Saturday, May 12, 2018

The Great Conference Con

Technical Security Conferences are big business nowadays. People attend them in large numbers and people try to convince themselves and others (usually their managers/sponsors) that the most recent conference they went to was "good". In reality, these conferences have almost no redeeming qualities and value whatsoever. This article explains why. 

The first and most obvious issue is that most of the presenters in these conferences are Geeks. Geeks, however, are Geeks, not performers. Geeks signed up to work in companies so that they can be left alone in their studies/labs to hack away at 4AM in peace. Most Geeks are terrible presenters: They do not have natural flow and get stressed when they speak; non-native speakers often have heavy accents when they present, and they tend to get extremely technical. Geeks think that their audience will consist exclusively of Reverse Engineers and Low-level programmers who will be able to process blurry, low resolution screenshots from 50 meters away in real time; not just that they will be able to, that they will actually bother to do it! 

[In reality, Geeks do not care much whether they will get understood by their audience or not. They just want to get the chore out of the way as painlessly as possible and go back to their lab] 


Even when they do have a knack for presenting something to an audience, Geeks get a raw deal out of these things anyway. Most Geeks work for commercial companies who want to make money out of the Geeks' work. The usual deal is that the Geek is expected to work in his own time and find catastrophic bugs that endanger the lives and savings of millions. The more widespread the bug, the more commercial potential it has. Companies usually have a clause in the contract that all research - including research done in the Geek's own time - is pwned by the company while the Geek is employed by the company, and sometimes for years after the Geek has left the company, or even "forever".

In some cases, the Geek will get dedicated research time. This time, however, is usually devoid of all joy and spontaneous creativity since it is governed by strict deadlines, outrageous and often unrealistic objectives, progress reports [which often need to be dumbed-down to the point of being nonsensical in order to explain things to random non-technical bosses], and an overall clinical feel bundled with an omnipresent research manager who plays the role of Damocles' sword. 

If he finds something interesting, the Geek gets - and at the company's discretion is obliged - to submit his work to conferences. If the research is accepted, depending on the conference, the Geek gets paid flights and hotel bookings and sometimes a few hundred bucks on top of that. Normally, the company will insist that the Geek have at least one or two pages at the very beginning of the presentation where the company gets a eulogy for nurturing, supporting and encouraging the research (even if they didn't). The company will often insist that the Geek bundle his research with a live demo and a tool, so that they can sell it more easily. When all is done and dusted, the Geek will get a pat on the back and a beer, and the company will cash out.


Another problem is the very format of the PowerPoint presentation. With the exception of the fairly recent phenomenon of "lightning talks", a presentation is usually timed to go on for about 40', sometimes longer. In a world as distracted as ours, 40' is a fucking long time. The "good" news is that these 40' are almost always pure bloat. There are a few introductory slides about the presenter and his company that no-one gives a shit about, followed by some generic information about the context and the field in which the research took place, that, again (surprise!), no-one gives a shit about.

Usually the presenter saves his punchline for the 3rd or 4th slide before the end. For a 40' presentation, this translates to minute 32' or thereabouts. Most people who've been to conferences know this and either go into the lecture halls around then, or if they are already in the lecture hall they are either sleeping or have their heads buried in their laptops/phones until the punchline is about to be delivered. One can normally feel a certain excitement in the room when "it's time", usually to be disheartened by a punchline that's either limp, non-exploitable, predictable, a flamboyant clone of an older bug, related to an obscure, unusable system or in a few cases just plain wrong. 

[In practice, most presentations can be condensed to 5' or less and could probably be done with 0 talk. The rest of it is pointless conference blabber.]


The vast majority of technical security conferences are not just futile, they are borderline insulting to everyone involved. The after-parties are even worse: anaemic, uninspired parodies of futurist-themed cheap Hollywood drama; only here 95% of the participants are overweight white men, drooling in front of blinking screens with the obligatory Club-Mate in hand. Conference organisers should try self-slapping first, and then move on to different careers.

The *only* exception to this abomination is the almighty Chaos Computer Club's c0ns. 

All hail CCC.