Wow! So That Was DerbyCon...

Monday, October 03, 2011

Michael SecurityMoey

A8054e07abdfdcadb09322585cb2e085

As bad of a birthday that I had on Sunday, it could not wipe away the afterglow of only a security conference can give me. That is right - DERBYCON.

All the hype and excitement exploded in KY this weekend (only bad Kentucky joke, promise). For those that didn’t have a chance to attend the event I am going to try to run through my take.

The Venue: Hyatt Louisville was a great place to have this con. For me it was right over the Indiana border so I had no problems finding it. The setup was great since the conference area was circular and just about everything was on the same floor. It wasn’t one of these places were you were struggling to find everything.

Also, the hotel was located in great area in Louisville. No offense to anyone who lives in KY but such an affluent area who would not expect to find. The nice touch was the centrally located bar which was a great place to hang out and chill.

Day 0 -Always start with oh

I missed all the excitement of the arrival day of DerbyCon. From what I hear it was pretty awesome and lots of fun. The most interesting thing that I heard about was BurbonCon which was a tour and tasting of KY’s most well-known water. I won’t be making that mistake next year!

Day 1 -Getting to know you; getting to hope you like me

I thought that I would wake up and drive down since I has doing the conference on the cheap and didn’t want to spend the extra cash for another night in the hotel. I had a plan of the time I would leave so there wasn’t a lot of wasted time. However, I think I was way too excited so woke up earlier than planned and hit the Illinois road about 0130. I arrived in Louisville on Friday morning about 0715 local time.

It was nice to be in a little early cause I was able to walk around and get a flair for the place. This is probably a good spot to mention ‘Cycle Override’ but big ‘wow’ to those guys who all met up in Ohio to bike ride into DerbyCon to raise money for the EFF. Not to cheese it up but I enjoyed the inspirational blogging at the site and I have to be honest I may want to do this next week. Check out their info here on the site:

I try to meet and have quality conversations with all the people that I can so I typically do not go to many of the talks. DerbyCon was different though. The speaker line up had so many speakers that if you go to DefCon or BlackHat it would be standing room only if you were able to get in the room at all. The environment was much different too… maybe it was a Midwest thing or a KY thing but the mood was smaller so you were able to stop and talk to many of the speakers that you would not typically get a chance too.

There was something different that I liked about DerbyCon too that I haven’t seen before at a Con. They had a great theater in the hotel that was showing movies throughout the Con. I used this place Friday a few times when the morning drive got to me and I wanted to rest. It was a cool chill out place. Aside from that the only other thing was that the training going on as well. The classes and teachers looked stellar but at a very affordable price!

Highlighted Talks:

  • Keynote with H.D. Moore – I can’t lie I missed HD talk cause I had to take a work call. However I got the lowdown from several people who were there and it sounds like it was fantastic. That is all I can really say since I don’t like to give 3rd party accounts of what has happened
  • Adaptive Penetration Testing w/Keven Mitnick & Dave Kennedy – I have to be honest I have hear Dave and Kevin speak in different forums but haven’t ever heard them give a talk before. It was exactly what I expected with a solid mixture of technical information and personal stories that made the whole thing so entertaining.
  • Hackers for Charity Update w/Johnny Long – So I think my last blog post, I talked about Johnny’s update on Info Sec w/o borders but this was the first time I heard Johnny’s full story which is something he states the first time he talks at a new con. I have to be honest it was very humbling for me since it makes me feel like what the hell am I doing to make a difference. It was also awesome that the organizers of DerbyCon paid for Johnny to fly in to be there at the conference….
  • Who’s slide is it anyway – I haven’t been to Not-a-Con so this was my first attendance of this. It was hilarious but since no pictures are allowed what happens in the theater stays in the theater. Attaboy to Rafal Los and Zack Fasel for keeping the crowd and participants in order


Day 2: The party continues

Saturday was the party day however day 2 of DerbyCon did not let up. Hitting the attendees with more great talks. After a day full of fun the con goers packed the grand ball room for the easy listening soft rock music of Zack Fasel (who always burns the wheels of steel), our favorite Dual Core who rocked it hard, and Scott Ullrich who did an awesome job of closing down the house.

