I attended ShmooCon 2020 this year. I had submitted a talk and it was accepted, which in itself was surprising. I had spoken at the first several ShmooCons, but after a tight reign in on material I could discuss (I worked for a government contractor for 7 years), my recent conference submissions had been rather unceremoniously dismissed at a lot of conferences. I had a submitted a keynote talk I had already given at the Louisville Metro Infosec Conference, and while most conferences typically will turn down such talks since they've been previously given, this one was accepted. I did mention it would be updated as the topic - implementation of Zero Trust at my employer - was dramatically in flux, but still did not expect the acceptance.

I guess it shows that one should not assume. When I submitted for Enigma and had a talk accepted, I had made three submissions - two of then I put in a ton of work, and I added a third one last minute that I threw together in a day. Yep, the last minute talk was the one that Enigma accepted. Go figure.

Travel Day

I usually do the whole "one bag travel" method. I am already a minimalist when traveling and usually have a large backpack with a messenger bag tucked inside with all my tech that I use as a day bag. This time I used a very small roller bag and the messenger bag, to make things easier on my back. The mini roller bag is supposed to be able to fit under the seat in front of you (it doesn't).

I arrived at the Washington Hilton Thursday night. I had booked the room way in advance, but unfortunately forgot to assign myself a room. Second floor near the elevators, plenty of street noise and loud conference attendees in the halls.

I did opt in for the digital key, so my phone is the room key. Now normally the tech person inside me might blanch at such a potential point of abuse as an electronic phone key, especially during a hacker conference, but as I've stated before I keep all my tech with me at all times. Nothing electronic is ever left in the room, so frankly I could care less.

As a ShmooCon speaker you are allowed either an honorarium or a free con ticket, and I had opted for the latter. My co-worker was unable to attend so we gave away his ticket via Twitter to a deserving soul. That was fun - if I ever speak here again and get a free ticket as a part of it, I'll do this again.

ShmooCon Day One

I slept in all the way to 9am, which was surprising. After a bit of email catch-up, I headed downstairs to breakfast. I was kind and decent to the wait staff. They must not be used to being treated like a fellow human being by the usual visitors, and I was left with a dilemma on how to expense a heavily discounted bill. Of course there was the paranoid part of me that also considered they were a foreign agent.

I headed over to check in. I got both a ShmooCon bag and a speaker "thank you" bag. The ShmooCon bag was loaded with stuff, but after searching through it for anything hidden (they hide some type of goodness in a small amount of random bags every year) I grabbed the coozy and the lanyard for the badge, and gave the bag away.

Now the speaker bag was a bit different. A decent drinking mug, a reusable straw in a fancy black sleeve (included pipe cleaner), chocolates, and a moose doll. Yes the doll thing is not my taste but I can gift it to someone.

The con started and went as expected, fun intro and on to the talks. I was in and out of good talks doing a lot of hallway con, but the talk that really stood out for me Friday was Sam Teplov's talk called "Reverse Engineering Apple’s BLE Continuity Protocol for Tracking, OS Fingerprinting, and Behavioral Profiling." Not only was it entertaining and highly interesting, kudos for a live demo involving Bluetooth scanning that actually worked. You can follow the project here: https://github.com/furiousMAC/continuity

ShmooCon Day Two

The night was surprisingly quiet. When I leaned out to put the privacy card on the doorknob I noticed a fairly strong weed smell, but I am sure there was no correlation. After breakfast, a ton of tea, and a chai it was off to attend talks.

I had seen Roger Piqueras Jover’s talk on LTE hacking a few years ago, and this update for 5G entitled “5G Protocol Vulnerabilities and Exploits” was excellent. I also enjoyed Mark Manning’s talk on Kubernetes entitled “Command and KubeCTL: Real-World Kubernetes Security for Pentesters”. My morning closed out with Olivia Stella’s talk “Airplane Mode: Cybersecurity @ 30,000+ Feet“. I felt sorry for her as there was a fairly major projector failure as she was setting up, and it took a rough 10 minutes for ShmooCon staff to fix. Not her fault, but she patiently waited until it was corrected, and shouldered on. Decent talk as well, although it was more of a review of standards and general security approaches than anything hackish. Nonetheless, I used to work at an airline so I found it quite interesting.

Lunch was entertaining as the lack of OPSEC was horrid. Hearing red team members from two different companies comparing notes on what was found and what was not fixed at their places of employment was, surprising. Good god.

After lunch I only caught a couple of talks, the main one that caught my attention was Noelle Garrett for her talk on “Privacy Scores for iOS Apps” where she used mitmproxy to do some testing of privacy-related traffic coming out of an iOS device. Yet another talk with a live demo that actually worked.

I had skipped a few talks to do some tweaks to the slides for my own talk. Since I’d arrived I’d been asked questions about Zero Trust and if my talk discussed one thing or covered another, and it gave me a few ideas for some minor changes.

After a bit more hallway con, I ventured out to grab a early dinner. I took my ShmooCon mug and replaced my Bear Grylls water bottle with it for the walk down to Chipotle. I made the mistake of assuming the lid sealed in liquid - it did not and walking made it splash out the top. After I got back I discovered that the leak really soaked the bottom of the bag pretty good. Fortunately my laptop, iPad, and a few other electronics were fine, but my Sony Cyber-Shot DSC-RX100 V did not. That was an expensive little mistake, but at least the presentation won’t be affected. (EDIT: After partial disassembly, cleaning, and reassembly the Sony Cyber-Shot works again)

ShmooCon Day Three and Flight Home

Final day of the conference. I attended one talk all the way through - my own talk. It was called “Real World Zero Trust Implementation”. Seemed to go pretty well. I expected a bit more heckling, but a Sunday at 11am I was just happy a decent crowd showed up. I don’t find heckling bad at all - my fave talk I gave by far was at ShmooCon in 2008 where numerous people yelled at me and I even got nailed with a ShmooBall.

Due to careful planning, I managed to give myself a mere 6 hours to get to the airport after the conference ended. A leisurely lunch and a chai, it was off to the airport for a relaxing work/blog/people watch session before the flight.

I arrived at the airport barely in time, only 4 hours to spare, so after establishing a space to work I managed to catch up on a few things. After a lovely dinner of airport food, I boarded my plane (exit row to myself) and headed home.

Summary

Overall, I think the best part of this con for me was just the amount of people I had conversations with. I made a lot of new friends and put faces with a few names, but it was really fun to talk with old friends, many I had not seen in years.

I hope to see you next year, ShmooCon. And for many of my hacker friends, I’m pretty sure I’ll see you this summer in Las Vegas.