How experts stay safe at the Black Hat security conference

128 points, by shahryc, almost 10 years ago

18 comments

danpalmer, almost 10 years ago

I was at a security consultancy that sent a lot of people (~30) to Defcon and quite a few to BlackHat as well. I remember the pre-conference security briefing.

No company laptops on the trip at all, regardless of hard drive encryption, VPN (both of which were compulsory for off-site laptop use). Company phones had to have a long unlock password, enforced centrally. No 2G - all been hacked, no 4G, hacked, only 3G, but no client details over 3G. They recommended a burner SIM, and to not use the company provided SIM at all.
pvdebbe, almost 10 years ago

Nice read. I could envision a Hollywood movie on this premise: Denzel Washington, our protagonist, is the country's leading hacker / security expert, invited to give a talk. Only that an unknown Russian will crack him handily, stealing some government secrets. Then the movie would quickly deteriorate into gas explosions and "hacking tools" written in VB.NET.
BuildTheRobots, almost 10 years ago

"He counsels staff and clients to keep their credit cards in specially shielded envelopes to or stack them one on top of the other so the signals are jumbled up."

Slightly terrifying advice. A few years ago Kris Padgett (iirc) demonstrated that nearly all RFID "blocking" wallets were useless. That and they employ some immense collision detection - if you can throw a binbag full of chips past a reader and still manage to scan them all, I find it impossible to believe 2 cards stacked does _anything_ to help.
benmmurphy, almost 10 years ago

I think you are mostly safe at Defcon/Blackhat. I think you have to worry if you are a target for nation states / criminals (suspected of selling vulnerabilities at the con); then your room is probably going to get searched.

https://twitter.com/thegrugq/status/367364810729472000
kriro, almost 10 years ago

I've never been to one of the US based conferences (mostly CCC). Has the attitude towards the NSA changed a lot in recent years? A while back it was more or less friendly banter and the meet the FED panel was fairly relaxed (from watching Defcon(?) videos). I remember they gave away mugs and joked about them being bugged (which to me felt like they probably were somehow :P).
some_furry, almost 10 years ago

Personally, I just stay home. I go to local BSides conferences (where a minimum wage worker can reasonably be expected to afford to attend without a premeditated effort to save up) and give talks there.

I don't think I'll ever attend Black Hat. I might attend DEFCON, unless the prices go up much higher. The interests of people who can afford tickets to BH USA are already well served by the security consultants they can afford to hire.

And if I ever do speak at DEFCON, it will be repeating a talk I already gave to the local BSides event. Community > Industry.
stephendicato, almost 10 years ago

Leave your technology at home and actually _meet people_. That's the biggest benefit of not having your laptop and primary phone with you.

Granted, the crowds and general culture of the conference don't always support this, but to me it's the best part.
Labyrinth, almost 10 years ago

I am planning on trying to go to Defcon next year. What should I prepare for, in terms of room, restaurants, and other attractions?
arkem, almost 10 years ago

While shenanigans do go on at Defcon and Blackhat, most of these "no computers, no cell phone" precautions are overreactions.
zobzu, almost 10 years ago

This stuff's funny.

Except for paranoids - if you're not able to use your regular tools at Blackhat for fear of being compromised, this means you don't trust your tools, so go fix 'em - because if they're not safe at BH/Defcon, they're safe nowhere.

In reality, even the wifi is pretty safe; LTE-only networking with VPN works out fine, etc.
mrits, almost 10 years ago
I put on a condom before I even clicked the link.
snake_plissken, almost 10 years ago

Actually this sounds kind of fun, sans the whole someone-will-read-your-credit/debit-card-from-5-feet-away thing. Buy a laptop on craigslist for $100, re-format, get some throwaway email accounts and see if you can go about your somewhat normal daily life on the 'Net without getting stomped as you connect across potentially hostile and untrusted networks. The challenging part would be verifying you got through the conferences ok without any intrusions or someone sniffing your passwords.
mrdrozdov, almost 10 years ago

Typo. I think that

    Having to protect a single laptop isn't that big a deal, Black said. "We get over 20,000 unauthorized probes on our system every minute," he said.

should be (Black -> Blech)

    Having to protect a single laptop isn't that big a deal, Blech said. "We get over 20,000 unauthorized probes on our system every minute," he said.
tedunangst, almost 10 years ago

Who are the people saying this? (I've never heard of Proficio before, but apparently they have a sponsored NASCAR car.)
shahryc, almost 10 years ago

"And because it's an event that brings in high-level government and corporate staff, there's also plenty of data and networks to entice the nefarious. It's one-stop shopping, a place were every major security executive is gathered..." ---- I wonder who's got hacked in the past.
beamatronic, almost 10 years ago

Is it completely unreasonable/paranoid to not bring any electronics or credit cards when attending these kinds of conferences?
tripzilch, almost 10 years ago

> That means "the rules are a little different," said Stan Black, chief security officer for Citrix in Fort Lauderdale, Fla. For example, he's bringing his schedule printed out on a piece of paper so he doesn't have to turn on his cell phone to check it.

> "And they're all staying in the same hotel," said Steve McGregory, director of threat and application intelligence for Ixia, a security firm in Calabasas, Calif.

> Jon Miller, vice president of the security firm Cylance in Irvine, Calif., doesn't see the hacking at Black Hat as malicious so much as simply intellectually curious. But he still turns off Wi-Fi and Bluetooth on his phone and only logs on to the Internet from his hotel room using a virtual private network.

Ok, I get it, it's a hacker's con, with hackers hacking hackers. If you don't want your phone hacked, don't bring it to Blackhat. "It's to be expected", right?

But isn't it also a little bit insane?

What about the people working there? Hotel staff, catering, nearby bars, shops, etc. Do they get briefed about security countermeasures like this? Or are they left to their own devices? (or should I say "0wned devices")

Do the hotels use computers? Do they get help protecting their systems from damage? How do they manage to get their systems back into a safe and stable state for the rest of the year, for when, you know, the place isn't swarming with people for whom "the rules are a little different"?

Sounds to me like the waiting staff will be the ones with the least protected phones, attracting the "intellectually curious". I'm just thinking of those additional scripts available, not the exploits, but the ones designed to slurp data after a way in has been found. They are targeted at the common types of accounts/usage, Facebook and Gmail, automated email digging, further escalation to ID theft, etc.

Most security researchers/consultants know of these tools but they never _really_ get to use them in their day job, because usually you don't have to follow an exploit all the way through to begin protecting your client from it. But now, _they're at Blackhat!_ And the rules are a little different! Finally!

And even after all the hackers leave, the exploit's still in your phone.

Perhaps I'm being a bit hyperbolic here, but grant that it is a pretty crazy situation, and I'm actually curious: how do the local people working there deal with this?

Imagine going to a gun convention and being advised to better prepare by wearing a bulletproof vest, because "the rules are a little different" there :)
benihana, almost 10 years ago
Do break-ins increase during security conferences because hackers realize the watchmen are busy? Or do they go down during these conferences because the people breaking in are also the people at the conferences?