Paid Advertising
web application security lab

Back From RSACon

It was a whirlwind trip, but I just returned from RSACon. It was a fun trip and I had a lot of meetings while I was there. I had very little time to stop and relax, but there’s no rest for the wicked, or so they say. Anyway, here’s an ultra abbreviated version of the highlights (there will be more posts to follow, this is just a summary for those who couldn’t make it).

Before I even took off, I got a call from a friend of mine who did a search in Google for “RSACon” to get some more information. It turns out that I am ranked number 1 and number 2 for “RSACon” on the search results (randomly). So before I even took off he knew I was coming into town even though I hadn’t told him. How weird!

I landed and within 30 seconds I got a page from Arian Evans asking if I was in town. What, am I wearing an RFID tag?

I meet up with id and we roll down to the XYZ for a late night meeting with some high powered infosec guys and then called it a night around 1:30. I slept on his floor, trying to ignore the jet engine sound of his walk-in-closet/data center - it was not glamorous.

I woke up early and went to a Dark Reading meeting. Met with some good folks, had a technical round table discussion and bailed to go to the con. I’ll probably have to post about what we talked about in the not too distant future.

I arrived to find they didn’t start until 11 - giving me a few hours to kill. I met up with Billy Hoffman. Later I met up with Jeremiah Grossman and we had a quick chat with Jeff Moss (DarkTangent) about some future talks that Jeremiah and I are thinking of doing - we’ll see.

The con itself started and I hit the floor hard, seeing as much as I could in an hour or so. I’ll probably write something up about some of the scanner stuff I was looking at. There’s a lot good and a lot bad about what I saw. This one deserves another post. For the most part the theme this year was scanning, blocking and identity theft. There were a lot more web application security companies this year than last year though. No one really knew who I was (I wasn’t traveling under the RSnake moniker) so I got the raw skinny on a lot of technology. People try to sell me too much when they know who I am.

So then it was about that time to go to the WASC meetup. Wow. Talk about a turnout - it was at least 30 people (compared to the 11 that showed the year before). A shout out to the Danes (Tate and Soren) that showed - I wish I could have chatted with you guys a little more. They were the first ones to come up to us and say, “Okay, which one of you is RSnake?” ;)

Zeno showed, Arian showed, Billy Hoffman, Michael Sutton, Anurag Argawal showed, some ex co-workers, etc… It was quite a powerhouse! Here’s where the apologies begin:

  • MicroSoft - Where to begin?
  • A friend of mine, Erik shows up to the WASC meet-up who I hadn’t seen in years. He and I chit-chat and he has been to my site. Oh, he works for Adobe now and he didn’t tell me. Yah, sorry about that.
  • Daniel Veditz shows up from Mozilla to talk to me. Oooh… yah, sorry about that.

So yah, I don’t think I’ve ever apologized so much in one 24 hour period. I had a really interesting conversation with Billy Hoffman that I’ll have to write about (it’s way too long to include here) about another unique way to detect CSRF.

At some point I got accosted by someone who works for an ubercorp who was giving me the third degree on me setting up my own company. Too much competition, tough to get in, what do I bring to the table? “I run this site called ach ay dot cee kay ee are ess dot org” “No, I don’t think I’ve heard of it.” “” “Oh! Yes! Are you RSnake?” ;)

Later we packed it up and left to go back to the convention. I ran into someone who outed Jeremiah almost immediately but didn’t know who I was until Jeremiah said “If you know who I am you know who he is.” At which point he said, “Are you RSnake?” ;)

What a day. Anyway, it was a rip roaring good time, lots of tech, lots of talk, and I promise to go into depth on more of the tech stuff as I know that will interest more people. Plus there are some photos floating around, I’ll have to see if I can get my hands on some of them and throw them up in the pics section.

4 Responses to “Back From RSACon”

  1. MikeA Says:

    Wish I could have been there, but I’m on a client site doing security stuff. What makes it worse it that it’s only down the road in San Jose, so would have been really easy to have gone up if it wasnt for odd-working hours.

    Oh well, joys of working in this industry I suppose. Hopefully I’ll be able to meet up with all you guys at DefCon, if not before.

    If you are still at the con, have a couple of beers on me :)

  2. Jungsonn Says:

    Haha great story RSnake, can’t wait to hear more from it and to see some more impressions ;)

  3. Anurag Agarwal Says:

    Hi rsnake

    It was fun at the WASC meetup and those who are interested can see the pictures at

    Lets see if they can identify you :))


  4. RSnake Says:

    More pics here:

    id == James in the photos. Don’t let him fool you, he can hax0r your boXen.