and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately.*
On Mon, Aug 14, 2023 at 8:03 PM Dave Aitel via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
Don't mistake the industry culture for the hacker culture. For every bit of "glocalization of cyber" and the industry demands of mastering products, there are people who are still picking up soldering irons, building robots, making off-cloud home automation, inventing new things and international fun projects like the stack-chan personal robots. I'm not saying you are wrong; however, adapting to the industry to get the jobs that pay the bills does not mean that the hacker spirit is totally lost. It's still out there, and it's still real. It just has a mortgage to pay. :) Look for the new batch, the kids at DEF CON who are just learning a cold solder joint from a good one, and have the educational shows from Adafruit where we had Mr. Rogers and The Electric Company. A talking semiconductor sings to a 555 chip about circuits instead of the Road Runner & the Coyote.
On Tue, Aug 15, 2023 at 7:21 AM Matt Suiche via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
As always, it was the speakers themselves at Defcon that made the talks memorable. For example, I caught the last half of the presentation by Joe Sullivan, former US federal prosecutor and Uber CISO (also former CISO at Facebook and Cloudflare; also worked at eBay and PayPal).
The session was in the [new?] track called "War Stories — On the Record" and it was a human, straight-talking narrative about the Uber "cover up" for which he was convicted (no jail time). After his presentation, Joe also kindly moved to the discussion room across the hall for a further Q&A session in a smaller room.
You can see the presentation here: https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Joe%2...
The crux of the story: is it still a breach if the attacker is a 19-year-old kid living in his Mom's house who finds a vulnerability, is then directed to submit it via the bug bounty program, and then deletes the data (and gets paid)?
Joe also made an interesting point about attribution: it's important to know if the attacker is a 19-year-old kid or a Russian outfit that has planted a bunch of back doors in your network that you now need to find.
Also, it was great to simply walk the halls and reconnect with the Defcon community (and do some BJJ training with friends at Jeremiah's annual SmackDown event!).
[image] *Joe Sullivan, now CEO of UkraineFriends.org.*
Best, Phil
On Tue, Aug 15, 2023 at 11:58 AM Richard Thieme via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
Addressing the issues so well articulated in this thread was the essence of my proposed talk for Def Con, called, “Think! before it’s too late.” After speaking there for 26 years, this one was rejected because it lacked sufficient “data.” So it goes. thweeet.
On Aug 15, 2023, at 9:20 AM, Matt Suiche via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
The policy-making trend deserves its own thread.
Dave & I and a few others have done “deep policy work” which requires years (not just a few meetings and summits) of pushing extremely unpopular contrarian technical facts over desired policy outcomes that were drafted by people who often don’t fundamentally understand how computers work.
The policy tail has been wagging the technology dog for a while & it’s all running amok off-leash.
As soon as Policy became more popular, I have seen policy makers scrambling for technology influencers, inviting anyone and everyone with generalist tech knowledge, too little experience, or the wrong specialty knowledge for the task to inform what becomes damaging policy that then has to be undone over years.
Policy work is often looked down upon over “real technical work” - but look at how much it affects all of us, for good or for ill. We can’t afford to let less technical people set the rules for us or for the Internet.
Policy Influencer tourists who enjoy their Congressional staffer meetings & White House summits often unwittingly pollute the tech ocean with too many tech-adjacent microplastics and platitudes that are turning into tech policy forever chemicals.
We need more hands-on technical people with industry experience at scale who are willing to wade into the kind of years-long deep policy work that we all do not prefer over our technical work, but still desperately needs to be done.
How does one get invited to the table that goes beyond tech policy tourism, as an active participant and not just a passing guest they invited just as much for a photo op as they did to ACT on your advice? Just like everything you’ve ever done worth doing, you need to find an area you’re passionate about and you have to try a bunch of extremely tedious things until you pop that policy shell.
Ask Dave. He and I spent years attending meetings that mostly did not concern us, for the chance to speak up on the topics that did, until we were finally asked to officially join things like Technical Advisory Councils.
We may already be too late to reverse this Internet climate catastrophe. But we have no choice but to try.
k8e
On Tue, Aug 15, 2023 at 07:22 Matt Suiche via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
You are on point on so many levels. I've also been noticing a significant culture shift.
There is definitely a strong focus on policy-making, which now promotes conformity in thought and dismiss critical perspectives. These are the very things that the hacker culture once opposed, but they also now represent what policy-making is. We could even say that policy-making is now molding the hacker culture, rather than the other way around, and that this shift will inevitably lead to a "glocalization of cyber."
The definition of "technical work" appears to vary widely across various clusters of our industry, including within those self-specifically categorized as "technical clusters." When I engage with younger individuals, I frequently encourage them to consider a career as a software engineer, where they will have the opportunity to create tools and products rather than merely using someone else's creations. While this may seem obvious, the increasing noise in the industry makes it feel, year by year, as though the culture is shifting towards mastering "products" rather than developing "skills."
Well... It was fun while it lasted, thank you all for playing.
