'twas the week before DefCon.

Jul 16, 2017

So, after many years I've decided that it's my turn to write a first-timer's guide to Defcon.  There are many like it, so I'll try to be as frank as I can about the topic.  I'm going to try to write for people who've never been to Defcon before (but may have been to other hacker cons).  I'm not going to lie or joke around (which some of the guides tend to do) and give as much personal advice as I can.  I'm also going to try to not sound like your parents, because nobody likes to read stuff like that.

It's been said that it is a common thing for people to write about their OPSEC protocols for Defcon that they don't use any other time, with the implication that they aren't serious about their security or privacy any other time and are sitting ducks any other time.  I would politely like to point out that not everybody has the same threat model: Defcon has one of the most hostile network environments on the planet, one which is not often found anywhere else.  It is erroneous to assume that people who only talk about how they prepare for Defcon do not take the same kinds of precautions at any other time.  What those people do may not be your business or anyone else's at any other time.

To that end, here are some of the security protocols that I use at Defcon, and happen to use at other times while I'm traveling, as well as some friendly advice to folks new to Defcon.

For the love of Pete do NOT bring any equipment from work.  Unless you have brand-new equipment from work, it will have work-related data on it, and there is no guarantee that you won't accidentally bring something nasty home with you.  I've personally seen this happen and it was a disaster that took weeks to clean up.  Upon showing some of the compromised hardware to contacts at the manufacturer because I couldn't make heads or tails of it, I was told "We have never seen malware like this before."

Make of that what you will.

It is not uncommon for people to practice on the Defcon networks because it is pretty much a free-for-all, and I don't mean CTF.  It is also not uncommon for people to field-test new exploits on the Defcon networks.  Conversely, if you want to field test your latest 0-days on the Defcon wireless network, there are people who record all of the traffic hoping to capture some new ones in flight.  Anyway, think twice about bringing your good, personal hardware with you because personal data stored on it will be at risk.  Things like tax returns (lots of abusable PII), credentials stored in web browsers, cryptocurrency wallets, and random files that you've forgotten you have.  Adding everything up, just eliminate the risk by not bringing it with you.  Buy a cheap, relatively disposable computer for Defcon and only for Defcon.  Sometimes you can get a returned, open box laptop from an appliance or department store for $100us or $200us.  Reformat it and install (and properly configure) a Linux (or even better, a BSD), then patch it.  Install all the stuff you think you'll need while you're at home, and then copy anything you've picked up while at the con to non-volatile media.  Wipe the drive for next time.  Also, you may wish to consider not bringing any hardware with you.  You can, in fact, go analog and still enjoy Defcon.  For the last couple of years I've not had a computer with me at all and didn't really miss anything.

Bluetooth is dangerous.  Do not use it.  Go wired or do without.

If you absolutely feel the need to get online while at Defcon, set up a VPN server and access everything (and I do mean everything) over that.  I use Nyr/openvpn-install to make life easy when building VPN servers.  If you've never done it before, set up an account at Digital Ocean and follow the instructions I linked to above.  Feel free to use my referral code to get a discount; you'll get $10us of credit.  It's really not difficult if you follow the instructions and the openvpn-install.sh script makes it so much easier to do so.  If you're going in a group to Defcon (and I highly recommend it, if only to make affording rooms easier), consider setting up a VPN server for everybody, or at least ask someone in your group to do it.  Giving the person that does so a few $currency to help defray the cost would be a polite thing to do.  Don't forget to install an OpenVPN client on your mobile device (Android) (Apple iOS).  Here's how to make the .ovpn config file those clients need and use it the moment you get to Defcon because mobile devices constantly send and receive data traffic without the user necessarily being aware of it.  You don't want to wind up on the Wall of Sheep.  Just in case, set up 2FA on everything you might access.  There's a chance you might get your login credentials snaffled, so a second line of defense would be good to have.
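
One way to confirm that "everything" really does go over the VPN once the client connects, as an added example that is not from the original post or from the openvpn-install project.  It assumes a Linux laptop, a tunnel interface named tun0, and a client using OpenVPN's redirect-gateway def1 option (which installs two /1 routes through the tunnel); the routing tables in it are constructed samples and IPv6 is not checked.

```shell
#!/bin/sh
# Added example: decide from `ip -4 route show` output whether every IPv4
# destination is routed into the VPN tunnel. IPv6 is not checked.

# Reads a routing table on stdin; $1 is the tunnel interface (assumed tun0).
# Prints "full-tunnel" and returns 0, or prints "leak" and returns 1.
full_tunnel_status() {
    awk -v tun="${1:-tun0}" '
        # The interface is the word that follows the "dev" keyword.
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        # redirect-gateway def1 covers the address space with two /1 routes.
        $1 == "0.0.0.0/1"   && dev == tun { low = 1 }
        $1 == "128.0.0.0/1" && dev == tun { high = 1 }
        # Alternative: the default route itself points into the tunnel.
        $1 == "default" && dev == tun { def_tun = 1 }
        $1 == "default" && dev != tun { def_other = 1 }
        END {
            if ((low && high) || (def_tun && !def_other)) {
                print "full-tunnel"; exit 0
            }
            print "leak"; exit 1
        }'
}

# Constructed sample: VPN up with both /1 routes via tun0.
SAMPLE_FULL='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0'

# Constructed sample: tunnel is up but only the VPN subnet goes through it.
SAMPLE_SPLIT='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

printf '%s\n' "$SAMPLE_FULL"  | full_tunnel_status tun0 || true
printf '%s\n' "$SAMPLE_SPLIT" | full_tunnel_status tun0 || true
```

On the laptop itself, pipe the live table in with `ip -4 route show | full_tunnel_status tun0` and treat "leak" as a reason to stay off the network until the client config is fixed.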

Before heading to Las Vegas get a pre-paid burner phone and keep your "real" personal phone in airline mode (or better yet, powered off entirely) from the moment you arrive in Las Vegas.  Open source cellular infrastructure has been a thing for a couple of years and it's easy to abuse if one knows what one is doing.  By "abuse" I mean carrying out man-in-the-middle attacks against people's cellphone calls.  Last year, I had the opportunity to talk to some old colleagues from the telecom industry (they were in cellular, I worked in VoIP for a while).  The day before Defcon started, they drove up and down the Las Vegas strip and used their field equipment to survey the cellular environment.  On Saturday, they did it again and tallied nearly twice the number of cell towers as before.  Another time, at Defcon 23 my burner phone received a notification of a pending over-the-air update.  The firmware update was from com.google.trust-me.no.really.  At the time I was using a crappy flip phone so this was pointless but amusing, but someone using a more advanced phone that didn't show error messages might have gotten a nasty surprise later.  However, if you're anything like me these days, trying to peck in T9 using those tiny buttons on a crappy phone will drive you nuts so buy a pre-paid smartphone.  Check Craigslist for a super cheap Android phone or an obsolete iPhone.  If you pay more than $100us for it, you did it wrong.  If you don't feel comfortable using a pre-owned phone, hit up Amazon for a pre-paid smartphone.  Don't forget to buy a top-up card while you're at it.  Depending on how much you use your phone, $120us worth of airtime should be enough for Defcon with a little airport time left over.

Install any pending updates at home and then install Signal from the appropriate app store.  Share your pre-paid number with your friends who are also going to Defcon so you can coordinate with each other.  Only put essential contact information on your burner phone, including an emergency contact or two.  Why?  Especially if all you're going to do is coordinate where you're going to have lunch and figure out what talks you're going to go to?  Simple: It's nobody's business but yours.  You can't really stop anyone from trying to listen in but you can get in the habit of protecting your communications so measures are in place when you don't think you need them.

Take a realistic look at the list of stuff you're bringing with you.  It's a hacker con, so you might be considering bringing a bunch of toys with you to mess around with in an environment where it feels safe (i.e., you won't get caught) to do so.  But ask yourself: Do you really need that SDR?  All that cable?  The reflow soldering rig?  Your HT and programming cables?  There's a lot of stuff going on at Defcon, you will not use everything you bring.  And you will curse the amount of stuff you brought by the end of the first day and leave almost all of it in your hotel room, and then probably complain while trying to find room for all the stuff you bought.  Be realistic about everything you're going to do at Defcon.  Consider cutting the amount of gear you bring in half.

While we're on the subject, save plenty of room in your luggage for stuff that you buy at Defcon.  You will find things you've never dreamed of in the dealers' room and you'll want to buy at least some of it.  You will also find things that you've had your eye on for a while in the dealers' room at a much better price than anywhere else you've looked.  At the very least you'll probably pick up a couple of t-shirts.  Make life easy on yourself and save room in your luggage.  I typically bring an expandable suitcase to Las Vegas but I leave it un-expanded as I pack so I'll have room for swag.  You can easily buy an entire wardrobe at Defcon so you may want to pack fewer shirts and compensate by buying them there.

Bring twice as much cash as you think you'll need, at least twice the price of admission (in 2017, $260us).  Las Vegas is an expensive place to visit and, again, you'll want to buy stuff in the dealers' room.  My advice is to only use heavily surveilled ATMs while at Defcon, like the ones on the casino floors within the footprints of at least one securicam.  Or, go a couple of streets off the Vegas strip and use ATMs at large stores.  ATM hacking is a thing, watch your back.

Food is stupidly expensive in Las Vegas.  A crappy lunch can run you around $38us.  Consider hitting a grocery store when you get to your hotel and make use of the fridge in your room.  Defcon typically doesn't have much in the way of food so don't expect to graze while you're there.  If you have any dietary restrictions you might be better off packing your own food.  I'm not an expert on that particular point, so I leave it to the discretion of the reader.

Dress cool because it is not unusual for daytime temperatures to be in the low hundreds Fahrenheit in the desert.  When stepping outside of McCarran Airport the heat hits you like a sledgehammer to the face and it doesn't let up.  Drink water.  Lots of it.  I recommend bringing a 1L water bottle, filling it up, and drinking it several times a day.  I try to drink five or six of them every day I'm at Defcon.  If you're the sort of person to party at night consider upping that to seven or eight liters a day to stave off alcohol-related as well as dance party-related dehydration.  Also, please consider showering twice a day, once in the morning and once in the early evening to wash the sweat off because you will sweat endlessly.  From personal experience, heatstroke at Defcon can happen.  If you stop sweating, go somewhere cool and find some way to cool off.  And, ask for help.  At the very least flag down a security goon (they wear red shirts, radios with curly-cord earpieces and usually lots of tactical gear) or have someone do it for you.

Get some sleep while you're at Defcon, you'll enjoy it more.  Trust me on this.  It is possible to stay awake for 72 to 96 hours straight, all the way through Defcon.  I doubt you'll remember much of the experience.  You'll probably crush your immune system, too.  Just don't do it.  I tend to get about six hours a night every night and do just about everything I want to do.

Do not fuck with the goons.  They run the con.  You do not.  Their lives are hard enough as it is.  They will not find your wacky shenanigans cute, they will throw you out and possibly hand you over to the Las Vegas police (or worse, hotel internal security) if they involve vandalism, incapacitation, explosives, or a body count.  Conversely, if you run into Priest (chief of the goons), please thank him for all of his hard work.  Being staff at a con is an exhausting, frustrating, sanity draining, and thankless job and it's nice to know that at least one person there doesn't think you're the enemy.  If you hear someone shouting "Make a hole!" put your back to the wall and let the goons through.  I've never seen them plow anyone over or otherwise physically move people out of the way, but neither can I rule it out.

Do not take pictures unless you ask all of the people you want to photograph.  At all.  If you are caught you will be ejected.  Period.  Full stop.  Con attendees may also take it poorly.  Don't be that being.  Conversely, you are well within your rights to refuse being photographed by anyone at Defcon.

If you are the sort of person who doesn't handle high data rate environments well for very long (like, oh, a hacker con with several tens of thousands of attendees), nobody will think less of you if you need to bail.  There is a chill room set aside specifically for this purpose.  Your hotel room works even better, assuming that you're not staying too far away from the con hotel.  Bring earplugs (bring an entire container - I do).  Punch out if you need to.  Come back when you can.

I wrestled with writing this next bit rather a lot and asked a lot of people for advice.  So, here goes.  Sadly, Defcon is like much of USian culture and that means that sexual harassment happens at Defcon.  If you are female-presenting and going to Defcon, it may happen.  If you are not female-presenting, harassment can and is known to have happened at Defcon, but it is most likely if you are presenting as feminine.  Knowing in advance how you might respond and what to do will help you manage harassment better if it does happen, as well as creating an opportunity for the hacker community to address this matter.  Sexual harassment is not a requirement or a rite of passage in the hacker community and nobody should have to put up with it.  Defcon has a code of conduct (local mirror, 20170716) for its attendees that is fairly specific about what you should do if you're on the receiving end:

Anyone can report harassment. If you are being harassed, notice that someone else is being harassed, or have any other concerns, you can contact a Goon, go to the registration desk, or info booth.

Conference staff will be happy to help participants contact hotel security, local law enforcement, or otherwise assist those experiencing harassment to feel safe for the duration of DEF CON.

tl;dr - get the attention of the goons.  They are there to help.

If you present as male at Defcon, you are not entitled to anything at all and that includes Defcon attendees.  Don't be That Guy.  Please respect people's boundaries.  For those of you going to Defcon who don't want to be That Guy, please read this.  (local mirror, posted without permission)  Then reread it.  Then read it again.

And now, a personal request:

There will be people at Defcon who are shy, anxious, stressed out, unused to being around thousands of people at a time (really), dealing with something in their lives that isn't anybody else's business, or otherwise aren't themselves right now.  They might come across as being... let's say of a lower caliber than one would expect of somebody who would attend Defcon.  Please be kind to them.  They might be dealing with a lot that you don't know about and they may not be handling the con well.  Sometimes being kind to someone will be the best help they could receive under the circumstances.

If you want to find out what's going to happen at Defcon, the best way is to haunt the Defcon Forums.  All of the discussion and announcements show up there first.  Additionally, some stuff that happens at Defcon (like Deafcon, Coindroids, Whose Slide Is It Anyway, and the DC Darknet) have their own websites and they're linked off of the forums.  Spend a day or two poking around and running searches to find the pulse of the con this year.

Special thanks to everybody who beta read this article and helped me rewrite some parts.  I couldn't have done it without you.  You know who you are.