Surviving a hacker conference


With another hacker conference looming in front of us, it’s time to start thinking about hardware security. Hacker conventions have the most hostile network you’ll ever encounter. [Security4all] points out that 25C3 already has an extensive page on securing your hardware. It starts from the ground up with physical security, BIOS passwords, and locking down bootloaders. There’s a section on securing your actual OS and session. Finally, they cover network usage. It mentions using SSH for dynamic forwarding, which we feel is a skill everyone should have. We’ve used it not just for security, but for bypassing brainless bandwidth restrictions too. There’s also the trickier transparent version. Every piece of data you bring with you, you risk losing, so they actually recommend just wiping your iPhone and other devices before attending. It’s important to remember that it’s not just your own data at risk, but everyone and everything you communicate with as well.
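As an added example (not from the original post or the 25C3 wiki), here is the SSH dynamic-forwarding setup the summary has in mind, written the way you would want it on a hostile con network: a SOCKS listener bound to loopback, a pinned host key so a rogue network cannot stand in for your server, and a small lint that refuses a config missing those settings. The host alias, hostname, user and known_hosts path are placeholders.

```shell
#!/bin/sh
# Added example, not the blog's or the wiki's own code. Writes a hardened
# ssh_config stanza for a SOCKS tunnel and lints it. All names are placeholders.

write_tunnel_config() {            # $1 = path of the config file to write
  cat > "$1" <<'EOF'
Host contunnel
    # Placeholder: a box you control and whose host key you pinned at home.
    HostName tunnel.example.invalid
    User you
    # SOCKS5 listener for the browser, bound to loopback so nobody else on
    # the con Wi-Fi can use (or watch) the tunnel.
    DynamicForward 127.0.0.1:1080
    # A hostile network is exactly where someone can impersonate your server:
    # only accept the key pinned in a dedicated known_hosts file.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_pinned
    # If the SOCKS port cannot be bound, fail loudly instead of sitting on a
    # half-working tunnel while the browser falls back to the open network.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    Compression yes
EOF
}

# Lint: each hardening option must be present, otherwise the check fails.
check_tunnel_config() {            # $1 = path of the config file to check
  for opt in 'DynamicForward 127.0.0.1:1080' 'StrictHostKeyChecking yes' \
             'UserKnownHostsFile' 'ExitOnForwardFailure yes'; do
    if ! grep -q "^[[:space:]]*$opt" "$1"; then
      echo "missing hardening option: $opt" >&2
      return 1
    fi
  done
  return 0
}

# Usage (append the stanza to ~/.ssh/config, then):  ssh -N -f contunnel
# Point the browser at SOCKS5 127.0.0.1:1080 WITH remote DNS resolution
# (Firefox: network.proxy.socks_remote_dns = true). For curl use
# --socks5-hostname: plain --socks5 resolves names locally and leaks every
# hostname you visit to the con's DNS server.
```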

Comments

  1. Anonymous says:

    I think the best tip I can offer to someone going to a hacker conference is this: Bring a friend. I had never been to a hacker conference before when The Last Hope started coming near, and I wanted to go. Trouble was, none of my friends who were into that sort of thing were in town, and even if they were I doubt any of them would have dropped ~$80 for the event. I then made the mistake of going by myself. I figured I could meet people there to have discussions with, since everyone had more-or-less similar interests. Basically everyone there was one of two types of people. Either they were willing to talk but were somewhat shy and awkward, or they were complete assholes who were very unfriendly and gruff if you tried to talk to them. Additionally, the event staff were complete dicks. I remember one guy wouldn’t let people into an area near the “main stage” even though there was plenty of space and when people didn’t realize and would think they could walk over there to stand, he’d go “WHAT THE HELL DO YOU THINK YOU’RE DOING?!!”. A lot of people were angry at this guy and making comments about him. This wasn’t the only guy either, a lot of the event staff were definitely enjoying feeling “superior” at the expense of the convention-goers as they power tripped their way around the Hotel Pennsylvania.

    As far as HOPE goes, I think it’s over-hyped. If it was cheaper it wouldn’t be so bad, but as it is it’s just such a high price to pay for spending the day with nerds who can’t function socially IRL.

  2. broken_thought says:

    Shouldn’t a hacker conference be the most secure anyway? Shouldn’t they actually take measures to keep the malicious hackers out of and away from these sorts of conferences?!

    I mean, I can understand that some people just suck and like to use their genius and/or skills for evil because it’s generally more fun but still…

    I just really think that there should be more “ethical” hacker conferences and if there are lots of ethical hacker conferences then they should get more publicity

  3. Matt says:

    How is it possible to bypass bandwidth restrictions with SSH tunnelling? Does the summary mean bypassing traffic shaping rules, or bandwidth caps? I can’t see how tunnelling bypasses caps.

  4. O Mattos says:

    matt: many bandwidth caps only count certain kinds of traffic – for example one I saw only counts IP traffic addressed outside the building, therefore by sshing into another machine in the building and then from there sshing outside the building, you could bypass the cap.

    Also, most places don’t apply their bandwidth cap to their own DNS server – some server software can be used to relay quite large quantities of data fast, but it has the downside the DNS server may crash.

  5. Jonas says:

    broken_thought:
    you want to take these kinds of precautions on _any_ public network. it does not matter if it is the coffee shop, university or hacker con network

  6. Andrew says:

    Instead of wiping your iphone, etc…
    why not just turn it off?
    If your phone is -dumb- and stays on if you turn it off (you know what I mean), pull the battery.
    wait until you leave the convention to turn it on, and live like normal. Tell your loved ones they’ll just HAVE to wait to talk to you for a few hours.

    What do you guys say to a complete noobie going to one of these things, to perhaps learn about the ways of hacking? Would there be informative presentations that the noobie would potentially understand and learn from?
    [talking about myself]

  7. hacker says:

    MY one suggestion would be to NOT drink too much the first night… made a terrible mistake of that last notacon.

  8. j-striker says:

    I think the point of wiping your phone is you won’t lose the data if it’s physically stolen. Presumably you have backup somewhere you can restore after the con.

  9. crobicha says:

    To the anonymous poster who attended The Last Hope alone:

    I was in the same boat as you, all of my friends bailed on me at the last minute so rather than miss the conference I chose to go alone and I had the complete opposite experience as you. I found that the majority of people were friendly and would talk to you about just about anything. True there were a few people that were rude or had a know-it-all attitude but most people would open up if you were willing to do the same. Actually, though I had never been to NYC before, after a few hours on the first day I felt so at home that I completely forgot that I was by myself. The staff was firm but helpful, they had to deal with fire codes and lots of hacker-types who aren’t always the most obedient people to the rules. Overall I had a great time, met a lot of cool people and can’t wait to attend The Next Hope in 2010.

  10. ssn says:

    The c3 was always a very nice place to talk to people and learn stuff. That’s the reason to go there. The talks can be streamed from anywhere.

  11. @matt

    It was a very silly situation: they were only restricting bandwidth for port 80. Which made browsing obnoxious. Everything would screech to a halt after 30 seconds if you started to download something.

    The solution was to tunnel the traffic over another port.

  12. beakmyn says:

    Go with an open mind. Most people aren’t there to be malicious. Although some are. If you absolutely have to send that email, don’t. But if you’re a freak and have to, then use the secured Con network, not the hotel. Even if it’s not 100% secure, it’s safer. Last year’s ShmooCon network was quite good and required certificate-based authentication. Even then, set up a VPN connection or some other type of encrypted tunnel. Me? I have a VPN set up at home that tunnels all my traffic through it, including DNS.

    As for securing your personal items the normal things apply. Granted I don’t think you’ll run into a snatch and grab but if you leave something lying around unattended chances are it could walk off. Or if you left it near me or some other folks it’ll still be there but it might have some extra stuff on it.

    Having outside interests helps at a Con, while we all go wanting to learn about the same things we don’t necessarily want to talk about it 24/7. Read any good books? Know how to play cards? (Mao?).

    And get your immune system up to par. I made the mistake last year and caught the 24hr DC bug that was going around. Put me out for 18hrs straight. Trust me, it’s worse than a hangover.

  13. I guess you should not use your network card unless you really really trust the firmware. And do you trust it? Mmmmhhh…

    Do you really **need** network access during the conference at the conference hall?

  14. Myrcurial says:

    @anonymous – sorry you didn’t have a better time. Low Cost cons generally run entirely on volunteers – you get what you pay for. FWIW, the HOPE security staff were no worse than the average. As for getting connected with people, remember that most geeks/nerds/hackers fall *deeply* to one end of the sociability (autism/aspergers) scale. Mostly, you’ve just got to be really open to all kinds of experiences. If you happen to be at any other con and see me, feel free to say hi, I’m pretty good with the social skillz.

    @broken_thought – wow, you’ve missed the point completely haven’t you? What’s the difference between a locksmith and a burglar? Ethics and intent, the knowledge base is pretty much the same. Do you have a sure-fire test for ethics and intent? If so, I know people who will pay billions of dollars for it, not to mention the incredible utility that your test would have for law enforcement. Please send me your bank account information so that I can wire you payment in advance of you providing the test to me. KTHX-BYE.

    As for what I do?

    Trust is very expensive at cons. It’s also EXTREMELY expensive at hotels and in airports. Trust as little as possible. Take only what you need. Revise your packing list after each trip – if you used it only once or could’ve borrowed it, leave it out for the next trip. The only real exception is “things I can trade for other cool things” – e.g. H-a-D t-shirts — of which I still would love one btw.

    VPNs are good – especially ones that do not rely on DNS to be correctly functioning.

    Turning off bluetooth is also good.

    Having a computer with a use-once-and-discard image on it is also a good plan — I’ve used my eeePC for this.

    Putting down the computer and talking to someone in the hallway is probably better for you anyways. Consider leaving the computer at home.

    Most of all – go. Run. You know you want to.
