Season 3 / Episode 124
DerbyCon was all about making the community - a family. Dave Kennedy, one of the founders of DerbyCon, talks about the unique vibe of the conference, his fear of clowns, and why he'll never - NEVER - listen to a Busta Rhymes album again.
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
- Episode 144
- Episode 145
- Episode 146
- Episode 147
- Episode 148
- Episode 149
- Episode 150
- Episode 151
- Episode 152
- Episode 153
- Episode 154
- Episode 155
- Episode 156
- Episode 157
- Episode 158
- Episode 159
- Episode 160
- Episode 161
- Episode 162
- Episode 163
- Episode 164
- Episode 165
- Episode 166
- Episode 167
- Episode 168
- Episode 169
- Episode 170
- Episode 171
- Episode 172
- Episode 173
- Episode 174
- Episode 175
- Episode 176
- Episode 177
- Episode 178
- Episode 179
- Episode 180
- Episode 181
- Episode 182
- Episode 183
- Episode 184
- Episode 185
- Episode 186
- Episode 187
- Episode 188
- Episode 189
- Episode 190
- Episode 191
- Episode 192
- Episode 193
- Episode 194
- Episode 195
- Episode 196
- Episode 197
- Episode 198
- Episode 199
- Episode 200
- Episode 201
- Episode 202
- Episode 203
- Episode 204
- Episode 205
- Episode 206
- Episode 207
- Episode 208
- Episode 209
- Episode 210
- Episode 211
- Episode 212
- Episode 213
- Episode 214
- Episode 215
- Episode 216
- Episode 217
- Episode 218
- Episode 219
- Episode 220
- Episode 221
- Episode 222
- Episode 223
- Episode 224
- Episode 225
- Episode 226
- Episode 227
- Episode 228
- Episode 229
- Episode 230
- Episode 231
- Episode 232
- Episode 233
- Episode 234
- Episode 235
- Episode 236
- Episode 237
- Episode 238
- Episode 239
- Episode 240
- Episode 241
- Episode 242
- Episode 243
- Episode 244
- Episode 245
- Episode 246
- Episode 247
- Episode 248
- Episode 249
- Episode 250
- Episode 251
- Episode 252
- Episode 253
- Episode 254
- Episode 255
- Episode 256
Hosted By
Ran Levi
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Dave Kennedy
Founder, Senior Principal Security Consultant of TrustedSec
Co-Author of Metasploit: The Penetration Tester’s Guide
Co-Creator of the Penetration Testing Execution Standard (PTES)
Creator of the Social Engineer Toolkit (SET)
Episode Transcript:
Transcription edited by SODA
[Ran] Hi and welcome to Cybereason’s Malicious Life, I’m Ran Levy.
In the past few months we covered in our B-side episodes a number of cybersecurity conferences ThotCon, B-sides and DEF CON. I think it’s interesting to talk about conferences and explore the ideas behind them, not only because they play such an important role in shaping and disseminating ideas and bringing people together, but also because each conference represents a different facet of the cybersecurity community.
For example, the B-sides conference emphasizes openness and grassroots work, THOTCON is all about hackers, DEF CON has its competitiveness, Black Hat is more commercial in nature, each conference is like a window into a different room in that big house we call the cybersecurity industry. If DerbyCon, the focus of this episode, was a room in that big house, it would probably be the living room, because as Dave Kennedy, our guest today puts it, DerbyCon is all about making the community a family.
DerbyCon was founded in by Dave, Martin Boss, Alex Kay and Adrian Crenshaw, and it was never about the money, in fact, as you’ll hear from Dave shortly, none of them ever made any money of the event. Another thing that makes DerbyCon unique among the conferences we already covered in our
podcast is that it is the only one of them which is no longer active. As you’ll hear shortly, the reason why it is no longer active has a lot to do with DerbyCon’s emphasis on familiarity and community, and not necessarily in a good way.
