On 20-21 December 2019, the University of Georgia held an event Cyber Hackathon 2019. It was organized by OWASP Tbilisi members, CERT.GOV.GE and GreenNet employees. I think the whole event is a manual for other organizers on how to bury any hackathon.
Let's start from the beginning. My friend shared with me the link to this event and I decided to check it out. Usually I don't spend time on Georgian events due to my previous awful experiences. Georgian events are mostly disorganized and judging isn't always fair from my point of view. So participation was not in my plans, I just wanted to socialize and meet new hackers.
The first strange decision organizers had made is starting the event at 11:00 AM on Friday. Most people have job or study at university and it's not the best time for them. My assumption came true when I saw at the event room only four people, plus organizers. Organizers seemed nervous waiting for participants. Just imagine 600 people pressed GOING button on the best SM platform and next day you have only 5 persons. They moved event starting time to 12:00 AM with a hope someone will come. Try to guess. No one came. It was the first signal for me to leave, but I got curious. I never have been on a small event like this.
At 12:00 participants were still five people. Organizers moved us to another hall, where at the same time was going another event. Cyber EXE was held for company employees solving network-related problems in a given time. The youngest organizer started a presentation about Cyber Hackathon 2019. Briefly listed organizers, sponsors. Prizes were the following:
Then he cloned an example project from GitHub and opened a small bash script. You may be surprised, but the script was changing file permission and owner. That's all. The guy explained that this reduces two-step process to one. And he expects this kind of projects. It's a shame I don't have a URL to share it. At that moment I decided to stay. Three places, solid prizes and easy project expectation. What else do you need to hack?
I chose my project very quickly. In Georgia, there is an app called Mobile Numbers Database. You can check it out following this link: https://nomrebi.com/. You can download the app on your smartphone and if you agree to share your contacts you can find out how others have written queried numbers in their contact list. My project idea was to query this service for every possible mobile number and save responses in a local database. This way the original database would be cloned and I would be able to search someone's phone number by name. Of course, after successful run some missing numbers would be left, but it is still something right?
In Georgia, there are several mobile communications providers and each of them has several networks. For example:
Simple combinatorial calculations tell us that we need to check a few billion numbers.
As a scripting language I took Python and started investigating how their API works. Besides downloading the app you can register on the website with your information and phone number. After receiving verification code via SMS you can log in and search for numbers. I quickly found out login and search route via Firefox Developer Tools. After a few tests I noticed receiving error instead of a response. It turns out that API puts a limit on you after 15 queries for a day. To increase this limitation you are offered to share this app on Facebook or download it on your smartphone. But even after that you hit a limit after 20 queries.
My next attempt to overcome the limit was to automate account creation. The script would register with a random number and details and then would try to guess 4 digit verification code. This approach partially failed since after 3 incorrect tries server invalidates sent code. The script required almost an hour to hit a correct verification code. And taking into consideration the amount of numbers I had to check, also the limit per day I decided to stop there. Overall my script is very inefficient, spending most of the time trying to guess a verification code. It seems some curious individuals already bothered app's servers and developers had to increase their security. To be honest I was not expecting such complexity from them.
The original goal wasn't accomplished, but for me the result was acceptable. I answered my question and the process of my investigation seems interesting to me. Around 19:00 organizer approached me asking if I want to present my project today. I was surprised by this offer and he explained since there are only two participants (me and 10th-grade student) we can already present today. I accepted the offer and explained my script and work to one of the organizers. His questions were mostly out of context. And at the end of my presentation he gave me a sticky note with his Gmail address on it. I had to send my script to him. I agreed and left the event.
After getting some rest at home, I sent my script and contacted him via phone to verify delivery. He replied to send my script again on his working email. Okay, easy, done. I got another message asking me to send a description of the script and what it is supposed to do. At that moment I knew he hasn't even opened it. Otherwise he would saw comments and descriptions I wrote in a script file on English. I translated my comments word by word on Georgian and sent it as a description. Finally I got a message: "All good. I will contact you tomorrow after 13:00.". Nice! Time to watch some TV show.
On the second day no one contacted me. I was already feeling what's going to happen but still went in the Uni to see it myself. All organizers were in a hall waiting for someone. I asked if ceremonial is at 15:00 and one of them agreed. A few seconds later someone starts explaining to me that after checking my project they made a conclusion my project is out of cyber theme and so I am expelled. And that's why they haven't messaged me. I felt aggression immediately. I asked what does it mean the cyber theme is not fulfilled. In answer received some mumbling about not having an original idea. I pointed to yesterday's presentation author and asked if script changing owner and permission is okay in their understanding of Cyber Theme, why my work isn't? The Bash script author honestly admitted that he never saw my script yet. The guy I had discussion with before suggested to get on computer and review my project again. Everything was clear for me at this point so I rejected the offer saying if they haven't checked my script already, now I don't need their 'professional opinion' on my work. Finally he admitted that since they received a project only from me, the hackathon is declared as canceled. The explanation in my head said that they wanted to get prizes themselves or save them for the next event. I left. On my way out I met 10th-grade student going to a ceremonial.
I got very angry. Never have met such unprofessional organizers before.
P.S During the preparation of this blog post, I was searching for event poster to use it as a thumbnail. Accidentally I found two interesting pictures, showing winners of the canceled hackathon. Rest of the decisions I leave up to you.
Below you can see 10th-grade student who never sent a project. He won either a voucher or a free course. Unfortunately it's unclear due to image quality. I failed to find description text anywhere online.
And this guy is the winner of the first place and a laptop. I never saw him on the event and my attempts to find any information online about him have failed.