Ok, now that I’ve had a week to recover from ShmooCon, I just wanted to officially wrap up the FireTalks for this year with a quick post announcing the winners and pointing to some other related resources.

This year had 12 awesome presentations but only three could come out on top. The judges ranked each talk from 1 to 10. At the end we added them up to determine the winners. For 2011 the ShmooCon FireTalk winners are:

• Second Runner Up: Lisa “@llorenzin” Lorenzin – “What I Learned about Security at Burning Man”
• First Runner Up: Dave Marcus – “Using Social Networks to Profile, Find andOwn Your Victims”
• Grand Prize: Schuyler “@Shoebox” Towne – “We Need to Start Attacking Disc Detainer Locks”

Once again congrats to the winners! Schuyler won an iPad provided by Astaro while Dave and Lisa won an Asus netbook and a $100 ThinkGeek gift certificate, respectively. Aplura provided the two runner-up prizes.

Also if you are not on Twitter and haven’t heard @irongeek_adc had the FireTalk videos out on Monday after the con. Wow, what an amazing job to get them out that fast! Thanks Adrien. You can find them here. And for those that were able to watch live, please also send a big thank you to @vincentkadmon.

I’ll update the master post with all this information where you should be able to find everything.

Once again I like to thank everyone involved in making FireTalks happen this year. From awesome sponsors (Aplura and Astaro) to the many volunteers (Jack “@jack_daniel” Daniel, Adrian “@irongeek_adc” Crenshaw, Georgia “@vincentkadmon” Weidman, Mike “@rybolov” Smith, Nathi “@nathiet” Thwala, Jason “@jasonmoliver” Oliver, “@DaKahuna2007“, and Mike “@theprez98” Schearer), our recruited judges (“@shrdlu”, James “@mycurial” Arlen, and Melanie Smith), and especially the ShmooCon team (“@heidishmoo“, “@gdead“, and everyone else involved in Team “@shmoocon“). Thanks for a great time and another successful year. See ya!

Ok, less than one day until the big event starts. Oh, ShmooCon starts too. And as usual I am waiting until the last minute … this time to put out the FireTalks speaking schedule. Also if you haven’t noticed already on the FireTalks master post, we’ve already listed the top three prizes. Well without further ado, here is the schedule.

Friday

Saturday

Note to the Presenters: Please Contact Us if there are any errors or omissions and we’ll try to get it updated ASAP.

Finally, all these esteemed speakers have the opportunity to win one of the following prizes.

#####

Well I think that is about it… We look forward to seeing everyone tomorrow night. See ya!

Well only three days left until the start of ShmooCon 2011 and we are busy putting the final touches on this year’s FireTalks. We are finally ready to announce the speakers, welcome a new sponsor, and note a minor room change. And as always for all the details in one place, head on over the the FireTalks master post.

In no particular order here are the speakers and their talks we’ve confirmed so far.

• Ralph “@RalphBroom” Broom & Danny Gottovi: Protocol Security: You’re (Still) Doing It Wrong
• Irongeek “@irongeek_adc“: Intro to I2P
• Rick “Zero_Chaos” Farina: Radio Chaos: Why Retired Men Know More about Hacking than You Do
• Lisa “@llorenzin” Lorenzin: What I Learned about Security at Burning Man
• DaveMarcus: Using Social Networks to Profile, Find and Own Your Victims
• Raphael “@armitagehacker” Mudge: Armitage: Cyber Attack Management for Metasploit
• Michael “@theprez98” Schearer: Net Neutrality, the FCC, and the End of the Internet as We Know It (in 15 Minutes or Less)
• Jimmy “@shah_jim” Shah: Mobile Botnets and Rootkits: An Overview
• Gal “@shpantzer” Shpantzer: Security Outliers: Cultural Cues from High Risk Professions
• Valerie “@hacktress09” Thomas: Gurlz Rule and Boys Drool: How a Hacktress Can Take Your Social Engineering to the Next Level
• Schuyler “@Shoebox” Towne: We Need to Start Attacking Disc Detainer Locks

Also joining Aplura, LLC we’d like to welcome Astaro as another FireTalks sponsor! I think we pretty much have the top three prizes covered however if you want a quick mention at the event and be listed on the master FireTalks page, feel free to pass some cash or goodies along our way. I’m sure we’ll make good use of it. If you are interested just Contact Us and we’ll follow up with you.

Finally, Team Shmoo notified us that due to a last minute room change, we will now be in the International Ballroom – West instead of the Jefferson rooms. Sounds like we’re moving up…

#####

I hope to get the final schedule out tomorrow so be on the look out for that. Wow, only three more days!!! See ya (soon)!

