Friday, 3 October 2014

Free, it's just costing too much!

One day I’ll write a blog post that isn't me moaning about something in the security industry. Unfortunately, today isn't that day. I do warn you that this is a long read; frankly, I just didn't have time to write something shorter.
So, you work a ridiculous amount of time, researching some obscure angle in some software application, looking for a vector to exploit a system, only to find out that in the end, you're the exploited one.
We've built a system in the security industry that allows people to supply 'bodies of work' to organisations and/or businesses, who then sell that 'work' on to their customers. These suppliers of 'bodies of work' are not remunerated (normally). The organisations or businesses aren't really getting rich out of it either, so it must be the paying customers absorbing all the gains. Well, no, they're not really getting anything out of this 'trade' either. I bet you're a little confused by all of that, aren't you? Well, if we just say that 'security conferences' are the 'organisations/businesses', the 'suppliers' are 'speakers', and the 'attendees' are the 'customers', then we've very roughly just described the security conference world.

Hang on, I've missed a party out: sponsors. Well, to be honest, I'm not too sure what their role is in the security conferences' universe. In the case of free conferences like BSides*, their role is clear. Sponsors are gods that give venues, t-shirts, venues, beers, venues, printing, venues, Club-Mate, support, and of course venues in that context. So, what do they give in a commercial conference? Do they give the same? I guess up until tickets are sold, they play exactly the same role in a commercial conference as they do in a free one, namely finance. However, if a conference can be put on without cost to the attendees, why do we even have paid conferences? The ticket money goes to what, exactly? I can assure you it doesn't go to paying the speakers for their time and efforts. Are the sponsors subsidising the attendees' tickets? The more I think about it, the more confusing it gets. As the philosopher Christopher Wallace once said, 'mo money, mo problems', and taking money from sponsors and attendees seems to 'null and void' a lot of conference organisers' grip on reality: they sell other people's research, which they don't own! Recently, I heard a report about a conference organiser laughing at not paying people for their talks. I don't know who it was; I asked, and I was told the person didn't want to name them. I can only agree to respect that, but it's heartbreaking that some people are painfully aware of their abusive behaviour.

Few conferences pay their speakers. In my years of speaking I have never been physically paid by a security conference for my talks (I've excluded training from this, but I can assure you that training at a conference is about the only way you're getting paid at one). I've recently begun to question what it is I'm doing speaking at conferences. For a short time I feel great, nothing quite beats that bit really, but it's not easy. I don't travel well, I enjoy being home, and changes in my environment can affect me greatly. I've made great friends, and I know I've helped some people do complicated jobs and make sense of what it is they're doing. In some cases I've made the testing of detection systems effective. Yet not once has a security conference paid me for my time, and the only time I was supposed to be paid for my work at a conference they decided to ignore all the emails and not pay. I've had conferences be very late paying back expenses, I've had a conference argue over a €10 taxi fare, the list goes on. That aside, the fact of the matter is, I've never earned any money from those talks. Is my work of no value? Or, in the end, is it me who doesn't value my work?

We all have experiences with people outside of the security conference universe who do professional conferences, except they tend to be a little different. They tend to get paid for their work. People look at you bizarrely when they find out you do this for free; I can imagine it's only matched by the face of a security researcher learning people get paid to talk about crowd funding or something. Those who don't get paid probably work in an industry that's about sharing and caring. If security is about that, then security vendors don't exist and we all charge the minimum wage for testing, right?

The elephant in the room is that countless other industries can hold conferences and manage to pay speakers for their time, yet for some reason the security industry seems incapable of working out how to do it. Look, I know putting on a conference is expensive; that's why conference tickets are expensive, except in our industry. The security industry tries to move the cost of it from the attendees on to the speakers. If this stays the same, then you need to accept that conferences won't get better, they'll degrade. There is no value in showing you the latest and greatest iPhone hack in exchange for an economy class ticket to Uber1337CON when the value to the market is far greater. Bug bounties, love them or hate them, kind of highlight a point: most people who could earn from their research would happily give it away for a living wage. Of course, knowing our industry, I've just introduced the minimum wage for sec con speakers.

