Infosec conferences give cybersecurity professionals a chance to network, hear the latest research, exchange ideas, and demo hacks and new tools. But with so many conferences, how do you decide which ones to attend? How can you get the most out of your experience? Are they worth your time and money? What’s it like to be a presenter, or even an organizer? For episode 50 of Cyber Security Sauna, we spoke to Noora Hammar, head of comms for the Nordic security event Disobey and vice-chairwoman for HelSec Association; and F-Secure’s Tomi Tuominen, founder of the T2 infosec conference.
Can you share with us a little bit about your background and your involvement with infosec conferences?
Tomi: My background is on the demo scene and phreaking scene, so naturally when the first infosec conferences came to be, I was really, really curious. The problem was that most of them were held in the US, so I was eagerly waiting for the European scene to wake up.
When the first Black Hat came to Europe, it was in Amsterdam, probably the year 2000 or so. I booked my tickets there, and being the Finn I am, first thing, I landed at the hotel, I went to the hotel bar and saw some guys there, black T-shirts on. I went to that table and asked them, “So, is it okay if I join you guys?” They were like, “Yeah, sure.”
Then four o’clock in the morning, there was a guy called Thor or Hammer of God. He asked me, “What are you going to be talking about tomorrow?” I’m like, “Uh, I’m an attendee.” They were like, “Okay. Cool.”
Then, because I was part of the crew by now, they invited me to all these cool invite-only conferences, like PH-Neutral that was taking place in Berlin and so on. That’s basically how I got involved.
Noora: I’m a person who picks and chooses. I’m not one to go to the physical conferences because I would like to just know the topic and ask around from my peers, “Is this something that you would recommend?” To listen or watch or whatever. Because I’m not the kind of person who wants to attend these misleading conferences and all you get is these sales pitches. That’s not ideal for me.
So, yeah, I’m kind of picky, so therefore, I’m more and more turning to surfing around the web and trying to ask my peers what they would recommend that I attend virtually.
Right. So do you go to physical events at all?
Noora: Yes, I did, pre-corona, Disobey being the main event for me. It’s near, I live in Helsinki. That’s the one that I’ve recently been participating in.
Yeah. Speaking of the recommendations, sometimes these events and conferences get glowing reviews. Sometimes you just hear that they are, like you said, a waste of time. So what, in your opinion, makes a good conference?
Noora: I think the people who know their area of expertise, they are passionate about showcasing their findings or whatever, and really giving the practical examples of how they do it. That’s interesting and inspiring.
Tomi: Well, I obviously have pretty strong opinions about this one. The reason why I founded T2 was that I saw the difference between commercial offerings and invite-only events.
If you would go to places like a Symantec conference or something like that, you’d see these horrible sales pitches that would actually provide you zero value and you would not really learn anything besides maybe using a tool or two. Then on invite-only events, you could see that, “Yeah, I was playing this game called Second Life, and then I used that to port scan the internet and so on.”
So the discrepancy, or the difference between these two, it was just huge. And I wanted to have something like that. I have some pretty strong ideals or opinions about how a good security conference would look.
First of all, I think independence is a key thing here. No sponsor can impact or affect the agenda, no product pitches, and each and every presenter is on the stage because of their skills. This is not true for the majority of conferences. For the majority of conferences, you buy this platinum sponsorship package or something, and you get a keynote. Basically, we have reached some ridiculous pivoting points for this one because you go to RSA, the keynote is worth something like five hundred thousand euros, or something ridiculous. I don’t think that really serves the audience too well.
Transparency, I think that’s a key ingredient as well. So be honest about how you roll. Don’t sell your delegate packages to outsiders and so on. This is a common thing that I learned in early 2003 or so, that it’s a common practice that if you attend any type of event, those delegate lists get sold afterwards. Nobody talks about it, but I don’t think it’s fair.