One of the guys we reserved a ShmooCon barcode for had to drop out at the last minute and so we thought we would auction their ticket off with all proceeds going to Reverse Space. For those that don’t know .. Reverse Space is an awesome new a 5,500 sq. ft. hacker space in Herndon, VA just outside of Washington, DC. It has equipment for rapid prototyping, reverse engineering, building, and computing in a group environment.

The auction just started and will last 24 hours until midnight on January 25th. So head on over to our eBay listing to get started.

#####

Good luck to everyone out there and we hope to see you at ShmooCon this weekend. See ya!

We just wanted to put out a quick update regarding the FireTalks coming up in less than 10 days at ShmooCon this year.

First, we made some slight adjustments to the start times on the master post to sync with the ShmooCon official schedule. So that means that the FireTalks will be starting at 8:00 PM on Friday and Saturday. Although the schedule shows the FireTalks only going an hour, I’m guessing it’ll probably go over since we originally planned for two hours.

Also we are still in need of some sponsors. Currently we are looking for two more prizes to give away. Price-wise we are looking at anything between $200 and $500. Also if anyone wants to throw some extra cash our way, we’ll be sure to buy some Think Geek goodies to give out to attendees. As originally stated sponsors get their logo placed on the master FireTalks post and in some of the update posts as well as several mentions during the event. Please contact @jack_daniel if you are interested in sponsoring. As a backup you can Contact Us and I’ll forward the information on to Jack.

Regarding current sponsors, we’d like to thank Aplura, LLC for providing an Acer Aspire One netbook as well as a cash donation for some extras.

#####

Be on the lookout … speaker announcements are coming soon. See ya!

We really enjoyed running FireTalks last year. It was a great chance to meet a lot of the online friends we made up to that point. With the completion of the third round of tickets and some coordination calls with the ShmooCon team, we proudly announced the ShmooCon 2011 Firetalks!

If you followed the FireTalks in the past, this year’s was essentially run the same however there were a few differences we noted. First, instead of having four 15-minute sessions each night, we expanded up to six. We hoped to accommodate many of the awesome submissions that the ShmooCon team was not able to accept due to the finite number of speaking slots. Additionally, we ran the CFP a little more like a traditional conference instead of on a first-come-first-serve basis. The goal was to have a nice mix of established and new speakers. But other than those two changes, most everything else remained the same.

For all the latest happenings, check back to this post periodically. It was the home for any and all information relating to the ShmooCon 2011 FireTalks. You could have subscribed to our main RSS feed or followed us on Twitter at @novainfosec since we put out short “update” posts with just the new information and a pointer back to this “master” post. And as usual … I regularly updated my Twitter stream at @grecs with all the information using the #firetalks tag. If you need to quickly refer back to this post, you could have also used the longish bit.ly link we created at bit.ly/shmoocon2011firetalks.

Anyway … here were the logistics for this year’s FireTalks in traditional NovaInfosecPortal.com form:

• Who: ShmooCon/NovaInfosecPortal.com
• What: ShmooCon 2011 FireTalks
• When:
  • CFP Due Date: 1/23, midnight EST
  • Event: 1/28, 8:00 PM & 1/29/2011, 8:00 PM EST
• Where: Washington Hilton Hotel (1919 Connecticut Avenue, NW Washington, DC 20009; International Ballroom – West [where the Bring It On track will be])

For a historic look at the whole FireTalks idea, please check out the History section of last year’s post. From @catalyst, @mubix, @carnal0wnage, and many others, we are standing on shoulders here. Now onto what happened with this whole FireTalks thing…

Speakers/CFP

We had six 15-minute speaking slots each night. Hopefully, the talks provided a nice mix of established and new speakers. Here was the 2011 schedule.

Friday

For those that missed it, here was the video for Friday night…

Saturday

And here was the video for Saturday night…

To ease our submission load, we used the free EasyChair Conferencing System. We used it to handle submissions for AppSecDC this year and it worked nicely. It just required that you create an account, login, and select Submissions from the top menu. From there just fill out as much information as you can and hit the submission button. To get started head on over to the EasyChair SC2011FT portal. Note that the CFP closed 1/23 at midnight.

Prizes/Sponsors

Similar to last year we had prizes for the top 3 presentations provided by some awesome sponsors. The top speakers were based on a 3-person panel scoring each presentation from 1 to 10. In case of a tie, we had a secret forth person pick the final winner.

