ShmooCon Day 3

Last day was a short day, just three panels, then the closing keynote and remarks.

I attended Jon Callas’ and Bruce Potter’s discussion of the state of crypto. This was more of a question and answer session than a formal presentation. The two most intriguing topics that came up were the effect of quantum computing on crypto and elliptic curve crypto.

Callas was very skeptical of quantum computing in general, a skepticism I share. He was smart enough to admit to being skeptical about his own skepticism, that is, reserving the possibility that quantum computing may bear out in the end.

I am not very familiar with ECC but the panelists described its advantages over PKI pretty well. The attraction of a system that scales better, at least that is the claim, for larger key lengths makes sense.

The next panel I caught was Adam Laurie’s discussion of RFID cloning. He covered the usual topics, from chips used in keycards and animal tags to national passports. He also did a live demo where he not only showed cloning but did so with a standard form factor RFID card, rather than the usual kits we see. He even successfully cloned an RFID implant in an audience member he had never met and used the cloned card to unlock the owner’s laptop.

The last panel I attended was Chuck Willis’ talk on passive assessment of the security of web applications. Given my day job, this was both of interest and a lot of material I had already encountered. I was glad of his description of Cross Site Request Forgery, a term I had first encountered some weeks back in an advisory without any adequate explanation. It also seems like Billy Hoffman’s blind request technique via AJAX could be characterized as CSRF.

The final keynote was a quick roundup on the OLPC project. I was especially fascinated by Krstic’s characterization of how the OLPC can enable more discovery-based, peer-oriented self-education. I was also impressed by the security goals and constraints, especially that they prize owner control almost before all else. A lot of hard questions were posed by the panelists themselves, as well as the audience. The effort is unarguably quite noble but no one claims to have all the answers on what lasting effect it will have, for good or ill. It was good to see their open-mindedness in the face of bald skepticism and that they were already asking many of these questions themselves.

I would definitely say ShmooCon was well worth attending and am hugely looking forward to coming back next year!

