The Unspoken: BSidesROC 2026 Travelogue


I attended the BSidesROC 2026 hacker conference on March 21st, 2026. This is my account of the experience. While preparing for the conference, I decided that I would only write about it if I was able to find some kind of framing or narrative hook that would make this something more than a mere enumeration of events. I hoped for coherent and meaningful, and I do suppose there was a sort of thematic tinge lingering over the whole trip, though by its nature, it is difficult to explain. Part of it concerns a certain bleakness. I don't want to convey the impression that I didn't enjoy BSidesROC 2026, or that I didn't learn anything, or that it wasn't worth my time or money. On the contrary, it was a great privilege to attend this event. My baseline hope — to find out what exactly I'm getting myself into by pursuing cybersecurity as a career — was fulfilled. I left with a much better understanding of what the industry is like, what kind of people are in it, and what hurdles I'll have to overcome if I want to participate. I also left with a sense of dread, and a confusion as to whether my dread was related to what I had learned, whether it had more to do with a broader set of circumstances, or if the dread came from nowhere, and there's just something wrong with me. I know this is all very vague, so I'm giving this article the slightly ominous title of The Unspoken, even though quite a lot of speaking took place at the conference. The vagueness will henceforth be considered a feature, not a bug.


Travel and Other Challenges

I left Ithaca for Rochester on Friday afternoon. The bus was delayed by an hour, and by the time it finally arrived, rain had begun to fall. This rain continued, on and off, for the next two days. If you've ever traveled on the FlixBus, you can substitute this next part for one of your own memories to get the general picture. I suffer from terrible motion sickness on buses (or any vehicle, really) unless I sit stock-still and stare straight ahead, so I spent the two-hour trip watching the road, which was shrouded in a dense fog. The bus driver was also in a state of distress: he kept wiping his face with his hand and jerking his head back and forth, as if he was being slapped by an invisible hand. The ride was tense, and despite my discipline in sitting still, I got pretty woozy pretty fast. I have always observed a correlation between rain and nausea, at least with respect to my own body. I often wonder if this has something to do with atmospheric pressure, but it could just as easily be psychosomatic. By the time we arrived in Rochester, the fog was so thick that I couldn't see the tops of the buildings. It was actually quite beautiful, this fog. I don't mean to equate the fog with my nausea in the mind of any reader, although in retrospect, I suppose it makes a perfectly fine metaphor for the confusion and dread mentioned in the preceding paragraph. I can remember being deeply moved by a similar fog around the New York City skyline during my last solo trip in 2024, though that was under different circumstances.

Traveling from the bus stop in Rochester to the RIT Inn & Conference Center in Henrietta was more complicated than getting to Rochester in the first place, despite being an exponentially shorter trip. As it turns out, no Rochester bus route actually extends to RIT campus, which is itself too geographically and infrastructurally remote from the conference center to enable easy travel between any of these three locales. I spent a significant amount of time preparing, trying to find a combination of city and shuttle buses to get me where I needed to go cheaply, an upsetting process that ultimately failed. I gave up and shelled out $30 for a rideshare. Credit where credit is due, my ride arrived surprisingly quickly and brought me where I wanted to go with minimal fuss.

I checked into my room at around 6pm, ate the sandwich I had saved for dinner, and lay down. This was my first time alone in a hotel room. I was tired, but not tired enough to ignore my natural urge to "case the joint," i.e. aimlessly wander around the premises in search of something interesting. To my horror, there were no less than half a dozen other nerdy-looking people, presumably also there for the conference, who had similarly decided to "case the joint." I scurried back to my room, and suddenly found myself so lonely and depressed that I started to cry. I kinda keeled over the heater in distress, which blew a bunch of lukewarm air in my face as I struggled to regain composure. I attributed this episode of melancholy to nerves. To self-soothe, I took a hot bath (I have no bathtub at home!), then watched TV (I have no TV at home!). The Office was on. It didn't lift my spirits by much, but I eventually grew too tired to care. Sleep came without too much trouble. Thus concludes the first day of my trip.


