In two weeks, hackers, practitioners, vendors, suits, and spooks will return to Vegas after a 3-year break.
I usually write a piece for first-timers and newbies on how to get the most out of Hacker Summer Camp and how to stay safe digitally and physically. This tradition began in the early days of Bugcrowd, when DEF CON was part of new-hire induction. There's no better way to introduce someone to the hacker community than to throw them into DEF CON for a few days, but Vegas is a pretty intense place, so helping people avoid the common traps became important very early on.
This year, with the COVID pandemic still lurking and after 3 years of muscle memory loss, that's 1,000x truer. This post is for those who've calculated the risks and decided to go.
Sidenote: I know lots of people who've made the call to sit this one out. As I said on Twitter the other day, I applaud your decisiveness and definitely don't want this to trivialize that decision or exclude you - I'm looking forward to the day when this is all a little more straightforward. <3
Digital and Opsec
We'll start with digital and operational security, because that's the thing most people worry about when they're heading to #hackersummercamp for the first time. This post from 2019 was basically lifted from Bugcrowd internal training for "hostile environments" - and it has held up quite well: https://cje.io/2019/08/01/practical-prepping-for-hacker-summer-camp/
Note that I've drawn from TheGrugq's school of opsec a fair bit here - Most of the meaningfully useful stuff happens before you get to the airport to fly to McCarran. Much like opsec, personal cybersecurity tends not to be as effective when you apply it in hindsight. It's also important to note that these suggestions are still very much subject to the "Mossad/Not-Mossad" threat model, and subject to applying your own threat model to figure out what's important and what isn't. I might cover this in another post - The unique thing about Hacker Summer Camp threat modelling is that "lulz" shoots to the top of the list of threat actor motivations that you're likely to encounter.
- If you don't need it, don't bring it. This applies to hardware, software, and ideally the data that on your stuff.
- If you don't need it turned on, turn it off.
- The visibility of hacking shenanigans is lower during Blackhat, and ramp up as DEF CON kicks off. A lot of the hacking going on during DEF CON is in the interest of experimentation and general lulz, and stealth isn't as high on the list of priorities - This doesn't mean that actual motivated attacks aren't happening during Blackhat.
- ...yes, this includes the hotel room.
- Hard-wired tethering is generally safer than using wi-fi, even with a VPN.
- Burners are overrated, but you should have a good idea of what data is on your equipment and what it might automatically connect to. Saved wifi networks will get you onto the wall of sheep and newer, more promiscuous-by-design features like Apple's Universal Control do all kinds of weird and wonderful things over the airwaves to work out where their brothers and sisters are. As a general guide, if you aren't using it (Bluetooth, Wifi, etc), it's safer to turn it off.
- Typically the cell networks start getting weird around DEF CON kick-off as LEO, researchers, and Lord-only-knows who else deploy IMSE catchers and other downgrade gear. Check out this presentation to see what I mean by that: https://github.com/MrVaughan/Defcon2016GSMData. Cell interception resistance has definitely evolved since 2016, but in my experience this is something that you can count on pretty much every year. VPN over hard-wire tethering is a decent defensive tool if you're concerned about this (I recommend Algo as an easy to set up personal VPN), as is using E2E messaging and voice tools like Signal.
- The tragic shooting in 2017 prompted a bunch of changes to hotel inspection policies in Las Vegas which changed the rules and norms quite a bit around inspections, unexpected visitors, and the general sanctity of a hotel room. With the operational and economic changes brought about by COVID, I quite honestly have no idea what that is going to look like this year. In general, ensuring equipment left in your room is fully powered down is an easy-to-remember and relatively effective mitigation to evil-maid risk.
- Aside from this, the absolutely kick-ass FlipperZero has greatly reduced the cost of NFC attacks, and it's fairly safe to expect at least some shenanigans of this nature, as well as the potential for actual attacks. A potential mitigation for this is buying a nanny-cam or two off of Amazon, setting them up in your room, and leaving a very obvious note to let people know that if they are in the room, they are being recorded. The note alone might be useful as a deterrent, or if you're concerned about the legalities of setting this type of thing up.
