Aug. 24, 2023

Episode 33: The Master of Hacker Show&Tell: Inti De Ceukelaire

Critical Thinking - Bug Bounty Podcast

Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs…and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It’s a mesmerizing episode, so sit back and be swept away by Inti’s tales.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/securinti

Inti's Shopify Show-and-Tell

https://hackerone.com/reports/1086108

Hakluke's article on Bug Bounty Standards

https://github.com/hakluke/bug-bounty-standards

Researching MissingNo Glitch in Pokemon

https://youtu.be/p8OBktd42GI

Intigriti

https://www.intigriti.com/

Timestamps:

(00:00:00) Introduction

(00:03:01) Show-and-Tells and Storytelling in Live Hacking Events

(00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities.

(00:13:50) Ethical dilemmas, gaming the systems, and safe harbor.

(00:23:30) Inti’s Hacking Journey

(00:27:26) Hacker mentality, brainstorming, and goal-setting.

(00:46:28) The benefit of mental resets, fresh perspectives, and ‘surprise collaboration’

(00:52:55) Inti’s Story 1: CSS Injection bugs

(01:06:20) Inti’s Story 2: The Ticket Trick

(01:14:00) Inti’s Story 3: The Gotcha Password Bug

(01:18:30) Upcoming Intigriti Live Hacking Event

Transcript
Justin Gardner (@rhynorater) (00:02.887)
All right, so I wanted to start off this episode a little bit by saying, you know, Inti, I'm super hyped to have you here, okay? And actually, I don't know that I've ever told this story before on the podcast, but essentially the way that I got into live hacking events in the beginning was I was a plus one of a plus one. So one of my buddies just kind of ran into Ted Kramer. I don't know if you remember Ted Kramer. Yeah. And yeah, of course, how could we forget?

Inti De Ceukelaire (00:28.286)
I do.

Justin Gardner (@rhynorater) (00:32.064)
And he was like, hey man, I'm a hacker as well. And Ted was like, oh, you should come to the live hacking event in DC. And so he's like, great, can I bring my friend Justin or Rhynorater, I think is what he said. And then at that moment, Jon Bottarini, right? Jon Bottarini was standing nearby and he's like, wait, did you just say Rhynorater? Oh, he just found a really weird bug on like XYZ target, right?

And then Ted was like, oh cool, well yeah sure, let him come or whatever, right? Yeah, if he can make it, bring it on. And so I went to that live hacking event and I somehow placed eighth and became good friends with Kevin Rosenbaum at that event. And because of that, they invited me to San Francisco. And then when I get to San Francisco, I get a show and tell, right? And after that show and tell, I was like, they invited me to the next one. So I was like, okay, the show and tell is the key.

you know, to getting access to other live hacking events. And who is the master of the show and tell, but Inti. And every live hacking event that I went to, you know, at the time, you were in the live hacking event circuit at the time as well. Inti was getting show and tell after show and tell after show and tell after show and tell. It was sort of like a meme, you know, how is Inti gonna get show and tell this time? So that's why I'm really excited to have you on the pod because you just have these crazy show and tell bugs.

Inti De Ceukelaire (01:48.21)
Yeah.

Justin Gardner (@rhynorater) (01:53.127)
And I think it's left a big impact on all of us that were in the live hacking event scene at that time. Um, so with that man, welcome to the pod.

Inti De Ceukelaire (02:01.366)
Thank you, thank you. And I gotta say on the show and tell that the pressure really helped actually. It was a paradox. Like at first I didn't like it because I knew you have to perform for live hacking events but I also had to hit that holy grail of show and tell every single time. But in the end, you know, I always found a way to do it. So, and yeah, I'm so proud of that. Like most people have awards for like a lot

Justin Gardner (@rhynorater) (02:06.157)
Yeah.

Justin Gardner (@rhynorater) (02:13.349)
Yeah.

Justin Gardner (@rhynorater) (02:19.506)
Yeah

Justin Gardner (@rhynorater) (02:24.473)
Yeah.

Justin Gardner (@rhynorater) (02:27.919)
Yeah.

Inti De Ceukelaire (02:31.51)
critical bugs etc., and most of my bonuses that I ever got was just like show and tell bonus or like funniest bug. They wanted to put the most creative bug award; I also have that one.

Justin Gardner (@rhynorater) (02:37.654)
Yeah.

Oh yeah, that's also known as the Inti award. That's great, man. Yeah, seriously. And I think Show & Tell has a really unique part of, it's a unique part of the live hacking event experiences because it is what helps.

Inti De Ceukelaire (02:47.172)
Yeah, should get a trademark on that.

Justin Gardner (@rhynorater) (03:01.271)
I mean, obviously, when you're at the live hack events, you're collaborating with other hackers, you're talking with other hackers as well, right? But the show and tell piece, that is what really, you get an in-depth explanation with visuals, with, in your case, very engaging humor and very creative attack vectors. And that's what helps us grow as hackers in that sort of context as well. And I know some of the...

times that I've grown the most from live hacking events is looking at show and tell, specifically yours.

Inti De Ceukelaire (03:31.254)
You know the best moment in a show and tell, it's like when you're at like slide two or three and everybody sees like a page that everybody, literally everybody in the audience looked at and you just know, oh damn, I just realized what I missed there. And everybody's like super excited but also a little bit bummed out because they could have found that bug.

Justin Gardner (@rhynorater) (03:37.495)
Mm.

Justin Gardner (@rhynorater) (03:49.267)
Yeah, I know. Dude, I think you did that. You used to do that so well to, you know, with the show and tells because it's like and then there's the moment you go to that slide and everyone's like, ah, you know, like no, like and you can almost hear the vision. I mean, you really sometimes you can you're like what's like this place? So yeah, I think I think that's such a great piece.

Joel Margolis (teknogeek) (04:11.424)
Yeah.

I can't even tell you how many times I've seen a bug in a show and tell that I've tried like almost either that exact same thing on a different target or I tried like I was trying similar things and I just gave up and I was like, ah, okay, I can't get around this. And I just moved on. So it's, oh man, it's amazing. I think the big thing about your show and tell skills is just like, you have this amazing presentation ability where like, yeah, like it's, it's the showmanship. It's like, you have a very good like speaking.

Justin Gardner (@rhynorater) (04:29.241)
It's-

Mm.

Justin Gardner (@rhynorater) (04:36.231)
It's the showmanship, yeah.

Joel Margolis (teknogeek) (04:42.826)
like experience, I don't know, your public speaking skills are very good. And so your way of presenting your bugs is very like everybody can understand it. Everybody's very involved. Like you really hook the whole audience, myself included. And so I think that that's just what, one of those things that makes the Inti show and tell just like so much more elevated.

Justin Gardner (@rhynorater) (04:45.243)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (04:54.916)
Yeah.

Justin Gardner (@rhynorater) (05:00.791)
Legendary man and so

Inti De Ceukelaire (05:01.954)
Well, thank you. And it's a nice compliment coming from both of you. And I think that honestly, in a show and tell, it's more about the story than the bug, because in all honesty, not all of my bugs are great. In fact, I think I still hold the record of having the lowest-rated bug with the highest bonus on HackerOne. So I'm quite proud of that. So I think that attack scenario involved like kidnapping the

Justin Gardner (@rhynorater) (05:06.203)
Mm.

Justin Gardner (@rhynorater) (05:12.529)
Mm-hmm.

Justin Gardner (@rhynorater) (05:23.364)
Ha ha!

Inti De Ceukelaire (05:31.766)
the Queen of England back like something like that. It was ridiculous. And I remember the program managers like telling me like, I can't believe we're paying for this, but still they did. It's about the story.

Justin Gardner (@rhynorater) (05:32.778)
Huh. Ha.

Justin Gardner (@rhynorater) (05:37.703)
I remember that.

Justin Gardner (@rhynorater) (05:46.555)
Dude, oh my gosh, I just got flooded with memories that I remember that show and tell. There's like some, some like, like the character limit was too long for you to show the destination of where they were going. So you could kidnap the Queen. Oh man. Oh gosh. Um, yeah. Yeah. I mean, that would be a disaster.

Joel Margolis (teknogeek) (05:57.57)
Hehehehe

Inti De Ceukelaire (06:03.298)
I'm gonna go.

Joel Margolis (teknogeek) (06:04.39)
Hehehehe

Inti De Ceukelaire (06:05.678)
Just think about the impact. Think about the impact, like yeah. All the royalists would be super upset about that, so... Yeah.

Joel Margolis (teknogeek) (06:08.619)
Yes.

Justin Gardner (@rhynorater) (06:13.096)
That would be terrible.

Joel Margolis (teknogeek) (06:14.89)
It is really interesting that you point that out though, because I think like, there's always like two aspects to like a bug bounty report. And a lot of people, when they write a bug bounty report, they think about it like, as if it's they're doing a show and tell. Like, they'll write it out and they'll be like, well, I was looking through your website one day and I came across this really interesting endpoint. And like, from a report perspective, most of the time they don't really care about that. But if you were to take that exact report and like put it into a show and tell context, it would probably do like pretty well, because it's very like,

Justin Gardner (@rhynorater) (06:28.391)
Mm-hmm.

Justin Gardner (@rhynorater) (06:37.062)
Yeah.

Justin Gardner (@rhynorater) (06:42.893)
Oh yeah.

Joel Margolis (teknogeek) (06:43.766)
that storytelling, like it explains where you were coming from as a hacker, like the whole like mind, like mental aspect, like how you're approaching the problem. Those things really matter for a show and tell. They don't matter so much for a report, but I think like everybody kind of has that ability and it's about sort of like harnessing it to like show it in the right way.

Justin Gardner (@rhynorater) (06:55.215)
Mm.

Justin Gardner (@rhynorater) (06:59.908)
Yeah.

Inti De Ceukelaire (07:01.374)
But still during a live hacking event, I would argue that you have to, I mean, that team, and you know this best of all, Joel, like you're getting hundreds of reports in a few days. And if you want to get that show and tell, you got to ask yourself the question if you're drafting a report, how can I make this report memorable without, you know, exaggerating too much, because then they will think I'm a scammer. Like there's a thin line. But I remember in that report, my title said like...

Justin Gardner (@rhynorater) (07:12.165)
Mm-hmm.

Justin Gardner (@rhynorater) (07:20.569)
Yeah, yeah.

Justin Gardner (@rhynorater) (07:25.319)
Hahaha

Yeah.

Inti De Ceukelaire (07:30.502)
literally "results in kidnapping", and it was not a lie, and my report got triaged right away, so...

Justin Gardner (@rhynorater) (07:32.744)
Oh my gosh.

Justin Gardner (@rhynorater) (07:39.445)
Dude, that's some serious impact. Yeah.

Joel Margolis (teknogeek) (07:42.435)
I don't think there's many people who can say that they reported a bug on HackerOne or any hacking platform that says results in kidnapping.

Justin Gardner (@rhynorater) (07:47.793)
It... Results in kidnapping. Oh my gosh. Okay. We have a section. Yeah, go go.

Inti De Ceukelaire (07:50.646)
Yeah, but one last thing I need to say about that, about impact. And then I'll let you do your thing. And recently, and this was at Intigriti and I do have permission to talk about this. But it was with a client of course, of course, I cannot tell you which client. And so basically what the hacker reported was simply like an authorization bug. I mean, there was like a missing permission check.

Justin Gardner (@rhynorater) (08:04.821)
Mmm, great.

Justin Gardner (@rhynorater) (08:09.441)
Mm-hmm.

Justin Gardner (@rhynorater) (08:17.158)
Mm-hmm.

Inti De Ceukelaire (08:19.07)
And we got to the client because it was fairly critical. And the client started panicking and they said, the actual impact of this is that people could die. So, so that was their impact assessment. And sometimes if you think about it, we, bug bounty hunters, you know, we look at an IDOR and we will say, okay, I can change this bit of data, but if that bit of data is for example, and it was not in that case, but if that's for example, a

Justin Gardner (@rhynorater) (08:30.582)
Oh no.

