I downloaded my first copy of BackTrack when I was 13. I had no idea what I was doing, or how to use it, but I knew that I was hooked. I’ve been fascinated with technology since I was a kid, so the idea that I could interact with that technology in new and unexpected ways was exciting. I followed my passion for technology into my adult life, but had always played it relatively safe. I got into satellite and other RF communications, then found myself working various IT roles. I worked my way up to an admin role for a hosting provider, decided it wasn’t for me, and found myself back where I originally started: information security. I began pursuing a career in InfoSec and rediscovered my passion for red team work, but felt disconnected from the community. I didn’t feel like I had the talent or experience required to get involved in any hackerspaces, and was holding myself back from interacting with other people like myself. This is a story of how I overcame that by doing something I’ve always wanted to do, but never had the social courage to take on: attend a security conference, and involve myself in a community that I’ve always admired from afar.
DerbyCon is a security conference that puts an emphasis on learning and collaboration, while also promoting hospitality and family values. It takes place in Louisville, KY each fall and ticket sales are limited in order to promote a more intimate and welcoming experience. Conceptualized in a pizza shop by a group of friends, the conference was intended for a community of peers, learning from one another. With so much thought clearly put into the conference planning, it seemed like the perfect opportunity for anyone looking to connect with the InfoSec community for the first time. None of us at Defiant had ever been to DerbyCon, so a few of us had the opportunity to check it out.
Upon my arrival I made the typical rounds, speaking to vendors and checking the clever swag they give out to attendees. As I explored the venue I noted the thought put into simple things, like the group-friendly seating in the main conference area and water coolers every twenty yards or so. The organizers certainly accomplished their goal of making attendees feel welcome, because after only an hour I was interacting and connecting with new people. It didn’t matter what they were doing, whether or not I was familiar with the technology, or what their title might be; each person I spoke with was excited to share their passion and knowledge, and was open to questions. I met many interesting and impressive people, and through our conversations I finally understood something that I’ve been repeatedly advised: everyone struggles with something, and that’s okay. The community is there to help, as long as you’re open and honest in those conversations.
Sitting in talks was a great way to be introduced to new ideas, techniques, and technology, because it removed the pressure of admitting when something was new. The talks available at DerbyCon spanned many subject fields, but they were kept to a reasonable number so that attendees rarely felt pressured to choose between two talks that held their interest. Whether you were into exploiting Ubiquiti networks and IOT devices, getting into buildings via bypassing physical security measures, Google dorking, or even some friendly social engineering, there was always something interesting going on in a track or a stable talk.
I visited each village in turn, and simply marveled at the amount of knowledge sharing and collaboration I witnessed. I saw locksmiths helping hobbyists learn how to use their new rake or plastic shim in the lockpicking village, and got the time to pick through a few locks myself. The vendors onsite were happy to show off the various tools and techniques employed by locksmiths, and offer advice to anyone struggling with a particular lock or tool. A short walk would take you to the car hacking village, the hardware hacking village, or even a room dedicated to ham radio and chess. The social engineering village offered a two-day panel with industry experts, as well as a Mission Impossible themed challenge that pitted volunteer contestants against obstacles like handcuffs, locks, and a laser grid. It’s no secret that our field contains a high percentage of individuals who struggle with mental health concerns like anxiety, depression, and imposter syndrome, so DerbyCon thoughtfully included a Mental Health Village. If the crowds became too much, it was a calm place to find your bearings, sip some tea, and maybe even sharpen your crafting skills.
A large portion of any conference will be the content provided in the talks, as well as the hands-on experiences gained by participating in the villages, and DerbyCon certainly delivered in those areas. One thing I didn’t expect was the global collaborative and accepting mindset that seemed to be shared by most. Walking through the halls, I saw people from different backgrounds, ideologies, and skill sets talking and working together. I overheard conversations where experienced developers or engineers were explaining programming theory to someone who’d never written a line of code. I saw physical intrusion and social engineering experts breaking down their techniques to people who spend most of their time behind a keyboard. It didn’t seem to matter what you knew, only that you wanted to learn.
It was great seeing Winn and the gang heckle teams brave enough to go onstage to compete in Hacker Jeopardy. The questions spanned a large range of topics, and several questions stumped the teams and had to be passed to the audience. Not answering in the form of the question would earn a little friendly humiliation, but answering correctly would earn a free shirt and roaring applause. This general mindset of being tough on issues and playfully tough on people, really took me out of my comfort zone, and allowed me to interact with others without feeling the need to explain myself. Once the doors closed for the day, groups spilled out onto the sidewalks, and into various restaurants and bars around town. The odd collections of professionals and enthusiasts carried their antics out into the public, where spirited debates and complicated conversations could continue to evolve organically. In my personal experience, many of those after-hours conversations held as much weight as any of the experiences I had within the conference walls. It was hard not to get swept up in everyone’s excitement with the novelty of it all, like the guy covered in neon broadcasting song lyrics as WiFi SSIDs.
Photo used with permission from @securid
“A trade show for practitioners” is a description that I heard from another attendee over the course of the weekend, and I couldn’t agree more. While I regret not getting involved in the community sooner, DerbyCon was exactly what I needed to break out of my own shell, and interact with others as passionate about security as I am. If you’re passionate about information security, and are concerned about involving yourself in the community for any reason, keep in mind that everyone is there to learn and collaborate. My advice for attending your first security conference: simply remain honest, open, and ready to learn and make connections with other people like yourself. I’d like to thank the organizers, speakers, and attendees for coming together to put together something that impacted me, and others like me, in such a meaningful way. I look forward to seeing you at the next con!