  • Chris

On the Road: BloomCon

Over the last weekend in March, I attended BloomCon at Bloomsburg University. It's a great conference, growing quickly for its age — in its third year, about 650 attendees showed up, many of them students from up and down the East Coast and Midwest. I was happy to present a talk about a vishing attack vector that I recently tried out for the first time, to great success.

But let's back it up.

Highlights of the Conference

Something I loved about BloomCon that set it apart from other conferences of its size was the involvement of the students. I met students from as far away as Florida and Michigan, not to mention the digital forensics majors from Bloomsburg University who got involved in running the conference itself.

The influence of the 80% student attendance was obvious. Not only was there a lockpicking village, but they also ran a forensics CTF, a wireless CTF, and even an OSINT CTF where they stalked one of the professors online! And I'm sure the students loved the Drone Wars event put on by the Army.

A personal highlight of mine was the presentation of a vishing attack vector I've been thinking about for a while and recently got to try out on an engagement. As alluded to by the title, "On the Hunt: Hacking the Hunt Group," the pretext has to do with exploiting a hypothetical vulnerability in the hunt groups typically used in call centers.

But don't let me spoil it for you! Watch the recording of the talk below:

I presented live calls to illustrate the pretext, which went over well with those in attendance. We had a great discussion afterward. You can listen to the questions and answers in the video.

The Value of Small Cons

Even though BloomCon probably qualifies as a mid-sized conference at this point, it felt intimate and informal like smaller conferences I've attended. And that's what I want to talk about today: the value of attending small cons.

We focus a lot on the hype around big conferences. And of course, the DEF CONs and the BlackHats and the DerbyCons are great. You get to see all the people you met last year, you get to travel to a big city, and you get your pick of dozens of sessions, workshops, tracks, and villages.

But sometimes, big cons feel like never-ending sprints. You never get much time to stop and have a real conversation. There's always someone else to see or some other session to attend. With smaller conferences, you might not get to see as many people at once, but that can be a blessing.

Take BloomCon. Dual Core was in attendance (and featured heavily in marketing materials for the con). He performed at a networking party, rapping while escaping from handcuffs. That particular stunt was a hit with the crowd, as you can imagine.

Dual Core rapped and escaped from handcuffs at the same time, a crowd favorite.

At larger conferences, I would have attended the party, said hi to Dual Core, and never seen him again. But at BloomCon, we ended up getting a drink and talking about the security community and topics outside of info sec. It was a normal conversation with a friend that wouldn't have been possible at DEF CON.

It's not just friends that don't get to see each other often who benefit from the intimacy of a small conference. The first afternoon of BloomCon, I joined an informal panel of presenters who answered questions from attendees in the casual "Meet the Mentors" session.

We were there to talk about whatever attendees wanted to ask us, and everyone got a chance to participate. Larger conferences with more structured panels and heavy moderation can't get close to those kinds of conversations.