Justin Gardner (@rhynorater) (08:39.766)
Mm-hmm.

Justin Gardner (@rhynorater) (08:45.646)
Mm.

Justin Gardner (@rhynorater) (08:48.908)
Oh yeah. Yeah.

Inti De Ceukelaire (08:49.022)
in a production environment, then you have a serious problem. And not all hackers think like that. I would say that if you want to find good bugs, you have to think like a hacker, not as a QA tester. And all respect to QA testers. They can find good bugs. They can probably get paid more if they think about the story.

Justin Gardner (@rhynorater) (08:54.884)
Yeah.

Justin Gardner (@rhynorater) (08:59.179)
Oh yeah. Yeah. Mmhmm.

Mm-hmm. Yeah, no, absolutely. That's crazy. And whenever you're dealing with those products that intersect with...

with real life, you know? Sometimes it's information, and we'll talk about information a little bit more later in some of your work that you've done with privacy-related stuff, and all of that is very important, but when it comes down to stuff like transportation, like medical stuff, like all of these things that interact with our bodies, then things become way more critical, and it does start to make you realize that the work that we do here, especially in those environments,

people and I have no doubt that you know the Bug Bounty reports have saved lives. So that's a really cool, a really cool place to be.

Joel Margolis (teknogeek) (09:51.246)
It's super interesting to me when we think about how internet is starting to affect more and more things. I know we've talked about internet of things, how everything is more internet connected. I think especially nowadays, it's getting more and more so where almost everything is on the internet. Heart pacemakers, cars, computers, phones, cameras, door sensors, door lock, everything. It's all on the internet. So many of those things are vulnerable to attack surfaces.

Justin Gardner (@rhynorater) (10:18.416)
Mm-hmm.

Joel Margolis (teknogeek) (10:21.134)
to the point where even certain programs will pull things out of scope. Like United is a great example where nothing on the in-flight infotainment or any of that stuff is in scope because they don't want people to risk hacking stuff while the plane is in the air because there's so much risk involved there. Even if the systems are completely separated, they don't want to even take the chance of having somebody test on it. It's super, super interesting to see how that's changing over time and how...

Justin Gardner (@rhynorater) (10:25.639)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (10:36.848)
Yeah.

Justin Gardner (@rhynorater) (10:41.595)
Yeah.

Joel Margolis (teknogeek) (10:48.178)
Even though it's dangerous, more and more stuff is going online that probably shouldn't be online, but is online. And now those impacts of like, chance of death. Like this is like a real thing, and it's not just like an edge case now.

Justin Gardner (@rhynorater) (10:54.51)
Mm.

Justin Gardner (@rhynorater) (11:03.012)
Yeah, yeah, absolutely. And Inti, you've worked a little bit with the United program, right? Have you hacked on them?

Inti De Ceukelaire (11:13.026)
I have, yeah, I have in the past. I'm not sure if I can disclose a lot about them. I think they're a great team. They have their own way of assessing severities, which is a choice. But then again.

Justin Gardner (@rhynorater) (11:18.199)
Yeah.

Justin Gardner (@rhynorater) (11:23.527)
Yeah. Did you say it? He said he said it's a choice.

Joel Margolis (teknogeek) (11:30.222)
That is a choice.

Inti De Ceukelaire (11:30.398)
Yeah, but one thing I do have to say there is that I always, and you know, I, as someone working at the bug bounty platform, I work with a lot of clients that may have their reasons. And Joel, I mean, you've also seen both sides, right? Sometimes we hackers, we easily assume, or we just take, you don't even want to know how many reports, for example, we see like in this HackerOne report or in this...

Justin Gardner (@rhynorater) (11:33.615)
Well said.

Justin Gardner (@rhynorater) (11:41.657)
Mm-hmm.

Justin Gardner (@rhynorater) (11:48.986)
Mm-hmm.

Inti De Ceukelaire (11:59.682)
Bugcrowd people are just going to assess this way. And for some companies, things are just different. And what I just think is really important, and in United's case, they do point that out in the program description, I put in the references. You have to be transparent. It's all about expectation management. If you're upfront with the way you score vulnerabilities, even though I as a hacker do not agree with that, then that's, I mean, not

Justin Gardner (@rhynorater) (12:00.826)
Mm-hmm. Mm.

Justin Gardner (@rhynorater) (12:17.836)
Mm-hmm.

Justin Gardner (@rhynorater) (12:26.597)
Mm-hmm.

Inti De Ceukelaire (12:29.218)
their problem necessarily, I can just choose to move on and to do something else instead.

Justin Gardner (@rhynorater) (12:30.223)
Yeah.

Justin Gardner (@rhynorater) (12:34.411)
Yeah, or in the case that we saw recently with VISS being implemented in the Zoom Bug Bounty Program, you can also choose to game the system with that same set of standards, right? So, you know, I think Zoom uses VISS, a lot of other places use CVSS, and then I believe United uses the OWASP model for, yeah, OWASP Risk Rating Model, yeah.

Inti De Ceukelaire (12:57.718)
Risk Rating, yeah.

Justin Gardner (@rhynorater) (13:01.391)
And, but each one of these models has their own, I guess, quirks, right? Little weird things that you can do as an attacker. And one of the things we saw at the Zoom event was one of the hackers, Tom Anthony, found a great way to game the system for VISS, right? And get bugs rated higher than you would normally expect them to be rated. And that worked out well for him in the event. And I think that's just a part of the system, right? That's a part of the...

Inti De Ceukelaire (13:27.572)
Uh-huh.

Justin Gardner (@rhynorater) (13:30.351)
the game for hackers and programs.

Inti De Ceukelaire (13:33.278)
Yeah, I think that's a twilight territory, honestly, because I mean, sometimes, and I mean, we do see both sides of the table. Sometimes people will game the system to death. And if you're a large enterprise, you can afford that. And you know, it's just a rounding error. Especially for smaller companies, while they still care about, of course, being consistent,

Justin Gardner (@rhynorater) (13:45.179)
Mm-hmm.

Justin Gardner (@rhynorater) (13:49.639)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (13:57.892)
Yeah, that hurts.

Inti De Ceukelaire (14:03.134)
It can be a little bit tricky. So I do expect hackers to point out, I mean, I prefer hackers to point out any flaws that they may see in the policy. Because we may even give an additional bonus for that. It wouldn't be the first time that we said, okay, your report resulted in a policy change, we're actually going to pay out for the policy change rather than for the bug that turned out to be.

Justin Gardner (@rhynorater) (14:12.324)
Mm-mm.

Justin Gardner (@rhynorater) (14:16.792)
Mm.

Justin Gardner (@rhynorater) (14:24.358)
Mm.

Justin Gardner (@rhynorater) (14:30.439)
Wow.

Inti De Ceukelaire (14:30.626)
So, I mean, even duplicates can sometimes be very exotic because like sometimes you will have, it's not necessarily the same root cause as it is not necessarily the same code path. But then if you would look to the process, for example, on how to deploy all the instances, they could also have fixed it over there. So if a program wakes up with 100 submissions of essentially the same finding,

Justin Gardner (@rhynorater) (14:49.681)
Mm-hmm.

Yeah.

Inti De Ceukelaire (14:57.858)
Well, are they really expected to pay out 120? I wouldn't say it would be correct to pay out one. I wouldn't say that it would be correct to pay out 120. Sometimes you got these edge cases. And Hakluke, just to give him a shout out, has done a very interesting proposal on how programs or platforms should deal with these situations. And I do think, yeah, he's created bug bounty standards on GitHub. I wouldn't, yeah.

Justin Gardner (@rhynorater) (15:01.653)
Yeah, I don't think so.

Justin Gardner (@rhynorater) (15:07.992)
Yeah.

Justin Gardner (@rhynorater) (15:12.212)
Mm.

Justin Gardner (@rhynorater) (15:18.724)
Oh really? I don't know that I've seen that.

Joel Margolis (teknogeek) (15:20.694)
I haven't either.

Joel Margolis (teknogeek) (15:25.282)
Oh yeah, I did actually see that.

Inti De Ceukelaire (15:29.118)
It's it's.

Joel Margolis (teknogeek) (15:29.13)
Yeah, it's super interesting. I think it's exactly what you're talking about. Like you see this a lot, both from like the program side. I'm sure every hacker has kind of dealt with this situation in one form or another. But essentially you're put in a situation where you may have found something systemic or you may have found like a repeated issue or something like that. And you realize that this is something that team cares about and something that they'll pay for, but it may be very, very similar. And then you're in this ethical dilemma where it's like, should I make as much money as I can here?

Justin Gardner (@rhynorater) (15:50.212)
Mm-hmm.

Joel Margolis (teknogeek) (15:58.634)
and report these things as separate issues, or should I group them together in good faith and tell the team and hope that they award me accordingly for that, and they'll probably fix it in one place and I'll lose a bunch of money, but it's the right thing to do. And I think that there's no real clean cut answer, but I'll have to take a look at what HackLuke put together there, because that sounds really interesting. I do agree that like, I don't think it should be really one or the other, should be kind of in between, but it's really hard to define where that is.

Justin Gardner (@rhynorater) (16:00.796)
Mm-hmm.

Justin Gardner (@rhynorater) (16:10.02)
Hmm.

Yeah.

Justin Gardner (@rhynorater) (16:22.948)
Mm.

Inti De Ceukelaire (16:27.266)
And ideally, there's also consistency across all platforms. And that is also why, at least for the first time with Intigriti, that we have had a meeting in Las Vegas during DEF CON with both Bugcrowd, HackerOne, and Intigriti to discuss some of the, I would say, issues that may be more challenges that we can work on together just so that the community and the client base and just the industry as a

Justin Gardner (@rhynorater) (16:31.578)
Yeah.

Justin Gardner (@rhynorater) (16:41.607)
Mm.

Yeah.

Inti De Ceukelaire (16:56.366)
would benefit from. And I think we need to align on steps like proposals for standards like that, but also other things. For example, we had the unfortunate event that two live hacking events were colliding. So they were basically doing the same date. But a lot of the top talent is present on all the platforms and then nobody really wins because as a platform, you see that your talent may want to go to the other or vice versa.

Justin Gardner (@rhynorater) (17:03.399)
Mm-hmm.

Justin Gardner (@rhynorater) (17:11.791)
Mm. Yeah.

Justin Gardner (@rhynorater) (17:17.381)
Yeah.

Justin Gardner (@rhynorater) (17:23.921)
Mm-hmm.

Inti De Ceukelaire (17:24.862)
And then the hackers are also missing out on that additional event. So I think it's just good for us to align a little bit more and just work together when it comes to the community. And it's been really great. I mean, there's such cooperative, wonderful people to work together with.

Justin Gardner (@rhynorater) (17:29.284)
Yeah.

Justin Gardner (@rhynorater) (17:38.885)
Yeah.

Justin Gardner (@rhynorater) (17:42.619)
That's awesome. And I was, the heart was warmed when I saw that post on Twitter, you know, with you and when Codingo and Jessica, and it's just like, you know, mom and dad and dad all living together in harmony and it's just, it's great. Um, and so I mean, Oh, that's cute. I like that. That's great. Um, yeah. And so, I mean, did, did that go, I guess that was one of the things I had on the list to talk about it. Did that go like.

Inti De Ceukelaire (17:56.816)
Yeah, we did a little swag exchange.

Joel Margolis (teknogeek) (18:00.622)
Yeah, awesome.

Justin Gardner (@rhynorater) (18:11.927)
I mean, do you think you'll see that collaboration? Was that bridge sort of formed? How did that meeting go from your perspective?

Inti De Ceukelaire (18:18.942)
So actually there was already some sort of collaboration. I mean, we've been emailing, we've been Slacking a lot. Just, I mean, because if there's for example a new trend or a concern with the community or in the industry, I mean, it's always best for us to align. Just, I mean, nobody, literally nobody wins from having disagreements on a community level. It's also extremely confusing for the community.

Justin Gardner (@rhynorater) (18:22.471)
Mm-hmm. That's good. Yeah.

Justin Gardner (@rhynorater) (18:30.316)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (18:35.821)
Mm-hmm.

Justin Gardner (@rhynorater) (18:43.611)
Yeah.

Inti De Ceukelaire (18:46.326)
Ideally, everybody has the same experience regardless of the platform and hopefully also regardless of the program. So I think it's, I mean, we've been doing that in a more informal way and it was just good to now have the discussions in person as well. And also go for a more formal approach, meaning that if I suddenly drop dead tomorrow, that this thing can be continued as well. I'm not planning to, by the way, but you get what I'm saying.

Justin Gardner (@rhynorater) (18:50.161)
Mm-hmm.

Right.

Justin Gardner (@rhynorater) (19:05.282)
Mm.

Joel Margolis (teknogeek) (19:10.186)
Yeah. This. Oh, I mean, we were talking about death earlier. It's no way. Yeah. This does remind me. This does remind me a lot, though, of like the Safe Harbor discussions that were happening, like a couple of years ago before Safe Harbor was sort of like a default.

Justin Gardner (@rhynorater) (19:10.191)
Right, right. Yeah, kidnapped because of a bug. Yeah. As long as the hackers are doing our jobs, keep Inti alive.

Inti De Ceukelaire (19:16.33)
Yeah

Justin Gardner (@rhynorater) (19:28.084)
Mm.

Joel Margolis (teknogeek) (19:32.022)
type of thing across a lot of programs and platforms where everybody was kind of aligned in terms of like how we felt like things should be going and how things should be handled. But it was very much so up to programs and platforms individually to determine and set out the guidelines and the guardrails for how things would actually happen and be like, this program specifically designates safe harbor in theirs, and if they don't, then it's not there, right. And like I think now that it's

It's been sort of like adopted as safe harbor. It's not like a hacker one thing. It's not like a bug crowd thing. It's not an integrity thing. It's just like safe harbor is safe harbor. And generally most programs should have it and should try and adhere to it because that's what makes security research a safe and a productive thing. And I think we're starting to get there with this same type of like relationship where the programs like, it really makes me think back on like the old

Justin Gardner (@rhynorater) (20:04.646)
Mmm.

Inti De Ceukelaire (20:13.838)
Mm-hmm.

Yeah, exactly.

Joel Margolis (teknogeek) (20:26.358)
rivalries between like Google and Apple and Adobe and how like Apple would never add Flash Player into Safari or on iOS and stuff like that. Or how like iMessage is with like Android and that kind of stuff where we're now getting to a point where regulators are stepping in and saying this like type of business like disagreement or like business competitiveness isn't productive for the rest of the people who are within the ecosystem. And it's time to step past that and put it to the side.

Justin Gardner (@rhynorater) (20:40.697)
So annoying.

Justin Gardner (@rhynorater) (20:52.819)
Mm.

Joel Margolis (teknogeek) (20:55.946)
and just like move on and let your business be competitive in other ways and let there be certain ground-based factors that are shared across all of the companies and across the entire community that everybody can take advantage of.

Justin Gardner (@rhynorater) (21:07.396)
Mm.

Inti De Ceukelaire (21:07.582)
Yeah, and honestly, I mean, I've been doing this, I've joined Intigriti in 2017 and maybe I've just been looking, but I've rarely come across any form of toxic competition with Bugcrowd and HackerOne. Of course, I mean, sometimes it may happen that, you know, a salesperson may say something that is not fully aligned and then it allows us to better coach them, etc.

Justin Gardner (@rhynorater) (21:13.203)
Mm.

Justin Gardner (@rhynorater) (21:20.965)
Mmm, that's great.

Justin Gardner (@rhynorater) (21:27.797)
Mm-hmm.

Inti De Ceukelaire (21:31.766)
But I've always felt like in the eyes of the community, I mean, we share the same super valuable community. And at the end of the day, all platforms right now are still a hundred percent dependent on the willingness of that community. So it's community that is boss and it's up to us to figure out how we can make sure that we make progress while maintaining the, we see our community as a client. And then of course we also have the.

Justin Gardner (@rhynorater) (21:31.931)
Mm.

Justin Gardner (@rhynorater) (21:36.996)
Mm.

Justin Gardner (@rhynorater) (21:44.357)
Mm.

Inti De Ceukelaire (21:57.826)
client base and sometimes it's hard to balance that out. I mean, I also sometimes read blog articles from well-meaning and well-intending hackers saying, bug bounty should be like this or like this. And, and the thing is like, hypothetically, I agree with them. They're making good points. But then if you're working in a platform environment where, you know, you have the industry, you have the clients and you need to make sure that

Justin Gardner (@rhynorater) (21:58.904)
Right.

Justin Gardner (@rhynorater) (22:10.342)
Mm-hmm.

Inti De Ceukelaire (22:27.426)
everybody moves at the same pace, not only the hackers, but also the clients. And I think that change can only accelerate if we as the three biggest platforms can just work together. So yeah, I'm super stoked about this and I hope to be able to update you on more progress.

Justin Gardner (@rhynorater) (22:46.191)
That's awesome, man. Yeah, it seems like we're moving in the right direction with that, and I think that'll improve the experience for everyone involved. So, I guess we went down a little rabbit trail. I'm gonna bring it back, because one of the things we were talking about in the beginning was your ability to present and your ability to do show and tell and your public speaking prowess, and I think that's a pretty core piece of the way that you've been in the community as a hacker. And I imagine all of that actually started

from your radio experience. And as a podcast, we're sort of like, I guess, radio adjacent. So I wanna get some, I wanna hear about your radio history and how you kinda got into that field and any tips and tricks you might've picked up along the way.

Inti De Ceukelaire (23:29.566)
Yeah. I mean, just to get that out of the way, I didn't have my own show or anything. I was no radio presenter. I worked at the radio station, however, and sometimes I was called in to tell a little bit about, like, about cybersecurity in general. If there was something going on, like one client or whatever, I would typically go in and talk about it for a national audience. And basically then the two.

Justin Gardner (@rhynorater) (23:35.536)
Yeah.

Justin Gardner (@rhynorater) (23:39.339)
Okay, gotcha.

Justin Gardner (@rhynorater) (23:46.744)
Oh cool.

Justin Gardner (@rhynorater) (23:54.278)
Mm.

Inti De Ceukelaire (23:59.082)
challenge was to make sure that you explain things in a way that is actually correct, while still making sure that people don't just switch stations because you're getting too technical. And I've learned a lot in that space, and it's a real art honestly, because then you also, like, if you're not technical enough, then your core fan base or the people that really appreciate you as a hacker will start thinking like,

Justin Gardner (@rhynorater) (24:06.181)
Mm.

Justin Gardner (@rhynorater) (24:11.43)
Right.

Justin Gardner (@rhynorater) (24:16.888)
Mm.

Inti De Ceukelaire (24:27.726)
What is this guy saying? Like, can't he just give some proper details? And I always loved that balance. I think radio for me, because most of the time I was mostly doing the socials, like just doing website stuff as well. But I was in an environment surrounded by passionate people that knew everything about the subject that I didn't know anything about, which was music. They were extremely passionate and like they were the best of Belgium. And what I really like about Belgium as well is that...

Justin Gardner (@rhynorater) (24:28.923)
Mm-hmm. Ha ha ha.

Justin Gardner (@rhynorater) (24:38.417)
Mm.

Mm-hmm.

Justin Gardner (@rhynorater) (24:45.361)
Mm.

Justin Gardner (@rhynorater) (24:50.255)
Right.

Inti De Ceukelaire (24:57.538)
me the best of Belgium, you can, there's only 11 million people here, right? I'm not sure how many people live in New York, but maybe it's about equal. Yeah. So, um, but it also, I mean, I'm grateful for it because we all still have stuff like the public broadcast company and the national stations and it makes it, I guess, a little bit easier for a person like me to step up.

Justin Gardner (@rhynorater) (25:03.529)
Mm.

Justin Gardner (@rhynorater) (25:06.739)
Yeah, it's probably less than that, yeah.

Joel Margolis (teknogeek) (25:09.051)
It's like four times that in California.

Justin Gardner (@rhynorater) (25:11.536)
Yeah.

Inti De Ceukelaire (25:26.578)
and to reach an audience, and I would come into the studio and we would talk with the Prime Minister of Belgium, with politicians that actually can make change happen. And one of those changes that I'm particularly proud about, and this is not only my work, I played a very tiny role in that, is that unauthorized testing in some conditions is now completely illegal in Belgium. So you can go and hack a

Justin Gardner (@rhynorater) (25:36.699)
Wow.

Justin Gardner (@rhynorater) (25:52.688)
Mmm. Oh.

Inti De Ceukelaire (25:55.362)
Belgian company as long as afterwards you make your report, and that can be on their computer. There's a couple of rules attached to it, but if there's like a SaaS business in Belgium, then you can just, if their computers are in Belgium and you're a Belgian citizen, you will no longer be prosecuted for hacking them and reporting a vulnerability to them, which I think is super cool.

Joel Margolis (teknogeek) (25:55.97)
That is.

Justin Gardner (@rhynorater) (26:16.017)
Wow.

Yeah, that's awesome and it almost feels like, you know, like the parallel that you hear all the time with like enterprise organizations and then startups, right, like, you know, in Belgium, or I was actually just speaking to someone the other day from South Sudan, and they were like, yeah, I was like talking to the minister of Bloody Blind, I'm like, oh really, oh that's cool, you know, cause you know, in these smaller countries, you can get access to, you know, these people a little bit easier.

And you can actually influence change, which is really cool.

Inti De Ceukelaire (26:47.116)
Yeah.

During our last live hacking event in Belgium, we almost, but then a crisis happened so it didn't go through, but we almost got like the Prime Minister of Belgium to just visit us. Yeah, he really wanted to see the live hacking event, but something came in between. But that was really cool.

Justin Gardner (@rhynorater) (26:59.135)
No way. Dude.

Joel Margolis (teknogeek) (27:01.022)
Wow.

Justin Gardner (@rhynorater) (27:05.987)
Ah, that would have been pretty sick. I think I was also talking to somebody who, I wanna say it was Saudi Arabia, that was at a live hacking event there, and then one of the princes or something came by the event and I was like, whoa, no way, that's kinda nuts. Yeah, I know, right? And it's a little bit weird, right?

Inti De Ceukelaire (27:23.165)
I just hope they didn't have WhatsApp on their phone.

Joel Margolis (teknogeek) (27:26.19)
Ha ha ha ha.

Justin Gardner (@rhynorater) (27:31.376)
It's a little bit weird, right? Because sometimes in security, we feel so niched down, right? Like, we're, you know, even within our community, there are celebrities within our community and stuff like that. But at the end of the day, we're a very, very small community. And so whenever there's interactions with stuff like that, like people that are well known by the normal populace, right, like the prime minister, you know, whoever, I think that's really cool to see that intersection.

Joel Margolis (teknogeek) (28:00.714)
Yeah.

Inti De Ceukelaire (28:01.365)
It is.

Justin Gardner (@rhynorater) (28:01.423)
Okay, so that's the radio backstory a little bit. So you came on, you were talking about cybersecurity in front of a national audience, that's great. Now, I wanna hear a little bit of the hacker backstory. So how did you get into hacking and how did you land in Bug Bounty?

