Thursday, 27 April 2006
Why is it, no matter what I do, my gate is always at the ass-end of the airport? That’s the real reason they want you there two hours early — you need the time to walk to the gate because they don’t actually use the gates near the airport entrance.
Aside from paying $7 for a day-pass, WiFi on the airport concourse is cool. More cool than eTickets and self check-in. For the paranoid: it helps if you can bounce everything through an IPSEC tunnel to your home network. Encryption stronger than WEP is a damn fine thing.
Kvetching out of the way, I’m excited about this trip. The entire reason is to see Massive Attack play live. Reportedly they don’t do a full US tour because they don’t like several of our government’s policies. I learned they were doing one show each in Seattle, Denver, and Indio CA; so with some vacation time to burn, I decided to take in the Denver show. It’s one of those once in a lifetime deals.
Having family in and around the Denver area doesn’t hurt either. I tried my Aunt Kathy and Uncle Don, but they’re in Wichita KS to see their grand-daughter’s dance recital. My cousin Jill also lives in the area, so I gave her a ring. Unfortunately she’s working most of the weekend, but we did set something up for dinner Thursday.
Once I arrived in Denver, I picked up the rental car and headed for the hotel. I got lost once on the way, overshooting things by quite a ways. Once there, I was a bit surprised. It’s not so much a hotel as it is a corporate apartment complex. It’s an older building and the room is about twice the size of your average hotel room. The bedroom space is separate from the living/dining room area and it has a full, if tiny, kitchen.
They have DSL in the room, however the WiFi on the DSL box wasn’t configured. Luckily they didn’t bother to lock down the router, so I was able to set up my own SSID and WEP key, then route everything through an IPSEC tunnel like I did at the airport.
After Jill got off work, we headed for dinner. I was completely open to suggestions, so she suggested Pete’s Greektown Cafe just off Colfax, essentially the main drag in Downtown Denver. Decorated like a typical diner, with brushed aluminum counters, it was good stuff. It had been a while since I had Greek food, so I went with the gyros dinner and got plenty of food. The service was good and the food was delicious.
After dinner, Jill dropped me at the hotel and I called it a night.
- File Under: Road Trip Report
Tuesday, 25 April 2006
My work sent me to an Information Security conference last Thursday and it turned out to be pretty OK. At first I thought it was going to be a total bust, and it was all the way through lunch, but the afternoon speaker made the whole day worthwhile.
The conference consisted mainly of several security vendors, each taking a turn telling you what you should be afraid of and, strangely enough, they just happened to sell a product that would take care of it for you. Spam prevention via email, Trojan horses via instant messaging, firewall and intrusion detection systems.
Don’t get me wrong, all of these are valuable tools in a comprehensive information security arsenal, but none of the presentations were tempered at all. They were geared more toward people wearing the management hat rather than the engineering hat. It was all terribly unfortunate and made for a very dull time.
The first keynote speaker, Dan Thormosgaard, spoke about “Implementing a Secure Wireless Infrastructure.” The subject had the potential to be very interesting, but as a speaker he was sleep inducing. By lunch time I was ready to go into a coma. After lunch it wasn’t looking too good either. Two more vendor presentations that were really no better than the morning sessions.
Finally, after the afternoon break (the breaks were surprisingly long too, 45 minute “coffee-breaks” and almost 90 minutes for lunch), the afternoon keynote speaker took the stage and rocked the house.
Ira Winkler is usually described as a “Modern Day James Bond,” which factors into his presentation a bit. He’s an engaging speaker that knows his topic and keeps things moving. He started out by saying that James Bond and the Jennifer Garner character from Alias are lousy spies, but that’s necessary to making movies and television shows entertaining.
Why are they lousy? The good guys get caught every time. And it’s not like the bad guys are rocket scientists either. How smart is it if, when you capture the person sent to stop you, that you tell them your master plan before you leave them with some time delay method to die from which the good guy can escape easily. And the good guys are clumsy and dumb enough to get caught by these jokers.
In the real world, the good guys seldom get caught. They have to keep it that way because if they do, they die almost instantly. So that’s why every TV and movie spy is bad at their job.
Then he segued into risk management, which is what information security really is. It comes down to a fairly easily expressed formula: 
Winkler told three stories of security evaluations for which he has been contracted to break into a company and try to steal their most valuable assets. Most of the time those assets are in the form of intellectual property. Business strategy documents, financials, nuclear plant designs. In each case, most of his work was done via social engineering, rather than brute forcing his way into their network.
The point is that in the formula, threat never really changes. That’s other people, and you can’t control what other people will do. Likewise, you can’t really change the value of the asset. It’s worth what it’s worth, whether that’s $10 or $10 billion, and it typically goes up over time.
What you can manage is your vulnerability by enacting countermeasures. The trick is that there’s a sweet spot; a point where the price of the countermeasures exceeds the value of the asset. One example is a computer mouse. They cost around $20 these days. They’re essentially disposable when you consider the cost of securing and tracking them. If your Help Desk has to spend even 15 minutes dealing with them, you’re on the losing side of the equation.
On the other hand, if your business is financial management, and your company handles millions of dollars over the course of a normal business day, you care a great deal about the security and integrity of those assets. If they’re lost, you’re done. Kaput. But how much will the countermeasures cost compared to the vulnerabilities you face?
That’s the basic idea, anyway. To me, as a computer geek interested in network security both at work and at home, it was fascinating. 5 minutes into it, I had to buy a copy of his book, I was that impressed.
Mr. Winkler signed autographs after he was done and stopped to chat with each person for a couple minutes. Interested in what they do and what interests them most about information security. In my case, I work for a government subcontractor. He wrote in mine “Do a good job so I don’t have to!” I cracked up on the spot.
If you ever get the chance to see him speak, go. Don’t miss it. Drink the Kool-Aid. At least go out and buy the book.
Tuesday, 18 April 2006
100 years ago today, right now in fact, the Great Quake shook San Francisco. I found this story about the US Mint in San Francisco and the people who saved the United States from possible economic disaster on that fateful day.
[Found via kottke.org.]
- File Under: Remainders