RE: https://hachyderm.io/@evacide/116274789062787020

Tangent, but this is one reason why I don't bother with "burner phones" at DEFCON.

If my day to day security practices are insufficient for DEFCON, they're insufficient for day to day life. I'm just as likely to get attacked in a random cafe.

I roll my eyes a bit at people who insist that burner phones are necessary.

A lot of security rituals you hear about from folks online are like this.

This is the kind of culture that leads to giving blanket paranoid security advice without threat modelling first.

@soatok It’s the security equivalent of cargo cults. If the ritual is complex, the protection must be strong!

@ra6bit @soatok And lo, the number 42 arrived with wit from a very clever man. And from then on, we agreed our random seed would be 42 so that we too might be clever men. And the API key shall be checked into the public repo lest we lose it in our sticky notes ....

#SecurityAntiPatterns #AntiPatterns #GeekHumor

@soatok Indeed. About the only reason I'd bother with bringing a burner phone to a conference is if I wanted to make it hard*er* for anyone surveilling the conference to confirm that I went (forcing them to gather additional evidence), or if I was going with the expectation that the hardware wasn't coming back with me.

Neither of which apply to most conferences I'd even remotely consider attending, therefore I don't bother with doing that. (Except laptops. Unless I need the chonkpad's hardware, I always take my old shitty one where possible, as it's an order of magnitude cheaper to replace that one should it grow legs and walk away...)

@becomethewaifu See, this is a reasonable threat model: laptops getting lost or stolen is more common than APT ninjutsu
@soatok this this this this
I know this is a bit off-topic, but there's this strange mindset common in some privacy-centric communities that everything you need to achieve Absolutely Perfect Privacy™ (100% unbreakable!!!) is to buy a specific set of expensive products and then proceed to commit to some random trends with negligible impact (e.g. people who use extremely outdated, ME-cleaned hardware or non-systemd distros due to... security concerns, I guess?)

And in this entire process, this snowball of a multitude of cargo cults, no one dares to suggest that maybe you should attempt to recognize what your actual threat model is.

@nullenvk @soatok

people who use extremely outdated, ME-cleaned hardware

Using such outdated CPUs, which no longer receive microcode updates, and pretending that CPU bugs don't exist doesn't seem like a good security strategy.

@soatok

I did it with a laptop.
More out of the "loss would be a massive hassle" angle.
I won't carry laptops on me all the time. That's way different from a phone, as in more chance for physical shenanigans, shoulder surfing, and then theft without "Raub" (robbery, in the German legal sense).

The goal of "thorough disassociation" takes exponential effort. With so many footguns it's not even funny.
Better not to carry a phone at all while being clandestine in a way where phones are relevant.

@soatok "But what if someone pops a totally novel 0-day at this Starbucks!?"
@soatok Huh, never thought of burner phones as a security thing as much as one of those things for people who drink... And I mean... drink heavily!!! and don't want to destroy their 1000+ dollar phone.
@soatok personally if I were an evil HACKER who wanted to steal your DATA I would do it at a conference full of turbo nerds who would catch me immediately instead of a random cafe where nobody is looking
@soatok I assume anyone recommending burner stuff at DEFCON got badly pranked by someone in the past and got all huffy about it, probably because they deserved it.
@soatok It is possible that for some threat models, a burner phone for DEFCON is appropriate. But I have been to 20ish DEFCONs and I have never felt the need to bring one.
@evacide Yeah, exactly as you say: It could be appropriate for some folks. I'm not one of them. :3

@soatok @evacide I can see a burner phone being appropriate if you are traveling to the US from abroad and have potentially sensitive data on it. Say you are working for a government, a critical infrastructure provider, etc.

Not due to DEF CON though, just regular security practices when traveling abroad.

@soatok I would argue more likely.

Ain't nobody going to burn a zero day at DEF CON. Like, you've got a couple of the world's most impressive hackers, not very many but more than the average density, going to DEF CON. If you burn a zero day there, it's going to be spotted and no longer be a zero day.

Whereas at some random-ass Starbucks, the chance that you've got someone who can decode your zero day on site? Slim to none.

@soatok Necessary? Of course not. Make me feel cooler and more important than I am, like a named extra in Hackers? Absolutely
@soatok any phone can be a burner phone if you abuse the battery enough

@soatok @evacide My first DEF CON, I went full paranoid. Burner phone, laptop without a hard drive, etc. My evaluation was that DEF CON isn't a horrible place, as long as you remember where you are. I also don't do anything like online banking either. And my phone has no apps. But that's _normal_ for me, along with "no web surfing" on phones.

If I've been breached, they've been polite and responsible. ;)