[tptacek]

I don't know what to say to someone who thinks the Black Hat talk schedule and lobby conference isn't a reason to go, but a $5000 training course on "Active Directory Security Fundamentals" is. You do you, I guess.

I don't care if you go or not. I'm not trying to sell anybody on Black Hat. If you work in this field, you know what Black Hat is, and if you care about Security Summer Camp you're in the lobby bar at Mandalay. My only nit here is people claiming that the actual Black Hat conference is a vendor event (like RSA). It is not. Almost every good Defcon talk was a Black Hat submission (as you'd expect; it's the highest-status mainstream security conference, and it pays honoraria and travel expenses for speakers). There's a whole other conference, BSides, that started just to soak up the talks Black Hat doesn't accept.

[busterarm]

Fair enough. BH as vendor event wasn't my axe to grind but the parent poster's. I was just complaining about the industry and the event in general as only having status-economy value.

e.g., the only reason I would go is if I needed to for industry certifications. Talks aren't a reason for me to go to anything (they'll be streamed eventually and I can filter them better). I'll agree the talks are better here than most other events

I guess if your employer is footing the bill, sure, fine, whatever.

Talks having no attendance value to me might be a personal thing, but you can blame Netflix and re:Invent 2017 for that. I sat through 4 different talks given by 4 different people that were supposed to talk about different parts of their architecture but were basically the same slides and staff engineers from 4 different departments claiming responsibility for the same parts of the system. Sure that has nothing to do with Infosec, but talks can be an epic waste of time and I'm much more suspicious of them these days.

[tptacek]

Again: I'm not trying to sell you on Black Hat. But re:Invent is nothing at all like Black Hat. Black Hat is a peer-reviewed research conference focusing on presentation of security research results. You pay to see Black Hat talks if breaking the encryption on police TETRA radio or defeating Apple's PAC pointer authentication is professionally useful to you. For most Black Hat talks, that stage will be the first public airing of that research. At events like re:Invent, the new stuff is just product announcements.

I can see not wanting to sit through a bunch of vulnerability research talks! Defcon is certainly the more "fun" event.

There are higher-status (non-academic) research conferences, but they're not mainstream. Of the events everybody knows about and that employers at pentest firms will pay to have people develop talks for and employers at F500 security teams will pay to have engineers attend, Black Hat is basically the most important event of the year.

[_delirium]

> For most Black Hat talks, that stage will be the first public airing of that research.

I find this aspect intriguing, and seems to contribute to the buzz around the event? Used to be true in some other areas of computer science too, but outside of security I can't think of an academic conference where it still happens. Nowadays you can almost always expect talks at top conferences to have preprints posted on arXiv (or openreview.net) ahead of the talk, often weeks or months ahead. I mean not that somewhere like NeurIPS lacks buzz either, but you're not normally expecting major surprises in the talks.

[tptacek]

Yeah, it's an idiosyncrasy of vulnerability research and "zero day" status. Things will get discussed with the media in advance of the conference, but if you blog your whole talk before the review board sees the submission, that'll get used to shoot down accepting. Which sort of makes sense, because even if it's good, your submission will be competing with 5 more really good talks on the same track.

I'm a longtime reviewer for Black Hat, and I've reviewed (shadow) for ACM and (publicly) for Usenix (I was a PC for WOOT a few years ago). It's a different vibe. Nobody's WOOT submission got dinged for having been disclosed in advance, but Black Hat submissions will get dinged for having been presented at regional conferences prior to BH.

Again though: the single easiest way to make sure a talk has no chance at BH is to make it vendor-y. Reviewers will LinkedIn-stalk the names on the presentation to make sure nobody's connected to marketing or sales. If you're submitting something that's even tangential to your product (smart toaster firewalls), even if it's good research (elite-level zero-day vulnerabilities in smart toasters), you have to go way out of your way to assure reviewers you won't pitch on stage.

Black Hat is pretty sensitive to making sure the talks themselves aren't commercial, even though the conference trappings are extremely commercial. "This would make a better RSA talk" is an extremely common epithet.