
All right, thanks, thanks everyone for coming to my, uh, my talk. We're talking about, uh, Hack South today, uh, home of the Ubi South. When we started it was called home of the nefaria South, but, uh, one of the mods told me to change that. So the structure of my talk today: we're going to talk about the origins of Hack South, current status, uh, future intent, so what we plan to do in the future, and a bit of a call to action. I think I left the call to action out, but we'll get there.

Right, so, uh, so who am I? I think the scavenger hunt is closed, but there's a QR code. Well,
welcome. All right, so first and foremost I'm a father to a young girl, Haley. I am a husband to Michelle. I'm a veteran of the British Airborne, where I served six years, two tours in Afghan. I am the founder of red. a cyber security specialist recruiting company. That's, uh, that's what I typically look like. And then obviously I'm the founder of Hack South and, uh, unfortunately I'm a passionate helper; I tend to make other people's problems my problems.

Right, so the origins of, uh, of Hack South. So I was on a Discord server, I found out about Discord, and I was a part of a community called, uh, The Many
Hats Club, which was a dumpster for cyber security pretty much across the globe, some more sketchy people than others. It had about 8 and a half thousand members. As you can see why it was a dumpster fire, it was run by this guy called CyberSecStu. So it had 8 and a half thousand members, it ran podcasts and hosted all sorts of people. Uh, I think the most nefarious was, um, McAfee. We interviewed him twice, once in a Faraday cage, um, and yeah, lot of shenanigans. But it was a great community, and it got me thinking and it got me excited about Discord and cyber security. So I was thinking to myself,
there's got to be something in South Africa, surely. So, uh, I looked around and I found, uh, a server called ZATech. If there's any mods or staff here from ZATech, enjoy. So I, uh, I was introduced to cyber security many years ago, um, and I decided to become a recruiter in it because I like connecting people and I liked helping, uh, people get jobs. So I joined ZATech and I saw they had a jobs channel. Me being a recruiter, I was like, let me post my jobs, looks like a cool community. I posted my, uh, I posted a job for a local job, uh, junior entry-level pen testing job, something everyone's always
looking for, and some guy DMs me, is like, "Who the hell are you? Why are you posting jobs? You're not allowed to post jobs, you're not a company." And I'm like, well, I kind of am, but all good. And then I found another channel where you could, uh, where people posted like, "Hey, I'm looking for a job, I've been laid off" or this. And so I thought, surely I can go on there and say, "Hey, uh, you're looking for this, I've got something like that, let's talk." I got a message from the same guy, he was like, "Who the hell are you? You can't do that." So I thought, no, screw this, man, this can't, this, it can't be
this way. So I then had a discussion with Ross hip and hip and SEC. So we spoke and, uh, I said I want to start a community in South Africa for cyber security. Um, we spoke and he said, "Yeah, let's do Slack, 'cause people can be on Slack all day." So, uh, I tried to push Discord; we went with Slack, which was fine. Slack won, and then Slack was terrible. Uh, it just didn't have the same feel and vibe that we had on Discord with voice chat and everything. So I decided upon myself, screw, we're going to Discord. But we kept both, and at one point I shot, I think the Slack is still going, I just don't know
what's happening there. I lost the password.

Okay, so what happened right at the beginning? So fenri SE joined, a friend of mine from The Many Hats Club, Shadow rler, I still don't know who they are, and Meg on, uh, from the Slack. So everything was going well and, uh, I was on the way to the airport to pick up someone and I got a WhatsApp message, I think from Megalodon or someone, saying, "Dude, they're raiding the server," and we had a bunch of Nazi propaganda go out on the main channel. I didn't know what to do, I've never run a Discord, so I, uh, we'll get there now. So the question is, how did Megalodon become a
mod? I asked, "Who's been a mod before?" Never met Megalodon in my life, and he said, "I've been." So I was like, "Congratulations, you're a mod." Really good, uh, privilege escalation there. Uh, and then moon cake also became an admin on the spot.

