Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 103. This week is myself, Michael, with Sarah. Our guest this week is Nick Fillingham, who's here to talk to us about security conferences, most notably Microsoft Blue Hat. Before we get to our guest, let's take a little wrap around the news. I'll kick things off just to get going.
First one is Azure Database for PostgreSQL, my old stomping ground. By the way, that's always Azure Database for PostgreSQL flexible server. It now has support for PostgreSQL Anonymizer version 1.3.2. One of the cool things about Postgres is there's like an extension for absolutely everything. The Postgres Anonymizer we've now updated to 1.3.2, which I assume is a good thing, but we'll provide a link in the show notes.
Next one, and this is awesome to see, I've already talked about this, I think I talk about this kind of stuff every other episode, is Microsoft, especially Azure, the services that we provide are moving, a lot of the services are moving away from using, say, tokens or SAS tokens and that sort of stuff for authentication and authorization. So a dedicated gateway now has RBAC support as opposed to using, say, a SAS token.
So historically this dedicated gateway for Cosmos DB, I should have mentioned that, would use a primary key to the Cosmos DB account. Well now you can use a managed identity. This is incredibly important. I know I've talked about this so much, but I really want to hammer this home. It is incredibly important that we, the industry, move away from using essentially secrets and these sort of credentials that you have to persist and then protect.
So managed identities and Entra ID identities are certainly the way to go because that way the credential information is stored by Entra ID. It's managed and it's rotated and protected and audited by Entra ID and you don't have to worry about it. And the last bit of news that I have is in public preview is Azure Virtual Network IP address management. We've got a tool for it, which is really, really cool because sort of handling IP addresses is like where are all my IP addresses?
It can be a bit of a pain. So now we have a tool, that's a new feature called the IP address management feature, and that certainly simplifies that process substantially. So that's all my news.

So we've got a couple of things in Azure AI Studio that have gone into public preview that you might want to play around with. We've got evaluations for protected material, text based, and then we've also got evaluations for indirect prompt injection attacks.
Now indirect prompt injection attacks are very cool. Oh, well, they're cool and they're very interesting. So that's where you essentially rather than try and jailbreak the prompt directly, you actually get the prompt to go and reference other things that are malicious and then that's how you break the model. It's very, very interesting.
With the Azure AI evaluation SDK, you can now simulate indirect prompt injection attacks and you can drill into the evaluation and of course protect the AI you're building much better. And then the last one that I have for today is the container support for pre-built text PII, which means if you've got container stuff with PII in it, you can actually look at redacting that when it gets into your system. So go and have a play around with that.
That's obviously some security and privacy stuff that definitely at least some folks will need to use. And yeah, that's my news for this time. By the way, just in case people don't recognize this, Sarah's not feeling very well right now. So give her some slack if she feels a bit snotty and a bit under the weather. Yeah. Hopefully I don't feel too well because we all have nice mics, I'm hoping and nice software.
I'm hoping Michael's going to make me sound very good in the post edit, but I actually do have the flu and might sound a little bit croaky today. We need to have a filter in Adobe Audition that says make someone sound like they don't have flu filter. But anyway, all right, so look, let's go and introduce our guests. So this week we have Nick Fillingham, who's here to talk to us, as I mentioned before, about sort of security conferences, most specifically Microsoft Blue Hat.
Nick, welcome to the podcast. Would you take a moment and introduce yourself to our listeners? Yeah, hi. Thank you so much for having me. Hi, Michael. Hi, Sarah. So I'm Nick Fillingham. I'm a Microsoft employee. I work for the MSRC, Microsoft Security Response Center. I run the Blue Hat program, which is, it's been, the Blue Hat program has been going on coming up on 20 years. Started with a conference in 2005, which I was not at, but I do believe one of the hosts of this podcast was.
And yeah, I have the great opportunity to work with security researchers, both inside of Microsoft and then out in the external community to really, you know, I'll say attract and get them to know about our conference and hopefully come and present their findings and their learnings and share what they've found and what they've discovered with the world as part of the Blue Hat conference or as part of some other sort of Blue Hat event,
whether it's a, whether it's our podcast or a blog or some other way that we, that we engage with the community. But that's what I do. It's a great job. I love it. And I've also got a podcast, Blue Hat podcast, which I'll probably plug 25 times throughout this episode. We'll add a link to the podcast and also other material about the Blue Hat conference. So we want to sort of talk just generally about security conferences and specifically about Blue Hat.
