johnk

Through a Hacker's Eyes: Recapping h1-604

For the first time ever, a hacker writes a live hacking recap blog, highlighting what it is like to attend a live event. Katie (@InsiderPhD) gives a first-person narrative of h1-604. From seeing a bear for the first time to collaborating closely with peers, Katie covers all the adventures of heading to Vancouver, Canada to hunt bugs.

I woke up to a lovely grey sky...

I use the term wake up liberally, turns out jetlag isn’t great for me, I’d been awake since 4 am. I know most people would look at this wet grey day and go “I’d rather be in Vegas” but as a dues-paying Brit, I’ll take grey skies. And thus, h1-604 begins. The reception isn’t until the evening, and unlike Vegas, the air outside isn’t a million degrees, so I can do some sight-seeing. I venture out to find a Starbucks (I did say I was jetlagged). I throw a message on Slack and see if anyone else is around, but most people arrive today anyway. I decide to go for a walk around Vancouver. The hotel HackerOne put us up in is nice, some of the rooms face the water and you can see seaplanes landing. My room faces the street. I head to the water to see if I can see a seaplane. I don’t find one. I do end up speaking to people in a lift who ask me “What boat did you come off?”, I was shocked and then I found out there’s a cruise terminal on the opposite side of the road. Ah.

 

On my walk, I decided to attempt to find some postcards and a fridge magnet. I collect fridge magnets of countries I’ve visited shaped like the country or state, eventually, I hope to have a world map. I spend the whole day soaking up the cloud-shine, checking out every tourist shop. The poor shopkeepers looked so confused that a crazy Brit was asking for fridge magnets. I decide to head back to the hotel early and have a look at the target.

The target is hard, but thankfully as I peruse the Slack, smarter people than I have asked some good questions. I decide on a personal scope – I like to hack small rather than work on massive scopes, looking at the work of others to keep motivated.

Wow, time flies when you’re having fun...

I head down to the lobby to meet for the reception. There are not many people I recognise, but everyone seems okay with me butting in and I easily join in the conversation. This is one of the best things about live events! It’s okay if you feel awkward, people are super accepting of you and will invite you into conversations. All it takes is one person to be introduced to a wave of some of the best hackers in the world.

We head off to the reception and go in and what is this? HackerOne-branded flannels?? You gotta give credit to the marketing team! I feel like a Canadian. I manage to catch up with people I recognise, my former mentors! They are both telling me how tough the target is, phew, at least I’m not the only one struggling. One of them lets me know one of the bugs I found at 702 inspired them at this event. We exchange high fives.

I end up having a long chat with another hacker, she was a huuuge help at 702, and tried her best to help me with one of my bugs literally in the last minutes of the event. We end up deciding to go get some sushi for dinner and chat longer. And wow, literally inspiring, we chatted about jobs and careers, her bugs at 702 and I’m feeling excited/inspired/hyped… inspihypcited? There’s nothing better than being able to chat with some of the best names in hacking and learn.

I head back to my hotel room and take another go at the target, I feel like I’m hitting a brick wall, but my dinner has still left me inspired to keep on bashing my head. I keep going.

Next stop, the top of the world...

uhh, Vancouver. I’m still super jet-lagged so I end up going to breakfast early. I run into another hacker, who I don’t know super well, but I met in Vegas. We decide to have breakfast together, and he tells me about his work on hardware hacking. Now, I’ve never done any hardware hacking before, so I’m learning a ton and the day has only just started! I end up running into DISTURBANCE as I’m heading up to my room before the coach arrives, I realise that they have matching team hoodies, and they look incredible. I stop and ask how bug-finding is going, they tell me it’s a tough target but that “teamwork makes the dream work”, as we’re speaking a bunch of them start getting really excited, I decide to leave them to hack and keep my fingers crossed that I’ll find out what got them excited at show and tell. I resolve to find them tomorrow and ask more questions. 

