The Shmoo Group
ShmooCon



2005 Presentations

Keynote
Riley "Caezar" Eller

By night, he donates his time and energy to the Ghetto Hackers organization, a group best known for dominating the annual DEFCON Capture the Flag contest and creating the Root Fu scoring system. Caezar is the authority on security contest scoring. By day, Mr. Eller has extensive experience in Internet embedded devices and protocol security. He invented fully automatic web vulnerability analysis and ASCII-armored stack overflow exploits, and contributed to several other inventions including a pattern language for describing network attacks. Caezar's credits include the Black Hat Security Briefings and Training series, the Meet the Enemy seminars, "Hack Proofing Your Network: Internet Tradecraft", and the Caezar's Challenge think tank.

The Secret Lives of Photons
Abaddon

From RFIDs to street lights and mobile data terminals, the radio spectrum is filled with information and amusement that is just waiting to be abused. This presentation will serve as a beginner's crash course in exploring the digital signals that are all around us. Special emphasis will be placed upon doing everything on a shoe-string budget.

Abaddon is best known in the hacker community for his work with 802.11, including the Airjack wireless MiTM tools. He is an accomplished software engineer with a solid background in kernel-level programming. His research interests include RF shenanigans, cryptography, reverse engineering, and any protocol designed by committee.

"0wn the C0n!" BoF
Beetle
The Shmoo Group

Whether you've noticed it or not, there's a trendy opinion emerging, amongst the folks around you, that the smaller hacker cons are where it's at. Fewer crowds, more clue. Less traffic, cooler tools. Fewer feds, more friends. ToorCon is the standard. CanSecWest is the cold kick-ass con. Creative genius abounds at CodeCon. LayerOne is the nifty newbie. Notacon, Phreaknic, etc. And now, in D.C., we have ShmooCon, which might actually have more feds, but aims to bring the small-hacker-con-with-clue fad to the nation's capital.

So let's figure out what it is we like and don't like about cons--including this one. Help us make our con better. Let's make other cons better. From suggestions to start-your-own-con strategies, we can figure out how to maintain or create critical, small scale, geek gatherings for ourselves and the public at large.

To hell with surveys. To hell with email feedback. This is live. This is on-site. The Shmoo Group wants you to step up to the mic and "0wn the C0n"!

Beetle is a member of the Shmoo Group, holds a BS in Computer Science, and is a D.C.-area computer security engineer. He is a geek, and he is a licensed amateur racecar driver. He presented on the topic of rogue access points at DefCon 11 and Black Hat Federal, demonstrating his rogue AP setup utility Airsnarf. Last year, he and the Shmoo Group pimped some of their new wireless gadgets, such as 802.11bounce and the Sniper Yagi, at DefCon 12, and Beetle unleashed Wireless Weapons of Mass Destruction for Windows at ToorCon. This year, Beetle is taking a break of sorts, and helping pimp an East coast hacker conference in D.C. called ShmooCon in the Winter, so he can spend more time in the Summer 1) getting his ass kicked on the racetrack and 2) drinking at all the other cons he likes.

"Avoiding the Mis-management of Patch Management" BoF
Tina Bird
Security Architect, InfoExpress

Patch-management: it is one of our latest and greatest challenges and could quite possibly be the keystone to keeping our systems simply working, let alone relatively free from the kids that need extra space for their MP3s. What are we talking about? What AREN'T we talking about?! Pros and cons of the most popular patch-management solutions on the market. Tips and tricks culled from the last year of one of the newest and most needed mailing lists on the planet at patchmanagement.org. Challenges. Success stories. Miserable failures. Emerging technology to manage patching and emerging technology that needs to be patched. Come sit down and chat about patch-management--the task we all love to hate, but know damn well needs to get done.

Tina Bird brings rigorous scientific discipline, a wealth of network administration and Internet security expertise, and substantial teaching experience to her role as the Security Architect for InfoExpress.

tbird moderates the Log Analysis and VPN mailing lists. With Marcus Ranum, she runs http://www.loganalysis.org, a portal for building enterprise logging infrastructures and interpreting log data. She is slowly authoring a short topics guide to system logging for SAGE, the System Administrators Guild. tbird is a co-moderator of the newly founded Patch Management mailing list.

Previously tbird was responsible for technical review and implementation of Internet firewalls, virtual private networks and authentication systems at Cerner Corporation in Kansas City, and subsequently for Secure Network Group in Lawrence, Kansas; the Director of Network Intelligence at Counterpane Internet Security; and a Computer Security Officer for Stanford University. Her responsibilities have included assessment of threats to corporate assets and current security practices, technical evaluation of available products, planning for long-term growth of Internet and extranet infrastructure, and network configuration and management in accordance with security policy. At Secure Network Group she also developed and implemented a training curriculum for the company and its customers. In this regard she obtained vendor certification from Security Dynamics to provide ACE/Server Administration courses, developed and presented classes on Sidewinder, FireWall-1 and Gauntlet firewalls as well as classes for USENIX and Network World on virtual private networks. At Counterpane she developed strategies and documentation for integrating customer devices into the monitoring system; tested new attacks and vulnerabilities to determine log-based forensic signatures; and wrote alerts for both internal use and customer distribution, based on significant new security vulnerabilities and attacks. At Stanford, she worked on the design and implementation of security infrastructure for University systems; writing Security Alerts for desktop and server machines on the 40000-host network; healthcare information security & HIPAA compliance; and extending the university's logging infrastructure. tbird was the primary Stanford representative for FIRST, the Forum of Incident Response and Security Teams.

tbird graduated from the University of Notre Dame with a B.S. in physics, and has a master's degree and Ph.D. in astrophysics from the University of Minnesota.

Trike's Automatic Threat Generation
Brenda

If you have ever tried to completely & accurately describe the insecurities (at every level of abstraction) in a system, you have probably noticed that there is no widely known, repeatable, and reasonably doable method for doing so. You could easily conclude that whole halting problem thing is stopping people. ;)

The thing about undecidable problems is that there exist algorithms which will solve particular cases, there exist algorithms which can make good predictions or approximations for particular cases, and there exist algorithms which can solve pieces of the problem. Essentially, by approaching the problem from different angles, you can move the insolubility around. For example, formal verification can be used in some situations, to prove or disprove a program's adherence to a formal specification. This moves some security-related insolubility from the program to the specification.