So why don't we kick things off with just talking about what sort of common conferences people should really look into, and the different audiences that those conferences expect. And then we'll sort of wrap things up towards the end by going through Blue Hat, like its origins. By the way, I want everyone who's listening to know, we have absolutely no agenda for this whatsoever. Literally our pre-meeting yesterday was let's talk about conferences.
We're all professionals here and we all agreed. That's basically it. So why don't we kick things off in that way with, okay, Nick, what's your opinion? And then Sarah, you chime in as well about the various security conferences around the world and the ones that you feel are sort of the most impactful.
So I think what I love about the security research space, which is a sort of a subset of people, obviously within the broader security community, is that it is a very grassroots organization, or very, excuse me. It's a very grassroots community. And so what I've learned in these last couple of years being in the security research space, and especially looking at conferences, is that there are specialists or just sort of community-based conferences everywhere that are just sort of popping up.
And you really only need someone with an idea and a little bit of energy and a little bit of passion to bring together hackers, researchers, and responders to have a conference. And so you have sort of at the tippy top of the pyramid, you have the Black Hats and the DEF CON, and Black Hat is sort of the commercial side, and DEF CON is sort of more of the underground grassroots community side. And then from there, you have a lot of the sort of regional versions of, especially Black Hat.
There'll be an Asia or Europe version that happens throughout the year. And then you start to sort of filter out into more of the grassroots efforts like your BSides, and then down into individual cons that are happening in certain cities or areas. And I think any community can do this.
It's not exclusive to security researchers, but it really does feel like if you can pull together 20, 30, 40 people in the security research hacker response space, that's enough to have a really interesting set of talks or conversations. And that can be enough to actually spur an event or a conference that in just a few years could actually turn into something.
And I'm sure there are hundreds of other industries or sub-elements of industries where that happens as well, but it's just very cool to see that in the security research space. So yeah, I think you've got the Black Hats and the DEF CONs at the top. And then you've got sort of the BSides somewhere sort of in the middle. I like to think sort of Blue Hat maybe sits around there.
And then you've got all those incredible sort of community meetups and other sort of hacker groups that get together on a regular basis, whether it's 20, 30 people all the way up to several hundred or a thousand. But it's interesting that the hacker space is constantly going backwards and forwards or sort of dancing around the sort of traditional image of the hacker as the hooded, the hoodie, the dark hooded figure at a laptop up to no good.
And certain times that will be embraced and celebrated and other times that will be pushed away in favor of some other sort of emblem. But yeah, it's a really interesting subspace. I'll sort of pause there. I don't know, Michael, you've been around for a little bit longer than me. Does that align with your perspective on security conferences, and maybe with a bent on the research space?
To me, I think Black Hat started out very much as a true dyed-in-the-wool sort of hacking conference for the hacking community. It's a little bit like RSA. Look at this. It's going to sound really cynical. And I don't mean it to sound really cynical, but that's the way it's going to come out. If you look at RSA, right? So the original RSA was really a conference just for cryptographic researchers. I mean, that's really what it was. But now it's very much just a straight up industry event.
I'm not going to say it's not technical. I mean, obviously there are technical tracks and people talk about technical things. But at the end of the day, it's also very much a sales conference. And then Black Hat, I think, started life as a true dyed-in-the-wool hacking conference. Would it be fair to say that, say, DEF CON has taken over the hardcore of the hacking community? I would say that.
Yeah, I certainly think that if you were to put DEF CON and Black Hat side by side, I think even the DEF CON and the Black Hat crew that run those events would agree that Black Hat is maybe more of a suit and tie and DEF CON is more of the rawer, undergroundy sort of community grassroots bottom-up approach. But they sit side by side in Las Vegas every year.
So there's a huge overlap between the two and a lot of sort of connective tissue and the communities very much are overlapped and integrated with each other. Yeah, it's quite normal for people to take to attend both. So they'll do Black Hat first and then the more hardcore folks will stay behind and attend DEF CON. Where do the three letter agencies go? Is it RSA? Is it Black Hat? Is it DEF CON? Where do they go to hire people? I mean, I think they go to all of them.
It's just a question of whether or not those three letters are visible on their attendee badge or not. Yeah, I've heard I actually have heard of people, actually some people that I know quite well attending the conferences under sort of different guises. I have visions of Groucho Marx turning up. So Sarah, you got an interesting perspective as well because you have talked at various security related conferences, but development related, right? I've done, yeah, I've done most.
