After a two year hiatus, I am writing again a small post for the 5th ISACA Athens Chapter Conference which I had the joy to attend in full.  The previous two, I tried to attend but in 2013 I got dragged out of the conference due to an emergency and in 2014 I got sick.

The conference had a great start with Prof. D. Gritzalis delivering a speech with his usual performance (worth studying when you speak in front of an audience). His address was focused around Aristotle’s “high honors are awarded to one who kills a tyrant, but not to one who kills a thief“.

Then the floor was given to Jim Manico who spoke about the development of the OWASP Application Security Verification Standard 3.0 [pdf]. If there’s one thing to grab from Jim’s keynote, that would be “have dedicated security sprints” to address problems in your code.

Vasilis Katos gave once more a stellar performance on stuff they work on at Bournemouth University. A true loss for Greece, he traded war stories of stuff they have dealt with online regarding criminal activity. He covered stuff ranging from cyber-psychology, the fading distinction between online and offline life up to money laundering and murder.

Generally I get bored when leadership talks are given. They take more than 20 minutes to arrive to the conclusion (most of the time obvious to me) if any. But this time. Artemis Miropoulos after eating away his twenty and more minutes (of course) left the audience with two valuable pieces of advice: (a) If you feel you ever wronged someone, go and ask for forgiveness. Grudges, even for the most idiotic reason tend to stay unresolved for years and (b) take care of your profile and have one in the first place. Not having any, which in Engineering often is the result of humility, not only harms your career, but also the careers of the people working under you. You owe it at least to them.

My longtime friend from college years, Dr. Athena Bourka delivered a speech about Big Data and Privacy and the effort needed to keep those two in balance. Like many others before me, I believe this is a lost game (she doesn’t) but I too believe we need to work on this, despite the game being lost.

The closing keynote was delivered by ISACA’s Vice President Rosemary Amato. I wish I had her notes because the first five minutes summarised all of the conference and I would have written a better post than just hailing stuff I loved listening to.

That’s just about it. I tried to blog how I felt during the conference since you can find all the slides at the conference site. If you want to see what was being twitted the whole time, just inspect #isacaathconf15.

“Πάλι απουσία στο athcon” –SMS φίλου

Για μια ακόμα (4η συνεχόμενη) φορά δεν κατάφερα να έρθω στο AthCon λόγω υποχρεώσεων.

Καλή επιτυχία στις εργασίες σας παιδιά (και στο hallway track ειδικότερα) και ελπίζω του χρόνου να έρθω.

When Martijn Grooten told me that he would spend a few days in Greece, I immediately grabbed the opportunity and asked him to give us a presentation. He gladly accepted and with great assistance from the Athens ISACA and Greek OWASP chapters, the presentation was given yesterday at 18:30 at PwC’s building:

Photo courtsey of @kpapapan

Photo courtesy of @kpapapan

The title of the presentation is “Being a spammer for 40 minutes” and you can grab the PDF version of the slides. For those who missed it (and it was a full house) an outline of what Martijn intended to say was posted some days earlier.

Thank you Martijn for letting us share and thank you for giving an illuminating talk for a diverse audience. Indeed the interesting things in mail happen after filtering.

3rd Infocom Security badge

3rd Infocom Security badge

Yesterday I managed to attend the 3rd Infocom Security event here in Athens. It was a full house, given the fact that the registration queue was so long that I gave up and went for coffee for half an hour before returning to the desk. Such a high attendance was to be expected, since this is a “free of charge” event. I saw almost all familiar faces (whether we’ve been introduced or not) that I see in other events and gatherings which are considerably smaller. This only makes it a success.

For as long as I stayed there, I was on the hallway track. It was too difficult to secure a place within the halls, so I wandered around the booths with a lot of other attendees. The most interesting one IMHO, was by census since these guys did something that the others did not: The displayed a zero day exploit. Quite impressive stuff accompanied by an excellent and thorough technical explanation. In the end I had an interesting exchange with them that went along these lines:

– Since you are not in the exploit selling business, why are you showing this to me here?
– We aim to show that even when you do your best (and most do not) you may end up with a false sense of security. And we aim to help you with that.

A lot of people opt for the blue pill and take a bet: things won’t break while they are in office. Even competent people put their heads in the sand sometimes.

So there, it was a “red pill” presentation, quite different from the typical “blue pill” ones that we’re used to. And the best thing that I got from the event.

#include<std/disclaimer.h> /* I have known the census people for some years and share a graduate supervisor with one of them */

Sun Tzu said:

He who can modify his tactics in relation to his opponent and thereby succeed in winning, may be called a heaven- born captain.