Dave Kennedy is one of the key figures in cybersecurity today, he is known as a world class expert on social engineering and created the Social Engineering Toolkit which is used by many organizations to evaluate and improve their security posture in that aspect. Dave already appeared on our podcast before, but in this interview, however, we’ll discover a few somewhat unknown sides of Dave’s personality. Like why is he afraid of clowns, and why he’ll never again listen to an album by the rapper Busta Rhymes. Dave talked to our producer Eliad Kimchie.
As I often do, I’ll pop up here and there during the interview to fill in some needed context.
Enjoy the interview.
[Eliad] So today we have with us Dave Kennedy, also known as HackingDave. Dave is the founder of DerbyCon, which is one of the most fun conferences that I’ve been to and started in Louisville, Kentucky.
[Dave] It’s Louisville, it’s got… You gotta –
[Eliad] You gotta, yeah – you gotta say it right.
[Dave] Louisville.
[Eliad] Louisville.
[Dave] There you go.
[Eliad] So yeah, started in Louisville, Kentucky, one of the best conferences I’ve had the privilege of going to. And today we want to talk about a little bit about the history of that con, how it ended up in Louisville, and what made it so special. For those who don’t know you, would you mind telling us a little bit about who you are?
[Dave] Sure. My name is Dave Kennedy.
I’m the founder and CEO of TrustedSec and Binary Defense. We’re a global company focusing on everything from consulting to managed security services. So we’ve been in the industry for over years, was everything from a chief security officer for a Fortune company to working in the military intelligence side of the house for cyber warfare. Found the news quite frequently, co-authored the book Metasploit the Penetration Tester’s Guide and one of the co-founders of DerbyCon.
So look forward to chatting today about a little bit of the history and a little bit of the fun that we had back then.
[Eliad] Yeah. So I mean, I’ve had the privilege of talking to a couple of conference founders and I always have this one question in my head for everybody. Why start a conference?
[Dave] When I first started in the security industry back in or so, DEF CON was just kind of starting and happening. There’s been a few of them obviously, but it was a real small type of event at Alexis Park in Vegas. And I remember I had flown out there to Vegas to go see it because I was in the military intelligence cybersecurity side of the house. So they flew me out to DEF CON to check it out and potentially learn some stuff. And what I found then was it was such a new industry, right?
There really wasn’t an information security industry yet fully born or breath yet. And when you went to this place in the middle of Las Vegas, you saw this amazing spark, this collaboration of a lot of brilliant individuals sharing their research and showing what they could do and really starting off what we consider the information security industry today. And I remember seeing folks like the Shmoo Group and CDC and called that COWS and Phil Zimmerman and FIDOR and all those different, just amazing folks that really kind of kick started the security industry and obviously Jeff Moss and the Dark Tangent, all heroes of mine kind of coming through this industry of just people that I really admired. And they were all approachable. You could go to them and get to talk to them, really just cool individuals just in general.
And as the security industry kind of grew, DEF CON blew up and became a massive event. When you build something amazing, people want to go to it. And DEF CON was definitely one of those success stories of, listen, you build it and they will come to reference Wayne’s World. And one thing that I missed about DEF CON was that intimacy that you had with individuals, being able to talk to anybody, the no rock star type of mentality, everybody’s kind of on the same level peer group, regardless if you’re in security, one month or six months or two years or years, whatever it ends up being, there was no barriers.
I felt there. I felt like I could go up to anybody and talk to them.
And I live in Cleveland, Ohio, actually not from Louisville. And one of my friends, Adrian Crenshaw, reached out to me and was like, hey, Dave, can you
come speak at this Metasploit class in Louisville, Metasploit, exploit development, things like that? Can you come and talk? And I said, dude, for sure. That sounds awesome. Let’s do it.
Adrian had me out and I gave a presentation, I gave a few presentations and so did Martin Boss and a few other folks that ended up being some of the initial founders of DerbyCon. And what we found there was it was such a tight knit community of people that wanted to learn and that were, again, that barrier level was down. It reminded me very much of the early days of DEFCON. And so a few of us went to a pizza shop afterwards. And you know, I’m sitting there talking to everybody, I’m like, man, this would be a perfect place to throw a conference because if you look at downtown Louisville area, it’s all kind of self-contained. You don’t need a car to go anywhere. You can walk out and you’re on 4th Street Live. There’s a bunch of bars, there’s a bunch of food, everything you could possibly need to sustain kind of like this small ecosystem. And it wasn’t overly crowded, even on the weekends in Kentucky, it wasn’t like a crazy city that you’re going into. And I was like, man, we should really just throw a conference here to really go back to the roots of sharing and collaboration information and removing those barriers of the rock star mentality and all this other stuff and really just be a family type conference where everybody’s welcome, everybody’s accepted.
Regardless if you’re just in for a year, you’re shy, you’re apprehensive of going into groups. Let’s remove those barriers and let’s teach security to the next generation of folks and to folks that are already in the industry. And so we kind of went home and it was a few of us. So it was Adrian, Martin, myself, and a guy named Alex Ka that really kind of started going through the cycles around what do we need to do to kind of build something like this out. And I remember talking to my wife and we were going through some of the costing numbers. if we didn’t get 500 people for DerbyCon1 , I would have to take out a second mortgage on my house. It was a very risky situation, but it was one that I believed in. It was one that the whole group believed in. And one thing I say is that Aaron was the planning master every year behind DerbyCon. She was the staple that kept us all grounded and managed the entire process for us. She’s an amazing organizer. So she was really the brains behind all of the organizations at DerbyCon. And it was really cool because each one of us had our own specialties like Adrian from a video recording perspective and making sure that we had the individuals recorded from a streaming perspective. We had Martin who had really worked with bands before in the past and knew how to set up big shows and those types of things.
We needed 500 people. We ended up getting 1000, the first year, over double of what we expected to get. And luckily, I didn’t have to take out a second mortgage on my house. And then from there, it just kind of grew exponentially year after year because we threw just one heck of a con.
[Eliad] It sounds like you put a lot of yourself into it and the theme of family is something that comes up. I mean, literally in the name, DerbyCon3 was all in the family, right? And then family matters is all these things and you’re a family man yourself.
[Dave] Yeah.
[Eliad] And is it something, is it a part of you that you’re kind of putting into the con?
[Dave] Yeah, 100%.
When you look at conferences, the conference is made up of people, right? And those people are, if you look at a lot of things around tribes and Marcus Carey’s tribe of hackers and things to that effect, we all have our kind of different tribes that we attest to based on our levels of experience and friends that we have and everything else. For me, the family feel of DerbyCon was the most important. And I think that comes from the leadership team that we had down to the conference itself of making sure everybody feels welcome.
We were out there scanning the barcodes and giving people hugs and welcoming them to the family and saying, hey, everybody’s welcome here. This is just a place for you to learn, to expand your knowledge. And we have so many countless examples of where DerbyCon changed people’s lives. Not just from the charity aspects.
We were still to this day the biggest charity conference in information security from a donation perspective of any other conference that’s out there, including DEFCON and those ones that are massively large. We were sending tens and hundreds of thousands of dollars to charity organizations to make things better. But on top of that, we kicked off people’s careers, got them motivated, first time speaking at DerbyCon. We had so many first time speakers. It was incredible.
The diversity aspects of things. You look at DerbyCon1 versus our final DerbyCon. You had more women in there, more people of color, all these different amazing things that started to happen where, again, everybody felt welcome to come into this conference because we are accepting of anybody and everybody. I had my kids there, especially for the last year. They got to see Michael Carbonaro. My daughter got to go on stage and a magician. It was definitely all about family and I made some amazing friends there and I got to see my friends and just get to hang out with them and meet new people was just an amazing experience.
