>> From the Hard Rock Hotel in Las Vegas, It's theCUBE, covering HoshoCon 2018. Brought to you by Hosho. >> Okay, welcome back everyone. We're here for CUBE's live coverage here in Las Vegas for HoshoCon. This is the first industry conference where the smartest people in security are together talking about blockchain security. That's all they're talking about here. It's a bridge between multiple diverse communities from developers, white hat hackers, technologist, the business people all kind of coming together. This is theCUBE's coverage, I'm John, for our next guest Anand Prakash, who's the founder for AppSecure. He's also the number one bounty hunter in the world. He's hacked everything you could think of; exchanges, crypto exchanges, Facebook, Twitter, Uber. Welcome to theCUBE, thanks for joining me. >> Uh, thank you John. >> So, you've hacked a lot of people, so let's, before we get started, who have you hacked? You've hacked an exchange. >> Yeah. >> Exchanges plural? >> Most of the exchanges. >> Mostly the exchanges? >> Yeah, ICOs. >> ICOs? >> Yeah, and bunch of other MNCs. >> Twitter, Facebook? >> Twitter, Uber, Facebook, and then Tinder. Yeah. >> A lot. >> Yeah, a lot. I cannot say the name. >> You're the number one bounty hunter. Just to clarify you're a white hat hacker, which means you go out and you do a service for companies. And it's well known that Facebook has put bounties out there. So, you take them up on their offer, or-- >> Yeah, so basically companies say us, hack us, and we'll pay you. So, we go and try to hack their systems, and say this is how we are able to discover a vulnerability, and this is how it can be exploited against your users to steal data, to hack your systems. And then they basically say, this is how much we are going to pay you for this exploit. How did you get into this, how did you get started? >> So, it started with a simple Phishing hack in 2008. It was an Orkut phishing hack, and one of my friend telling me to hack his Orkut account. And I Googled, how to hack Orkut account, and I wasn't having any technical knowledge at that point of time. No coding, no knowledge, nothing. I just Googled it and found ten steps, and I followed that ten steps. Created a fake page, I sent it to my friend, and he basically clicked on it, and there it is, username and password. (laughs) >> He fell for the trap >> Definitely, >> right away. >> Yeah. >> So, quick Google kiddie script kind of thing going on there, which is cool. Okay, now you're doing it full-time, and it's interesting here, this is the top security conference. Those are big names up there, Andreas was giving keynote. But I was fascinated by your two discussion panels, or sessions. Yesterday you talked about hacking an exchange, and today it was about how to hack Facebook, Twitter, these guys as part of the bounties. This is fascinating because everyone's getting hacked. I mean you see the numbers. >> Yeah. >> I mean, half a billion dollars, 60 million here, 10 million. So, people are vulnerable and it's pretty easy. So, first question for you is how easy is it these days and how hard is it to protect yourself? >> So, the attacks, the technologies, and then attacks are getting more sophisticated, and hackers are trying newer and newer exploits. So, it's good for companies and descryptpexion just to employ ethical hackers, white hat hackers, and moodapentas, and bunch of other stuff to secure their assets. So, it's, you wouldn't say for companies not doing security, then it's very easy for someone like us to hack their systems, but there were companies doing Golden Security. They are already have an internal security team, external folks securing their systems, then it's difficult. But, it's not that difficult. Let's talk about your talk yesterday about the exchange. Take us through what you talked about there that got some rave reviews. How did you attack the exchange? What did you learn? Take us through some of the exchanges you hacked and how, and why the outcome? >> Yeah, so, we have been auditing bunch of ISOs and exchanges from past two months, and quite a good number. So, what we see is most of them, don't have security, basic security text in place. So I can log into anyone's account. They have a password screen on the UA, but I can simply type it in without, without no indication or alteration, I can just log into anyone's account, and then I can get fund's out of their system. Very similar to, one issue which we found in talk in sale, was we were able to see PIA information of all the users. All the passwords details and everything, who has done KYC. So, there are lot of information disclosures in the API. And the main thing which we hackers do is we try to test this systems manually instead of going more into an automated kind of approach, running some scanner to figure out sets of hues. So, scanners are, sorry. Scanners are obviously good, but they're not that much good in finding out all the logical loopholes. >> So, you manually go in there, brute force, kind of thing? >> Yeah, not exactly, not that brute forcing, >> Not brute force. >> but of our own ways of doing things, and there are lot of good bounty hunters or