I’m a big fan of the Dailydave email list … always great discussions going on over there. Well, this afternoon I received my monthly “mailing list memberships reminder” from their Mailman service and I had my usual reaction.

Why the f$#@ are they emailing my password?

For being a security-focused group it would seem that they are not practicing what they preach. I’ve noticed this reminder many times in the past but for once I had some time to investigate getting this turned off.

Mailman has been THE application that most security groups use to communicate. Although now a lot of organizations seem to be migrating to Google Groups, giving up data privacy for convenience. Regardless, it is still the most dominate player for the groups I participate in. For those who aren’t familiar with Mailman, their website states that it…

… is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.

After doing a little research and searching around I found that there is actually a user option to disable this “feature” (enter me doing the Jean-Luc Picard “hand to face” move). From the email reminder you just received click the link to the management interface, enter the password they sent you in clear text, and log on. Scroll down a bit and look for the following option text.

Change this option from the default of Yes to No. If you are signed up for more than one list on the that server, select the “Set globally” option as well. Then just hit the “Submit My Changes” button below and you should be all set.

Now, I never remember setting this option to Yes so I’m assuming this is the default setting. Sure enough after searching around I came across the following server option from the Mailman admin manual [PDF], which states that email reminders (with passwords) is enabled by default.

Aaaah once again … convenience wins out over security when it comes to default options.

So now what? Well if you subscribe to any Mailman-based lists, please log in and make sure this option is disabled if you haven’t done so already. Also if you are someone that manages a Mailman installation, please log into your server and consider configuring “send_reminders” to be disabled by default.

#####

Regardless of this one weak default setting, Mailman is still a great piece of open source software and I encourage everyone to head on over to their website and donate so we can continue to enjoy it. See ya!

Well people, it’s the final day of ShmooCon; for those of you who are still nursing hangovers and information overloads, you have my sympathies.

While none of the talks today will be providing alcohol (at least, not that I’m aware of), they will give you a final chance to cram your brain with some interesting information. As I tweeted about on Thursday, Chris Paget will be giving a talk about passport cloning at 11:00am.

While I’ll most likely be attending the talk by Paget, the “Bring It On” track, “Solve this Cipher and Win!” by Michael Schearer at 11:00am also looks interesting.

And if you’re one of the many professionals who’s wondering about what the economy means for people in the security field, check out the “Closing Plenary: Are Bad Times Good for Security Professionals?” at 1:30pm. With G. Mark Hardy, Bruce Potter, Peter Geura, Mark McGovern, and Jack Holleran as moderators, it promises to end ShmooCon with a bit of a controversial bang.

Well, I guess that’s all for now; check back later today and throughout the week for more ShmooCon summaries and discussions. You can also follow me @grecs to get updates throughout the conference today.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

In my last post (“Friday Recommendations“), I discussed some of the official and unofficial activities on Friday and summarized a few things that I’m going to focus on. There are some great planned talks as well as the Podcaster’s Meetup, the FireTalks, and a meetup party courtesy of HacDC.

In this post, I’m going to look at Saturday’s activities and give some recommendations.  As I mentioned previously, please be sure to review the full list of activities yourself just in case I’ve missed something that you might be interested in attending. I wouldn’t want to be blamed for you missing the talk of a lifetime due to my silly preferences.

Oh and before I get started, another ShmooCon ad has been released courtesy of the folks over at PSKL. This one is a hilarious Q&A … Matrix-style.

Saturday starts with the traditional “Built It!, Break It!,” and “Bring It On!” tracks. I’ve never been much of a “Bring It On!” type of person, so I’ll probably gravitate more towards the “Build It! and Break It!” tracks like I’ve done in previous years. Although I personally won’t be attending them, there are several topics in the “Bring It On!” track that really peaked my curiosity, and I’d definitely advise taking a closer look at them if the “Bring It On!” track is your type of thing. But now, back to the “Built It! and Break It!” tracks… 

Starting at 10:00am in the “Break It!” track, the “Exploring Novel Ways in Building Botnets” by Enno Rey and Daniel Mende would be my pick due to my fascination with botnets.  In the “Build It!” track, there seems to be a trend with wireless—another fascination of mine. Because of this fascination, I’ll probably head to Michael Ossmann’s and Dominic Spill’s talk on “Building an All-Channel Bluetooth Monitor” at 11:00am. Continuing on the wireless trend, Joshua Abraham’s and Ben Smith’s talk at noon—“Next Generation Wireless Recon – Visualizing the Airwaves”—looks interesting. Visualization seems to be big these days, especially with the amount of information we have to process to determine a true security event. While this talk focuses on a slightly different theme, it may provide some insights into other visualization techniques.

After a quick lunch at Harry’s Pub (if I can get a table), I’ll most likely be heading over to the must-not-miss Jay Beale talk on “Man in the Middling: Everything with the Middler” at 2:00pm. There has been a lot of talk on multiple mailing lists about the release of his tool, The Middler. So as usual, Jay’s session will probably be standing room only.

Continuing on the wireless trend, the “Building Wireless Sensor Hardware and Software” by Travis Goodspeed and Joshua Gourmeau may be a nice fit at 3:00pm. But the “Break It!” track also seems to include another interesting wireless talk called “802.11 ObgYn or ‘Spread Your Spectrum’” by Rick Farina (which will focus on the topic of tuning your wifi card to operate on licensed frequencies), making it a tough choice between the two. In my opinion, the one with the creative name may win out.

For the last two talks of the day, I’ll probably be focusing on the “Break It!” track. Ennoy Rey and Daniel Mende will be having a busy Saturday as they’ll also be presenting “All Your Packets are Belong to Us: Attacking Backbone Technologies” at 4:00pm.

At 5:00pm, David Kennedy’s talk “The Fast-Track Suite: Advanced Penetration Techniques Made Easy” looks fun. Who can pass up a session with pen testing in the name? Plus you get to learn about an interesting tool built into BackTrack 3.

As the main sessions wind down, the evening activities start to get going. Hack or Halo begins at 6:30pm, the Saturday night edition of FireTalks get going at 7:30pm, and the official ShmooCon party starts at 9:00pm. Hack or Halo consists of two challenges; the “Hack” portion involves teams solving a bunch of puzzles (from simple brainteasers to pwning a computer), and the “Halo” competition involves several rounds of people trying to get body counts as high as possible.  The top competitors from each round move forward until a winner is decided.

If Hack or Halo doesn’t interest you, then the FireTalks at 7:30pm provide another after-dinner option. The exact talks don’t look like they’re going to be decided until 7:30pm. Presentations will be determined on a first-come, first-serve basis. So the first four presenters to the person with the clipboard win! I assume the talks will take place around the press room as they did on Friday night.

If you’re not interested in the FireTalks or the Hack or Halo activities, you can check out PaulDotCom’s live podcast at 8:00pm. You can check out the post on his blog for more details, or you can listen in starting 7:45pm on the PaulDotCom UStream Channel or the PaulDotCom Radio on Icecast.  

But wait, there’s more! After Hack or Halo or the FireTalks, the official Saturday night ShmooCon Party will start at 9:00pm. You can also check out the DualCore DJing Party if you’re in the mood for some creative music. At this point, the location for both parties is still TBD, but be sure to keep up with the various Twitter feeds—@shmoocon, @podcastmeetup, @securitytwits, @novainfosec, @grecs—that I previously mentioned for updates.

In my next post, I’ll be discussing Sunday’s activities as well as our sad return to normal life. And if you’ve heard anything on the final location of the ShmooCon party, please let me and everyone else know in the comments below.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

While I already updated my “ShmooCon 2009 Guide – Friday Recommendations,” post, I wanted to make sure that everyone was aware of the schedule changes for this Friday at ShmooCon.

According to Podcasters Meetup, the live show, book signing, and FireTalks on Friday will be happening later than originally planned.

Setup will now start at 7:30pm, with the live show taking place from 8:00-9:00. The book signing will take place during the FireTalks, which start at 9:00.

There will also be a HacDC party that starts at 10:00pm, so be sure to visit the HacDC wiki if you’re interested in learning more.

You can get more updates at the Podcasters Meetup Twitter feed, @podcastmeetup.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

In my last two posts (“Up to this Point” and “General Advice”) I looked at the events leading up to this week and general advice for getting the most out of the conference. In this post I’m going to look at some of the different talks and activities going on Friday.

 As part of this discussion I’ll be giving my recommended activities. Keep in mind that these choices are based on my likes and dislikes. I’d advise reviewing the full list of activities yourself just to make sure you don’t miss anything that’s important to you.

Before I talk about Friday evening, I do want to take a minute to mention the plan for a Security Twits lunch meetup at 12:00pm at Harry’s Pub in the Marriott. If you plan on attending, RSVP at securitytwits{0×40}n0where.org. If you’d like more information, you can visit @securitytwits to see the original tweet.

And now, onto the evening portion of ShmooCon.