Brenda will present a brief overview of Trike (the way she, Paul Saitta and Michael Eddington are currently organizing this problem), the key differences between Trike and previous threat modeling work, the algorithm Trike uses to automatically generate all the top-level threats for a system, some assumptions that make this possible, and a description of where she thinks the insolubility will end up when the problem is organized this way.

Brenda has been working in various IT-related capacities (programming, system administration and software security, usually simultaneously) since 1993 or so. The pattern is clear: she gets in, determines the lay of the land, identifies the ridiculously large human/computer collaboration which would run _much_ better with a different division of labor, converts her audience and a few collaborators, and whips up some software to automate the problem into submission. Recently, she has been analyzing the security of software systems on behalf of a Seattle-based consulting firm, with predictable results: analysis techniques that take the respective strengths and weaknesses of humans and computers into account, dividing labor accordingly.

Design and Implementation of a Wireless IDS
Laurent Butti and Franck Veysset
France Telecom

Wireless intrusions like rogue access points, injection and MAC spoofing attacks are a common way to obtain unauthorized access to corporate or hot spot networks. In this presentation, we will focus on the design and implementation "from scratch" of a WiFi IDS aimed at detecting and mitigating some security issues in wireless environments. After a quick state of the art of the WiFi IDS domain, we will explain how and why we have developed our own tool, and detail a practical example of usage: rogue AP detection. A demonstration will be given during the talk.

Laurent Butti is a network security engineer working for France Telecom R&D security labs. He is involved in network and system security audits, wireless technologies and IDS. He has talked about wireless security at several conferences (Eurosec, Libre Software Meeting, ToorCon, FIRST ...). He is now responsible for technical security analysis of wireless LAN solutions designed by France Telecom Division R&D.

Franck Veysset (franck.veysset@francetelecom.com) is a network security engineer currently working for France Telecom R&D security labs. His activities are focused on Wi-Fi security, honeypots, and more generally IP security. He has presented at numerous technical and security conferences. He is also a program committee member of different conferences (FIRST, SSTIC, JSSI...). Aside from these activities, he is a member of the board of the French Information Systems and Network Security Observatory, and a member of the French chapter of the Honeynet Project.

"If You're Not Part of the Solution, You're Part of the Precipitate" BoF
Jon Callas
CTO, PGP Corporation

Human beings are the core of all security issues, as part of the problem and part of the solution. Security people are no exception. There are things that we do in trying to solve the problem that actually merely shift things around, or make it worse. In this BoF, we'll talk about what we security pros do that isn't helping and what we do that makes things worse.

Jon Callas is currently the CTO of PGP Corporation and has previously served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. Jon Callas served as Director of Software Engineering at Counterpane Internet Security Inc. and was a co-architect of Counterpane’s Managed Security Monitoring system. Most recently, he was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force’s (IETF’s) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues. Jon Callas has a B.S. in Mathematics from the University of Maryland.



"IDS Gone Bad"
Cazz
The Shmoo Group

We've all done Snort. Woopeee. Snort with Perl plugins. It's been done. But what happens when the rules nazi gets his title stripped with only the shortest of "we will miss you" thank-you notes? He starts working on the darker side of Snort.

* Think Snort
* Think Snort with Perl
* Think Snort modifiable at runtime, thanks to perl
* Think Snort that gets new rules via packets, thanks to perl
* Think Snort that gets new functionality via packets, thanks to perl
* Think Snort that gets ATTACK functionality, via packets, thanks to perl
* Think Snort as a worm

OK, so maybe that's a bit too much thinking. Snort: it's not just for protecting your cable modem anymore.

Brian Caswell is a member of the Snort core team, where he is the primary author of the world's most widely used intrusion detection rulesets. He has been a part of two books, the Snort books from Syngress. He is a member of the Shmoo Group, an international not-for-profit, non-milindustrial independent private think tank. Currently, Brian is a Research Engineer within the Vulnerability Research Team for Sourcefire. Not only can Brian do IDS, he is a Pokemon Master Trainer.

In his free time, Brian likes to teach his young son Patrick to write Perl, reverse engineer network protocols, poke people with rapiers, and autocross at the local SCCA events.




"Evidence-based Security Assessment" BoF
Crispin Cowan, PhD, CTO & Co-founder of Immunix
Adam Shostack, Entrepreneur & Technologist
Al Potter, Security Evaluator for ICSA Labs
Ed Reed, Novell Security Czar

How to decide "Is this thing secure?" is a tough problem. It is a lot tougher than most naive security product consumers think it is. Issues like "what threats are you considering?" and "how much is /insecurity/ costing you?" make it tougher. It is also a lot tougher than most security professionals think it is; Alan Turing's Halting Problem proves that /automatic/ assessment of system security is undecidable, and so the question of "is this thing secure?" will always involve human intervention.

Unfortunately, the human approach to assessing security to date has also been sadly lacking. At the formal/government end, we have the Orange Book, TCSEC, and Common Criteria. Having discovered that assessing /actual/ security is hard, these procedures instead produce very expensive piles of documentation of how hard the vendor /tried/ to provide security. A system can be Common Criteria certified with a mountain of documentation, and have a remote root exploit come out the next day. At the informal/hax0r end, we have random penetration testing by "the community", ideally with full disclosure, and sometimes by forensic examination of compromised systems. Here occasional disclosure of a vulnerability definitively shows a product or system to be *insecure*, but we /never/ get any assurance of security, and can only infer security from long silence.

We propose a panel on a new approach to assessing security: evidence-based security assessment. It's time to seek security expressed in disprovable hypotheses, and experiments designed to test them. This is the heart of the scientific method, and it's time to apply it to security. Is this product or that one more secure? Is that "best practice" really better? Can your CISSP-style stand up to the fury of our drunken master style? We will talk about how broad theories are better than narrow ones, and how simple tests are better than complex ones, allowing us to move to more interesting hypotheses and proofs than "This is secure; 0wn.c; patch; goto 10".

