Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Making BSides Knoxville

Two years of discussions, months of planning, weekly meetings, and thousands of dollars – BSides Knoxville 2015, the first BSides Knoxville that is, is in the books. By any metric I can think of, it was a resounding success – the feedback was great, awesome talks, good food, and a great atmosphere.

I would like to give a little insight into the event, some of what I learned from it, what went right, went wrong, and how to make something like this without going insane. Hopefully this will be useful for others thinking about running a small conference, or if you just want a behind the scenes view of what goes on.

Time #

A conference of any size takes time to put together, and even a fairly small regional event is no different. The planning actually started in the summer of 2013, with an event planned for the spring of 2014 — that clearly didn’t happen. Venue quotes, preliminary budgets, talks with potential sponsors — altogether, several hundred hours of work went into the 2014 event before a painful decision had to be made.

Putting something like this together is hard — you truly have to juggle a thousand things at once, if you can’t dedicate the time needed to keep track of them all, things fall and the event fails. In May of 2014, we let the main BSides organization know that we put the event on hold, with no set date to resume. After so much work, this was a hard thing to do — but we wanted to do it right, and the team we had simply couldn’t put in enough time to make it happen. If we couldn’t make it the event Knoxville deserved, we weren’t going to do it.

At DerbyCon 2014, a few of us met and discussed the path forward to make the event happen — we still had a strong desire to make it happen, but it had to be right. After a number of conversations, it was clear that we needed to rebuild the core team.

The timing couldn’t have been better.

A couple weeks after DerbyCon, a message was relayed through the main BSides organization that someone else was interested in getting a BSides event in Knoxville. Perfect.

In November 2014 the regular meetings started, and ran through till a few days ago. Between the four person team, the time investment ranged from 10 hours to 40+ hours a week. Running the CFP, finding sponsors, negotiating with venues, badge design and manufacturing, and of course promoting the event.

The best lesson here was to find good tools and use them religiously — we coordinated everything through Trello, and it worked out beautifully. Making the move to run everything through it might have been the best decision we made.

Money #

Running a conference isn’t cheap, and without the generosity of the sponsors, it simply wouldn’t be possible. To give a rough idea, the cost per attendee was roughly $77 — we charged $10; the $67 difference was covered by the sponsors. So when I say it wouldn’t be possible without them, I’m really not kidding.

The cost of food and drinks was, by far, our largest expense — making up over half of the budget. The badges made up the next largest cost — we really wanted to do something special, useful, memorable, and we hope we did it.

Getting the money necessary and determining the best way to use it to get the most bang for everyone involved is anything but simple. Of all the time we spent in the planning meetings, approximately half was spent discussing money.

Team #

Without the team, both organizers and volunteers, there’s no way it would have happened. In total, there were four organizers and twelve volunteers. Having a good team is critical for the event’s success — without a good team of people that are willing to work hard, the event will have issues every step of the way.

Volunteering at a conference is a great way to learn about how to manage an event, and get an insight to the issues that you may have, and how to deal with them. For me, volunteering at BSides Las Vegas was a great experience — extremely educational, and something that everyone interested in running a conference should do.

For me, I was in charge of coordinating the staff, and I feel that I could have done a better job coordinating the team and promoting communication. This is my top personal item to improve for next year.

Speakers #

We had 20 speakers and 14 talks, plus the keynote — the content, I think, was excellent. The feedback from the speakers was excellent, and the feedback on the quality of the talks couldn’t have been better.

One of the goals was to make sure that the speakers walked away with a positive feeling about the event, and would remember it for years to come. We had custom flasks made, speaker areas for each track stocked with snacks and drinks, walk-out music, and so forth — all with the goal of making sure that all of the speakers would walk away looking forward to next year.

The one area where I think we failed the speakers, is that we didn’t accurately judge which talks would need the most space — leading to a couple cases where the smaller area was completely packed, and the larger area had half the seats empty. This is something we will do better next year.

Overall #

We had a target of 200 people, including staff and speakers — and we sold out around a month before the event. Had we been able to open up more spots, we likely could have increased this number by quite a bit. There’s a huge interest in the Knoxville area for this kind of event. For our first year, the response was incredible.

Adam Caudill

Related Posts

  • The Manifesto

    As a child, all of my time was spent reading – at the age of 8 or 9 I was staying up all night reading the likes of Dickens and Verne, at 11 or 12, I was tearing through encyclopedias, medical texts, and anything else I could get my hands on. I had a love for learning, for understanding, a desire to know everything, and an insatiable curiosity that often led me in interesting directions (in that ancient curse “may you have an interesting life” kind of way).

  • Proposal: Association of Security Researchers

    Security researchers play an important role in the industry, though one that doesn’t always receive the support needed. In this post, I am proposing the creation of a new non-profit entity, the International Association of Information Security Research Professionals (IAISRP), as a supporting group to push research forward, and provide the tools and resources to improve the quality of work, and the quality of life for those involved in this vital work.

  • On the need for an open Security Journal

    The information security industry, and more significantly, the hacking community are prolific producers of incredibly valuable research; yet much of it is lost to most of those that need to see it. Unlike academic research which is typically published in journals (with varying degrees of openness), most research conducted within the community is presented at a conference – and occasionally with an accompanying blog post. There is no journal, no central source that this knowledge goes to; if you aren’t at the right conference, or follow the right people on Twitter, there’s a great chance you’ll never know it happened.

  • Verizon Hum Leaking Credentials

    or, Christmas Infosec Insanity… A friend mentioned Hum by Verizon, a product that I hadn’t heard of but quickly caught my attention – both from a “here’s a privacy nightmare” perspective, and “I might actually use that” perspective. While looking at the site, I decided to take a look at the source code for the shopping page – what I saw was rather unexpected. Near the top is a large block of JSON assigned to an otherwise unused variable named phpvars – included was some validation code, a number of URLs, some HTML, and the like.

  • Juniper, Backdoors, and Code Reviews

    Researchers are still working to understand the impact of the Juniper incident – the details of how the VPN traffic decryption backdoor are still not fully understood. That such devastating backdoors could make it in to such a security-critical product, and remain for years undetected has shocked many (and pushed many others deeper into their cynicism). There are though, some questions that are far more important in the long run: