I did a “lecture”/“workshop” about this at work today. 16-bit DOS, real mode. 💾 Pretty cool and the audience (devs and sysadmins) seemed quite interested. 🥳

• People used the Intel docs to figure out the instruction encodings.
  
• Then they wrote a little DOS program that exits with a return code and they used uhex in DOSBox to do that. Yes, we wrote a COM file manually, no Assembler involved. (Many of them had never used DOS before.)
  
• DEBUG from FreeDOS was used to single-step through the program, showing what it does.
  
• This gets tedious rather quickly, so we switched to SVED from SvarDOS for writing the rest of the program in Assembly language. nasm worked great for us.
  
• At the end, we switched to BIOS calls instead of DOS syscalls to demonstrate that the same binary COM file works on another OS. Also a good opportunity to talk about bootloaders a little bit.
  
• (I think they even understood the basics of segmentation in the end.)
  

The 8086 / 16-bit real-mode DOS is a great platform to explain a lot of the fundamentals without having to deal with OS semantics or executable file formats.

Now that was a lot of fun. 🥳 It’s very rare that we do something like this, sadly. I love doing this kind of low-level stuff.

@movq@www.uninformativ.de Interesting internal education sessions are way too infrequent here as well. There are a bunch of “knowledge transfer” meetings actually, but 90% of the topics already sound totally boring to me. The other 9% talks turned out to be underwhelming, sadly. I only attended a single one where it was delivered what has been promised. They’re all talks, not real hands-on trainings like you did.

Once a year the security guys organize a really great hacking event, though. Teams can volunteer to hand in their software dev instances and all workmates are invited to hack them and report security vulnerabilities. That’s a lot of fun, but also gets frustrating towards the end when you don’t make any progress. :-) There’s also some actual hands-on training in advance for preparation of the two days. Unfortunately, I missed the last event due to my own project being very stressful at the time.

When I had a Do What You Want Day I also show my direct teammates what I learned in the hopes of this being interesting to them as well. I’m the only one in my team using this opportunity, sadly.

@lyse@lyse.isobeef.org

They’re all talks, not real hands-on trainings like you did.

I love listening to good, well-structured talks. Problem is, not everybody is a good speaker and many screw it up. 🥴 I’m certainly not a great speaker, which is why I gravitate more towards “workshops”, in the hopes that people ask questions and discussions arise. Doesn’t always work out. 🤣 At the very least, I almost always have some other person connect to the projector/beamer/screenshare and then they do the stuff – this avoids me being wwwwaaaaaaaaayyyy too fast.

We are usually drowned in stress and tight deadlines, hence events like today are super rare … We used to do it more often until ~10 years ago.

Once a year the security guys organize a really great hacking event, though.

Oh dear, I’d love to participate in that. 🤯 That sounds like a lot of fun. (Why don’t we do this?!)

@movq@www.uninformativ.de I also don’t think that I’m a particularly good speaker. :-) The workshop model is a good idea, I like that.

Yeah, it’s really good fun. I can highly recommend it. This is also a good way to train (new) developers to think like attackers, how to break in, destroy something or raise awareness of some classes of bugs. Then you can avoid them next time. It’s surprising to me what vulnerabilities come up during this event every time. So, absolutely worth it, win, win.