Suits, Shmoos & Security Sense

This con is the first thing I’ve experienced that effectively challenges the discomfort ‘security suits’ can feel when mixing with hackers. I was told that would be the case, but you have to see and experience to believe. It’s both what you expect, and what you only discover if you make the effort and get off your proverbial. I have a technical background and hugely varied circle of contacts on social media, but that didn’t stop me being apprehensive.


Virginie (@fl3uryz) and Cheryl (@3ncr1pt3d)

Luckily I had the lovely Cheryl Biswas – also not a hacker – by my side (she’s produced her own excellent write up of her first Shmoo). She persuaded me to make this my first US con based on experience she’d had at DefCon. One contact quickly became two, then four, and so on. Spiralling outwards in a Fibonacci sequence of acceptance and honesty.

Yes the content, in part, was WAY above my head, but not so far above I couldn’t find hooks from my network past and GRC present. In fact, in one of the most deeply technical talks: Crypto and Quantum and Post Quantum (Jean-Philippe Aumasson, Principal Cryptographer at Kudelski Security), I found lots I understood. Not the deeply mathematical roots from which a qubit enabled future will grow, but these things from his summing up which I hope he’ll forgive me for paraphrasing:

Screen Shot 2016-01-21 at 17.58.51

Quantum computing is coming…but it’s not here. D-Wave machines, the much speculated about Google behemoths, are not it. They’re quantum-ish. In fact, in certain situations, the $15 million D-Wave Two is still no faster than the computer on your desk.

So for crypto, and the sake of your short and medium-term security sanity, Jean-Philippe suggested some more realistic focal points:

RSA 3072 or RSA 256 elliptic curves, and at least 256 bit symmetric keys.

Do so for your data crown jewels and you’ll land squarely in the top 1% of crypto-using companies…well…if it’s implemented properly and keys don’t go walkies.

Long live individuality, acceptance and collaboration

And that, right there, set the tone for me. I’ve spent some considerable time telling anyone who’ll listen to strike a rational balance between bright shiny boxes, unlikely exploits, and the stuff that’s basic and broke. A theme clear across many talks. Other principles I hold dear were also very much in evidence:

  • Security awareness is NOT a waste of time…its part of our security foundations
  • We have to empathise and respect the pressures others face to begin to change minds and behaviours
  • Being afraid isn’t the same as being at risk, and being at risk isn’t the same as being at immediate or intolerable risk

Overall, and contrary to the uneducated perception of many non-hackers, this wasn’t a techie circle jerk (scusing the imagery). It was information and education grounded in security reality. Sure there were some fantastically impressive demonstrations of boundary-pushing skills and exploits. Things like Travis Goodspeed’s hack of a $140 handheld digital mobile radio, to turn it into a hardware scanner for digital mobile radio (he’s a maestro with both the kit and the audience). Using hacks of z-ware smart energy control systems to burn out lighting (Breaking Bulbs Briskly by Bogus Broadcasts, Joseph Hall and Ben Ramsey). Not to mention hacking password safe browser plug-ins to scoop all the credentials for all the things (LostPass: Pixel-perfect LastPass Phishing, Sean Cassidy).

But, in keeping with founder principles, there was a great balance struck and plenty of evidence we all ultimately want the same things and can speak a common language.

There are a few posts that might come out of this trip. Definitely one on the uphill and heroic struggle to influence and inform government policy making around security (You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement, Greg Conti – moderator, Mara Tam, Vincenzo Iozzo, Jeff Moss, and Randy Wheeler) and Jen Ellis’s related talk I sadly missed due to a scheduling conflict. There will also be one around Andrew Kalat’s talk: Online, No One Knows You’re Dead, and all the grief piled on top of grief when you don’t give your loved ones the means to unravel your virtual world.

Cons within Cons

IMG_20160118_110759Then there was LobbyCon. Where much else happens under the radar…like an impromptu round table on improving diversity in the tech and more general security community. A truly insightful debate between a number of attendees all committed to breaking down barriers to entry.

There were also the occasional ‘checks’ on local security (so much still runs on XP!) and lots of the great and good of security making time to listen and discuss with anyone brave enough to introduce themselves. That’s not ignoring all the personal tributes to Rance (@reverance), a much loved and hugely valued member of the community who sadly died this year. And it wasn’t a one-off and purely emotional response. Money raised in his name will be put towards a scholarship for someone wanting to break into the field, but struggling to find finance. Evidence of the close relationships that get built in this world and the ingrained sense of responsibility to create opportunities and share with others.

Finally there was SmokerCon (yes I’m overdue to quit again). Shmooers shooting the breeze with guests and delegates from other hotel events. Including , on this occasion, the Martin Luther King Jr. Civil and Human Rights conference. Folks who REALLY understand summary judgement and related treatment meted out off the back of it. I was party to many chats where non-security folk benefited from brilliantly simplified, expertly tailored, and practically relevant security advice. We all gain when Joe and Jane public get what matters, and there were many chilly folk who went off determined to do more stuff to keep their devices and data safe. In return I and many others heard some inspirational stories of hardship, fighting through it, and tireless effort to improve life for disadvantaged people everywhere. A mutually honest, open, beneficial, and sometimes sobering experience. Security awareness in true empathetic, give and take action.

Parting thoughts

So, at the end of it all, would I go back? In a heartbeat (pennies and screen refresh allowing). I understand the need for vendors to showcase their wares, and for higher-level strategic discussion, but too many cons have devolved down to the usual suspects doing the rounds and largely offering thoughts rather than practical advice (recycled thoughts at that). This, thanks to all the effort made by Bruce and Heidi (and the rest of the Shmoo Group) was very different. And, in my opinion at least, a better breeding ground for the collaboration and innovation we need to keep ourselves, our businesses, and our loved ones safe. Worth also remembering it’s run by folk volunteering their time and includes huge effort to fund raise for chosen charities, so to sponsors and private individuals out there, do consider contributing (

Finally a huge thank you to all who made me welcome, and who knows (having watched Jessy Irwin’s entirely non-technical talk get such a great audience and reaction – Speak Security and Enter: Better Ways to Communicate with Non-Technical Users), I might even chuck my hat in the ring to speak. But, whether or not I make the transatlantic Shmooward trip again, I’m glad the Shmoo community is there, both for the reasons I knew before I went, and all the many reasons I’ve now added to the list.


2 replies »

Want to add to the discussion?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.