Silicon Shecky

Infosec Practitioner


Simple Post

May 31, 2018 By Michael Kavka

Quick post this week, just to keep posting. With starting a new job this week, I haven’t had the time to really work on an idea for a post. That being said, one thing did cross the Twitterverse this week that I wanted to weigh in on.

Seems there is some controversy over a shirt worn by someone presenting at a conference. The shirt, which had a woman in a more sexual pose (boobs showing? I could not see the picture well), has again divided the community. The big thing here is that most people I know do not see a problem with the shirt in a general sense; they deem it inappropriate to be wearing while on stage in front of people speaking on a topic. Agreed unless the shirt directly related to the topic being discussed. As a speaker you are representing yourself (and possibly the company you work for as a lot of speakers put that information in their slide deck), and this shows poorly on a professional level. Sure, it might be a small hacking con, and in the world of hackers who cares. Reality is different though. When speaking show some decorum please. It makes it easier for people to take you seriously. I am not saying you need to be dressed up, t-shirts are fine. Just something that is not going to cause a fuss or embarrassment to your employer or to the con. It is not that difficult to do.

Now that I have gotten off my soap box, those going to CircleCityCon this weekend, have a great time. If things go well I will see you all there next year.

I also recently did put in a CFP for DerbyCon so we can see if that flies. If not, I will do it again next year. While constantly trying advances to date someone is frowned upon, constantly trying in a lot of other things in this world is smiled upon. This talk I put in for is not a technical talk, but a soft skills talk so it will be interesting to see if it gets accepted.

Until next time, remember this time!

Filed Under: General, Rants Tagged With: Conferences, Rants

Thotcon 0x9

May 11, 2018 By Michael Kavka

Security/Hacking conferences are interesting. Each one has its own uniqueness about it, and yet they are all similar in some fashion, stemming from the “granddaddy” of them all, Defcon. These conferences are all over the place, and in the Chicago area we have two main ones, BSides Chicago and Thotcon.

Now Thotcon just happened over the weekend with the 0x9 iteration. Nine years is a long time to learn and find your voice, and each year should teach a conference something to make it better for the next. The joke the last number of years with Thotcon was the whole undisclosed location idea. For years it was at the same venue, even though they never officially let attendees know until a week or two before. This year, it was a new location, and I would say a huge improvement. The problem with waiting so long to reveal said location is of course people coming in from out of town, and where should they stay. I personally think this can be remedied with a longer heads up. Reveal the location 6 weeks before, so people have time to make reservations at a decent price. Just a thought.

The new location, which I will not reveal where it is, as I said above was an improvement overall. The echo and open space issue that caused problems hearing talks was gone. Each track you could hear the speakers clearly, at least I could. The overall layout was not too bad either. There were downsides also, as Barcon was not as large an area and did not have an easily accessible outside for people to just walk out and enjoy the sun while drinking. The villages were almost out of the way a bit, and the traffic there seemed lighter because of that. The temperature in the building in some areas was an issue also due to the age of the building and where air conditioning was actually available. This issue drove some people up to Track 2 which had the best air conditioning in the building, just to cool down at times. Finally, there was the food issue. The old venue food was inside, and was plentiful. With the move to food trucks because of the venue, Friday saw only 2 trucks which had long lines and eventually no food. People wound up walking a few blocks to get lunch. Food trucks also mean weather could have been a factor, which was not the case as it was nice outside, but should it have been storming there was a potential issue. Saturday saw the addition of a third food truck, and between that and what seemed like lighter attendance on Saturday it seemed to hold up better, even with the long lines still there.

With the switch from a Thursday/Friday to Friday/Saturday the “After Party” was put in between the two days. It also was moved well off-site which is not a bad thing. The venue for that was nice, with 80’s dance music playing and tons of pinball and old school video games to play. The light food there was a nice add on to the candy and free drinks. It did seem to get a little more crowded, or at least packed in compared to past years. Also, I have to wonder if having it in between the two days contributed to what seemed like lower turnout for the con on Saturday.

The keynotes I felt were an overall improvement. Some of that might be from being able to hear them clearly with little distraction, and some from the bigger ideas they seemed to cover. Talks overall were good and well received. I found myself in Track X which was more along the workshop lines most of the time, due to 2 fantastic talks, one each day. The Jaku Puppet Show was definitely a sight to behold and gave some nice levity to the whole con.

I still maintain that Thotcon should give the speakers the choice on whether to record their talks or not. This is a personal preference, as I believe that information should be out there, and there are always talks scheduled at the same time that one has to choose between. I understand the reasoning behind not recording the talks, but in this day and age of social media, things said still can get out of the open and protective shell that not recording the talks is supposed to provide.

When all is said and done, Thotcon 0x9 I felt was an improvement from previous years. There are lessons to be learned from it, but for value it is definitely worth it. I am curious to see how Thotcon 0xA comes together and what is planned to celebrate a decade of Thotcon.

Filed Under: Reviews, Security Tagged With: Conferences, Thotcon

It is CFP season… So what

January 25, 2018 By Michael Kavka

It has begun. CFP season is upon us. Really it tends to go throughout the year, but with Defcon opening up its calls, RSA sending out rejection letters to everyone, and it being early in the calendar year, it seems there are more tweets about CFPs than at other times of the year. Talking at a con is a badge of honor, something to put on a resume, something to make an individual stand out, and we get all up in arms about it.

