(Related Pages :: BSidesBoston)

Call For Presenters (CFP)

BSides Boston will have two tracks (with "availability" for additional, ad-hoc talks that come up during the event). The first track will be talks voted on/confirmed before the event; the second track will be done Barcamp style, wherein talks will be announced on the first day and voted up on-the-spot.  The second track is ideal for round-table type discussions.

Talks

Please update with your: name, contact information (email, twitter, website), presentation title, and short description.  Please leave use the example text as a template.  Simply copy and paste it into a new entry, then edit it to fit your talk.   

• Name: Mike Dahn http://chaordicmind.com/
• Title: Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)
• Abstract: Just as there are two sides to every coin, there are two schools of thought in risk management. One camp believes that there is never enough data to make statistically significant risk decisions, due to the unknown-unknowns and never really knowing the entire population of data breaches. Another camp believes that we have well detailed information about specific domains and using Bayesian math we can come to conclusions on how to manage risk. Regardless of the group or believe in risk management the fact is that we all manage risk. This session will discuss the two camps and propose a hybrid model that goes beyond technical details into the core of trusted knowledge relationships. Read a review here.

• Name: Salvatore (Sal) D'Agostino sal@idmachines.com @IDmachines http://www.idmachines.com  http://idmachines.blogspot.com 
• Title: Personal Identity Verification Interoperability (PIV-I)
• Abstract: Personal Identity Verification (PIV) and Personal Identity Verification Interoperability (PIV-I) refer to the evolving standard for identity and credentialing being adopted by the United States Federal government and increasingly by state and local governments and critical infrastructure enterprises. These standards heavily leverage X.509 and public key infrastructure (PKI) to create a single token for authentication across logical and physical human and device identities. The talk will give a brief overview of the development of the standards including the relevant Federal Information Processing Standards (in particular FIPS 201) and the supporting special publications. It will review the current use cases that cover approximately 7 million individuals. The talk will focus on the enterprise architecture components necessary to support the use in physical and logical access control and the current solutions and services available and in particular highlight the differences among them.

• Name: Andrew Hay
• Title: So You Want to Write a Security Book, Eh?
• Abstract: Have you ever thought about writing a security book, but were not sure where to start? What kind of book should you write? How do you get a publisher? What can you expect to make off your book?

  Join Andrew Hay, author of the OSSEC Host-based Intrusion Detection Guide, Nagios 3 Enterprise Network Monitoring, and the Nokia Firewall, VPN, and IPSO Configuration Guide, to learn the pros and cons of being a security author and to learn if you've got what it takes to write the next great security book.

• Name: The B-Sides Team
• Title: Behind B-Sides, putting on a B-Sides event
• Abstract: Lessons learned, both the easy and hard ways, in organizing and running a B-Sides event.  Come to learn, come to laugh at our mistakes, come to make "polite suggestions", start planning the next event.

• Name: grep8000 : http://grep8000.blogspot.com : grep8000@yahoo.com
• Title: Escalating privileges through Secondary Logon (RunAs) processes
• Abstract: The scenario: You target a sysadmin PC and obtain a backdoor shell through a browser exploit, PDF with embedded payload, or similar client-side vector. However, because the organization is using RunAs best practices, your shell is running with limited user privileges. Some RunAs-invoked programs are running under the sysadmin's Domain Admin account, but you can't directly migrate to these processes from a limited user shell. The RunAs framework indicates that a user-level process should not be allowed to send commands to a greater privilege process. Sounds fairly solid, but as always, there are exceptions.. 

• Name: Marisa Fagan, @dewzi, http://erratasec.blogspot.com
• Title: No Budget Training
• Abstract:  During Security B-Sides San Francisco, I gave a lightning talk about software assurance and including security in your SDLC. I briefly mentioned the importance of training, and how companies should "get creative" in their training programs. I would like a chance to elaborate on this point, and talk about how small to mid-size software development companies with little to zero resources can still do security training. I'll cover online courses, on the job excersizes, mentoring, and much more! 

• Name: Jack Daniel @jack_daniel, http://blog.uncommonsensesecurity.com/
• Title: Surviving a Teleporter Accident.
• Abstract: Tips and tricks for dealing with this all-too-common tragedy.  Don't be a victim, be prepared.

• Name: Joshua Corman @joshcorman , http://www.the451group.com 
• Title: Fsck the FUD and the ECHO ECho echo Chamber 
• Abstract: The Signal-to-Noise ratio in our space is more like a Noise-to-Signal ratio. It is increasingly difficult to have rational and substantive discussion on many of our more significant issue. E.g. the [Mis/Dis]Information on topics like Aurora and APTs have driven two equal and opposite, unhelpful effects. The "Advanced Persistent Threat" of Intellectually Dishonest Marketing and FUD-mongering has muddied and confused the market. In nauseated response, the informed bloggers, thought leaders, and clue-full, dismissively groan when they hear the letters "APT" [and God kills a kitten] - despite the fact that many of us have *years* of direct experience researching and responding to the reality of talented, sophisticated adversaries. We need to be better. We need to drive clarity and dialogue - and drive out ambiguity, lies, and distraction. We need to Drive more Signal - and less Noise. Fsck it!

• Name: Erin @SecBarbie Jacobs http://www.secsocial.com/blog
• Title: I can't make this sh!t up! - War Stories from a former and award winning CSO
• Abstract: Stories from years of dealing with alternating and contradicting compliance requirements, external auditors, internal corporate politics, and survival from a light-hearted perspective. Come grab a coffee, sit and participate in what will end up being a fun and open dialogue of how to survive as mid-sized corporate CSO. 

