Archive for February, 2009

CapSec DC and Refresh DC this Wednesday

Monday, February 23rd, 2009

Two events going on this Wednesday — you’ll have to choose, unfortunately.

CapSec DC is back at Stetson’s in the UPSTAIRS bar (where I’ll be), and Refresh DC will be in Georgetown.

CapSec DC
Wednesday February 25th, 7:00 PM

Stetson’s
1610 U St NW
Washington DC 20009

and

Refresh DC
Wednesday February 25th, 7:00 PM

The Center for Digital Imaging Arts at Boston University
1055 Thomas Jefferson Street NW
Washington, District of Columbia 20007

I’ll see those of you who make it out to CapSec!

Those of you who go to refresh, please find out wtf is up with that Tropicana branding. It makes me want a different brand of juice like nothing else ever has.

CapSec DC for February

Thursday, February 19th, 2009

A reminder that CapSec DC is going to be next Wednesday the 25th (as it almost always is, on the last Wednesday of the month).

Location will be announced soon; we’re still doing some research on locations (we hope to be back at Stetson’s, but with some guaranteed space).

Unfortunately, Refresh DC is going to be conflicting this month, but they just announced their meeting today, so it’s a tad too late for us to try and do any rescheduling.

ShmooCon Pregame

Thursday, February 5th, 2009

(Wait, isn’t tonight’s OWASP meeting the pregame? ;-)

So, in about eighteen hours, I’ll (hopefully) be picking up my badge and getting started on this year’s version of ShmooCon.

ShmooCon is definitely a con where the best parts happen “off the record,” in the hallways, bars, and restaurants, or at events like Hack or Halo, Hacker Arcade, the Locksmith Village, the parties, the list goes on and on. Last year suffered from extremely hit or miss talks, to the point where the end of the con seemed based around people asking why some talks were allowed in. However, I’m cautiously optimistic this year looking over the presenter list, and pretty excited about some of the presentations this year.

Shmoo’s opening day is traditionally slow, with a lot of people not even really getting to Shmoo until that evening, and then really only to socialize. Only one track runs Friday night, with a scattering of talks that could be big among others that look to be more on the fun/informative side, covering physical and hardware hacking. Of interest to me is “The Day the Spam Stopped,” discussing a botnet takedown that removed a large chunk of spam from the internet. Most spam victories seem to still be all too Pyrrhic, but there have been several instances in the past year where removal of a small chunk of the internet has resulted in a drastic reduction of spam . . . for the next 24-48 hours. However, it shows that large quantities of spam can be tracked to their origin and action taken, perhaps laying the groundwork for a more proactive approach to at least making things more difficult for the bad guys.

“Automated Mapping of Large Binary Objects” looks to be the one preso that could be truly groundbreaking Friday evening — the group is presenting an open source tool that will allow analysts to quickly jump to important information segments in binary files, which previously have been a royal pain to analyze in their entirety.

“Watching the Watcher,” a talk about third party web tracking, should prove informative to those not that familiar with the topic. I’m curious to see their take on it, and willing to go in with an open mind that I might not possibly know everything that they are going to talk about, but I doubt it will be all that new to those familiar with the process.

The rest of the afternoon/evening looks like good clean hacker fun — open source tools to help build your own UAV drone, the art behind recent Shmooball launchers, and hacking Kwikset Smartkey locks.

Friday night, HacDC is throwing the “official?” Shmoo Friday night party (the question mark is there because, although I have no doubt it’s blessed, there is no mention of it in the Official Shmoo Schedule). For those of you not familiar, HacDC is housed in a church just off 16th Street in Columbia Heights. It’s a bus or a cab ride from the hotel if you are headed that way. Check them out if you don’t have other Friday night plans.

