Disarray 2025: All aboard TurkuSec's cyber boat

Ahoy! All aboard the cyber boat! But first, an important notice – DO NOT HACK THE SHIP.

While Disobey kicks off the winter holiday, Disarray is quickly becoming a staple of the autumn holiday season. The second run of the TurkuSec cruise took place on the 25th–26th October. I’ve had the pleasure to attend both years, and Disarray is easily one of my favourite cyber events in Finland. With one talk track, a Capture the Flag (CTF) competition, and plenty of time for networking and hanging out, it is well worth attending.

“I believe networking and collaboration events are important for the Finnish CitySec and cyber community,” said Ismayil Hasanov, the TurkuSec chair. “Such conferences are needed, and it’s a perfect opportunity for professionals and students alike: you can listen to top-notch talks and network with people, which is super important.”

I missed the Friday night’s pre-event, but in the harbour early on Saturday morning, the Disarray crowd would have been easy to spot even had there not been familiar faces: the black hoodies were standing out from the regular cruise-participants. After a smooth boarding, I was happy to see I was sharing a cabin with three W4CFI friends. We quickly dropped off our luggage and headed up to the conference room for the first talk.

Like most CitySec events, Disarray follows the Chatham House Rule: participants are free to use the information received, but neither the identity nor the affiliation of the speakers, nor that of any other participant, may be revealed. Hence I won’t go into detail on what the talks were about, but as the programme has been published on the internet, the variety of themes may be discussed.

I’m sure many of us have heard the saying that having a T-shaped skillset is useful in cyber: that is, there are many things you know a little about and something you have deep expertise in. Events, and especially ones like Disarray which only has one talk track – meaning you’ll sit through things that may not be your personal top interest – are excellent in broadening your T. Even the most technical person working in cyber will benefit from having scratched the surface of how to communicate security to other teams. Similarly, a GRC nerd (which stands for Governance, Risk & Compliance, by the way) gains from learning about e.g. WLAN security because the better you understand something, the easier it is to manage. CitySec events are brilliant in this regard. Of course, we also heard keynotes on today’s pressing matters, such as the impact of satellite systems on cyber, hacking Windows 11, and AI hacking being important for civil liberties (you can try it yourself, by the way, e.g. at Hack AI.quest).

Having said this, I did not, in fact, hear most of the afternoon’s talks. I hadn’t planned on participating in the CTF despite joining it last year – too long a week and no time to get my Kali ready, I told myself – and consequently only had my phone on me. (And work laptop, but that was obviously out of bounds.) However, it turned out that I didn’t take a lot of convincing. “I’ll just have a quick look at the challenges” became “Whatever was I thinking not taking my laptop” became, some 7 hours later, “It’s really cold to sit right below this AC vent but I’m too preoccupied to move.” As is probably obvious, we really enjoyed the wide range of challenges, produced by TurkuAMK cyber students. To our slight surprise and elation, our team of two placed 7th out of 25 – a feat made no less impressive by only having one laptop and two phones to work with.

Besides the talks and the CTF, one of the very best parts of events like Disarray is the networking. What it really means in this context is talking to people, learning as well as sharing your own knowledge – and just making friends. The closed quarters provide another aspect to networking. When we’re on a ship among the regular travellers, we kind of know each other even if we just run into each other at random in the tax-free, and I highly recommend everyone attending a future Disarray to embrace this connection. Getting out of your comfort zone and talking to strangers may feel daunting, but it is very much worth it, especially as TurkuSec lives up to their reputation of fostering a nice and welcoming atmosphere. “It’s been great, and we highly recommend attending. Even if you don’t particularly enjoy social situations, it’s not a problem here. The reception has been very good,” said two students who were attending for the first time.

One of the Disarray (as well as TurkuSec) rules is: “Be excellent to each other.” To enforce it, there was a harassment officer present at the conference, which we appreciated. It goes a long way to show that kindness is expected and nonconformity will have consequences, especially as women made up the minority of the participants.

“We would like to see more Women4Cyber people at Disarray next year,” said Shamil Alifov, board member and one of the founders of TurkuSec.

“Women4Cyber should definitely come,” echoed chair Ismayil Hasanov. “Let’s face it, currently cybersecurity is dominated by men. That’s something we both need and want to change.”

After too short a night, sitting up late and chatting, and too early a morning, I was among a tired group who drifted through the drizzly docks to the Bore hostel for breakfast and the two final talks. Awards were given to the CTF top 3. Some other, more random awards were given out as well – Disarray was ambitious in that regard. The atmosphere was tired yet contented.

We’d learned, we’d shared, we’d had fun.

As far as we know, no one had hacked the ship.

Text & photos: Maria Talvela, W4CFI Articles