On Certain Contradictions

Now, I want to emphasize that I had no clue what to expect from the BSidesROC conference itself. I'd never attended a conference before, and had only a vague idea of what the word "conference" even meant, in a technical sense. I knew there would be talks to attend, and I assumed there would be other activities too, but I wasn't sure how the event would be structured beyond that. After breakfast on Saturday, I made my way down to the conference center and received my nifty attendee badge, which was made of solid aluminum that made a satisfying clinking noise against my belt buckle as I walked.

A photograph of me.

My first notable observation was of the sheer variety of people in attendance. First of all, I'll point out what you might call a diversity of fashion. The crowd was split between those wearing dress shirts and neckties, and those wearing jeans and hoodies (unwilling to confidently pick a side, I wore a tie and blazer, but paired with jeans and sneakers). This division, I think, roughly corresponded to the two different faces ("sides," if I may) of cybersecurity. On one hand, there were representatives of the hacker subculture that makes up the heart and soul of the field, and on the other hand, there were so-called security professionals connected to business and government. The existence of these two separate groups is not at all surprising, but their apparently harmonious coexistence was unexpected and disorienting. Keeping with this article's theme of unspokenness, I won't get into the complicated history of the Punk-Fed dialectic, but I will gesture vaguely toward the role of money in dissolving certain boundaries, and will also propose (again, in a vague way) the existence of an eerie undercurrent in cybersecurity that comes out of a failure to resolve certain contradictions. Whether you agree with me or not, keep this idea in the back of your mind as you read the rest of what I have to say. However, the suits/shirts split was far from the only thing differentiating people; there were men and women, old people and young people, people of various races (though whites were definitely best represented), and a broad sample of people from across the economic class spectrum, excepting the super-rich, who I suppose don't show their faces around people capable of outsmarting them, and the exceptionally poor, who can't afford to take the weekend off.


Talking About It Without Talking About It

The opening talk was a keynote speech by Cassandra Young titled By Endurance we Conquer: Teamwork and Resilience in Challenging Times. It was almost entirely dedicated to recalling the history of Antarctic exploration, specifically the story of Sir Ernest Shackleton's 1921-1922 expedition. The point of this heroic tale, as explained by Young, was to illustrate what good leadership under adverse conditions looks like. Now, I think it was appropriate that the opening keynote took the form of an elaborate analogy. Here is a prime example of what I'm going to call "Talking About It Without Talking About It." What exactly are the adverse conditions here (in the present, that is) that require strong leadership? By telling the story of Shackleton and his crew, Young was spared the trouble of having to get into all that nitty-gritty stuff. She could talk about "it" without talking about it, and I believe she chose this rhetorical method because she knew that referring directly to the subject of her talk would make people uncomfortable. The most interesting question is, of course, why that might be the case. Are cybersecurity people especially sensitive to unpleasant information? Would a straightforward discussion of current events really sour the mood more than the nebulous atmosphere of anxiety already had? Or could the social cohesion of the conference be contingent upon the tactful avoidance of certain facts?


Splitting my Time

After Young's keynote, I learned a bit more about the structure of the BSidesROC conference (and as it turns out, conferences in general). After the opening keynote, the room was physically divided in half by a gigantic sliding wall, and the rest of the talks proceeded two-by-two, one in each of the newly partitioned half-rooms. These two simultaneous series of talks were called "tracks." At the time, I thought that this was a clever pun on the tracks on a vinyl record (e.g. b-sides), but have since learned that this terminology is pretty standard at conferences. Bottom line, it meant that attendees were forced to choose between one of two talks for each ~1 hour time-slot. I was disappointed that I wouldn't be able to attend all the talks, and for me, every time-slot thereafter involved the torturous ordeal of trying to decide which talk to attend and which to forgo. For the rest of the day, the ten-minute intervals between talks became frantic periods of indecision, where I would jump from one track to the other, trying to suss out which talk would be more edifying based on what little information I had. By the second half of the day, I figured out which speakers and attendees I thought had the most interesting ideas, and tried to attend whichever talks they attended, under the assumption that they were more likely to be interested in things that would interest me. The problem was, it seemed that most people were doing the same thing I was doing during the ten-minute intervals: jumping in between tracks to suss out the vibes. As you might imagine, this turned into a real headache, as I would creepily follow someone into one of the rooms, only for them to go back to the other room while my attention was elsewhere. In the end, I was relatively satisfied with the selection of talks I attended, though I'll never know what I missed out on.


