So you want to present…

I’ve been attending InfoSec conferences since DEF CON 2, in 1994. Add up all the conferences I have been to, and all the presentations I have seen (in person or video later); quite a few to be sure. In the last year, I have been part of several CFP teams, where we review proposed presentation submissions for possible inclusion in a conference. This includes small conferences like BSides, regional conferences like RVAsec, and the longest running hacker conference, DEF CON. Having the perspective that includes the submission process, as well as talks at a wide variety of conferences, it gives me good insight into the process. After attending or listening to too many bad talks, I eventually took a few notes for an article on giving advice on the topic. Due to time constraints, like many other article ideas, it sat idle for several years.

Earlier this year at THOTCON in Chicago, I saw a very boiled down version of an 8 hour workshop James Arlen (aka @Myrcurial) gives. It is titled “Communication 4 Hackers” and covers a wide range of presentation tips ranging from creating slides to addressing the audience. After the con, I told several people it should be required attendance for anyone in our industry.

Jack Daniel recently posted a blog about the BSides “Proving Grounds” track, in which more experienced speakers mentor newcomers that are new to public speaking. Note that it doesn’t necessarily mean the people are new to the industry, they just haven’t taken the time to give public presentations. After a recent call from Banshee saying three more Proving Grounds speakers needed mentors, I volunteered.

There are a lot of forms of bias in our industry when it comes to talks. Some people think that the popular name will bring a good talk (often not true). Some people think that first time speakers are new all around, not realizing they may just be new to speaking. Some in our industry think that those who speak the most must be good. Others think that the highly technical talks are the best, even when they are over the heads of 95% of the attendees. Regardless of bias, new speakers need to have a shot in a friendly environment, absent the heavy criticism and skepticism that comes with most talks.

All of this factors in to my old notes about speakers. Instead of going over what Arlen covers, or speaks to the point of new speakers like Daniel and Banshee do, I will ask a few questions and give some thoughts. If you are speaking at a security conference, ask yourself these questions. Remember that others got passed over for you to speak. If you don’t deliver top notch material in an entertaining and engaging manner, you have done a disservice to your colleagues. Finally, just because you get a round of applause at the end of your talk, doesn’t mean you did good. The last keynote I attended that was an absolute bomb, yet received a solid round of applause. Given the crowd was full of smart people, I know it was applause signalling appreciation that he actually showed up sober and stayed awake for 45 minutes, nothing else.

Are you an expert?

Are you at the very least an authoritative source? Do you have more than 5 7 years doing whatever you do? Will more than 51% of your audience actually learn from you (as opposed to “enjoy your stories“)?

We all have amusing and informative stories, but they don’t warrant an entire presentation people pay to attend. If you just want entertaining stories, drop 30 bucks and order beer all night at your local comedy club or bar. My stories are just as amusing as yours, and quite different. Yet, 15 years apart and they still teach us the same lessons. You convinced a company in Vegas at DEF CON to give you entrance because you are a customer? That isn’t social engineering, that is how fucking sales works. Who do you think runs these parties? You can take someone else’s scripts, and run them in front of an audience? Great. Doesn’t mean you should. Especially when you don’t know how they work, if they involve overflows, or anything else about them.

Is the talk tailored to your audience?

Personally, I have a rule; I give any talk I do no more than two times. In addition, I only do it twice if they are very different audiences. For examples, the Cyberwar talk I did with Josh Corman at Brucon 2012, we also gave at THOTCON 2013. Not only was the talk updated to reflect new information and references, the audiences were very different with little chance of overlap. It also had little variations in the way it was presented spoke to the European crowd, even when the presentation was US-centric.

Other speakers often do not realize or account for this. Some will give the same talk, with very little variation, half a dozen or more times. I understand why; same talk, “different” audience, often free travel to different venues and more name recognition. Thing is, that is all about you, not the audience. Repeating the same talk to vastly different audiences can backfire in amusing ways. Well, amusing to us who didn’t give the presentation at least. For others, they realized the mistake of joking about the Spanish Inquisition to a largely Spaniard audience a bit late, or the falacy of calling the almost entirely Asian audience “too polite”.