Now, I know conferences in security are fun, it's where we all go to party and apparently learn new shit, but seriously, let's just go and holiday together instead. Also, look at how bizarrely the market for security conferences has developed: we've managed to get to a point where organisers of conferences make demands of the people supplying work to them at no cost. Such as: 'you haven't given away this research to someone else before me, have you?' or 'will you be supplying code that you are liable for, for free? If so, have you given that code away for free before giving it to me?' My new personal favourite is 'You must use our slide-deck, and try not to be too sales-oriented!' Seriously, you've got this backwards; if I'm doing you a favour, and giving you my work for free, isn't it me who should be setting some conditions on my agreeing to support you and your dream of holding a security conference in your home city?

Don't tell me, it's great exposure, right? That awesome line that is as fictitious as it is condescending. NO, it's not, it's great exposure for you! Speakers are the suppliers of the talks you sell for money. Also, when a talk sucks, it's the 'speaker' that sucked. In security we love to use the 'rock-star' tag, and for once I’m going to use it for good. So, let's play with an example a little. It's a bit like your local bar (let's call it 'The Four Corners Bar'), asking Jay-Z to come rap for them, for free, because the exposure he'll get from doing it is great for him. However 'The Four Corners Bar' must demand, as they're paying for an economy flight and accommodation, that it be stuff Jay-Z hasn't played before. He's lucky, too, because we know some conference organisers would gladly ask him to pay his own expenses if they could. The day that works out for 'The Four Corners Bar' is the day I’ll have 99 problems, and a CFP ain't one!

Here's another brilliantly framed issue: the attitude that speakers are getting paid because they're getting flights and accommodation. Firstly, the conference's organisers are flying the supplier of the goods they have sold to the location of their customers. It's one of the key ingredients of a conference: talks, supplied by people, that are there. How about I supply you the talk, but you give me the money for the flights, and I stay home. I'm sure a conference full of Skype chats would sell a lot of tickets, and the 'Sponsor gods' will be writing cheques in quick fashion. Secondly, it's no holiday either. You get to see airports and maybe get an evening out. My experience is that I’m shipped in from the night before the conference and my accommodation stops on the last day of the conference. So, for a 3 day conference, 3 nights accommodation – regardless of the time zone to adjust to. Trust me, though, there are conferences that consider that too many nights. Some would like to get you there for the day, give you a pass and if you could please leave once you've given your work, for free, so much the better. Don't tell me the payment for my research is the cost of my conference ticket. You have to be especially dense to consider that even a legitimate argument.

Now that I’ve managed to alienate commercial conferences, sponsors, attendees and 'The Four Corners Bar', I’ll draw my attention to free security conferences. Well, let's be honest, there is nothing I can really say that's bad about them. BSides as a whole does a great job. They work hard, and they deserve nothing but love and respect. In this 'trade' it's the conference organisers that are getting exploited the hardest, and they should know that at the very least I am, and always will be, in their debt for the work they do without recognition. The same goes for the 'almost' free conferences too. These people put on conferences at a very cheap price, that in the end are crowd funded. You guys rock too, and I’ll always have a space in my heart for you.

In a nutshell, no more free talks!

Yeah, I said it, you read it, now we'll start with the objections. When I say no more free talks, I don't mean no more talks at free conferences. What I mean is, if you charge people to see talks that I have worked on, and I’m not getting paid for it, then I’m not going to do it any more. Which probably means you're not going to see me talk at any more conferences, but this isn't actually about the money, it's about the motives. It has to stop! We can't keep on giving and not receiving, and be made to feel we should be grateful that your conference is giving us some fictitious 'chance'. A lot of people bitch about the quality of conferences but no one suggests ways in which it can be changed, apart from more stress being applied to the suppliers of the content being sold. We have too many conferences because in the end we have too many people willing to supply research for little or no return, bar travel. Today's rant was greatly inspired by OWASP's AppSec EU call for papers, but it's in no way just about them. Now, let's be honest: why should we blame OWASP for exploiting speakers when the vast majority of other commercial conferences have gladly been doing it for years? It is my opinion that in the case of this particular conference, it isn't about research, or making better security practitioners, it's about money. They'll charge an excessive amount to the attendees for the tickets, they don't even cover the speaker's expenses, and they'll be getting sponsorship money in addition to it. I mean, what on Earth are they actually paying for? Sponsors are subsidising, attendees are subsidising, and speakers are subsidising this conference. If I were a customer of theirs, I’d strongly consider shopping somewhere else. I've ranted on Twitter about this, but I’m going to try and shore up my issues. Firstly, if they weren't charging, I’d really have no gripe per se. But they will, and as far as I know it was expensive last year, so I can't see it being less this year. 
What value do you get when it's only companies that send their employees because they're sponsors, or researchers who need recognition so badly they'll pay to get it (I'll make no further comment on this statement, especially seeing as the conference is being held in Amsterdam)? I mean, which hard working, undervalued, broke-ass security researcher in their right mind is going to give them their work and pay for the hotel and flights on top? The answer is, probably quite a few. Especially if work is paying, amirite! Well, here's the second 'FU' from that CFP: they want you to use their slide-deck (frankly, not going to happen from me, ever; your slide-deck, your presentation, and good luck) and they limit the speaker to displaying two company logos per presentation. I accept that no one wants to pay lots of money to listen to a sales pitch, but what do they expect to happen here? If you can only justify your conference as being 'great exposure', which is code for CUSTOMERS in business, you can't be that surprised if it gets customer focused. Here are some guesses for you (I could be wrong, but): they have had issues in the past with attendees not impressed by talks that were sales pitches, and instead of an invitation that encourages researchers to submit, they've made a rule. This is a security organisation establishing a policy on talks they're not paying for, but charging people for. Think about it this way, from their perspective: 'We sold your work for money, which we obtained for free, under the guise that it'll be great for the speaker's business, and we're as shocked as you that you got an hour-long advertisement about how great the speaker's business is. If you do buy from them though, can you let us know, because we think we're due at least some commission from that.'

This raises an interesting issue, though, because when it boils down to it, businesses have been supporting conferences for a very long time (yet not considered sponsors). I mean, the speaker, who isn't getting paid by the attendees, or the conference organiser, needs to be paid by someone, who tends to be an employer. That employer tends to lose an employee for a couple of days, and those precious things called 'billable hours' are lost. The justification that is used is 'acquisition' or 'PR'. Yet people take umbrage when talks are for the purpose of acquiring new customers. Who do they think is 'supporting' that talk they're watching? I mean, if they're not paying for the person's time, someone is.

I'm sorry to say this, but in the end, attendees of conferences are going to have to start paying more for conferences if you want excellence. If you want to have better conferences with better content, then people's time and effort need to be remunerated. It's simple market dynamics. If you pay €300 for a two-day conference, you're paying around €9 a talk (let's just say a two-track conference, 16 talks a day; I know you can't be in two places at once, but still, you get the point). Now, yes, if that's multiplied by 100 people that's €900 a talk, but because 100 people buy a burger at a fast food place, it doesn't make the quality any better. It takes time and effort to make good talks, it takes practice, and more importantly, it takes research to make security talks. Yet none of that is being paid for; the venue and some flights are. If you want great talks that focus on areas the attendees value, then you need to actually pay for that. Otherwise, what you get is the research that happens to be submitted: the research that won't lose anyone revenue by being given away, and that some panel thinks you want to see.

Let's also raise the 'junk hacking' dynamic here too; in reality it was always going to come down to this. If the conditions are 'you supply to us, for free, works of new origin', then this limits the supply of research. Firstly, if you believe a talk should never have been given before for it to have value, then I guess you own no movies or music, because it has been done and been heard, it's old. Secondly, we still do the old things wrong. It's not like we're in a situation where we're looking for new problems because we've run out of the old ones. Of course, we are in the situation where we like to re-introduce old problems. Different blog post, though. So, we require originality, we require it at no cost to the conference organiser or conference attendee, and then we're surprised that someone talks on hacking "Internet-connected bed-warmers" (to be fair, Dave said this in reference to Blackhat, who I do believe actually pay). If the research paid, and the researcher or their employer invested time and resources, why would they give it to CouldNotCarelessCON for nothing? You see, there is no argument here, apart from 'I want my peers to think I'm awesome'. Look, let me save the environment a little, cut down your carbon footprint, do a little psychotherapy: I think you're awesome! I also think you're intelligent, witty, a ninja with slides, and you code so well that if Linus read your code he'd ask for your advice on coding and presenting.