white hat hackers, who are better than me and who are doing things. So, it becomes more and more sophisticated. We don't know when you get hacked. >> So, when the bounties are out there, does Facebook just say, hey, go to town? Or they give you specific guidance, so, you just, they say go at us? What do you do? >> Yeah, so basically the publicist sends some kind of legal documentation around it, and some kind of scoping on the top targets to hack. And then, they basically publish their reward size, and everything, and the policy and everything around. And then we just go through it. We try to hack it and then we report it to their team, via channel, and then they fix it, and then they come back to us saying, this is how we fixed it and this is what the impact was, and this is how much we're going to pay you. >> And then they just they pay you. >> Yeah, my yesterday's talk was mainly focused on hacking these ICOs, and descryptpexion in the past. Some of the case studies which we have done in the past, and obviously we can't disclose customer names, but we directed some of the information, and showed them how we helped them. >> What should ICO's learn, what should exchanges learn from your experience? What's the walkaway for them? Besides being focused on security. What specifically do you share? >> Yeah, so to be very frank, I know few of the companies and bunch of companies who don't appreciate white hat hackers at all. So, these are ICOs and crypexinges. So, the first and foremost thing they should do is, if they are not having any internal, external, if they are having any internal security team right now, then they should go further back down the program to make sure people like us, or people like other white hat hackers, go and hack their systems and tell them ethically. >> How does a bounty, how does someone set that up? >> So, uh-- >> Have you helped people do that? >> Yeah, so, our company does that. We help them setting up a bug bounty program from scratch, and we manage it by our typewriting platforms, and we invite private, and we do it privately, and we invite ethical hackers to hack into their systems ethically. And then we do have arguments with bunch of them, and that's how they're going to secure. >> So, how does that work, they call you up on the phone? Or they send you an email? They send you a telegram? How do they get in touch with, the website? They do face-to-face with you? They have to do it electronically? What's the process? >> For the bounty hunting? >> Yeah, for setting up a bounty program. >> Yeah, for setting up a bounty program with our company, we basically get on Skype call with them, we explain them what is going to be their budget and everything. How good their security team is, and if they are not having any internal security team, what I know, then we never suggest them going for the bounty program because they may end up paying huge amount of money. (John laughs) So, then we basically sell our pen testing services to them, and say, this is, you should go out for a pen testing service first, and then you should go for a bounty program. >> Because they could be paying way too much in bounties. >> Yeah, yeah. >> Yeah, 'cause they don't know what their exposure is. So, you do some advisory, consulting, get them set up, help them scale up their security practice basically. >> Yes, yes, yes. Their entire security team. >> So what was the questions at the sessions? What were some of the things the audience was asking you? Did any good questions come out that you were surprised by, or you expected? >> No, so, all of, so, for the very first talk, about the hacking the crypexion and all, all of them were surprised. They thought putting up a two-factor authentication, or something like that, makes their account secure. But it's not like that. (both laughing) We hack on the APIs. So, it's very, very, very super easy for us most of the time. >> So, the APIs are where the vulnerabilities are? >> Yeah. >> Mainly. >> The APIs, the URLs. >> Yeah. So, you guys use cloud computing at all? Do you use extra resource? I saw a bunch of stories out there about quantum computers, and that makes things better on the encryption side. What's your thoughts on all that, and hubbub? >> Yeah, so mainly we use anomaly intercepting proxy to intercept these calls, which are going on a straight to PS outputting, out of our own SSLP, 'cause the safety we get, and then trusting it. So, we try to plane to the APIs and them doing stuff. We don't need a big, high-end machine to hack into services. >> Gotcha, so you're dealing with them in the wire transmission. So, what do you, tell me about the conference here, what of some of the hallway conversations you've had? What's your observation? The folks that could not make it here, what's it like? What's the vibe like? What's it like here? >> So, they missed lot of things. (both laughing) And um, it was first Blockchain Security Conference, and I've been flying from all over doing the art, to just attend this conference. I was here one month back for Defcon and Black Hat, and for some other hacking event. >> So, you wanted to come here? >> Yeah. >> Yeah, I meet a lot of cool people