It has long been known that DerbyCon was one of our favorite cons. The organizers, the attendees, the family atmosphere…all of it together made Derby feel like home for the SEVillage crew. And for the past 9 years, the SEVillage has had a presence at DerbyCon. We started with just a table and graduated to an entire room, running events from morning until night. In 2017, we brought our flagship event, the SECTF. The response by the Derby community was amazing; we had dozens of signups and hundreds filled the SEVillage to watch the competition. For several years, we ran our Derby-exclusive Beat the Polygraph competition. With a professional polygrapher administering, contestant after contestant would allow themselves to be strapped in and to be asked a series of questions in attempt to fool the polygraph. Mission SE Impossible (MSI) has been a staple of the SEVillage for the last few years and Derby has loved every minute of it. SE Panels was even invented at DerbyCon! With so many attendees coming to the SEVillage to pick the minds of the experts, we grabbed a table, sat down, and started answering questions. It was such a huge success, we brought it back year after year. With a panel of the community’s smartest and brightest, topics the attendees actually wanted to hear about were discussed. Yes, we’ve had an amazing run at DerbyCon. And while this year was the final year, we went out with a bang. So, both here and in our hearts, we pay tribute to DerbyCon – The Finish Line.
Practical OSINT For Everyday Social Engineers
For the 26 students who managed to get into our Practical Open Source Intelligence For Everyday Social Engineers training course in the TWELVE seconds (not a joke) before it completely sold out, we salute you for your ninja-registering skills. Everyone brought their A-game to both days of our training. The class was engaged, quick to pick up content, and asked amazing questions which kept our trainers on their feet. The highlight of the course was when not one, but TWO teams won the course’s final challenge at the exact same time. This was history-making for our OSINT training; never have we had two final challenge winners!
Friday – Risk Taking, MSI, and Security Awareness Training
We kicked off Friday with a speech by our own human hacker, Chris Hadnagy. He spoke on “Dynamic Risk Taking and Social Engineering”. One of our favorite qualities in our beloved leader is his ability to try anything, no matter the risk, and this has paid off several times in his career. Between developing a multidimensional training course that he created on a napkin while drinking whiskey…or getting arrested while trying to break into a bank in a foreign country…driving away from armed guards and almost off a cliff…he’s taken almost every risk there was to take (all legally, by the way). His speech focused on how sometimes we must step outside of our comfort zone, recreate the wheel a few times, and take the plunge when the opportunity presents itself. Chris recounted real-life stories, experiences, and what he’s learned in his 17+ years as a social engineer. You can check out his speech on here.
After the encouraging words and thoughtful advice from Chris, it was time for the SEVillage to officially kick off with our MSI competition. If you’ve never seen our MSI competition, let us paint a picture for you. In this contest, you were captured attempting to break into Chris’s office building. You were handcuffed AND leg-cuffed in a jail cell, and you had to shim your handcuffs, pick a lock, successfully identify facial expressions from Dr. Paul Ekman’s micro-expressions training, and to escape, you must traverse a laser grid with sharks with lasers on their heads. The fastest time won! That excited panic you just felt reading that, is what MSI is all about. Because MSI is such a popular event, on Friday, we took signups while Colin gave some great hands-on practice and demos so that we would have all day Saturday to compete.
We finished off our day with a special SE Panel, “Security Awareness Training – What’s Effective and What’s Not?” featuring Chris Hadnagy, Neil ‘Grifter’, April Wright, Jamison Scheeres and Eric Khron. These leaders within InfoSec presented many forward-thinking ideas and perspectives on security awareness training. If you missed it or want to relive it, the panel recording is available on YouTube!
Saturday – OSINT CTF, Rise of the MSI Ninja, and the last SE Panel of DerbyCon
We knew we wanted to bring something new and exciting to our last SEVillage at DerbyCon. After a lot of discussion within our team, we turned to the dynamic duo of Chris Silvers and Kris Silvers to help us develop a live OSINT CTF. While the Silvers team have put on several OSINT CTFs in their career, this was the first live version of the competition they had ever done. Let us break it down for you… We opened contestant sign-ups via our website and asked them to tell us why we should choose them to compete. After reviewing all the potential candidates, we selected 14 people to come to the SEVillage and compete live, in front of our audience. With REAL targets who
were coerced willingly volunteered to be part of the competition, competitors were given four hours to gain as many flags as possible using only OSINT. All flags were pre-approved by our ‘Voluntargets’, of course. No calls or contact with the targets in anyway was allowed. To keep the audience entertained, our contestants were on camera and projected onto a large screen so that the entire Village could see what was happening the entire time. We invited special guests Whitney Maxwell, former SECTF Champion, and Johnny Long, former and current legend, who dropped in to review flags and discuss how these findings could be used by a malicious attacker. After a grueling four-hours going head to head, our winners were maru37 in 3rd place, geelint in 2nd, and dualcoremusic taking 1st place! Thank you to everyone who competed!
