Homegrown info-security conference with international standing almost faltered at the get-go
Now a premier event, but still cognizant of its community roots
IT IS hard to credit but perhaps perfectly in keeping with its underground ethos that one of Malaysia’s most successful tech-related exports has been under the radar for so long – a homegrown annual security conference that has made its mark on the global stage and is on the calendar of some of the world’s leading researchers and experts in the subject.
Hack In The Box (HITB) began at the crest of the first dotcom-boom-and-bust cycle as a website and community of hackers, developers, techies and all-round geeks, and not long after organized its first security conference, HITBSecConf. Many bumps and a decade later, it is all set to celebrate the 10th anniversary of the conference from Oct 8-11 at the Intercontinental Hotel in Kuala Lumpur.
Along the way it has not only managed to consistently pull in some of the world’s most renowned security experts and hackers – and at the height of their influence and impact too – but has expanded to Europe and experimented in the Middle East too. This year’s conference, HITBSecConf2012, will bring back some of the series’ most popular speakers from the last 10 years.
The A-list speakers include hacker legend John ‘Captain Crunch’ Draper; info-security legend Mikko Hypponen, the chief research officer at F-Secure; Lucas Adamski, director of security engineering at Mozilla (yes, that Mozilla); and Peter ‘Brokep’ Sunde and Fredrik ‘Tiamo’ Neij, the founders of The Pirate Bay (yes, that The Pirate Bay).
The iOS Dream Team of experts who have unleashed many jailbreak tools and carrier unlocks – given that there is a new iPhone about, one might even see some ‘live action’ at HITBSecConf2012 – will also be there, as will Chris Evans, who leads security for Chrome at Google and about whom it is said not a single line of Chrome-related code leaves the factory floor without having first undergone his scrutiny.
HITBSecConf2012 (or HITB2012KUL) will also include a number of side events, such as the Capture The Flag network hacking challenge; the HackWEEKDAY 36-hour hackathon which made its first appearance at last year’s conference; two days of hands-on technical training workshops; and the HITB CommSec Village, an area that would be dedicated to highlighting various security related projects from the open source community and from various hackerspaces.
There will also be a charity auction just before the closing ceremony on Oct 11, with all proceeds going to the Needy Cancer Patient Fund managed by Mount Miriam Cancer Hospital, a hospital located in the northern Malaysian island of Penang whose goal is to make treatment affordable to all cancer patients.
Among the items up for grabs are various t-shirts, devices and collectibles, with the piece de resistance being a one-of-a-kind XBox 360 exclusively designed by Microsoft for HITB2012KUL. The winning bidder will have the option of having his or her name featured.
This year’s conference is shaping up to be HITB’s biggest ever, so Digital News Asia recently caught up with HITB founder and chief executive officer Dhillon Andrew Kannabhiran and two members of what he calls the HITB Core Crew (Nucleus), Amy Goh and Darryl ‘biatch0’ Yeoh, to ask the questions on everyone’s mind: What, you crazy? What were you thinking of?
While Dhillon has pretty much been the driving force behind HITB, he has never been reluctant to share the credit with the HITB community members who have worked hard over the years, including Amy and Darryl. It is this combination of ego and superego, or altruism and narcissism, that gave birth to the HITB conference series – if he couldn’t go to the mountain, the mountain darn well better come to him.
Dhillon started off as a technology journalist in 1999, first with PC World and then, at the height of the dotcom craze when US online media started expanding into Asia, writing for ZDnet, MIS Asia and Cnet.
“Those were the times, man – they were paying us US$2 per word,” he says. Then the dotcom bust saw many of these organizations dialing back, and he ended up working for a local publication. “The payments kinda shifted two decimal points to the left, and I realized journalism wasn’t really my thing.”
While he was dabbling in journalism, he still kept his hands in the developer pot. In 2000, he enrolled in the Asia Pacific Institute of Information Technology (APIIT), which is where he first met Darryl.
The two young men didn’t find APIIT quite what they expected – it was not the MIT of the Asia Pacific region they were hoping for.
“We dropped out in less than a year,” says Darryl. “We failed our accounting.”
“Which is why, up till this day, we have to pay good money to outside accountants to keep the HITB books,” chuckles Dhillon.
He then joined a startup which did development work involving SMS coupons and PHP, and that company was later acquired by a small telecommunications company that is now defunct.
“So I started doing telco development stuff, which was interesting. We did some early, cutting-edge work on Voice over Internet Protocol (VoIP), even though there was never enough bandwidth in Malaysia in those days to actually support VoIP,” he says.
‘We got shafted’
Darryl was with him at the telco, and started helping out with the HITB website that Dhillon had set up in early 2000.
“We were a ‘vortal’, as they called it then – a vertical portal. HITB had a forum and a growing community, and was quickly becoming an information resource for developers and hackers. We were becoming a brand,” Dhillon recalls.
Amy interjects: “I’d just like to say that when he says ‘we,’ it was essentially him in the backroom of his mother’s house. And with others like Darryl helping out.”
“Yes, it was not quite the ‘royal we’,” adds Darryl.
HITB quickly gained a name, and a local security software company approached the gang with a proposal to jointly organize a security conference, with HITB running a ‘Capture The Flag’ (CTF) network hacking event as well.