Obviously, content is the king. High quality content, and that comes from multiple things like CFP moderation, at a minimum you need to review the presos prior to the event. There are a few conferences that do dry runs and those are super good. Like INFILTRATE in Miami. They have a really good process on dry runs. It takes a lot of work, but it usually provides a pretty good bang for the buck.
And of course, I think that all events should be for the community. Of course, your mileage may vary here, but I think personally, I like events that are small enough and have this inclusive atmosphere. And the networking should be a very, very integral part of this, because that basically creates and drives the community to do cool stuff. And I think that the role of the organizers there is to act as enablers. They need to somehow facilitate that thing.
Yeah. How does that list sound, Noora?
Noora: That sounds good.
I think the most common problem is that the people who throw these conferences really underestimate the crowd, and the audience. If you give a conference for the first time and you are promising this and these topics, and instead all you do is sales pitches, that kind of sets the barrier for people to not come next time.
So do not mislead people, give practical examples and something that people can really benefit from participating in the event, other than sales pitches. Like Tomi, you said correctly, it’s kind of a waste of time and money.
Both of you like to see cool things when you go to these events. So where are you on live demos? Demo effect is a joke people say, but we’ve all sat in the audience when something doesn’t work. Is it worth doing things actually live or just, I don’t know, recording beforehand? You doing it live and then just running the recording. What do you guys think?
Tomi: Well, personally, I think that a live demo is just a horrible idea. It doesn’t add any value to do it live. Just record the thing and be done with it. I mean, nobody wants to see the audience sweating there, “Oh my God, the demo gods are not with me.” That’s so old.
Noora: Then you should not attend HelSec’s meetings, because we have regular demo stuff in our meetups. We do it because the community members love them. The previous time we had Mr. Peeter Marvet sharing some YARA rules. Demoing live some stuff. There were some technical problems, yes, but that’s life. When it comes to demoing live, there’s always this risk that something will not work as it should.
Yeah. I don’t know. I just feel that it wouldn’t be any less valuable if he’d recorded it beforehand working right and then just showed that and talked through the presentation.
Tomi: I really think that there is a difference between running a workshop, because I think that HelSec meetings are more like workshop types of things. So the attendees might be using their own keyboard at the same time and trying things out. And then I think it’s totally okay.
But a good example of this would be a super complicated thing, like when I use RFID or SDR, or something like that, where there is a high risk of getting some interference and it will just fail because of stupid stuff.
Yeah. Okay. We talked about organizing conferences and what makes a good conference and what makes a bad one. What about attendees? What are some good reasons to attend a conference and what are some not so good ones?
Noora: I think for me, it’s meeting like-minded people who share the same interests, and maybe getting to know a few other new people on the way. And then the whole experience, depending on what conference you’re referring to. I always like the atmosphere, if I know that there’s some good music, some good food and stuff, it’s the overall experience for me at least. Then it’s just a plus if there are some interesting topics that I would like to go and listen to.
Tomi: This probably varies a lot, depending on what you’re after. I would say that the guys who are just on the early stages of their path, they’re maybe there in order to learn new things. And the older you get, the more you’re into networking with people. You want to see the old faces, you want to see new faces, and so on.
And of course there’s always the valid reasons of Security Vacations Club that The Grugq launched. So you pick a very, very good destination, maybe Hawaii or something like that. Then you go there no matter what there is, because the location is just good.
Noora: So that’s just an excuse to go and have a good time.
Noora: Yeah, I get it!
Maybe what I’m looking for is expectations. You go to a conference with certain expectations. What are some of the expectations that are bound to get you disappointed?
Noora: I’d say, don’t visualize something before you go and check it out yourself. Don’t set these expectations. Ask your peers, “Is this something that is worth attending?” Do a bit of background research, because conferences, the ones that are doing these sales pitches and stuff, they want to promote and sell, sell, sell. So you really need to ask around, “Is this something worth my time and my money?”
Okay. Let’s say, I do want to go to a conference now. I’ve set my expectations. I’ve read a little bit about good conferences, bad conferences. I’ve asked around a little bit. Anything else you should take into account? Particularly now that the location maybe isn’t such a big thing. How do I choose a good conference?
