Customer Service; Why I am mad before we start talking…

Back in the early ’90s, as part of my interest in phone systems and BBSs, friends and I looked at creating our own voice mail system. Back in the day, voice mail was still a developing technology. It wasn’t just about calling a number and leaving a message if no one answered. Hackers and phreaks used voice mail for diverting (via their outdial features), trading information (hijacking legit voice mail), and setting up their own hacker voice mail systems with menus that led to current information about phone hacking. These systems could understand DTMF and had fairly simple, if not deep, menu systems.

Jump to today with elaborate phone support systems that tie into databases, transfer calls across continents within seconds, and offer a variety of features. From 1993 to 2013, that gives 20 years of advancement and innovation. When a current support system has issues, it pisses me off. I get that today’s systems are more advanced, but we were already doing some of that functionality as a hobby 20 years ago. Largely, the issue is the standard Quality Assurance (QA) issue; the company does not test the system from the customer perspective.

To illustrate this, and to explain why I am frequently pissed off beyond words by the time the nice support representative says “hello”, I will use CenturyLink tech support (800-247-7285) as an example. While there are variations between support lines, this one is indicative of the problems that routinely set me off.

The Call

Welcome to Centurylink… For English please stay on the line… [Spanish]… pause

What happened to giving native speakers a ‘1’ to bypass this? Don’t make me wait for a secondary language message.

I have your phone number as… (identify my #) … one moment while I retrieve your account

The first time I enter my phone number. From here, the system accesses my account and has all of my information. They provide my phone service, long distance, and Internet connection.

Next, I am given options and select ‘Internet Repair’.

I have your account information… please hold while I evaluate your service… there doesn’t appear to be any open repair tickets. If you can’t connect to the Internet, press 1.

Next, it gives me an option to perform some automated tests via the voice prompt system, or I can choose a representative, which I do.

Please enter your phone number where you can be reached.

The second time I have to enter my phone number. I am glad systems ask for a call-back number in case of disconnection, but the phone company knows my number.

You can quickly chat online from a computer with a representative by using ctlchat.com.

I just selected “Internet Repair”, and the first advice they give me is a web site I can’t access because I have no Internet service.

Your account information is confidential and protected by law. Advise our agent if you prefer we don’t use it to market the products OR repair service. This has no effect on the service or offers we’ll provide.

What does this mean exactly? That if I don’t want them to “market the products” to me, then I also don’t get my service repaired? Yet, it has no effect on the service they will provide? This level of double-speak is infuriating.

While on hold waiting for a representative…

There is no limit to what you can do with high-speed internet from Century Link. Imagine an Internet up to 40 megabytes, now they can be yours…

Seriously? Not only am I calling because my service isn’t working, you taunt me with this? For the last 10 years, I have had 7mb service with a whopping 0.8mb upload speed. Every six months, I call and ask if they can offer faster. When CenturyLink put up billboards advertising up to 40mb two miles from my place, they still did not offer it. Years later, when a friend that lives 100 yards from me can get it, I still can’t. I have asked for a business connection and offered to pay more, still nothing.

After several minutes and the repeated frustrations above, you finally come on the line. You greet yourself, then promptly ask me for my name, phone number (third time), billing address, and last four of my social security number.

That is why I am always mad when I speak to you.

My Penguin Encounter

Yesterday, I went to the Denver Zoo to attend one of the new Animal Adventures. For 90 minutes, we got a guided tour of the Bird World exhibit, as well as behind the scenes access to the kitchen, and private time with a penguin (the real reason to go). We sat down in the visitation room, and shortly after, Mattie (Matty?) walked in! She is a 5 year old penguin, and the only one the zoo staff considers suitable for in-person viewings like this, because she was raised from a chick by zoo staff. The other penguins they consider safe, but slightly unpredictable, so they don’t allow them for visitation.

Mattie the penguin

Penguins are clearly a threat to security, and they get checked for weapons frequently. OK, not really. Stupid humans like to throw shiny coins into zoo exhibits with water (e.g. penguins, seals), and don’t consider that the animals are curious or may mistake it for food. The zoo staff keeps this metal detector wand on hand to periodically check the penguins for coins in their stomach. If the penguins can’t pass the coin naturally, they have to be taken for surgery.

penguin and metal detector

Penguins are very curious creatures. Mattie did laps around the room investigating everything and everyone. It is pretty easy to get her attention with the right noises, or colorful objects like the wristbands we wore. She enjoys being scratched under her chin, and despite the menacing beak, does not bite hard at all. By this point, I was seriously considering my odds for picking her up and bolting for the exit.

me and a penguin

A larger gallery of images is available on attrition.org.

My kind of reality TV…

Reality TV has become a staple for U.S. television. We all know that a majority of the shows are complete trash, and yet millions tune in religiously to watch them. In some cases, it is no different than watching a car wreck or a scene of utter amazement. Almost everyone who watches TV has at least one reality show they watch, even if it is a guilty pleasure. I certainly have a few.

Survivor used to be an entertaining show, but went downhill over the years as their attempts to inject a fresh angle were poorly executed and simply not creative. Hell’s Kitchen is entertaining, but primarily because Gordon Ramsay delivers a level of verbal abuse that would make some drill sergeants nod in respect. COPS has become routine, but I still enjoy it when a dumbass shows the textbook way to get tased. Ninja Warrior (Japan more than US) is entertaining, as it demonstrates a level of physical ability that few will ever know. I watch these shows because of the entertainment value, but also as background noise while working. They simply aren’t engaging enough on their own to warrant full attention.

There are two reality shows that stand out to me, as they went in a different direction. Instead of throwing people into a scripted and absurd situation before calling it ‘reality’ (e.g. Big Brother, Jersey Shore), some shows throw people into a very different situation for our entertainment, and education.

Solitary

From Wikipedia:

Solitary is a reality show on the Fox Reality Channel whose contestants were kept in round-the-clock solitary confinement for a number of weeks with the goal of being the last contestant remaining in solitary…

And that is the beauty of this show. For most competitions determining elimination, contestants were competing against themselves. Confined in their rooms, with only a robotic voice giving direction at times, they would keep doing a given task that got more difficult until they could take no more. At that point, they would hit a buzzer to indicate they were done. Each time they hit the buzzer, they had no knowledge of the other contestants so they never knew if they were the first to buzz out. As such, each contestant gave it their all. In addition to the eliminations via contests, some physical, some mental, they were participating in a larger contest every minute. When the pressure of being alone after having their identity stripped (they were only referred to as a number by the computer voice) was too much, they could buzz out of the entire contest.

No social game, just a test of self-determination to see the extent a person can persevere.

The Colony

From Wikipedia:

The Colony is a reality television series that is produced by the Discovery Channel. The program follows a group of people who must survive in a simulated post-apocalyptic environment.

Season 1 is set in a post-apocalyptic Los Angeles, with 10 people living in an abandoned warehouse. While food and water are a daily struggle for them, the group is well-stacked for creativity and ability: handyman, carpenter, machinist, computer scientists, and more. By the end of the show they have solar power, lighting, a shower, working radio (transmitter and receiver), and a lot more in the way of living. The group is put through many tests, often in the form of raiders, or other survivors begging for food and water to test the group’s unity. After surviving for almost sixty days, and losing one group member to an unknown incident, they are given a chance of escape and do so. The simulation is pretty well done and gives a rough idea of what life might be like. It shows how each person copes, how the group bonds as well as fights, over the smallest things. Commentary from an engineer, psychologist, and disaster consultant gives insight as to what they are building, their mental state, and what options they have given the landscape.

Some of my gripes about season 1 are addressed early in season 2. Instead of attackers that push, shove, and menace, the colonists in season 2 are instantly pepper sprayed by the first large band of marauders. This forces them to use precious supplies like milk to neutralize the stinging. Season 2 also carries more dead weight; not everyone has life training in a discipline that has immediate use. A 22 year old model and a 70 year old man are in the group, giving a better spectrum of who may survive. Set on the edge of the bayou, this colony simulates a viral outbreak where every encounter with marauders must be done with masks and the threat of exposure. If possibly exposed during the struggles, they must self-quarantine for 12 hours, and are only allowed to rejoin the colony if there are no signs of infection (e.g. fever, vomiting). In each case, while simulated, it gives a good glimpse into what a lack of society looks like. It shows how our minds work and how we can quickly descend into the types of people we looked down upon weeks earlier.

Know of any other reality shows along these lines? Let me know!

Why Squirrels…

I get that question frequently, for obvious reasons. Not only is the attrition.org mascot a demented angry squirrel named Lazlo, but I seemingly have a serious fixation on squirrels if you read my Twitter stream. For over two years, I have been feeding squirrels that made their way up to my balcony, some that come from a block away across a large parking lot. As a break from work, I will go to Denver’s City Park and feed the squirrels there. While part of my obsession with squirrels is sincere, part of it is for show because it is fun.

The core of the squirrel fandom comes from reading about and observing them. While some people see them as pests, in reality they are a great animal that exhibits traits our society could use more of. Sure, some of their traits are amusing and suggest they aren’t bright animals. For example, it is sometimes reported as ‘fact’ that squirrels forget where they bury half of their nuts. For every ‘fact’ such as this, you can find research that will contradict it in both directions. Quite simply, there are too many factors at play to really gauge this (e.g. other squirrels finding a stash, re-caching, wet conditions letting smell find a cache and dry conditions forcing them to use memory, etc). There is still debate whether squirrels use their memory, smell, or a combination of both to remember where their caches are. Regardless of the answer to that question, in reality, squirrels demonstrate great intelligence in many ways; enough to keep people glued to YouTube watching their cleverness.

Turning to relative experts on squirrels, we see examples that set them apart. As summarized in this NYTimes article:

In their book “Squirrels: The Animal Answer Guide,” Richard W. Thorington Jr. and Katie Ferrell of the Smithsonian Institution described the safe-pedestrian approach of a gray squirrel eager to traverse a busy avenue near the White House. The squirrel waited on the grass near a crosswalk until people began to cross the street, said the authors, “and then it crossed the street behind them.”
[..]
Reporting in the journal Animal Behaviour, the Steele team showed that when squirrels are certain that they are being watched, they will actively seek to deceive the would-be thieves. They’ll dig a hole, pretend to push an acorn in, and then cover it over, all the while keeping the prized seed hidden in their mouth. “Deceptive caching involves some pretty serious decision making,” Dr. Steele said. “It meets the criteria of tactical deception, which previously was thought to only occur in primates.”

Squirrels don’t only learn from us humans, they have demonstrated that they even learn from each other. You call it crime, they call it survival! Still think squirrels are stupid? Consider that squirrels masturbate to avoid sexually transmitted diseases. This is the tip of the iceberg! Even casual behavior can have unexpected consequences. Some 30,000 years ago, squirrels buried fruit seeds in the Siberian permafrost that were only recently found and regenerated into flowering plants, described as “the most ancient plant material to have been brought back to life”.

Finally, in the theme of cleverness, consider what a squirrel can figure out to get to a safe and renewable food supply:

For some reason, humans will frequently consider squirrels a pest while feeding and watching boring birds. Sure, birds are colorful, but yawn! In fact, some people will go to great lengths to try to keep squirrels out of the bird food. Despite that, squirrels are dedicated and tenacious, which can also provide amusement for us because we know they will move on to another food source if needed:

Like many animals, including humans, squirrels can be extremely fierce and protective if their young are threatened, or even when predators try to descend on their fallen comrade.

In summary, squirrels are cute, fun to watch, have great tails, and are intelligent little creatures. They exhibit many great traits like cleverness and have been around as long as, if not longer than, us humans. Honestly, what’s not to like?

Would you like to know more?

Finally, if you don’t accept my reasons or like squirrels, here is some advice for you!

lazlopissed - wordpress

A Personal Challenge

A personal challenge, as in, the kind where I challenge myself. Last year, I got my friend Tamba a birthday gift of entry into the Tough Mudder Colorado. Since I was not in appropriate shape, I signed up as a spectator and ended up photographing the event. Two nights before the event, Tamba broke his ankle. Undeterred, he iced it on the drive up, wrapped it, and ran the race. After seeing that, I figured I should challenge myself.

This year, I got him the same present and signed up myself to participate. If you aren’t familiar with the Tough Mudder, or similar events, it is designed to test your endurance and physical ability. It isn’t enough to run the course, which is 11 – 12 miles in Colorado. You face 20 or more obstacles, some of them quite challenging (read: brutal).

This morning we got out of Denver on time but ran into a slight problem. During our philosophical discussion of post-apocalyptic planning and survival options, we missed our exit. Before we realized it, we had overshot by some 25 miles (the next exit happened to be many miles from the last). Our 1:20P start time was looking grim. By the time we turned around, parked, took the shuttle, checked in, and dropped our bags, we joined the final starting group of the day at 2:00P. This was a concern to me because the Mudder has a ‘cut off’ time (4:30P this year) where you may get sent down the mountain a much quicker way, out of the event. This meant I had to do about 5 miles of uphill, from 7,400 feet to a summit of 9,600 feet, in 2.5 hours. Given my asthma, that didn’t look feasible. Having been sick the entire week with a bad cough and serious congestion, that didn’t bode well either. This also meant that I started the race on about 350 calories, as we didn’t have time to get a bit more food in Avon, CO as planned. Doh! Clearly not my ideal circumstances for running the Mudder, but I didn’t have any other option.

