RSA stands for Really Sweet Activities: HackerOne recaps an epic week
- February 27th , 2017
By Luke Tucker
Two weeks ago was my first RSA Conference experience and I survived to write this post.
Conferences are a forcing mechanism of sorts, an accelerant for projects to be completed, new product features to be announced, and survey news to be released in order to meet press deadlines.
Not to mention the development of your session presentation to live up to that abstract that got accepted (did I really promise to talk about that?!)
As you probably know, RSA Conference is a cryptography and information security-related conference. The flagship event is held annually in San Francisco and 2017’s festivities went down the week of February 11th to February 18th.
Here’s a quick highlight reel of HackerOne’s week at RSA, complete with a party that included drink names like “What did you Putin my drink?” and “Fancy Bear”. Dope, right?!
We lit the dry California desert on fire with our bug bounty lightning talks with Passcode, sauntered our way through an action-packed 2-days at BSidesSF, talked shop and automotive cybersecurity on an all-star panel, and we published the shocking results of our “Hacking America” survey with Kaspersky Lab.
So buckle your seatbelt as we rocket through the RSA week that was.
H1-415 was top shelf!
HackerOne’s RSA week kicked off fresh the Saturday prior with our h1-415 event which was sponsored by Github. H1-415 was a live bug bounty hackathon complete with a hacking 101 workshop and epic awards for some pretty amazing hackers.
First, the workshops. It’s such an important part of our company, to help the next generation of hackers. Talks from HackerOne CEO, Marten Mickos, veteran hackers Frans Rosen and Pete Yaworski, a tutorial walk-through and demo of the top tools for hackers by Justin Calmus, HackerOne’s VP Hacker Success, and finally a panel of illustrious guests dropping knowledge bombs about what it’s like working in security and engineering.
Community groups in attendance included:
The workshops were so successful, it nearly overshadowed the activities going on across the other side of our offices.
To give a hint, just picture a dozen conferences rooms with some of the best bug bounty hackers in the world, amped up on too much red bull and caffeine, hacking their hearts out on a few select bug bounty programs for 8 straight hours.
Yes, the ballmer peak definitely applies here:
A huge congrats to Mathias Karlsson (@avlidienbrunn) on taking home the Most Valuable Hacker award for the night!
At HackerOne, we’re all about the hackers. They are the geniuses that are helping secure the internet day by day. That neighborhood watch, the friend you can rely on.
We believe in honoring and showering our best hackers with swag, cash, and special surprises. Like designing custom superhero-esque comic book covers for them!
Hacking America Survey
The results take a broad look at what Americans think about hacker motivations, who they think security responsibilities fall on, whether or not America is more or less at risk with the new president and whether consumers trust their employers’ efforts on cybersecurity and their stance on ransom payments.
The top results included some pretty fascinating key findings (including some shocking results about employees view of their own employers cybersecurity efforts and their perspective on cybersecurity in the Trump administration).
BSides was A+
Our friends at BSides SF threw an action-packed 2-day conference, that HackerOne sponsored and attended. Which means we got to hang out in a diner-style booth, sharing custom HackerOne swag love, and also hosting a packed Hacker Happy Hour.
Custom swag anyone?
There were some incredible presentations, as expected. Dropbox’s Jason Craig’s talk was one of my favorites. Slides and videos will be up soon per BSidesSF. We’ll make sure and share via the Twitters when they’re ready.
One real quick thing that was super slick, during the talks an artist rendered visual notes of the presentation.
Pretty cool, right?! Check out - KingmanInk for more info.
Your full access pass to Passcode’s Bug bounty lightning talks
“Bug bounties are a divining rod, a seemingly magic tool to find water (i.e. vulns).” This was a quote by Uber’s Security Engineering Manager, Robert Fletcher at the lightning talks hosted by Uber and Christian Science Monitor’s Passcode.
The gathering gave viewers a behind-the-scenes look at the fast-growing bug bounty marketplace. Speakers included entrepreneurs, hackers, and executives providing an insider's knowledge of how bug bounties are transforming cybersecurity.
