
Interview: The Shmoo Group

Washington is a city known for a particular type of geek: the wonk. But this weekend, a very different breed of geek will descend on the city, as computer security enthusiasts from across the country gather at the Marriott Wardman Park Hotel for three days of talks, hacking, hanging out and merry-making. It's the second annual ShmooCon, the hacker convention put together by the Shmoo Group, the highest-profile hacker collective associated with our fair city.

The organization was founded in the late nineties by Bruce Potter, and since then has made a name for itself through its tools, discoveries and projects, most of which have a particular focus on wireless security. Potter and fellow Shmoo Beetle Bailey were kind enough to answer some of our questions via email.

NOTE: Except where marked by an asterisk, all hyperlinks have been inserted by DCist in order to assist those of our readers who aren't fluent in geek.

We know you've got a lot of members and can't speak for all of them, but we can't help asking — how did you guys learn all this stuff?

Beetle: I got started in the Army, back in the mid-90s, as one of the only guys on a military base that knew how to boot a computer. After figuring out how to bust every military system I was asked to recover officers' forgotten passwords from, I got turned on to this "security thing".

Bruce: Personally, I was lucky to be involved in some small tech company in Alaska. We were resource constrained in many ways and had to make do with very little. It forced me and the folks I worked with to be very creative in our jobs. I think in general people who are really good in computer security are actually quite creative, and that's more important than "learning" the security stuff you see out there.

Shmoo is an international group, but Bruce lives in the DC area and ShmooCon has been held here both years. Do you have a lot of members in the area? Do you think ShmooCon will always be a D.C. event?

Beetle: I work in the D.C. area, but I live several hours away. Folks joke that I live in Kentucky or something, but it's not THAT far. A handful of the other Shmoo also work in the D.C. area — but they don't live as far away as I do.

For now, I don't see ShmooCon leaving the D.C. area anytime soon. The information security industry loves the beltway, obviously, and I think the nation's capital is at the top of the list of venues for a hacker con. We have loads of talented, geeky people here, and an incessant need for information security issues to be brought to light and discussed — even if just for the Feds' benefit. Hopefully, we can have more than our first two ShmooCons in D.C. — that's really up to the community and its support.

Bruce: Only a small fraction of Shmoo live in the D.C. area. However many of the folks at the core of ShmooCon live here, so that made D.C. the natural choice.

Regardless of the markets and tech trends, information security will always be in vogue in the Metro D.C. area. It makes it a great place for a security conference... and a security community in general. When I lived in Northern Va., I hung around with security professionals from industry, civil agencies, and the military. Even with the diversity of employers, we all pretty much cared about the same stuff. D.C. is a great place to be if you're into security.

Shmoo does a lot of work with wireless security, which obviously involves being somewhat near a target. I'll go out on a limb and assume you guys have done some wardriving in the area — how does D.C.'s wireless security stack up? Do you worry about auditing folks' networks in a city with so many secrets?

Beetle: Heh. Cazz and I did a wardrive for an NPR reporter several years ago, in and around D.C. We made a LOT of jokes during that drive about what we saw while in the nation's capital, most of which never made it to air. Naturally, since then, I've heard my share of horror stories — everything from traffic management sign modifications to gobs of Internet and corporate file access via very high-profile .mil & .gov contractor open APs.

The problem isn't really the companies and three-letter orgs' security policies and enforcement as much as their employees who just aren't conscious of the ramifications of placing an open AP on their Intranet. The "insider threat," which D.C. is painfully aware of thanks to all the spy stories, is all-the-more deadly thanks to $30 access points that idiot contractors with a few Microsoft certifications are jacking in for their own convenience. Add to that actual bad guys that want to exfiltrate secrets, and D.C. is quite the hotspot (no pun intended).

This is where Bruce is going to call "bullshit" and say proper network configuration and blah blah blah should solve all of that, and the orgs ARE to blame, but I'm simply talking about a social problem that, even in a security-scared town such as D.C., is still prevalent.

Bruce: Heh... that reminds me of a sig file I read the other day on social darwinism that was something to the effect of "if you build an idiot proof system, the world will build a bigger idiot".