This year’s course:

mudder-course

Of the 11 miles, I ended up doing about 9.5 of them. At the top of obstacle 6 (The Gauntlet), because it was right at 4:30, we barely made the cutoff (or were minutes late). Instead of cutting us off, we got moved directly into the downhill part of that obstacle, going over huge snow/ice ‘ramps’. These were rough as the ice was jagged and cutting many hands trying to slide down them. Upon reaching water station 3, I was dizzy and light-headed, and it didn’t go away with rest and water. Over ten minutes later, it was clearing up a tad but not going away completely. I sent Tamba up a brutal half mile+ uphill while I cut over to where water station 4 is (but it wasn’t really there). This gave me another 20 minutes to recover so I could continue the course. While we were only at ~ 9,000 feet, the lack of oxygen was affecting me and I am sure it was mild altitude sickness as well as dehydration. By the time Tamba got around that loop, I was ready to go on. From water station 5 to obstacle 15 was the final uphill push of the course, or so I thought. I slowly made it up that one, but didn’t have the energy for the very last uphill between obstacle 17 and 18. From just past 17, I took the access road down to obstacle 19 before finishing the course.

Ultimately, the lack of food as well as the amount of uphill (more than last year) sapped me completely. My legs were a constant dull pain by halfway through the course, and my back had a sharp pain from mile 2. Usually a solid hike does not hit my back at all, even in similar trail conditions. While I didn’t quite do the full course and had to skip some obstacles, we were on the course for over 4.5 hours.

Starting at 2P, we were able to catch up to the other 2 people running from Tamba’s gym (Amy and Lecia) who started at 1:20P as planned. Despite my very slow pace on the uphill, we ultimately passed some people and finished about an hour before the final person. While recovering, we also watched as an 80-year-old man crossed the finish. That is hardcore. Team Up Gym:

An exhausted, hungry, bruised, and sick me:

The one upside to all this? Post-Mudder dinner! This was the first time I was able to eat a plate of nachos without Tamba yelling at me about fat and calories. The other thing? Biggest plate of nachos I’ve seen in my life, from Dillon DAM Brewery (note the fork for size reference):


A Directionless Panel Paid Off…

Recently at BSidesDenver 2013, I moderated a panel called ‘Everything is Pwned’. Or at least, that is what I posited. I had loose guidelines to qualify that, and one panelist called me out for not being as specific as I should have been on them. He also called me out because I didn’t have a direction and I wasn’t following a narrative. However, that was for good reason.

While I believe in what I posited, I don’t think it is specifically a new idea, and it doesn’t solve anything. My direction was establishing and agreeing on the fact that everything worth owning is owned, or will be. After some debate over that premise including several points dancing around the issue, Nickerson eventually responded “so what?” and that is where the panel turned around and found direction.

Johnson mentioned the companies he consults for fly under the radar, and believe they are safe through a combination of moderate to good security, along with “attackers not being interested in them”. I don’t doubt that the companies believe that, but otherwise I don’t think that is true at all. There are a metric butt-load of automated scanners and malware out there attacking everything all day long. This rogue software doesn’t see “Company X”; instead it sees “a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.” Add to that the bad guys that are interested in you. The dreaded “APT1” isn’t just about the big guys; they want other computers to proxy through, other computers that may have a trust relationship they can exploit, or information that may be of some value. Meanwhile, lower end attackers are looking for web servers to deface, servers to host phishing pages, and a wide variety of other shady or criminal activity. I don’t think those companies are flying under the radar; I think they too are owned, and just don’t realize it.

Before the panel, I believed everything is owned. I didn’t know what it meant or the full implications, other than the security industry has failed us. If so many resources have been compromised, and we can’t uproot an embedded attacker even after reinstalling entire networks, what hope do we have? I was already thinking in the direction Nickerson took us on the panel, but he found the words and pushed me over the hill in my own thinking.

