
Even information security pros don't use encryption

If you couldn't tell by now, I am an almost ardent proponent of encryption. It is an effective safeguard, and is easier to use and stronger than ever. It always amazes me when even information security vendors and pros who promote encryption do not use it themselves. I read with interest the article about how the vendors at the recent CeBIT tradeshow, promoting the use of Wi-Fi honeypots, overwhelmingly did *NOT* use encryption...55%! Too bad encryption is still so underutilized even by security professionals...how long will it continue to be the Rodney Dangerfield of information security technologies?


Comments

Well, one has to wonder what the vendors had to lose on those networks. If there was no value, there was no risk...

Well, true, it's very possible the *vendors* had nothing to lose...but what about the attendee-provided devices using the vendor-provided networks? 450,000 were reportedly in attendance; shouldn't the vendors promoting security provide security within an environment they are encouraging potential customers to use? Or, should the attendees just know they should view vendor systems/networks provided at trade shows as a "use at your own risk" type of situation? The risk here is to more than just the vendors.

"The risk here is to more than just the vendors."

According to some of the newest thoughts surrounding information risk management and framework (the work for which Jack Jones received the award at RSA this year) risk is a derived function, not a noun. Risk is a function of the amount that might be lost and the frequency with which one can expect to lose it. As such, where there is no value for the vendors to lose, there is very little risk.

Vendors who promote encryption should use it in a Guy Kawasaki "eat your own dogfood" sense, I agree. But both you and I as Information Risk professionals know that we trust "secured" WiFi about as far as we can throw our WAP (or maybe even less than that), and for anyone to be at that conference and just liberally join the conference network without considering their own control strength would be very foolish. If we don't all have a "use at your own risk" type of mentality concerning WiFi already, then we shouldn't be in InfoRisk to begin with.

Also, 12 will get you 13 that the vendors left their networks open to gather data. They, like most of us, operate in a data-isolated world. The best we get are these ridiculous FBI reports that consider scans an "advanced attack", and as such vendors do silly things like gather data on what happened at the trade show and turn it into a marketing piece (if the data supports their value proposition, of course).

You have a really good point, though - good encryption should be ubiquitous by now. We have the processing power, the bandwidth, all of the Moore's Law-sey benefits in our technology devices, and we still don't have universal adoption of encryption outside of SSL for the browser. Why, well, the devil, of course, is in the implementation.

Perhaps, as professionals, we should form a working group, deliver a standard with open-source packages, and petition Microsoft for inclusion across the board. It's kind of too bad that PGP was able to become a company again - a Mozilla-style approach to PGP/GPG may have helped the online community in a much broader, greater sense.

Nuts. Of course Risk is a noun. Too much jazz and G&T this afternoon, and not enough concentration.

I just am getting tired of hearing Risk attributed to other nouns, like "my data is my risk" or "my connectivity is my risk".

People also often get "risk" confused with "threat" and "vulnerability." A good and fun...well, at least to me :) ...exercise I do with some of my students and clients is to give them a scenario and label/identify the risk, threat and vulnerability; similar to those grammar exercises from elementary and secondary school where you had to dissect the sentence into its grammatical parts. It's a pretty effective way to differentiate between risks, threats and vulnerabilities, and gives a new perspective to those doing it.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.