I've been great friends with Aseem and Murtu for a long time, and they are two of the most humble and down-to-earth guys I've ever met. They've done a really fantastic job with their flagship con - Nullcon Goa - and this year have embarked on organizing Nullcon Delhi!
Nullcon Delhi is next week and I am very thankful that they agreed to this interview, even though they were exceptionally busy! So without further ado - we present Null and Nullcon!
NC - Aseem Jakhar and Murtuja Bharmal, Null Community and NullCon
VR - Vivek Ramachandran, Founder SecurityTube.net
VR: When did the Null movement start? And what was the inspiration?
NC: It all started back in 2008, when we and a bunch of colleagues were discussing active information-sharing platforms in the information security domain. India being the global hub of software development, it was a little surprising that there were no active infosec communities. This, coupled with the problems we faced during our learning phase because there was no one to talk to, mentor or guide us, made us think of starting a community with no boundaries, i.e. anything security and hacking was welcome. The aim was to create a security research platform, share knowledge and assist any organization with security-related issues. We started the null mailing list in July-Aug 2008 and made our first public appearance at BarCamp Pune in Nov 2008, where we announced that we were starting physical null community meet-ups in Pune. There were a few hackers and security professionals whose needs were answered by null, and they joined in as volunteers. There has been no looking back since then. It has not been easy, but it has been a very interesting journey. Null is now a registered non-profit society with over 2400 members on the mailing list, and more than 150 security professionals and hackers meet every month in different cities at the null meets.
VR: How many chapters do you have in Null right now? How do you coordinate with Chapters on the monthly agenda?
NC: We have six active null chapters throughout India in major cities - Pune, Bangalore, Mumbai, Delhi, Hyderabad and Chennai. Every chapter is run by 2-3 moderators. They are run as a community rather than an organization. The moderators decide the agenda of the monthly meets and make sure we have a suitable place for the meets. There are generally presentations by members and discussions on hot topics in security. The chapters run independently, with all the information being collated on our community portal http://null.co.in. It is amazing to see the kind of deep technical talks and information exchange happening at the null meets. There is training on RE, introductory sessions for newbies, news bytes about recent happenings in the security domain, research talks, tool releases and so much more. The meets are free for everyone, i.e. no registration, and as we say at null – just come with an open mind.
VR: Apart from information sharing what else does Null do?
NC: We have several projects running. All projects are run by null members who have volunteered and taken some time out of their busy schedules to manage those projects.
- Software projects: There are various open-source security tools written and contributed by null members. The details can be found at http://null.co.in/section/atheneum/projects/. Some of the noted projects include Game|Over – the web security learning platform, Jugaad – a Linux remote thread injection kit, Wireplay – a server communication fuzzing tool, Malware analyser and many more.
- Project Keeda: A database of vulnerabilities found in the wild. Researchers who find it difficult to report a vulnerability and get it fixed report it to us, and we take on the responsibility of reporting it to the vendor and getting it fixed. There is no restriction on the type of vulnerability one can report, i.e. even vulnerabilities in custom websites can be reported to Keeda. For more details you can visit http://keeda.null.co.in
- Null Jobs: A free portal for posting and applying for security jobs. We have been running the portal for more than a year now and have received hundreds of job postings and applications. Many people have found the right jobs through the portal. We have changed the way security job openings are communicated by having a centralized portal for most of the security jobs in India. We plan to take it international in some time and assist the international community in the same way. Details can be found at http://jobs.nullcon.net
- null Humla: Humla literally means attack in Hindi. It is an informal, hands-on offensive workshop and gathering. This happens in most of the null chapters. It is a day-long session on any offensive technology picked by the volunteers. We have a Humla champion who runs the show. The session is totally free; however, to maintain the quality, registrations are limited.
VR: When was Nullcon founded? And how many years has it run?
NC: nullcon was founded in 2010. As of writing this we have had 3 successful conferences in Goa (Feb-2010, Feb-2011, Feb-2012) and have decided to go bi-annual with the introduction of nullcon Delhi in Sept 2012 (26-29th Sept), which will be our fourth event overall and second in 2012.
VR: How did it all start? What was the inspiration behind Nullcon?