In typical ShmooCon fashion, Friday evening is dedicated to the “One Track Mind” talks. Of the “One Track Mind” sessions, three look particularly interesting to me. Being a fan of PaulDotCom and Larry’s imaginative hardware hacking exploits, how could I pass up “Building the 2008 and 2009 ShmooBall Launchers” by Larry Pesce and David Lauer at 4:30? Both SecurityJustice and Securi-D’s Weblog preview what they’ll be discussing.

Following those session, the “The Day Spam Stopped (The Srizbi Botnet Takedown)” talk by Julia Wolf at 5:00 seems like a nice post-mortem of a complex topic that I’m always looking to learn more about. In theory I understand how botnets work, but I’m continually looking for more details of them in action. And seeing a practical application of botnets—which this talk will provide—really drills those theories in.

The final “One Track Mind” session I hope to see is “Watching the Watcher: The Prevalence of Third-Party Web Tracking” by Brent Chapman, Tera Corbari, and Matt Devers at 6:30. Being a mildly paranoid person (which is probably why I migrated into the infosec field), I am always interested in learning more about who and what is profiling me through increasingly complex information gathering techniques. Plus, the advanced tracking mechanisms that many of these organizations use are simply facinating. Learning their techniques would at least help me disrupt their profile building activities. That’s my hope, anyways.

To finish out Friday night’s official activities, I’ll be going to hear what Matt Blaze has to say in his keynote talk. Speaking of Blaze’s talk in particular, one thing that has always bothered me ever so slightly at ShmooCon is that there’s no overview of the keynote. We always get nice bios but nothing concrete on the exact topic. Based on Matt’s background, it’ll probably involve the intersection of security and public policy in some way. Does anyone else have any ideas on his topic? Or did I just miss a major announcement somewhere?

According to Matt’s Wikipedia article, it looks like he’s been involved in some interesting things. He is credited with developing the forerunner of IPSec in ‘93, circumventing the wiretapping capabilities of the Clipper chip in ‘94, and rediscovering a vulnerability in “master key” security in physical locks in ’03. (It’s technically a “rediscovery” because it was an open secret among locksmiths). He also coined the term “trust management,” which means to “refer to the policy system which decides whether a particular entity should be permitted to carry out a particular action.” Currently, Matt is an Associate Professor of Computer and Information Science at the University of Pennsylvania.

Next come several unofficial ShmooCon Friday night events that you may want to take part in. There is some overlap with the official talks but you may want to check out the Podcaster’s Meetup. Setup begins at 7:30, with the live show starting at 8:00. Podcasters taking part include Hak5, PaulDotCom, CyberSpeak, Sucurabit, Security Justice, SploitCase, Unpersons, Phone Losers of America, and SMBMinute. After the recording, there will be some time for getting your books signed if you’re interested.

The FireTalks then start at 9:00. For those of you who don’t know, the FireTalk sessions include several 10 to 15 minute talks by those who have something interesting to say, but didn’t get accepted by ShmooCon or didn’t submit their proposed talk in time.

If you’d like more information, you can view the Podcaster’s Meetup post about the FireTalks, which I’ve pasted part of below.

“Have a talk that didn’t get accepted? Want the chance to share a project that you are working on? Think of FireTalks as a verbal blog post.

 The human experience is built on the ability to tell and learn from stories. At SchmooCon 2009, “FireTalks” is a supportive environment in which to either share insights or learn from others. Whether polishing a presentation (story) for conferences, meetings or training, FireTalks are the way to share, learn and improve.

 The inaugural FireTalks take place Friday night — following the Podcasters Meetup. Talks are limited to 10-15 minutes with four (4) scheduled talks and four (4) open slots. Open slots will be filled on a first come, first serve basis.

 Saturday night will be more relaxed. Come join us and present, listen and learn.”

Both the Podcaster’s Meeting and the FireTalks will take place somewhere around the press room. I guess we’ll have to figure out the location once we get there. As I mentioned in the “General Advice” post, be sure to check Twitter for constant updates about the conference.

Afterward the FireTalks are over, continue the fun with some networking at a local spot. Or if you’re interested, CharmSec is having a meetup after the keynote. Be sure to check it out if you can. You can view @charmsec for additional details. You may also want to follow @podcastmeetup on Twitter to get any last minute updates.

If there’s anything I’ve missed, please feel free to let me know by leaving a comment below.  Praise and criticism (and by that, I mean constructive feedback) is always appreciated. Additionally, has anyone figured out what the keynote topic is or where the post Podcaster’s Meetup/FireTalks “local spot” is going to be?