Here were the sponsors for this years event…

This year had 12 awesome presentations but only three could come out on top. For 2011 the ShmooCon FireTalk winners were:

• Second Runner Up: Lisa “@llorenzin” Lorenzin – “What I Learned about Security at Burning Man”
• First Runner Up: Dave Marcus – “Using Social Networks to Profile, Find andOwn Your Victims”
• Grand Prize: Schuyler “@Shoebox” Towne – “We Need to Start Attacking Disc Detainer Locks”

Once again congrats to the winners!

Volunteers

Of course this event would have been nothing without all the people that helped us put this thing on. Please give a big shout out to the following folks.

• Jack “@jack_daniel” Daniel (sponsorship)
• Adrian “@irongeek_adc” Crenshaw (session recordings)
• Georgia “@vincentkadmon” Weidman (backup session recordings; streaming)
• Mike “@rybolov” Smith (fireplace; judging panel)
  • “@shrdlu”
  • James “@mycurial” Arlen
  • Melanie Smith
• Nathi “@nathiet” Thwala (TBD)
• Jason “@jasonmoliver” Oliver (security – the physical kind)
• DaKahuna “@DaKahuna2007” (A/V coordination)
• Mike “@theprez98” Schearer (timer)

Related Posts

• CFP / Sponsor Support
• Update 1 (aka – Time Change & Sponsors Needed)
• Update 2 (aka – Speaker Announcement & New Sponsor)
• Update 3 (aka – Schedule & Prizes)
• Update 4 (aka – Winners, Videos, & Slides)

#####

Well that is pretty much it…. Thanks for all the support. See ya!

Although many of the details are still being worked out we wanted to put out a quick post to announce the ShmooCon 2011 FireTalks CFP and solicit sponsors.

This year we are planning on having up to eight 15-minute speaking slots each night depending on the final discussions the ShmooCon team is having with the conference hotel. We are hoping to accommodate many of the awesome submissions that ShmooCon was not able to accept due to the finite number of speaking slots. If you are already speaking at ShmooCon, please be considerate and leave submissions open to others. Other than that … the only thing we are looking for is a nice mix of established and new speakers.

To ease our submission load, we will be using the free EasyChair Conferencing System. We used it to handle submissions for AppSecDC this year and it worked nicely. It just requires that you create an account, login, and select Submissions from the top menu. From there just fill out as much information as you can and hit the submission button. To get started head on over to the EasyChair SC2011FT portal.

Similar to last year we will have prizes for the top 3 presentations and are looking for sponsors willing to put forward some awesome contributions (maybe a few iPads … one for the organizer too ). You’ll get your logo placed on the master ShmooCon 2011 Firetalks post, some of the update posts, and several mentions during the two night event. Use the Contact Us link above or mention @grecs on Twitter to get in touch with us if you are interested in sponsoring.

#####

Stay tuned for more details on the ShmooCon 2011 Firetalks. Further posts will provide all the necessary details. See ya!

So I’m finally getting around to getting this post out… I just wanted to close this whole series by announcing the winners and again thanking everyone for helping make it a success.

As you can see below, I’ve only gotten links to a few presentations. If you still need to post your presentation, please let me know via Contact Us or mention @grecs on Twitter and I’ll update this post as I get them.

Presentation Summaries

First, I like to put up some short synopses of the talks written by Justin Monroe and Chris Wheeler. They were a tremendous help both nights paying attention to the actual content while I coordinated everything.

Social Engineering Toolkit v0.4 Overview (David “ReL1K” Kennedy)

ReL1K released the newest version of his “Social Engineer’s Toolkit.” Version 4, codenamed “Pink Pirate” was released Saturday in the BackTrack4 repository as well as his website, secmaniac.com. The framework is a python driven open source suite which makes use of Metasploit Framework’s client-side attacks (PDF, Aurora, etc), and has the ability to auto-target a client operating system. It also integrates with G-Mail and sendmail to streamline sending phishing e-mails to targets.

SHODAN for Penetration Testers (Michael “theprez98″ Schearer)

SHODAN, a meta-data search engine for application banners was presented by theprez98, who showed several demonstrations of its usefulness. The engine stores OS version, country, open ports (currently only 21, 22 and 80), and makes the data easily searchable. As the engine stores banners from each service, it is not uncommon to find default configuration information in the header (such as a default password), as well as the version information of the service. At the time of the presentation, there were apparently 136 machines still running Windows NT 3.9. (slides)

Influencing Security (Marcus J. Carey)

In a presentation about influencing security, Marcus J. Carey took a philosophic approach to solving security issues. Likening the decrease in HIV infections in Thailand by means of peer pressure, he suggested that security professionals persistently teach users about information security, instead of doing training once a year. He also stressed a non-adversarial role with the people the policy is designed to protect, and instead of treating them poorly when the policy was broken.