Inti De Ceukelaire (28:18.734)
Good question. I guess, and this goes for most of us, I'm a cheater. But not in relationships, that's just the disclaimer that I always have to say for my wife. But I was never really good at video games or any games in general. It's just lacking, and then I guess I have enough time on my hands to try to find a way to win.

Justin Gardner (@rhynorater) (28:32.452)
Nice.

Inti De Ceukelaire (28:45.47)
And it started off with video games. Do you remember like Pokemon where, you know, everybody was like trading Pokemons and there was like this MissingNo bug, like this mysterious Pokemon. And to me, that was just magic that you could catch a Pokemon that was more than a Pokedex by doing what? By first going to talk to an old dude in Viridian Town and then flying over to the other side of the map to swim. I mean, it didn't make any sense. And I really wanted to know, and by the way, LiveOverflow did the...

Justin Gardner (@rhynorater) (28:50.552)
Oh yeah.

Justin Gardner (@rhynorater) (28:54.528)
Yeah. Yep.

Inti De Ceukelaire (29:13.222)
Excellent video on that, which we will link in the description. Just giving you some work here. Um, I really wanted to know how that, how that stuff worked, um, and yeah, like it just started from there. And then I also figured, like, I think everybody comes at the point where they have to decide, do I want to risk it? Do I want to become a criminal or not? But I was well raised by my... I loved hacking.

Joel Margolis (teknogeek) (29:17.102)
Wow, look at... We don't even have to do anything anymore. Here, let's just let him lead all of it.

Justin Gardner (@rhynorater) (29:18.73)
Mm, mm. Wow, OK, very nice. This guy's a pro, all right.

Justin Gardner (@rhynorater) (29:40.241)
Right.

Inti De Ceukelaire (29:42.91)
I always wanted to break in, but I didn't want to break into jail. So, yeah. Then I found Yahoo. Yahoo was my first program. And I got to see, they had a terrible submission form. It was like, do you know these mailto links that would open your email client? So you would fill in this form and then you would press submit. And I had, like mailto links, of course, like any sensible person, I had them disabled in my browser.

Justin Gardner (@rhynorater) (30:00.03)
Oh no, yeah.

Inti De Ceukelaire (30:11.758)
So I would fill in the form, click the button, nothing happened, so I was just assuming that it was getting sent. But no, it was supposed to open your email client, so you had to send there. So yeah, I was pretty disappointed. I was quite happy with the launch of HackerOne, but basically my reports would arrive. And that's how I started with silly cross-site scripting bugs. Then I...

Justin Gardner (@rhynorater) (30:24.258)
No.

Joel Margolis (teknogeek) (30:24.544)
Uh...

Justin Gardner (@rhynorater) (30:36.507)
Mm.

Inti De Ceukelaire (30:39.154)
I also did a lot of unauthorized testing because I didn't know better. I got lucky with that though, so I think one of the best stories there, and by the way, kids, don't try this anymore because I guess it's new management. And I've been telling the story a lot of times and I don't think they will allow me in their concerts anymore. But I was a big fan of Metallica, so the rock and roll or the heavy metal band, let's say.

Justin Gardner (@rhynorater) (30:42.276)
Yeah, yeah, of course.

Justin Gardner (@rhynorater) (30:51.173)
Mm-hmm.

Joel Margolis (teknogeek) (31:00.782)
Hehehehe

Justin Gardner (@rhynorater) (31:02.976)
Oh no.

Justin Gardner (@rhynorater) (31:06.982)
Yeah.

Inti De Ceukelaire (31:07.634)
And I knew that they had to deal with hackers like a few years back when somebody, I think, stole their whole album or something. And they had like these meet and greets and I really wanted to meet them. And it was like an online lottery system. Basically I found a way to do some cheating on the website, but at the end of the day, because the ethical hacker in me stood up, I was like, I cannot take this spot. I need to email that webmaster and tell,

Justin Gardner (@rhynorater) (31:15.416)
oof

Justin Gardner (@rhynorater) (31:26.096)
Mm.

Inti De Ceukelaire (31:35.202)
tell them what I've done, tell them of course that, you know, this is not in bad faith, please just fix it. And they said, hey, you know what, Inti, you can still come to their show in Belgium, you can come and meet Metallica. They signed my keyboard. I have a key with me, this is for the YouTube watchers, so this is like Metallica 2014. This is like, yeah, they all loved it.

Justin Gardner (@rhynorater) (31:51.591)
Dude.

No way!

Whoa.

Joel Margolis (teknogeek) (31:59.918)
That's crazy.

Justin Gardner (@rhynorater) (32:02.429)
Dude!

Inti De Ceukelaire (32:03.458)
They all loved it. And then I got on stage with them and I could do like the backing vocals of, they had a song called Creeping Death. And I was just supposed to say, death, death. And I think they turned the microphone all the way down, but still I was standing there in front of that audience with Metallica just realizing, wow, this is the best idol that I've ever found. So.

Justin Gardner (@rhynorater) (32:05.103)
That's awesome.

Joel Margolis (teknogeek) (32:05.57)
So crazy.

Justin Gardner (@rhynorater) (32:11.945)
What

Inti De Ceukelaire (32:30.282)
Yeah. And that's basically, I mean, that was pretty cool swag. And they're just, you know, then I was, I was working at, in a, in a grocery store. I quit my job the same day. I was like, I'm going to do this with my life. And I guess it's sometimes timing and being a little bit lucky and just keep on. I think your first bug is the hardest bug. And I just, you know, once I got there, everything followed.

Joel Margolis (teknogeek) (32:35.438)
Dude.

Justin Gardner (@rhynorater) (32:55.888)
Yeah.

Joel Margolis (teknogeek) (32:56.086)
Yeah, for sure. I definitely, that's a common thing that I've seen with new hackers and I mean, old hackers too, but like finding that first bug, some of it is timing and some of it is just like, there is like a natural, like, you know, acumen or whatever towards hacking, where some people just, it clicks like really quickly and they're able to just be like, oh, like that's all I have to, that's what's considered hacking. I can definitely do that. And then they just like, go do it. Right. And for other people.

Justin Gardner (@rhynorater) (33:16.475)
Mm.

Justin Gardner (@rhynorater) (33:22.151)
Mm.

Joel Margolis (teknogeek) (33:25.634)
takes a little bit and they find that first bug and then it clicks, and then they understand that that's what hacking is. But I think whatever it is, like, there's always that light switch moment where you find it finally, sort of like you understand, like, oh, that's hacking. Like, I always like to say that hacking is not a skill, it's a mindset, and it's a way that you have to think about stuff. Like, you just have to take ordinary situations and you have to kind of flip it on its head and say, okay, like, if I approach this from a different angle,

Justin Gardner (@rhynorater) (33:30.862)
Mm.

Inti De Ceukelaire (33:36.333)
Yeah.

Justin Gardner (@rhynorater) (33:40.953)
Mmm.

Justin Gardner (@rhynorater) (33:45.585)
Mm.

Joel Margolis (teknogeek) (33:53.894)
I use this system in a different way. I could, you know, abuse this in some unintentional manner and I could make it do things that it never was intended to do or never expected that it would be doing. And that's, that's what hacking is. It's, it's not like, you know, all this like, oh, I'm going to put a balaclava on and sit in the dark. Like, no, it's like, you know, you're just like putting somebody else's ID in where it shouldn't be or something like that.

Justin Gardner (@rhynorater) (34:06.374)
Mm.

Justin Gardner (@rhynorater) (34:11.471)
Hahaha

Justin Gardner (@rhynorater) (34:16.888)
Yeah.

Inti De Ceukelaire (34:17.042)
Exactly, and so many people also think that you need this huge technical skill set. That's the problem of some people, lots of people that I've talked to, especially I see this with CTF players a lot, like, oh, I'm not good enough yet, I need to learn more. But then I will ask them, like, when do you think you've learned enough? Because some of these bugs are embarrassingly easy, but you know, you just need some persistence. I remember this story from, I mean,

Justin Gardner (@rhynorater) (34:39.466)
Mm-hmm.

Inti De Ceukelaire (34:45.258)
I was just sitting downstairs and all of a sudden my wife came down and she said, I found it, I found it, I found it. I was like, honey, I mean, she works in HR and communications, by the way. I was like, what did you find? And she popped the cross-site scripting while she was doing online shopping. And I was like, how did you? She was like, I saw you doing that. Remember a couple of months ago when you, I finally asked, what is that mysterious cross-site scripting thing?

Justin Gardner (@rhynorater) (35:03.431)
Dude.

Inti De Ceukelaire (35:13.878)
And I showed her that, she remembered it, and she was like just entering it in every single search bar of every single website that she would come across. And then months later, yeah, she found it, and she then expected a bounty, but I had to tell her, like, no honey, not all websites have a bug bounty program. And stop doing this by the way, because this will get you in trouble.

Joel Margolis (teknogeek) (35:22.306)
Hahaha, that's awesome.

Justin Gardner (@rhynorater) (35:32.55)
Yeah.

Joel Margolis (teknogeek) (35:34.15)
The harsh reality.

Justin Gardner (@rhynorater) (35:38.32)
Yeah, exactly. Wow, that's super hilarious though. And it is like you guys were saying, that sort of flash moment. And you see it. Sometimes it comes a little bit sooner and sometimes it comes a little bit later. And I was talking to a friend the other day. We actually ended up recording it. So I think we'll probably put out some shorts or something like that a little bit later. But it was just a really good authentic conversation with somebody who's newer to hacking.

but has a high propensity, has that, that clearly has that mentality, right, for hacking. And he's already found a bunch of bugs, you know, in a hardware device actually, just from playing around with it and bypassing stuff. And, you know, we were just kind of talking about that. And I think that is a blessing and a curse, that propensity, that, you know, ability to do it right off the way, right in the beginning, because, you know, when you have a natural knack for it,

and you find some bugs right away, you have to grind a little bit less. And then when you go up against a target that doesn't match with your style, it becomes very disappointing and very challenging and really destructive to your ability, your self perception as a hacker, right? And so, yeah, it's a double edged sword, I always say to people that are kinda coming in and it's great if you've got it, but if you don't, you're gonna learn what hacking really looks like most of the time.

which is sitting there reading the JavaScript files, playing with the endpoints, opening 500 repeater tabs until your eyes bleed, and then finally, you know, breaking in.

Inti De Ceukelaire (37:11.822)
There's always a better hacker and, you know, you may be super happy with the bug that you found, or you may not find a bug for a week or something. But I especially got this during live hacking events, when you see, maybe you had a bad day or maybe the target was just not for you, and you see all these people making so much money on exactly the same things that you've been looking at. And then, you know, I just remember

Justin Gardner (@rhynorater) (37:13.893)
Yeah.

Justin Gardner (@rhynorater) (37:20.868)
Mm-hmm.

Mm-hmm.

Inti De Ceukelaire (37:37.782)
I try to then look at previous scoreboards and see, oh yeah, but in last events, they were way behind me. So it just all evens out. Nobody can be good at anything. My personal technique was totally different than other people's technique. And sometimes that technique pays off. What I would do is I would really try to first set myself an objective. What do I want to achieve? I'm the hacker, I'm the attacker. What kind of data do I want?

Justin Gardner (@rhynorater) (37:43.248)
Mm-hmm.

Mm-hmm.

Justin Gardner (@rhynorater) (38:02.757)
Mm-hmm.

Inti De Ceukelaire (38:05.31)
And then I would look for the most exotic ways to get there. Like, not the standard ways. I wouldn't even test, like, the search bar for cross-site scripting, let's say during a live hacking event, because even if it only takes 15 seconds, it's gonna be a waste of time just making an invoice for that $3 split that you would be getting. So.

Justin Gardner (@rhynorater) (38:09.252)
Mmm.

Justin Gardner (@rhynorater) (38:23.887)
Mm-hmm. Yep, yeah, exactly. Yeah, that's a very important part of, I think.

