New signs from 2020 SecHack365, the first fully online event

This is a program that teaches the attitude of making things, in which you present your own ideas and awareness of issues in a tangible form, and use the opinions and evaluations you receive as a source of inspiration to improve each other. It's SecHack365. Every year, we have been making things through six gathering events held all over the country, but due to the untimely outbreak of the new coronavirus, in 2020, everything was moved online.

In the world, there may be a deep-rooted prejudice that "real brainstorming and communication can be done face-to-face." However, at the presentation of the results held on March 5, 2021, there was an array of unique ideas and “works” with fresh eyes that easily dismissed such voices.

Results presentation held on March 5

SecHack365 in 2020 held online, various results produced in a short period of time

SecHack365 in 2020 will start in July 2020 It was held until March 2021, and 43 trainees who passed the selection participated from all over the country. Until last year, the gathering event held offline for 3 days and 2 nights was replaced with an "event week" of about 1 week to 1 month. This is the schedule for making videos. An “event day” was set up at the beginning and end of the event week to separate them.

The event day is held in a bright atmosphere even online

It was the first time to bring all the programs online, so not only trainees but also trainers have been through trial and error for a year. However, in addition to active efforts during the event week, as a result of frequently holding "meetings around trainers" to enjoy discussions on various themes in chat in order to reproduce the spontaneous conversations that occur at offline events, communication has improved. quite activated. It is said that some of the assistants said, "It's more fun than usual to see them having fun online."

In this way, I warmed up my ideas, referred to the ideas of other trainees, and made use of the opinions received.

Mr. Nomoto, who thought that it would be useful and impactful in the real world, analyzed the mechanism of the new coronavirus contact confirmation "COCOA", which is still attracting attention in various ways. It is possible to carry out a “positive person identification attack” that can identify the information of the individual who tested positive, which is information that should be kept secret, and a “fake close contact attack” that makes the app display that there was a fake contact history even though they are not infected. It was selected as one of the excellent works. Mr. Nomoto reported the vulnerability to the developer of COCOA and Google via JPCERT/CC while referring to the opinions of the trainers, and received a reply that "we will consider countermeasures in the future."

Makihiro Kudo, who created ``smart locks equipped with fingerprint combination authentication and smart door handles that can be unlocked simply by squeezing them,'' said, ``Recently, ``smart locks'' that combine smartphones have appeared. However, I thought that even a smartphone was troublesome, so I created a smart lock that combines biometric authentication to achieve both strong security and usability, and a smart door handle that allows authentication with a natural operation of gripping with vein authentication. I did,” he says. In an interview at the results presentation, he recalled, "Compared to software, it cost more money, and it took a long time to arrive even if I ordered something."

Whether orthodox is the right term or not, there were also works that explored the specialized field of cybersecurity. One of them is Kazuya Nomura's "GTotal - Is Antivirus Really Accurate? -".

While working on malware detection research, I wondered what kind of impact it would have if there was a mistake in "VirusTotal", which can inspect suspicious files using multiple antivirus software. collected and validated over 330,000 specimens. As a result, we found out in what cases mistakes are likely to occur, such as ``the more time passes after scanning, the more blurring occurs, so the timing of the final scan is important,'' and presented the results at the ICSS study group. It is said that

Masahiro Fujimura also developed a vulnerability detection tool for virtual machine images, "Molysis, a vulnerability detection tool for virtual machine images." Recently, some tools for scanning container images for vulnerabilities have appeared, but in the case of virtual machines, they cannot be scanned until they are built. Therefore, we have developed Molysis, which devises and deciphers the specifications and file systems of virtual machines, transparently analyzes virtual machine images with few resources, and detects them by matching them with vulnerability databases. Detecting vulnerabilities in the build pipeline as well as in the container cycle will help create a more secure environment.

Personally, I was interested in Karen Furuta's efforts to raise awareness of security through stories. With the concept of knowing security technology and using it correctly according to the law, she wrote "Security Short Shorts" to learn security in story format and sold it in a technical book. It is said that the ``SecHack365 Literature Club'' was launched as a result of this activity. When we think of engineering and making things, we tend to think of them as science-based activities, but I was strongly impressed by the fact that there are other approaches as well.