I've done lots of them, but recently I have been doing a lot more of talking at developer conferences because I think like I am no hardcore security researcher, but I think it's important that we actually go talk as security folk to the rest of IT because they're the ones that we actually need to get on board with doing some of the basics because that's often where mistakes and vulnerabilities come in.
So I have been, yeah, I've spent a lot of time the last couple of years talking at other types of IT conferences because you'll find if you go speak to dev conferences and other types that they are actually often quite open to having a security talk as long as it's pitched in the right way. I mean, they're not going to want a DEF CON hacking talk probably, but if it's a, hey, developers, you've been building this stuff really insecurely, how can we do it better?
That is very relevant for their audiences. So what is interesting is when I go to those conferences, a line that I often throw out, it's a slide that I put in pretty much all the talks, is hands up, who here has ever felt personally victimized by security? And that comes from Mean Girls if you don't know and you're not of the correct generation. But literally when I go to conferences like that, everyone puts their hands up.
And what that tells me is that, and this is sad, but I think it's good that we know this, is that a lot of folks in the wider IT space have had poor experiences with security in the past. And so, whether that's you or someone else, they just generally have quite a negative idea of security, because security just stops you doing things, says no, security is kind of a pain in the butt.
And so I think we as a security industry need to go and do better and probably like try and undo some of the damage we've done with those relationships to prove that nowadays, well, we should be, security is trying to help you. We're not just going to say no, we're going to help you come up with a solution that's better for everybody.
I'm going to say, Michael, with all the work you do nowadays, I'm sure you can relate to this because it is a challenge, no matter if you're a big or a small organization, that security often, security priorities often conflict with other IT and business priorities, but we need to find a better way to deal with that. Yeah, I agree 100%. I think the days of the security people just being curmudgeons whose job it is to stop stuff from shipping and what have you are over.
You need to work together with the engineering teams to help them do the right thing. I'm a big fan of just not being a complete curmudgeon. I'm pretty upbeat about this sort of stuff and just helping people basically ship a more secure product and help them see it as a fundamental part of shipping any product, just like with any other -ility: reliability, scalability, usability, then security. No, it's not an -ility, but you know what I mean. So yeah, I'm a big fan of that.
I do get very angry actually at security people who are just absolute curmudgeons and won't ... almost take great delight in telling people that they're not going to ship their product. I take no delight in that whatsoever. So anyway, yeah, I agree 100%. That's why it's really cool talking to the developer community. I remember many, many years ago I talked at one of the Microsoft Professional Developer conferences a long, long time ago in the late 90s.
Actually, it may have even been the mid 90s. Oh my God, I'm really aging myself now. I talked about SQL injection and I'll never forget the fire marshal came in and was really kind of a bit angry because there were way too many people in the room. But when I actually talked about SQL injection, you could see people get nervous and you could see people getting on there.
But I think back then it may have even been pagers, but they were talking to people back at the office and what have you to go looking for these kinds of issues. Because I actually demonstrated SQL injection and the demo was actually so good that I actually destroyed the demo through SQL injection. I actually deleted the database, or one of the tables that I was going to use during the demo. So I actually cut my demo short, but it kind of made the point.
It's like, oops, I accidentally deleted one of the tables for the demo. Well, I think we're done talking about SQL injection. So yeah, I think the intersection of security and development is certainly an area that I really, really like. Mainly if for no other reason than if you look at the topics that are discussed at Black Hat and DEF CON and BSides and obviously Blue Hat, a lot of them are dev related. They're dev related. Hey, there's a memory corruption vulnerability over here.
All those things riddled with SQL injection, or we've discovered a new class of vulnerabilities. So yeah, I'm a big fan of that intersection of developers and communities. So where does BSides fit in? Nick, is that something you're closer to? Oh, I know BSides. If Sarah knows the true origin, I can take a stab at it, but again, I certainly don't claim to be an expert on that one. Okay, well, I have done quite a few BSides. I think now I've done a BSides.
One of my bucket list things was to try and do a BSides in most parts of the world, or at least on most continents. I've done BSides down here in Oceania. I've done it in North America. I've done it in Europe. I think I've still got a couple of continents to go, but for those who do not know, BSides is, and this is my understanding, though, of course, you can feel free to tweet us if I have this wrong.
BSides started in Vegas, and I have presented at BSides Las Vegas, as kind of an overflow to Black Hat and DEF CON. So it's talking about like the B-side of a record or a tape back in the day. So hopefully everyone on the, well, if you don't know what a B-side of a record or a tape is, go look that up. That means you're too young. But essentially it started as a movement to basically pick up a lot of the great talks that weren't selected at Black Hat and DEF CON.
And if anybody's been involved in a conference, you'll know that generally you get way more talks than you can ever have, even if they're great. And so it can be really sad. Talks can get rejected from conferences. And I think we've talked about this on previous episodes. Talks can get rejected not because they're a bad talk. It's just the agenda is imbalanced. You don't have room, et cetera. And so BSides was set up originally. And I think BSides Las Vegas is the original one.
And I believe it might be coming up for about 15 years old now, to pick up some of those overflow talks and still give the people an opportunity to talk. Now since then, BSides has turned into a bit of a global movement. And so there are now BSides in lots of different cities around the world, all throughout North America, Europe, all over the place. I think they're up to something like 200 plus BSides events.
And the idea with the BSides event is they're all run by individual, it's different people organizing them. But the general ethos is that BSides is a community event. It's a mixture of experienced hackers, but also people who are new and want to get into the field. Often, the BSides will have free or very cheap tickets for students or people looking for a job. There's talks, but they also do capture the flags. They do lock picking. Sometimes they have career villages.
Like I said, it's not like a cookie cutter, exactly one size fits all for BSides. But that's the general gist of what they do. I've been very lucky. I've been to lots of BSides. I'm very sad this year because my hometown BSides, BSides Melbourne, is while I am going to be in the US, so I'm going to miss it, which is the first time I've missed it for a long time. But they're generally very supportive environments.
The idea is that they encourage people who are new to come in and do the thing and even just participate. So I think if you're new into security or you haven't been to a security conference before, see if there's a BSides near you, that's a good place to start. I totally echo that. Yeah, BSides is such a wonderful movement and set of conferences. If you are new to this space or even just want to check it out and see what it's all about, look up if there's a BSides happening near you.
Yeah, a lot of the tickets are either really low cost so that as many people as possible can attend, or sometimes they're even free if they get sponsored by a company like Microsoft or anyone in the industry. So yeah, it's great. Big shout out to the BSides community. So while we're on this topic of the origins of various conferences, let's talk about something that's quite near and dear to all of our hearts for various reasons.
That is Blue Hat. So Nick, as you mentioned, this is something that you are in charge of. So you want to give us an overview of what Blue Hat is, how it started, why is it called Blue Hat, anything that people may not know. Yeah, sure. Thank you. So it started in 2005. Michael, I actually have a still frame here on a monitor of mine to the left of me of you in a very lovely chambray shirt, emceeing a panel of hackers and researchers at the very first Blue Hat.
I don't know if you remember that, but I'll pick your brain on that one in a second. Hold on. You have a picture of me? I do. Okay. Well, ignoring the obvious, you know, why, but can you send that to me? We should probably post that. No, I've got, what I've got is the video recordings of all the sessions from the first Blue Hat. They were, I think they were all filmed on potatoes because the resolution is just disgusting, but the audio is great.
Yeah, the audio is great. And it is, they've clearly been like transferred from VHS or something. There's like tracking marks and tracking lines and stuff. Anyway, but very clearly you, but the audio is great and you can hear the great conversations that are happening. But yeah, 2005, I wasn't there for the beginning, as I said, but I think, you know, there were sort of two ideas. The first was let's bring sort of an external perspective to an internal audience.
This was, you know, around the time of the Trustworthy Computing memo and really a tools-down, let's focus on security and get that right. And, but that there is a need for, you know, I'll say like a reality check, that we sort of, we need those external folk that can really give us a true lay of the land. What's happening? What's the external perspective on the industry and what's the external perspective on Microsoft?
And so one of the reasons it was called Blue Hat was that it was in some parts sort of bringing some of those presenters and sessions, the best of from a Black Hat style conference or even Black Hat specifically and having them come and present internally to Microsoft to folks that were in development and engineering roles in sort of nascent security roles. And that was the first Blue Hat as I understand again, I wasn't there.