It's time to compare and contrast. It's time to test. It's time to demand evidence-based security. This panel will feature speakers presenting the world's fastest re-introduction to the scientific method, followed by the underlying hypotheses for other approaches to security, and how to test them. We'll also show some examples of how to use evidence-based approaches to testing a variety of technologies that are out there today.

Dr. Crispin Cowan, CTO and founder of Immunix Inc., is a pioneer in intrusion prevention, beginning in 1998 with the StackGuard compiler defense against buffer overflows. He holds a PhD and professorship in computer science, has published over 35 refereed conference and journal papers, and sits on numerous program committees and editorial boards, including USENIX, ACM, and IEEE. Crispin is a member of The Shmoo Group.


Adam Shostack is a technologist, startup veteran and regular public speaker. He has published papers on security and privacy, as well as economics, copyright and trust.

Adam joined Zero-Knowledge Systems in 1999 to build and run the Evil Genius group of advanced technology experts, researching future privacy technologies, including privacy enhancing networks, credentials, and electronic cash.

He joined Zero-Knowledge Systems from Netect Inc., a mass-market security software company where he served as Director of Technology. As leader of the core design team for Hackershield, he introduced numerous innovations in security scanning.

Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc, and the Privacy Enhancing Technologies Workshop steering committee.



Al Potter is an Information Security veteran who has been a senior member of the technical staff at ICSA Labs since 1997. Since 2001, he has been dedicated to the Labs' emerging wireless programs as the Manager of Technical Services. In this role, Mr. Potter has worked to develop and refine test methodology and infrastructure, and actively participates as a voting member of the IEEE 802.11 standards committee.

Al's prior roles at the Labs have included hands-on testing of commercial firewall products and management of the Network Security Labs (including the firewall, IPSec, cryptography and IDS testing programs). Mr. Potter was deeply involved in the development of the criteria, processes, tools and procedures for the delivery of TruSecure Corporation's TruSecure product family, and he served as the initial Technical Lead for TruSecure Delivery Services.

Prior to joining ICSA Labs, Al spent three years as a senior INFOSEC analyst with Science Applications International Corporation (SAIC), providing Unix system administration services to US Government customers. Before joining SAIC, Al served nine years as an Artillery Officer in the US Army, with extensive experience in tactical automation, nuclear surety and an overseas tour as a Battery Commander and Liaison Officer to the German 12th Panzer Division. He is currently a Major in the retired reserve.

Mr. Potter holds a B.S. degree in Mathematics from Davidson College and completed more than three additional years of professional military education.


Ed Reed is Novell's Security Czar, responsible for leading security product strategy and direction across the company. A part of Novell's Office of the Chief Technology Officer, Ed works with architects and business planners to fashion Novell's enterprise-oriented identity-based computing efforts to meet customers' rapidly evolving needs. During his time at Novell, Ed has led both Product Management and Architecture teams in the areas of Directory and Security products. A graduate of Purdue University (BS) and Rochester Institute of Technology (MSCS), Ed is a frequently requested speaker at industry, technology and analyst briefings and conferences. His standards activities have included work with the IETF (LDAP, LDUP), DMTF, and OASIS.




"Intrusion Prevention and Application Security: The Good, The Bad, and the Ugly"
Crispin Cowan
Immunix

Richard Clarke said that "The reason why you have people breaking into your software is because your software sucks." More than just scathing criticism of the software industry, this comment highlights the extreme difficulty of assuring that your applications do what they are supposed to do, /and nothing else/. You can test for what an application is supposed to do, but you cannot effectively test for the surprising "something else" mis-features that attackers exploit: they "tickle" your applications with "creative" inputs that make software misbehave, and as a result can break into your systems. Practices like open source code review help Linux to be more secure by making unpleasant surprises less likely, but this does not eliminate the threat. To really secure applications, host application security is required to nail down what each application is permitted to do, to ensure that it is not doing any surprising "something else"s. This talk will explain the theoretical foundations that make proving "nothing else" impossible, and show how host application security provides the only real alternative to trustworthy software. We then show how the LSM (Linux Security Modules) feature (new in the Linux 2.6 kernel) enables unprecedented precision in the control of application behavior on standard Linux kernels.

Dr. Crispin Cowan, CTO and founder of Immunix Inc., is a pioneer in intrusion prevention, beginning in 1998 with the StackGuard compiler defense against buffer overflows. He holds a PhD and professorship in computer science, has published over 35 refereed conference and journal papers, and sits on numerous program committees and editorial boards, including USENIX, ACM, and IEEE. Crispin is a member of The Shmoo Group.



"Low Latency Anonymizing Networks" BoF
Roger Dingledine
Project Leader, Tor

Come talk with Roger Dingledine, Tor project leader, about all the hard issues in the anonymity world. How to get users? How to get servers? How does public perception figure into security? Should we have a GUI, and how should it work? Should we capture IP packets or work at the TCP layer? What good uses are there for anonymizing networks, and do they outweigh the bad uses? How do we scale while handling heterogeneous and unreliable nodes, and without sacrificing security? Should we integrate with BT, Kazaa, Freenet? How to choose a good path length? Caching content at the exit nodes? Should we allow revocation of anonymity if a threshold of servers want to? When does fixing your entry or exit node help you? Padding and traffic shaping? Patents? Responder anonymity and survivable services? Censorship-resistant publishing? Corporate and government users? Local adversaries, ISP adversaries, government adversaries? Jurisdictions? China? Iran?

Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users. He consults for the US Navy to design and develop systems for anonymity and traffic analysis resistance. Recent work includes anonymous publishing and communication systems, traffic analysis resistance, censorship resistance, attack resistance for decentralized networks, and reputation.



"Reverse Engineering for Fun and BoF It!" BoF
Chris Eagle
Associate Chair, Computer Science, Naval Postgraduate School

Reverse engineering skills can come in handy in any number of situations. Determining the behavior of malware, interoperability with closed source applications, and discovery of software vulnerabilities are just a few of the situations in which reverse engineering skills can come in handy. Unfortunately, reverse engineers often seem to be self-trained, and open forums for discussing tools and techniques seem to be few and far between. The goal of this session is to hear people talk about tools and techniques employed for various reverse engineering tasks.