• Name: James Baker @ABCecurity
• Title: The changing landscape of Enterprise Information Security Architecture: How does virtualization and Cloud computing play a role in it?
• Abstract: Virtualization and Cloud computing are the driving forces in businesses wanting to consolidate, lower IT budgets, and provide elasticity for their IT resources. All of this while trying to comply with their regulatory conditions. These business goals are relying on technologies that are relatively new and gaining popularity daily. How does a security professional maintain a company’s good security posture in support of these businesses goals? In this presentation I hope to answer that question by first discussing how some aspects of Enterprise Information Security Architectures need to be realigned to meet these business goals and how other aspects are only found in cretin Security Architectures, but should be in any EISA that plans on taking  advantage of virtualization and Cloud computing

• Name: Joseph Sokoly @jsokoly
• Title: ...But If You Try Sometime, You Get What You Need
• Abstract: A continuation of the challenge issued at BSidesAustin. A recounting of my experiences giving a first talk at an InfoSec con, and another challenge to a new group of people. 

• Name: Dan Stolts @danstolts
• Title: Become a Superstar and get paid like one too!
• Abstract: Come to this session to learn how to be seen as a superstar by your peers and most importantly your boss. Learn how to use this new found "label" to get paid what you deserve. This session will start off with Dan Stolts sharing his secrets of success and then moderating an open discussion from the audience on what they have done to achieve success. If you are already a superstar, come and share your experiences (and get new ideas to maintain your status). You might also get some ideas on how to increase your worth and your paycheck. If you are not yet viewed as a superstar, come and find out how to do it. At this type of conference there are many superstars in the network and security field.  This discussion will bring out the lessons learned for all to learn from and take advantage of.  So come get some ideas, have some fun and learn how to fatten your wallet all at the same time.  Who knows, maybe you will find the secret of a 6 figure income (and more).

• Name: Dan Stolts @danstolts
• Title: Hyper-V Security
• Abstract: Come to this informal, interactive and marketing free session to learn how Hyper-V (in Windows Server 2008 and Windows Server 2008 R2) is architected (for a secure hypervisor platform) and what you need to know as you start playing with virtualization on Hyper-V.  After looking at the architecture, we will take a closer look at networking and segmentation for performance as well as security.  As if that were not enough, we will conclude with some great resources (free and otherwise) to enhance your knowledge on this technology.

• Name: Dan Stolts @danstolts
• Title: Build Our Community While You Build Your Reputation and Sphere Of Influence
• Abstract: Everyone knows that who you know is often far more important than what you know. Come to this session to learn how to expand your sphere of influence while building your reputation and helping your community.  We will look at starting community groups, growing community groups and how to "leverage" the community to get what you want out of life. In this interactive session there will be plenty of opportunity for all to participate so bring your questions and bring your ideas. Most importantly though, bring your open mind because we will fill it with the information you need to start and grow an online and/or live community group. You will take away a new way of looking at community and a firm understanding on what you can do to get the most out of your community investment.  

• Name: Michelle Klinger @diami03
• Title: PCI: The R.O.U.S. for Service Providers 
• Abstract: This talk is to highlight the under discussed challenges organizations categorized as Service Providers under PCI are facing to meet PCI compliance. This includes their absence when discussing potential solutions for PCI and their concerns when being discussed amongst PCI professionals. My purpose is to shed some light so that security professionals are aware of the reach PCI disruption has and not just for merchants. Audience participation (e.g. war stories) are welcomed and encouraged. 

• Name: Paul Roberts @ the451group  
• Title: Teach to the Test: How anti malware testing gets it wrong (and makes us less secure)  
• Abstract: The smoke and mirrors game that is anti malware testing and benchmarking is the worst kept secret in the security industry. This presentation will take the measure of current methods for evaluating the effectiveness of anti malware suites, discuss proposed (and implemented) changes in testing protocols and make the argument for why current testing regimes like the VB 100 are ineffective and, in fact, divert development resources (and attention) away from efforts that could improve the effectiveness of anti malware products. With the decline of independent testing labs, there's need now more than ever for responsible, industry led efforts to quantity the effectiveness of malware fighting products. This talk will suggest some ways that might be accomplished.     

• Name: Gal Shpantzer  @Shpantzer   
• Title: Security Domination via Hard Drive Isolation
• Abstract: Every individual and organization with an internet connection is a reluctant participant in the malware arms-race, investing untold blood and treasure in securing the essentially unsecurable: Commercial general-purpose, fat-client endpoints that are simply inappropriate for certain high-risk business processes. This talk goes through this problem and proposes an alternative approach to the one-size-fits-all desktop. A recent SANS.edu grad student project call this approach ROBAM, while Gartner calls it Trusted Portable Personality Devices. You will learn how leading government, financial and emergency response sector organizations are enabling security while simultaneously extending remote access and mobility to administrators as well as end users. Several specific use-cases are outlined and demonstrated in this talk.

• Name: Gal Shpantzer  @Shpantzer   
• Title: Security Outliers: Cultural Cues from High-Risk Professions    

• Abstract:  What do security officers have in common with airline pilots, surgeons, and special operation teams? This presentation explores factors involved in successful risk management for security officers by drawing upon lessons from other high risk professions that have a cultural legacy of overcoming risk. We derive early warning indicators of communication disconnects and provide a list of training objectives to dramatically improve risk management outcomes. (This talk was successfully delivered at RSA in March 2010 and is updated with new interviews and research)