Thread: So, for my first time, I went to #BHUSA2018 (@BlackHatEvents) and #DEFCON26. I took my main phone and laptop, and on conference day 1 went completely non-anonymous with an Android platform security team T-shirt on. Let me tell you what happened. 1/n
For context, prior to the first main conference day, I did 2 days training with @colinoflynn on power analysis and clock glitching with #ChipWhisperer and learned a ton. This has shown me how easy such hardware attacks can be today. 2/n
For those 2 days, I brought an old loaner laptop to work with the provided #VirtualBox images (which is not supported on ChromeOS at this time). Yes, I did plug in @colinoflynn's USB stick into this loaner laptop (without configured accounts). 3/n
On the other days, I simply brought my main Pixel 2 and Pixelbook, both with my personal accounts as well as @Google corporate accounts configured (on Android using work profile to keep personal and work lives apart - I really like that feature!). 4/n
And yes, against common advice, I did log into all my mail and many other accounts while there, call my family, etc. Stupid, I know, but usability wins over paranoia even for security geeks while traveling.... 5/n
In the spirit of full disclosure, I did break my normal pattern on one account: on the Pixel 2, I disabled WiFi and Bluetooth (which, on most days, I simply leave on all the time). 6/n
The main reason was battery usage (I wanted to get through loooong days with high screen time), but I admit that I am not yet fully happy with the radio-side attack surface (working on more fuzzing and mitigations on that side, so stay tuned for next year's experiment ;) ). 7/n
Now, finally, after all that intro/context, the list of all the bad things that happened to my devices and accounts:
.
.
.
.
.
.
.
.
1. I got 2 spam calls (well, normal in the US).
2. I got more spam emails (well, the hotel now has my address).
8/n
.
.
.
.
.
.
.
.
1. I got 2 spam calls (well, normal in the US).
2. I got more spam emails (well, the hotel now has my address).
8/n
3. My Twitter account took way too much time to read (thanks to #BHUSA2018 craziness).
4. So far, nothing else.
Thanks for staying with me for that long for a complete anti-climax. I will keep watching my personal servers, and Google will certainly watch my corp account. 9/n
4. So far, nothing else.
Thanks for staying with me for that long for a complete anti-climax. I will keep watching my personal servers, and Google will certainly watch my corp account. 9/n
Why wasn't I concerned going there? Because I consider the network (outside my very own LAN) untrusted anyways, use TLS or VPN for everything including server verification, 2FA where possible, and have a reasonable device lock screen (and keep an eye on my physical devices). 10/n
Doing that only during time spent at security conferences but not otherwise would be foolish. Attacks can happen anywhere, especially when you are a potentially exposed target. Just use proper IT security hygiene, and you don't have to be afraid of #BHUSA2018/#DEFCON26. 11/11