We'll talk about current tools of the trade, disassemblers, debuggers, fuzzers and such. Without turning into a religious battle, the relative merits of various approaches to reverse engineering techniques including static and dynamic analysis of closed source code may also be discussed. And, finally, we will discuss how to deal with the latest trends in anti-reverse engineering techniques with a potential look at the strengths and weaknesses of techniques introduced in the preceding talk by Pusscat: http://www.shmoocon.org/program.html#pusscat

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 19 years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering.



"/applied cryptography/? oh, i skimmed through that book once."
Seth Hardy

this talk is inspired by the title quote, part of a response to the question "how much cryptography experience do you have?" normally, it wouldn't have been a big deal. in this case though, the person i was talking to was someone who'd just given a talk on his new web-based, new-and-improved system for cryptographically-secure email that is easy-enough-for-anyone-to-use. a system he'd written in his spare time and was plugging hard so that everyone in the world could feel safe that their email is secure.

riiiiiiight.

it's been getting too easy lately. want proof? i'm going to bring up a number of these systems that promise security, anonymity, authentication, non-repudiation, whatever other buzzwords in the general field of cryptology that happen to be big at the time. and then i'm going to show you how and why they're broken, along with the steps that could be taken to improve them.

i'll also show how systems that are very good can still have their weaknesses, which can range anywhere from mildly annoying to rather problematic. while i may regret it later on, i'll describe and demonstrate a few "attacks" which most people seem to have overlooked completely.

the end result? hopefully the audience will have a better understanding of the common mistakes that novice cryptographers make, and will avoid them in the future. hopefully people will have a better idea of how to determine what to avoid if they want to actually be secure. and hopefully i won't offend anyone too badly in the process.

seth stopped liking writing self-promoting blurbs a long time ago. in fact, he may never have liked it to begin with. he acknowledges that there's already far too much information about him on the intarweb, and encourages people to do their own research if they're interested. he's also just had his wisdom teeth removed and has been taking a lot of vicodin, which is why this whole writeup is so snarky.



"High-Speed Computing & Co-Processing with FPGAs"
David "h1kari" Hulton
Dachb0den Research Labs

FPGAs (Field Programmable Gate Arrays) are slowly becoming more and more advanced and practical as high-speed computing platforms. In this talk, David will provide an in-depth introduction into the guts and capabilities of modern day FPGAs and show how you can take your current algorithms, efficiently convert them to gate logic, and run them on hardware. This presentation will also introduce a set of open source cores (jawn v1.0) that will implement the basic functionality of john the ripper on FPGAs and allow you to crack password hashes as fast as 100+ PCs using FPGA PCMCIA cards on your laptop.

Have you ever written an algorithm or a crypto cracker and wondered how fast it would run if you implemented it in hardware circuits with your bits flowing as fast as the electrons can move? What if you could put all of your algorithm's logic onto a specialized processor that does all of the work internally and just spits out an answer when it's done? It isn't as difficult as you think, and the chips are only getting faster and faster. FPGAs have many unique properties that can be exploited by a wide range of algorithms.

This talk will release a new tool (jawn) that implements the basic functionality of john the ripper in FPGA logic. Jawn v1.0 currently implements DES, MD5, and Blowfish hash password cracking and runs on the ROAG platform, a Type 2 PCMCIA card with a XILINX Virtex-II Pro FPGA and a fully embedded PowerPC with 128MB RAM, 32MB Flash ROM, Ethernet, Serial Ports, and CANBus. It supports simple distributed processing by setting how many bits of the keyspace you want to search and allows you to search for just alphanumeric, all typeable/printable characters, or the full keyspace. Future plans are to run the key generation on the PowerPC for intelligent password generation.

David will also go in-depth with new revolutionary approaches to FPGA programming, including evolving algorithms, hardware, and other neural network concepts that become practical when using reprogrammable hardware. This presentation will provide a full introduction to how FPGAs work, different applications, how to design logic for them, how to interface with your different peripherals, and how to optimize your design to be as size and speed efficient as possible. The goal is for the audience to walk out of the room with all the fundamentals needed to start doing FPGA development.

David Hulton has been in the security field for the past 6 years and currently specializes in 802.11b Wireless Security, Smart Card, and GSM development, specifically to exploit their various inherent design weaknesses. He is the main developer of the bsd-airtools project, a complete 802.11b penetration testing and auditing toolset that implements all of the current methods of detecting access points as well as breaking WEP on them and doing basic protocol analysis and injection. David has spoken at numerous international conferences on Wireless Security, has published multiple whitepapers, and is regularly interviewed by the media on computer security subjects.

David Hulton is one of the founding members of Pico Computing, Inc., a manufacturer of compact embedded FPGA computers dedicated to developing revolutionary open source applications for FPGA systems. He is also one of the founding members of Dachb0den Research Labs, a non-profit Southern California based security research think-tank, is currently the Chairman of the ToorCon Information Security Conference, and has helped start many of the security and Unix oriented meetings in San Diego, CA.




"Ph0wned: Phreaking in the 21st Century"
Lance James
CTO, Secure Science Corporation
and Lucky225

The days of nefarious phone phreaks "were" over, but the new age of Voice-over-IP networks provides a new vector for security abuse and identity theft. While many have not seen the impact, IP Telephony is trivial to exploit and the results can be startling.

This presentation provides a basic understanding of the SIP protocol, as well as STUN, Outbound Proxy usage, and VoIP infrastructure. Strengths and weaknesses are discussed, with a focus on computer security, as well as the impact on consumers and law enforcement.

The presentation includes demonstrations of VoIP "spoofing" and the impacts of systems that rely on reverse lookups for access validation, as well as re-routing calls, unblocking caller-id, anonymous calling, identity theft, and phone spam.

Lance James is the Chief Technology Officer of Secure Science Corporation, a company dedicated to providing advanced technology solutions to security. He frequently lectures at colleges throughout the San Diego area on "Security & Cryptography in Data Communications", and is currently writing "Eye Own You", a book focusing on the security implications of Neurotech. In addition, he is the creator of InvisibleNet, a distributed pseudonymous framework for real-time communication on the Internet. In his off time, he breaks stuff and plays music.

Lucky225 is a 21-year-old telephone enthusiast who has been playing in the world of telephony since a very young age. He has presented at several conferences, including Defcon and HOPE, and has written for various magazines, including 2600 and Von Magazine. He co-hosts an Internet streaming radio show called "Default Radio". He is an active member of the DDP (Digital Dawg Pound), a hacking group that produces many projects such as the Binary Revolution at www.binrev.com.



"Black Ops of DNS, Part Deux"
Dan Kaminsky
Avaya

DNS is a routing, caching, globally deployed overlay network on top of the Internet. Last year's Black Ops of DNS discussed rudimentary mechanisms for manipulating that network to achieve low bandwidth but insidiously firewall-penetrating connectivity anywhere and everywhere. This year, we expand this research to show how extensive, bandwidth amplifying routes can be deployed across the two million DNS servers out there -- and demonstrate an aggressively loss tolerant protocol that can extract high speed connectivity from what's usually considered to be the lowest capacity protocol on the Internet.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.




"Quantitative Risk Assessments - possible or crack dream?" BoF
Toby Kohlenberg
Senior Information Security Analyst, Intel Corporation

With the increasing need to think carefully about where security dollars should be spent, companies are getting really enthusiastic about the idea of using risk assessments to decide what the "biggest" problems are and what the "best" way to solve them is. Being the engineering dweebs that most of us are, the obvious answer is to find numbers that represent everything and then figure out the answer. I.e., quantitatively.

Unfortunately that seems to fall into the category of a Hard Problem(tm). The only people who come close to doing this are insurance companies and they can't do it for IT-related risk yet. So everyone does "qualitative" risk assessments. I.e., they look at the problem, try to think about it in a structured fashion and then decide the risk, mostly on gut feel. NIST did a study a while back and found that quantitative risk assessments are much, much more expensive than qualitative ones and not much more accurate.

So my question to y'all is: Is it ever likely to be possible to perform quantitative risk assessments for security-related risks and, if so, what needs to happen (new tech, more data, better ouija boards) to make it possible?

Toby Kohlenberg is a senior information security specialist for Intel Corporation. He has extensive experience in penetration testing, incident response, architecture design and review, IDS, new technology analysis and various other things that paranoid geeks are likely to spend time dealing with. In the last couple years he has been responsible for developing security architectures for world-wide deployments of secure WLANs, Windows 2000/Active Directory, and IDS technologies and solutions. He is a handler for the Internet Storm Center and a co-author of the book Snort 2.1 from Syngress. He currently holds the CISSP, GCFW, GCIH and GCIA certifications.



"Google Hacking"
Johnny Long

This presentation explores the explosive growth of a technique known as "Google Hacking". When the modern security landscape includes such heady topics as "blind SQL injection" and "integer overflows", it's refreshing to see such a deceptively simple tool bent to achieve such amazing results; this is hacking in the purest sense of the word. Attendees will learn how to torque Google to detect SQL injection points and login portals, execute portscans and CGI scans, fingerprint web servers, locate incredible information caches such as firewall and IDS logs, password databases, SQL dumps and much more - all without sending a single packet to the target! Borrowing the techniques pioneered by malicious "Google hackers", this talk aims to show security practitioners how to properly protect clients from this often overlooked and dangerous form of information leakage.

The speaker, Johnny Long, maintains the Internet's most comprehensive database of Google exposures on his website, http://johnny.ihackstuff.com.

Johnny Long did not develop his skills within the hallowed halls of higher learning but rather by spending way too many late nights huddled in front of his computer, developing his anti-social tendencies.

Mr Long (Johnny's professional alter-ego) has previously presented at SANS and other computer security conferences nationwide. In addition, he has presented before several government alphabet-soup entities including three starting with the letter 'A', four starting with the letter 'D', a handful starting with the letters 'F' and 'S' and two starting with today's letter, the letter 'N'. During his career as an attack and penetration specialist, Mr Long has performed active network and physical security assessments (one in the cube is worth twenty on the net) for hundreds of government and commercial clients.

Johnny Long is the Author of 'Google Hacking for Penetration Testers', available December 2004 from Syngress Publishing.




"CUTLASS - Encrypted, Peer-to-Peer Communications for Everyone"
Todd MacDermid, Jack Lloyd, Kathy Wang, and Nash Foster
Syn Ack Labs

Users on the Internet are rapidly shifting to more advanced and diverse forms of communication. Classic methods of communication such as SMTP and IRC are being replaced by peer-to-peer file transfer, voice chat, and text messaging systems. Unfortunately, the popular protocols are not secure, and the secure protocols are not popular.

Cutlass aims to fill the niche for tools powerful and usable enough to be broadly popular, while still providing strong encryption and authentication, all in a BSD-licensed package. Cutlass is not a strong anonymity system, as those requirements often create software that only security nuts will use. Cutlass is an open source competitor to Skype, without the licensing mess of WASTE, providing any group of users with the ability to set up secure cells of communication.

Come and hear about the Cutlass design process, the protocol overview, see a live demo, and learn why you should be using Cutlass to protect your communications on the Internet today!

Todd MacDermid is hopelessly addicted to bit-twiddling and tweaky network hijinks. He's created a wide variety of open-source security tools, including steganographic network tunnels, encrypted mailing lists, and packet-mangling libraries. He has spoken at many conferences, including ToorCon, BlackHat, Rubicon, Notacon, and HOPE.

Jack Lloyd is your basic crypto/coding/Unix geek. He has written, among other things, a C++ crypto library, a VNC password cracker, and a Linux Security Module. While at Johns Hopkins he worked on OpenCM, a secure source code management system. He likes urban wildlife, dive bars, and kitties.

Kathy Wang has loads of fun working with computers from both the hardware and software sides. Her background ranges from blowing up Alpha chips at DEC to authoring Morph, an OS fingerprint cloaker tool. Kathy has spoken at several security conferences in the past, including DEFCON, HOPE, Notacon, and ToorCon. She graduated from The University of Michigan with a BS and MS in electrical engineering.

nash e. foster joined the cutlass team to help design and implement the voice over IP functions; nash has developed enterprise software and security solutions for Fortune 500 corporations and is currently a Principal Security Architect at TruSecure Corporation, where he's developing risk modeling and analysis technologies for the financial industry.