here. I met so many great people. >> I planned it out even before Defcon Black Hat. (laughs) >> Okay, go 'head. >> I had to go to Hosho. (giggles) >> I think this is an important event 'cause I think it's like a new kind of black hat. Because it's a new culture, new architecture. Blockchain's super important, there's a lot of interest. And there's a lot of immature companies out there that are building fast, and they need to ramp up. And they're getting ICO money, which is like going public, so, it's like being grown-up before you're grown-up. And you got to get there faster. And I mean, that seems to be, do you agree with that? >> Um, yeah, definitely so. A lot of people love putting money into ICOs then what if they go tag, then people don't know about security that much, so, it's a big-- >> So, what are you excited about? Stepping back from the bounty hunter that you are, as you look at the tech industry, security, and blockchain in general, what are you most excited about? What are you working on? >> So, frankly saying, so, I'm looking forward to hack, articulately hack more and more exchanges, and uh, I believe none of them should die the legal tag, but, that's where most of the money is going to be in the future. So, that's the most interesting thing. Blockchain security is the most-- >> Yeah, that's where the money is. >> Yeah, yeah, yeah. >> The modern day bank robbery. It's happening. Global, modern, bank robbery. (Anand laughs) Andreas is right, by the way. (Anand giggles) He talked about that today. It's not like the old machine gun, give me the teller way. Give me your cash drawer, on, it's-- >> That was a very nice talk. >> It's other people from other banks with licenses. >> Yup. >> The new bank robbers. Well, thanks for coming on theCUBE, sharing your story, appreciate it. >> Thank you. >> Great to have you on. >> Thank you for inviting me. >> You're a real big celebrity in the space, and your work's awesome, and love the fact that you're ethically hacking. >> Yeah, by the way, I'm not the world's number one bounty hunter. I'm just-- >> Number two. >> Not number two, maybe, there are lot people out there. >> You're up there. >> I'm just learning and-- >> We could do a whole special or a Netflix series on the bounty hunting. >> Yeah, yeah. (laughs) >> And follow you around. (both laughing) And now, thanks for coming out, appreciate it. >> Thank you. >> Good to see you. >> Good to see-- >> All right. More CUBE coverage after this short break, stay with us. Here, live, in HoshoCon. First security conference around Blockchain. I'm John Furrier, thanks for watching. (upbeat techno music)

>> From the Hard Rock Hotel in Las Vegas, it's theCUBE covering HoshoCon 2018. Brought to you by Hosho. >> Okay, welcome back everyone. It's theCUBE live coverage here in Las Vegas for the first annual blockchain security conference. The brightest minds in the industry coming together, it's called HoshoCon, and it's presented by, and sponsored by Hosho. But it's not their event, it's an industry event. And we're here with the co-founder and president, Hartej Sawhney, who is theCUBE alumni. Great to see you. You guys are doing a great event. Thanks for coming on. >> Yeah, it's always good to see you, and I'm so glad theCUBE is here at HoshoCon. >> So you've talked with us many times, but recently in Toronto about this event. This is not your company's event. You guys are putting it together. You're holding it because there's no other conferences that do this, but it's not just you guys. You guys are bringing the industry brains together. >> Yeah, I mean, we see ourselves as being on the intersection of cybersecurity and blockchain. And (coughs) just getting over a cold, but not a lot of conferences are out there that have a open discussion about cyber security in the blockchain industry. And hundreds of millions of dollars are stolen from exchanges. And 10% of all the money in the ICO space has been lost or stolen. And there's simply not enough platforms for this to be discussed. So, we figured we'd start the first conference that solely focuses on being a blockchain security conference. We chose not to have any ICO pitch competition. And it feels like there's more and more typical blockchain conferences out there, but it's important to be home base for anyone who wants to affiliate themselves with cyber security and the blockchain industry. >> And the depth and breadth of security is changing. We are hearing talks with, unfortunately I won't be able to attend the sessions, we're interviewing people all day, but amazing talks. How to hack an exchange, all these new surface areas. I mean, people kind of generally know they're unsecure, but this growth going on. There's new things happening. This is exposing some of the security vulnerabilities. What is the hot topics in the talk tracks here at HoshoCon? >> We have Anand Prakash, who runs a company called AppSecure. He's one of the worlds best white hat hackers. Who has hacked into the likes of Linkedin, Facebook, Google, all the top names. And to have someone walk us through today, Anand Prakash said, "Here's how you hack into a crypto "currency exchange and here's how they