DEF CON is a massive hacker conference which, as of writing, will have its 27th year coming in the following months. This also means that rival hackers may decide to mess with other people's devices, including your own. Hotels and establishments also adjust their security posture for the event. A bouncer I met at a party at DEF CON 25 had even been instructed not to turn on anything with batteries.
I will say that while the raised preparedness helps, you do not have to be paranoid, nor should you. Paranoia is not your friend. By putting security into your routine, also known as practicing good Operational Security, you'll be able to function normally with security being somewhat second nature. Before I dive into this, I should open with a disclaimer.
Warning: This guide was made for my Threat Model
Before we continue, I should tell you a few things about myself:
- Work as a computer technician
- Pursuing a career in InfoSec
- Knoxville DSA activist
- Anonymous, and nobody special
- Have implied systemic privileges in the United States
It's weird disclosing these things, but it's important to note that this article was written with my Threat Model in mind. Some people might be in the limelight (like a corporate officer, or an online personality), hold a very sensitive job (such as one that requires a Security Clearance), or even might be in a place where they are not free to be themselves (a gay man in a country with hostilities against the LGBT community, for example). Such persons may have to go above and beyond what is in this guide if their threat model warrants it. One helpful guide to this is the Electronic Frontier Foundation's Surveillance Self Defense Guide module on making a Security Plan.
For all intents and purposes, this article is a guide on ways to protect yourself from bad guys at the DEF CON Conference in Las Vegas.
On Operational Security
Operational Security (or OpSec) for the purposes of this article can simply be defined as managing risks to your devices and information. This will require changes in behavior, as well as configuration changes to your devices and applications. This particular guide will be broken down into device security, and communications.
Devices at DEF CON should be locked down so only you are able to use them if you do not intend to share them. This means that different devices may need to be configured in different ways, but generally speaking anything you bring with you should always be in your custody, and you should also be mindful of what information you might bring with you.
Maintaining custody of your devices is a sound defense against parties that would seek to make modifications to your equipment. This means of security only requires you to make sure you know where your stuff is, and who is handling your stuff. Should your phone or notebook be stolen, its contents may end up in an adversary's hands, or the device could be modified to report back to them.
Taking Stock Of Your Data
Before bringing a notebook or phone, consider what could be on those devices, and what might happen if they were to be compromised. We all have contacts, messages, pictures, and documents that could be used against us by somebody (your employer, ex-boyfriend/girlfriend/significant other, the cops, etc). If you believe that there is information that would pose an unnecessary risk to your work or well-being, it is recommended that it not be brought on any devices that you take with you.
If you want to eliminate most of this risk and guesswork, you could back up your data to an external storage device that you would leave at home, and wipe your home directory. This way, most of your personal stuff does not get taken to the conference with you, and your information will be at home when you get back there.
Keep Up To Date
Any software on your laptop or phone should be updated to the latest version. If you are using a discontinued OS that is no longer supported by the vendor, there are open source alternatives like Ubuntu or Linux Mint that work with a variety of hardware.
Full Disk Encryption
Having your hard disk and storage devices encrypted will disallow anyone who gets their physical, AFK hands on your stuff from accessing its contents.
Many Linux distributions will allow you to install their OS with encrypted volumes during the initial setup. Typically these come in two different schemes:
- Full disk encryption - Encrypting your entire hard drive
- Private Directory Encryption - Each home directory is encrypted with each user's passphrase.
It is recommended that you go with a full disk encryption scheme, as it will encrypt almost all of your filesystem. Private directory encryption only encrypts home directories, which leaves system files and configurations exposed to tampering. It is also possible to implement both schemes, so those with access to the computer cannot access the home directories of other users.
Encryption, and your constitutional rights
Full disclosure: I am not a lawyer.
An encrypted volume can be secured with either a keyfile/token, or a passphrase. It is important to know that you do not have to surrender knowledge to the police to unlock your devices (such as PIN numbers and passphrases). Being compelled to do so may constitute a violation of your 5th Amendment rights.
Police may however obtain and execute a warrant to obtain tangible info or items that can be used to unlock your devices. While your password is a product of your mind, a token is not, and therefore is not subject to 5th Amendment protections.
Kill Unnecessary Wi-Fi Transmissions
Some devices will retain a history of SSIDs that they have connected to. If your device is set to connect to an access point automatically, it may send multiple probe requests containing an SSID that you have previously connected to. This can be used to set up a rogue AP that your device will connect to.
Unless you are actively using an access point, it is recommended that you leave your Wi-Fi disabled. When connecting to new access points, ensure that you will not be connecting to them automatically.
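As an added example (not part of the original post), a POSIX shell audit for Linux machines running NetworkManager: it lists the saved Wi-Fi profiles that will still auto-connect and prints the `nmcli` commands that switch that off. The sample `nmcli` output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Lists the saved Wi-Fi
# profiles that NetworkManager will join on its own (the SSIDs the device
# goes looking for) and emits the nmcli commands that switch autoconnect
# off for each. Assumes Linux with NetworkManager's nmcli.

# Constructed sample of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`.
SAMPLE_PROFILES='HomeWiFi:802-11-wireless:yes
CoffeeShop Guest:802-11-wireless:yes
Wired connection 1:802-3-ethernet:yes
Work VPN:vpn:no
OldHotel:802-11-wireless:no'

# Reads terse nmcli lines (NAME:TYPE:AUTOCONNECT) on stdin and prints the
# names of Wi-Fi profiles that still auto-connect. Wired and VPN profiles
# are skipped since they involve no over-the-air probing. Profile names
# containing ':' (escaped by nmcli as '\:') are not handled here.
list_autoconnect_wifi() {
    awk -F: '$2 == "802-11-wireless" && $3 == "yes" { print $1 }'
}

# Turns that list into reviewable nmcli commands (printed, not executed).
disable_commands() {
    list_autoconnect_wifi | while IFS= read -r name; do
        printf 'nmcli connection modify "%s" connection.autoconnect no\n' "$name"
    done
}

# Convenience wrapper over the constructed sample; returns the count.
count_sample_autoconnect_wifi() {
    printf '%s\n' "$SAMPLE_PROFILES" | list_autoconnect_wifi | wc -l | tr -d ' '
}

# Live use: review the output, then pipe it into sh to apply.
#   nmcli -t -f NAME,TYPE,AUTOCONNECT connection show | disable_commands
# When not using any access point at all, turn the radio off entirely:
#   nmcli radio wifi off
```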
Tails is a Linux distribution made for Tor users and the privacy conscious. By default, it will route all your web traffic through Tor. You can even boot it off a live disc or external storage, so any information in the live environment will be wiped when you turn your computer off. This is also useful if your primary OS fails, as you would be able to fall back on the live distro to work with.
Attendees are going to be sniffing packets and frames out of the air like crazy. Here are a few of the steps you can take to secure your communications at the conference.
DEF CON Secure Wi-Fi
Prior to the event, you can set up your device to work with DEF CON's secure wireless networks. Check DEF CON's Twitter feed for when they post the registration link.
Communications on the wireless spectrum are going to be constantly sniffed by other attendees that are interested in the wireless traffic at the conference. It is recommended that you use a service that routes all your traffic through an encrypted tunnel, and forwards it to the rest of the internet, so that way nothing that gets intercepted can be read.
Virtual Private Networks
I've been using PrivateInternetAccess as my VPN provider, and it has been fast and reliable, and also has a killswitch feature in their proprietary application. A few of my colleagues have recommended NordVPN as well.
There are several to choose from, but it is recommended that you do your research on them, as they will have different policies with respect to your privacy and what they keep tabs on, and implement their solutions differently. TorrentFreak has a recurring blog post that examines several different VPN services, and inquires about different aspects of the service such as how they handle legal requests, which external vendors they use, how they keep and maintain logs, and other details.
Tor is the only truly free traffic tunneling and anonymizing service. It is maintained by The Tor Project, as well as all the volunteers that run their own Tor nodes. Along with the aforementioned Tails OS, Tor is also accessible through the Tor Browser.
This is also useful if you do not use, or cannot afford a VPN subscription. Other 'free' services exist, but they likely make their money by selling the information they mined from their userbase. These no-cost VPN or proxy services may even sell you out to the authorities when it is convenient for them to do so (as Hide My Ass did with a lulzsec hacktivist). If you're not being sold a service, chances are you are the product.
One major drawback with using Tor however is that you may be locked out of several services that you would normally be able to connect to. This is mainly because several different people are trying to visit the same sites using the same exit node, and this can be interpreted as automated connection attempts to the server. Exit nodes may also be blacklisted due to the fact that Tor could be used for criminal activity, and the maintainers of a service do not want anonymous users connecting to their services.
SMS communications are likely to get read by anyone who happens to be sniffing the cellular bands. There are applications available that provide end-to-end encryption, so that messages stay unreadable even if they do get intercepted. They have their own specific purposes and needs, but they have been useful to me:
- Signal - An open source application from Open Whisper Systems. This application has the lowest barrier to entry for deploying secure communications by phone. Features like message verification, video chat, and disappearing messages come standard. It requires a phone number to set up as intended, although there is a workaround for this.
- Keybase - A service that uses social media contacts to verify public keys, which provides secure messaging services as well. Contacts can be searched by linked account handles in order to get in touch with someone, so you can directly message them without exchanging phone numbers.
- Threema - This is a chat application with its own wide variety of features. Its services are based in Switzerland, which has very comprehensive privacy laws (also GDPR compliant). The application also does not require a phone number or email to use, and only uses an ID number (Threema ID) as a unique identifier. The only drawback is that it costs money to install on your phone.
All this isn't just for DEF CON
While this guide was written for preparation for DEF CON, in reality this advice is useful wherever you go within most of the United States. I've observed the local establishments going above and beyond in their security efforts in Las Vegas, and this may be happening because all of the threats are the most overt while the conference is happening.
Even after DEF CON is over, bad guys are still gonna do bad guy related stuff, ad companies will still be trying to elicit information about your online habits, and governments will continue their cyberwarfare efforts against each other. They will be doing all of this without the outright tells of a hostile network environment.
What you do at DEF CON for OpSec can be taken beyond the conference to deter the possibility of being a victim of a crime, or make it more difficult for other parties to track you.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.