"Old Skewl Hacking: Infra Red - MMIrDA (Major Malfunction's Infra Red Discovery Application)"
Major Malfunction

Major Malfunction spends a lot of time travelling. Consequently he spends a lot of time in Hotels. Hotels have Pay-Per-View. Hotels have infra-red remote controlled TVs. And so, to while away the hours, MMIrDA was born...

Infra Red is all around us. Most of us will use an Infra Red controller on more or less a daily basis, to change the TV channel, or open a car or garage door, but how often have you thought about how it actually works? This talk will describe not only how to analyse the signals being sent by your remote, but also how to use that information to find hidden commands and reveal functions you didn't even know your systems had. You will learn how to brute force garage doors, car doors, hotel pay-per-view TV systems, take over LED signs, vending machines and even control alarm systems, using cheap or home made devices and free software.

DEFCON Goon since DC5. White Hat hacker since the late 70s. Co-founder of InterFACE, one of the earliest Internet streaming pirate radio stations (1995).



"Automated Blind SQL Exploitation"
Nummish

Because of improper software design and implementation practices, the number of web-based applications vulnerable to SQL injection is still alarmingly high. Yet the actual steps used to exploit these applications remain very tedious and repetitive. This presentation will focus on methods available to automate the task of exploiting blind SQL injection holes and will discuss the use of pattern recognition in the domain of web applications. The audience will be given a tour through the logic used for "Absinthe", the 0x90.org blind injection tool.

Cameron Hotchkies, aka nummish, is a member of the 0x90.org digital think-tank, and holds a B.Eng in Software Engineering. He currently develops business based applications on the .NET platform. Outside of work, he generally spends most of his time writing code. Some people have suggested he get out more.



"Lockpicking 101" BoF
Deviant Ollam

Physical security isn't just a concern of the IT world. Besides securing server rooms, locks of all sizes and styles are scattered throughout our lives. However, much of the general public is unaware of the insecurities present in many lock designs. Through discussion and direct example, Deviant Ollam will address the strengths and weaknesses of standard pin tumbler locks, combination locks, warded locks, wafer locks, and more. Along with discussions of effective tools, advanced techniques, and master key theory, this talk is aimed at lockpick novices who are interested in better security and learning lockpicking skills. While always the first to admit that he's no Barry Wels, Deviant hopes to have a good time with this lockpick talk and looks forward to hands-on audience participation. Many styles of practice locks and picks will be made available.

While paying the bills as a network engineer, Deviant Ollam's first and strongest love has always been teaching. Employed periodically at schools in the greater Philadelphia area, Deviant is presently a student at the New Jersey Institute of Technology in the hopes of tacking some actual letters to his name and doing the professor gig full time. Often seen at events like HOPE and DefCon, this is his first time officially on stage as a speaker.



"Opening Remarks, Yet-Another-Rant, and Your Pre-Con Pep-Talk"

"Closing Remarks, and Your Last Chance to Throw Shmooballs"

Bruce Potter
The Shmoo Group

Bruce Potter is a Senior Associate with Booz Allen Hamilton. Mr. Potter is the founder of the Shmoo Group of security professionals. His areas of expertise include wireless security, large-scale network architectures, smartcards and promotion of secure software engineering practices. Mr. Potter coauthored the books "802.11 Security", published in 2003 by O’Reilly and Associates, and "Mac OS X Security" published by New Riders in May 2003. Mr. Potter is coauthoring "Master FreeBSD and OpenBSD Security" with O’Reilly and Associates with a publication date in summer 2004. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks.



"Frustrating Automated Static Analysis of Binaries"
Pusscat
Ghetto Hackers

As industries evolve and mature, the natural progression is to turn toward the automation of tasks. The computer security space is not immune to this law of business, and consequently, the prevailing trend in software vulnerability detection is toward automation. While tools for detection of vulnerabilities are not new, they have historically performed a grep-style check of the source for known unsafe functions, rather than performing any useful logical analysis of the software.

Currently, analysis is taking the leap into the next generation. We are beginning to see the first generation of auditing tools which transcend source code pattern matching, and perform legitimate logic and flow analysis. In this age when the security of software is finally beginning to become a focus of industry and government, these tools will supplant the efforts of manual auditors when the security of a product must be confirmed. Their consistency and thoroughness will be relied upon heavily.

This paper will discuss several techniques for frustrating the automated analysis and reverse engineering of binaries using techniques at the source code, assembly, and binary level. These techniques will then be demonstrated against such tools as IDA, in order to show that it is possible to hide data not only from simple pattern based tools such as virus scanners, but also from more robust decompilation tools.

Puss was so sadly terrified at the sight of malicious code so near her that she immediately got into the debugger, not without abundance of trouble and danger, because of its obfuscation, which was of no use at all to her in analyzing the program. A little while after, when Puss saw that the program had resumed its natural form, she stopped the debugger, and owned she had been very much frightened.

"I have been, moreover, informed," said the Cat, "but I know not how to believe it, that you have also the power to take on you the shape of safe code; for example, to change yourself into unreadable opcodes; but I must own to you I take this to be impossible!"




"The Evils of XSS: It's not just for cookies anymore"
Anton Rager

Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and don't have the ability to execute multiple transactions against an XSS vulnerable site.

This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victim's browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser; this is way beyond cookie theft, as an attacker is actually using the victim's browser to access the site. Attack modes can include transparent site traversal through the victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.

A new tool (XSS-Proxy) will be introduced that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers. Other tools may be introduced and discussed that assist with the identification of XSS flaws in sites as well as initial injection vector creation for later use in XSS-Proxy.

Anton Rager is a Sr. Security Engineer with Avaya Labs and a founding member of Avaya's Enterprise Security Practice. He specializes in vulnerability research, VPN security and wireless security and is best known for his WEPCrack, WEPWedgie and IKECrack security tools. He has presented at Defcon, Toorcon, Interz0ne and many other lesser-known conferences, and was a contributing technical editor to the book Maximum Wireless Security.

In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.



