Friday, February 04, 2005

Shmoocon Begins

I am happy to report that the first Shmoocon has commenced in Washington, DC. Bruce Potter, founder of The Shmoo Group, gave the first talk of the con. The best part, in my opinion, was his indictment of the Linux development model and his praise of the BSD development model. I found it ironic, given that I had just blogged on Linux kernel development issues yesterday.

Bruce was followed by Snort developer Brian Caswell, who demonstrated an extension to Snort. It allows rules to be added arbitrarily while Snort is running, in response to packets that Snort sees and interprets as commands. Theoretically, one could do the following:

1. Run Snort in Caswell mode to watch for attack traffic.
2. Upon identifying attack traffic, determine if adversarial host suffers from any vulnerabilities.
3. Upon identifying vulnerabilities in adversarial host, attack it with Metasploit or similar code.
4. Upload precompiled version of Caswell Snort.
5. Repeat.

This is "aggressive self defense," or "Snort as a worm," as Brian's talk put it.

I left during the last presentation of the evening, which was supposed to be a sort of "hacker talk show." It was more of a train wreck than anything entertaining or informative. I will report on Saturday's talks tomorrow evening.