So what if everything is owned? Nickerson argued that ultimately, it doesn’t put the company out of business. If it posed a real risk, they would designate resources to fix it. Even after all these breaches, all these losses of credit cards, stock dips, and more, the number of companies that actually go out of business is negligible. Corman reiterated that point when he reminded everyone that a credit card number is of virtually no value on the street, is easily replaceable, bears no liability on the end consumer, and will continue to be that way moving forward.

With the number of breaches and signs of compromise out there, I still believe everything worth owning, is. After the panel and further thinking, I think Nickerson and Corman make good points. If a common target of a breach is credit card data, which is easily replaced and has almost no financial impact on the company or consumer, why does it matter? Hundreds of big companies with incredible security budgets have been popped; it isn’t about reputation any more. If Google and Microsoft can’t keep their networks safe, why would we expect a smaller company with a fraction of the budget and expertise to?

Ultimately, that is about where the panel ended. Operate under the assumption that your network is compromised. Quit spending so much money trying to defend everything; that is like trying to put a fence around a national park. Focus on trouble areas, or those of the greatest concern, or that mean the most impact if something goes wrong. Quit thinking of your network as a castle, when the attacker has mortars and missiles. If you are losing the war, and losing most battles, at least try to protect your most valuable assets as best you can.

bsides2013-panel

So you want to present…

I’ve been attending InfoSec conferences since DEF CON 2, in 1994. Add up all the conferences I have been to, and all the presentations I have seen (in person or video later); quite a few to be sure. In the last year, I have been part of several CFP teams, where we review proposed presentation submissions for possible inclusion in a conference. This includes small conferences like BSides, regional conferences like RVAsec, and the longest running hacker conference, DEF CON. Having a perspective that includes the submission process, as well as talks at a wide variety of conferences, gives me good insight into the process. After attending or listening to too many bad talks, I eventually took a few notes for an article giving advice on the topic. Due to time constraints, like many other article ideas, it sat idle for several years.

Earlier this year at THOTCON in Chicago, I saw a very boiled down version of an 8 hour workshop James Arlen (aka @Myrcurial) gives. It is titled “Communication 4 Hackers” and covers a wide range of presentation tips ranging from creating slides to addressing the audience. After the con, I told several people it should be required attendance for anyone in our industry.

Jack Daniel recently posted a blog about the BSides “Proving Grounds” track, in which more experienced speakers mentor newcomers that are new to public speaking. Note that it doesn’t necessarily mean the people are new to the industry, they just haven’t taken the time to give public presentations. After a recent call from Banshee saying three more Proving Grounds speakers needed mentors, I volunteered.

There are a lot of forms of bias in our industry when it comes to talks. Some people think that the popular name will bring a good talk (often not true). Some people think that first time speakers are new all around, not realizing they may just be new to speaking. Some in our industry think that those who speak the most must be good. Others think that the highly technical talks are the best, even when they are over the heads of 95% of the attendees. Regardless of bias, new speakers need to have a shot in a friendly environment, absent the heavy criticism and skepticism that comes with most talks.

All of this factors in to my old notes about speakers. Instead of going over what Arlen covers, or speaking to the point of new speakers like Daniel and Banshee do, I will ask a few questions and give some thoughts. If you are speaking at a security conference, ask yourself these questions. Remember that others got passed over for you to speak. If you don’t deliver top notch material in an entertaining and engaging manner, you have done a disservice to your colleagues. Finally, just because you get a round of applause at the end of your talk, doesn’t mean you did good. The last keynote I attended was an absolute bomb, yet received a solid round of applause. Given the crowd was full of smart people, I know it was applause signalling appreciation that he actually showed up sober and stayed awake for 45 minutes, nothing else.

Are you an expert?

Are you at the very least an authoritative source? Do you have more than 5, make that 7, years doing whatever you do? Will more than 51% of your audience actually learn from you (as opposed to “enjoy your stories”)?

We all have amusing and informative stories, but they don’t warrant an entire presentation people pay to attend. If you just want entertaining stories, drop 30 bucks and order beer all night at your local comedy club or bar. My stories are just as amusing as yours, and quite different. Yet, 15 years apart and they still teach us the same lessons. You convinced a company in Vegas at DEF CON to give you entrance because you are a customer? That isn’t social engineering, that is how fucking sales works. Who do you think runs these parties? You can take someone else’s scripts, and run them in front of an audience? Great. Doesn’t mean you should. Especially when you don’t know how they work, if they involve overflows, or anything else about them.