Recycling talks for vastly different locales is fine, but at least tailor it to the audience and remember who you are speaking to. Most importantly, update the presentation between deliveries. If it has been six months since your last talk, and you have nothing new to add, then you aren’t learning or advancing your profession. If your content is getting stale, or you can’t figure out how to update it to keep it relevant, reconsider if you are a good candidate to give this talk.

New Doesn’t Always Warrant a Presentation

Some topics have been covered extensively the past decade. While little in security is set in stone, many things simply do not evolve quickly or much at all. They don’t have major breakthroughs; they limp along with variations and tweaks, or new tricks to make them more effective. For example, Cross-site Scripting (XSS) has been beaten into the ground. Despite that, there were three or four XSS-based talks at a single DEF CON in the past, as well as three SQLi talks at a BlackHat Briefings. Your trivial trick or variation is great, but it isn’t worth an hour-long slot at a conference.

Miraculously, researchers can take a five minute trick and leverage it into a new talk. Getting past a CFP team often requires inflating the claims and using a new bullshit marketing term. The actual presentation turns into a five minute intro with bios, ten minutes of history, five minutes setting the stage for the new gimmick, five minutes explaining the gimmick, a ten minute demo that is drawn out as filler, some parting thoughts about how it can be used, and the rest of the time for Q&A. All said and done, it is still a five minute talk with fluff.

It takes a significant jump to justify a talk on some topics. Any single web-application vulnerability (e.g. XSS, SQLi), social engineering, or most other topics that are part of daily InfoSec life are like this. Did you find a clever new method for an attack, only to demonstrate it on a specifically vulnerable application you wrote? Why not demonstrate it on a real application, even if older and currently fixed? That sends warning signals to CFP teams and audiences alike.

Look, I know there are a ridiculous number of security conferences out there. They need good speakers, and some conferences have lower standards. That doesn’t excuse you for giving a sub-par presentation. Just because you can present on a topic you aren’t qualified for, doesn’t mean you should. Remember, not only are you doing a disservice to your audience, but possibly many more down the road. The fact that you spoke at one conference does help you when submitting to the next. CFP teams like to see prior speaking experience, and we don’t always have the time to watch previous presentations, or find reviews and comments on it.

Questions CFP Judges and Attendees Should Ask

  • Is the talk being recorded? If so, is the video of just the presenter? Is it of both you and the slides?
  • Are your slides available after the talk without video?
  • If I read your slides later, will it be sufficient to learn your material? If not, do they come with a white paper, blog, or additional material?

In short, can someone get the full value of your presentation days or weeks later? While people mock PowerPoint, if done well, it serves its purpose. If PowerPoint is done poorly, it is worthless without the audio component. I know Presi looks slick, but it is utterly worthless without the audio to go with it. Even with audio, it forces someone to go through the talk and have no notes or additional information.

Yes, presenting puts you in the spotlight. It gives you good resume fodder, makes you popular, gets you free entry into cons, and other cool things. That said, it doesn’t mean you should throw a bunch of shit at the CFP wall to see what sticks. Sometimes, there is a lot more value to the industry by focusing on other endeavors, and more people need to realize that.


Tips from a CFP Reviewer

Finally, for those who are submitting talks to conferences, let me give you advice. This comes not only from my own submissions, but from someone who has been on several CFP review boards. Watching and participating in the process for the DEF CON CFP review has been educational on several levels. I hope that these tips will help you to submit better talks, that in turn better help the industry.