actually did it." And to have a white hat hacker walk us through that, it opens up our eye balls as to how easy it actually was for a Japanese exchange to loose 500 million dollars. That's no small sum of money. And this industry is only going to survive if we together as a community come together and evaluate how was it that 500 million dollars got stolen? And how can we as a community of global lovers of bitcoin make sure that this does not happen moving forward? >> On that exchange hack, 500 million dollars in Japan, was that white hat done or was that black hat? >> It was black hat. Unfortunately the money's not been given back. >> So it's not given back. So that's a half a billion dollars? >> It's half a billion dollars stolen, yeah you know. How many industries are worth just about that much? >> Yes, you could feed a couple countries. This is legit, right? Obviously it's like total, you know, wild west if you want to call it. Stage coach robberies they got the mask on. No one knows who it is. This is real, this is absolutely real. What are you guys doing as an industry? What's happening here to prevent this? What are the key, you know hygiene or social, anti-social engineering? What are the key things that are going on that are solving this problem? >> So, every exchange needs to value security and get a penetration test. Every company needs to make sure that somebody at their company is in charge of their in house security practices. Most companies when you ask them, "Who's in charge of security?" They point their finger at the CTO. The CTO is in charge of architecting the software. You need to have somebody full time, in house taking care of the security. Ideally a CISO and if you can afford it, pay someone five to ten thousand dollars a month as a consultant to come in for a couple of months and take care of your in house security. These are basic things that, you know, surprisingly most bitcoin exchanges often times when they're hacked, they're hacked by a basic phishing attack. That one of your employees opened up the wrong email. They opened up a PDF and the hacker gained access to your computer and is now monitoring your keyboard strokes and stole millions of dollars. Or the exchange didn't get an actual penetration test of their exchange. Or exchanges are listing contracts that have not gone through a professional smart contract audit. These things are now, also we're seeing them service in regulation with central governments. And it seems that all the smaller island nations are spearheading the way in terms of writing clarity on regulation. In Malta, Bermuda, Gibraltar, all of them are trying to spearhead the way. I'm much more excited, to be honest, about some of the larger nations bringing clarity on regulation in the next two to three years. We all can't just move to a small island off the coast of Italy that is infamous for actually laundering money in the gaming space. Yes, now they're trying to bring clean clarity doing KYC and AML in Malta and write a actual regulation about security. And if you're domiciled in Malta and you're a exchange then you can only list a token that's been audited. It's wonderful but at the end of the day Malta is also a part of the EU and if the EU changes their mind, things can change Malta. I just feel like it shows the immaturity of the space. If very legitimate companies are all going to flee to small countries like Malta or to islands like Bermuda. Good on those island nations for being so pragmatic and forward thinking and for bringing legal clarity. I mean if I was in an exchange today, arguably yes you have to go to Malta if you want clarity on regulation and you don't want to be in the United States. Right now, Malta is your choice. I'm just personally a little bit much more excited about the next three years where, I make a joke to my co-founder and I say, "The suits are coming." That we look around these conferences and you don't see that many suits but the fortunate 500, many of them are either writing private blockchains, they're evaluating how they're going to leverage blockchain technology in their major businesses and they're going to leverage decentralized applications and tokenization for already running products that have millions of customers, that are already profitable and then when they get tokenized they're going to be up and running right away. So the next two to three years are going to be very interesting. From Hosho's perspective we've taken a big turn towards catering towards more publicly traded large sophisticated companies. We've partnered up with Telefonica. Telefonica is a Fortune 200 company. Its wonderful to be able to leverage that kind of a brand. To deal with major world wide entities that are publicly traded come to Telefonica and evaluate how they can leverage blockchain technology and get one bundled security package that includes Hosho, Rivets, and Telefonica. >> Yeah the Rivets solution is interesting. It's a hardware based solution. So the subscriber of the phone becomes the entity. It's really interesting and I think this points to new paradigms of security, which I want to get to in a second but I want to just unpack what you