- Espen Sande Larsen
So it was that time of year again—the week-long celebration of technology in Oslo Spektrum. This would be my 13th NDC and the third year in a row I was doing more than just attending.
NDC has a special place in my heart. It was my first tech conference experience, and I loved it! The talks were great, the showroom was great, and the food was continuously great, but the people were the best. To spend a week with your entire industry in a social setting is an enriching experience. The chats at lunch, the conversations between talks and the most stimulating pub sessions you could imagine - made it an experience I would do almost anything to ensure I could go back to year after year.
I submitted papers to NDC for over 10 years before accepting my first one. Still, I finally got my spot talking about ethical hacking and the importance of integrating pen testing into your daily development cycle. If there ever was a clear example, hard work and perseverance will pay off.
My talk "How Hacking Works" received a 98% rating from the audience and has received over 4000 views on Youtube, with no downvotes as of now. That is not too shabby for a technical talk for a very narrow audience.
Needless to say, I felt honoured to be asked to turn my talk into a two-day workshop. I immediately said yes—as I always do—but I failed to consider just how much work goes into creating a course for two whole working days. It is not like I don't have a day job and a family to keep me occupied, so finding time and space to create something meaningful was quite the challenge!
When I give talks or other public performances, the audience experience is my most important aspect. We all know what it is like to sit in a boring talk for sixty minutes, tired and slightly hungover from yesterday's pub session, skipping breakfast to get into the venue on time, only to sneak a seat in the back row. If the speaker is not engaging or monotone, the subject matter is dry, and there are just black-on-white slides with facts, it feels like you are dying a slow death of agony. So, I swore I would not let that happen in my sessions! If I don't get a reaction within the first 5 minutes, I will start to adlib and riff to get the audience engaged - otherwise, what is the point?
How was I supposed to create a complete workshop and get developers who were novices in the world of hacking excited and motivated to learn these skills? I know from experience that the vast majority of developers feel that hacking is one of those disciplines reserved only for the elite and most intelligent people. This is not the case at all; in fact, if I can do it, anyone can!
I have a soft spot in my heart for CTF tournaments (Capture The Flag) because they gamify the learning of software exploitation. In addition, they do it in a safe environment, and you are allowed to break into real systems. That is a great tool, which I knew I wanted to integrate into my workshop. I didn't want them to listen to me talk for hours. How on earth could anybody learn anything from that? Did any of you truly learn anything from teachers using that pedagogical strategy? My conjecture is not likely. You probably learned from repeating exercises in your homework or practical work at school.
Luckily, my wife is a teacher, so I asked her for advice. She teaches the first three years of primary school, so she was hesitant about whether her approaches would work for an adult classroom. Her methods try to maximize the learning potential of young children while still catering to their restless and playful nature. I told her that this is just what a room of slightly hungover geeks needs because we nerds are as playful and restless as they get.
So we agreed on a structure: each session would start with an introduction to a concept, followed by lab exercises that would allow participants to self-discover, followed by a practical walkthrough and more exercises. I now had my architectural framework for the workshop, and I just needed content.
I decided that this should be a boot camp for web developers because everything is web these days. Who would have thought that the world would settle on HTML as the primary application development platform for everything? If you had asked 1995 Espen, he would have said that this notion was preposterous. It just goes to show how little we really know about the future.
Web development and security were the topics, and the OWASP top 10 was the logical conclusion for the content. But we wouldn't attack this from a threat modelling, disaster planning or defensive point of view. We would go red.
I spent weeks, months, late nights, and all the spare moments I could conjure up writing this course. Waiting in the car while your kids are at sports practice, for instance, is a very zen moment for getting into the flow state. Just let Led Zeppelin, Pink Floyd, and Iron Maiden roar on the sound system, and I got hours of work done in that little 90-minute time bubble.
I built a container-based CTF platform with five labs in total. Each lab was built like an onion, and every challenge you completed followed the stages of a hack and got you one step closer to the final challenge—pwning the box or a complete system takeover.
