Team EverSec photo

DerbyCon Was the Golden Age of InfoSec Conferences

With DerbyCon canceled, I wanted to combine all of my yearly posts into one memoir.

DerbyCon was THE information security conference to go to, at least in my opinion. It was a medium to a large-sized conference but still had that family feeling. That, combined with the fact that Louisville was an awesome place to be, made me come back year after year.

Table of Contents

  1. DerbyCon InfoSec Conference – I’ll Miss You
  2. DerbyCon 6 – Recharge (Sept. 2016)
  3. Legacy of DerbyCon 7 (September 2017)
  4. DerbyCon 8 – Evolution
  5. Is this the Finish Line? (September 2019)
  6. Biggest Cyber Security Conferences? DerbyCon Conclusion

DerbyCon InfoSec Conference – I’ll Miss You

While I love DEF CON and BSides RDU, DerbyCon hit that sweet spot right in the middle.

The title might be a little on the dramatic side for the clicks, but hopefully, it gets the point across for what makes an amazing conference.

THAT SAID, HackingDave still owes me a Black Badge for our DerbyCon 9 victory, so bother him for me if you will.

DerbyCon 6 – Recharge (Sept. 2016)

I traveled to DerbyCon 6 – Recharge this past weekend (23-25 September 2016), and it was an awesome event.

Louisville in General

Louisville is no Vegas, but that was often a good thing this weekend. The crowds were MUCH smaller (con and non), the prices were lower, and sleep was (a little) easier to obtain.

First of all, there was far less bourbon and horses than I had expected. While I had good bourbon, I expected it to flow into the streets and out of water fountains! Contrary to expectations though, it was about the same as any other major city, albeit with a few more distilleries.

There was also no gambling in the hotel this time, which had its pros and cons this time around. Having the option never hurts, but I couldn’t lose money this trip, which was nice.

All in all, an enjoyable city, with decent food, that I’d like to go back and visit.

The Con/People

Going to DerbyCon for the first time was a great experience, and it’s something that I hope to repeat.

DerbyCon is in a smaller venue, which made getting around easier and less stressful. It also meant that there was less of a chance to miss something fun/important.

There was also a much more familiar atmosphere. Everyone wanted to get to know everyone else, and there were fewer cliques than some of the bigger cons. Even the people running the con encouraged newcomers to join in on any conversations that they wanted.

Meeting more people who I’ve only read about or spoken to on the internet was fun, and maybe one day I’ll be that person to others at cons.

Even if you don’t go to any talks, the people and the environment alone are reason enough to head to DerbyCon at least once.

Talks…ok, Talk. FINE, THE KEYNOTE AND PART OF A TALK STREAMED TO YOUTUBE

So, I definitely did Grifter proud this con; “no talks, not even one”.

The closest I got was discussing a few that my teammates went to, and streaming one to my laptop while a few of the CTF machines were down.

I attended the keynote though, which was a talk I was highly anticipating. The official title was, “Vulnerability disclosure, cloudy clouds, and million-dollar shopping trips” by Jeffrey Snover and Lee Holmes from Microsoft. It was everything I hoped it would be and more.

During the keynote, Jeff and Lee touched on problems with today’s security landscape, how we can make the world more secure, and behaviors that need to change.

There is no way that I can come close to summarizing their awesome keynote, so I can only recommend that you watch the video for yourself:

Youtube – 101 Key Note Jeffrey Snover Lee Holmes

During the CTF (more below), I also streamed “Adam Compton, Austin Lane - Scripting Myself Out of a Job - Automating the Penetration Test with APT2”.

APT2 was a talk that I missed during DefCon, so I was glad to at least stream part of it during the competition. This is a tool that I’ve long thought of/started myself, but far more fleshed out already. Their general idea is automating the rote process of, “run an NMAP scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities”.

For more on this tool, see the talk and GitHub repo.

CTF

The DerbyCon CTF is where I spent most of my time, and we ended up with plenty to show for it.

We placed 2nd by a mere 500 points when it was all said and done.