Right, so, is it animating there? It's good. So then COVID happened. We were tracking COVID from about December. I remember the first day there was two cases in South Africa and I was like, oh man, this is going to be bad. My wife still spoke to me, she's like, "How bad is it going to be?" I was like, if everyone gets sick, the water doesn't work, Woolies
hasn't got food, chaos. But the good thing with COVID is it really drove the server to get a lot of new members and get a conversation going. Also, everyone had so much time on their hands. So one of the things we started doing during COVID is, I started a channel called media verification. I got sick to death of fake news, and I'm not talking about like Ivon-type fake news, I was talking about people saying, oh, they were amassing troops and the government is doing this and doing that. There was a, you might remember, there was a big post all over social media about, uh, military vehicles being amassed at Cape Town Harbor. So we just did some OSINT and it
turned out Botswana had ordered some APCs like 8 years prior and it was just a picture in Walvis Bay going to Botswana. Now, it was very hard for us to push that information back out, but we tried our best and we went on social networks and we just commented, people, like, "Guys, this is fake" and report it as fake. And if anyone found something that even sounded remotely possible, we posted it in media verification, we tagged it. There was a couple people that helped, J, yeah, you were on there, um, and then we'd try figure it out ourselves, so at least we can keep ourselves informed what was going on. We had lots of different cases. I think what
that was one of them, uh, what was this? Oh, this was a police bulletin, I think, about WhatsApp mass graves in Joburg, which turned out was something from Brazil many, many years ago. And, uh, yeah, activity was booming.

So where are we today? We're going to look a bit back, we're going to look now, then a bit back, then we're going to come back to the present. So currently we have, uh, 1,460 humans, so that's people that have accepted the CoC and can engage in the server. We have 14 FNGs, we won't get into what that is. We have nine bots. We have 518 people with a role called CTF crew, which, we help people that have
never done a CTF say, "Hey, I found the CTF, who wants to help me with it?" People come join, uh, and they learn something new. What you'll see is we have 1,460 members, and at the moment when I took the screenshot, it might have been late at night, we had 175 live members, or online members. So these are some of the more prominent people that run the role, uh, run the server. There's root, which is me. There's El Presidente, which is Megalodon. We have four staff members, nine mods, we have a few former mods, and then we have, uh, Duffy the Dy, which is our moderator bot. Fun story, I forgot to put it in here: I
had a really cool idea one day and I said, uh, you know it would be funny, because the bot is meant to protect the server, I said we should call it the South African Police Service, and we gave it a SAPS logo. And then we had three random strangers join the server and immediately, when I saw that, it was like, "Hey, who are you? Hacking is dangerous," and no, no, no, no. I was like, this is a really bad idea to welcome people, so we changed it back to Duffy. We have 197 roles. Some of them are functional, some of them are just, we have a role called trolley liquor, I still
don't know who thought it up. But right, so yeah, members, that's the growth we've had since. You'll see there's like a sharp start; it's because that's when we decided we need to start monitoring the stats and what's going on.

All right, so all time we have sent 119 19,600 87 messages. That's where we got the bot. So in 20120 you can see there we had roughly 19,500 messages, uh, 44.2 messages per person per year. COVID, we had 880,000 messages with roughly 94 messages per person per year, and then we only had 15,000, and then we only had seven. So as far 2023 we've had 7,000 messages go, of which I'm easily sure 3,000 of those is
worth BSides. The whole BSides conference is planned on Hack South. Thank yourself that you're not a mod or staff member on Hack South, 'cause there is just channels on channels. So these are the top performing people on Hack South, of course mostly staff members and a few rarities. Toco, he's a, oh, you're a staff member, yeah, yeah. So we have a few people that really ape in their time. At one point we were trying to generate activity, so I was like, you know what, we should recognize people that are active, um, and people that really contribute a lot. So we made a role called honorable member. I have a sticker somewhere for if you are honorable
member. And then we had, uh, we had different roles, so there's levels with MEE6, one of our bots, so depends on how you're on VC and talk and reply, you get points. Dominic, uh, Dominic White really for some reason enjoys this, he's always checking his level in the week. Um, and then we started a new role now, New to Hack South, so if you're below a level five, you're that.

So as we can see with the stats over the last years, activity has really dropped off a cliff. Um, do we really need more members? Not really, but we would love more. So what is the flaw that we have? We have a place where people can
come together. Oh yeah, the amount of time it took me to make that stupid thing, and then I see this funny random guy on the right-hand side that no one ever talks about. So we have the conundrum that we have, my notes are missing, is, um, we've got a great place to bring people together and do things that can help change the fabric of cyber security and technology in South Africa. We have 1,400 members, of which probably 5% engage. Every time I meet someone and they're remotely involved in this industry, I ask them the question, "Are you on Hack South?" Lot of people go, "Yeah," and then always the next thing out
of their mouth is like, "I really just lurk." It's like, we need to, we're going to talk about that now.

