Monday, February 18, 2013

ShmooCon 2013: Experiences and Reflections

Here are some thoughts and experiences from ShmooCon 2013.

1 Labs

I spent Thursday morning to Sunday evening working ShmooCon Labs. The labs are a group of volunteers that stand up the networking infrastructure for ShmooCon: fiber, switches, routers, DHCP, DNS, IDS, network monitoring. This is all done in under 36 hours by volunteers using donated hardware (shout out to Matt Hum and Enterasys for providing a metric-boatload of switches, defined as an entire pallet).

My main support to the effort was helping with the layer 1 and 2 setup early on. Nothing else works until the photons, electrons, frames and packets start flowing. Switch-configs-R-Us. The making of sausages, laws and the innards of hotel wiring closets, telco rooms and NOCs are similarly not pretty.

Enterasys also loaned 50 wireless access points (WAPs). We wound up only needing to deploy 40. The end result was a redundant 10G core (Matt was shooting for 20G but had issues) feeding a 20Mb up-link. There were 3 wireless networks, one open, two secure (well, maybe not, considering the [ab]users). There were VLANs for admin, each of the teams, the wireless networks, and the various sub-events. Palo Alto Networks provided the layer-3 firewall, and Liam Randall had Bro running on the Security Onion doing data capture and monitoring. AOL also monitored the network using their newly released tool, Moloch, capturing packets and indexing them. The team brought up IPv6 on the wireless network, because they could. The network "Hum-ed" (sic) along for the required 48 hours, supporting the 1700 attendees' needs and various events. Then we tore it all down.

I would highly recommend working labs if you:

  1. like to play with networking gear
  2. like to make things work
  3. want to learn something new
  4. have some tool, tech, etc. you want to try out
  5. want to work with some great people for a long weekend

The kicker is, of course, that you need to get a ShmooCon ticket before you can register for labs. Thanks to Liam Randall (@hectaman) for giving me his speaker +1 ticket.

2 Talks

The surface level justification for attending cons and workshops is the talks. Here are a few things that caught my attention:

2.1 Opening Remarks

  • Bruce Potter said, among other things, that ShmooCon is moving more towards defensive technologies.

2.2 Panel Discussion: Hackers get Schooled: Learning Lessons from Academia

This was an interesting subject. What are the differences between academic papers and conferences and "hacker cons"? What's good about peer-reviewed work vs. a random tweet or pastebin entry describing a new exploit? A few quotes (see the video for attribution):

  • "Research is the art of failing until you don't"
  • "My job as an academic is to disclose. To think of things and tell people.", Matt Blaze (@mattblaze), in the context of discussion of full-disclosure and release of exploits.
  • "A new way to own a Cisco router is a one-off, not new, fundamental results". This is part of the difference between what makes a good talk at a hacker-con and an academic result.
  • "If it changes the way you think, it's research"
  • "Hackers aren't serious, academics aren't useful", Matt Blaze, quoting a possibly-true-at-times truism
  • "The best stuff at hacker cons is just as deep as the best academic papers" … in the context of discussion of peer review.
  • "Academics and hackers leave different artifacts and have different rewards."
  • "The research process can be overbearing/stifling to the hacker process"
  • "It's hard to cite a tweet. The hacker body of knowledge can be very ephemeral", Bruce Potter.

2.3 Panel Discussion: Running a Capture-The-Flag (CTF) Event

A number of the core labs team got together after labs last year and decided to participate in the construction and execution of a capture-the-flag event. This talk shared their lessons learned. Many interesting observations. Watch the video. The one really high level take-away for me is that CTF events are, fundamentally, sociology experiments where technology is only the medium. I'm becoming convinced that this is true of the field as well.

2.4 Talk, Demo: Moloch: A New and Free Way To Index Your Packet Capture Repository

If you thought it was fun to read AIM messages from your friends, why not read all the AIM messages from everyone on your network, and their DNS queries, and their email, and their downloads, and their malware? Full packet capture, archiving and indexing can be fun and useful for network defense and forensic investigation. Who's running old versions of Java? Who downloaded malware that matches known malware hashes? That's some of what the Moloch tool does. It was released by AOL as open source on GitHub with the aim of doing all that in a scalable fashion (as in, on the scale of AOL's network).

2.5 Talk, Demo: NSM And More With Bro Network Monitor

Liam Randall talked about Bro. He said to "Think of it as a domain specific Python" [for processing packets and network events]. He covered the "Bro Model", which comprised events for packets and higher level network objects, scripting, and the Bro IDS as one ("the first great") application of the object and scripting model. He discussed the scripting model, where analyzers unroll protocols, events are placed in queues and event handlers pull events from the queue. Earlier he had rolled a Twitter-bot to post live events to Twitter as Bro watched the ShmooCon network (such as people connecting to known malware sites, etc). He provided a number of example scripts, including the Twitter-bot, scripts to examine various extracted protocol elements and HTTP brute force detection at
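The event model described above (an analyzer turns traffic into events, events wait in a queue, handlers pull them off and may raise further events), sketched in plain Python with an HTTP brute-force counter as the handler. This is an added illustration, not Bro script and not one of the example scripts from the talk; the class and function names, the threshold and window values, and the sample records are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of parsed HTTP replies: (ts, client, method, uri, status).
SAMPLE_HTTP = sorted(
    [(float(i), "192.0.2.10", "POST", "/login", 401) for i in range(6)]          # fast guessing
    + [(100.0 * i, "192.0.2.20", "POST", "/login", 401) for i in range(5)]       # slow, spread out
    + [(1.0, "192.0.2.30", "POST", "/login", 401), (2.0, "192.0.2.30", "POST", "/login", 200)]
)

class EventEngine:
    """Minimal event queue: handlers subscribe by event name and are run in FIFO order."""
    def __init__(self):
        self.queue = deque()
        self.handlers = defaultdict(list)

    def on(self, name, handler):
        self.handlers[name].append(handler)

    def raise_event(self, name, **fields):
        self.queue.append((name, fields))

    def drain(self):
        while self.queue:
            name, fields = self.queue.popleft()
            for handler in self.handlers[name]:
                handler(**fields)  # a handler may itself raise new events

def http_analyzer(engine, records):
    """Stand-in for a protocol analyzer: one 'http_reply' event per transaction."""
    for ts, client, method, uri, status in records:
        engine.raise_event("http_reply", ts=ts, client=client, uri=uri, status=status)

def detect_bruteforce(records, threshold=5, window=60.0):
    """Return (client, ts) for each client reaching `threshold` 401s within `window` seconds."""
    engine, notices = EventEngine(), []
    failures = defaultdict(deque)  # client -> timestamps of recent 401 replies
    flagged = set()                # report each client once

    def count_failures(ts, client, uri, status):
        if status != 401 or client in flagged:
            return
        recent = failures[client]
        recent.append(ts)
        while ts - recent[0] > window:  # drop failures that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            flagged.add(client)
            engine.raise_event("notice", ts=ts, client=client)

    engine.on("http_reply", count_failures)
    engine.on("notice", lambda ts, client: notices.append((client, ts)))
    http_analyzer(engine, records)
    engine.drain()
    return notices
```

Only the client that fails five times inside the window is reported; the slow guesser and the user who mistyped once stay below the threshold, which is the tuning trade-off any such counter has to make.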

3 People

The real justification for attending cons and workshops is the people. Networking. Social networking. The in-your-face-not-facebook kind of social networking. I did lots of that. It's amazing how small the social diameter of the profession is.

4 Bling

  • How many black T-shirts do you need?
  • The best bling were mice with LEDs and a real scorpion embedded.
  • One of my coworkers got a copy of Control-Alt-Hack card game for correctly answering a trivia question.
  • The proprietor of SkyDogCon was handing out M.C. Escher-esque interlocking lizard puzzle pieces.
  • Palo Alto Networks was giving away copies of the multiple-ending book "Data Center of Doom", advertising, but entertaining advertising.

5 Pictures

Here are some pictures of the Future of Banking Summit in Paris, France (do you believe everything you read online?). Permission given by all human subjects. I didn't ask the seagulls.

The sign on the hotel networking rack was amusing, they seem to have forgotten that "All your ports are belong to us."

6 Proceedings, Videos

The presentations and videos will, presumably, be available at soon. Some are available now at

7 FloCon

Lastly, shameless plug. If you like ShmooCon, consider attending next year. We focus on large-scale defensive technologies (usually involving Netflow analysis), but, alas, no Shmoo Balls…