ShmooCon XX (Final)

January 10-12, 2025 · Washington, DC · 55 talks

The 20th and final ShmooCon — the beloved east coast hacker convention's commencement ceremony.

→ See editor’s top picks at ShmooCon XX (Final)

• Opening Remarks, Rumblings, Ruminations, and Rants — Bruce Potter

  This article delves into the opening remarks of ShmooCon's 20th anniversary, delivered by co-founder Bruce Potter, with significant contributions from Heidi (uncredited in the official speaker list…

• TaskMooster — Unknown

  The "TaskMooster" presentation at ShmooCon is a notable departure from the typical technical deep dives and vulnerability disclosures often found at cybersecurity conferences. Instead, it presents…

• I Just Wanted to Charge the Car — Richo Butts

  In "I Just Wanted to Charge the Car," Richo Butts, a seasoned security professional and motorsport enthusiast, takes the ShmooCon audience on a compelling journey through the world of IoT security…

• Software Screws Around, Reverse Engineering Finds Out: How Independent, Adversarial Research Informs Government Regulation — Andy Sellars, Mike Specter

  In "Software Screws Around, Reverse Engineering Finds Out," Andy Sellars and Mike Specter deliver a compelling argument about the critical, yet often unacknowledged, role of independent, adversarial…

• The Cost of an Incident — Amanda Draeger

  In "The Cost of an Incident," Amanda Draeger, a Cyber Risk Engineer, dissects the multifaceted financial implications of cyber incidents, offering a critical perspective for security professionals…

• Future Breaches and Past Disasters: Volunteering with ITDRC — Impos73r

  In his ShmooCon talk, "Future Breaches and Past Disasters: Volunteering with ITDRC," speaker Impos73r (Ian Furr) provided a compelling look into the critical, often unsung, work of the **Information…

• Lighting Up ShmooCon: Interactive Light Wands for an Epic Opening — Rob Joyce

  In "Lighting Up ShmooCon: Interactive Light Wands for an Epic Opening," Rob Joyce, a well-known figure in the security community, takes attendees on an unexpected journey into his passion for…

• Multi-Sector/Industry Hobo: Rules of Riding the Security Rails — Amélie Koran

  Amélie Koran's ShmooCon talk, "Multi-Sector/Industry Hobo: Rules of Riding the Security Rails," offers a profound and unconventional perspective on the cybersecurity profession. Moving beyond…

• Start at the Finish Line (Demystifying the Tech Career Path) — Kirsten Renner

  Kirsten Renner, widely known as Krenner, delivered a compelling talk at ShmooCon, "Start at the Finish Line (Demystifying the Tech Career Path through Reverse Engineering)," offering a pragmatic and…

• SOC Humor: How to Use Memes and Chaos to Improve Detection — Tyler Moody

  In the demanding world of cybersecurity operations, **alert fatigue** stands as a pervasive and critical challenge, threatening the efficacy of even the most sophisticated **Security Operations…

• ‾‾\___ʌ__.__ — Gabriel Bassett

  In the fast-evolving landscape of cybersecurity, professionals are constantly inundated with vast quantities of data, from network traffic logs to breach reports. Making sense of this deluge and…

• MalwareDB: An Open-Source Bookkeeping System for Malicious and Benign Files — Richard Zak

  Richard Zak's ShmooCon talk introduced **MalwareDB**, an ambitious open-source project designed to address a pervasive challenge faced by malware analysts, incident responders, and machine learning…

• The Unethical Engineer's Guide to Event Ticket Acquisition — Karl Koscher

  In "The Unethical Engineer's Guide to Event Ticket Acquisition," Karl Koscher delivers a thought-provoking and technically rich presentation on the various sophisticated methods that could be…

• Building and Hacking USB with FPGAs — Michael Ossmann

  In this ShmooCon talk, Michael Ossmann, founder and CTO of Great Scott Gadgets, delves into the evolution and application of open-source tools and hardware for building and hacking USB devices using…

• Rayhunter: Recording PCAPs from Stingrays With a $20 Hotspot — Cooper Quintin, Will Greenberg

  In an era of increasing digital surveillance, the ability to reliably detect sophisticated tools like IMSI catchers—often referred to as Stingrays or cell site simulators—is paramount. This talk…

• Modern-day SOC Evolution from Open Source to Unlimited Budget — Grifter, pope

  In this insightful ShmooCon talk, "Modern-day SOC Evolution from Open Source to Unlimited Budget," Grifter (Neil Wier) and Pope offer a comprehensive look at the essential components of a robust…

• The Permission Slip Attack — Leveraging a Confused Deputy in Android with 'pSlip' — Edward Warren

  Edward Warren's ShmooCon 2025 talk, "The Permission Slip Attack," unveils a critical vulnerability pattern in Android applications that leverages the **confused deputy** problem. This attack allows…

• Casting Light on Shadow Cloud Deployments — Brittney Argirakis, Chapin Bryce

  In an era of rapid cloud adoption, organizations frequently grapple with the unforeseen security risks posed by unmanaged and unmonitored cloud resources. This talk, "Casting Light on Shadow Cloud…

• Sandboxing Agentic Workflows with WASM — Joe Lucas

  In his ShmooCon 2025 talk, Joe Lucas tackles a critical and often overlooked security challenge emerging from the rapid adoption of **agentic AI workflows**: the inherent danger of executing…

• On Covert Channels Using QUIC Protocol Headers — David Cheeseman

  In this ShmooCon talk, David Cheeseman, a Johns Hopkins Master's student and cybersecurity professional, delved into the intriguing world of **covert channels**, specifically demonstrating how he…

• Windows Projected File System — The Reality Stone — Casey Smith

  In his ShmooCon talk, "Windows Projected File System — The Reality Stone," renowned security researcher Casey Smith introduced a novel and powerful defensive technique leveraging the **Windows…

• SkyScan — Autonomously Filming Aircraft — Luke Berndt, Mike Chadwick

  In their ShmooCon presentation, Luke Berndt and Mike Chadwick of iqt's Rapid Prototyping Group unveiled **SkyScan**, an innovative, open-source project designed to autonomously track and film…

• Building on the Foundation of our Shared Hacker History — Robert Weiss

  Robert Weiss’s ShmooCon talk, "Building on the Foundation of our Shared Hacker History," serves as a profound reflection on the enduring principles and rich cultural heritage that define the hacker…

• A Commencement into Real Kubernetes Security — Jay Beale, Mark Manning

  In "A Commencement into Real Kubernetes Security," Mark Manning and Jay Beale challenge conventional wisdom surrounding Kubernetes security, urging practitioners to shift their focus from…

• Inside the Information Stealer Ecosystem: From Compromise to Countermeasure — Olivier Bilodeau, Eric Clay

  Information stealer malware represents a rapidly escalating and pervasive threat within the cybercrime landscape, often operating beneath the radar of mainstream security discourse that tends to…

• The Hardest Problem I've Ever Seen: Making US Elections More Trustworthy in a World of Untrustworthy Technology — Matt Blaze

  In this compelling ShmooCon talk, renowned computer security researcher Matt Blaze delves into the intricate and often fraught landscape of U.S. election security. Drawing from a quarter-century of…

• SQLi is /so/ Last ShmooCon — Falcon Darkstar Momot

  In "SQLi is /so/ Last ShmooCon," Falcon Darkstar Momot, a Product Security Manager at a database company, challenges the persistent prevalence of SQL injection vulnerabilities and proposes a…

• Is this /s/C/F/ake? Content Provenance Tech to Fight Online Disinformation — Christian Paquin

  In an era increasingly saturated with AI-generated content, discerning truth from fabrication has become a paramount challenge. Christian Paquin from Microsoft Research presented a compelling talk…

• OpSec for Grandma — Rich Mogull

  In his ShmooCon talk, "OpSec for Grandma," Rich Mogull, a seasoned security executive, tackles a universal challenge faced by many in the cybersecurity community: providing effective technical…

• The Tech That Fought Back: How I Turned My Rejected ShmooCon Talk into a Democracy Saving Research Project for the 2024 U.S. Election — Andrew Schoka

  In this compelling ShmooCon talk, Andrew Schoka presents a stark look into the precarious cybersecurity posture of political campaign and party websites across the United States, particularly at the…

• Books, OMG, Books: Commence with Reading — Meghan Jacquot

  In "Books, OMG, Books: Commence with Reading," Meghan Jacquot delivers a compelling argument for the vital role of book clubs in fostering continuous learning, community building, and personal…

• I'm Not Your Enemy: How Practitioners Can Empower Content — Kali Fencl

  In her ShmooCon talk, "I'm Not Your Enemy: How Practitioners Can Empower Content," Kali Fencl, a Senior Content Marketing Manager and Security Researcher at DomainTools, addresses a perennial…

• Azure Survey 2025: 60 million Users and Counting — nyxgeek

  In his ShmooCon presentation, "Azure Survey 2025: 60 million Users and Counting," security researcher nyxgeek unveiled the extensive results of his multi-year project to enumerate valid Microsoft…

• Taiwan Digital Blockade: How Wargaming Taught Me About ICS Vulnerabilities and Small Islands — Nina Kollars, Jay Vogt

  In a compelling ShmooCon presentation, research professors Nina Kollars and Jay Vogt from the US Naval War College unveiled the insights gleaned from a unique war game designed to explore Taiwan's…

• Extracting the Ghost in the Machine — Guilherme Santos

  Guilherme Santos, known as Sky, delivered an insightful talk at ShmooCon, delving into the often-overlooked vulnerabilities and exploitation techniques within Artificial Intelligence (AI) and Large…

• Tracking the Triad Nexus: Investigating FUNNULL CDN's Role in Global Fraud and Money Laundering — Noah Plotkin

  Noah Plotkin, a Solutions Engineer at Silent Push, delivered an insightful presentation at ShmooCon, shedding light on a sophisticated and pervasive cybercrime operation dubbed "Triad Nexus." This…

• Pages from a Sword-Maker's Notebook pt. III, "The cursed blade" — Vyrus

  In "Pages from a Sword-Maker's Notebook pt. III, 'The cursed blade'," security researcher Vyrus unveils a compelling narrative of how he ingeniously transformed an open-source **Mimikatz packer**…

