From hallway debates over what’s working in cybersecurity to idiosyncratic displays of oddball humor — such as eating Batman cereal from 1989 — the annual hacker conference ShmooCon has been attracting an eclectic mix of techies, academics, lawyers and policy researchers since 2005. This year was no different. More than 1,600 people gathered at the Washington Hilton in D.C. to see old friends, make new ones, and, of course, talk infosec. “This isn’t just about professional growth, it’s networking, it’s a time to be with friends and fellowship,” said ShmooCon co-founder Bruce Potter. Here are five big takeaways from this year’s conference:
1. Community reigns supreme
Throughout ShmooCon, a sense of hacker community was ever present. It came from the welcoming spirit among attendees as well as the sheer number of volunteers running the show. You could sense it throughout the conference, whether people were talking shop about software bills of materials, competing in the multiple contests open to attendees, trading titles at the book swap, or throwing “ShmooBalls” (a small soft ball given to every attendee to throw at presenters for fun or to express displeasure). And then there was the giant rock, paper, scissors contest. “[ShmooCon] absolutely does not happen without the amazing ShmooCon staff … and of course support from the community at large,” said conference co-founder Heidi Potter.
2. State hacking laws may need updating
Security researchers often work in a world without definitive answers, attack attribution being one example, and the law governing what they can legally research can be just as unclear. Harley Geiger, a lawyer who focuses on data privacy and cybersecurity at the law firm Venable LLP, gave a much needed rundown of the complex U.S. hacking laws and some recent changes. Biggest takeaway? The federal government isn’t as concerned with prosecuting legitimate cybersecurity research, but states are another story. The Computer Fraud and Abuse Act and the Digital Millennium Copyright Act have changed in recent years to generally favor security research, and the Department of Justice has adopted a policy of not charging hackers who engage in good-faith security research. States, however, are more erratic and can pose some of the “greatest risk to legal research,” Geiger said. Some states, he said, such as Washington, have explicit protections for security research, but others, such as Maryland, have broad laws that do not consider a researcher’s intent.
3. Railway cybersecurity needs more attention
While software vulnerabilities in cars have often dominated headlines, a presentation by Brian Butterly took us from the beltway to the tracks with his talk on cybersecurity concerns within the railway industry. Butterly pointed out that a culture gap exists between the engineers who are concerned about physical safety and the cybersecurity professionals who focus on digital defenses. Additionally, infosec pros working in this industry must think about long-term solutions to defend railways, as the software and systems that run trains are rarely updated. As in most other industrial sectors, digitization is increasing connectivity as well as risk.
The Transportation Security Administration released cybersecurity regulations for the railway industry late last year. Hopefully, the industry and policymakers don’t need a Colonial Pipeline equivalent before greater strides in this industry are made. “[Railway operators have] learned about safety the hard way. So now the challenge is for them to understand security without learning it the hard way,” said Butterly.
4. China’s hacker underground survives under tight internet controls
A presentation from Mao Sui, a cybersecurity analyst at LookingGlass Cyber Solutions, explained how the Chinese online underground operates within a heavily controlled internet. While many cybersecurity reports focus on Russian hacker forums and leak sites, China’s underground market is a mature ecosystem that has somehow managed to survive under an authoritarian government. The operators of these forums have created their own kind of code language to evade censors. The digital black market also operates on the clearnet. Sui pointed to fake storefronts that, to an unsuspecting netizen, could simply look like a random online marketplace. Instead, they sell illicit contraband or offer illegal services such as online gambling.
5. Flipper Zero highlights intent
Security researcher Christopher Forte presented on the gamification of the popular Flipper Zero hacking tool, showcasing how the toy-like device can cause real-world harm. In one anecdote, Forte described how he and some friends hacked into a jukebox app used at restaurants and bars to control the music: they not only overplayed songs at a bar, but also messaged unsuspecting users directly through the app. That could turn an app designed for playing your favorite songs at a restaurant into a tool for scammers, Forte noted. “It’s the mindset. It’s how it can be applied. It’s how you can take something and turn it very malicious very quickly if you had the right intention.”