Dave Shackleford’s rant against Security Conferences – Rethinking the Security “Con”
See the contents of the first couple of paragraphs of his post:
I realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HIATLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.
I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.
If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. . .
I agree almost completely with most of the statements Dave makes here; however, I have a couple comments/disagreements with a couple of the points he brings up.
I for instance, have a hard time connecting with people in the information security realm. While there are some great local security groups, they meet, maybe monthly, but often times, meetings get canceled. Also, like many others I have my family. Often times, I find it easier to go out of town, to attend a conference, where my wife can prepare the time with my son, and where she doesn’t always try and interfere with the time I spend with these people. For that instance, I almost think it is easier to travel out of town, rather than go to a meeting that is 1 hour away.
I would consider myself maybe 75% blue team, and 25% red team, type experience and work experience, etc. . . So, I don’t consider myself a 100% pen-tester; and most of my work experience I look back to my experience as a defender (ala Blue team). I find it an important detail to understand what both the attacker and defender are doing, and how to “fix” problems that may occur.
I also think that it is somewhat important to discuss where we are failing. If I discuss where I/my organization is failing, maybe others have been in a similar situation and have overcome that certain challenge. Not a complete waste of time, but maybe there is something that can help me. It is nice to understand the threat landscape, and see where organizations are getting hit, and how they are getting hit; and developing a way to overcome those challenges.
Anyways, check out more at Dave Shackleford’s blog.
More about Dave: