The Man Who Saved the Internet is a little embarrassed.

“I don’t think I saved the Internet, I think I’m a small guy standing on the shoulders of giants that came before me,” says Paul Watson, a polite and unassuming young man.

He doesn’t particularly stand out in the crowd at CanSecWest/core04, but most of the 200 or so delegates to the Vancouver computer security conference Thursday morning were aware of his headline status.

Some of them were even less convinced than he is of his saviour creds, but that’s the nature of security experts, and these guys — they’re nearly all guys — are definitely experts.

Conference organizer Dragos Ruiu, a Vancouver-based computer security consultant, estimates at least 30 per cent of them have PhDs, a useful qualification if you want to understand much of what goes on in the presentations here.

“There are a lot of spooks, a lot of military guys, government, Fortune 50 large companies — basically anybody that’s large enough to have a dedicated security team,” he explains.

It’s the fifth year for the event he started. Last year, it expanded to add a fall gathering in Tokyo, which he says will now become part of the regular calendar.

It is, as one participant terms it, geek central. Not a tie in the place, a wide array of interesting T-shirts and hairstyles, and some spectacularly high-line wireless laptop computers in bomb-proof cases. A glimpse of a screen over a shoulder is a reminder that we’re a long, long way from Windows 98.

“This is a conference that isn’t sales-oriented, it’s about real research, what’s really going on out there, and it’s a really important place for people to sit down and come up with the ideas that can protect the Internet or critical infrastructures,” says Eric Byres, who is with the Group for Advanced Information Technology at BCIT. “This is probably one of the pre-eminent conferences in the world, this is the one to go to.”

Byres and his group have also been out saving the Internet in their own way, concentrating on security that ensures that power utilities can continue to deliver their services without fear of interruption.

Of Watson, he says: “He’s pointed out a flaw; a lot of people have pointed out flaws.” While he’s not taking anything away from him — “he certainly pointed out something that needed to be addressed and he got the ball rolling” — he notes that the Internet is “still the Wild West” when it comes to security.

He values conferences like this because he gets to meet many of the players in the small global community of computer-security experts, and establish some relationships.

“The tricky part is it’s hard to tell whose side some people are on,” he says. “There are some people that I don’t know if they’re on the black-hat side or the white-hat side or somewhere in between.”

That was part of the problem Watson had when he wrote his paper about a flaw in the transmission control protocol affecting one of the major brands of routers which move traffic around on the Internet.

As he puts it, if you were to discover a flaw that made it easy to cause airliners to crash, you’d want to give the airlines a chance to fix it before you made your knowledge even slightly public.

In his case, he couldn’t get any interest from the U.S. Computer Emergency Response Team, and had to deal instead with the National Infrastructure Security Coordination Centre in the U.K. to get a hearing.

All the time he was working on it, he had to be careful who he talked to: “Some people I’ve known for a year or two I told nothing to, other people I may have known for 10 years, I talked very openly with because I knew they understood the impact,” he says.

Face time at conferences builds that kind of trust, something which will be increasingly important as the Internet continues its spectacular rate of growth.

“There are always new attacks and new defences,” notes Ruiu. “We’ve skimmed the easy stuff off in the last three or four years. Now we’re getting to the really hard problems, the ones that are going to take us a while to eliminate.”

As for Watson, he’s speaking at one seminar during the three-day event, and sitting in the audience at the others.

© The Vancouver Sun 2004