Capture the Flag 8.0 

2nd floor – Rose room and wifi available throughout the 2nd floor
Contest runs from Friday 12pm to Sunday 12pm

Friday: 12pm to 9pm, Saturday: 9am to 9pm

Sunday: 10am to 12pm

Come and test your skillz! Come and compete against other

people in the industry!

The capture the flag event is an open event and there are no qualifiers. Anyone can participate via self-registration. There will be posters around the venue with information on how to connect and play as well as information regularly distributed through the official DerbyCon CTF Twitter account @DerbyConCTF.

The wireless network information is:

Wireless SSID: DerbyCon-CTF

Password: DerbyCon-CTF

After connecting to CTF network, registration and rules located at


Black Badge

2019 Conference Ticket   –   $500 cash   –   $350 cash

$200 cash   –   $100 cash   –   $100 Visa gift card   –   $100 Visa gift card

$50 Amazon gift card   –   $50 Amazon gift card
Winners announced @ closing ceremony

BYOEPC – Bring your own ethernet patch cord

Sponsored By: Synack


Social Engineer Village 

1st floor – Kentucky Ballroom A&B

2pm SECTF opening

2:30 SECTF Call 1

3:00 SECTF Call 2

3:30 SECTF Call 3

4:00 SECTF Call 4

4:30 SECTF Call 5

5:30 SECTF Call 6



9:30 Open the Doors

Explain Poly Challenge, take sign ups

10:00 to 12:30 – Poly Challenge

1:30 to 5:00 – Mission SE Impossible

6:00 to 8:00 – SEPanel – “Ethics in SE” – Chris Silvers, Chris Hadnagy, Rachel Tobac, Grifter


Can you fool the Polygraph?

Polygraph: Noun. 1. an instrument for receiving and recording simultaneously tracings of variations in certain body activities 2. a test using such an instrument to determine if a person is telling the truth.

Many fear it, many have studied how to beat it…want to try your hand at it? Only at Derby Con do we bring the “Can you fool the Polygraph?” event. We bring in a professional polygraph examiner and ask a series of questions. If you can beat it there is some awesome SE schwag that is all yours.

If you want to join in on the fun then come to the SE Village at Derby Con on Saturday, October 6 where we will be taking live sign ups.


Mission SE Impossible

What is Mission SE Impossible (MSI)? Maybe the best way to describe it is if the Gringo Warrior Challenge had a baby with Ethan Hunt while getting some scotch soaked DNA from the Human Hacker, it would give birth to Mission SE Impossible. Also, this baby could shoot lasers out of it’s eyes.

With lock picking, hand cuffs, laser obstacle course, some ciphers, and safe cracking MSI quickly became extremely popular in the SE Village. Folks of all ages have signed up and competed in this event and are watched by an enthusiastic crowd who is always willing to help out and heckle.


SECTF at DerbyCon

This truly unique event will challenge you and test your abilities to use social engineering skills to gather small amounts of data from unsuspecting companies over the phone. Each contestant will be assigned a target company.  Each contestant will be provided with flags, a sample report and their call time. Each contestant was given three weeks to work on information gathering and reporting.

At DerbyCon, each contestant will have 20 minutes to call the target company and attempt to extract as many flags as possible. Then the true battle begins to determine “WHO IS THE SOCIAL ENGINEER CHAMPION”


SE Panels
It all started in 2016, at DerbyCon. A “rectangle table” (we couldn’t find a round table) was created where the greatest minds in social engineering sat and discussed their views on the ever changing social engineering landscape as well as answered your social engineering questions.

We’re bringing back the SE Panel this year not only on one but two days! You won’t want to miss your chance to learn from the top leading experts and ask them the questions you’ve wanted answers to
The SE panel will be held on Saturday, October 6 in the SE Village at Derby Con.


Derbycon Mental Health Workshop 

2nd floor – Bluegrass room
Friday and Saturday 8:00am to 6:00pm

We as a community struggle with large amounts of stress, mental health issues, and general emotional well being troubles. The purpose of this workshop is to learn about the issues themselves, coping mechanisms, help others close to us, and have a no judgement area to share stories and provide and receive guidance. There will be both structured and unstructured time given in this workshop.

Click Here for the schedule and more info



Mock Interview and Resume Review Workshop 

2nd floor – Marriott Ballroom V & VI
Friday Noon to 4:00pm

The Mock Interview and Resume Review Workshop provides an opportunity for folks in need of resume review and/or assistance with interview tips and techniques to receive, free of charge, one-on-one time with an experienced hiring manager to work on areas of weakness. The sessions are 30 min, by appointment, with limited availability for walk-ins. This is a great opportunity to pair hiring experts with job seekers in the security community. This is not a recruiting event and slots fill quickly, so organizers ask folks to send notification if they’re unable to attend during scheduled time. Although there are no guarantees, in 2017 around 50% of participants had a successful interview, job offer, and/or promotion within 30 days of attending the MIRR workshop. Interested in holding a workshop like this at your conference of event? The framework is on Github and we’re happy to get you started!