And something we've talked about as well, Joel, in the past, this sort of goal-setting piece. And I think it's core to a lot of hackers' mentalities. And I think it really allows you to, I tested this in a live hacking event recently, and I achieved both of the goals that I was going for. And I think it allows you to really set up something that you want that's very critical and then get there. But for me, I only got those two bugs during this event. It was like those two bugs and nothing else, because I was just laser focused on that.

Definitely do miss stuff when you go after that.

Inti De Ceukelaire (39:06.422)
But I would rather find nothing and learn something than finding a lot of mediums and earning maybe a little bit more. But I've had so many occasions where I had this great idea that is totally show and tell, work deep, and I just can't make it work. But then the next event or the next engagement, I tried that idea again, and I just have, you know, I saved my notes, crazy ideas.

Justin Gardner (@rhynorater) (39:13.063)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (39:23.505)
Mm-hmm.

Justin Gardner (@rhynorater) (39:30.299)
Yeah.

Inti De Ceukelaire (39:32.254)
And I tested them and it may work on another target. There's so many times where I just, even after watching other people's show and tells, you go home, you test something on different targets and it just works. And that is always nice. I've had hackers reach out to me after live hacking and say, Hey, you know what you presented there? I tested it at some of the other targets that I was working on. It worked and they offer me a 50-50 split, which is always, I mean, they shouldn't even do that, but I think it's, it's quite a nice gesture.

Joel Margolis (teknogeek) (40:01.866)
Yeah. And I think that objective based hacking, I mean, it's something that I see so commonly in so many like of the top hackers is that like, even if it's just how they started hacking, like for example, very common, common example that you gave yourself into is that game hacking, like a lot of people, either they're not good at games. So they, that's the like start using cheats or writing cheats or like getting into hacking games that way, or they want to like, you know, beat their friends or whatever, like, and so there's like that drive, there's like that objective that like.

I want to win at this game, how do I win at this game? Like, let me find all the ways that I can win at this game. And even if it's not like traditional hacking, it's figuring out ways to exploit the system and to, again, that hacker mindset of like reworking the situation and setting that objective and figuring out how you can get there in a creative way that still works within the bounds of that system. So I was curious to that extent, like for example, Intigriti XSS challenges, how is that like something that

Justin Gardner (@rhynorater) (40:51.664)
Mm.

Inti De Ceukelaire (40:52.878)
100%, yeah.

Joel Margolis (teknogeek) (41:01.562)
is helping to train that skill set while also being a real world example. Do you think that having an objective like that is really useful? Because it feels like it's basically the same thing. Like you have an objective, you know this is vulnerable to XSS. The question is how.

Justin Gardner (@rhynorater) (41:04.166)
Mm.

Justin Gardner (@rhynorater) (41:15.383)
Mm.

Inti De Ceukelaire (41:15.726)
Uh-huh. Good question. I think with, so we've actually stopped doing solely cross-site scripting challenges because people were asking for different stuff as well. But the, the thing about cross-site scripting is that there's just so many ways and it's, it's also, I mean, whenever we try to do a challenge, we have like one criterion. What do people actually learn from this? And it's not about like,

Justin Gardner (@rhynorater) (41:24.696)
Mm.

Inti De Ceukelaire (41:43.466)
In all transparency, it rarely occurs that we will see one of these payloads actually ending up working on some of the programs because they're so exotic, but it does help us filter out the people that are willing to go that extra mile and willing to do some research and then, you know, maybe then they will put the same effort into debugging GraphQL, for example. Some hackers will see a GraphQL endpoint and there it stops, you know, they move on. But we really need these people that are.

Justin Gardner (@rhynorater) (41:51.035)
Mm.

Justin Gardner (@rhynorater) (42:06.359)
Mm-mm.

Justin Gardner (@rhynorater) (42:11.279)
Mm.

Inti De Ceukelaire (42:13.638)
extremely good, not necessarily already have the knowledge because I guess you can just figure out most of the knowledge you need on a specific target in a week unless it's maybe hardware, but even then like programs like Intel they've set up fantastic educational tracks for people just to learn how that stuff works. Yeah, I think it's on the platforms to help educate people.

with challenges, but also to enable educators. Because we cannot do this alone. And that is like, if there's one thing that I'm proud of with Intigriti, it's that I think we were one of the first platforms to actively engage with the creator community, like sponsoring people on YouTube, et cetera. Just like in the first place, just to give them something back. And we were so small, we didn't have the biggest budget, but still to say, hey, this is really cool.

Justin Gardner (@rhynorater) (43:00.077)
Mm.

Inti De Ceukelaire (43:12.09)
And it's also interesting to see, even as a small player, what kind of an impact that made on the, dare I say, hackfluencer scene in general.

Justin Gardner (@rhynorater) (43:20.817)
Mmm.

Yeah, absolutely. And I really liked what you were touching on just a moment ago with the XSS challenges. They don't necessarily, and sometimes they do, equip hackers with knowledge that they need to actually exploit a bug on a program. But what they do, what this does result in, is you identify hackers that are willing to go that extra mile to learn the thing that they don't know and make that happen.

Right? And I think that's one of the key skills in hacking and especially in bug bounty is this concept of like, okay, I know just from my general, you know, inch deep knowledge that this is sort of roughly possible, or I have a suspicion that this is roughly possible. Let's take this larger understanding of web architecture of, you know, browser mechanics of API, you know, structure and apply it.

and try to learn the details that I need to make this specific bug work. And it's almost never all in the brain. You almost always have to Google something. You've almost always got to fiddle with your exploit for 20, 30 minutes at least. And I think that's the kind of skill that really, really takes you far in hacking.

Inti De Ceukelaire (44:20.556)
Mm-hmm.

Inti De Ceukelaire (44:36.734)
Yeah, I would call it like learning how to brainstorm on your own. Lots of people can't like, what really helped for me is just to get a notebook and to just start scribbling things and like start drawing diagrams, et cetera. Like, okay, here's my goal, here's all. And just like a lot of people are very good in the brainstorm if they're with a team. They're just taking a moment. I mean, you can also buy a whiteboard and start.

Justin Gardner (@rhynorater) (44:41.028)
Yeah.

Justin Gardner (@rhynorater) (44:49.459)
Mm.

Justin Gardner (@rhynorater) (44:56.988)
Love that.

Inti De Ceukelaire (45:03.638)
like putting post-its on that. You don't need any other people from that. And sometimes it can be relieving to be away from the screen. It can be very, very stimulating from your brain to just like, I would try to limit my screen time and try to do most of the thinking while I was walking. I need to walk around in order for my brain to function.

Justin Gardner (@rhynorater) (45:23.044)
Mmm.

It's so common, yeah.

Joel Margolis (teknogeek) (45:27.242)
Yeah, I will say some of the best thinking moments I've had are when I've had a light bulb or something just clicked, I've been either on the toilet or in the shower. It's like every time I'm just sitting there thinking, just like I've got nothing better to be doing, and then it just snaps and I'm like, oh shit, go, pop the bug.

Justin Gardner (@rhynorater) (45:38.7)
Yeah.

Inti De Ceukelaire (45:39.022)
Okay.

Inti De Ceukelaire (45:48.294)
Man, sometimes it also brings you in embarrassing situations or uncomfortable situations like I remember, I'm not sure, I don't think I can reveal the target, but basically I found this vulnerability involving email bounces that would basically result in a full account takeover, zero click. And I was working on that for like three or four days already, took the plane, didn't figure it out, bought like the crappy wifi, but

Justin Gardner (@rhynorater) (46:07.588)
Mm.

Inti De Ceukelaire (46:16.374)
didn't help, that's an over 15 bucks loss, because I was not able to guess like a T-Mobile number. Usually on United, if you just guess a T-Mobile number, you can get in. Not eligible for a bug bounty, by the way. But I arrived and we went for a drink with some people that I haven't seen in years. And after the second beer, like there's something with the second beer always, all of a sudden I was distracted, I was thinking of my bug and it clicked and I...

Justin Gardner (@rhynorater) (46:22.815)
Yeah.

Justin Gardner (@rhynorater) (46:29.5)
Uh.

Justin Gardner (@rhynorater) (46:39.488)
Mm-hmm. Ballmer peak.

Inti De Ceukelaire (46:45.61)
Remember apologizing, saying, I'm so sorry, I have to go to the hotel right now. I just took some cash, smashed it on there, and I ran to the hotel because I could no longer wait. I had this thing and it needed to happen then, and that's when it happens. But it also happens, you know the feeling at 2 a.m., right before you want to go to sleep,

Justin Gardner (@rhynorater) (47:06.785)
Yep.

Inti De Ceukelaire (47:06.818)
that you find like, oh, one more request. It's like gamblers like, oh, one more spin. And then all of a sudden you're like, oh, I'm hitting the jackpot. And next thing you know, it's 8 a.m. and your wife gets up and she wonders, what the hell have you been doing last night?

Justin Gardner (@rhynorater) (47:17.339)
Haha

Justin Gardner (@rhynorater) (47:21.163)
Oh my gosh, dude, I definitely feel that with the, right before you go to bed. So many times I'll be like three, right? I'll go to bed. This is normally my peak is three here. Like I can't, there's no 8 a.m. for Justin. Justin goes to bed at four or, yeah. But I'll go to bed, I'll go to bed at three, I'll be laying in bed just as I'm about to fall asleep and then.

Joel Margolis (teknogeek) (47:22.946)
So true.

Justin Gardner (@rhynorater) (47:45.603)
You know, the eyes, the eyes shoot open and I get out of bed and I'm like, I've got it and you go downstairs and you get it and it's so common, you know, you mentioned before as well, such a common theme with top hackers that, um, you know, going for a walk, taking a shower, getting in the hot tub as I always endorse, um, it gets the brains going in it. And especially when you're trying to exploit something and you're very close, this isn't necessarily going to help you, you know, when you're, you don't really have an active lead, right? Um,

not very likely but you know if you do have an active lead and you're about to exploit something you just can't get it taking that step away helps so much

Inti De Ceukelaire (48:20.898)
Yeah, or talking to somebody about it. And there's a lot of people that want to collaborate with something that I really appreciated about live hacking events is like the happy hour with the customer. And then you see like some sort of people, some people will just hang around with the hackers, other people, if it's one hour, they will spend every minute of the 60 minutes, they will spend like screening the customer, talking to them and seeing.

Justin Gardner (@rhynorater) (48:33.098)
Mm.

Justin Gardner (@rhynorater) (48:49.008)
Mm-hmm.

Inti De Ceukelaire (48:49.782)
Like I remember Frans Rosén's first question would be, where would you look if you were to find a critical vulnerability? And very often they would call it something and some people would call it social engineering. I call it surprise collaboration. But I mean, at the end of the day, everybody wins and typically, the customer is very, like we recently had the live hacking event as well.

Justin Gardner (@rhynorater) (48:54.627)
Yeah. Yep.

Justin Gardner (@rhynorater) (49:01.765)
Mm-hmm.

Hahaha!

Justin Gardner (@rhynorater) (49:08.327)
Surprise collaboration, I like that.

Inti De Ceukelaire (49:19.082)
And we came up with the crazy idea, hey, can we just have some sort of system where we can have hackers grep through the source code if they have a very good suggestion. And I loved how that team was, yeah, why not? I mean, we have NDAs signed. So, and they're like, I believe that some people found some really good bugs because of that. And I'm looking to extend that principle, depends on whether the customers want it or not, to other live hacking events as well. Because you know the feeling that you're

Justin Gardner (@rhynorater) (49:27.267)
Mm-mm.

Justin Gardner (@rhynorater) (49:39.575)
Oh absolutely.

Inti De Ceukelaire (49:48.218)
Almost there and like I can spend another 10 hours on this or focusing on something else I want to know how many bugs people have lost simply because they didn't find that last mile and Yeah

Justin Gardner (@rhynorater) (50:00.207)
little smidgen yeah that's brilliant

Inti De Ceukelaire (50:05.738)
And typically a co- Yeah? Go ahead.

