Shmoocon 2016

The Urbane Security crew will be at Shmoocon 2016 at the Washington Hilton Hotel in Washington, DC from January 15th, 2016 to January 17th, 2016. Stop by our table to meet the crew, share war stories, and even about what it’s like to work on the Urbane team.

DEF CON 23, Black Hat USA 2015, and BSides Las Vegas 7

Join the Urbane Security team in Vegas this August 3rd to August 9th, 2015 for DEF CON 23, Black Hat 2015, and BSidesLV 7. Our large lineup of events include:

An Urbane Private Affair at the Urbane Suite

Monday Night – 7pm to Midnight at the Urbane Suite

For the 4th year in a row, start the week off right with an escape from the Black Hat conference floor. The Urbane Suite is located at the Palms Place hotel, overlooking the strip from just the right distance. Craft Cocktails, Quality Food, and Chill music is always to be found Monday Night.

This event is a private invite-only event. To request an invite, please reach out to the Urbane Events team at events [at]

BSides Las Vegas Official Badge Contest

Tuesday through Thursday at the Tuscany Casino and Hotel

As the official Badge sponsor of BSides Las Vegas, Urbane has put together this years badge contest. Ranging in challenges from digital to physical, cryptography to history, it is bound to test your skills in various domains. Check out the BSides Badge for more details on how to compete!

First place prize includes hotel accommodations and an Amex gift card for flights to return to BSides Las Vegas next year and Second Place price includes an Amex gift card.

Dinner with the Urbane Crew

Tuesday Night, 7pm at Undisclosed Location

Already an Urbane client? Enjoy quality food and conversation? Keep an eye on your email for a special dinner invitation for Tuesday night.

“Seeing through the Fog” at DEF CON 23

Thursday, 12:00 at DEF CON Track 4

Stop by DEF CON Thursday to see Urbane Founding Partner Zack Fasel give his talk “Seeing Through the Fog”, reviewing the problems and solutions for cloud security.

Yes. “The Cloud” (drink). Even though many of us would much like to see use of public clouds decline, they’re not going away any time soon. And with such, a plethora of companies now have revolutionary new solutions to solve your “cloud problems”. From crypto to single sign on with two step auth, proxies to monitoring and DLP, every vendor has a solution, even cloud based for the cloud!

What we haven’t seen is much of an open source or community lead solution to these problems. So let’s change that.

Zack will review the laundry list of security problems with various cloud providers (and their pluthera of APIs), provide some easy fixes to the common issues seen, and introduce a few new open source tools to help monitor and defend the data and access in the wild.

Industry Appreciation Party at DEF CON 23

Thursday, 6pm to 11pm at the Urbane Suite

Starting at 6 p.m. and continuing until 11 p.m., enjoy drinks, music, Chipotle, and awesome company at the Urbane Suite acknowledging the accomplishments and contributions of individuals for the betterment of the security industry and community. RSVPs are required in advance at

DEF CON Black and White Ball

Saturday, 1am to 2am to the DEF CON Party in Sky View 5&6

Still holding through the whole weekend? Stop on by the Black and White Ball at DEF CON’s Sky View 5&6 to catch Erin Jacobs and Zack Fasel DJing to close out DEF CON. As the last set DEF CON music set of the weekend, it’ll be your final chance to work out your dancing shoes. Check out a sample of music to be heard at

The 5 Days of Shmoocon Tickets

Tis the time of the year, when boys and girls gather around their computers, waiting for the clock to strike 12. They furiously press F5, Apple-R, and BOTNET_ACTIVATE.exe in hopes of having the quickest fingers and the lowest ping to get one of a few golden tickets. But alas, many are not quick enough or are forgetful of such a holiday. It’s a holiday of dedication, sacrafice, and passion. It’s Shmoocon Ticket Season!

But alas, for those who overslept their alarms, couldn’t connect on GoGo, or “had to work”, Urbane has a holiday gift for you!

Five Days. Five Challenges. Five Shmoocon Tickets.

The Rules

As Urbane is sponsoring Shmoocon, we have a few extra tickets. Winning one is easy…..ish.

  • Every weekday for 5 days starting December 17th, Urbane will post one challenge on this page and announce the update via our twitter account (@UrbaneSec).
  • Follow the challenge instructions on this page for that day. Submission and winner varies based upon challenge.
  • …..

