ShmooCon triumphs and failures

Information security conferences are loved and hated. Defcon is a zoo. Blackhat and RSA are both a corporate oxymoron and expensive. There are now several others seemingly with ups and downs. ShmooCon passed and I had an interesting weekend spending too much time at the bar, being a bit inspired, and discovering a mild distaste for the failures of so-called security professionals.

My only real problem with the conference was the timing of the Ghost in the Shellcode event. I was really hoping to spend more time on a hostile network getting my laptop owned by people who actually know what they are doing. Unfortunately, you have to choose between being engaged with the game or seeing talks, as they both finish at approximately the same time each night.

The keynote from Peiter Zatko, or the nom de plume we have always known as mudge, was far more intriguing than expected. The talk Jack Daniel gave at the firetalks was inspiring and left me wondering if I’ll hit career burnout again or persist to fade away.

I have a much better understanding of the disgust and relentless torment the blackhat community provides the security industry. Unfortunately, a large percentage of security professionals are not technically savvy, much less programmers. The business world has somehow failed to differentiate a theory consultant from an admin who has the skills to actually implement best practices. Hackers write code, discover flaws and new attack vectors, and compromise systems. The bulk of security professionals lack the ability to accomplish any of these tasks, nor do they even practice what they preach. Watching the traffic of the shmoocon-open SSID, I saw an alarming number of credentials of well-known security professionals pass across the network. Allowing such information to cross a totally unsecured and extremely hostile network falls into the basic “things you just don’t do” category.

An epic flaw from those who preach about how flawed things are.

I wish I could say I wasn’t just as guilty as everyone else.