Is the talk tailored to your audience?

Personally, I have a rule; I give any talk I do no more than two times. In addition, I only do it twice if they are very different audiences. For example, the Cyberwar talk I did with Josh Corman at BruCON 2012, we also gave at THOTCON 2013. Not only was the talk updated to reflect new information and references, the audiences were very different with little chance of overlap. It also had small variations in the way it was presented that spoke to the European crowd, even though the presentation was US-centric.

Other speakers often do not realize or account for this. Some will give the same talk, with very little variation, half a dozen or more times. I understand why; same talk, “different” audience, often free travel to different venues and more name recognition. Thing is, that is all about you, not the audience. Repeating the same talk to vastly different audiences can backfire in amusing ways. Well, amusing to us who didn’t give the presentation at least. For others, they realized the mistake of joking about the Spanish Inquisition to a largely Spaniard audience a bit late, or the fallacy of calling the almost entirely Asian audience “too polite”.

Recycling talks for vastly different locales is fine, but at least tailor it to the audience and remember who you are speaking to. Most importantly, update the presentation between deliveries. If it has been six months since your last talk, and you have nothing new to add, then you aren’t learning or advancing your profession. If your content is getting stale, or you can’t figure out how to update it to keep it relevant, reconsider if you are a good candidate to give this talk.

New Doesn’t Always Warrant a Presentation

Some topics have been covered extensively the past decade. While little in security is set in stone, many things simply do not evolve quickly or much at all. They don’t have major breakthroughs; they limp along with variations and tweaks, or new tricks to make them more effective. For example, Cross-site Scripting (XSS) has been beaten into the ground. Despite that, there were three or four XSS-based talks at a single DEF CON in the past, as well as three SQLi talks at a Black Hat Briefings. Your trivial trick or variation is great, but it isn’t worth an hour-long slot at a conference.

Miraculously, researchers can take a five minute trick and leverage it into a new talk. Getting past a CFP team often requires inflating the claims and using a new bullshit marketing term. The actual presentation turns into a five minute intro with bios, ten minutes of history, five minutes setting the stage for the new gimmick, five minutes explaining the gimmick, a ten minute demo that is drawn out as filler, some parting thoughts about how it can be used, and the rest of the time for Q&A. All said and done, it is still a five minute talk with fluff.

It takes a significant jump to justify a talk on some topics. Any single web-application vulnerability (e.g. XSS, SQLi), social engineering, or most other topics that are part of daily InfoSec life are like this. Did you find a clever new method for an attack, only to demonstrate it on a specifically vulnerable application you wrote? Why not demonstrate it on a real application, even if older and currently fixed? That sends warning signals to CFP teams and audiences alike.


Look, I know there are a ridiculous number of security conferences out there. They need good speakers, and some conferences have lower standards. That doesn’t excuse you for giving a sub-par presentation. Just because you can present on a topic you aren’t qualified for, doesn’t mean you should. Remember, not only are you doing a disservice to your audience, but possibly many more down the road. The fact that you spoke at one conference does help you when submitting to the next. CFP teams like to see prior speaking experience, and we don’t always have the time to watch previous presentations, or find reviews and comments on it.

Questions CFP Judges and Attendees Should Ask

  • Is the talk being recorded? If so, is the video of just the presenter? Is it of both you and the slides?
  • Are your slides available after the talk without video?
  • If I read your slides later, will it be sufficient to learn your material? If not, do they come with a white paper, blog, or additional material?

In short, can someone get the full value of your presentation days or weeks later? While people mock PowerPoint, if done well, it serves its purpose. If PowerPoint is done poorly, it is worthless without the audio component. I know Prezi looks slick, but it is utterly worthless without the audio to go with it. Even with audio, it forces someone to sit through the entire talk, with no notes or additional information to refer back to.

Yes, presenting puts you in the spotlight. It gives you good resume fodder, makes you popular, gets you free entry into cons, and other cool things. That said, it doesn’t mean you should throw a bunch of shit at the CFP wall to see what sticks. Sometimes, there is a lot more value to the industry by focusing on other endeavors, and more people need to realize that.


Tips from a CFP Reviewer

Finally, for those who are submitting talks to conferences, let me give you advice. This comes not only from my own submissions, but from someone who has been on several CFP review boards. Watching and participating in the process for the DEF CON CFP review has been educational on several levels. I hope that these tips will help you to submit better talks, that in turn better help the industry.

