
TrustyCon was the 'Rebel Conference' Across the Street From RSA 2014 (Video)

Posted by Roblimo
from the the-most-interesting-people-are-often-in-the-rebel-groups dept.
RSA holds big-time annual security conferences. The 2014 U.S. edition had 25,000 attendees, Stephen Colbert as the closing keynote speaker, and a major controversy (and some anger) from potential speakers and attendees over RSA's reputed $10 million contract with NSA to make sure the company's encryption software had back doors the secretive agency could use to spy on people and companies that use RSA software. This is part of a story that might be called The Snowden Revelations if it is made into a movie, but right now it's still controversial, and enough of a bombshell in the IT security industry that F-Secure's Mikko Hyppönen decided not to speak at this year's U.S. RSA conference, followed by Bruce Schneier, DEFCON founder Jeff Moss, Princeton professor Ed Felten, and other security luminaries.

And so, TrustyCon -- the Trustworthy Technology Conference -- was born. It was a sellout, with 400 people attending at $50 a head, and another 300 on a waiting list who couldn't get in. Slashdot's Tim Lord managed to get in, and got to speak briefly with several people there, including one of the TrustyCon organizers, Joel Wallenstrom. These were crude interviews, done on a "catch as catch can" basis, and the sound in them is poor. (Google sent a camera crew and shot over seven hours of the conference speakers, which you can watch on YouTube if you want to view TrustyCon presentations in good HD with great sound.) Will there be another TrustyCon next year? According to The Register, "The conference organizers said that, at this point, the plan is to hold another get-together next year, but that a final decision will be made closer to the time."


Jamie Tomasello:
So CloudFlare is a web ____ optimization and web security company. We provide CDN services and distributive ____ protection.

Tim: What does ____ conference not have that at RSA ____.

Jamie: So what a security conference like RSA does not have, that TrustyCon has, is a focus on trust. For us, it is one of the key tenets of our company that we focus on both protecting our customers, making sure that they feel comfortable and that they trust us, not only with their data, but also with their tasks.

Tim: ____ transparency report ____

Jamie: So a transparency report typically consists of law enforcement requests. Some transparency reports also include civil process requests, but the transparency report that CloudFlare issued this morning, our first initial transparency report, ____ to all the law enforcement requests we received, and we broke it down into things like subpoenas, court orders, search warrants, and pen register/trap and trace orders.

Tim: Why is that ____

Jamie: I think it is important for companies to do that because it provides a layer of, obviously, transparency but also security to their customers, so that they know what sort of requests are coming in at the company, and then gives the company an opportunity to say, "These are the things that we do; these are the things that we don't do." And essentially it gives a little more information about the policies and the consistent application of those policies of the organization.

Tim: ____ company like yours, ____ how many requests did you get?

Jamie: The types of requests we receive are very similar to the requests telcos and different service providers receive -- subpoenas, court orders, things of that nature. But our volumes are very low. For example, our transparency report, which is available at cloudflare.com/transparency, shows the numbers for subpoenas that we received for 2013: 18 subpoenas, but in that case we pushed back on 16 of those subpoenas and they were either rescinded or additional court orders were pursued by law enforcement. Other numbers that we received are all under two digits. So we don't have hundreds of thousands of requests like you would see at a telco.

Tim: ____ talk about that ____ think about ____ how do they react to that?

Jamie: So from our perspective, it is important to keep things secure and keep things private, right. Trust, privacy, and security all go together. They go hand in hand. And so for us, it is something that we are concerned about, making sure that when we are designing services and designing products we are considering privacy by design, so it is from an engineering perspective and from a policy perspective, and making sure that we are keeping our customers' data secure at all times, whether that means from hackers, or if that means from law enforcement or from government ____ that want to ____

Tim: It seems like

Jamie: That's one thing that they can do. They can also choose to aggregate their data or essentially choose not to retain data. There are situations where it is important to evaluate how much of this data we actually need to perform the services and provide the products that we are providing to our customers. In many cases, a lot of companies don't need all the data that they are holding on to.

Tim: ____ telcos as well ____.

Jamie: Right. It is important to find, especially for us, because we are providing a security service and an optimization service, so we need to be able to protect our customers from different types of threats, like different DDoS attacks. So we need to have some information about the traffic that we receive; however, it is not important for us to keep every single thing. There is a lot that can still be gleaned through aggregation. So that's something that we are very keen on, not only having strong policy about how we respond to law enforcement, but also making sure that we have policies around data retention.