I head to the coach to Grouse Mountain. In the coach, I end up next to a new hacker who has not been to a live event before. I’m no expert but I do my best to try to be reassuring and end up chatting about work/hacking. I feel really refreshed after a good conversation. We arrive and get loaded onto a gondola. I have never been up a mountain, I was low-key expecting snow or frost. Instead, we are thrust into the clouds. It doesn’t take long before I start feeling vertigo from the shifting clouds. I hear whisperings about there being a bear, and I’m thinking “wait, am I gonna get to see a real bear in person?” I thought that kinda rounded out the Canada experience.

 

First, HackerOne has set us up with lunch. We all feel rather underdressed. It kind of feels like a wedding...posh. The food was great – it often is at live events, honestly I could rewrite this post from the POV of the food! We sit down and commiserate in a group about how hard the target is. I think we’re all trying to help each other feel better. I take the opportunity to learn anyway from what people talk about and we’re all getting excited about seeing a bear, there’s also apparently a ski lift and a zipline. After we’re done with the food we begin planning, some people decide to stay behind, they’re close on a bug and want to investigate.

The mountain is a lot clearer than when we saw it pre-lunch, and now it feels less like the abyss and more like a pleasant forest walk. It doesn’t take us long to walk to the bear enclosure and to soak in the mountain atmosphere. Someone says you can tell the air is crisper, cleaner, I agree.

 

We have a bit of a wander around the enclosure, and there it is: the first grizzly bear. They’re big. Like, I was expecting a large dog, and I got a small horse. The fence doesn’t seem particularly thick, but there are some encouraging signs about it being electric. As I’m admiring the first bear, trying to get up close, bam, the other bear just comes out towards me. I follow it and get a great close-up video of the bear. It’s shaggy and it has such tiny legs compared to its body. On the trees are some massive slashes where the bear has decided it didn’t like the tree anymore. I quite enjoy watching the bear until it trudges out of view. I have seen a bear! Mission Canada complete. We did miss the lumberjack competition though.

 

We then see the ski lift in the distance to the peak. The group decided to go for it, but I’m not the best with heights and it looks a little… sway-y. I bid my fellow hackers adieu and go to walk around. I end up running into the other groups, I let them know about the bears and the ski lift and say I’m heading around to do some exploring since I’m worried around heights. I end up looking for interesting photos to demonstrate to my family that I don’t just spend all day inside, before heading back inside, checking up on the hackers left behind and seeing how they are getting on.

The clouds descend upon us once again, and I retreat to the gift shop. I am still on the lookout for the elusive fridge magnet. And before long, we’re packed up into a gondola again, and I’m chatting about the weather with some fellow hackers. What can I say, I’m British.
 
On the bus, I end up chatting to more of my fellow hackers and we chat about live events versus hacking alone. We all agree that live events are something very, very special. That you would expect people to be secretive with all the money involved, but actually people are only too willing to share knowledge, bugs, and help out their fellow hackers. We all comment that live events are great, even if you don’t find a bug, for just the community aspect. Days like today can be great for building new friendships, even if you’re not hacking together.

Plus, the bear was cool too.

T-minus some number of hours before kick-off, back at the hotel, I check in on my fellow hackers and ask how they got on, spirits seem to be improving as people are getting closer and closer to bugs. Some of the veterans tell us not to worry if we don’t find anything, the target is tough and specific on what they’re looking for. My lead didn’t pan out yesterday but honestly, it’s nice to hear that other people are having better luck than me, at previous events people have been so supportive when I’ve found bugs I’m happy to pay it back and cheer on my fellow hackers.

I head back to my room, thinking about how excited people are for others’ bugs, there’s been a new scope released – whooo! Maybe I might find something! I get hacking straight away... and I forgot to bring a USB-C dongle. No worries, I jump on Slack and a fellow hacker will let me borrow his. Hey, it’s not just hacking help people provide at live events, sometimes it’s missing equipment help.

I head to bed and finally manage to get a full night’s rest, just in time.

