Finance With Attitude

Those who personally partake in the autumn theater, or have bosses who are in the game, know this is the time of the year when bigger decisions are made.

Since everybody is exposed to big ticket items and larger numbers, throwing in the annual training cost is best done close to those discussions. A pro player separates the travel costs from the event cost, as these usually come from a different budget category anyway. Depending on your organization, there may or may not be leeway, so act accordingly.

Why go through all this trouble, our junior readers ask? Well, the discussion about attending t2’20 (and your other favorite cons) is a lot easier for you and your boss when everything has already been agreed beforehand and the money is available for it. If you have a boss who appreciates employees making their life a tiny bit easier, giving the right support at the right time can go a long way.

At the end of the day, your boss is the one who needs to figure out the right course of action after the Good Idea Fairy visited the C-level executive(s) and they decided to go three levels deep into the budgeting spreadsheet to make cuts, without any discussion of the impact or guidance on a new direction. Or maybe your boss was naive enough to provide accurate numbers from the get-go, when everyone else was inflating their numbers in anticipation of the first round of cuts.

The worst kind of budgeting wizard just runs out of money in Q4, and the rest of the organization takes the hit. For those, you reserve your sneakiest DDE payload, figure out a chain of actions resulting in the file landing on their workstation, get the code running (everyone clicks OK at some point), establish persistence and wipe the payload from the original file. Whatever happens after this is left as an exercise for the reader.

Talking of planning, the big game hunter is saving up their Office 0days for this time of the year. Depending on the organization structure and budgeting process, it might be trivial to land your carefully crafted version of the budgeting numbers on at least one C-level workstation. Be sure to take note well in advance if someone is deviating from corporate policy with their device choice – this is most likely one of the easiest targets from an exploitation perspective, as you can bet it lacks some or all hardening. IT isn’t too keen on debugging mysterious crashes happening to a unique snowflake, in case your toolkit isn’t that stable. Bonus points are given for pretexting the service desk with a false track record of unstable behaviour on a similar device, if you just can’t be bothered to get your budget items stable enough.

Not that any of these kinds of hypothetical things ever happen in real life. It would be ridiculous to potentially burn valuable exploits when you can just enjoy the adrenaline rush of some quick rubber ducky action on the top floor, or casually misplace USB cables in the right meeting rooms (Outlook Scheduling Assistant is your friend here).

So, get those events locked down on the budget level. Getting the commitment for your attendance well in advance never hurts.

After all, bug bounty and exploit money is typically reserved for bottle service, fast cars, exotic vacations and expensive handbags. And yeah, while Helsinki definitely can tick those boxes, we hope that the main reason for attending is our curated and hand-picked program – finally available in its complete version.

The Art of the Budget Hacking

It’s that time of the year again. To commemorate the 15th anniversary edition of t2, we wanted to open up the reasoning behind the frequent reminders to allocate training budget for t2 and our friendly suggestions for early registration.

Before getting to the nitty-gritty, it’s important to highlight that we organize t2 out of love, both for the community/scene and for hackerdom. This cannot be done for any other reason.

Conferences, and the event business in general, impose certain rules of business and financial terms on the organizers. These are largely independent of location and time, and apply to most parts of the world.

  • Venue
    • Needs to be booked well in advance, and unless you have been doing business with them for a long time, they require a prepayment of some sort.
    • Once you confirm dates, you are committed. Cancellation terms do exist but it’s not like you can bail out at the last moment.
    • Multiply this by the number of locations (e.g. if you plan on organizing dinners related to the event).
  • Liquidity
    • To cover invoices due before the event, you either need healthy finances with some buffer from the previous years, or you take a loan (usually from the main organizer, who takes the biggest financial risk personally). If ticket sales start early, you might have enough cash flow to balance everything out.
  • Travel arrangements
    • After the CFP is done, the speakers are confirmed and the event is nearer, the booking of flights begins. If you are covering 100% of the travel cost, you want to time the purchase to get the best price. Not too soon, not too late.
    • Here you have the risk of cancellations, or other last minute changes – all part of normal life.
  • Scale economics
    • Applies to your business only if you’re Jeff Moss. Forget you ever heard the term; the more important jargon is MOQ (minimum order quantity).
    • The smaller the maximum number of attendees and the planned financial upside, the smaller the window of error between loss, breakeven and profit.
  • Sponsors
    • Depending on the year, sponsors might save the day when it comes to the event’s financial performance. Fewer sponsors means a smaller risk margin.
    • Some sponsors would prefer to have the attendance list (with contact details, of course) or to buy speaking slots. t2 sells neither of those.
    • Please take a moment to check out what the valued sponsors are doing during the event and online. Few events could do without them.
  • Conference schwag
    • Needs to be ordered well in advance to account for unexpected delays. Typically a prepayment is required, as your vendor needs to pay their suppliers and/or materials.
    • Even when using high quality partners, you will have defects. The more professional the partner, the easier it will be to sort out the mess.
    • You end up ordering a good amount of extras to account for everything, and then giving these away for free the following year (or during the year, unless you organize an exclusive luxury fashion event, in which case you burn the extras along with the receipts).

Having been in the game for well over a decade, most of it with the same partners, we have been able to build trust and negotiate cash flow friendly payment terms. It’s like playing Tetris with the calendar throughout the year, except the blocks are invoices and you are actually gambling.

Nevertheless, each year the familiar friendly faces in the audience, the first timers and the returning speakers make it all worthwhile. It’s an honor to have the event filled with enough intelligence to make your brain hurt. With that out there in the open, we hope you register your ticket to this year’s 15th anniversary celebrations sooner rather than later!


Budgeting season

Surprisingly many companies lock down their next year’s budgets already in Q3. While many of our attendees have negotiated conference and training costs to be part of their annual non-negotiable compensation package, there are also those who rely on the good graces of the financial overlords to okay their attendance. This post is a reminder that it’s yet again time to have the discussion about t2’18 – after all, it’s the 15th anniversary.

Why do we pester our readers with this? As Thomas Lim aptly stated in his keynote at Infiltrate 2012:

“[..] Conferences don’t really make a lot of money, unless you’re Black Hat [..]”

In many years, the question of making a small profit to guarantee enough liquidity for organizing the next event comes down to having the right sponsors. No sane person would enter a business with this kind of risk/reward ratio. The talk is filled with other gems as well, and it’s definitely worth watching.

The reasons for organizing are elsewhere, namely that you want to give back to the community, love the atmosphere of a small event and want to see world class security presentations in your home country. The volunteer work behind the scenes only works when you focus on high quality and networking – it also helps in attracting repeat guests who value the effort put into curating the program, and in setting the stage for making new friends. A considerable part of the audience comes from outside Finland, and it’s certainly not thanks to the weather.

To summarize some of our core values:

  • Networking is an integral part of the event
  • We focus on new research and technical aspects of information security
  • We never sell or give out the attendance list
  • Sponsorship does not give you a speaking slot or influence on the agenda, only CFP does

If you are interested in sponsoring t2, we are glad to discuss your exact needs. Please get in contact with us.

Carry on tradition

Having recently returned from the warmer parts of EMEA, where nights are warm and days even warmer, we find the importance of having friends and making new ones somehow topical. Global and regional geopolitics get a new meaning when you can enjoy pleasant discussions with people who have local insight. The often-repeated cliché of travel widening your horizons certainly holds true, but only if you get away from hotel and airport lounges to spend enough time in one place to really soak in the surroundings.

Historically, Helsinki has been the host city for all kinds of talks, and in many ways t2 follows those traditions. We cater to an all-encompassing audience, where everybody is welcome regardless of the funny hat they might wear. One person’s ethical choice is another’s livelihood, and yesterday’s break-up/bankruptcy/allsafe is today’s comeback tour/hottest startup/evilcorp.

Just like a good foothold inside a Jenkins server gives you the keys to the kingdom, allocating an annual training budget for t2 is a good investment if you prefer meeting fantastic people, exchanging intel^H^H^H^H^Hknowledge, and learning from world class research. This year there are also other interesting opportunities around t2 in Helsinki – a sauna day opening the doors of private homes for sauna visits, and a whole event dedicated just to salty liquorice.

What more could you ask from an infosec conference?

ps. Don’t forget to include lobby bar expenses in your training cost estimates!

99 problems but a free ticket ain’t one

Three and a half weeks until t2’15. We’re sold out, but we didn’t sell out. The hard limit of 99 attendees is the cornerstone of the conference and, come hell or high water, it’s here to stay.

It’s also the reason we think now is a good time to remind those who plan on attending t2’16 to sneak those figures into next year’s budget. After that, it’s just a case of “We had this discussion last October” and “Our training budget accounts for t2, the lobby bar and/or a random 0day”. Some of the more veteran attendees have taken this a step further and just labeled the cost as threat intel. After all, it’s the one budget category where you can pour in money and nobody questions the spending or the results.

Speaking of money, we’d like to see Lester Freamon’s take on attribution when it comes to those annoyingly pedestrian toolkits.