Perimeter
10/7/2011
04:11 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

DerbyCon Fosters Community -- Videos Available Online

DerbyCon's successful first year reminds us of what the security community is all about: sharing and learning from others, promoting new ideas, and advancing the art of security

After spending this past weekend in Louisville, I've finally experienced one of the best conferences I've ever been to: DerbyCon. I'll admit that my conference experience has been limited to DefCon, Black Hat, ShmooCon, B-Sides Las Vegas, and SANS -- all of which have their pros and cons -- but I think they serve as a good sampling of what's out there.

What I've found is that security conferences, no matter how awesome their content, are often hindered by the sheer number of people (and attitudes) in attendance and the overwhelming choice of (good and bad) content. DerbyCon had a great mix of both, including a refreshing sense of a community striving to change the broken security industry for the better.

As a first-year conference, DerbyCon came out swinging with a great lineup of speakers, including Dave Kennedy, Jayson Street, Chris Nickerson, Carlos Perez, and Chris Gates. While I was disappointed with some of the content, most of it lived up to the hype, and everyone I talked to had a couple of favorites that they really enjoyed, like Gates and Rob Fuller's "The Dirty Little Secrets They Didn’t Teach You In Pentesting Class," and Kevin Johnson and Tom Eston's "Desktop Betrayal: Exploiting Clients Through The Features They Demand."

In addition to the talks, there was a capture-the-flag competition, a lock-picking and hardware hacking area, and a "hacker" movie marathon. The vendor area had several tables with groups like No Starch Press, Pwnie Express, Hackers for Charity, and Hak5 with things to sell or items to auction to help promote a good cause.

One thing I picked up while there was a USB Rubber Ducky from Hak5. The quickest and simplest explanation is that it is a hardware-based attack device that acts like a USB HID device (i.e., USB keyboard). Plug it into a target machine, and it will inject keystrokes to change system settings, open a backdoor, or shovel a command shell back out to an attacker's machine. It's an interesting attack device that will likely have its own blog entry here once I've had more time to play with it.

I want to thank Dave (Rel1k) Kennedy, Adrian (Irongeek) Crenshaw, the other organizers, and volunteers for making DerbyCon a great success. My friends and I have already made plans to meet up again for DerbyCon 2.0. See you there.

Check out the videos from the DerbyCon presentations here, thanks to Irongeek.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.