NC: We realized that we needed an integrated platform for exchanging information on the latest attack vectors, 0-day vulnerabilities and unknown threats with the international community and the industry as well, and nullcon was born. I still remember how we argued on the name; at one point we also thought of naming it h4ckf357 ;-). The objective of the conference is simple: unearth next-generation security and attacks and get all the niche researchers, CXOs and Govt. under one roof to discuss the future of information security. I'm not sure about other countries, but in India we were surprised to see the active participation from all the concerned Govt. agencies right from the first conference onwards, which was more of a shock (in a positive sense) to us given the stereotypical Govt. response :-). Now we can proudly say that within three years nullcon has become one of the premier security conferences in Asia, and we do not wish to stop here. We have plans of going international (out of India) in some time. Currently, we are looking at international destinations and doing a feasibility study for the conference.
Last year we decided to go bi-annual in 2012 with nullcon Goa in Feb and nullcon Delhi in September. Although the talks and training are almost similar in both the conferences, with nullcon Delhi we will target the Govt. and the corporates more, as Delhi is the national capital and the hub for the Govt. agencies. Nullcon Goa continues to host a mix of all types of attendees and has something for everyone.
VR: How did you find your first volunteers for Nullcon? Was it difficult to convince them to help start a new conference?
NC: The community realized the potential of doing something different and new. When we approached volunteers to help us with certain tasks, they agreed enthusiastically. It is all because of the volunteers' dedication to support the cause that we are able to put up a great show. We have an excellent review panel which helps us with a neutral and technical review of the submitted papers. Our CTF team is just super-amazing; they keep surprising us with every CTF.
VR: How many days in advance do you start planning for the conference? And how much work is involved? We are asking this as most people fail to appreciate the sheer hard work and sweat it takes to deliver a fantastic show!
NC: We start planning for a conference 8+ months in advance. Don't even get me started on the work part. It requires a hell of a lot of backend work before the conference and patience to make it happen. I can write a long book on the DOs and DON'Ts and the work involved in organizing a security conference, and still that would not be enough to talk about the effort involved. Most conference organizers would agree with me on the work part :-).
For us nullcon is also a bread-winning job, and hence it gets tougher. In 2011 we realized that if we want to take nullcon to the mainstream we have to sacrifice our current jobs and dedicate our full time towards the conference. I do not regret that decision, but we are yet to see the light of day, i.e. the bread :-). India as a market for security conferences is not mature enough, and it will take another year or two to understand the true value a security conference holds. We are ready to wait. On the other hand, we have found enormous talent by way of the quality submissions we get from within the country.
VR: When is Nullcon this year? What does the conference have this year – Talks, Trainings... ?
NC: nullcon Delhi is scheduled in Sept 2012.
Venue: Leela Kempinski, Gurgaon
Dates: Training – 26-27 Sept, Conference – 28-29 Sept 2012
It's an action-packed conference in Delhi. We have added quite a few sub-events at the conference.
- nullcon Blackshield awards: An annual award ceremony to honour organizations, thought leaders and researchers who drive innovation in the information security domain.
- Reboot: Yes! We are having an exclusive preview of the Reboot movie at nullcon Delhi. I think everyone in the hacker community is aware of the movie. For those who are not, you can check out the movie trailer on their official website http://rebootfilm.com. A special thanks to Sidney Sherman and Joe Kawasaki for giving us the opportunity to show the preview at nullcon.
- Prototype sub-event: Prototype is an excellent opportunity and platform for security organizations to present their new and innovative security technologies/products to the conference attendees, to attract industry recognition and to boast about their technology's capabilities. These talks are reviewed by the nullcon team and selected based on the innovative features of the technology. The talks are strictly technical, as opposed to vendor marketing talks.
- Security Conclave on Critical Infrastructure Protection: A focused panel discussion of 90 minutes. Expert panelists from Govt. and large private organizations will create the road map for the protection standard and processes. The idea is to come up with suggestions and drafts for creating standards for the same.
- Exhibition: We have added an exclusive exhibition area for vendors to engage with the attendees and showcase their products.
- Executive Briefing: An exclusive two-hour sub-event for senior management and CIOs, presenting summarized content of the conference talks/events to them and giving researchers an opportunity to get access to the decision makers.
