ShmooCon 2017 Retrospective

Written by Austin Keeley

I went to ShmooCon!

I’ve always wanted to attend but tickets are limited and incredibly hard to get. I was finally able to secure 2 barcodes this year so I passed one off to my friend, Ed, and we hopped on the metro to Dupont Circle.


The easiest way to get kicked out of the conference is take photos without permission. There’s a two strike policy on this; unfortunately that means I don’t have any photos of the conference. There were some interesting people and displays but I was going to respect the privacy of the attendees.

The vibe I got was that this was a gathering of good natured people and there wasn’t going to be much cover for illegal or blatantly malicious activities (I still wasn’t going to use the ATM in the lobby, however).

After 3 days of talks and shenanigans, I made a few retrospective notes.

  • How did I get a barcode? No gimmicks. I just went to the website and hit F5 as the site went live. My Internet connection at home is reasonably good and I think this helped.
  • Want to blend in? Wear a black tshirt and jeans. Want to make it easy for your friends to find you? Wear anything else.
  • There were two talks that really stuck out to me. The first was Anti-Ransomware: Turning the Tables by Gal Shpantzer and G. Mark Hardy. The presenters discussed why ransomware is such a big deal now (hint: money) and how it’s getting more sophisticated (e.g. being able to detect if VPN software is present and waiting for a connection for better exposure). The other talk was Goodnight Moon & the House of Horrors: A look at the current IoT ecosystem and the regulations trying to control it by Whitney Merrill and Aaron Alva. IoT is still a garbage fire from a security perspective and this talk discussed possible regulations to try to contain it.
  • I mostly attended talks. I regret not visiting some of the side rooms and participating in the lockpick village. Next time I plan on dedicating at least half a day to visiting these. A co-worker spent most of his time doing Hack Fortress and his team wound up winning the championship. My TF2 skills are a little too rusty to join a team, but I might consider doing that next year.
  • The Metro sucks. If you are coming from out of town, you might not know about the delays, shutdowns, and fires. I highly recommend giving yourself extra time if you plan on using it. This is especially true if you plan on using the disability access elevators since these are notorious for being out of order.
  • A VPN is highly recommended, even for the WPA secured Wifi networks. Cell service was pretty bad. Probably because of all the devices.
  • The food situation was wasn’t ideal. There was an impromptu bar set up in the lounge area where food was being sold, but it wasn’t great. Dupont Circle has some good restaurants within walking distance, however.
  • The Friday night fire talks were fun and probably the best part of the day (also the lightest attended).
  • Get a Twitter account. Set up alerts from @shmoocon. You’ll get buzzed when stuff happens. Also you can set up a list of all the speakers you saw so you can follow up with them later.
  • I kept sitting behind Ed Skoudis (@edskoudis) at various talks but I didn’t realize it was him until some of his tweets later.

Overall, it was pretty awesome. If I can get a barcode for next year, I’m definitely going back. There are a few other hacker cons being scheduled that I might attend in the meantime, including BSides DC and, of course, DEF CON.

Image credits: Dupont Circle Station, Wikimedia Commons

Posted January 18, 2017