For those who stepped out of the party for a bit at 1-2 in the morning the great location provided lots to do. I walked out with Adam on Fourth street to do some people watching which proved to be full of fun.

Anyway, let me tell you about some of the great talks:

  • Tactical Post Exploitation w/Carol Perez – It was a great talk with detailed information on post exploitation techniques. The thing I found most valuable was all the information he provided on OS X. I am a new MacBook owner myself and honestly haven’t spent much time on the OS so it was all valuable information. It was also standing room only so it definitely brought in the crowd. The room was cleared so I wasn’t able to listen to Paul Asadoorian talk.
  • Get off of My Cloud w/Jeff Jarmoc – Ok, so Jeff’s cloud talk was pretty awesome. Those who think that they are safe in the nebulous matter get their eyes opened up with Jeff’s talk. He showed skills with the company that used a book store as a beta. To his and Amazon’s credit though it seem that he was able to work well together on his research.
  • Your perimeter sucks w/Boris Sverdlik – Did not fail to entertain with a great talk but an even better interaction with the audience. This was a common sense approach to information security with the realization that this is all dependent on risk management.
  • Anti-Forensics for the Louise w/int0x80 – DualCore doesn’t just rap, what, what? His talk on my favorite topics ‘forensics’ was just fantastic. You think he does some damage with a mic give the man bash and step back. While familiar with several of the forensic and anti-forensic techniques I never thought about taking the additional step to automatic the things that I would want to hide.

Day 3: The last day at band camp…

Right off the bat, I am going to tell you I did not stay for the closing ceremonies. As quickly as I slipped into KY I had to slip out (now that is the last Kentucky joke). I couldn’t since I had to go home to the family so we could celebrate my birthday which didn’t turn out so great (but that’s another story).

What a great way to start a birthday though but at DerbyCon. It was incredible that when I arrived back at the Hyatt there were so many people up considering some of the hard partiers from Saturday night. I can’t cover any of the closing ceremonies stuff but I can tell you the stuff that I saw.

I have to give it to the organizers they did a something that a lot of cons don’t do and is packed the last day with even more goodies. There were a lot folks that I know stayed and didn’t ditch out like me. While I was able to see about 2.5 talks before I cut out there is only one that I thought was absolutely phenomenal:

  • Steal Everything, Kill Everyone, Cause Total Financial Ruin! W/Jayson Street delivered a modified talk that was delivered at DefCon (but I never saw the DefCon one). We walked through his antics and general mayhem that he causes. There was one major take away that I got from Jayson’s talk (and some of the other talks at the con) is that if your users are doing dumb stuff it’s yours fault. If you trained them and they still do dumb still then let’s make fun of them. This whole User awareness training thing got a few us thinking (but more on that for another post).

Conclusion:

There were two things that stood out for DerbyCon from the other cons that I have been too:

  • I usually see everyone in the hallway tracks but DerbyCon I was actually sitting with people in the talks.
  • I spoke to a lot of people who said the same thing as I will here but DerbyCon did not fill like a first year con.

I have to contribute this to the organizers (Dave Kennedy, Martin Bos, Adrian Crenshaw, @nick8ch) of DerbyCon. It was apparent that they put a lot of work into planning DerbyCon. I also want to call out a lot of the volunteers, sponsors and countless others behind the scenes that made DerbyCon happen.

I do have to highlight a negative about DerbyCon which is now it’s adds another ‘must attend’ con in my annual calendar! See you next year at DerbyCon but hopefully sooner!

Cross-posted from SecurityMoey

Possibly Related Articles:
6240
Security Training
Information Security
Training Penetration Testing Information Security Infosec Conferences Ethical Hacking DerbyCon
Post Rating I Like this!
5d3b9af5a870b9a89f8fa51fb390d488
Joe Schorr Agree with you 100% Moey. My comments to others have been 'you know those talks you wait in line for, but fill up and you can't get in? At DerbyCon, you don't just hear them, but get to hang out with those speakers'. It was small enough that real information exchange took place. At the bigger cons, it feels like you just spend the whole time trying to find people. Awesome work by the team of organizers.
1317741619
A8054e07abdfdcadb09322585cb2e085
Michael SecurityMoey Joe great point! I meant to write that as well
1317742255
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.