Last month saw the inaugural SensePost hackathon happen in our new offices in Brooklyn, South Africa. It was the first time the entire company would be in the same room, let alone the same continent, together and away from the pressures of daily work constraints. The idea was simple: weeks before the date, we sent out emails to everyone in the company (not just the tech teams but everyone) to think about ideas, tools, approaches or new business lines that they felt would make us even better at what we did.

Hackathons are used by many tech companies to give their employees breathing space to work on new ideas. Google and Facebook are big fans and Facebook's Like button was conceived as part of a hackathon. Getting everyone together at the same time was no mean feat, the term 'herding cats' springs to mind but on the week of 12th of November, all SensePost'rs were in our new offices and ready to break, build and develop.

Prior to the event, we asked everyone to think about what they wanted to work on. As mentioned above, there was no specific guideline as to what anyone could come up with, as you can't force creativity. After a brainstorming session, the following ideas were given and solutions made during the hackathon period*:

1. SensePost World App

A mobile application (multi-platform) that will streamline the process of receipts, expenses, travel requests, holiday leave etc.

2. SensePost IRC Bot

A IRC bot that will offer:

1. Integration with our internal twitter clone
2. SMS functionality to summon $person
3. Location whereabouts functionality (who is in the office, who's at a client etc.)
4. Cool links functionality
5. SensePost short URL functionality
6. Ability to call $username via Gtalk/Skype

3. SensePost SMS Gateway App

An application that allows us to utilise SMS from a company-wide perspective, including:

1. Ability to receive OTP passwords to a central number
2. Ability to send passwords to clients via web interface (for sales)
3. Ability to send HackRack passwords to clients via web interface

Rogan decided to use kannel to interface with a GSM dongle in an Ubuntu server. This exposed a web API. Glenn then wrote a Python script to monitor for new mail arriving to a SensePost email address, which then dispatched SMSs via kannel.

4. Magstripe Hacking

Having moved into our new fancy offices, we decided to look at the current implementation of magstripe used to work out if we could read the data, clone the data and create free parking for us (at the same time, potentially looking for flaws in the magstripe implementation). The magstripes on the parking tickets were very unsual. Between the reader in the office, and Andrew Mohawk's more advanced ones, we could not get a consistent read. It is possible that the cards use an unusual arrangement of tracks. Typically there are 3 horizontal tracks at predefined heights. If the tracks are at unusual heights we may have been getting interference between said tracks. Andrew has tried to dissect one of the cards, but no luck yet.

Watch this space. 5. AV VirusTotal Project

Rather than submitting our payloads to VirusTotal (who then inform the vendors), we will create our own version that uses all vendors, to determine if our custom payloads could be detected.

6. SensePost Green Project

A project to make our business greener in approach and ideas. How responsibly were we using resources? What was our consumption of electricity and water like and could it be made better?

With teams created and everyone clear on what they had to do, 48-hours were given to create the above ideas. Food, drink, hardware and toys were provided. Vlad brought some amazing Russian Vodka and energy drinks were supplied.

Whilst the older farts faded quickly (I'll put my hand up, 1am and I was broken), the younger crowd went through the night and into the next morning. From simple ideas at first, fully-fledged solutions were designed and then developed in a short space of time. The idea was that once the hackathon 48-hour period was over, everyone would present the results and we'd head outside to our balcony to have a traditional SA braai (barbecue)

The cool thing about the hackathon was that some of the top ideas came from traditionally non-technical people, such as our finance wizard who came up with the idea of the SensePost world app. This was the outcome that we wanted: to prove that you don't need to be a heavy tech-orientated person to come up with meaningful projects or ideas.

Overall the 2012 Hackathon was a brilliant time had. Some amazing ideas have come to light, ones that will see us pushing offensive approaches and also ones that will have an impact on the way we work at SensePost.

For those thinking about running an internal hackathon, I'd say go for it. Giving people the space to work on ideas with likeminded colleagues will only bring benefits.

