Hitcon CMT 2024

First Time!

This was my first time attending HITCON CMT, and honestly my first experience at a cybersecurity community meetup. At first I thought it might be like a job fair XD, but after going I realized it’s more like a bunch of 「大神」 being invited to share their research and real-world discoveries — super interesting! Since my research is about fuzzing, I was especially excited when I saw a talk on fuzzing. It felt like a warm, familiar welcome — like being in the right place XD

Events

Booths

There weren’t many booths, so you could walk through all of them in about an hour. The most memorable one was the DEVCORE booth — they had a free ring-toss game and for a second I thought I was at night market XDD. I played with a friend: he scored 1 point (and got a small card, if I remember correctly), while I scored 10 points due to familar with the games (as I visited taiwan night market many times XDD). I won a cool folder and a webcam cover — I was ecstatic!

I also bought some merch at the HITCON booth. When they asked what to engrave, I debated using my real name or my handle. Putting my real name felt like bad security sense, so I went with my handle instead.

Buffet (Food)

Anyone who knows me knows I’m a huge foodie XD. If there’s good food, count me in! When I heard there was a buffet and a pile of cakes and desserts, I was like — wait, come to a conference and eat tasty stuff? Sign me up.

PCB Badge

This year they had a really cool PCB badge giveaway — you could even customize it. HITCON ran a PCB-badge activity where if you successfully customized your badge and plugged it into a designated laptop, you could complete a series of challenges (the final one was to get a flag without looking at the screen) and win prizes. Too bad I didn’t bring my laptop, so I just cheered my friend on while he completed the challenges QQ. Moral of the story: always carry your laptop everywhere.

Talks

There were usually at least two talks going on in each time slot, so attendees could pick whichever one looked interesting. Popular speakers or hot topics would pack the room — sometimes you’d have to queue or stand up to listen, and once a talk even had to limit entry because it was too crowded. I tended to split up with my friends and each go to the talk we were most curious about. The talks that stuck with me the most were:

• Lessons Learned from a 4-Year Journey on Developing a Generic Fuzzing Framework
• Background of those glitches in Zelda BoTW & ToTK
• Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

Because my research focuses on fuzzing, I naturally ran to the fuzzing talk. It covered a Japanese research team’s four-year journey building fuzzing frameworks and shared a lot of practical lessons. One key takeaway was: don’t reinvent the wheel XD — many fuzzing tools are built by extending well-known fuzzers like AFL, AFL++, Honggfuzz, etc. The talk also discussed common problems people run into when researching fuzzing.

I’m also a gamer, so the talk about Zelda glitches was a highlight. That room was packed too. The speaker walked through how they found bugs/glitches in Zelda step by step. Even if you’ve never played Zelda, the talk was very accessible — and it showed how the mindset of discovering glitches in games is surprisingly similar to finding bugs in other applications.

Finally, as someone who manages web services, I was excited to see Orange’s talk on Confusion Attacks against Apache HTTP Server. It was mind-blowing. Finding those vulnerabilities and crafting useful payloads takes a ton of time, creativity, and deep understanding of underlying mechanisms. It reminded me how much more I have to learn.