Friday, December 7, 2012

Create Good Security CFP Responses


As this year winds down next year's conference season is already picking up, it's time to start thinking about presenting your research to security conferences around the world. This is where things can get a bit crazy. You have some great research or an idea to solve a problem, but if it's not properly communicated it can get lost in the shuffle. Some conferences have a massive amount of submissions and it can be a bit hard to communicate what you are doing let alone make your submission stand out.

I decided to write this post up to share some of my observations / mistakes from submitting my own CFP responses as well as observations from reviewing them for the Black Hat conferences. Hopefully it is helpful to you. The overall goal is to raise the quality level of submissions and help you get your talks accepted. This is important for people who speak regularly as well, we all have a tendency to get complacent.

Anyway, here we go.

Above the CFP


Let's face it, there are some people who are above the CFP. They are respected so much that merely submitting their name and a title  TBD is enough to get them accepted. This is a fact of life and a vast majority of us are not in this category. If you really want to speak, then why not take the time and effort to fill out the CFP and communicate what you are talking about? It doesn't matter how many Twitter followers, friends, or pictures you have on Instagram, or how many hookups you have made on AFF, it's about what you have done and what you are currently working on.

Let me rant for a second.....

I've seen people go this route and put themselves in this category. They basically submit a talk with a title, barely any detail and don't fill out the whole CFP response. Then their talk gets denied and you see them ranting on Twitter about how the process sucks. If you take the time to put something together, then take the time to communicate what you are doing.

I've also seen people make all kinds of assumptions about things that are happening on the back end that just aren't true. This isn't InfoSec Conspiracy Theory and Jesse Ventura isn't poking around searching for answers. 9/11 wasn't an inside job and nobody is out to get anyone.

.... rant complete

Is Your Presentation Interesting and Original


Is there a place for your talk at a conference in general? Would you attend your talk if you were at the conference? Some pretty good questions to start with and not always as easy to answer as it may seem. There are plenty of submissions where you know if the roles were reversed, the person submitting would not sit through their own talk.

I'm  surprised to see just how many people do not look in to previous research on their topic. You see submissions where they state, "Nobody has done this before" and just the year before at the same conference there was a whole presentation on just what they are talking about. It's just a google search away. Be informed on previous research and show how you have a different perspective.

There is certainly nothing wrong with talking about the same topic more than once, especially one that has a large impact. Communicating how you have taken things a step further or make an issue broadly more applicable is a good start. Know what has been done on the subject previously and communicate how your presentation is set apart from that. You do not want people making assumptions on your behalf. 
The last thing you want to do is beat a dead horse... to death... again. I'm talking about reviving the horse just so it can be mercilessly beaten again. Making the horse wish it had a cyanide capsule to release it from its misery. Make sure your talk is not in this category. If you have a social engineering talk that involves dressing up like a UPS employee or calling up trying to get passwords changed there is a good chance you are breaking out the old paddles and reviving that poor horse. Be original, insightful, and stand out.

It's important to consider whether your talk is pointing out something that people may not know, solving an issue that people are having, or giving people a unique perspective on something. As you can imagine doing the exact same thing that someone else has done is NOT a surefire method for success.

Is it Appropriate For the Venue



Another question you need to ask yourself, is the submission appropriate for the venue? Some conferences have a much more narrow focus than others. Think about presentations that have been given in the past as well as the attendees for the conference you are submitting for. Submitting a talk to Black Hat USA on how to get a job in the security industry is obviously not a good fit. Neither is a talk on hacking your Roomba. Not unless the Roomba turns around jacks itself in to a network and destroys the entire Internets. Now i'm not saying these aren't interesting talks, but maybe they are not appropriate venue and attendees.

This is where looking through the previous archives of the conference you are submitting for can help. Sometimes when you look at say, "Wow, nobody has ever given a talk on this before at this conference", there may be a reason for that ;)

With conferences that cost a bit of money to get in the door attendees are looking for cutting edge research or something they can take away from the conference and start applying to their jobs on day 1 after the conference is over. There are also conferences with a higher ratio of more inexperienced individuals. The whole point of the CFP process is to determine whether the submission is appropriate for the venue. If you are not looking at the process in the same way, it could be bad times for your submission.

Now this shouldn't be seen as conference "A" is only interested in attacks so I shouldn't submit an interesting defense talk. Typically attack talks are better attended but there are places for defense talks as well. Some conferences that focus on attacks have management tracks as well so there are room for quite a bit of focus other than just attacks. Do a bit of research and be aware.

Fill Out Everything


How simple is this? If there are questions asked in the CFP, answer them. It's the most simple thing in the world, however, you'd be surprised at just how many people do not do this.

For Black Hat conferences there are a couple of additional questions that are extremely important. "What do you hope attendees will gain from the presentation?" and "Three reasons why this is a quality Black Hat presentation". Now let's just think about this for a minute. Why is your presentation important and why is it appropriate for the venue. These are important questions to answer for just about any conference regardless of whether they are spelled out or not. Your whole submission should be supporting these points.

