My heart is full of gratitude for finding such instant and easy connection. That's probably the best summary I can provide after my very first SoCraTes UK. I would have loved to be able to write this post right after the conference while memories and emotions were fresh, yet life happened and right now is the next best time for it. So let's start at the beginning.
Arrival
As for most conferences, it takes me a while to get to their location so I plan with a travel day back and forth. It reduces most travel worries due to hiccups, makes everything so much more relaxed, and also gives a chance to connect with the first set of people before the event starts. Also in this case, arriving the day before was well worth it. The lovely venue is located in the countryside, surrounded by nature. I had some time to settle in and just breathe. So far so good.
But then there was the heat. Well, that full-blown heat wave was not sparing the region and it presented a challenge throughout the conference. Especially given my hotel room was right under the roof, only had limited capacity to open windows and offered no air conditioning - not even any air circulation in the bathroom. Let's say it was tough, but I survived.
Having settled in and rested for a bit, it was time for meeting people and then having dinner together. It was great to see people like Amélie Cornélis, Emily Bache, Simon Görtzen, Alexander Alemayhu, Michel Grootjans, or Raimo Radczewski again. At the same time I loved connecting with folks I haven't met before, like Clare Sudbery, James Bel, Claudia Görtzen or Chris Jenkins.
Training Day
SoCraTes UK offered a bunch of trainings this year before the official start of the conference. I really appreciate these short pre-scheduled workshops that bring people together on practicing things hands-on and also provide some topics already to take further into the following open space.
- TDD Game with Cyber-Dojo by Jon Jagger. If you haven't come across Cyber-Dojo yet, it's a great practice playground for coding katas across all kinds of programming languages. And Jon is its creator! In this session, we split into groups and tried to predict every outcome of our changes, working on a kata. And not only that, we played against an LLM model who tried to predict as well - so our goal was to trick it into false assumptions. Well. The sad news: Nearly no group succeeded. A rather sobering insight. I guess this might change once the domain would become more unique and specialized, yet who knows.
-
Secure Development Lifecycle Applied - How to Make Things a Bit More
Secure than Yesterday Every Day
by me. I've given this workshop plenty of times already and every time it's
fun for me to notice how the groups engage with the material, what kinds of ideas
they surface, which ones they try first. As usual, I hope it's also fun for the participants to practice together hands-on on tangible things they can do
to make software more secure. I really appreciated the folks that joined,
many of them gave detailed feedback - invaluable! - and people seemed to
find value in it to take with them.
- Using TDD to Get Better Results From LLMs/AI by Clare Sudbery. We worked together in pairs to build an app using only an agent, based on a set of requirements provided by Clare. Half of the groups had to use TDD, the other half was obliged not to even mention any kind of testing to the LLM. Curiously, the key insight for me from this workshop was not related to the question "TDD or not TDD" at all. It was that no matter how we implement things, we still need to work with humans first to gain insights on the domain and problem space to gain understanding on what they actually want to have us build. Classic lesson, learned once again.
- Value Stream Mapping by Tim Ottinger. This was a really cool workshop for me. I've learned about the approach and key concepts from various sources for years and spread it further in one way or the other. This workshop felt super validating that what I've been sharing with my teams and outside was indeed going in the right direction. We all put on paper what the value of our product for a customer is, what they desire and require. Then we mapped out all the steps that need to happen to deliver this value. We annotated that stream to identify value-adding and non-value-adding work, including pure waste. We documented cycle times for each step, as well as waiting times in between the steps. Because one of the main points here is that speeding up a non-bottleneck process produces deeper queues and longer waits - you make the bottleneck worse. We analyzed several example situations and what we could do to make things flow. Well, as a longstanding advocate for pairing and ensembling, the answer how to increase flow was right there for me.
The training day was over, and the main conference started in the evening. It was a true pleasure to have Romeu Moura as a facilitator for the open space. He did a splendid job to get people to not only break ice, but also deeply engage with the values of the conference, really think about what everyone of us, starting with ourselves, can contribute to make this a safe space. This kind of foundation really showed the next days and I believe we took it with us even after the conference had ended.