DerbyCon 6 - CTF Scoreboard

I had never done a CTF like this before, and it was addictive. The design was closer to something like the OffSec labs where you are given an open network and an unknown number of challenges to solve.

The organizers gave us the subnet hosting the target machines, and what was/wasn’t allowed to start. Early on, we realized that it was politically themed, but it was still fairly unclear what was/wasn’t a flag. This was in contrast to most CTFs that I had done in the past, where the flag was usually CTFNAME{flag_here} or something similar.

Some of the more difficult challenges involved blind SQL injection with DNS exfiltration, a fully patched machine only running RDP, and .wav file steganography.

There were also several unique challenges that we had to face. There were multiple Windows 98 machines, an obscure programming language to exploit, and even a text-based adventure game to beat!

I may publish a write-up or two depending on my documentation, so be on the lookout.

It was a lot of late nights, but we had some great teamwork and collaboration on a lot of the challenges. At the very end, we were down by 300 points, submitted a 500 point flag, and saw that we were now down by 500 points. While heartbreaking, once we got over silver medalist syndrome, we realized that it was an awesome finish considering.

The people in the CTF room were great fun, and I got plenty of free bourbon and snacks from other teams.

When it was time for closing ceremonies, they announced the teams to come to select a prize. As the black badge went to first place, we ended up selecting the Proxmark3 RDV2 Kit. This might come in handy when trying to clone badges or other RFID cards.

(all pictures shamelessly stolen from the closing ceremony Youtube video below)

(Eversec deciding on a prize)
DerbyCon 6 - Eversec Selecting a Prize

(me flashing the crowd – pictured @doylersec, @LuxCupitor, @ch1kpee, @Matt, and @Recviking’s right arm, beard, and gut)
DerbyCon 6 - Victory Pose

(telling them what we selected as @ch1kpee harasses @HackingDave)
DerbyCon 6 - Prize Confirmation

There were also some statistics about the CTF, participants, and flags. For these, as well as the rest of the winners and prizes, see the Youtube – Derbycon Closing Ceremonies (CTF timestamp) video.

DerbyCon 6 Conclusion

Also during the Closing Ceremonies was the 2nd Hackers for Charity auction. This was like nothing I had ever seen before. People who had donated their entire weekends at DerbyCon to charitable purposes raising thousands of dollars. At one point, a Louisville slugger made by Eddie sold for $2048 and was immediately re-donated. It then sold for $1024, being donated back one more time. The 3rd, and final price, was $769, making the total price (and donation) $3841.

The best way to sum up my feelings after DerbyCon was this Tweet of mine below:

DerbyCon 6 - Tweet

All in all, I am more excited about my career and side projects. I want to go to DefCon every year that I can from now on.

Legacy of DerbyCon 7 (September 2017)

Another year, and DerbyCon 7 – Legacy is in the books.

Louisville

I was actually in Louisville two weeks before DerbyCon 7 for a bachelor party, so that was awesome.

This year I didn’t wander around too much, just spent a little time on 3rd and 4th Street.

Went a bit lighter on the bourbon this year after the bachelor party, but still partied hard Thursday. I ended up waking up to multiple texts/messages from my CTF and work team members asking if I was alive. I’ll consider that a successful night in Louisville!

DerbyCon 2017 – The Con/People

It was another great year and I got to meet even more interesting people.

Spent a little time talking to Lee and crew again, and it was nice to catch up after Vegas.

Other than that, spent a lot of time drinking and hanging out with people whose names and handles I have since forgotten.

I also was able to meet up with hexwaxwing and get one of her super awesome stickers!

While I did eat at Smash Burger (the day after), I think the #TrevorForget got a bit ridiculous.

Talks

Well…this is an easy section this year. I think I read the title of most of the talks in the program, and that’s it.

CTF

Ah yes, the DerbyCon 7 CTF. Just like last year, I spent most/all of my time huddled around a table with the rest of EverSec.

In the end, we placed in 3rd, so not quite as good as last year. We ended up 425 points behind 2nd (SWaG) and a whopping 13,625 points behind first (SpicyWeasel).

DerbyCon 7 - CTF Scoreboard

The 2nd place team was the Secureworks Adversary Group (SwAG), aka my current employer.

DerbyCon 7 - SwAG

While it was all in good fun, I did catch plenty of flak for being a traitor. They ended up beating us in the end (even with our last-second flags), so I get to keep my job as well!

The style of the CTF was similar to last year, with an open network and an unknown number of challenges to solve.

The theme this year was the DPRK/North Korea, and it was pretty fun.

To make it even more difficult than last year, there was even an 0day challenge in the environment. This was a vulnerability that TrustedSec found recently, and had already notified the vendor.

Thankfully, there was no Windows 98 this year, so we didn’t have to worry about that!

I plan on publishing at least one challenge write-up, so be on the lookout for that.

I may publish a write-up or two depending on my documentation, so be on the lookout. That said, if you can’t wait, Nettitude/SpicyWeasel already posted theirs, and they got challenges that even I didn’t.

It was a lot of late nights, but we had some great teamwork and collaboration on a lot of the challenges. The people in the CTF room were great fun, and I got plenty of free bourbon and snacks from other teams.

The prizes weren’t given during the closing ceremonies this year, so we had some time to ourselves during them. We ended up receiving $500 in cash that we donated to HFC‘s Puerto Rican mission.

(No pictures from the closing ceremonies, but here is one that @LuxCupitor took of the back of us while receiving our prize)
DerbyCon 7 - CTF Prize

DerbyCon 2017 – Conclusion

While I missed the closing ceremonies this year, we were able to grab some lunch and relax. In the end, over $15,000 was raised for Puerto Rican aid over multiple cons.

Unfortunately, this year’s tweets summed up some different feelings than last year

Also during the Closing Ceremonies was the 2nd Hackers for Charity auction. This was like nothing I had ever seen before. People who had donated their entire weekends at DerbyCon to charitable purposes raising thousands of dollars. At one point, a Louisville slugger made by Eddie sold for $2048 and was immediately re-donated. It then sold for $1024, being donated back one more time. The 3rd, and final price, was $769, making the total price (and donation) $3841.

The best way to sum up my feelings after DerbyCon was this Tweet of mine. I did get over the Louisville flu though and made a speedy enough recovery.

Not as much excitement after this year, but plenty of ideas for challenges, write-ups, and exploits!

DerbyCon 8 – Evolution

DerbyCon 8 was another fun time, and it again proved why Derby is one of my favorite conferences.

Introduction

No bachelor party this year, so it had been a full year since I was in Louisville this go-round.

That said, we had some team meetings before the conference itself, so I was there for almost a week.

This was another great year, and I love this conference and city.

Louisville

I ate and drank at a lot of the same places as last year, but also hit up a few more.

Our team meeting (and team drinking the night before) was held at O’Sheas, which was great fun.

I also went back to the Jim Beam Urban Stillhouse, to bring home a bottle of the Select.

DerbyCon 8 - Jim Beam Stillhouse Select

Matt brought the bottle home with him, although it had a safe journey.

DerbyCon 8 - Car Seat Stillhouse

I also received a bottle of the Buffalo Trace Bourbon Cream from Dan, and I’m looking forward to trying this.

DerbyCon 8 - Bourbon Cream

Other than that, I of course brought back some DerbyConFlu from the Ohio River.

DerbyCon 8 - DerbyConFlu

The Con/People

I had an awesome time this year and hung out with a few fun people.

Spent more time talking to Lee, and we discussed the idea of a hobby swap at a future con. We also got to send Chrissy a picture, and she guessed that it was DerbyCon time.

The Marriott was a great site, although it did seem a little understaffed at times.

I got to walk around the vendor area, and talk to some of them about their swag and products.

The arcade setups were awesome though, and I got to play some MvC2.

I wish I had more time to visit the Mental Health Village, but I heard great things about it.

Other than that, spent a lot of time drinking and hanging out with people whose names and handles I have since forgotten.

