Shmoo Keynote Reax

Disclaimer: I nodded off, and missed the first fifteen minutes of it.

With that said, I have doubts about whether it could have been much better than what I actually did see. Maybe somebody will tell me what amazing things I could have seen there that I failed to see in the last 45.

Major take-aways:

  • Most applications use insecure communications
  • Edward Snowden figured out that TOR isn’t sekur
  • TPM is infiltrated
  • A browser makes it harder to use a self-signed cert than it is for someone malicious to get a signed cert that the browser won’t complain about
  • Hardware manufacturers are lazy
  • Fuck you, right? Okay?

Yes, the last one is snark pure and simple, but it is one of my pet peeves. No, actually it isn’t right, and what you said doesn’t get smart just because you asked me if it was right after you said it.

My two major points:
1. Not all communications need to be secure, even if many endpoint devices have the muscle to support that. There’s a reason SIP uses UDP. There’s also a reason your mother uses http:// when she watches that cute cat video for the eightieth time.
2. It’s completely unrealistic to expect vendors to change to meet your amazing idea about the way things ought to be done.

Early Shmoocon Thoughts

I’m kind of hanging back in the room until the keynote, after watching the opening.

A single thought comes to mind — maybe the thing was better last year just because the “break it” track was gone?

One of the things that really bothered me a couple of years ago was the focus on destruction. To me, so much emphasis is placed on building these monoliths that destruction becomes job number one.

Maybe in the past it was smart to worry about how to get rid of things, keep them from prying eyes. I really wonder now if that’s true.

Thinking about my own gear I have with me. I get hacked, and…? Congratulations, you got some of my music library, and endless revisions of my resume.

Getting the former might entice you to go see them play a show. Getting the latter might entice you to call me for an interview. And?

The keynote appears to be about what steps you, as an individual, can take to prevent getting pwned. Guess what — you can’t completely avoid it, short of moving to a cabin somewhere in Montana. If the speaker focuses on what strategies are most effective, it’ll be a worthwhile talk.

I’m not holding my breath, intentionally, at least. (My diaphragm does its own thing from time to time.) I’d like to see something where someone actually does the research to quantify the risks and effectiveness.

So, your endpoint device is locked down tight? Give me a minute to find the fuck I’m not giving since nothing important is stored there these days.