43 tweets, 6 min read
Finishing the Derbycon CFP review today - phew, y’all! A lot of great submissions! Super hard choices!

(Don’t tell me what you submitted or try to influence my choice - that’s an automatic nope)
I would never disqualify somebody simply on etiquette or spelling, etc. But I don't think I talked about this one in my blog last year. When you provide an outline, it's appreciated if you do not paste a PowerPoint outline without editing (memes and all). It is very hard to read.
You can start there, but please remember we have to read and comment on a plain text blob. PowerPoint doesn't do a great job of formatting the slides into a readable plaintext outline, especially if you have over 50 slides.
(It's also really bad when that includes your bio - because these reviews are supposed to be double blind and I really, really, really don't want to know who you are. Even if it's simply "CISO of x" or "Author of x", it's a dead giveaway and I have to make a bunch of ethical calls.)
Just hit my first talk that I had to blanket reject because they put their names in the synopsis and also didn't provide an outline.

Friends, please. :(
I should add, after acceptance emails go out I am more than happy to tell you exactly why or why not I selected your talk. Just contact me on DM or email.
For reference this year, we have almost 550 talks to review and only 140 slots.
Every reviewer gets an equal vote. Most votes win unless the talk is disqualified for some reason.
So I have to be extra picky. Things that have been covered elsewhere in great detail are out unless they really have a great hook. Vague submissions without outlines are almost always out.
Like, I just got one for *redacted topic I'm super interested in personally which is a fun story*. But upon careful consideration, no new research is being presented and it's been covered very thoroughly in the media and in the infosec-verse. They didn't sell repetition.
On the upside, I just got one that covers an old topic that spans decades in infosec, but the hook and title are so good it gets a yes from me, because it looks to be uproarious.
*small break to watch 'splosions*
I am not sure I put this so succinctly in last year's blog, but if your synopsis and outline are under 2 lines each, they had better be something to the effect of, "I know who Satoshi is" or "I'm the guy who arrested ______", or "I work for a Florida municipal government".
(Tangential: please submit all these talks.)
Lesley's Law 197: If your Star Trek analogy is so obscure I have to look it up on Memory Alpha, we have a problem. And yet, I'm also subtly impressed.
Corollary: If your Star Wars analogy takes over 2 sentences to explain, we might have a problem. And yet, I'm also subtly impressed.
This year is the year of infinite PowerShell and phishing talks. But ATT&CK isn't quite down and out, yet. Sorry, Katie.
The purely philosophical talk proposals are my favorite because I love philosophy and yet I've never had enough gin for the left field ones that you all come up with.
Good job, yet again. Assembly is like an overripe orange, because...
Editor's comment: "I despise everything about this argument, but it's great. Approved."
DO NOT SEND ME OFF TO YOUR FILE REPO TO DOWNLOAD YOUR TALK OUTLINE - IT IS NEVER GOING TO HAPPEN, EVER.
I'm sorry, but I have over 500 talks to get through in a relatively short amount of time. Almost everybody else followed the instructions. -_-'
Good humor is really appreciated at this point in the day, and the ones that make me laugh or become curious are definitely getting a second look.
(Yes, I've been doing this since my original tweet)
There are a lot of talks this year on empathy, mental health, and neurodiversity - and I hope that if they are not selected for the main tracks you're able to connect with @InfoSystir and maybe figure out another venue. It's really hard to choose with so many great options.
I've now read 4 distinct talk proposals that cover the destruction of the Death Star and its internal security.

I have to pick the best one.
Whoever the heck took the time to specify in their outline that, "We are not going to focus on the ATT&CK Framework" - thank you for reading my blog and I salute you.
There are a few really interesting submissions this year on reviving 30 year old hacking tools and tactics for various reasons, and I'm really intrigued.
That's all for now. I have about 100 left to go, but I must sleep. I hope my feedback has been helpful. Do check out my much more coherent blog from last year. I've really enjoyed reading your submissions. Even the Star Wars ones.
Day 3: Lesley's Rule #648: Please don't make me think hard about whether I need to report your talk to a security manager. Or a power company. Or a hospital. Or anywhere else that might experience deaths because you clearly didn't follow responsible disclosure.
(Hey, I'm neutral good. But please don't indirectly kill people to get accepted to DerbyCon.)
My suggestion: If your talk is, "we've found a way to shut off people's pacemakers from our phones" (clearly a facetious example...) - make it clear in the outline or synopsis that you've disclosed and the problem is fixed or actively being fixed.
Or, to be very bold. "We tried for a year to disclose responsibly to no avail, and speaking at DerbyCon is our last chance to save the world because nobody will listen."
Chaotic Neutral and True Neutral CFP reviewers (there are many) may not care. I, Pancakes (as always) have a touchy-feely aversion to wanton death.
Lesley's Rule #53: Tread very lightly using Special Forces analogies and methodologies unless you were actually assigned to an appropriate military unit.
(It's not because of stolen valor or anything, you just look kind of putzy to vets if you get it wrong or make bad assumptions.)
All the Chaotic Neutral and Chaotic Evil people are messaging me extolling the joys of dropping 0days in unpatched medical devices, now. I love y'all.
More really amazing talk submissions on mental health and overcoming disability. Please get these talks over to Mental Health village before the end of July if you're not accepted!
Since it's A Thing, please let me clarify: My "rules" are not "Rules". They are merely advice learned through years of boondoggles and bar stories. I am full of rules, as you can see through the numbering convention. I drink, and I know things.
Out of a long list of mining talks, I just read a submission for a really intriguing and well thought out argument for a Blockchain use case. Well played. You have my axe.
There are also a bunch of security gamification submissions - I'm so happy to see people taking advantage of this in both offensive and defensive security and security education. Perhaps another potential panel if Dave and Karl see fit. It would be a great discussion.
And with that I am through all 500+! You all gave me a run for my money this year. It was incredibly hard to only choose 140 talks. I can't tell you what the other reviewers will choose or exactly when tallies will be complete.
I had to reject some really, really awesome talks. Please resubmit elsewhere - this was a numbers game! There were also some potentially intriguing talks that needed some submission help, and I am more than happy to give feedback after talks are announced.
Much like ATT&CK last year, if you're submitting a PowerShell, AWS security, or Mining talk this year, I would recommend that it needs to be really rock solid. Those seem to be the topic of the day.