The “Off The Record” Track

Posted November 21st, 2011 by

So while I was at some conferences over the past couple of months, I had an awesome idea while sitting in a panel about data breaches, especially notification. While streaming conferences is pretty awesome for most content, I keep thinking that as an industry we need the exact opposite: a track of the conference that is completely off-the-record.

Here in DC when we do smaller training sessions, we invoke the Chatham House Rule.  That is, the discussion is for non-attribution.  There are several reasons behind this:

  • You don’t have to worry (too much, anyway) about vendors in attendance selling you something
  • It won’t end up in the press
  • It gets real information to people instead of things that are “fit for public consumption”

My local area has a hackers association (No linkie, if you have minimal skill you can find it) that meets to talk about mostly technical stuff and what folks are working on.  I find that more and more often when I do a talk there I do it “Off the Record” for a wide variety of reasons:

  • I don’t want the attackers to get more effective
  • I have half-baked ideas where I want/need feedback on if they are completely off-base
  • The subject matter is in a legal gray-area and I’m not a lawyer
  • I talk “on the record” all day every day about the same things
  • I can “test-drive” presentation material to see how it works
  • I can show nuts and bolts

So, the point of all this is that maybe we need to start having more frank discussions about what the bad guys are doing “in the wild” if we want to stop them, and that involves talking with peers from other companies inside the same industry to see what they are getting hit with.

Chatham House Rule photo by markhillary.



Posted in Public Policy, Speaking, What Doesn't Work, What Works | 3 Comments »

3 Responses

  1.  Ben Says:

    We’ve had “cone of silence” talks and tracks since the very first BSides event using these general rules. The first BSides Austin had a complete track dedicated for “cone of silence” talks/discussions.

  2.  Network Security Blog » Open tabs 11/22/11 Says:

    [...] The “Off the Record” track – There’s really no such thing as “off the record”.  But for some reason, I’ve noticed that people become more guarded and less likely to talk when they first  [...]

  3.  LonerVamp Says:

    1. I think they should always be called “Chatham House Rules” talks, so that we let everyone know what that means. There are still uninitiated who don’t know what that means when they attend something like that.

    2. This is one thing I like about ad hoc Defcon discussions and the like. Even if you don’t trust the rest of the attendees around you, chances are no one knows your name, you can decline recording, and you can frown upon photos. Being able to attend anonymously or under a pseudonym is still valuable. A little less so when everyone in the room is local and knows who you work for anyway. :)

    3. For most orgs, I don’t see why you wouldn’t share information. Sure, actual breaches and incidents might be pushing the line, but even to talk about your implemented technology or weaknesses probably doesn’t open any doors for malicious attendees.

    4. I don’t always need someone to say their name, who they work for, and why they’re qualified to talk on a topic. If their data/content will demonstrate that to me, I couldn’t care less. Tell me your pseudonym and go to town (and save those 2 minutes for more content!).

    5. We really need orgs to be less gun shy about divulging things anyway.
