The Lost Policymaker worked with Marc Rogers (@marcwrogers), head of DEF CON physical and network security for the past decade, to cut through the FUD (Fear, Uncertainty, and Doubt) about security and safety at Hacker Summer Camp. There’s a lot of #baddefconadvice out there to avoid, but not much recent, authoritative guidance on what really works to keep you safe and secure.
The bottom line
- Paper and plastic. Though many conference vendors accept credit cards, several (including badge sales) are cash only. Casinos have the world’s most surveilled ATMs, so they’re a pretty safe bet these days - though avoid any that look temporary.
- Secure Connectivity. Mobile carrier networks are by far the most trustworthy, followed by secure conference wireless. Use a trustworthy VPN, and consider turning off WiFi/Bluetooth (if not the device) when not in use.
- Avoid laptops; favor phones/tablets. Laptops - even those configured by experts - tend to be less securable than a fully updated phone or tablet made in the last 1-2 years.
- Data security. Avoid connecting to work systems while in or near the conference areas, and treat anything with USB (including fans, power adapters, etc.) like candy - don’t take it from strangers or pick it up off the floor.
- “Burner” phone optional. Bring a clean phone (or wipe your primary) set up as new, with minimal apps and accounts, and your primary number. Operating systems and apps other than the latest versions are at high risk in this environment.
- Dress for the event. The events are laid back and so are the dress codes. You’ll blend in and better endure the high heat and time on your feet by dressing simply and comfortably.
- Hotel room (in)security. Ask your hotel about any room search policies and ask at check-in how to verify staff that conduct these searches. Avoid leaving valuables or technology in your rooms - safes are not safe (see the Lockpick Villages for more).
- Photo courtesy. Privacy is important to the hacker community. No wide shots. If you do want to take a photo, ask the people in the area first.
- Conference safety and security. If you have any questions about physical safety or security, find one of the red-shirted Goons. They are there to help.
- Healthy dose of paranoia. If something looks suspicious, it probably is. Be cautious and skeptical, while exploring and finding what you’ll enjoy about the conferences. Too much paranoia can be debilitating (trust us).
Safety and security at Hacker Summer Camp
Money and Finances - Bring Cash. While Las Vegas casinos would love to extend you a line of credit, the hacker conferences that take place there don’t always accept credit cards. Many of the independent vendors that sell swag (souvenirs like clothing), electronic badges, and tools sometimes find it troublesome to deal with credit cards. Casino ATMs may be the world’s most monitored cash points, and official ones are generally safe, though they may be down in the immediate area of the conferences, victims of their own insecurity or network problems. Avoid ATMs that look unusual or temporary.
What to wear. Las Vegas casinos and conference speaking areas can get frigid, despite the hellish weather outside, even at night. A light, packable jacket - or yes, a hoodie - can help regulate the temperature swings. Many attendees rarely leave the relative comfort of hotels and taxis, though if you do, wear sunscreen to avoid quickly getting burned. And whatever you do, bring comfortable shoes for walking and standing!
Securing technology - Update your devices beforehand. The technology environment at Hacker Summer Camp has been described as “the world’s most hostile network,” for good reason. There are hundreds or thousands of active attacks on the open conference networks at any given time. However, they are also some of the world’s most surveilled networks, with dozens or hundreds of individuals and groups looking to discover attacks. Still, mobile carrier networks are likely to be more reliable and more secure. Fake base station attacks are less likely than in years past, as some conference staff routinely hunt these devices and get rid of them. A reputable VPN (installed and set up before you travel), in use at all times, further reduces risk of interception, eavesdropping, and tampering.
Mobile and tablet devices running the latest versions of iOS and Android, and fully updated, are some of the most secure commercial technology platforms ever. Security flaws (and attacks that exploit them) that are made public tend to be fixed quickly, and unknown attacks tend to be expensive to execute. So it’s unlikely that adversaries would use these expensive attacks at Hacker Summer Camp, especially when everyone has their guard up. Sophisticated adversaries are more likely to target individuals in other settings.
Cautious attendees bring new, clean phones and create new accounts that they will discard after the conferences are over. Others bring their primary phones, backing them up, wiping them, and setting them up as new, with the minimum necessary applications and accounts. It’s usually more of a hassle than a benefit to get a new number. And keep in mind that hotel safes aren’t really safe (ask the Lockpicking Village to tell you why).
It takes a lot to remember all of this and practice good OPSEC (Operational Security). It’s why some attendees decide to leave all their tech at home.
Masking up. With a sizeable population having been vaccinated, most venues have stopped checking vaccine status for indoor events. COVID-19 testing has similarly slowed down and is mostly done privately with at-home kits. Yet, there are still new COVID-19 variants and diseases (Hello Monkeypox) on the move. Spikes in infections and hospitalizations are not uncommon. Masks remain the most effective way to protect yourself and others, especially when travelling or at an indoor event. Hacker Summer Camp events cover a range of masking policies: The Diana Initiative requires an N95 or equivalent face mask for all attendees; BSides Las Vegas requires face masks to be worn at all times at the event; DEF CON requires a face mask; and Black Hat encourages attendees to make decisions based on personal health needs.
With DEF CON’s history of drawing in at least 30,000 attendees, a cautious attendee may seek out a higher-grade face mask. Robert Graham did an at-home comparison and assessment on the efficacy of various face mask types, keeping DEF CON in mind. Attendees looking to protect themselves best would do well to procure either a set of disposable NIOSH N95 certified masks, or an elastomeric mask with the correct disposable filter.
Health and Safety. Goons are volunteer conference security staff, there to make sure the events go well and to take care of health and safety issues. You can spot them by their red badges and red shirts, often strolling the halls with a backpack.
You’re expected to get at least 3 hours of sleep, 2 meals, and 1 shower - every day. This is known as the 3-2-1 rule for Hacker Summer Camp. There’s a note of humor here, yet also sound advice, as DEF CON - and Las Vegas - can become overwhelming. One of the secrets to survival is to be able to sneak off to a quiet place to just relax a little bit. DEF CON streams talks to the conference hotel rooms and BSides Las Vegas streams to the web, so you can watch the event from afar if you still feel like you’re missing out.
Las Vegas is HOT and dry; August is usually the hottest and driest time of year. Stock your hotel room with water and carry a couple of bottles at all times - one to drink and one to share. And no matter what your map tells you, walking outside to the next hotel over is NOT as close as it seems - stay indoors and take taxis or ride shares.
DEF CON has established an anonymous 20-hour-per-day (8am-4am) hotline for reporting issues or getting help. Call their trained volunteers at +1 (725) 222-0934.