Hackers! Do I shoot or do I hug

BSides Belfast 2017, keynote. Published 2017-10. Length 35:02.

Transcript [en]

Hi, my name is Edwin. A quick intro for me is coming up, but first I have to warn you, because yesterday evening I was still like this. I have a little bit of a flu, so sometimes my voice gives out; I hope it works out for the coming 45 minutes. I narrowed my presentation down just to be sure, so it's not 160 slides but just 90 this time, for 45 minutes, so we should be good. And I was like this when all the other guys were like this, you know: come on, it's not possible. I will also check my new... I've got a new clicker, by the way, which can zoom, so now you can see the warning there. It's also a memory master [unclear], I don't know what it is, but it worked like this. All right.

A quick news flash for us all: Satoshi Nakamoto, anybody know who he is? I thought so. First no, but it came out last week that it's not just one guy, you know, it's an evil gathering of corporations. Did you know that? No? I will tell you a secret now. This is it, so now you know. Fixed: something new you learned today. Come on.

All right, nobody under 15 in the room? Because some of my slides are pretty terrible, they will give you nightmares. No, it looks good, okay. I will give you a beer... I will be giving away some Mate. The Mate tastes a bit like, if you've never used it, it tastes a bit like French cheese which you have pulled through an ashtray. That's what it tastes like, but you can win it, and if you drink more than three bottles it's awesome, so just keep drinking. [unclear] I will do a quick quiz, so for instance if you see that logo and I ask you questions like this, it isn't that hard. So what is this? Anybody know? Raise your hand if you know it. Over there: the old internet, [unclear]. You can win this, practice, yeah, so that's it. Now here's one about Club-Mate. It's that easy, you know, so have fun with it.

Who am I? I'm an old hacker, as they say. I pushed a lot of buttons when I was a kid, my parents still hate me for that. Of course I played with the old modems. Anybody still know the old modems? Raise your hand if you're old, come on. Thank you. Played with BBSs, got my hacker name in that age, did a lot with Hack-Tic, which is an Amsterdam hacking magazine. Police friend, of course, makes no sense, I didn't do anything wrong in my age of course. I started my own company, but what I always wanted to do was this: all the hackers I know, in all my years, I started hacking when I was about 13, I went to a lot of events, and all the guys and girls I met, I would put them in a room like this, and I will drive in a car, and I will drive in a washing machine or a website, and just break it. That's basically what I wanted to do. So in 2016 I started with Zerocopter, and we are basically using hackers around the world to break stuff. It's that easy, and it's fun, and I like it.

In 2012, '13, in the Netherlands we have something like the NCSC, I think you have it over here as well. They organized huge events and parties, but

hackers from the Netherlands weren't allowed. We just weren't allowed in, which is stupid. So in 2013 we organized our own conference, which is called [name unclear in recording], and we got all the people who were flown in and speaking over there to also speak with us. So we had a bus driving in between, picking them up when they were done talking over there, and bringing them to us. They didn't like it that much, and we had a lot of discussions afterwards, but it did a lot of good for that community, because this year this happened: I was on the One Conference main stage. So what that gives to me is that hacking is growing and hacking is getting out of the dark and into the light, and I think that's awesome.

In my free time I do the Guild of the Grumpy Old Hackers, where we just help little guys who hack and shout about it to be sensible and try to do normal stuff with all the things they find. And I'm a part of the Cavalry, where we help medical and [unclear] companies to be more secure. I don't have these certifications. Does anybody in the room have these certifications? Raise your hands. You're a very brave guy, I'd say. Don't worry, you can download them, you know: this one, download it; this one, download it; it's all there, you can just... even this one, unbelievable. If you do this one, you don't put it out there; I think you haven't learned enough. But people are still that stupid. And even without those certifications sometimes you get weird emails like this one, from our State Secretary of Justice, and I was like, oh, what did I do? But in the end I had to help and assist the EU in talking to them about hackers, and so something horrible happened, because I had to wear a suit. This is about the one time you will see me in a suit. I'm not happy. See, I can zoom.

All right, you're not here for that. Let's do a little intro and let's have a little bit of fun. I'm from the Netherlands and I was very happy to be asked here. I only had one little [expletive], because I came home and I said, well, I'm going to Belfast, I'm going to speak in September, and my wife, my lovely wife, was sitting over there and said: September? What day? The 7th. Hmm. I see one look like this, and my brain was racing, what did I do? And she said, it's my birthday. So I said, that's why you're coming.

So, I'm from the Netherlands. We are famous for our tulips, we are famous for our cheese, we are famous for our stupid wooden shoes, and we suck at soccer. Yeah, that's true, we suck at soccer nowadays, we're not good at all. We are good at skating, we are also very good at water management, and we are good at... what's this one? Well, we are a bit of, we call it 'gedogen', that means we allow a lot of [expletive]. So basically the law says you can't do this, and the policeman says, okay, don't bother. And that's what we are pretty famous for. This one, you know, I don't know if any of you recognize these plants, but in the Netherlands it's pretty common to have a stock of these plants in your home. We also allow this: districts. Basically, can we say 'hookers'? Can we say hookers? Yeah. So we allow hookers and we allow hackers. Yeah, you

made a bridge: hookers and hackers, and that's what our presentation is about. And basically this is still what you get when you google 'hackers'. It sucks. I never wear ski masks when I'm behind a laptop, I don't. We did a pizza-eating contest once with ski masks, so it doesn't work, it's pretty messy. We do of course wear hoodies, but only because it's useful. Come on, hackers. This is what hackers do: we don't make holes, we just find the holes which are already there. Correct? That's it, it's that easy. If you talk to the press, basically try to get this message out there; maybe they are going to understand that everybody, in my opinion, needs a hacker.

Remember: the real enemy is not hackers. Never. Does anybody know what the real enemy of us all is? Try once. Sorry, Club-Mate, I'll give him one. Come on, yeah, this is going to be a short one. [unclear] Now, the real enemy, in my opinion, is this: time to market. Somebody gets an idea, goes to an investor, gets a lot of money, builds one million devices, hits the market as soon as possible before somebody else does, and then thinks about updates, and then thinks about security. That is the real issue. We should do something about it. And of course that's not the only issue, we have additional problems. Yeah, maybe this gives a hint what problem I'm thinking about: it's people like this, which are still in our company. It's people like this. [unclear] This, my favorite, my favorite, this one, especially the guy in the middle: eyes closed, you know, nothing is going to happen. And I live in the Netherlands, and in the Netherlands we have students, and students, when it's hot, they drink a little beer and then they're in their pool in front of their student homes, and they want to eat something, and what do they do? They do this, really. As long as you have stupid people, stupid things will happen, that's basically what we say. And yeah, there's not much to be done. But be honest, I mean, we sometimes make the same mistakes. I speak to a lot of companies and then I see this, and I ask them: which lock do you choose? Which one do you choose? Do you choose this one, number one? Do you choose number two? Everybody chooses two. Then why are all the keys behind number one? If we enter a building, the easiest lock to pick is the lock with all the keys. It's stupid. Think about stuff like that. And then people say, [unclear]. Well, we still have stuff on eBay for 10 to 15 pounds that can copy like 10 frequency cards, for like 20 pounds. It's so easy, and people have to think about security: just having a tag, just having a card, isn't going to cut it for you.

And we've got a lot of stupid stuff. Anybody know what this is? Amazon Alexa. What can you do with it? You can talk to it, it's fun. If you talk to it you can order stuff at Amazon. And I will introduce to you the first bird who ordered some stuff with Amazon, because that stuff is going to happen. That's what you get when you do a lot of IoT and don't think about stuff. This, I don't want this. Does any of you want this? This is going to happen: your toothbrush wants a LinkedIn connection with you. We have more. This, yes, we have a

lot of sensors in our phone. So many sensors that they now can just see our PIN code by the movement your phone makes, so not by what you type, no, by the way you move and your phone reacts to vibrations. They can, within five guesses, have your PIN code 100% of the time, and I think 70% of the time they had it at the first try. Just literally have a script in your phone to do stuff like that. Awesome.

And this: I do a lot of talks, a lot of conferences, and then you're in Russia and you had a little bit of that vodka, which is not really good, but it works, and you walk in the park to your [unclear] and you see this, like a Windows error message, five by five, in the sky, and you think, oh my god, that vodka was really shitty. But it's a building. It just crashes all the time. Unbelievable. And you have one in Japan now which does this. It's perfect. This is what we are building.

And this, does anybody know what this is? For a bottle of Mate, raise your hand, raise your hand if you know. Well, basically she's right, yeah. What this is, is a trap. It's a trap for ultimate autonomous driving cars. They can drive in, you know, because the lines are broken, they can drive in, but they can never drive out. It's that easy. It's, I think, seven kilos of salt, and some hackers who think of this [expletive], and nobody has thought about it. They have to look: how do you fix it? Like this, I don't know. It will be fun in the future for us, I think.

Still, coming back to it: everybody needs a responsible disclosure. How many of you have heard of the term responsible disclosure here? A lot. How many are using it actively? I mean, who has never heard of responsible disclosure? Nobody dares to raise their hand. I'll give you a bundle of Mate if you raise your hand. I am working like 10 years now for responsible disclosure in the Netherlands. In the States it's called coordinated vulnerability disclosure, maybe that sounds better to you. But what it does is it says basically: dear people, hacker, researcher, whatever you are, if you find something in my website or product and you think it's a security issue, please tell it to me. Don't go to the press, don't go download a lot of [expletive], don't go hacking. If you can access my database, please access two records and show me how you did it, instead of downloading the whole database and putting it online. And if you abide by all those rules, then we won't prosecute you. That's it. And with that gesture you get the hacking community to help you, and that's what I'm preaching for, for almost all my life.

Does anybody know what this is? About a movie: this is WarGames? One of ours? What? Yeah, good for you.

Good, very good. WarGames was basically the first responsible disclosure ever. A hacker finds something, he breaks in, and he thinks, this might be shitty, and he's going to try to fix it himself. Basically that's it: you fight to get stuff fixed. And they even made an ISO standard for it. You have an ISO standard for vulnerability disclosure itself, and how to work with vulnerability disclosure, so how to get the process organized in your company. So it's not even something hackers shout about anymore, but it's something legit, because it has an ISO standard, and even this ISO standard is free, which is probably not often the case with ISO standards. And people like Katie in your room are the people who worked very hard to get it done, so I'm very thankful to them for getting it out there.

And in the Netherlands the National Cyber Security Centre even made a policy, even translated it into a lot of languages, a guideline for responsible disclosure practice, because in the Netherlands we have the public prosecutor, who even has, it's not really a law but a guideline, that says: well, if a hacker did a responsible disclosure, and even if the company doesn't have a responsible disclosure guideline, if he held to all the rules, we won't prosecute that hacker. Which is really awesome, and we're trying to spread that throughout the world to give the hacker community a better [unclear]. That's one of the guys responsible for it, by the way. And we have a book, Helpful Hackers; at the end of my presentation I will give you a free link and you can just download the PDF version of the book, and it's awesome. It's 19 stories about Dutch hacking, and problems that were fixed, and how it works. So it's really, really something I love, and they translated it now. And basically, once again, if all the questions above are answered positively, the public prosecutor may refrain from conducting criminal investigations. Okay, awesome. This is what it looks like for us, and I can use my phone and click again: do not take advantage, do not reveal the problem to the press, do not use weird or physical attacks, provide sufficient information, and then we will respond within five days, and if you follow the instructions above we will not take any legal action against you. That's it. Please, guys, do it.

And in the Netherlands we are [unclear] at this. We get a lot also from, for instance, France: we get French hackers who give us responsible disclosures at Zerocopter for French companies, which is pretty weird, but they think if we do it in the Netherlands we won't get prosecuted. It's that easy. So we are now basically a proxy. The Belgians, they also adopted responsible disclosure, the government is working on it, but they now said it in the press and forgot to do one thing: they didn't register responsibledisclosure.be, which we did. So it will be fun in the future to talk to the Belgian government. And now sound, sound guy, okay, everybody sing, come on. Have you seen this, by the way? You can use it everywhere, it's awesome. And we had sound, it was even better, which was supposed to work, but it didn't. [unclear], I wish you luck. [unclear]

So in Holland most of the time responsible disclosure is not a bug bounty, there's no [unclear]. I guess that's just paying people. In the Netherlands it works like this: if you do responsible disclosure, basically you work for shirts, and if you do bug bounties

you will work for money. That's the big difference between the two. And one of the guys doing a lot of [expletive] is this one, Victor Gevers. Anybody heard about him? In the Netherlands he's like a maestro. He worked for, I think, 18 years on nothing but responsible disclosure. Last year he took a sabbatical for a year and he worked 15 hours a day just doing responsible disclosures all around the world. It's really, really awesome, and he even got into Parliament to explain how it worked. And he's working now on this one: a lot of Chinese bitcoin mining machines are openly on the web, I don't know if you've seen it. That's one find he's fixing. And also this one, and the other people in the room, yeah, it hurts. Some of the [unclear] people have made a password on SSH which was now openly available, so you can access all these [unclear] devices via the internet. And what they do is just clean it up: they contact the companies, they contact the owners, ISPs, and they say, come on, your [unclear] is blocked, and they give you stuff on how to fix it, which is awesome. And he doesn't want any money. He's doing this for eighteen years, he just wants to have a safer internet for his kids. That's the only reason he does this, and that's really awesome.

Last year he got a lot of vulnerabilities all around the world, and if you look at it, what struck me was that in China most of the things were fixed within five days, because nobody else can then use the stuff. If you look at the longest time to fix: Russia. But Russia also fixes, but doesn't tell. And if you look at not fixed at all, France is pretty high, but I don't think they know they have internet yet. So I think that will be it in the end.

If you're going to do responsible disclosure, by the way, you have to be sure that you know that they will come: you will get a lot of false messages, a lot of phony messages. And I thought it would be fun to take you along in some of these funny things. This is Schuberg Philis, a company in the Netherlands. They had 1,000 responsible disclosures last year, and of those 1,000 only two were valid. So you get a lot of [expletive]. We do it for shirts, of course. This is one of my favorites: 'I hacked KPN', which is our telecom provider, 'and all I got was this lousy t-shirt'. That's the stuff we like, you know. The government even does it: 'I hacked the Dutch government and all I got was this lousy t-shirt'. And even the Dutch bank, the National Dutch Bank, is now giving away prizes for responsible disclosure. And does anybody of you know what they give away?

That would be awesome, by the way, but they don't. Another hint: anybody, what would a bank give for responsible disclosure? Mm-hmm, nobody? Do you know? [unclear] Don't you want Mate? Come on. They're giving away gold bars, unbelievable, small ones. And in the end it turned out it's a USB stick. It sucked, but the idea was nice, and they got a lot of responsible disclosures after this picture.

All right, I will take you along in some of my tales about stuff we've seen at Zerocopter and companies around us, which should be fun. This one we get a lot: 'I want to warn you that you have port 3128 open.' Anybody in the room, for a

Mate: what's the port? Come on, over there. No? Yes, it's a reverse proxy. That's over there again. Are you hating me already? I will get you a beer tonight, you know, I will be paying. So these are people who have a local Squid proxy and they are port scanning their own networks, and then giving us a list of their own open ports internally and saying that we are the problem, which is really, really stupid. I mean, come on: when you wreck yourself, have fun.

This one also: 'I want to warn you that you have a problem somewhere, and it might be SSL or it might be a server update.' Okay, so can you be more specific? No, we are just sending these messages out to thousands of people and we hope that somebody responds and gives us money or shirts. That's basically how they work; that's dragnet responsible disclosure.

This one is also fun. A hacker found a website where, if you work it, they say: if any attacker guesses a username and password and finds it, then they might enter. Oh wow, wait, so you found a site where you can log in, and if you guess correctly then you're in? That's a responsible disclosure announcement, unbelievable. And then even: 'kindly fix as soon as possible'. Wow. If you look at the site, it even has two-factor authentication in place, but that's not what they're looking at, they just see the backend. Unbelievable.

And this one, you know, if you're easily shocked, please cover your eyes now for the next picture: 'I want to warn you that you are vulnerable to a CVE.' This sounds amazing, this sounds interesting, so our researchers go on it and look at the CVE, and then they find it: it's a PHPMailer remote code execution. Wow. The only problem is that this is announced on a site that's running Ruby on Rails. What, you know? Are you really, really [unclear]? Paragon password reset was also fun. A guy finds that when I click 'forgot password' I will get a reset link, and if I go to the reset link, log in, log out, then my session will still be valid. Which is okay, a normal announcement. But then the company's answer is like: where are you seeing this? Because we don't have a password reset feature. Maybe, okay. So the attacker is insisting: okay, I will help. So he gives us screenshots. Are you ready? [unclear] I don't know if you get the hint at the moment, but the link in the end is 'dead, please reset your password'. What do you think the company's answer was? Correctly: 'sorry, we are not responsible for a [unclear] security action'. This one: 'due to improper configuration the following directory is open, their files are listed', and of course, in Finland, right, oh yeah, it's our source tree, maybe it's supposed to be open, you never know. A lot of stuff like this happens, and we get a lot of those messages, so you will be flooded with stuff like this. And if you want to see more, Bug Bounty Fail by Melvin is one of the sites where they gather all the funny stuff, and you will have a lot of laughs. And yeah, basically that's why aliens won't talk to us.

Also responses: our responses can be a lot better, even from us as companies, we should do a lot better. And stuff like this, this one: I don't know if anybody, for a bottle of Mate, knows where this one... Hint: it said 'I'm sorry, this is not a

bug. Thank you, Security, Facebook.' Nobody? Don't you just like Mate? It's lovely.

So it was about... because Khalil eventually found this bug, he posted it on Facebook, and he said: I'm sorry, before I can look at it better, I'm sorry for breaking your privacy and posting on your wall, Mr. Mark Zuckerberg, but I don't have any other choice. So he found a bug, he posted it to Facebook, and Facebook said, well, probably not a bug, and then he just posted on Mark Zuckerberg's own private wall. So also, please listen and please check if the vulnerability you get is really legit.

This one is also brilliant: Uber closing a vulnerability as 'not applicable' since it's out of scope, and the researcher gets a little bit pissed. Am I allowed to say all this? Am I allowed to say... okay, I will: 'I know this is out of scope, a new team member, blah blah', and then in the end, yeah, this is to Uber, the worst curse which you can give to an Uber: 'you [expletive] taxi driver'. Awesome, unbelievable.

Then, seriously: CloudPets. Do you know the story about CloudPets? Are you from CloudPets? I will tell the story about Victor. Victor, the guy you saw earlier, who's a friend of mine, he found some stuff at CloudPets, and he was kind enough, as he does, to warn them about the fact that some of their databases were openly available on the internet. And he did it like this. He said: well, I want to inform you that the IP address is running a MongoDB instance which appears to have been not correctly configured, as it grants full open access. This is a responsible disclosure you get from Victor. It looks like this, it's awesome, it's detailed, it gives you all the [unclear], it says why this is a problem, because a lot of ransom was going on with the databases, and we suggest to check your accounts, to look at the stored files, and try to fix it. Very nice email. But if you focus in on the email: you had eight hundred and twenty-one thousand registered users and over two million voice messages, and this is toys for kids, you know. You buy a toy, you put it in a room, and it can record what your kid does, you can send messages to your kids, so it's pretty, pretty scary stuff. There was even a lot of military stuff in there. And this is what it could do: just via the internet, no access, nothing, just connect to the database, you can do anything you want. It's that easy. Now how many times, for a bottle of Mate, do you think Victor tried to warn this company? Anybody? Come on, we shout something. Don't we have beers or something? For beers: five? Yes. Lower. One? Lower. That's easy. Yeah, I'm sorry, I'm sorry, I'm sorry: nine times. Nine times he warned them, it's

right, every means, he gave them everything, and they still eventually wiped the database. It's unbelievable. Nine times. So also listen if you get responsible disclosure stuff in.

And one of the best still in the world about responses is this one. A guy tells somebody that he has an XSS on the site, and the answer of Kevin Wilson, support hero, is: 'it looks like you are trying to add the other script in the name, which is not possible because you need to add letters and numbers in the JavaScript.' That's an answer to an XSS. Come on, guys, this doesn't work that way. If you have an XSS you should fix it, not give stupid answers like this. Everybody needs a hacker.

And do all the hackers, are you all like this? Does everybody work... do we have to be exceptionally brilliant to break into other people's computers? No. Unless... we don't have... In the Netherlands this is still common: you have a form, and all the standard forms are all right, but then there are other forms where the developer hasn't thought about stuff, and you can just add PHP code in forgotten forms, and possibly this won't run, this will never give back four... all right, it gives back four. Well, if it runs PHP in a form, we could also get stuff like this. It is that easy. This is 15 seconds of work, and it's still very common. Also this one: 'send the e-card'. Wow, brilliant, you can send e-cards, you can email it, but you can also upload [expletive]. Oh, what should we upload? Should we upload some PHP? It won't work, it will never work, come on. Oh wait, we are now basically owner of the server. 15 seconds. That's how easy it all is, and that's how easy it stays if we don't do something about it. Beautiful apps, beautiful mobile apps, beautiful servers, beautiful websites, but never look at your API, because no, the connection... [expletive], right? So as long as that's the mindset, and you can just proxy or Burp, whatever, your way in and just change some details and be on the rough stuff [unclear], it stays shitty. We have to fix it. Can we fix it? Yes we can. Do you have Bob the Builder over here, by the way? Yeah. I like this.

This is how you fix stuff, you know. Do you know this? SKF, the Security Knowledge Framework. If you have developers, if you are a developer, if you know a developer, please point them at stuff like this. This is free, you can freely use it. You can say, I want to build something new, and people have to log in, and people have to do certain functionality, you just click it, and there you get code samples on how you can fix stuff. It's that easy, and it's free. For instance, XML injection prevention, PHP example, how to prevent it, for free. If you use stuff like this in your work, or if you point people at them, then in the end we will be a lot safer.

So what have we learned in the last couple of years? You see, after... well, mostly this: a lot of people still need clarification, because they build beautiful things but have no clue about security. So it's up to you guys, and to all of us, to clarify to those guys that security is a thing. And also a lot of people are still not ready for responsible disclosure. You have to do that in a slightly polite manner. We have

a lot of things where we work with CISOs and team leads, and they are very happy to work with us, and then in the end the signature has to be done by a board of directors, and there's a guy in a suit, like 70 years old, with a cigar, and he says: hackers? No way. And that's gone again. So you have to educate people to make sure that hackers are pretty sweet and can help. Explain responsible disclosure to companies, explain it to hackers, and please explain it also to your governments, because the more everybody adopts things like that, in the end we're a lot safer, and we can even benefit a lot from it.

If you look at these stats, these are stats about hackers and hacks, and it's like fifty-five percent of all the hacks and hackers are done by [unclear]. So responsible disclosure people like Victor Gevers are in the five percent. Thirty percent is espionage, that means China looking into other companies and trying to steal stuff; I don't think we can do a lot about that now. Then you have fifteen percent activists, and you have ten percent script kiddies, and forty percent who are doing it for the money. Now, what if we can do bug bounty raising and responsible disclosure so that these forty percent don't have to go to the dark side? They can make enough money by just doing bug bounties. And if we train them and teach them how to hack, then we have fifty-five percent of all the hackers on the right side, the good side, where the cookies are, you know. If we can do this, I think it will be a lot safer, and in the end, still, everybody needs a hacker.

So if a company has a responsible disclosure policy, just go, just give them your findings. If not, try to link to responsible disclosure info, send them an email like Victor, tell them how it works, and give them a place to start to learn. If not, go to a local CERT, and if anything else fails, communicate with your local CERT. So give the findings to them and let them [unclear] fix it. But one thing is very, very important for every hacker out there: be kind. Because only bad [expletive] goes to the press; all the good things everybody forgets. But if we react in a stupid way, then the press will pick it up and we are all screwed again.

All right, I'm going to the end. This is the link, by the way: helpfulhackers.nl. If you go there you can download the book we were talking about. I will be here afterwards, so you can look at it again. Yeah, you were late, right? I will go to my last slides. Everybody has this? Who wants it? Yeah. This is basically my ending, you know: a lot of people still think that hackers are guys with hoodies, and hackers are stupid people breaking up [expletive]. No, we are here to fix things, and we all want a better and safer internet, so we all should work on that. So basically your new motto from this day on should be this one, you know: Keep Calm and Hug a Hacker. And I wish you a lot of fun at this awesome conference, and thank you for having me.
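The CloudPets story in the talk comes down to one misconfiguration: a MongoDB instance that listens on every interface and requires no credentials. As an added illustration that is not part of the talk, the two `mongod.conf` fragments below show that exposed setup next to a corrected one (file paths are placeholders; the talk itself names no configuration details).

```yaml
# Added example, not from the talk. Two mongod.conf documents separated by "---":
# the first reproduces the exposure described for CloudPets, the second corrects it.

# --- weak: reachable from the whole internet, no authentication ---
net:
  bindIp: 0.0.0.0        # listens on every interface
  port: 27017
security:
  authorization: disabled   # anyone who can connect can read or wipe every collection

---
# --- corrected: local-only listener, mandatory authentication, TLS for any remote client ---
net:
  bindIp: 127.0.0.1      # or a private-network address reachable only from the application tier
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path, not from the talk
security:
  authorization: enabled    # every client must present a user with a role
```

A quick defender's check after deploying the corrected file: `ss -ltnp | grep 27017` on the host should show the listener bound to `127.0.0.1` only, and an external port scan of the host should no longer report 27017. Note that `authorization: enabled` only has effect once an administrative user has been created in the `admin` database; until then the localhost exception still lets a local client in, so create the user before opening the listener to any other address.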
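The talk's e-card example (upload "some PHP" and you own the server) and the "2+2 gives back 4" probe both come from an upload form that trusts what the client says about a file. The following is an added example, not code from the talk or from any product it mentions: a Python pair of validators, one that behaves like the form described (accepts whatever the browser labels as an image) and one hardened version that decides the type from the file's leading bytes, looks only at the last extension, and stores the file under a random server-chosen name in a directory of the server's choosing. The sample uploads, the function names and the `ALLOWED` table are all constructed for this illustration.

```python
"""Added example (not from the talk): naive versus hardened upload validation."""
import os
import secrets
import tempfile

# Constructed sample uploads: (client-supplied filename, client-supplied MIME type, leading bytes).
# The PHP sample is the harmless "2+2" probe the talk mentions, not a real web shell.
SAMPLE_UPLOADS = {
    "real_photo": ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8),
    "php_as_jpg": ("cat.jpg", "image/jpeg", b"<?php echo 2+2; ?>"),
    "double_ext": ("cat.jpg.php", "image/jpeg", b"<?php echo 2+2; ?>"),
}

# Allowed extensions mapped to the magic bytes a file of that type must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def naive_accept(filename, client_mime, data):
    """The failure mode from the talk: the Content-Type header is set by the client,
    so any file labelled image/* is accepted, whatever its name or content."""
    del filename, data  # never looked at
    return client_mime.startswith("image/")


def hardened_store(filename, client_mime, data, upload_dir):
    """Hardened handling: ignore the client's MIME type, require an allowed LAST
    extension whose magic bytes match the content, and write the file under a
    random name. upload_dir is meant to sit outside the web root and be served
    by a handler that sends a fixed image Content-Type, so nothing there is ever
    executed as a script. Returns the stored path, or None when rejected."""
    del client_mime  # untrusted, so not consulted
    ext = os.path.splitext(filename)[1].lstrip(".").lower()  # "cat.jpg.php" -> "php"
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    safe_ext = "jpg" if ext == "jpeg" else ext
    new_name = f"{secrets.token_hex(16)}.{safe_ext}"  # client name never reaches the filesystem
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, new_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def run_samples(upload_dir=None):
    """Run every constructed sample through both validators.
    Returns {sample_name: (naive_decision, hardened_stored_path_or_None)}."""
    if upload_dir is None:
        upload_dir = tempfile.mkdtemp(prefix="ecard_uploads_")
    results = {}
    for name, (fname, mime, data) in SAMPLE_UPLOADS.items():
        results[name] = (naive_accept(fname, mime, data),
                         hardened_store(fname, mime, data, upload_dir))
    return results


if __name__ == "__main__":
    for name, (naive, stored) in run_samples().items():
        print(f"{name:12s} naive={'accept' if naive else 'reject':6s} "
              f"hardened={'stored as ' + os.path.basename(stored) if stored else 'rejected'}")
```

Running the block shows the naive validator accepting all three samples while the hardened one keeps only the real photo. The extension check alone would not have been enough: `cat.jpg` with PHP inside passes a name-based filter and is caught only by the magic-byte comparison, which is why both checks are kept and the client's MIME type is dropped entirely.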