So like Michael, how does that track with your understanding, you know, being there and being around the community at that time? Yeah, I remember it well. I remember it very, very well. There is a reason why it's blue. There's a reason why it's Blue Hat and not some other color. And it's because back then you had to be a permanent Microsoft employee to attend, and our badges for permanent employees are blue. Blue badge. Blue badge.
That is the reason why it's Blue Hat. Ah, yes. Yeah, exactly. So it is Black Hat. So you're absolutely right. We would take some of the best talks that we thought were most relevant to Microsoft and we would bring those speakers to Redmond and they would talk. Now, what was interesting, and you can tell me how much it's changed since those days, since the early days, but we would have a day that was set aside with condensed material just for execs, right?
So the likes of, you know, Brian Valentine, who was running Windows at the time, and Paul Flessner, who was running SQL Server, and, you know, all the other folks running various products would also attend and it would be just for the execs, no one else. And then on the subsequent days, that would be the development teams. And the reason why we did that was just so that the, you know, you may have a different conversation with an exec, you know, as opposed to with an engineer.
So yeah, so that was, I thought was a brilliant idea. The other thing that really amazed me sort of from a cultural perspective is there was no resistance to this whatsoever. Like people were quite happy to hear, you know, areas where their products could improve or things that they could learn. And to me, one of the most telling was not long after Slammer hit. So Slammer took advantage of a vulnerability, it was a worm, that took advantage of a vulnerability in SQL Server.
Actually, technically it wasn't SQL Server, so I'm going to be totally honest, it was actually in UDP 1434, not TCP 1433. So TCP 1433 is actually SQL Server and UDP 1434 is the management. So it was actually a vulnerability in the management code, not actually in the core engine. But David Litchfield, so in the back in the day, there were really only three security researchers in the world finding bugs in SQL databases.
In that, I mean, I mean everything, you know, Oracle and DB2 and SQL Server and many, many others back in the day. And so David had found this bug and it led to Slammer, and David came to talk on campus during a Blue Hat to talk about, you know, the bug, how he found it, which is fuzzing, by the way. I actually spoke to David when I was writing Designing and Developing Secure Azure Solutions, actually spoke to David and actually called out in a chapter on fuzzing how he found that bug.
So I have it verbatim from David. So he found the bug and he came on campus to talk about it in Blue Hat. And what was interesting is, first of all, on the exec day, Flessner was totally attentive and asked David a lot of questions. But the next day, when we went into the main hall where David was talking about the bug that led to Slammer, I want to say 70% of the audience was from the SQL Server team.
And that 70% of the audience probably made up about 85, 90% of the SQL Server team at the time, development team at the time, which to me just shows like a real change in thought about what it takes to think about security in our products. So that to me was really, really an amazing thing to see. Any other insights? So there's going to be one this year. So is it always at the end of October? Is that the general schedule? Yeah. So the conference has evolved over the years.
So a couple of big changes are that it is now or it has been for a long time open to the public, open to the external security community. It's no longer just internal Microsoft Blue badges. And so the structure we have now, which we've had for quite a few years, is days one and two are open to both internal Microsoft employees as well as non-Microsoft employees or external members of the security community. And then we have a third day, which is an internal only day.
And we call that Strike Presents Blue Hat. Strike is one of our internal sort of security training programs, which has both a lot of online training and then in-person events.
And so we sort of merge them together so that we can have some conversations and presentations and discussions amongst just employees that may, you know, be confidential in nature or covering vulnerabilities or exploits that may still be active in some capacity, as well as just content that might not be as relevant for an external audience. And yes, the next one is coming up. Depending on when you're listening to this episode, it's a little bit over two weeks from now.
It's going to be October 29th and 30th in Redmond, Washington in the US on the Microsoft campus in the conference center, which we call Building 33. And that's the sort of home of Blue Hat over the years. Most of them have been in that building and most of them have been in the October timeframe, although there have been a few, there was a couple of years where there was a sort of a fall or an autumn Blue Hat and then a spring Blue Hat. So two in a year.
But the current sort of cadence we're going for is one a year, aiming for October. There's also international Blue Hats. There's Blue Hat Israel, Blue Hat IL, which has been happening for a while, obviously in Israel. And last year, we actually had, oh, excuse me, earlier this year, we had the first ever Blue Hat India, which was really cool and hopefully something that will continue as well.
But yeah, the structure which has been pretty well established now is that there is a call for papers, which we open up several months beforehand and we ask both internal Microsoft employees and the external community to submit papers, which really, you know, you don't actually have to have a paper. It's really you're submitting a talk, you're submitting a session that you would like to present at Blue Hat.
