Sunday, April 24, 2016

Becoming an infosec con speaker


In 2006, I attended my first infosec conference, HOPE in NYC, July 2006. And then yesterday I spoke at an infosec con -- BSides Charm 2016, something I seriously still have trouble wrapping my head around.

My talk was "Failure to Warn You Might get Pwned: Vulnerability Disclosure and Products Liability in Software" on how products liability law might someday apply to software (maybe - a lot of the talk is on why it doesn't apply now). It's a topic I've been interested in for a while; I wrote about it after the BlackHat keynote this summer.

I don't particularly have any qualifications to give this talk. I took a Products Liability law class in law school last year. I know a little bit about vulnerability disclosure from working in the software industry. The specific idea for this talk came out of hearing two different people, in different contexts, say that they thought that failure to warn and vulnerability disclosure might be worth looking at. And so I did. At the same time, Shmoo was opening their CFP, and encouraging newbie speakers to submit.

Let me jump back a few years: at the 2012 OSCON in Portland, I got into a conversation that made me decide that I should apply to law school. But also at that con, I spent some hallwaycon time sitting at the "women in tech" table and talking with Suzanne Axtell. She was trying to encourage all of us sitting at the table to submit to conferences. At the time, I was working at a company with a pretty restrictive public speaking policy, so my take was mostly "I don't know anything interesting to talk about, I don't know how to get a talk accepted, and even if some miracle happened and I did have one accepted, my company wouldn't let me speak." So I forgot about it, and went off to school the next year. At some point, I subscribed to the Technically Speaking email list, mostly because the two women who run it are really smart & say interesting stuff about a pet cause of mine, boosting the numbers of women in tech.

And then I saw the Shmoo tweets, and realized that the "my company wouldn't let me" excuse didn't apply to someone unemployed. So I submitted. And was rejected, but I got a ticket registration, which for Shmoo is pretty amazing. Then there was a lot of chatter on Twitter about encouraging women to speak.


The Shmoo Firetalks CFP went out shortly after. I think my thought process was "well, I have a proposal written, I'll just submit it and nothing will happen but whatever, I submitted." And then it was accepted for Firetalks, and I had to actually get up and give this talk, but it was "Firetalks," aka "not real," and it actually turned out to be a lot of fun.

Shortly after, the BSides Charm CFP opened, and... I think my thought process there was "huh, people actually told me at Shmoo that they found my fire talk interesting, maybe I'll tweak and submit." Then this:

Then, and who knows why, I got the crazy idea that I should submit to the BSidesLV Proving Ground program, where newbie speakers are paired with mentors. Then the crazy stuff happened, and both talks were accepted. (what?!?!) At which point I'm fairly sure I had a few days believing that I was dreaming or something and I'd wake up to reality shortly. But no, I had to write (or really modify) a talk.

This talk was a little hard since there was a lot of legal background to explain, and then a lot of speculation, and so I thought I'd try frontloading the legal theory this time. Not sure it worked so well. But, well, it was an approach. My biggest problem prepping this time was that I love this legal area, and I have *too* *many* *thoughts* and it all feels important. Trying to pare back the amount of information, but still get across the key points, was hard. Not sure I came close to succeeding.

I wish I talked more about risk-utility balancing, because that makes all of products liability so interesting. And then that leads into social/policy goals of having it serve an insurance function, and... it all quickly spirals out into a lot of somewhat extraneous ideas.

I freaked out a lot about timing, and decided that using PowerPoint's presenter view, and knowing roughly what slide I wanted to be on at what point, was the way to go. And then... somehow it was Saturday at 2 PM, and I was standing on a stage at an infosec con and talking to a room that was crazily not empty. For starting out feeling pretty confident, I was a nervous wreck by the end.

The firetalks were, well, very different: I ended that one feeling pretty pumped, but there was more audience interaction, and the back and forth with the judges right on stage. At BSides Charm, the lack of a clip mike kind of threw me (I should write some time about my first run-in with clip mikes....), and how tall the podium was.

So, that was my experience with my first real conference talk. I'll try to blog along the way to BSidesLV, although there is also going to be bar prep going on this summer, so.... I'll have to frame blogging as "study procrastination" perhaps.