DEF CON 26 CFP Basic Statistics and Observations

This is the second blog in a series about DEF CON 26 CFP. The first:

A Look Into the DEF CON CFP Review Board (we’re actually really boring people)


First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year, as I did last year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily to track the way we voted. This greatly assists the powers that be (the amazing Nikita) to more quickly determine which talks are well-received. Due to time constraints, I was not able to track as much metadata, so this blog will be shorter than last year’s.

First, a few bits of information:

  • DEF CON 26 CFP opened on January 16, 2018
  • DEF CON 26 CFP closed on May 01, 2018
  • Two talks were submitted after closing date and were considered for various reasons
  • We received 551 submissions (up from 536 last year)
  • Four of the submissions were withdrawn by the submitters by the end of CFP
  • BlackHat received around 1,000 submissions this year for comparison

A recurring theme in these blogs and our Tweets throughout the CFP process is strong encouragement to submit early. While we did get a share of submissions in January and February, you can still see the huge spike we experience in April (a majority of them the day before CFP closed), and May (on the day it closed). The two weeks between the end of CFP and the time when acceptance/rejection letters are sent out become stressful as we’re under deadline to review talks, try to get last minute feedback when we can, and make final decisions.

Of the 551 submissions, 107 were accepted (19.4%). There were 388 unique male submitters, 39 unique female submitters, and 14 anonymous submissions (note: we only catalog based on the gender, if known, of the primary speaker). Of those 14 anonymous submissions, 3 were trivially identified because the submitter didn’t scrub their submission properly or submitted work that had been presented before and was caught with a quick Google or Bing search.

Of the 551 submissions, 173 (31.40%) said they would release a new tool. 77 (13.97%) said they would release an exploit, up from 56 (10.53%) last year. Of all the submissions, 216 (39.20%) were also submitted to Black Hat and 51 (9.26%) said that speaking at DEF CON was contingent upon Black Hat accepting their talk. Only 73 (13.25%) submissions were also submitted to BSidesLV. Of the 551 submissions, 122 of the speakers had presented before at DEF CON, and an additional 28 had presented before at a DC Village or Workshop.

Unfortunately, time did not permit me to properly track ‘red’ vs ‘blue’ vs ‘black’ submissions, nor categorize the talks. That said, 11 talks were about ‘Artificial Intelligence’ and/or ‘Machine Learning’, even if some of them didn’t quite seem to know what those terms really mean. Ten submissions were on the topic of, or heavily related to, blockchain. Eight submissions came with an ultra-creative title that included “for fun and profit”, four included “all your $blah belong to us”, two submissions used “pwned” in the title, and fortunately for our sanity, none wanted to make $blah great again.


That’s it! I realized this is a bit more brief than last year, but the time requirement of reviewing all of the submissions is crazy. Finding extra time to maintain the sheet is rough, and generating even more statistics or tracking additional metadata just can’t happen sometimes. Fortunately for me, this year Highwiz stepped up and did an incredible amount of work filling in data, especially while I was lost in the mountains for a few days. 


A Look Into the DEF CON CFP Review Board (we’re actually really boring people)

Written by Highwiz with contributions and editing from Jericho

Being on the DEF CON CFP Review Board can be as exciting as {something}; as frustrating as {something}; as thought provoking as {something}; and as enriching as {something}. It’s like mad libs, I hope you’ve filled in this section with something good.

Each year, myself and somewhere between 16 and 20 other reviewers take on the responsibility of selecting the best possible talks for DEF CON.

Oh, I should also apologize in advance as you read this first entry in the CFP Blog series. I apologize because I am not known for my brevity. In the “written word” and especially when it comes to something I’m passionate about, I tend to be wordy AF. [See, like that sentence: Could have just said “Hope you enjoy”, but nope – not me…].

I do genuinely hope that someone finds these blog postings helpful and that it will allow submitters (or potential submitters) some insight into the way we work so as to better prepare their submissions in the future.