So let's look at some positives quickly, and what you can get with being involved in Hack South. So, uh, Offensive Security rolled out an initiative where they were looking for organizations where they could donate 10 PWK vouchers to. I thought these were, I knew how expensive they were, I didn't realize how expensive they were. I was telling everyone, yeah, 100,000 worth of training, 100,000 rand worth of training. So Offensive Security, uh, with myself and, uh, monks, um, you know, works at OffSec, got 10 PWK vouchers. We started talking it through, I was helping in the beginning,
and then Toco also, uh, helped out and assisted there as well. We can't just give anyone a PWK voucher; we need to make sure there's some technical standard there, that they can actually grasp it and pass it. We set up channels where people could get, uh, mentored by other people with OSCP, 'cause we have an OSCP role, so we could tag them and collaborate. Um, is there anyone here that got paid forward? Okay, there is people out the conference, I've seen them. So here now shows you part of the problem we had. We gave our 10 and then we got another 10. Offensive were like, "This is awesome," so they gave us another
10. We struggle to find people inide Africa that wanted this. We asked these people to do, I think we asked them to do one medium box on Hack The Box, send us the report, and then we give them the voucher and we'd mentor them. We struggled so hard to get someone in South Africa that wanted a 20,000 rand course. We started going outwards; we got people in Nigeria, Kenya, Madagascar. We gave them all out and we've had a lot of people pass their RP. So here the, uh, animation actually did work. So these are people that got PWK vouchers, uh, and quite a few of them have passed already.

On Hack South we've helped students. We have a dedicated student
area. Yes, that's for university students, but also for students that are just learning. Um, we have areas where we can have focus groups. We talk about certifications and training, so before you pay your money, come ask us, "Hey, what do you think about CH?" You can ask there and someone will tell you what their direct thoughts were on it. We have a, not going to get into that, we need sponsors for next year. Uh, we have a channel called resources. I remember that was a super active channel; anytime someone found a free course somewhere or a massive discount or something, we posted it there and people aped into it. Internships: uh, many companies have used
Hack South to find interns, namely MWR, t space, Trend Micro and Orange Cyberdefense. Megalodon found his internship at Orange through Hack South, I believe, and quite a few people, uh, have found out about the MWR stuff. Jobs: we have three dedicated channels where I can post jobs as much as I want, uh, one where we post jobs, one where people post their availability, one where we have a space where people can ask career-related questions. PS, if there are any advanced colel vulnerability researchers among you, I'm hiring.

Right, so future intent. Firstly, a fair warning: this is my personal opinion as a member of Hack South and does not reflect the opinions of other members, mods, staff or Papa
Megalodon. Now, I don't have all the answers, but let's take a peek. Right, it's activity. What do we require? We need activity, engaging activity. We're not asking people to come in and just post nonsense. Ask a question, put something in main; if there's something you're struggling with, tell us about it. What does this activity require? It requires membership engagement, it requires initiatives, and it requires one brave soul to ask a question that starts a conversation that could last for days. We see you. We know the majority of people lurk. All are welcome to lurk, but with Hack South you only gain what you put in. What you put in affects not only you but
others on the server. So come join us and ask something, say something, challenge a friend to a challenge on Hack The Box or TryHackMe or a hackathon. I know Toco is a busy man, but if you message him saying, "Hey, I'm new to this, I found TryHackMe, I'd like to do a box," I've had people ask me that, thinking I know what I'm doing with cyber, and then I go, you know what, I tag Toco, and Toco's like, "Yeah, sure, I got time tonight, not in work hours, France," um, and he'll help someone. I have so many people there that are willing to help; I just need you to
tell me what the problem is. So yeah, Adventure way. So one question, uh, one question like a seed grows many branches. Start something and see where it goes. We have a Hack The Box meter which is really good. It's struggled a bit recently, 'cause obviously everyone's had some hectic schedule this year, but that drives a lot of traffic and brings a lot of people in, and Toco's got so much swag and so many vouchers to give away. We just need people to come in and take part. He still owes me a lot of swag.