Today’s the day...

It’s hacking day. I head down to Starbucks and pick up a coffee before having breakfast. I’ve specially packed a few days of lucky socks, but I’ve been saving the luckiest for today. I always find bugs when I wear my lucky socks, so I keep on the tradition. This pair found me my first bugs in London so I decided that for a target this hardened I’m going to need all the help I can get.

People and socks.

 

After a quick breakfast, we gather in the lobby and walk over to the venue. Quickly give our names and pick up our badges and raid the swag pile. I love the swag; a new t-shirt with the h1-604 logo on it, more stickers, another challenge coin and what is this? Another table, with more swag from the customer?? I pick up 2 branded fidget spinners. It’s going to be a long day. And we settle down into the opening ceremony room. And WOW, we are literally in the UN.

Welcome to the United Nations of Hacking...

 

Honestly, the venue has this amazing UN feel. They tell us the WiFi is better downstairs, but the chairs are comfy and the room is incredible, so we’ll suffer from worse WiFi.

I take my seat, carefully positioned between Jesse and Cody, two incredible hackers, that I fully intend to peer over and bother, learning from the best. I also take the chance to ask about mobile hacking from Joel, who is working with Cody.

The opening ceremony starts and we are all really hyped and excited! Cody already has a few bugs in, so I keep my fingers crossed for him. After a few words from HackerOne and the target, I’m feeling refreshed, and ready to hack. I haven’t had any good leads from the hotel hacking, but I always do better when I’m at the event, taking in the atmosphere, the hype from everyone else and the expertise. I have a go and find something weird, it turns out to be nothing, but you know what: That’s okay. I’ve been too stressed at all the events writing reports until literally the last second. I can spend time at this one networking and learning instead. I think I have a race condition so I go downstairs and ask the expert, STÖK. DISTURBANCE is pretty busy so I just ask when he’s free if he won’t mind. 

I get interviewed for the YouTube channel. It’s an odd experience, but I don’t mind and it’s fun. Difficult to not look at the camera though. I return to my table and somehow Cody gets me to agree to do the hot wing challenge. He does show me some of the bugs he found and how he found them, I think that’s a fair trade!

STÖK comes to find me and wow, he sits with me and goes over race conditions in such depth, it’s like 1-1 tutoring. I get to ask plenty of questions and get his thoughts and opinions on something I’m working on. Hey, I might be 0 bugs, but I’m learning so much and I usually don’t have time for these in-depth discussions. I realise that another app I was working on probably has a race condition, so I’m excited to go and hack that program when I get back!

I’m true to my word so I get ready for the hot wing challenge. It doesn’t take me long to call it quits, but Ariel calls it quits at the same time, so I don’t feel like too much of a wuss. I enjoy watching other people suffer and get some drinks as people make their way up to level 10 spice. We weren’t doing this just for suffering! We were raising money for BADASS, a charity that helps people fight against revenge porn. It feels good to be a part of something good, even if I did feel like I was going to die at level 5 spice.

I spent some time talking to the other side, finding out what it’s like to triage and award bugs. This was actually super interesting, I had no idea what the job was like and how bugs are managed on the other side. It’s interesting as a hacker you end up in a narrow view of bug hunting, hearing what it’s like on the other side, how bugs are reported, how the process works. Super cool.

As the event wrapped up and we awaited show and tell, the best part of any live event to be sure, I went to go check on my friends downstairs, catch up on how they were getting on and how they did. They were playing a variation of beer pong, I laughed and watched along, listening to them recount their bugs. I asked if they found anything super cool that they’d be willing to show me and they promised that they would show me some interesting bugs related to one I found at 702.

The closing ceremony begins, and I cheer extra hard for all my friends in the show and tell. I’m a little biased, but they had really awesome bugs! There’s an after party, but I am exhausted.

I have a flight to Seattle in the morning to speak on HackerOne’s panel at DefendCon, so decide to head to bed. 
