# My Trip to Las Vegas for DEFCON & Black Hat

## Metadata

- **Channel:** LiveOverflow
- **YouTube:** https://www.youtube.com/watch?v=bhQ6FF3fCdA
- **Source:** https://ekstraktznaniy.ru/video/23414

## Transcript

### Segment 1 (00:00 - 05:00)

This is an Android painting. I made this painting in University. So this is like vintage art 13 years old. but it's still surreal to me to think that back then I was just a student, and I was a fan of Android, such a fan to paint a painting. and now Google reached out to me to create Android security courses. and that is just insane. but yeah. the reason why I'm packing is because we are heading to Las Vegas now to Defcon where we also have like an Android workshop and we have a table to represent Hextree at DEF CON. it's really crazy right now and I want to take you along so let's head to the airport. all right I made it to Vegas I'm in my hotel room finally and I already unpacked a little bit. we brought lots and lots of PCBs. look at this so if you come to our table at DEF CON. you will get this. it's like a you know a little merchandise like a sticker but it's a PCB with the hextree logo on it. and you can solder a few LEDs on there and then they will glow with NFC connected whatever. and then we have here this stuff. so this is the secret target. this has not been publicly announced when I record this, but it will be announced during Defcon and it will be basically the first ever microcontroller Bug Bounty in collaboration with Raspberry Pi. and then all the way at the bottom here I have some Faultiers the name obviously comes from Fault injection and hextree everywhere our logo it's so crazy to see it everywhere. but I should probably go to bed now because it's 10 p.m. tomorrow is Black Hat. and I don't want to be there too late tomorrow is kind of like a free day but I still have lots of stuff to prepare for some talks and workshops that I also have to give during this time. but yeah it's exciting for us it's crazy Hextree is happening Hextree is public and we are here representing it. it feels still a little bit unreal but I'm here. so let's see how it goes. jet lag it's 4:00 a.m. in Germany it would be now 1 pm. I can't sleep anymore. 
I'm super awake um I did check Google Maps there's a Walgreens across the street and I think I will just now take a walk maybe get some drinks and snacks. it's still 34 C degree outside this is like one of the hottest days in Germany and it's dark it's 4:00 a.m. so let's head out. all right I was just at Black Hat walking through the vendor hall meeting some people I met Marcus Hutchins that was a big highlight for me. I've never met him before but he did recognize me as well so it was a very cool mutual meeting. I also met John Hammond. I went to the huntress booth but then he wasn't there. but I met his girlfriend Kaitlyn again and she texted him and so he came by, but as soon as he came back to the booth everybody swarmed him again and wanted photos with him. so I felt really bad because I think he had left because it got a bit overwhelming and because of me he came back so... sorry John for that. but now I'm back in the hotel room. actually I'm in the hotel room from stacksmashing and as you can see here he has a little bit of a recording setup because he's still like getting courses ready for Defcon where we have a really special Hardware security challenge stuff. and he wanted to get the hardware courses ready for that which is absolutely insane. we are just in work-mode here, not much socializing. I'm also sitting here in the room just working on some last minute Android stuff because we're also releasing the Android continent I think tomorrow. soon I will meet up with some Google folks to talk about that as well and yeah that's it it's kind of like startup life. busy. but it's cool it's very exciting and we are very proud of Hextree and being able to represent it so it's fun it's exciting it feels like we are doing something productive something that has that matters so that's pretty cool. Today is Thursday the 8th of August today I actually have an event at the Las Vegas university. in parallel to Defcon and Black Hat Google is organizing init.g it's an event for students so that's happening at the Las Vegas University and I'm scheduled to give a

