Use the Defcon Wifi (new blog)

Many security professionals, especially on social media, have an unfortunate tendency towards what we might call performative security. It's where people broadcast their security measures to show how aware they are, and suggest that others follow their lead. It's the inverse of security theater, where ineffective security is imposed on us by organizations. Performative security is often ineffective, inconvenient, or both.

And today’s bad advice is “Don't use the defcon wifi.”

The #Defcon and #Blackhat networks are some of the most monitored networks anywhere. No one's going to blow an 0-day by using it on either network. This assumes everything's up to date and fully patched, that you join the official networks (which are listed on signage around the venues), and that all your apps are using TLS everywhere. In contrast, there is a never-ending parade of warnings about malware in telecom infrastructure. There are routinely reports of extra base stations around Las Vegas. (I've heard numbers on the order of an extra 50, of which I'd guess many are simply just-in-time capacity from authorized suppliers.) The lack of authentication of base stations is apparently a ...feature... that's never going to be fixed.

Now, there's another way to interpret this, which is to put your devices in airplane mode or a Faraday cage, and that's not awful advice. Disconnect. Be present. Enjoy the events. Talk to the people around you. If you want to disconnect, a well-constructed Faraday cage is safer than airplane mode, which on many phones still allows Bluetooth and Wi-Fi to be turned back on.

When I was at Microsoft, some of my co-workers made a big deal of how they locked down their laptop, or bought a burner for Defcon. Me? I asked why our products weren’t safe enough to use in that environment, given that they’re certainly used in more dangerous places.

https://shostack.org/blog/use-the-defcon-wifi/


Is iVerify still the best iOS lockdown config checker?

@adamshostack

> When I was at Microsoft, some of my co-workers made a big deal of how they locked down their laptop, or bought a burner for Defcon. Me? I asked why our products weren’t safe enough to use in that environment, given that they’re certainly used in more dangerous places.

Yeah, and that's the real takeaway. If you don't think your personal devices can handle that, it's an industry problem not a personal one

@Aranjedeath @adamshostack @tml
One large tech company doesn't let their employees attach their laptops to WiFi other than home or work. Not a great endorsement, but given the prevalence of WiFi firmware exploits I guess it makes a lot of sense.
@Aranjedeath @adamshostack While true it's an industry problem, it can still also screw you over as an individual.

@Aranjedeath @adamshostack I've summarized this quite simply in recent years:

If you're upping your security for defcon, you've already been popped at the starbucks you visited last week.

@adamshostack Sound analysis/advice, Adam.

@adamshostack I'm less concerned about 0days than 0ldays against e.g. Android devices where the carrier/handset manufacturer is lagging the official patch cycle.

Spamming week-old CVEs has almost no opportunity cost (the bug is already burned) and might get you some low hanging fruit.

Also, one of the points of a burner phone isn't that it's particularly secure (it's often not; most are cheap Androids way beyond official patch cycles), it's that it *has nothing worth stealing on it*. When you're in a densely crowded place, possibly overtired and/or somewhat intoxicated, losing it is a real possibility. Defcon is a target-rich environment for someone looking to score points against security professionals who slipped up.

Sure, you should have FDE'd the phone, but how good is your password? How many people were close enough to watch you type it in over the course of the night and saw an opportunity for some lulz when you stepped out to the bathroom and left it next to your beer?

@adamshostack As someone who doesn't drink that last bit is less concerning to me, but it's Vegas we're talking about so statistically, most folks attending will probably be indulging in the local scene to some degree.

That, not TAO's finest, is the real threat at defcon IMO.

@adamshostack Additionally, bringing a device with nothing worth stealing on it avoids the temptation to check company email or something in an environment where the shoulder-surfing level is probably off the charts.

Not that reading sensitive mail in public is a great idea in general, but doing it surrounded by people waiting for a chance to make an example out of you is particularly dumb.

@adamshostack sadly, i feel like 80%+ of the infosec world is performative security
@petrillic @adamshostack Well, have I got some news for you! It's not just a feeling!
@adamshostack I wish the OS would be the only place where security holes could be on a laptop though. (I would probably just stay offline)
@adamshostack Infosec has a lot of weird social tics that can make the community seem like hard work.
@adamshostack
It's very likely you know something I don't. (You certainly know many things I don't.) However, at least according to the device itself, my Android phone turns off Bluetooth and WiFi when it's in Airplane Mode.
@nitpicking On iPhone you can turn on Wifi (connect to the plane) and Bluetooth (headphones etc). I think they're off by default but you can reactivate manually.
@adamshostack The biggest risk of trying to stay connected at DEF CON is that connectivity is unreliable because of how hostile the radio environment is there. My advice would be "use the DEF CON wired network for anything important" - it's rock solid reliable, and best of all, it's fast so you can download ALL of the warez.
@tprophet "The Defcon wifi is very user friendly. It just has very specific ideas about who its friends are."

@adamshostack guess why I don't use Windows nor go to DEFCON?

It's likely of similar reasons why you ain't at Microsoft anymore...

Personally, I'd say using any GAFAM-based device / OS means one's f**ked, and regardless of whether it's DEFCON or generally travelling to the USA, "P.R." China or elsewhere, I'd always recommend using burner devices and identities.

There's a reason a lot of folks I know have at least 4 valid travel passports at the same time...
And no, almost all have only single citizenships!

@adamshostack that being said it's not as if #Microsoft doesn't know how to make devices #secure...

https://www.youtube.com/watch?v=U7VwtOrwceo

Guarding Against Physical Attacks: The Xbox One Story — Tony Chen, Microsoft

YouTube

@adamshostack ...it's just that they deliberately decided to keep #Windows #insecure...

https://www.youtube.com/watch?v=x8JuUW41pbQ

The True Story of the Windows _NSAKEY

YouTube

@adamshostack ...whereas the #Xbox360 to this day can't be "#Softmodded" in the sense of just doing a #Savegame-#Exploit or plugging in a #USB-Device...

https://www.youtube.com/watch?v=2yQCOso_4hc

How a USB key defeated security on the Sony PlayStation 3 | MVG

YouTube

@adamshostack and the closest to it is #RGH3, which still requires soldering at least pin headers onto the mainboard, extracting as well as modifying the firmware, and glitching the CPU, something that Microsoft fixed with the last revision of the #Xbox360, the "Winchester", which can't be modded to this very day!

Thus I'd argue it's safer than #Windows10 or #Windows11 ever could be.

@adamshostack
> When I was at Microsoft, some of my co-workers made a big deal of how they locked down their laptop, or bought a burner for Defcon. Me? I asked why our products weren’t safe enough to use in that environment, given that they’re certainly used in more dangerous places.

It's quite simple.
I guess as a Microsoft employee you have certain insights and you feel more confident in using your own product. However, alternative operating systems verifiably offer less attack surface, don't hide their source and can be controlled much better. These are all things that are considered very important in the target audience of Defcon, and that is why you are one of the few people who act like you do.
@adamshostack you're aware, of course, that Windows can be configured to be substantially more secure than its OOB settings. And that's what you need if you're going to use it in more hostile environments. It's not entirely about how much you trust the OS itself; it's also how much you trust the security of your configuration choices.
@mweiss @adamshostack Properly configured at installation - for example by disabling all telemetry - Windows 10 Pro is actually significantly more secure than the vanilla Linux kernel...although probably still not as secure as a Linux kernel hardened with something like grsecurity.

And of course if you want to get deep into it, you can always run Windows or Windows applications in a VM over something like Qubes OS using a hypervisor, although it's costly to purchase the hardware.
@mweiss Yes and I don’t think it matters for defcon. The defenses you need (deal with a hostile network) are roughly the same as you need for a coffee shop.
@mweiss You're more likely to have hostile or fake DHCP, but DHCP shouldn't be able to screw you that badly.
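The "hostile or fake DHCP" point above is the one piece of this thread that can be turned into a concrete check. What follows is an added example, not code from the thread, the blog or the DEF CON NOC: it parses DHCPOFFER payloads (the UDP data on port 68, per RFC 2131/2132) and reports the classic rogue-server indicators, namely two servers answering the same DISCOVER transaction, a WPAD proxy-autoconfig URL (option 252), and a default gateway outside the subnet being handed out. The two sample packets are constructed inline with made-up addresses; in practice the payloads would come from a pcap or a raw socket.

```python
"""Flag rogue-DHCP indicators in DHCPOFFER payloads (UDP port 68 data, RFC 2131/2132).

Added example for this thread; the sample packets below are constructed and every address is made up.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 1, 3, 6, 53, 54, 252
DHCPOFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Return op, xid, yiaddr and a {code: bytes} option map; repeated options are joined (RFC 3396)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    yiaddr = ipaddress.IPv4Address(payload[16:20])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = END
        if payload[i] == 0:                          # 0 = PAD, carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        if i + 2 + length > len(payload):
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": opts}


def addrs(raw: bytes) -> list:
    """Decode a list-of-IPv4 option value (options 3, 6, 54, ...)."""
    return [ipaddress.IPv4Address(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def check_offers(payloads) -> list:
    """Return human-readable findings for a batch of captured DHCP payloads."""
    offers = [p for p in map(parse_dhcp, payloads) if p["options"].get(OPT_MSG_TYPE) == bytes([DHCPOFFER])]
    findings = []
    # 1. Two servers answering the same DISCOVER (same xid): someone else is handing out leases.
    servers_by_xid = {}
    for o in offers:
        servers_by_xid.setdefault(o["xid"], set()).update(addrs(o["options"].get(OPT_SERVER_ID, b"")))
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            findings.append(f"xid {xid:#x}: offers from {len(servers)} different servers "
                            f"{sorted(map(str, servers))} (competing DHCP server)")
    for o in offers:
        opts = o["options"]
        sid = ",".join(map(str, addrs(opts.get(OPT_SERVER_ID, b"")))) or "?"
        # 2. Option 252 (WPAD) hands every browser on the host a proxy auto-config URL.
        if OPT_WPAD in opts:
            findings.append(f"server {sid}: option 252 (WPAD) pushes proxy config "
                            f"{opts[OPT_WPAD].decode('ascii', 'replace')!r}")
        # 3. A default gateway outside the offered subnet is a redirect-everything sign.
        mask = opts.get(OPT_SUBNET)
        if mask and len(mask) == 4:
            net = ipaddress.IPv4Network((str(o["yiaddr"]), str(ipaddress.IPv4Address(mask))), strict=False)
            for rtr in addrs(opts.get(OPT_ROUTER, b"")):
                if rtr not in net:
                    findings.append(f"server {sid}: router {rtr} is outside offered subnet {net}")
    return findings


def build_offer(xid: int, yiaddr: str, server_id: str, options) -> bytes:
    """Construct a DHCPOFFER payload for testing (real input would come from a pcap or raw socket)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)            # BOOTREPLY, Ethernet, hlen=6
    header += b"\x00" * 4 + ip(yiaddr) + ip(server_id) + b"\x00" * 4     # ciaddr, yiaddr, siaddr, giaddr
    header += b"\x00" * (16 + 64 + 128)                                   # chaddr, sname, file (unused)
    body = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ip(server_id)
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


IP = lambda s: ipaddress.IPv4Address(s).packed
# Constructed capture: the venue's server and a rogue box both answering DISCOVER xid 0x1234.
LEGIT_OFFER = build_offer(0x1234, "10.0.5.77", "10.0.5.1",
                          [(OPT_SUBNET, IP("255.255.255.0")), (OPT_ROUTER, IP("10.0.5.1")),
                           (OPT_DNS, IP("10.0.5.1"))])
ROGUE_OFFER = build_offer(0x1234, "10.0.5.200", "10.0.5.66",
                          [(OPT_SUBNET, IP("255.255.255.0")), (OPT_ROUTER, IP("10.0.7.1")),
                           (OPT_DNS, IP("10.0.5.66")), (OPT_WPAD, b"http://10.0.5.66/wpad.dat")])

if __name__ == "__main__":
    for line in check_offers([LEGIT_OFFER, ROGUE_OFFER]):
        print(line)
```

Run against the two constructed packets, `check_offers` reports the competing server, the WPAD push and the off-subnet gateway, and reports nothing for the legitimate offer on its own. None of these indicators is proof by itself (some real networks do push option 252 on purpose), which is why the output is a list of findings to read rather than a verdict.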

@adamshostack it's a bit more complicated than that. The likelihood of a hostile party on the network at a random coffee shop at any given moment is lower than at DC.

That said, I'd posit that a work laptop should be at least CIS L2 to be at the coffee shop as well, if your employer has anything of value to protect.

@mweiss So? How does a product make that assessment? Shouldn’t it be secure by default?
@mweiss I mean I don’t disagree with the assessment of danger, but I’m not sure how that translates into a design choice

@adamshostack the high level principle of "secure by default" is fine. But the devil is in the details. What's your risk appetite? How much daily pain are you willing to put up with in exchange for the higher level of security?

So often, we in the security community talk as if there were a single answer that applies to everyone, but of course it's not true. And computer security is still too complicated for most people to understand. So, we end up where we are. It could be better. It should be better. I'd say more but this isn't a particularly good medium for long, complex, nuanced messages.

@adamshostack thanks for sharing your thoughts. I've had the same belief but unable to communicate it as clearly as you did.
@adamshostack @Saren42 That last part. I ask that question all the time. I’m pretty sure I know the answer, though, and I don’t like it.

@adamshostack
@jwgoerlich

THIS times a thousand.

If you do only two basic things, set up an account and download a suspected-good copy of the cert off-site, the #defcon wireless is the most secure network that, frankly, you may ever have access to. You'll have a layer of secure authentication that beats anything else you have access to on the road - especially the hotel wireless.

The only team you have to worry about on that immediate network is efffn and the DC NOC goons, and I can personally guarantee that they have vastly less interest in sharing where you go or what you do than anyone maybe ever, much less than, say, your mobile provider or your own home ISP.

And if you're worried about that, layer VPN over it, which you should already be doing if you're doing any kind of business communication anyway.

And I'd also like to thoroughly second the observation that while you will probably need your devices, you really should use them as little as is practical. Because you should be spending time with interesting people and learning new shit, and spending little time on socials. Or work. Those things will keep. Lobbycon, though, waits for no one.
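The "download a suspected-good copy of the cert off-site" step above is what makes the WPA2-Enterprise network worth more than the hotel wireless, and it only helps if the client is told to use it. The pair of `wpa_supplicant` network blocks below is an added example, not configuration from the thread or from the DEF CON NOC; the SSID, credentials, certificate path and server name are placeholders, and the EAP method (PEAP with MSCHAPv2) is an assumption, so use whatever the registration page actually tells you.

```ini
# Weak: no CA pinned and no server-name check. The client will complete EAP
# against any RADIUS server that presents any certificate, which is exactly
# what an evil-twin access point with the same SSID relies on.
network={
    ssid="<official SSID from the signage>"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="<username from wifireg>"
    password="<password from wifireg>"
    phase2="auth=MSCHAPV2"
}

# Hardened: trust only the certificate you fetched off-site, and require the
# server's certificate name to match before any credentials are sent.
network={
    ssid="<official SSID from the signage>"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="<username from wifireg>"
    password="<password from wifireg>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/con-ca.pem"      # placeholder path to the off-site copy
    domain_match="<server name from the cert's CN/SAN>"
}
```

Before trusting the downloaded file, compare its fingerprint with the one published out of band (`openssl x509 -in con-ca.pem -noout -fingerprint -sha256` prints it); a certificate fetched over the very network you are about to join proves nothing on its own. The same two settings exist under different names on other platforms (a configuration profile with a pinned trusted server certificate on iOS and macOS, "CA certificate" plus "Domain" in the Android Wi-Fi dialog), and their absence is the weak configuration in every case.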

@mav @jwgoerlich as an aside I tried to find the defcon cert and gave up after a few minutes. Where is it, and how is a normal human expected to find it starting from defcon.org?

@adamshostack @jwgoerlich

so, def con officially starts Thursday the 10th, and is (edit: **almost**) entirely run by volunteers, which means that noc_defcon twitter and wifireg.defcon.org will probably heat up in the next day or two.

When the network is running, the con usually announces its availability via the usual channels - blog, forum, socials, etc.

@adamshostack @jwgoerlich

speaking of which, wifireg.defcon.org is up

@mav @jwgoerlich Thanks for looping back. Can you check the URL? I'm getting timeouts.

@adamshostack @jwgoerlich

I'm not a NOC GOON, but I'm gonna guess that the reason you're getting timeouts is because frickin 30000 nerds just tried to register. It worked fine earlier.

@adamshostack @jwgoerlich it looks like there's some issue with defcon infra, it's being looked into