Josh McGruff

@PotatoMcGruff

My First DerbyCon: Lessons learned from a n00b

DerbyCon, the Information Security conference that started in a Pizza Shop, just wrapped up its eighth year with DerbyCon 8.0 “Evolution”. It is hosted in the wonderful Louisville, KY roughly around the end of September / beginning of October every year. What I’d like to present to you today is my experience, some generalized tips, and lessons learned. Keep in mind, this was my first DerbyCon and also my first large InfoSec conference (with the only one prior being BSides Cincinnati.)

Don’t stress if you don’t get a ticket immediately.

I had heard from DerbyCon veterans that tickets go fast. I knew I wanted to go badly, so I set an alarm on my phone letting me know when the date and time was coming for purchase. I prepared my finest F5 key and stretched my finger.

oh boy oh boy oh boy asdkjfhasdljh

And you know what? I got lucky and was able to snag the one ticket I needed. I watched Twitter and almost felt guilty as I saw others posting that they tried and were unsuccessful. But, if you kept your ear to the floor, folks began to realize they couldn’t go or bought too many tickets in the frenzy. Good news is, DerbyCon does not take kindly to ticket scalping and I didn’t see anyone online flipping them for a profit.

I hate limited stuff poachers.

So, as time went on, people began to sell their tickets (at face value). Some gave them away in drawings or in a charitable fashion. The bottom line, you were not totally screwed if you didn’t get one through the official channels. The DerbyCon Twitter page and community would often retweet these opportunities as well.

Review the Schedule and plan your day.

There is a lot going on at DerbyCon. I found that looking at the schedule (available on the DerbyCon website) and marking talks I was interested in helped me cover all bases. Take the time to review the description of the talk as well. Sometimes I found the description wasn’t quite what I was expecting from the title.

Uh…

The cool thing too, if talks aren’t your thing, there are numerous workshops or “villages”. This year I saw Social Engineering, Hardware Hacking, Lockpicking, Car Hacking, and IoT. (I feel like I’m missing something, sorry!)

These villages held events throughout the day where attendees could learn, and compete for prizes. Personally, I spent my time in the Social Engineering Village the majority of the time. I did attempt to get into the Lockpicking Village a few times but it was always packed to the brim with folks.

Social Engineering Village

In the Social Engineering Village (hosted by HumanHacker), they had some really cool events. For starters, they had the Social Engineering Capture the Flag (SECTF), where competitors called companies in real time and attempted to gather specific information. Watching these folks perform their craft was an absolute treat, and there weren’t any open seats in the house.

Competitor making vishing calls.

Later on, they offered the option to sign up and compete to see if you could beat a polygraph machine, and they didn’t pull any punches with their questions.

I heard them ask questions such as “Do you urinate frequently in the shower?” “Have you ever stolen from a co-worker?” “Have you ever hacked an ex?” It takes a lot of guts to get in front of your peers and get blindsided by some of these questions. I tip my hat to those who did.

“Are you keeping an embarrassing secret from someone close to you?”

Other things I did throughout the day included going to the Social Engineering talks (my favorites by far), another on configuring deceptive systems (honeypots), IronPython, and digital forensics. The good news is, if you have a conflicting schedule, the talks are recorded and you can catch up that way. Talks were also being streamed to the hotel itself, and you could watch them from your room if so desired.

Interact with people.

There were a ton of booths. Every single one I approached had handouts and cool swag to take including T-shirts, books, a beard comb, stress balls, pens, and more. While marketing teams wanted you to take the time to actually look at their booth/product before stealing their swag and running, I didn’t find a single one to be pushy or overzealous in trying to get me to sign up for anything and I learned about some really interesting products on the market.

If you have a specific company you want to get swag from, you should prioritize getting there as stuff can go fast! (Especially T-Shirts). I was looking forward to getting a TrustedSec shirt and unfortunately missed out this year. I did get a Binary Defense one, but not in my size.

“LobbyCon” or hanging out in the hotel lobby, was a pretty nice experience as well. I sat at a larger table by myself and slowly people migrated and sat with me. I enjoyed the conversations I had with everyone and explained that it was my first DerbyCon. Each one provided me with their personal tips and lessons learned. I had questions about a few of the events and they were all helpful in either filling in the knowledge gaps or pointing me to someone who could. Interacting with the fellow attendees was one of my favorite parts! There are so many intelligent and friendly people that I didn’t feel out of place a single time.

Stop lurking and talk to someone.

The after parties are legit.

After a long day of DerbyCon, they wrap it up with an after party Friday and Saturday night. This year, Vanilla Ice headlined Friday and The Offspring headlined Saturday. This was a blast.

Yaaaas dancing Unicorn

Each night started with a DJ who came on and played music and warmed the crowd up before the main event hit the stage. This involved heavy bass, free beer, and glow-sticks galore.

Go Ninja Go!

With a concert inside a hotel conference room, things got loud. This is coming from a guy who served on a Naval Warship and had to listen to insanely loud HF static on the radios all watch. I’d really consider bringing some earplugs next year as my ears were ringing by the time we walked out.

Biggest complaint was the lack of consideration from other people in the venue itself. Dave Kennedy got on stage at the beginning of the night and reminded folks about personal space, but it fell on deaf ears. On the second night with The Offspring, a woman had a giant leather almost saddlebag-on-the-side-of-a-Harley looking thing on her back. She was dancing and swinging that thing around like a wrecking ball, smashing into me and others in my party. There is 0% chance she didn’t realize she was doing it either; she just didn’t care. I gave a couple courtesy taps back and it seemed to only encourage her. I finally just shifted in the crowd and it became someone else’s problem. I would be thrilled if next year I heard bags were not permitted in the concert venue, as people hitting you with them became annoying fast and they take up extra standing space anyway. Also, if folks in our party left any kind of a personal space bubble, someone or a group would wedge themselves into that space without consideration. I’m a little dude at 5'7" and an absolute tower of a man squeezed in front of us. I basically couldn’t see anything by the end of the night.

With all of that being said, I had a great time, those are minor quirks, and if it’s the biggest thing I have to complain about, I consider myself lucky.

From DerbyCon Twitter: “This moment is awesome.”

Conclusion.

Overall, I had an amazing time. I met a lot of cool people, including the legendary Dave Kennedy, who took the time to talk with me despite his insanely busy schedule, and I learned a lot about Social Engineering (which is what I wanted to focus my energy on). The after parties were great, with the exception of the couple of annoyances I mentioned. I am already looking forward to attending next year and can’t wait to see the DerbyCon family again.

#TrevorForget