Right, so we also need, in my opinion, my personal opinion, I think we struggle with time and we need
money. Taking away, what did I say? Oh yes, taking away the moments that made up a dull day. We need time. Now, part of the challenge, I'm not sure if I put this in elsewhere, part of the challenge was during COVID we all had time galore. Lunchtime there would be 30, 40 people on voice chat. Also, if you join voice chat, all you have to do is introduce yourself, then you can just chill on there. A lot of people are very scared about VC. We had a lot of time, and the problem is, I think I somewhat created the problem in that, um, I kind of helped Megalodon get in with OCD, I got moon cake a job at
Orange and, uh, Toco joined risk X. So all the people that were heavily involved, they all got really good jobs, so now they were too busy. So activity, like I said before: ask a question, give an opinion, contribute to a conversation, propose a challenge, and explore other channels or take part in a CTF. We have a channel called role assignment. We have a ton of roles there where you can add channels and take away channels. We even have a role called Hack South Lite, so if you're a busy person, you just want to know sort of what's going on, it's got 15 or so handpicked channels that gets the message across to
you. So why money? What can money do? Money can buy certifications for people that need them most. Money can help fund events that make more
money. I think we just, I think we just got Rec. That's because I'm talking about money, that's the problem. Right, money can buy swag, 'cause buying swag at cost and selling it with a bit of a markup generates more income. Money can buy people and contractors. Now, what I'm not saying is Hack South is going to contract Gartner to do something fancy for us, but what I'm saying is I have very limited time in my life, 'cause I run around business and then I've got BSides, which is probably, I've probably spent more time on BSides than my own business this year. But it allows us to get people in to help us, maybe with marketing, or get a
trainer in like we did yesterday and do an online course, you know, that maybe cost a bit, but it brings value. Money helps us get these kinds of people. I got warned about talking about money in this, uh, talk. Okay, money can help someone get ahead and help those most vulnerable, uh, get ahead of life. Personally, I'm part of Round Table South Africa and it's a great model, in that we raise money for our own clubhouse and we raise money for the community, and we have people approach us with problems and we look at our bank balance and we go, you know what, we can't pay for your
cancer treatment, but we can get you diesel to get to the hospital. In the context of Hack South, if someone needs to get to BSides, for example, we can help and say, you know what, BSides might change your life, we'll pay for your plane ticket. Small things like this.

Right, so here's the challenge. Uh, I know we have nothing set up, but we could start somewhere. Have a problem? Think you know the solution? Come tell us, maybe we can solve it together. If you have a skill set that you think could be of value to us, whether it is e-commerce, whether it is marketing, branding, copywriting, BSides needs a copywriter, come speak to us and tell us.
We will take that thing, we will empower you to do what you need to do, and then we can make a difference.

Right, subscriptions. So we have a lot of models with, uh, Discord where we can offer subscriptions. Now, Hack South will never, and this goes on the internet so it's a fact, we'll never charge a subscription to get any form of elite-level access or a paywall. That will never be the case. The reason I brought this up is I have a lot of people going, "Hey, Hack South is cool, I'd like to help more, I haven't got time but I've got cash." I'm like, pay us. You can pay us $5 a month, we'll give you
a shiny role and maybe once a year we send you a nice challenge coin or pins or something just to say thanks. Cash flow creates change. So with the Innocent Lives Foundation, it's an organization in the US, they asked me to help them with OSINT, and when they found out South African, they were like, "We can't do that." Um, they do this thing, yeah, the guy said that and he goes, "But what you can do is you can subscribe as a donor, pay us," I don't know what it was, $20 a month, "and you get a really cool coin at the end of the year." And I thought, I like coin, so I was like, that's not a bad idea,
maybe we could do something with Hack South. S is looking at this. I told my wife earlier, she doesn't going to come after this and go, "Charlie, how much money do you need?"

Right, corporate partnership. This is a touchy one for some people on the mod side of things. So how might this look? You know, do we know? We don't, but I have some ideas. When we make swag, what stops us selecting four sponsors in a year to put their logos on the shoulders of our hoodies and t-shirts? This year we w at all sorts of conferences across the world, there people wearing at
DEF CON, people wearing at Black Hat. It is a way to get more exposure for your company. I personally don't see it as such a problem, but the thing we're always worried about is corporate alignment. As a community, this is a discussion that we need to have. So we're also looking to, uh, register as a nonprofit or a PBO, which actually means we can get government funding. I am super not keen on government funding, 'cause I always think there's a string attached, but if there is ways to get access to things and actually contribute to other, um, like charitable government initiatives related to cyber security and tech, then why not? We are exploring our options to
become an M thanks to House of growth, they're the same people that do BSides auditing now, mahala. Uh, another idea perhaps is achieving a set of milestones, oh, so this is called partnership. So another idea is perhaps achieving a set of milestones and committing to a certain level of financial support, and one becomes like a Hack partnered company or a trusted, I don't know, like affiliate, or there's something we need to discuss and figure out, and you can get your shiny little golden Hack South logo at the bottom of your website. It's probably a silly idea, but it's something that could be explored. Oh, and the, I didn't know what
the Act was, but you know, if people make donations to us we can issue the 18c thing, uh, that you can write off against tax. So one at a time: one join, one message, one question, one initiative and one rand at a time. You hold the password.