Be Clear, Concise, and to the Point


Clearly communicate what you are trying to accomplish with your presentation. Adding a bunch of detail that doesn't directly support your research or particular points you are trying to make can get tiring to read. This can make the reviewer lose focus on what you are trying to communicate.

If it's not directly supporting your main points for the CFP response then don't add it. Save that for the presentation itself. You want to ensure that you have enough technical detail in the outline to support your main talking points. This is especially important in cases where you might not have the ability to add additional documents to the CFP response. Reviewers need to see this to determine that what you are proposing is feasible and has a certain amount of accuracy.

If your submission is a mess and all over the place the implication might be that your presentation might be the same. Take time to clearly communicate your points and have them flow in some general direction. You should quickly show how you are going to take attendees through your talk and how things will make sense for them.

Your abstract should be clear of any obstructions and be the general statement about your research and the goals of your presentation. It should not be too long but communicate what your presentation is about and it's impacts. In depth technical details are not necessary in this section and in some cases can get in the way of your point. Your abstract is the next thing people read after your title. Read your abstract and say to yourself, "Would I attend this talk?". Feel free to make it interesting or even entertaining, it can certainly help the attendance of your talk as well as getting it accepted.

Your outline should be organized properly with a proper flow to it. Outlines can get extremely wild in CFP responses. As mentioned previously, only put items that are supporting your main points. Show how you plan to take people through your presentation without being as detailed as the presentation itself. This is where you can show you are organized and have thought everything through.

Provide an Appropriate Level of Detail



Provide enough detail so that people can understand and follow what you are doing. Stating that you can own every router on planet earth is great, but without any detail to support your claims there may be questions about feasibility.

Don't think that providing an appropriate level of detail as to conflict with the previous point about being clear and concise. It's a delicate balance. The detail obviously needs to support your research and conclusions.

If the CFP system or email allows for attachments feel free to use those to add additional information. Reviewers will look at them if your talk is interesting enough. You may not want to bog down your submission with a ton of technical detail, but you could state that the attachment has further information. That way if there are questions about feasibility they can be answered.

Presentation Title 


Your presentation title is the first thing that people will see. It's supposed to draw people in to reading the abstract and ultimately attending your talk. Your title can be as wild and whacky as you want. Your talk could be called "How to eat spaghetti with a spoon". Creative titles definitely keep things interesting, but there are some downsides if you choose to make your title off-topic. From now on I will refer to this as the spaghetti with a spoon approach.

When you spaghetti with a spoon your talk title even if it's short-term effective, there may be long term drawbacks. After the conference is over and everything is archived, it may be harder for people researching topics to find your information. If you spaghetti with a spooned your title and your talk was about attacking and securing "widget A". People in the future may not easily be able to find your talk when performing research on widget A.

To give you an example I've seen this happen with Sammy Kamkar's How I Met Your Girlfriend talk. I've seen other submissions afterward that dealt with weaknesses in PHP session generation that did not reference the talk.

Now think about this from the reviewer perspective. Reviewers may only review talks in their areas of expertise. It may be hard to tell what eating spaghetti with a spoon is about. This can be good or bad. An interesting title can lead to interesting attention, but it could also lead to no attention at all. Feel free to be original, creative, and entertaining... just beware.

Is the Talk Better Suited as a Turbo


Do you have 20 minutes of solid content spread out in to 60 minutes of "meh"? Maybe your talk would be better suited as a turbo talk. Quite often while reviewing submissions you will see 60 minute talks that would be better suited as turbo talks. With some of these I think there is a misconception that maybe there is an over abundance of turbo talks submitted for a given conference and chances of acceptance would be better if submitted as a full 60 minute talk. This is not the case.

Think about how much setup and explanation is required to set up your concepts. Many times people add filler content to their setup that is below the technical level of the audience. Even if your talk got accepted, the last thing you want is half of your audience leaving before you even get to the best parts of your presentation. In the case of a submission, a reviewer may ask themselves, can you imagine sitting through 60 minutes of this? Don't shy away from the turbo, embrace it if you feel that is where your talk belongs.

Get Feedback Prior to Submitting



Don't keep everything to yourself. Feedback is so monumentally important. It's why many fields have peer reviews in the first place. You may miss glaring details that you didn't even think about. You may also not be answering fundamental questions that your submission creates. Identifying some of these are going to require a second set of eyes. Often when doing research we are so in the weeds that we can make too many assumptions. This is where feedback can help make your submission more clear.

Feel free to reach out to experts who have done research in the area of your submission. You might be pleasantly surprised, however your milage may vary. Busy schedules often prohibit a punctual responses.

With some pieces of research it can be difficult to weigh the sensitive nature of your research with the benefits you get from feedback. Find someone you trust that won't leak your research.

