Notes from HOPE and DEF CON

author: Nathan Acks
date: 2022-08-15

Now that both HOPE and DEF CON are behind me, I want to summarize some of my initial thoughts. This is not a “what did I learn about hacking” post, but rather musings about attending these events.

Device Security

The internet is awash with advice to only bring burner phones/laptops to DEF CON (or hacker conferences in general), to assume any credit card you use while attending (or even being near) DEF CON is compromised, etc.

After much consideration, I’ve come to believe that much of this “advice” is ill-conceived, and shows either the advice-giver’s poor risk modeling abilities or inflated sense of their own importance. Rob Graham’s advice is much better: Encrypt your stuff and be careful about Wi-Fi and Bluetooth, and you’ll almost certainly be fine.

Assuming that you’re using up-to-date devices, the main risks of going to a hacker conference are the same as any sort of travel: Theft, assault, abuse by the local authorities. I’m not the kind of person who needs to worry as much about the second two of these, so theft is my main concern. Here’s my general travel setup, which I think is also pretty solid for hacker conferences:

Now, hacker conferences do generally have a more hostile radio frequency environment, so I do take extra care here.

Finally, you want to be careful what you’re plugging into your devices. Personally, I bring my own cables and charger, and don’t use anything provided by another conference attendee or plug in any devices (for example, USB drives) that I didn’t bring with me.

There’s not some kind of magical “hacker miasma” at these conferences that puts your device at risk - someone looking to compromise your device needs to be able to get data to it. By limiting connections to radio networks and avoiding untrusted devices, the opportunity for an attack is severely curtailed (though it cannot be eliminated). The main risk here is someone attempting to subvert a trusted connection (the DEF CON secure Wi-Fi network, the Bluetooth connection to my Apple Pencil, or the cellular radio on my iPhone); the best defense is simply keeping your shit up-to-date and pre-configure trusted connections. It’s very unlikely that someone is going to burn a cellular zero day on you at a hacker conference.

If your risk model is that a nation state is gunning for you, then you need to be worrying about a lot more than just conference security! Needless to say, this guide is not, then, for you.

A Note About Credential Management

An important layer of defense at hacker conferences, when traveling, or just in life is good credential management.

I use different usernames/emails for almost every service. Both Proton Mail and Google Workspace can be configured with catch-all email addresses. If you don’t want to pay money, then sign up for Gmail and liberally use the + functionality.

Use unique, random passwords for as many services as you can. Use a password manager (KeePassXC and compatible applications are good choices) to make this easy to manage. Don’t store these credentials in your browser or system keychain.

Set up multi-factor authentication on every account that supports it. Whenever possible, use a hardware key (like a YubiKey). As a bonus, you can use hardware security keys to further lock down access to your password manager: Do this using either built-in support, or by storing a long random string in one of your security key “slots” and then using this in addition to a string that you’ve memorized to access your password vault (full-featured YubiKeys - not the lower-end “security keys” Yubico sells - support both options).

Packing

I’m a light packer, partly because I don’t like checking bags, and partly because I enjoy the challenge. This year I managed to fit all of my gear into a single Peak Design 20 L Everyday Backpack (with the help of two small packing cubes). However, this is all a tight fit - there’s next to no room for conference swag on the return trip, and the laptop compartments are compressed more than I’m comfortable with. Moving forward, I intend to switch to a Peak Design 30 L Everyday Backpack, as I think that the extra 10 L should be more than enough for me.

There’s enough (low profile) pockets in the Peak Design Everyday backpack that I don’t need a cord bag, and it’s a reasonable size to use as a day bag at the conference itself. This requires some unpacking/repacking at the hotel, but that’s a small price to pay to avoid having to carry an entire additional bag. Peak Design products are a bit pricy, but I’ve experimented with a lot of different bags over the years and they’re hands-down the most durable, versatile bags I’ve ever owned.

One thing that’s enables me to pack light is that I’ve moved away from wearing jeans. Instead, I’ve switched to Bluffworks’ Ascender 5-Pocket Pants, which are tough, light, wrinkle-resistant, very compressible, and have the bonus of being much harder to pick pocket than most other mens’ pants (though again, a determined thief can still defeat them). I pair these with Icebreaker underwear and socks, which are also exceptionally light and durable. Bluffworks also makes travel blazers and other outfits for less casual situations; these are also good for traveling light, but by necessity take up a bit more space. There’s a trade-off between looking nice and packing light that is just difficult to navigate.

One disadvantage of this setup is that it’s difficult to bring multiple pairs of shoes. I opt to just wear a pair of black running shoes - they’re not dress shoes, but they’re comfortable and sufficiently understated that you can get away with using them in less casual situations in a pinch.

At the Con

At the conference, or really when traveling in general, I try to avoid being conspicuous. I don’t wear conference swag/merch. I don’t put stickers on my devices. I take off my conference badge and put it in my backpack when it’s not required. I don’t flash (or carry) big wads of cash.

In short, I try not to look like a target. Ideally, there should be no way for someone who sees you outside of the conference to know that you are an attendee.

A Note on Masks

I don’t like wearing masks, but if I’m going to wear one I’m going to wear an effective one. Since HOPE and DEF CON were both masked events, I brought along tight-fitting N95 masks for use while attending the conference.

The problem with a well-fitted N95 masks is that they’re kind of a pain to take off. This makes both eating and (more importantly) drinking a less attractive proposition. I wound up going back to my hotel to do both during the day, which created larger gaps in my schedule than I planned.

Moving forward, I don’t think it makes sense to bring a water bottle to any events that have a mask requirement. I also need to remember that I can’t effectively pull off my normal back-to-back-to-back event schedule at conferences with mask requirements. This means doing less at these events than I otherwise would, but c’est la vie in the time of plague.