Note: This report is one year out of date. I attended ShmooCon in Washington, DC, last year, wrote up my thoughts, decided to wait until the videos were available before posting my thoughts, and then plum forgot about it. I see that this year’s convention was this weekend, so now seems like a good opportunity to finally make good on posting…
In general I was underwhelmed. This trip was my second time there, and ShmooCon seems to be more thought experiment (“here’s some things I thought of, and some first steps in that direction”) than hey-look-at-this-cool-result-you-can-learn-from. But most attendees seemed to enjoy the content — and for me, talking one-on-one to folks was the highlight of the con (as usual) — and it was as hard as ever to score tickets — so ShmooCon is clearly not waning in popularity.
There were some cool takeaways for me, including:
- A talk by someone who set up ~$400/mo worth of cloud instances (~80 nodes across ~8 hosting providers, one in each zone they provide) to collect metrics on things-that-scan-the-entire-IPv4-address-space (#noisynet). It was nice to see some quantitative numbers on what the minimum cost for entry is for RYOing your own round-the-world distributed collection of servers; $400 sounded surprisingly affordable. He also pointed out that the upstream bandwidth cost of sending a SYN packet to every IPv4 address is around 280 GB, which also sounds surprisingly affordable.
- A talk by a lawyer (#blinkblink) on how in the US there is a different legal standard (so far) for requiring you to unlock your phone with a passcode (something you know) vs requiring you to unlock with your thumbprint or face (something you are). In particular, if you use these technologies, you should probably also learn how to shut them off in a hurry (such as by triggering iOS Emergency Mode by pressing the lock button 5 times rapidly).
- A talk on robot attack and defense (#robotsattack) that was much more subtle than the kinds of attacks you’d expect. For example psychological attacks (the speaker retested the infamous Milgram experiment and found that people are pretty susceptible to being railroaded by a robot) and social engineering (she found that robots-that-pretend-to-deliver-boxes-of-cookies were much more likely to be allowed unescorted into locked spaces).
- I didn’t see the talk, but I heard people discussing EFF’s talk about their investigation into a malware espionage campaign (#duckduckapt). Their whitepaper (info at https://www.eff.org/press/releases/eff-and-lookout-uncover-new-malware-espionage-campaign-infecting-thousands-around) has interesting details such as how they pinpointed a physical building that appears to be responsible for the malware’s command-and-control (C2) infrastructure by identifying the C2 test nodes, probing which SSIDs were visible from those nodes, and cross-referencing those SSIDs on a Wi-Fi geolocation service.
One regret is that I missed the plenary session in which the future of cryptocurrency was debated. In one cryptocurrency conversation I had over the weekend, my observation that serious companies are putting serious money into serious blockchain R&D was countered by someone else’s observation that there may not be enough power in the world to run all the blockchain infrastructure if it continues to grow uncontained. I can’t yet predict what blockchain has in store for us but I do wish that I received 0.01 BTC each time someone voices a strong opinion about blockchain.
Finally, if you only watch one talk from ShmooCon (when they’re up on the tubes, in ~3 weeks?), I recommend:
- A somewhat extemporaneous talk by a seemingly-well-known exploiter/0day developer (#forging). Listening to the speaker talk casually about how everything-you-thought-was-pure-and-good-in-the-world-actually-isn’t was jaw-dropping, even for someone who was a computer security researcher in a previous life. Example: He discovered a way to turn a laptop camera on and off so quickly that the LED charging circuit that would have turned on the light never turned on, and he passed along an anecdote of how widely an organization opens its wallet once he uses that trick to provide a screenshot of their target from the target’s computer.