Tim: ____ keep that information as you need it ____.

Jamie: That's correct.

Tim: So what should companies learn from the fact that we had a wholly different conference across the street, mostly because of sponsors?

Jamie: I think it is something that companies need to be mindful of, because it is not just about an entity spying on your company, or spying on your customers; at the end of the day it comes down to brand reputation. You are going to lose business if you are not in the business of trust.

Tim: ____ we are right across the street from the same convention center where RSA is at. We are not at RSA, so where are we right now?

Joel Wallenstrom: No, we are not at RSA. We are at TrustyCon. This is the first year we have had this. It is just a complementary conference to RSA. We put it together to make sure that a few of our industry experts had a platform for discussing some really important security issues.

Tim: Now how does it differ though, because RSA is obviously, many thousands of people are here for security, ____ and this was in fact, one of the different ____ talk about that.

Joel Wallenstrom: Well, I think there are several thousand people for a security conference, so there are thousands of security people here, but not that many security experts. So what happened is there were a few people whose voices really needed to be heard, who didn’t feel comfortable with that other platform just this year, and we wanted to provide that venue for them to have their voice.

Tim: Now we are at a movie theater, and with a smaller conference, but it did sell out quickly. How does ____?

Joel Wallenstrom: It did. Well, when we heard a few people were uncomfortable with the current format, we decided that we needed to go hunting for a place to give them that platform I talked about earlier. And this was the place that was available. It seats 400 people, and I think it was just a few days before it sold out and we had a waiting list of 300.

Tim: And you didn't ____ for finding speakers?

Joel Wallenstrom: We didn't. There were not that many people who wholesale decided that they couldn't speak at RSA. They were easy to find, because they had made that public. And then once we created the forum, we had other great industry notables like Bruce Schneier and Dan Boneh who raised their hands and said, let's be part of this.

Tim: Right, now that you have a single track conference ____ what are some of the highlights, the things that people could be here at the conference for, what will they be seeing?

Joel Wallenstrom: A lot of it is heavy math, a lot of it is cryptography. A lot of it obviously has to deal with some of the issues that have popped up, in the media at least, between NSA and RSA, so it has a lot to do with freedom of speech and our ability to maintain privacy in our computing lives.

Tim: Now some people get the idea that being in favor of free speech, or in favor of encryption, is somehow anti-corporate ____, or anti-government. What kind of sponsors do you have ____ do you have companies that are involved ____.

Joel Wallenstrom: Well it is interesting, we do. You can look around, we have CloudFlare, Digicert, a number of different companies that have stepped out and they are formal sponsors. But we have a lot of people that are behind the scenes that are supporting us as well. Yeah, it is a little bit of a controversial issue. But the big guys are all involved in this conversation, and I like to think that we have their support in one way or another as well.

Tim: Organizing a conference this quickly, is there any challenge in particular that made it hard?

Joel Wallenstrom: Well, the company I work for isn't necessarily an event planning company, so certainly when you try and put an event together, that can be a challenge, but there is just such a groundswell that we had volunteers from, I think, up to ten different companies who have jumped in and helped us. ____.

Tim: So let me just ask you one more thing. You just told us you had a big waiting list. What is the future? Do you think TrustyCon has legs?

Joel Wallenstrom: Well there is a natural inclination to think that it does. ____ as I said, we have been so focused on executing on this that the next one hasn’t been planned or announced. But I mean, stay tuned, I am sure you will hear something soon.

Alex Gaynor: I am a software engineer with Rackspace, but moreover I work on Python, the open source projects, and particularly cryptography projects, trying to make cryptography more accessible to developers, and I believe deeply in user privacy, user security, and trying to ____ those things.

Tim: What did you hope to gain today? And how do you think it came out?

Alex: I hope to gain new perspectives on how to give users increased ____ systems, and it has been a fantastic conference.

Tim: Contrast this with the other security conference ____.

Alex: I've never actually been to another security conference.

Tim: This is your first one you went to ____ what do you think of this ____ conference?

Alex: Yes. ____ I have been super pleased. So much, so many exciting, interesting people showing their perspectives. It has been extraordinarily valuable.