Funnypots and Skiddy Baiting (Adrian “IronGeek” Crenshaw)

IronGeek presented some of his endeavors in “Funny Pots and Skiddy Baiting,” loosely defined as “messing with the people trying to break into your machines.” He suggested mapping loopback addresses (127/8) to a subdomain on your network, and then encouraging them to break into the machine at that hostname. If they manage to get in, they may own their own machine. Other fun endeavors included mapping your hostname to that of another website (say, 12.120.54.169), “lemon” wiping a drive with an arbitrary pattern of data for forensic investigators to find (coined from the “lemon party” shock site). He also demonstrated a robots.txt redirect, where snooping users would get redirected to shock sites when they visited the “Disallow” directories. His final and perhaps most humorous website involved using php-ids to detect attacks against a website and have Clippy pop up to help with their failed attempts. (slides)

Browser Fingerprinting Using a Stopwatch (Nicholas “aricon” Berthaume)

Aricon demonstrated how to more accurately fingerprint browsers based on more than the user-agent, HTTP headers, and Javascript. WebApp scanners often spoof headers, making it useless to fingerprint an attack. The timing and download order of images can be used to accurately fingerprint a browser using some custom mod_security rules. Differences start to show with basic HTML, but adding images and more content gives a much more accurate result. He did mention that plugins such as Greasemonkey, AdBlock Plus, and NoScript skew the results, as do VPNs, SSH tunnels and other proxies. He plans to release the mod_security ruleset and his fingerprinting scripts on his website. (slides)

Pentoo (Zero Chaos)

Zero Chaos, a Pentoo developer, was met with a barrage of Shmoo balls at the start of his presentation. Pentoo is a lightweight penetration testing distro based on Gentoo. It can be run from a Live CD and uses only 200MB of RAM. Pentoo is updated with the latest utilities and kernel configurations. Pentoo also has 13 users worldwide ( ), and began development before BackTrack.

Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie (Benny “security4all” ???)

@Security4All gave a presentation on “sleep hacking,” discussing human sleep cycles and how to get more energy out of sleep. Although monophasic, humans are better suited to a polyphasic sleep cycle. Biphasic sleep involves getting 6-7 hours of sleep per night, and a nap at noon. Spain has institutionalized this cycle through siestas. For those who wish to get more out of their day, the everyman cycle provides 4 thirty minute naps, and a 2-3 hour block of sleep at night. Those looking to gain a sickening about of extra time in their day can try the uberman, characterized by 6 twenty minute naps per day, and separated by a four hour period of being awake. Also, for those who need the extra kick, drinking coffee before taking a nap increases the nap’s effectiveness, so long as the nap is kept to twenty minutes. There are also sleep cycle apps in the iTunes store to help adjust to the different sleep cycles. (slides)

Payment Application – Don’t Secure Sh!t (PA-DSS) (Christian “cmlh” Heinrich)

Christian Heinrich gave a presentation entitled “Payment Application – Don’t Secure Sh!t.” The presentation characterized the differences between the PA-DSS, PCI-DSS and PCI-PTS standards, focusing primarily on the strengths and weaknesses of PA-DSS. Visa has mandated compliance of all machines with this standard by 12 July 2012. The PA-DSS standard also depends on the PCI-DSS standard, as there is no sense in reinventing the wheel. It does contain a sunset clause for securing wireless data with WEP, as the newest revision mandates WPA, as well as mandates secure remote software updates through a system like SSL, although the most recent attacks on SSL have not been considered. (slides)

Wow, excellent summaries from Justin and Chris. Thanks again guys! Additionally, every one of the speakers should have gotten a parting gift sponsored by Trusted Signal. And if you want to relive the excitement of the Firetalks, be sure to check out IronGeek’s FireTalks from Shmoocon 2010 page. One of the things you may notice in the videos is the beautiful fireplace that helped cozy up this event. Mrs. Rybolov was kind enough to make this piece from scratch … and speaking of Rybolov, he himself provided a tremendous amount of coordination throughout both nights. Before moving on to announcing the winners, I’d also like to thank the ShmooCon team (go Heidi & Bruce and the rest of The Shmoo Group!) for allowing us to host this event in conjunction with ShmooCon and providing space, a projector, and audio!

Prize Winners

Now on to the prize winners …

3: Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie

security4all won at $75 Think Geek Gift Certificate from nVisium Security.

2: Social Engineering Toolkit v0.4 Overview

ReL1K received a 32GB Kanguru e-Flash brought to you by nVisium Security.

