Inside ShmooCon 2023: The wacky, the bizarre and, in fact, the cybers

From hallway debates over what’s working in cybersecurity to idiosyncratic shows of oddball humor — resembling consuming Batman cereal from 1989 — the annual hacker convention ShmooCon has been attracting an eclectic mixture of techies, lecturers, attorneys and coverage researchers since 2005. This yr was no completely different. Greater than 1,600 folks gathered on the Washington Hilton in D.C. to see outdated mates, make new ones, and, in fact, discuss infosec. “This isn’t nearly skilled development, it’s networking, it’s a time to be with mates and fellowship,” mentioned ShmooCon co-founder Bruce Potter. Listed below are 5 massive takeaways from this yr’s convention:

1. Group reigns supreme

All through ShmooCon, a way of hacker neighborhood was ever current. It got here from the welcoming spirit amongst attendees in addition to the sheer variety of volunteers working the present.  You may sense it all through the convention, whether or not folks have been speaking  store about software bills of material, throughout the a number of contests that attendees participated in, to the books swap, to “ShmooBalls” (a small mushy ball given to each attendee to throw at presenters for enjoyable or to specific displeasure). After which there was the large rock, paper, scissors contest. “[ShmooCon] completely doesn’t occur with out the superb ShmooCon workers … and naturally help from the neighborhood at massive,” mentioned convention co-founder Heidi Potter.

2. State hacking legal guidelines may have updating

Whereas safety researchers can generally work in a world the place definitive solutions resembling assault attribution are tough, the legislation about what hackers can analysis legally will also be equally unclear. Harley Geiger, a lawyer who focuses on information privateness and cybersecurity on the legislation agency Venable LLP., gave a a lot wanted rundown of the advanced U.S. hacking legal guidelines and a few current adjustments. Largest takeaway? The federal authorities isn’t as involved with prosecuting reliable cybersecurity analysis, however states are one other story. Whereas the Pc Fraud and Abuse Act and the Digital Millennium Copyright Act have modified lately to favor safety analysis usually, and actions just like the Division of Justice’s coverage change to not cost hackers who interact in good-faith safety analysis, states are a bit extra erratic and may have a few of the “biggest danger to authorized analysis,” Geiger mentioned. Some states, he mentioned, resembling Washington have specific protections for safety analysis, however others resembling Maryland have broad legal guidelines that don’t take into account a researcher’s intent.

3. Railway cybersecurity wants extra consideration

Whereas software program vulnerabilities round automobiles have typically dominated headlines, a presentation by Brian Butterly took us from the beltway to the tracks together with his discuss on cybersecurity issues throughout the railway trade. Butterly identified {that a} tradition hole exists between the engineers who’re involved about bodily security and the cybersecurity professionals who deal with digital defenses. Moreover, infosec professionals working on this trade should take into consideration long-term options to defend railways because the software program and methods that run trains are not often up to date. Like most different industrial sectors, digitization is growing connectivity in addition to dangers.

The Transportation Safety Administration launched cybersecurity rules for the railway trade late final yr. Hopefully, the trade and policymakers don’t want a Colonial Pipeline equal earlier than better strides on this trade are made. “[Railway operators have] discovered about security the exhausting means. So now the problem is for them to grasp safety with out studying it the exhausting means,” mentioned Butterly.

4. China’s hacker underground survives underneath tight web controls

A presentation from Mao Sui, a cybersecurity analyst at LookingGlass Cyber Options, defined how the Chinese language on-line underground operates inside a closely managed web. Whereas many cybersecurity stories deal with Russian hacker boards and leak websites, China’s underground market is a mature ecosystem that in some way managed to outlive underneath an authoritarian authorities. The operators on these boards have created their very own sort of code language to flee censors. The digital black market additionally operates on the clearnet. Sui pointed to faux storefronts that to an unsuspecting netizen might merely appear like a random on-line market. As a substitute, it’s promoting illicit contraband or partaking in unlawful companies resembling on-line playing. 

5. Flipper Zero’s spotlight intent

Safety researcher Christopher Forte offered on the gamification of the favored Flipper Zero hacking instrument, showcasing how the toy-like system can presumably trigger real-world hurt. Utilizing a anecdote about hacking right into a jukebox app used at eating places and bars to manage music, Forte and a few mates not solely overplayed songs at a bar, but in addition messaged unsuspecting customers straight by the app. That would flip an app designed for taking part in your favourite songs at a restaurant right into a instrument for scammers, Forte famous. “It’s the mindset. It’s how it may be utilized. It’s how one can take one thing and switch it very malicious in a short time for those who had the appropriate intention.”