said about the small country, big country dynamic. Great for the small countries to be opportunistic. To be creative and capture this opportunity. But people want stability. They want clarity on regulations, yes, but also standards, technical standards. >> We can't all just move to the small country of Malta. >> Yeah I'll be in a plane the whole time. >> It just doesn't work. >> Yeah and by the way the game changes too. Whats the implications of say, Malta decides one day, "You know what?" "We're getting out, we're changing things." A company would have to move their domicile again. So it's a moving train, you don't know what you're going to get. It might be stable now but it's not a scalable opportunity. >> Yeah, people have families and they want to stay where they are. Simple as that. We have large countries that have a strong crypto community that's growing and let's see how they pan out. Singapore seems like a likely next candidate. You have Korea. I would argue to say that the worlds first decentralized application that will be massively adopted will be in Korea. Korea is going to be the place where we have the worlds first decentralized application launched with mass adoption, a paradigm shift. The kind of shift where you forgot what it was like before you used Gmail regularly. >> Yeah, total, total infrastructure change. Alright so I got to ask you the hallway conversation question. Obviously you're very popular here. It's you event, you're sponsoring with the community. I see you talking to a lot of people at the VIP dinner last night. What are some of the hallway conversations that you're having? A lot of interesting people here from diverse backgrounds, in security, technology, some policy, some regulatory, some business, and legal, but really bright minds. What's the hallway conversation like? What are you talking about? >> We're talking about how all of us are going to survive crypto winter that we just entered. We've entered a time where fund raising has become extremely difficult. A lot of funds are simply bleeding. They lost a lot of money and they're not cutting checks right now. So the companies that are going to survive and stick around through this crypto winter, they're making a strong statement and they're going to be the ones that are going to stick around. And a lot of them are here at this conference at HoshoCon. And it amazing to have discussions to see what are the problems that fellow founders are facing? Building companies that will survive this crypto winter. Another thing has been just what are we going to do as a community to self-regulate? Are we going to create self-regulatory organizations? Are we going to let another Moody's get created? What is our viewpoint on regulation in the space overall, right? We love Max Keiser. His viewpoint on regulation is very extreme where he believes bitcoin is a self-regulatory technology. And on the other hand we have people saying, "No, we need to quickly move to regulate the space. "Work with central banks, work with central governments, "and write out the regulations." That's been lot of the hallway conversation. And a lot of other ones that have been really intriguing to me has been people talking about what are things that they have done within their company to protect their employees. Because the reality is in the crypto currency space every single employee of a major company in this industry is a target by naturally being in this industry. And this includes you. We are all naturally targets. And it's not about how much bitcoin you have maybe its about how much bitcoin someone thinks you have. And all of a sudden you become a target. And we need to think about things like our physical security. So some of the more interesting conversations I've been having with people have been around, along the lines of what are you doing to protect you and your family in regards to your physical security? On top of that your online presences. >> So ransoms, people getting kidnapped and or extorted. These kinds of physical pressures? >> Yeah, like ShapeShift has a lot of great stories. Michael Perklin from, the CIS of ShapeShift is here. You should totally talk to him and get him on theCUBE. Michael Perklin has a long list of war stories that ShapeShift has been through. Some of them they went through before he was actually hired as a CISO. And ShapeShift would've also not been hacked of millions of dollars if they had brought on a CISO earlier such as Michael Perklin. I believe they had hired him as a consultant. Did not renew the contract, got hacked, and brought him on as CISO. And he was like, "If you had continued working with me "I would of, this would of been avoided." And that's really-- >> It's foolish. >> One other thing I've seen with ShapeShift actually is online you'll notice that all the employees of ShapeShift, their last names are not online. So on the website it says, their chief marketing officers name is Emily, it says "Emily Shape Shift". And their badges at conferences also says "Emily Shape Shift". These are interesting things to learn from other companies that this is what you're doing to protect your employees from them being hacked. It's