So what motivates me to attend BlackHat? The #1 reason for me is networking — meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends in the industry. Twitter and other forms of microblogging help you chip away at the communication gaps; you get a glimpse into peoples’ lives but it’s no replacement for a real conversation.

Obviously, the briefings themselves are a major draw. Even though it’s expanded to over 10 tracks now, the quality hasn’t really suffered. This year’s experiment with allowing paid delegates to vote on speakers seems to have produced a good lineup, though I’m sure there was still a selection committee that could and probably did overrule the votes in some cases. Either way, BlackHat presentations are a decent indicator of the overarching themes that will be prevalent in information security for the upcoming year or two.

When I first started attending BlackHat, I was drawn to the talks discussing 0-day vulnerabilities, tool releases, shellcode tricks, and the like. These days, anything relating to static analysis, automation, and of course web security are most interesting to me. I also consider who’s speaking, regardless of the topic (e.g. one of these guys presents, I’m there). In general, I’ll try to gauge how much value the speaker will add to the presentation — in other words, what do I gain by attending the talk vs. flipping through the slides later? I never attend every time slot; sometimes the hallway conversation is just more interesting.

Some of my other reasons for attending, in no particular order, most of which fall under the “networking” umbrella:

• The parties (duh)
• The Pwnie Awards
• Meeting fellow security bloggers
• Recruiting speakers for SOURCE
• Finding future Veracode employees
• Trading war stories
• Picking up vendor schwag for my kids (RSA is much better for this one)
• Meeting current and former customers — and future ones, hopefully

Things I could do without:

• The cigarette smoke
• The heat
• Quark’s

I’ve stuck around for DEFCON a couple times in the past, but I don’t anymore. I fly out Friday morning or early afternoon so I get home in time to spend the weekend with the family. Personally, three days in Vegas is plenty for me.

When it gets closer to BlackHat time, I’ll post my picks from the briefings schedule.

The evolutionary primacy of the brain's fear circuitry makes it more powerful than the brain's reasoning faculties. The amygdala sprouts a profusion of connections to higher brain regions -- neurons that carry one-way traffic from amygdala to neocortex. Few connections run from the cortex to the amygdala, however. That allows the amygdala to override the products of the logical, thoughtful cortex, but not vice versa. So although it is sometimes possible to think yourself out of fear ("I know that dark shape in the alley is just a trash can"), it takes great effort and persistence. Instead, fear tends to overrule reason, as the amygdala hobbles our logic and reasoning circuits. That makes fear "far, far more powerful than reason," says neurobiologist Michael Fanselow of the University of California, Los Angeles. "It evolved as a mechanism to protect us from life-threatening situations, and from an evolutionary standpoint there's nothing more important than that."

I've already written about this sort of thing.

• ...numerous standards organizations have issued leading or “best” practices for control design and implementation; however, neither SOX (Sarbanes-Oxley Section 404) nor the PCAOB (Public Company Accounting Oversight Board) recommends a specific set of controls.


• ...In 2004, (PCAOB) issued a statement that COSO (“Committee of Sponsoring Organizations’ Internal Control—Integrated Framework"), or any other generally accepted control framework could be used. Note: it did not say COSO was the only one.


• But COSO can pose a problem...COSO doesn’t set out details. As its name implies, it is a framework.


• Each organization must still go through the difficult process of setting out its own system of internal control to meet its perception of COSO—which, in broad terms, is more of a philosophy than a set of rules.


• To fill the gap between theories and practice in implementing effective general IT controls, managers have turned to other externally developed standards and frameworks, such as the Information Technology Infrastructure Library (ITIL) from OGC, CobiT from ISACA, or the 20000-series of information security standards from the ISO/IEC