Notes from Shmoocon 2014

As I sat by my gate at DCA airport I had a moment to collect my thoughts about the whirlwind that was the last 72 hours. That whirlwind was none other than Shmoocon 2014.

For those of you who might not be familiar with it, Shmoocon is a smaller security conference that takes place every year in Washington DC. This was the tenth iteration of the conference and my third time in attendance. 


ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It and Bring It On.

While there was a lot of good content I am always amazed at the sidebar that is commonly referred to as "Lobbycon". This is where attendees congregate and the conversations that result are nothing short of enjoyable. I could best characterize this as an "Infosec family meeting".

It is a very relaxed, inclusive atmosphere.

There is no shortage of things to see and do at Shmoocon, and this year was no different. Some of the highlights included a lock pick village, Shmoocon Labs and the Hack Fortress. In addition, there was a large group of students at the conference. It was really nice to see them introducing themselves to other folks and to watch the connections being made. A perfect example of this was a young student I met at Shmoocon 5 by the name of Matt Johansen, who now enjoys a successful career with WhiteHat Security.

Another aspect of Shmoocon is that it lends itself nicely to recruiting for companies. A large pool of talent shows up, and the chances of people finding a new opportunity are very much in their favour.

What was my takeaway? The best part of the conference for me was the part that happened after I had already left: the announcement by Microsoft Senior Security Strategist Lead Katie Moussouris that ISO 30111, Vulnerability Handling Processes, had been published.

From ISO:

ISO/IEC 30111:2013 gives guidelines for how to process and resolve potential vulnerability information in a product or online service.

ISO/IEC 30111:2013 is applicable to vendors involved in handling vulnerabilities.

The part I have difficulty with is that this document, while a good idea, costs over $80 for 12 pages. It would be nice if they made it publicly available so that it could be universally deployed.

But, that's just me grumbling. I'm glad to see it come to fruition. 

For more on this topic, here is a video of Katie's presentation at RSA in 2013.

(Image credit: Dan Tentler)

Copyright © 2014 IDG Communications, Inc.
