[busterarm]

BlackHat isn't a con you attend. You go there for the training sessions that are required to obtain/upkeep your certifications.

The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.

On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.

[tptacek]

Trainings run days before Black Hat and are not part of the conference proper.

[busterarm]

Clarification not needed -- the trainings are the only sensible reason to be there.

[tptacek]

I don't know what to say to someone who thinks the Black Hat talk schedule and lobby conference isn't a reason to go, but a $5000 training course on "Active Directory Security Fundamentals" is. You do you, I guess.

I don't care if you go or not. I'm not trying to sell anybody on Black Hat. If you work in this field, you know what Black Hat is, and if you care about Security Summer Camp you're in the lobby bar at Mandalay. My only nit here is people claiming that the actual Black Hat conference is a vendor event (like RSA). It is not. Almost every good Defcon talk was a Black Hat submission (as you'd expect; it's the highest-status mainstream security conference, and it pays honoraria and travel expenses for speakers). There's a whole other conference, BSides, that started just to soak up the talks Black Hat doesn't accept.

[busterarm]

Fair enough. BH as vendor event wasn't my axe to grind but the parent poster's. I was just complaining about the industry and the event in general as only having status-economy value.

e.g., the only reason I would go is if I needed to for industry certifications. Talks aren't a reason for me to go to anything (they'll be streamed eventually and I can filter them better). I'll agree the talks are better here than most other events

I guess if your employer is footing the bill, sure, fine, whatever.

Talks having no attendance value to me might be a personal thing, but you can blame Netflix and re:Invent 2017 for that. I sat through 4 different talks given by 4 different people that were supposed to talk about different parts of their architecture but were basically the same slides and staff engineers from 4 different departments claiming responsibility for the same parts of the system. Sure that has nothing to do with Infosec, but talks can be an epic waste of time and I'm much more suspicious of them these days.

[tptacek]

Again: I'm not trying to sell you on Black Hat. But re:Invent is nothing at all like Black Hat. Black Hat is a peer-reviewed research conference focusing on presentation of security research results. You pay to see Black Hat talks if breaking the encryption on police TETRA radio or defeating Apple's PAC pointer authentication is professionally useful to you. For most Black Hat talks, that stage will be the first public airing of that research. At events like re:Invent, the new stuff is just product announcements.

I can see not wanting to sit through a bunch of vulnerability research talks! Defcon is certainly the more "fun" event.

There are higher-status (non-academic) research conferences, but they're not mainstream. Of the events everybody knows about and that employers at pentest firms will pay to have people develop talks for and employers at F500 security teams will pay to have engineers attend, Black Hat is basically the most important event of the year.

[_delirium]

> For most Black Hat talks, that stage will be the first public airing of that research.

I find this aspect intriguing, and seems to contribute to the buzz around the event? Used to be true in some other areas of computer science too, but outside of security I can't think of an academic conference where it still happens. Nowadays you can almost always expect talks at top conferences to have preprints posted on arXiv (or openreview.net) ahead of the talk, often weeks or months ahead. I mean not that somewhere like NeurIPS lacks buzz either, but you're not normally expecting major surprises in the talks.