Why I Love and Hate Presenting at Security Cons

Hate

I am not really a public speaker. I am nervous when I speak, even on topics I am very familiar with. Part of that is because I hold myself to a high standard for accuracy and ‘no bullshit’ given my history of calling others out on it. Just like I was right to do it to them, anyone in the audience is right to do it to me. My most recent talk has a ‘rule’ at the start that questions can wait until then end, but if I make a mistake speak up immediately. If you are right, I will correct it, apologize, and give you credit for holding me to such standards. If you are wrong, I will mock you. Seems fair! I hate dealing with AV, I don’t like dealing with cons and logistics and setup. This is partially due to past incidents where I am a registered speaker on schedule, and have to spend 15 minutes convincing the staff I am actually a speaker and have been attending that con for a decade just to get a badge (e.g. BlackHat). Every con does a different setup, where you aren’t sure if the speaker laptop will be ‘extending the monitor’ or ‘duplicating the monitor’. This matters for those of us using ‘presenter view’ in PowerPoint. I must have my speaker notes available in most talks as I tend to include dates, numbers, and details that I can’t otherwise remember.

Love

I also love presenting, because when I opt to do so, it is fairly interesting research or perspective. My talks are not technical, they won’t help you exploit a kernel or bypass memory protection. Instead, they are more in line with a historical and unique perspective in some cases (e.g. Anonymous, Cyberwar), or specialized to something I have focused on for two decades (vulnerability databases and related matters like statistics). I fully understand that some of my topics are not for everyone. Hell, they aren’t for most of the industry as far as a talk. While they likely use a vulnerability database, they certainly aren’t interested in the minutiae that goes with it. That doesn’t really matter to me. I’d rather have 20 people truly interested in the talk listening, rather than a ‘standing room only’ situation despite half the room not knowing the material past the first slide. For those handfuls of people out there, I know my presentations are improving on the common body of knowledge.

Hate, with a Twist

My most recent presentation, 112 years of vulnerabilities, has led me to develop a new kind of hate of presenting. The first time I gave the talk was in 2013 at BSidesDE. After the talk, I gave it twice more; once at a community college as a favor to a friend, and at a small boutique conference at a business school of a college. In doing the talk there, the conference organizer and a professor offered to try to get a copy of the ‘Repaired Security Bugs in Multics’ from 1973. What seemed like an impossible-to-find book ended up being a 7 page paper. But she managed to get a copy via inter-library request as a professor. With that simple gesture, the vulnerabilities in Multics I had cataloged jumped from 10 to 16. Thanks A.M.!

Six months later I get to spend some of my little free time going through more historic papers and find another dealing with Multics. Not only do I find more context around material in that presentation, I find that it is actually a lot more detailed and fascinating. The incident I describe actually happened twice, once in 1979 as I outline, and years before in 1974 with different results. The time spent digging into that came shortly after giving the talk to a security company on the east coast by request. Shortly after giving the talk, which extended to two hours with additional detail, Q&A, and a mix of discussion with them, I was approached about the electro-mechanical rotor cipher machines discussed. We got to talking for half an hour where he gave me pointers and information to later research. Before I left that day, he gave me two books on military cryptoanalysis from 1956 that were previously classified. Yep, just laying on his shelf, he had two tomes of incredible knowledge that might help me in cataloging the history of vulnerabilities. I’ve only had an hour or two to go through them so far. While I determined the first book had no usable information, the second is a treasure trove. A single appendix of that book appears to have information that will double the vulnerability entries I have on such machines and the compromise of their crypto systems. Thanks J.M.!

Every time I find such information, it makes me regret giving the talk. While the talks were given to show perspective and it was clear the history was incomplete, I hate that my audiences didn’t get all of the information. Doesn’t matter that I didn’t have the information originally, I feel that I should have taken more time to research all of this better. I’m both afraid and excited that every time I give this talk, someone else will come forward with a wealth of new knowledge. It is an absolute delight for the vulnerability historian in me, but an absolute dread for someone who can’t stand delivering less than a complete talk.

Moving Forward

Since the first time I delivered the talk, I have had several people tell me I should write a book on the vulnerability history I outline. There is certainly an abundance of material there, and boiling it down to a 45 minute talk has caused me to deliver the talk at a faster pace each time. Part of me wants to write such a book, and release it as a free e-book to the community. It would be fun doing so. On the other hand, it would also take months of dedicated research to finish a true preliminary overview of such history and time is a valuable commodity to say the least.

So to my previous attendees, I apologize. I certainly hope you enjoyed the talk, but I really hope you understand that this is work in progress. Work that I have been doing for a long time, and will continue to do. At some point, if I come up with a more complete work, I hope to be able to share all of it with you in some fashion.