Attrition, DEFCON 20, and a Bit of Advice

Sun Jul 15 19:59:56 CDT 2012


[Image: Attrition DC20 Badge]

Attrition will have a small representation at DEFCON 20 this year. Throughout next week, you can find Jericho and cji at different venues and events. As two of the staff members that work on Errata, we will be available to answer questions about the project. In the past year there have been occasional questions about availability and the perception that once we publish something, it is set in stone. This is absolutely not the case. At DEFCON 19, after a 1+ hour sitdown with someone listed on Errata, they were ultimately removed. The Errata project is a guideline, not gospel. For DEFCON 20, we already have a sitdown scheduled with one person that is on the unpublished charlatan watch list, so that we can get more information and also discuss his concerns.

Jericho will be presenting "Errata Hits Puberty: 13 Years of Chagrin" on Wednesday afternoon at the BlackHat Briefings. This is the same talk (with minor enhancements) that was given at RVAsec last month. He will be around the BlackHat venue before and after the talk for any questions or discussions, except perhaps for HTBridge employees (as they have filed criminal defamation charges against him in Switzerland [1/2/13 Update: Charges since dropped]). Everyone else, feel free to chat. Jericho will be at BSidesLV for part of Wednesday, and all day Thursday. You can find him at the OSF booth being a 'babe'. Questions about the Open Source Vulnerability Database? Discussion about VDBs in general? Bring them. Friday and Saturday, both Jericho and cji will be around the DEFCON venue with no schedule in mind. Look for the squirrely types.

[Image: Chainsaw Wielding Lazlo T-Shirt]

First, as some noticed last night, we sold 3 of the badges on eBay. This was done to cover the cost of all 25 badges, so we break even on them. The new shirts will be the same way; enough will be sold so that the cost to make them is recovered. We don't care about profiting off of this glorious merchandise, but remember that the Errata project already costs money to run. Historically, we're in the hole several thousand dollars. The money spent on marketing (e.g., shirts, wristbands, stickers) has also come out of our own pockets in the past. Since we have had to cover one court case related to Errata, and are currently wrapped up in a second, money for legal fees is a must. While some people think that selling merchandise is lame, to each their own. These are very small runs that are primarily given to friends and supporters of our project. Now the part you care about. How can you get your grubby hands on some schwag? Read on, heathens.

There will be a handful of badges and shirts available next week. They are on a first-come-first-serve-and-our-mood-depending basis. Some are already spoken for, some have already asked where we will be early in the week to mug us for one. If you have something to barter, that may increase your chances of getting one. Have tips about companies or individuals that should be on the Errata radar? Cough them up, and cite your sources! Have a shirt or badge from your organization or project? Maybe a swap is in order. In addition, there will be quite a few wristbands and a lot of stickers to give away. Don't be shy, find Jericho or cji and banter.

Conference Advice


If you are still reading, I would like to offer some advice for the conferences next week. This goes for BlackHat, BSidesLV, and DEFCON 20. As a long time con-goer, there is one thing that consistently disappoints me at conferences. This came to a breaking point at DEFCON 18 when one talk I attended came with a disclaimer: no questions or comments during the talk. Any questions would only come after the talk, in a separate 'media' room, away from the crowd, despite the talk topic being big in the news, and controversial to some. This rule was absurd, especially for a conference that has a history of crowd participation. To me, if a speaker says something that is questionable or inaccurate, the audience should hear any objections or corrections. Having a speaker tell hundreds of people incorrect information, then be corrected after the talk in a room with a dozen people, simply isn't right. In this case, I walked out of the talk halfway through when the speaker got some things provably wrong. So my advice to you is this: speak up. Rules be damned. Be respectful, but don't be afraid to interrupt a speaker if they are spewing bullshit. If you have a question that is timely, raise your hand to encourage the speaker to turn it into an open forum. Why?

Because the odds are good he is not the most knowledgeable person in the room on the topic. That is a growing trend in our industry, where people that are quite new to InfoSec end up speaking on a topic they have little experience with (relatively speaking). Speakers, you have a responsibility to ask yourself questions before you submit a talk to any conference. First, why are you speaking and not someone else? Second, are you in the top 5% of the industry regarding your given topic? Third, if you aren't, are you bringing a truly new and refreshing angle to a topic? If you can't answer the first, or answer "no" to the other two questions, don't submit a talk. Audience, think of these questions in the context of the speaker you are watching. If you have doubts, ask the speaker these questions. The presentation bio slide should explain the first two questions. We don't care that you were a VMS admin in 1993, if you are giving a talk about social engineering. Speakers need to list their relevant experience to the topic at hand. Further, speakers should encourage discussion. They should not hide from potential criticism. If they are truly an expert on their topic, then they will be able to defend any point they make.

Finally, if you are in a talk that falls short, tell the speaker. Be polite, but voice your concerns! If all they hear is polite applause after, they may have no idea the talk was a joke. Does the conference give you a chance to submit feedback? DO IT. Conference CFP teams have very little information to go on for new speakers. If a talk wasn't worth the time, tell them so that next year they are better prepared to recognize talks that are potentially lacking. Let them know so the same person doesn't get accepted again to give another crappy talk. In short, it is on you to police the industry. This starts with standing up for your right not to have your time wasted in a presentation.
