Top takeaways from ShmooCon: Less moose, more cyberthreats

ShmooCon 2023 has come and gone. Now it’s time to consider what the most laid-back infosec conference of the year — boasting the quirky tagline, “Less Moose Than Ever” — can tell us about the security industry heading into 2023.

WASHINGTON, D.C. — ShmooCon 2023 saw more than 2,000 security researchers, infosec professionals and others in the industry descend on the U.S. capital for a long weekend of competitions, hands-on labs and, of course, talks.

Many of these people have been attending ShmooCon for years — part of the reason tickets to the conference sell out in seconds — and several told README they’re already planning to come back next year. Unlike other, more business-oriented conferences, ShmooCon prides itself on prioritizing the infosec community.

But ShmooCon 2023 wasn’t all just inside jokes and infosec reunions. Speakers at the conference took on some of the most pressing challenges in cybersecurity, from open-source software security to upcoming policy changes (this being in Washington, D.C., after all).

Here are a few top takeaways:

Struggling to answer, ‘What IS working?’

The conference was supposed to end on a high note with infosec pros Mark Manning, Tina Velez and “SPAM” joining ShmooCon organizer Bruce Potter in a talk about “what IS working for them” in security.

That optimism turned out to be misplaced. Although there was some talk about effective controls, much of the panel consisted of complaints about how software-as-a-service companies fail to supply the information necessary for security teams to respond to potential incidents. The panelists also said too many companies misplace focus on vulnerabilities before properly gauging their risks, and they lamented how marketing departments at many security companies rely on fear, uncertainty and doubt that can make the rest of the industry’s work harder.

Combine all this with ongoing concerns about multi-factor authentication being too simple to bypass, the ease with which phishers can find victims and more, and it’s not hard to see why Velez said most organizations don’t have to worry about government-backed advanced persistent threats. Even relatively low-effort scams and attacks still prove successful.

“The crypto-miner is the threat that we deserve,” Velez said, referring to relatively low-skilled attackers who compromise systems just so they can profit off cryptocurrency mining without investing their own resources.

That still beats squaring off against an APT, because at least in a crypto-miner’s case, a security team has “a tangible amount of money lost” that they can go to management and say, “if you invest this money, or at least half of it, maybe we can catch it” next time, Velez pointed out.

The less-than-rosy outlook was an appropriate closer for ShmooCon. The conference has a reputation for being a fun event where attendees can meet up with their old friends, play board games and regularly interrupt the speakers with comments, questions and callbacks to previous conferences. But when the talks end on Sunday, everyone still has to head back toward working on the same problems as before.

Open source anxieties

The security implications of our reliance on open source software have been hot-button issues since the Log4Shell vulnerabilities were disclosed in December 2021. But a number of talks at ShmooCon 2023 showed that these risks are still top-of-mind for many in the industry.

Seemingly everyone is waiting for the next Log4Shell, which affected the widely used Log4j Java logging tool. Log4j isn’t the only popular open source project in the world, and it’s probably not the only one with a critical vulnerability waiting to be discovered, either. Even if by some miracle Log4Shell does end up being a once-in-a-lifetime event, many organizations still have to contend with new regulations and shifting public perceptions around open source software use.

Azure open source hacker Aeva Black discussed the ongoing problems resulting from the way tech companies have “normalized profit-driven insecurity” in the first talk of ShmooCon 2023, “Open Source Software, Y U No Secure?” They cited Sun Microsystems’ acquisition of the open source MySQL database management system for $1 billion in 2008 as emblematic of the wider trend.

(Photo: Nathaniel Mott/README)

“The knowledge of how to [safely use open source software] was developed 20-some years ago,” Black said. “But somewhere along the way, it was lost, and the safe handling techniques of open source were not propagated at the same pace as the adoption of open source after 2008.”

Effectively disclosing open source software flaws can pose its own set of challenges, as ShmooCon speakers Madison Oliver and Jonathan Leitschuh discussed in their own talk, “Congratulations! You Found a Security Vulnerability in an Open Source Project! Now What?”

There are a variety of motivations for seeking vulnerabilities in open source software, Oliver and Leitschuh said, and they often align with developers’ reasons for maintaining those projects. In other words, the bug hunter and the open source volunteer don’t have to clash.