*There were other projects, but they won't see the light of day as of yet, so will remain confidential until the time is right.

Hola amigos,

We will be running our elite "Combat Training" at the BlackHat Briefings in Barcelona this March (talk lineup) and this course is the flagship of our established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to "capture the flag". The trainers are highly skilled (as well as having the standard Southern African humour, looks, and charm) and the course is full of new hacks.

I was involved in the training last year, and I'd highly recommend you come along. The BlackHat vibe was fantastic, the people were great, and the city was bustling. So, if you're interested in sharpening your skills, and would like to do so in a great environment, click here to sign up for Combat Training.

Other than the course, I'd recommend you see the sights while you're there. I thoroughly enjoyed my time in Barcelona last year. After the civil war the Catalan identity exploded and it's a nice alternative to the traditional Spanish culture. Whether it's visiting the last cathedral in the world still under construction, or wandering the Montjuïc hill with breathtaking views, or relaxing by the amazing beaches, Barcelona is a wonderful destination. Also, if you're lucky, you could catch a game by the best football team in the world.

So, to summarize:

What? Hacking by Numbers, Combat Edition Where? BlackHat Briefings, Barcelona, Spain When? March 15-16 Can I still signup? Yes

Adiós, Glenn

Hey. Charl here. Lots of stuff is happening on the training front right now (ed: right now!), and I wanted to make sure everyone is aware of it.

1. New schedule published

At the start of the year we always try publish a schedule of when and where our various training courses are happening. Of course it changes a bit as the year progresses, but its a pretty good overview of where you need to be if you want to participate in one of the courses. The current 2011 schedule can be found here.

2. Early registration discount extended

If you're thinking of participating in the Extended Edition course happening in Pretoria in March, you've missed the early registration discount cut-off. But there's good news! We're extending the early-bird registration deadline by one more week until Friday February 18th. So register now to enjoy discounted rates.

3. New course - "Building Security In" - with ThinkSmart

In partnership with SensePost, ThinkSmart's "Building security in" training course is a one-day, detailed review of the practice of building secure applications, from the governance drivers for application security to practical examples of how to defend against common vulnerabilities. We're pleased to be offering this course, in series with our own "Developer Edition", the next time we run it in July.

4. Hacking By Numbers "Combat Edition" - Barcelona - Now Open

As if you needed an excuse to visit Barcelona, we're pleased to announce that we'll be running our acclaimed "Combat Edition" at the Black Hat Briefings there on March 15-16. This course is the flagship course of the established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to "capture the flag". In the SensePost tradition, the solutions lie much more in technique and an out-of-box thought process than in the use of scripts or tools. Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures. Our trainers travel a long way to get to Barcelona, they're very charming and good looking, the course is full of sexy new hacks, and we'd really appreciate your support. To be a part of it register here.

After hearing our talk was accepted at BlackHat, we're happy to announce that our training will be back for it's 9th straight run. Speaking of a run, we're going to be hosting the usual marathon of courses: cadet, bootcamp, combat, web 2.0. But, while the names remain, we've spent some time updating the material. In particular, bootcamp, combat & web 2.0 have been through the ringer. We're hoping to get some detailed info on the updates out in the coming weeks.

In the meantime, if you're interested, check out our BlackHat training page, or sign-up.

In a cheap marketing ploy to introduce our new twitter account and remind people of our training, we're running one of those retweet competition things on twitter. In short, retweet this tweet, and if you're going to BH Vegas this year, you could win free attendance to one of our courses of your choice. That's worth about $2 700 at regular prices. Cheap marketing tricks for us == expensive training for you. We won't force you to tweet about how good looking we are (we are very good looking), or ask you for you password.

I wanted to remind folk that the CFP for the ITWeb Security Summit closes on 26 Jan 2009. You can check it out at http://www.itweb.co.za/events/securitysummit/2009/. Local (ZA) should please make themselves heard, but the organizers are also sponsoring travel for international speakers so if you ever wanted to visit the gool ol' RS of A (that's in Africa) then here's your chance....