Tim: Rackspace has done a lot of open source projects. So how do you feel about ____ privacy and things like that ____ you are here and you work there, ____.

Alex: Obviously, I can't speak officially on behalf of them, but yeah, we place a lot of emphasis on open source and making the code we run very accessible to people.

Tim: ____.

Alex: How do you mean?

Tim: Well, let's say the hardware ____ hardware is something that is getting more and more ____ compared to hardware, and software is getting more complex.

Alex: Sure. So again, I can't speak officially, but I can say one of the projects we are involved in is called Barbican, which is now, I feel, exposing hardware security modules reliably to users in cloud environments as well as providing a more robust secret management infrastructure.

  • Sounds very, um... trustworthy... and believable...

    Even the summary said it was a sellout..

  • "catch as catch can." [merriam-webster.com]: using any available means or method : hit-or-miss
  • by Opportunist (166417) on Thursday March 13, 2014 @01:16PM (#46475325)

    Even if it was for a "good cause". Let's for a moment even assume that the NSA is an all-holy entity that could never do anything wrong and that we trusted them implicitly, not because our software forces us to but because we genuinely wanted to.

    Note the subjunctive.

    Even then the security software would be a security hazard. Simply and plainly because there is (at least) one way to access data that is absolutely beyond your control. You cannot even audit the security level of the entity holding the additional key to your data.

    If you need to give your non-tech boss a way to understand the severity, that's like having a general key to your office and the safe with all the highly classified and mission critical papers deposited at your local police force. While by itself not a problem (provided you trust your police), they are not required to give you any information concerning the key's storage or whereabouts. You will not be notified how they themselves will keep that key safe, nor do you get any kind of information should that key get stolen. You will not be notified if some potential attacker or burglar, or even a competitor, gets access to that key, legally or illegally.

  • I went to RSA on my company's dime for about five years, but was always asleep on a plane before Bill Clinton, Tony Blair or whoever else was there said their piece and collected their fee.

    Now that I'm more selective about which conferences I attend (I've already "seen the show" at the big ones), hitting alternative conferences like DEFCON (instead of BlackHat), and Thotcon (Chicago) and now TrustyCon will continue to be my focus.

    • Hate to break it to you but DEFCON is hardly much of an alternative conference anymore -- it's run by the same guy who started and later sold BlackHat. I was there last year. Vibe was very much the after-party for BlackHat -- lots of similar corporate T-shirts in groups, I think most of the attendees were sent there by their employer and many of them sported schwag. I watched a presentation that had a big "HP" logo for Hewlett Packard on the powerpoint. Lots of vendors (albeit smaller and non-corporate
  • Google.... is your friend.
  • Bruce Schneier did not boycott the RSA Conference [schneier.com]. Instead, Schneier also attended TrustyCon.

  • by CanHasDIY (1672858) on Thursday March 13, 2014 @02:12PM (#46475859) Homepage Journal

    Really? Nobody else is gonna say it? Fine, I'll be that guy:

    Day 1 event schedule:

    - Using the Force to Grow your Leads - Sales Manager Kenobi

    - 2 Meters Across: Beating the Niche Market Slump - Marketing VP Skywalker

    - The Dark Side... of IT Infrastructure - CTO Vader

    - It's A Trap! Avoiding Common Security Mistakes Keynote Speech - Adm. Ackbar

  • I hope this is the beginning of the end of RSA's conferences. That they can not categorically deny any modification to their encryption routines at the behest of the NSA is proof enough that their products can not be trusted. It's farcical that all these researchers, striving for maximally secure systems, would present their findings at a conference hosted by a company that sold everybody out -- and for little money at that.
  • Slashdot's Tim Lord managed to get in....

    I'm assuming this reference to the attendee was missing a letter 'e'. To clarify, this Slashdot staffer is the guy who uses his mystical powers to delay all postings a few days after they've appeared on news.google.com. When people say they don't believe in Time Travel, this guy shows them how to send articles into the future.

  • Yes, article sounds like an advertisement for some wanna-be-conf. Disappointing too that Colbert sold out to RSA. So much for Anonymous' folk hero. At the end of the day it's about opportunists trading people's liberties for cold hard cash.
  • This conference was a nice test of character. Colbert failed, RSA set the bar for epic fail, and it looks like F-Secure gets a pass.
