On 20-21 December 2019, the University of Georgia held an event Cyber Hackathon 2019. It was organized by OWASP Tbilisi members, CERT.GOV.GE, and GreenNet employees. I think the whole event is a manual for other organizers on how to bury any hackathon.
Let's start from the beginning. My friend shared with me the link to this event and I decided to check it out. I don't usually spend time on Georgian events due to my previous awful experiences. Georgian events are mostly disorganized and judging isn't always fair from my point of view. So participation was not in my plans, I just wanted to socialize and meet new hackers.
The first strange decision organizers made was to start the event at 11:00 AM on Friday. Most people have a job or study at university and it's not the best time for them. My assumption came true when I saw at the event room only four people, plus organizers. Organizers seemed nervous waiting for participants. Just imagine 600 people press the GOING button on the best social media platform and the next day you have only 5 people. They moved the event starting time to 12:00 PM with the hope someone would come. Try to guess. No one came. It was the first signal for me to leave, but I got curious. I never have been to a small event like this.
At 12:00 participants were still five people. Organizers moved us to another hall, where at the same time was going to another event. Cyber EXE was held for company employees to solve network-related problems in a given time. The youngest organizer started a presentation about Cyber Hackathon 2019. Briefly listed organizers, sponsors. Prizes were the following:
- 1st Place - Laptop (No model specified).
- 2nd Place - 500 GEL voucher for PCShop.ge.
- 3rd Place - Free course from GreenNet. (No course specified).
Then he cloned an example project from GitHub and opened a small bash script. You may be surprised, but the script was changing file permission and owner. That's all. The guy explained that this reduces the two-step process to one. And he expects this kind of project. It's a shame I don't have a URL to share it. At that moment I decided to stay. Three places, solid prizes, and easy project expectations. What else do you need to hack?
I chose my project very quickly. In Georgia, there is an app called Mobile Numbers Database. You can check it out following this link: https://nomrebi.com/. You can download the app on your smartphone and if you agree to share your contacts you can find out how others have written queried numbers in their contact list. My project idea was to query this service for every possible mobile number and save responses in a local database. This way the original database would be cloned and I would be able to search someone's phone number by name. Of course, after a successful run, some missing numbers would be left, but it is still something right?
In Georgia, there are several mobile communications providers and each of them has several networks. For example:
- (+995) 557 (6 digit phone number)
- (+995) 577 (6 digit phone number)
- (+995) 574 (6 digit phone number)
- And so on.
Simple combinatorial calculations tell us that we need to check a few billion numbers.
As a scripting language, I took Python and started investigating how their API works. Besides downloading the app you can register on the website with your information and phone number. After receiving the verification code via SMS you can log in and search for numbers. I quickly found out the login and search route via Firefox Developer Tools. After a few tests, I noticed receiving an error instead of a response. It turns out that API puts a limit on you after 15 queries for a day. To increase this limitation you are offered to share this app on Facebook or download it on your smartphone. But even after that, you hit a limit after 20 queries.
My next attempt to overcome the limit was to automate account creation. The script would register with a random number and details and then would try to guess 4 digit verification code. This approach partially failed since after 3 incorrect tries server invalidates the sent code. The script required almost an hour to hit the correct verification code. And taking into consideration the number of mobile numbers I had to check, also the limit per day I decided to stop there. Overall my script is very inefficient, spending most of the time trying to guess a verification code. It seems some curious individuals already bothered the app's servers and developers had to increase their security. To be honest I was not expecting such complexity from them.
The original goal wasn't accomplished, but for me the result was acceptable. I answered my question and the process of my investigation seems interesting to me. Around 19:00 organizer approached me asking if I wanted to present my project today. I was surprised by this offer and he explained since there are only two participants (me and a 10th-grade student) we can already present today. I accepted the offer and explained my script and work with one of the organizers. His questions were mostly out of context. And at the end of my presentation, he gave me a sticky note with his Gmail address on it. I had to send my script to him. I agreed and left the event.
After getting some rest at home, I sent my script and contacted him via phone to verify delivery. He replied to send my script again on his working email. Okay, easy, done. I got another message asking me to send a description of the script and what it is supposed to do. At that moment I knew he hadn't even opened it. Otherwise, he would see comments and descriptions I wrote in a script file in English. I translated my comments word by word in Georgian and sent them as a description. Finally, I got a message: "All good. I will contact you tomorrow after 13:00.". Nice! Time to watch some TV show.
On the second day, no one contacted me. I was already feeling what was going to happen but still went to the Uni to see it myself. All the organizers were in a hall waiting for someone. I asked if the ceremony was at 15:00 and one of them agreed. A few seconds later someone started explaining to me that after checking my project they made a conclusion my project was out of cyber theme and so I was expelled. And that's why they haven't messaged me. I felt aggression immediately. I asked what does it mean the cyber theme was not fulfilled. In answer received some mumbling about not having an original idea. I pointed to yesterday's presentation author and asked if script changing owner and permission is okay in their understanding of Cyber Theme, why my work isn't? The Bash script author honestly admitted that he never seen my script yet. The guy I discussed with before suggested getting on the computer and reviewing my project again. Everything was clear to me at this point so I rejected the offer saying if they hadn't checked my script already, I didn't need their 'professional opinion' on my work. Finally, he admitted that since they received a project only from me, the hackathon was declared as canceled. The explanation in my head said that they wanted to get prizes themselves or save them for the next event. I left. On my way out I met a 10th-grade student going to a ceremony.
I got very angry. Never have met such unprofessional organizers before.
P.S During the preparation of this blog post, I was searching for the event poster to use it as a thumbnail. Accidentally I found two interesting pictures, showing winners of the canceled hackathon. Rest of the decisions I leave up to you.
Below you can see a 10th-grade student who never sent a project. He won either a voucher or a free course. Unfortunately, it's unclear due to image quality. I failed to find description text anywhere online.
And this guy is the winner of first place and a laptop. I never saw him at the event and my attempts to find any information online about him have failed.
P.S.S Save your time and emotions, avoid any event organized by people portrayed in these pictures. They don't care about participants or projects at all. What matters to them is their name and giving prizes to their relatives or friends.