[ETA: Added in James Lee's excellent State of the Metasploit Framework talk, which I stupidly omitted by accident!]
Once you hang around in infosec for a little while, you learn that each of the major cons have their own reputation, their own mini-scene. This one's got the great parties, that one has the best speakers, that other one is where the fresh research is presented, et cetera. One I kept hearing lots of good things about -- full of great content and really great people -- was Derbycon, a newer con entering its 5th year this year in Louisville, Kentucky.
With these words of praise in mind I went to Louisville last weekend and learned very quickly that Derbycon really does live up to its great reputation. It's a space where not only are n00bs (like me) welcome, but even seasoned pros bask in the positivity and family feel of the space. I don't think I've ever seen quite so many whole families with kids at an infosec con as I did at Derby. Maybe it's the genteel kindness of Louisville that rubs off on the attendees, but at Derby everyone was so friendly and the whole con felt very welcoming. Linecon, barcon, outside-the-front-entrance-smoking-con -- anywhere you went you had a great conversation with someone. (And it really can't be a coincidence that the 2 Black badges up for auction at the closing ceremonies each went for $7000, with all money going to Hackers for Charity. That's really amazing.)
... True enough, the beer and bourbon were flowing a-plenty -- and boy was that bourbon good -- and the community and surrounding company were the best part of the con. No surprise, the talks were top-notch too. I'm embedding a few videos of my favorite sessions below, but admittedly I am not as up on my technical knowledge as most of you. You can peruse the ENTIRE list of Derbycon 5 talks in this playlist: https://www.youtube.com/playlist?list=PLNhlcxQZJSm8cr3iBN27VZ4Rm11Erbae-
But for those of you looking for a little taste of it, take a look:
The State of the Metasploit Framework -- by Egypt
What changed this year? What community contributions did we see? What are the cool and new shiny things are in Metasploit Framework that you might have missed? Everyone who uses Metasploit should tune in.
The Opening Keynote - Information Security Today and in the Future -- featuring Ed Skoudis, John Strand, Chris Nickerson, Kevin Johnson & HD Moore
This was a really fascinating keynote -- there was a lot of emphasis on pen testing in this, but it touches on a lot of topics from the importance of relationships with your IT and devops team to educating the workforce. There's a ton in here, give it a listen.
Started from the bottom and now I'm here: How to ruin your life by getting everything you ever wanted - by Chris Nickerson
I missed this one in person and regret it IMMENSELY. Thankfully, Egypt shared it on twitter with a hearty endorsement, and I hugely agree. This isn't a tech talk, but if you work in infosec or with people who work in infosec... you need to see this talk. What happens to "infosec rockstars"? What is the real cost? What is the state of our community today?
Gray Hat PowerShell - by Ben Ten/@Ben0xA
Now this one IS a more technical talk, so if you already grok Powershell this one's for you (not for Powershell newbies). I couldn't get in to this as the line was out the door and around the hotel so... check it out.
The Metasploit Town Hall -- with todb, Egypt, thelightcosine & busterbcook
Back again to Derbycon, our High Priests of Metasploit give the community an update on what's new in Metasploit and take questions from those in attendance on what they'd like to see or improve.
Developers: Care and Feeding -- by Bill Sempf
If you work with developers, and feel like you and they are speaking two very different languages and have massively different priorities, you need to hear this talk.
Other random things I learned at Derby:
- Some of you guys can drink a lot -- a LOT -- of bourbon and beer. Wow.
- It is entirely likely that you will walk in to the Hyatt bar on any Derbycon evening and see several Cards Against Humanity games going on concurrently
- I have now righted a GREAT wrong in my life and finally saw the "classic" 90s movie Hackers thanks to the 20th anniversary screening at Derby. (Yes, yes, I know, it's unfathomable that I hadn't seen it before. But now I can shout HACK THE PLANET!!!! with the best of them.)
- Judging by the references and fsociety shirts I saw, Mr Robot seems to be pretty popular in our scene -- and I'm glad, because I already can't wait for season 2.
- I know it's not the 90s anymore, but The Crystal Method can still really rock the house, and some of you look quite lovely in blinky cyberpunk headgear.
- If you are at all a light sleeper, make sure you book a hotel room above the 10th floor. I was on the 4th floor, and the parties were on the 2nd floor and, well, not much sleep was had.
- The Meme-Fu from some of the speakers at Derby was just so damn high:
'Til next year, Derbycon. Let's keep that welcoming feeling going even outside of Louisville.