Misinformation Communicated by Conference Speakers
I just attended another information security conference. Normally when I attend a conference, I give a presentation and then leave shortly afterwards to hurry back to the High Tower office. This time, however, I had the luxury of being able to take in a number of presentations. Although some of them were truly outstanding, what speakers said in two of these sessions struck me as terribly wrong.
In one session, a person who described himself as a forensics expert made some reasonably good points. I would in fact have considered his talk to be above average until he started answering questions from the audience. Someone asked him if he had ever had to decrypt file content in the course of a forensics investigation. He replied that he had, and that obtaining and running a decryption tool was the correct approach. I suppose that there is nothing wrong with using a decryption tool, but I was surprised that he did not say anything about trying to look for encryption keys in a system’s memory before doing anything else—by far the most straightforward approach. I was also surprised that he told the audience that forensics tools such as EnCase are of limited value because they are too complicated to use. I fear that although the audience learned several valuable principles of forensics, some of what they learned was far from the truth.
In another conference session a speaker made numerous recommendations concerning PCI compliance. He, like the previous speaker, made a reasonably good presentation, but then he said something that I could not believe. When discussing the need to protect customer data at rest, he said that strength of encryption is not important—that any kind of encryption is sufficient to protect such data. I certainly hope that no one in the audience took him seriously. Would ROT-13 be sufficient to protect customer data? Certainly not. How about the trivial-to-break DES algorithm? And for data in transit, I fear that the speaker would also endorse 40-bit SSL, which also can be quickly broken.
I am by no means any kind of exclusive truth repository in information security. Sometimes I, too, get things wrong. My much-valued friend and long-time mentor William Murray does not hesitate to tell me when he thinks I have been wrong, and for that I am glad. I tried to return the favor, so to speak, in that in both presentations I raised my hand at the end in an attempt to correct the assertions that I considered to be faulty. Somehow, however, both speakers overlooked me, something that only added to my frustration.
I’ve said it before, so I will say it only briefly here. It is incredibly difficult to correct misinformation communicated during conference sessions; it is much easier to correct misinformation in published works such as books and journals. If uncorrected, misinformation can cause serious errors of judgment in the workplace. Conference committees work hard and deserve a lot of credit for putting conferences together, but they need to pay far more attention to what a potential speaker intends to say before that person is allowed to make a presentation. Screening the content of upcoming presentations must become a greater priority. And, finally, I truly hope that those who attended the two sessions in which misinformation was communicated will read this blog entry—but I am not holding my breath.