
DEF CON Security Guidance


I’m looking forward to seeing folks at DEF CON again this year! I hope this post helps you find a good security mindset. Please reach out if you have any questions: brian@secureactivism.org 

Think about your threat model

Your biggest concern at DEF CON is… Hackers!

  • Likely: Messing with existing networks, setting up fake networks, tampering with infrastructure (hotels, elevators, ATMs, transportation).
  • Likely: Gaining access to unprotected devices via social engineering, seeding malicious accessories (USB drives, cables, etc).

Mid-level concerns at DEF CON are aggressive hotel staff or police, and the ordinary criminality found in any large gathering.

  • Moderately likely: Arbitrary hotel room searches. It has happened at previous DEF CONs at multiple hotels.
  • Moderately likely: Stolen devices, petty theft, financial fraud.

Your lowest concern at DEF CON is… Aggressive foreign Nation States!

  • Very Unlikely: Compulsory access to your devices via force or coercion.
  • Very Unlikely: Unusual mass surveillance or broad, sophisticated network-based attacks.
  • Very Unlikely: Active ongoing compromise of the cellular network or sophisticated attacks via rogue cellular infrastructure.

If you believe that your threat model is different, please contact me, let’s talk!

A note about burner phones (my top frequently-asked question):

Burner phones, when procured and managed correctly, can make it more difficult for a government conducting mass surveillance to identify you through the presence of your phone. They can also reduce the amount of information available to a determined, advanced adversary if they obtain physical access to your phone. However, properly procuring a true burner phone is VERY DIFFICULT. Also, this situation does not apply to DEF CON, provided you secure your phone with a long, unique PIN (see the checklist below). Read more about burner phones here: https://secureactivism.org/understanding-burner-phones/

Pre-DEF CON Checklist

  • Update ALL of your phone and laptop software:
    • Operating systems
    • Apps
  • Back up all your devices!
  • Secure your laptop:
    • Engage full-disk encryption: BitLocker for Windows, FileVault for Mac.
    • Disable auto-login.
    • Use a long, unique, random, un-guessable password.
      • Either at least 12 random, non-word letters, numbers, and special characters, OR
      • At least four unrelated words in a row, preferably with numbers scattered between and at the end, where this entire “passphrase” is at least 24 characters long.
    • Log out of accounts you don’t intend to use at DEF CON.
  • Secure your phone:
    • Remove apps/software you don’t need, log out of accounts you don’t intend to use at DEF CON.
    • Make sure your phone has a long, unique PIN (at least 8 digits).
      • Biometric unlock (fingerprint or face) is actually a good idea in this situation, as no-one can “shoulder surf” you and see you enter your PIN
        • It’s unlikely that anyone is going to force you to unlock your phone (our threat model doesn’t include violent criminals/extrajudicial police action)
    • Consider activating the “Find My” feature
      • Track a lost or stolen device
      • Remotely wipe a device
    • Install and start using Signal!
  • Secure your external storage:
    • Activate full-disk encryption on USB drives:
      • BitLocker for Windows, FileVault for Mac.
      • Consider creating VeraCrypt volumes instead, which can be opened on Windows, Mac, and Linux.
  • Delete any unnecessary saved WiFi networks to which your devices might try to auto-connect.
  • Set up a VPN on all your devices.
    • Many of the most popular VPNs will suffice. In my somewhat arbitrary order of preference: Mullvad, ProtonVPN, Nord, TorGuard, TunnelBear.
    • Do NOT use free VPNs! They’re just collecting your information and selling it.
  • Consider procuring an RFID-blocking wallet for your tap-to-pay credit cards.
    • Don’t worry about things like Faraday Bags for your phones (see the Threat Model discussion earlier).
  • If you’re traveling with a passport with an embedded RFID (all US passports have this), procure an RFID-blocking pouch for it.
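The two laptop password rules in the checklist above, written out as a small Python checker plus a generator for the passphrase form. This is an added example, not code from the original post; the word list is a constructed stand-in for a real diceware-style list, and the checker cannot tell whether a "random" string secretly contains dictionary words (that is left to the reader's judgement).

```python
import re
import secrets
import string

# Constructed stand-in word list; use a large, published word list in practice.
WORDLIST = ["copper", "lantern", "orbit", "velvet", "glacier", "pickle", "harbor", "saffron"]


def meets_random_rule(pw: str) -> bool:
    """Rule 1: at least 12 characters mixing letters, digits and special characters.
    Assumption: 'non-word' is not checked here, since that needs a dictionary."""
    return (len(pw) >= 12
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def meets_passphrase_rule(pw: str) -> bool:
    """Rule 2: at least four distinct words, whole passphrase at least 24 characters.
    Words must be separated by spaces, digits or symbols to be counted."""
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", pw)}
    return len(pw) >= 24 and len(words) >= 4


def is_acceptable(pw: str) -> bool:
    """A password passes if it satisfies either rule from the checklist."""
    return meets_random_rule(pw) or meets_passphrase_rule(pw)


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, min_len: int = 24) -> str:
    """Pick n unrelated words, put a random digit after each (so between words and at the
    end), and retry until the result is at least min_len characters long."""
    rng = secrets.SystemRandom()
    while True:
        parts = []
        for word in rng.sample(wordlist, n_words):   # sample() never repeats a word
            parts.append(word)
            parts.append(str(secrets.randbelow(10)))
        phrase = "".join(parts)
        if len(phrase) >= min_len:
            return phrase


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "x7$Qm2!pL9#Wz", "copper lantern orbit velvet"]:
        print(f"{candidate!r}: {'OK' if is_acceptable(candidate) else 'too weak'}")
    print("generated:", generate_passphrase())
```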


At DEF CON

DO:

  • Keep your devices on your person at all times.
    • Or leave them, powered completely off, in your hotel room.
  • Pay with cash when feasible and reasonable.
  • Be very intentional about using your credit card.
    • Preferably on a portable terminal at a restaurant table (for example).
  • Turn off your Bluetooth, NFC, AirDrop, and WiFi. Turn them on only when absolutely necessary, then turn them back off again.
  • Run your VPN whenever possible.
  • Monitor your credit card and hotel charges.

DO NOT:

  • DO NOT use WiFi, whether at the conference, the hotel, or restaurants, without very careful consideration! Especially DO NOT use FREE WiFi without a password!
    • At past DEF CONs there has been an official, actively-protected DEF CON WiFi. You must explicitly sign up for it and get an encryption certificate. Info is usually at https://wifireg.defcon.org/
    • If your cell service is bad in your hotel, double-check with your hotel to make sure you are on their REAL WiFi network. Seeing a “captive portal” which asks for your name and room number is a good indication, but that can also be faked so be wary!
  • DO NOT click on links in text messages, emails, or any other communications unless you’re ABSOLUTELY certain who they came from, you’re expecting them, and you trust them 100%.
  • DO NOT scan QR codes. These are just like clicking on unexpected links, except you can’t even read them before you click!
    • Consider using an app like URLCheck (Android) to let you examine links after you scan them or click on them, but before your browser opens them.
  • DO NOT use ATMs at DEF CON or at hotels popular with DEF CON attendees.
    • If you must use an ATM, use one built into a wall (not a stand-alone portable kiosk), and make aggressive attempts to dislodge any “skimming” devices which might be placed over the card slot or keypad. These devices can be incredibly convincing and quite thin, so be suspicious!
  • DO NOT connect ANY DEVICES, INCLUDING CABLES, to your own devices unless you 100% trust those devices, where they’ve been, and who gave them to you. This includes: USB drives, USB CABLES (!!!), charging blocks, cameras, mice, keyboards, network cables, etc.