Some finer print:

Winners will be announced the following day and contacted with instructions on receiving their barcode. Barcodes are NOT for resale and will be sent via e-mail to winners on January 15th, 2015 (the day before Shmoocon) in order to prevent resale. Reselling winning tickets will be subject to public shaming or voiding of the barcode. Submissions will be judged by a panel of biased judges. Submission of content provides consent and license for Urbane to use submitted content in conjunction with this contest. And no, we won’t sign you up for some crazy mailing lists. Rules subject to change on a whim. Questions? Email Comments? Email

The Challenges

#1: Report-Writing Wednesday

Difficulty Rating: Low

SUBMISSIONS CLOSED! – Congrats to @mrb0t for going beyond just writing up a full disclosure, but also creating a fake defacement.

We’ll start the contest off simple and steal from our BSidesLV Badge Challenge playbook.

There have been a number of interesting vulnerabilities this year and more companies than ever participating in Bug Bounties. While many of the findings out of these programs are crazy awesome, many submissions include “less than legit” vulnerabilities.

Your challenge today is to write a fake vulnerability/finding/PoC and “responsibly” disclose it (whatever that means) to

Previous winning examples include:

  • XSS in any website POC:highlight the url, delete everything in the bar, type “javascript:alert(1)”.
  • Information Disclsoure: Copy/Paste leaks information to other programs.
  • User Impersonation Attack: Deface Ars Technica and leave Dual Core music so everyone blames Dual Core.*
  • You get the point…

Winners will be picked based on quality and hilarity. Just like in life, it’s not about length but quality of submission and what you can do with it.

Submissions close on December 19th at 12:00 EST. Get to it!

* Legal has asked us to remind you to not drop 0Day and for the secret love of god, and we don’t mean the passwords in Hackers, don’t actually deface a site….again.

#2: Throwback Thursday

Difficulty Rating: Low

SUBMISSIONS CLOSED! – Congrats to @nheafer

Welcome to #TBT (throw back thursday), where everyone posts things from just last week!

This challenge is easy, but might require a call to your parents. You should call them anyways.

Submit your best real picture of you as a child (think grade or high school) geeking/nerding out to (either as an attachment or as a imgur/etc. link). Examples include

  • The LAN Party at Eugene’s dad’s house.
  • Your basement electronics lab.
  • Celebrating the Comic Books you just got for Christmas.
  • That 486DX your parents just bought (or the IBM 519 and your deck of cards)
  • Your first amateur radio swap meet.

Only one submission per person, so make it count! Winners will be picked based on cuteness and the number of “awwwes” raised by a panel of mothers.

Submissions close on December 20th at 12:00 EST. Get to it!

#3: CTF Friday….

Difficulty Rating: High

SUBMISSIONS CLOSED! – Tickets going to @sibios for the best entry and runner up @JimGilsinn as an A for Effort! The only two who submitted. Should have tried 😉

Every weekend another CTF is popping up (just like cons – gotta catch them all!) and with every CTF, we see our ability to reverse, hack, and decipher put to the test.

This weekend, you’re on the other side of the table…. so to speak.

It’s time for you to develop and code out a multi-stage CTF challenge (in which the answer from one provides information or access to get to the next stage). Ideas? We’re not providing any this time. Details:

  • Create one CTF challenge that has at least 3 “steps” to solve (i.e. 3 different types of hacks, a combination of decipher/hack/reverse, hack/decipher/hack, decipher/crack/hack/hack/hack/crack/decipher etc.). Shoot for 300-500 point level (out of 500).
  • As some “steps” may require specific system configurations (i.e. ssh keys, certain versions of a lib, compile flags), please document such. There’s no need to send us a full on VM.
  • Keep it original. No copying and pasting a previous CTF challenge that was released.
  • Submit the source and (when applicable) challenge items with details on how to solve them in a compressed format or mega upload via email to
  • There may be bonus points if you actually stand up the challenge or create a VM for it….or there may not be. We just work here.

Unlike the previous challenges that required less effort, we’re treading a little more carefully on this. We may post high-level details on your challenge, but we will /not/ disclose the exact details of your challenge source/items without your written consent. No need to burn great work!

You have until 12:00 EST on Wednesday, December 22nd to submit. Don’t hesitate to email if you have questions.

