ShmooCon 1.0 a Big Success – a review for Syngress

by rthieme on February 11, 2005

ShmooCon 1.0 a Big Success


Richard Thieme ([email protected]), author of Richard Thieme’s Islands in the Clickstream

The first ShmooCon worked.

Sponsored by the Shmoo Group, known to hackers and security professionals from presentations at Def Con, Toor Con, and other security forums,  ShmooCon was held at the Wardman Park Marriott Hotel in Washington DC February 4-6.

“The con scene is shifting to smaller regional cons,” was frequently said but it became clear that ShmooCon is complementary, not competitive, with larger established franchise cons like Def Con and the Black Hat Briefings and Trainings.

ShmooCon successfully straddled the multiple worlds of the-security-industry-in-transition and all lived together happily at the spacious hotel. Attendees did not put cement in toilets, hijack security frequencies to give false orders, or plant fake bombs under cars. Bruce Potter, who with his wife Heidi led the planning, set the tone with opening remarks that established clear guidelines. Don Bailey (aka Beetle) is also one of the original planners.

Bruce Potter, Don Bailey (aka Beetle), and Heidi Potter

A Senior Associate with Booz Allen Hamilton and founder of the Shmoo Group, Potter made clear that the con was meant to be fun – he identified entertainment venues from the Saturday night DJ party to hacking and halo contests in the hotel ballroom – but also made clear that professional standards were expected to be met.

The Party at FUR Nightclub.

That mindset was amplified by a well-received keynote address from Riley “Caezar” Eller.

Riley (Caezar) Eller’s Keynote.

Widely respected in security and hacking circles for his technical achievements and creativity (Caezar and his cohorts, the Ghetto Hackers, made the Capture the Flag contest at Def Con an elite technical challenge) called for hackers to forego the kinds of narrow niche-dwelling exploits that give props to their buddies in a piece of code that most folks just don’t need. Instead, he called on hackers to use their skills to deliver applications to a population hungry for the fruits of their real expertise.

“People want Bonzi Buddy. Yes, I know,” he said, sharing the crowd’s obvious disgust at the dumb memory-hogging animated talking parrot, “But we have to pay attention to what people want and need.”

Lest that emphasis on the marketplace imply that creative larceny has been expunged from the hacker heart, it should be noted that the most popular presentations indicate a precarious yin-yang balance in the security world. Mark Loveless (Simple Nomad) continued his con-by-con illumination of the necessity for a stealthy online life, outlining the need for piracy and anonymity on the web while explaining what it really takes to achieve it. Nomad spoke from experience directly to the heart of a community that knows who is out there and what they do.

The beating of a hacker heart that’s alive and well was also indicated by the crowd overflowing into the hallways from Deviant Ollams “Lockpicking 101” BOF. Crossing boundaries with passion and stealth still infuses the obsessive hacker spirit.

At the same time, Johnny Long’s Google Hacking (his book of the same name is a powerful treatise on how to hack information) was packed.

j0hnny Long’s Google Hacking Presentation.

Long articulates creative ways to use the popular search engine for sophisticated research and information hacking, showing how the real power of pursuit comes from knowing who’s doing what and with who. Long’s painstaking work discloses techniques for solid online research and intelligence gathering and also moves traditional hacking of machines and systems up a notch to the level at which information has real significance. Long’s presentation  amplified Caezar’s call to a higher purpose with a practical demonstration of one way to do it.

There were plenty of other good technical talks – panels including the likes of Novell’s security director, Ed Reed; the sly sophisticated mechanics of DNS hacking by Dan Kaminsky; and the wisdom of Crispin Cowan, founder and CTO of Immunix, who did justice to complex problems of application security. But perhaps the mellow vibe of the con was best seen in the size of the crowd staying to hear Bruce Potter’s final remarks.  Leaving early is typical of cons like this, but most folks didn’t want to leave. That was due to a first-time con going off with nary a serious glitch, the value of most presentations (hey, nobody bats a thousand) and the supportive context of a well-timed winter reunion. The location of the hotel, just off Connecticut across the Taft Bridge from Dupont Circle, meant lots of restaurants a few minutes away and easy access to the pleasures of a sunny mild weekend in DC. And for those who love social engineering, the National Defense Industrial Association, loaded with beltway bandits and Colonels doing business, was also on site for a while, offering tempting tasty targets.

Dan Kaminsky’s Black Ops of DNS” Presentation

The Potters began planning ShmooCon 2.0 as soon as the con ended. They built the first one from scratch and, to their surprise, had to stop registrations when they reached 440. As Jeff Moss noted, the time was right, the location was right, the setting was right, and a “small regional con” quickly became a bigger one. The Shmooikins brought an obvious  love of the game and high professional standards to the scene and next year looks to be even better.

Richard Thieme is a speaker and writer focused on creative and effective responses to technology-driven change. A collection of his work, “Richard Thieme’s Islands in the Clickstream,” was published by Syngress in 2004.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: