ShmooCon 2009


Having last attended Shmoocon in 2007, I was glad to see that all the things that made it great "then" were still present for the 2009 installment:

  • A close-knit community feel. The Shmoo Group’s prolific members are very active in the infosec community and appear to unite many disparate groups within it.
  • The freedom to push the boundaries of free speech. I believe this freedom comes, in part, from an independent backing (as opposed to an overriding corporate interest).
  • Affordable tickets.

There wasn’t enough reverse engineering content for my taste, but the low price and DC’s proximity more than make up for it.

Twitter

During the conference I spent a fair amount of time reading other attendees’ Twitter feeds. I was impressed. It is honestly a decent alternative to an official ’con IRC channel. I used it to find…

It was also nice to see people discussing a presentation "as it happened" rather than hoping to be called upon during the short Q&A in meatspace[1].

If I succumb to ADD, I might start twittering sometime in the future. In the meantime, I’m keeping some notes on alternative (esp. open source) micro-blogging software.

Ticket resale market on eBay

A friend of mine wasn’t able to make it so I sold a ticket on eBay. After eBay/PayPal fees (~$20 all told) I lost about $30 on the deal. Anyways, for future reference, here’s how eBay looked on the day the conference began. As you can see, 34 of 47 listed auctions resulted in a sale between January 22nd and Feb 5th with an average selling price of ~$150.

As an aside, selling barcodes/UUIDs is apparently a violation of eBay’s TOS – they’re “intangible”.

For more on the economics of Shmoocon ticket sales look for a video of the ’0wn the con’ organizer-led presentation.

Saturday 2/7/2009

If you’re staying at the Wardman Park Marriott and you’ve got a hankering for a killer NY-style deli sandwich, you should take the 12-minute walk to So’s Your Mom in Adam’s Morgan. Buy your chips and drink at the natural foods store next door, though, to save a buck or two.

Here are some rough notes I took during Crispin Cowan’s presentation on his transition from the Linux world to the Microso~1 world.

  • Microsoft employs "entire compute farms" for the purpose of fuzzing their software.
  • Some members of its security team are paid "per discovered bug".
  • In the early part of the decade Microsoft’s OS group stopped most of its design and coding work for a period of a few months to educate its engineers on the topic of secure coding. During this time, it “lost” $200 million.
  • A security prompt to the user is an unhandled security exception.
  • Access control in X is very immature – apps can keylog others.
  • Microsoft’s security department is roughly the size of the entire SUSE Linux company.

In the evening, I watched the Hack or Halo competition (props to coynemartin) and started poking at the conference’s FreeRADIUS registration form. I discovered that its (homebrew?) CAPTCHA is vulnerable to replay attacks :/. If this is still the case next year, I’ll have to let them know. I wonder what the consequence of this vulnerability is. Resource exhaustion?

Sunday 2/8/2009

A beautiful, sunny day. Arrived just in time to learn about Matt Weir’s clever synthesis of dictionaries/rulesets and rainbow tables. At some point I should grab the source code and see if he’s optimized the OpenSSL MD5 code or used it verbatim as the freerainbowtables.com folks have.

After the conference wrapped up at 4ish, I walked from the Marriott, down scenic Connecticut Avenue to the Obama family’s new home. As I walked towards the Capitol, the Obamas returned from their first Camp David trip via three Marine helicopters[2]. Finally, I walked past the hostel for a giant fish sandwich at Horace and Dickie’s, past the hostel again for an overpriced six-pack of Sam Adams, and then to the hostel to enjoy both with a new batch of folks there.

Charity

I was glad to see that ShmooCon directly and indirectly supports the following charities and non-profits:

  1. Yeah, I said it. “Meatspace”.
  2. Part of a fleet that costs more than 11 billion dollars.

Reader Comments

[...] I departed Iowa city on Wednesday, dusting off my tinfoil hat, catching up on some PaulDotCom podcast episodes and motoring for the infosec conference with the least moose. [...]