Sunday, October 7, 2012

DerbyCon 2.0 review and other ramblings

Yes, this is another DerbyCon review.  I'll try not to write the same stuff as the other 1500 blog reviews already out there.  I will say that it was awesome, and I think those of us who attended will agree on that.    First and foremost, if you are interested in pursuing a career in Information Security, you must attend a conference such as this.  The setup makes it very accessible for attendees to engage in great discussions around hacking, InfoSec and just about anything else.  Don't worry, you don't need to be a traditional hacker to get something out of this Con.  I met a programmer who currently does nothing with InfoSec.  He wants to learn more about the threats as well as why secure coding is important.  Even though you don't need to hack to enjoy yourself, you may find yourself attempting to pop a lock in the LockPick Village, or maybe picking up a soldering gun in the hardware village.  After you leave this Con, you may even look at picking up a Raspberry Pi to play around with.  This is a true community event where one is surrounded by people willing to share their knowledge.

The speakers made themselves pretty accessible, you did not need to wait in long lines to get a seat for a talk, and you didn't need to leave a talk early to get to another one.  Speaking of talks... they had such a large volume of CFP entries that they ran 4 main tracks, separated into Break Me, Fix Me, Teach Me, and The 3-way (a mix of the other 3), and opened a 5th track called "Stable Talks."  There were so many great topics that it was very difficult to decide which ones to attend.  Luckily they captured the 4 main tracks on video and most of them are posted to YouTube.  You can get to the full list at IronGeek's (Adrian Crenshaw) page: DerbyCon Videos.  Although the Stable Talks were shorter, that didn't affect the quality.  I think some of these talks will move into the main tracks next year.

So I arrived Thursday afternoon.  Unfortunately, I was not there early enough for the training, which was going on Thursday and Friday morning.  They had a number of quality training opportunities which covered everything from Social Engineering to Reverse Engineering.  Thursday evening I was able to grab some dinner with a fellow EH netter (ethicalhacker.net member).  We discussed some of the finer points of working in a large organization and trying to push proper security procedures.  We were later joined by two more members and continued the discussion over Ethiopian food (which was mighty tasty).  Later that evening I was able to experience my first SlideShare Roulette at "Whose Slide Is It?".  For those that don't know, this is basically a test of one's presentation skills.  The moderator picks a random slide deck from the slideshare.net site based on topic suggestions from the audience.  The presenter then must use his/her skills and work with the given slides.  It got interesting when the hotel staff arrived with 100 shots of bourbon courtesy of HD Moore (CSO/Chief Architect @ Rapid7).

Friday morning was pretty much just hanging out and waiting for the opening ceremonies.  There were some great discussions going on in the hallways and main lobby of the Hyatt.  Some of the best talks can be found in these "hallway cons," so I highly recommend getting involved in these sorts of discussions.  You will learn something, and you may even have a different point of view to add that could benefit the group.  Eventually 1:00 pm rolled around and the talks began!  They kicked it off with keynotes: HD Moore's The Wild West, Dan Kaminsky's Black Ops, and Mudge's talk about the Cyber Fast Track program from DARPA.  After dinner the 5 tracks began and continued through the weekend.  I will not do a review of the talks I attended since I was pretty much in absorption mode, and I am still catching up on the ones I missed as well as re-watching those I attended.

As I touched upon earlier, there were a number of events going on during and after the talks.  The big one was the CTF (Capture The Flag) competition.  Your mission is to use your hacking skills to find all the flags on the CTF network.  I attempted it but never stayed on long enough to even find the "beginner" flags.  This was in part due to the WiFi network for the event being unavailable and to my bouncing in and out of talks.  These competitions are best handled by teams since the expertise needed to find the flags will vary.  You may have to write an exploit or use some forensic skills to find the various flags.  Hackers For Charity (HFC) held both a silent and a regular auction throughout the weekend.  They raised over $33,000 thanks to the very generous community.  If you wanted to just wind down, you could head over to the theater for the Hacker Movie Marathon.  Maybe you want to know if you should get your CISSP but aren't sure if you have the right knowledge; then you could have headed over to "Are You Smarter Than a CISSP?" held on Friday night.  You were given questions from each of the 10 CISSP domains, and you could choose to answer them yourself or discuss them with the panel of actual CISSPs.  They were also available to save you if you got a question wrong.

Sadly, Sunday morning came and it was time for me to leave the land of bourbon and horses.  Unfortunately there were still a slew of talks and the closing ceremonies to attend, but I will catch them on video.  Next year I plan on taking the training and staying until the closing ceremonies!  One more thing specific to the conference: a big THANKS! to the organizers and volunteers.  They made this such a great experience that I am still missing it a week later.