For the very first time in all of history, I was told that an 8 year old was going to be giving a talk at the famous security conference – DerbyCon. Thanks to Dave Kennedy (@HackingDave) and the entire speaker selection team for selecting me to speak at DerbyCon 4.0 (2014). I wondered, what you might have thought when you saw a submission from an 8 year old? I hope I made you proud!

First of all, let me start by saying “I loved DerbyCon!”

We drove from Austin, TX to Louisville, KY, over a thousand miles!!! On the way to the conference, I prepared my talk and demo, like a million times, in the car. My dad (@manopaul) and mom (Sangeetha Paul) were excited and nervous at the same time. My lil’ brother, Ittai was my cheerleader saying “You go, Reuben!” 🙂

But since we got there late, I missed the keynotes by Ed Skoudis (@edskoudis) and Dave Kennedy. But I still loved the con.

At the con, as we were registering, they asked me if I wanted the child badge or the speaker badge. I took the speaker badge (LOL). We got greeted first by Erin Kennedy (@MrsRel1k). Erin went to look for some toys and goodies to make me and my little brother, Ittai, feel welcome as one in the family.

It was September 26th, 2014 – the day of my talk. Just before my talk I was very nervous, but everyone is nervous on their first talk, I think, but, when I went on stage, I just went with the flow. The person in charge of the speakers, Jim Manley (@jw_manley), had to get me a chair, because I was too short for the podium. Jim said that “they’ve never had a issue like this, before” :-). Now, they call me “Chairperson” of conferences, not because I am the most important person in the conference, but because I have to stand on a chair to reach the mic to give my talk. 🙂

By God’s grace, I think my talk went superb.
The title of my talk was “InfoSec from the mouth of babes (or an eight year old)”.
I talked about three things –

1. Why do you need to teach your kids InfoSec?
2. How can you teach your kids InfoSec? and
3. What can kids teach you about InfoSec?

I also said why kids are the best social engineers (next to puppies and the setoolkit by Dave Kennedy and the TrustedSec team (sorry Dave) :-)) and did a demo on how to get a meterpreter shell back. I got five shells back – pwned. :-).

Here a few tweets by Dave Kennedy and Jayson Street about my talk and demo.

After my talk, Jayson asked, if I could program for Android? I should have responded by saying what my mom wanted to say which was “Get yourself an iOS device“ but instead I did the business thing of saying “I should learn Android programming.” 🙂
At the end of my talk, after thanking my God, Jesus Christ for the gifts and talents he has given me, the organizers of DerbyCon and all who came to hear me speak, I closed my talk by saying “HACK ALL THE THINGS, BUT DON’T DRINK AT ALL.” (I hope Dave (@dualcoremusic) did not mind me changing his lyrics a bit :-).  It was awesome, meeting him in person as well.

It was an AWESOME experience for me!!!
At the end of this writeup, I have put the video link of my debut DerbyCon talk (thanks to Adrian Crenshaw (@IronGeek_adc), whom I met in the lobby, as I was preparing for my talk).

At the end of my talk, Jim Manley came and told my dad, that for the first time, he saw people waiting in line to get into a stable talk at DerbyCon – so thank you to all the people who came and attended my talk, making it houseful.

After my talk, I went to the Social-Engineer booth where Chris Hadnagy (@humanhacker) gave me the Social-Engineer challenge coin for my talk and demo. This was my first challenge coin. Chris then put me on the polygraph machine. They asked me many questions and one question was “if I have ever tattletaled on my brother?” I told the truth but I think the polygraph machine was broken or it had a mind of its own. Chris then laughed out loud and said something like, “I am a damn good hacker, but a really bad liar.” Paul Asadoorian (@securityweekly) who was in the booth next to the polygraph machine, was enjoying all the truth I was saying and laughing out loud. 🙂

Then I got to go to the lock picking room. The company that ran it was named TOOOL. I got my first lock picked, which I think is pretty cool.

At this time, one of my dad’s friend, Dave Clarke, who helped my dad settle down in America, when my dad first came to Virginia, texted him and told him that his son, Michael Clarke (@michael_clarke) was attending DerbyCon and had spoken to him about my dad and me. Michael came and met my dad and my dad was super happy to see him.

After this, I went to the CTF room, managed by Scott White (@s4squatch) but we could never get to connect to the internet over Wi-Fi (next time when you run CTF, think about kinda adding a little bit of some WIRELESS CONNECTION that actually works – Scott :-)). Then Tom Moore (@c0ncealed) from Proverbs Hackers list gave me a network wire for me to use. I think it was a God sent gift at that time. Then my dad helped me identify some flags, since this was my first CTF. Our team name was team RAPstar, and in the one hour, we were there we got a score of 720 for about 6 to 7 flags (not bad for my first time, I think). 🙂 Scott also gave me a DerbyCon CTF challenge coin. Thanks Scott. 🙂

I met a lot of people at DerbyCon. Like many people from the Proverbs Hackers list (Michael Farnum, Carl Sampson, Tyler Halfpop, Michael Sudduth, Tom Moore …), Hackers For Charity (Johnny Long, Justin Brown), TrustedSec team (Dave Kennedy, Erin Kennedy, Scott White, Paul Koblitz, Larry Spohn) and friends of HackFormers (Rich Grimes, Ed Skoudis).

It was good to meet Metasploit expert @egyp7 who had come to my talk, and  tweeted that I was hardcore after my talk. Thanks @egyp7. Ed Skoudis also encouraged me about my talk and I knew him from before as he had come and stayed at our house, to speak at HackFormers, before DerbyCon.

I was thrilled to meet Johnny Long who started Hackers For Charity and get my first awkward hug from Jayson Street.

I also met Kevin Johnson from SecureIdeas, who is a good friend of my dad, whom I also knew from meeting him at our house. Another Kevin, I got to meet was Kevin Mitnick, who is well known in the security industry, and got to take a picture with him (with our DerbyCon speaker badges) 🙂 which was really cool.

I also got to take a picture with Erin Jacobs (@secbarbie), the Barbie who is not hackable 🙂

@t1as gave me some Godly advice of not becoming proud as fame is short-lived, but to be humble and a child of God, all the time, which I liked very much. Thank you @t1as.

I was thrilled to meet the best hacker artist ever, Eddie Mize (@EddieTheYeti) and take a picture with him. What an honor I felt when Eddie painted my face after DerbyCon – an honor which I am not sure, if I deserve. You can see Eddie’s painting of me. My dad told me that while most people who are painted by Eddie need to be painted only once, in my case, since I am growing, he may have to paint me again 🙂 (lol)

My dad has spoken to me much about some of his other friends, Khalil Sehnaoui (@sehnaoui), Dave Marcus (@DaveMarcus) and Nate Sanders (@mauvehed), whom I hoped to meet, but did not get a chance too. Hopefully, I will get to meet them in DerbyCon next year (if I get selected again for a talk :-)).

In closing, I would like to say, “DerbyCon was awesome.”

I loved meeting many people and seeing everybody. I loved the family like environment. It felt nice, to not be judged even though I am only 8 years old and be respected for what I knew and what I could do. Most of all, I loved DerbyCon, because it made me feel included to be part of such a wonderful family (of hackers). Truly, DerbyCon lived up to its theme this year – Family Rootz.

I hope to be back for DerbyCon 5.0wned. 🙂

Originally published in Prudent Games website blog.

——–

Link:
My talk – InfoSec From the mouth of Babes (or an 8 year old). Debut at DerbyCon. Enjoy and share.