What I've found is that security conferences, no matter how awesome their content, are often hindered by the sheer number of people (and attitudes) in attendance and the overwhelming choice of (good and bad) content. DerbyCon had a great mix of both, including a refreshing sense of a community striving to change the broken security industry for the better.
As a first-year conference, DerbyCon came out swinging with a great lineup of speakers, including Dave Kennedy, Jayson Street, Chris Nickerson, Carlos Perez, and Chris Gates. While I was disappointed with some of the content, most of it lived up to the hype, and everyone I talked to had a couple of favorites that they really enjoyed, like Gates and Rob Fuller's "The Dirty Little Secrets They Didn’t Teach You In Pentesting Class," and Kevin Johnson and Tom Eston's "Desktop Betrayal: Exploiting Clients Through The Features They Demand."
In addition to the talks, there was a capture-the-flag competition, a lock-picking and hardware hacking area, and a "hacker" movie marathon. The vendor area had several tables with groups like No Starch Press, Pwnie Express, Hackers for Charity, and Hak5 with things to sell or items to auction to help promote a good cause.
One thing I picked up while there was a USB Rubber Ducky from Hak5. The quickest and simplest explanation is that it is a hardware-based attack device that acts like a USB HID device (i.e., USB keyboard). Plug it into a target machine, and it will inject keystrokes to change system settings, open a backdoor, or shovel a command shell back out to an attacker's machine. It's an interesting attack device that will likely have its own blog entry here once I've had more time to play with it.
I want to thank Dave (Rel1k) Kennedy, Adrian (Irongeek) Crenshaw, the other organizers, and volunteers for making DerbyCon a great success. My friends and I have already made plans to meet up again for DerbyCon 2.0. See you there.
Check out the videos from the DerbyCon presentations here, thanks to Irongeek.
John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.