ShmooCon: Bad Guys Gone Good?

By Taylor Banks

This year marks my third consecutive attendance of ShmooCon since its inception in 2005, and I'm pleased to report that the conference was once again outstanding. I generally attend no less than 3 security conferences each year (though there are ~5 on my wishlist), and Shmoo has steadfastly claimed one of those spots, alongside Black Hat / Defcon and RSA.

I've been going to technology and security conferences since about 1990, and while I truly miss the biannual Comdex in Atlanta, ShmooCon has quickly become one of my favorites to attend. In fairness, I should probably refer to ShmooCon as a “con” and not a “conference” for despite the former's roots in the latter, the two are indeed quite unique.

In point of fact, ShmooCon is a “hacker con” as much as it is a “security conference,” owing to its founders' recognition by the community as a “hacker group.” While the Shmoo Group describe themselves as

“a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development,”

their work on notable security projects like AirSnort and freely available rainbow tables has demonstrated their knack for developing tools that appeal to the “Ambiguously Off-White Hat” segment of the professional information security community otherwise known as “hackers.” Our work at kaos.theory is done in the same spirit, although we haven't been around long enough to warrant holding our own conferences. 🙂 Until we do (and most certainly thereafter), we'll keep on attending and enjoying the con-fruits of Shmoo's labor.

So, after three years of attending ShmooCon, what is it that makes it so good? I think I can boil it down to several key factors:

  1. Minimal moose
  2. Minimal bullshit
  3. Excellent con organization
  4. Smart and social attendees
  5. Smart and engaging presenters
  6. Good variety of topics
  7. Focus on security

Let me further elaborate.

1. Minimal moose

For at least two of the past three years, ShmooCon has advertised “Less moose than ever!” As such, there is very, very little moose at ShmooCon.

2. Minimal bullshit

Don't get me wrong, bullshit can keep cons “interesting,” as anyone who's ever attended Defcon, Hope, or Interz0ne knows. In fact, I depend on a certain amount of bullshit in order to keep things lively every year at Defcon. I've been attending Defcon since 1999 and I plan to continue as long as the con is around. That said, it's a welcome (if temporary) paradox to have a “hacker con” with no bullshit. Things run smoothly, people get along, the hotel loves us, and very few people get arrested or find unusual objects in miscellaneous bodily orifices after waking up hung-over, half-naked and shaved everywhere by the swimming pool.

3. Excellent con organization

Not sure how she pulls it off, but according to Bruce, conference organization is all Heidi. I know Beetle was responsible for kicking things off back in 2005, and as such, I have to give him due props. Nonetheless, Heidi seems to get and keep things running without hiccups from start to finish. Commendable.

4. Smart and social attendees

In my opinion, the crowd makes the con. I mean, content is key (see #5 below), but without a good audience, talks lack meaningful interaction and outside discussion and never reach their full potential. Having been in the security training business for several years, I can tell you without hesitation that students do more to make a class meaningful and informative than does courseware. To that end, the crowd at ShmooCon is excellent. Of course everyone in the Shmoo Group is a rock-star; further, friendly geeks and icons abound, and great conversation always ensues from the hallways at the con to the bar at the hotel and beyond.

5. Smart and engaging presenters

Jon Callas, Richard Bejtlich, Dan Kaminsky, Al Potter, Adam Shostack, Scott Moulton, Josh Wright and Mike Kershaw, Ben Laurie, Michael Rash. Etc., etc., etc. Need I say more?

6. Good variety of topics

  • Hacking the Airwaves with FPGA's
  • Security Breaches are Good for You
  • Bypassing NAC Systems
  • The Pain of Network Intrusion
  • Reanimating Hard Drives for Data Recovery
  • Extensible 802.11 Packet Flinging
  • The Current State of Cryptography and the Internet
  • Attack Detection and Response with Linux Firewalls
  • An Examination of OLPC Security and the Impact on Society

7. Focus on security

See #6, above.

So, in the end, I must conclude that ShmooCon is, in essence, a hacker con done right. Please, take no offense, Jeff, as I do love Defcon and [almost] everything it represents (and I hope and plan to present again this year! please accept my [forthcoming] submission!). However, we should all pay attention to ShmooCon and take note: these guys are definitely on to something.

About the Author

Taylor Banks is an entrepreneur who travels full-time in an RV with his wife, Beth, and their dog, Sedona. Taylor's background is in computer, network and information security and privacy, but he now also runs several e-commerce sites and chairs a mastermind group that provides mentorship to other entrepreneurs who want to achieve location and financial independence with passive income provided by lifestyle businesses.

(1) comment

beth

I always think of shmoo as a con by and for people who care. 🙂
