Security Conferences: you're doing it wrong

For the most part, I am not a conference person. I have no interest in booths or free pens (free pens that you paid $2000 to get your hands on, fact fans), I rarely bother with the parties or speaker dinners, I avoid keynotes with a healthy passion and usually spend most of the time locked in my hotel room unless I'm doing what I went there for, which is "be a dancing monkey on stage for 40 minutes and hope someone got something useful out of it."

More often than not, it's the same bunch of people speaking at the same bunch of events. If your company has a person who goes to these events and speaks, be happy about it. It's even rarer if you have more than one of them. Even if you're lucky enough to have a security lab with dozens and dozens of people across the globe, the physical act of coming up with an idea, having sufficient research material to cobble together into something coherent and then getting up in front of a couple of hundred people to deliver it isn't for everyone.

So you're stuck with your conference boob. Your single, solitary conference boob who wades through a world of idiocy to do their dancing monkey routine.

Additionally, you can bet hard cash that almost everyone speaking at these events doesn't have "official conference speaker guy" as their primary function (in fact, it likely isn't even listed as a function at all - I certainly don't have it listed anywhere, it's just some random thing that happened and kept happening). Those people will have a whole shedload of tasks as part of their regular duties, plus their home life, and then they have this weird conference thing shunted into the mix sucking time out of the other two.

Then the conferences themselves blunder into view and make everything so very bad.

I've done a lot of conferences in a lot of places. Four RSA events, a bunch of InfoSec Europes, SecTor in Canada, Hackid in Boston, most of the AntiSpyware Coalition conferences, RootCon in the Philippines, VB2011, a collection of small events in India, Singapore and London, along with the semi-notorious CNET Antispyware con of 2005, where someone had the bright idea to put security people like me in the same room as a bunch of adware vendor asshats and watch us tear each other to shreds on stage.

My honest opinion is that the bigger the event, the smaller the amount of care that seems to be taken with regard to the speakers, their wellbeing, commonsense approaches to the talk itself and - the crucial bit - making things as easy as possible for me to do what I need to do.

It blows me away that the biggest pull for most of these events is people rambling at other people from a stage, yet almost no logic is applied to the noble art of not pissing off your speakers.

In my time, I've seen:

* Speakers encouraged to come and present with the promise of hotel costs covered, only for those speakers to arrive - jetlagged, with no money because the currency exchange didn't have any cash or (insert random disaster here) - and the hotel has no card on file, nothing is paid for and the speaker has to fix some shit within seconds of arriving.

* Speakers promised payment for giving a talk, only for those conferences to dick the speaker around for weeks at a time despite having more than enough money in the bank off the back of all those big juicy sponsorships and ticket sales.

* Speakers sent to the wrong rooms, given incorrect information, sent to the wrong building, placed in front of an audience with the most basic thing of all - the presentation - nowhere in sight. Enjoy your crappy start, speaker!

* Way too many other anecdotal horror stories to mention. I did manage to live the dream at RSA Europe though.

Regardless of what horrors the conference throws at you - and it will - more than enough additional things will go wrong to make the experience a crappy (if memorable) one. Exploding toilets, 1984-style televisions, badges that make no sense and emergency fuel dumps are usually par for the course, and the last thing the speaker needs is anything added to the overall mess.

All the conference cares about is getting you on their stage and making a big deal about that fact to hopefully sell a few more tickets. They all seemingly operate in isolation and whatever you do outside their event is irrelevant - however, this disconnect between events isn't the case for the speaker, who typically has to end up mapping out half the year in advance based around an endless chain of other talks.

What we want is a submission date, a deadline, an announcement so we can drop another flashing light on the chart and start planning. What we get is this:

1) Call for papers date announced, deadline announced, announcement date - er - announced.