And so you've got to give it a title and there needs to be an abstract that explains what you would be presenting. A lot of submitters also include sort of supporting documentation, which can be a paper. It can be a white paper or it could be just more of a fleshed out outline. And then from there, we have a CAB, C-A-B, it's a content advisory board. And then they go through and they read all those submissions and they help us choose the best to present at Blue Hat.
This year, we had over 100 submissions, which is fantastic, but we have to narrow that down to about 20. And so, you know, there's a lot of content, very, very good content, very, very good speakers who, you know, don't get picked. And that's always tough to not be able to select more sessions to be presented. But we try and keep it down to 20. We have 10 sessions per day in two parallel tracks.
We try very hard to have sort of 50-50 representation in both the presenters as well as the attendees. So if you are a presenter at Blue Hat, sorry, at the Blue Hat conference, hopefully half the presenters are going to be Microsoft folk who are presenting their research and their findings and sort of guidance to the industry.
And then the other half, the presenters will be from the non-Microsoft sort of external community and from our partners who will be presenting their research findings, which are very often research findings targeted at a Microsoft product or technology.
And it is often them showing us where, you know, some sort of vulnerability has been discovered or some sort of, you know, technical approach to a solution has been found to be out of date and is no longer sort of secure and the industry needs to change.
And just, you know, looping this back to Sarah's comment about developers and the developer community and, you know, how do we create guidance and education to the developer community so that they are writing more secure code and they are starting to abandon or they're abandoning some of these techniques that have been proved to be insecure or just sort of, you know, outdated.
So there's a really interesting sort of yin-yang relationship between the external community who are coming in and showing us what they've found. And a lot of time that's issues that have been discovered in a Microsoft technology or product. How Microsoft is also showing how that we're sort of hacking our own stuff as well as looking at other platforms and also sharing what we've found. But then more importantly, how do we turn that into guidance? How do we turn that into education?
How do we turn that into instruction and teaching and learning for not just the researchers and responders but the broader technical community so that we are making more secure technology moving forward? And it's a great atmosphere because everyone is there on the same team and it's just wonderful to see the conversations that happen organically in the hallways and in the line up for tacos at lunch and while people are, you know, going around trading stickers and it's a wonderful conference.
And yeah, two weeks from now will be the 23rd Blue Hat, which is in the 19th year. And yeah, it's gonna be great. So I don't know if you know or not, but I was, you talk about Strike. So there was an internal Strike event last week and I was actually the emcee for that thing. There's a Secure Future Initiative Strike. We had one of the biggest attendances that we've ever had for a security conference, like a purely internal conference. So I was actually the emcee for it.
It was a lot of fun. And just in case you don't know, Nick, the odds are, I would say 80% that I'm actually going to be at Blue Hat this year as an emcee for one of the tracks. That sounds great. And I did know that you're at the strike event because I actually sat next to you while we ate lunch together. That's what we did. That's what we did. In my Rusty shirt. Your Rusty shirt, your Etsy Rusty shirt. Well, I'm feeling very left out right now. I want to talk. Oh, I'm sorry, Sarah.
I know, I know. Well, you presented at last year's Blue Hat and it was awesome to have you come over and then you helped run a village for us. I did. That's sort of another thing too, that we've adopted over the years the elements from security conferences like B-Sides, like Defcon, that the community love, like villages. So we do villages at Blue Hat as well. And we have a call for villages internally at Microsoft.
And it's fantastic because we get, you might think, oh, villages at a Microsoft event, that's all going to be just sort of centered around product. And it's absolutely not. It's centered around other types of community groups, other types of interest groups, other types of sort of advocacy groups inside the security research community who want to come together and talk about something that's important to them. We have ERGs. I don't know if you guys have used that term, employee resource group.
ERG is an acronym that we have at Microsoft. So we have women in cybersecurity. That'll be one of the villages there. There'll be other ERGs. I'm not going to try and name them all, but those will be represented as part of the village community. There's, you know, Microsoft's got a huge investment in the gaming industry. So we're going to have a gaming security village. There will undoubtedly be sort of cybersecurity career focused villages there. There'll be an AI village.
The Microsoft Garage will be there and we'll probably be teaching people how to do soldering or some sort of basic sort of hardware hacking skill. It's a ton of fun. And yeah, again, we unashamedly, but also with, you know, reverence to the community and to the amazing conferences that are out there in the security space, we sort of try and borrow some of those elements that we know folks love and we try and bring them to Blue Hat. So two things.
