Shmoocon remix

Last Friday my alarm woke me up a 3:30 a.m. I rolled out of bed, got dressed and hit the road for destination Shmoocon 2009. This is the first hacker con I've been too since a former employer sent me to Black Hat back in 2006.

Shmoocon exceeded my expectations. Here's a roundup of my experience at the con, no this list of talks attended is not in chronological order, it's been recompiled from my notes, the program and a post-con report I put together for my employer.

I attended a talk by Arshan Dabirsiaghi and Jason Li about AntiSammy. It's an OWASP project that offers an API for validating "rich" user input for sites that allow users to input HTML and CSS, but don't want to be vulnerable to XSS.

They briefly mentioned a tool that they were also releasing called Scrubbr. DBAs can point Scrubbr at MS SQL or MySQL databases and it will find fields that contain persistent XSS.

Julia Wolfe of Fire Eye spoke about the company's work to bring down the Srizbi botnet. It was obvious from her slides that they had done some really great analysis of the malware and inner workings of the botnet, very cool stuff.

Shane Lawson gave a hilarious presentation about defeating Kwikset's SmartKey. This one made me want a lock pick set to call my own.

I also introduced myself to Paul Asadoorian and Larry Pesce of PaulDotCom fame. Larry and David Lauer of the Security Justice Podcast showed off their ShmooBall Launchers.

After the days talks were over, I headed over to hear the Podcasters Meetup. It was a great time and lots of prizes were given out. I introduced myself to Mubix, he did a great job arranging the meetup and the after hours talks. I hope this can become a regular part of Shmoocon.

Following the fire talks, HacDC hosted a great after hours party that was around two miles from the hotel. I'm a regular walker. I try to get out for at least a three mile walk every day so I knew walking to the party would be a snap, navigating the whacked out streets of DC was a bit of an adventure. I live in a part of the country where the streets are on a nice east/west, north/south grid.

The party was in an old church and featured an open bar in exchange for donations at the door. Of course the highlight for me was meeting CrucialCarl, gattaca, rybolov and myrcurial at the bash. Rybolov brought his didgeridoo and flabongo to the party.

Walking home from the party was far more adventurous than walking to the party. I tried to walk back without the aid of my iPhone. Of course I missed a turn and ended up going a few blocks too far to the south, but I quickly got back on course and found the hotel without incident. To walk a city is to know a city.

On Saturday I sat through another great list of talks. Enno Rey and Daniel Mende of ERNW gave a pair of great talks. The first was on novel ways to build botnets. One technique involved finding and taking advantage of all the ignorant fools who have snmp devices unprotected on the internet with private strings exposed.

Their second talk of the day was on attacking internet backbone protocols. It's amazing how the same kinds of security issues that plague software development also affect core internet protocols and they are all based on misplaced assumptions about trust.

Shawn Moyer and Nathan Hamiel gave a hilarious talk about problems they've found in social networking sites. These two obviously love what they do, are good at their work and could likely make a second career in stand-up.

There was a lot of hallway talk and online bitching about Jay Beale's and his vaproware, Middler (yes it's out now so stop complaining). His talk was good and it was awesome to see this tool has finally been released, even if it is a bit rough around the edges. I have downloaded the code and have been working through it.

Prior to Jay's talk, I finally met hevnsnt and surbo from i-hacked. We had a nice lunch at the Indian restaurant a block from the hotel. Great couple of guys and I hope I can get more involved in all the stuff they are doing in the Kansas City area. If you haven't purchased a raffle ticket to help them cover the rent for their hacker space and possibly win yourself a MacBook, well, what are you waiting for. Go do it now!

I attended a few other talks, but am too exhausted now to keep going. I met a bunch of interesting and wicked smart folks that I've only known virtually and saw some old friends including Ed Skoudis and Kevin Johnson of InGuardians. I introduced myself to Johnny Long early on Sunday morning when he was setting up. He's everything everyone has ever told me he is, approachable, friendly and seems genuinely interested in what others have to say. I hope to get more involved with Hackers for Charity.

I paid my own way to Shmoocon and used vacation to cover my time off. I took good notes and when I returned to work, I wrote up a little two page report for my boss of all the things I learned or thought might help out our office. As a result, she rejected my time sheet and told me to replace my vacation days with non-project training. It would have been nice to get reimbursed for my travel and lodging, but I wanted to go to Shmoocon for myself and I'm glad I did and I'm looking forward to next year.