### Segment 2 (05:00 - 10:00) [5:00]

20 minute talk about Android application security, Android reverse engineering, and I'm just going now over the slides again to prepare myself. so far my anxiety level is pretty good, I feel pretty chill but I know myself. just before the talk I might throw up or something. initially Thomas would have also come with me and that would give me more security because then he could do the talk and I could run out of the room basically. but he's so busy over at Black Hat. he just gave his Black Hat talk as well and he would now have to leave that and come with me to the Las Vegas university for a short 20 minute talk that basically I'm giving. so yeah I told him: "Thomas, it's fine you are very busy. stay there I can do it alone". which I should be able to do alone and he was very grateful as well he would have come with me to assist me and help me give me a little bit of support. but of course on paper it's really dumb that he comes with me. and I see that too. so I told him just stay there I will manage. so let's see how it goes. all right I'm in the auditorium this is where I will hold the talk yeah lots of seats. so far I'm feeling pretty good but um yeah the nervosity will spike just before it. especially there's like lunch right now so there's lots of noise and that makes me always very nervous. so using here the quiet room to calm down and go through the slides again and then yeah see you in a moment. All right I will still say, that Google has a really nice bug bounty program for Android that pays really well. Fabian, take it away. hello everybody! who has done some Android stuff before or is this all new to you? okay perfect so then I hope I can give you like a quick start into Android hacking. so I'm Fabian I'm from Germany, I'm a security consultant by day, I do like code audits and um report vulnerabilities. and online I'm also known as LiveOverflow, I have a YouTube channel. you are basically my target audience so if you don't know the channel check it out! 
like and subscribe! all right stay curious and um keep hacking and thank you so much for your attention. all right I just came out of the University Building I'm now waiting for my Uber heading back to the hotel because I have to work on my workshop for tomorrow and then later I hope I get a chance to go to DEF CON to see our table there. Thomas already praised it very highly. so I'm very curious to see it and then maybe, if I manage to finish the workshop uh I will go to the Microsoft party tonight but let's see, maybe I also skip that don't know yet. it's 6:00 p.m. and I'm still sitting here working on the workshop for tomorrow um at 8:00 p.m. I believe there's a Microsoft party that everybody is talking about. thinking about going to Defcon to check out our table our area. I haven't seen that yet. and then the other thing do I really want to go to a party. uh I should go to bed early anyway let's see. let's go to Defcon. let's see if Thomas overhyped our table he's pretty excited he said he's almost got emotional seeing it so yeah let's head there and check it out. okay I'm here now at the Las Vegas Conference Center but I'm apparently very wrong like as you can see there's nothing here. there's literally nothing. I have no clue where I am. but apparently I'm very wrong. um yeah I need to figure this out. all right I just met somebody with a Defcon badge and he told me to go up this escalator and then down there apparently. so wish me luck. I feel like there should have been some security, I shouldn't be here. I feel like what does the sign say? yeah not very helpful okay what the f'. I have no clue. there are some people with some thrasher t-shirts - not quite DEFCON but getting closer I think. hey yo looks like I made it I found it! I'm here and I feel like I backdoor it came in without going through the check.

### Segment 3 (10:00 - 15:00) [10:00]

all right I'm here at our table you can see our logo here. it's pretty unreal it's a day before Defcon and we just set up stuff. here we have three raspberry pi with screens where we can show Hextree and our courses and videos. we got them from Raspberry Pi they have the table behind us. it's pretty unreal it's pretty crazy. it looks so professional as if we like are a real company with like uh stuff to show. it's insane. it's also crazy to see this, it's like, you know it exists, it's like physical. it's pretty cool, I wonder how full it will get tomorrow right now pretty quiet. just leaving Las Vegas Convention Center checked out the table it's pretty cool to see we also were at the speaker party drinking thing for a moment. talk to some people. actually met somebody from near my hometown! speaking the German accent where I'm from! pretty crazy and I hope if you're at Defcon that you check out our table and see you there. you know what I just felt a drop is it raining now there's a water drop there's another one. let me actually check the weather. for a moment I thought somebody's spitting on me. but it doesn't say rain on here. uhm interesting so it might still be spit. good morning! it's Friday. it's not even 7 a.m. but I woke up kind of naturally I still want to prepare a little bit the workshop. but also Thomas gave me the PCB and the target the glitch tag. this is the Faultier, this is the one that can do the attack, the glitch attack, and then we have the glitch tag which is based on the air tag, the same chip, and we try to glitch this one. so I can try out the challenge that he prepared with the videos on hextree. it would be good that I have done it at least once so I can even help people when I'm at the table. so let's see how that goes. All right. today is the big day. I have a workshop to give at a Google Bug Hunter event, but everything that I am teaching there at the workshop you can learn also on hextree.io we have a whole Android continent where you can learn from zero to being able to find bugs in real applications. for example in the ContentProvider course I showcase a vulnerability that I found in the Flipper zero Android app and that's also the example I will showcase today in the workshop. so if you want to learn that stuff too just head over to hextree.io but yeah so let's get going I have to go to a place called starbase Google is renting it for this Bug Hunter event. all right we are here everybody's sitting up still right now um it's a crazy Place uh weird stuff here so when you look up like Android for bug Bounty I think there are like two worlds. there are the people that basically just want to reverse engineer Android applications, intercept SSL and so forth, to discover maybe hidden apis and increase the scope in the web bug bounties. in the end it's kind of just web hacking. you just use the client to figure out maybe some hidden apis that you don't know about. but we want to focus today more on actually finding bugs in an Android application. part of that is also reverse engineering, but often times we don't even need to dabble in networking setups and that's why also we don't need that today. we have different threat models in this world as well and in the end we want to exploit bugs inside of an app. last night I was at a red team Village party where I met NahamSec and Jhaddix for the first time! that was very cool! John Hammond was also there so we caught up there as well. that was really nice getting all together for once. I'm not in the US creator bubble