Lockpick Village 

2nd floor – Skybox Room

Friday and Saturday 10:00am to 7:00pm 

Lock Picking Pachinko will be making a comeback this year! We have plenty of other games and locks for all skill levels including the “Rumble Challenge” multi-round competition. Picking, bumping, more games, and other surprises are waiting for you in the lockpicking village! Awesome schwag will be awarded for top places in all competitions. Come to learn, stay to compete!



Car Hacking Village 

2nd floor – Filly room
Friday and Saturday 10:00am to 7:00pm

The Car Hacking Village is an interactive, hand-on event where village goers can learn about vehicle electronic systems. At DerbyCon we’ll run a CTF where we’ll have vehicle hacking trivia, electronic controllers for hacking, and we’ll sell tools related vehicle hacking.

Check out for info and contact. Follow us @CarHackVillage on Twitter.



Hardware Hacking Village 

2nd floor – Paddock room

Friday and Saturday 10:00am to 7:00pm

LVL1, Louisville’s Hackerspace, will be hosting a hardware hacking village, complete with devious and useful kits to solder together (no experience required! Through hole and surface mount kits available!) along with a showcase of projects. New this year: make your own essential-oils (while supplies last). Need some bling for the party?  We’ll have LED based kits to solder together, too. Interested in the low-level stuff? Stop by the hardware hacking village to hack together something of your own, chat with other hardware hackers, and check out some cool stuff. Interested in learning more about LVL1 and hackerspaces? Visit



SoHopelessly Broken 

2nd floor – Thoroughbred Room
Friday 11:00am to 7:00pm
Saturday 11:00am to 7:00pm

SoHopelessly Broken, presented by Independent Security Evaluators (ISE), is back at DerbyCon for our fourth year! We have expanded the contest to not only include SOHO routers, but other types of IoT devices such as network storage systems, cameras, and IP enabled toys!

Track 1: Players compete against one another by exploiting off-the-shelf IoT devices. These 15+ devices all have known vulnerabilities, but to successfully exploit these devices requires lateral thinking, knowledge of networking, and competency in exploit development. CTFs are a great experience to learn more about security and test your skills, so join up in a team (or even by yourself) and compete for fun and prizes! Exploit as many as you can over the weekend and the top three teams will be rewarded.

Track 2:  Hack shop area for people to actively hack and collaborate on selected devices.

Track 3: A variety of workshops and talks will be delivered throughout the weekend.

 Pawns: Hacking The Game of Kings 

2nd floor – Grandstand room
Friday 1:00pm to 3:00pm

Strategy, improvisation, analytics, stress reduction, thinking fast & slow, knowledge of offense & defensive techniques. What do all of these things have in common? They are all areas of skill that we as a collective group of security professionals can never have enough of. Few activities in this life encompass them more than the game of chess.

Have you ever wanted to learn to play chess but couldn’t find the time or were too intimidated by the learning curve? Didn’t even know where to start? This workshop is for you. We’ll cover what the pieces do, different openings, mating techniques, everything to get your gears moving towards a fun & rewarding journey of being a chess player. All skill levels are welcome.



Ham Radio Exams 

Exams – 2nd floor – Grandstand Room – Friday 4:00pm to 6:00pm

Exam Retests – 2nd floor – Thoroughbred Room – Sunday 10:00am to 12:00pm

Amateur Radio (ham radio) is a popular hobby and service that brings people, electronics and communication together. People use ham radio to talk across town, around the world, or even into space, all without the Internet or cell phones. It’s fun, social, educational, and can be a lifeline during times of need.

DerbyCon 8 will be host a ham radio licensing exam! The cost is $15 (cash or check only). Check out the ARRL website for information on what to bring to the exam, as well as exam question pools, free study resources, and other FAQ. No pre-registration is required.



Crack Me If You Can (CMIYC) Challenge 

Friday 9am to Sunday 11am (online challenge)
The annual password cracking contest “Crack Me If You Can” returned this
year to DEFCON, and are returning to DerbyCon as well!
Compete online in a 50 hour password cracking contest against the best password crackers in the world.  KoreLogic changed the rules last year, and this year’s challenge is less of a point-war, and more of a string of challenges with the goal being the first team to the end, wins! The contest will be online “forever” so you can play along at a later time, to see how long it takes you to finish. You think you can beat Team Hashcat’s time? What about the Cynosure Prime people? See how you stack up against John-Users. All worthy adversaries. Spend 50 hours of your CON behind a wall of GTX 2080s.



Hack your Derby: 

Judging 6pm, Location to be announced via @hackyourderby on Twitter

Winners announced @ closing ceremony

Hack Your Derby is a contest held annually at the DerbyCon hacker convention in Louisville, Kentucky. It is simple and straightforward: turn a derby hat — already a fine piece of functional fashion — into something more. Exactly how much more is up to you. Feel free to express your hacker spirit in the vein of technological or aesthetic development. There are points awarded by the judges in each of those categories, as well as accolades for overall originality.

You may either work on your derby creation before the conference or compete using exclusively what you can source in and around the con hotel during DerbyCon itself. Overall, however, the themes of “make something new, make something epic, make something awesome” are the order of the day.

