DerbyCon experience (by an 8 year old)

Posted on

For the very first time in all of history, I was told that an 8 year old was going to be giving a talk at the famous security conference – DerbyCon. Thanks to Dave Kennedy (@HackingDave) and the entire speaker selection team for selecting me to speak at DerbyCon 4.0 (2014). I wondered, what you might have thought when you saw a submission from an 8 year old? I hope I made you proud!

First of all, let me start by saying “I loved DerbyCon!”

We drove from Austin, TX to Louisville, KY, over a thousand miles!!! On the way to the conference, I prepared my talk and demo, like a million times, in the car. My dad (@manopaul) and mom (Sangeetha Paul) were excited and nervous at the same time. My lil’ brother, Ittai was my cheerleader saying “You go, Reuben!” 🙂

Reuben Paul - Enroute DerbyCon Car Prep

Prepping on our way to DerbyCon

But since we got there late, I missed the keynotes by Ed Skoudis (@edskoudis) and Dave Kennedy. But I still loved the con.

Reuben Paul - with Erin Kenedy

Erin Kennedy welcoming us to DerbyCon

At the con, as we were registering, they asked me if I wanted the child badge or the speaker badge. I took the speaker badge (LOL). We got greeted first by Erin Kennedy (@MrsRel1k). Erin went to look for some toys and goodies to make me and my little brother, Ittai, feel welcome as one in the family.

It was September 26th, 2014 – the day of my talk. Just before my talk I was very nervous, but everyone is nervous on their first talk, I think, but, when I went on stage, I just went with the flow. The person in charge of the speakers, Jim Manley (@jw_manley), had to get me a chair, because I was too short for the podium. Jim said that “they’ve never had a issue like this, before” :-). Now, they call me “Chairperson” of conferences, not because I am the most important person in the conference, but because I have to stand on a chair to reach the mic to give my talk. 🙂

Reuben Paul - Chairperson at DerbyCon

Standing on a chair to deliver my talk (now you see why they call me the Chairperson of the conference)

By God’s grace, I think my talk went superb.
The title of my talk was “InfoSec from the mouth of babes (or an eight year old)”.
I talked about three things –

  1. Why do you need to teach your kids InfoSec?
  2. How can you teach your kids InfoSec? and
  3. What can kids teach you about InfoSec?

I also said why kids are the best social engineers (next to puppies and the setoolkit by Dave Kennedy and the TrustedSec team (sorry Dave) :-)) and did a demo on how to get a meterpreter shell back. I got five shells back – pwned. :-).

Here a few tweets by Dave Kennedy and Jayson Street about my talk and demo.

Reuben Paul - Dave Kennedy Tweet WOW

Dave Kennedy’s tweet about my DerbyCon talk

Reuben Paul - Jayson Tweet - AboutReubenGettingShell

Jayson Street’s tweet about me getting shell in my DerbyCon talk demo

After my talk, Jayson asked, if I could program for Android? I should have responded by saying what my mom wanted to say which was “Get yourself an iOS device“ but instead I did the business thing of saying “I should learn Android programming.” 🙂
At the end of my talk, after thanking my God, Jesus Christ for the gifts and talents he has given me, the organizers of DerbyCon and all who came to hear me speak, I closed my talk by saying “HACK ALL THE THINGS, BUT DON’T DRINK AT ALL.” (I hope Dave (@dualcoremusic) did not mind me changing his lyrics a bit :-).  It was awesome, meeting him in person as well.

Reuben Paul - with Dual Core

Me with DualCore

It was an AWESOME experience for me!!!
At the end of this writeup, I have put the video link of my debut DerbyCon talk (thanks to Adrian Crenshaw (@IronGeek_adc), whom I met in the lobby, as I was preparing for my talk).

At the end of my talk, Jim Manley came and told my dad, that for the first time, he saw people waiting in line to get into a stable talk at DerbyCon – so thank you to all the people who came and attended my talk, making it houseful.

Reuben Paul -housefull

Q&A time after my talk

After my talk, I went to the Social-Engineer booth where Chris Hadnagy (@humanhacker) gave me the Social-Engineer challenge coin for my talk and demo. This was my first challenge coin. Chris then put me on the polygraph machine. They asked me many questions and one question was “if I have ever tattletaled on my brother?” I told the truth but I think the polygraph machine was broken or it had a mind of its own. Chris then laughed out loud and said something like, “I am a damn good hacker, but a really bad liar.” Paul Asadoorian (@securityweekly) who was in the booth next to the polygraph machine, was enjoying all the truth I was saying and laughing out loud. 🙂

Reuben Paul - with Chris Hadnagy

At the booth with Chris Hadnagy and team

Reuben Paul - polygraph

Being polygraphed – Am I a good liar?

Then I got to go to the lock picking room. The company that ran it was named TOOOL. I got my first lock picked, which I think is pretty cool.

Reuben Paul - lock picking

Lockpicking at DerbyCon – My first lock picked!

At this time, one of my dad’s friend, Dave Clarke, who helped my dad settle down in America, when my dad first came to Virginia, texted him and told him that his son, Michael Clarke (@michael_clarke) was attending DerbyCon and had spoken to him about my dad and me. Michael came and met my dad and my dad was super happy to see him.

