Just your average all-round nerd with an interest in anything that has a power cable (and preferably network or an antenna) connected to it. He's also one of the BornHack organisers.
Let's do a good, old-fashioned OpenPGP key-signing event.
The concentration of OpenPGP users is probably a lot higher at BornHack than at many other social gatherings. So why not use this opportunity to extend the number of signatures on your OpenPGP key?
Feel free to bring some form of official ID. Depending on the number of participants we will make the event more or less structured to make sure everyone's keys are signed.
Please submit your keys no later than four hours before the scheduled time of the event. This gives us time to generate the final list of keys, get it printed for everyone, etc.
Note: The server will be killed with fire after BornHack for those of you who don't want your keys lying around on the Internet for one reason or another.
Scheduled Instances of "OpenPGP (or whatever) Fingerprint Verification"
- Tuesday Aug. 21 19:00 - 20:00
Workshop Saxo Bank HackMe!
Saxo Bank OpenAPI HackMe Contest
Who Are We
Saxo Bank is a Danish investment bank, founded in 1992, specializing in online trading and investment. It functions as an online broker with a bank license, without offering traditional banking products.
We offer trading through our online platforms in Forex, stocks, CFDs, futures, funds, bonds and futures spreads.
Why Are We at BornHack
Being a global player in the financial markets, we are naturally always looking for highly talented co-workers. Having a presence at BornHack, we believe we can showcase some of the cool technology we use, as well as let the classic hacker types play with an API having a more material impact, to either build something cool or surface flaws in our setup.
The contest will run from Tuesday at 13:00 and will close twenty-four hours later. We will be in one of the workshop rooms for a couple of hours when the contest starts in case you need help registering for an account etc. If you need help during the contest, catch us on IRC: graffen, pewpie or Otto_Str0m.
To enter the contest, you must sign up on the participant roster, so we know who's in. Please reach out to one of the Saxo Bank people in person or on IRC to get your name on the list. When the contest starts, you need to create an access token for yourself through our developer portal:
- Navigate to https://developer.saxo and go through the following steps to sign up for a developer account
- Click on the burger menu top right and then select "Get 24 Hour Token"
- You should now be presented with a login dialog. On the right you will see a button with the text "Simulation account signup"
- Fill out the form. You do not need to provide any identifying information (unless you want to be war-dialled by our sales people) but you will need to at least provide an email address that can receive your initial password. You can use a disposable email address like guerrillamail.com or lortemail.dk for this purpose
- Check your email and use the provided password to log in to your new Saxo Bank Simulation account
You now have full access for 24 hours to the development portal and can start poking around. Have fun! If you're curious to try out our trading application you can use the information you have received to log in to SaxoTraderGO to try some trading, and to see how the application interacts with our API.
There will be two "tracks":
- Security findings & API flaws
- Cool POCs using our API
During the contest, you must submit your entries/findings to one of the Saxo Bank representatives who will take a note of your name/handle and validate what you have found/built.
Winners of the contest in the two categories will be elected by the team of Saxo Bank representatives.
Points and Prizes
Points will be awarded for the following:
- Creativity: 25%
- Impact: 25%
- Design: 25%
- Simplicity: 25%
We will not award points for:
- 500-type error codes returned by the API. There are many places where the API could behave better by returning proper response codes. This is already known and being worked on. What we're looking for is places where the API returns something unexpected, not just an error code.
- (D)DOS-type attacks - don't do this, please.
There will be great prizes for the winner of each of the two categories.
Rules of Engagement / Code of Conduct
TL;DR: Be excellent to each other.
Before entering your name (or handle) on the contest roster, please familiarise yourself with our interim Vulnerability Disclosure Policy.
The following are the general rules for the competition:
- Fresh code
To level the playing field, each participant must start out fresh. Please don't build on top of previous projects. It's OK to use open-source frameworks and tools, though.
- Code review
We might want to do a proper code review to validate your hack/project, either just before we judge, or immediately after.
- Team Size
Single-human or teams of up to 3-4 humans are allowed. You may also add one cyborg, Furby, drone or Sphero.
We're doing this relatively ad-hoc. You may submit your hack/project in any way, shape or form of your choosing as long as we have a way of validating it.
- Demo your hack
Before judging, we will ask all participants to demo their hack. We won't accept slide decks (Powerpoint). Also, a partially complete hack is just fine, as long as you can prove your concept.
- Have fun
It's a HackMe contest! Use whatever languages, tools and hacks you have in your arsenal. Show us hardware, show us new concepts. Show us anything you'd like.
Examples of things that are OK:
- Signing up for a demo account and playing with the API through the developer portal
- Intercepting requests and responses from the developer portal or SaxoTraderGO using a debugging proxy like BurpSuite
- Fiddling with requests and responses using BurpSuite or the like, to see if you can provoke the API to do weird stuff
- Building an Arduino/ESP-based gadget that can talk to the API and do something fun based on market events
Examples of things that are NOT OK:
- DOS/DDOS attacks against our API. You will be playing around in our Simulation environment and this does not have a lot of protection or massive hardware specs.
- Deliberately breaking stuff "just for fun".
Scheduled Instances of "Saxo Bank HackMe!"
- Tuesday Aug. 21 13:00 - 15:00
Slacking Off Trip to Tejn open air hot tub and sauna
We have booked Friday and Monday evenings at http://www.tejnborgerforening.dk/bad_sauna.htm from 20:00 until we feel like we've had enough. You must bring your bathing suit/trunks and a towel (and an extra towel to sit on in the sauna if you prefer to do that in the buff).
There is a limit of six people per day due to the size of the sauna and hot tub. If we exceed the limit on Friday, those people will have first priority on the Monday trip.
We will depart the BornHack site at 19:15, please be punctual. Our meeting place is in front of Simon's food wagon, by the flag pole.
If you wish to bring something to drink (suggestion: beer), you can buy "to go" at the bar before we leave. We will try to bring a bucket of ice to keep things cool during transport and event.
The price of participating is 65 hax per person to cover the cost of renting the place and to cover some of the cost of driving there in Mikjaer and BlackThorne's cars. We ask that you please pay the fee when you sign up for the event. To sign up, just find Graffen or Mikjaer around the site. You can ask one of the organisers if you don't know how we look.
And finally: We prefer that you're an adult or can at least act like one. Considering the time of the event we don't expect this to be an issue :)
Scheduled Instances of "Trip to Tejn open air hot tub and sauna"
- Friday Aug. 17 19:15 - 22:00
- Monday Aug. 20 19:00 - 22:00