With our first ever OSINT CTF in the bag, we braced ourselves for the MSI competition. Typically, we would have had our Beat the Polygraph competition on this day, but unfortunately, due to a last-minute court hearing, our polygrapher could not make it. Luckily, the DerbyCon attendees did not disappoint in making MSI both entertaining and extremely competitive. Contestants faced some real difficulties, earned some close times, and kept us on our toes. The very last contestant in our MSI competition was d4rkm4tter who we dubbed ‘Fake Grifter’ because the real Grifter refused the challenge, likely fearing the baby power would ruin his pristine black hat. After a day of contestants being stumped by a variety of components in MSI, we weren’t sure what to expect. Fake Grifter surprised us ALL and even himself, by completing every part without practicing. We were all shocked when, facing the laser grid, he HURLED himself OVER the grid, even managing some version of a tuck-an-roll. Apparently, he’s training for a marathon and well…it shows.
After the Cirque de Soleil act, we prepared for our final SE Panel of DerbyCon. We invited past SECTF winners, Alethe Denis, Whitey Maxwell, and Chris Silvers to sit down with our own professional vishers Shelby and Colin Hadnagy to discuss “Vishing: Competition Vs. Real Life, What’s the Difference?”. You can check out the video of this panel and their interesting perspectives on our YouTube account.
Sunday – Final Goodbye to DerbyCon
On Sunday, the SEVillage was open for our old friends to come by and for new friends to be introduced. It was a very chill and somewhat somber day as we said goodbyes and bid farewell to DerbyCon. With tissues in hand, and nervous over what prank Dave has come up with this year, we all headed to closing ceremonies.
You can catch portions of Closing Ceremonies here; but we’ll sum it up as: Chris punched a unicorn, we auctioned SEVillage memorabilia to benefit The Innocent Lives Foundation (earning just over $11,000!!!), and literally everyone cried like a baby.
DerbyCon – The Finish Line
And with that, DerbyCon came to an end. It was bittersweet for us as a team to close the SEVillage for the last time in Louisville. We want to take the time to thank our sponsors, KnowBe4 and CG Silvers Consulting, for supporting the SEVillage and helping us create a fun and engaging experience.
We’ve truly enjoyed our time at DerbyCon, and the memories we have will stick with us forever. From Lobbycon to all the SEVillage fun, we want to say ‘Thank you’ to those who have joined us every step of the way. And thank you, to Dave, Erin, and the entire DerbyCon crew. We can’t tell you how much we appreciate how hard you worked to put on DerbyCon for the community. We are excited to see what the future of DerbyCon Communities is, and how Derby will continue to benefit and uplift the lives it reaches. However…can we just say…we will not miss the Icings.
With conferences like DerbyCon inspiring us, we’re excited to be hosting our own inaugural training conference in Orlando on February 20-22. It’s aptly called SEVillage: The Human Hacking Conference and registration is open now! You’ll get expert training on how to hack thoughts, actions, and the people around you.
It’s for anyone who’s looking to REALLY level-up and get serious about learning from some of the foremost experts in the world on all things SE-related: body language, cold reading, behavior, slight-of-hand, acting, deception, OSINT, and so much more.
You’ll learn from the best and be able to mingle with them at this never-before-seen conference. Plus, you’ll get:
- Your choice of up to 5 multi-hour workshops taught by world-renowned leaders in behavior, physiology, deception, technology, and psychology;
- Specialized learning tracks including Hacking the C-Level, Hacking Business, Mind Hacking, Pentesting and Red Teaming;
- A variety of speaking sessions from expert-level presenters, varying from fast-paced concentrated content to panels and keynotes;
- Exciting breakouts;
- 3 Evening Events plus many opportunities for networking; and
- All-inclusive lunches, beverages, and breaks
Register ASAP to reserve your seat in the training workshops (some are a 25-30 seat max capacity!!!), or drop us a line to let us know you’re interested. We’ll see you there!!
*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by SEORG. Read the original post at: https://www.social-engineer.org/event-updates/derbycon-updates/derbycon-the-finish-line/