In my next post, I’ll be discussing Saturday’s activities with some recommended talks and other events. Choosing which sessions to attend will definitely be a lot harder given the wide range of options.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

In my last post (Up to this Point), I looked at the events leading up to this week, including basic logistics, ticket sales, and how to arrange last-minute airfare and hotel reservations. In this post, I want to touch on some general advice as well as ways of keeping up-to-date during the conference.

This will be my third year at ShmooCon. Since I now feel somewhat like a veteran attendee, I wanted to pass on a bit of advice for anyone attending the conference. The first time I attended ShmooCon, I over-scheduled myself by focusing too much on the scheduled talks. Overall, I probably attended about 20 talks. At the end each day, I was exhausted and just headed home to recover. What I hadn’t realized was that I only took part in about 40% of what the conference had to offer.

I missed out on taking part in all of the challenges, workshops, and events. My biggest regret was missing out on just having a good time with the rest of the attendees. For this reason, I’d recommend taking a good hard look at the scheduled talks today and only choosing five to attend. The rest of the time just relax, take in the environment, and just have fun and enjoy yourself.

The other thing I wanted to mention was that conferences are a great time to come out of our introverted shells (I count myself in this group). We all have something in common—a great interest in security. Because of this, starting a conversation shouldn’t be much of a problem. Just walk up to someone standing in the corner and introduce yourself and ask where they’re from. And if you have any favorite podcasters, tweeters, or bloggers, seek them out and introduce yourself.

While  I wouldn’t consider myself an infosec personality, it’d make my day if someone came up to me and said they enjoyed my tweets or blog posts.

Ok, now that all the soft skill stuff is out of the way, another important thing to consider is the protection of your electronic goods. You need to be very careful of how your devices will interact with anything at the conference. With that in mind, my first recommendation is not to take a laptop with any valuable information to the conference. If you do decide to take one, make sure to disable all wireless capabilities (e.g., BlueTooth and WiFi) and be sure not to plug in any network cables or USB devices. Better yet, spend $50 on a new hard drive and feel free to go au natural. Just be sure to DBAN the drive before using it anywhere else. This is probably the method I’m going to use.

And if you go with the hard drive switch recommendation, please be sure not to visit web sites of any value (e.g., you bank). Phones and PDAs add another challenge when attending hacker conferences. Since a “hard drive switcheroo” type option doesn’t work for most devices, I recommend disabling BlueTooth and WiFi. If you absolutely need access to the Internet, stick with cellular broadband networks for both your laptop and smart phone.

I will now get off my soapbox and pass along some ways to keep up with what’s going on at the conference.

How should you decide which talks and events to attend? Well, you can start by checking out ShmooCon’s Schedule and Events pages. And if you’re on the run, try feeding the entire agenda into your phone or PDA via XML, iCAL, or HTML through the Google Calendar Mark Bristow setup.

While the ShmooCon organizers have planned a very detailed schedule, a lot of the most notable events are simply going to pop up. Like Twitter, ShmooCon has also come to the rescue in keeping you updated during the conference. If you follow the official @shmoocon Twitter feed during the conference, you should be able to establish a nice flow of information. @podcastmeetup and @securitytwits should also add a good amount of commentary to that base. Additionally, keeping an open search on “#shmoocon” should bring in tons of additional information. I also can’t go without mentioning our own NovaInfosec Twits (@novainfosec) effort. If you follow us and we follow you back, anything you direct message to @novainfosec will be posted in the feed. So if you are interested see our NovaInfosec Twits page to learn how to become part of this localized @securitytwits spin-off. And if you want even more information, you can follow me at @grecs. I’ll be commenting on any of talks or activities I attend.

Well, I think that covers most of the general advice I have. If you can think of anything else, let me and everyone know in the comments below. In my next post, I’ll be discussing Friday’s activities with some recommended talks and other events.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

With only two more weeks to go until the conference begins, here’s my first post in a series of four blog posts that will help prepare those of you attending the con.

It’s been an interesting month of events leading up to ShmooCon this February; we’ve had the CFPs, three and a half rounds of tickets sales, the keynote speaker announced, and the other presenters decided on. The ShmooCon organizers have been hard at work since the end of last year’s conference, and I—like the rest of you—am looking forward to meeting other attendees, learning a few new things, and just having a great time.

In standard NovaInfosecPortal.com fashion, the basic logistics of the conference are listed below.

