Greater acceptance thanks to media coverage and Microsoft taking a risk
Engagement with US software giant was a win-win situation
HACK In The Box (HITB) began as a website, grew into a community and expanded into a movement when it began organizing its annual info-security conference, HITBSecConf, in the early 2000s. It may be celebrating its 10th anniversary this year with what is expected to be its biggest-ever conference, but it was almost sunk at the start.
Its first conference, organized in cooperation with a major Malaysian security software vendor in 2002, was frustrating for the HITB crew because its partner took all the credit (see previous article). When it decided to go solo in 2003, its inexperience in marketing saw it RM20,000 in debt. Few companies were interested in sponsoring outright cash, and contra deals and equipment-on-loan cannot be used to pay for a conference venue or hotel accommodations.
Undeterred, HITB hunkered down to organize its next conference, still intent on its mission to bring some of the world’s greatest IT security experts to Malaysia, at a price that would be affordable to all.
Things started to change in 2004, says HITB founder and chief executive officer Dhillon Andrew Kannabhiran. Digital News Asia (DNA) recently caught up with him and two members of the HITB Core Crew (Nucleus), Amy Goh and Darryl ‘biatch0’ Yeoh.
While the 2003 edition left it in debt, the conference was enough of a success because its speakers included members of LSD, the Last Stage of Delirium, a group of security engineers who were world-famous for constantly breaking Microsoft Corp’s Windows operating system. LSD’s participation made others in the info-security and hacker world sit up and take notice of HITB.
But it was in 2004 that HITBSecConf finally broke through into the mainstream, thanks to media coverage in The Star, Malaysia’s No 1 English daily, and its technology pullout, then known as In.Tech.
“That coverage helped us a lot,” says Dhillon (pic). “In.Tech was mainstream media, and the fact that a mainstream publication was covering us made a huge difference.”
“It validated us,” adds Amy.
The media coverage also came because HITB had managed to invite one of the world’s first ever hackers, the legendary John ‘Captain Crunch’ Draper, to speak at the conference.
Draper, whose handle Captain Crunch came from an American cereal, was one of the world’s first ‘phone phreaks’ or phone hackers, and also wrote EasyWriter, the first word-processor for the Apple II computer.
“All this made a difference because it helped open doors for us,” says Dhillon. “Before that, nobody had heard of us, and many of those who had, did not take us seriously. It made it easier to get speakers, and the mainstream acceptance made it easier to get sponsors – not many, but enough.”
This year’s conference, HITBSecConf2012 (or HITB2012KUL), will bring back some of the series’ most popular speakers from the last 10 years, including Draper, and will be held from Oct 8-11 at the Intercontinental Hotel in Kuala Lumpur.
The conference will also include a number of side events, such as the Capture The Flag network hacking challenge; the HackWEEKDAY 36-hour hackathon; two days of hands-on technical training workshops; and the HITB CommSec Village, an area dedicated to highlighting various security-related projects from the open source community and from various hackerspaces.
There will also be a charity auction just before the closing ceremony on Oct 11, with all proceeds going to the Needy Cancer Patient Fund managed by Mount Miriam Cancer Hospital, a hospital located in the northern Malaysian island of Penang whose goal is to make treatment affordable to all cancer patients.
Digital News Asia is amongst the official media for HITBSecConf2012.
However, the real turning point for HITB came in 2005, when Microsoft itself took a chance and showed the latest version of its then dominant web browser, Internet Explorer, to the public for the first time – at a hacker conference, no less.
“Microsoft was involved in a smaller way in 2004, but did not come on board officially till 2005,” says Amy.
The US software giant had taken notice of the hacker conference because a zero-day exploit affecting the Windows operating system was dropped at HITBSecConf – a zero-day exploit is a previously unknown vulnerability, which means there are no patches or fixes available to plug that security hole.
At that time, Microsoft’s Malaysian subsidiary was employing a developer evangelist named Tan Loke Uei, who was also on personal terms with many of the HITB crew. The company itself was in the midst of its mid-year review (MYR), when all full-year plans and sales targets are reviewed, budgets increased or decreased, wrists slapped or worse. Everyone goes a little crazy at Microsoft during MYR.
“I remember Loke Uei had to leave his mid-year meeting to come to HITB to verify whether it was a genuine exploit,” says Dhillon. “It was, and more media coverage followed.”
Loke Uei is currently based with Microsoft in Redmond, Washington, as a senior technical product manager with the US software giant’s Mobile Developer Experience.
“We’ve always had a very weird relationship with Microsoft Malaysia;” says Dhillon. “Apart from Loke Uei, nobody in Microsoft Malaysia wanted to talk to us ... at all. But Microsoft in the United States understood us better, I guess.”
Microsoft was not having the best of times in those years – it was reeling from the antitrust action brought against it by the US Department of Justice; and in Malaysia, its Windows hegemony was facing the threat of a very vibrant Open Source Software (OSS) movement that included many from the country’s hacker community. And HITB had now come to the attention of the software giant.
“Prior to this, Microsoft had always been in a sue-the-hackers mode. It did not engage with hackers. But for HITBSecConf 2005, it came in officially and even had a speaker on board,” he says. “It gave away early beta copies of Internet Explorer 7 (IE7) for our attendees to play around with. Because of that, other big companies started to come in as well.”
“It was Andrew Cushman who approached HITB to do an outreach with hackers,” says Amy. “Microsoft in the United States saw the value of working with the hacker community.”
Cushman is now senior director of strategy in Microsoft’s Trustworthy Computing group, and continues to be responsible for what the company calls ‘end to end trust outreach’ where he works with teams across Microsoft and the broader security ecosystem. He also previously managed the Microsoft Security Response Center (MSRC).
“In 2005, Cushman came to HITBSecConf with Window Snyder,” adds Amy, referring to Mwende Window Snyder, who was a senior security strategist at Microsoft but left the company not long after to work at Mozilla Corp, where she held the equivalent of a ‘chief security officer’ role. Snyder is now a security and privacy product manager at Apple Inc.
“It was very much a learning experience for Microsoft,” says Dhillon. “The company realized that you could engage with the hacker community; you could talk with them one-on-one; you could actually have a conversation. Suing them was not the only relationship you could have.”
It was not only HITB that changed from that 2005 engagement with Microsoft. “It changed things for Microsoft too,” he adds. “It’s this kind of engagement that led to the creation of the MSRC.”
Indeed, “Cushman was instrumental in getting Microsoft to see the advantage of engaging with hackers, instead of just suing the pants off them,” declares Amy.
Govt takes notice
With Microsoft coming on board, the way was paved for other established corporations to engage with HITB as well. The public sector, however, was a harder nut to crack.
“I think we only started gaining acceptance with the government guys in 2007 or 2008, but even now it’s not that great,” says Dhillon. “There are some agencies or ministries that support us, there are some which still don’t.”
Part of this acceptance stems from early support by the industry regulator, the Malaysian Communications and Multimedia Commission (MCMC), and especially its former director of Security, Trust and Governance, Shamsul ‘Sam’ Jafni Shafie.
“Sam at the MCMC saw the big picture, and realized that it was better that if and when something happens, the government and regulator knew who to call,” says Dhillon.
The MCMC did not sponsor HITB, but allowed its logo to be used in conjunction with the conference. According to the HITB crew, this sign-off from the MCMC aided a great deal in getting the green light from law enforcers. In Malaysia, public gatherings require police permits.
“Having a regulatory body behind us helped us in not getting closed down,” says Dhillon with a chuckle. “It made things easier, especially in applying for police permits.”
Sam was also instrumental in getting HITB inducted into the MCMC’s Information Sharing Forum (ISF) in 2004. The ISF was formed with various Internet service providers and other agencies to address information and network security issues in Malaysia.
“It was elite s**t – there were all these law enforcers and top policy guys … and us,” says Dhillon.
A virtual Switzerland
HITB isn’t beating itself up over acceptance by the public sector, or over the ‘weird relationship’ it has with Microsoft Malaysia. It accepts the fact that hackers are still not exactly popular with the mainstream.
“It’s still the same today with Microsoft in Malaysia – and a lot of other companies, to be fair,” says Dhillon. “They’re always fixated on, and fearful of, the word ‘hack.’ Get a grip, dude, it’s just semantics.”
“It’s one of the reasons why we use the HITB acronym more and more, and call our conference HITBSecConf – because of the connotation that the word ‘hack’ has, that it’s somehow ‘evil’.”
“But I can’t blame them – for a long while, the only hacker conferences were Black Hat and DefCon in the United States, and crazy things happen – hotel rooms are thrashed, elevators are defaced with graffiti, and so on. It is not really an environment to have a conversation in.”
“At HITB, on the other hand, we try to meld the underground, the mainstream, the OSS movement – it’s an amalgamation of all this. It’s a little bit of Black Hat, a little bit of DefCon, a little bit of something else, and a whole lot of HITB,” says Dhillon. “You can only get this kind of environment at HITBSecConf.”
“It’s where the white hats can meet the black hats,” adds Amy (pic).
But Dhillon is honest enough to admit that this wasn’t so much planned, as something that just happened.
“Somehow or the other, it just became like that – we didn’t go out of our way to make it so. It just ended being that way.
“Perhaps this is because HITB’s driven by our volunteers, and each of them brought something special to the table – for instance, Dr Nah Soo Hoe,” he says.
Dr Nah was a council member of the Malaysian National Computer Confederation, and widely regarded as an OSS guru.
“Dr Nah volunteered to help, and he ended up emceeing for us,” says Dhillon. “That’s the thing about HITB – it doesn’t matter what you do in your day-job, whether you are a doctor or a datuk [the Malaysian near-equivalent of a knighthood], a professional, an IT guy, developer, or a student – everyone pulls together and helps in any way they can.”
“I think HITB is special in that,” he says. “It’s a place where you can have hackerspaces and, next to them, some big established IT company and its booth.”
“This also helps with the sponsors; they don’t mind coming in for something like this,” adds Amy. “It’s non-threatening; neither a grey nor a black hat area, just a mix. It’s a neutral setting.”
[Disclosure: The writer has worked with both The Star’s In.Tech pullout and Microsoft Malaysia]