[Eliad] Did you find that the different atmosphere, the family atmosphere made a difference to people? Did it feel like a different type of conference? How did it change people’s experience?
[Dave] Here’s the difference between, I think, a conference and then what we were doing at DerbyCon. A conference, you go to talks and you listen to those talks and you learn. That’s a great thing and there’s some amazing talks that we had. It was the community effort and coming together as friends, as family, as a group of people that may have differences or differences of opinions, but we all are working together for one goal because we’re very passionate about that.
You could definitely see the level in smaller sized conferences. You look at B-sides, for example. You go to a lot of B-sides and you’ll see a lot of that same type of vibe because the conferences are small. When you start to get to those large conferences, it becomes very difficult to emulate that. I think we were able to scale that and keep it going. It was just really awesome to see people smiling and laughing.
That’s the biggest thing I miss, honestly, to be perfectly honest with you, is seeing people’s lives changed or to experience some sense of joy or happiness. That was by far the most rewarding aspect of doing DerbyCon.
[Eliad] Well, it really clicked with people. One year, you sold out before you even had the tickets.
[Dave] I can’t believe you brought that up. I still get crap for that one. That was an accident. I decided one year, or one year, I made a joke like, oh, our tickets are going to be on sale, let’s just say at noon, and I opened them up at like 11:15, or something like that. Of course, they didn’t sell out, but everybody started purchasing them early and it became this running joke. Most folks on social media knew that every year I opened it up somewhat early and it was just a random time to get your tickets. The folks that really wanted tickets, they’d be there at like 11o’clock just f-fiving the hell out of my server. My server would be like, pew.
I opened up early a couple of years. In one year, when it had gotten so popular, I opened up the tickets five minutes early and before the actual sale went on, the tickets sold out. And so, when it hit noon, people are like, what the heck, they’re already sold out. I’m like, oh man, I messed up. The internet burned down at that point. People were so mad at me because they got on at noon to check to see whether or not it had already sold out because I’d opened them up early. I never did that again after that and I apologize to the folks that may have missed it because of it.
My biggest thing that I hated about that was selling out. Selling out was the worst thing for me because that means people couldn’t experience DerbyCon. To be perfectly honest with you, and I never publicly have said this because I didn’t want it to get out of hand. Anybody that messaged me and was like, hey, I really wanted to get a ticket. I would just give them a ticket for free. I literally probably handed out…. So Aaron used to get always mad at me because I literally would give out 500 additional tickets every year. Just the people that were going through problems or people that really wanted to go to a conference have been there the prior year. I just literally would just give the tickets out. So if someone was like, hey, I couldn’t make it, I’d be like, what’s your email address? And I would just send them a ticket. Or I’d see it on Twitter like, I’m so bummed I can’t make it to DerbyCon. I just send them a ticket. I never made that public because I didn’t want people to be like, hey, man, can I get a DerbyCon ticket? And it starts to become this problem where I’m sending out a thousand, and then I’m sleeping on the couch. But I definitely inflated those numbers quite a bit to help people out.
[Eliad] Yeah, that’s really sweet.
Let me ask you this. If you go back in time, DerbyCon, what are some of your favorite moments at DerbyCon?
[Dave] So many.
One of my favorite memories is I used to always get Chris Hadnagy in his talks. And one year, I went to go sneak up to Chris. And he had a person dressed up as a clown that I didn’t realize that was in the corner. And I’m terrified of clowns in real life. That’s just one of my things. And I see this clown charging me at full force. And I’m literally crapping my pants. There is a sheer look of death and terror on my face as I see this… this horrible masked clown coming towards me.
[Ran] Okay, that’s not something I thought I’d ever research for malicious life. But it turns out that fear of clowns is a real thing. It even has a name, Colorophobia. And it turns out it’s not so rare.