What did you talk about last year, Sarah? That's the first thing. And the second thing is, is there going to be a lockpicking village this year? Yes, I did speak at Blue Hat last year. I spoke, I actually spoke on strike day. So the internal Microsoft day and I was talking about how we write things and how we create content for the wider world as security people. And there's a recording of it online. Something I was going to say.
Well, if Nick hasn't covered it already, eventually, and I think most years now, Nick, we do record all the sessions and put them up online a little bit after the conference. So if you're not able to join, actually go to Blue Hat, you can watch the sessions later. That's absolutely right. Yeah. Thank you, Sarah, for reminding me. Yes, we record everything. And I would say 95 percent of it is able to be published. And so, yeah, we have a YouTube channel, so they all go up there.
And we do have ambition to go back through the archives and publish some of the Blue Hat videos from back in the day. You can see Michael Howard in his chambray shirt emceeing this panel at Blue Hat 1. I hope we'll get that up on YouTube soon. But yeah, you know, obviously, it's amazing to be there in person and it's great to be there in person, but we appreciate that not everyone is able to make the trip to be at Redmond or the state of Washington or the country of the US.
So we record as much as we can and we put it up online. And then the other thing is we have our own podcast, Blue Hat podcast. And one of the things we like to do there is we bring on some of those presenters and then also some of the folks that are just sort of part of the community and maybe didn't have a session, but have some content to share and we bring them on the Blue Hat podcast as well.
So we try and share and spread the wealth and the fantastic content that comes through the Blue Hat community as much as possible. Lockpicking village, I believe the answer is yes. We try for that every single year. Yeah, I mean, if we can provide links to the Blue Hat YouTube channel, that'd be really cool too. All right. So one thing that you mentioned is you want to open this up more to the public. So can people actually register for this outside of Microsoft? Absolutely.
So depending on when you're listening to this episode, registration for Blue Hat may still be open. Blue Hat is again, it's in Redmond, Washington on the Microsoft campus. So the tickets are free. We don't charge any money for the ticket, but you need to apply.
And then we go through and sort of read the applications and we make sure that the folks that are asking to attend would really sort of add value to be there and certainly are relevant for the security research community and response community. But yes, in theory, when you're listening to this podcast, the registration may still be open. You can go to aka.ms/bhreg, B-H-R-E-G as in Blue Hat registration, bhreg. And you fill out an application form there.
And we're really just trying to make sure that everyone that applies, you know, really, really is applying for the right reason. And I will also point out that we have a really interesting sort of unwritten rule for Blue Hat where we say no sales, no marketing, no dunking, no fluff. And so Blue Hat is not a conference where either Microsoft employees or attendees are permitted to sell or pitch anything, certainly not anything for sale.
So this is not a platform for Microsoft to sort of pitch their tools and services that are sold. It's not a sales conference. It's not a marketing event. We don't sort of announce and launch products or anything or do any sort of marketing in that sense. We also don't allow our attendees or our partners to do that as well. And we also, you know, we're not there to dunk on folks like, yes, you may have discovered a vulnerability in a product or service or technology.
But the point is to use it as an opportunity for learning and for sharing guidance to make technology a better place and not to dunk. I really need a better analogy or something for dunking. But we don't allow people to speak. What was that? Yeah, dunking is like, you know, you can't, you know, you can't, you know, don't, don't. You got to be respectful, right? I mean. Absolutely.
If you found a bug in someone's product, you know, it's like there's a constructive way of communicating and there's let's just say the other way. I'm all for being constructive. Look, my philosophy in life is just be kind to people. And I don't think this is any different. So yeah, I think dunking is probably the right word. All in the US, it could be donuts as well. I think it's actually I think as a basketball, I think it's a US term. So I need to get it.
I need to get something better than that. But yeah, don't diss anyone. Don't be disparaging. Don't be disrespectful, you know, assume best intention. And we're not there to make anyone look bad. We're just there to, you know, generate new ideas and push the industry forward so that everyone can be more secure. But yeah, aka.ms/bhreg, B-H-R-E-G. And hopefully you can squeeze in and get yourself a ticket to Blue Hat.
