The topic for the evening was "Information Security: Is It Time to Fight Back?". For those that are impatient, the short answer (at least in the USA) is "No".
Here's my quick summary and rating of the panelists:
- Karen Worstell (Moderator): She did an OK job of running the discussion. I would have liked to have more time for questions from the audience, and found some of her comments sloppy and alarmist. ("100% of organizations have been compromised" - really? 100%? That doesn't leave much wiggle-room). She also tended to let the discussion drift into general security topics (patch management, current exploit environment, what motivates attackers, etc.) which was sometimes a little boring. (But might have been good for people in the audience that had no security background).
- Kirk Bailey & David Dittrich (both from UW): Both were smart and had good anecdotes from the UW's experiences. David's is a name I'm somewhat familiar with (probably from his prior work on DDoS attacks). David mentioned a cool tool named Nepenthes that is used to collect malware for analysis. David's also got a more aggressive attitude in terms of going on the offensive, mainly to collect data that can be used to prosecute folks. (Too many people "pull the plug" after a compromise and just want to get their system back into operation, often losing data needed to investigate and identify the perpetrators).
- Albert Gidari Jr.: The lawyer on the panel - a great speaker and amusing too - which is something for a lawyer! :) His best quote (paraphrased from memory) when asked about attacking back:
Some people call them vigilantes, I prefer the term "felon"...
Essentially, under current law, doing anything that enters/affects someone else's PC without their consent would make you a criminal - even if acting in "self defence" or solely to gather information to aid prosecution. The FBI/state can do these activities, so reporting incidents to the local authorities is currently the only legal way to respond. The problem raised is that for large-scale, egregious, or very easy to investigate and prosecute incidents, this works fine, but for smaller or harder incidents, there aren't enough resources. The FBI et al. have the resources and expertise to track down the perpetrator and make arrests (witness ZOTOB and the NW Hospital cases), but for small businesses or individuals, the approach of contacting local police/law enforcement usually won't end up going anywhere.
- Kristin Johnson (Microsoft): Sadly arrived late (due to traffic on the 520 which also delayed me...), but made a good impression during the time she was there.
Now, some rants about the venue (Westin Hotel in Seattle)...
- I got there about 75 mins late, which meant that I missed dinner. That's a bummer considering I paid $55 (I should be able to get reimbursed, but still...) There was salad waiting at each unoccupied seat, and some dessert, but no other food.
- I guess the moral of the story is get there on time. However, for people coming over from the East Side, the start time of 5pm is ridiculously early. WSA: How about a cheaper price that excludes dinner for folks that know they'll be late?
- I got some wine on the way, initially thinking at least one drink would be included in said $55 fee. Wrong! $8.50 for a glass of incredibly ordinary merlot. :(
On the positive side, once the event was over, I found myself hungry and within one block of the Palace Kitchen. So, I treated myself to dinner there, which was amazing! More on that later...