NCEE '98 Roundup

[Matthew Patton <patton@sysnet.net>]

The skinny: 5 CD's, 8 - TShirts.

For a 2 day effort the results were painfully lacking. In short, the venue
was totally inappropriate for our message of "security, crypto, robustness."

We had the most impressive booth of the non-commercial vendors there
(thanks JKatz for the banner). The coordinators had projected 7500
attendees. I guestimate we had 1500, maybe. The local radio station that
was supposed to do extensive spots pulled out at the last minute, as did
the weather. It rained solidly for 4 days straight. What inclination people
might have had to attend was effectively overridden by the unusually poor
weather.

The venue should also have been marketed as a Macintosh show. Almost every
booth there dealt with the Mac. And I would hazard a guess 60+% of the
people used Macs. Those that didn't used Win95. The vast majority couldn't
spell unix if they had to. And of those who could, Linux was something they
had tried in the past. For these home hobbiests, the notions of security,
crypto, and code correctness was totally lost on them.

Demographics were solidly against us as well. Most were 35+ years old, some
toting their children, all interested in practical business/home uses for
the available wares. While mentioning that parts  of the USAF/DoD uses
OpenBSD for firewalls and webservers struck a small chord, such concerns
were largely irrelevant as these activities were often outsourced or
foreign ideas to begin with. The trade rags were right: you don't sell
operating systems, you sell applications. Only uber geeks care about OS
arcana.

Even the ISP next door peddling $20/hr 'net access, had difficulty
comprehending how inappropriate Slowaris was for their operations. Our case
wasn't helped by their running multi-CPU Ultra's for which we have no
distribution. Likewise no Powermac support was a significant blow to our
appeal. We regretfully had to direct them toward using LinuxPPC if they
were so inclined. If we are to succeed at pitching OpenBSD to ISP's,
especially large accounts which tend to have money, money that is spent on
Sun's big iron as well as having the caliber of geeks on staff who care
about OS choice, we desperately need sun4u support. Our "corporate
partners" like NFR and Balista would probably appreciate it as well. Any
chance Theo we can line up some donations along these lines?

T-shirt sales were likewise below expectations. When faced with corporate
booths handing out free trinkets the idea of charging for t-shirts seemed
to be a difficult concept. The local residents didn't strike me as T-shirt
people, concerned with the "cool" factor. We did field questions on what
software was used to generate the wireframe, and sadly we didn't know. Dug?

I even saw my first 2 script kiddies. Bragging pathetically about how they
used BackOrrifice to play games with their teachers' minds, or rehashing
old Bugtraq posts. I tried separating some cash from their wallets but the
intellectual effort proved beyond their abilities.

What our limited marketing data showed was that the green shirts in L and
XL were the most popular. We had a disproportionately large sample of black
shirts which were avoided like the plague. I suspect that particular color
appeals only to those who attend DefCon, program for 3 days straight, have
pierced body parts, and think kernel hacking is what every programmer
consumes his day with. It was a novelty that we had X^4L shirts but that is
where the interest level stopped.

I sincerely hope we can pick more suitable shows in the future: namely SANS
'99 where traditinally the audience is vastly more aware of security
concerns and where t-shirts (even black ones) are an attractive means of
making a statement. The small time unix user or home business simply
doesn't care nor do they get it. Even appealing to the 20 something strata
(or those who have aged out of this core group) is insufficient in the long
term. We need better visibility, more corporate 'credibility.' We need to
somehow get our message into the types who make bundled products: single
box managed firewalls, web servers, other all-in-one solutions and the
like. Of late, most of these ~$1000 products use Linux as their OS. That is
sad. This is a market we could very well succeed in.

Let us not forget that most times, those making decisions are concerned
with the "good enough" solution. That is why people use MS NT where it
clearly shouldn't be used. That is why Linux with all of it's media hoopula
is adopted where better ones clearly exist. If as a group we can
concentrate on mailing editors and reporters intelligently presented
counterpoints to the Linux articles, we can purhaps let the world know that
we do in fact exist. Doing so, however, will require that we address those
deficiencies (purceived or real) in a non-arrogant manner. What we need I
guess is a Linus for OpenBSD, a PR person with the good graces to suffer
media boobs, and a coordinator who can convincingly sell OPenBSD to recent
Linux converts. Once a company has adopted a product overcoming inertia is
a very big task. Why else does MS continue to rake in the money?

2 prime candidates I can think of (aside from the integrated product
offerings mentioned above) are Oracle and IBM. Why stake their prime money
making products on a popular OS with a history of known security problems?
Are they going to appreciate news reports that highlight how Oracle on
Linux was vulnerable to xxx whereas the NT or Solaris version was not?
Wouldn't it be better to see how Oracle on OpenBSD wasn't vulnerable to yyy
whereas everybody else on Linux was? Similarly for IBM's ecommerce efforts.
What does OpenBSD need in order to appeal to these big entities? Is it
within our abilities?

Does anybody have a well written comparison sheet / white paper that
details on what basis we can differenciate ourselves from the 'other' OS's
out there? Or even a collection of notes/talking points on the subject?

Also does anyone have a wild guess as to the size of our user community?

--------
"Yes, the president should resign. He has lied to the American people,
 time and time again, and betrayed their trust. He is no longer an
 effective leader.  Since he has admitted guilt, there is no reason to
 put the American people through an impeachment. He will serve
 absolutely no purpose in finishing out his term, the only possible
 solution is for the president to save some dignity and resign."
  -- William Jefferson Clinton, July 1974 on President Nixon --