Joel Margolis (teknogeek) (50:05.814)
We've seen this with, well, at the most recent event, AWS, I think we could say this, AWS did this thing called bar raisers, where essentially they had a couple people who were employees who worked at the company, and if you were really close on something or you felt like you could raise the impact somehow or you had something that you just thought, like, might just need some escalation, you could bring it to them, and they would help you escalate it from an internal perspective, like, oh, here's what you can do with this, here's how you can help.

Justin Gardner (@rhynorater) (50:12.858)
Yeah.

Justin Gardner (@rhynorater) (50:34.16)
Wow.

Joel Margolis (teknogeek) (50:35.082)
you know, raise that impact. And I think that's so valuable because yeah, like a hacker can get to that level. I we've, we've all seen it. Like certain hackers get to the point where they're like at or beyond what an employee is in terms of like their internal knowledge of how the internal systems work, but getting there takes so much time and effort that having a shortcut makes it so much easier and such a better hacker experience to just say. Yeah. Like I'm, I'm like one step away. Can you save me five hours?

Justin Gardner (@rhynorater) (50:48.859)
Mm-hmm.

Justin Gardner (@rhynorater) (50:59.043)
and more productive.

Joel Margolis (teknogeek) (51:04.794)
or five days worth of trying to escalate this and just like help me help me get that last bit because if I was a determined hacker or like a third-party adversary or whatever I would definitely spend that time but I don't want to right now and like making it easier so much so much like it just makes it so much better

Justin Gardner (@rhynorater) (51:05.355)
Mm-hmm.

Inti De Ceukelaire (51:07.618)
Yeah.

Justin Gardner (@rhynorater) (51:07.771)
Yeah.

Justin Gardner (@rhynorater) (51:19.471)
Well, it's not just I don't want to.

Justin Gardner (@rhynorater) (51:25.183)
It does. And it's not just, I don't want to either. It's, it's also like, let's, let's work together to make this a most efficient process, because then, you know, is what are you going to do once they save you that five hours, you're going to go hack other stuff, right? And so I have this conversation with the team a lot, you know, in live hacking adjacent, you know, sort of scenarios or even live hacking events, um, where it's like, okay, Hey, I've got this thing. Um, and, uh, I know it's, I know I am positive that it's, it's going to be, uh, you know, exploitable.

I just need this one piece of information. I can spend five hours exploiting it, or you can give, you know, look at the code, just tell me what the route needs to be, and then we can just say, you know, all said and done, and I go and find other vulnerabilities for you in that five hours, right? So it's really a win-win, and I'd love to hear that, Inti, you know, that you guys have integrated that in some scenarios at Intigriti. Grepping through source code would be such a huge asset. So that's really cool to hear. So...

Okay, so we've talked a lot about methodology, we've talked about live hacking events, we've talked about all sorts of fun things. Like we mentioned sort of before, and unlike your experience on national television, Critical Thinking is a very technical podcast and we like to get in the weeds about technical stuff. So I was thinking when before you came on the podcast, I was like, man, what are some cool bugs that Inti's found? And then like...

Like you said, like 16 of them, you know, came into my head. The ones that I thought would be the most interesting would be the ticket trick, that weird little CSS injection font weirdness that you found at that live hacking event, that bug crowd live hacking event, and somehow you're presenting it to us inside of like a little train car. Do you remember that? That was weird. Yeah, I know, right? Yeah, that was, it was, little mini show and tell.

Inti De Ceukelaire (53:12.626)
Yeah, not sure if that was legal, but it was a surprise show and tell.

Justin Gardner (@rhynorater) (53:19.875)
And then this password slash API key capture bug. So I guess, you know, take your pick. Where do you want to start?

Inti De Ceukelaire (53:31.274)
Maybe let's start with the CSS injection because it's, I mean, in essence, it was just a terrible bug, but it resulted in me getting plain text passwords. And it's always like, how do you, like, I've had a few, I even had like a content injection that the actual impact was remote code execution because, you know, I could just inject something in a code that people were supposed to.

Justin Gardner (@rhynorater) (53:34.266)
Okay.

Inti De Ceukelaire (53:57.266)
like copy and paste and execute as root on our system. So that.

Justin Gardner (@rhynorater) (54:00.335)
That was my first live hacking event, by the way, when you did that and I was like, who the heck is this guy? You know, so that's amazing. Yeah, I remember that.

Inti De Ceukelaire (54:05.448)
I'm sorry.

Yeah, that one was really simple. But then the CSS one, I mean, I feel really sorry for the team. I wasn't doing particularly great. And you know, the feeling where you're like, I'm exhausted of this target. It's pretty hard. And, but I had this one little bug and I was like, I just want to max this out. So I wrote this like nine page report that I don't think anybody read in the end. I think they just.

Justin Gardner (@rhynorater) (54:23.419)
Yeah.

Mm-hmm.

Inti De Ceukelaire (54:35.834)
called me and said, we don't have time for this. Like give us a demo, give us a TLDR, because we're not going to triage this. I do understand that. But what I did is I found the CSS injection and basically the only thing I could do is like add a font and change like the position and basically style of the page. I couldn't even, yeah.

Justin Gardner (@rhynorater) (54:39.96)
Right.

Justin Gardner (@rhynorater) (54:43.353)
Yeah.

Justin Gardner (@rhynorater) (54:58.269)
So was this a CSS injection by a query parameter? Was it a post body request? Was it an upload? It was stored, okay.

Inti De Ceukelaire (55:03.018)
was stored. So basically, yeah, it was like some sort of online collaboration thingy. And I could just, like, as an other platform user, I could send you like an invite and it would kind of show up on your, on your homepage. So I basically had like, I could not pop any cross-site scripting, tried really hard, didn't work, but I could mess around with the styles. But because it was on the homepage, I was like, hmm.

Justin Gardner (@rhynorater) (55:09.808)
Mm-hmm.

Justin Gardner (@rhynorater) (55:19.948)
Oh sure, yeah yeah.

Inti De Ceukelaire (55:31.766)
This is not a login page, but what if I can make it look like the login page? And then I started just moving all stuff around and around and around because you cannot like with the CSS injection, you cannot really add elements easily. You have to just work with the elements and every single element you can probably like make it look totally different. But then at the end of the day, I wanted to have like a hundred percent match of the login page.

Justin Gardner (@rhynorater) (55:47.163)
Mm-hmm.

Justin Gardner (@rhynorater) (55:57.371)
Yeah.

Inti De Ceukelaire (55:57.706)
And then I took like a text box and what was interesting about the text box is that if people, it was basically a form where people, I don't remember exactly what it was, but let's say in the event of me inviting you that you could type something back, like maybe a chat. Yeah. Something that I could see if you would like hit enter. And I would take that as the password field. So basically then I found the font because, you know, nobody.

Justin Gardner (@rhynorater) (56:07.847)
Mm.

Justin Gardner (@rhynorater) (56:13.263)
Like a comment or something. Yeah, yeah.

Inti De Ceukelaire (56:27.19)
would just see their own password and then submit it. So I found the font that it's like all dots, like it's really like, you know, the black dots if you type a password. And I would just replace for that specific form field, I would replace that with the black font style. I think I made the font myself, it didn't exist or something, but I made it myself. Yeah, and I hosted it somewhere and it got loaded. And then basically what ended up happening is that

Justin Gardner (@rhynorater) (56:29.904)
Right.

Joel Margolis (teknogeek) (56:38.363)
Hahaha

Justin Gardner (@rhynorater) (56:49.972)
Yeah, you mentioned that you had, yeah.

Inti De Ceukelaire (56:57.054)
I would send you this invite, you would open your, like it was stored, so next time you would go to the page, you would see the login screen, and you would just try to login. And even though it was not a password field, it would look like a password field, you would press login, nothing would happen, but you had then sent me a chat message with your

Justin Gardner (@rhynorater) (57:20.667)
Oh my gosh, dude, that is like an amazing vulnerability. Okay, so you send us, you know, like an invite or something like that. It gets there, you trigger the CSS injection. The CSS injection allows you to reorder elements. So like, maybe you like grabbed a div or something like that, you know, put it as white background, overlay it over the whole page, you know, position, absolute, right? And then you took elements from the page, moved them around.

put them into spot to make it look like the homepage. And then whenever they would press the submit button or whatever, that would, yeah, the login button, right? That would take their password, which was concealed via a custom font and send it directly to you.

Inti De Ceukelaire (57:57.299)
Login, yeah, login basically.

Inti De Ceukelaire (58:02.858)
chat.

Inti De Ceukelaire (58:06.39)
Yeah, exactly.

Joel Margolis (teknogeek) (58:08.755)
So crazy.

Justin Gardner (@rhynorater) (58:08.831)
Oh my gosh dude, I just, I don't know that I fully understood that when you did that show and tell. I have goosebumps right now, man. That is amazing. And actually, and so, but I do remember that day. One thing that I do remember from that conversation we had in that little weird train car thing was that CSS is a lot more powerful than I thought it was, right? So I've been looking at CSS in bugs ever since and one of my highest paid bounties at this point well into the five figure range.

was a CSS injection bug. So thank you for that, for one. But for two, this actually reminds me of a bug that I found that I'll just mention really shortly, quickly here, which is very similar, actually. You'd send an invite and it would go to the homepage and it would be stored and there was a CSS injection, but it was only in an image, right? So you could define the background image, right? So what I did was I put the logout URL there.

Right? As that background image. So every time they log in, it would go to the homepage, it would load up my invite and then it would log them back out. And so it dosed the whole application. And so these sort of like, I think being exposed to these sort of creative attack vectors, like reordering the whole page or like reinforcing the logout, those should really expand your attack vector ideation and help, you know.

Joel Margolis (teknogeek) (59:13.898)
you

Justin Gardner (@rhynorater) (59:33.139)
you understand what kind of bugs are possible out there. So, Inti, thanks for sharing that, man.

Inti De Ceukelaire (59:36.126)
Yeah, and it's not about the bug per se, because a lot of people will say, oh, CSS injection must be low, cross-site scripting must be medium. That doesn't always count. I mean, you will have programs that are more receptive to the actual impact, and we always encourage them to. Obviously, when it comes to CVSS, it may be a little bit more tricky because then, you know, CVSS doesn't really consider, at least not CVSSv3. If...

Justin Gardner (@rhynorater) (59:57.532)
Mm-hmm.

Inti De Ceukelaire (01:00:03.882)
Like it's the password that you're stealing or something else. And yeah, then maybe you would argue that you could have full control, but you know, it can get messy quite quickly. Well, last example, now that I'm thinking about it, about a cool CSS injection that I once found that I think got over 5k reward, maybe it was 6k. That was like in, I won't tell the service, but it was some sort of document signing service, like

Justin Gardner (@rhynorater) (01:00:09.219)
Mm.

Justin Gardner (@rhynorater) (01:00:13.356)
It can.

Justin Gardner (@rhynorater) (01:00:24.568)
Mm.

Inti De Ceukelaire (01:00:32.742)
I just knew that it had some legal importance. And I found a way within the PDF that would first preview to the user before they would sign it. I had this like CSS injection. There's not a lot you can do with it because at the end of the day, they read it and they sign it. And both the CSS injection was present on the front end and in the actual downloaded PDF, that would be the official PDF that is now legally by...

Justin Gardner (@rhynorater) (01:00:35.792)
Mm.

Justin Gardner (@rhynorater) (01:00:51.601)
Mm-hmm.

Justin Gardner (@rhynorater) (01:01:01.318)
Mm.

