Saturday, February 16, 2008

Shmoocon, Day Two

Except for morning arriving too early, too bright and too loud- another great day.

A couple of references: the Shmoocon website and the speakers page.

An explanation of Shmooballs: ShmooCon 2008 is continuing in the tradition of arming attendees with ShmooBalls (a soft aerodynamic object of some sort). This is in an effort to facilitate a frank and open discussion of opinions. Speakers are encouraged to present innovative ideas that not everyone agrees with. Audience members are encouraged to use their ShmooBalls if they disagree.

First presentation was a tough choice; I passed up a great wireless talk to attend Mouse's inside look at voting systems. I have been concerned about voting systems for years- and after last year's talk by Avi Rubin and last night's talk by Alex Halderman I chose to hear more about the research that has been done. Mouse is on the team that did an in-depth analysis of the voting systems in Ohio after the fiasco of the 2004 elections. The phrase "one voter really can make a difference" takes on a new and ominous meaning in light of the findings on system vulnerabilities.

Next I went to the "Forced Internet Condom" talk; a couple of former ISP abuse department guys delivered their mea culpas and explained why the traffic filtering they once supported is the wrong approach. Takeaway: Sandvine and their customers are not very nice. "Intelligent traffic management" is a polite way of saying the ISPs have oversold their networks and are now controlling what their customers can and can't do on "their" Internet- and changing terms of service as they see fit to cover it. How bad is it? Commonly filtered ports now include TCP 21, 25, 80 (inbound), 111, 135-139, 445, 1433-1434, 3128, 4662 and 36781; UDP 135-139, 161, 445, 1434; and a few stray protocols.

At noon I went to see Jay Beale's preso on "They're Hacking our Clients". Jay is a very sharp man, but I was underwhelmed by this talk. He seemed to be proposing manually doing what agentless NAC already does (or claims to do). I think Palo Alto Networks are already where he is theorizing we should be going. Early in the talk Jay became the first victim of Larry Pesce's compressed-air powered Shmooball cannon- a yell of "fire in the hole", a loud pop, and the air was full of Shmooballs.

After a little lunch and some time in the Lockpick Village I caught Simple Nomad's "Practical Hacker Crypto". It was informative and entertaining, as his talks always are. After a shot at Ovie Carroll (from the Cyberspeak podcast), Simple delivered the most solid advice of the con, "don't do dumb shit". A little light on specifics, but irrefutable advice. Simple later proposed PDP, the Plausible Deniability Protocol- under the topic of WWDKD (What would Dan Kaminsky do?). The now-infamous Mr. Pesce and his cannon struck again during the talk.

At 4:00 I went to one I had been looking forward to, a talk on small business security challenges. Displeased with their ideas, I threw Shmooballs and challenged their contention that small businesses are easier to secure than larger entities. To their credit one of the presenters, Pete Caro, found me in a hall later in the day and asked if we could continue the conversation tomorrow. I'm looking forward to it. That will be at least one blog post of its own, hopefully soon.

For the final time slot I went over my head into "Advanced Protocol Fuzzing" with Enno and Daniel from ERNW. I think it went over many people's heads, but I stuck it out and am glad I did. Crashed Cisco gear is a perennial crowd favorite, and they delivered. The preso, followed by a hallway chat with Chris Hoff and Daniel, convinced me that I need to learn about VRRP and think about trying to break VRRP, HSRP and WLCCP. If I make any progress, that should be a few blog entries.

Chris Hoff and I have also been delivering running commentary on Shmoocon on Twitter. (There's another blog entry in the works, the growing Security Twitterati community). Chris' tweets are here and mine here.