Why Are We Talking Philosophy Instead of Technology

I still believe that the presentations and panels being selected for most information security events are much too far removed from the “roots” of the art. Oftentimes this goes so far that a full slate of presentations turns out to be mostly lesser keynotes, with little more than feelings, whether warm fuzzies or cold pricklies, for the audience to take home. This is a negative thing for many reasons, but before we start, let's make sure we're speaking the same language.

To be clear, there is a difference between a conference and a con, perhaps not always in name but certainly in form. Conferences are for the money men to get together and see presentations from pseudo-sales guys about how their latest widget is fantastic and solves some problem they didn't know they were having, drink a few drinks, and maybe buy a couple of the aforementioned widgets at the end of the day. Cons, on the other hand, are less formal affairs: you probably aren't going to get a free meal or a t-shirt with vendor logos all over it, and staying up all night hacking away on something other than PowerPoint is common. Real information is shared, whether in sessions or at the local watering hole. Practitioners and researchers get down into the things that interest them. Sessions provide actionable information, whether it's that the thing you thought was safe probably isn't, someone proving that the theoretical attack isn't so theoretical anymore, or that a painful issue in reversing/exploiting/administrating has been made a lot easier by a tool the presenter released. Of course these cons still exist, probably in similar or greater numbers than ever, but the sheer number of “mostly for social reasons” cons makes them much harder to find, and much less likely that someone just becoming interested in the art will find their way to one. Make no mistake, I'm not expecting conferences to be more like cons, but I think cons would do well to act a lot less like conferences… seriously, who needs another logoed messenger bag, full of cheap pens, that you won't use?

The industry is plagued with “professionals” who don't understand the basic technical concepts. Admittedly, public cutting-edge research has advanced at an impressive pace, and less public research more so, but it's 2012: if you don't have a good understanding of at least the concepts being discussed by researchers in the early 2000s, you're at best parroting and at worst contributing to the snake oil/FUD problem. I'm as guilty as the next person in that my presentations lately have been very high level, heavy on stats, findings, and approaches and light on code. And I'll be the first to admit that giving an engaging presentation with deep details is a rare art, but fighting to stay awake through the bad ones is completely worth it for the rare one you leave with your head swimming and your mind expanded.

We're setting ourselves up for failure when we separate the “security community” from its technical underpinnings. Yes, security is fundamentally a people problem, but it cannot be separated from the technical details we have to deal with today. We still have to get better at breaking apart the old, or at figuring out the best detection/response techniques for the systems we're charged with caring for. If we focus only on high-level abstract discussions on the philosophy of security for a better tomorrow, we're going to keep stubbing our toes on the coffee tables of today. We rob ourselves of the chance to be inspired by advances in the practical aspects of information security if we don't give them a platform.