According to a survey, almost 8% of adults say they are afraid of clowns. It’s not considered by the medical profession to be a quote unquote real phobia, like fear of heights for example, but it can cause real discomfort to the people who have it, like what Dave is describing.
Now you might be asking yourselves why is Ran talking about fear of clowns in a podcast about cyber security? Well the truth is that I have absolutely no concrete reason to do so aside from the fact that I find the whole thing fascinating and since I’m the executive editor of this joint I can basically do whatever I want.
So did you know that clowns started as court jesters in ancient times, but over time they morphed into tricksters, which is a somewhat more sinister figure, which might be the reason why so many people feel uncomfortable around clowns. Apparently, fear of clowns was a big thing in the 80s in the US. I can’t really vouch for that since I grew up in Israel, which is probably why Stephen King’s most famous book, It, was such a big hit. Ok, enough with the clowning around, let’s get back to Eliad and Dave.
[Dave] And I remember running in the back and the person I was doing was Jameson, Jameson, one of my buddies, Jameson is charging at me behind the stage, you can’t see this, but then he grabs me and he literally looks at my face and he sees that I’m ready to die, like my face, my eyes are wide, I’m pale, like my heart’s about to shut down.
[Eliad] I don’t think anybody would have imagined you have that big of a phobia of clowns.
[Dave] My mom for some reason decided it would be a great idea when I was like six or seven years old to dress my room up as an entire clown thing, so I used to see clowns at night and waking up. Yeah, it was not good.
And then I saw the movie It and it was just kind of like all over for me. But I’m better now since my dad decided to let everybody know I hated clowns and then the security community does what it does and it just pounds you with clowns every single day for the rest of your life, you eventually become immune to it. So I’ve gotten over my fear. Thank you all for the countless hours and days and weeks and months and years of sending me clown pictures.
But the funny part about that was Jameson, you know, he rips his mask off because he now feels terrible. Like he feels bad because I really am like not doing good. And he’s like, dude, dude, dude, it’s just me, it’s just Jameson. And he felt so bad that he gave me the clown outfit and I put the clown outfit on. And so Chris is like celebrating victory for Dave, you know, is able to for Dave attacking him in the middle of his presentation. And it’s me on there and he’s like, come here, Jameson, you know, and it’s me underneath the hood. And I handed him a spirit off ice and then I ripped my mask off and I got him still.
So that was the goofball, things like that. The people that you meet, you know, we develop relationships with folks at the Hyatt that, you know, transcended just, you know, being employees, they were friends. You know, they loved us at Derby kind, the Hyatt loved us. Like they loved the people there.
What we did, you know, they’ve come to our parties, you know, they they thought we were like the greatest group of folks ever that were so kind and willing to help out and we tipped well, which is always a great thing for folks that are there trying to make a living. You know, it was just, you know, but, you know, not just that, but the people’s lives we changed. You know, we helped out with the Puerto Rican hurricane, we were able to raise funds and get food and water to two folks that desperately needed it.
I mean, we were actually making a difference outside of the conference, too. One of the stories I love remembering is Matt Graber, mad at manifestation, you know, phenomenal, one of the top security researchers in our industry. You know, Matt was just getting into security and was like, hey, man, you like to pick your brain for a few minutes. And, you know, I had never met Matt before, didn’t know who Matt was. And I was like, of course, you know, let’s chat and, you know, spoke to him about how I kind of came through my career, what I recommend for him.
And I’m not saying I had anything to do with this, Matt, Matt has everything to do with what he did. But, you know, he took that information, he amplified it, and now he’s one of the top security researchers in the industry based on his own motivation and dedication. So, you know, it’s just like the people that you were able to impact and change for the better to give people opportunities that didn’t necessarily have them before in the past and to make a difference outside of the conference.
You know, those are memories that I will take, you know, to my grave and to just smile on because it was just, you know, an amazing experience.
[AD] Malicious Life is sponsored by Cybereason.
