A Note on the RSA Keynote Fiasco…

In the past day or two, The RSA Conference announced a few of the keynotes for the upcoming 2016 RSAC conference. The industry is largely scoffing at some of their choices, for obvious reasons. There are so many facets to this topic, one could write a book. Hopefully I will limit myself to the key points, as applies to the chatter in our industry. If a couple paragraphs are meh to you, skip down a few, as the point will likely change quite a bit.

First, let’s put this into perspective. This is the RSA conference. The Computer Dealers’ Exhibition (COMDEX) of the InfoSec industry. This conference is a weird mix of “OMG necessary” and “OMG I hate it”, and it has been for a decade or more. It’s the party everyone shows up to, and the one you want to be at, to ‘be seen’ and ‘catch up on the gossip’, even though you hate it. In our industry, it is the embodiment of reality T.V. in many ways. On the flip side, this conference hasn’t actually been relevant to our industry for a long time, where reality T.V. is sadly relevant in the worst ways. Sure, it is THE place to do a meet-and-greet, solicit new customers, solicit new employees, and show off your stupid “advances” in security technology. Advances in quotes for a blindingly obvious reason. But, if you feel RSAC is relevant in any meaningful way to our industry, you can stop reading here. You are not my intended audience, and do not meet the “you must have this IQ to ride this ride” criteria. Sorry =( I feel this point is almost entirely lost on the 2016 RSA keynote fiasco.

On the “keynote” angle, first… what is a “keynote” talk? You can’t even Google “keynote” and get the definition in the first few results. You actually have to qualify “keynote definition” which I can’t recall ever having to do for Google to get a definition. Even for some pretty obscure animal-related searches I have done while trying to learn as much about wildlife rehabilitation as I could. That is telling.

Now, I called this bit out in my BSidesDC “keynote” presentation in 2014, where I questioned what a keynote was, in my keynote. How very “meta”, and how very appropriate given I picked on RSAC back then. Look to slide 5 where I pointed out that RSAC had as many as four keynotes a day back then, 16 in total. So again… what is a keynote? For most conferences, it is very clear, per the definition. It “sets the intended tone of the conference” in so many words. For RSAC? It is more a game of how many “big” speakers can we cram into a multi-day event to fill the seats. [Remember, many of them may be in our industry, but it doesn’t mean they bring any value to the rest of us.]

This latest fiasco is no different. So… back to the controversy. RSA stacked the keynote deck with the usual nobodies (in the context of providing real value to our industry, or if an awesome person, not in the context of a 40 minute talk). This year, they went above and beyond, and are having three people in the keynote lineup that are more than questionable. I’m sure it isn’t the first time we have seen it, but it sticks in my mind… RSAC set up a “keynote panel”. For most conferences, that would be laughable, but in 2014 they had 16 keynotes. Compare that to this year, with 20 keynotes on the schedule so far! Two minorities, and one female, if you are keeping track after the last two years of our industry pointing out the lack of diversity. Maybe RSA will say it is a good sample representation to be politically correct, given the representation in the industry!! So… the three speakers making waves, well before the conference starts?

  • Charley Koontz, Actor, CSI: Cyber Panel
  • Shad Moss, Actor, CSI: Cyber Panel
  • Anthony E. Zuiker, Creator/Executive Producer of the CSI Franchise, Technology Visionary

It is honestly difficult to figure out how to approach this, in the sense of writing this blog. This show has been lambasted from day one within the InfoSec industry. Worse, it has deviated from the CSI franchise in ways that are arguably more harmful to the public than the predecessors. The last 15 years of the other CSI shows have created the “CSI Effect”, which has been a burden on our current legal system. It took many years of the original CSI franchise to give us that modern problem, that interferes with our judicial system on a daily basis. We are all arm-chair experts on DNA, trace matter, footprints, dark crime scenes, and flashlights. That is a T.V. show born out of a 30+ year scientific discipline. And it has serious backlash in the real world.

