I’ve been involved in information technology and infosec since the mid-1990s. Until recently, I had not been actively attending infosec or hacker conferences.
I started attending DEF CON in 2013 when the conference was held at the Rio Hotel. DEF CON was the first hacker conference I ever attended. I did not know many in the community and certainly didn’t know what to expect. Quite frankly, I was overwhelmed by the size and scope of the event. I attended again in 2014, and my comfort level grew as I became more familiar with the event. My employer paid for me to take the SANS 560 course taught by Ed Skoudis (@edskoudis). That course and Ed’s passion for his craft motivated me to dig deeper into the world of information security.
In 2015, I decided it would be beneficial to seek out smaller conferences, so I attended NolaCon and participated in a training class taught by Georgia Wideman. That class was “Introduction to Penetration Testing” and “Advanced Penetration Testing.” I had a blast and began developing my skills as an amateur pen tester.
Over the next year, I took a bold step and began submitting talks relating to my work at AppRiver. I first submitted to NolaCon in 201 – I was accepted and gave my first InfoSec conference talk that May. I also submitted to BSides Las Vegas and was accepted into the Proving Ground track. I was fortunate enough to be assigned Dave Lewis (@gattaca) as my mentor. My talks were well received, and I continued to submit new material to various conferences.
Not every talk that I submitted was accepted. I spoke at BSides Atlanta in 2016 but was turned down for ShmooCon, HushCon, and initially CircleCityCon. I did attend HushCon so I could get a feel for the kinds of talks being presented. Rejection didn’t really get me down. I continued to submit talks and even a training workshop. I ultimately spoke at CircleCityCon in 2017 and worked with Lennart Koopmann (@_lennart) from Graylog @graylog2 to present a four-hour workshop, as well.
So, how did I come to speak at DEF CON this year? I would not take no for an answer. After mulling over a topic that was rejected from HushCon and ShmooCon, I decided last minute to massage the content a bit and submit to the DEF CON CFP. After all, what would be the worst that could happen? They could only tell me no. And if I didn’t submit, the answer would definitely be “no.”
I studied the CFP information on the DEF CON website to make sure I followed the instructions carefully. I was a bit confused by the example submission. It was brilliantly laid out as a well-formatted PDF, but after reading the CFP submission requirements carefully, you find that you are required to submit all documents in archaic plain text format. That is what I did, as there were many discussions on Twitter about submissions received in other formats. I am not sure I understand the arguments for plain text, but I do know that if you wanted your submission to stand a chance of being accepted, you had to do what was required.
I worked through my outline and all the listed requirements. I double-checked everything and sent in my submission. I made note of all deadlines for additional materials if my submission was accepted. Once submitted, I promptly moved on to other things. I was fully expecting a rejection as the same basic content was rejected by HushCon and ShmooCon.
I waited for the rejection notices. The early acceptances were posted, but mine was not among them. Ok, I still had a chance albeit a remote one. I followed key people on Twitter and patiently waited.
One day, @Niki7a mentioned that all rejections were going out by the end of the day on June 1, 2016.
I watched my email. I even checked my spam filter to make sure something from defcon.org wasn’t getting held back. There was nothing. A few days later, @Niki7a let everyone know that if they haven’t received a rejection, their talk would likely be accepted. Now I was getting a bit nervous.
A few days, later, I received a notice indicating that my talk had been accepted. Shortly after that, the schedule was finalized and I learned that I would be speaking in Track 3. Gulp!
Now I had to get busy, put my talk together, and get my slides submitted by the early July deadline. DEF CON requires that you submit your completed talk and supporting materials several weeks before the conference. You have the option of updating the content closer to the event, so you can incorporate any last-minute changes or tweaks into your materials.
Once my talk was prepared, I simply had to wait for the event. The DEF CON staff contacted all speakers seeking information on any special AV needs such as connectors. Speakers were also informed of the process to expect during the event including registration, talk practices, and the process that would occur on the day of your talk. DEF CON provides a speaker ready room, so that you can run through your talk and test your device on the same setup used in the larger conference rooms.
Once in the speaker ready room, you get to meet the DEF CON Goon who will help you get ready on stage and accompany you to and from your talk.
One interesting DEF CON tradition involves first-time speakers and shots. The tradition is called “Shoot the N00b” and has become optional. I chose to partake, so just prior to my talk, a Speaker Ops Goon appears, pours a couple of shots of a pre-arranged beverage, introduces you, and you both take a shot together. In case you are wondering, I chose a shot of Jack Daniels. I was fortunate enough to have my former BSides Las Vegas mentor, Dave Lewis, do the honors. That made the talk even more special. Once the “Shoot the N00b” was over, I began my talk.
DEF CON is a bit intimidating if you are at all concerned about crowds. In my talk, it was estimated that there were about 3,200 seats, and they were almost all full. The talk went well except for some technical difficulties with the slide display in the room. The problem happened to many speakers in that room, so the love was shared.
At some point in my presentation, the display was changed over to a Chromebook with an older version of PowerPoint, which lacked speaker notes. I was forced to work without notes. The message here is – practice and know your content. Be able to give your talk extemporaneously!
Overall, my DEF CON speaking experience was outstanding. I learned a ton, met some outstanding people, and had a blast sharing a small part of the huge body of knowledge with the infosec community. I would recommend everyone submit to DEF CON. Who knows, you might even have the good fortune of being selected.
One thing I do know – if you don’t submit, you won’t be selected!
About the Author: Jim Nitterauer, CISSP is currently a Senior Security Specialist at AppRiver, LLC. His team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global SPAM & Virus filtering infrastructure as well as all internal applications and helps manage security operations for the entire company. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 20 years.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.