Postbag Special: This is why security conferences are all messed up
"Doing any more security conferences?"

"I think it might have interested the reviewers if it was a little more technically specific; your talk description sounded more suited to a general audience than an audience of security specialists."
Hmm. So a crowd of people would rather sit through an hour-long talk with a lot of technobabble they might not understand, because "we're security specialists, lol" and we're supposed to act and think and do in a certain way, and anyone falling outside that bracket is automatically excluded because "it ain't security if you understand what the Hell the guy on the stage is talking about".
I go to lots of talks like that where the guy starts rambling on about some obscure method of coding that affects some server application I never heard of, and you know what happens within ten seconds of those bad boys starting? See the bar over there in the next room? Yeah, that's me. Come over and I'll grab you a beer.
You're paying for it, though.
What is this obsession with it only being security if whole chunks of it sound too complicated to understand?
Where are the conferences where we get to hear how to repeatedly punch bad guys into the ground until they start crying? Where is the balance?
And anyway, my background isn't microscopic evaluation (and discussion) of code. It is a more general application of lots of non-security disciplines used to track down scumbags and make them cry.
Don't those methods count either due to them not being in the realm of pure code? Oh well.
"My suggestion is to recast this proposal and resubmit it, but next time include more details on the technology in the examples you will be covering, and have more highlighting about what is going on in the technology of the attacks."
No. Resolutely no, no, no.
If I include a screenshot of some stupid thing happening behind the scenes in a hijack somewhere, or throw in ten minutes of rambling about how a chunk of code kicked into life while some other bit of code did some other thing, have we really gained any insight into anything?
If the actual focus of the talk is some coding thing, or looking into how x does y by a process of eleventy, then great. But if the focus of your presentation is looking at the human cost of a particular hijack, how it affected the people it appeared in front of, what happened in the process of getting said scam kicked off the Internet, then I'm not going to lose any sleep over it because it is irrelevant.
Case in point: at the ASC Conference in Boston, while giving a general overview of the different kinds of attacks I'd come across in the last year or so, I got to the Yapbrowser shambles and simply flipped up a screenshot of the browser installing, before child porn and after.
Afterwards someone came up and said something along the lines that everyone in the room was shocked, took a deep intake of breath, really had the message of the attack driven home to them etc. because they had no idea people were going round pushing web browsers that redirected you to illegal porn.
Job done, some more rage generated against the scum that plagues the net. I know some of those people went off and explored this area further, got involved in takedowns etc.
This is a good thing.
Would that have happened if those more general screenshots had been substituted for a 30-minute talk about the code contained in the browser? Nah. Everyone would have nodded sagely at the code-talk and forgotten all about the fact that some asshat in Russia somewhere is making lots of money from naked pictures of kids. I refuse to separate the human misery peddled by these applications from the main thrust of my argument in all these talks, which is that
scumbags + human misery = SOMEONE NEEDS THEIR ASS KICKING.
There's room enough for all these angles, or there should be. But meanwhile, here's another presentation on Fuzzing.
"Oh also a nitpick... our reviewers are lazy prima donnas and they all hate to click another program to review stuff...So next time make sure you include a .txt version or synopsis. It's tough to figure out if that actually played a part in the rankings but I'm willing to bet at least a few of them looked at it with less scrutiny in the flood of stuff they have to review."
.....now this is interesting. I'm a visual person. I go for the images and the pretty colours. I want to show you what this stuff does. It's almost impossible to create a text-only version of a 37-page PowerPoint presentation where 95% of it is entirely constructed with images and moving graphics.
It's back to that one-size-fits-all thing, I guess. And if you're a "lazy prima donna", then what on Earth are you doing on the panel anyway? But this next quote is the killer:
"Your presentation was a fascinating case study, but I fear the reviewers (and the attendees) are a little jaded about all the abundant classes of malware that seem so prevalent these days."
....wait, what? If people are sick of learning about new kinds of attacks via new types of Mal/Spy/Adware, then why on Earth are they even bothering to show up to these things?
What is it that they're actually listening to and thinking wow, this is awesome!
.....fuzzing?
Sigh.