- Nullcon Job fair: An exclusive booth at the exhibition for hiring the best talent and submitting resumes. This is the right place to get to the right place :-)
- Training: This is the second time we are doing training at the event. We have seven advanced security trainings at nullcon Delhi on various niche security topics. You can find more details about each training at http://www.nullcon.net/website/conference/it_training.html
- Reverse Engineering and malware analysis - Abhisek Datta
- Xtreme Xploitation – Omair
- Mobile application hacking: Attacks & Defense – Hemil Shah
- Attack incident investigation by log analysis – Murtuja Bharmal
- Xtreme Android Hacking – Aseem Jakhar & Anant Shrivastava
- Xtreme Web Hacking – Akash Mahajan & Riyaz Walikar
- Secure SDLC and code review – Akash Mahajan & Prashant K.V.
- HackIM CTF: We just closed the HackIM Delhi 2012 CTF and announced the winners. For more details about the CTF one can visit http://ctf.nullcon.net
VR: Who is giving the Keynote this year? What’s it about?
NC: There are two keynotes scheduled at Delhi:
- Day 1 keynote is by Mr. Raghu Raman. He is the CEO of one of the Govt.'s most ambitious projects – “National Intelligence Grid”. He is a thought leader and one of the most sought-after luminaries in Infosec. His talk has been kept as a surprise.
- Day 2 keynote is by Mr. Richard Thieme. He is a well known international author and speaker. He is going to talk on the dark side of intelligence and security.
VR: I know all talks will be fantastic but are there any key talks you would like to highlight which are a “MUST WATCH” this year?
NC: Oh yes! There are many. The talks are really good this time at Delhi. However, a few of the highlights:
- The talk on DTMF fuzzing by Rahul Sasi promises to be an eye-opener for alternate fuzzing methods for telecom applications.
- Our signature Desi Jugaad talk – This year in the Desi Jugaad track Antriksh Shah is disclosing a serious bug in the Apple store that allows one to bypass the payment process and download the apps for free.
- The talk on hacking hardware equipment (set-top boxes) by Zoltan Hornak, who will showcase his innovative methods of breaking the box.
- Prasanna is releasing his tool for penetration testing SAP setups; the tool is built on the IronWASP framework by Lavakumar and is named IronSAP.
- Ajit Hatti is going to present his analysis and comparison of the internet banking security of various banks and is coming out with a checklist to measure the effectiveness of security.
- Aditya and Subho are releasing AFE (Android Framework for Exploitation) at Delhi.
- Michael Sutton and Pradeep are releasing a new utility for behavioural analysis of mobile apps.
- Ravishankar is going to talk about vulnerabilities in USSD code implementations in telecom applications.
VR: How many CFP submissions do you typically receive? For how many speaking spots?
NC: We typically get more than 60 submissions per conference, and it is increasing with every con. The slots range from 20-25. It is extremely difficult to select one talk over the other, as most of the talks we receive are really, really good and innovative. What we do instead is keep all different kinds of talks and try to refrain from keeping similar talks. One common problem which other organizers must also be facing is late submissions. The problem is that we review papers as they come, and quality submissions coming in late have less probability of getting selected if the slots fill up or if we are left with very few slots; this is when it gets very, very difficult to choose one talk over the other, given that most talks are really good quality. So, researchers, if you are reading this, PLEASE SUBMIT EARLY :-)
VR: In all the years with Nullcon, which was the most memorable event / experience?
NC: It is hard to pinpoint a few moments, as each and every nullcon is a remembrance in itself. We make history every time :-). Every participant has his/her own experience and moment at nullcon that creates a long-lasting impression on them. I have had my share too :-). I still remember the audience enthusiasm when we had our first Desi Jugaad talk on hacking auto-rickshaw meters, where the speaker demonstrated the hacks live with an actual meter. Then there was the long discussion on the security scene in India at the beach till 4 in the morning with the volunteers. I also remember the villages room was half taken over by the Android village, with very little space left for other booths. And then there are those “Oh! You know this new technique...” moments and secret discussions on new attacks and vulnerabilities. I really like the hunger that the attendees have for learning something new and getting into the details of things. One of the most tiring moments is going to the interiors of Mumbai, Delhi and Pune to search for that perfect nullcon goodie.
VR: On the other extreme, was there ever a nightmarish situation at Nullcon? Could Nullcon ever have been cancelled?