It was supposed to have been a joint conference, with joint branding, but when the time came for a press conference, the company kept HITB out and took all the credit … and the ensuing media publicity.
“We got well and truly shafted,” says Dhillon. “We were like coolies doing all the work … for nothing. We were not greedy for any glamour or anything, but credit where credit is due.”
It’s all water under the bridge now, he adds, but it was the first of very many important lessons for HITB. “It was because of this that a lot of things happened.”
‘Famous last words’
And amongst the things that happened was Dhillon saying to the HITB crew, “F**k this, let’s do it ourselves next time. I mean, how hard can it be?”
“Famous last words,” says Amy.
Dhillon wryly agrees. “Yeah, we figured it was as simple as booking a venue and inviting speakers to come.”
That shafting from their supposed conference partner was not the only reason why HITB was looking at organizing an event – with the HITB crew and community growing, Dhillon had already been contemplating holding a gathering of some sort.
But that’s not the only other reason either, Amy and Darryl tease him. “Go on,” she says. “Tell him the real reason you wanted to hold an event like this here.”
He capitulates. “It started because I had always wanted to go to Defcon and Black Hat (the two premier international hacker and info-security events) but could never afford it. It wasn’t just the conference pass but the air flight and accommodation costs – all this was beyond me.
“So all this stems from the point when I thought, well, if I can’t afford to go to Black Hat, why don’t I bring Black Hat to me,” he laughs.
“That was the personal motivation,” adds Amy. “But the community spin to all this is that we have always strived to keep the cost low for participants. We want people who otherwise would not be able to afford it – people like us – to get the chance to hear some of the greatest speakers in the field.”
“Also, any profit we make is pumped into the next event, to make it bigger and better,” she adds. “Until today, HITB still offers student prices for its conference.”
So in 2003, HITB started working on its second conference, its first solo event.
“By this time there was about five or six of us in the HITB Crew,” says Dhillon. “The others asked me, ‘Who would want to come to Malaysia? Most won’t even know where it is.’ But I thought we’ll just invite them to come over; what do we have to lose? We invited LSD, and lo and behold, they said yes!”
LSD or the Last Stage of Delirium – what were you thinking, dear reader? – was a group of security engineers at the height of their fame, and enjoying a certain degree of notoriety, as the hackers who had broken Microsoft Corp’s flagship product, the Windows operating system.
“These were elite fellows. Because LSD had agreed to come for the conference, others took notice and said yes too,” says Dhillon. “We booked quite a bit of space at the Cititel Hotel at the Midvalley shopping mall, so confident that, like (National ICT Association of Malaysia) Pikom’s PC Fair, we were going to fill up the exhibition space.
“We booked the Midvalley exhibition space – which is so huge you could hold an auto show. We had 10 booths in a little corner, with a small space for the CTF challenge,” he recalls with a chuckle.
HITB had already prepared sponsorship kits by July, for the event scheduled for December, 2003, and had begun sending them out.
“And nobody gave a damn. Nobody took notice,” says Dhillon. “We were getting desperate, and we knew we needed a professional event management company to help us out.”
A friend, Jennifer Tai, put the HITB Crew in touch with a company called CitrineOne, which accepted the job.
“CitrineOne appointed Belinda Choong as the event director to help this bunch of idiots who obviously had no idea what they were doing,” says Dhillon.
Belinda tweaked the sponsorship kit and started arranging for the logistics, and in the process, became part of the HITB Crew and has been helping organize these events ever since. Her official HITB designation is Events Director/Conference Overlord.
“But we were so naïve – we had thought that since the cost of holding this conference was going to be RM30,000, we just needed to find three sponsors at RM10,000 each. It would have been just enough to break even, which was all we were looking at,” says Dhillon.
[RM1 = US$0.32]
But the HITB Crew had not taken into account the fact that sponsors would ask for discounts and concessions, from speaking slots to conference passes.
“We hadn’t factored any of this in. They weren’t asking for small concessions, but stuff like a platinum sponsorship at 50% off!! That would have just killed us, since we had only three slots,” he says.
In the end, HITB didn’t get a single sen of sponsorship money for its first solo conference in 2003, though there were companies that sponsored equipment and other types of resources on a contra basis. It managed to sell some booths, but ended up losing RM20,000.
“We took a while to pay back the hotel, it took a while to pay back the people we borrowed money from to pay for everything, including the speakers,” says Dhillon.
So why did HITB even consider continuing on this quest and holding another conference? Hadn’t the team learned its lesson?
“It was precisely because of this that we had to hold another conference,” says Dhillon. “We had to pay these people back. Many had lent us the money out of the goodness of their hearts and because they trusted us. We had to generate revenue so that we could clear our debts.”
HITB had learned its lesson, however. “The main reason we failed – and this is a big reason – was that we did not know what we were doing,” says Dhillon.
“But we also realized that we had not paid enough attention to the details, and this was because I was still holding down a full-time job.
“So in 2004, I made the big decision to quit my job at the telco and go into HITB full-time,” he says. “We were going to do it again, but this time we were going to do it properly.”
Coming up next: Mainstream acceptance and the plans for global domination