There are signs of a new way to behave as an engineer in the new normal era

Teruaki Yokoyama, the head trainer, looked back on SecHack365 in 2020 and said that it is true that trainers and trainees, or trainees directly In addition to not having the opportunity to meet face-to-face, the program was shorter than previous years, but the growth and results of the trainees were as wonderful as in previous years.

SecHack365 is not just a program to acquire techniques and skills. Give shape to the skills you have acquired, give them to society and the world as outputs, accept various opinions and evaluations about the outputs without fear, choose what you should accept, and continuously produce more outputs, value It is a long-term program that aims to create the foundation of such an engineer, to make it a habit, and to create "humanity", so to speak.

Based on this basic direction, some new initiatives were born while searching for a better method during the corona crisis.

The first is the aforementioned "surrounding party". “Since there are fewer opportunities to pass each other by chance and talk to each other like offline, we planned it so that as many people as possible can interact with each other. It is a place where you can chat with people who have a , and exchange opinions based on a specific topic.As a result, the number of exchanges has increased more than ever before." (Mr. Yokoyama)

At the surrounding meeting, trainees surround and discuss interesting trainers

In fact, multiple trainees were able to learn about an unexpected side of the participants through the meeting, and on the other hand, they were able to talk about a variety of unique topics, such as ``Thinking about security in curry,'' which was very enjoyable. said. Ms. Nomura, one of the excellent trainees who appeared in the "Direct hit! Excellent trainee interview" at the results presentation, said, "In a project to think about how to enlighten the world about cyber security, I thought about using an idol, and I used a ticket for a handshake event as a public key. I came up with the idea of ​​encrypting it with , and it turned into a great competition, and it was a lot of fun.

This meeting was very lively, and what was initially planned by the management as a ``trainer gathering'' naturally spread and developed into a ``trainee gathering where trainees gather to present their efforts to each other.'' It is said that he went

“There is also a unique atmosphere unique to online, and people who are interested in it gathered together and it was very exciting. I think that in the new normal era, we have seen signs of a new way of behaving as an online engineer.” (Mr. Yokoyama)

The second initiative is the use of video content. In fact, there was still a kind of "fixed concept" on the trainer's side, that it would be good to post what we had done at the training camp so far on Zoom, but we got rid of it and made 42 video contents. It was created. At the same time, we asked the trainees to take a new approach, not only presentations and poster displays, but also video presentations.

(More than 40 shared videos are freely available for viewing at any time)

“This has resulted in two interesting effects. Even Nako was able to make a presentation carefully and achieve a better presentation by creating a video in advance. I was able to learn more than I expected because it became easier to imitate the good points of other people's content," he said, looking back on the advantages of being online.

As expected, in the ``Direct hit! It was fun to see them all together and chatting with each other,” he recalled.

A direct hit at the results presentation! Excellent trainee interview

Mr. Yokoyama, based on the feedback from these trainees, said, "Even though we haven't met face-to-face over the course of a year, I found friends online and shared ideas and achievements with each other. They showed each other without hesitation, calmly expressed their opinions and criticism, and asked for it.Even in this environment, showing each other, learning from each other, and working hard through friendly rivalry was more than what the trainees themselves thought. I want to say that it's amazing and it's really wonderful." He said that the online behavior of discussing based on the work may lead to a way of life in the future.

Methods of expression, making habits, coming up with ideas—What did the trainees gain over the year

On the other hand, what did the trainees feel and what did they gain over the past year? Let's follow from the comments in "Direct Hit! Excellent Trainee Interview".

As mentioned above, SecHack365 in 2020 will not only present presentations and posters so far, but also video presentations. Kazuya Ohata, who developed the offensive post research tool ``Tesave'' and was selected as an excellent trainee, said, ``I approach from fields other than security, but from that standpoint, trainers who are active in the field of security I searched for various methods of expression and went through a process of trial and error,” he recalled.