• Hacker Rock and Roll: Visualizing the 20 Year Evolution of ShmooCon Research — Greg Conti, Danielle Scalera

  In a poignant tribute to the "last ShmooCon," Greg Conti and Danielle Scalera presented a comprehensive and analytical retrospective on two decades of hacker research showcased at the influential…

• Attacking Classified Safes and Vaults from the Cold War to Now — Deviant Ollam

  In "Attacking Classified Safes and Vaults from the Cold War to Now," renowned physical security expert Deviant Ollam takes the ShmooCon audience on a captivating journey through the clandestine…

• C2 Operators Infecting Themselves: The Malware Maestro Story — Estelle Ruellan, Stuart Beck

  In an intriguing turn of events, a presentation at ShmooCon, titled "C2 Operators Infecting Themselves: The Malware Maestro Story," unveiled a fascinating research endeavor by Estelle Ruellan, with…

• Deception & Operations Planning Frameworks — Russell Handorf

  In an era where ransomware attacks are rampant and data breaches are a common headline, traditional security measures often fall short. Russell Handorf's ShmooCon talk, "Deception & Operations…

• Murthy v. Missouri, Jawboning, and How What the Supreme Court Had to Say Could Bear on Cybersecurity and Online Speech — Cathy Gellis

  In an era defined by rapid information dissemination and heightened scrutiny of online content, the interplay between governmental influence and private platform moderation has become a contentious…

• Taking Over Millions of Accounts from Abandoned Startups — Dylan Ayrey

  This talk, presented by Dylan Ayrey at ShmooCon, exposes a critical vulnerability in the widespread "Login with Google" **OAuth** implementation that allows attackers to take over millions of user…

• Keeping Our Home Addresses Offline: How To Graduate From Opt-Out Whack-A-Mole — Yael Grauer

  In an era where personal information is increasingly commodified and exposed, Yael Grauer's ShmooCon talk, "Keeping Our Home Addresses Offline: How To Graduate From Opt-Out Whack-A-Mole," delivers a…

• Our Time in a Product Review Cabal: And All the Malware and Bugs that Came With It — Adam Schaal, Matt Virus

  In "Our Time in a Product Review Cabal: And All the Malware and Bugs that Came With It," Adam Schaal and Matt Virus pull back the curtain on the murky world of online product reviews and the…

• Shmooganography, Looking Back from Behind the Scenes and into Plain Sight — Will Newton, Mike Bowen

  The ShmooCon conference has long been a bastion for cutting-edge security research and community engagement, and for many years, a standout staple has been the **Shmooganography** challenge. This…

• Disrupting the Model: Abusing MLOps Platforms to Compromise ML Models and Enterprise Data Lakes — Brett Hawkins, Chris Thompson

  In an era where nearly every organization is rapidly integrating Artificial Intelligence (AI) into its operations, the security of the underlying Machine Learning Operations (MLOps) platforms…

• A Story About Fighting Disinformation (Or How We Helped the Russian Trolls) — Krassimir Tzvetanov
• Hacker (Non)Court: Seymore, Inc. v. ThinkIz, Inc. — Andrea Matwyshyn, Carole Fennelly, Jonathan Klein, Elizabeth Wharton, Jessica Wilkerson, Desirae Satterlee

  This ShmooCon talk, "Hacker (Non)Court: Seymore, Inc. v. ThinkIz, Inc.," presents a captivating mock arbitration that delves into the complex legal and ethical ramifications of cybersecurity…

• The UN Cybercrime Treaty is Final, Here's What You Need to Know — Kurt Opsahl

  Kurt Opsahl's ShmooCon talk, "The UN Cybercrime Treaty is Final, Here's What You Need to Know," provides a critical analysis of the newly finalized United Nations Convention on Cybercrime. This…

• 0wn the Con / Growing Up ShmooCon — Shmoo Group

  The "0wn the Con" talk is a long-standing tradition at ShmooCon, offering attendees an unprecedented look behind the curtain of running a major hacker conference. Unlike typical security…

• Closing Remarks — Bruce Potter

  This article delves into the "Closing Remarks" of ShmooCon, a poignant and reflective session that marked the culmination of 20 years of the esteemed security conference. Delivered by Shmoo Group…

• ShmooFAQ — Shmoo Group

  ShmooFAQ is ShmooCon's annual, highly anticipated, and often chaotic quiz show, a cornerstone event that blends technical acumen with pop culture references and community engagement. Far from a…

• Detecting BLE Trackers for the price of a Gas Station Hot Dog — Bil Swearingen, Larry Pesce

  In an era where personal tracking devices are ubiquitous, the ShmooCon talk "Detecting BLE Trackers for the price of a Gas Station Hot Dog" by Bil Swearingen and Larry Pesce presented a compelling…

• Imposter Detection with Watchman — Matthew Wollenweber

  In this ShmooCon presentation, Matthew Wollenweber introduces Watchman, an open-source tool designed to provide rapid and cost-effective detection of imposter domains. The talk addresses a critical…