CyberSecurity, Research and Disclosure

Presenters and Panelists

Scott Blake, CISM, CISSP

As BindView's Vice President of Information Security and International Technical Services, Mr. Blake is responsible for the functioning of RAZOR, a team of security experts providing security expertise to all of BindView's technologies and performing original research in computer and network security, as well as supervising BindView's operational security, risk management, and emergency response team. Additionally, Mr. Blake is responsible for delivering technical support and professional services to BindView's customers, partners, and sales operations outside the Americas. Prior to joining BindView, Mr. Blake was Director of Technical Services for Netect where he was responsible for the Technical Support, Information Technology, and Pre-Sale Engineering groups. He also participated in the design of HackerShield, an award-winning vulnerability assessment scanner. Before Netect, Mr. Blake was Network Security Architect for Internet Security Corporation where he designed perimeter security, network security architectures, and developed security policies for several large companies including leaders in financial services and telecommunications, as well as several large hospitals and universities. Mr. Blake is frequently sought to speak at security and information technology conferences and by the media to comment on security issues. He is the author of several articles on various aspects of information security.

Mr. Blake is a Member Emeritus of the Common Vulnerabilities and Exposures Editorial Board, Member of the Open Vulnerability Assessment Language Editorial Board, and Chairperson of the Simon's Rock College Alumni Association Advisory Board. He holds a BA, cum laude, from Simon's Rock College, an MA in Political Sociology from Brandeis University, is a Certified Information Security Manager and a Certified Information Systems Security Professional.

Matt Blaze, AT&T Labs

Matt Blaze is a research scientist at AT&T Laboratories, where he studies the use of cryptography in computing and network security. His research focuses on the architecture and design of secure systems based on cryptographic techniques, analysis of secure systems against practical attack models, and on finding new cryptographic primitives and techniques. He is the co-inventor of the field of "trust management" and leads the KeyNote project at AT&T Laboratories. His recent work and collaborations have led to the creation of a number of new cryptographic concepts, including Remotely-Keyed Encryption, Atomic Proxy Cryptography, and Master-Key Cryptography. His research has also been influential in IP network-layer encryption (co-designer of the swIPe protocol, a predecessor of the IPSEC standard), session-layer encryption, and filesystem encryption. Blaze has discovered weaknesses in a number of published and fielded security systems, including a protocol failure in the U.S. "Clipper" key escrow system. Blaze has long been active in the debate on encryption and security policy, has testified before Congress several times, and has participated in a number of influential public-policy panels and reports. He holds a PhD in Computer Science from Princeton University.

Mary Ann Davidson, Oracle

Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, corporate infrastructure security and security policies, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC) and is on the editorial review board of the Secure Business Quarterly.

Ms. Davidson has a B.S.M.E. from the University of Virginia and a M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.

David L. Dill, Stanford

David L. Dill is a Professor of Computer Science and, by courtesy, Electrical Engineering at Stanford University. He has been on the faculty at Stanford since 1987. He has an S.B. in Electrical Engineering and Computer Science from Massachusetts Institute of Technology (1979), and an M.S. and Ph.D. from Carnegie-Mellon University (1982 and 1987).

His primary research interests relate to the theory and application of formal verification techniques to system designs, including hardware, protocols, and software. He was the Chair of the Computer-Aided Verification Conference held at Stanford University in 1994. From July 1995 to September 1996, he was Chief Scientist at 0-In Design Automation.

Prof. Dill's Ph.D. thesis, "Trace Theory for Automatic Hierarchical Verification of Speed Independent Circuits," was named as a Distinguished Dissertation by ACM, and published as such by M.I.T. Press in 1988. He was the recipient of a Presidential Young Investigator award from the National Science Foundation in 1988, and a Young Investigator award from the Office of Naval Research in 1991. He has received Best Paper awards at the International Conference on Computer Design in 1991 and the Design Automation Conference in 1993 and 1998. He was named a Fellow of the IEEE in 2001 for his contributions to verification of circuits and systems.