Talks

For the second year in a row, I managed to miss all the talks.

That said, Adrian already has most of the videos uploaded, so you can catch up with me if you missed any!

SwAG / Booth Babe

The Secureworks Adversary Group (SwAG) had an entire booth this year, which was fun.

We got some team t-shirts, which I like.

DerbyCon 8 - SwAG Shirt

I worked the booth for a few hours and got to talk to some potential customers as well as employees.

We also had a crypto challenge, that over thirty people managed to solve! The prize for the first solution was a Surface Pro, and then we drew names for a HackRF as well as a Yardstick One.

It was awesome having everyone there, and I think we ended up bring 60+ people to the conference.

While I didn’t take part with the SwAG CTF team, we still had plenty of drinking, meals, and hanging out together.

Concert

Unfortunately, I missed the Vanilla Ice concert this year. This might be my biggest DerbyCon regret, and I heard it was pretty awesome.

That said, I was able to catch the entire Offspring concert!

DerbyCon 8 - Offspring

They rocked the house, and it was a fun time. They played a bunch of songs I knew, though I didn’t realize how young I was when they became hits.

The only real issue with the concert was the vocal audio, but it was still an enjoyable concert.

CTF

Another year, another DerbyCon CTF. As usually, I participated with EverSec. We had 5 core members, plus a new person that reached out to us before the con!

Unfortunately, I wasn’t able/wanting to spend all of my time in the CTF room this year. That meant that no one else wanted to either, so we didn’t do as well as in earlier years.

In the end, we still ended up in 7th place, which isn’t bad considering the time spent and the number of team members.

DerbyCon 8 - CTF Scoreboard

SwAG ended up in 2nd place (Illuminopi), and I was able to discuss some challenges and hints with them at night when my team was asleep. I still caught plenty of flack as a traitor, but it was worth it.

Matt has posted one write-up so far, so be sure to check it out.

Unfortunately, but congratulations to them, Spicy Weasel (Nettitude) was able to pull out the victory again.

You can already find their write-ups here, which is awesome of them.

The style of the CTF was the same as the past two years, with an open network and an unknown number of challenges to solve.

The theme this year was the Equifax breach, with plenty of Equihax references.

There were no 0days or Windows 98 as far as I know, but there was a pretty in-depth MUD that had command execution.

I plan on publishing at least one challenge write-up, so be on the lookout for that.

We got $100 in cash as our prize that we donated to HFC.

DerbyCon 8 – Conclusion

I was able to catch the closing ceremonies this year, even after we grabbed a quick lunch at Gordon Biersch. I’m not sure how much that attendees donated in the end, but there were some fun items up for auction.

This was a great conference again, though I was tired out after spending almost an entire week in con mode.

Oh, and thanks to DerbyCon for bringing back the aluminum bottles that are dishwasher safe! I prefer these to the ones from last year.

DerbyCon 8 - Water Bottle

I kept it low-key enough this year, and I’ve got plenty of CTF challenge ideas and write-ups in the works.

Is this the Finish Line? (September 2019)

I went to DerbyCon 9, which was, unfortunately, the last DerbyCon there will be.

DerbyCon 9 – Introduction

If you have never made it to a DerbyCon, then you missed out. This was a wonderful conference in Louisville that felt like a family gathering.

Note: I know this post is a few months late, but I couldn’t bring myself to finish it up right away.

This was another wonderful year, and it wrapped everything up as nicely as possible.

Louisville

At this point, I’m familiar with Louisville, but it is always nice to go back.

To start the week, those of us that arrived earliest grabbed a quick lunch, including a cup of bacon.

DerbyCon 9 - Bacon cup

First sandwich

I also made sure to continue my fitness program, and the Marriott gym was pretty nice.

Marriott gym

It wasn’t all food and whiskey this week, and I made sure to try out some local beers.

DerbyCon 9 - Beer

Even before official ceremonies started, you could find EverSec topping other scoreboards.

