Shmoocon! The Shmoo Group's 2022 Infosec/hacking conference in Washington D.C.

Wait…what? Shmoo….what?


What the heck is Shmoocon? Shmoocon is an information security conference hosted by the Shmoo Group, a group of infosec experts who are masters of their craft with quite the sense of humor to boot. The founders of the annual event are Bruce and Heidi Potter, who have been throwing the conference since 2005. Since then, the attendee cap has nearly quadrupled to the roughly two thousand we see in the current 2022 iteration of this fantastic event. Shmoocon is made possible through both its volunteer base and its sponsors. And as endearingly goofy and off-the-cuff as the founders/hosts of the event are, you might not expect some of the big names that appear in the sponsor list, such as Lockheed Martin, Oracle Cloud, and Accenture. It is inspiring that very large corporations such as these recognize the value in Shmoocon. Shmoocon is not some stuffy corporate event made up of clean-pressed suits and ties, but rather an absolutely casual, goofy geekfest of infosec collaboration. Researchers, developers, vendors, pentesters, sysadmins and more all come together under one roof to learn, share their knowledge, compete against one another in challenges, and just straight up have a good time.


This year, Shmoocon was thrown in Washington D.C. at the Hilton Garden Inn hotel. Ever the exclusive event, Shmoocon's tickets go on sale online in 2 separate rounds at a widely publicized time and are literally sold out within seconds of going live. They do this to keep their conference more intimate and less chaotic than cons such as the better-known Defcon in Las Vegas. Defcon has been called "The EDC of hacker conferences", which is not necessarily always meant as a term of endearment. Because of the very nature of Shmoocon, photography is almost entirely prohibited. The anonymity of many of its attendees is taken very seriously. Photographs of individuals can seriously compromise those ingrained deep in the world of cybersecurity or pentesting, and that is something that needs to be respected by all spectators.

The crowd at Shmoocon varied wildly across the IT/security spectrum. I met a variety of pentesters, including some who focused more on network intrusion, with others who focused solely on web apps. There were also security-obsessed (hey, that's a good thing!) sysadmins, security software vendors/developers, wireless hacking gurus, as well as those in the upper executive tier of organizations, such as infosec directors and Chief Information Security Officers. Students were certainly not underrepresented at Shmoo. I met students from elite online infosec schools such as SANS. Rochester Institute of Technology, renowned for its top-tier infosec department, was present as well.

Shmoocon featured rows of vendors. The Electronic Frontier Foundation, a digital privacy and free speech rights organization, was there. Other vendors included security software platforms, consultant groups, and vulnerability research groups. Active Directory hardening consultants Trimarc were happy to discuss their product, and their YouTube channel also boasts some incredibly useful videos for any sysadmins out there looking to take things up a notch when it comes to locking down AD. Other security providers such as Synack were also among the vendors, explaining the services they offer and what sets them apart from typical bug bounty research/reward groups and security-as-a-service providers. Polarity, a developer of software catered toward data analysts, was ever eager to discuss its software's pioneering features for compiling data from many different running services/apps such as ServiceNow, Wireshark, Salesforce, and so on. Also featured was Hack for Charity, a group that works tirelessly to educate and house displaced persons from countries in turmoil. Black Hills Infosec was in attendance as well, famous for their consulting and SOC services as well as online instructor-led VM courses. BHIS is a personal favorite of mine. Owner John Strand teaches pay-what-you-can courses that cover SOC basics, Intro to Security, as well as Cyber Deception (think honeypots and other ways of making offensive hackers cry).

As keynote speakers presented throughout Thursday to Saturday, anywhere from dozens to hundreds of attendees filtered in to listen and take notes on talks that ranged from discussions of the dangers of commercial VPN services, to cryptography, to the Go language, to wardriving (a wireless hacking technique), to name just a few.

Beyond just the cornucopia of engaging keynote speeches, there were several other eye-opening sub-conference rooms. One of those was an intro to lockpicking. Each table in this room had a friendly lockpicking coach there to help guide beginners in this ever-so-delicate practice. The tables included different levels of key locks (think the lock mechanism gutted from a padlock). They were numbered from #1 to #4 depending on difficulty level (the number of pins the inner lock was comprised of). This was my first time attempting to lockpick, and within the span of about 2 hours I managed to eventually pick 3 levels of locks using a very basic lockpick set.


Another fascinating portion of the conference is the Team Fortress 2 "Hack Fortress" event. It's actually a little difficult to explain this, especially without pictures, but I will do my best. There are two teams, each sitting at their respective tables in the stage area up front, with spectators watching both teams from the bleachers. Each of the two teams is comprised of 6 players (playing the Team Fortress 2 first-person shooter) and 4 hackers behind them. The hackers are on their team and are engaging in capture-the-flag-type challenges on their computers. So what's the point of that? Well, each time one of these hackers completes a challenge, it actually affects the live gameplay, doing things such as freezing the gameplay for the other team. So essentially, the hackers on both teams are completing challenges to supplement their respective players' gameplay status. Basically, a unique handicap is leveraged against the other team with each point the hackers of that particular team obtain. So a team needs to have skillful players and hackers working in unison to win. Although it was nearly impossible to see exactly what was on the hackers' screens (set up this way by design), the FPS action and points mirrored on the large displays were fun to watch. A very unique experience indeed.

This was my very first foray into the infosec conference realm, and I have to say I found it refreshing, welcoming, and inspiring. Shmoocon prides itself on both showing you how far the rabbit hole goes and reminding you not to take yourself too seriously and to have fun along the way. We could all take a page from the Shmoocon playbook.
