2007-07-18
Since computers became mainstream in the early to mid-nineties a whole ecosystem has developed around them, in order to maintain that humble computer. The various parts of that ecosystem range from the companies who make computers to the software companies who program for them.

...
"What my not making the cut sank home for me though was that there are precious little practical talks going on today at computer security conferences."
>>We have done this to ourselves by demanding that we hear talks on the latest research and 0-day, brand new exploit attack vector, uber l33t hack tool, etc when we go to these security conferences. At some point we moved away from talks on practical widespread attack vectors on our network to teeny tiny attack vectors because all the "practical talks" have been given already and why do people want to pay tons of money to hear someone talk about research or information that everyone already knows?
"It is not everybody who can attend today's cutting edge security conferences and actually walk away having learned something. What is it that you are going to get out of it, and just how will it benefit our network? If the answers aren't there, you're not going. Practical knowledge is where it is at."
>>True enough statement. At least it can maybe now justify the cost of training you can take at the conference since you usually get access to the talks for free if you took the training. On the other hand, how often has it been that the "obscure non-practical theory/idea" talk actually turned into a huge attack vector? I'm sure the people that first listened to a talk on the supposed vulnerabilities in WEP didn't really come home with the "practical knowledge" to do anything about it on their networks, but we see later how widespread and dangerous of an attack vector it was. Unfortunately people don't give a crap about a new vector (it isn't practical yet) unless the guy is dropping a kiddie friendly tool anyway, then maybe they'll go home and fix or upgrade the network to defend against the attack.
Another thing to think about is how do I justify to my boss sending me to a conference where they are going to talk about "practical knowledge" that I can 1) probably get in town from a local training center or 2) from a book for significantly less cost?
Don't get me wrong, I'm all for a conference where I get something practical out of every talk but I would think it's hard to organize a con like that because what might be new information for me might be old news to you. Of course that's probably why there are different tracks and more than one talk going on at a time. Valid points though, something for those con organizers to think about at speaker selection time.
Link to this comment: http://www.securityfocus.com/comments/columns/449/34635#34635