Welcome
Welcome to securitymetrics.org, a community website for security practitioners. Securitymetrics.org offers a community blogging service (this page) and a members-only mailing list. See the Mailing List page for more details.

Announcing Metricon 5

Metricon 5 is the fifth annual conference dedicated to security metrics. It is a forum for presenting new approaches for measuring information security effectiveness, with a bias towards practical, specific approaches. Topics and presentations will be selected for their novelty and merit, and their potential to stimulate discussion.

With five years of organized conferences in the history books, this year's theme, appropriately, is Older But Wiser. Four years ago, presenters at the first Metricon discussed software security, benchmarking, identity management, enterprise case studies and many other topics. Since then, researchers and enterprises have continued to investigate new techniques. What have we learned? Since measurement is our business, measuring the security metrics field itself (and the successes or failures of our own efforts) is also our responsibility.

The program is organized along three temporal perspectives:

  • Metrics Past. Which metrics techniques from 2006 worked, and which did not? And how can knowledge of the past inform the present and future?
  • Metrics Present. What is the state of the art as practiced today by leading corporations, consultants and researchers?
  • Metrics Future. What new strategies for measuring security will emerge in the future?

Metricon 5 will be a one-day event, Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC (http://www.usenix.org/events/sec10/). Metricon will begin bright and early in the morning, continue through a catered lunch in the meeting room, and extend into the evening with informal discussion. Attendance will be by invitation. Capacity is limited to 60 participants.

Program

Time          Track
0800–0900h    Breakfast
0900–0930h    Andrew Jaquith, Forrester Research: Welcome address and "Five Years of Security Metrics: A Look Back"
0930–1000h    Richard Seiersen, Kaiser Permanente: "Practical Security Metrics in the 4th Dimension"
1000–1030h    RH Powell, Akamai: "Weathering Storms in the Cloud: Analyzing Massive Distributed Denial of Service Attacks to Better Prepare for the Future"
1030–1100h    Morning break
1100–1130h    John S Quarterman, Quarterman Creations/CREC at the UT Austin School of Business: "Spam Reputation as Output Measure of Infosec"
1130–1200h    Gina Fisk, Los Alamos National Laboratories: "Optimizing Performance Management using Adaptive Metrics, Fitness Functions, and the Balanced Score Card"
1200–1230h    Fabio Massacci, Università di Trento: "Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox"
1230–1345h    Lunch
1345–1415h    Elizabeth Nichols, PlexLogic: "Security Metrics: What's Hot and What's Not"
1415–1445h    Laura Glowick, Federal Home Loan Bank of Boston: "Enterprise Security Dashboard" (also: FHLB's metrics catalog)
1445–1515h    Afternoon break
1515–1545h    Alex Hutton, Verizon Security Intelligence: "Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework"
1545–1615h    Michael Smith, Fish Catchers Heavy Industries: "Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks"
1615–1730h    Rump session: open-mic discussion of current research and topics of shared interest
1730h–        Beer! Sponsored by Blue Canopy

Venue

Metricon 5 will be held at the Marriott Woodman Park Hotel, 2660 Woodley Road Northwest, Washington, DC, on August 10th, 2010. It is co-located with the USENIX Security 2010 Symposium.

Event Sponsors

Blue Canopy (sponsor logo)

Attendance

Attendance is by invitation only. If you would like to attend, send an e-mail to metricon5 at securitymetrics dot org.

All participants will be expected to "come with findings" and be willing to contribute to group discussions. Politeness will be praised; questions, encouraged; lurkers, flushed out.

The proceedings of all past meetings are available here:

For speakers

  • Deadline for final presentation: July 30th, 2010

Conference chairs

  • Andrew Jaquith, Forrester Research
  • Khalid Kark, Forrester Research

Program committee members

  • Jennifer Bayuk, Stevens Institute of Technology
  • Dan Geer, In-Q-Tel
  • Chris Walsh, SurePayroll
  • Wade Baker, Verizon Risk Intelligence
  • Ray Kaplan, Ray Kaplan & Associates
  • Michael Smith, Akamai Technologies
  • Daniel Arista, Syracuse Research Corporation

Mini MetriCon 4.5

Mini MetriCon 4.5 was held Monday, March 1, 2010, in San Francisco, California, adjacent to the USA RSA 2010 Conference. The presentations are posted as embedded links in the agenda; the original CFP remains available as well.

MetriCon 4.0

MetriCon 4.0 was held Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. See the MetriCon 4.0 page for the details of the meeting, including its CFP, the final agenda, and the meeting's Digest.

Mini MetriCon 3.5

Mini MetriCon 3.5 was held Monday, April 20, 2009, in San Francisco, California, adjacent to the USA RSA 2009 Conference. The presentations are posted as embedded links in the agenda; the original CFP remains available as well. Sadly, no Digest was ever completed.