Michael Clarke with my Dad

Michael Clarke and my Dad


After this, I went to the CTF room, managed by Scott White (@s4squatch) but we could never get to connect to the internet over Wi-Fi (next time when you run CTF, think about kinda adding a little bit of some WIRELESS CONNECTION that actually works – Scott :-)). Then Tom Moore (@c0ncealed) from Proverbs Hackers list gave me a network wire for me to use. I think it was a God sent gift at that time. Then my dad helped me identify some flags, since this was my first CTF. Our team name was team RAPstar, and in the one hour, we were there we got a score of 720 for about 6 to 7 flags (not bad for my first time, I think). 🙂 Scott also gave me a DerbyCon CTF challenge coin. Thanks Scott. 🙂

Reuben Paul - DerbyCon CTF coin

At the DerbyCon CTF – Scott White gives me a challenge coin. 🙂

Reuben Paul - DerbyCon CTF Scott White

Team RAPstar (my first CTF) on the DerbyCon CTF score board.

I met a lot of people at DerbyCon. Like many people from the Proverbs Hackers list (Michael Farnum, Carl Sampson, Tyler Halfpop, Michael Sudduth, Tom Moore …), Hackers For Charity (Johnny Long, Justin Brown), TrustedSec team (Dave Kennedy, Erin Kennedy, Scott White, Paul Koblitz, Larry Spohn) and friends of HackFormers (Rich Grimes, Ed Skoudis).

Reuben Paul - with Dave Kennedy

Me and my brother Ittai with Dave Kennedy

It was good to meet Metasploit expert @egyp7 who had come to my talk, and  tweeted that I was hardcore after my talk. Thanks @egyp7. Ed Skoudis also encouraged me about my talk and I knew him from before as he had come and stayed at our house, to speak at HackFormers, before DerbyCon.

Reuben Paul - with Ed Skoudis

Ed Skoudis chatting with my brother Ittai and me at DerbyCon

I was thrilled to meet Johnny Long who started Hackers For Charity and get my first awkward hug from Jayson Street.

Reuben Paul - with Johnny

Meeting Johnny Long from I Hack Charities

Reuben Paul - Awkward hug with Jayson Street

Awkward Hug from Jayson Street (my First) 🙂

I also met Kevin Johnson from SecureIdeas, who is a good friend of my dad, whom I also knew from meeting him at our house. Another Kevin, I got to meet was Kevin Mitnick, who is well known in the security industry, and got to take a picture with him (with our DerbyCon speaker badges) 🙂 which was really cool.

Reuben Paul - with Kevin Johnson

Kevin Johnson from SecureIdeas checking out my card 🙂

Reuben Paul - with Kevin Mitnick

Meeting Kevin Mitnick

I also got to take a picture with Erin Jacobs (@secbarbie), the Barbie who is not hackable 🙂

Reuben Paul - Erin Jacobs

Meeting Erin Jacobs (@secbarbie)

@t1as gave me some Godly advice of not becoming proud as fame is short-lived, but to be humble and a child of God, all the time, which I liked very much. Thank you @t1as.

Reuben Paul - with @tlas

@tlas giving Godly counsel (Loved this)

I was thrilled to meet the best hacker artist ever, Eddie Mize (@EddieTheYeti) and take a picture with him. What an honor I felt when Eddie painted my face after DerbyCon – an honor which I am not sure, if I deserve. You can see Eddie’s painting of me. My dad told me that while most people who are painted by Eddie need to be painted only once, in my case, since I am growing, he may have to paint me again 🙂 (lol)

Reuben Paul - with EddietheYeti

My family with Eddie Mize (@EddieTheYeti)

Reuben Paul - Painting by @EddieTheYeti

Eddie’s (@EddieTheYeti) painting of me – Truly an honor

My dad has spoken to me much about some of his other friends, Khalil Sehnaoui (@sehnaoui), Dave Marcus (@DaveMarcus) and Nate Sanders (@mauvehed), whom I hoped to meet, but did not get a chance too. Hopefully, I will get to meet them in DerbyCon next year (if I get selected again for a talk :-)).

In closing, I would like to say, “DerbyCon was awesome.”

I loved meeting many people and seeing everybody. I loved the family like environment. It felt nice, to not be judged even though I am only 8 years old and be respected for what I knew and what I could do. Most of all, I loved DerbyCon, because it made me feel included to be part of such a wonderful family (of hackers). Truly, DerbyCon lived up to its theme this year – Family Rootz.

Reuben Paul - Family Rootz

With Jim Manley and the DerbyCon Family RootZ board (has my dad’s and my signature on it – WooHoo)

I hope to be back for DerbyCon 5.0wned. 🙂


My talk – InfoSec From the mouth of Babes (or an 8 year old). Debut at DerbyCon. Enjoy and share.

Tags: , , , , , , , ,

One Comment

  1. Rick Catley

    Great Job!

    I met Eddie this week at work and was blown away! He had great thing to say about you! It is really nice to see a hard working young man up and coming. Way to go Pal!

Leave a Reply

Your email address will not be published. Required fields are marked *