2) Deadline extended. Wait, now I have to push these other two things back and email this other guy whose thing clashes with some other thing and tell them to hang on. And crap, this means the holiday I was going to book may or may not now clash with some other thing too, so I'll have to hold off booking it just ye-

3) Deadline extended again. Okay, I'm hedging my bets if I'll be accepted for this one, but I'll withdraw my submission from that event and tell my boss I can't now do the stuff I'm actually contracted to do because it'll clash with this conferen-

4) Two days before speakers are notified if they'll be speaking or not, all paper submitters are told the paper selection announcement has been pushed back three weeks, or (even better) no date is given and you're told "soon".

Fuck you security conference.

Once this fiasco is finally resolved, you realise you have about a week to put a 20 to 40 sheet slide deck together along with mapping out what words you're going to pin to it. But by this time, the deck creation clashes with some other event thanks to the endlessly pliable not-very-dead deadlines and everything goes tits up.

"Well, you should make your decks well in advance". No, the security conferences should get their act together, decide on dates and stick to them. I don't pre-roll a 30 to 40 slide presentation months in advance and spend my nights dreaming that my little precious will one day grow up to walk the halls of fame alongside (insert random blogger of choice here).

I send you a thing, you tell me you like the look of my thing, I make the thing bigger and then I give everyone my big thing.

Have fun with that sentence.

Even worse is when a conference extends dates, and then doesn't do anything remotely sensible with it. I once saw a well-respected con doing a "second round" submission for talks to sit alongside the first bunch selected. I'd never sent anything to this one, but I thought things would be pretty straightforward.

How wrong I was.

1) Submit paper on (or just before) 20th September. An autoreply tells me they make a decision "about a week or two after the cfp closes". Okay, fair enough.

2) Deadline is October 15th. Deadline comes and goes, and I'm prodding them to make their minds up twenty-four days after the deadline, well into November. The conference itself is now just under a month away, which means a mad dash to put the finished presentation together if it's actually accepted. On top of this, I had to sort out a rather tricky visa, along with a shrinking window of opportunity for increasingly expensive connecting flights - but all I could get out of them decision-wise was "we're making the final decisions now".

Well, nobody made any decisions so I emailed them the day after and withdrew my submission.

Protip for conference organisers: THIS IS NOT HOW YOU DO IT.

Sometimes I suspect conferences don't actively challenge the idiotic treatment dished out to potential speakers because they're betting on the so called glamour and prestige of speaking at their event overriding the common sense of the speaker.

Good luck with that. I have no issues at all with blacklisting conferences based on crappy experiences, so they won't be getting anything else from me. I'm sure there are more than enough eager beavers to keep throwing themselves at the blender and keep things moving.

Which brings me to RSA.

When I did it in 2007 and 2008, I was left to my own devices. Lots of people turned up to listen to two sets of 50+ slide talks and they went very well, to the extent I have one of those little "top rated speaker" things next to my name.

This time? Oh God, this time. They sent an email with some suggestions for the content. At this point, the suggestions were pretty good and I incorporated what I could into the overall structure. They were already worrying about "number of slides", which was alarming - didn't they know the last talks I did there were full of the things? I went along with it - for now - and removed a bunch of slides, even though I was effectively gutting half the presentation.

Then more and more suggestions came along. I've never seen such a mishmash of contradictory logic, assumptions and plain out silliness sent to me in relation to a presentation. I won't list everything, but some of the belters:

1) The first revision email asked me to remove slides, most of which were images of attacks that they felt had "already been seen". This also had the unintended effect of giving me a "timeline of disaster" presentation without the timeline, because I had to jettison half of it.

Now they were asking me to "put the images back in", while stating that there was too much text. Of the 32 slides that remained, only six had text. Buh?

2) For some reason - presumably wringing out some emotional impact (either that or they assume nobody ever saw a disaster scene before) - they wanted a "real news photo" of the Japanese tsunami for slide 2. This was needless padding, and would only serve to either increase the amount of slides or reduce the text which I felt was actually required. Also note that I wouldn't own the copyright to such an image, but was just supposed to stuff one in there with no context anyway. Thanks, but no thanks.

3) With regard to a slide showing security information resources, a number of assumptions were made as to illustrating how the sites in question were legit. Or, to put it another way, "the speaker doesn't acknowledge the credibility problem or give solutions". I told them that on the basis the entire timeline was images only, I was alarmed that they didn't seem to think this would actually be brought up when physically talking about the slides. Seriously, a group of people on a panel and this isn't immediately obvious? Why are you wasting my time with this?