James Duncan, Cisco Systems

Jim Duncan works in the Critical Infrastructure Assurance Group at Cisco Systems, where he is a subject-matter expert on incident response and vulnerability handling. Previously, Jim was an Incident Manager for the Cisco Systems Product Security Incident Response Team (PSIRT) for four years, where he handled customer security incidents and product security vulnerabilities. Jim's current work focuses on the National Infrastructure Advisory Council's Vulnerability Disclosure Working Group, co-authoring a comprehensive framework and recommendations for disclosing information system vulnerabilities. In addition to his work with the NIAC VDWG, Jim currently works on proactive issues supporting other incident response teams within Cisco. He is authoring an internal policy for information sharing, and he actively contributes to external projects for several Information Sharing and Analysis Centers (ISACs) and the Forum for Incident Response and Security Teams (FIRST).

Jim contributed to RFC 1244, the Site Security Policy Handbook, co-authored (with Rik Farrow) a highly rated tutorial on building an incident response team for USENIX, and is a Liaison Member of FIRST. Prior to Cisco, Jim worked for Penn State University in the Department of Mathematics and the Applied Research Laboratory as principal systems administrator, network engineer, and card-carrying member of the university's computer emergency response team.

Gerhard Eschelbeck, Qualys

Overseeing Qualys' engineering and operations, Gerhard Eschelbeck currently manages the largest and most up-to-date vulnerability database in the world. He is also responsible for protecting over 1000 corporate networks, and was recently recognized as one of the "25 Most Influential CTOs" by InfoWorld Media Group. Prior to joining Qualys, Gerhard was Senior VP of Engineering for security products at Network Associates, VP of Engineering of anti-virus products at McAfee Associates, and Founder of IDS GmbH. Earlier, he was a research scientist at the University of Linz, Austria, from which he earned Masters and Ph.D. Degrees in Computer Science and where he teaches regularly in the field of network security. Gerhard has authored several papers and is an inventor of numerous patents in the field of managed network security, and is a frequent speaker at networking and security conferences worldwide.

Stephanie Fohn, security consultant

Ms. Fohn has a broad base of management and entrepreneurial experience, with particular expertise in information security. Currently, she serves as an advisor and consultant in the security industry, working with companies such as BigFix and Latis Networks. Most recently, she was president and chief operating officer of SecurityFocus, a provider of enterprise security threat management systems. She led the company to a dominant industry position, resulting in its acquisition by Symantec in August 2002. Previously, she served as vice president of marketing and business development for Tripwire, Inc. and director of distribution partnerships for Infoseek/Go Network. She also co-founded and led two start-ups – Lucidian Technologies, a developer of network-based intrusion detection software, and The WWWorks, a web development firm focused on e-commerce and database integration. Ms. Fohn began her career in the security industry as director of business development for Pilot Network Services, Inc., one of the industry’s first managed security service providers. Prior to joining Pilot, she spent six years in venture capital and investment banking in the technology arena. Ms. Fohn holds an M.S. degree in management from Massachusetts Institute of Technology and bachelor’s degrees in business and psychology from University of Washington.

Lauren Gelman, CIS Assistant Director

Lauren Gelman has written, commented and lectured on Internet Law issues since 1995. She is currently the Associate Director of Stanford Law School's public interest technology law and policy program, the Stanford Center for Internet and Society, responsible for the daily operations of the Center, and for directing and conducting research on the interaction of new technologies and the law.

Ms. Gelman comes to Stanford from Washington, DC where she served as the Public Policy Director for the Electronic Frontier Foundation, the first on-line civil liberties organization, and as the Associate Director of Public Policy for ACM, the largest association of computer scientists in the world. In DC she worked with Congress, clients, the media and corporate officials in coalition building, public education and outreach on Internet policy issues including free speech, computer security and encryption research, research funding, appropriate protection of intellectual property and universal access. She also rode the dot-com wave as Corporate Counsel for RealNames Corporation.

Ms. Gelman is a frequent speaker on the integration of new technologies into society. She received a B.S. in Biology and Society from Cornell University, a M.S. in Science, Technology and Public Policy from George Washington University, and a law degree from Georgetown University.