I won’t try to pick the “best talks,” but I’ll outline what I’m interested in for what that’s worth. As is usually the case at Shmoo, the most interesting talks look to be in the “Break It!” track, and this year is no exception. I often lament this syndrome, but Shmoo is pretty eclectic, and it’s always easy to make breaking things look sexy. I predict I won’t make a talk at 10 AM. It’s a toss-up at 11 AM as to whether I should check out the obvious web app sec bit of “Fail 2.0, Further Musings on Attacking Social Networks,” which will probably be more of a recap of the many ways complex web apps are complex web apps on the public intarwebs, and (surprise!) you can find holes in that and take advantage of it, versus seeing Charlie Miller put another notch in his cap pwning Android. “Hack the Genome” at noon looks worth going to just because it is such a wack topic (possible overlap between principles applied in cryptography and extrapolating information from genomes), but I might bail on that a little early, because A., the lunch rush during Shmoo is always hell, and B., I really want to be back in time for the “Blinded by Flash” talk at 2 PM.

The intarwebs tells me that this talk has been well received at other cons recently, and I’m looking forward to seeing it – I know that the truly l33t are moving on to hacking Zunes via TCP over bongos, but “plain old” web app sec issues are still probably the biggest problem out there, and Flash is what is propelling a large chunk of the next iteration of the web. So, while I’ve grown a little bored of “same old web app” issue talks (though I think they are still VERY valid), ones with Flash excite me, because it’s something that a lot of people still are just getting a handle on. This is one of the few timeslots where I wish I could clone myself, because Jay Beale’s talk looks to be very interesting (practical application of MITM with a software tool, which makes MITM much more interesting than just talking about it in theory), and there is also a talk on US search and seizure law and privacy issues as they pertain to computer geeks.

At 1500, I figure I’ll check out the “Spread Your Spectrum” talk to see if there’s anything revolutionary in there. The “Off the Shelf Security” talk has potential (discussing creating a COTS product based system for automated crime response, stitching the pieces together with Open Source software), and the Anti-SAMY talk is a must see – it’s an actual “defense” talk that should be sexy in its own right, and worth seeing (despite my OWASP bias). Conversely, if you want to stick to offense, I’m sure the latest on Fast Track and Back Track will probably be worth the cost of admission. Then dinner and “the party,” and maybe when/if it loses my interest I’ll head to Spellbound DC.

Sunday, Chris Paget’s talk about cloning RFID badges and passports is likely to be the talk of the con. It’s the one with the most direct impact on the world around us (especially in DC), and is painfully simple and practical. It’s also getting the most media attention. If there’s going to be one talk that’s going to get “Black-hatted,” this is going to be it — which would be a shame, as Chris has had this problem before. At Black Hat DC in 2007, I ended up chatting with him and several other folks at IOActive about the state and prevalence of RFID in Washington DC, just after his talk was modified due to threat of legal action from an ID manufacturer. The “Disclosure for Web Infections” talk could potentially be interesting, but who are we kidding, most likely I’ll be at 0wn the Con if I’m not wandering in a hallway or being hung over. Sunday is like that at ShmooCon. The closing group discussion looks to be good fun this year (aren’t they always), and the closing melee is one of the heights of Shmoo.

See you at the con!

OWASP DC February Meeting

Wednesday, February 4th, 2009

The next OWASP DC Meeting is tomorrow!

OWASP DC
Thursday February 5th 6:30 PM

Duques Hall Rm 553
George Washington University
2201 G St. NW
Washington DC 20037

This month’s pre-Shmoo meeting will have two speakers, so you get two excellent presentations for the price of one OWASP meeting!

The meeting is at GWU near Foggy Bottom Metro. Using public transportation is advisable. Hope to see you there!

Meeting Agenda:

6:30 – 6:45 Introductions and OWASP Business – Mark Bristow
6:45 – 7:45 WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity – Ryan Barnett
7:45 – 8:00 Break
8:00 – 9:00 Software Assurance Maturity Model (SAMM) – Pravir Chandra

Parking and Transportation

The Marvin Center Garage operates from 7am – midnight Monday through Friday and is closed on weekends. Make sure you have your car out by 11:45pm. A visitor’s parking garage is located between 23rd and 22nd Streets and H and Eye Streets. The visitor entrance is on Eye Street.

Parking on campus is at a premium and visitors are encouraged to use public transportation when visiting the campus. The nearest Metro stop, Foggy Bottom/GWU on the Orange/Blue lines, is a short three-block walk from the Marvin Center.