Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

5 Things I don’t want to see

This post stems from a short debate at HAR2009 (at the bar, obviously) over some of the talks that we’d seen at recent conferences. I thought a few times about whether or not to write this up, as I’m pretty sure there will be strong opinions. However, that’s what blogging is for really. I hope this can stir up at least a mild response and make some of the conference organizers think twice about their selection process next year. After all, it’s all about what people want to see.

Have you ever booked to attend a conference before you’ve seen the program? Sure you have; sometimes it’s the only way to get the cheap flights, good hotels and early-bird entry prices. We all do it sometimes. In fact, I tend to book most of my conferences based on reviews of last year’s event, or word of mouth. This brought to mind my 2009 conference experiences so far. Most, if not all, have been very good. Lots of great people and a mixture of good and not-so-good talks. Not everything can be good for everybody though. You can’t please us all. However, with that said, I’m sure they could be better. Don’t get me wrong, I know planning a conference is a very hard thing to do. I’ve no idea how some of these people manage it year after year. However, I also know that nothing changes without feedback. So, without further padding, here are my 5 things (in no particular order) that I don’t want to see at a conference.

  • Another talk about Conficker/W32.Downadup

The Conficker worm has been one of the most talked-about stories of 2009 so far. The media loved it. Mostly because they love everything doom and gloom, but that’s another story. Conficker even won a Pwnie award at Defcon this year for the most over-hyped bug. So naturally everybody and their 3rd cousin’s little sister wants to talk about it. We’ve had talks on how to combat it, talks on how it works, talks on how the AV vendors reverse engineered the worm and learnt how it worked. I saw a talk back at the beginning of the year on how Conficker helped secure people’s networks. I know what you’re thinking, but I tend to agree. Ask me about it over a drink and I’ll talk endlessly about it, I’m sure. Still, that’s not the focus of this little rant (yes, I know this is a rant). To add to the fun, we’ve had all these talks for each different variant of the worm (A through E). Hell, I’ve even seen Microsoft talking about how they worked on the MS08-067 bug and fought against Conficker from the OS side. It was very interesting and I learnt a lot, but still, it’s time to say enough is enough and move on. Things are under control, nothing to see here, please move along. If we’re still seeing talks on this through till CCC in December, then I’ll be disappointed.

  • The Estonia/Georgia Cyberwar

Apart from the large percentage of security professionals who would be shouting “there’s no such thing as Cyberwar”, there is an equally large collection of people begging those who were involved in the various talks about it to move on. The details of both these events, the social aspects, and the possible impact on future conflicts have been examined, and re-examined, more times than most of us would care to discuss. I remember attending a talk on this at last year’s CCC and was already thinking the topic was old by then. I’m sure there are many aspects that still interest people, and they may be valid for a round-table discussion. However, rehashing the same (limited) facts we have on these events doesn’t move us forward from my point of view. With the latest cyber attacks on the US that were rumoured to have come from North Korea (or England, if you’ve read the same information I have), I’m sure the next wave of talks with limited or no firm information is already being sent to the next Call For Papers. I’m sure the people who attend RSA next year will love it.

  • Speakers who’ve been here forever… or the old boys’ club

Now, I know I’m going to get some hate-mail for this one, but I’m sure we’ve all seen it. You turn up to a talk from a speaker who was the hottest thing since pizza pockets at last year’s event (they’re better than sliced bread, right?), just to find that nobody ever asked what he/she was talking about this year. Now, I understand there are some researchers who want to keep things close to their chest for legal, personal, or just comedic reasons. However, a Call For Papers should involve a little more than checking the name of the researcher and simply saying, “he gets accepted, last year he was great”. Surely there should be some kind of review involved. There are a lot of researchers out there doing really good work (see Security B-Sides and Dojosec for more information). It seems sometimes that the new breed of speakers are being left out in the cold while the established speakers (not all, but some) are resting on their reputations and have an almost guaranteed spot at some events. I don’t claim to be able to do better, but I’d rather see 5 new faces with interesting topics than 20 regulars with nothing much to say. The various talks on attacking x.509 at this year’s Blackhat/Defcon spring to mind as a perfect example. I can’t imagine why they’d accept 3 talks that cover almost the same research unless nobody actually read the papers before the acceptance letters were sent out. I know this discovery was the “new hotness”, but really it only needed 1 person to explain the issues in one presentation. You can’t even fault the speakers, because from what I know, they didn’t even know that anybody else had found the issues until they’d given their talks. On the flipside however, I really would like to applaud the Blackhat/Defcon organisers and the whole Metasploit team for putting together a full track dedicated to Metasploit. This goes totally against the “boys’ club” mentality and was a breath of fresh air. I really hope it comes back next year in full force.
Metacon anybody?

