I have two favorite conferences of the year:
- AppSec Cali
ENIGMA 2019 ended today, and I wanted to do a quick capture on what I saw and found interesting there.
For me conferences are all about the combination of ideas, people, and conversation, and that’s what both of these do really well.
First a bit about the conference itself. It’s put on by USENIX, which means it’s an academic conference. That means most of the talks are by Ph.D. types who have a tentacle in the security industry as well. But the conference also features prominent speakers from industry. I’ve not looked at the actual stats, but I’m guessing 75% academics and 25% from industry. Regardless of the actual mix, it feels like a good one.
What I like most about ENIGMA is that it’s single-track, so there’s no FOMO whatsoever. There’s one giant room where all the talks are, so everyone is in session and at break at the same time. This massively improves networking potential, and I’ve had some of my best conversations at the two ENGIGMA conferences I’ve been to so far (out of 4 total).
ENIGMA exposes the weaknesses of other conferences by doing certain things really well.
You can basically see the world as a series of spectrums with extremes at both ends. Or at least that’s how I see the world. And conferences have this as well.
Academic conferences are mostly theory, the research takes forever, it’s extremely robust and defensible, and the conclusions are quite modest and muted. That’s my understanding, anyway.
Conferences like DEFCON are the opposite, with wild research, talks that often focus on growing a brand rather than the content itself, and the methods used are usually quite crude compared to academic standards. But in my opinion, the hacker community gets more work actually done through quick trial and error.
Also, both sides secretly want the respect of the other, even though they pretend it would be below them.
It shows me that what’s needed is a move towards the middle in most cases. Hacker types need more rigor in what they do. And academic types need to move faster and be more willing to fail. Both sides can learn from each other.
My personal preference these days for conferences is not showing me how X widget and Y system have vulnerabilities. I feel it’s too easy to find problems in things compared to finding solutions for them. We already know everything is broken. I still like those talks, and find them interesting, but only for a brief moment—like a game of Chess that I can’t (and shouldn’t) remember the next day.
What I really prefer is hearing big ideas about how things are broken and how we can fix them. Causes rather than symptoms. Or about software and solutions that address those big ideas. The perfect conference environment for me would be:
The research part could be substituted with code they wrote (and make available) to go and collect data and/or do a particular task defined in the problem statement.
- TED-like presentation of a problem or an idea
- A research project or experiment around that idea
- A reveal of the results
- A brief discussion of what they learned with next steps
Length? 15 minutes. And I want to see 40 of these talks in a conference.
That is how you surface the best ideas, expose new and diverse thinkers to the world, and get good ideas seen by those who can help apply them at scale.
So it’s a combination of slick presentation with technical content, wrapped into a cohesive narrative. ENIGMA is the closest thing I’ve seen to this format, which is why I love it so much.
This year’s offering was fantastic. Here’s what I enjoyed the most:
- Great conversations with @anthonyvance and @oliikit, @alsmola, @act1vand0, and a bunch of other people who don’t do the Twitter thing and/or like to stay in the shadows.
- Ran into Bob Lord after his great talk.
- Met Neha Rungta and Ashkan Soltani after their talks, which I really enjoyed.
- Got to see a bunch of local friends that I sadly only see at cons.
So here were my favorite talks.
- Abusability Testing, by Ashkan Soltani
- Provable Security at AWS, by Neha Rungta
- Usage of Behavioral Biometric Technologies to Defend Against Bots and Account Takeover Attacks, by Ajit Gaddam
- How to Predict Which Vulnerabilities Will Be Exploited, by Tudor Dumitras
- Mobile App Privacy Analysis at Scale, Serge Egelman
- Building a Secure Data Market on Blockchain, by Noah Johnson
- Insider Attack Resistance in the Android Ecosystem, by René Mayrhofer
- Convincing the Loser, by Ben Adida
Interesting tidbits extracted from various talks
- We shouldn’t discard knowledge because it didn’t come from academia. Mendel had his theories rejected because he wasn’t credentialed in biology, and his work was almost lost.
- The demo in Ajit Gaddam’s authentication talk was really excellent. The whole time I was listening I was thinking about my post on Continuous Authentication from 2015.
- You can use TrickURI for checking how your code handles various URIs.
- Stethescope is a tool that NETFLIX uses to check a client’s configuration before it can access certain things.
- The study that was done on who found the most vulnerabilities showed that the personality trait of openness was more predictive of success than having more training or having better cognitive performance. This to me sounds a lot like other advice I’ve heard that says to hire for high IQ and train from there. Especially for security people, since it’s all about curiosity and discovery. What this did was narrow that down to a particular OCEAN trait—Openness to Experience.
If you’ve not been to ENIGMA, and you like big ideas more than the party and entertainment culture of like 3/4 of the conferences these days, you need to add this to your list for 2020. It’s January 28th-30th at the San Francisco Hyatt.