"The Warpack: perverting wearable computing on a budget"
RenderMan

Defcon 12 had an interesting and amusing sight wandering around the con for the Wardriving Mini-contests. It was RenderMan and the 'Warpack', a custom built backpack mounted laptop for use in the contests. This presentation will focus on the idea, construction, use and evolution of this novel concept in wearable computing and Warwalking, as well as Q/A and audience suggestions/comments for future development.

The Mark I version was the one that made its debut at DC12. Part of the presentation will cover the reasoning (however odd), construction techniques and usage for this version. The remainder will focus on new developments since then for the Mark II, including new antenna mounts, new wardriving equipment, external Kismet monitor, and a sleeker design.

A fixture of the Wardriving community, RenderMan is most known for the 'Stumbler Ethic' and as one of the organizers for the 'Worldwide Wardrive'. He is also a staff member of Michiganwireless.org, host of the premiere wardriving software archive. Not usually far away from any wardriving news, often causing it himself, he tries to advance wardriving as an acceptable hobby and movement for increasing wireless security awareness.


"Building Target-based IDS: Snort on the Move"
Martin Roesch
Sourcefire

Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Detection System (www.snort.org) that forms the foundation for the Sourcefire product suite.

Over the past eight years, Martin has developed various network security tools and technologies, including intrusion detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc., and the Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for numerous government and large corporate customers. Martin has been interviewed as an industry expert in multiple technology publications, as well as print and online news services such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Snort has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analyst's Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others. Martin has also been the recipient of the 2004 InfoWorld IT Heroes Innovator Award as well as winning the 2004 "40 Under 40" award from the Baltimore Business Journal.

Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University.



"Practical Privacy and Anonymity for Hackers" BoF
Simple Nomad

Everyone talks about privacy and anonymity in terms of usage of technology, but rarely talk about the day-to-day applications of technology to enhance that desired privacy and anonymity. This talk starts where the others end -- the application of technological solutions to real world problems.

Once you've answered the question of "if" when it comes to encryption, steganography, covert channels, the next questions such as "how" and "when" need to be answered. Do you know when to use (and not use) encryption? Are there implementation issues in using covert channels? Does a healthy level of paranoia online translate to your offline world as well?

This talk will not only cover online issues such as the proper deployment of covert channels and encryption, but other real life issues such as dealing with direct deposits, handling your bank accounts, what to shred and why you should burn it, travel tips, and many other issues. Expect a lively and entertaining talk from a paranoid for the paranoid.

Simple Nomad is the founder of the Nomad Mobile Research Centre, an international group of hackers that explore technology. By day he slices and dices computers as a Senior Security Analyst for BindView Corporation. He has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a frequently sought lecturer at security conferences, and has been quoted in print and television media outlets regarding computer security and privacy. He believes that Those Who Secretly Run Things are purposely losing his luggage, tapping his phone, and misdirecting his mail.



"Binary Difference Analysis via Phase Cancellation"
Joe Stewart and Mike Wisener
LURHQ

Binary difference analysis is becoming more popular due to a rise in the number of patches released from Microsoft and the increase in long-running multi-variant malware. An interesting approach was taken by Halvar Flake using graph analysis to determine differences in binaries; however, this method has some drawbacks, one of which is the post-analysis data representation.

Other than the math-intensive graph isomorphism technique, the other obvious approach is to use fingerprinting to identify key characteristics of code, and find non-matching sequences. However, this method is also somewhat limited.

We propose a new analysis system, using methodology borrowed from the audio/RF world: phase cancellation. By applying these techniques, it is possible to overcome some of the drawbacks of both prior methodologies and present a clear picture of what has changed between two binaries. We present two new tools - OllyPerl, a plugin to allow scripting of the OllyDbg debugger in Perl, and WaveDiff, a Perl script which implements the phase-cancellation difference analysis described in the paper. Full source will be provided for both tools.

Joe Stewart, GCIH - Senior Security Researcher with LURHQ, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for four years. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot and other cyber-threats and attack techniques.

Mike Wisener, GCIA - Senior Security Analyst with LURHQ, has been working in the Information Security field for three years, and has handled millions of intrusion events for LURHQ clients while monitoring their corporate networks from the Secure Operations Center. Mike received his Bachelor's degree in Computer Science from Coastal Carolina University where he served as the BOFH for the CS student server, sometimes also known on campus as "the jerk who says I can't use telnet anymore".




Linksys WRT54G / WRT54GS "Magical transformation into a useful piece of equipment or a brick"
Sysmin and Quigon

The Linksys WRT54G and WRT54GS series of access points can be purchased at many major retail computer and electronics stores. Many purchasers never realize the true functionality of these access points, and let's face it, many will not even change the defaults. Using custom firmware and software packages these items can be transformed into more functional pieces of equipment that can be used in a wide variety of situations with little or no extra cost.

The first part of the presentation compares some of these custom firmware distributions and how to expand their functionality by:

• VPNs
• 802.1x authentication
• SSH tunnels
• Hotspots
• IPTables firewalls
• IPv6
• Logging
• Custom Antennas
• IDS functionality
• Community networking
• and more....

In addition, there is also a useful and entertaining section on what to do when firmware fails. The configuration of the devices involved is discussed and examples shown. The goal is to make it as easy as possible to extend additional functionality in these devices. Many access points capable of this functionality are significantly more costly and usually out of reach of the normal consumer. Using custom firmware such as OpenWRT or Sveasoft can put this functionality into the hands of the normal consumer.

The second part of the presentation deals with using the WRT as an attack vector. This involves the WRT attacking either its own network or the network of another. These are purposes for which the WRT was not originally intended.

Sysmin resides in Jacksonville, FL where he provides systems administration services for a government contractor. He has many years of experience in networking, systems administration, and information security. Most of his experience was gained in a military and government contracting role. Sysmin is currently finishing up his Master's degree in Information Technology and Information Security studies. He enjoys public speaking and has had the pleasure of speaking at many venues including Def Con, PhreakNIC, and Interz0ne. Sysmin is also a member of the development team for Fu-King Linux, an IPv6 enabled Linux security distro. He is an active member in the JaxLUG and is currently Vice President of the Jacksonville 2600. When he has some free time you can find him producing music, putting his RIAA toilet paper to good use, wardriving, and even dabbling in the world of parapsychology.