Health and The 'Rona
I managed to escape COVID at this year's RSA Conference in San Francisco. I had COVID in February, avoided poorly ventilated and busy locations, and wore a mask indoors, but I think the largest factor was taking care of my energy and immune system. Eating well, hydrating, and avoiding alcohol and sleep deprivation made a major difference.
Unfortunately, the Las Vegas strip is basically designed to encourage you to forget about the importance of these things... So here are a few tips for managing comfort and stamina that I've picked up from 10 years of Hacker Summer Camp:
- The water in Las Vegas hotels is almost always bad - Not unhealthy, more of a "yeh, nah, I don't really feel like drinking water" thing. Las Vegas itself also tends to conspire to dehydrate you with all available tools (heat, lack of humidity, physical exhertion, caffeine, alcohol, etc), so this can become an annoying combination of forces to stay on top of. I carry a Sawyer Mini Filtration System in my possibles pouch, mostly for outdoors stuff, but it's handy for this particular problem as well.
- Stocking up on water from a drugstore (or, really, anything that isn't a hotel with a huge markup) can help solve the hydration problem and well.
- You're in the desert, so the air in the hotels is usually incredibly dry. A useful trick I learnt was to fill the bathtub with a few inches of cold water when you check in, and basically just leave it there throughout your stay. It won't create a rainforest, but does add enough humidity to the air make a significant difference in comfort as the days start to add up.
- Do try to get off the strip - Las Vegas is WAY more than the Casino's and the ruckus, and it's a really valuable mental reboot if you're starting to get overwhelmed with the lights and the noise.
- Bring sunglasses and keep them with you, it's quite dim in the Casino's and SUPER bright outside.
- It'll be super hot outside, but inside it's COLD. Plan accordingly - I have a backpack with me most of the time and pull the hoodie in and out of there.
- The lack of natural features on the strip creates what I like to call "Vegas Parallax Error" - It's almost impossible to accurately judge walking distance, and everyone I know has a story of the time they thought "It's only three casino's over - I'll just walk" then almost passed out from heatstroke. It's also weirdly difficult to get a taxi or rideshare from a point in-between the main entry's of the casinos, so if you make this mistake you'll be locked in until you hit the next waypoint - tl;dr: Plan ahead.
- An "Ouch Pouch" is useful to keep with you for yourself, but more often IME to be able to help other folks out. A couple of fabric bandaids for blisters, Tylenol, an NSAID of some sort, antacids, and some Immodium are a good start and can fit into your wallet. The other thing I'll tend to have with me is Emergence-C, which I'll hit when I get to that "I've been talking too much and my throat is about to blow up" stage. Carrying a chapstick is a good idea as well, even if that's not your normal thing. There's no need to go overboard with this stuff, but you'll find yourself a long way from your hotel room and not necessarily wanting to seperate from the group you're in, so they definitely come in handy.
- A decent battery pack is a must.
- If you hit the point where you need to get off your feet (speaking especially to those who are on the clock as vendors, exhibitors, village folks, etc) a trick I love is to grab a few folks in the evening and find a pool that's a little quieter. Take your shoes off, grab a beverage, relax and chat. I usually use the BSides LV pool party as the oppportunity to exhale and give my legs a rest, and it's a nice midpoint between the "suit-half" of the week (Blackhat) and the "hoodie-half" (DEF CON).
- Back on transport: There are taxi's, Uber/Lyft, and trams, as well as some interconnections between Casino's when you can mostly walk indoors.
I've missed a bunch of stuff here but it's time to hit send. If there's stuff I'm missing re operational, digital, and personal preventative self-care at Hacker Summer Camp feel free to ping me on Twitter and I'll add it in!
See y'all soon.