In its original form, this post was about as dry as some of the white papers we read that were included in several submissions. Speaking of, white papers help tremendously when we’re reviewing your submissions, and if you include one, you’re already ahead of the pack. Sadly however, while White Papers do indeed help your chances during the CFP, they make for really shitty blog posts.

While we’re on this wildtangent of things that are related to the CFP Board but not actually part of the CFP Process itself, let’s talk about the term “CFP”. Above, I mentioned white papers; while the term CFP originally did mean “Call For Papers”, it doesn’t anymore. Most people don’t submit papers. When you think about the term CFP, you should really think of it as Call For Presentations. I know I’m not the first person to say that and I definitely won’t be the last, but still, it bears saying.

Alright, back to the topic at hand…

This year, the DEF CON Call for Presentations (CFP) Review board was made up of 16 “General Reviewers”, six “Special Reviewers”, and two members of the DEF CON staff.

The DC CFP process is not “blind”, meaning reviewers can see each other’s votes, and we see who submitted it unless they specifically opt to stay anonymous (and properly scrub their submission). There are merits for both open review and blind review, but we’ve found that an open review significantly helps our process as there is a lot of good discussion about each individual submission. One reviewer may spend considerable time digging into the topic, researching prior disclosures or talks along the same lines, or offer their personal in-depth knowledge which typically helps several others better understand the topic and state of research.

If you submitted a talk to DEF CON this year, then all of the General Reviewers most likely reviewed and discussed your talk. While these reviewers tend to agree on many talks, there are also submissions that cause arguments and intense heated discussions. Most of the review board members have a very extensive vocabulary and seem to enjoy finding new and creative ways to use the word “fuck” in a sentence (both in the positive and negative). Though, while the topic of vocabulary is at hand, let me say this to my fellow review board members: y’all motherfuckers need to find a new word besides “pedestrian”. I’ll leave it at that.

As reviewers, every year we’re often left wondering why certain people have chosen to submit to DEF CON and whether or not they actually understand what type of conference it is. A prevailing sentiment on many submissions is “This is not a DEF CON talk”. While the content may be of significant quality, the question we often ask ourselves is “is this talk right for DEF CON?”. Sometimes the answer is that while it would be good at a developer conference, RSA, or BlackHat, it simply wouldn’t be right on a main stage at DEF CON. DEF CON is, or at least it strives to be, a hacker con first and foremost.

TL;DR : This is DEF CON, please bring your “A” Game.

The Time Commitment

Often times people ask to be on the CFP Review Board because it is an honor and privilege to be among the group that selects the presentations for DEF CON… It’s also a giant time suck, which people sometimes fail to realize (or believe us when we tell them).

Now for the more formalized explanation of that so my “editor” doesn’t get pissed:

It’s been stated before, but being on the DEF CON CFP Review Board is an enormous time commitment. In the first few months, the average time a reviewer spends on talks is ten to twenty hours a week, depending on the volume of talks received. In the last two weeks, when everyone is rushing to submit before CFP closes, the time required rises to forty or more hours a week. The DEF CON CFP Review Board, like many other CFP Review Boards, is an entirely volunteer activity that many times becomes a second job. This is one of the big reasons we encourage people to submit earlier, and not wait until the last minute. Total time spent for a General Reviewer is probably in the range of 280 working hours.

The rule of the board for a General Reviewer is to do as many talks as you feel you are able to, but hit at least 70% of the talks. In practice and as far as the other general reviewers are concerned, you should be getting as close as you can to 100% of the talks. If the other reviewers feel that you’re not pulling your weight (so to speak) they will call you out. We’re like the fremen in that sense, crysknife and all. In less nerdy terms, no one wants to get shanked in the exercise yard because they didn’t review enough talks.

The topic of the exercise yard leads us into our next area, the prison guards… I mean, the DEF CON CFP Review Board staff.

The Defcon CFP Review Board Staff

Nikita and Alex are the foundation of the Review Process. They post the talks, interact with the submitters, deal with the reviewers when we’re cranky and obstinate (we can really be bitches sometimes), reshape the feedback given by the reviewers and transmutate those turds into flowers and candy before the submitters view it. They are the fecal alchemists and without them, the process would not work.