There will be multiple winners in a variety of categories! All submissions must be displayed to the judges at 6 PM on Saturday (again, location TBA) and scoring will be totaled and finalized by Closing Ceremonies on Sunday.

For more information and full detail of the rules and categories, check Follow @hackyourderby for updates and to see amazing footage of the submissions!


Hacker Jeopardy #4.2 

(Oh, Hell Yeah, It Is! Same as last year… only different!

1st floor – Kentucky Ballroom F&G (Track 4)
Friday 8pm 
(One Night Only! Arrive Early. Limited Seating. Beer, Bribery, Humiliation and Nefarious Tactics OK.) Direct them at Lintile, Fizzgig and Winn. Let’s see how you do!

You know the game. You get publicly humiliated for saying stupid sh!t while chugging beers for a lousy 100 points a bottle! And the host and audience have all the fun making fun of your general ignorance. Or not… mayhaps? Will there be surprise SMARTS this year? You know we will taunt you, abuse you and confuse you, for our merriment, of course.

Still Want to Play? 2 – Games 6 Teams.

Then a one Category playoff for the two Winning Teams:

The Winning Team Gets:
1. Free TIX to DerbyCon 2019 (Priceless)
2. Copies of Winn’s New Book: Analogue Network Security ($100,000 value)

  1. Hall Pass to Play Hacker Jeopardy at DefCon: No Qualifications Round!

So You! Submit your Teams Now! Derby is only a few weeks off and you don’t want to miss your chance to drink free beer and demonstrate your ’skills’ in front of your guffawing peers.

Send your Team Submissions (and bribes) to Winn@SecurityExperts.Com Teams will be picked live at DerbyCon Jeopardy. So, that means, remember to Be There. (Oh, the abuse has already begun…)

  • Teams consist of 3 people, no more, no less
  • Contestants must be 18 or older, 21 to consume alcohol
  • WE CARD FOR ALCOHOL! No exceptions, this is mandated by the hotel
  • If you don’t have a valid ID, you may not consume alcohol
  • If you try to pass off a fake ID, your entire team is disqualified
  • If your team is called, you must have all members present. If they aren’t, you’re out that round
  • Points are awarded for answering questions right, as well as 100 points for every beer FULLY consumed by the beginning of Final Jeopardy
  • Failing a daily double will turn your beer into a warm N/A beer, which you must finish to resume drinking (no points are awarded for these)
  • You may wager any amount you have on a Daily Double. If you have less than $500, you may still wager $500
  • Humperdink Rule: If you puke before the game is over, you lose all beer points
  • The Ref has the final say over correctness of an answer. No arguing – that’s the end of it
  • All results are final. Sometimes we fuck it up, and if we do, we’re sorry, but there are no appeals
  • Contestants and audience members are expected to behave. If you can’t, you will be told to leave. If you are a player, your team may have to forfeit

Whose Slide Is It Anyway? 

1st floor – Kentucky Ballroom C & D (Stable Talks)
Saturday 7:00pm

“Whose Slide Is It Anyway?” is an unholy union of improv comedy, hacking and slide deck sado-masochism.

Our team of slide monkeys will create a stupid amount of short slide decks on whatever nonsense tickles our abnormal fancies. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage & be given a slide deck of our choosing. They will then improvise a minimum 5 minute / maximum 10 minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.

What are you playing for? Awesome prize packs from one of our generous sponsors. Players are chosen on a first come, first served basis so get there early.

Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it’s a night of schadenfreude for the whole family.

Hack the Hat V8 – Biking at DerbyCon 

Saturday, October 6th, at 7:30am

Most of you know that the first year we did this we actually started in Ohio and cycled our way down to Louisville in the days prior to the con. That’s a bit hard to manage on an annual basis so we settle for doing an early morning ride at the con instead. We’d love for you to join us.  Your best bet for this ride is to bring your own bike if you can. There are places to rent in Louisville and we’ll leave you to your own devices on that front as we generally don’t have enough critical mass for this ride to ask a shop for any deals or special accommodations. Be aware that renting may require you to pick up your bike the day before. Also it appears that Louisville finally has a bike share program so that’s an option as well – especially since there are pick up stations near the con venue.
Ride Details:
Meet Saturday, October 6th, at 7:30am in the Marriott Louisville lobby. You will meet Tom Tufts and Jim Elliott.
This is a no drop, no setting speed records ride but hopefully we’ll get about 15-20 miles in before finishing.
Route is TBD, but there will be no major hills (it’s Louisville after all)
We likely will NOT be back for the first talk of the day but should return with plenty of time to make that 2nd slot. Sorry Saturday morning speakers.
All riders need to have a bike, helmet, and water bottle (preferably filled with…you know…water).
Some of us have had good luck picking up a bike on Friday for the Saturday 7:30am ride from here: <- about 10 minute walk from Marriott.
Click here to let us know if you’re coming. All information gathered will be deleted after the ride is completed. Got questions? Tweet @Cycle_OverRide, or email info at