  • Let’s start with the basics…

This one is something I’ve been struggling with for a while, and I hope you guys understand where I’m coming from. Last week I sat in a talk that promised to cover advanced XSS exploitation and other “blackhat” techniques. I’m always interested to learn new techniques. After all, as a security professional this is what I do, day in, day out. What happened, however, was all too familiar to people talking about advanced topics or new attacks. They started with 20 minutes of “What is XSS”. That’s 1/3 of the time allotted for the talk, with Q&A included. I know not everybody is at the same level, and I really understand how it feels to be left not understanding the more advanced stuff without having the basics explained. However, this practice of every talk covering the basics quickly before moving on to the real meat of the talk is holding back some good speakers with some really interesting stuff to say. If you claim to be talking about advanced methods of exploitation, then consider skipping the 101 at the beginning. If a certain percentage of the crowd doesn’t understand the basics, then they’ll have no chance of understanding the real technical parts of your presentation anyway. After all, XSS is an easy premise to grasp, but you can’t teach a stranger everything there is to know about XSS in 20 minutes. So why try to achieve the impossible? Leave it to the many good books, or the “intro to…” talks.

  • Look what our product does

I’m sure everybody has seen this before (many times). You see a talk in the conference program that piques your interest, just to find that mysteriously the person talking thinks it’s all about the marketing. Many good presentations have turned into something completely different once the marketing team gets hold of the slides. Sure, it starts out innocent enough. A couple of introduction slides giving details of what company you work for, perhaps a page on the current projects. Then, after the 3rd review phase, you find that the 45 minute presentation now only has about 20 minutes of real content, and a whole lot of “how great are our products”. It’s not always the fault of the speaker, and I almost feel bad listing it here (it could easily have been another topic; I have a few in reserve). This is as much a message to the marketing teams as it is to the conference organisers. Marketing is all well and good. Sometimes the speakers need their companies to stand behind them to enable the research, protect them from the big bad lawyers, and of course cover the costs involved in bringing these things to the public. I understand that companies do a lot of research to gain marketing opportunities. However, when that marketing message takes center stage, and the real content is stuck somewhere in the back, the attendees start to get restless. There is a time and place for marketing. Conferences like RSA, Infosec Europe and some others are all about product placement. The people attending are interested in your products. The technical security conferences are not such a good place for it.

Well, there it is, my 5 things I don’t want to see at the next conference. I didn’t even mention the people who talk up and tease a new tool that’s going to help end the world, just to find out that they’re never going to release it. I also didn’t mention the people who write a fuzzer for some random protocol, file format, or system and then, shortly after the talk and buzz die down, abandon it, never to be looked at again. There are so many things that could easily have made it onto the list, but that’s not what this list is all about. I know I can easily just look at the program and skip the talks that I’m not interested in. I’m sure somebody will say something imaginative like “if you don’t like the talks, stay home”, and I understand the feeling. I can indeed skip the talks I don’t like.

However, my goal here is to make things better for everybody. There are so many researchers out there right now trying to break into the conference scene. Their ideas are good, even if they’ve never presented before, don’t have a large vendor paying for their ticket (or being a conference sponsor), and aren’t talking about the latest buzz around the corporate watercooler (I’m thinking cloud here for some reason). These people need space as well. If we let the same old thing be presented at every conference, then the major conferences will slowly become obsolete.

If people say what they want, then conference organisers will listen. Fill out your feedback forms (I know it’s boring, but it helps), and email people if you think things were too “marketing”. In fact, email even when a talk was good. Sometimes no feedback is a bad thing. Make your voice heard.

4 responses to “5 Things I don’t want to see”

  1. LonerVamp August 24, 2009 at 17:06

    I really agree with #4, especially with a traditionally technical conference. When there are 3+ tracks and talks going on at the same time as you, that means your audience is choosing to miss other talks that may be good. If someone starts out telling me what XYZ is on a basic level and trying to treat the talk like they’re selling it to a non-technical director, I’ll leave and go see another talk that might be more useful. Especially if the talk initially sounded geared towards advanced topics.

    Pardon me, but dive right the fuck in. 🙂 Fine, frame the talk with a few foundational slides and really quick basics. But move on!

  2. Robin September 7, 2009 at 22:41

    Here is a comment, just to make you feel better!

  3. Pingback: Shmoocon 2011 | Cатсн²² (in)sесuяitу