Similarly, there is the non-official review board staff member in the form of Jericho who tracks our submissions, votes, and other information. He categorizes the talks for us while providing amazing feedback and insight into anything vulnerability disclosure related. Like Nikita and Alex, Jericho is an integral part of making the DEF CON CFP Review Board function and prosper.

The fourth person (another unofficial one) who deserves a great amount of credit for making sure that people keep up with their reviewing is our own special CFP Vocal Antagonizer in the form of Roamer. If a review board member is slacking they can be certain that Roamer will “gently” remind them that they need to review talks. This is an important role as we want as many of the review board to provide feedback and vote on a talk as possible. This ensures more reviewers see it and provide commentary based on their diverse backgrounds. In other words, Roamer is like a shot caller; if you don’t sack up and do the tasks assigned to you, you’re going to wake up with a horse head in your bed.

Both Jericho and Roamer are inspiring examples of what it means to truly care about the hacker and DEF CON communities. On a personal note, it’s also pretty cool that I get to call Nikita, Jericho, and Roamer, these amazing people, my friends. I say that because after all these years, they still talk to me, even though I can be a bit dramatic.

While we’re on the topic of dramatic people, let’s talk about our special reviewers. I’m just kidding, where drama is concerned all of them pale in comparison to yours truly.    

Special Reviewers

Our special reviewers are subject matter experts who specifically comment and give their feedback on talks in their “wheelhouse”. There are many talks where the “general reviewers” simply don’t feel fully qualified enough to make the necessary judgement of a “yes” or “no” vote. Sure, they are familiar with a topic to some degree, but just don’t spend their lives immersed in that corner of security.

Everyone in InfoSec “knows” about pen-testing and social engineering for example. However, unless that is their primary tradecraft and they have been doing it for a decade or more, they may not be keeping up with the latest tools and techniques. In such cases, the general reviewers will typically “defer” to the subject matter experts. The input provided by the Special Reviewers this year has been invaluable in helping shape what DEF CON 26 will be.

Discussions

The DEF CON CFP Review Board has a unique style in how they (we) review talks in contrast to many other CFP Review Boards. There is oftentimes a lot of discussion that goes on about individual talks that plays a key part in the process. The reviewers do not live in a vacuum when reviewing the individual talks; rather, they are encouraged to communicate with one another openly on the system so as to provide a higher quality of talk selection. Sometimes the discussions may turn heated, but at the end of the day it does improve the final selection. “Heated” is a really nice term. It’s a really nice term because when we say it, you may think we might mean like a “hot summer day” when in fact we mean the fires of Mordor, or whatever is causing a burning sensation in the nether regions.

That being said, on the Review Board, it’s very important to be open to new ideas and perspectives, which such discussions strongly facilitate. I don’t think the DC CFP review board would work nearly as well under any other type of system. Conversely, what works for “us” may not necessarily work as well for other CFP Review Boards.

How do I get on the CFP Review Board?

First, are you really sure you want to? Do you really have the time? The numbers we posted before about the time commitment weren’t an attempt to oversell things (in fact they are probably conservative estimates). As a review board member you will be dedicating that much time to reviewing talks over a three to five month period, with the final weeks being absolutely brutal. And if you don’t? You’ll find yourself being called out or greenlit by a shot caller. And then the best option there is you may not be asked back the following year. Remember, you are helping to shape the tone, feel, and content of DEF CON, the longest-running hacker convention, now attended by over 25,000 people. That is an incredible responsibility and you are helping ensure that attendees get value from the talks they attend.

Still want to do it though? OK. Talk to some CFP Review Board members at DEF CON 26. That’s it… just do that. Judge for yourself based on how they describe it, the good and the bad. If any of them describe a breezy stroll through a nice park with flowers and chipmunks, walk away. They aren’t telling you the whole story.

Why don’t you have a CFP Review Board Panel at Defcon?

