As you can see below, I’ve only gotten links to a few presentations. If you still need to post your presentation, please let me know via Contact Us or mention @grecs on Twitter and I’ll update this post as I get them.

Presentation Summaries

First, I like to put up some short synopses of the talks written by Justin Monroe and Chris Wheeler. They were a tremendous help both nights paying attention to the actual content while I coordinated everything.

Social Engineering Toolkit v0.4 Overview (David “ReL1K” Kennedy)

ReL1K released the newest version of his “Social Engineer’s Toolkit.” Version 4, codenamed “Pink Pirate” was released Saturday in the BackTrack4 repository as well as his website, secmaniac.com. The framework is a python driven open source suite which makes use of Metasploit Framework’s client-side attacks (PDF, Aurora, etc), and has the ability to auto-target a client operating system. It also integrates with G-Mail and sendmail to streamline sending phishing e-mails to targets.

SHODAN for Penetration Testers (Michael “theprez98″ Schearer)

SHODAN, a meta-data search engine for application banners was presented by theprez98, who showed several demonstrations of its usefulness. The engine stores OS version, country, open ports (currently only 21, 22 and 80), and makes the data easily searchable. As the engine stores banners from each service, it is not uncommon to find default configuration information in the header (such as a default password), as well as the version information of the service. At the time of the presentation, there were apparently 136 machines still running Windows NT 3.9. (slides)

Influencing Security (Marcus J. Carey)

In a presentation about influencing security, Marcus J. Carey took a philosophic approach to solving security issues. Likening the decrease in HIV infections in Thailand by means of peer pressure, he suggested that security professionals persistently teach users about information security, instead of doing training once a year. He also stressed a non-adversarial role with the people the policy is designed to protect, and instead of treating them poorly when the policy was broken.

Funnypots and Skiddy Baiting (Adrian “IronGeek” Crenshaw)

IronGeek presented some of his endeavors in “Funny Pots and Skiddy Baiting,” loosely defined as “messing with the people trying to break into your machines.” He suggested mapping loopback addresses (127/8) to a subdomain on your network, and then encouraging them to break into the machine at that hostname. If they manage to get in, they may own their own machine. Other fun endeavors included mapping your hostname to that of another website (say, 12.120.54.169), “lemon” wiping a drive with an arbitrary pattern of data for forensic investigators to find (coined from the “lemon party” shock site). He also demonstrated a robots.txt redirect, where snooping users would get redirected to shock sites when they visited the “Disallow” directories. His final and perhaps most humorous website involved using php-ids to detect attacks against a website and have Clippy pop up to help with their failed attempts. (slides)

Browser Fingerprinting Using a Stopwatch (Nicholas “aricon” Berthaume)

Aricon demonstrated how to more accurately fingerprint browsers based on more than the user-agent, HTTP headers, and Javascript. WebApp scanners often spoof headers, making it useless to fingerprint an attack. The timing and download order of images can be used to accurately fingerprint a browser using some custom mod_security rules. Differences start to show with basic HTML, but adding images and more content gives a much more accurate result. He did mention that plugins such as Greasemonkey, AdBlock Plus, and NoScript skew the results, as do VPNs, SSH tunnels and other proxies. He plans to release the mod_security ruleset and his fingerprinting scripts on his website. (slides)

Pentoo (Zero Chaos)

Zero Chaos, a Pentoo developer, was met with a barrage of Shmoo balls at the start of his presentation. Pentoo is a lightweight penetration testing distro based on Gentoo. It can be run from a Live CD and uses only 200MB of RAM. Pentoo is updated with the latest utilities and kernel configurations. Pentoo also has 13 users worldwide ( ), and began development before BackTrack.

Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie (Benny “security4all” ???)

@Security4All gave a presentation on “sleep hacking,” discussing human sleep cycles and how to get more energy out of sleep. Although monophasic, humans are better suited to a polyphasic sleep cycle. Biphasic sleep involves getting 6-7 hours of sleep per night, and a nap at noon. Spain has institutionalized this cycle through siestas. For those who wish to get more out of their day, the everyman cycle provides 4 thirty minute naps, and a 2-3 hour block of sleep at night. Those looking to gain a sickening about of extra time in their day can try the uberman, characterized by 6 twenty minute naps per day, and separated by a four hour period of being awake. Also, for those who need the extra kick, drinking coffee before taking a nap increases the nap’s effectiveness, so long as the nap is kept to twenty minutes. There are also sleep cycle apps in the iTunes store to help adjust to the different sleep cycles. (slides)

