How to game the 44CON CFP

Every year 44CON has a Call For Papers (CFP). The CFP is run by a panel of about 10 people from various parts of the industry, predominantly based in the UK. The process and technologies used have changed over the years, most notably last year when we replaced our existing bespoke CFP system with HotCRP and implemented a weighted average scoring mechanism based on HotCRP voting results.

TL;DR – I want to speak at 44CON

Ok, then do these things to boost your chances:

  1. Submit a workshop with your talk
  2. Make it clear where else you’ve submitted and/or might/will submit
  3. Include links to other talks you’ve done, video if you have it
  4. Get your talk in early for a better chance of scoring higher
  5. Be enthusiastic, tell us of any boundaries, problems or needs, and work with us, not against us

Understanding how the CFP works

The CFP is opened on a particular date for submissions. Everyone speaking in Track 1 or 2 must go through the CFP process. Track 3 (which is sometimes used for workshops) is a little more fluid, for reasons I’ll discuss later.

Scoring and voting

A gypsy fortune teller brings her crystal ball to life to read the future.
Scoring is as much an art as science, but you can improve your chances of speaking at 44CON.

Our panel votes on and scores talks out of 5, normally in several tranches. It varies by individual and not everyone votes on every talk. People provide comments and feedback, which we pass onto those submitting on request. On average we get between 200-400 submissions a year.

When the CFP is due to close, we push panel members along to review and score submissions, particularly if they haven’t yet been voted on.

Once voting is complete, we divide the sum of scores from each voter by the number of voters to get an average, with an option for discussion under certain circumstances that can weight a score by up to + or – 0.5.

UK submissions normally get up-voted (with some exceptions, see below), and in the selection rounds there’s a strong bias towards UK-based speakers over non-UK-based speakers with identical scores, unless the non-UK-based speaker’s talk is exceptional in other ways. This doesn’t mean that your talk will be rejected if you’re not based in or from the UK. Non-UK based speakers make up the majority of our speakers, but there is definitely a small “home bias” amongst the panel members based in the UK.

Why does it take so long to find out if I’m accepted?

If you're not sure what's happening, contact us and we'll give you an update.
If you’re not sure what’s happening, contact us and we’ll give you an update.

Once we have the results we look to fill a specific number of slots, which varies each year. Acceptance messages are sent out in tranches, and when people return the speaker agreement, they’re confirmed. We normally send rejections for very low scoring talks, but there’s a glut of talks usually falling between 3.5-4.0, where they might be accepted if others scoring higher can’t make it.

If you’ve scored an average of 5.0, you’re pretty much guaranteed a slot and we’ll get in touch straight away. The bulk of submissions tend to hover around a score of 3-4, and 4.5 is normally the cut-off point for the first tranche of accepts. We then wait till the first tranche come back, or if we get no response, chase them up twice before moving on.

For the slots that free up, we move down the list, ensuring those who scored highest get picked first. Once we’ve filled up tracks 1 and 2, we move on to track 3.

After the first round of talk triage, cut-off tends to happen around average scores of 4.25 – 4.0/5.What this means is that there are a lot of good talks that just don’t get accepted at 44CON because we don’t have the space to support them, even with a third track. More often than not a talk or workshop rejection from 44CON does not mean it sucks. Ask for feedback and we’ll share what we can.

Wait, isn’t 44CON a two-track conference?

All speakers dress like this when preparing submissions.
All speakers dress like this when preparing submissions.

Yes and no. For several years we’ve run a hidden track under various names. This is because we’ve wanted to give our backup speakers a chance to speak if someone drops out, but we don’t want to risk slots emptying on the main tracks. Inevitably people drop out along the way, people who are allocated to track 3 move onto the main tracks and this leaves gaps that we have the option to fill.

Sometimes we’ll look back at the talks list and look to offer a spot to someone on the list, however sometimes it’s easier to go to people we know are definitely coming and see if they have something. This is a completely arbitrary decision affecting two slots a year at most, and more often than not, 10-20 people want the slots. We generally operate on a first come, first serve basis.

Hacking the process

Now you know how the process works, let’s look at how you can subvert it to ensure your talk has the best chance of scoring high. Each voter on the panel is different, but there are certain things that, on average, will result in you being more favourably considered.

Submit both Talks and Workshops

We have 2-3 tracks to fill with talks, and get on average 200-400 submissions a year. We get less than 20 workshop submissions a year. Workshops are 2 hours long and come with an extra night’s accommodation when talks are also submitted.

If you want to maximise your chances of speaking at 44CON, submit a workshop.

Workshops are typically more intimate affairs with room for about 30-50 people sitting down, although we have had workshops with 100 people. If you’re not sure what to do in a workshop, imagine that if your main talk is about the theory, try a play-along walkthrough on how to do this in practice.

Every year we’ve run a formal CFP process, we’ve treated people who submit workshops far more favourably than people who submit talks alone. Even if your workshop is unrelated to your talk, both are likely to be up-voted considerably.

I cannot stress this enough. If you want to maximise your chances of speaking at 44CON, submit a workshop.

