The fourth incarnation of Disobey, the Nordic security event was held in Helsinki in January. This event is a place for people interested in hacker culture, information security, making and breaking, and to meet like-minded people, learn new things and share knowledge. This was my second time attending. The first one was mostly spent getting to know my way around such an event, the second one was much easier when I knew what to expect. Too bad there’s almost too much to do, so you’ll have to prioritise… So here are my personal experiences from this year’s event and hopefully some tips for the first-timer in 2020.
Photographing or recording video at the event is forbidden (see https://en.wikipedia.org/wiki/Chatham_House_Rule), so no pictures or names, sorry. The speaker list is public though, go check it out, if you want.
Talks
There were plenty of great talks, from disclosing 35-year-old vulnerabilities (https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt), Tor anonymity, timing side-channel attacks, hotel room lock security, data breach dump related thingies and browser 0-days to mechanical master-key systems. Lots of cool stuff, but you can’t just sit on your backside for the whole two days! I had picked a few talks I really wanted to see (I really dig mechanical locks, client-side vulns, and breaking things) and tried to remember to attend. And I did. Most of the others fell in the category ”oh that’d be cool oh crap it’s already starting and all the seats are taken”. But I’ll surely watch the recordings of most of them later. It’s not like re:Invent-crowded, but if you want to have a good seat where you can concentrate on the content, be early
At the time of writing, the talks are being uploaded to Disobey’s Youtube channel.
Also a new podcast, ”We need to talk about InfoSec”, recorded its first episode at Disobey, go check it out.
Workshops and things to do
In addition to talking heads, you get to do things yourself with a more experienced instructor. This year workshops included e.g. hacking Chinese web browsers, using Python for bad (and good), threat modelling and a few other topics. Pick something that interests you, check if there’s a pre-registration needed (this year there wasn’t) and enjoy the ride. I attended only the most interesting one (to me), but would’ve enjoyed many of them, I’m sure.
In addition to shorter (up to three hours) workshops, there was a lockpicking village where you could try picking different types of mechanical locks and learn from a pro.
CTF
Capture the flag, or CTF for short is a competition where teams try to solve different types of hacking puzzles for points. The puzzles range from web vulnerabilities (SQL injections, path traversal/local file inclusion, security misconfigurations etc.) to listening to radio broadcasts from a dummy satellite. The proof of success is a flag, which is entered to the competition system. Who gets the most points, wins. And this is fun, for some people at least, myself included. We had a team of seven people which included four Goforeans. Fourth place doesn’t suck that bad when there were two teams of infosec company employees ahead of us. Next year we’ll try harder!
As the CTF network is considered ”hostile” and doesn’t offer internet access, I recommend bringing a burner laptop (which you can wipe clean afterwards) or e.g. using 1) a virtual machine (Kali works fine) for the hacking 2) USB tethering (because airwaves are a bit crowded and your keyphrase strength might be tested…) to deliver internet to your host OS 3) a USB ethernet adapter which you present to your virtual machine (and the VM only) so that you can easily search the internet for things from the host and access the CTF network from the VM without extra hassle of switching cables back and forth.
Gofore had some web related challenges (created by me) of their own in the contest. Of course, my team members had to solve those without me. More info about these below, there’s even a virtual machine image you can spin up and try to get the flags yourself.
The people
To everyone I met: I’m glad we met. Let’s do it again sometime. To everyone else, I hope we’ll meet someday. A few of my friends/acquaintances told me afterwards that they kinda forgot most of the program while just mingling so be careful :-)
Gofore CTF challenges
Download link in the setup instructions. See if you can hack your way in. Encrypted (sic) walkthrough can be found at http://<machine IP>/walkthrough.txt if you’re interested in cheating…
The challenges:
- The flag is somewhere on the filesystem. Find the file’s location on the site and the contents of the flag. URL path: /blog
- Some page is behind closed doors. Find the keys and step in. URL path: /*
- Our customer database might contain more than meets the eye. URL path: /customerdb
Setup:
- Download the OVA image here. (Avaa: open, Lataa: download)
- Import it in e.g. VirtualBox, connect it to a host-only network
- Find the virtual machine’s IP with for example nmap -sn <your host-only network>
- Point your browser (and other tools) to http://<VM_IP>:80/
- Have fun!