Right, that's me, age 36. It's how I feel now. I actually got good rest last night, so I'm Gucci. Right, so other things we've explored very briefly, uh, Jared, are we on time? Okay. So future intent, things we've thought about, uh, not really discussed, is, uh, I dabbled in a bit of crypto, uh, a few years ago when I had some cash flow,
um, never again, but, uh, a lot of these communities, really good social experiments, a lot of those communities had like office hours, where, I mean, a lot of them do it every day, but like maybe once a month or once a Friday we get together, like, uh, as a community, discuss what's going on, tell you what our plans are, hear ideas and see where it goes. We have definitely explored a podcast. Um, everyone's always like, "You know what we should do? It's a podcast." I love podcasts, but yeah, maybe, yeah, that's something we could look at. A newsletter, there's a way we can put out more information. I just don't know how much people read their
newsletters. Um, another thing that's been interesting, and we actually started discussing recently, um, I was going to say I've been a victim of this, is safe vulnerability disclosure. Now, that's a whole other can of worms on itself, but I've had a lot of people, especially in the UK, that I know through TMHC, they go, "Hey Charles, I found something interesting on one of your government websites and I don't know where to report it," and I'm like, whoa, let's go talk somewhere else. And then he sends it to me and then I choose like my trusted allies and I message certain key people in dig friends X or maybe worked with the government or something
and I'm like, "So if I had a friend that found something, could I send it to you and you look into it?" And sadly, usually the answer is, "Charlie, there's no point, bro, like they're not going to do anything about it."

Right, so collaborative security research. What stops a couple of us getting together and doing something meaningful that we could present at something like BSides or Black Hat or DEF CON? We have the resources, we have the ability to do it, we just don't. And, uh, something I think is important but tricky to manage is online safety content for normies, or, I heard, uh, Harry Potter people call them Muggles. I still don't get Harry Potter,
it makes no sense to me.

All right, so in the beginning of my talk I said there was a call to action. There isn't, I just realized, but it's all good. We're going to go through the last few things. So we are an awesome medium-sized community, depending how you look at it. We want you to join. We need ideas. Ideas, no, we don't need ideas. Ideas are easy and we all have a million of them. The Lord knows, especially with like this conference, I had ideas galore. Bring the idea, the concept, and let's work on proof of concept. Let's turn thought into action, and action for the good of others. Tell people about Hack South,
bring your skills, bring your input, and we look forward to meeting you. Thank
you.

Is it, how long was that? 30? That's right. Any questions about Hack South?

How do we join?

Oh yeah, that's a valid point. So if you got a, you go URL, there's a button to click connect and you connect. This is fun fact: what do most people get wrong with joining Hack South? They join the server, and we've created a barrier of entry to make sure everyone on it is safe. There's a little button where you accept the code of conduct. Please read and adhere to the code of conduct. Um, and then all we need you to do is introduce yourself. We do not need a dissertation on your life story, unless you want to
share it, but just say, "Hey, I'm," use your handle, "uh, I found out about cyber security last week and I heard this is a place to learn." That's enough for us. And then a human, one of us, will delete your FNG role. I'm not super sure what FNG stands for. I'm Mi military, so it comes with a territory. We'll delete the FNG role and we give you human, and then you get an automated, uh, message that says, "Hey, welcome to Hack South, go to role assignment," and, um, you can get roles. And the idea roll suon, you go right to the top and look to the roles. There is student roles, there's job roles, there is, we thought of
everything. The only thing we changed, 'cause we had to rebuild the server at one point, uh, which took a while, is we removed all the vanity roles, but we need to set up the channel at, we said we're doing it in January, me doll looking way. We need to set up a channel with the vanity roles, 'cause there's some fun, exciting roles, there is some silly roles that you can earn as well. We have a "I was muted" role. If you go on TV, we get a "look Momom on TV" role. So there's a lot of fun stuff there. But yeah, that's how you join. Um, any, say again? Yeah, Discord. I think Discord is
the future, but if you've never used Discord, it looks complicated, but the fact of matter is you just got to understand DMs on the one side, servers on the other. It's like a layered approach. I wrote a blog about this, 'cause so many people ask me this, so I wrote a, uh, probably not the right name to welcome people, right, the skid guide to joining Hack South, and explained everything. So every time someone goes, "How do I do this part?" I'm just like, I take the link and I'm like, "Do this part," and then people, uh, people check it out. Another thing we're looking for in Hack South, sorry, is blogs. Uh, Jared rette, I
don't know if he's here, he was a volunteer today, he wrote a thing on LinkedIn about going from a barista to a QSA or something like that. So I messaged him, was like, "Hey Jared, put that on Hack South, we'll speak to the web team, we'll, uh, put it in markdown and we'll post it and then we can share it on social media." So we'd love people to contribute to that. This year we've been terrible with blogs. I take forever to do my markdown because I've got a really silly way of thinking about it, so it takes me about 3 days to do it. But we're looking for something like that. Uh,
any other questions? Last question, yes.

