That’s the best way I can start this post. Wow.
I’m in the passenger seat of our rented VW Jetta, tethered to my Galaxy Nexus, typing this up on my tablet because I wanted to get some of these thoughts down before I started to lose them. Sorry for typos, touch keyboards aren’t my speciality.
What a great conference! I already can’t wait for next year. DerbyCon has got to be the humblest hacker conference around. I got to listen to the greats talk about their cool new projects, and then go out to eat, or drink, with them in the evening.
We arrived Thursday night and met up with some guys that we met last year, who then introduced us to some others. We had some drinks, had some dinner, talked security and tech in general. Turned in at 2 am.
Friday, Saturday, and Sunday were all full of talks. A few highlights were:
HD Moore scans all the things
During the opening ceremonies HD told us all about his new effort to scan the entire internet. Or at least all usable ranges. He showed us some really neat statistics on what’s out there, what’s _still_ out there, and what looks like it could be vulnerable. Really interesting stuff.
Kevin Mitnick loves talking about himself
I didn’t go to this talk, but there was an hour block in one of the tracks where Kevin Mitnick recounted his life as it led up to his arrest. He also plugged his new book. Kevin’s story is no doubt cool, and interesting, but he ate 30 minutes into lunch by pushing past his 1 hour slot. No other speaker had this much blatant disregard for the time slots. I guess Kevin’s good at disregarding the rules. Then again, I think all of us that embrace the hacker mindset are.
Chris Nickerson is a l33t drunk stalker
This was a pretty creepy talk. Chris Nickerson talked about surveillance. As it applies to penetration testing, of course. All I can say is, I hope I’m never his target. The stuff he showed us makes you want to look over your shoulder at every turn. He started with tracking online using sites which link social network data with other online identity, to form a really scarily accurate picture of someone’s life. Then he moved into the old school photography and bugging methods we see in all the spy shows. Cool stuff. And he did it all pretty much plastered. But he wasn’t the only one.
Georgia Weidman hacks all the smartphones with her new Smartphone Pentest Framework.
Last year I sat in Georgia’s talk about cell phone hacking. It was interesting, but seemed more like cool ideas with a little testing and proof of concept work behind it. A cool talk no doubt, but it felt pretty… New? It’s hard to describe. Well this year she really stepped it up. She’s recently released her Smartphone Pentest Framework, which is sort of like Metasploit for smart phones. It’s currently a handful of automated tools to use for social engineering, or outright attacking smart phones so that the attacker can gain root on the device. She’s currently focused on iPhone and Android as they’re really the biggest platforms at the moment. She says she’d like to expand her tool to the point where it covers all major platforms, and all known exploits. Pretty cool stuff. Don’t let BruCON get you down Georgia, you have a damn nice tool there, and nice shoes… (you’ll have to watch her presentation to get that…)
Mudge has some cool red team tricks
Mudge is still at it with Armitage. Now he’s got bots to do his bidding. Cool stuff. He showed off a few hacks, and talked a bit more about CCDC, and how the blue teams are really progressing to the point where the red team needs to step up its game to keep up. Pretty cool.
The only thing that seemed lacking was defense, and Linux… seems like the world is focused on attacking Windows. Apparently because it’s more common, and because it’s an easier target than Linux. I’m hoping to help remedy that next year.
A few non-talk highlights
Hackers can drink!
So, Kentucky (where the con was held) apparently holds this yearly event called Derby Day. It’s related to the Kentucky Derby, and it’s a big party. It’s one of the best-selling days for bars and whatnot across the state. The hotel we stayed at relayed to DerbyCon’s organizers that the 1600 or so hackers staying in their hotel out-drank Derby Day. And that was _BEFORE_ the Saturday night party where we kicked a few kegs of free beer, and spent $400 at the cash bars in the party. Wow… They also went on to say how impressed they were that a group this size, apparently drinking this much alcohol, were so well behaved. Think about that… A bunch of hackers descend on your hotel, apparently remain drunk for the entire weekend, and then get compliments on how well behaved they are? One notable comment was that in the wee hours of the morning, hotel security stumbled upon a group of drunk attendees…. Playing Chess!
Hackers are generous!
Hackers For Charity had their usual auction booth in the vendor area. Last year we raised more than Defcon, which was pretty cool. Defcon is something like 6 times the size of DerbyCon. I don’t have the numbers from last year, but we’ll just say it was a pretty cool accomplishment. So this year Defcon stepped up their game, and between Defcon, Black Hat, and the BSides conferences, raised $21,000 for HFC. Pretty cool, I mean, this isn’t a competition, it’s charity! So no one expected Derby to beat them again this year.. BUT WE DID. By the end of the con, after the closing ceremonies, we’d totalled $31,000 for HFC! That’s like… $2K per attendee! Holy Crap! A number of items which were won at auction were then _given back_ to be auctioned again! Nice!
Leaving your bag containing a bottle of wine, a large box of condoms, and a wireless card unattended at the DerbyCon party is hilarious when it shows up on Twitter!
During the DerbyCon party the following came across Twitter. Need I say more?
Zach Fazel, Dual Core, and DJ Cyfi know how to rock the house, and my ear drums.
Classic-game-based dance/techno music, techie rap, and girls grinding (literally: angle grinders, sparks!) on codpieces. Amazing party for a security con!
GO TO DERBYCON! I can’t speak from experience about other cons, as I’ve only been to Derby, but from what I’m hearing, this (and other cons of its size) is the only con I want to go to. Great people, great content. GREAT con.