Dinner time! Had lovely conversations with the folks at our table. Topics didn't stay shallow either, with the round addressing big societal problems as well as generational change. Afterwards, I was already pretty tired and close to call it a day, yet I wanted to check out what people were up to. The board game round intrigued me so much in the end that I stayed for way longer than originally planned. I just love games and the one people tried had a really cool concept, was not easy at all and truly required collaboration of players. You know, those lessons for life games.
Open Space Day 1
I'm a night owl, so open space marketplaces generally start too early for me. Yet I better be there if I'd like to hear folks pitch their sessions and be ready to host one myself (and of course I do). Here's my pick of sessions for this first open space day.
- "How can the way we work support democracy?" by Claudia Görtzen. I loved that she raised this topic already the evening before and was super happy she proposed it as a session. Because we all have our share in how we deal with things at work. Should we speak up about issues or not. Do we support unethical companies or not. Do we report misbehavior or not. Do we build this shady feature or dark pattern or not. All these big and small day to day decisions. In this session, we had a really insightful conversation and valuable exchange on tangible things we can do. The ones that stuck with me most? Join a union. Don't go alone - conspire. Learn from the book "Blueprint for Revolution". And the one I keep thinking about: start practicing anarchist calisthenics.
- "Your IDE / test suite / security scanner / design system / language server will steal your SSH key, unless ..." by Raimo Radczewski. When a security topic is proposed, I just have to attend! We all started with sharing stories about latest supply chain attacks - well, there were plenty of those happening the last years. Then we gathered ideas on what we can do to for better protection. Lots of good advice and tooling was collected. Like Little Snitch to monitor network calls on MacOS, that I already had on my list as it's been heavily recommended in the security community. As usual, there was also stuff I wasn't aware of yet that I'll definitely look into further, like nono.sh to sandbox any terminal agent, or Deno, where code executing in this Node-compatible JavaScript runtime has no access to read or write arbitrary files on the file system by default (among many more security features).
- "Capture the flag together (beginner's edition)" by me. What can I say: I just love proposing this session at various open space conferences. So once more, I tried this out - a bunch of people joined and were captivated with capturing that flag. This highly collaborative and highly educational session just keeps giving and comes with pleasant surprises! I thoroughly enjoy doing these. It seems people did appreciate it as well: folks were staying longer, wanting more, and giving plenty of positive feedback afterwards. The one that made me the happiest is their emphasis on how accessible security and penetration testing became to them thanks to these sessions. What more could I want?
- "How do we defend democracy and fight fascism" by Sarah Peper. I really wanted to continue this theme and engage more with this super crucial topic. Yet as my session before overran, I came to this one rather late. I was pretty tired at that moment in time so I can't really remember much from the conversation. At some point I had to walk out and cater to my needs. But that's also the beauty of open spaces - you're explicitly free, welcome and even encouraged to leave a session when you're neither contributing nor learning or just need something different at that moment in time.
- "How the way we talk can change the way we work" by Ellen Potter. Ellen hosted an interesting session based on the book "How The Way We Talk Can Change the Way We Work" and the exercises in it. She also posted about it including a description if you want to give it a go yourself. We all started taking note of complaints we have. Then we reflected on what's important to us, basically what makes us complain in the first place. We thought about our own role in this to keep this being a problem, as well as competing commitments that contribute to us being stuck. Finally, we took a deep introspection into which assumptions we base this all on and what experiments we can run to find out what's actually the case. This was such a thought-provoking session! Lots to unravel and try out.
The day was closed, the evening marketplace was opened. I couldn't resist and, after a lovely relaxed dinner, I offered the follow-up to my previous session: "Capture the flag together (adventurer's edition)". Once again, lots of people joined in! And as it usually happens... the evening got longer and longer. We had fun feeling all the rollercoaster emotions of going through frustration and hope and trying ideas and failing and sometimes succeeding by finding a new insight and circling back and wondering what we missed and... You get the picture. In the end, we spent four wonderful hours and managed to capture the flag together.
