Attack may be the best defence against hackers


Informality and vigorous debate - plus some of the best security specialists in the world - are the hallmarks of COSAC, the annual Irish security conference, writes Karlin Lillington

Since he wrote his famous military treatise 2,500 years ago in China, Sun Tzu has found evergreen relevance with some odd audiences: Western spiritual seekers looking East, martial arts fanatics, business people and, now, security geeks.

"The only win is to take the battle back to the enemy," says Mr Tom Berson, president of Anagram Laboratories, quoting Sun Tzu to 125 computer security specialists sitting under ballroom chandeliers at the Killashee House Hotel in Naas.

If the setting seems a bit incongruous, so does the idea of shifting the role of the security good guys from one of fending off and undermining hacker attacks to going on the attack against a dispersed, disorganised guerrilla hacking force that has proven nearly impossible to find in cyberspace.


There are random objections and observations from the floor. But this is the annual Irish security conference, COSAC, where discussion and argument during presentations are not only encouraged but essential to success - a speaker who isn't challenged feels ignored.

"People say we are defenders, not attackers," continues Mr Berson, after the audience has its say. "But every theory of defence contains a theory of attack."

And he's off into adapting more Sun Tzu in a series of PowerPoint slides, outlining 36 strategies of attack that, over the centuries, scholars have boiled down from the master's treatise. All 36 have been adapted to make sense in a computer security world.

"Murder with a borrowed knife" becomes part of the hacker wisdom the security forces most battle against.

It's all a bit tongue in cheek, with plenty of hacker tactics thrown in, and the rather odd keynote does indeed succeed in getting its highly security-literate audience - many are among the best specialists in the world - to think about security in a new way.

"This is no anonymous sea of faces. Everyone has a thought worth sharing and an idea worth developing," says Mr David Lynas, security consultant and managing director of David Lynas Consulting Group, who established COSAC a decade ago.

Then, it was the only security conference in Ireland. He set it up initially for that reason - there were no security events and he wanted to see what would happen if he invited all the best speakers he'd ever heard and "let them loose" in a symposium format.

Talk to the delegates - limited to 125 so that sessions remain small enough for vigorous discussion - and they'll say COSAC is a highlight of their working year and a conference a lot of them have attended many times.

Everyone is on first-name terms during the sessions. That leads to one of the most valuable aspects of such a small event: "You get a career-long network of contacts beyond anything you could ever buy," says Mr Lynas, whose company is based in Moira, Co Down.

Mr Lynas addresses the conflict between security departments and the management and other employees at businesses, where security departments are typically seen as "getting in the way" of day-to-day business.

"We have this bad reputation, and no real business alignment," he says, arguing that security needs to be rethought as essential to businesses, not as some annoying department down in the basement.

Businesses spend far too much adding on security systems that don't actually address business problems, he notes. His prime example is SSL, or Secure Sockets Layer, the security technology added on to most websites that gathers information from Web users and processes credit card transactions.

The technology might protect consumer information as it travels across the Net but it doesn't protect the business against credit card fraud or create any useful record of a transaction that could be used in court, he says.

But most businesses cannot afford the kind of system that would be needed to provide the digital backup that exists in the paper world of business. The solution? "This is a quick and dirty world, and doing it by the book doesn't work," he says. Instead, businesses need to rethink how and why they use security, and what it does for them.

"It's time for a marketing makeover for security and risk," he concludes.

That's not entirely an answer for cash-strapped small businesses, as several in the audience debate - but that's the point. Security needs to be re-imagined and new solutions found that address real problems rather than cosmetic ones.

One of the more unusual presentations during the four-day conference was a session on graphology - the art, as practised by computer forensics experts, of mining digital documents for the information hidden inside them.

While many people think that what they see is what they get with a word processing document or spreadsheet, the file actually carries a wealth of information that forensic investigators can use in investigations, said Mr Andy Clark, director of British computer forensics company Inforenz.

Most Microsoft Word documents have an astonishing range of associated data in the form of document property files, hidden from the computer user but readable using specialised forensics tools.

"If we start scraping the document, we can start seeing who's working on the document, the tree of authors associated with it and their associated edits. We can find documents authors have in common, machines used in common, and we can begin to draw inferences. That's quite interesting from a forensics point of view," he said.

British Prime Minister Mr Tony Blair learned the liabilities of putting a Word document directly onto the internet when his government posted the dossier document from the David Kelly investigation to the Web. The file contained the names of everyone who had made revisions to it - a smoking-gun trail of who knew what within the dossier. The document was quickly withdrawn, Mr Clark said, and the government now has a policy of posting documents only in the unrevealing PDF format.
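The trail Mr Clark describes lives, for modern .docx files, in the core properties part of the zip archive (docProps/core.xml): creator, last editor and revision count. The script below is an added example, not code from the article or from Inforenz, showing both sides of the problem from a publisher's point of view: how easily those properties can be read, and how they can be blanked before a document is released. It uses only the Python standard library; the sample document and the names in it (a.smith, j.doe) are constructed here and stand in for a real file.

```python
"""Inspect and scrub the hidden document properties a .docx carries.

A Word (.docx) file is a zip archive; the author, last editor and revision
count live in docProps/core.xml (OPC core properties, Dublin Core names).
The sample document below is constructed inline so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Properties that identify people or the editing history; everything else
# (title, dates) is left untouched by the scrubber.
SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "cp:revision"]

# Constructed sample core.xml: the kind of author trail the article describes.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Briefing note</dc:title>
  <dc:creator>a.smith</dc:creator>
  <cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Constructed stand-in for a real .docx: only the two parts we need."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the core properties as {'prefix:name': text}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for el in root:
        # ElementTree gives tags as '{uri}local'; map back to 'prefix:local'.
        uri, local = el.tag[1:].split("}")
        prefix = next(p for p, u in NS.items() if u == uri)
        found[f"{prefix}:{local}"] = el.text or ""
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with the identifying core properties blanked."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for name in SENSITIVE:
                    el = root.find(name, NS)
                    if el is not None:
                        # Revision must stay a number; names simply go blank.
                        el.text = "1" if name == "cp:revision" else ""
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(scrub_metadata(original)))
```

Tracked changes and comments are stored in other parts of the archive (word/document.xml and word/comments.xml), so a real pre-publication check should inspect those too; the core properties shown here are just the most easily overlooked part of the trail.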

As the crowd prepares to have its final session, during which attendees present impromptu talks on recent areas of research, Mr Lynas is quietly pleased with how the day has gone, especially the banter and discussion.

"The secret to COSAC is to understand that, whatever subject you're talking about, the guy who wrote the bible on it is probably in the audience."

Intimidating? Not at all. Most of this crowd will be back next September for another bout.