First, it would be super boring. Invariably the attendees are going to ask us a lot of questions that we can’t answer about specific submissions. While we may “vague” tweet or generally answer a question, we can’t and won’t provide specifics on submitted talks beyond what Nikita and Alex have provided as official feedback, and then only to the person that submitted the talk. So the panel would consist of a lot of jokes, high-level “CFP tips”, and not much more value. If you really want to “know” more about the CFP, just find out where some of us hang out at DEF CON.

Before we end this first entry in this series of three or four posts, I would like to take the opportunity to thank you for reading along thus far. Jericho and myself worked on this entry, but he shouldn’t be held responsible for my tangents, side notes, and improper use of some punctuation.

Credit Roll

First and Foremost, we really need to thank those people around us (friends, family, significant others) that deal with us during the three to five month a year process of reviewing talks. They truly are the unsung heroes. They know we can’t go into specifics, but they’re there to listen to us bitch and moan about “that talk”. They understand us during this endeavor when we forgo plans to hang out with them or we’re not in bed until three hours past normal time. Without their support, we could never accomplish the task laid out in front of us.

General Reviewers

Jericho Roamer HighWiz Shaggy
bcrypt Vyrus Zoz Claviger
Suggy Wiseacre Secbarbie PWCrack
KingTuna Medic Dead Addict ZFasel

Special Reviewers

Andrea Matwyshyn w0nk Malware Unicorn
Snow Kodor Grifter

DEF CON Staff

Nikita Alex

DEF CON Founder

The Dark Tangent

Shoutouts

We’d also like to give a big shout out to the Workshops Review Board. While they are a separate entity from the CFP Review Board, their contributions to DEF CON are just as important.

Tottenkoph Munin Sethalump DaKahuna
CyberSulu Kodor SinderzNAshes Wiseacre
HighWiz

In part two of the series we will be covering the statistics, because that’s the type of thing that makes some of us (but especially Jericho) super wet.

With part three will come our thoughts, and comments on the Submission Form and the Questions we ask.

Part four will be some lessons we’ve learned along the way as well as ideas for improving things in the future.

One last thing, Jericho is totally the Jimmy McNulty of the CFP Review Board.


Continue reading the second blog in this series, “DEF CON 26 CFP Basic Statistics and Observations”.

Building a better InfoSec conference…

There is an abundance of information security conferences out there. While the industry is drowning in these conferences, a lot of them are producing more noise than value. Increasingly, people are realizing that even a moderate security conference is a profit center. We need fewer conferences that are more topical and offer more value, whatever the price. In addition to the frequency of conferences, most of them are doing the same exact thing. There is a serious lack of creativity and forward-thinking. It was only the last few years that saw a couple conferences dedicate entire tracks to defensive security.

I have been attending security conferences for almost 20 years now. Based on my experience, as well as being on several CFP review teams, there are many aspects I want to see in the future.

