What is Disobey?
Disobey is a security/hacker culture event that has been organised since 2015. The main event consists of talks, workshops covering a variety of security-related topics and parties. In addition, during the event the participants have a chance to try their skills in solving various security-related puzzles, such as hacking target servers that have been configured to contain some common vulnerabilities.
Learning to break into things
The 2020 event had three main program venues: the main stage for the talks, and two rooms for the various workshops. The talks covered a wide variety of topics from bypassing building access control and improving cybersecurity during business trips to escaping sandboxes and performing live memory attacks. The full event program description is available on the event website at Disobey 2020 for those interested.
I watched multiple talks on various topics. Perhaps the most immediately useful (in the sense of actionable information) for myself was the “Cyber security for business trips: Tips and tricks from a paranoid traveller”. The talk covered a wide variety of ways to make yourself a more difficult target during business travel ranging from simple “use 6-digit PIN codes for SIM cards and proper screen lock passwords instead of facial recognition or short PIN codes” to things like “cover screws in your laptop with glitter nail polish and take photos of the result in order to prevent someone from opening your laptop and installing spy chips on the motherboard undetected”. I did already add some minor new security measures to my standard practices, and will definitely consider others as well in the future.
Workshops provided a chance for hand-on learning on a variety of traditional topics such as log analysis and penetration testing, but also included things like body language, surface mount electronics assembly, and quantum computing. Both of the workshops I participated in, the log analytics and the penetration testing, required participants to use their own computers, with data or target servers being provided by the instructors. Using work laptops containing sensitive data was discouraged, and I prepared an old personal laptop of mine to be used in the event.
In the log analysis workshop the aim was to analyse log data from an imaginary company in order to find signs of shady activities using a certain log analysis tool. In the end it became apparent that an attacker had managed to install a backdoor to the company’s server and later used the backdoor to steal some customer data. The workshop was pretty useful in both making me aware of this type of attacks and the importance of taking these sorts of shenanigans into account when writing log parsers of my own.
The penetration testing workshop on the other hand gave me at least some idea of the types of tools that exist for attacking various types of servers. It was eye-opening to see how easy it is to perform e.g. SQL injection attacks on vulnerable servers when using tools designed exactly for that.
In addition to the official workshops, one area of the event venue was dedicated to lockpicking and related activities. Spread on a fair amount of tables there were both transparent training locks as well as some ordinary locks of various types, and an assortment of tensioners and lockpicks for anyone willing to test their skills. There were also people answering questions and giving tutorials on the basics of lockpicking. In addition to locks that open using keys, there were also some combination locks and even a couple of the kind of combination locks that are used in safes.
I did manage to pick a couple of the easier training locks, and also learned the basics of how one goes about figuring out the combination of a safe, but unfortunately didn’t have enough time (and patience) to actually go through the process of opening one of the training safes. I also got an answer to a question that I have been wondering from time to time: yes, the stethoscope is an actually useful tool when opening a safe and not just something they use in the movies.
The Disobey badge and other challenges
Another part of the Disobey event are the various challenges and puzzles, and the electronic badge that plays an integral part in one of the puzzles. The first of the puzzles can actually be solved before the event in order to obtain a special hacker badge and a cheaper ticket to the event itself. The badge itself is a circuit board filled with all kinds of functionality, such as wifi, an audio port and a microphone, a small display and multiple RGB leds, a memory card reader, and a micro USB port for charging and shell access, plus various buttons and switches.
The start of the badge challenge involved realising that the badge has a hidden connector that could be used to connect the badge to certain suspicious-looking terminals. Connecting different combinations of badges to the terminals produced new hints that could then be used to progress further in solving the puzzle. I didn’t work on the puzzle further than that, but it seemed like something that would be interesting to check out should I go to the event again in the future.
In addition to the badge challenges there was something called the Capture the Flag competition, that involved solving different scored challenges solo or in small groups and trying to collect as many points as possible. I didn’t participate in that, so I don’t have any information on the contents of those challenges.
All in all, the event was a positive experience, although I’m sure I missed some things by not going to the parties. The talks I listened to were interesting, as were the workshops and the badge challenge seemed like something that I would like to try my hand at some other time. From a professional point of view, the most useful contents were probably the tips on improving cyber security while travelling and the workshop on log analysis, but I guess it doesn’t really hurt to be more aware of different security risks that can be found in software, hardware, or for example in the access controls used in offices and the like.