Disabling Civilization

The second talk I attended had the real doozy of a title Would You Like to Play a Game? How About Disabling Civilization, and was jointly presented by James Troutman and Cheryl Biswas at rapid-fire, almost dizzying speed. Contrary to the title, the talk had nothing to do with games or anything else fun, and instead concerned the vulnerability of critical infrastructure (IT and otherwise) to natural disasters, terrorism, and catastrophic human error. There was a mild apocalyptic flavor to the whole thing. The speakers placed the blame for large-scale IT failures, such as the 2022 Rogers outages, on excessive centralization, supply-chain homogenization, and overzealous dogfooding. This talk was the sole exception to the otherwise pervasive rule of Talking About It Without Talking About It. One dramatic slide read "DON'T UNDERESTIMATE THE IRANIANS," in glowing green movie-hacker font, which produced a spate of nervous laughter when it flashed on screen. This was the only time I can recall Iran or its people mentioned by name at BSidesROC 2026, though one must keep in mind that I was only present for roughly half of the talks.


The Hidden Job Market

The third and final talk of the morning strained my composure somewhat. The presentation was titled 10 Practical Ways to Gain Experience Without Waiting for a Job, and it was essentially just a list of things an aspiring cybersecurity professional can do to pad out their resume before their first serious job in the industry. The speaker, Suzanne Ricci, soberly informed the audience that almost all cybersecurity jobs, at least ones considered entry-level, come from the "hidden job market," i.e. personal connections and referrals. Conventional job-hunting methods no longer work in the age of ATS and automated tools, since anyone with specialized computer knowledge can easily figure out how to apply to hundreds of jobs indiscriminately (I guess using OpenClaw or whatever nowadays), ruining it for the humble, honest applicant. The atmosphere of the room was tense and fearful. When the subject of industry certifications came up, the old man sitting behind me shouted "IT'S A RACKET!" provoking from Ricci the most nervous laugh I've ever heard come out of a person. At the end of the talk, she took questions. One guy asked about the usefulness of using AI tools during CTF competitions, and Ricci responded by informing us, with a tone of palpable apprehension, that we all absolutely must learn how to use AI. The most memorable question came from a man in the back row. "I've been looking for a job for six years, but whenever I come into an interview with my cane or wheelchair, I see the interviewer's face just drop. What should I do?" Ricci provided a practical if rehearsed answer, but I could tell that it did not totally satisfy the asker. In all fairness, I certainly couldn't answer a question like that if I were in her shoes — I mean, what do you even say?

I asked a question too! See, I was panicking over the suggestion that networking (or as my brain invariably translates it, shmoozing) is the only way to find work in cybersecurity. Indeed, it was three hours into the conference, and I had yet to shmooze with a single person. Over the course of Ricci's talk, I began to wonder if my conference trip was nothing more than an elaborate cargo-cult ritual. Like, could it be that my subconscious plan was to listen to some talks, sit straight up in my seat, take copious surface-level notes, and hoodwink myself into believing that because I was technically paying attention, I must be making the best use of my time? I fantasized about standing up, sprinting out of the room, and starting a conversation with the first person I happened to bump into. Alas, I didn't have that kind of fire in my belly. Instead, I raised my hand and asked: "how can I best take advantage of my time here today, at this conference?" Ricci responded by telling me to make sure my conversations are meaningful, and that I follow up, meaning that I exchange contact information with the people I speak to and keep in touch even after the conference is over. I don't think she understood that my issue was with talking to anybody at all — the problem of insufficiently deep connections still felt remote to me.