Now, we have CSI: Cyber, which is easily argued to be the worst of the franchise. Looking at ‘Rotten Tomatoes’, well-known for providing real-world reviews of movies, what do they say about the entire CSI franchise?

rotten-tomatoes-csi

Wow… enough people hated CSI: Cyber to contribute their opinion, where the original CSI show that ran 15 years didn’t get enough feedback to rate. The original show was ground-breaking, in many ways. It introduced the average American household to the world of forensics, even if exaggerated and dramatized to some degree. Jump to today, and enough have spoken out against the new spinoff to give it a negative rating. That is telling.

OK OK, so jump back a bit, because this is not an easy blog to write. The entire CSI franchise is questionable; it has some serious value, but also has some serious pitfalls. So let’s try to focus on CSI: Cyber. Start by doing a Google search:

google-csi-cyber2

Woops, that is telling. It also reminds me that the series got renewed for season 2, which I bet would happen to an FBI agent I know (who refuses to watch the show, as does the entire ‘Cyber’ division in his city). If it gets renewed for season 3, I lose a dollar. OK, seriously sidetracked. Back to the latest drama..

Cliff notes: three people related to CSI: Cyber are part of the RSAC 2016 keynote clustermess this year. Two actors, and an executive producer putting himself forward as much more than that (or RSAC is), are part of a panel that is a keynote. Every bit of the InfoSec fiber is not happy with this, and they shouldn’t be. RSAC is grabbing what is popular, what is in the ‘mainstream’, and vomiting it on stage. No care, no concern, and most importantly, no consideration of what it means. Of the two actors, does either have any background in computers? Security? One is a very young rapper-turned-actor who I previously Tweeted to, because I felt his portrayal as an African American actor in the context of the Black Lives Matter movement was absolutely horrible. I’m a privileged white guy and I felt that episode was a disgrace to African Americans (do the math). The other is “sympathetic to the issues” according to Violet Blue, in an article she wrote on this topic. If Koontz is truly sympathetic, he should either back out of the talk accompanied by a public statement, or use the stage-time to go against the very reason he was invited. Embrace the fact he is a T.V. actor, that the show is lacking in technical detail or reality, and call out the technical advisors and/or producers, and let the world know why the show may be harmful. As for the producer, why? It could be argued there is value if one of the technical consultants to the show were to speak, not a producer.

It should be obvious that I do not think any of them are relevant, or should be keynoting a BSides, let alone RSAC. They are actors in a mid-ratings show, built on a 15 year-old franchise. A current iteration that isn’t really that popular or well-known… merely “what some people are watching”. RSAC is quite simply cashing in on a popular meme, in line with the profitable business.

So… let’s agree to agree, or agree to disagree! Yep, how is that for a blog plot twist, befitting that horrible T.V. show? Let’s focus on the small bit that actually got my attention in all this, that demanded all of the above as backstory and explanation. Let’s jump to the other fun bit of this mess. While most of the industry was somewhere between annoyed and outraged over these keynotes being announced, others quipped in ways that suggested the industry wouldn’t be so upset if it was “other” high-profile media-centric personalities that were keynoting.

rsac-fiasco-actors_from_hackers

I’d like to assume the ellipses were leading off to the obvious conclusion, “we would ridicule them just the same”. But I have a feeling that was not the intended argument. That movie is 20 years old, released on the fourth year of RSAC. Assuming you at least meant to compare the cast being keynotes at the 1995 RSAC… this is actually a more compelling comparison as far as a “timely” media publication being thrust upon our industry. Back then, I don’t think it would have been considered. I say that because some of us in the hacker circles back then joked about them speaking at DEFCON and how absurd it would have been.

rsac-fiasco-colbert_baldwin

This is a fascinating comment, because it puts two polar opposites as a single argument that somehow has the same merit, which is baffling to say the least (compare Colbert vs Baldwin in the context of ‘actor’ vs ‘comedian’). If your argument for comparison is “Stephen Colbert” (soft T), then I would argue you are beyond dense and completely oblivious to the genius of the persona Colbert (hard T) took on. The entire persona was designed around being a blind fanboy to an ‘industry’ (or political party in his case, which is basically an industry) in a manner that highlights how absurd the industry is in the first place. That is exactly the kind of persona that would help our industry realize how perverse it is, and show us through delicious irony how absurd and blind we are to our own problems. More importantly, Colbert did not claim any relevance to, or portray anyone in our industry in any way.

If your argument for comparison is Alec Baldwin? That is a valid argument I think! If the industry didn’t speak out against Baldwin in this context, while speaking out against CSI: Cyber actors, that seems hypocritical. I don’t recall Baldwin doing a RSAC keynote in the past, but it isn’t something I would have noticed unless there was an eruption of drama. Stick with this example for arguments against the CSI: Cyber cast.

rsac-fiasco-adam_savage

Really? This has to be the worst comparison possible. Adam Savage has made his career around breaking and building things, a cornerstone of the hacker ethos and mentality. Not only does he build and break things, he does it in the pursuit of truth and shares it with anyone willing to watch MythBusters. That embodies the hacker spirit in the minds of a significant portion of our industry. The cross-over from our largely digital world, to his largely analog world, makes complete sense. He is a rare case where the ‘reality’ in ‘Reality TV’ is actually true.

To come full circle, people still argue that RSAC has value because that is where the “trends” are announced. The problem is, RSA ‘trends’ are mostly buzzword rebrands of old technology, with a few ‘bleeding-edge’ adjectives thrown in to make them sound more sexy. I’ll leave this great Tweet as a tongue-in-cheek, but accurate, reminder of how a significant portion of our industry views the conference, regardless of keynote choices.

rsac-tic

The Charity Snail Mail Burden

If you have ever donated to a charity, you likely received something in the mail from them down the road. A thank you note (and request for more money), a new fundraising initiative where they would like you to donate again, or general information (and request for more money). What happens when you donate to a dozen or more charities over the years? The amount of snail mail you get from those charities, and many others you have never donated to, gets out of hand. At the start of 2015, I decided to keep all of the snail mail I received from charities for the entire year. How much would it be? What kind of ‘gifts’ would add up over the year?

Before the fun bits and pictures, a quick background on this. Charities have three primary categories for spending money: administrative (e.g. salaries, office supplies), fundraising, and program expenses (i.e. what their cause is). Charities are rated based on that breakdown, among other things, by the excellent CharityNavigator web site (a 501c3 not-for-profit themselves). As an example, let’s look at the breakdown for Paralyzed Veterans of America, who spends almost two thirds of the money it brings in trying to raise more money. They only spend 33% of their money on the intended cause: helping paralyzed military veterans. That is an absolutely horrible ratio and not a charity anyone should support. They are essentially in the business of raising money. All of the snail mail you get from charities falls under that ‘fundraising’ category. If a given charity sends what seems to be an obnoxious amount, that is money that could be better spent on the program expenses.

In one year, I ended up receiving 351 pieces of mail from charities, that weighed 26.6 pounds. It’s hard to say if this is truly a lot, and what led to this. I donated to 32 different charities in 2014, some in a manner that would not have led to any snail mail (e.g. “would you like to donate a dollar to..” during grocery store checkout). A few were local charities that do not maintain mail lists and would not have generated any mail. Other bigger charities though, certainly took the opportunity to solicit me for additional money. And at least one of those charities sold or shared my information with other charities that I never donated to, and in some cases would not. To offer a bit of perspective, the 26.6 pounds of charity mail can be contrasted with the 10.8 pounds of ‘commercial’ snail mail I received.

