I'm heading to my first Defcon on Wednesday, and naturally, I'm a little bit anxious about prepping my devices so as to not get pwned. The advice I've seen for this varies wildly – some people go all out and use a separate phone and laptop for the convention, while others simply turn off wi-fi and Bluetooth.

I'm thinking the best strategy for me is somewhere in the middle – make sure I'm locked down and have backups, but don't put myself through hell when the odds of anything bad happening are realistically low. I'm not a worthwhile target; anyone who would waste 0days on the likes of me is probably not smart enough to have found a 0day in the first place.

So, I'll be bringing my normal work laptop (MacBook Pro), my normal cell phone (HTC 10), and even my tablet (Asus ZenPad 3S 10 – probably won't be using this much besides on my flight though). Without further ado, here is the checklist I'll be following to prepare for Defcon:


  • Patch, patch, patch!
    • OS X system updates
    • brew update; brew upgrade
    • app updates
    • Android updates (if available)
  • Back up everything.
  • Shut down local web/database servers.
  • Port scan myself with nmap – make sure I'm not running anything else.
  • Enable 1Password Travel Mode.
  • Withdraw enough cash that I never have to use an ATM in Vegas.
  • Remove RFID cards from my wallet (namely my office badge).
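
One way to double-check the "shut down local servers" and "port scan myself" items without nmap, as an added example that is not part of the original checklist: it TCP-connects to every port on the machine's own addresses and separates listeners reachable on the network-facing address from loopback-only ones. The names DEV_PORTS, lan_address, is_open and audit, and the port shortlist itself, are assumptions made for this sketch.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed shortlist of common local dev services; extend it for your own stack.
DEV_PORTS = {80: "http", 443: "https", 3000: "dev server", 3306: "MySQL",
             5432: "PostgreSQL", 6379: "Redis", 8080: "http-alt", 27017: "MongoDB"}

def lan_address():
    """Return the address of the default-route interface, or None if offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1; a UDP connect sends no packet
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()

def is_open(addr, port, timeout=0.3):
    """True if a TCP connection to addr:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((addr, port)) == 0

def audit(ports, lan=None):
    """Map each listening port to 'exposed' (answers on the LAN address)
    or 'loopback-only' (answers on 127.0.0.1 only)."""
    def check(port):
        if lan and is_open(lan, port):
            return port, "exposed"
        if is_open("127.0.0.1", port):
            return port, "loopback-only"
        return port, None
    with ThreadPoolExecutor(max_workers=64) as pool:
        return {p: state for p, state in pool.map(check, ports) if state}

if __name__ == "__main__":
    found = audit(range(1, 65536), lan_address())
    for port, state in sorted(found.items()):
        print(f"{port:>5}/tcp  {state:<13}  {DEV_PORTS.get(port, '')}")
```

A port reported as exposed is bound to a non-loopback address; whether the host firewall still filters it from other machines only shows up in a scan run from a second device.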

During the con

  • Keep all unnecessary radios off (Wi-Fi, Bluetooth, NFC, GPS).
    • Due to BroadPwn, I'm not gonna be using Wi-Fi at all on my Android devices (neither of them is up to the July update yet).
  • In the con, only use direct-to-internet Wi-Fi. In the hotel, only use wired.
  • Always use a VPN, and turn it on before connecting to Wi-Fi.
  • Leave laptop/tablet in the hotel safe unless I have a specific reason to bring them out.
  • Do not let any of my devices leave my vision.
  • Don't trust any device anyone gives me.
    • The last two are obvious, but I'm particularly keen on mentioning them now that PoisonTap is a thing.
  • Use a USB condom if using a public charging station.
  • Only communicate using Signal if possible.

So that's my list. It might not be perfect, but I think it should be sufficient for me. What do you think? Am I too carefree, or even too paranoid? Did I miss anything crucial?