Which is much like what Boyd said some thousand years later about “getting inside” the opponent’s OODA Loop.

Yesterday I attended the 2nd ISACA Athens Chapter Conference. Time and money did not permit attending the workshop the day before, but I heard it was a great success. So here are some of the highlights:

Paul Spirakis talked about “Trust in the Web”. His talk followed closely the spirit of “Reflections on Trusting Trust” with a bit of mathematics and more time at his disposal. He concluded with a metatheorem (a conjecture really) that we cannot achieve perfect trust in the web and in his line of thought this closely resembles Arrow’s Impossibility Theorem. In my mind and following the same path of thought, this is not similar to Arrow’s theorem, but more closely to the Good Regulator which also depicts the complexity needed in order to achieve this.

Spirakis’s talk made me think that we System Administrators love to say that trust is not transitive, or as my good friend George loves to recite “I trust my friend who trusts the President; do I trust the President?”. And yet, although we say this thing like we believe it, at the same time we demand using protocols that depend on PKI or other third part infrastructure all the time. And we feel good about this and our users do not complain since their browser (who also trusts a set of third parties) does not complain too. The truth is that trust decays upon transition. We trust someone to a degree of certainty (which can be absolute) but when we introduce that someone to a third person, a lower degree comes along with the introduction. Why? Because it is always possible that the person we introduced do something we did not expect. The person accepting the introduction, accepts it with even less certainty that we do (yes they may accept our word blindly, so multiply by one in this case) and the two newly introduced parties work their trust from there. So given time, trust either builds up or dies out. But I digressed long enough.

@kpapapan (Greek OWASP chapter leader) presented the idea where bugs in code are debt waiting to be paid later. I had never considered this point of view and I liked it very much. I surely hope he can have the opportunity to present again the subject this time with the aid of numbers from a real software project that costs money to develop and support. I sure hope that there can be one or two software vendors that can provide him the numbers to support the “bugs as debt” point of view. It would help project managers deciding realistic deadlines.

This was part of a “20 slides in 20 seconds” track where George Raikos gave an excellent presentation based on the “Ginetai” (it can be done) rebranding strategy for Greece. I am opposed to “Ginetai” but I have to acknowledge excellence even to stuff that I do not agree with. In the same session there were also two presentations from the ISACA Athens Chapter board members thanks to which I learned that in Greece there exist 192 CISAs, 71 CISMs, 24 CGEITs and 52 CRISCs. That was Friday. Saturday was ISACA test day, so I am guessing these numbers will grow.

The best presentation in the room was given by Ramses Gallego. Forget all he spoke about going beyond identity management and towards access governance. The man asked the audience the Drucker question:

If you were outside the industry that you are in now and you had all the information that you have now, would you join it?

– If not run away; otherwise embrace the field.

Pretty generic, but that is what you take away from impressive speakers. Stuff that can be applied in multiple cases. Closer to home Ramses also insisted on asking the right questions (about access) at the right time. Because this gives you control of the world that you are supposed to be managing: Who? What? When? Where? Why? How?

And of course there was the “hallway track”. Usually the most important part of a conference. I did not have the chance to talk to a lot of people but really exchanged a few ideas with some, triggered mostly by what was presented. Even though it may be unconscious to many of the attendees, they are employing a systems approach on the (well) systems that they manage. To that end a bit of studying system dynamics is needed, since it will enrich the view we have on the behaviour of the systems (people, machines, processes and information) that we manage. The hallway track is always the best part of the conference and this time I left with a whole lot of pointers for stuff to look up.

There were four or five people tweeting from the conference, less than 3% of the attendees. That was bad. I would have loved to see what others made of the presentations while they were being given.

Congratulations to the ISACA Athens Chapter board members for organising what seems to be a conference that will last many years. Congratulations to them also for making it possible for unemployed members of the Chapter to attend free of charge.

I am a big fan of Jeffrey Carr‘s “Inside Cyber Warfare“, so when he wrote “A traveler’s guide to cyber security” I went along and bought it. The booklet is exactly what the title says: A traveler’s guide. It puts you into the mind frame you have to have when you visit a foreign country (sometimes it may not even be a foreign country, it may be a certain building) and what measures to take in order to protect (as best as you can) your electronic data.

It is divided roughly in three parts, the first one being the measures that you have to take depending how high profile a target you assess that you are. The second part presents the legal framework within which Russian and PRC agencies operate, while the third is an interesting collection of news articles about espionage stories all over the world which involve cyber activities in the process.

Fun reading, cheap, small (40 pages) and handy to show when a less technical “higher up” needs to understand stuff.