I just finished attending a Web Application Security conference for a mixed government audience. Actually, I more than just attended. Due to a late cancellation of a presenter, I was invited to give a 15 minute demonstration of certain web application attack techniques (crudely referred to, by some, as 'hacking').
And so on Monday, all day Monday, I went back to a slide show I had developed on the topic, scripted my whole delivery, and practiced, practiced, practiced. My greatest concern was in not exceeding the 15 minutes allotted me. A huge concern since, as a professor, I could ramble on for hours expanding and digressing about the simplest of topics.
Tuesday afternoon and my time arrived. "Just 15 minutes," I silently warned myself, "and keep to the script." Then I proceeded to explain and give a web demonstration using a phishing email (that I had constructed) to leverage a Cross Site Scripting (XSS) attack upon a Trusted site by a Malicious site (that I had constructed), inducing the victim (played by myself) to furnish identity information to the attacker's cross-scripted form. Additionally, I provided a web demonstration of a SQL Injection attack where I established a test account with a user ID and password in a certain SQL injection-flawed web application and then showed how I could bypass the need for a password by providing a crafted SQL statement to the password field instead.
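The password-field bypass in the SQL Injection part of that demo comes down to how the login query is built. Below is an added illustration of that flaw beside its fix (this is example code written for this post, not the application used in the demo); it assumes an in-memory SQLite table with a constructed test account.

```python
import sqlite3


def make_db():
    """Create a throwaway in-memory users table with one constructed test account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('demo', 'correct-horse')")  # constructed account
    return conn


def login_vulnerable(conn, username, password):
    """Flawed login: user input is pasted into the SQL text, so a password
    value containing quotes and operators changes the query's logic."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Fixed login: bound parameters keep the input as data, never as SQL,
    so the same crafted password is simply compared as a literal string."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # the kind of crafted SQL fragment the demo placed in the password field
    print("vulnerable, real password:   ", login_vulnerable(db, "demo", "correct-horse"))
    print("vulnerable, crafted password:", login_vulnerable(db, "demo", crafted))
    print("fixed, crafted password:     ", login_parameterized(db, "demo", crafted))
```

Running it shows the string-built query accepting the crafted password without ever knowing the real one, while the parameterized version rejects it.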
The presentation ran 18 minutes. But that's only because of a technical glitch at the beginning (not my fault, but I fixed it) and because I didn't anticipate that the audience wouldn't easily be able to read the phishing email (small text even on the presentation screen) and so I had to read it to them (not in my script).
Afterwards, at a reception, a tall fellow walked up to me, shook my hand, and told me that my delivery of those particular attack techniques was the sharpest, clearest, and most convincing live demo of such he's ever seen (and he assured me he had seen plenty). And that's one compliment I'm never going to forget since it came from a leading industry expert, Jeff Williams, the CEO of Aspect Security (Application Security Specialists) and the chairman of OWASP (Open Web Application Security Project).