Jennifer Granick, CIS Executive Director

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Tiina Havana, University of Oulu, Finland

Tiina Havana has studied Organizational communication and PR at the Department of communication, University of Jyväskylä, Finland, where she received her Master of Arts degree in spring 2003. Since May 2002 she has been working at the Oulu University Secure Programming Group (OUSPG), Finland, where she is currently preparing for her post-graduate studies. Her research interests include communication in the software vulnerability reporting process, publicity and risk management in computer security issues, attitudes and values that people have towards computer security as well as computer security information and knowledge management.

Shawn Hernan, CERT

Shawn Hernan is a senior member of the technical staff at the CERT® Coordination Center where he has worked for the past seven years. He currently leads the vulnerability handling group and has been a primary author or contributor on more than 40 CERT advisories. He has delivered testimony to the Library of Congress regarding DMCA and is an active contributor to many vulnerability disclosure efforts. Prior to joining CERT/CC, Shawn worked for the Systems and Networks division of the University of Pittsburgh for seven years where he developed databases and network applications, and shared in the system administration of the centralized computing facilities and the large campus network. Shawn has a BSCS from the University of Pittsburgh.

Sunil James, iDEFENSE US

Sunil James is Director of Vulnerability Intelligence at iDEFENSE US. In that capacity, he oversees the daily collection and analysis of all vulnerabilities and exploit code of interest to iDEFENSE customers. James also manages the Vulnerability Contributor Program (VCP) from an administrative standpoint, ensuring the continued submission of timely and relevant intelligence from around the world. James joined iDEFENSE in July 2000 as an Analyst within the Vulnerability Intelligence team, and has worked in various capacities - both technical and non-technical - throughout the company since then. He earned from SUNY Stony Brook a BS in Computer Science with an Applied Mathematics concentration, and a BA in Political Science with an International Relations concentration. Previous to iDEFENSE, James has been employed by the US Department of State, the Council on Foreign Relations, Johns Hopkins University, and Pinkerton Global Intelligence Services.

Steven B. Lipner, Microsoft

Steven B. Lipner is Director of Security Engineering Strategy at Microsoft.

He is responsible for the development of programs to provide improved product security to Microsoft customers, and for the Secure Windows Initiative team that focuses on improving Microsoft's security development processes. Mr. Lipner was one of the leaders of the Windows division security push that mobilized over 8,000 developers, program managers, and testers in a security review of the Windows design and code base. His team has led the definition of Microsoft's security development processes and their integration into the Microsoft product development life cycle.

Mr. Lipner has over thirty years' experience as a researcher, development manager, and general manager in IT security. He served as Executive Vice President and General Manager for Network Security Products at Trusted Information Systems during the period of the company's explosive growth and public stock offering. He has been responsible for the development of mathematical models of security and of a number of secure operating systems. Mr. Lipner was one of the initial twelve members of the United States Computer Systems Security and Privacy Advisory Board. He served on the board from 1989 to 1993, and was reappointed to the board - which has now been renamed the Information Security and Privacy Advisory Board - in early 2000.

Mr. Lipner holds S.B. and S.M. degrees from M.I.T. and attended the Harvard Business School's Program for Management Development. He is the author of numerous professional papers and has spoken on security topics at many professional conferences. He is named as inventor on ten United States patents in the fields of computer and network security.

David Litchfield, Managing Director, NGSSoftware

David Litchfield is the world's leading computer security vulnerability researcher and one of the five founding members of NGSSoftware (established during September 2001). His previous roles have included working as a Security Consultant for Diligence Information Security, a U.K. Penetration Test Team Leader for Arca Systems Inc, a Director & Research Scientist for Cerberus Information Security, and a Director of Security Architecture & Research Scientist at @Stake Ltd.

David has been certified as a CHECK Team Leader by the CESG, the Gold standard for penetration testing in the U.K.

With his vast experience of network & application penetration testing, David is a permanent presenter to Black Hat & regularly presents to the CESG. David has discovered & published over 100 major security vulnerabilities in many different products, including most notably Apache, Microsoft Internet Information Server, Oracle and Microsoft SQL Server. In every case where David has found vulnerabilities, he has worked closely with the affected vendors developing solutions.

In addition to discovering these vulnerabilities, David is also the co-author of Special Ops (Foundstone) where he contributed chapters dealing with security in Oracle. He is also the lead author of SQL Security (Osborne/McGraw-Hill). In addition, David has written & published more than 15 security white papers on a wide range of security issues (including buffer overflow exploits, protection & SQL related vulnerabilities).