#4: Monday Morning Calls

Difficulty Rating: Medium

Monday morning conference calls are the worst. Even worse is trying to remember all the various PIN codes for the bridges.

This time, your challenge is to figure out the 3 different 7-digit conference bridge codes for the number below:

860-94-SHMOO (860-947-4666)

Winner will be the first person to figure out the 3rd code and contact us via the instructions left in the message.

Your usual notes:

  • No brute forcing, but multiple guesses are ok. There are some block measures in place, and some you just can’t brute force past.
  • Winner will the the /first/ person to figure out the code
  • We will release periodic hints based on questions submitted to shmoo15 [at]

But where do you start? Here’s your first clue:

I wOn’t tell your SecreTs. your sEcrets are Safe with mE.

#5: Tuesday Travel

Difficulty Rating: Last Chance!

If you were waiting till now for things to get easier, you were sorely mistaken. Day 5? No new challenge. Most of us are traveling back home to spend the holidays with family. As no one has yet solved the Monday Morning Calls challenge, we’ll keep it running until the first one does. Don’t forget our previous clues!

ShmooCon 2013 Ticket Giveaway

You heard right – Urbane has an extra Shmoocon ticket to give away, and in traditional give-away spirit, we’re throwing a mini-contest for it. Since time is limited, we’ll keep it fun, easily accessible, and fast.

The “How Do You Hack?” Photo Contest

We’ve seen 100s of horrid photos of hackers with their ski masks and their crazy GUIs. So it’s your turn to show peeps how you pwn (for real or for the lulz). So here’s how you win a free Shmoocon ticket:

  1. Take a photo of you, your setup, or the cool stuff you’ve been working on.
  2. Upload the photo online and submit a link using the form to the right –>
  3. …..

The Details

It’s that easy! We’ll pick one of our favorites – the coolest, the funniest, or the weirdest and we’ll provide you a coveted Shmoocon Ticket! Obviously there are some rules and details, and here they are:

  • Contest Starts Monday, January 28th, 2013. All Entries Must Be Submitted by 12:00PM CST on February 1st.
  • Submit a photo of “how you hack” to <SUBMISSIONS_CLOSED>. This can be of you, your setup, you in a ski mask, you in cyberpunk, your bag of pwnage, you hacking from a crazy location, or other crazyness. Honestly, any somewhat relevant photo will do. We’re not going to be sticklers about it.
  • On Friday, February 1st at 12:01 PM, we’ll look through the submissions and pick one. We don’t know how we’ll be selecting it since we dont know what will be submitted. We’ll probably pick one that’s the coolest, funniest, wierdest, or leetest.
  • The winner of the ticket will have to pick up said ticket at Shmoocon in person Thursday night or Friday Morning/Afternoon. And it must be the winner. No friends, family, next of kin, intern, minion, or random person you decided to sell the ticket to. We’ll setup a meetup and provie a phone number to sync up at the Shmoo hotel.
  • If you need to explain your photo (i.e. your leetness), do so in the image. Footer or pointers. But the best photos don’t need explanation
  • It must be YOUR photo. No stealing others stuff.
  • We’re not judgmental on quality. Use your Phone, Webcam, DSLR, or Sony Camera that still takes Floppies.
  • Upload it anywhere publicly accessible. Your website, imgur, flickr, instagram, or the like works.
  • Yes, Your photo can be photoshopped beyond realistic comprehension. It does not need to be though.
  • No, your photo does not have to be realistic and can be completely ironic. Ski Masks, Rollerblades, lock picks, radios, and payphones are totally acceptable, and even encouraged.
  • By submitting an image, you give dubsec labs permission to copy and display said image in relation to this contest. It’s your photo though, and we’ll obviously cite as such

Now before you even have to ask, the answer is No.

  • We’re not signing you up for any kind of sales list.
  • You don’t have to follow us on Facebook or Twitter to win (although if you choose to do so, it makes you an awesome person).
  • We’re not going to use your submited content claiming it as our own.
  • There’s no strings attached to the ticket (other than the ones stated above).

The Submissions

The Results

The winner was @theKos with his Home Garage Hacker Space

As messy as it was, we were impressed with the setup. Congrats Kos!

If for some reason theKos doesn’t respond or decides he wants to pass on the ticket, the following are our runners up:

2nd Place: @nerd_monkey – It takes guts to wear that in the office every day

3rd Place: @_CRV – Bannana phone is always win