Disobey 2020, First Edition
Disobey 2020 is now over. And it was a marvelous two days around topics like hacking Boeing, getting a grasp of logs, various hacking competitions, red teaming workshops, etc.
This post is named 'First Edition' for two reasons. Firstly, this was my first Disobey. Secondly, I don't yet know how many posts I will write around this topic. Most probably this first post will be a general introduction and also include competition stuff, and then there will be one or two posts about presentations and workshops.
I've wanted to go to Disobey for many years, but previously it has not been possible, for various reasons. Luckily this year it finally happened. Disobey 2020 was also my first ICT conference, so I didn't really know what to expect. But I'm glad that I started with Disobey!
Disobey is a hacker conference from hackers to hackers, if you want to summarize it somehow. The program is built around different infosec/cybersec/etc fields, but in general the hacker attitude is the foundation. And if you want to somehow describe what the hacker attitude is, I would go along the following idea: How can the system in question be changed/tuned to work better, or what are the weak points in the system's working parameters, and can you make the system do things the original designer didn't even think it could/would/should do. So it's not only about breaking into ICT systems, or trying to prevent people from doing that.
The Disobey 2017 page describes the idea behind the conference:
"We here at Disobey wish to encourage hacker culture, and bring together like minded individuals at a gathering to share information and to train the skills our adversaries use against us. Our goal is to foster a vibrant community of creators, makers and breakers. We value encouragement, creativity and sharing and believe everyone can teach us something about the world."
Links to the programs of 2018 (presentation videos), 2019 (presentation videos) and 2020 if you want to check what kind of presentations there have been. Depending on the year the workshops are also on the same page, but they may be on some other page.
So, what are my primary thoughts now regarding the conference? First, the flood of information was monstrous. To put it mildly. Every talk I listened to, every workshop I attended and every competition I took part in taught me far too many things I didn't even know that I didn't know. :) And I couldn't attend all of those activities I would have liked to. :/ Just too many interesting things happening at the same time!
One thing which really resonated with my own thoughts was told from the main stage by Jayson E. Street, who was the other keynote speaker. Even though his speech was a bit too long and rant-like, I fully agree that if you want to become a "pro" in infosec related fields, you must be keen to learn things even outside of 'business hours'. Jayson said something like 'If you are coming to the infosec world because you want money, but you don't actually think of yourself as a hacker who has a genuine interest in things related to the field, it's better that you turn around and run fast and far away. You won't cope for long.'
I have had discussions about this topic at work, and the usual counterargument is that 'It must be enough what I do during work hours. The employer can't expect me to use my own time to learn things I'm using at work!'
Yup. I agree with that fully. But. And that's a BIG BUT. If you really want to have a long-lasting and successful career in infosec, you must be keen to really understand how things work. I don't mean those few things you are doing and needing at work. I mean everything. Sounds a bit... cryptic and impossible? Yes. I agree. But it means that you have the correct attitude. You want to learn. You want to learn new things. You want to learn old things better. You want to learn to understand things.
ICT systems are hyper-complex already, and they are getting more and more complex every day. No one can understand everything. Or have deep knowledge of everything. But the more information you have from as diverse a range of topics as possible, the better you can probably cope in your work. Whether it's breaking into things or trying to prevent someone from breaking into things.
Oh. Sorry. Now I got sidetracked "a bit". So let's return to the topic. This won't ever happen again! I promise! Really! <remember to add The Correct Smiley(tm)>
Disobey has talks and workshops. That's already clear. There are also booths from various Finnish ICT companies and organizations where they have some challenges related to this conference. It's a good place to meet hackers, after all. Luckily it's still not too 'businesslike' or anything, and I hope that it won't become that. It wouldn't be Disobey anymore if that happens!
Disobey also has The Badge(tm). Naturally, it's an IoT thingie, is there any other way? It's a small(?) PCB made in the spirit of the conference that you can carry around. Every year different. Every year more complex. There is some hidden puzzle/challenge included, and you'll get at least fame and glory if you can solve that. Or you can write your own firmware for the badge. Or hack it in other ways.
Here's a bad video of the badge they had made this year. I had to download the app via WLAN to do this colorwheel stuff, but it was just lovely! ;) Firmware etc can be found at https://github.com/badgeteam/ESP32-platform-firmware
They also had a repair booth if your badge had issues. I had to go there twice, because some of those LEDs fell off.
In addition to the things mentioned above, there is the official CTF competition. Capture the Flag is a competition where you have various hacking challenges you need to solve. It can be anything. Crypto related, configuration related, steganographic, memory forensics, reverse engineering, etc.
This year the only flag I found was named 'Mistake' and had some website URL as a hint. Nothing more. There was a "hidden" Git repo you had to clone, but because it was "hidden", you just couldn't do 'git clone URL'. You had to use a tool to dump it first. I was told to try this: https://github.com/arthaud/git-dumper. It worked perfectly. When you had cloned the repo, you needed to browse through it with various methods to find the flags. In this particular challenge 'git log' showed one commit with the message 'Secret file removed' and 'git show <hash>' revealed the contents with the correct flag.
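To show why a "removed" file is still there to be found, here is an added example of my own; it is not code from the post, from the challenge, or from git-dumper. It builds a tiny Git object store in memory using the same object format Git writes under .git/objects (zlib-compressed "type size\0payload", SHA-1 addressed), commits a constructed secret file, removes it in a second commit whose message is 'Secret file removed', and then walks the history comparing each commit's tree with its parent's tree. That walk is what 'git log' plus 'git show <hash>' did in the challenge. The author name, file names, commit messages and flag value are all constructed placeholders. The lesson for the defending side is the one the challenge name 'Mistake' points at: a deletion commit does not remove a secret from a repository, so a leaked credential has to be rotated, and the .git directory must never sit inside a web-served directory.

```python
import hashlib
import zlib

# In-memory stand-in for .git/objects: {sha1_hex: zlib-compressed object}.
# The byte layout matches what Git stores as loose objects on disk.


def hash_object(kind: str, payload: bytes):
    """Return (sha1_hex, compressed_bytes) exactly as Git would compute them."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def store_object(store: dict, kind: str, payload: bytes) -> str:
    sha, compressed = hash_object(kind, payload)
    store[sha] = compressed
    return sha


def read_object(store: dict, sha: str):
    """Inflate an object and split off its 'type size' header."""
    raw = zlib.decompress(store[sha])
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split()
    assert int(size) == len(body), "corrupt object"
    return kind, body


def make_tree(store: dict, entries: dict) -> str:
    # A tree is a sequence of "<mode> <name>\0<20 raw sha bytes>", sorted by name.
    data = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(sha)
        for name, sha in sorted(entries.items())
    )
    return store_object(store, "tree", data)


def make_commit(store: dict, tree_sha: str, parent_sha, message: str) -> str:
    lines = [f"tree {tree_sha}"]
    if parent_sha:
        lines.append(f"parent {parent_sha}")
    # Constructed author/committer identity and timestamp.
    lines.append("author Example <example@example.invalid> 1580000000 +0000")
    lines.append("committer Example <example@example.invalid> 1580000000 +0000")
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return store_object(store, "commit", body.encode())


def parse_tree(data: bytes) -> dict:
    """Decode tree bytes into {name: blob_sha_hex}."""
    entries, i = {}, 0
    while i < len(data):
        nul = data.index(b"\0", i)
        _mode, name = data[i:nul].decode().split(" ", 1)
        entries[name] = data[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def parse_commit(data: bytes) -> dict:
    header, _, message = data.decode().partition("\n\n")
    tree, parents = None, []
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        if key == "tree":
            tree = value
        elif key == "parent":
            parents.append(value)
    return {"tree": tree, "parents": parents, "message": message.strip()}


def find_removed_files(store: dict, head_sha: str) -> list:
    """Walk first-parent history; report files present in a parent but gone in its child.

    Each finding carries the commit that did the removal, its message and the
    blob content, because the blob is still addressable by its SHA-1.
    """
    findings, sha = [], head_sha
    while sha:
        _, data = read_object(store, sha)
        commit = parse_commit(data)
        if not commit["parents"]:
            break
        parent_sha = commit["parents"][0]
        parent = parse_commit(read_object(store, parent_sha)[1])
        child_tree = parse_tree(read_object(store, commit["tree"])[1])
        parent_tree = parse_tree(read_object(store, parent["tree"])[1])
        for name, blob_sha in parent_tree.items():
            if name not in child_tree:
                _, content = read_object(store, blob_sha)
                findings.append({"commit": sha, "message": commit["message"],
                                 "path": name, "content": content.decode()})
        sha = parent_sha
    return findings


def build_sample_repo():
    """Constructed two-commit history: add a secret, then 'remove' it."""
    store = {}
    secret = store_object(store, "blob", b"FLAG{constructed-example-flag}\n")
    readme = store_object(store, "blob", b"# demo\n")
    c1 = make_commit(store, make_tree(store, {"README.md": readme, "secret.txt": secret}),
                     None, "Initial commit")
    c2 = make_commit(store, make_tree(store, {"README.md": readme}), c1, "Secret file removed")
    return store, c2


if __name__ == "__main__":
    for f in find_removed_files(*build_sample_repo()):
        print(f"{f['commit'][:7]} '{f['message']}' removed {f['path']}: {f['content'].strip()}")
```

The same walk is what any history-scanning secret detector does on a CI pipeline, and it is why the fix for a committed credential is rotation plus history rewrite, not a follow-up commit that deletes the file.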
So, the easy ones are quite easy. You just need to have some idea what could go wrong, and how to circumvent things. If it's a web related CTF, you quite often need to pass suitable headers to the web server, etc. It works correctly when you use GET, but if you pass the same information with POST plus some additional field, you'll get a different response. Just as an example of what kind of things there are.
Quite a few people seemed to do only/mostly the CTF and didn't attend talks/workshops. I participated for some hours, and got much help from the Pystyy Vetää open CTF team, because this was my first CTF ever. :) Thanks for that! It was really fun, and I really, really would like to do more. I just need to find some free time for that... CTF is a good way to learn new things. Quite often you need to write some script, or read documentation to find those obscure methods of how things could go wrong. After this event I understand much more about Git than before, and I also did quite a lot of Python networking scripting. Even though the latter was not a successful attempt, I learned to script better. So, definitely not a waste of time at all!
To summarize. I can really, really recommend this event for everyone who is even remotely interested in these topics. And I already told my boss that I will go there also next year. :)
PS. The price shouldn't be an issue. This year normal access was 50-60 €, depending on when you bought the ticket. And if you are a 'business customer' and so are not paying it with your own money, it's better to buy the 'support ticket', which had a price of 199 € this year. This for a two-day event of the caliber of Disobey. It's peanuts.
Some CTF writeups, so if you are interested in what kind of challenges there were, you can find them here.
http://lauri.westerlund.us/blog/006_blog_disobey_2020_ctf_web_all.html
http://lauri.westerlund.us/blog/005_blog_disobey_2020_ctf_stego_hacker_wallpaper.html
http://lauri.westerlund.us/blog/004_blog_disobey_2020_ctf_stego_the_boss.html