Silicon Shecky

Infosec Practitioner


Pain Point: The Announcement of the End of Derbycon

January 18, 2019 By Michael Kavka

For those who came in late, earlier this week Derbycon announced that its board has decided that 2019 will be the last year for Derbycon. This of course has been met with dismay, anger, and talk. The statement from Derbycon was it had to do with multiple things over multiple years taking a toll on them, professionally and personally, so they decided it was not worth running anymore after this year.

The first rule I learned years ago about doing something is when you stop enjoying it, do not do it, and move to something new. This is basically what the whole Derbycon decision actually boils down to. Yes, there have been publicly known instances where Social Justice Warriors (SJW) have gone too far. Yes, there have been instances, like the whole Code of Conduct situation, that could have been handled better and way more quickly. Issues, similar or not, come up with every conference out there. I know plenty who are worried that Derbycon shutting down will embolden the SJW people and cause more conferences to shut down.

We have heard of the issues with HOPE. I have heard rumors of Shmoocon having complaints and issues. We all have heard complaints about Defcon, and Spacerogue even mentioned Thotcon has had issues that were handled behind the scenes. So why have these other conferences not capitulated, where Derbycon did?

I am willing to speculate on the actual reason. The following are my own thoughts and opinions; I have no inside knowledge, nor do I have any direct affiliation with Derbycon. Logically it boils down to one of two ideas, and very well could be a combination of both.

First let us look at the organizers, in particular Dave Kennedy. I met Dave at the last Derbycon; he seems like a nice, stand-up guy who really wants to help the field as a whole. He owns Binary Defense and TrustedSec, gets brought onto national news outlets as an expert, and is rather high profile. Recently he took to Twitter to announce he was cutting back on Twitter due to the way things were going for him on it. Speculation is that he was catching flak from people and wanted to make his Twitter more professional. Still, this shows that something was getting to him. I have to imagine that other board members were getting flak about things also. I mean, look at how much gets tossed onto Twitter as it is, so this is completely logical. It also takes its toll on a person. So the first idea is that it basically wore them out to where it is not fun anymore.

The second thought I had was that it was taking a toll on them in a professional sense. Perhaps fewer clients (I am not sure how many on the board work for Dave or own their own companies) or clients dropping them due to affiliation. Again, just speculation.

The truth is probably a little of column A, a little of column B. The difference being that it became too much work, not enough fun, especially with how Derbycon has grown.

What hurts more is the way a good portion of the people who attend Derbycon look at it. It is a mid-size conference, easy enough to get to know people and meet people at. There is an overall cool vibe to it, plus the lobbycon is really good (although I understand it was better at the Hyatt due to the different layout). With so many supporters, the shutdown takes on a life of its own.

Obviously, with conferences having been around as long or longer than Derbycon, there are ways to get past the pain points. The odds that SJW will be able to shut down a conference on its own are very slim, and in this case it was just one of many things, but the most public situation that occurred. Does it suck? Yes it does. Will we go on? Yes we will. There are other conferences that are small to mid-size that are available. Circle City Con, GrrrCon, Thotcon, Cyphercon, Wild West Hackin Fest, Shmoocon are just a few to be named. There are also tons of BSides out there to go to. None of them will actually be Derbycon, but we can make them as fun to be at. Thank you, Derbycon, for the great times.

Filed Under: Rants, Reviews, Security Tagged With: Derbycon

Post Derbycon Wrapup

October 12, 2018 By Michael Kavka

I went to my first Derbycon last weekend, and what a time it was. Yes, Lobbycon is pretty cool. Yes, the entertainment was a blast. The talks were all top rate (after seeing them, I am glad my talk got turned down). I recommend checking out Derbycon if you can, and even if you do not have a ticket, go anyway. There wind up being last-minute tickets available if you watch the Slack channel for Derby.

The fun for me with a con, though, is finding things I can start working on in the environment I have. Derby had a great talk by Michael Gough on WMI Detection that I am going over again so I can implement some of it. Actionable items like these are fantastic, and with certain things going on right now, should be rather helpful.