• Who: The Shmoo Group
• What: ShmooCon
      ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an 
      interesting atmosphere for demonstrating technology exploitation, inventive software & hardware
      solutions, and open discussions of critical infosec issues. The first day is a single track of speed
      talks, “One Track Mind.” The next two days, there are three tracks: “Break It!,” “Build It!,” and “Bring
      It On!.”
• When: 2/6 – 2/8/2009
• Where: Wardman Park Marriott Hotel (2660 Woodley Road, NW; Washington, DC 20008)

While the ShmooCon organizers have been putting in a lot of work to get this conference off the ground, it hasn’t come together without a few problems. Round 1 of the ticket sales seemed to go smoothly enough, but the load of tickets during Round 2 in December seemed to have some issues. Despite some of the problems in round 2 however, discussions around the interweb seem to imply that everyone who should have gotten tickets during the first two rounds did. Despite the success of Rounds 1 and 2 however, con organizers surprised everyone by creating a round 2.1, which seemed to go much more smoothly than either of the previous rounds due to some code tweaks.

After the surprise of round 2.1, Round 3 of tickets sales started on New Year’s Day. While you would’ve expected this round of sales to be a little slower given the morning after affect brought on by New Year’s Eve activities, the Round 3 tickets sold out in record times. That’s why if you don’t have your tickets yet, you better start hitting up Craigslist (only one ticket for sale as of today in DC’s) or E-Bay (6 people selling them there).

Oh, and for those of you who are interested, the first ShmooCon ad has popped up. You can also view some of the hilarious ads from prior years at the ShmooCon Ad page.

After getting your tickets, finding someplace to stay in DC (and then figuring out how to get there) should be the next priority on your list. As most of you already know, the rooms at the Wardman Park Marriott Hotel have sold out. However the ShmooCon site did release a post about some overflow rooms at the Hilton Washington, and I hear that there may still be some rooms available. If you’re interested, give them a call at 202-483-3000 and reference the ShmooCon block.

Mubix also created a Google ShmooCon RoomShare Group, but it doesn’t seemed to have taken off just yet. But if you’re still in need of a room, I’d highly recommend posting there and seeing where you get. Besides being down in DC, I think that any hotel along the Red Line would be good because you won’t have to switch trains.

The Red Line starts in Maryland at Shady Grove, runs into DC past the Wardman Park Marriott Hotel’s metro stop (Woodly Park) and into DC, and then back out to Maryland to Glenmont. Although many of us live in and around DC, I guess some folks will have to travel here. Hopefully you booked your plane tickets if needed—or else I guess you’re driving here or paying huge last-minute airfare rates.

Just in case you didn’t know, you may still be able to find a cheap flight as the Metro DC area has three fairly close airports (Baltimore – BWI, Dulles – IAD, and Ronald Reagan Washington National – DCA). BWI in general seems to be cheaper to fly into. Another alternative is Jack Daniel’s ShmooBus if you are in the northeast along the I-95 corridor. He’s rented a 30’ RV and will be departing from Boston the morning of February 5th (Thursday, the day before con begins) and arriving at the hotel that evening. According to Jack Daniel’s 1/10 update post, there still may be a seat or two left.

Well, that about covers how ShmooCon is doing up to this point in time. In my next post I’ll be discussing Friday’s activities and recommending some of the must-see talks and events of the conference.

If I’ve missed anything or provided incorrect information, please feel free to let me know by leaving a comment below. And as always, if you have any information to share, I’m sure that other readers would be glad to hear it (especially if you can provide some tips on last minute travel or hotel recommendations).

Just a quick reminder that Computer Security Day is being celebrated tomorrow (even though the actual date in 11/30). So be sure to raise awareness of computer related security issues around the office! One idea would be to download, printout, and hang some of the posters from the Computer Security Day web site. See our original post for more information. And as always check out our Calendar for a complete list of infosec events in and around the NoVA area.

Just a quick reminder that the second round of tickets for the ShmooCon infosec conference event go on sale tomorrow (Monday, December 1st) at noon EST. If you miss that round, you’ll only have one more chance in January to get your tickets. Also, just in case you missed the announcement in the last post, mubix has started a room sharing Google Group that you may want to take advantage of.

For more information on ShmooCon, check out its description in our Infosec Conferences section. See our announcement and registration posts as well as ShmooCon’s registration page for more information about this conference. And don’t forget to view our Calendar for a list of similar infosec events in and around the NoVA area.

Just a quick reminder that the OWASP NYC AppSec 2008 infosec conference event is next week. The agenda and speakers are ready and they’ve even made a recent venue change to the Park Central New York Hotel to accomodate more people. Unfortunately, we won’t be able to make it this year, but we’ll be scanning the blogosphere for updates and announcements. See our original post for more information about this conference.