Payment Application – Don’t Secure Sh!t (PA-DSS) (Christian “cmlh” Heinrich)

Christian Heinrich gave a presentation entitled “Payment Application – Don’t Secure Sh!t.” The presentation characterized the differences between the PA-DSS, PCI-DSS and PCI-PTS standards, focusing primarily on the strengths and weaknesses of PA-DSS. Visa has mandated compliance of all machines with this standard by 12 July 2012. The PA-DSS standard also depends on the PCI-DSS standard, as there is no sense in reinventing the wheel. It does contain a sunset clause for securing wireless data with WEP, as the newest revision mandates WPA, as well as mandates secure remote software updates through a system like SSL, although the most recent attacks on SSL have not been considered. (slides)

Wow, excellent summaries from Justin and Chris. Thanks again guys! Additionally, every one of the speakers should have gotten a parting gift sponsored by Trusted Signal. And if you want to relive the excitement of the Firetalks, be sure to check out IronGeek’s FireTalks from Shmoocon 2010 page. One of the things you may notice in the videos is the beautiful fireplace that helped cozy up this event. Mrs. Rybolov was kind enough to make this piece from scratch … and speaking of Rybolov, he himself provided a tremendous amount of coordination throughout both nights. Before moving on to announcing the winners, I’d also like to thank the ShmooCon team (go Heidi & Bruce and the rest of The Shmoo Group!) for allowing us to host this event in conjunction with ShmooCon and providing space, a projector, and audio!

Prize Winners

Now on to the prize winners …

3: Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie

security4all won at $75 Think Geek Gift Certificate from nVisium Security.

2: Social Engineering Toolkit v0.4 Overview

ReL1K received a 32GB Kanguru e-Flash brought to you by nVisium Security.

1: SHODAN for Penetration Testers

thePrez98 won the grand prize of a Acer Aspire One D250 Netbook provided by Hurricane Labs.

Congrats to everybody!

///

For all information regarding this year’s Firetalks and links to related posts, see the ShmooCon 2010 Firetalks master post. On a personal note I had a lot of fun pulling this whole thing together and it was great to meet so many awesome people that I’ve only previously chatted with on mailing lists, Twitter, etc. I look forward to trying to keep up with everyone throughout the year and maybe (if  I get lucky in the ShmooCon ticket lottery ) next year at ShmooCon. See ya!

Sponsors

Most of the sponsorship opportunities have been covered however we are still looking for a few of the props. Specifically, there is a Countdown Timer, Gong, and Logo (see the master ShmooCon 2010 Firetalks post for more information on these items). Out of these, I’d say the most important one is a Countdown timer. So if you don’t have a big budget but would like to help out, you can always volunteer to bring one of the above items. If you are interested, either contact us or mention @grecs on Twitter.

Speakers

Although all the official speaking spots are full as reported three weeks ago, we are still seeking people to add to our Alternates List just in case any of the confirmed presenters are unavailable. If any of the speakers are not present, we’ll just start calling people from the top of the list. At a minimum you’ll get some PR with your name and presentation title on the master ShmooCon 2010 Firetalks post.

To submit a talk, use the Contact Us link above. Enter your name as you want it to appear and use FireTalks as the subject. In the Message area please include the title of your talk as well as a one paragraph summary of your presentation. You can also include a link to your website or preferred social networking profile and we’ll link your name off to this site/profile.

General Logistics

CapSecDC is organizing a Bar Crawl for sometime on Friday night. Based on discussions with them, they’ll probably be starting before the Firetalks. Instead of having to choose between the Firetalks and the Bar Crawl, we are working with them so FireTalk attendees can easily join up with the crawl midway. The general idea would be that they would be at a specific location around 10:30. That way anyone from the Firetalk session could just meet up with them to continue to enjoying the evening.

CapSecDC aren’t the only ones we’ve been working with. It just so happens that the Podcasters Meetup was originally scheduled to start the same time as the Firetalks on Saturday at 8:00 PM. After a few email exchanges we’ve realigned our start times to benefit all! The new plans are that the Podcasters Meetup will start at 7:30 instead of 8:00 and the Firetalks will start at 8:30. This will allow attendees to take part in both events. It does push the Firetalks a bit far into the Saturday night party … but you should still have plenty of time to enjoy it (assuming you can make it there with all the snow ).