In addition, there were many trainees who worked on coexisting with their studies, which is their main job. As a result of tackling a theme different from school research, there are examples such as Mr. Ohata, who was able to switch to the other and proceed successfully when one of them got stuck. I got an opinion from that place.I used entropy in my work, but the idea was also obtained from a study session on information theory at school.Throughout the year, you can find hints in various places. I wondered if there was anything like that," says Nomura.

Mr. Nomoto, who worked on the "security and privacy risk assessment of the contact confirmation application", said, "One of the things I learned through SecHack365 is habituation. What I did today, what I thought today, what I will do tomorrow. By continuing to write progress reports for more than 10 months, I realized that 'what I have to do' becomes clear, and it has been very beneficial for me that it has become the norm." . At the same time, various advice from the trainer was helpful, especially when reporting vulnerabilities.

Mr. Nomura, who will start a security-related job from the spring of 2021, said, "It's not preparation, but I got to know various security-related people, and I was able to hear stories about laws and logic. was the harvest," he said.

Of course, SecHack365 welcomes young people interested in various fields such as development and hardware, not just security. Makita Kudo, one of them, said, ``I didn't touch security at all until I started SecHack365, but when I say security in a nutshell, I know that there are various fields, including the legal aspect that Mr. Nomura touched on. I feel that I can know and it will be useful in the future."

Mr. Takeda, who worked on "iGenc (Internal GPU encrypt): A cryptographic processing mechanism that does not degrade the user experience using the GPU in the SoC", also said, "I had never studied security, but through SecHack365 I realized the possibility of combining security with the field I wanted to do.Security is involved in everything, whether it's machine learning, low-layer, or the web.When I do something in the future, I think about security in the back of my head. It became."

In response to this, Mr. Michio Sonoda of NICT said, "There is an overwhelming lack of 'plus security human resources' who can add the essence of security to it while pushing forward with manufacturing, which is our main business." In that sense, he expressed his hopes for the future of the graduates.

“I think the way I presented my ideas was most beneficial,” said Yuta Kurosawa, who created “Cassis, a tool for casually handling DID” and became one of the excellent trainees. “When I was wondering if the application would be useful only for me, my trainer told me, 'Beyond my own needs, there are other people's needs.' That gave me the idea. It was a big help in deciding.” (Mr. Kurosawa)

At SecHack365, throughout the year, we provide steps for progress, such as ``if you think about it again, you don't know what you want to do'' or ``if you know what you want to do but don't know how to make it concrete''. I have provided advice and guidance accordingly. Mr. Yokoyama would like to continue this in the future, and aim for an even higher level if he "has an idea and the technology to create it."

Teruaki Yokoyama, head trainer, who spoke with us

"For example, I would like trainees to try what happens when they apply what they are doing to the actual problem they want to solve. By actually trying it out, you will be able to understand what works and what doesn't work so well, and you may be able to find real issues to solve the problems. You may come up with an idea to do it.” (Mr. Yokoyama)

The 2021 SecHack365 Combining the Goodness of Online and Offline

Four years after the start, the number of SecHack365 graduates has increased to more than 171. Every year, we hold an alumni-like "SecHack365 Returns" to accumulate a network of people, and each of them opens their own path and works to solve problems.

“Some of the graduates decided to become researchers after being inspired by stories they heard from trainers and trainees through SecHack365. There are graduates who are working on various things based on the output, such as those who continue to pursue and continue their activities.” (Mr. Yokoyama)

The call for SecHack365 for 2021 will start soon. Considering the impact of the new coronavirus, it was decided that the first half of the event would be held online, but because of the experience of a year of completely online, it is a program that combines both the goodness of online and the goodness of offline. It will be.

"It can be said that it has become easier for friends all over the country to come in contact with each other. Let's make the environment of friendly rivalry to make it better by showing each other what we are making. (Mr. Yokoyama). SecHack365 itself aims to be better and the best every year, just like the "works" made at SecHack365. I have high hopes that the ideas of the new generation of engineers, suitable for the new normal era, will take shape and take off with their feedback.

Going beyond through making things-What the SecHack365 graduates of 2019 seized SecHack365, which creates things while struggling for a long period of one year