How to level up your technical documentation with Microsoft's style guide and LLMs
Speed up technical documentation with the open-source llm-styleguide-helper. It pairs Vale linting and AI to fix Microsoft Style Guide violations in...
Every time we join the Black Hat NOC, we are reminded that security conferences are not immune to the same issues we help customers detect in their own networks. This time, it was... drum roll (pun intended, as you will soon discover)... a music trivia game.
While monitoring network traffic during Black Hat Asia 2026, we noticed unencrypted HTTP traffic from devices on the General Wi-Fi hitting an unfamiliar HTTP server. The payloads were JSON with fields like "score," "play," and "username." At first, we thought it might be some kind of video game.
But as we dug into the data, we saw many unique IPs from the General Wi-Fi that were connecting to the same server, all submitting scores to the same API. That volume suggested something public-facing. It is common for vendors to run contests and interactive games at their booths during these conferences, so our next hypothesis was that this was a vendor activity in the business hall.
POST requests to /submit_score carried JSON payloads with usernames, scores, and timing data, all without encryption. The Investigator screenshot below shows the score submissions with usernames and scores in plaintext.

Additionally, there were GET requests to /api/legend-data that returned what turned out to be music trivia questions and answers, all in the clear. Using nothing but passive network observation, we reconstructed the full leaderboard along with every question and answer.


So we walked the floor to find out. Sure enough, one vendor booth was running "Legends Never Die 2," a music trivia contest accessible via QR code. And the grand prize? A LEGO Star Wars Millennium Falcon, as the photo of the vendor booth shows.


Seeing the game in person confirmed our theory and showed us exactly what was exposed. And while the prize was the mid-scale Millennium Falcon, not quite the Ultimate Collector Series version worthy of a coffee table, I will not lie, my mind started scheming. It is still a seriously impressive LEGO set.

We wanted to demonstrate just how easily exploitable this was. So we pointed Claude Code at our findings and asked it to play with the “Klaud” username. Within seconds, it had figured out the scoring system (25 rounds, 100 points max per round, speed-based tiebreaker), crafted a perfect submission, and posted it. The result was a perfect score of 2500 points with a 3.30-second tiebreaker, good for the number-one spot on the leaderboard by a wide margin.


We had no intention of claiming the prize. The plan was to walk over to the booth and let the organizers know. But they noticed first, realized something was off (a perfect score combined with a very low reaction time was obviously not humanly possible), and removed "Klaud" from the leaderboard before we could introduce ourselves. Fair enough.
Sure, it’s just a low-stakes trivia game, not a production database holding personally identifiable information (PII). But the core issue is the same one we see constantly in production networks: vulnerable services and misconfigurations exist everywhere. And with AI tooling, the path from discovery to active exploitation gets very short.
NDR surfaces these findings routinely. Not every detection involves a nation-state actor. Sometimes it is a misconfigured application, an overlooked service, or a trivia game running without TLS at a security conference. The value of network visibility is that it reveals what is actually happening on your network, not just what you expect to be there.
Speed up technical documentation with the open-source llm-styleguide-helper. It pairs Vale linting and AI to fix Microsoft Style Guide violations in...
Our new collaboration with CrowdStrike and Humio allows our customers and the community to experience the value of evidence.
Corelight Federal CTO Jean Schaffer on how validating what asset management and vulnerability detection practices are producing is vital for BOD...