### Segment 4 (15:00 - 20:00) [15:00]

so for me this was really cool to meet all of them. now I'm heading out for the second day of Defcon my voice is already maybe a bit hoarse if you can hear that, but I also now have to go to a locker box because we ordered stuff from Amazon for our table at Defcon. so yeah let's get going. all right I'm back at the Village area you can see it's empty because it will open up in like 20 minutes or so. there's a huge line already in front of it. I have the Amazon packages with some stuff for our table and Thomas should already be there. I'm excited to start the second day. this now like a full day of standing there at the table. yesterday I was at the Google event before, so it wasn't too bad. but today will be more crazy. that's the HackTheBox booth with: "where the real cyber pros level up", which is false! it's actually over here! so we have screens here where you can browse hextree and watch the videos. we ordered headphones that just arrived today that I picked up and then other people can sit with their own laptops right next to here. and then do the glitching lab. let me show you the devices. so this is the faultier, this is basically the attack board designed by Stacksmashing. it's also based on a Raspberry Pi as you can see. and this one can do a voltage glitch so it can like drop the voltage momentarily. I mean this is what you learn in the glitching lab so you should just watch that. And this is the target! this is the glitch tag it's based on the Apple AirTag chip. basically and you can learn how you could glitch a real AirTag. of course here you know all the pins are already exposed for you, to easily hook them up to the attack board, but yeah that's what we are doing here. it's pretty cool people seem to like it, it's really easy. Thomas had made a great job with the videos introducing it. all right people are coming! oh my gosh it's very busy but I'm in such a good mood. it's such a great experience, people like our platform. it's so cool! 
it's also cool I met so many YT creators now! I met others from our like Creator Discord. Laurie Wired I also met she was also super nice. yeah it's pretty exciting everybody is wishing us luck and it's rooting for us that's so cool. Thomas is right now giving also a little glitching demo and overall it's just such a great experience. sometimes when I think about it almost like tear up, because it's like so special for us. for me. for hextree. because we built it for so many years and now it's public yeah. yesterday was an incredible day for us maybe you can hear it with my voice uh the village were open from like 8 a.m. to 6pm. and from the start I've been just standing and talking. from the beginning people were there it was very busy, you can see it on the few clips that I made. there were always people there sitting down, waiting in line to do the glitch lab. it was amazing and then of course lots of people came up wanted to take pictures talk to me and so forth and it was so nice. everybody was so kind and nice, shared had so many nice words with me. overall it was just an incredible day. we are just happy. that's the easiest word how to describe everything. it makes us so proud to see hextree that we have been secretly working on for like four years or so. we announced it one and a half years ago. just a month ago we open it up to the waiting list. and now it's like fully public now. this event here is basically our big release party. and it's just great. everybody is giving really good feedback, and if you have negative feedback please we need it we have too many people saying nice stuff but uh we need also some critical feedback. we're just super happy. and today's the last day, I believe it's also not a full day, which is probably good because then it's over. the last month with the Android continent deadline to finish that course

### Segment 5 (20:00 - 25:00) [20:00]

preparing the glitch lab, preparing our travels here, coming here doing a Google Workshop, doing a talk at the Las Vegas University, running the glitch Lab at Defcon, socializing meeting with other people, going to dinner. everything is over today and that is a good feeling to be honest. it were it was some very stressful months! you know I also didn't upload a YouTube video in 6 months... this is the reason. I had to prioritize, or I wanted to prioritize, hextree because we want to build something. and yeah... all right anyway, I have to get dressed now heading to the venue for last day see you there. Not yet bye Defcon, but last day just walking to the vendor area. which will open in like half an hour getting set up. all right that's the end of it tables are empty everybody got kicked out and we are now picking up everything. packing everything together and then it's over. heading to the party afterwards. it's insane I'm exhausted. but we are so happy. it's such a cool experience, we had such a good time here. thanks to everybody who came by and did the glitch lab. yeah and check out hextree.io, the courses will be available there as well. so see you bye! want to like plug your podcast? unnamed reverse engineering podcast! unnamedre.com it's so cool to meet so many creators here. finally in the US bubble it's really nice as a German. all right Black Hat and Def Con is over. those were some quite exhausting days. but we are very happy everything went so well. we are just very happy how everything went. based on the stats we have on hextree, estimate that we taught around 150 people the introduction to fault injection and glitching. which is really cool because it's still a like a niche topic and it can be quite Advanced Hardware hacking. so being able to say that we maybe introduced 150 new people into that field is pretty cool. and overall, like of course we were able to expose lots of people to hextree. and yeah we are very happy about that. 
as you can see I'm dressed up, because I'm so excited for the CTF after party. the past few months were so exhausting. we had deadlines with the Android continent for Google and then preparing for Defcon of course. and now the past few days were of course full of just doing stuff. but now everything is over. and I'm just so excited to relax and just have a good time. usually I'm really not a party person, I don't go to clubs, I don't go out, you know and never do this... but tonight I'm really looking forward to just have a few drinks with nerds in the same room and just you know forget a little bit the past few days! actually I don't want to forget them they were really great but I think you know what I mean. I'm just excited to finally unwind and not have to worry about all the stuff that's going on. if we saw each other at Defcon, thanks so much for coming by. everybody I met was so nice and kind to me. and I really appreciated you coming over. all right. thanks so much for watching, I will go back into liveoverflow making videos very soon, I still owe a webp vulnerability video that I'm really excited about, but because of hextree and priorities, yeah you have seen I haven't uploaded a video in quite a while. but for now I will go to party so see you soon! [screech] Ok this CTF party didn’t go as planned… So we arrived in the hotel lobby and we got picked up to get past the hotel security. We entered the Hotel Suite at a side entrance. Here is a rough sketch of the Hotel Suite, but I don’t know what’s in this area. I entered through this side door, and I basically never left this area. It was insane. CTF player after CTF player just kept coming to me asking for selfies. I have NEVER experienced anything like that. They were all so incredibly nice, but it also was incredibly overwhelming. getting this kind of attention is something I am not used to. 
so at some point I had to go to a quieter place, a bathroom nearby and just sat down for a moment to process what just happened. I was able to calm down a bit. And eventually I felt recharged and was planning to head to the actual party area which was supposedly somewhere here. But when I walked over there, the light was on, no music, and police with a dog kicking everybody out… yep… that was it… I am still kinda sad about this anticlimactic end to our trip. Even several days later, back home in Germany, I am still mad about it. This CTF after party meant a lot to me

### Segment 6 (25:00 - 26:00) [25:00]

I was really looking forward to it and unfortunately it was cut short… But thanks so much to everybody who came to me and talked to me. I am sorry if I was awkward, seemed distracted or seemed not engaged properly in conversations, I was just completely overwhelmed by the whole situation. I appreciate all of you very much, you made me feel very proud of myself that night. And I hope to see and talk to you properly at another CTF party again. Well... that was it. That was our trip to DEF CON. Our release of hextree.io… Afterwards we went hiking for a bit and just relaxed. We really needed it. I also completely forgot to thank the embedded system village in this video, so thank you very much for having us, you took great care of us. Hopefully we can do that again. Of course also thanks to Raspberry Pi for trusting us building the security challenge and working with us on the new RP2350 chip. And thanks to Google for trusting us to create official Android application security courses. And again, thanks to every single person I met. You were all so great. thank you.
