The Akamai Blog

ShmooCon Security Conference This Weekend

ShmooCon has always been one of my favorite security conferences. Unfortunately, I can't be there this year. But for those who are going this weekend, here's what to expect.

In recent years, I've found some of the best content at ShmooCon, and I've learned a lot. It's also an excellent place to meet other security practitioners who can become important allies. Some of the most important contacts I've made were at ShmooCon.

The unfamiliar usually chuckle or cock their heads in puzzlement when I tell them about ShmooCon. The name throws them off, and it's not a traditional business conference.

ShmooCon is organized by the Shmoo Group, a security think tank started by Bruce Potter in the late 1990s. Attendees represent the full cross section of the security industry. There are hackers, CSOs, government security types and everything in between. More than a few people have compared it to the Black Hat conferences of old or a smaller version of Defcon.

The event has inspired a lot of thinking outside the box -- not just in terms of the talks, but in how attendees travel and network. In recent years people have carpooled to ShmooCon.

For three years in a row I traveled to and from the event in what we called the Shmoobus -- an RV crammed with hackers making the journey from Boston to Washington DC. Those 12-hour drives made for a lot of bonding.

With such a long trek, there's time to delve into deep discussions about the challenges of our jobs.

The Shmoobus is no more, unfortunately. But what I learned about security on those journeys will last a lifetime.

ShmooCon 2015
This year's event is at the Washington Hilton Hotel, 1919 Connecticut Ave., NW in Washington DC. Here's the schedule:

Friday, January 16, 2015
Time | One Track Mind
1200 Registration Opens
Opening Remarks, Rumblings, and Rants

Bruce Potter

Five Not-Totally-Crazy Ways to Build for Usability

Elissa Shevinsky

Simple Windows Application Whitelisting Evasion

Casey Smith

Don't Look Now! Malicious Image Spam

Kathy Liszka

Userland Persistence on Mac OS X "It Just Works"

Joshua Pitts

SEWiFi: Building a Security Enhanced WiFi Dongle

Ryan Holeman

Betting BIOS Bugs Won't Bite Y'er Butt?

Xeno Kovah and Corey Kallenberg


Keynote Address

Joseph Lorenzo Hall

2000 Infosec Family FUD

Saturday, January 17, 2015
Time | Build It! | Belay It! | Bring it On!
0930 Registration Opens
NSA Playset: USB Tools

Dominic Spill, Michael Ossmann, and Jared Boone

Cockroach Analysis: A Statistical Analysis of the Flash and Java Files that Infest the Internet

David Dorsey

Where the Wild Things Are: Encryption, Police Access & the User

Whitney Merrill

Knock Knock: A Survey of iOS Authentication Methods

David Schuetz

Understanding a New Memory Corruption Defense: Use-after-Free (UaF) Mitigation and Bypass

Jared DeMott

Analysis of POS Malware

Brandon Benson

httpscreenshot - A Tool for Both Teams

Steve Breen and Justin Kennedy

There's Waldo! Tracking Users via Mobile Apps

Colby Moore and Patrick Wardle

Quantum Computing 01100101

Tess Schrodinger

1300 Lunch Break
Automated Binary Analysis with Pin and Python

Omar Ahmed and Tyler Bohan

Practical Machine Learning for Network Security

Terry Nelms

Come to the Dark Side--We Have (Misfortune) Cookies

Lior Oppenheim and Shahar Tal

NaCl: A New Crypto Library

Daniel J. Bernstein and Tanja Lange

The Joy Of Intelligent Proactive Security

Scott Behrens and Andy Hoernecke

Deception for the Cyber Defender: To Err is Human; to Deceive, Divine

Tom Cross, David Raymond, and Gregory Conti

Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry

Kristen K. Greene, Joshua Franklin, and John Kelsey

Manually Searching Advisories and Blogs for Threat Data--"Who's Got Time for That?"

Elvis Hovor and Shimon Modi

Rethinking Security's Role in Computer Science Education

Sarah Zatko

0wn the Con

The Shmoo Group

The Windows Sandbox Paradox

James Forshaw

Ask the EFF

Kurt Opsahl and Nate Cardozo

1800 Golden Flag Awards
1830 Fire Talks
2100 Saturday Night Party

Sunday, January 18, 2015
Time | Build It! | Belay It! | Bring it On!
0930 Registration Opens
White is the New Black: Why White Data Really Matters

Irena Damsky

No Budget Threat Intelligence: Tracking Malware Campaigns on the Cheap

Andrew Morris

The Mile High Club: Getting Root at 40,000 Feet

Wesley Wineberg

Eliminating Timing Side-channels. A Tutorial.

Peter Schwabe

Infrastructure Tracking with Passive Monitoring and Active Probing

Anthony Kasza and Dhia Mahjoub

Mascots, March Madness & #yogapants: Hacking Goes to College

Chris Cullison, Zack Allen, and Avi Rubin

The Dark Art of Data Visualization

David Pisano

Micronesia: Sub-kernel Kit for Host Introspection in Determining Insider Threat

Loc Nguyen

How Random is Your RNG?

Meltem Sönmez Turan, John Kelsey, and Kerry McKay


Closing Plenary

Get Off My Lawn: Examining Change through the Eyes of The Old Guard

Bruce Potter (moderator), Carole Fennelly, Rick Forno, Ben Laurie, and Space Rogue

1400 Closing Remarks

Not to be missed:

In all the ShmooCons I've attended, I've found these to be highlights:

FireTalks: ShmooCon FireTalks are 15-minute presentations meant to be an alternative to the traditional 30- to 90-minute conference format. Similar to 5-minute Lightning Talks, the purpose is to challenge speakers to skip the BS and instead dive right into the core of their content in a more relaxed alternative environment. Unlike Lightning Talks, which are usually performed in rapid succession, the additional time allows the speaker to follow a more traditional introduction, body, and conclusion format. Judges will be on hand to vote for the best talks with prizes being awarded to the top three presentations. The FireTalks will take place Friday and Saturday night between the main track presentations and any evening activities.

Infosec Family FUD: Have you ever watched the Family Feud on TV and thought you had what it takes to win? Are you dying to show off how well you've got the pulse of the Infosec community? No? Well, come join us anyway and play along as ShmooCon presents a special Infosec Community version of the Family Feud. On Friday night we will be forming teams from audience members live, but even if you don't get selected to be on stage, we still need you to be our sampled audience -- the whole game is generated from your feedback.

Hackfortress: Hackfortress is back for its 4th year at ShmooCon. This year is stacking up to be no less exciting for the competition than previous years. With two brand new Oculus HD Rifts planning to make an appearance at this year's competition, virtual immersion into TF2 will play an even bigger role during this round (and this time without the nausea). Don't worry though, we'll still have the two original Rifts on hand for a challenge (or as a form of punishment or just to amuse the judges). Just as in years past, the competition will consist of a team of 10 players competing to score more points than the opposing team during each 30-minute match. Six players will play Team Fortress 2 against six players on the opposing team. The four remaining players on each team will do their best to solve puzzles while the TF2 match is happening. These puzzles have a direct impact on the game just as the game has a direct impact on the puzzles. One new twist this year is that we plan to offer payload and KoTH maps during this year's matches.

If you're attending, I wish you safe travels and a lot of fun!