Network effect and focus. Black Hat has become the premier vulnerability research conference, and, like the top science journals, there's a prestige effect to being accepted. Also, unlike Defcon, Black Hat isn't an entertainment event; if your talk is accepted at BH, there's no uncertainty about whether it's there because it's "fun" or there because it (supposedly) makes contributions. Black Hat's talks are, as vuln research, generally much better than Defcon's.

And Bsides is literally a conference defined by talks that are perceived as not strong enough to make it into Black Hat. That's why it's called "B-Sides". As with music, there are some B-sides that are better than their A-side. Some.

I don't know that many people in my field who take RSA all that seriously. I don't, and I'm continually annoyed by credible people in my industry twerping about submitting or attending RSA talks. RSA is a marketing conference.

Finally, with regard to price: I recommend against paying for your own Black Hat ticket. I have no insider information here, but I've been in the industry for a long time, some substantial amount of which was spent doing marketing professionally, and my insight about BH tickets is this: the two most important vectors acting on BH ticket prices are:

* The maximum price that companies will pay for a professional development event for their employees (this was the original goal of Black Hat: to come up with a way to get companies to expense Defcon)

* The sweet spot between attendance and ticket price that maximizes what sponsors will pay for sponsorships. Too high and attendance drops so much that impressions don't justify Gold sponsorship. Too low and the median attendee is no longer a prospect for most potential sponsors.

Neither of these two forces is about you, the conference-goer. So my practical recommendations are:

* If your employer is footing the bill, get them to pay for Black Hat. Chances are it makes not a whole lot of difference at the margin whether they pay for Black Hat or Defcon; what they'll remember is "paying for you to go to an event", not how much the event cost. Black Hat is expensive, but it's not expensive relative to other professional development events in other spaces.

* Otherwise, pay for B-sides and (depending on utilikilt tolerances) maybe Defcon, but arrive in Vegas on Tuesday night and lobby-conf Black Hat. For the past several years BH has been at Mandalay Bay, and there's a big, terrible bar right at the foot of the conference center that everyone hangs out in. Just treat that bar like the conference and tag along with people to events. Go to B-Sides for any talks you're particularly interested in.

* Don't ever go to RSA.

Other cheaper, credible, non-BH vuln research events include Infiltrate, Recon, and CanSecWest. They differ sharply in size w/ Black Hat, but not quality.