
DerbyCon 2019: Finish Line – ‘Don’t Cry Because It’s Over, Smile Because It Happened’

on September 15, 2019 - 3:32pm
Opening ceremony at DerbyCon, the InfoSec conference Sept. 6-8 in Louisville, Ky. Photo by Becky Rutherford
DerbyCon panel on ‘DerbyCon Story Time’. Photo by Becky Rutherford
Los Alamos

I’ve been in cybersecurity for a little over a year, and I decided it was about time I went to an InfoSec conference.

DEF CON/Black Hat in Vegas sounded intimidatingly huge; I wanted something less terrifying. A friend suggested DerbyCon. I was still a bit intimidated by the idea of attending an InfoSec conference, but then I heard about it from several other colleagues and friends, and also learned that this would be the last year of the conference.

I mentally flipped a coin and decided to go for it; the last DerbyCon would be my first real InfoSec conference.

What is DerbyCon, and why would I care that this was the last year? DerbyCon is an InfoSec conference in Louisville, Ky. This year was its ninth and last; the con has been running since 2011. It was founded by Dave Kennedy, Martin Bos, Adrian Crenshaw and Alex Kah in a Louisville pizza shop after a Metasploit (a tool used by penetration testers) course that Crenshaw had organized. A year later, they held the first conference, which attracted 1,000 people. Their goal was to make a truly inclusive InfoSec conference where all attendees would be on the same level and would be free to learn and share knowledge.

This year’s conference was held Sept. 6-8; I arrived in Louisville the evening of Sept. 5. The conference opened that night with comedy acts by Jason Blanchard and Michael Carbonaro. Both were hilarious, but I can honestly say I will never be the same after watching Carbonaro’s “Shaving Dream” closing act. Feel free to Google it if you also want to be traumatized forever.

On Sept. 6 the conference kicked off with a keynote by the venerable Ed Skoudis, featuring InfoSec career tips inspired by the likes of Santa and Forrest Gump. Ultimately, Skoudis feels we should all try to make the world a better place, which is what DerbyCon has been about for years. My favorite slide was a quote from Dr. Seuss, “Don’t cry because it’s over, smile because it happened”. This was the first of many times that I would tear up throughout the weekend; conference rooms should have come equipped with Kleenex.

A panel discussed the history of DerbyCon, including “favorite DerbyCon moment ever”. One of the most hilarious moments was the #TrevorForget movement, which started at DerbyCon 2017 when an attendee who goes by the handle Grifter (a “handle” is the nickname a hacker goes by in the community) found a cockroach in his shake from the Smashburger across the street from the conference venue.

He posted it on Twitter and named the roach “Trevor”. This spiraled into a whole movement including a trending #TrevorForget hashtag on Twitter, and a makeshift shrine to Trevor outside the offending Smashburger.

In addition to these shenanigans, they started a GoFundMe for “Trevor’s relatives” in Puerto Rico who were victims of the hurricane. All money raised from this went to the non-profit “Friends of Puerto Rico”; in total, they raised $4,150 for charity.

This year’s event featured booths and raffles/auctions for the charitable organizations Rural Tech Fund and Hackers for Charity. Hackers for Charity’s mission is “to highlight the good work of the hacker community, participate in altruistic projects and flatten the learning curve for those wishing to get involved and in the process change the misconceptions about our great community.”

Rural Tech Fund is all about “helping rural students recognize opportunities in technology careers and gain the education necessary to work in the computer industry.” Rural Tech Fund raised $11,000 from donations at DerbyCon. More than $1,000 of prize money from the CTF (Capture the Flag) contest was donated to charities. These hackers are all about helping, not hurting, the communities they live in.

DerbyCon featured amazing talks from speakers across the industry, including Jake Williams, Ronnie Tokazowski, John Strand, Lesley Carhart, Jayson Street, and so many other talented people. Recordings of these talks are available online.

Topics ranged from deeply technical material to career-building talks, and even a talk on cooking a gourmet meal in your hotel room for those who travel a ton. My favorite talk was “The ‘Art’ of the BEC (Business Email Compromise) - What Three Years of Fighting has Taught Us” by Ronnie Tokazowski of Agari. This talk focused on phishing, in particular BEC and romance scams, and the collateral damage these scams inflict on everyday people.