QuiGon resides in Jacksonville, FL and is currently providing system administration services to The Robin Shepherd Group, an advertising and marketing firm. He has 10 years of experience in electronics, system administration, networking and system security. Gene is best known for his work on the North American IPv6 Task Force, The North American IPv6 Forum, and his work on Fu King Linux (an IPv6 enabled distribution of Linux), which includes security tools that can be run in IPv4 or IPv6 environments. He has also spoken on IPv6 and other topics at several venues including Def Con, PhreakNIC, and Interz0ne. When not totally absorbed by system security related issues, Gene can be found wardriving, actively participating as Vice President of the JaxLUG, and building a successful and dynamic 2600 chapter, of which he is currently president.




"The Clue Enforcers"
Rodney Thayer
The Shmoo Group

An interactive presentation based on a talk show format, The Clue Enforcers offers a sometimes irreverent, sometimes radical, always highly technical view on today's security landscape. Part Johnny Carson Show, part Buckaroo Banzai, part Prairie Home Companion, we have monologues, news reports, and interviews with special guests. This is not your average talk, this is technology as performance art. Join us for an entertaining evening as we explore the clue -- or lack thereof -- that we all know you can find in the security marketplace. YOU are the Clue Enforcers!



"Zen and The Relevance of Perception to Cyber Security, or, When is a Network Not a Network?" BoF
Richard Thieme

Drawing on the wisdom of some of the best minds in security and intelligence, this talk uses insights from Zen practice to challenge security practitioners to call into question how they think about computer networks and security, and more than that, how they think about thinking. The intention of the talk is to press people to leave their comfort zones, however expert they might be, in order to observe themselves thinking about attacking and defending networks, then build the disciplines that will make such self-examination habitual and frequent. Such practice leads over time to genuine mastery.

Richard Thieme is a frequent speaker at hacker and security cons. He has spoken for Def Con and Black Hat for nine consecutive years as well as for the Pentagon, the FBI, the US Department of the Treasury, and Los Alamos National Laboratory. Corporate clients include GE, Medtronic, Johnson Controls, and UOP. A former contributing editor for Information Security Magazine and sometime writer for Wired, Forbes Digital, and the Village Voice, he has been publishing fiction lately, including two hacker/intel stories in the recent edition of Phrack.



"Automated WarSpying"
Frank "Thorn" Thornton

My project is an automated WarSpying program. Using commercial off the shelf hardware linked to specialized software, you drive an area, automatically grabbing JPEGs off any available ISM camera, such as the infamous X-10. A GPS will record the location of the receivers, using standard NMEA sentences. The hardware setup will scan a minimum of 4 standard video channels in the ISM band.

Frank (Thorn) Thornton runs his own technology-consulting firm, Blackthorn Systems, which specializes in wireless networks. His specialties include wireless network architecture, design, and implementation, as well as network troubleshooting and optimization. An interest in Amateur Radio has also helped him bridge the gap between computers and wireless networks.

Frank's experience with computers goes back to the 1970's when he started programming mainframes. Over the last thirty years, he has used dozens of different Operating Systems and programming languages. Having learned at a young age which end of the soldering iron was hot, he has even been known to repair hardware on occasion.

In addition to his computer and wireless interests, Frank was a Law Enforcement Officer for many years. As a detective and forensics expert he has investigated approximately one hundred homicides and thousands of other crime scenes. Combining both professional interests, he was a member of the workgroup that established ANSI Standard ANSI/NIST-CSL 1-1993 Data Format for the Interchange of Fingerprint Information. He resides in Vermont with his wife.

Frank is a co-author on "WarDriving: Drive, Detect, Defend" and contributor to "IT Ethics", both by Syngress Publishing.




"Reconstructing Root Fu; A post-mortem"
Peter "Divide" Zdebski
Ghetto Hackers

Divide: Security analyst, adventurer; has been involved with design and development for the Root Fu hacking contest since its inception 3 years ago. During that time Root Fu has grown from a thought experiment to the de facto standard of competitive hacking contests. Divide is currently located in Seattle where he is employed as a security consultant.



About "Shmooballs"

Everyone who attends ShmooCon receives a Shmooball, which may be used during a presentation, by attendees, as the physical manifestation of their objection to statements made by a speaker. The Shmooball is not about personal hostility--so don't "bean" a speaker with your Shmooball. The Shmooball is about technical or philosophical disagreement--so if you hear something you don't agree with, let your Shmooball fly, in as orderly a manner as is possible. Shmooballs are finders-keepers, so choose your moments and manner of objection wisely. Naturally, hoard Shmooballs when the opportunity presents itself--you never know when you'll need extra ammo. Speakers, heads-up!



About "Hack-or-Halo"

Some people can hack. Some people can game. Hack-or-Halo just puts those people in the same room. If breaking into boxen is your thing, then step up, jack in, and go head-to-head against other hackers to see who can own their Swiss-cheese target first. If laying the Halo smackdown is your thing, then step up, grab a controller, and go head-to-head against other gamers to see who can rack up the most kills. Whether it's hacking or Halo, you've only got 5 minutes for each round. The winners get to stay, while the losers walk away--and the empty seats get filled by new challengers. The last hacker or gamer standing has to defend themselves against the winningest competitor of their respective competition, with a final champion in each competition winning a grand prize. It's a "run what you brung" event, so start polishing your Xbox skills, or auto-rooters, ASAP.


About the Speaker Party

Saturday night of the con, the Shmoo and the ShmooCon speakers will be at one of the coolest nightclubs in D.C.: FUR! Show your ShmooCon badge at the club entrance and you get in for FREE, to boogie to your heart's content. The private speaker party with open bar in the Mafia Lounge at FUR runs from 10 to midnight, and features spinning by everyone's favorite West Coast, DefCon & ToorCon-infamous DJ, Keith! While getting into the club for free only requires a ShmooCon badge, to get into the private speaker party in the Mafia Lounge you will need a special speaker party pass--only given out to ShmooCon staff, speakers, and attendees who reserved a room at the conference hotel. If you didn't reserve a room at the conference hotel, or you aren't a speaker, then you'd better practice your social engineering skills to score a pass to the speaker party! Rumor has it speakers will have extra passes to distribute as they see fit--perhaps to people who ask clueful questions during their presentations?