In other logistical news we’ll be having several helpers run the Firetalks. Mike “rybolov” Smith will be assisting us as well as a pair of interns, Justin Monroe and Chris Wheeler. Thanks guys! Additionally, we are still finalizing the exact location but we previously heard we’ll be in one of the Wilson rooms.

And the big news is that Dual Core will be providing some entertainment to get the Firetalks started as well as playing some good nerdcore in-between the speakers on Friday. We’ll have to spin our own on Saturday as they’ll be getting ready at Heaven & Hell. Any volunteers?

///

This will be our final post … so from here on out, please check the ShmooCon 2010 Firetalks master post for the most up to date information or follow @grecs on Twitter looking for the #shmoocon and #firetalks tags. As usual, we’d like to thank the community for getting the word out and can’t wait to see everyone on Friday. See ya!

We started with a simple matrix and then populated it with the different talks and other official activities. Then we hit Twitter and some mailing lists and pulled together a good little list of “Side Activities.” As part of this we also found some other interesting things going on, so we created an area called “Interesting Things.” We also came across a bunch of various Twitter users or tags being used for certain events so we threw them in and provided some structure. I’m sure you get the point by now.

Anyway, check it out here – ShmooCon 2010 Cheat Sheet.

I’m sure we missed a bunch of things so please comment below for updates we should make. We are in particular need of information pertaining to other “Side Activities,” “Vendor Contests,” “Interesting Things,” and “Suggested Twitter Tags.” Also, there is also a lot white space left … so let us know of any new areas we should add. See ya!

Now on to the big news at hand … the announcement of the ShmooCon 2010 Firetalk sponsors!!!

Sponsors

First I’d like to mention the many folks that’ll be helping out in the props area.

• Projector/Space: ShmooCon Team
• Session Recordings: Adrian “IronGeek” Crenshaw (Georgia Weidman for backup)
• Fake Cardboard Fireplace: Mike “rybolov” Smith

Note that we are still looking for a Countdown Timer, Gong, and Logo (see the master ShmooCon 2010 Firetalks post for more information on these items). So if you don’t have a big budget but would like to help out, you can always volunteer to bring one of the above items. As noted before, either contact us or mention @grecs on Twitter if you’re interested.

Now on to the participant give-aways and prizes…

Participant Give-Aways

All of the below items are being brought to you by Trusted Signal.

• Wi-Fi Detector Shirt (2)
• RFID Blocking Wallet (2)
• Autoloader – Screwdriver Tool (2)
• Phantom Keystroker V2 (2)

2nd Runner-Up

$75 Think Geek Gift Certificate from nVisium Security

1st Runner-Up

32GB Kanguru e-Flash (eSATA & USB2.0 Flash Drive) courtesy nVisium Security

And finally … (drum roll please) …

Grand Prize

Acer Aspire One D250 Netbook brought to you by Hurricane Labs.

Speakers

Although all the official speaking spots are full as reported two weeks ago, we are still seeking people to add to our Alternates List just in case any of the confirmed presenters are unavailable. If any of the speakers are not present, we’ll just start calling people from the top of the list. At a minimum you’ll get some PR with your name and title on the master ShmooCon 2010 Firetalks post.

To submit a talk, use the Contact Us link above. Enter your name as you want it to appear and use FireTalks as the subject. In the Message area please include the title of your talk as well as a one paragraph summary of your presentation. You can also include a link to your website or preferred social networking profile and we’ll link your name off to this site/profile.

///

Well it’s been a great week with getting most of the sponsor stuff taken care of. As usual, we’d like to thank the community for getting the word out! We really appreciate all the RTs and mentions. And if you’d like to RT this post, we wouldn’t mind that at all. See ya!

Sponsors

We’ve gotten various support for some of the logistical props in terms of a projector and space from the ShmooCon team and recording of the sessions by Adrian “IronGeek” Crenshaw. However we are still in desperate need for sponsors of the prizes and participant give-aways. Although I would rather focus more on the the non-money aspects of the event, some have asked for general guidelines on the cost of the different prize levels so I’ve included suggested values below. Ideally, the prizes would most likely be geek toys from vendors valued at these suggestions.

• Grand Prize: $250
• 1st Runner-Up: $125
• 2nd Runner-Up: $75
• 5 Participant Give-Aways: $100 (or $20 each)

Additionally, there are still several props we are looking for including Fake Cardboard Fireplace, Countdown Timer, Gong, and Logo. So if you don’t have a big budget but would like to help out, you can always volunteer to bring one of the above items.

If you know any companies willing to support prizes, please have them contact us or mention @grecs on Twitter and point them to the Sponsors section in our master post for more details on the different options. You can pass along this longish bit.ly link we created to point to the main Firetalks post – bit.ly/nipshmoocon2010firetalks.

Speakers

Although all the official speaking spots are full, we’d like to take this opportunity to encourage others to continue submitting their ideas. As mentioned last week we have an Alternates List just in case any of the presenters are unavailable. If any of the speakers are not available, we’ll just start calling people from the top of the list. At a minimum you’ll get some PR with your name and title on the master ShmooCon 2010 Firetalks post.

To submit a talk, use the Contact Us link above. Enter your name as you want it to appear and use FireTalks as the subject. In the Message area please include the title of your talk as well as a one paragraph summary of your presentation. You can also include a link to your website or preferred social networking profile and we’ll link your name off to this site/profile.

General Logistics

We’ve been looking at the schedule and decided that we’ll probably have to extend the length of the event a little so things run a bit smoother. With this in mind we will be adding 20 minutes for a 5 minute introduction and 5 minute breaks between each of the talks. That brings our total running time to about 1 hour and 20 minutes each night.

///

Well a slow week with a little progress … but progress nonetheless. Again, we’d like to thank the community for getting the word out! We really appreciate all the RTs and mentions. And if you’d like to RT this post, we wouldn’t mind that at all. Here’s even a nice link you can RT out – bit.ly/nipshmoocon2010firetalks.  See ya!

Speakers

First off, I’d like to put out a HUGE “Thank You” to the infosec community for spreading the word on this year’s Firetalks. And I’m excited to say that because of everyone’s support, we’ve filled all of the presentation slots! Here is a quick list of the topics and the presenters.

Friday

• Social Engineering Toolkit v0.3 Overview (David “ReL1K” Kennedy)
• SHODAN for Penetration Testers (Michael “theprez98″ Schearer)
• Influencing Security (Marcus J. Carey)
• Funnypots and Skiddy Baiting (Adrian “IronGeek” Crenshaw)

Saturday

• Browser Fingerprinting Using a Stopwatch (Nicholas “aricon” Berthaume)
• Pentoo (Zero Chaos)
• Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie (Benny “security4all” ???)
• Fuzzing Web Applications with Nymf (Jack Mannino)

The master post contains additional details on each talk. But even if you didn’t make the above list, you still might get to present your idea! Because there’s been such a great response, we’ve decided to open up an Alternates List just in case any of the presenters are unavailable. As an alternate you’ll have to be present and ready to speak. If one of the speakers is not available, we’ll just start calling people from the top of the list. And so far we have two additional submissions!

Sponsors

On the sponsor front Adrian has stepped up to record the audio and video (split screen even) for both sessions! For an example of what to expect, see his test over at Vimeo. Additionally, the ShmooCon team has offered to hold a space for us as well as lend us a projector. Beyond these two additions, we are still in need for other sponsors, especially for the prizes. If you know any companies willing to support this effort, please have them contact us and point them to the Sponsors section in our master post for the different options. You can pass along this longish bit.ly link we created to point to the main Firetalks post – bit.ly/nipshmoocon2010firetalks.

Speaking of sponsors … Adrian also came up with the great idea of having a Firetalks logo. I have no design skillz so if someone out there has any artisic ability, this is another way you can help us out. The logo at a minimum would be embedded in the videos that Adrian will be creating. If we have time, we hope to create a banner or something.

General Logistics

Beyond getting speakers and sponsors we’ve also been working with the ShmooCon team to coordinate Firetalks fitting nicely into the overall conference schedule. As mentioned above they are already supporting us in several ways however they would like us to move the start of the talks to 8:30 on Friday night so it won’t interfere with the end of the keynote. So we’ve made this change on the master post as well.

///

Filling all speaker slots as well as getting the sessions recorded and support from the ShmooCon team … Its been a great first week! Again, we’d like to thank the community for getting the word out! As you known, you can never have too much PR … so we’d appreciate any continued efforts to spread the word! Just pass along the link to our master post or our “easy-to-remember” bit.ly/nipshmoocon2010firetalks link.