EverSec Mario

I also managed to party harder than expected in Steve‘s room with Sean and some others, as indicated to what I woke up to the next morning.

Drunk undressing

That said, nothing treats a hangover like an early afternoon hot brown.

DerbyCon 9 - Hangover hot brown

While I was in Louisville, I made sure to visit my favorite burger joint, Bunz.

Bunz menu

Bunz Burgers

DerbyCon 9 - Bunz map

The Con/People

I loved my time at DerbyCon, as usual. That said, I wish I had some more time to spend at the conference or with people. I spent even more time on the CTF this year, and I’ll cover that below.

Even when I wasn’t taking part in the CTF, I was getting ready for it to start.

Hashcat preparation

As is tradition, I took my yearly photo with Lee to send to Chrissy.

Photo with Lee

I did get the chance to help a few other teams with the BofA CTF, so that was fun.

We also spent some time with the eLearnSecurity guys and brought home some cool swag.

DerbyCon 9 - eLearnSecurity swag

eLearnSecurity socks

Other than that, I spent a lot of time drinking and hanging out with people whose names and handles I have since forgotten.

DerbyCon 9 – Talks

I’ll be honest, I barely looked at the talk schedule this year. I spent all my time on the CTF, but I heard great things about a few of them.

I did Grifter proud this con again; “no talks, not even one”.

That said, Adrian already has the videos posted, so I recommend checking them out.

Let me know if you see any that I might not have watched yet or thought I would enjoy!

CTF

Ah yes, the DerbyCon CTF. This is where I’ve spent most of my time the last three years, and this was no different.

If you haven’t been following the trials and tribulations of EverSec, then this is how we’ve done.

We’ve come so close every year but haven’t been able to come away with a win.

As you can see, we had a decent lead with 24 hours left in the competition.

I also got a few points with some help from Chris and NeverSec.

We had a ton of people this year, thanks to various new members and friends.

Team mid-CTF

Someone iced the organizers for the first time ever, which was fitting for the last DerbyCon.

DerbyCon 9 - CTF iced

More CTF icing

Delicious Smirnoff

I also got a wonderful gift from some other competitors, in playful fun.

DerbyCon 9 - Bag of dicks

In the end, we ended up winning for the first time, finally beating Spicy Weasel (Nettitude)!

Final CTF scoreboard

Final scoreboard

This was a great feeling, and I loved moving these tickets.

DerbyCon 9 - Trello update

Beat Spicy Weasel

Here was a group shot of everyone that was left at the end, and I couldn’t be prouder of this group.

Team EverSec photo

This has been the CTF that I’ve wanted to win the most, and I’m so happy that we won the final one. You can find every scoreboard below, but now we are champions in perpetuity!

DerbyCon 9 - Four years of DerbyCon CTF

I still haven’t started on write-ups yet, but you can find one from WTG here, and the Nettitude one’s here

Illuminopi/SwAG also managed to take fourth, which was hilarious after Trenton said that he was hoping to win and beat us just for fun.

In the end, we won $1000 cash that we donated back to HFC.

CTF victory

Closing Ceremonies

I got to go to the closing ceremonies again this year, and I was only crying through part of them.

That said, there was one fun typo in a slide, which we managed to catch photo evidence of.

Metal Health Village

DerbyCon also shared the CTF stats, and we got to feel one more giant burst of pride seeing ourselves on top.

DerbyCon 9 - CTF stats

DerbyCon 9 – Conclusion

I love DerbyCon, and I’m going to miss it.

Leaving DerbyCon

I’m sure that I will be back in Louisville, but I grabbed a last-minute lunch at the Bourbon Academy before my flight left.

Bourbon Academy

DerbyCon 9 - Final lunch

As usual, I managed to bring home some Ohio River con-flu, which is never.

Oh, and the water bottle was dishwasher safe again this year thankfully!

So long DerbyCon, and thanks for all the fish bourbon

CTF, I can’t recommend stealing ideas from this one enough.

Let me know in the comments if you ever went to DerbyCon, or if you’ve been to another great security conference!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Address
304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM