Just another DEF CON guide
America’s premiere hacker conference is almost here: DEF CON 26 is August 9-12 at Caesar’s Palace and Flamingo, in Las Vegas, Nevada. Many people will be there early to attend Black Hat and BSides Las Vegas.

There are lots of DEF CON guides out there; many are created to grab search traffic. There is no one-size-fits-all guide: Everyone has different needs, expectations, interests, concerns, physical concerns, and boundaries. What works best is going to be unique to you. Above all, never forget that DEF CON is a roll-your-own experience. There will be massive crowds, long lines for everything from coffee to talks, and the area it covers is physically huge. Be prepared to spend longer than you expect getting from one thing to another.

Read the FAQ before you go. Put the DEF CON app on your burner phone. I also recommend the Queercon app (and Queercon in general). Definitely check out the #GoodDefconAdvice hashtag on Twitter.

Below is a small selection of recommended DEF CON guides. My personal guide for those new to DEF CON is after these links (updated):


HACKER SUMMER CAMP 2018 GUIDE — Part One: Surviving Vegas (Medium | Defcon201 - there are five great detailed guides here on everything)

Greetings ladies and packets and welcome to our Hacker Summer Camp Guide for 2018! We had a fantastic response last year where we made a similar guide as a presentation for our DEFCON 201 Meet Up before DEFCON 25 and we wanted to provide a similar comprehensive guide for 2018.


DEF CON for N00bs [non-fiction] (davidhashmiller.com)

“DEF CON has so many dimensions to it, that any summary will necessarily fall short of encompassing its full scope. Nevertheless, we’ll attempt it here. There are several main “tracks” (I use this term loosely) within DEF CON, more or less broken down as follows …”


A practical survival guide to Black Hat and DEF CON (CSO Online)

“Use a credit card if you must, and carry some cash, but not a large amount. The one rule about money that you need to remember, this goes for Black Hat and DEF CON, is to never – EVER – use the ATMs. Not only are the fees outrageous, it is likely that it might be tagged with a skimmer or they’re completely fake. It’s happened before.”


On Preparing For Black Hat / BSides LV / DEF CON in Las Vegas (mchow01.github.io)

“I originally wanted to write a list of dos/don’ts but it was more difficult than I thought: the list was never-ending. There are many lists of dos/don’ts at BSides LV / Black Hat / DEF CON out there. Having been to Las Vegas for DEF CON since 2006 (except for 2009), I can say three basic facts …”


Surviving the Def Con hacker conference (Engadget)

“The hackers and security researchers are there to present vulnerabilities within the systems we rely on. But there’s a tinge of mischief that permeates the event. Because of that, everyone that attends is fair game for hacking. That meant taking certain precautions that I wouldn’t regularly take while covering an event.”


MY ADVICE

This section is not intended for ‘activists’ or ‘hacktivists’ or seasoned hacker con attendees who have advanced needs and knowledge. This is for non-technical hacking scene outsiders who end up around our conferences for a few days, whether by choice or by chance.

Black Hat, DEF CON, and BSidesLV are hacker and infosec business conferences with strong subcultures. They are what you’d consider digitally hostile environments, especially DEF CON. Their networks have best-of-the-best security in terms of operations, but the atmospheres are a free-for-all for hacking, spoofing, surveilling, and trying out new attacks.

I have been to hacker conferences all over the world, from the most corporate to the shadiest. I’ve also taught digital safety for journalists at international human rights conferences, and immersive media trainings I’ve done for crisis workers with folks from Doctors Without Borders. Telling you about all this is my way of saying that my path navigates the extremes of digital hostility, and I have kept my sources protected and my life intact. Basically, I have what you might call a harm reduction approach to digital security.

HARM REDUCTION
The most helpful way to think about digital security, especially in this atmosphere, is in terms of harm reduction. This is where you learn about the risks you’re taking and take steps to reduce those risks. Do the things that make the most sense for you and your specific situation and needs. Harm reduction allows us to individuate blanket advice that may not work for everyone. When you identify and understand the risks, you can do what makes the most sense for your situation — to reduce potential harm to yourself and those you care about. Remember that risks you take with your phone on a hostile network are risks that you extend to everyone in your address book.

Harm reduction is part of safer sex culture as well. Notice that it’s called “safer” sex and not “safe” sex. That’s because there is no such thing as a technique that is 100% safe for every person; each individual’s situation (and environmental/situational factors) are different for every experience. Same goes for security. 

You can never be “no risk” on a computer, phone, tablet, connected device, or automobile. But you can be safer than most people, and a more difficult (or less desirable) target than the people around you. If things do go awry, harm reduction prepares you to keep things under your control and limit damage.

See also: Harm reduction for hackers (CCC/29c3)

JERKS
You may encounter people who look down on you, or are outright rude and humiliating about the kind of phone or laptop, or operating system you use. For instance, they will say things like “anyone who uses an Android phone is stupid or poor,” or they will engage in cruel sarcasm like “sucks for you.” Do know that the activist scene has become particularly toxic, and viciousness related to social class is rampant in cybersecurity.

Ignore them; you don’t need the approval or friendship of anyone who humiliates other people to make themselves feel superior. What you have, what makes you happy, who you are, and what you can afford is what makes you smart, empowered, and interesting.

THINK AHEAD
You’ll often hear advice saying that before you go to DEF CON, you should get a separate phone (like a burner phone) and laptop (like a Chromebook). If this is something you can do, that’s great. But this isn’t practical or affordable advice for most people.

It’s common that upon landing in Las Vegas, you’ll grab a ride from the airport to the hotel in a cab. You’ll probably use a credit card. If you haven’t notified your credit card that you’re traveling, they might freeze your card until you call or log in to verify you’re traveling. The last place you want to be transmitting answers to security questions or the last four digits of your social security number is in the hotel lobby.

Before you go:

– Set travel notices on your credit cards
– Do all your computer, app, and phone updates
– Back up your phone and laptop
– Empty all the trash
– Remove from your devices any files that are non-essential or sensitive
– Disconnect auto-posting on any apps you’ll be using, and remove non-essential connected services (like if you have Disqus approved to use your Twitter account, etc.)
– Download a VPN and try it out

TARGET AND NON-TARGET AREAS
Consider the locations of Black Hat, DEF CON, and BSidesLV to be “target” areas during the dates of July 29-August 8. Think of it as if there’s a physical perimeter of the targeted areas. Those areas are the primary hotels for Black Hat, DEF CON, and BSidesLV, as well as the other main hotels attendees stay at. Those hotels are Caesar's, Flamingo, Mandalay Bay, Tuscany Suites, Bally’s, Paris, and Cosmopolitan.

Within those perimeters, try to avoid engaging in high-risk behaviors.

HIGH-RISK BEHAVIORS
There are things you may normally do in your everyday life that would make your DEF CON experience a bad one. Or, it will be very annoying because you’ll have to get a new phone and have to change all your passwords. Things you should assume are compromised include wifi and phone networks (spoofed cell towers), and things like charging stations. High risk behaviors include:

– Using wifi or wired (Ethernet) connections without a VPN
– Using Bluetooth
– Using phone/data (tethered) connections without a VPN
– Accessing websites that don’t use https
– Leaving your device or computer “always on” wifi or Bluetooth

Other high-risk behaviors to avoid in the perimeter:

– Logging in on services, i.e. where you might type your password
– Accessing banking or credit card services, billing services, or things where sensitive data is accessed
– Calling services where you need to provide identity codes, security question answers, or your social security number; like credit cards, your bank, etc.

If you have to engage in high-risk behaviors like accessing your credit card accounts, leave the targeted areas. Hack-savvy journalists often leave the DEF CON areas to get work done, and catch up on life’s responsibilities (like paying bills we forgot about, etc.)

MITIGATING RISK
What you’re at risk for is being hacked, which means a lot of different things. This means being spied on in your communications or through your camera, having your logins and passwords fall into malicious hands, ending up with malware on your phone, having your address books copied and stolen, and more. If you get hacked, you’ll need to change all your passwords, and you may need to get a new phone, tablet or laptop. The hassles and harm can be more and worse, of course, depending on your situation.

You can mitigate risk with a little conventional hacker wisdom:

– In general, your risk is higher with Android – but your risk is not zero with Apple/iOS.
– Unless you already use it, don’t bother with Tor
– Always use a VPN (TunnelBear for iOS, Perfect Privacy; see Torrent Freak for more recommendations)
– Consider using encrypted communication apps like WhatsApp, Threema, or Signal
– Shut your phone off when you’re not using it (airplane mode is a good fallback)
– Keep wifi and bluetooth turned off on your laptop when not needed
– Cover your cameras with stickers, post-its, or tape
– Always pretend someone is looking over your shoulder and ogling your screen; you’ll behave in safer ways
– If you know how to, encrypt external hard drives / USB sticks so they require a password
– Always require your phone, laptop, tablet (etc) to have a password
– Use a password manager app (1password is my fave), and use it to a) eliminate duplicate passwords, and b) create crazy complicated passwords.
– Double check all links for accuracy before you click them; if they look weird or have a typo, don’t click

In addition, do not ever:

– Click on strange links, or links from unexpected prompts (even if it’s a log-in page that looks legit)
– Open or respond to fishy, unexpected or unusual emails or text messages
– Open or download attachments even from trusted sources unless you’re expecting them
– Download anything from text messages or click links in texts (unless expected)
– Assume the “Google Free WiFi” you see in a list of available networks is actually Google’s wifi
– Log into anything on someone else’s phone or computer
– Plug a USB stick into your computer that isn’t yours
– Use a charging station
– Use the hotel ATMs
– Leave your phone, tablet or laptop out of your sight; it’s a hassle, but I carry mine everywhere I go when I’m on-site

Let me know in the comments if you think I missed anything, and feel free to ask me any questions. (I’m most often hanging out on Twitter.) Unlike some people, I honestly believe there is no such thing as a “stupid” question when it comes to hacking and security, and I won’t judge your choices, preferences or needs. Also: please consider becoming a patron. This is a labor of love.