It was in January 2017 when I heard of Nullcon 2017 Annual security conference. I’ve been in curiosity since Nullcon’s 2015 information security conference in India meanwhile I was a newbie to this. So, I couldn’t make it.
It was recent when a popular Hacker’s forum named Garage4hackers showed up with an opportunity of free limited passes of Nullcon 2017 conference for the pupil on their contribution towards open source and recent works in Information Security . I enquired them about my contributions towards InfoSec community. Then I was announced to be in winners list of Nullcon 2017 tickets and they endowed me a student pass, so this is how anxiously I jumped up at the chance to see what the fuss was all about.
Before getting to my experience let me share about myself, I’ve been in bug bounties on HackerOne platform, Since 2015, I’ve been Improving my coding skills everyday to automate stuff and to create something big to contribute it to infosec community, And I love to break stuff around internet and to learn how to fix them .
It all started with an excitement as I was in awe of Nullcon’s conference and this year it was in Goa. Animatedly I asked my friend Aqeel Asif who works at zenQ as senior security analyst and It was him with whom I’ve planned this trip.
Simultaneously we were in conversation with few of our friends who are going to attend the conference, huge (bug hunters) friend circle comes up with thought of spending a week together in Goa, can have fun on beaches and for conference as well. So, we booked an apartment in Vasco Da gama, Goa which was near to airport. Where as Nullcon conference was near Mobor beach Cavelossim, South Goa. For that we need to travel 30kms, though we decided to stay in middle as it would be easier to explore North Goa as well .
Excitement was at its peak, I was going to meet such dignities of this field. Speakers, whom I follow on twitter, security teams of Google, Microsoft, Facebook, Bugcrowd, and HackerOne etc. All those International Talented researchers, Security Team Members, and were several people who I’ve spoken with online that I finally got to meet in person.
FIRST DAY OF THE BRIEFINGS
On 3rd march 2017 first day of Nullcon 2017 conference. With friends I started mileage from Vasco da gama to Mobor beach Cavelossim. Though route wasn’t that long but with beautiful view of coconut trees, fresh air and green view. We reached around 9:30am to the venue of Nullcon 2017 conference,Holiday inn resort. After registration, the admittance render a cool badge,A BugCrowd goodie bag with Nullcon t-shirt and stickers in it.
When I’ve entered the resort there were these panels at right side, those were conference rooms- Ball rooms: Ball room-A, ball room-B, ball room-C.
And at left, there was a banquet hall, which was set as an Exhibition, well organised for open source software developers to demonstrate their software and answer questions. Also specified booths of Microsoft and Google stations, they were products like cloudsek along with several I had never heard of before.
So firstly we went to an exhibition. There were around 22 stations which includes Cloudesk, Checkmark, Microsoft, Indusface, Synopsys, etc. With their webapp ctf games, their product explanation and souvenirs (T-shirts, mugs, computer bags, power banks, hats, goodies and so on).
And when on our visit to Cloudesk booth they demonstrated us about Artificial Intelligence system(AI) . And provided machine learning cheatbook.
Also at exhibition’s one station I played Indusface WebApp ctf and got power bank as reward.
Around 11am, Facebook announced the start of their ctf game and the end to be on evening of 4th march.
The best part was to be there with friends whom I hadn’t seen before as well as making some new ones. I was also excited by how approachable well-known names in the field were and was fortunate enough to attend event with the security researches and speakers I met who are twitter friends as well, @fin1te Jack,prodsec engg at Facebook. @sushihack Adam Bacchus, chief bug bounty officer at HackerOne.@Faraz Bugcrowd ASE And @Agarri_FR Nicolas Gregoire.
At briefings there were different talks at ball rooms, we are to supposed to chose our favorites, as we can only attend a single talk at one ballroom at a time. I went through the program as soon as I got it to identify several talks that I really wanted to attend. I ended up attending five talks at ball room-A.
First talk I’ve attended was of Michael Hendrickx, security engineer at Microsoft, on how to be successful in the azure bug bounty, it was an hour long and well defined.
* As per my view it was a great talk, he delivered us tips on how to make reports on bug bounties, showed us that what actual kind of reports does Microsoft expect from us. And have explained their Primary focus area and recommended us to look for Vulnerabilities. He disclosed some great vulnerability reports which they have received so far in Azure BB , And also they announced that they have Increased the Bug Bounty.
Around 12, the talk was of a Security technical program manager Jack Whitton, about increasing impact on Facebook bug bounty.
* He had shown us great tips and his ideas about the things which we should include to present our report as better one while reporting security Bugs to Facebook, and how drastically describing can impact on a Security bug.
After an hour, two presenters @Karshana sharma security Engineer at facebook, and another dignity was @Martin straka who is a security program manager at Google enclosed us great bugs in Google VRP in 2016.
* Karshana Sharma And Martin, they both have disclosed some awesome bugs, the most interesting one was about exploiting Account Recovery XSS
Fourth talk on bug bounty reports, how it has to be and how do they work. This was by Adam Bacchus, chief bounty officer at HackerOne.
* @sushihack . It was very mesmerizing talk on Hackerone program management, and on hackers behaviour on HackerOne, he gave us few helpful ideas on how to be succesful at Hackerone platform and he had also shared quite great example reports of HackerOne.
Last talk was from Bugcrowd ASE, Faraz on how to interact with bug bounty programs.
While there was a lot of people at Nullcon 2017, 1st day conference, a good lunch, had great time from start to finish. So, the day ends and we went for dinner later to apartment and spent good time together, shared views, topic discussion and good fun with friends (bug hunters) .
SECOND DAY AT BRIEFINGS.
So, On 4th march, the 2nd day at conference. Me and my friends were little tired, as last night we couldn’t have the proper rest and probably spent half of the night on reviews and excitement on what all we’ve experienced that day.
Though the next morning we were quite late but possibly managed to be there at around 10:45am something!
After friends’ greetings, concurrently we went through the program. And thought of attending a talk at Ballroom-A which was started at 11am.
The first talk I’ve attended that day. By Bharadwaj Manchiraju on training machines for applications scanning in Retro style.
It was a lunch time, after an hour long briefing.
And on that day the incredibly passionate team and the members of Garage4Hackers had invited me for a lunch. It was great to be there in discussion with those talented researchers at table, which has led to valuable new contacts. The discussion was on Garage4Hackers forum, how they’re looking forward to conduct different Ranchoddas Webcast Series with researchers online. Also they shared their valuable ideas with us and their efforts to make forum more reliable for hackers.
I must say that all the Garage4Hackers members were so passionate about their forum, even though they are working and have their own job. They still manage hard to work for forum, also maintains forum and currently said to be conducting web series as well. I was overwhelmed to know about them. One of the team member, who was is in discussion is Sandeep Kamble. I would say they really inspires me a lot, their words of encouragement were really inspiring which I appreciate about them. After a great lunch.
We grab another talk on 7 sins of ATM protection against logical attacks by Timur Yunusov & The Last talk I’ve attended was of Ajin Abraham on injecting security into webapps with runtime patching and content learning.
The day came to an end. All were gathered at Exhibition area. Now, it was time for the CTF winner’s announcement. It was won by Haxor’s, who are my close friends and they got Drones as reward.
All in all, it was great two days conference.The same evening, Speaker from Bugcrowd, Faraz, invited (us) bughunters and researches for dinner and a late night party at Benaulim beach, Goa.Around 30+ bug hunters attended the party and extremely enjoyed as well.
It was a great first experience of mine, I now see what all the fuss was about and hope I’ll be able to attend next year’s Nullcon Annual security conference.