Back to charities! Who were the worst offenders? The top six charities by snail mail volume are as follows, with links to pictures of their offering, and what percentage of their money they spend on fundraising:

Charity                                | Fundraising
Humane Society (31 pieces)             | 19.1%
World Wildlife Fund (21 pieces)        | 18.9%
American Red Cross (21 pieces)         | 6.0%
USO (16 pieces)                        | 26.5%
JDRF (13 pieces)                       | 12.8%
Doctors Without Borders (11 pieces)    | 10.3%

Note that I have donated to the top five charities on that list, but never donated to Doctors Without Borders. Considering that I received snail mail from around 75 different charities, almost three times as many as I donated to in 2014, that is certainly interesting. Also note that many charities were right on the heels of 11 pieces, but I had to pick an arbitrary amount to highlight above. Charities should note something very important! This level of snail mail is a waste of money, and does not encourage some contributors to keep donating. I understand that direct mail campaigns are a huge source of revenue, but finding a happy medium for the amount of requests versus the expected income would be appreciated. Someone donating $25 to a charity and receiving 30 pieces of mail, is watching $14.70 of that money go to postage alone (for charities that are paying full price, which some do). That money should be spent on program causes, not soliciting for more money that will likely be wasted.

Now the fun bits. Which charities sent me money? Yes… a long-standing gimmick of some charities is to send some level of money, typically under a dollar, and ask that you send them more back. They usually want 25 – 1000% more of course. This gimmick is frowned upon by many people, and for good reason. First, it is just that, a gimmick. Second, for charities that put a nickel, dime, or quarter in the envelope, they are quite literally throwing money away. Many people are tired of receiving the snail mail spam and quickly throw it away, coin or not. Even March of Dimes no longer sends a token dime in the mail. In 2015, Paralyzed Veterans of America sent $0.15 (3 nickels), FINCA sent $0.10 (2 nickels), Unicef sent $0.10 (2 nickels), Sierra Club sent $0.30 (6 nickels), National Law Enforcement Officers Memorial Fund sent $1.50 (6 quarters), Keepers of the Wild sent $0.50 (1 half dollar), Leukemia & Lymphoma Society sent $0.05 (1 nickel), and CARE.org sent $0.05 (1 nickel). All said and done, I cleared $2.75!

20160103_coins

Next, what is it about mailing address labels and charities? I mean seriously… almost every single one thinks that sending me such labels is a ‘gift’. Do these people not understand that the average adult in 2015 does not send that many written letters? Even people who send in checks to pay bills don’t generate too much snail mail. Yet, the National Wildlife Federation sent me enough address labels to mail a letter a day, every day of the year. Amnesty International sent 96 mailing labels in a single piece of snail mail… and sent three of those mails. USO sent 81 address labels in a single envelope. I didn’t have the patience to try to count them all individually, but I did take the time to count 154 sheets of address labels, weighing 558 grams, or 1.23 pounds.

20160103_labels1  20160103_labels2

Membership cards are another popular thing to send, because membership apparently has its privileges? By privileges, I mean it grants you absolutely nothing. Yet, dozens of charities want you to carry that card around… yet none of them send you a new, bigger wallet. National Wildlife Federation sent me four membership cards in a single year, and Sierra Club sent me six. I have not donated to either.

20160103_membership_cards

If that isn’t odd enough, the support stickers that are sent out are certainly interesting! In addition to the usual “Don’t give me a speeding ticket” stickers, that you receive from supporting law enforcement organizations, I received a NRA 2015 member sticker! Despite never donating to the NRA, or contacting them. It makes me wonder if that is how the NRA claims such high membership numbers. Is it based on who is on their mail list?