You can relive the event by watching the live stream and individual clips of each one of the talks:
- Motivations of a Bug Hunter (Luke Young)
- How the BBP Talent Pool Informs Security at Zenefits (Mack Staples)
- Keeping it Simple in a Complex Environment (David Linsky)
- Wacking Moles is Silly, Fix the System (Robert Fletcher)
- Bad Medicine: Contradictions of Bug Bounty Programs (Cory Scott)
- Working with Securty Researchers to 'Hack the Pentagon' (Lisa Wiswell and Katie Moussouris)
- Closing (Alex Rice)
- Uber’s Robert Fletcher definitely had my favorite presentation. I thought he did an exceptional job of presenting the “life of a report” and Uber’s approach to bug bounties. They’re definitely a program to emulate.
From Russia with Love: the HackerOne and Bateman Group Backdoor party
Hackers and security experts mingled and hob nobbed at the 4th Annual Backdoor party HackerOne co-hosts with Bateman Group.
This year, it was a spy themed party at an undisclosed private venue. Featured cocktails included:
Fancy Bear - Gummy bears swimming in an apt amount of Stolichnaya vodka, champagne, lemon juice and simple syrup
What Did You Putin My Drink? - Vodka and who knows what else
The Trumped Up Old Fashioned - Old Fashioned with a dash of Twitters
только глаза (tol'ko glaza) - [REDACTED]
There may also have been some undercover super sleuths, aka, actors dressed up looking like sherlock holmes. These gents were providing passports with photos for those guests who cracked the code in the scavenger hunt.
Feedback on the passport at our party from a customer: "Alright the passport idea is kinda cool as *&@!" " yeah, definitely one of the coolest things I've got from a vendor party."
“The Backdoor Party [expletive] nails it with FancyBear cocktails and soviet passports.” - tweet from anonymous guest
More evidence of merriment in the event photo collection.
Marten’s RSA Panel - Navigating Cybersecurity in the Connected-Car Revolution
On Friday, HackerOne’s fearless leader, CEO Marten Mickos was on a panel discussing the topic of “Navigating Cybersecurity in the Connected-Car Revolution”.
Joining him on the panel included Kevin Tierney, Director - Product Cybersecurity, General Motors; Chris Evans, Formerly with Tesla; and moderated by Robert McMillan, from The Wall Street Journal. Check out the full video recap on Youtube.
One interesting audience question that was brought up was requesting each panelist if they could share their thoughts on what the car industry can teach software about security?
I really liked Marten’s answer here. He said, “Software built the internet, and we didn't think about security. I'm guilty of that. Airline industry shares details with each other, from when flights take off and land to paths they take, etc. We should do the same. Software needs start thinking about security from the beginning.”
It’s a fascinating narrative to follow, how all companies we patronize, including and maybe especially car companies, should be scrutinized for their security practices by us as consumers.
So next time you are shopping for your sweet new ride, ask your car salesman if the manufacturer has a Vulnerability Disclosure Policy.
Or better yet, research the brand beforehand on HackerOne’s directory. :)
RSA Conference rundown
"Best part of RSA so far: seeing a guy in a t-shirt that says "no purchasing authority" sitting by himself in a bar crowded with suits." - @nousie tweet
Yep, that might be the most amazing thing I’ve ever seen at a conference.
In case you missed the sessions because you were too busy finding parking around Moscone Center, or like me avoiding the crowds all together, I found Daniel Miessler’s recap on his blog to be helpful.
RSA is over, now get back to work!
The messy aftermath of an atomic bomb is radiation. The aftermath of an event like RSA is the email radiation (and belated projects and catch up meetings). The only antidote I’m aware of is copious amounts of coffee.
The struggle is real. The sacrifice - worth it!
See you next year.
ps - Heading to nullcon next week? HackerOne will be there, make sure and catch the talk on writing better bug reports by our Chief Bounty Officer, Adam Bacchus!
pps - Want to see the infographic of our survey of 5,000 US consumers? Of course you do. Click here to download the goods.