There is nothing better than a live simulation, especially when you’re fighting cyberattacks that are becoming more and more complex. Defenders are always looking for the critical edge to reverse the attacker’s advantage, and it’s only through live attack simulations that you can truly see what might provide you that winning edge.
Join Cybereason’s global attack simulations to watch firsthand how attackers use the latest infiltration methods and execute on sophisticated malicious operations, and more importantly, how to end these operations before they happen. Reserve your spot today at cyberreason.com/attacksim.
[Eliad] There are conferences in so many cities, speaking of Hyatt and Louisville, what do you think made Louisville like the town for a conference?
[Dave] It’s just, you know, first of all, the kind of like the southern twang atmosphere, I think, was a cool one because, you know, so many good places to eat that were, you know, important, but I think the conference was great, right?
Because we also, on top of just, you know, the speaking and the hallway cons and all that other stuff that we had, you know, we threw some badass parties, like, you know, our parties were second to none in any other conference that anybody’s ever been at. And we hold that record.
Like, there’s nobody shattering our record anytime soon on the parties that we threw. You know, you know, Martin was like, let’s just go big, you know, go bigger, go bigger, go bigger. I mean, we had Wu tang, we had vanilla ice, we had, you know, sublime, we had infected mushroom, crystal method, did we had, you know, the offspring, you know, you know, just incredible bands coming to this whole thing that we could throw just for the security, you know, community. And it was funny because like all of our budget for the whole conference, we never made any money whatsoever off of DerbyCon. That was never the intention.
It was to either a donated to charity or B make the conference even better. That was literally our mindset with every aspect of the conference. We did this for fun. We didn’t do it for money. We didn’t do it for anything else other than to help each other out and to make one awesome conference for the community. And so I think that was a big piece of it.
But there’s also some stats too, like something like like 67% of the US population can make it to Louisville in a, you know, short timeframe. It’s like an under 9 hours or under eight hours. So you know, you could you could get there fairly easy. And it was kind of like a central point for a lot of places, both East West. So it was just it was just I think a culmination of a lot of things that kind of brought it all together.
[Eliad] It’s also, you know, somewhat unassuming as a city. What are some other parties that that you that are really memorable to you?
[Dave] You know, man, there’s so many good ones. I mean, infected was great because they were, you know, when infected first played, that was kind of like a pinnacle for me because infected mushroom was such a huge inspiration for a lot of the tools that I wrote, like a lot of my tools, like artillery, for example, named off of a song from infected mushroom. You know, they have been one of my favorite bands, you know, growing through the information security. I’ve written more code and infected mushroom than any other band by far that there is out there. I mean, there’s just something about their music that that just resonates with me and how they do things. You know, at the end of the day, everybody was just just really humble and really cool. It was really cool to deal with them.
You know, no, no horror stories except for Busta Rhymes. I will never listen to a Busta Rhymes album ever again since he stood us up. We had we had paid for him like everything. We had limos. We had jets waiting for him. The jet was waiting at the tarmac for Busta Rhymes to show up. And he decided to go out and party with Exhibit that night because, you know, of course, the security industry does OSINT on him and figures out that he’s partying with Exhibit and doesn’t show up for the doesn’t show up for his his thing. So we’re sitting there literally on the phone with everybody. Everybody’s just like at an all time low. You know, everybody’s outside calling Busta Rhymes, Busta Rhymes were waiting. He’s not even not even he didn’t even get in the jet. You know, it was it was horrible. And so, you know, I had to go up on stage that year and there was people dressed up in full Busta Rhymes outfits and everything. I felt terrible.
[Eliad] I would say I would say if Busta Rhymes is listening right now, this is an opportunity for for him to apologize, maybe maybe call up Exhibit. They could both do some apology.
[Dave] Yeah.
[Eliad]Yeah. An apology video. Yeah.