MetriCon 3.0

The MetriCon 3.0 presentations and digest are available as attachments to the final agenda.

Mini MetriCon 2.5 Presentations

The MiniMetriCon 2.5 presentations are available as attachments to the final agenda.


Metrics Catalog Project

The Metrics Catalog Project was officially launched in June 2008. A major revision has been made available as of April 2009. To see the catalog on-line you can visit:

General information about the Metrics Catalog can be found in the following documents:

BEWARE: You will need a JavaScript- and Java-enabled browser to optimally experience the content on these sites. Due to circumstances beyond our control, we cannot support any browser on Vista.

--Elizabeth Nichols, 3-July-2009


February 12, 2006 10:34 PM
Charging for Guaranteed Spam: Better Than It Sounds?
Much ink has been spilled over the recent AOL and Yahoo announcements that they will charge marketers five cents per e-mail to guarantee delivery of their mail, thus bypassing their spam filters.

Lots of people have been rendered spitting mad by the plan. Three things seem obvious to me about how and why these plans came about:

  • The, ahem, marketing companies are clearly frustrated by the fact that their mail is getting blocked more and more often. If you believe the numbers from MessageLabs and others, spam is now 80-85% of all Internet e-mail.
  • The existing spam filters of Yahoo and AOL are clearly annoying some of their most-phished customers (read: banks) by blocking their legitimate communications.
  • AOL and Yahoo clearly think that they can make a buck on this.

I can't stand spam in any form. It's why I switched my private e-mail from these guys to another provider. I used to get so many e-mails containing viruses, worms, trojan horses and other nasties that I almost longed for the simple "would you like some V1@grA?" type. Clearly, the deluge of spam is largely being fueled by the botnet boom, and the malware-laden variety is crushing the stuff that's merely solicitous.

And there's the rub. There are genuine businesses out there, like banks, who want to communicate with their customers. And there are other sorts of businesses who simply want to bombard us with come-ons for lots of stuff we don't need and didn't ask for. Yahoo and AOL clearly don't think it's worthwhile to try to distinguish between the two, so it's easiest to simply say: make 'em all pay.

That's just fine with me. The larger banks can clearly afford to pay, while the Spanish-fly-by-night yahoos (oops) will only do so if they think the risk/return is worth it. As for the latter type, I'm happy to let AOL and Yahoo drain their marketing budgets dry.

But of course, as a consumer I still don't want to get this stuff. Therefore, if AOL and Yahoo are going to make an unholy pact with Viagra-peddling lümpenmarketers so that they can cram their spam in our pliant craws, then it seems to me that the consumers whose craws are being crammed ought to have some right of redress. Specifically:

Marketers who pay Yahoo and AOL to guarantee delivery of their spam must also offer a verifiable opt-out provision.

And here's the good news: it seems that the proposed system does exactly that. The system AOL and Yahoo will be using claims to offer a "certified unsubscribe" feature, as well as a spammer-authentication system. This, I think, is the missing headline from this whole story. Even if there's more spam (ugh), at least you know whose throat you can choke. You can tell them to go away and feel pretty confident that they will. And you can feel all warm inside knowing that they are slowly and assuredly going broke.

That said, there are going to be plenty of ways to game the system. So I guess I'm glad I'm not a Yahoo or AOL subscriber.

By AnonymousCoward
February 11, 2006 6:20 PM
Blended Threats == Hemlock Smoothies

An open letter to all anti-virus software makers:

February 2, 2006

Dear Antivirus Industry,

Why are you so addicted to the term "blended threat"? 
It seems to mean something special to you... but it
means nothing to anybody else. Certainly not to Grandma
or to security professionals who don't work for
anti-virus companies.

To the lay person, a "blended threat" might be what happens
when someone slips arsenic or hemlock into their
Starbucks frappuccino. That's what you meant, right?

Oh, silly me. You meant "a complex program that 
targets multiple weaknesses in computer networks
and uses multiple distribution methods to spread" 
(Trend Micro's definition). But doesn't that describe the
behavior of every sort of malware that's seen today? 

Grandma doesn't get infected by "blended threats" -- 
she gets infected by: 
* Adware that spies on her and makes her computer 
  sluggish and unusable
* Viruses and worms that wreck her hard drive
* Keyloggers and trojan horses that steal passwords 
  and credit card numbers and send them to nasty 
  mean people in Lower Slobovia 

We don't get it. Characterizing malware as using more
than one vector of attack may be technically correct
but it isn't the point -- it's the consequences that 
matter.

The term "blended threat" might have been useful to
your marketing efforts in 1998, but it seems a bit
quaint in 2006 -- rather like describing today's 
automobiles as "horseless carriages."

Please stop.

Love,

Everyone Else
By AnonymousCoward


This site is not affiliated with any organization, and the opinions expressed on this website are strictly those of the authors themselves.