Inti De Ceukelaire (01:01:01.386)
So the only thing I did is I put like an image over the whole screen, like over the whole page. Um, but then I looked at the user agent. So I, this was an externally hosted image and my user agent would do like, depending on the user agent, my, my server would like file a normal contract the moment they would see it. But the moment that the PDF parser would do its thing and make everything legal.

it would see that it's now like PDF, Wiki, whatever, like some sort of library. And it would serve a totally different document still with their signature on it. So I could basically have people sign whatever I wanted just by having a CSS injection, server side CSS injection. That was also in the front end. So just by looking at the user agent, I was able to, you know, that impact is quite high of course, because you can just...

Justin Gardner (@rhynorater) (01:01:39.081)
Oh no.

Joel Margolis (teknogeek) (01:01:39.49)
Hmm.

Inti De Ceukelaire (01:01:56.502)
then you can start gaslighting people like, oh, you didn't read the contract properly and you can just change it afterwards. It was a mess. And I'm very happy that the company properly assessed that. Yeah.

Justin Gardner (@rhynorater) (01:02:03.311)
That's sick.

Justin Gardner (@rhynorater) (01:02:07.351)
Yeah, that's a very high impactful. Joel, this makes me think of a bug. I don't know, like a bug by Jon Bottarini. Did he tell you about that bug last year? Okay, so Jon, I don't know, we gotta have Jon on the podcast sometime, but the TLDR of it with being, you know, vague is that he found a way to force the company to violate a bunch of like...

Joel Margolis (teknogeek) (01:02:17.355)
I don't think he did.

Joel Margolis (teknogeek) (01:02:22.818)
For sure.

Justin Gardner (@rhynorater) (01:02:32.699)
standards that the government has set up that have penalties in place. Right. So he's like, he's like, all right, I, I submit this request and it sends off this chain that like registers something with some third party, you know, government thing, right. And essentially because there was a rate limiting bug there, he could do it a bunch of times and it would result in just like massive fines for the company, like 15 K a pop sort of, sort of, uh, fines for the company.

And they like, like he reported this bug and the legal team like was in contact with him within the next like, you know, five hours, like, please, you know, let's have a conversation about this. And I just think like, that is like such a Jon bug for one, you know, like just very thoroughly understanding the whole system, even to the point where you understand the fines that are in place in, you know, from a governmental perspective that affects this sort of functionality.

It's beautiful to see bugs like that.

Joel Margolis (teknogeek) (01:03:31.094)
Yeah. I think one of the things that I love about sort of all the bugs that we're talking about right now is that if you were to take this from like a purely like a bug, like classification standpoint, like what kind of bug is this? Probably most of them would just be like immediately considered like out of scope or whatever, because like either phishing or HTML injection or whatever, right? But it's not, it's not about that. It's about figuring out like what is the security impact.

Justin Gardner (@rhynorater) (01:03:48.399)
Yeah, yeah, or lows.

Joel Margolis (teknogeek) (01:03:58.846)
What is the risk model for this company and how do I target my bug to apply perfectly to that risk model? Even if classically it would be like out of scope, how can I make it in scope by figuring out the way to make it impactful for this company? And I think a lot of times hackers will find a bug. They'll be like, oh, this is, you know, HTML injection. Let me move on, find something more severe, find an IDOR or whatever, and they just like leave it as is, but

Inti De Ceukelaire (01:04:07.394)
Mm-hmm.

Joel Margolis (teknogeek) (01:04:27.422)
If you stick around and you like really persist and you take a little bit of extra time and effort and you figure out what is that threat model, how do I apply this to the threat model in a meaningful way, you can really escalate the impact of those bugs to take something that would typically probably not even be worth a bounty, might not even be worth a report and turn it into something that is super critical, super high, like definitely worth a bounty and one of those like forever stories that you're gonna tell about an awesome bug that you found and how you escalated it.

Justin Gardner (@rhynorater) (01:04:55.152)
Yeah.

Inti De Ceukelaire (01:04:55.23)
Yeah, absolutely. And I think that making the translation between a risk model and program guideline is still something that we as bug bounty platforms, that's a problem that we need to solve.

It's a really difficult problem because CVSS is quite, in terms of expectation management, at least you can debate about metrics. So still it's not perfect. I'm looking forward to see if it's this before. But then again, how do you properly translate? Because not every company as well is, like I understand this, willing to share their risk model with the outside world, especially if they have like a...

Justin Gardner (@rhynorater) (01:05:31.228)
Mm-hmm.

Inti De Ceukelaire (01:05:33.526)
the bug bounty program. So I think that like in terms of transparency that is still one of the challenges that or unsolved problems that we'll have to tackle in the next few years.

Justin Gardner (@rhynorater) (01:05:38.471)
It's tricky.

Justin Gardner (@rhynorater) (01:05:44.091)
Yeah, yeah, totally agree. So let's hop back over to another vulnerability, the ticket trick. I think this is probably the bug that you're most well known for, having found it, discovered it, built the logo for it, got it out there. Yeah, yeah.

Inti De Ceukelaire (01:06:02.838)
Give it a name and a logo and you're good.

Joel Margolis (teknogeek) (01:06:06.382)
Did you give it a domain and a logo before you found it?

Justin Gardner (@rhynorater) (01:06:10.515)
Mm-hmm, yeah.

Inti De Ceukelaire (01:06:12.111)
Initially I wanted to, and the report is public initially, I believe I wanted to name it horrible decision. I wanted to name it Slackdoor, you know, backdoors, but...

Justin Gardner (@rhynorater) (01:06:20.667)
Oh, oh, I thought he was gonna say, I wanted to name it, Horrible Decision.

Joel Margolis (teknogeek) (01:06:21.432)
Oh wow.

Inti De Ceukelaire (01:06:27.158)
No, no, no. The Slack... The Slack Corporation rightfully did not agree with that. Because it was not even their problem. So, you know, we went for Ticket Trick.

Joel Margolis (teknogeek) (01:06:27.786)
Yeah, same. I mean, that's one way to describe bugs.

Justin Gardner (@rhynorater) (01:06:33.607)
It's Slackjack.

Right. No, that's great. So just give us a little high level overview of that, and then maybe you can talk about some of the ways that you've used that bug to gain access to organizations.

Inti De Ceukelaire (01:06:46.316)
Yeah.

Inti De Ceukelaire (01:06:50.466)
Um, again, it started with, I was just bored and I picked a random program, which was GitLab. I think it was even like a VDP back then. Um, and I saw that they had like this, I was, you know, I'm, I've always been intrigued by, by emails. I think there's, I found a lot, lots of bugs, but I think my most interesting bugs had something to do with email.

What makes email so interesting is that basically bypasses all the security application logic, like stuff like 2FA, et cetera. If I can get into your email, I can probably like reset your password, but also like there's a whole bunch of information that these email systems will just send like links to exports, whatever. Um, so I was always intrigued by that. And I saw this, this feature of GitLab that you could send something to them.

at gitlab.com email address to create a ticket. So I was just messing around with that. And at first I was trying to send over payloads, attachments with a PHP file, whatever, I didn't even realize that GitLab is not running on PHP at all. I was a skid back then. But then I was like, but what can I, this is a behavior. And a behavior plus a good story can be a vulnerability. And...

Justin Gardner (@rhynorater) (01:07:58.169)
Mm-hmm.

Hahaha

Joel Margolis (teknogeek) (01:08:04.674)
haha

Inti De Ceukelaire (01:08:13.162)
That is actually what it turned out to be, because then I was also like, okay, what kind of other data do they have? And where are these people working with, what are they working with on a daily basis? I was going through their job section, doing some reconnaissance there, and they were presenting themselves. They're quite transparent, quite open, and they said, you know, we do a lot of things through Slack. So I went to their Slack page, I was like, I want to get into this Slack. There must be so much interesting information in there.

Um, and of course there's a couple of ways to do it. The traditional ways are just like, maybe try to hijack a work integration, try to hijack the accounts. But I saw that anybody with an @gitlab.com account could simply sign up. So I was like, Hey, let me like grab this email address that I got for my ticket tracker on GitLab. And it was like a very long email address and paste it in there because it was a valid @gitlab.com email address. So.

Justin Gardner (@rhynorater) (01:09:12.066)
Mm.

Inti De Ceukelaire (01:09:13.438)
I pasted the lenders, I checked, I pressed, okay, I want to sign up for the Slack. Slack said, okay, we've sent a registration email to that email address. And surely enough, a new ticket got opened on my instance, saying, Hey, welcome to the GitLab Slack. Because you know, it was a valid @gitlab.com email address. And yeah, that's how I got into their Slack. They were still a VDP back then. They went.

to a paid program like a couple of months later, which I still regret. But I told the CEO, which is a really cool dude, I met him during a live hacking event, like in some sort of karaoke bar, it was a weird setting. And I told him about this, like, yeah, I probably got you one of your most impactful bugs outside of the platform. And I got nothing for it because you were still a VDP. And the cool thing then was here.

Justin Gardner (@rhynorater) (01:09:43.968)
No.

Justin Gardner (@rhynorater) (01:09:55.611)
Mmm.

Justin Gardner (@rhynorater) (01:10:04.582)
Yeah.

Inti De Ceukelaire (01:10:10.402)
He took his wallet, took $100 in cash and just handed it over to me and said like, thank you so much. And okay, it was only $100, but he didn't have to do that. He still did it then. I really appreciated the gesture.

Justin Gardner (@rhynorater) (01:10:14.696)
No way.

Joel Margolis (teknogeek) (01:10:14.988)
Ha ha.

Justin Gardner (@rhynorater) (01:10:21.831)
Dude, that's so meaningful. What an amazing way to connect with the hacker there. That's, yeah. Right? That's so cool. Man, what a cool guy and what a great story and what a great bug. Yeah, I've always been fascinated by that and I've never actually found one myself. I've read your research time and time again, but I've never actually gone down the, you know.

Joel Margolis (teknogeek) (01:10:23.598)
That's awesome.

Inti De Ceukelaire (01:10:26.75)
Yeah, because it was his own money. So he couldn't get that expensed, right. So really appreciate it.

Justin Gardner (@rhynorater) (01:10:49.155)
you know, the rabbit hole to find one. And the reason for that is, and I've seen plenty of places where I can do like, you know, send an email to, you know, at whatever.com sort of situations. But the problem for me is I have a hard time finding things like Slack and like, you know, I think maybe Asana was vulnerable for a little while or something like that where I can utilize that email. So how do you do that?

Inti De Ceukelaire (01:11:15.682)
So the thing is Slack actually mitigated the part of the problem. They didn't have to do this, but right now, if you were to sign up for Slack, you will get like an invitation email and it will say like, no reply, dash, and then a very long random token at slack.com. And I really appreciated that because even though it was not necessarily their problem, that's a misconfiguration on the client side. They still understood that this could have been really impactful.

Justin Gardner (@rhynorater) (01:11:23.347)
Mm.

Inti De Ceukelaire (01:11:44.914)
And they implemented it, they changed the way that they... So I could basically no longer sign up for certain services with, for example, noreply@slack.com. So I would just get a ticket. And that would typically make it a little bit harder. But yeah, it's been, it's one of these bugs where not a single instance is the same and the impact can be greatly different.

Justin Gardner (@rhynorater) (01:11:55.74)
Mmm.

Justin Gardner (@rhynorater) (01:12:07.729)
Mmm.

Inti De Ceukelaire (01:12:11.858)
different, but like the base scenario is typically, look, sometimes what happens is that a company has like a help desk, and typically the user management system is not properly aligned, because companies don't really build that themselves, they still need a way for users to view their tickets.

Justin Gardner (@rhynorater) (01:12:12.817)
Mm.

Justin Gardner (@rhynorater) (01:12:30.45)
Mm.

Justin Gardner (@rhynorater) (01:12:33.702)
Mm.

