One of the largest gatherings of hackers is rolling into Las Vegas this week, with Black Hat and Defcon taking place back to back. The cybersecurity conferences are often referred to as "Hacker Summer Camp," which raises questions about keeping yourself safe when you're surrounded by hackers.
Each year, on the Defcon subreddit and on Twitter, there are questions safety and security. I remember having the same concerns my first year about bringing my personal devices to the conference, worried about getting hacked if I connected to the wrong Wi-Fi network. I had three phones that year -- though one of them I was purposely using to try to get onto malicious networks.
The truth is, there isn't that much to sweat.
"I honestly have never ran into anyone at any conference that has a burner phone," said Stephanie Carruthers, a white hat hacker at IBM. "If you're losing sleep over it and think you're being targeted, then you can get a burner phone."
Carruthers, also known as Snow, has been going to Defcon since 2011. Her first year, she didn't take any precautions except to keep her Wi-Fi turned off. Beyond being mindful of your wireless settings, Carruthers recommends packing a comfortable pair of walking shoes.
This'll be my third year attending hacker summer camp, and I decided to ask some Defcon veterans what I should pack, starting with its founder, Jeff Moss, also known as Dark Tangent. He's never brought a burner phone to the conference.
"I use my mobile, I'm on the Defcon secure network, I have my Bluetooth turned off, if they get me, they're going to get me over a zero-day," Moss said.
A zero-day is a vulnerability that is unknown to the companies that can fix the flaw. They can be worth up to $500,000 for malicious exploits and aren't likely going to be wasted on average conference attendees.
Moss's best recommendations aren't even security-related.
"The more important things are stay hydrated and have a snack bar," the Defcon founder said.
This is by no means a definitive list of recommendations of what you should bring, it's just what I've learned and plan on bringing to keep myself secure. A dedicated attacker could easily hack me if I'm targeted, just like how no matter how many self-defense classes I take, a dedicated fighter would flatten me in seconds.
With that being said, here are my suggestions. Side bonus: These are also generally good tips for situations when you aren't surrounded by hackers.
Before I head out, I'm making sure my iPhone is on the latest iOS. While vulnerabilities for iOS aren't impossible, they're pretty rare. It's why Apple is willing to pay $200,000 for security researchers who can find vulnerabilities on iOS.
If someone is willing to waste $200,000 to hack me, I'm extremely flattered.
No Bluetooth or Wi-Fi
The more important thing is to adjust settings on your phone to keep it safe from avoidable attacks. That means keeping your Wi-Fi and Bluetooth turned off (sorry, AirPods).
You should also use a VPN, said Mike Spicer, a security researcher speaking at Defcon. He's spent three years analyzing network traffic at Defcon and will present his findings on Friday.
"The biggest threat is going to be somebody tricking you to connect to their Wi-Fi network," he said.
I always dread August because I know I'll be spending a week in Las Vegas, where it's hotter than the devil's armpits. There's a lot of walking, and staying hydrated is going to be important.
Bonus points if it's filtered, Carruthers said.
"A lot of hotels offer free water, and they're very nice, but it sometimes smells and tastes like repurposed pool water," she said.
This is not a cybersecurity tip, but hey, staying alive is also important.
Despite what I just said about bringing burner phones, Chromebooks are a cheap alternative to my work laptop with some pretty damn good built-in security. Its walled garden approach makes it harder for malware to pop up, even though they do exist through malicious extensions.
Also, the powerwash tool is pretty handy if I'm worried anything happened to my device.
You can only pay for your Defcon badge with cash, as well as most things at the hacker conference. With card skimmers available and ATM vulnerabilities frequently disclosed at Defcon, cash is king at hacker summer camp.
Ted Harrington is the Internet-of-Things Village organizer at Defcon and noted that it's hosting a zero-day contest on an ATM this year, with a cash prize for people who find vulnerabilities on the machine.
"Don't take out money at the casino where the conference is being held," he said.
Against all advice to turn off my Bluetooth, I am bringing my Nintendo Switch and a wireless Gamecube controller that uses Bluetooth 5.0. But look, a guy's gotta play Super Smash Bros. If you know of vulnerabilities for the Switch or this popular wireless controller, please reach out to me.
Or if you just want to play Smash, PLEASE reach out.
Look…. This is the pinnacle of security, OK. Please, tell me more about your unhackable Blockchain wallet.
I realize that it is completely awful OPSEC to let the world know exactly what devices I'm going to be bringing, but, if you have a zero-day vulnerability on the gadgets that I am using, let's talk!