Best Regards, Matt Suiche
*This transmission is intended only for the use of the addressee and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately.*
Dailydave mailing list -- dailydave@lists.aitelfoundation.org To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org
Hey all,
two quick notes:
1) I am deeply thankful for Katie and Dave, and many others (you know who you are, if you want to be mentioned by name here send me a message) that have spent time sitting in meetings that did not concern them until they had a voice in meetings that did. I have been extremely ineffective in all matters policy because ... I seem to be incapable of doing that work (aside from being on the wrong side of the Atlantic, I'm also incapable of the networking, alliance-smithing and "joint suffering through meetings" that this entails). Katie's analogy regarding policy entrepreneurs polluting the policy space with forever chemicals is all too correct. It was a sobering revelation to me that many policymakers do not care much about passing a *bad* regulation, they care about getting *some* regulation passed with their name tangentially attached. So Katie is right: We need people with a technical clue to fight the good fight.
2) It's bizarre to me to see people still argue that software engineering is an optional technical skill in security. Broadly speaking: In the same way that building alliances and understanding of organisational structure and incentives is the lever that allows you to make a big impact on the organisations that you're dealing with, writing code is the lever that allows you to scale your other technical skills. A piece of paper with the right signature will regulate people's behavior long after they've forgotten why it was signed in the first place, and the right piece of code in the hands of people will still be in use 15 years after you last improved it, long after your life has moved elsewhere.
Cheers, Thomas
Am Di., 15. Aug. 2023 um 18:09 Uhr schrieb Katie M via Dailydave < dailydave@lists.aitelfoundation.org>:
The policy-making trend deserves its own thread.
Dave & I and a few others have done “deep policy work” which requires years (not just a few meetings and summits) of pushing extremely unpopular contrarian technical facts over desired policy outcomes that were drafted by people who often don’t fundamentally understand how computers work.
The policy tail has been wagging the technology dog for a while & it’s all running amok off-leash.
As soon as Policy became more popular, I have seen policy makers scrambling for technology influencers, inviting anyone and everyone with generalist tech knowledge, too little experience, or the wrong specialty knowledge for the task to inform what becomes damaging policy that then has to be undone over years.
Policy work is often looked down upon over “real technical work” - but look at how much it affects all of us, for good or for ill. We can’t afford to let less technical people set the rules for us or for the Internet.
Policy Influencer tourists who enjoy their Congressional staffer meetings & Whitehouse summits often unwittingly pollute the tech ocean with too many tech-adjacent microplastics and platitudes that are turning into tech policy forever chemicals.
We need more hands-on technical people with industry experience at scale who are willing to wade into the kind of years-long deep policy work that we all do not prefer over our technical work, but still desperately needs to be done.
How does one get invited to the table that goes beyond tech policy tourism, as an active participant and not just a passing guest they invited just as much for a photo op as they did to ACT on your advice? Just like everything you’ve ever done worth doing, you need to find an area you’re passionate about and you have to try a bunch of extremely tedious things until you pop that policy shell.
Ask Dave. He and I spent years attending meetings that mostly did not concern us, for the chance to speak up on the topics that did, until we were finally asked to officially join things like Technical Advisory Councils.
We may already be too late to reverse this Internet climate catastrophe. But we have no choice but to try.
k8e
The BsidesLV "Cavalry" track was exactly that: how policy has been changed due to significant efforts by technical people, such as medical devices being subject to FDA regulation and the DMCA exemption. This year's talks are not up yet, but the track from last year is at https://www.youtube.com/playlist?list=PLjpIlpOLoRNTdZqdr-jR9sa8niVSy4pPf
I found it very educational, for example how difficult it is to define what a "password" is in legislative and legal terms, amongst other things. We are used to contextualising technical risks to business/risk owners; however, staffers and policy makers are very different animals.
JJ
On Tue, Aug 15, 2023 at 7:22 AM Matt Suiche via Dailydave < dailydave@lists.aitelfoundation.org> wrote:
The definition of "technical work" appears to vary widely across various clusters of our industry, including within those self-specifically categorized as "technical clusters." When I engage with younger individuals, I frequently encourage them to consider a career as a software engineer, where they will have the opportunity to create tools and products rather than merely using someone else's creations. While this may seem obvious, the increasing noise in the industry makes it feel, year by year, as though the culture is shifting towards mastering "products" rather than developing "skills."
Ironically, in the 90s many people that worked as security engineers were simply configuring routers, firewalls, and security software. There was a noticeable point where it became clear that to really have an impact as a security engineer required software development, whether it was creating tools, reviewing code, or building security into products/services. And following that, many of the mastering "product" jobs disappeared in security. Like fashion, it seems what is old becomes new again. That is disappointing, since so many of us see exploration and creation as core attributes of the hacker, and it feels like without hardware and software development front and center we stray away. Sure, is finding unintended/unknown paths through a neural network hacking? Indeed. But we run the risk of losing understanding of the deepest layers of hardware and software if all focus shifts to "products." Maybe this is just the beginning of a new domain? The exploration has to start on the surface, and eventually it will follow the holes down into the core of the matrix (operations)?
Dom