In some cases getting feedback prior to submitting can save quite a bit of embarrassment. Maybe in your haste to expand upon what you are working on you mention something that may not be possible. It's certainly happened before. Better to let a friend find this than a conference reviewer.

Does Your Response Answer All Proposed Questions


This is the cross your t's dot your lower case j's section. Often your CFP response will generate questions. It's important to anticipate any of these questions and ensure they are covered appropriately in your response. It's never good to raise more questions than you answer. It can raise questions about the viability of your talk. Once again, this is where getting feedback from someone else prior to submitting is invaluable. They are outside of the weeds and have a different perspective than you.

Don't Shotgun the CFP



Don't submit 10 different talks to the CFP. They are not lottery tickets and the more submissions you have does not increase your chances of getting accepted, at all. If anything it may hinder your chances. Quite often people will submit what is basically the same research in 2 or 3 submissions just worded differently. It can dilute your message and make it difficult to determine just where the focus is and may lead to all your submissions getting denied.

Don't Submit Just For a Conference Discount


If there is a conference that offers a discount to people who submit, don't submit mediocre content just for a discount. It's embarrassing. Not to mention your name is associated with a mediocre submission. What happens when all of the sudden you have a great idea for a talk? All of those conferences you submitted to for a discount just may remember you and not in a positive way.

Focus Presented Too Narrow


Any opportunity you have to communicate that your research has a broader focus should be taken. Sometimes when people submit their research it has broader implications than they communicate. Too narrow of a focus can lead to your research not getting picked up. If your research only affects 10 people in the world, then it probably doesn't have the appropriate level of impact for inclusion in a conference.

If your presentation does have a larger focus, ensure you submission reflects that. For example, let's say that someone has the ability to remotely unlock the doors on a certain make, model, and year of car. That certainly may be interesting, but if the same system applies to the entire make of car then that becomes a much more interesting.

Sometimes when we are doing our research we are so in the weeds that we forget to back up and look at the bigger picture. That bigger picture could mean the difference between getting accepted or not. Always look at the broader implications and properly communicate them.

Have "Something" to Talk About Before Submitting




Don't submit a response and wait for acceptance before working on content. You might not even get accepted until the last round putting the time between getting accepted and having to present the content   just weeks away.

There are so many security conferences now it's crazy. So if you get denied for one just submit it for another. You will need the content regardless so you might as well start working on it. It will also make your crunch time after you get accepted a whole lot more manageable.

Don't Submit Until You Are Finished


If the conference you are submitting for uses a CFP system do not submit your response before it is complete. You may not know how it looks on the back end. So maybe you put a title in there and start writing an abstract. Then you say to yourself, "Ah, I'll log back in and finish this Tuesday". Well between whenever and Tuesday someone may review your presentation rather unfavorably. Don't take this chance put everything together ahead of time and submit it when you have everything finished.

CFP systems are all different and it's hard to tell how they act. It's best not to use them as a draft or scratchpad for ideas. Put everything together and submit it when you are completed, preferably not 10 minutes before the CFP closes.

Submit Early


It pays to submit early, shortly after the CFP opens. There are quite a few conferences that accept submissions in rounds. Early in the CFP cycle there aren't as many submissions, which means less competition. You are also more likely to have a reviewer give more time to your submission because there are less of them early on. This is both good and bad, good if your content is great, bad if it is not so hot.

Of course, most people will still wait until the last possible second to submit. This slams the CFP on the last round, but keep in mind by the time the CFP closes there may have already been a couple rounds of selections. If your content is ready and you are able to submit early then by all means do so. It will be much more beneficial to you.


Don't get Discouraged



Don't get discouraged if your talk doesn't get accepted for a conference. It's not always because you didn't have a good idea. There are a variety of reasons why talks with merit may not get accepted. Not right for the venue, too many on the same subject, or a focus of the conference on a different subject are just a few of these reasons. There are so many security conferences out there that even if you don't get accepted at one, just submit to another. There are no shortage of conferences looking for people to speak.

Summary


To summarize ask yourself these questions before submitting your presentation to a security conference.


  • Is your presentation interesting and original? 
  • Is it appropriate for the venue?
  • Did you fill everything out and asker all questions?
  • Is your submissions clear, concise, and to the point?
  • Did you provide the appropriate level of detail?
  • Do you have a good presentation title?
  • Would your talk be better as a turbo?
  • Did you get feedback prior to submitting?
  • Does your response answer all proposed questions?
  • Is the presentation focus too narrow?
  • Do you have something to talk about prior to submitting?
  • Can you submit early?


Above all, don't get discouraged.

Hopefully you found this post useful. I know it got a bit long, but I really didn't want to break it up in to two parts. Now, let's see if the quality of those submissions get any better ;)

Saturday, December 1, 2012

Ping

Pong

Please bear with me, it's going to be a while before I change the template to something better, so the default template is going to have to do for now.