A short and sweet post this week. Enjoy.
The Pros of Cons
The final Shmoocon was this weekend in Washington DC. The event had three ticket drops which sold out in less than 8 seconds. Some metrics:
- 11/01/2025 - 650 Tickets: Sold out in 7.15 seconds
- 12/01/2025 - 500 Tickets: Sold out in 6.76 seconds
- 12/15/2025 - 320 Tickets: Sold out in 7.37 seconds
Why are security conferences so popular? They're important for your career for 3 reasons.
- Networking: The most obvious benefit is that they allow for easy networking. While the talks are usually worth seeing, just hanging around outside the conference (canonically known as lobby con) is a fantastic way to strengthen existing relationships and form new ones with those in the field.
- Lore: The less often discussed benefit of security conferences is understanding the industry lore. Talking with professionals in the field over coffee (or Malort) paints an honest picture of the industry. People are more willing to discuss shady interactions they've had with vendors, dicey situations they've gotten into, and how they've navigated their careers. These aren't things they're likely to talk about publicly.
- Pulse: Meandering around the vendor hall is a great way to see what trends vendors are leaning into. If you're in the business world, this also lets you scope out the competition.
Some recommendations for getting the most out of a security conference in no particular order:
Presenting new research is what keeps the security industry afloat, but the value of speaking is not in the presentation itself; it's in the accompanying benefits. Speaking gives people a reason to come talk to you. Some of the most engaging conversations I've had have been with people who came up to me after a talk and asked questions about it.
Many conferences have different badges for speakers, which gives people a super easy opening line even if they weren't at your talk: "What are you speaking about?" Most conferences also have some sort of event for speakers. This is a great way to meet others and form lasting connections in the industry.
Presenting at a conference doesn't have to be a super technical endeavor. Depending on the conference, it may even be a benefit to give a less technical talk (for example, at a BSides hosted at a local college).
If you're new to the industry, volunteer at conferences. You'll get many of the benefits that speakers do, but you don't have to present any information. Again, a great way to meet others and see how the sausage is made -- spoiler, conferences are tough to run and people get cranky. Showing up with a 12-pack of energy drinks for everyone running power strips will propel you to hero status.
Attending talks is a great way to recharge your social battery. Don't feel the need to attend every talk unless it's super interesting. You can circle back to them later if they're recorded.
Want to be remembered forever? Have a cool sticker. It can be as simple as something that reminds people of who you are; I have many that are just graham crackers with my personal website on them. Stickers also act as hacker business cards.
Want to be the coolest person in the room? Have challenge coins.
Does Anyone Know What's Happening?
I had many conversations at Shmoocon this weekend that could all be accurately summarized as "I don't actually know what's going on but it's OK, and neither does anyone else". Comforting. Maybe this is why the info-sec field has such historic rates of burnout and impostor syndrome.
Beginning a career in info-sec is humbling. You often don't know nearly as much as you think you do (see: Dunning-Kruger), but that is to be expected. As long as you're honest about your intentions and flaws, no one will blame you.
At some point, people, and the companies they work for, cross into a zone where others start taking what they say as gospel instead of with a grain of salt. It's very much a "Santa isn't real" moment when you discuss technology with a market leader in a space and suddenly realize that they haven't figured it out yet either. They don't have a good answer for the technical problems you run into either (even though they claim to).
If a well-funded company whose sole mission statement is to provide businesses with answers to problems doesn't actually have a complete solution to those problems, does anyone actually know what is going on, or are we all kind of just cosplaying as all-knowing witches/wizards of our particular domain?
Caught My Eye
- HackSpaceCon CFP: The HackSpaceCon CFP is open through January 15th. I'll be submitting, you should too!
- Phrack 72 CFP: I didn't realize that Phrack had CFPs.
- ADFS -- Living In The Legacy Of DRS: Notes on the internals of ADFS. I really admire the work SpectorOps does, even though I don't specialize in Windows.
- hashcrack-ai: Automated Python script that uses vast.ai to deploy hashcat across many GPUs.
- Using SYN Port Scans with Source IP Spoofing For Offensive Deception: A great overview of SYN scanning with spoofed source IPs.
- Wiz - 2025 Cloud Security Predictions: I agree with many of these predictions for 2025. Some of which I've written about before.
- Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?: Potentially one of the best keynote speeches in history.