“It is really important to understand these motivations because at the heart, vulnerability disclosure is truly a human process,” Oliver said. “It is very easy to forget that who you’re talking to is a human on the other side. They have their own motivations for what they’re doing, they have their own responsibilities, their own habits, their own things that are going to come into play during your vulnerability disclosure.”

If security researchers and open source software maintainers can come together to address some of these problems on the micro level, it could snowball into major security improvements over time.

Supply chain chatter

One side effect of the Log4Shell incident — as organizations scrambled to determine if they were affected by those vulnerabilities — was a sudden interest in the so-called software supply chain. This, too, continued with a variety of talks at ShmooCon 2023.

While much of the focus on supply chain security has centered on the software bill of materials (SBOM), a sort of ingredients list for tech products, ShmooCon speaker and DevSecOps specialist Schwartz shined the spotlight on the Supply-chain Levels for Software Artifacts (SLSA) framework that Google introduced in June 2021.

“SLSA is supposed to be an approachable ladder of prioritized, proscriptive practices,” Schwartz said, “and it’s going to help you” meet the security controls in the National Institute of Standards and Technology’s Secure Software Development Framework. A boost from SLSA is needed because the NIST framework “will tell you what you need to do but not how you need to do it,” Schwartz said. SLSA is supposed to bridge that gap, helping organizations adopt secure coding practices and introduce fewer vulnerabilities into the software ecosystem.

When Google announced SLSA, the tech giant said the goal was to help consumers “make informed choices about the security posture of the software they consume.” (The framework is now stewarded by a group within the Open Source Security Foundation.)

This focus on the software supply chain continued with Trellix vulnerability researcher Kasimir Schulz explaining how difficult it can be to detect and remediate vulnerabilities in open source projects in his talk, “Escaping the Tar Pit and Securing the Supply Chain.”

Schulz explained how Trellix “started the process of patching over 65,000 open-source repositories on GitHub” after discovering that the Python tarfile module was still vulnerable to a decade-old path traversal flaw, identified as CVE-2007-4559, in a bid “to ensure that this didn’t become the next Log4j.”

SLSA, SSDF, SBOMs — all these tools are supposed to help developers write more secure software and secure the supply chain used to create that software. Trellix’s efforts show what happens when those problems already exist and somebody takes it upon themselves to help fix them. To liken coding to the tobacco industry, the frameworks are aimed at getting people to avoid smoking cigarettes, while patching projects like Trellix’s are focused on treating lung cancer.

Policy changes in the U.S. and internationally

The first policy talk of ShmooCon 2023, “Hacker Law for Hackers” by Venable’s Harley Geiger, focused on a variety of changes made in the past year. Some of these updates related to the 1986 Computer Fraud and Abuse Act (CFAA) — including a bid to allow for “good-faith” security research — and others involved state-level laws.

Geiger said that Section 1201 of the Digital Millennium Copyright Act (DMCA) is “now the greater risk for ethical hackers… than the act of security research itself” because it doesn’t carve out exceptions for good-faith security research (regardless of how vague the CFAA’s definition of “good-faith” is).

The CFAA has long troubled security researchers and the attorneys who represent them, and the Electronic Frontier Foundation said in 2020 that the DMCA “has encouraged private censorship and hampered privacy, security, and competition.” The changes made to CFAA enforcement in 2022 alleviate some of the concerns about that legislation — even if it still isn’t totally clear how the U.S. defines “good-faith” security research.

“The security community has made tremendous progress, admirable progress, in standing up for itself in building bridges with policy makers and getting more favorable accommodation under the law, especially federal law,” Geiger said. But there is still plenty of work to be done when it comes to state laws, private lawsuits brought under the CFAA and other rules imposed by national and international governments.


Speaking of international efforts: the EFF’s outgoing deputy executive director and general counsel Kurt Opsahl covered the UN’s recent efforts to create a unified framework for handling cybercrime.

Opsahl presented numerous areas of concern in the draft proposal submitted by the fourth session of the Ad Hoc Committee on Jan. 20. These include a lack of clarity in some definitions of cybercrime; efforts by authoritarian states such as Iran, China and Russia to use the treaty to quash tech-enabled freedoms; and fears that the treaty itself is too broad because it doesn’t focus specifically on cybercrime.

“This should not become a general purpose vehicle for creating investigatory vehicles for all crimes,” Opsahl said. That means it shouldn’t require organizations to weaken the security of their systems to assist with investigations, he said. He added he hopes the UN can address those concerns before coming to an agreement on the closely watched treaty.