Tomi: Well, first of all, in my humble opinion, there is no such thing as a virtual conference. I openly make fun of these glorified webinars, is what they are. They’re lacking just about everything that makes conferences enjoyable, in my book.
But one thing worth noting is that nowadays many of the conferences, they specialize in something. For example INFILTRATE run by Dave Aitel in Miami, Florida, it’s purely about offensive techniques. So heap exploitation and that sort of stuff, memory corruption vulnerabilities and whatnot. If that’s your bag of tea, then maybe go there.
Then there are some other conferences that are doing the same for the defensive side and so on, or forensics or incident response. There’s a good chance that you won’t be disappointed if you go that route.
Personally, I happen to like smaller events. For example, there is one really awesome one in Finland.
I think we know the one you’re talking about.
Noora: I don’t know. Please do share.
I think he’s talking about T2.
Noora: Okay, okay. (Laughing)
Which he’s an organizer of.
So what do you think makes a good conference, Noora?
Noora: For me, it’s the way it’s been branded and the way my peers talk about it, that is kind of the welcoming sign for me to even start looking for more information about it.
When it comes to practicalities, Tomi mentioned these dry runs, was it the Miami conference you referred to? I think that’s a crucial part of making a conference successful, if we are talking about physical conferences and events.
Then of course you need to have people you trust and the roles are clear. Everyone has their responsibility areas and they will do their best to succeed at it.
Then of course, basically you just want to join forces with people you trust and then divide the roles and stuff, and check out all the technicalities, book the premises on time, early, beforehand. Make sure everything is as it should be, and do all this double checking, so that people can just enjoy themselves and not run into anything problematic on the premises, or something that does not work because we have not checked it and we found out on the go.
So double check, triple check. Make sure everything works so that the participants who join the event will have their money’s worth.
Okay. Now I’ve done my homework and I’ve made my way to the conference. How do I make sure that I get the most out of this experience?
Tomi: I personally suggest that you attend hallway tracks and talk to people. It’s super valuable, something that you can’t get anyplace else. Physical events tend to have all sorts of gatherings and briefings and whatnot. Those are the best places to get to know people who are either like-minded or otherwise interesting.
Noora: Or then the afterparties, where you really get to know people. That’s also something to look forward to. It’s a good way also to dive more deeply into the networking.
Yeah. Okay. I guess in events like this, it’s okay to strike up conversations about the weirdest topics. So you can go up to somebody like, “How do you like memory forensics?” And then they either know something and want to talk about it or they don’t. But if that’s your thing then…
Tomi: Well, personally, I don’t find that topic weird at all, but…
(Laughing) Yeah, I know. Okay. Tomi, you mentioned you like the smaller conferences and smaller events better because of the interaction and intimacy, almost. Are there any advantages to attending these big well-known conferences or should I just spend my time in smaller hackathons and meetups and things like that?
Tomi: I guess this is one of those things where your mileage may vary. The bigger events, they’re usually a bit more one-way. So there is a guy on stage delivering his talk or her talk, and then you’re just absorbing that information.
Well, the upside of bigger events is that the whole conference business actually scales extremely well. So the more attendees you have, the more money you’re making. Effectively that means that you have money to get the people there that actually know their stuff, so you might end up seeing some really good presentations. There is also the thing that the rock stars of the scene won’t most probably be at those smaller events.
So it really depends. There still seems to be some sort of glorification of the fact that you’ve been keynoting Black Hat or DEF CON or some other big event.
Given that, does that have a big impact, that you’re going to get better talks, that the most groundbreaking research is going to be at one of these big events and not one of the smaller ones?
Tomi: I think previously, it used to be that all this really hardcore stuff was released either at USENIX or Black Hat. Nowadays, it’s a bit different. Many of the players actually prefer smaller conferences because of the reasons we just covered earlier.
Right. Let’s get back to the organizer’s standpoint. Noora, you were already giving out some advice on how to organize a successful event. Is that different when you’re doing an event in-person or virtually?