In addition to the talks, DerbyCon featured “villages”: Lockpicking, Social Engineering (SE), Mental Health and Wellness, Car Hacking, and Hardware Hacking. Each village offered unique hands-on experiences. The Mental Health Village was sponsored by the non-profit Mental Health Hackers group and offered relaxation activities like knitting and massage, the opportunity to try stress-relieving devices/activities free of charge, and various talks on mental health. Depression and other mental health issues affect people across InfoSec, and it was fantastic to see this group doing so much to help the community. I especially enjoyed the amazing, free chair massage! Their mission is “to educate tech professionals about the unique mental health risks faced by those in our field – and often by the people who we share our lives with – and provide guidance on reducing their effects and better manage the triggering causes.” The group provides these villages free of charge to attendees at InfoSec conferences across the world.

The event also featured several CTF (Capture the Flag) events. A CTF is a kind of InfoSec competition that challenges entrants to solve a variety of technical tasks/puzzles. CTFs at DerbyCon this year included the System and Network CTF (the main CTF), an Open Source Intelligence (OSINT) CTF run as part of the SE Village, and the SOHOpelessly Broken IoT CTF, which targets Internet of Things (IoT) devices. Some attendees were in the CTF all day, staying late every night to work the puzzles.

What was my favorite part of DerbyCon? The people. I got to hang out with friends I don’t see that often, and I met a ton of new, amazing InfoSec folks. One person I was chatting with said that he only comes out to socialize three times a year: DerbyCon, and presumably DEF CON and Black Hat. Many hackers/InfoSec workers are introverted people, and having a community like DerbyCon to be part of is priceless. Towards the end of the trip, I was chatting with another attendee who was leaving for the airport; I said something like “Oh, I’m not super technical, and I’m pretty new, you know, not really one of you yet.” He smiled and said, basically, that it didn’t matter, that I’m still one of them, and I was welcome there. That meant the world to me, and I truly felt at home and welcome the entire conference.

Another cool thing – I got an advance copy of Black Hills Information Security’s new incident response card game, Backdoors and Breaches. There are opportunities to get advance copies at upcoming InfoSec conferences and for educators, but the public release will be in December. We played several rounds of the game in the Louisville Marriott’s lobby. As we played, we gathered more people and expanded our game. We had an absolute blast, and I highly recommend this game if you are in incident response, or even just curious about it. It is fun, and you will learn a ton.

The game is very D&D-like: you have an “Incident Master” instead of a “Dungeon Master”, who runs the incident, and you roll a d20 to play your cards. Players act as incident responders and try to find the root cause of the incident and respond appropriately.

At the closing ceremonies, I will admit I cried again, though it was very much one of those “I’m not crying you are” kind of things; I really could have used some Kleenex. How can I miss this conference so much? This thing that I never knew existed until just now? I have no idea, but I will miss DerbyCon, and I know I’m not alone.

That said, I was excited to hear that DerbyCon will still exist, albeit in a modified form. The idea of DerbyCon Communities, or DerbyCom, was unveiled at the closing ceremonies. I’m not 100 percent sure what this means for the InfoSec community, but if it’s anything like DerbyCon, it will be amazing.

If you are in InfoSec, don’t be afraid to go to a “hacker” conference; you will love it, and you will learn a ton. There are lots of amazing ones out there, including local BSides events, GrrCON, NolaCon, Wild West Hackin’ Fest, and so many more. Just do it, you will not regret it. Not in InfoSec but curious? Go to one of these events and see what you think. Information security is one of the most exciting, rewarding fields you can get into, and there are online and locally available programs and certifications and even work-study programs. Give it a shot and see where it takes you; I did, and I have zero regrets.

Also, if any of you ever see Dave Kennedy, founder of DerbyCon, he wanted me to let you all know that he loves clowns. Feel free to dress up as a clown and chase him down until he talks InfoSec with you, he loves clowns so very much.

Dave Kennedy, one of the founders of DerbyCon. Photo by Becky Rutherford
DerbyCon attendee in his self-made, custom derby hat. Photo by Becky Rutherford
Inflatable unicorn filled with orbeez at the Mental Health Village. Photo by Becky Rutherford
Innocent Lives Foundation booth. Photo by Becky Rutherford
R2D2 exploring DerbyCon. Photo by Becky Rutherford
Car Hacking Village. Photo by Becky Rutherford
Vintage arcade game. Photo by Becky Rutherford
Scene from one of the DerbyCon CTFs. Photo by Becky Rutherford
DerbyCon attendees playing the ‘Backdoors and Breaches’ game from Black Hills Information Security. Photo by Becky Rutherford
DerbyCon attendees at LobbyCon. Photo by Becky Rutherford
Lockpicking Village. Photo by Becky Rutherford
Closing ceremony at DerbyCon. Photo by Becky Rutherford
Awesome t-shirt from Ronnie Tokazowski of Agari. Photo by Becky Rutherford
Slide from Ed Skoudis's talk. Photo by Becky Rutherford