This only works if you submit your workshop separately to your talk. People submitting a talk and workshop in one don’t get the voting benefit separate talk and workshop submissions do. Finally, if you’re only prepared to come if your talk is accepted, please say so on both submissions.

Tell us where else your talk has been submitted

44CON is usually among the first events in the calendar after BlackHat and DefCon. Everyone wants to speak in Vegas, we understand that. Some people score BlackHat and DefCon talks slightly lower in order to give preference to newer talks, some don’t. It’s down to the panel. If you don’t tell us you’re talking at BlackHat or Defcon, and we find out by checking the site, panel members will remember next year and it may affect future submissions.

If you’re doing your reveal in Vegas, focus on your process at 44CON.

Not everyone in the UK can go to BlackHat or Defcon, so there’s not a massive deal in your talk being done in the UK afterwards. We do need to know what will be different. It takes a lot of effort to deliver a big Vegas talk, and making something different may seem like an awful lot of effort, but there’s an easy workaround that normally gets big bounces.

If you’re doing your reveal in Vegas, focus on your process at 44CON. If you spent 6 months trying to reverse engineer and compile code for an arcane architecture, we want to know how you went about it. We also appreciate failures as much as successes. Some of our better talks have been talks about how people have failed and what they learned.

If your talk is 70% different to your Vegas talk, say so. If it’s 50%, say so. If it’s 30%, say so. If you say so, and it’s not, then reviewers will know next year.

Show us your other talks

A picture speaks a thousand words, but a video of your talk lets the panel look at the type of speaker you are, how you approach your talks, and gives us an idea of where we think you might fit in best.

Show us your other talks, even if you're a rockstar.
Showing us your other talks helps us fit you in.

This is an especially powerful tool for speakers coming from countries where English is a second language. All of our talks are delivered in English. We have some great speakers from across Europe, India and even China, and we want to keep the focus on the content, not on the way it’s conveyed.

It can be pretty scary delivering a talk in a second or third language, and it’s useful to see you speak, both to reassure voters when you’re delivering a talk, and to determine what help we might be able to offer if your research is brilliant, but you struggle with the language.

Even if you’re a native English speaker, throwing us a link to earlier talks lets us work out where and when we can put you. We often put more energetic speakers on in the afternoon for example.

Submit your talks early in the process

Most of the panel vote in several stages. Almost everyone votes for the first submissions coming in, and slowly dribble off after a while. At several points while the CFP is open, more people will vote, but because there are fewer talks to vote on, we’ve noticed that early talks score higher on average than those submitted later.

The more votes you get, the better the chance of bringing your voting average up and the better the chance of your talk being accepted. Submitting early gets you more (and often higher) voting scores.

Remember It’s A Two-Way Street

We completely understand how much of an effort you put in to come to speak at 44CON. Many of the crew talk at conferences themselves, and understand that you’re giving your time for free to go and speak at an event. That’s why we try to make the talk as cost neutral as possible for you to come and present. When people interact more with the event, and try to get involved, they’re generally more likely to have more positive responses.

There are certain speakers who come back to 44CON regularly such as Jerry Gamblin, Saumil Shah and Joe Fitzpatrick amongst others, all of whom make really strong efforts to interact with the crew and those attending. If, in your submission, you come across like you’re treating 44CON as just another con to shop the same talk around and disappear, you’re probably going to score lower than someone who comes across as though they really want to be there.

Coping with rejection

Our scoring method is not without its faults. No scoring system is perfect, and we’ve had to break bad news to big names as well as people with talks some of us thought were brilliant fits for the event.

If you don't hear from us straightaway, wait or contact us, don't assume your talk was rejected.
If your talk was rejected, it’s not an indictment of you or your talk.

To help you deal with the sting of rejection, remember this:

  1. Your talk not being accepted at 44CON does not mean we thought it was bad.
  2. You absolutely have the right to ask for feedback. It might take a while depending on when you ask, but Steve will personally write back to you with as much detail as he can provide.
  3. We’re all here to learn. If you think that we’ve made a mistake, or have ideas on how we can improve (beyond “accepting my awesome talk next time, dumbasses”), then we want to know.

Most importantly, your talk not being accepted does not mean we don’t want you to come and enjoy 44CON. We absolutely do want you to come, and will happily offer you a discount on a ticket as a thank you for submitting.

We want everyone to have a good time at 44CON. If you have any special needs or requests, from assistance with disabilities to being able to bring your kid(s) along just let us know. Unless it’s something we absolutely cannot accommodate, it will have no bearing on your submission’s consideration.

44CON CAFE at IPEXPO 21st May

If you weren’t at IPEXPO Manchester to witness 44CON Cafe in action then you missed out on some great talks.

But luckily for you we have a recap of them all below.

Paul Pratley, Head of Investigations & Incident Response at MWR

Smoke Detectors & Super Spies

Paul’s talk looked at the cutest trends in serious and targeted security incidents in the UK and what you can do to get your cyber smoke detectors working. As a very UK centric Incident Response practice and operating under the CPNI cyber incident response scheme, MWR is able to observe the trending nature of data breach incidents in the UK. Despite the ever pervading perception of nation state actors and APTs being the principal threat using highly advanced tools and techniques, the reality we are seeing is that attackers are following some basic common methodologies. What most organisations fail to accomplish in their security postures is detection and response capabilities to deal with the reality of most common attacks. In addition, there is a marked lack of knowledge around the attack timelines and techniques that can be used to slow down attackers, trigger internal compromise alerting and carry out response in a timely manner to limit the damage to victim organisations.

You can find out more about MWR at http://www.mwrinfosecurity.com/ or follow them on Twitter @mwrlabs

Dean Brown – Red Team Engineer at Cortex Insight Limited

An examination of telephony security

Dean, a thoroughly interesting guy, gave a revised version of a talk he gave at Secure Word Expo 2003, but the topics of the original talk are still as applicable today as they were in 2003. Dean’s talk was split in to two parts.

During part 1, Dean did a review of old school phreak & hack of the PSTN/Office PBX systems mentioning the likes of John Draper, Kevin Mitnick and Stephen Wozniak. Part 2 focused on a Live, yes live, VoIP interception, looking at GSM.

To find out more about Cortex Insight and the work they do, visit www.cortexinsight.com and follow them on Twitter @CortexInsight

Ben Williams – Senior Security Consultant for NCC Group UK

The L@m3ne55 of Passw0rds: Notes from the field

Ben’s talk was a Penetration Tester’s view on the world of passwords, describing the day-to-day experience of attacking networks and applications. Forget exploits and 0-day for the moment, this talk focuses on how attackers can gain and expand access using a variety of practical password attack techniques. NCC customers are often surprised when NCC gain unauthorised access with these techniques, especially when they have enforced a password strength policy and account lockout. In many cases these things can be merely a hindrance to a determined attacker.

You can find out more about the work NCC Group by visiting www.nccgroup.trust/en/ or following them on Twitter @NCCGroupplc

If you have an interesting talk to share with us, why not submit it to our CFP?

IP EXPO Manchester 20-21st May 2015

44CON Café will be making an appearance at this year’s IP EXPO Manchester. As the threat of cyber crime for leading organisations continues to grow it is clear that this topic is more important than ever. Staying up to date with the latest developments in computer attacks is one way to stay ahead of the threat.

At 44CON Café you will:

  • See real world attacks take place in real time, and gain an insight into how businesses can learn to detect and defend against them
  • Network with and learn from the UK’s leading information security technical specialists and face up to your information security defence issues
  • Discuss cyber crime prevention with professionals and researchers from all sides of the industry
  • Mingle and share knowledge in the IdeaHub – Whiteboards and Pens will be provided

IP EXPO Manchester is the new launch event in the IP EXPO series for 2015. IP EXPO is the UK and Europe’s leading IT infrastructure and Cloud event series for those looking to find out how the latest IT innovations can drive their business forward. The events showcase brand new exclusive content and senior level insights from across the industry, as well as unveiling the latest developments in IT. IP EXPO Manchester will house over 60 exhibitors, 65 free to attend seminars and 5 theatres, all under one roof.

If you are in Manchester and want to find out more or register to attend please follow this link http://www.ipexpomanchester.com.

Suits and Spooks May 2015

Suits and Spooks are offering 44CON attendees a promotional rate for tickets to attend their Suits and Spooks event taking place in London on the 6th & 7th of May.

Suits and Spooks London 2015 will be held at a techUK facility in London. Following their event in 2014, Suits and Spooks London 2015 will be their first 2 day event.

During Suits and Spooks London they will have representatives from the British government speaking and in attendance, along with British Venture Capitalists and the usual mix of public and private sector participants.

Speakers will include Marina Litvinenko, the widow of the Russian FSB officer who was poisoned in London with radiation, EJ Hilbert of Kroll Associates, Zach Tumin of the NYPD, and many more.

44CON Members will be entitled to a membership rate ticket for £319. All you have to do is visit their website to register. When you register, select Membership in the amount option.

The two day event includes two continental breakfast and two lunches plus all the sessions.

If you are in London during this time then why not take advantage of this promotional rate?

44CON Proud Supporters of White Hat Rally

44CON are delighted to announce that we will once again be proud supporters of White Hat Rally and their project to raise money for Barnardo’s.

The awesome people over at WHR are in their third year, yes third year of raising moment for Barnarod’s. They will rally from the Welsh borders, to the West Coast, from north to south, taking part in all sorts of challenges as long the way.

This year we have decided to donate some of the money from PREMIUM ticket sales.

We have given WHR members a 40% discount on PREMIUM tickets to our Cyber Security event happening in London on Tuesday 28th April with usually cost £100. For every ticket sold using this discount code 44CON will donate £10 to Barnardo’s .

Last year WHR raised over a whopping £39,500. Lets see if we can help them raise even more this year and help make a real positive difference to these children’s lives.

Barnardo’s will be in attendance at this years 44CON Cyber Security event so if you are not a member of the WHR and still wish to do your bit then make sure you come along and talk to them at the event.