For all the latest happenings, check back to this post periodically. It will be the home for any and all information relating to the ShmooCon 2010 FireTalks. You may want to use a service like ChangeDetection.com to get email alerts of any updates. Alternatively, you can subscribe to our main RSS feed or follow us on Twitter at @novainfosec since we’ll put out short “update” posts with just the new information and a pointer back to this “master” post. And as usual … I’ll be regularly updating my Twitter stream at @grecs with all the information and will be using the #firetalks tag. If you need to quickly refer back to this post, you can also use the longish bit.ly link we create at bit.ly/nipshmoocon2010firetalks.

Anyway … here are the logistics for this year’s FireTalks in traditional NovaInfosecPortal.com form:

• Who: ShmooCon/PodcastersMeetup/NovaInfosecPortal.com (and anyone else we’re missing)
• What: ShmooCon 2010 FireTalks
• When: 2/5, 8:30 – 9:50 & 2/6/2010, 8:30 – 9:50 PM EST
• Where: Wardman Park Marriott (2660 Woodley Road NW, Washington, DC 20008; Wilson A/B/C)

Now onto what this whole FireTalks thing is and how to get involved…

History

Instead of reinventing the wheel to explain things, we just went back and took a look at what was done last year. The idea of Firetalks seemed to originate with Michael Santarcangelo. The post titled “Podcaster’s Meetup @ ShmooCon” by @mubix on PodcastersMeetup.com seemed to be the first place that this idea came up. As part of several announcements, one of them was this interesting idea from Michael.

“Michael Santarcangelo, the Security Catalyst community and the Security Twits have come up with a group that will be doing after hours presentations. So, if you were declined, didn’t submit but have a talk, or just want to learn to speak by watching the critiques that go on, please come out an join us. The main goal of these after hours talks is to foster the development of the speaker in a less imposing environment than a ShmooCon track. Depending on the responses we get, we may be doing these talks all three nights. …”

This idea was followed up with a more focused definition in an update post aptly titled “Podcaster’s Meetup @ ShmooCon Update 1” again by @mubix. Here is where the term “Firetalks” was first used as far as I can tell.

“Have a talk that didn’t get accepted? Want the chance to share a project that you are working on? Think of FireTalks as a verbal blog post. The human experience is built on the ability to tell and learn from stories. At SchmooCon 2009, “FireTalks” is a supportive environment in which to either share insights or learn from others. Whether polishing a presentation (story) for conferences, meetings or training, FireTalks are the way to share, learn and improve. The inaugural FireTalks take place Friday night — following the Podcasters Meetup. Talks are limited to 10-15 minutes with four (4) scheduled talks and four (4) open slots. Open slots will be filled on a first come, first serve basis. Saturday night will be more relaxed. Come join us and present, listen and learn.”

Speakers

We will have four 15-minute speaking slots each night and as noted above these have been filled on a first-come-first-serve basis. If needed each speaker must have their own laptop to connect to a standard projector.

Because there’s been such a great response, we’ve decided to open up this Alternates List just in case any of the presenters are unavailable. As an alternate you’ll have to be present and ready to speak. If one of the speakers is not available, we’ll just start calling people from the top of the list.

To submit an alternate talk, use the Contact Us link above. Enter your name as you want it to appear below and use FireTalks as the subject. In the Message area please include the title of your talk as well as a one paragraph summary of your presentation. You can also include a link to your website or preferred social networking profile and we’ll link your name off to this site/profile.

Alternates List

• Michael Montejam Montecillo: Profiling and Tracking in 15 Minutes
  • Whether seeking information about a company for employment purposes or figuring out exactly who is flooding your IPS/IDS, tracking and profiling can be valuable skills for any security professional. This talk will discuss tools and techniques for profiling companies, tracking hacker activity, and identifying potential threats through Open-Source Intelligence (OSINT). There will be a particular focus on applying the hacker mindset to make determinations based on available data.
• Ralph “ralphbroom” Broom: TBD
  • TBD

Prizes/Sponsors

Awards will be based on a 3-person panel scoring each presentation from 1 to 10. In case of a tie, we’ll maybe have a forth person pick the final winner.

Most of the sponsorship opportunities have been covered however we are still looking for a Countdown Timer, Gong, and Logo. So if you don’t have a big budget but would like to help out, you can always volunteer to bring one of these items.