Does it ever become surreal? I mean, you’re getting to the point where you’re you’re you’re getting jets waiting for people to tarmac and all that stuff. Does it ever become surreal? At what point did this whole thing become so big that you were like, wow, I’ve really created something.
[Dave] Yeah. I think for me, the time for me was DerbyCon, probably five or six. I can’t remember which one it was, but I was just going up on stage and it was for one of the bands, I think it was for Infected Mushroom. I remember looking out and the whole room is just packed of people, you know, and they’re all there for this conference.
And you know, you look out and you’re like, we just created something from nothing. This is something special that I haven’t been a part of before. And this is something that means a lot, you know.
And when that happened, I just you know, I actually I don’t know if there’s any video of it, but I paused and I couldn’t even speak for just a few minutes just because I was just so overwhelmed with, you know, emotion, a great good emotion of, you know, these people are here because of something that we built and they wouldn’t be here if it wasn’t for something that we didn’t build. And that type of stuff, you know, there’s so many countless experiences like that with DerbyCon that, you know, knowing that you were a part of something bigger that was doing good for others, you know, that’s a big thing for me is making the world a better place.
And when we’re able to help other people, you know, the Hackers for Charity, Innocent Lives Foundation, a number of other organizations, you know, from a charity perspective, Cancer Research and everything else, you know, Crohn’s disease, you know, you know, we we really focused on that those aspects of DerbyCon of trying to help others out.
And you know, it definitely was a huge experience. I remember, you know, opening ceremonies, you know, when you look out in the crowd and there’s just, you know, thousands and thousands of thousands of people there and they’re they’re wanting to listen to you. And that’s a weird thing for me, like when I’m on the news, I’m like, I’m just Dave talking to people about security stuff. I’m not, you know, and people come out to me like, oh, my God, you’re Dave Kennedy. I’m like, I’m just Dave Kennedy. Like, I’m just a guy that, you know, is is doing my own thing, just like you’re doing your own thing. It doesn’t make me any better or special or anything else. We’re all here together doing what we can. And just because I’ve done the news or something else doesn’t make a difference. It just means I have different experiences. And so, you know, I think that that level set of that and everybody came together as one was the most memorable thing that I will always take back with me that I was a part of that.
You know, we eventually obviously ended DerbyCon, you know, it’s a lot of work to put into these conferences instead of it being, you know, a fun project on the side. It became our major jobs, you know, to, you know, day in and day out away from family for a week and everything else. And then, you know, you have, you know, a lot of other things you have to deal with. And, you know, it just becomes such a large conference to maintain. It’s like, you know, we looked at it and said, for one, we probably can’t continue to do the amount of effort because it just keeps growing that we’re doing. It’s a full event and all of us are involved in this, you know, 11 months out of the year of building this. You know, do we hire people to come in and build the conference out, which, you know, we felt would lose the feeling and the vibe of the conference and its, you know, its original intention, or do we just move on, you know, and go out on a high note of being one of the best conferences that’s ever been out there in the security community?
And it was a hard decision, but we all decided, you know, listen, it’s time to move on. We did our thing. We left our print. You know, now it’s up to the community to take that and move it forward. And it was a hard decision, you know, sad, but one of those ones where, you know, we knew it was the right decision. And lo and behold, luckily, or not luckily, a horrible situation, but, you know, we definitely bounced out at the right time because COVID had hit the next year, you know, and a lot of conferences had to cancel and postpone and, you know, it was just a difficult time there anyway. And conferences in general are becoming much more difficult to manage and handle. It’s just, you know, just a kind of the, I guess the noise that we have today in a lot of cases in those. So it’s just, you know, it was time to move on and we’re happy that we did what we did and went on a high note and, you know, kind of look back at that and saying, hey, I was part of that. We made that. And it was something special that people remember for their lives.