4) I'll just cut and paste what I sent them for these next ones. Ensuring no stone was left unturned, I now had to deal with the idea that a section called "Fighting Back" was impractical for home users to go fight 419 scammers, even though it couldn't have been more obvious that this was illustrating what security researchers and scambusters had been doing during the month of March:

(You) seem to be misunderstanding what the "fighting back" section is about, and based on a lot of the commentary I'm wondering why (you) accepted the presentation because all of what it's about was outlined clearly in the synopsis:

"I’ll also give examples as to how researchers shut down / prevented 419 senders from claiming fresh victims, including a “419 honeypot” and some of the tactics used to discourage them from sending further 419 mails."

This is clearly the fighting back section; although actually the average person can perform the techniques performed quite easily and this would also be discussed. Just because it isn't written on the slide doesn't mean it isn't up for debate!

5) Same for this one. This is what I sent them in response to them claiming the "Timeline of Disaster" presentation didn't really present a timeline for scammers:

The "scam template" has been broken, due to having to remove half of the timeline. While we can add in a graphic of some description attempting to give an overview, the template itself is never going to be as detailed as it would have been with all the slides included.

6) There were then issues over the fact I would be "dissecting" the examples shown. Uh, wait - isn't that what I was supposed to be doing? Email time:

This suggests a lack of familiarity with how I present, despite being listed as a "top rated speaker" in the conference brochure. Both of my talks in 2007/08 contained something like 40 to 50 slides with detail-heavy subjects such as botnets, yet the talks easily came in under time with enough left for Q&A at the end. If they want a detailed discussion of the timeline and threats, then I need to have the number of slides that are in there.

Again, this shouldn't be an issue given that they would have seen the synopsis I submitted originally:

"At each step, notable examples will be dissected and explained, relating these attacks to non disaster related activities that could easily impact your organisation."

I'm sure you can agree none of this should be a surprise, especially as I'm on record as having successfully given talks at RSA with slide decks totalling 40+.

7) Finally, there were concerns that attendees would already be aware of most of the things I was talking about. My response:

Which raises the question, again, of why (you) accepted the presentation if (you) thought it wouldn't fly. From the synopsis:

"The kind of attacks examined will include Facebook clickjacking, viral Facebook messages leading to fake donation websites, the kind of scams performed by individuals creating fake pages, disaster themed Malware, SEO poisoning used by rogue antivirus products and 419 scam mails."

While I fully expect the attendees to be aware of most of the above forms of attack, I don't expect them to be aware of how these particular scams were deployed during the month of March, how they interacted with one another, how the attack vectors shifted, why the 419ers linger once the initial threats have subsided or any of the techniques used by the security researchers and individuals who took offence to the scams deployed.

For the record, nobody from the conference ever replied to my laundry list of comments.

I even had issues attempting to record a podcast for them - it was booked well in advance, scheduled for midnight my time in Manila on the 8th which I was good enough to make time to stay up for. I was told dial in details would follow - so of course, nobody sent me anything, the whole thing was a waste of time and I had to stay up all over again a week or so later to get it done.

Even when following their guidelines, speakers are having issues. This is not how things should be.

My experience at RSA Europe was one of the most toe-curlingly dreadful conference experiences I've ever had, and I was hoping RSA US would be better. While the talk itself went without any noticeable hitches - and thanks for coming, I hope you liked it, I would have especially liked to give you the original version because that's the one that was lost under the weight of three revisions - the run-up to the talk itself was horrendous and contained way too much dicking around to make any kind of sense.

If you don't trust your speakers enough to give the talks they want to give, go get someone else from your own org to do it themselves, because there comes a point where so much editorial interference means the presentation I'm giving is no longer my own.

Would I speak at RSA again? In the current format, the answer is a resounding no. At this rate, I'll be doing a Beatles and retreating to the studio if security conferences in general don't start getting their act together.