The New MacBook Pro

My old 17" MBP gave up the ghost recently. I had reached 98% capacity in my 120 GB drive, and my VMs were dying with Snow Leopard with only 2 GB of RAM. This was the max at the time that the model supported.

I found out from iFixit that my model could upgrade to 6 GB of memory with a manual repair. So, I did that. Then I bought a 500 GB internal drive, and put it all together. Then the logic board died. It's about $900 to replace the logic board, and even then, it's likely only a refurb.

So, I went out to look at a new Mac. Here's what I found.

This is not a hard core hardware review of the new Mac. I don't have that info. But, here are my consumer thoughts - price, upgradability, features.


Conference Angst

I've been to my share of InfoSec conferences, and there seems to be a universal undercurrent of dissatisfaction regardless of the conference. There are the complaints that the speakers are chosen poorly, or the content is inappropriate or unsatisfying, or the assertion that InfoSec conferences do nothing except perpetuate the echo chamber.  The disconnect, in my opinion, is that conferences are rarely solution based.

These all follow the same general format that has been followed for decades: multiple "tracks" with hour long slots (occasionally a lightning talk track that enables shorter presentations), separate training offerings (normally pre-conference, or sometimes during conference as a track), sometimes a vendor room, sometimes side-events or contests, and usually some form of after party during which vendors collect leads and partygoers make connections.

Attendees may leave a presentation better informed about a topic, but most presentations are unlikely to grant new skills to the audience. Training is, for the most part, a separate goal. Presentations are frequently one way communiques designed to generate thought or debate, or introduce a new tool or methodology. But, it's rare, even at B-sides events, for presentations alone to achieve the type of engagement that results in solutions and deep collaboration.

The excuse to bring people into narrow physical proximity generates some of this synergy in the form of "hallway con." And many argue this is the real value of conferences: a 'safe' forum in which like-minded people can have informal discussions off the books that result in ideas, agreements, or collaboration that more broadly influences or improves things.

In response to the solutions disconnect, some have proposed "hack-a-thons" in which talented individuals come together for a set period of time and a specific goal to program solutions. But, this approach is likely to alienate community members who don't code, and is more likely to hinder innovation across the lines between policy/process and tools manufacture/usage.

I would like to see "tracks" around workgroups and workshops instead of presentations. Topics that are designed to bring like-minded people together to discuss and even generate solutions, or share skills. Put the power-point in an isolated track of 15-30 minute presentations designed to quickly introduce questions or ideas designed to stir innovation. Does this exist? Is there any interest in making it exist?


The problem with certifications and CBKs

A lot of people complain that certifications demonstrate a familiarity with a Common Body of Knowledge (CBK), but that a familiarity with the knowledge does not indicate competence at applying it. In an attempt to compensate for this, some authorities have required proof of experience and professional endorsements. But, sadly, experience is not the same as competence.

Some have suggested that certification should be accompanied by monitored internships or with specific project work in order to prove competence.

But these are all missing something of the point. CBKs are good at informing a practice, but they can't teach professionals how specifically to implement a practice. Companies are too diverse. What works for a bank isn't guaranteed to work for a hospital. What works for a risk-centric security department isn't guaranteed to work for a response-mandated organization. Success implementing a risk management program in a healthcare organization is not a guarantee of success doing the same on a government contract.

CBKs define the points at which differing organizations converge, not the techniques specific individuals must use to apply the knowledge successfully in different circumstances.