The world of infosec, I have noticed, tends to be about acceptance and rejection. There are a lot of introverts in our field. Introverts tend to have a tough time with both acceptance and rejection, hence why they do not feel comfortable in situations where an extrovert does. Yes, there are plenty of introverts that play the role of extrovert, but really think about it. We sit in front of a computer screen, doing our thing, research, games, or other stuff, and we get along just fine. Well sort of. We do crave acceptance, and hate rejection, and I am sure somewhere in our psyche our being an introvert is some sort of subconscious method of protection from rejection (disclaimer, I am not a psychiatrist, but have played one on stage). So what does this have to do with CFPs? Everything.

Think about it this way. Human beings are said to be social animals. We get our social on at the cons we go to. Those cons are where we are around our peers, the people who are sharing our interest and passion to make the world more secure. We want to show that we belong, so we put in our CFP. We get rejected, we get down, and imposter syndrome either kicks in or ramps up to higher levels all because we want to be accepted by our peers. We yearn to show that we belong and know what we are talking about. We yearn to make an impact and share our findings, thoughts and experiences. That CFP gets rejected, and boom, there is a slap to our ego, our pride. What makes it worse is we keep preaching that speaking at a con is a great thing to do and everyone should at some point. Except, most of us never will either because we never put in to talk at one, or the cons never select us.

I will be honest here, I spoke at one BSides in Chicago back in 2014. I have not since. I have tried, I put in my CFP just like everyone else. I have gotten tips on how to write a better CFP, and still nothing. I put in the CFP figuring it is going to get rejected, but I still force myself to. Yes, I have imposter syndrome just like many of you do. This year I was thinking about it, while waiting for the first rejection e-mail (which I know is coming within a week of this post per the con's Twitter account), and watched people talking about RSA's rejection letters that they were getting. These are people who are pretty much regulars on the con presentation circuit. People who I have watched present either in person or recorded at a con many times. Some have even been keynote speakers. I came to a multi-part realization about the cons and being a speaker.

First, there are 3 types of cons we go to. The first is the vendor con like RSA. These are the cons where you really need to be speaking on what the vendor wants and extolling that vendor to become a speaker. There is plenty of good information at these cons, they can be fun, but ultimately you need to think like the vendor to get a speaker's slot. The next 2 types tend to merge and shift between each other depending on the organizer and which way the wind is blowing for them. They are the Security con and the Hacker con. Most cons will lean one way or the other. You can usually tell them apart by a couple of factors. Do they focus on the latest and greatest vulnerabilities and exploitation techniques? Yes, well that tends to be a hacker con. Do they record the talks? No, well that tends to be a hacker con. Are they giving many defensive talks? No? That tends to be a hacker con. Are they giving talks about the state of the field, tips on being better in the field with soft skills or looking at our own shortcomings and how to hack around them? No? Guess what, hacker con. There is nothing wrong with hacker cons, I enjoy them, but I will more than likely get rejected from any sort of talk from them. My CFPs tend to lean more toward state of our field or soft skills, because I have yet to come up with a new, good tech talk. You can look at the history of this blog and see I do not put many technical blog posts up there. That is the thing though, we have more hacker and vendor cons than security cons. There are cons out there that try to strike a balance between security and hacking. Some do a decent job of it also, but for the most part cons tend to lean one way or the other. Some, if you look at their talk history, are rather obviously one or the other. Again, nothing wrong with it, but it does limit what we learn.

Second is the “rockstar” status. These are the people who are well known in the world of infosec, and give talks all the time. They might be SANS instructors, well known researchers or people that just are well known and respected. These people will get invited to be keynotes, as well they should. They also, unknowingly, tend to be the cause of new or lesser known speakers not speaking at a con. It is not an intentional thing, they put in a talk and your talk is too similar to theirs, they get the nod. Be it because their CFP is seen first, written in a more catchy way or, if it is not a blind selection process, their name means the con might get a few more people. I know this has happened to me and it was not intentional. Those speakers, who I know pretty well, and I never knew that we were putting in similar talks. It happens. A good number of cons do a blind selection, where they do not see names, but the regular speakers know how to write a compelling CFP (even when it is a 140 word max and no outline is able to be submitted as is the case with a con I put in a CFP to). How do we get around this issue? There is a simple way quite honestly. If a well known speaker and an unknown speaker have put in for the same talk, when accepting the well known let them know about the unknown’s talk and give them the option of reaching out to said person to do a dual talk. This all of a sudden does two major things. It gives the new speaker a great mentor to work with, and it helps get more speakers out there. Simple option, easy to do. The well known does not have to, but give them the option, and be willing to adjust to having it as a dual presentation. It does not take up an extra slot.

Those of us that are not selected for CFPs have other options out there. This blog for instance is my thing. I will probably do some write ups of my rejected talks after I get all the rejection notices. Blogs are a low barrier to entry, and with a little bit of push, can make someone into a well known quantity that cons would want as speakers. It also allows for one to work on their writing skills. There is actually talking with people on Twitter instead of just watching your feeds, again allowing you to become a known quantity. Join Slack channels, speak locally at meetups, or even do a podcast. The options are out there if you want to get the word out on an idea.

The toughest part of all of this is getting over the rejection stigma. Imposter syndrome will always be there. We crave acceptance. Remember though, you need to accept yourself, as you are, in order to truly be happy.

Filed Under: Rants Tagged With: Blogs, CFP, Conferences, Imposter Syndrome
