That devilishly handsome bloke you see to the right is Bruce Hallas. I used to go to school with him nearly 25 years ago, and then last summer, at the first old boys school reunion that our year organised since leaving I met him again, and it turns out we are in the same infosec business. I spoke to him about all of the good work I am doing, the company I work for, the many countries I visited and generally tried to make myself feel more important than the skinny eighteen year old I was when I last saw him. He told me that he runs his own infosec consultancy, his own blog, works with the UK government, and was in the process of setting up “a project” as a freely available, self funding, resource of analogies/stories to help people better understand information security. (Bruce immediately won the “my life is awesome since leaving school” competition of course.)
Since that time, The Analogies Project has grown from one man, an idea and a website to something producing real, quality content, and with a very promising and bright future.
In the words of the Project itself;
The Analogies Project has a clear mission. To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.
Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.
The part of this project that I like the most is that it is essentially a community project. Bruce isn’t charging money for membership to the analogies as they are written (and they are coming thick and fast now!), and none of the contributors are charging for their work either. There are not only the web contributions in the form of a library, but a book planned, a conference, and even an opera! With the momentum that is currently behind the project at the moment there is every reason to believe in its future success.
So why am I contributing? Honestly, I have selfish and philanthropic reasons to do so. Obviously it gets my name out there, allows me to practise my writing, test some ideas and also say “I was there from the start”. All that aside though, I have frequently struggled in my day job to get infosec concepts across to people, either directly, in meetings or even in awareness training. To have had a resource like this available to me five years ago would have made my life so much easier, allowed me to advance the infosec “cause” more effectively and given me a set of tools I knew were consistant with the prevailing thoughts of industry commentators. Having a centralised, peer validated, toolkit available is fundamental to us as professionals when it comes to the messaging we give to our users, clients, bosses, teams and even the infosec community as a whole.
It’s still early days, but I have submitted my first contribution just last week (soon to be published I hope) and I am already inspired enough to be working on my second and third. There are a number of analogies already in place, and I would urge you to read them and consider them in the context of your current communications to your audiences, whomever they may be. The book will be another important milestone and one I hope to play a part in; indeed I hope to be able to play a part in the the project for the forseeable future, and why I am happy and proud to display my “contributor” badge up on the top right of this site.
If you feel you have something to contribute, then head over to The Analogies Project and let Bruce and the organisers know. If you don’t feel ready to, then certainly check it out anyway. You won’t regret it.
This is not a the type of post you normally get from me but I felt compelled to jump out of my comfort zone given the amount of coverage that DefCon is getting as a result of banning “Feds” from attending DefCon 21 this year.
My personal opinion on this is somewhat irrelevant given DefCon is not the type of conference I attend given the core topics covered are not my day job. For what it is worth however I am a staunch believer in having as open and transparent a dialogue between two opposing viewpoints as possible, and therefore feel this is an odd and somewhat self defeating decision.
But perhaps more importantly I feel there is something of a naiveté surrounding the fact that 1) people think the message will be taken seriously by the Feds, and 2) that the Feds have not successfully been undercover there anyway.
I know that the “Spot the Fed” fun that occurs every year is seen as proof that the general community of attendees is able to spot the government moles that attend. I find this preposterous though! Whatever department of “Fed” it is that attends, be it the NSA, FBI, CIA or other TLA agency I think it is germane to appreciate that these are a group of people who successfully infiltrate organisations far more dangerous than DefCon, and for far longer periods. Undercover operations are taken extremely seriously, require extraordinary amounts of character and commitment, and are not easily undermined. I am sure someone with the power of Google will be able to find the odd example of undercover operations that have gone awry, but to my mind, there are likely to be more Feds at DefCon than anyone would think, and there have been for years.
I am not going to go into what the motives for doing this are, that is for people far more politically minded than me. I would however suggest that this years Spot the Fed competition will be a dud, not because they aren’t there, but because the Feds who attend in plain sight won’t be attending. Who will you be sitting next to at DefCon this year, and how much about them do you really know?