While the Coronavirus-induced lockdown surely makes life easier for the socially anxious and awkward ones among us, it also takes away the one thing that provides a feeling of belonging and home: conferences. Luckily, there are plenty of videos of past events available online to help bridge the time until we can mingle among like-minded folks again. To add one more option to the list, here is an event you have probably never even heard of: Disobey, Finland’s annual security conference, which took place for the fifth time in Helsinki earlier this year. The organizers recently published the playlist of this year’s talks on their YouTube channel.
With slightly under 1500 hackers, makers, and generally curious people attending this year, Disobey is still on the smaller side of conferences, but it comes with everything you’d expect: talks, workshops, CTF challenges, and a puzzle-ridden badge. Labeling itself “The Nordic Security Event”, its main focus is indeed computer and network security, and most of the talks are given by professional security researchers, oftentimes Red Teamers, talking about their real-world work.
In general, every talk that teaches something new, discusses important matters, or simply provides food for thought and new insight is worth watching, but we don’t want to give everything away here either. The conference’s program page offers an outline of all the talks if you want to check out more information up front. Still, we can’t just mention a random conference without giving at least a few examples of what to expect from it, so let’s do that.
Security And Breaking Things
If you’re not too familiar with the work of security researchers or the field itself, but are still curious about it, or simply like to hear stories from the trenches of messed-up security in practice, Security Expedition in b0rkenLand by [Hetti] might be a good starting point for you. For an avionics-flavored take on the latter, check out [Chris Kubecka]’s More Than Turbulence, where she talks about her work looking into the state of Boeing’s digital security, assuming you’re not already uncomfortable with the thought of flying.
Now, having a license to break things, i.e. being a pentester / security consultant / white hat hacker, will definitely provide a few interesting subjects at a conference like this. [Antti Virtanen], for example, shows in I’m in your office a good dozen different ways he was able to bypass access control in buildings. Some of them seem so stereotypical that you would just roll your eyes if you saw them in yet another movie, but it turns out it might just be as easy as Hollywood wants us to believe.
An entirely different subject is Breaking Detection with x86 ISA Specific Malware by [Chris Hernandez], whose idea is to use the differences between x86 instruction set architecture versions to evade malware detection. If a sandboxed or otherwise isolated system that checks for malware runs on an older or emulated x86 feature level than the target system, a sample built from opcodes the detection system does not support will fault there before it shows any malicious behaviour, while the same code executes happily on the target. The practical upshot for defenders is that the analysis environment should match the CPU feature level of the machines it protects. Lots of assumptions in here, yes, but remember, this is as much about having fun breaking things as it is about education; maybe there’s more to an illegal instruction crash than meets the eye.
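The premise of that talk is easy to check on your own infrastructure. The script below is an added example, not code from the talk or from [Chris Hernandez]: it compares the CPU flags a sandbox exposes with those of a representative target host and lists the instruction set extensions a sample could execute on the target but not under analysis. The two /proc/cpuinfo excerpts are constructed sample data (an emulated baseline CPU versus a newer desktop part); on a real deployment you would feed it the actual files from both machines.

```python
"""Compare the x86 ISA extensions a malware sandbox exposes with those of the
hosts it is meant to protect.

Added example, not code from the talk. The premise it checks is the one the
talk relies on: an instruction the analysis box's CPU (or emulator) cannot
decode raises #UD there and the sample is never analysed, while the real
target executes it. The /proc/cpuinfo excerpts below are constructed sample
data; on a live system read the real file instead.
"""

# Constructed: the first "flags" line as /proc/cpuinfo prints it. The sandbox
# is an emulated baseline CPU, the target a newer desktop part.
SANDBOX_CPUINFO = """\
processor\t: 0
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm nopl cpuid pni cx16 x2apic hypervisor lahf_lm
"""

TARGET_CPUINFO = """\
processor\t: 0
model name\t: Constructed Desktop CPU
flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm nopl cpuid pni ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm abm bmi1 avx2 bmi2 adx sha_ni
"""

# Human-readable names for a handful of well-known flags; anything else is
# reported under its /proc/cpuinfo name.
FLAG_TO_EXTENSION = {
    "pni": "SSE3", "ssse3": "SSSE3", "sse4_1": "SSE4.1", "sse4_2": "SSE4.2",
    "popcnt": "POPCNT", "movbe": "MOVBE", "aes": "AES-NI", "xsave": "XSAVE",
    "avx": "AVX", "f16c": "F16C", "rdrand": "RDRAND", "abm": "LZCNT",
    "bmi1": "BMI1", "bmi2": "BMI2", "avx2": "AVX2", "adx": "ADX",
    "sha_ni": "SHA-NI", "avx512f": "AVX-512F",
}


def parse_flags(cpuinfo_text):
    """Return the flag names from the first 'flags' line of cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    raise ValueError("no 'flags' line found")


def isa_gap(sandbox_text, target_text):
    """Flags the target advertises but the sandbox does not.

    Each entry is an extension whose opcodes run on the target and fault in
    the sandbox, so a sample gated on them looks benign under analysis.
    """
    return sorted(parse_flags(target_text) - parse_flags(sandbox_text))


def sandbox_only_flags(sandbox_text, target_text):
    """Flags only the sandbox has: cheap tells a sample can use to spot it
    (the 'hypervisor' bit is the classic one)."""
    return sorted(parse_flags(sandbox_text) - parse_flags(target_text))


def describe_gap(gap):
    """Map gap flags to extension names, keeping unknown flags as they are."""
    return [FLAG_TO_EXTENSION.get(flag, flag) for flag in gap]


if __name__ == "__main__":
    gap = isa_gap(SANDBOX_CPUINFO, TARGET_CPUINFO)
    if gap:
        print("Target-only extensions (sandbox would #UD):",
              ", ".join(describe_gap(gap)))
    else:
        print("Sandbox ISA covers the target's feature set.")
    tells = sandbox_only_flags(SANDBOX_CPUINFO, TARGET_CPUINFO)
    if tells:
        print("Sandbox-only flags a sample can fingerprint:", ", ".join(tells))
```

Anything in the first list is an opcode family a sample can hide behind; the second list is the mirror image, flags that exist only in the sandbox and give it away to a sample that queries CPUID.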
Likewise worth watching is Live Memory Attacks and Forensics by [Ulf Frisk], the author of PCILeech and MemProcFS. Both the tools and the talk are about DMA attacks over PCIe, which [Ulf] demonstrates and, among other things, uses to turn the tables by compromising a Kali Linux system from within Windows, go figure!
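Attacks of this kind work because the rogue PCIe device's DMA reaches physical memory without translation; the control that stops that is the IOMMU (Intel VT-d or AMD-Vi) doing DMA remapping. The script below is an added example, not part of the talk or of PCILeech/MemProcFS: it parses a Linux kernel command line for the remapping switches and, when run on a live box, checks whether the kernel actually exposes IOMMU groups. The command lines shown are constructed samples, the script assumes Linux, and Windows' Kernel DMA Protection, the counterpart on that platform, is not covered.

```python
"""Check whether a Linux host asked for IOMMU-based DMA remapping, the
control that keeps a PCIe device from reading and writing arbitrary RAM.

Added example, not part of the talk or of PCILeech/MemProcFS. It parses a
/proc/cmdline-style string (the samples below are constructed) and, on a live
box, counts the groups under /sys/kernel/iommu_groups to see whether remapping
is actually active.
"""
import os

IOMMU_GROUPS = "/sys/kernel/iommu_groups"

# Constructed sample command lines.
CMDLINE_DEFAULT = "BOOT_IMAGE=/vmlinuz-6.1 root=UUID=1234 ro quiet"
CMDLINE_VTD_ON = "BOOT_IMAGE=/vmlinuz-6.1 root=UUID=1234 ro intel_iommu=on iommu=pt"
CMDLINE_VTD_OFF = "BOOT_IMAGE=/vmlinuz-6.1 root=UUID=1234 ro intel_iommu=off"


def parse_cmdline(cmdline):
    """Extract the IOMMU-relevant parameters from a kernel command line.

    intel / amd: "on", "off" or "default" (intel_iommu= and amd_iommu=;
    both accept comma-separated option lists, e.g. intel_iommu=on,igfx_off)
    passthrough: True when iommu=pt was requested
    """
    state = {"intel": "default", "amd": "default", "passthrough": False}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if not sep:
            continue
        opts = value.split(",")
        if key == "intel_iommu":
            if "off" in opts:
                state["intel"] = "off"
            elif "on" in opts:
                state["intel"] = "on"
        elif key == "amd_iommu":
            if "off" in opts:
                state["amd"] = "off"
            elif "force_enable" in opts:
                state["amd"] = "on"
        elif key == "iommu" and "pt" in opts:
            state["passthrough"] = True
    return state


def count_iommu_groups():
    """Number of IOMMU groups the running kernel exposes, or None when the
    directory is absent (not Linux, or analysing a captured cmdline offline)."""
    if not os.path.isdir(IOMMU_GROUPS):
        return None
    return len(os.listdir(IOMMU_GROUPS))


def dma_protection_verdict(state, group_count):
    """Summarise DMA protection as "off", "weakened", "on" or "unknown".

    group_count == 0 on a live box means no IOMMU is active regardless of
    what the command line asked for (firmware may have it disabled). With
    nothing requested and no live sysfs data the answer depends on the
    kernel's build default, so it is reported as unknown.
    """
    if state["intel"] == "off" or state["amd"] == "off" or group_count == 0:
        return "off"
    requested = state["intel"] == "on" or state["amd"] == "on"
    active = group_count is not None and group_count > 0
    if not (requested or active):
        return "unknown"
    # iommu=pt gives host-owned devices identity mappings, so remapping no
    # longer restricts their DMA; treat it as weakened rather than on.
    return "weakened" if state["passthrough"] else "on"


if __name__ == "__main__":
    try:
        with open("/proc/cmdline") as fh:
            cmdline = fh.read()
    except OSError:
        cmdline = CMDLINE_DEFAULT  # fall back to the constructed sample
    state = parse_cmdline(cmdline)
    groups = count_iommu_groups()
    print("cmdline:", state, "iommu groups:", groups)
    print("DMA protection:", dma_protection_verdict(state, groups))
```

A verdict of "off" or "weakened" on a machine with exposed PCIe or Thunderbolt ports is exactly the situation the talk's demos rely on; "unknown" means the command line is silent and only the live sysfs check can tell you.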
Privacy And Philosophy
Of course, no security conference would be complete without talking about privacy. Considering Disobey took place a couple of weeks before COVID-19 was declared a pandemic and tracking apps to prevent its spread became a normal thing to talk about, [Anne Oikarinen] and [Tuisku Sarrala] discussing Privacy Threat Modeling Based on Data Lifecycle seems even more relevant today. Looking at the different stages of the data life cycle and the privacy concerns each of them raises, their main message is directed at developers who may not fully realize how their own view of data might expose or endanger others.
[Antti Kurittu] points out a similar cognitive bias in his Paradigm Shift talk: developers oftentimes fail to see that they are part of a small, tech-savvy elite that understands how computers actually work. The majority of the population, who are also the majority of users today, doesn’t, and isn’t interested enough to learn. That mismatch is what causes the infamous user errors and turns the user into a security issue in itself. As [Antti] puts it, “if it’s difficult to use, it’s difficult to use securely”, and maybe it’s time we seriously rethink user interfaces.
The Keynote Talks
Sure, blaming the user is easy, but it’s not going to solve anything, as [Mikko Hyppönen], Finland’s Security Daddy and, among many other things, curator of the Malware Museum, addresses in Friday’s Keynote. He starts off with the general state of the internet, how it’s on its way to becoming as fundamentally crucial to society as electricity, and the consequences this development will have from a security perspective. After showcasing a few high-profile individuals and scenarios from the past, he adds machine learning to the equation and forms his prediction about the future of malware.
An entirely different talk is Saturday’s Keynote given by [Jayson E. Street], and if you had to choose just one talk from Disobey, this is the one that should resonate the most with any present and future hacker, and with anyone interacting with the hacker community. Using Matrix references, he reminds us what being a hacker means, and how it isn’t about computers but about passion and challenging the norm, which requires constant, curiosity-driven learning with many failures along the way.
The hacker community is a manifold world where everyone should and does have their own ideas and goals, and no one will ever have the one true answer to anything — thinking so would actually be the total opposite of what the community is supposed to stand for. In conclusion, [Jayson] settles the score with all the gatekeeping, judging and discrimination inside the community, and encourages everyone to stop being their own biggest critic and just do what they enjoy doing, regardless what anyone else might think.
Disobey’s main organizer [Benjamin Särkkä] delivers a similar message in the conference’s Opening Remarks, and in the end, that’s what conferences and the community they’re addressed to should really be about: learning, sharing knowledge, being passionate about the things you love doing, and enjoying yourself in a surrounding where — maybe for the first time — you feel like you belong.
“As [Antti] puts it, ‘if it’s difficult to use, it’s difficult to use securely’”
Brings to mind that old saw “If you want a totally secure linux system, build it from scratch from source yourself” yeah, no, I’ve got half a clue and I’d trust any random pick off distrowatch not to have so many gaping holes as I would undoubtedly have on my first try. Security complaints about popular distros are more along the lines of “a couple of shingles are loose if you know where to look on the roof” vs “I completely forgot (Or didn’t know how) to install doors and windows on the ground floor.” So I get his point, the more security knobs and dials you’re able to twiddle, the more “control” you have, but the more likely you are to set them badly, by mistake, inattention, or plain lack of knowledge.
I like BSD, especially OpenBSD (secure by default), although with Linux there was a time Torvalds and his Linux Foundation cared nothing for hobbyists and newcomers… when their only experience of humanity was a toilet seat coming at them down a steel corridor. I’m glad Ubuntu came and changed that attitude.
Where on earth did all that come from ???
> Coronavirus-induced lockdown surely makes life easier for the socially anxious and awkward ones among us
No, just no, don’t assume your experiences are universal, ESPECIALLY when it comes to mental health. It is entirely likely that someone might treat a socially anxious person with less kindness after being influenced by comments like this. As a member of society, with the responsibility that comes with the use of a platform with a large readership, you have the responsibility to try to avoid influencing people in ways that could cause harm.
Oh. My. God. The Boeing presentation by Chris Kubecka is frightening.
And if only the company had spent the tiniest, tiniest fraction of the amount they spent on intimidation lawsuits on *basic* security instead, they wouldn’t be in the position she demonstrates. The most expensive executives & lawyers, the cheapest outsourced developers–way to go, guys!
It’s probably nothing whatsoever to do with the likelihood that all the programmers available to hire in Seattle were incompetent enough to even get fired from Microsoft. :-D