Noora: Well, of course that’s a totally different kind of scene, because virtually you don’t have to book any premises or do this more practical stuff. Then you can just set up the agenda, invite the speakers, get everything ready, do double checking on the tech side. Then just activate the link, announce the date, and make sure the whole virtual meetup goes as it should. You need to have someone in the background, checking that everything works as it should, then just go according to the agenda. It’s much different and much easier.
Sure. Any advice, Tomi, you’d want to give to event organizers?
Tomi: Yeah. The first one is, don’t do it. It’s simply too much work.
Is it? (Laughing)
Tomi: (Laughing) Yeah, wait for somebody else to do it.
Um, quality content. In the end, that’s the only thing that matters.
And I’m sounding like a broken record here, but I think that the inclusive atmosphere – it doesn’t matter if the event is aimed more towards beginners or a bit more advanced practitioners, but the inclusive atmosphere needs to be there. Otherwise, it’s not going to turn out well.
I mean, you started an event that was aiming to be one of the smaller ones. You have a limit on your attendees.
Tomi: Yeah. We’re capping the amount of attendees to 99 people.
Yeah. In that first ever year, did you ever worry that like, what if nobody shows up?
Tomi: Well, the thing is that I’ve been doing this now close to 20 years and I’m still afraid of that, every friggin’ year.
You’ve been sold out like, since forever!
Tomi: Yeah, that’s true, but you know, the thing is that…I do this with passion.
Tomi: And when you’re doing something very, very passionately, you kind of become blind to what you’re doing. And there’s always this fear that, “Okay. Am I doing this right?”
I mean, luckily we have a bunch of brilliant people there. We have Mikko (Hypponen) and Henri who are on the advisory board, and we have other good people that are providing valuable contributions there, but still, it’s our echo chamber. We’re thinking that, “Oh, we like this.” It doesn’t necessarily mean that the audience will like it, or the attendees will like it.
That being said, when I don’t get the feeling anymore, that panicky feeling, I’ll stop doing this, because then it’s old news.
Huh. What about you Noora, and Disobey and HelSec?
Noora: Well, with Disobey, it’s like, are our tickets too expensive? Are we keeping the interest of the people? Are we still the event to go to? It comes down to the fact that we don’t take anything for granted because we don’t want to underestimate the participants.
Therefore, it’s crucial to…It’s also healthy to think about, “Okay, would this be something that people are into?” And not just be stuck in old ways of thinking and doing what’s best for us, because we really have to cover different areas that keep people’s interest, and interests vary per person.
Yeah, okay. So what about if I’m someone who would be interested in presenting my work or speaking at a conference for whatever reason? What’s some advice for preparing for the presentation? How do I even get my name on that speaker list?
Noora: I’d say that, be bold. If you know someone who knows someone who is involved in an event, just reach out. I, myself, maybe I’m the weirdo here, but I have no thresholds. I don’t have any boundaries. I just ask, “Hey, can you help us out with this?” Because then at the end we are all people and we’d like to help each other. At least I’d like to think so, that we’d like to help each other out.
You just go and make yourself visible. Otherwise, we don’t even know that you exist. I don’t know if you exist if you don’t make yourself visible and reach out. If you have something that we could mention and incorporate, then all good.
Tomi: I’m probably going to be crucified when I say this out loud, but most of the CFP entries, or call for papers entries, are just plain horrible. Basically, they fit into two different buckets. The first one is those written by PR agencies; you can always spot them because they write the bios in third person. Then there’s another category that, “I found this XSS, very important, get me.”
It seems to me that the quality entries really stand out. It’s not really that hard. At T2, we have an advisory board so that it’s not just a single opinion. Each one of the advisory board members goes through all the CFP entries and then we vote on which ones get selected.
One piece of advice that I would give to anybody, just include a link to a previous talk that you have given. Link to a YouTube video or anything, or if it’s just you talking to a mirror, it doesn’t matter. We need to see that you can behave in a furnished room, and that’s what matters. You can be the best person on the planet, but if you can’t deliver your talk, it’s going to be suffering for all the participants.