  • More talks or entire tracks dedicated to sociology and human sciences, as relates to the security world. We see this from time to time, usually in passing regarding security awareness or phishing. Attacker profiling is a stronger use, but most talks are over-simplified and don’t cover new ground.
  • Talks on law and policy are more frequent lately, but they don’t seem to do much good. In the recent DEF CON 21 CFP review, we received many talks that focused on law and/or policy. There was one trend that emerged among all of them: no practical information on how the average person can truly make a difference. Sure, write your congress critters, stay informed, and all the usual advice. That hasn’t worked in the past. What else do you have?
  • Heckling should be encouraged. Several years ago, DEF CON changed to where questions or comments were not allowed during talks. The years prior, if a speaker said something that was not factual, you could quickly call them on it. It gave the audience a chance to see the error with minimal interruption. Now, questions are done after the talk, in a separate room, away from the audience. If a speaker says something inaccurate, the audience leaves thinking it was factual. This is a disservice to the attendees. Speakers must be kept honest.
  • Continuing that theme, all talks should have a mandatory 5 minute Q&A session at the least. It is rare that a speaker is so decisive and thorough as to leave no questions. If an audience member wants to debate a point or call them on bullshit, they get an opportunity to do just that.
  • More lightning talks, with a twist! Having 3 presentations in an hour gives more researchers a chance to share their progress and ideas. It gives a brief platform for them to find others that may want to help, or get ideas for moving forward. The twist? A gong. If a talk is bad or going nowhere, don’t even give them their 15 or 20 minutes. Gong them off the stage and let the next lightning talk start.
  • Most conferences solicit talks (the CFP), have a review team decide which are worthwhile, and create a schedule. It would be nice to see conferences follow this process to weed out the crap, but then put all good talks up for community vote. Based on the feedback, use it to determine what the masses want to see and then build a schedule off the higher voted talks.
  • Speakers should not only explain why they are presenting, they should justify why they are the ones giving the talk. Not a general resume with 20 years of security experience either. What specifically have they done that warrants them giving this talk? Pen-testers with a few years of experience should rarely give a talk on pen-testing or social engineering, unless they truly have groundbreaking material. They should be required to make their slides available shortly after the convention. The slides should properly reference and footnote prior work, source images, and give credit to what influenced them.
  • Conferences should solicit feedback from the audience, and give it to the speakers so that they may improve their talks in the future.

These are but a few ideas for improving conferences. Have your own ideas? Leave a comment!

So you want to present…

I’ve been attending InfoSec conferences since DEF CON 2, in 1994. Add up all the conferences I have been to, and all the presentations I have seen (in person or video later); quite a few to be sure. In the last year, I have been part of several CFP teams, where we review proposed presentation submissions for possible inclusion in a conference. This includes small conferences like BSides, regional conferences like RVAsec, and the longest running hacker conference, DEF CON. Having a perspective that includes the submission process, as well as talks at a wide variety of conferences, gives me good insight into the process. After attending or listening to too many bad talks, I eventually took a few notes for an article giving advice on the topic. Due to time constraints, like many other article ideas, it sat idle for several years.

Earlier this year at THOTCON in Chicago, I saw a very boiled down version of an 8 hour workshop James Arlen (aka @Myrcurial) gives. It is titled “Communication 4 Hackers” and covers a wide range of presentation tips ranging from creating slides to addressing the audience. After the con, I told several people it should be required attendance for anyone in our industry.

Jack Daniel recently posted a blog about the BSides “Proving Grounds” track, in which more experienced speakers mentor newcomers that are new to public speaking. Note that it doesn’t necessarily mean the people are new to the industry, they just haven’t taken the time to give public presentations. After a recent call from Banshee saying three more Proving Grounds speakers needed mentors, I volunteered.

There are a lot of forms of bias in our industry when it comes to talks. Some people think that the popular name will bring a good talk (often not true). Some people think that first time speakers are new all around, not realizing they may just be new to speaking. Some in our industry think that those who speak the most must be good. Others think that the highly technical talks are the best, even when they are over the heads of 95% of the attendees. Regardless of bias, new speakers need to have a shot in a friendly environment, absent the heavy criticism and skepticism that comes with most talks.

All of this factors into my old notes about speakers. Instead of going over what Arlen covers, or speaking to the point of new speakers as Daniel and Banshee do, I will ask a few questions and give some thoughts. If you are speaking at a security conference, ask yourself these questions. Remember that others got passed over for you to speak. If you don’t deliver top notch material in an entertaining and engaging manner, you have done a disservice to your colleagues. Finally, just because you get a round of applause at the end of your talk doesn’t mean you did well. The last keynote I attended was an absolute bomb, yet received a solid round of applause. Given the crowd was full of smart people, I know it was applause signalling appreciation that he actually showed up sober and stayed awake for 45 minutes, nothing else.

Are you an expert?

Are you at the very least an authoritative source? Do you have more than 5 7 years doing whatever you do? Will more than 51% of your audience actually learn from you (as opposed to “enjoy your stories”)?