Prizes	Sponsors
Grand Prize (~$250) – Acer Aspire One D250 Netbook	Brought to you by Hurricane Labs
1st Runner-Up Prize (~$125) – 32GB Kanguru e-Flash (eSATA & USB2.0 Flash Drive)	Courtesy nVisium Security
2nd Runner-Up (~$75) – $75 Think Geek Gift Certificate	From nVisium Security
Participant Give-Aways (~$100 or $20 each) – Open Wi-Fi Detector Shirt (2) RFID Blocking Wallet (2) Autoloader – Screwdriver Tool (2) Phantom Keystroker V2 (2) [plus other stuff I can't mention ]	Brought to you by Trusted Signal
Props
Projector/Space	ShmooCon Team
Session Recordings	Adrian “IronGeek” Crenshaw (Georgia Weidman for HD backup version)
Fake Cardboard Fireplace	Mike “rybolov” Smith
Countdown Timer with Large Red Numbers	Open
Gong (this could be fun)	Open
Firetalks Logo	Open

For all our illustrious sponsors, you get your logo placed here and several mentions during the event. If you are lending any of the stage props above, feel free to include your logo on it as well. We are open to other suggestions (e.g., some small signs you can post up around the event) but this will depend on what ShmooCon will and will not let us do.

Use the Contact Us link above or mention @grecs on Twitter to get in touch with us if you are interested in sponsoring.

Related Posts

• ShmooCon 2010 Firetalks – Update 1
• Call for ShmooCon Firetalk Sponsors (a.k.a. Update 2)
• We Haz Sponsors (a.k.a., Firetalks – Update 3)
• ShmooCon 2010 Firetalks – Update 4

Challenge #1 – Find the Link: The first part of the challenge was to find the link. Unlike the last two rounds, the link was at the top this time. Clicking on it usually brings you to the first page of the registration process however this time it resulted in a 403 Forbidden error page as shown below.

Challenge #2 – Guess the URL: I guess you had to do some information gathering and figure out the cart system they were using. Armed with this data, you knew that “/cart/” needed a little more info. Specifically you had to append “reserve.cgi” to it. So the whole URL would have been:

https://www.shmoocon.org/cart/reserve.cgi

Several tweeps in Twitterland seemed to figure this out before I did; I saw tweets from @bbaskin, @KPOsborn, and @joerussbowman echoing this suggestion. Congrats to them for being the first to figure it out and post about it. I’m sure others discovered this too but keeping it to themselves has its advantages in cut-throat hacking contests like this one. Several others (@ryancnelson) reported that restarting your browser also worked. And there were some complaints about a bad ticket link on a “cacheable” page that prevented some early risers from accessing valid codes.

Overall, I was guessing the initial link they posted was wrong and either typing it it manually or restarting your browser (only after they fixed the link) to clear the cache worked. The cache part doesn’t make sense though because I was doing a hard refresh (i.e., Shift- or Ctrl-Refresh) in both Firefox and Safari. Apparently, it wasn’t “hard” enough as compared to restarting your browser. For me the story ended after tons of refreshing and the site stating the following message.

Challenge #3 – Enter the Captcha: As you know the next challenge was to entry the Captcha correctly. I could go on about this but 1) I never got there and 2) you can read about my Captcha horror stories in “Ticket Buying War Story.”

The Rest of the Story

Well that’s about it for the first 15 minutes or so. After an hour the ShmooCon folks posted a nice message to explain what happened.

“2010-01-01 17:52:20 : That was fast…

Another round of ticket sales, another adventure. The good news is the new server has way more capacity than the last and the webpage was responsive the entire time. The bad news is we inadvertently redirected the reservation code page to an insecure page (which the webserver won’t allow). We updated the landing page with the right link once we realized the mistake, but at that point we were already so close to selling out that the majority of you were still effected.

The good news is we have logs and have already sent an email to everyone who made it through the reservation process. If you haven’t received an email by now, please try again next year – but also please check back in the weeks leading up to the con as we have more surprises up our sleeves. No not more tickets, but good things none-the-less.

Happy New Year everyone. Our resolution? Do everything we can for a successful ticket sales experience for ShmooCon 2011.”

Yes, the server had WAY more capacity this time; it barely slowed down. Great job!!! Of course the second statement is off some from the little bit of research I did. In the above message, I think they are talking about the page AFTER you successfully choose your tickets and entered the Captcha. It does not address a potential second bad link typo on the Registration page that resulted in the initial 403 Forbidden error I described above.

What do you think happened regarding the bad link on the Registration page? Yadda, yadda, … comment below … and all that.

Regardless, the ticket sales phase is finally over and I imagine that those who wanted tickets either got them or will acquire them through other means. Now it’s on to doing con prep and all the surrounding excitement. See you all in February!!!

But first to get things started, here is a summary of ticket buying lessons learned in case you missed our earlier posts.

• Read and Become Familiar with the ShmooCon Purchase Instructions
• Carefully Enter those Captches
• Look at the Bottom of the Page for the Link to Make Reservations
• Keep Refreshing to Buy Tickets Even if You Get a Sold Out Message
• Keep Trying to Buy Early Bird Tickets Even if You Were Only Able to Get Open or I Love ShmooCon Tickets
• Never, Never, Never Buy ShmooCon Tickets Through a Hungry Work Proxy

All I can say is that I will be at home with a non-proxied Internet connection this time! For all the details on these lessons learned, check out “Buying ShmooCon Tickets – Top 5 Lessons Learned” and “Ticket Buying War Story“. Also head over to PaulDotCom.com for more ShmooCon ticket buying advice in their “The Quest for a Shmoocon Barcode” post.

And here’s a direct link to the ShmooCon Registration page. Now on to some updates…

Over the past month the conference has really started to take form. We’ve had official updates like the wrap-up of the second round of tickets, several speaker announcements, and a listing of the organized contests (can you say Hack-or-Halo, Hacker Arcade, Barcode Shmarcode, TF2 Lan Party, and ShmooBall Launcher Contest?). The good news is, as usual, the community is pitching in to support the conference in many different ways. The following is a short list of some of the contributions we’ve come across.

• ShmooCon Slugs: Can’t find a way to get to the conference? Check out the ShmooCon Slugs site for connecting with people from your local area who are also heading to DC. Not sure what “slugging” is? This nice Wikipedia article comes to the rescue.
• Room Shares: Now once you get to DC, you’ll need a place to stay. The Wardman Park Marriott is running at $180 a night. And that’s the conference rate. I’m guessing they are probably sold out by now so you may even be looking at more. Enter the ShmooCon Room Shares list. This is a simple mailing list with the purpose of helping you connect with others looking to split the cost of a room.
• Twitter Speaker List: What is a con without @mubix helping out in some way? This time he’s pulled together all the announced speakers and made a corresponding Twitter list. This is a great way to quickly find out what the speakers are up to while at the conference.

And for all the official happenings, be sure to visit the ShmooCon 2010 – Latest News page. Beyond these posts, ShmooCon is also getting talked a lot about on many of the security podcasts. For information from the source, we’d recommend taking a listen to Security Justice Episode 20. It includes an interview with Bruce Potter himself. And for the basics be sure to review our ShmooCon announcement post for the regular Who, What, When, Where info.

Well as usual that is all we have for now… Is there anything we missed? Please let us know by commenting below or tweeting this post with your addition. See ya!

///

Be safe in your celebrations this evening, good luck to everyone tomorrow, and follow @grecs for last minute ticket reminders and other ShmooCon updates.

Here’s a time line of my 10 minutes on the ShmooCon site…

12:00: They started up right on time … and guess what … the link to the reservation page is at the bottom again. I clicked the link and patiently waited for the page to load. The response wasn’t fast however after a minute the page finally came up and I filled everything in. There was still one field left though … the fateful Captcha .. but the image was no where to be found. Looking up I found the browser still chugging away downloading a few more items.

12:03: After another 2 minutes the Catpcha finally decided to appear. So I quickly entered and rechecked it. Unfortunately, I wasn’t sure if the thing that looks like an “i” between the “m” and “n” in the image below was something I was supposed to enter or not. I guessed it was an “i” and decided to include it. The site squirmed away for another 2 minutes.

12:05: I finally got a response I didn’t want to get as you can see below. So I went back to the registration page to try again and waited…

12:08: After a few minutes the website informed me that all tickets were reserved. So what does any good ShmooCon ticket-buying fool do … rinse and repeat.

12:10: After a few more tries I was still getting a message that all the tickets were reserved. At this point I went back to main registration page and got the fateful message. A ShmooCon blog post and tweet confirmed everything.

Lessons Learned #6: Never, Never, Never Buy ShmooCon Tickets Through a Hungry Work Proxy

Of course the saddest news of all is that @nathiet wasn’t able to snag a ticket either. Well, there is still one more round left at least. And guess what… it’s on January 1 — a non-work day! No slow lunchtime company proxy to minimize my chances next time.