Yeah. But let's be honest, it is kind of late, you know, so the odds are not fantastic. But if you're a security researcher. Yeah, if we were half smart, we would have recorded this two months ago. But here we are. It's all good. It's all good. You can probably get in early for next year. All right, let's start to bring this thing to an end for a group of people where we had absolutely no agenda whatsoever. I'm kind of surprised how long we went. But anyway, there you go.
Nick, one question we started asking all our guests is, so what does a typical day in the life of Nick look like? What do you do on a daily basis? Gosh, well, I don't know if right now it's a typical time for me because, you know, we're coming up on two weeks out of Blue Hat. So right now I am madly Teamsing, emailing, Signaling, any sort of communication vehicle possible with the prospective speakers at Blue Hat.
So that's the folks that have submitted a paper and have been selected by our CAB. And I'm going backwards and forwards with them. I'm going backwards and forwards with folks on the MSRC case management and vulnerability response team. We have a commitment to coordinated vulnerability disclosure, which basically means we do our absolute best to make sure that we don't zero-day anyone. We don't zero-day customers. We don't zero-day partners. We don't zero-day ourselves.
And so there's a sort of a negotiation that has to happen between the folks that have submitted content to present and have been accepted to present. And we need to make sure that if there are active or recently disclosed or recently addressed vulnerabilities or exploits or techniques, we've met all our commitments there from a sort of responsible disclosure perspective. So that's a lot of time at the moment.
And then, you know, trying to work out how to fit all these incredible sessions into an agenda as well as all the other things that have to happen around a conference, some of which are all sort of logistics like what are we going to have for lunch on day one and how many coffee carts do we need, all the way through to coming up with some really cool ideas for swag and the conference t-shirts and, you know, sort of enamel pins that we're going to have the attendees trade.
So that's sort of a day in the life at the moment. Outside of the Blue Hat Conference, certainly looking for really interesting people to come on the Blue Hat podcast, talk about research, talk about security research. That's a part of it.
And then really sort of also just engaging with the security research community, which is both inside of Microsoft and external and again, looking for ways that we as Microsoft, and MSRC as a part of Microsoft, can just better engage with the community, how we can be a better partner with them, how we can learn from them, how we can create content that we feel would be beneficial for the community or how we could partner with other researchers to help amplify their work.
All right. So let's bring this thing officially to an end. So one thing we always ask is if you had just one thought to leave our listeners with, what would it be? All right.
I think what I want to leave folks with is a bit of inspiration that anyone can really be a security researcher, because security researchers really are just people that are looking under the hood at how does stuff work and coming up with ways to make that thing potentially work a little bit more efficiently or a little bit more securely.
And so, you know, I'm sure the folks listening to this podcast have long, long lists of tips and tricks that they would give to their customers, their clients, their friends, their family. And I would encourage them to think about how some of those things might be able to be packaged together into a story that they could submit to a Blue Hat, to a B-Sides, to a Defcon as, you know, guidance and as learnings and as stuff they want to pass on to help make the world a better place.
And yeah, you don't have to have security researcher on your LinkedIn profile to be able to be someone who is researching or searching to make things more secure. So I just encourage everyone to give it a go. Yeah, actually, I want to emphasize that last point. I was a reviewer, I was asked to look at some of the submissions to this year's Blue Hat, just a couple of them, just because of the nature of what they were.
And I was really amazed at a couple of them, which were actually for lightning talks. So something else I didn't even talk about was lightning talks, right? Just like 15 minute talks on a specific topic. Big fan of those things. And it was a really interesting lightning talk idea. It was a little bit out of left field. But it's one of those talks where the person who was proposing it, and by the way, it looks like that person got OK to do it, got accepted to do it.
It was just a different way of thinking about things. That's all it was. But was it a true security vulnerability, a real spicy security kind of thing? Not really. But it was just an interesting way of looking at the problem space. And yes, it got accepted. So yeah, 100%. You don't have to be a complete dyed-in-the-wool security nerd to present at these conferences. Sometimes a different perspective is all that's needed. All right, so let's bring this thing, this episode, to an end.
This has been a great episode. Actually, again, we've been completely, basically been totally free with what we're talking about. But yes, always good talking to you, Nate. So again, thanks, Nick, for joining us this week. Been great having you on. And to all our listeners out there, again, we realize we kind of rambled a little bit, but hopefully you found this episode of interest. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast.
You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at AzureSecPod. Background music is from ccmixter.com and licensed under the Creative Commons license.