Even though I managed to get a good amount of work done, I was not able to make the deadline, which made me super anxious. My wife said I could always back down, but that was not an option for me. I was on a mission; I genuinely believe in this cause because securing systems is essential! And if you know how things break, you can learn how to make them robust. If you were an engineer building bridges, would you not try to trigger a hurricane in a safe environment instead and make it fall down? We can actually do that in the realm of software, while the physical world sadly can only rely on simulation for such endeavours.
So I pushed on, and by Sunday, I had one whole day's worth of content ready, and I decided to test everything. Nothing worked, errors were all over the place, and things that worked previously suddenly failed. What a nightmare, a nightmare that appears too often in the world of software development. If that doesn't resonate with you, in the words of Yoda, "You will, you will...". Luckily, I had a train ride and a whole evening in a hotel room to fix it. That is loads of time! So I got things popping on the train, made it to my room, and ordered room service. I didn't want to go out to find food, which would take too long. Around 1 AM, I fell asleep at my keyboard, with a running container cluster and all tests green.
0800: I walked over to the venue and found my classroom. The room was named "Piano," which I thought was poetic and funny. I am a pianist by trade, and this process up until this point had been more "forte" than "piano." Then it hit me; I had forgotten one thing. Slides!! I need slides!! So I got PowerPoint running like an Olympic sprinter and tossed together some slides. No death by PowerPoint here; no time for it! It does help to have extensive knowledge about the subject matter if you ever find yourself in a situation like this. The slides were solid!
The first session went OK, but we had many technical issues. I specified that everyone should have a way of running Linux, preferably a virtualized version of Kali. Since it comes with many tools, I prefer Debian-based distributions. But I didn't think that we would have platform issues. Admittedly, I should have known about this; I am a systems programmer at heart, after all. However, I completely overlooked this key detail in the chaotic and frantic process that pushed this project to fruition. Some students had Windows 10 computers, some had Windows 11, some had Linux native on an ARM-based Chrome Book, some had ARM-based Macs, and a couple even had brought their super locked-down corporate PCs. Since I had containerized everything, it did mitigate some of these issues. However, containers are not emulators, so we still had problems with packages not being built for every CPU architecture, and the different strategies and setups had a lot of networking and security issues.
By lunchtime, we had sorted all of these things out using many solutions; we did have to resort to some creative solutions, though. Through all of this, I still managed to give a nice presentation and teach part of the course, and we had a great atmosphere in the room. It was a cheerful and engaged crowd, so I was lucky there.
The second half of day one went great. The students were engaged and excited about breaking into systems. When they finally breached the last layer to take over the entire system, there was laughter and cheers and a true feeling of astonishment and accomplishment. We ended the day with a great conversation and happy students. I rewarded myself with a beer and some food at the hotel bar. Because I still had a complete day to prepare!
In my room, I completed the entire set of material for the second day before midnight, which felt really good. It was gratifying to get a complete night's sleep for once. The next morning, I even managed to wake up early enough to catch breakfast at the hotel! That is not a common thing for me. Those who know me well can attest to it!
Day two was great. I changed the pace of the course because of the technical issues the day before. Also, the students' novice level taught me that I needed to make it easier for them to complete. So we went through the topics and would do box challenges this time. Here, I would go through a topic and issue one specific challenge. They would have twenty minutes to solve it, followed by the same joint walkthrough exercise we did the day before. This walkthrough approach was so successful that I could have done the entire workshop in that fashion.
After the day was over, I felt a set of mixed emotions. I was very proud of my achievement, again, another rare occurrence. On the other hand, I felt melancholy. I really enjoyed sharing my knowledge and seeing how invigorated and inspired the students were. It was sad that I only got to feel like this for two short days. But there was no time for grovelling; this was a remarkable feat, so I decided to treat myself to a dinner at a restaurant, a few beers at the bar, and a long night's sleep. The only thing left on the agenda was thoroughly enjoying the rest of the conference!
I really want to offer this workshop to my colleagues in DNB. So, if you are interested, let me know. Maybe we can make it an internal event. I am ready if you are! Join my bootcamp: "I don't know but i've been told, hacking is fun and don't get old!".