  • Five presenters for a 45 min talk? No, that is clearly milking the free entry.
  • If the CFP calls for a “detailed” abstract, and yours fits on a bar napkin? It isn’t detailed. If your bio is longer than your abstract or outline? Also not detailed.
  • I don’t care how important or busy you are. Never have your corporate PR person submit your talk. If you don’t have time to do it, why do we think you have time to properly research your topic?
  • If you can’t follow the simple CFP directions of “fill out this form”, why do you think we trust you to explain more difficult concepts to an audience?
  • If you fail on the above and have to send in a PDF instead of plain text, don’t name it “$convention.pdf”. At least put your last name in the file name, because you can be sure other morons couldn’t figure out the plain text requirement and also sent in a PDF with the same name.
  • Just because you have APT1 or Cyberwar or $currentbuzzword in your title doesn’t assure acceptance.
  • If you phone a submission in, it shows. Really, it’s blatantly obvious to us.
  • Don’t wait until the last minute to submit, especially for a big con. After reviewing hundreds of submissions, those last ones are more and more grueling.

Have questions about submitting to a conference? Want a quick look or feedback before you do? I am willing to help out, time permitting.

Some additional comments from another CFP reviewer, Chris (Suggy) Sumner:

  • A bio is where you list your actual experience, relevant to your talk topic. It isn’t to list all the news outlets you spoke to or unrelated certifications you obtained.
  • I value abstracts which provide a summary of the main result(s) so that attendees can make an informed choice to attend or not. i.e. they can see whether the results rock the world, or are merely interesting. A one line conclusion is always handy too.
  • Outline slides (meaning nearly finished, not just bullets) go a long way for me too. My guess is that many people don’t think about CFP far enough in advance.  I had most of the work ready in February and it took a lot of stress out and meant I could get the submission in early and answer feedback.  Even if research isn’t complete, it should (in most cases) be possible to begin building a nice template.
  • Another niggle is the introduction. I like it when speakers keep it mega brief.  If people want to know more, they’ll read your bio and find you. Odds are, they already read your bio.
  • Perhaps my main observation from this and other cons are that too many people provide little or no detail.  This amazes me. It’s the speakers single opportunity to sell their talk and yet they don’t.  I’m sure this leads to potentially excellent talks getting kicked back.
  • If you get rejected, be sure to bitch about it on Twitter, everyone loves that  😉

Chris brings up a great point. You will get rejected by a CFP team at some point in your life. It sucks, it is discouraging, we all agree. However, if you haven’t been told why you were rejected, don’t bitch in a manner that is negative toward the conference. It may have been as simple as too many good talks, so that other good talks had to get cut. Perhaps that CFP submission you sent in never arrived (as happened with me recently).

More references and advice from Nikita, overseer of the DEF CON review process:

Finally, she gives us this talk by Strom Carlson:

The last thing Nikita wanted to emphasize: simply follow the CFP directions please! Watching the level of crap she had to deal with due to people sending in weird formats instead of plain text, sending in PDFs that didn’t allow for easy copy/paste, or not filling out all of the fields are a royal headache.

3 responses to “So you want to present…”

  1. My tip for the kids – if you want a long and fruitful career in the security industry – worry far more about how you add value to your employers and your clients, than whether your peers think your an expert because you presented at some con. Rejected by some CFP? Fuck it. Get your nose to the grindstone and get your kicks from satisfied customers.

    In a boom-time for the industry, most UK security firms are barely making a profit (check companies house – I ain’t kidding). I think that’s because they are too peer focussed and don’t spend nearly enough time understanding their clients needs and delivering solutions. We are in serious peril of becoming an academic industry and leaving a vacuum for security product vendors to destroy any faith busineses have in us. They need your insight far more than your peers do.

    I’ve done talks. I’ve enjoyed and took value from the talks of others. But it should be a sideshow, not the main event.

    I won’t be at many cons this year. I’ll be busy helping my clients. Maybe your clients if you’re not available ; )

  2. Really glad you wrote this Jericho. I’ve presented at a number of different conferences in the past and still learned a lot from your perspective on it. Going along with what you said about knowing your audience, I think that it’s also important to recognize the skill level of the people you are speaking to. Some crowds are less technical and may require varying degrees of “introduction” before you get to the meat of your presentation. Other crowds (BlackHat for example) are generally extremely technical and you can (and probably should) make some assumptions about things the audience should already know so that you don’t bore them to death. Regardless, thank you very much for taking the time to write out your thoughts and experiences.

Leave a Reply

%d bloggers like this: