I realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HIATLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.
I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.
If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. Really, for a lot of folks, I think cons have become a few things:
- A way to escape reality. Very few con talks touch on the mundane bullshit that we’re sucking at. They discuss pie-in-the-sky scenarios that involve vendors, “researchers”, and stuff that we can ogle at.
- A stand-in for a social life. I have a lot of friends in infosec. I’ve got plenty that aren’t too. I can get shitfaced anytime – I don’t need to wait for a con. Seeing your infosec friends is cool. Going to more and more cons to see those people…well, that’s up to you. But maybe you could get together OUTSIDE a con for once? That’s what real friends do. Plan a trip somewhere that does not involve security. Shocking.
- A place where people who don’t actually DO shit for a living can expound on their amazing security philosophy, telling those of us that DO do shit for a living how it’s all shaping up. Please. I know what the hell is going on in security, I live it every day. With a lot of clients. Doing real work.
- An egomaniac stomping ground. If you continually got your ass beat in high school, sunlight sets you aflame instantly, and you have deep-seated challenges interacting socially, you can still be a rock god by breaking something and giving a talk on it. This is getting ridiculous. I love smart people, too, but I’m kind of over the “celebrity researcher”. I like people when they’re cool people, not just because they have some amazing “use after free” flaw they presented on.
- A “scene whore”…well, scene. It’s COOL to be in infosec, apparently. You can almost predict the tweets when a con starts:
<scene_whore>Arrived! Where’s everyone at? #ConHashtag
…10 min later…
<scene_whore>I’m in the bar at the <con_hotel>! <Picture of alcoholic beverage> #ConHashtag
…20 min later…
<scene_whore>What’s going on? where is everyone? #ConHashtag
Most people are just folks. But being at a security con does not even come close to making you a real infosec professional. Knowing a bunch of people on Twitter doesn’t either. Drinking with people in bars may make you new friends, but still doesn’t mean you can accomplish shit as a security professional. There are even some people I see on Twitter who seem to attend every security conference on the fucking planet. What the hell is your JOB? Does someone pay you to go to cons? It’s SAD…NOT endearing.
This is a rant. I know this. But really, folks, cons are not doing shit for us, aside from giving us some fun times and maybe a handful of interesting talks here and there. If you really get value out of tons of cons, awesome. I would never tell anyone how to live their lives, or what to do with their time. But we are not FIXING ANYTHING. We still have Adobe and Java problems. We still suck at intrusion detection. We still suck at incident response. People are still clicking shit. We don’t know what we don’t know. Pretty much every con I see today won’t even begin to help with any of that. If you’re a pen tester? Sure, you’ll get some new tools, new techniques. But only about 5% of security folks are ACTUAL PENTESTERS. Lots of people like to fake it. But 95% of you are defense folks. Which is probably just fine. So do defense. Get better at fixing stuff. Focus on the boring, the mundane, but incredibly important crap like inventory management, patch management, configuration management, blocking and tackling at the network layer, security awareness, etc. I see almost no talks at cons on “solving this one problem in 10 different ways”. Almost none of you need to worry about hacking an ATM or a car. You DO need to get your backyard cleaned up. It’d be nice to see a conference with the following parameters:
- The theme of “we’re failing” is 100% forbidden. No talks accepted, no slides with that, if you say it in your talk you are forced to listen to Barry Manilow albums the rest of the con.
- All talks tell us how to fix something. That’s it. And REAL somethings, not some arcane crap that is only a reality for .00000004% of the world.
- Absolutely no slides that include references to the Verizon Data Breach report. Verboten.
- Every single attendee must write a blog post chronicling at least 5 things they learned. Tactical, “fix shit” things they learned.
- No selfies. NONE.
- People can only use their real names. Be a human being, and we’ll hang out. I have a real hard time here in 2014 referring to someone as only a “handle”. Call me “Dave” or “Shack” and we’re good. Let’s actually be real professionals. Crazy, right? Imagine if people at law or medical conferences referred to themselves as “D@rk Malpractice L0rd” or “SurgeonZer0”. Please. We’re not in chat rooms, people. And even if we were…that shit is OLD.
It probably won’t happen. There are still some really good efforts and conferences out there – I’m not disparaging the enormous efforts of those who run them. But I think we’re starting to look silly. Security is just a shit show, and we throw booze fests in the name of “research” constantly. Yay us.