David is quoted in many magazines, newspapers and on-line security publications on a regular basis as a leading authority on computer security and vulnerability research.

Simple Nomad, Nomad Mobile Research Centre

Simple Nomad is the founder of the Nomad Mobile Research Centre, an international group of hackers that explore technology as well as the political ramifications of doing such exploration. By day he works on BindView Corporation's RAZOR team with the title of "Occam Theorist". He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a frequently sought lecturer at security conferences, and has been quoted in print and television media outlets regarding computer security and privacy.

Len Sassaman, Anonymizer

Len Sassaman is a security architect for Anonymizer, Inc., where he works
to bring Internet privacy solutions to consumers in an effective and
usable manner. His information security career spans a variety of areas,
from anti-censorship measures to cryptographic protocol analysis.

Len's research focus has been concentrated in the area of privacy and
strong anonymity. In addition to being the author of numerous papers in
the privacy enhancing technologies field, Len is the maintainer of
Mixmaster, the most widely used Chaumian Mix-net implementation, and the
operator of an anonymous remailer.

Greg Schaffer, PricewaterhouseCoopers

Mr. Schaffer is the Director and Co-Leader of PricewaterhouseCoopers, LLP Cybercrime Prevention and Response (CPR) Practice. Mr. Schaffer is responsible for managing a wide range of computer forensic, investigative and litigation support electronic discovery related projects for PwC clients. Mr. Schaffer joined PwC in November 1999, after serving for two years as a computer crime prosecutor at the United States Department of Justice Computer Crime and Intellectual Property Section. At the Justice Department Mr. Schaffer was responsible for day-to-day management of domestic and international investigations involving a wide variety of crimes including computer hacking, illegal wiretaps and economic espionage. Prior to joining CCIPS Mr. Schaffer was a partner with the law firm of Manatt, Phelps & Phillips specializing in civil litigation related to computer technology issues. In addition to his duties at PwC, Mr. Schaffer is currently an adjunct professor at Georgetown University where he teaches a course on information security for international business.

Bruce Schneier, Counterpane Internet Security

Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." His current book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.

Schneier also publishes a free monthly newsletter, Crypto-Gram. Read by over 90,000 people, Crypto-Gram is where Schneier explains, debunks, and draws lessons from security stories that make the news. Regularly quoted in the media, Schneier has written op ed pieces for several major newspapers, and has testified on security before the United States Congress on many occasions.

Bruce Schneier is the founder and CTO of Counterpane Internet Security, Inc., the premier provider of Managed Security Monitoring services in the world.

Christopher Sprigman, CIS Fellow

Chris Sprigman is a Residential Fellow at the Center for Internet and Society. Chris's research focuses on the interplay of competition, technology, and intellectual property law.

Before coming to CIS, Chris was a partner in the Washington, D.C. office of King & Spalding LLP, specializing in the areas of antitrust, intellectual property and appellate practice.

Prior to joining King & Spalding, Chris served as appellate counsel to the Antitrust Division of the U. S. Department of Justice. While at DOJ, Chris represented the United States in civil and criminal appeals to the U.S. Courts of Appeals, and, in conjunction with the Office of the Solicitor General, handled appeals before the U.S. Supreme Court. He worked extensively on post-trial and appellate briefs in United States v. Microsoft. His responsibilities also included filing amicus briefs in selected private antitrust and intellectual property cases, working with the Assistant Attorney General to help formulate antitrust and competition policy, and representing the United States in court proceedings to review orders of the Federal Communications Commission.

Chris received his J.D. with honors from the University of Chicago Law School in 1993. From 1993-1994, he served as a law clerk to the Honorable Stephen Reinhardt of the U.S. Court of Appeals for the Ninth Circuit in Los Angeles, CA. Chris also served as a law clerk to Justice Lourens Ackermann of the Constitutional Court of South Africa in Johannesburg, South Africa from 1998-1999. While in South Africa, Chris taught comparative law at the University of the Witwatersrand Law School, in Johannesburg.