The name of the game on anything, though, is what impact, good and bad, such things will have on one’s environment. The second question is about the maturity level of your environment, not just technology-wise, but resource-wise. If you do not have the resources to maintain things, then you cannot do them, no matter how automated they might be. Otherwise all you have done is set up a system that won’t get used and has the potential to be a security hole, as it is not maintained.

There are tons of great ideas, theories and thoughts out there, and more pop up every day. Just make sure you are not overspreading yourself.

Filed Under: Reviews, Security Tagged With: Derbycon, Michael Gough

Anatomy of a Rejected CFP

July 26, 2018 By Michael Kavka

Call For Presentations, a staple of any conference. Those of us that come up with ideas to share love and dread them. I wrote about them in my CFP season post earlier this year. Of 4 CFPs I put in for conferences this year, I got rejected for 3 of them. The last one, which is for Derbycon, just came this week. I am not surprised by the rejection, as Derbycon had 125 slots and 495 presentations put in (not 495 speakers; people put in multiple presentations to hedge their bets, I put in just one). Over the last few weeks, I have been impressed with how transparent Derbycon has been with the process. Dave Kennedy tweeted a thank you that showed who was on the panel that reviewed and scored them. There was another tweet from Dave, I do believe, that explained preference levels (score, has the presentation been done before, etc.) used to make the decisions. He even tweeted about how difficult it was deciding who to cut because of how good the presentations sounded. Now the CFP for Derby was blind, so the reviewers did not know PII of who the submissions were from. Some, like Lesley Carhart, Lee Holmes, and Amit Serper, gave thoughts and recommendations based on what they saw (click on their names to see what they wrote).

I figured I would post my CFP here (email address removed) and take a look at it, what I might have done wrong, and one small complaint about the Google Forms (based on what Lesley wrote about outlines). Let's take a dive, shall we?

 
 
 
 


Thanks for filling out DerbyCon 8.0 Evolution - Call for Papers


Here's what we got from you:
DerbyCon 8.0 Evolution - Call for Papers
Use this form if you are looking to submit a talk for DerbyCon. All submitted talks will be reviewed by the DerbyCon CFP review board. If accepted, DerbyCon will reach out via the email address provided in this form. An accepted talk provides admission to DerbyCon for each speaker(s) and $200 cash per talk (to be divided if more than 1 speaker). If you choose to do so, donations are accepted at check in. DerbyCon does not provide reimbursement for travel and expenses. Follow @DerbyCon for additional announcements. 
 
Email address *

Additional email address(es) of speaker(s) 
If there is more than one speaker that will be contacted Example: Karl - creepy@derbycon.com , Bob Speaker - bob@example.net ....(clearly showing name association with email address, separating multiple speakers by commas). This info will be used to contact you, it will not be published 
 
Name(s) of speaker(s) *
Provide your name(s), these will be printed in the handout and on the website unless notice is given
Mike "Shecky" K
 
Twitter Handle(s) of speaker(s) 
Example: Karl - @dorkultra , Bob Speaker - @bobspeaks ....(clearly showing name association with twitter handle, separating multiple speakers by commas). This info will be published on the handout and website unless notice is given
Siliconshecky
 
Speaker(s) Bio *
Provide a brief bio for the Speaker(s)
Shecky has been involved in computers since the late 70's. Over the last 20 years he has worked up from being on the help-desk to Security Engineering roles. He helps organized one of the Burbsec meetups in the Chicago area, has volunteered at B-Sides Chicago in 2017, and Burbseccon in 2018 in Chicago and spoken at Cyphercon in 2018 and B-Sides Chicago in 2014.
 
Talk Title *
This will be the title of the talk
Communication Breakdown
 
Talk Description *
This is the description of the talk that will be put in the DerbyCon handout and website
We have all seen it and experienced it. It lurks all around us, and when shows its ugly head problems get exasperated. We have a communication breakdown so we will breakdown communication. The problems, and possible solutions. Ways to get better at communicating and how to potentially hack ourselves into being better communicators.
 