One helpful idea I learned from Ricci's talk was the importance of specialization and differentiation. When looking for work, having experience in a particular niche or holding domain-specific knowledge makes you more qualified for a role that is similarly specific. In a shallower manifestation of this same basic idea, a lot of people adopt calculated eccentricities that act as conversation starters at conferences and other social events. Kat Fitzgerald (see below) travels with a flamingo marionette. Ricci told the story of someone who successfully built their network by showing up to industry events with an accordion.

It didn't take me long to start coming up with my own ideas in the same vein. Later, I realized that this concept also explained a puzzling phenomenon that I experienced throughout my time at the conference. I would consistently get compliments about my necktie, even though it was a completely ordinary gray tie — not eccentric at all. Too late, it dawned on me that these people were trying to start conversations, and in the absence of any obvious conversation-starters on my person, simply pointed out the most prominent feature of my outfit.

Thankfully, lunchtime was next, giving me plenty of time to calm down and reorient myself. I decided to track down the disabled guy from the career advice talk, figuring that he would be more likely to give me the unvarnished truth about the industry, as opposed to shmoozing or talking around the real subject of discussion. I found him in the hotel lobby. He confirmed that although the advice given in the talk was fine, it wasn't guaranteed to work. He advised me to take advantage of the resources I have as a student, and gave me a book recommendation: Turing Annotated by Charles Petzold, which he said would help me understand how computers actually work. I don't remember your name, but if you're reading this, thank you!


Breaking Stuff in Cool Ways

Now, one other notable aspect of this conference was the booths: tables set up by businesses and universities for recruitment. There was one particular booth that I couldn't really get my head around at first — even after reading their brochure, I failed to get a clear idea of what their business did and why. The table was staffed by three friendly, attractive young people, one of whom complimented my tie. Blushing, I asked what they did, and one of them answered with something like "well, we are a defense contractor. We mostly do malware reverse-engineering. You know, we like to take things apart, poke around, see if we can get stuff to break in cool ways."

This response triggered something in my brain. The refrain of "getting stuff to break in cool ways" was one I'd heard before. One thing I've learned since immersing myself in this culture is that the act of hacking, as understood by hackers, is a childlike, almost pre-rational expression of human creativity and ingenuity. Many hackers trace the root of their hacker ethos back to childhood, when they disassembled their toys, cleverly exploited the systems of rules set by their parents, probed the definitions of various boundaries, and so on. This is to say, there is a definite aura of innocence and wonder pervading the whole practice of hacking, and hacker type people tend to integrate this pretty deeply into their personal identities. So when this defense contractor portrayed his work as fun experimentation, as almost a kind of play, I was taken aback. I wondered if this was just his way of selling defense work to self-identified hackers, or whether the defense sector is actually composed of such people, those who have managed to frame their (undoubtedly abstracted) war-making as something fundamentally isomorphic to, say, a child playing with Lego bricks. Then, a more difficult thought: what if they're right? What if war is a kind of play, play is a kind of war, and humanity has drawn totally artificial boundaries around these different forms of expression as a self-protective measure?

Though I didn't take that last thought too seriously (I decided it was nihilistic to the point of being kind of evil), it recontextualized my experience. Looking at the conference around me, I could only determine that there was compartmentalization and self-deceit occurring somewhere; on what level, I wasn't exactly sure. And it resonated with some kind of equivalent compartmentalization or self-deceit inside myself, hence the perceived aura of strangeness around the whole event. Could we all have fooled ourselves into thinking violence is beautiful, or have we, as a species, invented things like beauty and genius and innocence entirely to distance ourselves from our fundamental violent tendencies? What does my presence at BSidesROC say about my own capacity for denial? What does my discomfort mean?

Near the tail-end of lunchtime, I found myself sitting with a group of what I considered to be ordinary people. They were all much further into their respective infosec journeys than I was into mine, but I identified them as fellow travelers in the cultural latent space. They were solving Rubik's Cubes slowly, which gave me my only opportunity to show off (I cubed competitively as a kid). For a short time, I was able to actually tap into that sense of playful joy that hackers covet, and I recalled the same feeling from my speedcubing days. Though I wasn't sufficiently fluent in the language of computer security, I could at least communicate in other ways. This made me feel a bit better, even though I knew I couldn't simply shake the brutality of adult games off of me.


Two Technical Talks

The first two talks after lunch were highly technical in nature, which helped distract me from any philosophical unease I might have been experiencing. The first was on malicious npm packages. JavaScript libraries are apparently used very indiscriminately, which opens up web-based applications to supply-chain attacks. I was dimly aware of this problem already, and as a bona fide JavaScript hater, all of my biases were confirmed. I got to sit there smugly, thinking "ah yes, an attack vector for fools. This would never happen to me, whose webpages are static, just as God intended."

The second of the two talks was a presentation on Kerberos reflection attacks by Darryl Baker. Even with the advantage of knowing how Kerberos works, this one went way over my head. This form of attack is apparently fairly novel, and didn't even come up during the research for my Kerberos article. As I understand, a reflection attack is when a victim's authentication request is relayed to one of the victim's own services (SMB, LDAP, etc.), effectively self-authenticating it. This is possible (or was, at least) within Active Directory through the use of "Ghost SPNs," which are essentially lingering Service Principal Names (SPNs) left over from decommissioned servers, hostname changes, etc. I can't say I grokked it — there were too many details that were outside the scope of my knowledge. I still paid as close attention as I could, in the hope that I could at least absorb some of the general structure of the information being presented. I don't feel like I'm at the point yet where I actually understand new vulnerabilities on anything but the most basic level. While I don't necessarily believe in passive learning, I do believe that by paying close attention to this stuff, I can at least become better prepared to approach it in other, less advanced contexts. I learned while writing my Kerberos article that a major hurdle in grasping technical subjects is the very notion that a concept is boring or complicated. If you can convince yourself that something like Kerberos is not boring but beautiful, and not complicated so much as intricate, you'll have a lot less trouble.


A Breath of Fresh Air

The next talk was my favorite. It was titled Security Misconfigurations in the Cloud - "Oh Look, something fluffy, poke poke poke!" and it was presented by the aforementioned flamingo-toting Kat Fitzgerald. I went in with no pre-existing knowledge of cloud security, except for the vague sense that everything involving the cloud is rife with leaky abstractions, janky web interfaces, and other places where the cold fingers of complacency tend to find hold. I was drawn to Ms. Fitzgerald, not just because we share a name, and certainly not just because she was wearing cat ears, but also because her bewilderment and frustration over poor cloud security practices was positively infectious. I mean, how dare they! Sipping tequila from a plastic cup, she broke down how cloud platforms suffer from systemic misconfiguration, overcomplexity, identity and entitlement overreach, over-permissive API keys, and general sloppiness. Punctuating every point with an emphatic "I just don't understand!", the rhythm of her presentation fell somewhere between a comedy routine and a rant. It was totally unlike anything else at this conference — no other speaker expressed anything even resembling levity or humor. For once, the laughter in this room wasn't the nervous, awkward kind, but the genuine sort of laughter. That's not to say she didn't communicate a whole lot of actionable information. It was all in service of her advocacy of something called Policy as Code, which is basically a method of automating all these stupid mistakes into impossibility. As she described it, Policy as Code turns "be careful" into "not allowed." Or put another way, it acts as a technological buffer against complacency. This would ordinarily be pretty dry stuff, but she explained it in such a way as to make it sound like the Obvious Correct Action. And I'm sure that it is!

