BsidesLV 2025 - Breaking Ground - Wednesday

BSides Las Vegas, 4:18:26, 721 views, published 2025-08


So hello everyone. It's a pleasure to be with you all here. It has been an action-packed three days: a lot of talks, a lot of communication, a lot of networking. So it was super amazing, and I can't really believe that we are getting to the end of it. It has been an amazing event. So I would like to start by thanking all of you here. Also for the people watching the stream, thank you very much. I would like to thank BSides Las Vegas for hosting me here today, but more importantly, I would like to thank BSides Las Vegas for the Proving Ground, because the first time I ever spoke publicly was in 2020, remotely, in the Proving Ground of BSides Las Vegas, and since then it has been great speaking. So, thank you for having this.

So for our talk today we will be having "Breaking the Guest List: Hacking Invitation Systems for Fun and Profit". So without further ado, let's go right in.

So, a bit of who am I. I'm Ali. I am originally from Cairo, Egypt. On some platforms I'm also known as "logic breaker", so you can find me there. I am a security and privacy engineering lead at Bending Spoons. I have been bug hunting for almost 10 years now, and I'm very enthusiastic about everything related to security in general.

I have been a speaker at several BSides conferences across many countries, and spoke at Black Hat before. I really love the community and sharing with the community. So here we are. One thing that I also really love is business, security, and the intersection between them. And this is actually the topic of today: it's how business and security interplay together. It's not about cross-site scripting. It's not about SQL injection. It's about understanding the business model, bisecting it and breaking it, more or less. So let's go.

So for those of you who don't know, a quick introduction about business logic vulnerabilities. Business logic vulnerabilities are basically a type of vulnerability that appears due to the discrepancy between how developers and maintainers develop stuff versus how attackers perceive the application, more or less. The peculiar thing about business logic, and actually it's why AI still needs us, more or less, is that it's really dependent on two things: first of all the mindset of the person developing the application, but also the mindset of the attacker looking into the application. So everybody has their own methodology, but we are trying here to extrapolate some common themes when it comes to invitation systems.

So just to give you an example regarding business logic vulnerabilities before we dive into invitation systems, let's take for example two applications. The first is a data-intensive application, like for example a data processing environment, Databricks for instance. The most important thing in Databricks is, come on, the data. I mean, this is their core value. So as an attacker, if I would like to compromise Databricks, what I would like to do is to get the data, right? I mean, this is the actual value of the application. Now let's take a look at another application which is basically AI-based. It stores no data. It just, for example, generates images based on some image that you provided. So you provide an image, it provides an avatar for you, for example, and it does it ephemerally. So no data storage. As an attacker, when I approach such an application, what I would think of is: okay, how can I abuse the GPUs behind this very nice AI application to generate stuff for free? Maybe, for example, to use it and resell the service at a reduced price. So you can see two applications; both of them are software, web applications or mobile applications, it doesn't really matter, and yet the threat model is substantially different, and having a one-size-fits-all for everything unfortunately doesn't work out.

So, invitation systems. What are we basically talking about? We are talking about any kind of invitation system, and we will see here that it really doesn't matter: it can be an invitation system to a Facebook group, it can be an invitation system to a B2B application. Any application that operates in the B2B business will probably have a team or an enterprise subscription where you can add seats so that you collaborate with people, because I mean you don't operate alone, and you need to send them, guess what, an invitation. So this is an invitation system here as well, and the core purpose of the talk is that we will see that, regardless of the type of the invitation system, the mistakes are the same. The way to secure them is more or less the same, of course taking into account some peculiarities of applications, but again it boils down to basically the same thing.

So why invitation systems? On the left you can see the invitation template, basically, from Facebook to invite people to Facebook groups. On the other side you see inviting members to Snapchat business accounts. And the question is: why invitation systems? Like, I mean, why should we care? Because it's very ubiquitous. Nowadays social media thrives on people sharing with each other, inviting each other either to groups, to the social media application, or whatever. So this is how they grow. Again, if you are in a B2B company or you use any B2B software, you probably know that you have seats and you invite people to join your application. So the ubiquity of this makes this flow very common, and yet the same mistakes happen over and over again.

So why is an invitation system interesting? Because it is what we call very easy to use, but also trivial to abuse in this case. Why? It's due to the discrepancy between how the developers perceive stuff versus how the hackers perceive the same stuff, or the application itself.

So just to take an example: "email tokens are secure enough". I'm a developer. I'm developing an invitation system. I have invitations via email. I add a token and I say, "Okay, I mean this is a very long token. Nobody can guess it." Guess what? They probably can. It really depends. So for example, if you generate a hash of the user email and this is the invite, I mean, come on, they can still generate it. Just because it looks random doesn't mean that it's actually random. Maybe you have a token which is very short, like a four-character token, or a serial number, like basically the invitation is invite one, invite two, invite three. So just because something looks random, it doesn't mean that it's actually random in this case.

One-time links: so, as a developer, I develop for example an invitation to a Facebook group. I assume that it's intended for X only; X will be able to use it and only X should be actually using it. This is not how it works as well. Like, I will try to take the invitation, load it into as many accounts as I can, and see if this allows me to gain access to basically more stuff, so gain access to adding more people to the group than a single person, as we will see in one of the attacks. So just because you have an assumption, if you don't do the technical realization, if you don't do the technical controls that support this, it will actually not work for you.

The biggest sin in development is assuming that UI controls protect you. It doesn't. Believe me. No. So UI does not enforce security controls. You can't rely on it. Just because you think that the application is designed in a specific way externally, people will not follow it. If the API still allows them to do something, they will do it, because I mean the APIs, come on, they are public. You can look into the developer portal, you will see them, and it's end game. So there is no point.

The final thing about these assumptions, and I mean we can go to hundreds of assumptions, but for the sake of time, is "invitations are isolated per user". Like, I invite X, the invitation will not work in Y. Unless you do something about it, guess what, it will, as we will see. So the difference in perception causes a huge gap, as we will see in the attacks ahead.

So before we go into the actual exploits, let's do a quick exercise together and try to look into this invite. The invite goes as follows. We have https://example.com. Okay, nice. They use HTTPS. Nobody can intercept their traffic, I mean, assuming they use it correctly. But then the interesting part starts. We have four query parameters: group ID, sender ID, member type and token. And how would I actually approach such an invite? First of all, I will ask myself the following questions. So, group ID: nice, first of all it's a numeric ID.

So probably the groups are sequential. That's nice, because I don't need to make an effort to guess the group ID. Nice. It's not an issue on its own. But the next thing I will try is: what happens if I change the group ID from 123 to, say, 124? Am I able to join another group? If so, this is actually a big problem, because I mean I'm joining groups that I was never invited to, that I have no access to, but guess what, if there is no validation, I can.

The sender ID: so, back in the day there was a social media platform, I don't recall exactly which one, but when you joined it tells on your profile that you were invited by X. So let's assume that X is the CEO of a very important company and the sender ID is not checked. So instead of 345, I just add the ID of this very important person. It will appear on my profile that I was invited to the platform by this person. Maybe they have a valid account, meaning that it's very well-known, and I can take it from there to tell them, okay, I know this very important person, he's my friend. And then maybe I can use it for spam, for phishing, for whatever. In fact, I mean it's an integrity problem by itself. It's just how you want to exploit it.

And then we go to member type. Okay, nice. Member type two. That's super interesting. What happens if we put member type zero or four? Do I get an admin privilege? Do I get a super admin privilege? Maybe. Again, if this is not checked, we are back at it.

And then the last and actually the most interesting one is the token. The token here can have all sorts of problems. So first of all, it can be guessable, like you are hashing the email or the timestamp, for example. It can be very short, for example a numeric token which is six digits; I can just enumerate it, it's not a problem. It can be that the token can be replayed, so it does not expire. So all sorts of problems can happen with the token. So I mean there's quite a lot of things that can happen here.

So I know what you have been thinking. I mean, I have been talking for 10, 15 minutes. No exploits yet. It's pretty boring. We will get into the interesting stuff now. By the way, at the end you will have all the slides, so I mean you don't need to take pictures. You can just focus here and you will be able to download them if you want.

So let's start. And the first exploit for today is "once friends, always friends". And actually the name more or less leaks what we will be talking about: maybe something about friendships on Facebook. We will see. So back in the days, before, so when Meta was Facebook and Alphabet was Google, in this case, so around 2015, Facebook was still in the growing phase. So it had a feature in which you can basically invite people to join the platform. So my friend is not on Facebook; I send them an invite to join facebook.com. And with the invite, once they actually accept the invite, not only do they join the platform, but they also become my friend. Which is very sensible when you think about it. Like, I mean, I'm inviting you to a platform probably because I want you to be my friend. So two for one, everybody's happy. So very interesting. So until now everybody's happy. Somebody invites someone to Facebook, they join Facebook and they become friends. Voilà. No worries.

The problem starts later. What if my friend does not become my friend anymore? Like, I mean, they turn out to be malicious. I want to unfriend them. I mean, come on, life happens. So in this case, I mean, I've unfriended them. Done, right? It should be as easy as this. However, the invitation that you sent maybe a few years ago will still haunt you. I mean, past mistakes do not go unnoticed. So, what the attacker, or basically the bad friend who was invited years ago, can do: they can go to their email, click on the same invite, and guess what? They can return to be friends again, because the invite still works. It will return them to be your friend, and that's it. So, you don't need to do anything. Just go to your email, add them as a friend, and no matter how many times they unfriend you, you can go to the invitation, re-add them as a friend, and that's it. I mean, it's that simple, really.

But I mean, I see some of you, you're thinking, okay, but maybe I can block them, right? I mean, why don't I just block them if they are this malicious? It's not that easy. So, the idea is as follows. First of all, as I told you, the malicious friend can do this trick as many times as they want. You unfriend them, they return back. But think about another part of the story. They also can unfriend you. So the flow can go as follows. I, as a malicious friend, will add myself to your friend list, maybe send you a message or see your friends-only posts or whatever. And then I will unfriend you, and later, when I want to return to being your friend, I'll just click on the invite and do it again and again.

But then, to answer the people thinking "okay, but they can block me": back in the days Facebook didn't have any abuse prevention against the block feature, meaning that you can block and unblock the same person as much as you want. So there was no limit; now there is a limit, I think, of 24 or 48 hours, something like that. So what you can do is that you can take the first step as the malicious friend: you can block the person so that they can't block you. So I am the malicious friend. What I will do is that I will block you. When I want to see your friends-only posts, I will unblock you, add you as a friend using the invite, see your friends-only posts or send you a message, and then block you again. And guess what? If I block you, you can't block me. This is life. So that's it. Basically, even the block feature was not able to prevent this. And the invite, as far as I know, never expires. So a very bad situation, I would say. So, this is the one that we were discussing. Sorry, this is about the block feature. Okay.

So let's do some reflections. Like, I mean, what did Meta do wrong here that caused this problem? We can attribute this to at least three elements. First of all, the invites never expire. So it doesn't really matter if it is a few weeks or a year. The invite, as far as I recall, didn't expire, at least for a sufficiently long period that it's problematic. The invite actually should have expired even earlier, meaning that the invite should have expired once I accepted it back in the past. But this also didn't happen. So it's not a one-time-use invitation, and invitations by nature should be one-time use, unless I mean there is a reason why not to do so. But generally they should be a single-time use. And the last thing is that there was actually no mechanism to revoke the invitation. So I can't block you, I can't unfriend you because you return again. And the invitation I sent years ago, I have no control over it. So I mean it's end game, basically. There's nothing that I can do.

So let's jump to the second exploit for today, and it's called "now you see me", and we will see why, because I mean we will play some magic tricks in a second. It's also targeting Meta, by the way. So in this one we are targeting another invitation flow, which is the groups invitation flow. And I mean the groups invitation flow actually has two ways. You can first invite your friend to join a Facebook group using their Facebook account. And this is not the flow we are interested in. We are more interested in the flow which invites people via email. So you send people an invitation via email and then they can join your Facebook group. It should be simple, right? I mean, you send somebody an invitation. The invitation appears, I mean, let's assume that you are the admin. The invitation will appear here. Okay. Hey, you invited invited@gmail.com. There are very nice three buttons here, sorry, three dots here, that you can press on and delete the invite, which is also an upgrade from the previous attack where there was no way to revoke the invitation. So it's actually a good upgrade. Not so good.
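The three reflections above (expiry, single use, revocation) and the earlier invite-URL exercise, carried into code as an added example that is not from the talk: a server-side invitation store where the token is random and stored hashed, bound to the invitee's email, single-use, expiring and revocable, and where the group, sender and role come from the stored record rather than from the URL's query parameters. Every name, the in-memory store and the one-week lifetime are assumptions for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

INVITE_TTL_SECONDS = 7 * 24 * 3600   # assumption: an invite lives for one week


class InviteError(Exception):
    """Raised whenever an invite must not be honoured."""


@dataclass
class Invite:
    token_hash: str        # only a SHA-256 of the token is stored server-side
    group_id: int          # authoritative; the URL's group_id is never consulted
    sender_id: int         # taken from the inviting session, not from the URL
    member_type: str       # role fixed by the inviter, not by the invitee's URL
    invitee_email: str     # the invite is bound to this address
    expires_at: float
    used: bool = False     # single use: accepting burns it
    revoked: bool = False  # the inviter can withdraw it at any time


class InviteStore:
    """In-memory stand-in for an invitations table (constructed for the example)."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Invite] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, group_id: int, sender_id: int, member_type: str,
               invitee_email: str, now: Optional[float] = None) -> str:
        # 256 bits from the OS CSPRNG: not a hash of the email or a timestamp,
        # not a six-digit number, not a sequential counter.
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        inv = Invite(self._hash(token), group_id, sender_id, member_type,
                     invitee_email.lower(), now + INVITE_TTL_SECONDS)
        self._by_hash[inv.token_hash] = inv
        return token   # shown to the invitee once, in the email; never stored

    def pending(self, group_id: int) -> List[Invite]:
        # What the admin panel lists. Merely loading a link changes nothing
        # here: the only state transition is an actual redeem.
        return [i for i in self._by_hash.values()
                if i.group_id == group_id and not (i.used or i.revoked)]

    def revoke(self, group_id: int, invitee_email: str) -> int:
        # The admin's "delete invite" button; returns how many were withdrawn.
        n = 0
        for inv in self.pending(group_id):
            if inv.invitee_email == invitee_email.lower():
                inv.revoked = True
                n += 1
        return n

    def redeem(self, token: str, account_email: str,
               now: Optional[float] = None) -> Invite:
        """Consume the invite for the logged-in account, or raise InviteError."""
        now = time.time() if now is None else now
        inv = self._by_hash.get(self._hash(token))
        if inv is None:
            raise InviteError("unknown token")
        if inv.revoked:
            raise InviteError("invite was revoked")
        if inv.used:
            raise InviteError("invite already accepted")   # no replay
        if now > inv.expires_at:
            raise InviteError("invite expired")
        if inv.invitee_email != account_email.lower():
            raise InviteError("invite is for a different account")
        inv.used = True
        return inv


def join_from_url(store: InviteStore, url: str, account_email: str,
                  now: Optional[float] = None) -> Tuple[int, str]:
    """Handler behind the invite link: the token is the only input trusted."""
    params = parse_qs(urlparse(url).query)
    token = params.get("token", [""])[0]
    # group_id, sender_id and member_type may also appear in the query string;
    # they are deliberately ignored and read back from the stored record.
    inv = store.redeem(token, account_email, now)
    return inv.group_id, inv.member_type
```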

I can make the invite vanish. So here's the thing. This is the invite that I receive. And just to make sure that we are following up, in this case we have one of two cases. First of all, I might be invited to the group and I'm the malicious person, or the malicious actor. Or it can be that I'm both: I mean, I'm the admin and I am malicious, and I'm exploiting this to gain basically persistent access to the group. We will see how in a second. So this is the shape of the invite. You get an invite telling you, okay, hey, X would like you to join them on Facebook; join the BSides Las Vegas group. Very nice. You click "join group". You will be prompted with a thing telling you, okay, hey, do you want to join this group or not? If you would like to join, you press yes, or you decline. Easy. And as we see in this slide, the invitee is there in the admin panel.

But here's the trick. We would like to make this invitation disappear. And once we make this invitation disappear, the admin loses control over the invite. It's super easy. You navigate to your email. You get the invitation link, which is basically the link behind the "join group" part. You get this URL, you copy it and you paste it in the browser while you are logged in. So you don't accept the invite. You just load the invitation URL. Nothing more. And the invitation vanishes, and that's it. So I mean there is nothing fancy. For some reason, when you load the invite and you didn't accept it yet, so you are not part of the group yet, the invitation will vanish from the admin panel. So basically nobody can see it. So if you go to the admin panel you will see that nobody's invited, although somebody is, and you haven't joined the group, so nobody can remove you, because I mean you're not a member yet. So this provides us with an invitation which does not expire and nobody can revoke it.

So what is the use case? Like, I mean, why should you care? So imagine this. Imagine this is a work group, or a group which is secret, or where confidential information is shared, and I'm the admin of the group now. I work in this group and I'm getting laid off and I'm very malicious. I would like to persist access after my access is revoked. What I would do is that I will send the invite to one email that I own. I will play this trick so that the invitation is not visible. And now I have a back door in the group that I can join whenever I want. So whenever I click the invitation, having loaded it, it's now there; I mean, nobody can remove it. And even after I get laid off or my access gets revoked, I can still go there and do this. Of course, this is malicious, it's illegal, but it's technically feasible. So this is how to play this one.

And as we will see, this attack will go in two rounds, meaning that we will go into the first exploit, Meta will solve it, we will bypass it, and we keep doing this. It actually went on for three to four years, if I recall correctly. So actually what I told you is not enough. Like, I mean, I'm not satisfied, meaning that, yes, I can use the invitation, yet the invitation is hidden, but inviting one person is lame. What if we take the invitation URL and load it in 10 accounts, 100 accounts? Can they all join? They shouldn't, but actually they do. Whenever you load the invitation URL before accepting it, you grant this account an invitation itself. So what you need to do, very simply: you copy the invitation URL from the email. You paste it in as many accounts as you want, and now all those accounts are actually invited. Nobody sees this invitation. It's a ghost invitation, and they can all join the group at any given point. So I don't need many invitations. I just need an invitation to a single email, and I can distribute it as much as I want, and then all of them can accept whenever they want. So maybe account A will accept now and then they will remove it. I will use B, I will use C, I will use F, whatever. I mean, I can have as many as I want. So this is actually very bad, and they solved it.

So actually Meta solved it by tying the invitation to an email. So now the invitation is directed to a single person, and they check the email, meaning that if the invitation is directed to x@gmail.com, only x@gmail.com can join. It's a good approach, it appears, but, and here is the discrepancy between how the developers and how the attacker think, in a sense: okay, it's tied to the email. So what happens if I move the email around accounts? So as you know, in Facebook you can have more than one email. So what happens is: I have an email, for example ali@mail.com. I load the invite in ali@mail.com and then I remove ali@mail.com from the Facebook account. The Facebook account still exists. I add it to another account. I load the invite, and I do the same over and over again. Guess what? It actually works. It actually works. Yes. They will allow me to do this. So basically I can reproduce exactly the same effect by having a single mail, moving it between different accounts, loading the invite without accepting, and then all those accounts have the invitation active, and I can accept from whichever one whenever I want, and I can repeat this for as long as I want as well. They fixed this as well.

But then I discovered something which is very interesting, because it's very trivial, actually. What if you block all the admins of a specific group? Theoretically, it should be that they can't send you messages, they can't see your posts, but, the cherry on top of that, they can also not see your invite. So, if I create an account, sorry, if I create an invite directed to x@gmail.com, and then the account of x@gmail.com blocks every admin in the group, the invite becomes invisible to everybody. That's it. Super easy. But I was not satisfied. I mean, this was not enough. So, let's play the end game. At some point, probably they got bored and they removed the whole feature. Now it's back, by the way. Like, I mean, this was around 2015, 2016; they removed the feature altogether. Like, I mean, there is no email invitation. If you want to invite somebody, you invite them using their account. But they didn't remove the API. So, I mean, guess what? We are back in the game. You just use the API, you send the invitation, and life goes on. So again, I mean, you're just back in the game, because removing the UI is not enough to remove the whole feature, and we can re-exploit again and have fun.

So what went wrong in this attack? Actually, quite a lot of things went wrong. So first of all, there is an over-complication here, where loading the invite has a very weird effect of making it invisible. I don't know really why it happens like so, but it seems that the invitation system is rather complex, because when I think about it, the invitation should be either accepted, pending or rejected. Loading the invite should not have an effect on how it appears or anything, basically. So this is the problem; over-complication is a big problem here. Invitations were not bound to a user attribute in the first round of this attack, meaning that any email can accept any invite sent to any other email, which allowed us to scale the attack easily, as you saw. In round two, it was not enough to bind to an attribute like email; it doesn't work, but it is something that you need to do. So it's necessary but insufficient, as they say. Invitations were not one-time use, so I can use it in many accounts, which is actually the major problem with how I can invite many, many users to the same group. By the way, also, when you think about it, if there is group moderation, it means that me, as a normal user who should not be able to invite people and have them get automatically accepted: if the invitation I got was auto-approved by an admin, I now have admin privileges by sending out invitations and having people join, because I'm auto-approved. Like, not full admin privileges, but yet I can exploit something that only admins should be able to have. The other thing, which actually, I mean, I think there have been many exploits in Meta and also several social media platforms regarding this, is that moderation should not be blocked by user action, meaning that if you block me, I can't message you, I can't see your content, that's fine, but as a group moderator I need to be able to see your invites, I need to be able to see your posts, even just in this context; otherwise I can't moderate it and the block becomes a weapon, more or less. And finally, stale APIs. Removing the UI is not sufficient to deprecate a feature. By the way, if you go to the OWASP API Top 10, the mismanagement of inventory is on the top 10 list. Like, I mean, this is very common, that you either don't deprecate APIs or you still leave older versions which are vulnerable for a specific API. So it's pretty common, actually.

And now to the last exploit, which is in Snapchat in this case. And just to be clear, here we are targeting Snapchat Business Manager, and this is an example of a B2B product, meaning that Business Manager is not intended for normal users. It's intended so that you can create ads, for example. So usually it's used by companies. You create an account, you invite your colleagues, and everybody's happy. And the title of this attack is "one invite to block them all". We will see why in a second. So this is how the invitation looks. Very simple. You have an email, you have a role, and "invite members". So you just need to enter an email of the person you would like to invite. You add them a role; back in the days it was just member or admin. So very simple. And you invite them. And that's it.

By the way, before we go further, I would like to tell you, just to be following up, that here the person being invited is the victim, while the inviter, basically the person who invites, is the malicious person. This is opposite to what we saw in the Meta exploits. So here what happens is that this invitation that I just showed you actually triggers two HTTP requests. The first one is a request that invites the user to join the organization, like we will see in this request in a second, and then there is a second request which adds the role. So there are two HTTP requests. The first just sends the invitation email. The second assigns them to a role, which is member, admin or whatever. So this is how the first invitation looked. It's a very normal POST request: you add their name, and then you add their email and the organization ID, and this actually sends the invite. But then there is another request which is triggered: okay, now you are a member, so there is a member ID, and then I assign you a role; maybe it's a member, maybe it's an admin, it really doesn't matter at this point.

The question is: what happens if I don't send the second request? Like, I mean, I invite you to join my organization but I don't set you a role. And I mean, from the UI it's not possible, because a single click will actually have two requests being sent. But again, I mean, there is Burp Suite, there are APIs; I will just intercept it, make the first request pass and drop the second one. What will happen is this: whenever the user who is invited joins their, sorry, logs into their account, they will see this. Well, it's awkward: "access denied". And you might say, okay, but why is this a problem? Because actually in Snapchat Business Manager you can have more than one account, meaning that you can be, for example, from a totally different company, but just because I invited you and you joined, or you clicked on the link, the invitation link in this case, now you are not able to access, not just my organization, it doesn't really matter, but also your organization. So you are blocked completely, because the API will see: okay, you are not in a right state, you are a member in a specific organization with no role, I don't know how to act, I'm denying you access, I'm sorry. But this is not it. Some stuff made this attack even slightly more scalable. First of

classic. Now, invitations were not bound to an email. So, any invitation from any account can be used to add anybody to anywhere. There was no confirmation before you join the organization, meaning that when you load the invitation link sent to your email, there is nothing that tells you, hey, please confirm this invite, or do you want to join this organization. Once you click on the button in your email, you're automatically joined. We combine those two elements and we get a cross-site request forgery, meaning that I will send an invitation to a very random email. I will get the invitation URL, put it on my blog. Whenever you visit my blog, this invitation is loaded, because it's a very simple GET request, and you are added to my account. Basically, you are removed from everything, because now you are denied access to everything. But this also allows me to scale the attack. I'm not just relying on you clicking the invitation sent to your email. Maybe you don't click on emails you don't know, but it can even be distributed on websites, so that once you visit the website, this request will be sent and you will be denied access.

And Snapchat fixed the issue, but it was not enough. So basically what they did is that now you can't create a member without an associated role. You will not be allowed. So this will not be allowed anymore. So what we can do is as follows: we can invite a user and add the role, because this is now mandatory, but we can delete the role after that. So it's really easy. Like, I mean, as we will see, there was an endpoint which can delete your role, and there is no API check on whether you can delete this role if it is maybe the only role remaining. So what I will do is that I will invite the user, I will add them a role, and then I will delete the role, and now the invitation is poisoned, just like the first invitation; there is no difference, like, I mean, there is no problem. And this can be exploited basically by any admin. By the way, admin is very simple: you create an account and then you are admin of the account. So it's a free thing; you don't need to pay a penny for it. And it can be exploited against all members, and members here, don't think that I mean it's actual members; what we mean here by members is anybody who clicks on the link which you poisoned, the invitation link in this case. And this is basically the delete request which deletes the role using the role ID. Very simple.

And now finally we come to some reflections about this case. I mean, what made this case possible? First of all, there is no validation before executing the invite, meaning that once you load the link, you are in the organization. There is nothing that tells you, hey, do you want to join the organization? Are you sure you want to take this action? And this is problematic. I mean, usually it's a very best practice that you confirm the user actions before you actually execute them. The second thing, and this is actually common not just for invitation systems but for other things as well, is having associated functionality be atomic, meaning that, as you saw in the first round, there are two requests, one to send an invitation and another one to add the role. But those things, from the developer point of view, should never be split. Like, I mean, they are one, they are just atomic. So what you should do is that you should have them in a single request, and the request should fail if you didn't provide a role, or you provided an invalid role, or whatever. So in essence, it shouldn't be that you split requests that you want to make atomic; otherwise you cannot guarantee it. I will use Burp Suite or any other proxy, drop the part of the request that I don't like, and that's it.

Just to give you an example about how this can be exploited in other things: think about story views on multiple social media. Usually what happens is that there is a request to fetch the data, like, I mean, the story content, and then there is another request to set you as viewed. I have seen this multiple times, and the main problem here is you can just submit the request to fetch the data, get the story content, and drop the request that says that you viewed their story, and that's it. So it's not a problem. Those things should be atomic, but for some reason they are developed, mistakenly, to be separated, more or less. The first thing is starting and ending in allowed states. What happened here is that we started in the

first round of this attack we started by an invalid state meaning that it was possible for me to create a state in which there is a user invited it doesn't have a role in the second round it was possible for me to have a user without a role altogether it should be that the user starts with a role and then there is no possibility to remove the role unless I remove the user and that's it. So you should start in a specific known state and end in a specific known state. Otherwise uh if you do by the way this actually pretty good from Snapchat point of view. They uh are doing a deny by default strategy. Like I mean whenever

they see that this is an allowed state they do a deny by default but deny by default can be weaponized if you don't do it right. Uh, and I can't say this enough, invitation should be bound to a user attribute again because without binding the invitation to an email or the user ID, I was able to cause an invitation CSRF and force people to join my organization. Uh, in this case, so that's it. Questions?

Nobody has any curiosities?

Doesn't seem to be the case. Okay. Thank you everyone. Thank you for coming. [Applause] The URL can be used to download the slides, and I promise it doesn't have any malware. Thank you. >> Thank you. >> Uh, should I move? >> Should I move it?
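As an added example (Python, written for this page; not code from the talk or from Snapchat, with constructed org and role names), here is a minimal invitation service that applies the four lessons above: an explicit confirmation before the join executes, invite and role in one atomic request, membership that can never become role-less, and an invitation bound to the invitee's email.

```python
import secrets
from dataclasses import dataclass, field

VALID_ROLES = {"admin", "editor", "viewer"}  # constructed role set for the demo


class InvitationError(Exception):
    """Raised whenever a request would leave the system in a disallowed state."""


@dataclass
class Invitation:
    token: str
    org: str
    email: str  # invitee the link is bound to (lesson 4)
    role: str   # assigned in the same request as the invite (lesson 2)


@dataclass
class Org:
    name: str
    members: dict = field(default_factory=dict)  # email -> role, never role-less


class InvitationService:
    def __init__(self):
        self.orgs = {}
        self.invitations = {}

    def create_org(self, name, owner_email):
        self.orgs[name] = Org(name, {owner_email.lower(): "admin"})

    def create_invite(self, org_name, invitee_email, role):
        # Lesson 2: invite + role is ONE request; a missing or invalid role fails
        # the whole call, so a role-less invitation can never exist and there is
        # no second "add role" request for a proxy user to drop.
        if role not in VALID_ROLES:
            raise InvitationError(f"invalid or missing role: {role!r}")
        if org_name not in self.orgs:
            raise InvitationError("unknown organization")
        token = secrets.token_urlsafe(32)
        self.invitations[token] = Invitation(token, org_name, invitee_email.lower(), role)
        return token

    def accept_invite(self, token, session_email, confirmed=False):
        # Lesson 1: merely loading the link (a GET) joins nobody; the join only
        # executes on an explicit confirmation, which a real service would take
        # from a POST carrying a CSRF token.
        if not confirmed:
            raise InvitationError("join requires explicit confirmation")
        inv = self.invitations.get(token)
        if inv is None:
            raise InvitationError("unknown or already used invitation")
        # Lesson 4: the invitation is bound to the invitee's email, so a link
        # planted on a web page cannot pull an arbitrary visitor into the org.
        if inv.email != session_email.lower():
            raise InvitationError("invitation was issued to a different account")
        # Lesson 3: the member is created directly in an allowed state (with a role).
        self.orgs[inv.org].members[inv.email] = inv.role
        del self.invitations[token]  # single use
        return inv.role

    def change_role(self, org_name, email, new_role):
        # Lesson 3: a role can be changed but never deleted; the only way to end
        # up without a role is to leave the organization entirely.
        if new_role not in VALID_ROLES:
            raise InvitationError("a member must always hold a valid role")
        members = self.orgs[org_name].members
        if email.lower() not in members:
            raise InvitationError("not a member")
        members[email.lower()] = new_role

    def remove_member(self, org_name, email):
        self.orgs[org_name].members.pop(email.lower(), None)


def demo():
    """Replay the talk's two attack rounds against the hardened flow."""
    svc = InvitationService()
    svc.create_org("acme", "owner@acme.example")
    outcomes = {}
    try:  # round 1: invitation without a role
        svc.create_invite("acme", "victim@other.example", None)
    except InvitationError:
        outcomes["invite_without_role"] = "rejected"
    token = svc.create_invite("acme", "victim@other.example", "viewer")
    try:  # a bare link load with no confirmation does nothing
        svc.accept_invite(token, "victim@other.example")
    except InvitationError:
        outcomes["get_without_confirm"] = "rejected"
    try:  # somebody else's session loading the same link
        svc.accept_invite(token, "bystander@third.example", confirmed=True)
    except InvitationError:
        outcomes["wrong_account"] = "rejected"
    outcomes["joined_as"] = svc.accept_invite(token, "victim@other.example", confirmed=True)
    try:  # round 2: delete the only role after the join
        svc.change_role("acme", "victim@other.example", None)
    except InvitationError:
        outcomes["delete_last_role"] = "rejected"
    outcomes["members"] = dict(svc.orgs["acme"].members)
    return outcomes
```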


So, let's go. Today we're going to talk about the age of zygote injection: how to break and write in the sandboxing system. First of all, who am I? I am drone; you can call me Trito. I'm a 19-year-old Brazilian pentester, researcher and malware developer at Hakai Offensive Security. Hakai is a company focused on offensive security services like pentesting, red teaming, threat intelligence and so on. I'm a programmer and gamer. I love cats. If you're going to eat some pizza, please call me. And I'm passionate about OS internals, reverse engineering, offensive development, and mobile. Here we have a QR code for my GitHub if you want to check my work and other things, other projects.

So okay, what is the intention? I want to explain to you how zygote injection attacks work and what we can do with it. It is a pretty great alternative to tools like Frida or debuggers for instrumenting mobile applications. And that's it, let's go. It's pretty cool because zygote injection is a more stealthy way; we can bypass protections more quickly, like we don't have to care about Frida or debugger detections, just check some. So okay, let's go. First of all, what is zygote? The zygote process is the first process started on Android; it is the parent process of all the Android applications. And inside zygote we have the

Android runtime, which will take care of things like the SELinux policy and the interpretation of the code. So under Android I have the zygote, and when zygote needs to generate an application, like when you open WhatsApp, Instagram or another application, the zygote will do a fork, and this fork is to put the code inside the runtime so it can run the code itself. Zygote runs with limited privilege, so it applies the SELinux policy inside each application to limit it, so one application can't talk with the other. We have some processes that are being started by zygote, like system_server, the webview zygote and all the other app processes, and we have specialization. Specialization is exactly this point: the zygote forks itself and sets the security measures for this process. So when we set the security measures based on the SELinux policies, this we call specialization.

So okay, here we have a diagram. Android starts the kernel and the system; at this time we have some services like installd and adbd for interacting with the system to install some applications, and we have the zygote process, and from the zygote process we will fork and generate the other processes that need security measures. So okay, we have the Android runtime. The Android runtime is the managed runtime that the applications will use to run their code. The format that the Android runtime understands is the DEX (Dalvik Executable), which is a bytecode format specific to Android. And for the interpretation method, the execution method, we have hybrid compilation: we have JIT and AOT. JIT is the process of passing through the interpreter, so the just-in-time compilation will pass through the interpreter, and AOT is ahead-of-time compilation: the code will be pre-compiled when the interpreter executes it frequently. So we pre-compile this code on Android; Android will do this for us, and the code, for optimization, is just converted to machine code. We have the difference between Java/Kotlin code and native code. Java and Kotlin code will generate

the DEX format, and we have the native code. The native code is like, you pre-compile the code on your machine and pass it in the format of a dynamically linked shared library. We have the difference between two libraries inside Android: we have libandroid_runtime.so and libart.so, and they are different. libandroid_runtime.so is for applying the security measures, the SELinux policy that will be applied, or the fork, or the specialization; it is the environment setup. And libart.so is the interpreter, what will execute our code. Okay, here we have just a diagram. So JIT code will be interpreted: we have bytecode in DEX format, and it will turn into machine code and execute. And we have the frequently run code, like 50%, that will be pre-compiled on our machine and just run as machine code the whole process, no need to interpret the bytecode. We have this pretty weird diagram too, but we can focus on the red boxes. This is what libart.so does. We have here this side, that is the interpretation execution: here all the code that is JIT will be interpreted. And here on this other side, on native method, are the methods that we pre-compile on our machine and pass in dynamic link library format, and we have quick code. Quick code is AOT. AOT is the fragmented code that was interpreted, but now the Android runtime compiles it for us and just executes it as machine code.

Just two more concepts before we start on how we inject code in zygote. We have the native bridge on Android. The native bridge is just an architecture translator. So imagine we have an x86 computer and we want to run an ARM emulator, an Android emulator. We can use the native bridge to understand how the x86 opcodes will run on ARM. This started on Android 5, and the native bridge is really interesting because it executes inside zygote. If we don't need the native bridge, like if you have an ARM device

and this will run ARM code, you don't need the native bridge, so this unloads from the zygote. All Androids, all the architectures, have the native bridge. So okay, it started on Android 5, and like I said, if not needed, this will be unloaded. Here we have a diagram; I think it will be a little bit small, but you can check it on the Hakai Offensive Security GitHub after this presentation. But it is what I explained before: the whole process of unloading and loading into the zygote, and checking if we will need to translate some architecture code for the process.

We have the PLT. PLT is the procedure linkage table. Imagine we have a table with some symbols, some function names, and addresses; these will be correlated. But we can use this for hooking: if we change the address from one symbol to another, we will redirect the control flow of the program. We can use frameworks like xHook or others. And this is a diagram. So imagine we have this table with two symbols, two functions and two addresses. We could change the address of the first one, and when we call bar_func, execute foo_func. So okay, we have inline hooking. Inline hooking is another type of hooking, but we don't know the symbol name; we just know the address of the function, and we can patch the first three assembly opcodes. Let's get a diagram, it is easier to speak. So we have here the original function; we can jump to malicious code, and after this malicious code we will jump to the original code. So this is the hijacking of the control flow just with an address.

So okay, let's talk about how we perform zygote injection. We need to change the native bridge, because the native bridge will load inside the zygote. We can drop an artifact: the first thing that we load in the native bridge is just a loader. This is because, like I said, if there is no need to run the native

bridge, the code will be unloaded. So we need to drop new code in memory, and we can restore the original native bridge if some application needs it; like if we are in an emulator, probably we will need the original native bridge functions. After that we can hook the PLT for the JNI functions of the com.android.internal.os.Zygote class, where this class is the place to find the functions like native...Specialize, and in these functions we can find where each type of process will be generated, forked and specialized, and then we can have fun. So this is the diagram; we will see all of this in a minute, but it's the same process that frameworks like Zygisk and Riru do. And just a quick note: we have Riru and Zygisk. The difference here is that Riru as a Magisk module for zygote injection is up to version 11 of Android, and it's deprecated now because it has some incompatibilities with other modules. We have Zygisk; Riru recommends you to use Zygisk now, because Zygisk is built into Magisk, so it doesn't have the incompatibility at the time that we need to execute this injection, and it works from version 12 to nowadays. Okay, we will replicate what these two frameworks do.

So let's talk about Yaga. Yaga is my project to explain to you how the zygote injection attack works and how we can hook the interpreter and hijack the control flow of a single application. You have the QR code for the project, and you can check it on my GitHub too. So okay, the project was tested on an ARM emulator, a macOS emulator, and on Android 12. So, first of all, what is Magisk? Just a simple concept. We have systemless rooting: a root binary that is systemless, it doesn't change the /system partition. And the most interesting thing around Magisk is that it can run custom code; it can run an extension for its properties. Here is the face of Magisk. And we need to develop a Magisk module. A Magisk module has some files

like module.prop to store metadata, or install.sh to enable the features of the Magisk module. And what we are really interested in is post-fs-data.sh. Magisk will execute this script during the boot process of Android. We have service.sh that will run after the boot process. And we have these two folders: we have zygisk, if you want to inject some code into the zygote process; we will replicate that, we won't use the zygisk folder. We have the system folder to replicate the file system, like you have /system; if you want to place something that will be native on the Android system, we can place it in this folder. And we have the sepolicy.rule, where we can edit the SELinux policy to be more permissive. This is the module: we need to put these folders like META-INF/com/google/android and the two scripts that will identify that this is a Magisk module, and here in the system folder I will place two files inside the library folder for each type of architecture, x86_64 or x86: the loader and the operator, which we will see in a minute. We have the install script and the module.prop just to say this is a module, and we have the two scripts, post-fs-data.sh and service.sh; module.prop is just the metadata with the name, version and the author of the code. Here on install.sh are the two boolean flags to set the two scripts, and here we have post-fs-data.sh that will run during boot, and the only thing we need to inject code into the zygote is to change the ro.dalvik.vm.native.bridge property to the loader. This will automatically load the code into the zygote.

But why does this work? We can reverse engineer the code of zygote. So we have the main function, and inside this main function, going a little bit ahead, we find the runtime start. This will be the start of the Android runtime, and inside this function, this start here, we can check the start VM that will start the virtual machine to store some variables and

things from the environment. Going inside it, we can already check some flags here. And going a little bit forward, we can find the ro native bridge flag that says that zero means the native bridge is disabled, but if not, bridging is only enabled for the zygote. So we can have an idea that this code will run in the zygote. Going a little bit forward, we have JNI_CreateJavaVM for setting up some virtualization things that we need to run the code for the interpretation. So we have this function; inside we have the runtime create, and inside we have the instance init, and inside this function of initialization of the runtime we can go a little bit further and find this comment that the Android developers put in here, that the code will look for the native bridge, and check from this control flow, and we can find some zygote mentions here. So we can get this idea. And here we have the load of the native bridge inside the zygote. And here we have the function to load the native bridge. So okay, if you want to masquerade the thing, the malicious activity, you can put the native bridge as zero. This just works for ARM, ARM64 devices, because if you need translation you can put just a new string.

And here we have the loader. We place this structure; this structure is just a pointer to the other pointers that will be replicated from the Android source code. This is just to restore the original native bridge, restore it after, and unload our library, our loader. We can check if we are in the zygote process, drop new code in memory, which will be the operator, and after that we can just restore the original native bridge with the pointer and the structure. Okay, the function is_zygote: we can just get /proc/self/cmdline to get the name of the process and check whether we are in zygote. The checks are just to close the library when it will be

unloaded if not needed. And what we can do now: we have the Android runtime code, libandroid_runtime.so, which has some functions like nativeForkAndSpecialize, nativeForkSystemServer, or nativeSpecializeAppProcess, which is the specialization process for each type of process. We have com.android.internal.os.Zygote, where the JNI registration for each function will be, and here is just an example of the execution of each type of fork, and we have a lot of parameters that will be interesting for us. So inside the operator we can do a PLT hook. I use xHook here for RegisterNatives, to know when a JNI method will be registered in the process. So here are just some macros, and in our hooked function we will check if it is in com.android.internal.os.Zygote and check if the method name is one of the fork types, like specialize, SpecializeAppProcess, or system server; the native fork can specialize for the webview zygote too. We can check the signature too, just to not have problems, because Samsung and Motorola like to change this signature, they like to do it by themselves. But inside each condition, we can store a pointer to the original method and use RegisterNatives to register a new function, our function, to hijack the control flow based on the registered address. Here are just the variables where we store the original address, and here the signature and our new function prototype. We have the other functions, the other types of specialization, and here we have an example of execution. So we can execute normally here by the pointer, and we can run code on the pre version; this pre version will execute before we set the specialization, before the SELinux policy is applied to this process, and we can execute a post version where the SELinux measures are being applied already. So we have both types. We have the others, like system server, and we have the app process too. In the app process I placed a log here so that we log

the name of the process that the code will be injected into. And here we have a little demo. Let me put it here, just make a better quality; I hope you can see it all. So, okay. I placed a setup.sh in the project if you want to build more easily, and you just need to push it onto your device via adb, and you can install the module via Magisk, and what you need now is just to reboot your device, because when we reboot all the injection will be applied in the initialization process. So here we can get the PID of zygote; let's just wait. Here we have PID 334 for the zygote process at this time, and we can check a lot of logs coming in, and the first log is just "code loaded in zygote process PID 334". So we successfully injected code inside zygote, and we can see a lot of logs like camera, contacts; these are the processes being generated. We are injecting code in each process that will be opened. So it's nice: if I open some new process like Chrome, or if I open my application here, dummy tree, I can see a new log here calling dummy tree. So we have the injected code in this new application that we open now via the zygote.

Okay, cool. What can we do with it? We have libart.so, that is the interpreter. And we have this code of this application; it is a demo application that has an is_root function returning true and displaying it on the screen, remembering this is DEX code, this will be interpreted. So libart.so, the interpreter, has this function called DoCall. DoCall is the function that executes the method, and it receives the first parameter as an ArtMethod. ArtMethod is a class; here we receive a pointer to the method, and ArtMethod has this class and some parameters in the protected part of the code, which has things like the declaring class, the method index, all the things where this method is located and needs to be

executed. But the most important thing is the entry point from quick compiled code, which will be the address of this function. Inside the ArtMethod we have this function, PrettyMethod, which just returns something human-readable, like the package, the class where it is located, and the method name. Okay. So what can we do with it? We have the app process post version, where the SELinux measures are being applied, and we have two variables here. We can get the package name as chars from nice_name and the app data dir; this is just the name of the process and the /data/data directory of the application. And we can check if the process name is the same as the application name, and here all this code, this condition, will run inside just this application. So we have some cache for the JavaVM and the app data dir; we will see this in a minute, it just has the function to get the JNIEnv and get some variables inside the runtime. And here we can hook the first function from libart, PrettyMethod. And it's a little bit difficult to get this address; we need to self-implement a way to get the address, like find_name, which I will show to you in a minute, and we can use Dobby, which is an inline hooker; we get the address of the function and we just use this address to hook this function. So PrettyMethod we execute normally, we just need the original implementation.

And here we have the find_name function. In the find_name function we need to follow some steps, like we need to load the memory map, the virtual memory map of the process, find the library name and get each page, and when we get these pages, we can reconstruct an ELF file and check, by the sections, the dynamic symbols and the static symbols, and look for the symbol that we want and restore each address. So for each function we load the memory map from /proc maps, we can get each page, and we can

reconstruct, after we find the library name, we will reconstruct this inside memory. So here is just the reconstruction, and then we have the do_load function, and this do_load will just load the ELF: we'll get the magic bytes and reconstruct all sections in memory, just that. And we have get_syms here: we get the static symbols and the dynamic symbols, like we have the lookup_sym function, and after we reconstruct the file and can get the symbols, we go into the sections that have the dynamic symbols and the static symbols and get all this stuff. Okay, just some structures that I used, like to get the static symbols and dynamic symbols; this is the symbol table, and to get the memory map.

And okay, we can do this for DoCall. The DoCall function has four variations; we need to hook all of them, and we can pass just an indirection to the same function, because what we need to do after hooking this function is always the same. So okay, just some code for hijacking this function. This function is the hook for DoCall, and inside the call we have the ArtMethod, and with the ArtMethod we can call PrettyMethod; calling PrettyMethod, we can have the name of the function and the class that is being executed at this moment. We can check if this is from com.example.tree, which is the name of my application, and we will know that the package of the execution of this function is our application itself, not like a Java runtime function. And we can log it to have like a stack trace of all the functions that were called. And we can check if it is the is_root function inside the MainActivity class, and if it is, we can get the JNIEnv, load a new DEX into memory, get this method, transform it into a jobject and get its ArtMethod, and if it's the is_root function we don't need to execute the original function normally with arg one; we can

just place the new ArtMethod that we loaded into memory. So this is just our replica of ArtMethod. And here we have load_dex and get_method. We will load the mydex.dex file inside the /data/data of this process, remembering that we need to pass execute, read and write permissions. We need to get the jobject, and we need to get the ArtMethod of this jobject. And just remembering, we have this function as an example, is_root returning true, and we can patch this function, changing the DEX to zero; this smali will be converted to DEX in a new class called MyDex. This is the resulting Java, like we have the false. And here is just the process to generate these DEX files; you can find this in my GitHub project too.

And let's go for the demonstration. So let me just put on a better quality too. Okay. First of all, we have this function; I hope you can see the text pretty well. We have the true value on the screen, and here we have the is_root function. And okay, we just need to compile our module with the setup script and pass it to the device, install the Magisk module and reboot our device, and when it reboots all the modifications will be applied. Just a minute. Here we can see all the logs coming in and the code being injected. But when we open the dummy tree app, we can see the string is now false. And here we have the stack trace of all the functions that were called and what function was patched. So pretty cool: we have DEX code hooking now via zygote.

Okay, returning to the code, we have this native code too, a string from native code that comes from libmettree.so, remembering this is machine code in dynamic library format. Here we have in the decompiler that we have the return of the "hello from native bridge" string from this function. But if we pass a new argument, this will

pass here and return this new string. We can hook this from the linker binary or libdl.so. But the linker binary on Android uses libdl.so, so I prefer going this way and getting android_dlopen_ext, and we can hook with android_dlopen_ext. You can hook with xHook too, but I prefer this in this case, because we can pass a new pointer here and it will find the library; we don't need to specify a library. And when we hook, we can check in the first parameter if the library name is libmettree. So we execute android_dlopen_ext normally, get a handle, get the address of the symbol of string_from_native_code and hook this native code. Here we have the new function: we generate a string called "hacked" and interpret the cast to int64, which is the same that we saw in the decompiler here.

And that's it. So let's check it out. Let's just play the video. Okay. So when we open the application now, we can see two strings, true and "hello from native code". This is the original behavior, and we can do all the same process: just setup, push the module to the device and install. I'll just skip to get more time, and we can reboot the device. And after we reboot the device, we can see the injection into our process here. And when we open the same application now, we can see the string true, the string false, sorry, and "hacked", and all the stack traces of each method and each library. So pretty cool. We have

two injections, two types of injections: the DEX code and the machine code. So let's talk about Lihoo. Lihoo is just a porting of this project to Zygisk. So we don't need to care about zygote injection anymore, just the hooking of all the methods, the application methods, and here we have the QR code if you want to check the project. And that's it. This works in more versions of Android, I think versions 11, 12 and 13. Yeah. Feel free to contribute to this project, send requests and other things.

Okay. Imagine that we have an application that has a lot of protections, like debug detection, ADB protection, emulator and JDWP: some protections in native code and some protections in DEX code, like emulator detection, getting a dynamic DEX, or checking if the application has been debugged. Here we have the implementation of, like, the ADB detection and the take_actions. The take_actions just will have a new pointer to crash the application itself and take the measures. And we have the JDWP detection, to check if we have the flag in /proc's tasks. And here is how you use Lihoo: you just need to change in post app specialize some functions like set_apk_name, and place your APK name, and you can choose like register DEX hook or register native hook. If you have a native function, you can pass in what library it's located, the entire name of the function, and create a pointer for a new function and a pointer to store the original pointer of the function. And for a DEX hook we can pass the package, the class and the function name of the original implementation, and now, separated, the new class, the new method, the signature of the functions and the DEX where it will be located. These DEX files need to be placed at /data/local/tmp. Here we have the implementation for the native code: we have return zero, return zero for both protections, return false, and here from the DEX we generate a DEX like bypass

dex, with zero and zero for the protections, and a dynamic DEX called hacked. So let's go to a demo; I will put it on a higher quality. And okay, imagine that we have the application; we open the application and boom, it's crashed, because we have a debugger detection. How can we bypass it? We can just build the Lihoo project; it has a setup script too. And you can push the module, Lihoo-Magisk-module.zip, into the Android device, and you can push the bypass DEX to /data/local/tmp too. We can install the Lihoo module. It's just a cat; I love cats. And we reboot the device to apply all the injections, remembering that Zygisk in Magisk needs to be enabled, because if not we will not be able to execute. So enable Zygisk before it. An interesting thing: you can place the app on the deny list with Zygisk, so we can bypass root and hook the application with this framework. So really cool. So when the device starts we won't see any log, just when we open the application that we are targeting, and the same application now will show the string "hacked", it won't crash, and we can see all the stack traces for the functions that were being executed, that the program expected to execute, and what functions we patched to bypass it. So we really have stack traces, and if we will bypass some protections, like RASP protections, runtime application self-protection, you can look at all the stack traces of the application before, you know, like "whoa, this function is what killed the application now", and you can patch this.

So what's to do? The only thing that is missing now that I see is static methods in DEX code, because the method that is static in DEX code is a little bit different. It's pretty much the same, but it's a little bit different. But for all the other DEX methods and for native methods it already works. So that's it. Feel free to contribute to the project. Here is the bibliography, questions, and if you have no questions I will just place a thanks and redirect you to the QR code of Hakai Security. And that's it. So feel free to ask some questions, and that's it. [Applause]

No.

>> All right. So I'll just be loud without a microphone. First question: if native bridge is not enabled, for example if we're not in the Android code, none of this works, right?
>> In the Android code we load native bridge. If you don't like...
>> Exercise, right: suppose that Google ships a version of devices...
>> Yeah, if the Android code removes the native bridge, like, you get the source code from Android and remove it, no need, but by default the native code will load if you want.
>> What?
>> By default, of course, they ship it, but if that functionality wasn't there then you basically wouldn't be able to do anything.
>> Yeah, if you remove it, yes. But if it's just placed there, you just get the original code; it's by default.
>> Okay.
>> Like that.
>> Why does Android ship on devices with that functionality? Is there any practical reason for it?
>> It's a great question. I think it's because, I don't know if older versions of Android were other architectures before, but nowadays no need, just for emulators. It's really strange.
>> Yeah. Yeah. I mean, it would seem that they should just ship a version for emulators only. Maybe. Good. Okay. Second question: I don't believe you really like cats, because there wasn't a single cat picture in your presentation.
>> No, I love cats.
>> So, kitty.
>> Okay, good. Thanks.
>> Hey, thanks again. Were you able to see if Google Play Protect... could you completely defeat all the checks in Google Play Protect?
>> You can just... a little bit lower.
>> Oh. Did you try an app that uses Google Play Protect and see if all of your measures could defeat that?
>> Yeah, on Google Play Protect it did bypass, because Google Play Protection just checks the signature. If you patch the code, like if I decompile the application, change the code and rerun it, this will protect on the Google Play version of protection. But some dynamic bypassing, no, these don't check.
>> Okay. Because as far as I remember, Google Play Protect does more than just signature checks. It'll try to see if the device is rooted and things like that.
>> A little bit too low.
>> Oh, sorry. I thought Google Play Protect also checks if the device is rooted and some of those other heuristics that you could patch.

fully test.
>> Yeah, I don't understand the end, but it's like the static version of patching. No, but the Play Integrity checks are just the static, not the dynamic version. You can place a dynamic protection by yourself, but Google doesn't do this.
>> I think his question was just, have you tested it under those circumstances? Have you tried to run any of this code through something like the Google Play Store and those checks and seen whether or not...
>> You can just talk a little bit... I don't know why it's a little bit...
>> It's not that obvious. It's just a very close proximity effect, Mike. Have you tried testing it against those scenarios?
>> Yeah.
>> Okay.
>> I tested.
>> And it was able to bypass that.
>> Yeah. It was able to bypass.
>> And your theory on this is just, if you're doing this dynamically, there's not enough there to...
>> All right.

>> Okay. I think no more questions. Someone? Okay, so that's it, guys. Thanks for watching.


[Music] Last talking bside. Guys, hope you're all having a great time. Uh, without further ado, here is Casey Ellis with The Tale of Two Fools looking through through the looking guys. [Applause] >> Whoa, nearly knocked that thing over. How we doing? >> Yeah, good bides. >> Rock and rolling. Cool. Um I am like I'm I'm kind of feeling about this talk with a mixture of excitement and dread um in some ways. This is like a definitely a collection of of thoughts um that I put together over the past 12 months. And I'll explain kind of the context of that in a second, but uh yeah, let's get right into it. I appreciate you guys all

all kind of turning up for the lo note. And I think really thinking about it like what I'm trying to do here is touch on the things that I think are most powerful and most important about security as a community. Thank you very much. All right. How are we going to do this? >> Just be shorter. That's a good That's good advice. >> Yeah, it's helpful except for when it's not unfortunately. Um anyway, let's let's get into it. So, agenda, who am I? Bit of context, the thesis, uh why this, why now, and then solutions and suggestions. So, who the heck is this guy? Uh, my name is Casey. I am probably best known as the founder of Bugroud and the

co-founder of Disclos.io project. Um, also do like angel investing, policy stuff, all sorts of wacky things. Um, but yeah, Bug Crowd uh basically we didn't invent bug bounty and vulner we did pioneer this concept of getting in between the uh security research community and all of the folks that can help out with security insight and all of the different problems that exist on the defender side. So sorry and you're welcome, I guess. Um cuz that definitely escalated. Uh but yeah, from a context standpoint, like that's that's kind of my background. Um and yeah, Australian in case you couldn't hear that. I live in San Francisco, California. Um one one note, uh there's a little bit of medical stuff

in in this uh talk. So if that's um something that makes you squeamish, it's nothing hectic. Just to give you a bit of a warning there. So yeah, in terms of like how I'm thinking about, you know, what's important, disclose.io is really around or is really around changing the operating environment for folks that hack in good faith. Like we've done a lot around trying to influence policy, actually seeing the CFAA get amended with charging rule guidance changes out of DOJ, um different things that we've done with Scotas and in other countries as well. Basically like if you're hacking in good faith, it shouldn't be a crime and you shouldn't be worried about it being perceived as criminal. So

that's the problem that we're trying to solve there. Um with Buckroud, it was really about creating a new market by disrupting the economics of defense versus attack. And then in terms of the stuff that I'm working on outside of that, it's really just about encouraging the pursuit of potential. Um that's kind of a passionate uh conviction that I have, you know, for myself, for other people, for pretty much everything I build. I think there's a lot of that sympatico in this room. Um, and you see it, you know, just in the really the vibe of the Bides community, but especially besides Las Vegas, like you're all here because you see the gold in each other and you believe in the

gold in yourselves. So, I'm big on that. Um, here's the hectic part. So, right about now, uh, last year, so I basically got, uh, cold cold rebooted twice last year. Um, I had a valve failure, uh, that we found. I actually had been, it turns out, ignoring um basically the fact that my heart was operating at like 20% capacity for probably about a year or two. Um it had enlarged and was going crazy as a result. So we eventually figured that out when I was in Australia on vacation. Um and managed to uh get open heart surgery and get a repair done probably with a couple of weeks on the clock before that would have been a bigger

problem. Um, and then a month later, which is when when Bides was on, shout out to Carl who stood in for me at a couple of talks, um, as I'm like riding them on the way to the hospital. Um, there was a complication from that and they had to go back in. So, all up that netted out to like pretty much three and a half months on my back, um, recovering from it and all of that sort of thing. And, you know, the thing is that Yeah. Yeah. Thank you. um doctors like the medical stuff that goes on here. I've got a new appreciation for that obviously um new apprec appreciation for community family like

every it took a village like I got lucky right so I think I will drop the health nugget like don't ignore stuff like we all you know like to be superheroes and and hard charge and that's a part of what we do it is a part of what's necessary sometimes but if it's coming at the cost of listening to yourself and actually like not dying um don't do that because I got pretty close to doing that And I don't recommend it. It's not fun. So anyway, um, >> love you. >> Love you too, Josh. So this is my >> because I figured I'd get emo on that slide and need to break it up a little

bit. So this is my attempt at doing that. But yeah, that's some context. Um, so here's the thesis. Um, like this is actually borrowed from a book called the the shockwave writer. It's funny. I actually didn't know the book it was from. just heard the phrase a bunch of times and uh loved it because it it it really does capture a lot of what what I believe around generational knowledge transfer and I'll get into why I think that's important for us in a sec. So there's two kinds of fools. One says this is old and therefore good and the other says this is new and therefore better and I'm going to assume that's ringing some bells already. Neither are

right and neither are wrong. The truth is almost always somewhere in the middle, right? Um, an example of this, this is actually from two nights ago at at uh Mandalay Bay. Like I I firmly believe and try to live by this idea and I know that this is like a core thing within the bides community. There's a couple of reasons I think this is actually urgently important right now that I'll get to in a sec, but basically um these guys were all very early bounty hunters on the the Bug Crowd platform. Um, and all four of them have gone on to start companies that are now employing other people um, and doing all that kind of stuff. So,

like what we kicked off and what the team within Bug Crowd grew, passed on what we knew to these guys who then picked it up, you know, interpreted it with what they believe is going to be the most important set of things to do going forward. And now they're off doing that and they're going to hand that off again. Right? In the meantime, they're telling me [ __ ] I've never heard before. like they're thinking about ways to solve problems that, you know, I can get into that stuff pretty quickly, but they're native to it. So, they can think about how to solve these things in a way that I can probably get around to, but

it's not where I grew up. It's not my kind of core suit in that sense. Um, so it's just a really cool example. And in terms of my journey with entrepreneurship, I did the same thing, you know, in reverse. I was looking for mentors, like getting people in that had been successful, drawing from that, throwing out the stuff that didn't matter, sharing with them the things that I was learning that blew their mind. Um, and on and on it goes. So, it's just a cool example of that. So, yeah, I'm going to read a little bit here. As defenders, we are a diverse rag tag community of connected tribes. The strength of those connections ultimately

determines our success. Like, I firmly believe in that. Cross uh generational communication is something that society struggles. like this is a hard problem, but the result of that hard problem is that every subsequent generation that's that's disconnected ends up reinventing the wheel and we don't have time for that anymore. Um, in terms of securing the internet, um, yeah, the reason this matters is twofold. The older generations will never be native to the technology and times of the younger generations and vice versa. But everything is currently in place. So if you're an old like packet rat, like the internet still runs on that stuff. So what you know from a technology standpoint still matters even though

most of the hotness and most of the focus right now is abstracted up into business logic and all those other things. That's one technical example of that. Um on top of that we need wisdom as well as knowledge working together, right? Um and yeah, like I said, we're out of time for continually reinventing the wheel.

This is where it's like, oh yeah, he's still getting his breath back. So why this? Why now? Um there's a there's another piece to this that I'll that I'll add add back in here, but um you know hybrid conflict is is here. Like there's been a bunch of talks on this either, you know, referring to it directly or kind of alluding to it. Um this is kind of the new normal for how we're defending cyerspace at this point and it's not going to slow down. Um you know, thread actors are blended. It's accelerating. couple of examples that are up on there that I think about a lot, but you know, I know there's been a lot that's sort of

gone on today. There's this aspect of technology evolution outpacing defensive readiness. Like from my perspective and from the vantage point of having hacked the internet at scale for the last 12 years, like we were actually there a long time ago and just kind of didn't realize it. Um, but you know, when you think about how quickly we're deploying new things, um, that's part of the the eye broken icon, you know, vibe coding joke. You know, our our rate of deployment of new technology is only going to accelerate. And meanwhile, we've got all this debt to pay back, right? Um, nation state is one of my my favorite ones there. The whole idea of like the uh the

opportunistic spraying of the internet that started happening in 2020 that's just kind of ramped up ever since. And in the meantime, the tools that you need to do that and the barrier to entry for really anyone like chat GPT LLMs like the the you know the agentic stuff that's starting to come out. It's put the idea of good enough to cause impacts hacking in the hands of literally anyone. Like if you found metas-ploit difficult to use and that was kind of your bar to ride, you can now like there's a lower bar now. you know, we've got this kind of confluence of different things that are coming together that I only see accelerating over time. Um, and I I

removed some slides uh here because they they were a little bit heavy. Um, you know, the other thing in terms of like my own story with with all of this is like generations aren't permanent, right? Like we've lost a lot of heroes, you know, that have left a legacy that we're all following. Um, and like I came pretty close to that last year, right? So that's been a reminder for me. I've always been appreciative of, you know, in memoriam and folks that have passed away. Um, but that's that's going to that's that's life. That's a thing that's going to keep happening, right? We're not permanent. What we're working on is not permanent. We need to think

about it in that way and just be comfortable with that and look at ways that we can hand off what we know and look at ways that we can learn from people that are up and coming so that we can stay in the game as well, right? We good so far? >> Yeah. I'm trying not to frame this as like it's dumpy because like I look at this this it's a it's a heavy topic, right? But we're already doing it I think pretty incredibly well here. Um I'm not sure about outside but in here like this is kind of the default mindset and culture of bides and I do think it's a critical time to get this right. So

tools. Um, shout out to Bo Woods for reminding me to tie this into Alice in Wonderland because this is actually kind of handy. Yeah, the part where Alice uh I think eats or drinks. I'm forget which one is which to make herself small so that she can navigate the thing, right? That was a choice. Um, humility is about knowing what you're world class at, what you're good at, right? and not being ashamed of that, not backing away from that, but also recognizing you're going to need help with everything else, right? Um, and that requires it's a posture. It's a thing that you like deliberately adopt and accept. Again, this group and this room, I think, is

amazing at this stuff. It's not necessarily a feature of the cyber security community, right? Um, and I think we could go a lot faster and be a lot more, you know, productive in handing things off to each other if we took this on. Um, it's not a weakness either. I think it's it's a it's a guard against blind spots, right? On the flip side, when Alice took the thing to make herself bigger because she needed to do that. Sometimes you need leadership. Um, you know, this is how Bug Crowd started. Like, I just literally said, "Fuck it. This is a problem that shouldn't exist. I'm going to go after it." and it worked and people came in behind it and all of

a sudden, you know, I'm not the one like driving that anymore. It was just kind of kicking it off. There's so many other examples of that that exist. Um, and sometimes it does take, you know, the one person seeing a thing that no one else sees and saying, you know what, no, screw it. I'm going to take I'm going to take that hill. Right? That's not the opposite of humility. I just think people tend to position those things against each other. I actually think they're kind of on the same, you know, coin uh side of the coin, if that makes sense. for framing that up. Um, and and you know, practically for those people, if you're in that bucket, like step out,

like share what you're seeing, ask for help. Don't be afraid to do that. If someone does that to you, like be emotionally and intellectually available and like consider that a privilege when it happens. It might be a dumb idea. Maybe it's not, right? Balancing curiosity and ego. I partly just wanted to use this picture because I freaking love it. Like, it was It was a a Defcon um 2013 I think had a barcode with with this particular illustration on it. It's awesome. Um we're a naturally cur curious group of people but like we've got egos um that I don't believe in the idea of killing the ego if that makes sense. I think without some sort of sense of ownership and

pride in what you're trying to get done like oftenimes nothing gets done but you got to balance that out. Um, and you've got to be careful about how your ego might quash someone else's curiosity. I think if you if you think that part through and you just stay mindful of that and um, you know, encourage I guess each other, that's that's when you get to draw out the gold, right? The pursuit of potential thing I was talking about before, it's like, what do you mean by that? What do you like? What's the thing that you see that I might not see? Um, community nobrainer, right, for this group. This is coming back to the why this why

now conversation, right? Because I think we're all all in on community as a uh you know as a as a room and as a group of people here, but it's not to me it's not just about you know friendship and and belonging. I actually see this as a strategic asset for cyber defense, right? Because it's that diversity piece. It's the sharing of wisdom and knowledge across generations, across different groups. The bad guys look diverse and they're pretty good at working with each other to get the job done. Um, this is our asset to actually counter that with the creativity that we've got. You know, the best solutions come from collective brilliance of a community willing to share challenge and

collaborate. Hashtag it takes the crowd. Like this is kind of what Bugrad was founded on, but it's not I'm not saying it because of the company. I'm I'm saying it because I deeply believe this is true. This one's fun.

How's my driving? We're good. >> Yeah. Okay, cool. It's been a while. Um, yeah. So, gratitude, right? Gratitude is a force multiplier. And by the way, like part of why I I I set up, you know, sort of giving the the the heart surgery story at the start, like this is the this is the [ __ ] I've been thinking about like kind of laying in bed recovering, right? Um it was really interesting trying to assemble this talk because it's that's a lot of time to think about stuff. Um and you know what I've tried to do is is to to pull it together into the things I think are valuable and useful and actually

actionable for this group as as things to prioritize. Um but this is a big one, right? the whole idea of like just being grateful for the care I got thinking about that in terms of like how does that work in the defender space? How does that work in business? How does that work in policy? Um we've got a lot of things to get annoyed about and it's really easy to be kind of dumpy and and you know a bit of a car margin as a as a security person. I don't think that's a bad thing, but if it comes at the expense of gratitude for the things that are good or for the people that are

trying, then, you know, maybe we're not quite doing that part, right? Um I don't think it necessitates a apathy. So the whole idea of being grateful for a thing doesn't mean like, oh, cool, it's done. I'm not going to, you know, continue to try to make it better. It's um myself. I I think you can carry an attitude of gratitude and still desire change and pursue change. And honestly, this is one of the things I I do love most about this community. I love about working with security entrepreneurs, like folks that are at the coalace and seeing like how hectic things actually are. Because if you can do that, if you can stare some of the bleakness that we have to

deal with in the face and still have this attitude of like, [ __ ] it, I can take that hill. Um, and I'm actually grateful for the opportunity to do that. Like that to me is clutch. Um, it's truly a force multiplier, I think. Shout out to Josh. This is a really practical one, especially for I think for the younger um generations. And I'm trying to speak to this not just as like the old fart in the room in if that makes sense. Um I do believe there's like you know the younger generation, the middle generation and and the older uh in in that sort of sense. And I don't really have clear lines on like how to define

those. But there's folks that are coming in, there's folks that are active and connecting and then there's folks that are kind of on the on the tail end of things if that makes sense. Um, but yeah, Josh shouted out this uh this great oneliner when we were chatting about this like on a long enough timeline many of us end up doing things for the public good. Like I think working in security on its own is an awesome thing. Um but like there's other there's force multipliers that we have access to um that oftentimes people don't really discover until they're later in their career, right? Uh and you know often times that actually makes it easier to get into that type of thing

because later in your career you've you've developed more influence, you've developed more you know optionality, all those different things. Um but you got less time to do stuff, right? So, you know, I do think that um you know, one of the things I love about hacking pol uh sorry, the uh the policy village at Defcon and like things like Hackers on the Hill um you know, it used to be like a group of 50 of us and and that was kind of it. And then walking in there, I think it was 2022 and like I didn't know 90% of the people in that room. I'm like this is awesome. This is exactly what we need. Right? Um same on the

entrepreneurship side of things. I think there's a lot of ideas, there's a lot of opportunity, there's a lot of help available for people that want to do that. Um, this is really the practical part. I think that the folks that know how this work, like we're all willing to help you get started in all of that stuff. Um, and I kind of want to call that out because I I think again this is sort of preaching to the choir in terms of y'all being at Bides Las Vegas. Um, I do honestly think that outside of these circles like these sorts of ideas and these sorts of messages, we need to be practicing them there as well. So, it's

not just us and our group here. Um, but when it comes to that, you know, the the policy stuff, there's all sorts of folks that have worked in that space that are that will help you get into it and lots of opportunities to do that as well. And this one's fun. Don't forget about old man's strength. This is um I forget the name of this guy uh from the book. Anyone know the dude on his head? Father something or other. Anyway, he's basically showing off like he's older. He's kind of, you know, aging out doing doing that whole thing, but he has this habit of like standing on his head to show that he still can.

>> Um >> Father William. >> Father William. There you go. Thank you. Um and it's a thing, right? Um, I'm not saying that I'm old and aging out by any stretch of the imagination. I am like literally, you know, tailing out on recovery at the moment. This is kind of a bit of an I'm back thing that's going on at the moment as well. Um, but I can relate to this a lot because like my son is like this tall as you could imagine. He's getting kind of big. Um, and we'll rough house and and do all those different things. Uh, and I'm starting to, you know, especially as I've been kind of recovering from the stuff

struggling with that a little bit. Um, but he knows that if I want to get it done, I'll get it done. So, this there's this idea of I think you know it doesn't need to be old man strength. That's just what I call it as a as a older man. But, um, yeah, that idea of like the folks that are that are in that position like there's that sort of I'm I'm going to rally and and do the thing because I'm motivated and inspired enough to do that. Um, and then set something else in motion. Like I'm trying to teach him how to fight, like do all those different things. There's a purpose to that. Um, and that's, you

know, part of why I do it and part of it's just to show them that I can. Um, so, you know, that's how that works. Um, for younger generations, I think knowing that this is a thing is actually kind of good as a as a mental model. It's like, no, come on, you can do that. Like, let's let's go. And throwing out a bit of a challenge. And I think for the older generations, like, use it. Make it available. You're not you're not done yet. All right, we're rounding up. Um, so yeah, who's doing this? Well, this was a really interesting one to think about cuz, you know, I think the uh there's there's a bunch of communities. There's

a bunch of different like what we're doing as a part of this. I think what the other, you know, bounty and disclosure platforms are doing as a part of this because we're connecting these different generations of knowledge together in order to be better defenders as a whole, right? Um, obviously I don't want to throw that out there because it feels a bit biased, but you get it. Um there's like companies like um the hacking games that are working on basically diverting uh early Gen Z and Gen Alpha from getting recruited into cyber crime because they're all getting hired on Roblox at the moment. That's a thing. It's like literally a thing. Um and it's crazy because it's kind of

like, you know, how drug meals worked, you know, 20 years ago. It's just like the online version of that being diverted into crime. So how do you stop that? How do you meet them where they are? You know, same thing. It's like have someone who comes in who's been through the bad sides of getting dinged for hacking the wrong stuff. Get them talking to that generation saying you don't have to be like that. Like this is harmful and it's going to cause you harm. Here's some better ways to do that kind of mentorship. There's lots of different things, but I I do come back to this kind of being ceres. Like you think about the proving ground.

you think about, you know, all of the different even besides itself as like an outlet for folks that weren't able to present at the main conferences like that to me is is like connecting the next generation of what's going to be important with the folk that are available to hear it right now. Um, so I think y'all are awesome at this. Um, again, I don't know that people outside these four walls are that great at it. um cuz we keep on making the same mistakes like we keep on learning [ __ ] the hard way, reinventing the wheel. It's not necessary. I think if if you the folks that have that tenure and that wisdom and perspective can come in

and not tell the upandcomers how it's done because we don't know what they know, but there's axioms and there's wisdom and there's all these different things that that we learn along the way that we can actually, you know, make available to them if they want it. I think that's a big part of how we can uh we can get better at all this stuff. And again, like y'all rock, right? I think anyway. All right, summary. So, younger generations, what you bring to the fight is critically important. You will end up inheriting these problems. Um, and you're amazing at solving hard things. Don't let anyone tell you different, right? Um, middle generations, like you're the connectors. like we're the

ones that actually are probably going to be most effective at plugging all this stuff together and making it more of a thing, right? Um that's what I see as our role in this and take it or leave it, but this is a framework that to me is kind of useful. Um older generations, you're not done yet, right? Two ears, one mouth, stay in the game. Um so yeah, that's the uh that's the big hairy takeaway slide there. And then everyone look out for each other and look look out for your health. Um, coming back around to that, like we can't do it all ourselves. Like I I I do think that there is a lot

of pressure that can come on the things that different people in this room are doing. Um, and again, some of that's necessary. Some of that's just part of the job. Uh, but you know, adrenaline is not a great diet. Um, and it can cause you to ignore things that, you know, will kill you. Um, or at least take you out of the game. Um, that's a thing that happened to me. Like, don't do that. And if you see friends, if you see your peers doing that, jump in. Like, let them know. Tap them on the shoulder. Say, "Hey, like you seem to be burning it at both ends. Like, are you okay? Do you need help? I'm worried about you. I

want to help you." Whatever it is that you that you uh however you do that, however appropriate. Um, I think coming back to just calling out the fact that like I I was totally caught off guard by by the stuff that happened to me. Um, you know, like I said, it was a genetic issue. Um, so we had been testing for it, but it normally presents in in the 30s, and I'm older than I look. Um, so we'd stopped looking for it. Um, and then when things started to kind of, you know, it started to slow down, get a bit of arythmia, like whatever else, I thought it was because I was stressed or working too hard, you know, it was part

of the job. Oh, that's just being in security. That's just being an entrepreneur. And it nearly killed me. Um, so yeah, don't do that. All right. And that's it. Obligatory humor slide at the end there. [Applause] >> Thank you. >> Thank you so much. >> All right, everyone. Uh we are a little bit ahead of schedule for getting into closing. So uh back in this room at 1:00 p.m. closing ceremonies. Enjoy. [Applause]

[Music] All right. Def. Uh, >> definitely. Haha. >> Definitely. >> Definitely [ __ ] that one up. We'll fix it in post. Um, hello. >> So fired. >> I know that was already the case, but unfortunately I'm also indentured. So you can come I have to come back anyway. Even though I even though I don't get paid anyway. >> Um, all right folks. Uh, if you're standing up in the back, go ahead, find a seat. We're going to get this thing started. Pretty please. >> Pretty pretty pretty pretty please. >> I do not want to wave my off with their heads. >> No off their heads. >> All right guys, grab a seat. >> So, uh, first off, brief message. If you

are staff, please stick around afterwards. We're going to do a staff photo. So, don't go running off uh before we start doing loadout uh for the uh the conference. Uh, welcome everyone, staff or not, participant, speaker, whatever your particular role here might be. If you snuck in, you're welcome too. That's fine. Um, welcome to the beginning of the end of the conference and yeah, and also the end of the beginning of your adventures in Wonderland, which hopefully will continue as you move out those doors into the rest of the crazy world that we've got going on in Vegas this week. Um, show of hands while you're here. Uh, who is team Alice? Team Alice, anyone? Allison, Bob in

Wonderland, Eve. No. Anyone? Team Bob? No. Nobody. Nobody cares. Okay, never mind. Obviously all team Eve. That makes sense. I get it. >> Um, so we put on a thing and it actually went pretty well. Uh, yesterday, >> uh, you know, in spite of all the things the the world throws at us, I mean, yesterday was, I think, the first time in several years where I did a day two opening where I had no emergencies to relate. That was pretty crazy. Um, so, uh, we had 555 submissions. We had 218 speakers. We had 245 sessions across those 218 speakers. We had all of that spread across nine different talk tracks and six training rooms. That's a lot of

BSides, my friends. And you are the ones who did it. It's really not bad for uh you know some pretty good progress from something that was 20 people in a room with a melting air conditioner just you know a decade ago right? >> Sheets on the wall, man. >> Sheets on the wall. Yes, we need a t-shirt that says sheets on the wall. Um and in fact, you know, we were uh this is our second year now with Sky Talks coming and joining us here, which we are incredibly excited and grateful for. But I was uh I was at the the Sky Talks reception with Blue Knight earlier this week and he brought up something that

was really amazing. uh standing right over there on the side and uh if he can wants to duck he can but he brought this artifact into the room and you know this you're all pretty familiar with the sky talks bucket right put your money in the bucket please

>> uh but one of the things not a lot of people know see this on the other side. Can we get a can if you can get the camera on it that says BSides? This is the original bucket that >> from the original BSides >> from the original BSides back when it was a a a little room in a house, right? Banshee went out and bought this bucket in order to take donations and then later, you know, it came back and uh was given to the Sky Talks folks and they used it and then they got Eddie the Yeti to decorate this. If you see this splatter art, I don't know if you guys

are familiar with all those portraits at Defcon. Like this is three different conferences I'm holding in my hand right here. And over a decade, it went around the horn and now it's come back home here to BSides. And I just think that's the coolest damn thing. Let's hear it for for the the Sky Talks folks. Blue Knight, Troutman, Circuit Swan, the whole crew. They did an amazing job putting together a great program this year. Thank you for being here. >> And now I get to unlock my phone again because >> security >> I talk too long. Yes. Well, we weren't the same, >> but um we had some some really great messages, I think, this this year. We had uh some

keynotes that were really important to me. Our first uh we had Bryson Bort here talking about how, you know, we get further if we go together and if everybody actually is able to give their full contribution, not just being present in the room, but actually feeling like they can give everything they've got in the room. Uh we went and we had our our a keynote from someone who recently left the Treasury Department about how what we do cyber, you know, the the the security of the information systems could be potentially underpinning the next giant financial crisis. And that talking about lessons in resilience from, you know, finance that can apply to security and and then

turn around and and reinforce finance again. underpinnings of our economy and our entire, you know, society, right? We had, uh, one that was really important to me, uh, Allison coming up here and, you know, giving a a really deep and and nuanced examination of the the the security underground, the hacking culture, the the comm uh, you know, movements uh, within some of the, you know, Gen Z and so forth. And for me though, while that was an amazing talk in its own right, the thing that really hit home for me is that Allison started here as a proving ground talk at BSides and 10 years later she's come full circle and she's now on the main stage

as our keynote speaker. And I just that is what we do here. As Jack always says, we are changing the world one life at a time. All we're doing is changing lives and you guys are the ones that are doing that. So, um, and then, you know, Casey John Ellis, uh, brought it home for me where, you know, we talk about I I'm here quoting Jack, right, who we all wish was here with us. But that transition from being the person doing the thing to being the person teaching and and and aiding and assisting and leveling up all those folks who are coming after you. and being able to listen to what they know and to their truth and to the things

that, you know, that they can contribute and and not get in their way and hold them back, but kind of guide them, direct them a little bit, and get the hell out of their way and get whatever else you can out of their way, too. Um, and I think that that is what BSides is good at is putting people together across those generations and making sure that we do that work together because that is how we're going to fix the things that are broken. So, please, if you take anything away from this conference, think of that. Look to the people to your left, to your right, at work, at home. Find the people that you

can help be better than they are today. and then ask them how they want to be better and let and let them be better in that way, not the way that you think they should be. >> All right. >> Now, uh that's really the bulk. I don't I I could go on, but I I want to get off stage. So, uh, I'm going to without further ado, uh, pass along to our next esteemed speaker, the lovely Nouse. Speaker, >> sorry, now I have to say we have 556. Is that No. >> Hi everybody. I am Nouse, also known as Kelly. I hate speaking. I don't like being on microphone. Uh that is why I am

behind the scenes doing stuff with my teams. Um but uh I force myself to be up here because I want to acknowledge all of the the [Laughter] [Applause] Stanchions are awesome. >> Just because you love stanchions. >> Stanchion. >> We do really love our stanchions around here. Um, >> really great Russ. >> Um, as should be obvious at this point, um, uh, the staff and volunteers here are >> all fired. I'm ahead. >> Um, we're uh we're all uh very close. We have a lot of fun together. Uh we don't take ourselves too seriously, but we too take the work seriously. um the the staff who work year round, the volunteers who come in and and come

to Vegas and pay for the privilege of hanging out and lifting heavy things and standing in place for a very long time and other ridiculous asks. Um we're all here because we believe in what we do. We believe in the mission of BSides we believe in, as Damon spoke to, changing people's lives. Um I am a person who has had whose life has been profoundly impacted uh both both personally and professionally by my work with BSides. Um it is incredibly important to us. Um but it's not always easy. Uh sore feet and dehydration are just part of the fun. Um endless hotel buffet is also part of the fun. Um, but I really want to to to make a point of

saying how much I appreciate my team and all of the volunteers. Um, it means everything to be able to do this for you all, to help people uh to make connections, to help people level up in their careers. Um, it I just I want you all to please join me in appreciating them and thanking them for all their hard work. [Applause] [Music] [Applause]

Yeah sorry >> that I was I was >> Please welcome uh Ashley, our head of safety operations.

>> How's everyone doing? Are we feeling safe yet? Um, I just want to say thank you to everyone, especially all of my folks in blue shirts. Um, if you are in here right now, can you just stand up so we can give you a hand one more time, please? Please.

So, I do have a background. I was in the the army for 13 years and so I've done everything from hey show up at o dark 30 stand here for a while watch this box all the way to hey the vice president's coming down and we need to actually do a full escort so I came to BSides in 2019 had never been to a BSides before I was like be what? Okay, well, I guess I'll volunteer. And the day I got here, I got adopted by Lolski, who runs Speaker Ops, and he introduced me to all these favorite misfits that I've come to know and love and call crying about things that don't matter and everything else.

But I I thought about how safe I actually felt. And knowing what's going on outside in the world, we all probably were very happy to be here in our bubble these last few days. And a big part of that is making sure that again I want you all to have our little nerdfest in the desert. I don't want you to have any problems because I got to come into our little nerdfest in the desert. And I had a blast and I have lifelong friends up here. And so when I was asked to join staff my second year volunteering, I was confused because I'd only been here once before and I'm like, are you sure? And

now in my fifth year, I'm head of safety ops. I have notes, but but it's been really fun. And so last year, if you were here, you remember there was a lot of chaos. There was a lot of chaos at the pool party. There was a lot of chaos around the con. And it was unfortunately, it was our lowest staffing point. And so when I took the reins this year, we went from 45% staffing to 96% staffing. So I told all my all my blue shirt friends, I said, "Hey, you all know good people. I know all of you are good people. Bring more people." And so Safety Ops is always looking. So if you

would like a way to get involved, you can always ask me. Um, the other thing is that we do also offer medical. Are any of my smart people in here? I saw imposter. Oh, there's one. >> That's Amber. Hi, Amber. And Amber's one of my newest staff members, but stepped up in a humongous way. Also helping coordinate all of the blue shirt folks you saw roaming the con, making sure that they asked if you were good. You probably saw me asking them if they were good because again, NCO in the army, I got to check on my people. We also did offer mental health support this year. So, in the future, if you're having a rough time, and again,

this place is overwhelming. I went from living in the Bay Area to living in the middle of nowhere in New Mexico. I have one neighbor and there's like jack rabbits outside so I can understand coming to a you know big area can be a lot sometimes also you know you might have a work call things just things just come up so if you need that extra support we are also offering that as well the final thing that I'll kind of touch on is that I made it a point to bring lots of people onto my staff that were very very different from me because I wanted my staff to not only be reflective of our community but I wanted

you all to be comfortable cool enough knowing that if there was an issue, if you have feedback, you can tell us. I'm not going to get upset. You won't hurt my feelings. And if you do, I won't tell you till later. So, I just again, I really appreciate everybody. I saw lots of smiling faces. I still see smiling faces, which means we did our job right because everyone's happy. Um, no, you know, minor minor incidents, more band-aids than anything else. And, you know, if it's just band-aids, we're doing a good job. So, I want to thank all of you as attendees. Again, I know we kind of had to be a hard ass about badges. Again, I promise it's for your

safety. And just a reminder, please bring your badge to the pool party. It will save me so much headache. Bring your badge to the pool party. Pretty please. >> And your ID. >> And your ID if you would like to drink or make sure you have one of these red wristbands. See my friends in blue. We'll make sure you can come straight into the party and have a great time. Um, if you are on my staff, can you stand up if you're in here? I see Andy. I saw Amber. Okay. Well, those are my I have 15 staff members, but here's two of them. So, one more time, let's just give them a hand. They put up with me all my

ridiculous asks and demands and spreadsheets and lists and checklists and checklists for the list and the checklist, but we got through it. So, we have the pool party tonight. I want you all to have a very, very safe time. I will be there incognito, but if you need anything, you are always welcome to come say hi. So, thank you again. [Applause] All right, up next we got Dichotomy, who runs our Pros versus Joes CTF, which is >> one of my favorite things here, but it's also where my son spent all his time this week. So, please come on up and give it a show. >> Hello, my staff. Come forth. Pros V Joes staff, you know the drill. This is not

our first game, guys. So, hi, I'm Dichotomy. I run Pros versus Joes CTF. This is we've started here at BSides Las Vegas in 2013. We are a red versus blue offensive defensive CTF. We built out this massive cyber range throughout the year. We invite a bunch of uh Joes who are going to come in and play defensive against the red teamers, some of which are in this crew here who are following direction. There we go. And so, you know, it's a massive effort. We deploy a cyber range at Wilmington University, the school that has been hosting us from the beginning. Uh and the Joes come in to a cyber range that is just fully uh

saturated with red team implants and persistence and C2. Our red team has had weeks and months to prepare in advance and they just are faced day one of hey look there's the adversary and they're all up in our business and we have to deal with that while we maintain services and maintain uptime and try and do points and so it's a lot of fun. It's a lot of learning. That is our priority right? We are focused on learn first or excuse me have fun learn. Let me try this one more time. Learn, have fun, win if you can. We deemphasize the winning because that just kind of brings bad incentives. So, I want to get take a

moment to give please give my staff thanks here. This is just a portion of the people. They work hard all year long. Red, blue, gold, gray, they're amazing. Uh, and we had a great turnout this year with the Joes. A lot of fun competition. Uh, we're very different from a lot of red blue CTFs in that our red team are very, very accommodating and helpful. A lot of red teamers ran walked around and helped the blues out. You know, hey, have you looked at your firewall lately? Maybe it's a DNS thing. It it might be DNS. Have you checked DNS? Uh, you know, we know the drill. Uh, and so a lot of fun, a lot of

shenanigans, a lot of uh nonsense. And the extra format I think worked out really well for us because we had today like demos. You know, red team sat down the Linux side, the Windows side. They gave full demos, full disclosure. Normally, we just do a hot wash, which is quick and back and forth questions and as much as we can. So, that was wonderful. Um we're also a 501(c)(3), CTF Factory Incorporated, incorporated back in 2018 uh nonprofit in that year and we have a wonderful uh board member here now who we love to have on our board a few others I'm president whatever but you know we thank everyone for their donation that's my official title it's

on the card um thanks for those who donated we are always happy to take more donations there's some swag t-shirts and coins and stuff winners uh there were four teams we lumped the blues into different teams and they defend their ranges. Uh, Pink Pony Club came in first, came out of the rear. They were awesome. Uh, we had Peep Chipmunks in second, Bafflegap in third, and Bit Happens in fourth. But again, it's about the learning and the points don't matter. It's like Whose Line Is It Anyway if you've seen that? Um, lastly, I want to give a thanks to our sponsors, uh, Drop Zone AI, Expel, Hack the Box, PortSwigger. Big shout out to

Wilmington University who has hosted us from the beginning all the way back to our first at BSides Delaware. 2012, 2013 was our LV. Yeah, it's been a while. Uh we'll be at BSides New York. We should be at BSides DD De. We are always open to new venues. If you're interested to have us, come talk to us. Uh we'll be opening the call for BSLV next year around April like usual. And I want to give a big thanks to all the BSides LV support. We would not be here without BSides LV. Thank you to Nouse. Thank you to Reges. Thank you to Safety Ops. Thank you to Cube Branch. Thank you to especially to Knock. I love you. Um and I think that's

it. I miss Okay. Thank you everyone. All right. So, our next staffer coming up here probably should need no introduction. She does all the cool swag, the t-shirts, all the stuff. And more importantly, she is the brilliant designer of our what has become our annual >> crypto challenge uh with the uh choose your own adventure books. So please without further ado put your hands together for Tess.

>> Good afternoon. How many here played the crypto challenge or tried? So, I wanted to share that the choose your own crypto challenge was born from me going to Defcon and other conferences and looking at the challenges and wanting to cry and saying I'm too stupid to do these. So, my goal has always been to have a crypto challenge that everyone can play, everyone can enjoy, but then also people who really want a hard challenge can also get that as well. So, it's really a choose your own level. And I really hope next year if you haven't played before and you've never played because you thought you couldn't, please give us a try because we're always happy

to help, to teach, and to uh share how to get through things. We had four people, well, no, three groups finish. The first one was Daniel Jump on his own. He spent, in my estimate, probably 24 solid hours doing the challenge and he finished around 5:30 last night. Uh, and then we had White Night Labs came in second place with their team and then we had Ghost Glitch finish up this afternoon with their team. So, it was pretty fun. Um, I think everyone enjoyed it. We will be around for the rest of the conference to answer questions if you have them. In the past, we've done some really fun themes like BSides Nightvil Clue. Um, originally from

Washington DC, we did a spy version. We've done pirates for BSides Charm in Baltimore, Dungeons and Dragons. If you were here last year, you saw the Cthulhu one. And if you did not see the back of this year's book, we're hoping for a Nancy Drew mystery next year. So, um, I think those are all my notes. My brain is soup right now from all the crypto. But again, please, if you've never played before because you didn't think you could, know that I write these for all of us that feel like we can't do them. So hopefully you'll join us next year and we'll have a lot more fun and more people playing. We also have leftover flamingos for

everyone who wanted one. They're in the corner over here after the closing ceremonies. Feel free to grab any of the flamingos that you want. [Applause] All right. Now, we've been talking a lot about BSides staff, BSides volunteers, BSides participants, and how they make this thing work, but there's a whole other group that makes this thing happen, and it's the staff here at Tuscany. And there is >> there are two of them in particular who oh I'm who are who are critical to our operation and they've been here and they've just they've saved our butts so many times when you know someone comes in and demands a stage in uh overnight or another table on a stage in 15

minutes. uh they take care of it and uh so we have up here to talk about them and and what they do for us Caspian who runs our uh events and so take it away. Thanks. So I'll be really quick. Um Lance is the banquet uh captain for Tuscany. He's been here for ages. Uh he's this guy that you've seen running around wearing, you know, hotel uniform, getting in fights and doing things. Uh and he is absolutely fantastic. This conference would not happen without him and his team along with Debbie who helps us organize everything. And on the other side from on stage, we've got Robert and his team who if you thought it sounded

good in here, that's because of them. It's not me. I mean, I I look like I know what I'm doing. These guys actually do know what they're doing. So, uh, Xanadu went out and got some awards for both of them. For Lance, we have the chaos coordinator award. Uh, it's just a little plaque. And for Robert, it's the exact same one because they actually do coordinate all the chaos. As Damon said, the crazy last minute requests.

>> You don't get to get away so quick because now we're going to talk about the raffle and the auction and we're going to give some stuff away.

>> First off, we want to go ahead and get some numbers out of the way. Um, we still have our lucky loser. Anybody who purchased tickets on Monday, we had four items was not picked up. So, we have a lucky loser that we will pull raffle tickets. So, go ahead and get your raffle tickets out real quick so we can find the winner of this next item. Pull [Music] >> number is >> 2238625. It is a blue ticket. 2238625. The A looks like a B. >> Anybody? >> First time. >> Come on up. I got that for you. >> He's gonna hand that off. >> Sure. >> Hand me the >> hand that way. >> What's he winning?

>> Yep. >> What is he winning? >> What is he winning? >> What is he winning? >> It's a pile. >> Um, he has a NSA journal >> that's embossed. >> He has some lovely earrings. >> The Sky Talks badges >> and the Sky Talks badges >> and the shaker bottle. >> And a shaker bottle from >> Shukon. [Applause] This year we had 71 auction items. >> Wow. >> All of them were picked up except for two which are going into live auction. >> So let's start with Circle City Con badge. It's a 2025 staff. That should be wrong. 2015 staff or speaker and a 2016 traveler. I must have gotten my numbers off. Let's go ahead and start the bidding at

five. Who will give us five? >> We got five. >> 10 15 >> 15 20 25 30 >> Going for 30. No. Do we have 35? >> 35. 40. >> Going one. >> This is money going to chair. >> 40. Do we have 45? >> Sweet. 50. Sweet. 55. >> Sweet. 60. >> How many times can we make her say sweet? >> Let's find out. 65. Anybody going for 65? This is for charity people. >> I'll even give you a receipt. >> Zelle and PayPal. [Laughter] >> Isn't that great? >> I really thought that was a recording. >> 65 60 Who is my 60? Raise your hand. >> 55 >> going once. Going twice. >> 55.

>> The market has spoken.

[Applause] >> Thank you for your donation. All right. >> It's it's a conference. >> All right. Our next item is the lost oh sorry last unassembled DC Zia electronic sampler and we will start the bid at 15. Sweet 16. Sorry I scrubbed that one up. 20 25 30 35 40 >> in the back >> 45 50 60 70 >> 80 90 90 >> 100 >> I love >> 120 room >> front versus back >> 140 >> 150 180 >> Any takers >> 200 100 250. Any takers? You want to challenge the man? Come on. This is for charity. >> He looks serious though. >> He does. >> All right. 200. >> Congratulations. >> Sold.

>> So, what's our to >> currently? They are totaling up the money and taking payments. So I will talk a little bit about our silent auction raffle. I've been doing this the last seven years. Um we have two supported charities each year. This year we have EFF and Veilid which I pronounced properly. [Music] >> Awareness rising. >> We had over 30 people donate items to us this year.

We had was it 41 raffle items? Sorry. >> 45 >> 46 actually raffle items and 71 auction items. Well, we only had 20 was 24 boxes each day. So, and 71 auction items. Where did you put the total? Oh, never mind. See it blind. I pay to see everybody. >> So far, adding everything up, we have made over $8,880 >> for our supported charities this year.

>> That's a lot of hats. and BSides Las Vegas is gonna uh round up on that to give $5,000 to each of our charity partners. >> Thank you for everybody who donated. Thank you to everybody who bid, who put bought raffle tickets. Thank you so much for supporting our supported charities. Thank you. >> Oh, no. No, no, no. There's one more person to thank. >> Huh? >> We got one more person to thank. Not only >> do you have one of the most amazing costumes I've seen so far. >> I 100% agree. >> But all the work you've put in on this, Caspian's going to give you a little pin here. >> So for those of you who can't see, which

is nearly everyone, this is a tiny little pin. It's got a heart. It's got a greater than sign and then money. And that pretty much sums it up. >> And the best backstitches in the conference. >> You're violating HR code by doing this. I'm sorry. I give you my permission. >> Seriously, the commitment to that costume is amazing. I love that. It's a >> Thank you very much for everything you've done for us so far. Uh I'm looking forward to working with you in the future. [Applause]

>> All right. And then there was one. Please rise for her majesty. do not write. >> Although I did give the registration table a hard time. I'm like, where are my bows? Why is nobody bowing to me? >> I won't let it go to my head. I promise. Um, hi. What do you guys Hi. What do you guys think of the extended >> Oh, I'm sorry. I forgot to I do that every time. >> I'm Cindy Jones. I'm the president of the board for BSides Las Vegas. I have been involved. I have been involved personally with BSides since BSides Las Vegas number two in 2010. Um, and I've seen this and experienced that life-changing thing that we're

always talking about and it's fabulous. It's something that just blows my mind. But one of the things I wanted to ask you all and if I could just, you know, holler, raise your hands, whatever. What do you guys think about the extended format, the two and a half days? What do we think? >> Yeah. >> Wow. All the way in the back with the jumping. >> Yeah. Nice. I like hearing that. I mean, you guys are still here at closing. So, that's amazing in itself. So, thank you very much for coming out to closing. Um, yeah, this is it was kind of like let's see how this works out. And I'm thinking it's proven itself. I mean

>> I mean, who cares about sample bias? I'm with these people. >> Fair. Me, too. >> Fair enough. So once again, I want to thank everybody who's been involved and that includes all of the participants here. One of the advantages of coming to these events is building out that community, building out making the connection amongst yourselves. I can't tell you how many times I've heard of and personally experienced the the positivity that can come out of these events, whether it's professionally, personally, what have you. I've I have my job, current job because I met a person here last year. So, keep that in mind when you're coming out to these things. Be willing to network with

people, have a conversation, just nerd out with somebody because goodness knows we have a lot of that going on in this space. So, enjoy yourselves when you're here. Um, when it comes to the BSides events in total, I literally have nothing but love for this organization. um seeing all the changes it's been able to pro provide and the positive you know forward momentum that people in as individuals and as groups have been able to experience it's just lovely it just I mean literally gives me a warm fuzzy I was writing out my notes and I actually have love faith charity and that is not normally my kind of mantra so I think it's kind of funny anyways um as far as

the faith goes these are some trippy times these are some really trippy times And when we're talking about the ability to connect with a community and potentially find your next role because you might have been part of a layoff, um you don't know where to start. You're thinking about how can I get my messaging out and I want to go ahead and start speaking at a conference and see if I can go ahead and make an impression. I think one of the things that we're able to do here is support all of those types of um initiatives and I think we do. um our proving grounds alone, the the keynote aspect that she came back 10 years later and did a

keynote. How cool is that? It's just so neat. So I think people need to be able to have faith in their community, and sometimes that feels a little hard, maybe outside of our little space, whether we're the hackers, infosec folks. It's kind of hard right now in some areas to have that same faith, to think everything's going to be okay. But we can look out for each other. And I think that's one of the things you have the capability of doing when you're here: look out for each other. Look out for yourselves and know that we'll get through it. We'll get through it. And supporting the people who

are having a harder time getting through it is another big takeaway I think we all need to remember. Y'all talked about our charities, EFF. Thank you, EFF. Seriously, right? I mean, thank you, EFF, for everything they have done and everything they continue to do in that same sort of vein of taking care of the community. They are there for us. We need to be there for them. So thank you, all who contributed and renewed your memberships, or your sponsorships rather. Keep doing it. They only exist because we can support them. So don't forget to do that. Veilid, >> Veilid, I'm sorry, I had a hard time

pronouncing that. I said it wrong too many times. If you didn't have an opportunity to stop by their booth, be sure to go to veil.org and check out their site. Their goal is to provide, and they've created, an open-source application framework which is really focused on privacy. That's really important nowadays, I think, in so many areas of all of our lives. So be sure to check their site out as well, and make more donations. They'll take it. Nobody's gonna say no. >> They're bootstrapping. They need it. >> Yeah. Sorry. >> They need the support. >> They need the support. >> Yeah. Startups. >> Yep. >> It's a startup. Do it. Something else I want to say

is if you are a sponsor and I did not have a chance to speak to you making my rounds around the conference space, thank you so much. Whether you're working the table or you're the one signing the check and providing the support for BSides LV, we can't do that without you. Literally cannot do it without you. >> So, let's >> Yes. I don't have a list. >> Yes, I will. >> Thank you. Yes, I was coming. So thank you. And everybody else, if you guys don't mind, just go ahead and give them a big round of applause because they're there for us. So thank you again, sponsors.

Going back to that whole community thing, we wouldn't be here unless there was a desire of the community, or of people who may not feel like they're a part of a community, to be someplace and learn something new or to have a chance to interact with people of their own mindset, I guess is a good way to describe it. So I want to thank all the participants, anybody who's been involved in the organization or the running of, or the running around during the days of, this. All of you guys make this what it is. And please come back. We want you here. We want to be able to share what we can

with you. And you heard the numbers that Damon provided around the speakers and the submissions. Is that about 50%? >> A little less than >> a little less than 50%. Submit your ideas. Submit them. Just do it. We have a call for papers that goes live in the early spring >> and we Yeah, early spring, and really the one thing I would say there is we give very detailed instructions on how to do a good CFP. Please, you guys have great ideas. A lot of the things that we turn away, it's not because the idea is terrible. It's because it's not written up with all the details we need in order to give it

a proper adjudication, right? >> Yeah. >> So, >> 100%. And leveraging the resources that we have posted. I know that, I think, ShmooCon used to have a really good tutorial on how to submit something. >> Yeah, we actually built ours off of theirs. >> Build it. That's amazing. I didn't know that. I wasn't involved with >> I am very, very okay with stealing. It is fine. >> It's reappropriation. Ah, I'm just kidding. >> There we go. That's the word we're looking for. Thank you. >> So once again, you guys want to contribute. We want to hear what you're thinking, because we might be stuck in our own little ruts and you might have

some amazing ideas that would really benefit the entire industry. Bring it here. We're an international convention. Y'all are part of it. Thank you for coming. Enjoy the pool party tonight and >> see you next year. >> Yeah. See y'all next year. Very cool. >> Remember, you're changing lives. [Applause] >> No, really, that's it. Go home. >> Bye-bye. >> Bye. >> See you guys. >> Stick around. >> BSides staff, if you're here, staff, we're doing a photo.