Open Space Day 2
The longer the conference, the more tired I grow. Which is nothing new. The good thing about open space conferences is that I don't have to feel bad about not going to sessions. Okay, I usually do feel bad at first. Then I realize it's the perfect thing to do right now to not stress myself, follow my needs, and recharge batteries so I can fully enjoy the rest of the day. So I chose a very slow morning without sessions. There were also quite a few personal tasks to do, given this was a period when a lot was going on in my life on top of many travels in a row. So I took the liberty to just miss sessions, although there were really good ones on offer. Instead, I could lift a burden from my shoulders and that was a true relief. In hindsight, giving myself grace that morning was absolutely the best thing I could have done.
Then came lunch time and afterwards I wanted to join sessions again. But things happened differently. A new session was born over lunch, as it happens. So I stayed at my table and our group continued talking about all the things: personal differences, neurodiversity, weird and even surreal situations, academics, health conditions, and so much more. It was just lovely.
Way sooner than not it was time for the session I pitched myself that day, so I better had to be there! I had called it "Interactions with security folks - gone well and gone badly" and it aimed for an experience exchange. Once again, lots of folks turned up! I started with preparing a flip chart. I set the room so more people than just dominant voices would share. Then I asked for people's experiences and insights - and lots of stories were brought to the table. At some point I asked more specific questions that elicited further insights. The outcome? The "Nay" side of my flip chart filled up rather quickly - something I observe and hear way too often, all the bad experiences people make with security folks. The "Yay" side lagged behind for a long time. Good news: in the end, it was showing a lot more points. There's hope! This session provided lots of food for thought. Not only for my contribution at work, but also for what I want to share in my next talk that I'll soon start to craft.
For the last session slot during the day I picked the "TDD Game" by Ted M. Young. He brought the board game he designed and I was eager to give it a try. Even though we were on a tough time constraint, this game was truly a great experience! The game play and different tactics triggered insightful conversations and at the same time validated what our group knew already based on their own experiences. It would have been really interesting to do this together with people who are not aware of TDD, value stream mapping and flow, collaboration techniques, and all the good practices. Also, the game was super accessible, I felt very safe with my own knowledge and skills - and yet it forced decision making and practicing it. Another interesting thing was that Ted included the concept of exchanging a card as "thinking time", and also that you always have to hold back two (yes, two!) playing cards, otherwise you run out of energy. Really neat. If you have a chance to try this game out yourself, I can only recommend you to give it a go.
A lovely dinner followed, and, how else could it be, I offered once again an evening capture the flag session. I really enjoy them way too much not to. This time, something really cool happened. First, Michel Grootjans went all in and started a whole setup for himself and we could already use it for our session. Second, the group decided to experiment with different ways to collaborate and become more effective together in capturing the flag. Third, it didn't end that night at SoCraTesUK (spending up to six hours and absolutely capturing flags)! The next day at breakfast (that I obviously skipped), people kept talking about these sessions and expressed their eagerness to continue beyond the conference as a SoCraTesUK CTF round. Ellen Potter kindly offered to drive this, and can you imagine, the first session already took place and the second is scheduled! I'm a bit sad I couldn't join any of these (yet), and I'm overjoyed this just happens without me. Just beautiful.
Departure
It was time to leave. My heart was full, the newly found connections were strong. I absolutely appreciate the organizers to craft this space so intentionally. It seemed to be a smaller event this year compared to the previous ones, yet it did not matter at all. I absolutely recommend checking this one out. I'm certain I'm not the only one who got a lot out of it this year.
As a bonus, I opted for a longer stay at the airport so I could meet my dear community friend Tabitha Ncooro for the first time in person. We got to know each other a few years ago during the time I seeked connections into the security community and found her trying the same. Ever since we check in with each other regularly and I've found her to be one of the kindest and wisest people I've ever met in life. It was a true pleasure to meet her in person just after such a wonderful event.
I'm back home. It's been a few weeks since SoCraTes UK. And yet: I still think about this event, how people made me feel, and all the inspiration taken with me from it. This conference brought instant connection and keeps resonating.