Tuesday, February 09, 2010

ShmooCon 2010 – Show Notes

First things first: ShmooCon was one of the most awesome conferences I attended in quite some time.

If you’d like to see what REALLY was going on as Washington, DC was plunging into a “snow-pocalypse”, go check out #ShmooCon Twitter coverage. Then read other show accounts, such as this one from PaulDotCom.

My notes follow below:

First, Bruce’s “intro” was kinda interesting. For example, he made a couple of TSA jokes (the video was hilarious) and noted that “if you think this is funny, then you’d see that network security is actually worse.” What was interesting to me was that he also noted that many organizations prefer to “buy new boxes” rather than do something useful, like log “accepts” and “allows” and analyze them.

Then I went to “Social Zombies II: Your Friends Need More Brains.” This was one of those “shit is bad” presentations. Maybe it’s just me, but somehow the idea that some people disclose too much info (Blippy anyone? Anyone sane? Heloooo…) fails to scare me. No shock value really. It can be summarized as “info is out there. done.” Then again, I have to admit that their “KanyeWestify” tool was pretty cool and I downloaded the Maltego tool already, so it was pretty useful (Twitter+Facebook+text mining tools = hilarity! :-)). More coverage of it is here and the deck is here.

Now, the “GSM: SRSLY?” talk was massive fun. For one, I had no idea that a [relatively simple] piece of hardware can both capture all local cell phone connections (by easily masquerading as AT&T or T-Mobile) AND force them into A5/0 mode, which means “no encryption – and you don’t know about it.” So, as I said, I didn't know much about the area, but this talk was very enlightening, useful and overall awesome.

Ah, the “Build your own Predator UAV @ 99.95% Discount” talk was fun as well. Think what you can do with an autonomic, mostly quiet robot plane that can fly around (10-12 mile range) and do some wireless hacking and video (via video goggles, of course). No missiles though. What can possibly be more awesome than that? Check out the partial video of it here and many of the UAV building tips are here.

The next presentation was my only disappointment, the “Cyborg Information Security: Defense Against the Dark Arts” talk. Think of this as Dan Kaminsky, but with no issue described in detail and no Dan Kaminsky :-) Yes, some implantable medical devices are a) wireless and b) unencrypted. This is sad. So what? But “This shit is bad! FAIL! Epic fail” summarizes the talk well. Not useful, not really amazing - and, honestly, not really shocking either. And as my opinion of the talk was going down – they misspelled HIPAA. At which point I realized: these guys built the talk based on some googling and no real research at all. FAIL! Epic fail! :-) In some post-show conversation, I actually tried to defend the talk as “raising awareness”, but was beaten up by other folks, most of whom labeled it as content-free and aimed only at some posturing.

“The Splendiferous Story of Archive Team and the Rapidly Disappearing Digital Heritage” rant was purely that – a rant. But it was 5PM, people were tired and needed a drink – and a rant :-) So it was a perfect fit for the occasion. Apart from reminding everybody about backup (and if there is one thing that everybody always needs a reminder of – that’s backup! I am backing up my laptop as I am typing this :-)), Jason basically talked about how some web content just dies – think GeoCities. More details are here.

Even though I am not a web hacker, “Exposed | More: Attacking the Extended Web” aka “owning the APIs” talk was actually very interesting – and useful. I wish he’d speak more about methods to discover undocumented APIs though.

Next – OMFG! – was our “PCI panel” – but let me first finish with others’ talks and I will write a whole post on that tomorrow.

Also, I went to “Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications” by the zScaler guy and learned about csSQLi and other interesting offline apps stuff. HTML5 will make security fun again – eh.. that is if it is not fun enough for you now :-) That talk – IMHO – was how “a new security issue”-type talk needs to be presented: with details and ideas for solutions. There is enough fun and epic FAIL in our realm, but the talk was not just whining about it, but actually taking it apart and showing areas of concern.

Finally, as with any great conference, “hallway conversations” are golden. This time I broke the record and probably deserve the Guinness record book inclusion: on the last day of the show I was involved in – srsly! – a 9 hour (!!!) such conversation. It will probably result in a dozen blog posts, a few papers, a few consulting projects and some other interesting implications…

Usage count of the word “fun”: 8

Dr Anton Chuvakin