Black Hat Europe 2015

Black Hat is a famous computer security conference held annually in the USA, Europe and Asia. Philippe Arteau, the original developer of FindSecurityBugs, was accepted as a presenter and, because of my significant software contribution, he suggested that we present the tool together. Y Soft then supported me in taking this opportunity.

Black Hat Europe 2015 was held in November in Amsterdam and over 1500 people from 61 countries attended this event. The conference was opened with the keynote called What Got Us Here Won’t Get Us There, mentioning an upcoming security apocalypse, complexity as a problem, security anti-patterns, taking wrong turns, developing bad habits, missing opportunities or re-examining old truths (using many slides). The Forum and three smaller rooms were then used for parallel briefings – usually one-hour presentations with slides and some demonstrations of the latest developments in information security. There was also a Business Hall with sponsors, free coffee and a Tool/Demo area for the sub-event called Arsenal. Here we and mostly independent researchers showed our “weapons” – every tool had a kiosk for two hours and people came closer to see short demonstrations and to ask questions.

Despite presenting during lunch time, a fair number of Black Hat attendees came to discuss and see FindSecurityBugs in action. The most common questions were about what it can analyse (Java and other JVM languages like Scala, no source code needed), which security weaknesses we can detect (the list is here; a few people were happy that there are also detectors for Android) and whether it is free or not (yes, it is open source). People seemed to like the tool and someone was quite surprised it is not a commercial tool 🙂

There were many interesting briefings during the two days. One of the most successful presentations (with applause in the middle of it) explained a reliable software-only attack to defeat full disk encryption (BitLocker) in Windows. If there was no pre-boot authentication and the attacked machine had joined a domain, it was possible to change the password at the login screen (and have full access to the system) by setting up a mock domain controller with the user password expired. Microsoft released a patch during the conference. Other briefings included breaking into buildings, using continuous integration tools as an attack surface, fooling and tracking self-driving cars or delivering exploits “with style” (encoded in an image/HTML polyglot). One presentation (about flaws in banking software) was cancelled (or probably postponed to another event) because the findings were too serious to disclose at that time, but there was an interesting talk about backend-as-a-service instead – many Android applications contain hard-coded credentials to access cloud services and researchers were able to extract 56 million sensitive user records. You can download many of the presentations (and some white papers) from the Black Hat website.

I also had time for a bit of sightseeing – there was a special night bus for attendees to the city centre and I was able to see it again before my flight home too. Amsterdam has nice architecture separated by kilometres of canals and it is a very interesting city in general. What surprised me the most were the bicycles everywhere – I had known people ride here a lot, but I didn’t expect to see such a huge number of bikes going around and parked in the centre. They don’t wear helmets, sometimes carry a few children in a cart and don’t seem to be very careful (so I had to be a bit more careful than I’m used to when crossing streets). Walking through the red-light district De Wallen with adult theatres and half-naked ladies behind glass doors is a remarkable experience too (don’t try to take photos of them, they’ll be angry). Sex shops and “coffee shops” (selling cannabis) are quite common, not only in this area.

Another surprise came at the airport, where the inspection was very thorough and I was forced to take everything out of my bag (which I was not very happy about, because it had taken me a long time to pack it into a single piece of cabin baggage). Just after (when I connected to the airport Wi-Fi) I realized what had happened in Paris recently. The plane was also surprisingly small and, for the first time, I received special instructions for opening the emergency door (since my seat was next to the right wing by chance). Nevertheless, the whole trip was a nice experience for me and I was happy to be there, so maybe next time in London 🙂

I had the honor of opening the GeeCON Prague conference with a short keynote. I spent several months thinking about appropriate topics, as I wanted to express the reasons and motivation why we have partnered with the GeeCON team and cooperated to make this happen. Now that the conference is over and we all feel positive about it, my colleagues asked me to share the keynote slides with them. I feel that the slides are not very comprehensive on their own, so I am writing this short post, trying to explain what was on my mind and what message I tried to give.

Two years ago, when we started to look around to search for interesting groups, projects and events within the developer community to support and work with, we realized that there was no conference for Java developers in the Czech Republic and there hadn’t been one for at least 8 years. The last such event was probably the Java Days organized by Sun in 2006. Anyway, we set out to Krakow with a simple mission: bring GeeCON to the Czech Republic in two years. Mission accomplished. It was fun and a learning experience, I met lots of great people and I am simply happy that I have the opportunity to work with them. So let’s dig into the keynote…

GeeCON in Prague

We met for two days in Prague, with 42 speakers giving talks in 3/4 parallel tracks, more than a dozen partners and almost 500 participants. Two days packed with information about Java, the JVM and related tools and technologies.

In 2013, we started to look around for events, communities and organizations to cooperate with. Cooperation with the community is important for any public company and, in our case, it is about several things. First of all, any kind of such cooperation gives you the much needed perspective on yourself. It also gives you the opportunity to give something back and to bring something new to your work. For us, it is also about presenting Y Soft and showing the public what we are doing. When we started in 2013, we realized that there was no conference for serious Java developers and we set out on a mission to bring one to the Czech Republic. How this came to this end is perhaps a topic for another post :-).

And so we were there, and I used this opportunity to think out loud about how the developer community could and perhaps should work.

Have you ever wondered why some communities work and some don’t? Well, the key concepts are, in my opinion, contribution and a sense of ownership. You probably think that this is just too obvious and trivial a thought, so let’s elaborate.

One of the key traits in Silicon Valley is the notion of Paying it forward. This means that everybody is trying to help others without expecting an immediate return. Help is seen as a long-term investment – you do something for somebody now and somebody else will help you when you need it. The most fascinating part of this is that this really works, and not only in the Valley.

When you create something, you own it, but at some point you need to let it go and open it up, so others can contribute. And whenever you do this, you are transcending yourself through your work and letting others share in your ownership alike.

All contributions do count – no matter how big or small they are. You can do something as small as attending a meetup or joining in a public discussion.

Y Soft is a proud contributor and we proudly share the responsibility for the state of the developer community here in the Czech Republic. We are also a proud contributor to GeeCON, having been a Platinum Partner in 2013 and 2014. We have a plethora of other projects, such as the Y Soft Technology Hour.

I would like you to think about your contribution. It does not matter whether you do something small or big. But it makes sense to be serious about it, because we all share the responsibility for the developer community in the Czech Republic.

The complete slides to my keynote are available at