Andrew Hay


13 weeks ago @ The Ashimmy Blog - Looks like Vigilar is ... · 0 replies · +1 points

I suspect that there won't be any shortage of local providers to pick up the slack left by Vigilar closing shop.

13 weeks ago @ The website of Andrew Hay - Heading to ShmooCon 2010 · 0 replies · +1 points

"plus... I'll be there!"

Only reason I'm going :P

17 weeks ago @ The website of Andrew Hay - Who is Marketing Writi... · 0 replies · +1 points

To address some of your comments:

1) The old adage: “Tell them what you are going to tell them, tell them and then tell them what you told them.” Well, there is also an element of that going on in press releases.

True, but the "old adage" has been molested into something along the lines of "tell them what you are going to tell them by telling them the same tired thing that everyone else is telling them, tell them again but this time tell them that what you're doing is new and innovative and unlike the competitor who is doing the exact same thing, rinse, regurgitate."

I don't blame you, or your colleagues, for this but rather the industry for letting it continue. Organizations have to take a stand and blaze new trails...not keep filling up the trails with the same garbage.

2) Second, as far as the vision reference - that was a very blatant nod to one of the points start-ups are judged upon by analysts – specifically, Gartner – vision and ability to execute.

Why....that sounds like pandering to me and, as a customer, I care nothing for how an analyst firm sees you in their eyes. Again, a failure of the industry to let it continue.

3) Communication is not always as simple as one would think it should be. I see it all the time in security – all the rhetoric about security managers needing to “speak the language of business…” Not so easy when business doesn’t speak the language of security, or care to learn any more than they have to. I think you would be surprised what a diverse set of stakeholders a single press release can have.

I somewhat agree with you on this point but shouldn't the vendor be doing their absolute best to relate to their customers? Perhaps targeted press releases for varying levels of a business would be a better goal than a blanket marketing sermon?

4) I have been in PR a long time and have seen many rants like yours. I take them all with a grain of salt, but as the target of your derision, I felt behooved to respond. Hopefully I was successful in providing a glimpse into our world that might evoke something besides scorn. If not, I’m happy to take you off my release distribution lists and be on my merry way.

I'm glad you took the time to respond. Most would ignore it and move on their way. What I would hope, however, is that your employer takes note of my "rant" (I like to call them blog posts...but whatever) and perhaps thinks that there might be a better way to better convey their product and/or service to the masses.

5) But I will leave you with one last point: these releases are not issued in a vacuum: Who do you think approves them before they go out? Hint: you position them in your post, incorrectly, as oblivious to the deeds of their lame marketing minions.

I disagree. I think they are released within a vacuum and it's up to the executives of the companies to read their press releases - I mean really read their press releases - and see if it actually says "something" before releasing it. I'm talking about meat and potatoes information here.

19 weeks ago @ The Ashimmy Blog - To StillSecure –... · 1 reply · +1 points

Good luck Alan.....keep us posted :)

21 weeks ago @ The website of Andrew Hay - Metasploit Project Acq... · 0 replies · +1 points

Exactly...nothing new on this front.

If anything the process is just more simplified for Rapid7.

22 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +1 points

"This was meant to show that even secured networks are insecure and vulnerable to such tactics."

- True, even if it was a completely illegal way of going about it. You're right...maybe the laws shouldn't apply to the protection of one's privacy in Canada so long as it's "cool" and at a "hacker conference". We'll work on getting those laws changed right away.

"Maybe instead of writing such a long winded post you should have written new security protocols to prevent stuff like this from happening!"

- Had I been asked my opinion on this before the conference started I certainly would have provided my input to prevent this from happening. Unfortunately I wasn't.

"But no, blogging about the problem is more important than solving it."

- What makes you think that this blog post is the end of this debate? Why was it educational to display attendees' credentials in a public forum but reporting on how it was performed illegally was not? Maybe you can help me understand the distinction?

22 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +1 points

Well said. SecTor isn't Defcon, nor should it be. Ideally it should be a place where security people AND business people meet to discuss and learn about security in a non-threatening environment.

22 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +1 points

"I stick to 'intent' and the intent was not malicious and no harm was done."

- But harm was done. Laws were broken and personal data left the building after the conference in the hands of a vendor.

"Had they changed the notification system to a captive portal instead of verbal announcements, nothing would be in violation of code."

- True, and Brian and I discussed this at the conference. They plan on addressing this in some fashion next year.

22 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +1 points

Well said my bald brother :)

22 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +1 points

Well said and I would totally agree with the educational aspect of the exercise had consent been properly sought out.