ITWeb Security Summit in 2009 was my first "industry" security conference, and after a long diet of academic security conferences, ITWeb was a huge let-down. There were some interesting talks - especially the key notes, but a lot of the others were a big waste of time. So much so, I did not bother going again until last year - and even then, it was for half a day.
This year was slightly different - I was presenting in the afternoon, and so took the opportunity to also attend the keynotes in the morning and some of the other topics in my own track. The organisation was a bit sloppy: for a conference in its ninth year, starting late due to traffic is inexcusable - rather start late given that traffic in Sandton at 8am is bad! Likewise, the opening remarks were a long ramble with no particular purpose - especially given that the conference was already behind schedule!
The first keynote by Jacob Appelbaum's was definitely worth attending; covering a number of interesting topics related to surveillance. A bulk of it related to a primer of the NSA surveillance techniques, and especially on how these techniques are leveraged and integrated to provide a holistic end-to-end capability to intercept, inject and siphon data. His observations were scathing - not only of the US government but also of the general attitudes - and called the European/US/Canadian stance effectively "deep seated racism" - that they see themselves as superior, and thus it is ok to be doing mass surveillance on other people. I particularly enjoyed his argument, that it is not so much the NSA that is wrong - but the fact that this capability is provided for, and accepted. His view that even court authorised targeted surveillance without informing the target should outlawed is extreme - but was logically sound in the context provided. Sadly, he did not have much in the way of solution - and his approach of effectively open source (not necessarily commercially free) software and hardware will take a long time to really mature to be usable by the masses.
Christopher Soghoian's keynote continued in a similar vein, focusing more on the, almost willing, corporate participation in the NSA programmes. Some of it, such as major service providers like Google and Yahoo not forcing SSL connections for email logins by default inadvertently helped programmes like those run by the NSA. Although he did comment on the business models employed - effectively targeted advertising - I think part of the issue, that these services are free to the user could lead to undue expectations - after all, you do get what you paid for.
Unfortunately, I can't make day 2 - but at least the keynotes were well worth attending. The track I was on was ok overall - a wide diversity in the level of content presented; and was generally well attended.