Prof. Peter P. Swire, Ohio State

Peter P. Swire is a Professor of Law at the Ohio State University and director of that school's Washington, D.C. summer program. From 1999 to early 2001 he served as the Clinton Administration's Chief Counselor for Privacy, in the U.S. Office of Management and Budget. In that position, he coordinated Administration policy on the use of personal information in the public and private sectors, and served as point of contact with privacy and data protection officials in other countries.

He was White House coordinator for the proposed and final HIPAA medical privacy rules, and played a leading role on topics including financial privacy, Internet privacy, encryption, public records and privacy, ecommerce policy, and computer security and privacy. With Lawrence Lessig, he is Editor of the Cyberspace Law Abstracts of the Social Science Research Network. Many of his writings appear at www.peterswire.net.

Hal R. Varian, Haas School of Business

Hal R. Varian is the Class of 1944 Professor at the School of Information Management and Systems, the Haas School of Business, and the Department of Economics at the University of California, Berkeley.

He received his S.B. degree from MIT in 1969 and his MA (mathematics) and Ph.D. (economics) from UC Berkeley in 1973. He has taught at MIT, Stanford, Oxford, Michigan and other universities around the world.

Professor Varian is a fellow of the Guggenheim Foundation, the Econometric Society, and the American Academy of Arts and Sciences. He has served as Co-Editor of the American Economic Review and is on the editorial boards of several journals.

Professor Varian has published numerous papers in economic theory, industrial organization, financial economics, econometrics and information economics. He is the author of two major economics textbooks which have been translated into 22 languages. His current research has been concerned with the economics of information technology and the information economy. He is the co-author of a bestselling book on business strategy, Information Rules: A Strategic Guide to the Network Economy, and writes a monthly column for The New York Times.

Vincent Weafer, Senior Director, Symantec Security Response

Vincent Weafer is responsible for the Symantec Security Response global research center teams. His mission is to advance the research into new computer threats & exploits and provide a comprehensive & rapid security response to today's blended security threats. His team has also been responsible for the development of key security technologies such as the Symantec extensible anti-virus engine technology, scanner heuristic detection technologies and threat acquisition and analysis infrastructure used by Symantec. Weafer has been quoted extensively in the global press and also speaks regularly at security conferences and seminars throughout the world, including the panel discussion for the launch of the OIS Security Vulnerability Reporting and Response Process at Blackhat 2003 in Las Vegas.

Stephen Wu, InfoSec Law Group

Stephen Wu is President and CEO of the law firm InfoSec Law Group, PC and of the consulting firm Infoliance, Inc. in the Silicon Valley. He advises clients concerning legal, business, and technical matters relating to information security, electronic contracting, authentication, regulatory compliance, and public key infrastructures. He has provided advice to organizations such as the American Medical Association, RegistryPro, and the Ministry of Economy, Trade, and Industry of Japan. Mr. Wu is Co-Chair of the American Bar Association’s Information Security Committee. He is a 1988 graduate of Harvard Law School and, before founding ILG and Infoliance, was in charge of VeriSign, Inc.’s worldwide policies and practices governing its digital certification services.

Chris Wysopal, @stake

Chris Wysopal is director of research and development of @stake. His career in the information security industry has spanned over 13 years working as a software developer, vulnerability researcher, corporate security engineer, and security consultant. He has advised government agencies such as the Army, DISA, and the National Security Council as well as top software vendors such as Microsoft on application security. He presented expert testimony in May of 1998 on the state of government computer security to the US Senate Committee on Governmental Affairs and again in August of 2003 on the problem of viruses and worms to the US House Subcommittee on Technology. Chris manages @stake's pioneering products group which develops security tools focused on wireless, infrastructure and application security.

Prior to @stake, Chris was a senior security engineer at GTE Internetworking (formerly known as BBN). He has 10 years of software development experience for companies such as Lotus and AT&T. While a vulnerability researcher at the L0pht, he co-authored the award winning password-auditing program, LC4 (formerly L0phtCrack), which is used by over 5,000 government, military, and corporate organizations worldwide. He holds a Bachelor's Degree in Computer Systems & Engineering from Rensselaer Polytechnic Institute.


This work is licensed under a Creative Commons License.