20160103_stickers_blurry_oops

Moving on to stamps! Yes, postage stamps. A few charities will include a stamp in their offering, with the intent that you use it to mail them more money. While this is a variation of the ‘coin’ gimmick, the real tragedy is that some nonprofits have figured out the USPS offers special rates for charity-related mail, and others have not. The USO understands this, as their Self-addressed Stamped Envelopes (SASE) include five 1-cent stamps on them, while the Humane Society of America sends a SASE with a forever stamp. Regardless, all of the stamps included, on an envelope or not, can be re-purposed since they have not been used to send mail yet! In 2015, I received two Forever stamps, one Postcard stamp, nine 10-cent stamps, one 4-cent stamp, seven 3-cent stamps, three 2-cent stamps, and 85 1-cent stamps. That is $3.39 in stamps! If they came in a sealed roll, I could return them to the post office for cash per old hacker legend. Alas, I can just tape them onto an envelope as needed, and they are still valid stamps.

20160103_stamps

To wrap this up, what else did I get? Nine calendars and 26 writing pads, apparently for the silly number of letters these charities think I write, that demand thousands of mailing address labels.

20160103_calendars  20160103_paper_pads

I also got card sets (again, maybe explains the address label flood?), magnets, random swag, calendars and paperwork, as well as X-mas specific gifts:

20160103_cards  20160103_magnets  20160103_paperwork  20160103_swag  20160103_xmas

And finally, two bits of pure amusement. First, ‘Doctors Without Borders’ seems to be fond of sending us Americans world maps. Yes, yes.. I know, Americans suck at Geography. But sending us world maps that we’re to hang up on our wall, of our first-world decorated establishments where style and the artist’s name matters more than actual living enjoyment? Please. But I get you, send the maps, rub it in that we’re a nation of stupid.

20160103_maps

Second, all of this snail mail spam… can you opt out of it? Nope. At least, none of it includes any wording or forms or telephone numbers to remove yourself from the snail mail lists. For the charities that call as often as they send snail mail? If you complain enough, and trust me, ‘enough’ is relative… they will eventually opt you out. But then? They send you a not-so-form letter. In the case of March of Dimes, they write:

“… we are writing to you because of your request not to be contacted by telephone… please donate $25 to us”

I donated $5 to them on 2014-06-04, meaning it was “target of opportunity” (e.g. grocery store, or some case where someone asked me to donate). This was not a yearly contribution I make to half a dozen or more charities that I feel are making a difference. In the span of half a year, March of Dimes called me enough that I got fed up with them and specifically asked to be removed from their spam call list. They did as I asked! But then… reverted to snail mail to ask me for more money.

In summary, U.S.-based charities are living in the 80’s. They send pads of paper and mail address labels, on the heels of you telling them “quit harassing me”. They send stamps and currency in a desperate attempt to guilt you into donations. Some send you as many as 30 pieces of snail mail in a calendar year, on the back of a $50 donation given to a specific sub-group of their organization (e.g. in my case the Prairie Dog Coalition, a part of the Humane Society). If I want to find out if the Prairie Dog Coalition printed a new token adoption certificate, I e-mail the director. And Lindsey responds to me personally every single time. That is what I want to support… both prairie dogs in jeopardy, and the director of a non-profit group who takes the time to respond to my emails, helping me to support their cause in the specific way I want to. This is a model for how charities should work in 2015/2016. Instead, most are still stuck in the early ’80s, sending me dead trees that I don’t need or want.

If the director of a non-profit can’t reply to you, or even sign that Christmas card they sent, while asking for more money? That is bad. They should task their staff to send personal replies and sign such cards. It doesn’t matter what name ends up on it; it matters that someone on the other side appreciates my contribution, and takes the 30 seconds to read and reply to me or scribble their mark. In fact, I think that might be a great criterion for charities I support in 2016. No personal contact? Then maybe the charity is too big and has plenty of money coming in. Maybe they don’t need my donation. Instead, I can give to local charities, which I have started focusing on, where I can see exactly how my money is used, and even stop by and talk to the ‘director’ or staff when I want. I put that term in quotes because it is a misleading title for small local charities, for someone who is often knee-deep in mud or animal poo, doing their best to make the charity work. With that personal connection, especially when I find myself volunteering or visiting, then I feel very comfortable telling friends, family, or social media about their cause and encourage them to donate as well.