Howly or how strongly are you guys looking at the n registration?

We, I think it's a natural course of action.

The reason I ask is
like, yeah, I put a 18c, I just don't know which on, yeah, so anyone provide that my will that there is massive benefits, and if you become a PBO, like I'm do, I've done it with Round Table, it's a bit of a mission, but House of growth, our accountants, are really good. They're doing a director change at the moment and all that. I just think it makes sense. Like, you know, a lot of people said, oh Charlie, you know, Meg says like, "Charlie, we don't need money. Find the problem, then we can find the money." I do believe confidently we could find money, but I think we need steady
money coming in, that we can spend money on valuable things, not valuable shiny things, things that are valuable for the community. I've dealt with so many people as a recruiter where people go, "Hey man, I heard your name, um, and I'm thinking about cyber security." Now, I'm not a cyber security person, but because I've been between people and companies recruiting, I've learned very much what works, what doesn't, what companies are looking for. So I tend to catch people before they make a bad investment. I go, whoa, I think you should consider this, this and this is a career path you can look at, here's three people you can talk to to understand it better.
So it's a tricky thing to get right, but I think if we can bring the ideas, ideas are cool, and bring a bit of action to that, there's so much we can do. Um, and I think as an NP, as a PBO, 'cause as a PBO, I found out the other day, you can just apply for grants. Like I said, I'm very sketchy about getting money from the government, 'cause I wait for them one day to ask me for something, but I think there is massive benefits, and I didn't want to bring Round Table into this, but there's components
of what Round Table does that would work very well with something like this, or certain aspects of it. But yeah, thanks, thanks for that. Last, last one maybe.

Hello, and last year about, like, my initial thing when I was get security stuff was very much like Stu, I think you obviously weren't on the Blue Team channels eventually, but it just, it feels a little B more C stuff. So I think, you know, maybe if we can again planning, I'm tring too now about doing something te, yeah. And one, like the office hours, think like meet the team behind ha, it took me a long time to unv
together might also create more engagement and encourage people to participate more, kind of understand how together goals.

Yeah, and I'll be honest, like, have we communicated our intentions? Like, no. The problem we have, and it's a similar problem we have with BSides: with BSides, at beginning of the year I put out a call saying, "Hey, I'm looking for artists, like if you got a cool design or a theme idea, let us know." I had one submission. Uh, when I said, "Hey, if you wanted an international speaker, who would you choose?" I heard nothing. So yes, we need to post more, but I personally am struggling to make the time to create
content. Now, maybe with ChatGPT and Canva, bu right, I can start. I used ChatGPT a lot, uh, for other things. So if we created more content, we'd probably get more engagement, because what's frustrating with us is if we get a good idea and we can post it in polls or in main or in announcements, like, we get so little responses, and it's like, well, is it worth it? You know, if we look at the, I don't know what the metrics are about an election and how many people have to vote or whatnot, but it's like, if 20 people are saying "yes, let's do this" out of a, 400, I mean, should we really do it?
And that's a challenge. And the thing is, we are democratic in many ways, but a lot of times I just go, let's just do this and then we'll see what happens, you know, asking for forgiveness and acceptance. But yeah, join us on Hack South, check it out. If you have any questions you can message me.

So I forgot to add this: we get so many messages of people asking us to hack social media, I'm sure as most of us doing this conference. The last one I got was a guy saying, "Hey, could you hack my competitor in the trucking industry?" Uh, and I was like, "Why? What do you want?" He goes, no, I want to see what
he's quoting so I could beat this quote. And I was like, maybe just make a more competitive model. And then I told him asking that is super not good and this is not the place. But yeah, everyone, thanks very much. You want to talk afterwards?
y