Talk Outline *
Provide an outline of your talking points. This helps us narrow in on the talks that are a great fit for the con.
I. Introduction
II. The problem
                      A. Talking over people’s heads
                                1. Example
                      B. Talking around the truth
                      C. Treating others like idiots, both in and out of the Cybersecurity Field
                                1. Example
III. Why should we work on communication skills? 
                      A. Buy In from others in the company/client 
                      B. Lower levels of frustration 
                      C. Easier to get help when needed 
                      D. Helps lower the loneliness factor 
                      E. Helps with Social Engineering skills 
                      F. Communication does help secure things 
IV. Different types of communication and how to work on them 
                     A. Written Word 
                                1. Blog 
                                2. Whiter paper 
                                3. Social Media 
                     B. Spoken Word 
                                1. Toastmasters 
                                2. Acting/Improv Classes 
                                3. Speaking at confrences 
                                4. Talk to strangers 
                                            a) Just say hello 
                                            b) Listen first 
                                            c) Talk to at least one new person every conference 
                                            d) Go to local meetups (security or non-security) 
V. Conclusion – hack yourself into becoming a communicator 
VI. Questions 
 
Provide a category for your talk *
Ex: password cracking, social engineering, phishing, blue team, etc
Communication/Social Engineering
 
Has this talk been given before? If so.. Where? 
Let us know if and where this talk was given before
This talk has not been given
 
Talk Length *
How long is your talk? Stable talks are 30 minutes, normal talks are 45. Please note that we reserve the right to change talk times based on available time slots and variety of content.
•         ( ) 30 Minutes (Stable Talk)
•         (X) 45 Minutes (Standard Talk)




Pretty normal, I made one spelling error in the outline (the word conferences is misspelled).

Anything that we can see wrong with the description? Maybe a little grammar near the end:

“We have all seen it and experienced it. It lurks all around us, and when shows its ugly head problems get exasperated. We have a communication breakdown so we will breakdown communication. The problems, and possible solutions. Ways to get better at communicating and how to potentially hack ourselves into being better communicators.”

That last line probably should be combined into the sentence before it. That would be points off then, and can make a difference. When I wrote it, it seemed right to me, but English and grammar are weak points (one of the reasons I write this blog is to get better at both of them).

Next up is the outline. I have adjusted it back to how I saw it when I put it in originally. I did the outline in Word so I could get formatting correct. Lesley said in her blog post about problems she found with some of the CFPs, “Many submissions I reviewed did not include one or the other. In some cases, the submitters provided long bullet lists or paragraphs instead of a tabbed outline that concisely described their talk proposal.”

Above you see a proper outline. The actual e-mail showed my outline like this:

 

Talk Outline *

Provide an outline of your talking points. This helps us narrow in on the talks that are a great fit for the con.

  1. Introduction II. The problem A. Talking over people’s heads 1. Example B. Talking around the truth C. Treating others like idiots, both in and out of the Cybersecurity Field 1. Example III. Why should we work on communication skills? A. Buy In from others in the company/client B. Lower levels of frustration C. Easier to get help when needed D. Helps lower the loneliness factor E. Helps with Social Engineering skills F. Communication does help secure things IV. Different types of communication and how to work on them A. Written Word 1. Blog 2. Whiter paper 3. Social Media B. Spoken Word 1. Toastmasters 2. Acting/Improv Classes 3. Speaking at confrences 4. Talk to strangers a) Just say hello b) Listen first c) Talk to at least one new person every conference d) Go to local meetups (security or non-security) V. Conclusion – hack yourself into becoming a communicator VI. Questions

Notice, it has lost its formatting. I will take blame on this one partially, only due to the fact that I did have it originally in proper outline form, and once submitted it reverted to the paragraph above. This is something I will have to figure out how to prevent next CFP I do, but it would cause points to be removed from my score.

Other items that get talked about, such as fit into the conference’s overall theme/scheme, are tough to judge since that information was not given by Derbycon itself. It is a guessing game there as to how the CFP review board felt on that. Soft skills talks are difficult to get accepted unless a CFP is perfect, at least from my perspective. Truth is I probably should have put this in as a workshop instead of a talk. I mean, who wants to just listen to someone talk about communicating? I do wish we could have gotten feedback from the review board sent to us, but with almost 500 submissions, that is just way too time consuming.

Hopefully this helps some of you out there with what a rejected CFP looks like, and please feel free to comment on and critique mine. Thanks again to Derbycon for being so transparent on the whole process.

Filed Under: General, Security Tagged With: Call for Paper, Call For Presentation, CFP, Derbycon