Tomi: Then, of course, the content. Pick a descriptive title for the presentation. For example, you’re only allowed to use “for fun and profit” if you happen to be Aleph One. All those other guys, they can just go and leave the floor.
Explain why your submission matters. It might not be self-evident, so you need to tell us why it’s unique. Even better, include a draft version of the presentation, or at least the outline.
You mentioned all the advisory members read through all the papers and then vote on that. How often do you agree or disagree on the good ones?
Tomi: Like 99% of the time. We are old school, all of us are so old school. We’ve been to pretty much all the conferences there are out there. We know the scene extremely well, and we have a pretty solid understanding of what good looks like.
Even then sometimes people get offended that, “I have some really cool stuff and I was not selected.” But we have to look at the big picture. We can’t have 10 talks about iOS exploitation. It simply doesn’t make any sense.
We need to cater to different needs as well. So there might be something on the mobile, something on SDR, something on offensive stuff or exploit or heap stuff or whatever it is. It would totally not make sense to have similar talks that are repeating the same things over and over.
Okay. Let’s say I make the cut and I am now on the stage or preparing to be on the stage in an event to give my presentation. Any advice you guys would give to the presenters?
Tomi: I guess you could run complete workshops about this topic.
Noora: Yeah, you should. I would say that you are there for a reason. You have been picked from those CFPs. There’s a reason that you are chosen, just trust yourself and just share what you feel passionate about.
The only thing that maybe would be nice to go through before the event goes live is to do these dry runs, so you have the confidence to present your stuff.
Yeah. Other than that training session, Tomi, is there a single piece of advice you feel is most important?
Tomi: I have a few here. First of all, remember your topic. Very often you see people on stage, they’re talking about some really random stuff, totally forgetting why they’re there.
Then, structure your deck. You have a topic, then you need to structure your deck accordingly so that it actually makes sense. There’s this one Finnish guy, Zarkus Poussa, who always says that everything has a beginning, a middle part and an ending. That’s good advice for this as well.
Use demos and case examples. We all love good stories. We want to see demos and everything. Don’t make the typical mistake, that for the first 50 minutes you’re telling how awesome you are and then in the last five minutes you’re saying, “Ah, we don’t have time for the demo.” Everybody came there because they wanted to see the demo. Don’t be that guy.
Meet the schedule. I mean, if you’re given 20 minutes, do it in 20 minutes and just do dry runs as long as needed so that you get the timing right.
Then the last, but very, very important thing. Use a font size that is large enough. I mean, xterm font size tiny might look cool on your screen, but it is definitely not cool for the audience.
Noora: Yeah. And I would also throw out the Q&A session. If you have time and the agenda allows it, people can ask questions. If something that they expected to be presented was not presented, they have the possibility to ask additional questions.
If we’re thinking career-wise, how important is it for security professionals to score a speaking slot at a conference?
Tomi: The fact that you’re not speaking at any of these events does not make you a bad researcher or a bad consultant or bad anything.
That being said, I think that the effort that you need to make in order to go there, it helps you to become a better version of yourself, because you actually need to restructure your thoughts in a manner that you can explain to other people. It’s like the old thing, like you have this rubber duck debugging method, that you’re talking to a rubber duck in order to find the bug in your code. It’s pretty much the same thing.
As soon as you need to explain your ideas to somebody else, you’ll need to structure it in a way that allows you to do that. I think at least, personally, it has made me a better person.
Yeah, okay. All right. But now we have the plague on the land and it’s not possible to attend physical events. Now, Tomi, you already expressed some mild criticism towards virtual events. What are we supposed to do now?
Noora: For me, it’s like, we just have to adjust, because the world keeps running forward. For me, it’s like, you just have to do things well enough so they become more interesting. If you hear that someone has been doing something with quality – referring to HelSec – then of course you would like to attend.