1: SHODAN for Penetration Testers

thePrez98 won the grand prize of a Acer Aspire One D250 Netbook provided by Hurricane Labs.

Congrats to everybody!

///

For all information regarding this year’s Firetalks and links to related posts, see the ShmooCon 2010 Firetalks master post. On a personal note I had a lot of fun pulling this whole thing together and it was great to meet so many awesome people that I’ve only previously chatted with on mailing lists, Twitter, etc. I look forward to trying to keep up with everyone throughout the year and maybe (if  I get lucky in the ShmooCon ticket lottery ) next year at ShmooCon. See ya!

Not too much has happened since last week … just tons of small stuff. We are still looking for some “prop” sponsors as well as alternate speakers. Also there are a few logistical changes we wanted to announce. Read on for all the details…

Sponsors

Most of the sponsorship opportunities have been covered however we are still looking for a few of the props. Specifically, there is a Countdown Timer, Gong, and Logo (see the master ShmooCon 2010 Firetalks post for more information on these items). Out of these, I’d say the most important one is a Countdown timer. So if you don’t have a big budget but would like to help out, you can always volunteer to bring one of the above items. If you are interested, either contact us or mention @grecs on Twitter.

Speakers

Although all the official speaking spots are full as reported three weeks ago, we are still seeking people to add to our Alternates List just in case any of the confirmed presenters are unavailable. If any of the speakers are not present, we’ll just start calling people from the top of the list. At a minimum you’ll get some PR with your name and presentation title on the master ShmooCon 2010 Firetalks post.

To submit a talk, use the Contact Us link above. Enter your name as you want it to appear and use FireTalks as the subject. In the Message area please include the title of your talk as well as a one paragraph summary of your presentation. You can also include a link to your website or preferred social networking profile and we’ll link your name off to this site/profile.

General Logistics

CapSecDC is organizing a Bar Crawl for sometime on Friday night. Based on discussions with them, they’ll probably be starting before the Firetalks. Instead of having to choose between the Firetalks and the Bar Crawl, we are working with them so FireTalk attendees can easily join up with the crawl midway. The general idea would be that they would be at a specific location around 10:30. That way anyone from the Firetalk session could just meet up with them to continue to enjoying the evening.

CapSecDC aren’t the only ones we’ve been working with. It just so happens that the Podcasters Meetup was originally scheduled to start the same time as the Firetalks on Saturday at 8:00 PM. After a few email exchanges we’ve realigned our start times to benefit all! The new plans are that the Podcasters Meetup will start at 7:30 instead of 8:00 and the Firetalks will start at 8:30. This will allow attendees to take part in both events. It does push the Firetalks a bit far into the Saturday night party … but you should still have plenty of time to enjoy it (assuming you can make it there with all the snow ).

In other logistical news we’ll be having several helpers run the Firetalks. Mike “rybolov” Smith will be assisting us as well as a pair of interns, Justin Monroe and Chris Wheeler. Thanks guys! Additionally, we are still finalizing the exact location but we previously heard we’ll be in one of the Wilson rooms.

And the big news is that Dual Core will be providing some entertainment to get the Firetalks started as well as playing some good nerdcore in-between the speakers on Friday. We’ll have to spin our own on Saturday as they’ll be getting ready at Heaven & Hell. Any volunteers?

///

This will be our final post … so from here on out, please check the ShmooCon 2010 Firetalks master post for the most up to date information or follow @grecs on Twitter looking for the #shmoocon and #firetalks tags. As usual, we’d like to thank the community for getting the word out and can’t wait to see everyone on Friday. See ya!

With ShmooCon only a few days away and things getting announced left and right, we thought we’d put together a little plan of what we wanted to focus on. It didn’t take long to figure out that since there was just so much going on, we should probably create a little one page cheat sheet for the conference. Now this isn’t anything too amazing but we find it useful and thought we’d share it out with everyone else.

We started with a simple matrix and then populated it with the different talks and other official activities. Then we hit Twitter and some mailing lists and pulled together a good little list of “Side Activities.” As part of this we also found some other interesting things going on, so we created an area called “Interesting Things.” We also came across a bunch of various Twitter users or tags being used for certain events so we threw them in and provided some structure. I’m sure you get the point by now.

Anyway, check it out here – ShmooCon 2010 Cheat Sheet.

I’m sure we missed a bunch of things so please comment below for updates we should make. We are in particular need of information pertaining to other “Side Activities,” “Vendor Contests,” “Interesting Things,” and “Suggested Twitter Tags.” Also, there is also a lot white space left … so let us know of any new areas we should add. See ya!