We'll always be chasing our tails with respect to wireless security. Technology will get better. However, sometimes things will be configured and used properly and sometimes they won't. There are MANY more options for those looking to do secure wireless now (versus a few years ago) but folks will still do it wrong.

I really don't see the D.C. area different from any other major metro with respect to wireless. I'm not worried about all the "secrets" in this town. I'm way more worried about getting tagged as a terrorist as I'm walking around with a big antenna and a laptop while wearing a black t-shirt. :)

Most of our readers probably don't know what goes on at a hacker convention. If someone was to wander into ShmooCon, what should he expect to see?

Beetle: Walking in to ShmooCon, you'll see plenty of unassuming yet smart folks congregating and chatting up security issues as well as just goofing off with gadgets, video games, their laptops, and each other. There's smoking, there's drinking, there's socializing, etc. But more importantly, there's clue. These are people that are spending their weekend away from work / school, whether it's pulling cable or fixing firewalls or writing exploits, to soak up more information from other information security / technology enthusiasts. I say enthusiasts instead of professionals, because that's really what you see at a hacker con: good people who are genuinely enthusiastic about geeking out. With style and attitude, perhaps.

Bruce: Yeah, I think there's a stigma about hacker cons given the history of cons like DefCon. They used to be really far out there. However, the scene has changed over the years and is much more focused on clue, as Beetle points out.

Do you think ShmooCon attracts a different crowd from other hacker conventions like DEFCON and TOORCON? In general, how do you think DC geeks compare to their peers in other parts of the country?

Beetle: More Feds and serious IT folks with shoulder bags instead of backpacks? I dunno. We see a LOT of the same folks, actually. Our hacker friends we're hanging out with at DefCon and ToorCon — a lot of them end up coming to ShmooCon. The GhettoHackers, DefCon Forum people, or Keith the infamous hacker con DJ, for example. We were literally shocked at how much West coast support we got last year, but we have close ties with DefCon, ToorCon, and LayerOne people, so it's a friendly con for them, I think. Funny thing, we see plenty of our fellow D.C.-area geeks at West coast hacker cons, too — but usually only a handful of other times on the East coast. So we're catching up with D.C. geeks at ShmooCon in D.C., since we're too busy in the beltway to do it any other time of the year. Man, we suck.

Bruce: I agree. I think that there's a lot of the same crowd as some of the other hacker cons. And, you'd be shocked how many DC area folks go to BlackHat and DEFCON each year. But I think there's still quite a number of folks that only go to local cons for a variety of reasons. I know there are some high school students making the trek on a shoestring budget from NYC who probably wouldn't be able to make it to one of the west coast cons.

And I think the D.C. area security geeks tend to wear more polo shirts and have shorter haircuts than their western counterparts. They really stick out.

You guys have released a lot of tools that could potentially be used for nefarious purposes. Rainbowtables helps people crack passwords; Airsnarf can be used for phishing; and you disclosed the web browser IDN vulnerability without suggesting a fix. Do you worry about what people might do with your work?

Beetle: No. The real bad guys, that are getting away with it, write their own shit and don't even need a leg up from us. We aren't even on their radar. And the people that download anything we've presented in a public forum and decide to use it for the wrong reasons, well, those people obviously suck and will probably get caught. No worries, right?

You'll note we don't churn out 0-days at shmoo.com — not because we don't have badass Shmoo RE skilz in the group, yo, but because 0-days aren't what drive our membership. We really try to operate and engage each other at a higher level. We get people thinking about the next issue. The IDN release wasn't about a 0-day as much as it was identifying a massive failure in cooperative trust and standards implementation in multiple parts of the Internet experience — domain registration, certificate authorities, AND browser vendors. That's also why there was no easy "fix" we could issue. Generally, you can't just "patch" the shit we bring to light. We strive to just keep pointing at the naked Emperor and raising security awareness through our day-to-day interactions with others and obviously, through our public presentations — which may appear irresponsible to some people. Disclosure, responsible or otherwise, is a testy topic — and one we're happy to have people discussing this year at ShmooCon.

Bruce: What we try to do (as Beetle pointed out) is raise awareness. The tools that have been released over the years have (hopefully) made people understand more about the security problems in the computer systems out there.

Unlike some other hacker groups, most of Shmoo's members make their names and email addresses public. Given that, do you worry about the legal implications of your work in light of the DMCA, the proposed INDUCE Act, and similar legislation?

Beetle: I'm confident that I'm one of the good guys and that my fellow Shmoo are, as well. If we face litigation in trying to inform the public with regards to how their security is at risk, that's obviously a shame, but it's a real risk these days — as was made evident at Black Hat this year. Michael Lynn is an Internet superhero for many folks, because he had the balls to face litigation for revealing serious software flaws that could potentially render the 'net infrastructure useless — ironically, the same infrastructure that those litigators depend on for a living. This summer was an eye-opener for plenty of hackers. Keep it to yourself, or post flaws anonymously. Didn't you know?

Some clued-in congressman needs to introduce an information security whistle-blower bill that protects information security researchers from being literally bankrupted by Fortune 500s with a DMCA / INDUCE hard-on, when the researcher's intent is to protect the public or, similarly, empower the consumer. And adhering to the toked-out and potentially corrupt "responsible disclosure" ideals of corporate America should not be a legal requirement.

It boils down to a safety issue. Coal miners aren't sued when they tell CNN their mine is unsafe and give documented proof of corporate avoidance / delay to fix the safety issue. Fired perhaps, but not sued — certainly not ARRESTED. Same concept. Our day-to-day lives, closely tied to the economy and various forms of communication, have come to rely on the Internet as a critical resource. Security researchers like Michael Lynn shouldn't face fear of reprisal for letting the world in on a corporate dirty secret with regards to Internet safety, one that has evidence of potentially being exploited by real bad guys even. They are Internet safety whistle-blowers. Internet safety superheroes. They should be treated as such. And y'know, a whistle-blower bill shouldn't even be needed, it's sick to think otherwise, since that little First Amendment thingy should cover saying such things in the public's best interest.

I better shut up now before I get fired, sued, or worse.

Bruce: Wow.... how to follow that up? Well, personally I use my real name because I don't want people to think I have anything to hide. There are a lot of hard problems out there that need to be solved and I hope that the Shmoo Group is helping solve them. By using our names and being public about what we do and why, I think we're more likely to be viewed as honest partners in solving these problems than a bunch of black t-shirt wearing punks.

I for one, actually own a few non-black t-shirts.

Do you have any advice for our readers about how to avoid becoming the target of a misguided Shmoo devotee?

Beetle: The Internet's a nasty place. Perhaps abstinence is best? heh. For Shmoo's sake, NEVER connect your computer directly to your cable or DSL modem, i.e. the Internet. Use a firewall. Purchase low-limit renewable & throwaway credit cards like GreenDot to use for Internet purchases. Don't look at or reply to any email from someone you don't know. For important online accounts create long & strange & misspelled passwords that are easy for you to remember (but change them every 6 months). Don't use public wireless networks to do anything important on the Internet. And use an Apple computer.

Bruce: Heh. I don't use anti-virus, anti-spyware, or host firewalling on my Windows PCs at my house. For years and years I've had absolutely no problems with them. My wife and I know and practice safe computing practices (not clicking on random links, not opening unknown attachments, good passwords, etc.) and using common sense has worked well. Last year my 14-year-old brother-in-law showed up for a vacation at my house. 48 hours after his arrival, my Windows PCs were totally 0wn3d. Spyware, trojans and other nasty things were all over the machine. I ended up blowing it away and reinstalling from scratch.

The moral of the story? Education and common sense are the ways to keep yourself out of trouble. The problem? You can't educate everyone. Really, the best thing to do is to put pressure on the vendors so that they build more secure products. Unless the vendors fix their shit, people will always be targets.

Some of the guys from L0pht once testified that they could take down the entire internet within thirty minutes. Care to make any bold pronouncements of your own?

Beetle: 31 minutes, tops! Heh. I do have a bold pronouncement, and you can imagine what technology is involved, but I'd better save it for our own Senate hearings. Or perhaps ToorCon this year. ;)

Bruce: Most of my career has been spent doing defensive activities (securing systems, not attacking them). A prediction (rather than a pronouncement) is that the technology developed by the Trusted Computing Group* is going to change the face of information security dramatically over the next 10 years. I wrote an article on this idea if your readers are interested in learning more: http://www.informit.com/articles/article.asp?p=428905*.