It’s not obviously an ideal way to meet people. You don’t meet anyone virtually. You just chat with someone behind a NIC or something. But the thing is that we have to adjust, and before we can meet each other in physical space again, we have to make the most of it.
What would that look like? Because I’m thinking a lot of these virtual events right now are physical events taken to the virtual space, like shot with a cheap camera and put online as-is. Should we approach virtual events as a different kind of medium? Like add, I don’t know, animations or whatever. Approach that in a different way from a physical presentation?
Noora: It depends. To me, it’s like if you know a platform that works well and you trust it and it supports what you’re doing, virtually holding the meetups and stuff, presenting stuff, then it’s okay. You should go for it. You don’t have to make things too difficult though. Keep it simple with quality, good visuals.
Fair enough. Do you guys think the pandemic will change infosec conferences in the long term? Will we see more remote conferences? Even if we return to physical events, will we see those conferences cater more to the remote audiences, something like that?
Tomi: I think that as soon as there is either proper testing, like almost immediate testing, or a proper vaccination available, people are going to get back. I mean, everybody I’ve been talking to, they’re all just eagerly waiting to have a physical event they can go to.
Noora: I agree, yeah. Because it’s way different than sitting in that chair of yours after a work day. Yet another thing to attend virtually. It’s really a totally different energy, totally different experience. Everything is different. Yeah. I fully agree with you, Tomi.
In all your conferences, are there any special moments or stories you’d like to share?
Tomi: Back in 2018, Timo (Hirvonen) and myself, we were doing the Ghost in the Locks world tour and we were in Singapore, at Hack in the Box. When we got in, we got this almost royal treatment and we’re like, “What is going on here?” It turns out that the guys who made Proxmark were actually sponsoring the event, and because of our talk, the sales of Proxmark went through the roof and they were super happy about that. They got something like 1400% more sales because of our talk, or something.
Noora: What? That’s insane.
Tomi: Yeah, it was totally ridiculous. We got this super good treatment because of that. Everybody there knew who we were and we were like, “Okay. This is a bit awkward.”
But yeah. We also got to meet the guys who actually designed and made Proxmark.
Oh, that’s got to be pretty cool.
Tomi: It was kind of cool, yeah.
Outside of the conferences you guys organize yourselves, which are the conferences out there that you’ve found to be the most helpful, most valuable?
Tomi: I go to a few of these invite-only events, but they are not available to the general audience. Out of those that anybody can go to, I think that TROOPERS is most probably my favorite.
TROOPERS ticks quite a few boxes of the things that I like. The atmosphere is very, very inclusive. It’s built by the community. They have some really good speakers there. It has enough content so it’s a multi-track thing. I personally like multi-track because it allows the organizers to pick and choose topics that might be super niche. Like massaging the heap on Android or something really obscure that might not be of interest to everybody.
Then the after-parties or the common dinners and all that, that they do, it’s really extremely well organized. It’s very easygoing, strongly recommend it.
Noora, what about these smaller, more intimate events like HelSec, how do I know I’m good enough to attend HelSec?
Noora: Well, first of all, anyone can attend. You don’t have to be afraid that we will diss you out or whatever, because we want people to get involved with infosec. If you are even considering for example, a career within infosec or cybersecurity or whatever it covers, you’re most welcome.
The thing is that we share information, we share knowledge and anyone interested in the knowledge that we’re going to present, just feel free to join us. We want to keep the threshold very low because we don’t want to exclude anyone or even give that kind of energy out. It’s a good way to start finding out about stuff. Just attend those meetings. You don’t have to ask anything if you’re not ready to ask. Don’t get stressed if the things that were presented you don’t quite get because you can always Google your way into finding out things.
The first step is to come and join and see what’s out there, and see what we’re talking about, and see if you would like to continue joining the meetups, because the agenda is changing and the themes and the speakers are changing.
Well, with those recommendations, I want to thank you guys for being with us today.
Noora: Thank you.
Tomi: Thanks for having me.
That was the show for today. I hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.