We all have amusing and informative stories, but they don’t warrant an entire presentation people pay to attend. If you just want entertaining stories, drop 30 bucks and order beer all night at your local comedy club or bar. My stories are just as amusing as yours, and quite different. Yet, 15 years apart and they still teach us the same lessons. You convinced a company in Vegas at DEF CON to give you entrance because you are a customer? That isn’t social engineering, that is how fucking sales works. Who do you think runs these parties? You can take someone else’s scripts, and run them in front of an audience? Great. Doesn’t mean you should. Especially when you don’t know how they work, if they involve overflows, or anything else about them.

Is the talk tailored to your audience?

Personally, I have a rule; I give any talk I do no more than two times. In addition, I only do it twice if they are very different audiences. For example, the Cyberwar talk I did with Josh Corman at Brucon 2012, we also gave at THOTCON 2013. Not only was the talk updated to reflect new information and references, the audiences were very different with little chance of overlap. It also had small variations in the way it was presented that spoke to the European crowd, even when the presentation was US-centric.

Other speakers often do not realize or account for this. Some will give the same talk, with very little variation, half a dozen or more times. I understand why; same talk, “different” audience, often free travel to different venues and more name recognition. Thing is, that is all about you, not the audience. Repeating the same talk to vastly different audiences can backfire in amusing ways. Well, amusing to those of us who didn’t give the presentation at least. For others, they realized the mistake of joking about the Spanish Inquisition to a largely Spaniard audience a bit late, or the fallacy of calling the almost entirely Asian audience “too polite”.

Recycling talks for vastly different locales is fine, but at least tailor it to the audience and remember who you are speaking to. Most importantly, update the presentation between deliveries. If it has been six months since your last talk, and you have nothing new to add, then you aren’t learning or advancing your profession. If your content is getting stale, or you can’t figure out how to update it to keep it relevant, reconsider if you are a good candidate to give this talk.

New Doesn’t Always Warrant a Presentation

Some topics have been covered extensively in the past decade. While little in security is set in stone, many things simply do not evolve quickly or much at all. They don’t have major breakthroughs; they limp along with variations and tweaks, or new tricks to make them more effective. For example, Cross-site Scripting (XSS) has been beaten into the ground. Despite that, there were three or four XSS-based talks at a single DEF CON in the past, as well as three SQLi talks at one BlackHat Briefings. Your trivial trick or variation is great, but it isn’t worth an hour-long slot at a conference.

Miraculously, researchers can take a five minute trick and leverage it into a new talk. Getting past a CFP team often requires inflating the claims and using a new bullshit marketing term. The actual presentation turns into a five minute intro with bios, ten minutes of history, five minutes setting the stage for the new gimmick, five minutes explaining the gimmick, a ten minute demo that is drawn out as filler, some parting thoughts about how it can be used, and the rest of the time for Q&A. All said and done, it is still a five minute talk with fluff.

It takes a significant jump to justify a talk on some topics. Any single web-application vulnerability (e.g. XSS, SQLi), social engineering, or most other topics that are part of daily InfoSec life are like this. Did you find a clever new method for an attack, only to demonstrate it on a specifically vulnerable application you wrote? Why not demonstrate it on a real application, even if older and currently fixed? That sends warning signals to CFP teams and audiences alike.


Look, I know there are a ridiculous number of security conferences out there. They need good speakers, and some conferences have lower standards. That doesn’t excuse you for giving a sub-par presentation. Just because you can present on a topic you aren’t qualified for, doesn’t mean you should. Remember, not only are you doing a disservice to your audience, but possibly many more down the road. The fact that you spoke at one conference does help you when submitting to the next. CFP teams like to see prior speaking experience, and we don’t always have the time to watch previous presentations, or find reviews and comments on it.

Questions CFP Judges and Attendees Should Ask

  • Is the talk being recorded? If so, is the video of just the presenter? Is it of both you and the slides?
  • Are your slides available after the talk without video?
  • If I read your slides later, will it be sufficient to learn your material? If not, do they come with a white paper, blog, or additional material?

In short, can someone get the full value of your presentation days or weeks later? While people mock PowerPoint, if done well, it serves its purpose. If PowerPoint is done poorly, it is worthless without the audio component. I know Prezi looks slick, but it is utterly worthless without the audio to go with it. Even with audio, it forces someone to go through the talk and have no notes or additional information.

Yes, presenting puts you in the spotlight. It gives you good resume fodder, makes you popular, gets you free entry into cons, and other cool things. That said, it doesn’t mean you should throw a bunch of shit at the CFP wall to see what sticks. Sometimes, there is a lot more value to the industry by focusing on other endeavors, and more people need to realize that.


Tips from a CFP Reviewer

Finally, for those who are submitting talks to conferences, let me give you advice. This comes not only from my own submissions, but from someone who has been on several CFP review boards. Watching and participating in the process for the DEF CON CFP review has been educational on several levels. I hope that these tips will help you to submit better talks, that in turn better help the industry.

  • Five presenters for a 45 min talk? No, that is clearly milking the free entry.
  • If the CFP calls for a “detailed” abstract, and yours fits on a bar napkin? It isn’t detailed. If your bio is longer than your abstract or outline? Also not detailed.
  • I don’t care how important or busy you are. Never have your corporate PR person submit your talk. If you don’t have time to do it, why do we think you have time to properly research your topic?
  • If you can’t follow the simple CFP directions of “fill out this form”, why do you think we trust you to explain more difficult concepts to an audience?
  • If you fail on the above and have to send in a PDF instead of plain text, don’t name it “$convention.pdf”. At least put your last name in the file name, because you can be sure other morons couldn’t figure out the plain text requirement and also sent in a PDF with the same name.
  • Just because you have APT1 or Cyberwar or $currentbuzzword in your title doesn’t assure acceptance.
  • If you phone a submission in, it shows. Really, it’s blatantly obvious to us.
  • Don’t wait until the last minute to submit, especially for a big con. After reviewing hundreds of submissions, those last ones are more and more grueling.

Have questions about submitting to a conference? Want a quick look or feedback before you do? I am willing to help out, time permitting.


Some additional comments from another CFP reviewer, Chris (Suggy) Sumner:

  • A bio is where you list your actual experience, relevant to your talk topic. It isn’t to list all the news outlets you spoke to or unrelated certifications you obtained.
  • I value abstracts which provide a summary of the main result(s) so that attendees can make an informed choice to attend or not. i.e. they can see whether the results rock the world, or are merely interesting. A one line conclusion is always handy too.
  • Outline slides (meaning nearly finished, not just bullets) go a long way for me too. My guess is that many people don’t think about CFP far enough in advance. I had most of the work ready in February and it took a lot of stress out and meant I could get the submission in early and answer feedback. Even if research isn’t complete, it should (in most cases) be possible to begin building a nice template.
  • Another niggle is the introduction. I like it when speakers keep it mega brief. If people want to know more, they’ll read your bio and find you. Odds are, they already read your bio.
  • Perhaps my main observation from this and other cons is that too many people provide little or no detail. This amazes me. It’s the speaker’s single opportunity to sell their talk and yet they don’t. I’m sure this leads to potentially excellent talks getting kicked back.
  • If you get rejected, be sure to bitch about it on Twitter, everyone loves that  😉

Chris brings up a great point. You will get rejected by a CFP team at some point in your life. It sucks, it is discouraging, we all agree. However, if you haven’t been told why you were rejected, don’t bitch in a manner that is negative toward the conference. It may have been as simple as too many good talks, so that other good talks had to get cut. Perhaps that CFP submission you sent in never arrived (as happened with me recently).


More references and advice from Nikita, overseer of the DEF CON review process:

Finally, she gives us this talk by Strom Carlson:

The last thing Nikita wanted to emphasize: simply follow the CFP directions please! Watching the level of crap she had to deal with due to people sending in weird formats instead of plain text, sending in PDFs that didn’t allow for easy copy/paste, or not filling out all of the fields is a royal headache.