Inti De Ceukelaire (01:12:33.738)
And what sometimes ends up happening is that people have an account on the platform itself, but not really on the ticket portal, on the service desk. So what you can sometimes do if you know where to find like the self-registrations or API endpoints for these things is you create an account in their name. Sometimes they will not require you to validate your email address and then you can see all of their open tickets, which is, or every email that they sent to that email address to like support

Justin Gardner (@rhynorater) (01:12:58.991)
Wow, dude.

Inti De Ceukelaire (01:13:03.018)
You can hijack, but also knowing that people will send stuff like GDPR requests, et cetera, to there. It's always interesting to try and sign up with a victim email on the support instance, because then you can start intercepting emails to support at from the email address.

Justin Gardner (@rhynorater) (01:13:09.412)
Mm-hmm.

Justin Gardner (@rhynorater) (01:13:22.391)
Yeah, yeah, that's extremely impactful. And all of these email things are super fascinating. I know we've only got, I think you have a hard stop in 10 minutes. So I do wanna, and unfortunately we're not gonna get to everything that we had on the list for today, but I do want you to give us a quick overview of the time you used to capture Tupone Company. Can you tell us a little bit about that?

Inti De Ceukelaire (01:13:31.49)
Yeah.

Inti De Ceukelaire (01:13:46.486)
Yeah, absolutely. It was like some sort of password manager and one of the, I was just browsing around and I saw that my own like test Facebook password was being displayed in plaintext on the website. So just like in an API endpoint. And that's normal, right? Because password managers in essence, they have to store your plaintext password, you know, that's, that's the only company that has a valid use case to do this. They literally need it to function.

Justin Gardner (@rhynorater) (01:13:51.238)
Hmm

Justin Gardner (@rhynorater) (01:14:01.7)
Hmm.

Justin Gardner (@rhynorater) (01:14:05.227)
Mm-hmm.

I have to do that, yeah.

Joel Margolis (teknogeek) (01:14:14.667)
I was gonna say, I don't think that's normal.

Justin Gardner (@rhynorater) (01:14:16.895)
Yeah, yeah, but yeah, with password managers, it makes sense. Yeah.

Joel Margolis (teknogeek) (01:14:19.254)
But in this case, yeah.

Inti De Ceukelaire (01:14:20.562)
Yeah, exactly. That's literally like the only case. And still then I think there's like some mitigations around it still. But back then it was pretty normal. So I was looking at my own password and I was like, oh damn, like I cannot, like it's probably pretty bad because if somebody has like a cross-site scripting bug on that asset, you can just grab it. But that was not the case. It was pretty well isolated. But I did notice that you could embed it into any page.

Justin Gardner (@rhynorater) (01:14:44.641)
Mm-hmm.

Inti De Ceukelaire (01:14:49.362)
So you could just put it in like an iframe. And then I could, for example, make websites, like just in here's your Facebook password.com. And I would literally show you your Facebook password just by embedding that on my page. But you know, how sandboxes work is that I couldn't act like as the owner of that website, I would not be able to access that information. I could only display it to you. So that is of course where your hacker mindset

Justin Gardner (@rhynorater) (01:14:52.635)
Hmm. No X-Frame-Options. OK.

Justin Gardner (@rhynorater) (01:15:09.982)
Mm-hmm.

Inti De Ceukelaire (01:15:18.734)
start holding up and then you have to figure out, okay, I can display this to my victim. How can I make them give it to me? And naturally I was just thinking of captchas because that's the only kind of scenario where somebody is shown something and they type it back to you. But nobody, literally nobody would ever just be like, oh, let me solve this captcha and be like, oh, that's my password. I mean, unless you use one of these randomly generated, then it's quite funny.

Justin Gardner (@rhynorater) (01:15:34.244)
Right.

Justin Gardner (@rhynorater) (01:15:41.468)
Hmm. Pfft. Ha ha ha.

Joel Margolis (teknogeek) (01:15:43.822)
Ha

Inti De Ceukelaire (01:15:49.062)
I would isolate because I knew what the top letters were. I would isolate all the letters, like work with the average length of a password and add something more to that. And then try to fit them all like in a captcha box, applied a whole lot of CSS, CSS is wonderful, like filters on it to make it.

Justin Gardner (@rhynorater) (01:15:54.813)
Mmm.

Justin Gardner (@rhynorater) (01:16:01.571)
Mmm.

Inti De Ceukelaire (01:16:11.174)
seem a little bit distorted, so every letter would be tilted and a little bit distorted at a different degree. So it would look like a valid captcha and I would also like shift them around.

Justin Gardner (@rhynorater) (01:16:19.187)
It looked like a captcha too, man. I swear to God. It was so- looked so much like a captcha.

Inti De Ceukelaire (01:16:24.746)
Yeah, I would also like flip them around. So all letters would be at random positions and people wouldn't really recognize the passwords anymore. You know, if you're putting in a captcha, you don't expect this, but certainly you won't think, oh, maybe this is an anagram of my password. So, yeah, it just it just worked. And I was able to during the show and tell to present like this captcha that would actually just feature people's passwords and they would put it in and submit their plain text, Facebook, Google, whatever password to me.

Justin Gardner (@rhynorater) (01:16:33.829)
Right.

Justin Gardner (@rhynorater) (01:16:40.164)
What the heck?

Justin Gardner (@rhynorater) (01:16:48.111)
Mmm.

Joel Margolis (teknogeek) (01:16:53.738)
Oh wow.

Justin Gardner (@rhynorater) (01:16:54.311)
Oh my gosh dude, that's amazing. Could you imagine typing in a captcha and be like, wait, this is a perfect anagram for my password, you know? Like that's...

Inti De Ceukelaire (01:17:03.664)
Yeah!

Justin Gardner (@rhynorater) (01:17:04.571)
That's hilarious. And I think, you know, another way you could even, and I don't think this attack works anymore because of the way SameSite cookies would work. You wouldn't be able to iframe in a page and have the cookies still sent to it cross-origin, unless they have SameSite set to None on those cookies. But you know, the other thing was like, everyone knows that time when they have to submit a captcha like two or three times too. So if it was longer, right? Like you could, you could say, all right, the first eight characters are going in this one. And then they, you know, they submit it and it's gonna be like, no.

Joel Margolis (teknogeek) (01:17:05.174)
Ha ha ha.

Inti De Ceukelaire (01:17:32.77)
Yeah.

Joel Margolis (teknogeek) (01:17:34.006)
Nah, try again.

Justin Gardner (@rhynorater) (01:17:34.091)
And then, and then try again, and then, you know, it's the next eight characters or whatever. It like, you could, you could get up to like, you know, 16, you know, 20-something, you know, length of password. So I thought that was such a creative, yeah, and you presented this at a live hacking event and it looked exactly like a captcha. And I was like, I would absolutely do this, you know, like, and it's, that was terrifying to me.

Joel Margolis (teknogeek) (01:17:45.954)
Yeah, just keep failing this captcha, I don't know.

Inti De Ceukelaire (01:17:52.331)
Yeah.

Inti De Ceukelaire (01:17:58.094)
I believe I called it the gotcha book rather than the, yeah, gotcha.

Justin Gardner (@rhynorater) (01:18:00.279)
The gotcha. That's it, dude. So freaking good. Well, that's awesome, man. Yeah, we only had a couple. Go ahead, Joel.

Joel Margolis (teknogeek) (01:18:01.922)
That's awesome.

Amazing. Cool.

Joel Margolis (teknogeek) (01:18:09.758)
Well, I was just going to say like before we run out of time, I did want you to talk a little bit about the upcoming live hacking event for Intigriti. I know we're like kind of hard pivoting here, but again, we only have a couple of minutes. So would you mind giving us sort of a rundown of sort of what's going on and what's coming up and all that kind of stuff?

Justin Gardner (@rhynorater) (01:18:12.591)
Mm-hmm.

Justin Gardner (@rhynorater) (01:18:16.183)
Mm. Yeah.

Inti De Ceukelaire (01:18:20.814)
All right. Sure. Yeah, I'll just give a TLDR because I do have a hard stop. But yeah, we're running a pretty exciting live hacking event with Intel in October in Lisbon. It's going to be their first biggest live hacking event ever. We've done education live hacking events or smaller scale things with them before. But this one is going to be insane. The targets, I can tell you, are going to be...

Justin Gardner (@rhynorater) (01:18:30.352)
Hmm.

Justin Gardner (@rhynorater) (01:18:35.527)
Mmm. Yeah.

Justin Gardner (@rhynorater) (01:18:44.586)
Mm.

Inti De Ceukelaire (01:18:50.794)
very good. We always try to take care of our hackers as well, making sure that they not only get the opportunity to find really good bugs, but also get the opportunity just to have fun and to socialize and basically do that community building around the Intel program. Yeah, and one of the things, and maybe that's the last thing I can say about that, one of the things that I really appreciated about this kind of event is that basically...

Justin Gardner (@rhynorater) (01:18:51.84)
Oh my gosh.

Inti De Ceukelaire (01:19:17.854)
Intel is kind of democratizing live hacking events a little bit. So they're like for local hackers and for people that happen to be around, etc. They could just like apply for non-sponsored seats. So, you know, that there's always this mysterious group of people that always gets invited to live hacking events. And even there we have rules for, but to some people it seems like it's, you know, we're just inviting our friends and that's only true.

Justin Gardner (@rhynorater) (01:19:21.971)
Mm.

Justin Gardner (@rhynorater) (01:19:30.48)
Yeah.

Justin Gardner (@rhynorater) (01:19:42.954)
Mm.

Inti De Ceukelaire (01:19:43.906)
There's a lot of parameters that come into play, but still people sometimes really want to go. And what I really love about this concept is that people can just pay for their flights and go there and have fun and do it. And I, yeah, I really think that is a cool concept that we are exploring for other events as well, because I think that everybody at least should have the chance in their lifetime to attempt one of these.

Justin Gardner (@rhynorater) (01:19:48.794)
Yeah.

Justin Gardner (@rhynorater) (01:20:05.751)
Mm. Yeah, dude, that's awesome. I know so many people really appreciate that. I've been talking to people and that has been making a ruckus in the community for sure. You know, people are really excited about that. Joel and I are both going to be there. We're both very excited for it. So, yeah, really looking forward to it. Inti, thanks for coming on, man. We can find you. Actually, you have two Twitters, so I don't know which one you want to call out. OK.

Inti De Ceukelaire (01:20:28.887)
Yeah. Take security. That, yeah. So I have NTDC, but that's my Dutch account. Sometimes I tweet in English. It's, it's quite confusing. So that's, that started off as my radio account. So that is also why I have a huge Dutch follower base on there. And I've made freedom Dutch, but everything bug bounty related, it's going to be securinti. Yeah.

Justin Gardner (@rhynorater) (01:20:33.519)
That's your Dutch account. Okay.

Justin Gardner (@rhynorater) (01:20:39.169)
Okay.

Justin Gardner (@rhynorater) (01:20:43.129)
Right.

Justin Gardner (@rhynorater) (01:20:48.023)
Securinti on Twitter. Okay, awesome. Anything else you wanna shout out with your socials or Intigriti or anything?

Inti De Ceukelaire (01:20:54.576)
Shout out to you guys for setting this up and creating content for the rest of the community. I think it's super valuable. I love what you guys have been doing and I look forward to see more of it in the future. You guys are my heroes, so thank you.

Justin Gardner (@rhynorater) (01:20:58.308)
Hmm.

Joel Margolis (teknogeek) (01:21:10.158)
Well, awesome. Thank you very much.

Justin Gardner (@rhynorater) (01:21:10.324)
Thanks, Inti. That's awesome, man. We'll definitely be looking forward to the live hacking event and seeing you on the Intigriti platform. All right. See you, man.

Inti De Ceukelaire (01:21:19.394)
See you soon. Bye bye.

Joel Margolis (teknogeek) (01:21:19.862)
Yeah. All right, see you.