[this email was in response to a thread which started as a distress call over the unusually poor quality of CFP proposals. It is the start of some thoughts over how to “fix” the Info Sec Conference problem. ]
X-Mailer: iPhone Mail (9A405) From: the grugq <thegrugq gmail com> Subject: Re: [redacted: name + title of the guilty talk] Date: Thu, 5 Jan 2012 11:05:12 +0700 To: [conference committee list] >> I have a different take on it [redacted-name]. I feel there is a lot of new >> security research and work being done out there but it is being hidden >> by the flood of introductory/survey/low-value talks. With 1,791 infosec >> talks at cons record in 2010 (source: http://cc.thinkst.com/statistics/) >> as an industry we've fucked ourselves and have elevated the role of a >> speaking spot at a conference to something mythical and special when in >> reality it has been watered down to the level that we've seen thus far >> with the submissions to [this conference] I agree to a large extent with this analysis, but I think there is another facet that hasn't been brought up yet, which I call the "Episode 17a Ensign #3" problem. (I'll be incendiary first, so if you're impatient you can stop reading now and start flaming.) Essentially (most) security cons are comic / star trek conventions, but with less cosplay and even fewer girls. The conference talk might be styled (somewhat) on the academic lecture, but realistically the audience would rather a Steve Jobs style product unveiling than a lecture. They want some background info to ground themselves and align expectations, then they want the big product reveal at about 40 minutes in; and for a real treat, a "one more thing". (for product unveiling see demo; and don't forget the tool release: "available right now, you can download this today,... and hack the shit out of something") This is entertainment, it is not knowledge transfer. • most regional cons would be vastly improved as informal peer training activities focused events. Like the LUGs and Python groups and so on. Regular meetings to actively do something with a few "event centric" talks thrown in as part of the evenings entertainment but also to guide the discussions and activities along. That's how you get people learning shit, have them actually do it. Novel concept, eh? ;) • the big cons get big names cause they have a symbiotic relationship. And it doesn't require any backhanded arrangements; as a researcher with a new topic to present, you're faced with two choices: blow your wad at NoNameRegional Con, or save it for MassiveMediaExposure con in 4 months. Guess which one will work more towards getting you laid? This is why the big cons get the hit singles and the small cons get supporting acts and "best of greatest hits" talks. It's part of why I think conferences aren't helping the community very much. • other problems include the high value that original research frequently has, far in excess of the cost of the price of a ticket and hotel... This makes independent researchers inclined to maximize value on the market directly, rather than indirectly through conference driven reputation building. For employees, they're in a similar situation except their employers want to minimize liability and maximize ROI on their big name researcher. So they aren't keen to release anything super awesome, for free, at a con (i.e. someone else's branded event). So that leaves a reduced set of potential speakers, combined with an incentive to present something sufficiently interesting to provide entertainment but not sufficiently useful enough that it decreases in value. Note: I say these are incentivized behaviors, not what everyone (or anyone) does or wants to do. • as a conference that isn't swamped with submissions, that means you have to be proactive. For SyScan Taiwan 2011, we made a hit list of topics we wanted, and another list of people who were either subject matter experts on a target topic, or whom we wanted to meet up with. We then spent about 6 weeks chasing every single speaker down personally and inviting them to speak. In the end, if you see our line up, I think it is fair to say this is an effective strategy for getting an AllStar line up. Obviously this isn't effective at finding new talent, because you can't chase down someone you don't know exists). That's why we, as a community need breeder events that help to make the existing conferences stronger by finding the new talent, encouraging them to develop their technical skills and their presentation skills (they got to learn to entertain an audience for an hour, ). Presenting a bit of research at the local security meetup is a good start to a career of talking about typing on a keyboard... Oh right, so how we're all just at a cosplay-free comic con. So the one hour talk format isn't good for knowledge transfer, it rewards entertainers more than pure researchers. This leads to a few super rockstars who deliver(ed) the goods, and know how to do a product unveil at 42 minutes into their slot. This ends with a few Shatneresque rockstars and loads of "ensign #3 from episode 17a, the one where Shatner massaged the heap for an hour and then dropped shells all over everything, it was the first time he did a multiple root in public. So cool!!!" The 1 hour presentation format is completely shit for knowledge transfer. I hold by the barcon inspiring theory that your new research is either simple enough that you can explain it over a beer(ie .5min of content) or something so complex that I want the white paper version to work through at my own pace. There is genuine frustration at the (frequently) horrible Product Unveil style talks which take an hour to reveal 5 minutes of content. On the other side is the frustration at talks which are made up of potentially interesting info, but the slide deck is all lolcats, the code is never released, and the presenter never writes up the white paper.