Adam Shostack

Use the Defcon Wifi (new blog)

Many security professionals, especially on social media, have an unfortunate tendency towards what we might call performative security. It’s where people broadcast their security measures to show how aware they are, and they suggest others follow their lead. It’s the inverse of security theater where ineffective security is imposed on us by organizations. It’s often ineffective, inconvenient, or both.

And today’s bad advice is “Don't use the defcon wifi.”

The #Defcon and #Blackhat networks are some of the most monitored networks anywhere. No one's going to blow an 0-day by using it on either network. This assumes everything's up to date and fully patched, and that you join the official networks, which are listed on signage around the venues. It also assumes that all your apps are using TLS everywhere. In contrast, there is a never-ending parade of warnings about malware in telecom infrastructure. There are routinely reports of extra base stations around Las Vegas. (I’ve heard numbers on the order of an extra 50, of which I’d guess many are simply just-in-time capacity from authorized suppliers.) The lack of authentication of base stations is apparently a ...feature... that’s never going to be fixed.

Now, there’s another way to interpret this, which is to put your devices in airplane mode or a Faraday cage, and that’s not awful advice. Disconnect. Be present. Enjoy the events. Talk to the people around you. If you want to disconnect, a well-constructed Faraday cage is safer than airplane mode, which lets bluetooth and wifi work.

When I was at Microsoft, some of my co-workers made a big deal of how they locked down their laptop, or bought a burner for Defcon. Me? I asked why our products weren’t safe enough to use in that environment, given that they’re certainly used in more dangerous places.

shostack.org/blog/use-the-defc

8 comments
Aranjedeath

@adamshostack

> When I was at Microsoft, some of my co-workers made a big deal of how they locked down their laptop, or bought a burner for Defcon. Me? I asked why our products weren’t safe enough to use in that environment, given that they’re certainly used in more dangerous places.

Yeah, and that's the real takeaway. If you don't think your personal devices can handle that, it's an industry problem, not a personal one.

Andrew Zonenberg

@adamshostack I'm less concerned about 0days than 0ldays against e.g. Android devices where the carrier/handset manufacturer is lagging the official patch cycle.

Spamming week-old CVEs has almost no opportunity cost (the bug is already burned) and might get you some low hanging fruit.

Also, one of the points of a burner phone isn't that it's particularly secure (it's often not, most are cheap androids way beyond official patch cycles), it's that it *has nothing worth stealing on it*. When you're in a densely crowded place, possibly overtired and/or somewhat intoxicated, losing it is a real possibility. Defcon is a target-rich environment for someone looking to score points against security professionals who slipped up.

Sure, you should have FDE'd the phone, but how good is your password? How many people were close enough to watch you type it in over the course of the night and saw an opportunity for some lulz when you stepped out to the bathroom and left it next to your beer?

Andrew Zonenberg

@adamshostack As someone who doesn't drink that last bit is less concerning to me, but it's Vegas we're talking about so statistically, most folks attending will probably be indulging in the local scene to some degree.

That, not TAO's finest, is the real threat at defcon IMO.

Andrew Zonenberg

@adamshostack Additionally, bringing a device with nothing worth stealing on it avoids the temptation to check company email or something in an environment where the shoulder-surfing level is probably off the charts.

Not that reading sensitive mail in public is a great idea in general, but doing it surrounded by people waiting for a chance to make an example out of you is particularly dumb.

axleyjc

@adamshostack Especially if you just use a VPN over untrusted wifi - you've probably removed most local threats.

If your threat model demands it, it's ideal not to rely on host configuration but to use some hardware device (wifi bridge with WireGuard VPN or something) as an intermediary, to avoid "forgetting" to secure a host and because there's so much crap on hosts you don't control: it's nontrivial to guarantee something isn't going to phone home insecurely in the background and leak something.

axleyjc

@adamshostack Learn from the opsec fails of nation states that forget to start a VPN when attacking and leak their real IP "oops!"
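As an added example, not posted by axleyjc or anyone else in the thread, here is a wg-quick client configuration that makes the WireGuard tunnel fail closed, addressing both of axleyjc's points above: a host (or the dedicated wifi-bridge device suggested there) should not be able to send traffic in the clear over the venue network just because some background process "forgot" the VPN. The PostUp/PreDown rules are the kill-switch recipe documented in the wg-quick(8) man page; the keys, tunnel addresses and endpoint are placeholders, not values from this page.

```ini
# Added example, not from the thread. Keys, addresses and endpoint are placeholders.
# /etc/wireguard/wg0.conf -- bring up with `wg-quick up wg0`
[Interface]
# Client private key: PLACEHOLDER, generate your own with `wg genkey`
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# Tunnel address handed out by your own VPN server (placeholder value)
Address = 10.8.0.2/32
# Resolve DNS inside the tunnel so lookups do not leak over the venue wifi
DNS = 10.8.0.1
# Kill switch from wg-quick(8): reject any outbound packet that is not
# leaving via the tunnel interface (%i), is not the tunnel's own encrypted
# UDP (identified by the fwmark wg-quick sets), and is not addressed to a
# local address. With AllowedIPs = 0.0.0.0/0 below, wg-quick routes all
# traffic through %i, so anything that would bypass it is rejected instead
# of being sent in the clear.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
# Your VPN server's public key (placeholder value)
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Full tunnel: all IPv4 and IPv6 goes through the VPN, not just one subnet,
# so there is no split-tunnel path for a chatty app to use
AllowedIPs = 0.0.0.0/0, ::/0
# Server endpoint (placeholder hostname and port)
Endpoint = vpn.example.invalid:51820
# Keep the NAT mapping alive behind the venue's access points
PersistentKeepalive = 25
```

Two caveats worth knowing before relying on this. First, these REJECT rules exist only while the interface is up, so they cover "the tunnel dropped" but not "I never started it"; to cover the forgot-to-start case as well, the same rules have to be installed persistently at boot by the firewall service rather than by wg-quick. Second, putting this configuration on a separate bridge device rather than on the laptop is exactly the point of the earlier comment: the hosts behind the bridge then have no network path at all except through the tunnel, whatever their own software does in the background.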