  • Five presenters for a 45 min talk? No, that is clearly milking the free entry.
  • If the CFP calls for a “detailed” abstract, and yours fits on a bar napkin? It isn’t detailed. If your bio is longer than your abstract or outline? Also not detailed.
  • I don’t care how important or busy you are. Never have your corporate PR person submit your talk. If you don’t have time to do it, why do we think you have time to properly research your topic?
  • If you can’t follow the simple CFP directions of “fill out this form”, why do you think we trust you to explain more difficult concepts to an audience?
  • If you fail on the above and have to send in a PDF instead of plain text, don’t name it “$convention.pdf”. At least put your last name in the file name, because you can be sure other morons couldn’t figure out the plain text requirement and also sent in a PDF with the same name.
  • Just because you have APT1 or Cyberwar or $currentbuzzword in your title doesn’t assure acceptance.
  • If you phone a submission in, it shows. Really, it’s blatantly obvious to us.
  • Don’t wait until the last minute to submit, especially for a big con. After reviewing hundreds of submissions, those last ones are more and more grueling.

Have questions about submitting to a conference? Want a quick look or feedback before you do? I am willing to help out, time permitting.


Some additional comments from another CFP reviewer, Chris (Suggy) Sumner:

  • A bio is where you list your actual experience, relevant to your talk topic. It isn’t to list all the news outlets you spoke to or unrelated certifications you obtained.
  • I value abstracts which provide a summary of the main result(s) so that attendees can make an informed choice to attend or not, i.e. they can see whether the results rock the world, or are merely interesting. A one line conclusion is always handy too.
  • Outline slides (meaning nearly finished, not just bullets) go a long way for me too. My guess is that many people don’t think about CFP far enough in advance. I had most of the work ready in February and it took a lot of stress out and meant I could get the submission in early and answer feedback. Even if research isn’t complete, it should (in most cases) be possible to begin building a nice template.
  • Another niggle is the introduction. I like it when speakers keep it mega brief. If people want to know more, they’ll read your bio and find you. Odds are, they already read your bio.
  • Perhaps my main observation from this and other cons is that too many people provide little or no detail. This amazes me. It’s the speaker’s single opportunity to sell their talk and yet they don’t. I’m sure this leads to potentially excellent talks getting kicked back.
  • If you get rejected, be sure to bitch about it on Twitter, everyone loves that  😉

Chris brings up a great point. You will get rejected by a CFP team at some point in your life. It sucks, it is discouraging, we all agree. However, if you haven’t been told why you were rejected, don’t bitch in a manner that is negative toward the conference. It may have been as simple as too many good talks, so that other good talks had to get cut. Perhaps that CFP submission you sent in never arrived (as happened with me recently).


More references and advice from Nikita, overseer of the DEF CON review process:

Finally, she gives us this talk by Strom Carlson:

The last thing Nikita wanted to emphasize: simply follow the CFP directions please! The level of crap she had to deal with due to people sending in weird formats instead of plain text, sending in PDFs that didn’t allow for easy copy/paste, or not filling out all of the fields is a royal headache to watch.

T-Mobile SMS Disclosure

Yesterday while waiting for a friend to arrive for a movie, I got a curious text from an unknown number with a 337 area code, saying that I had the wrong number. Since I had not called or texted that number, I replied as such. A few texts later, the stranger sent a screenshot of their phone showing that I did send them messages.

Looking at my sent messages, the messages received by my friend, and the screenshot from the kind stranger, I figured out what happened to some degree.

I sent a string of text messages to my friend. She received most, but not all of them. For whatever reason on the T-Mobile side, they decided to send a few of my messages to the stranger. Note that my friend and the stranger do not have similar numbers, and that they are in different area codes even.

[Screenshot: Screenshot_2013-06-04-16-59-20]

What is odd is that the stranger got a few of them, but not all, not even all of the ones sent in the same ~5 minute period.

[Screenshot: Screenshot_2013-06-04-16-59-11]

Further, my friend got one of the messages that also went to the stranger. So not only were some mixed up and sent to a stranger, one went to multiple people. It’s pretty clear that this was a one-off situation, but it makes me wonder what happened, if it happened to other people, and/or how widespread it was. The obvious implication of this issue is that a sensitive SMS redirected to an arbitrary person could be embarrassing to say the least.

Figured I would document it here for posterity, so that if it happens again to someone else, they can hopefully find a record of prior incidents.