Building a Hacker Conference from Scratch: The Wild Origins of ShmooCon
In this episode of Breaking Badness, we sit down with Bruce and Heidi Potter, two of the masterminds behind ShmooCon, the legendary cybersecurity conference that ran for 20 years. They take us behind the scenes, from its hilarious bar-napkin origins to how they built a tight-knit hacker community that thrived for two decades.
The Final Shmoo: The Story Behind 20 Years of ShmooCon
Introduction: A Conference Like No Other
Few cybersecurity conferences have the grassroots credibility and cult-like following of ShmooCon. For 20 years, it brought together hackers, security researchers, and industry professionals in a uniquely intimate and no-nonsense environment. But how did it all start? And why did it end?
In this episode of Breaking Badness, Kali and Aaron Gee-Clough (Senior Data Engineer at DomainTools who has attended all 20 ShmooCon) spoke to Bruce and Heidi Potter, the co-founders of ShmooCon, to explore its unexpected origins, the wild ride of running a conference, and what’s next for them.
How a Bar Talk Turned into a Cybersecurity Institution
Like many great hacker projects, ShmooCon started as a joke.
Bruce and his co-founder, Beetle, were at Black Hat when they sat through a talk filled with questionable security claims. They waited for someone to challenge the speaker—but no one did. That’s when they had the thought:
“If we ran our own conference, we would never let that stand.”
One fist bump later, ShmooCon was born. But it didn’t stop there. A few weeks later, Beetle took out a second mortgage on his house and secured a venue. That’s when things got real.
“He also didn’t tell his wife. So we needed to make this work.” — Heidi Potter
Why “ShmooCon”? A Lunch Bag and a Nickname
If you’ve ever wondered where the name “ShmooCon” came from, it has nothing to do with schmoozing. Instead, it traces back to a hilarious inside joke from Bruce’s early sysadmin days.
When a colleague’s girlfriend dropped off his lunch at work, she left a note on the bag that read: “For my little shmooey-kins.”
From that moment on, everyone called him “Shmoo,” and when the team needed a name for their hacker group (and later their conference), Shmoo Group was born—mostly because they were too broke to buy a new domain name.
“It’s really just because we couldn’t afford another name.” — Bruce Potter
Keeping It Small: Why ShmooCon Sold Out in Seconds
Unlike massive conferences like DEF CON or Black Hat, ShmooCon intentionally stayed small—capping attendance at around 2,200 people.
“It was big enough that you’d meet new people, but small enough that you’d find your friends.” — Heidi Potter
But the ticketing process became legendary, selling out in under a minute most years. At one point, the demand was so high that Bruce tried using gaming PCs as servers to handle the load. It…did not work.
“We thought we could solve it with raw horsepower. That was a mistake.” — Bruce Potter
They later switched to Stripe and built their own custom payment system—something that many hacker-run events don’t do.
Why ShmooCon Prioritized First-Time Speakers
One of ShmooCon’s most unique contributions to the industry was its commitment to new voices. Unlike many security conferences that prioritize famous speakers, ShmooCon actively encouraged first-time presenters.
“So many people got their start at ShmooCon. We’re just honored to have been part of their journey.” — Heidi Potter
They also leaned towards defensive security, real-world research, and practical solutions rather than flashy offensive security hacks. This made the conference stand out in the hacker community.
The End of an Era – And What’s Next
So, why did ShmooCon come to an end after 20 years? For Bruce and Heidi, it was time.
But they’re not leaving the cybersecurity world. Heidi is launching a new events company, Moose Meet, focused on smaller, targeted hacker gatherings. Meanwhile, Bruce continues to run his cybersecurity product company.
For the ShmooCon community, the spirit of the event lives on—in the friendships, knowledge-sharing, and hacker ethos it fostered.
The End of an Era – And What’s Next
ShmooCon wasn’t just another hacker conference—it was a movement. It proved that you don’t need corporate sponsors, flashy production, or massive venues to create an event that shapes an industry.
“The legacy isn’t ours to define. It’s up to the people who came, learned, and built something from it.” — Heidi Potter
Watch on YouTube
That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
