Sakura Samurai was founded December 2020. This blog post is a story about how I got involved.
Sakura Samurai is a security research group that my close friend John Jackson started with his friend Nick. I was asked to join as it was being put together. All of the hacking I have done for many years has been secret for the most part: I was hacking for private organizations that were highly confidential and I was under many NDAs — and that’s before even getting into government stuff that requires a basic security clearance just to get access.
As far as being public about being in InfoSec — I have been in various books in the Tribe of Hackers series and have traveled across the United States to attend many cons. I’ve presented as a speaker at cons as well, and regularly interact with friends in the industry on Twitter (my username is @rej_ex). The coolest stuff I’ve done with specifics on hacks has been in wide release books I cannot mention, where I was put under a fake name for my own protection.
I wanted to be more public about hacking cool stuff, and since my close friend John was taking this route and really putting himself out there with his hacking, I was intrigued.
As a hobby (outside of my day job as a security professional) I started making comic books. The pandemic had me stuck inside my house since March of 2020 and I needed a creative outlet before going insane. After launching a successful Kickstarter that was funded within 24 hours, and eventually being over 300% funded over the goal, I was moonlighting as a comic book publisher which included drawing, coloring, writing, doing all the layout and graphic design work, and building relationships with a printer and fulfillment house. This was fun to do at night after working in security all day.
My buddy John had been hacking at night regularly and I told him that since my comics were almost done that I wanted to hack together. I knew he had been doing things with the 15-year-old wunderkind Kanshi, and I wanted to jump in and have fun — while learning the ‘public release’ side of things. At this point, when I would find what would be a 0day or CVE, I would never submit anything anywhere — it was usually behind closed doors and highly confidential. This aspect of public release was new to me — the legal aspects, the different kind of reporting (outside of the penetration test and vulnerability assessment reports I had been doing for years).
I knew about bug bounty programs as they are a big thing in the industry I’ve been in for many years, and I’ve worked with building many security programs and bug bounties are a part of a mature program — but I avoided actively hacking with them because of the low pay or no pay associated with many.
VDPs (Vulnerability Disclosure Programs) were not widespread, and as of writing this the federal government is still not required to even have a VDP (which is changing March 3rd, 2021). I never submitted a CVE before hacking with Sakura Samurai. I never publicly disclosed a 0day I found. All the stuff I’ve done has had a predefined scope directly with a company I was hired to test the assets of.
After talking to John he said he was putting something together and next thing I knew I was a member of a group that was just created: Sakura Samurai. Before I knew it, I was coloring my final page while with the team in a shared file looking over findings for the first official Sakura Samurai breach involving the United Nations.
I now hack about (5) nights a week while in constant communication with my good friends John, Kanshi, and Kirtaner.