I'm heading to my first Defcon on Wednesday, and naturally, I'm a little bit anxious about prepping my devices so as to not get pwned. The advice I've seen for this varies wildly – some people go all out and use a separate phone and laptop for the convention, while others simply turn off wi-fi and Bluetooth.
I'm thinking the best strategy for me is somewhere in the middle – make sure I'm locked down and have backups, but don't put myself through hell when the odds of anything bad happening are realistically low. I'm not a worthwhile target; anyone who would waste 0days on the likes of me is probably not smart enough to have found a 0day in the first place.
So, I'll be bringing my normal work laptop (MacBook Pro), my normal cell phone (HTC 10), and even my tablet (Asus ZenPad 3S 10 – probably won't be using this much besides on my flight though). Without further ado, here is the checklist I'll be following to prepare for Defcon:
- Patch, patch, patch!
  - OS X system updates
  - `brew update; brew upgrade`
  - app updates
  - Android updates (if available)
- Backup everything.
- Shut down local web/database servers.
- Port scan myself with nmap – make sure I'm not running anything else.
- Enable 1Password Travel Mode.
- Withdraw enough cash that I never have to use an ATM in Vegas.
- Remove RFID cards from my wallet (namely my office badge).
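
An added example, not part of the original post, for the server-shutdown and self-scan items above: it reads `lsof -nP -iTCP -sTCP:LISTEN` output and lists the TCP listeners bound to something other than loopback, which are the ones other hosts on a network can reach. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are not bound to loopback only.
# Input is `lsof -nP -iTCP -sTCP:LISTEN` output on stdin.

exposed_listeners() {
    awk '
        $NF != "(LISTEN)" { next }      # skip the header and non-listening rows
        {
            name = $(NF - 1)            # *:3000, 127.0.0.1:5432, [::1]:5432 ...
            n = split(name, parts, ":")
            port = parts[n]             # port is whatever follows the last colon
            addr = substr(name, 1, length(name) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print $1, addr, port        # command, bind address, port
        }
    ' | sort -u                         # IPv4 and IPv6 rows often duplicate
}

# Constructed sample in lsof column layout (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
postgres  412 me     7u  IPv6 0xa1      0t0  TCP [::1]:5432 (LISTEN)
postgres  412 me     8u  IPv4 0xa2      0t0  TCP 127.0.0.1:5432 (LISTEN)
node      530 me    21u  IPv4 0xa3      0t0  TCP *:3000 (LISTEN)
node      530 me    22u  IPv6 0xa4      0t0  TCP *:3000 (LISTEN)
mysqld    688 me    19u  IPv4 0xa5      0t0  TCP 192.168.1.20:3306 (LISTEN)
EOF
}

# "live" inspects this machine; anything else runs the constructed sample.
if [ "${1:-demo}" = "live" ]; then
    lsof -nP -iTCP -sTCP:LISTEN | exposed_listeners
else
    sample_lsof | exposed_listeners
fi
```

Run it with `live` as the first argument to check the machine itself; each line of output is a command, bind address and port that is still listening beyond loopback.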
During the con
- Keep all unnecessary radios off (Wi-fi, Bluetooth, NFC, GPS).
  - Due to BroadPwn, I'm not gonna be using wi-fi at all on my Android devices (neither of them is up to the July update yet).
- In the con, only use direct-to-internet wi-fi. In the hotel, only use wired.
- Always use VPN, and turn it on before connecting to wi-fi.
- Leave laptop/tablet in the hotel safe unless I have a specific reason to bring them out.
- Do not let any of my devices leave my vision.
- Don't trust any device anyone gives me.
  - The last two are obvious, but I'm particularly keen on mentioning them now that PoisonTap is a thing.
- Use USB condom if using a public charging station.
- Only communicate using Signal if possible.
So that's my list. It might not be perfect, but I think it should be sufficient for me. What do you think? Am I too carefree, or even too paranoid? Did I miss anything crucial?