Why I Love and Hate Presenting at Security Cons

Hate

I am not really a public speaker. I am nervous when I speak, even on topics I am very familiar with. Part of that is because I hold myself to a high standard for accuracy and ‘no bullshit’ given my history of calling others out on it. Just like I was right to do it to them, anyone in the audience is right to do it to me. My most recent talk has a ‘rule’ at the start that questions can wait until then end, but if I make a mistake speak up immediately. If you are right, I will correct it, apologize, and give you credit for holding me to such standards. If you are wrong, I will mock you. Seems fair! I hate dealing with AV, I don’t like dealing with cons and logistics and setup. This is partially due to past incidents where I am a registered speaker on schedule, and have to spend 15 minutes convincing the staff I am actually a speaker and have been attending that con for a decade just to get a badge (e.g. BlackHat). Every con does a different setup, where you aren’t sure if the speaker laptop will be ‘extending the monitor’ or ‘duplicating the monitor’. This matters for those of us using ‘presenter view’ in PowerPoint. I must have my speaker notes available in most talks as I tend to include dates, numbers, and details that I can’t otherwise remember.

Love

I also love presenting, because when I opt to do so, it is fairly interesting research or perspective. My talks are not technical, they won’t help you exploit a kernel or bypass memory protection. Instead, they are more in line with a historical and unique perspective in some cases (e.g. Anonymous, Cyberwar), or specialized to something I have focused on for two decades (vulnerability databases and related matters like statistics). I fully understand that some of my topics are not for everyone. Hell, they aren’t for most of the industry as far as a talk. While they likely use a vulnerability database, they certainly aren’t interested in the minutiae that goes with it. That doesn’t really matter to me. I’d rather have 20 people truly interested in the talk listening, rather than a ‘standing room only’ situation despite half the room not knowing the material past the first slide. For those handfuls of people out there, I know my presentations are improving on the common body of knowledge.

Hate, with a Twist

My most recent presentation, 112 years of vulnerabilities, has led me to develop a new kind of hate of presenting. The first time I gave the talk was in 2013 at BSidesDE. After the talk, I gave it twice more; once at a community college as a favor to a friend, and at a small boutique conference at a business school of a college. In doing the talk there, the conference organizer and a professor offered to try to get a copy of the ‘Repaired Security Bugs in Multics’ from 1973. What seemed like an impossible-to-find book ended up being a 7 page paper. But she managed to get a copy via inter-library request as a professor. With that simple gesture, the vulnerabilities in Multics I had cataloged jumped from 10 to 16. Thanks A.M.!

Six months later I get to spend some of my little free time going through more historic papers and find another dealing with Multics. Not only do I find more context around material in that presentation, I find that it is actually a lot more detailed and fascinating. The incident I describe actually happened twice, once in 1979 as I outline, and years before in 1974 with different results. The time spent digging into that came shortly after giving the talk to a security company on the east coast by request. Shortly after giving the talk, which extended to two hours with additional detail, Q&A, and a mix of discussion with them, I was approached about the electro-mechanical rotor cipher machines discussed. We got to talking for half an hour where he gave me pointers and information to later research. Before I left that day, he gave me two books on military cryptoanalysis from 1956 that were previously classified. Yep, just laying on his shelf, he had two tomes of incredible knowledge that might help me in cataloging the history of vulnerabilities. I’ve only had an hour or two to go through them so far. While I determined the first book had no usable information, the second is a treasure trove. A single appendix of that book appears to have information that will double the vulnerability entries I have on such machines and the compromise of their crypto systems. Thanks J.M.!

Every time I find such information, it makes me regret giving the talk. While the talks were given to show perspective and it was clear the history was incomplete, I hate that my audiences didn’t get all of the information. Doesn’t matter that I didn’t have the information originally, I feel that I should have taken more time to research all of this better. I’m both afraid and excited that every time I give this talk, someone else will come forward with a wealth of new knowledge. It is an absolute delight for the vulnerability historian in me, but an absolute dread for someone who can’t stand delivering less than a complete talk.

Moving Forward

Since the first time I delivered the talk, I have had several people tell me I should write a book on the vulnerability history I outline. There is certainly an abundance of material there, and boiling it down to a 45 minute talk has caused me to deliver the talk at a faster pace each time. Part of me wants to write such a book, and release it as a free e-book to the community. It would be fun doing so. On the other hand, it would also take months of dedicated research to finish a true preliminary overview of such history and time is a valuable commodity to say the least.

So to my previous attendees, I apologize. I certainly hope you enjoyed the talk, but I really hope you understand that this is work in progress. Work that I have been doing for a long time, and will continue to do. At some point, if I come up with a more complete work, I hope to be able to share all of it with you in some fashion.

You have a new security initiative? Great, here’s some advice…

I am getting frustrated with the never-ending stream of ‘new’ security initiatives being announced. Doesn’t matter if they are community driven, compliance-based, or ‘industry standards’. For twenty years, we’ve heard it over and over, yet things just aren’t changing.

Most of these initiatives flop. Some may make it months or even years, limping along with virtually no support. Even projects with hundreds of people involved or supporting represent such a tiny fraction on the InfoSec industry, let alone the general IT industry, to say nothing of the rest of the world. In a few cases, the ‘new’ idea might even make a slight improvement for 0.000001% of the world. At best…

Largely though, they are worthless. People sometimes even spend more time banging on the initiative war-drum than the end result. Worse, for every one announced that does any real and lasting good, another hundred end up wasting time and going nowhere.

So you want to announce a new initiative to save the world? Great! How about instead, skip the initiative name, the policy, the name, the graphics, and the rest of the things that take time from actually doing something. Don’t talk about the project day in and day out. Just do good.

If you really feel that a structured movement with lofty ambitions and a brand are required, then do good first. Show the world you are serious and capable. Announce your new initiative on the back of a big ‘win’ or change. That will demonstrate you have the drive and dedication. Come out of the gate on the back of something concrete, not fluffy bullet points that are indistinguishable from any for-profit security company or charlatan.

Yes, everyone knows you want to ‘help’ and ‘protect’ and ‘improve’ and ‘secure’. The exact same thing everyone else in the industry says, both good and bad. And like many of them, your new initiative may not deliver either.