[Ran] There’s another reason why Derbycon came to an end that Dave chose not to address directly in the interview, although you might have caught a whiff of it in his last few sentences, the so-called noise he was referring to. That noise is what Dave called, quote, a small yet vocal group of people creating negativity, polarization and disruption, end quote, in the blog post in which he stated that Derbycon 9, which was held in 2019, will also be the last one. It’s no secret that in the past few years we’re witnessing a sort of a culture war being fought, mainly on social media, but also in traditional media and in politics. We have the MeToo movement and Make America Great Again and cancel culture and whatnot, and all these social stresses are naturally seeping into the cybersecurity conference scene as well and causing real headaches to the organizers.
Like what’s the right thing to do when a speaker is accused of sexual harassment or when an attendee is expressing some unwelcome political view? It seems that these headaches were part of the reason why Dave and his co-founders decided to end the conference in 2019.
Here’s what Dave wrote in the said blog post titled Every Beginning Has an End, quote, This year we had to handle issues that honestly, as an adult, we would never expect to have to handle from other adults. Conferences in general have shifted focus to not upsetting individuals and having to police people’s beliefs, politics and feelings. Instead of coming to a conference to learn and share, it’s about how loud of a message a person can make about a specific topic regardless of who they tear down or attempt to destroy. This is not what we signed up for, and each year it becomes increasingly harder for us to handle, end quote.
It is, I think, a bit ironic and sad that a conference that was built around the ideals of helping the community become more of a welcoming family had to be discontinued partly because of such social tensions. I guess that’s just how things are.
[Eliad] Your favorite talk is about some of these mother and the influence, and whether you noticed or not, this is all very, very unique and family oriented and group oriented. I want to ask you, what is your message to the family, the security family moving forward? What do you wish for the family? What would you like to see manifest in the community?
[Dave] I think we already see some of this, which is helping one another when somebody’s down and being positive. It’s very easy to let your life be consumed with negativity. Life is positive for some, it’s negative for others. Some of us have issues, some of us don’t. It’s all a whole spectrum of things. I think recognizing that we’re all human, we all need help, we all need support, and that our jobs consume a substantial amount of time for us. We’re in our jobs 70% of our life. That’s an important piece to recognize that burnout is a real thing and recognizing that you have a support system of people that will help you and pick you up in the event that you’re down. I think that’s really the community aspect that we have in security.
I think from a DerbyCon perspective, we helped out with a lot of the kickstart and the start of that feeling and that method or those motives, but we just need to keep continuing with that and helping out our new generation of folks coming into the industry. I think that’s going to be an important piece next.
[Eliad] All right.
That’s a beautiful note to end on. I want to thank you.
Before I end here, is there anything that I haven’t asked about that you think is important to share about DerbyCon or anything else?
[Dave] No, I think the only thing that I would ever mention is that DerbyCon wasn’t us.
It was everybody.
It was a community that accepted one another, that came together to help one another. That’s the most beautiful thing about the whole thing is we started this from no idea if it was going to be a success or not, or if there’s even a want or need for something like this.
I mean, you can go to a conference, you can go listen to presentations, you can walk out and be smarter, but did you walk away better as a person? That was ultimately our goal is to be a better person, better than when you first came in to the conference.
That’s what I miss the most. I miss that feeling of having that big impact, but I also know that I’m able to still do that in different capacities, and that’s what we should all strive for. Yes, maybe you can’t create a DerbyCon, or maybe you can, by the way. Please do. If you need any tips, just let me know. Happy to talk to you anytime. Knowing that you can have a big impact on somebody else or new people coming into the industry, be a mentor for somebody. Be somebody that will be receptive to one another. Don’t be a person that is standoffish or wants to argue with somebody. Work with somebody to figure out their differences of opinions.
I think it all comes into what we are today and the mission of DerbyCon, and I think you hit all the other points well done, but this is a community effort. It’s not an individual, it’s not a group of individuals, it’s all of us working together.
[Eliad] Lovely. Thank you so much, Dave. It’s always a pleasure talking to you.
[Dave] Awesome. Thank you so much, man.