NC: Yes, we have had those situations. We made up for it by putting in our own reserved savings. As I mentioned before, we are yet to break even on the conference, but our passion for running nullcon is so strong that we do not see ourselves giving up anytime soon. One of the major problems in India is the cost vs. charges game. While the cost of organizing is the same as or more than in other countries (especially the hotel cost compared to other countries; yes, we have looked up the cost for even Las Vegas and a few other places), attendees are not willing to spend for passes in line with the costs. The problem we see is that the whole culture of going to conferences, learning new things and meeting fellow hackers is yet to pick up here, and we are confident that it will change in a year or two based on the response we are getting at nullcon.
VR: Based on previous years, how many attendees are you expecting this year? Where is the conference venue this year?
NC: We had around 300 participants in Goa 2012. We are expecting the same numbers, if not more, in Delhi, as it is our first time in Delhi. The venue for Delhi is the exotic Leela Kempinski in Gurgaon.
VR: Your CTFs are really popular! What is the secret recipe?
NC: All thanks to our “League of Extraordinary Gentlemen”. We have an amazing CTF team who work hard to make the challenges. We have three different types of CTFs running at nullcon. All three are designed to be different.
- HackIM: It is our web based CTF with different levels and challenges and open to all. We usually launch this prior to nullcon and the winner gets free stay + conf pass for nullcon.
- Battle Underground: BU is more of a theme-based CTF, and the challenges include breaking into systems. Since 2011 we have been running this challenge over the cloud for everyone to play. BU opens during the conference.
They are also not allowed to use the toilets for free. If the participants need food or water or want to use the toilet, they have to solve codes given to them periodically. Their main challenge is chosen before they enter the jailbreak and can be anything from finding real-world zero-days to writing exploits or security tools. The first one to finish the challenge can break free from the jail. The winner gets a cash prize (the last JailBreak winners won INR 12000). We even shoot the JailBreak videos. We could say it is one of the first reality shows on hacking. You can watch the two-part JailBreak show on our YouTube channel:
JailBreak Part 1
JailBreak Part 2
VR: Party Time! So what’s up for the Nullcon party this year?
NC: The nullcon networking party has become an important event in itself. Everyone looks forward to the party after the conference. We try to keep each party exclusive and something to remember us by. If you have never been to a nullcon party, it's about time you came and had fun with fellow hackers. The Delhi party is more of a business cocktail party with lots of opportunities to network with CXOs and Govt. folks.
We are organizing the following events during the cocktail:
- nullcon Blackshield award ceremony
- Private open-air preview of the Reboot movie with cocktails and snacks.
VR: When are you planning to open the CFP for the next conference?
NC: In fact, the CFP for nullcon Goa 2013 is already open. One thing we always advise submitters is that we review papers on a first-come-first-served basis, so if you wait for the last moment for the submission, the chances of rejection increase regardless of the quality of the paper, as we will have already selected a good number of papers. So, we again request the community to submit early, as all we need is the detailed abstract and not the whole paper. The link to the nullcon Goa CFP is: http://www.nullcon.net/website/goa2013/cfpGoa2013.html
VR: OK, you can thank your sponsors now
NC: We would like to thank all our sustaining and past sponsors; without their support we would not have been able to put up the great show.
- Microsoft: Sustaining Sponsor – Thank you Katie Moussouris for believing in us.
- Qualys: Past sponsor. We really thank Wolfgang Kandek for holding our hands during our infancy stage and look forward to working with Qualys again.
- SANS: Sustaining sponsor – Thank you Suresh Mustapha for supporting us during our infancy stage.
- Palantir: Past sponsor – Thanks to your support in the last conference.
- Praxeva: Sustaining Sponsor – Thank you Tejan Timblo for believing in us.
- IIS – Sustaining Sponsor – Thank you K. K. Mookhey for believing in us.
- IsightPartners: Past sponsor – Thank you for your support, John Watters.
- Innobuzz and Secfence: Sustaining sponsor – Thanks for supporting us Atul and Ankit.
- Secure Matrix: Past sponsor
- Hacker5: Sustaining sponsor
- Widget factory: Past sponsor
- Seclore: Past sponsor
- Watch Guard: New Sponsor
- ACPL: Sustaining sponsor