I guess it boils down to why you conference; it doesn't matter which part of the triangle you are. Do you conference to see friends and party? If so, does it matter if internet-connected bed warmers got hacked? You went to party and a security conference broke out. There is nothing wrong with that, and I'm not judging; I've done conferences because of friends plenty of times. Are you there to be educated and learn? Then party hacking of bed warmers is probably not your thing! If you're there to network with other industry people, you're probably a recruiter or haven't discovered Twitter :P (hang on, how did you find this blog post, then?) Joking aside, the same thing applies here too. You see, in the end, everyone has different wants and needs from a conference. For me, I wanted to meet new people and feel that my research would make a difference. 1 out of 2 isn't bad, right?

So, this is how I see it: if you're not paying speakers to speak for you, then no demands are ever acceptable. Seriously, I mean it. I'll try and be good, you try and be good; that's the only deal we have that I'll honour. If you only cover expenses, then I expect not to be out of pocket for speaking to your paying customers, everything covered from leaving the front door to coming back home. It's not unfair, IMHO, that if I catch a train to the airport you pick up the cost of that, or if I have a 3 hour layover in some godforsaken airport, because you won't pay for decent flights because 'budget', then I think it's fair you buy me a sandwich and a coke.

If you are paying me for my talk (or others), then you can make some demands as a 'customer' has the rights to do. If what I’m supplying isn't what you're after, then purchase from another supplier.

If you are a free conference, or 'almost' free, then please carry on and let me know what I can do to help and support you. You guys are the lifeblood of what we do and whatever I can do, just let me know. Please accept, however, that sometimes I'm not in a position to help, but if I can, I will.

To the speakers, I guess we did it to ourselves! WE are the ones who allowed this to happen because WE couldn't say NO. We submit to conferences because we want to be heard, yet we value what we say very little, to the point that we are just happy someone wanted to hear us speak (they don't, really; you'll very rarely see a con organiser in your talk). The fact is that for us to get better research and for us all to learn, we need to support the people doing that. It shouldn't be the exception to the rule that we pay for what we consume. If you are a speaker, then do the conferences that you're bought into, that mean something to you, and value yourself enough not to submit to or accept a conference that laughs at you for not getting paid.

I'm also looking forward to the point being raised that people can't afford to pay more for conference tickets, and you are absolutely right. Your company should be paying more, and then claiming that back against taxes like the rest of the business world does. Don't tell me: your employer doesn't have a conference or training budget, it comes out of your own pocket, so I guess that means that things should stay the same. I'm sorry to say it, but this is an issue between you and your employer. If they take advantage of you and your passions without remuneration, then you should empathise with this whole blog post, because that same situation is happening every day of the week all over the planet in the guise of the security conference universe.

If you're a conference and you can't afford to pay your speakers, then consider if there is a business argument for your conference to even exist. Is it worth the stress each year to scrape by so your hometown can be an 'X' marked off some 'Info Sec Rockstar's™' atlas? Can you do better with local user groups and help home grown talent flourish? Think local, not global. When you fly speakers in, remember that you may very well have excellent talent in your own back yard. Support that, and help them. Are you a conference that is paying more for a venue than the people helping you facilitate it? Are security conferences just a support arm to the hotel and tourism industry now? You know it takes more than speakers to make conferences happen – there are volunteers there, too. Most of the time they're forgotten, overshadowed and over-stressed; they get even less than a speaker gets.

If you're a conference that spends thousands of Euros on your after party, just remember that you could have used that money to support research and help further promote education and knowledge. Some of your conferences have pathetic student discounts, yet drop stupid money on alcohol and other 'party' related costs. You need to consider: are you a conference or a party? The next time your attendees are hammering that 'free bar' and bitching about the quality of the talks, try remembering that what they paid for didn't pay for the talks, right!

If you're a conference and your customers are expecting certain things such as original works, then you should help 'educate' them that there is a cost to that. Passing on the bullshit sandwich to people trying to promote security work doesn't help anyone. Also, where did they get that notion from, that you pay 300 bucks and get awesome research? That'll be you and your bullshit attempts at marketing.