markofu’s blog

Late in December 2015, I sent the email below to all of "Engineering" across Riot Games. I want to share this externally because it's core to the security culture that we want to build in Riot, i.e. one of accountability and responsibility, where we aren't afraid to talk about our screw-ups. ############################################################ Hey Folks, So as most of you know, I'm a bit of a perfectionist with high standards :) Well recently, I screwed up and didn't come close to meeting my own expectations. What did I do? Well, when testing (locally) Netflix's Security Monkey in 2014, I copied over some aws-related scripts I was using and found useful to a local directory on  my work laptop, where my Github repo was stored. I also mistakenly copied over a flask configuration file ( config-deploy.py ) from the local version of Security Monkey that I was testing at the time. To compound this mistake, prior to committing file...

Back in early July 2015, on a uniquely dry Thursday evening, the Riot InfoSec team ran a small meet-up at our new Dublin office as I previously mentioned here . The goal of the event was to engage with the local security community, several of whom are also huge League players as I noticed by negative KDA :'( My main memories of the gaming that night being constantly head-butted away by 60 minute Alistair (also spamming his heal) and an extremely fed, axe-wielding and catching Draven, killing at will. As a team, we felt that the event went well and it seems to have been well received by those who attended. My talk was about the lessons that I have learned from hiring a team into Riot Engineering, which is the first time I've ever had the opportunity to build a team from scratch. It's not only be incredibly educational and exciting, but also humbling as I've had phenomenal support from so many folk in both the Dublin and LA :) Given there's probably quit...

On July 9th, the Riot InfoSec team will be hosting a security event in our new office , which will include: talks from Rioters the chance for you to see and play with some of our security tools time to play some games with us! Riot is dedicated to positively engaging with the industry and its community, and the Riot InfoSec team are psyched to further that mission in Dublin - we want to share and to learn.  If you work in Riot or engage with Rioters, you may hear the term “default to trust” and this is a huge part of our culture. It’s not just “talk”, it’s something that I see on a daily basis and to me, this is very special. I've linked two posts that touch on this aspect below - http://venturebeat.com/2015/02/04/riot-games-brandon-beck-says-game-industry-is-under-investing-in-its-people/ https://www.linkedin.com/pulse/hard-realities-working-riot-games-one-year-later-jonathan-pan As a result, we (in Riot InfoSec) wanted to “walk the walk” also...

It's no surprise that attackers will use recruiters as targets for a compromise and like many companies, we've seen the usual applications with XSS and macros. Today I received something slightly different which I figured was worth sharing - As you'd expect, the candidate details are fabricated so we can't progress :( P.S. We are actually hiring in Dublin, Istanbul, St Louis and LA for security engineers:) 

Socialising Security @ Riot Quick Link: Presentation here . Background In late November last year, I had the honour of following the illustrious David Rook (ex-SecurityNinja :) ) in the Owasp Dublin Chapter meeting (thanks Ow en & Owasp Ireland) . Quite a few people (mostly Chris John Riley ) reached out and said: “The presentation looks cool and I'm jealous of the cool artwork but context, need MOAR context!” From an OpSec perspective, it's not always possible to include all the context when it comes to publicising security presentations, but @Riot, the goal of the InfoSec team is to socialise security within Riot, our players, the gaming community and the security community. Tl;dr Each Rioter is responsible for their own security   Riot has posed very new challenges (for me) - Scale Volume of Incidents (i.e. a successful compromise, a leak, a ddos attack) Open policy to security ( this is the bit that will draw the crowd ) We want to...