Fitzgerald's talk, more than any other, represented an expression of the whimsical spirit I would expect from a hacker conference. At no point did I get the sense that there was any kind of uncomfortable, unspoken dimension to anything Fitzgerald was saying. She concluded her talk by saying "I don't trust AI. It's going to kill us all," to several audible gasps.


Coming Down

The next, and second-to-last talk of the day was titled Practice Being Punched in the Face. For the most part, it was about cybersecurity insurance. This was the first time I had ever had to think about cybersecurity insurance, and God willing, it will be the last. There was also some stuff in there about how enterprises ought to publicly communicate about their security failures, and what kind of measures they should take in preparation for those failures. Basically, it was a very small talk on the very large topic of risk management. My question (asked only in my mind): how do you determine how much to spend on cybersecurity insurance? Is there some equation that quantifies the probability of an incident, and if so, what are its variables? It's hard to imagine such an equation being accurate enough to be useful, but here I am, exceeding my minimum required time spent thinking about cybersecurity insurance. Shame on me.

By the time the final talk rolled around, I was completely out of steam. I had spent the previous eight hours frantically trying to absorb as much information as possible without losing my mind. My whole body felt numb and weird. I couldn't even bring myself to take notes on this last one, which is a shame, because it was fairly interesting. It described a simple method that an attacker (red-teamer, pentester, etc.) can use to remotely communicate with a drop-box on a compromised network using an SSH-based reverse shell and an intermediary jump-box in the cloud. I didn't know enough to compare the proposed method with other methods of achieving the same thing, but the concept was more-or-less within my grasp.

All that was left then was the closing speech, and the raffle. The funny thing about the raffle is that they only handed out raffle tickets right before the drawing — apparently, the organizers had had problems with raffle-participants leaving before the drawing during past events. However, there were so few people left by the end that the number of raffle prizes (donated in large generous quantities by the sponsors) roughly matched the number of raffle participants. This meant that practically everyone won a raffle prize. So, I can proudly say I am the winner of a free one-month subscription to HackTheBox VIP+. Woo hoo!

I stumbled to the hotel restaurant for dinner, then stumbled back to my room. There, I was again overcome with sadness. I attribute this episode of melancholy to the Unspoken. I took another bath, but decided against watching TV again. So I kinda just stared into space until I was tired enough to sleep, and then I slept.


The Sickness Unto Death

Come Sunday morning, after checking out, I was waiting for my rideshare in the hotel lobby when I was approached by a departing pair of hackers who offered me a ride into town. I accepted. Over the course of the drive, I exchanged more words with these two than I had with anyone during the conference. "Did you go to the afterparty?" one of them asked. "What afterparty?" I replied. The gist of their advice was to connect with hackers in my area and to show up at as many events as possible. The mere thought of doing this was exhausting. I directed them to drop me off at an address right outside a local Methodist church. For whatever reason, I didn't want them to know where I was going.

This church was larger and more beautiful than any in Ithaca. I went in and introduced myself. The atmosphere in the sanctuary was extremely morose. The preacher made solemn reference to some kind of terrible tragedy that had affected the congregation in the preceding week, but provided no clues as to what had happened. Everyone already knew; everyone but me. Religious people are among the very best at Talking About It Without Talking About It. Why even talk about it when there are so many analogous Bible stories you can talk about instead? You can talk about the heavy hearted and the crushed in spirit, and the rich allegorical framework available to the faithful Christian will autofill the rest. The preacher's sermon focused on the Raising of Lazarus from John 11, and I realized that I had walked into an unspoken lamentation of death. In the absence of a specific object of mourning, I could only interpret the service as a lamentation of death in general. Why weren't you there? Why didn't you do something?

I dunno. Should I go to DEF CON this summer? I hear Vegas is a lot of fun.