very interesting for us to all exchange notes-- >> Shoot I'm out there, (mumbles) everywhere pretty much online. >> Well I'm out there as well. We just got to protect ourselves and we got to think about things like our physical security. People feel uncomfortable thinking about their physical security. They think that, "Oh no we're in America, "we'll just call the cops." What about when we travel? What about when you and I are in a village in Thailand hanging out? We are microorganisms and when microorganisms are hungry they'll do what ever it takes to eat. So if they smell abundance, you and I are in trouble. >> Yeah, we got to be careful. And this is something that you really got to worry about because there's been tons of war stories. Now ultimately when you get back down to the wallet, it's one of the things we've been talking a lot this morning on, with Rivets, was on about the notion of how hard it is for mainstream to use tokens. Where's my private key? This has always been the crypto problem, even with private key encryption. >> Yeah, or should we build a multi-sig wallet to store your tokens in a secure manner? People have been asking us for a long time, Crypto funds, ICO's, "How do we store our tokens!" And our problem was that A, we've either hacked into the other wallets that are available and we saw that they're insecure or the UI and UX completely sucks. So we said lets build our own and so we built our own. >> Are you open sourcing that, is that-- >> No, we're going to be, this is going to be a unique multi-sig wallet that we release, it's not. You're open sourcing the actual code of the wallet or else it's not going to be considered legitimate. >> Yeah, it's good, it's a goldmine. >> It's a profitable venture. >> And that's going to be 100% bullet proof? >> It's going to be very secure. >> Let's talk about Meadow Suite. >> So, we came to a point where our engineers needed better tooling to find security vulnerabilities in smart contracts. And what is available, Truffle, is weak and slow. And so we built Meadow Suite. We built in a long list of tools and a full suite of tooling that we believe are going to be used by a long list of people that are building on the Ethereum blockchain. Including a lot of our competitors. And so we've open sourced it and we're excited for people to check out Meadow Suite. It's on GitHub and our engineers have put a lot of time and effort into it. We even have our own logo for it. >> And the goal is to automate things, make it easier? What's the main, main initial goals? >> I would say, long story short, is to find security vulnerabilities in smart contracts and to build tooling around that. And to effectively build and find vulnerabilities in smart contracts. >> So they build it into their development process natively? >> Correct. >> Alright Hartej great to have you on and hey congratulations for putting on this event. I know we've talked about >> Awesome to be here. it in the past, it actually happened. It's the first inaugural one. >> We had this vision and I'm glad it came through. We had a great global events team. Gabriel Shepherd, and Ryan Shewchuk, and Brad Horspool, and Michelle Yon. And like they've put on conference's the size of Southwest by Southwest. And our vision is, look we're not in the events business. And we're a cyber security business at the end of the day. But we found it necessary that there has to be a conference where there's a platform for people to talk about cyber security intersecting with the blockchain industry. There's got to be a platform for someone to get on stage and say, "Hey here's lessons that "we learned from getting hacked" And if this industry is going to survive, this topic needs to survive. And the brands that want to affiliate themselves with blockchain security and that want to be apart of the discussion. This will be a go to conference every single year. We're going to keep doing it and I look forward to having you at every single one, coming. >> It's been great. And you know what's key is having reputable people working together in a community, building an open community, sharing data, sharing best practices, and having candid conversations. >> Yep, it's the only way to get someone as epic as Andreas Antonopoulos to your conference. I mean my co-founder and I have been looking up to Andreas for so long. Watching videos of Andreas. Watching videos of Max Keiser, Stacy Herbert. To have them here is really just truly remarkable and I'm grateful, I'm honored, I'm touched. I'm touched to have you here. I miss David Vellante, I wish he was here. >> He's in San Francisco, he says hi. He was going to fly in tonight but-- >> He texted me. >> He did, okay. >> Hartej it's great to see you. >> Great to see you >> Congratulations. as well. thank you. >> Great event. Okay we're here live with theCUBe coverage for HoshoCon 2018, the first inaugural security conference on blockchain. Industry leaders coming together. The brilliant, bright minds of the industry working out the solutions, trying to pedal faster. Better security, check it out HoshoCon.com. I'm John Furrier stay with us for more coverage after this short break. (techno music)