[Dailydave] w00t 08
Jon Oberheide
jon at oberheide.org
Sat Aug 2 15:01:40 EDT 2008

Having just gotten back from WOOT and being a self-loathing academic who
thinks that a significant portion of academic security research is
garbage, I have to both agree and disagree.

Yes, there is a huge gap between the public and private research
communities. This division was very apparent at WOOT this year. There
was a sea of blank stares and misguided questions during Charlie's JS
presentation and a bunch of confused faces when we were discussing
"Dowd-weeks" as a security assurance metric. Simply put, if you want to
filter down the proceedings to the interesting presentations, a simple
`grep -v University` of the author institutions is sufficient.

But I disagree with the "in or out" approach. WOOT certainly has a
difficult task: it only attracted a low 20-some submissions this year,
is scheduled right next to BH USA, and lacks any incentive for private
researchers to bring their work into the USENIX arena, just to name a
few of the problems.

However, if WOOT can narrow that gap between the public and private
communities ever so slightly (or even decrease the rate of the gap
widening), or convince 30-some academics that they are so far behind the
curve of offensive research, then I think it has achieved its goals.

Regards,
Jon Oberheide

On Fri, 2008-08-01 at 11:25 -0400, Dave Aitel wrote:
> These are not the papers you're looking for.
> http://www.usenix.org/event/woot08/tech/full_papers/
>
> Seriously, there's nothing there to scare a network offense
> professional. I don't think it's w00t's fault, either. I think the
> research communities are diverging into public and private, as this
> research gets more expensive to do.
>
> USENIX may not be the place for academic treatment of offensive security
> research. A friend of mine wonders if there's any future for academic
> treatment of the subject at all. He wonders wistfully of course, since
> he likes academia.
>
> Anyways, either be scary or be silly. There's no middle ground here.
> It's a fundamental truth in this field: You're either in, or you're out.
>
> -dave
--
Jon Oberheide <jon at oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE