(For those unfamiliar: there's a tired annual joke about DEF CON being cancelled, the scene's equivalent of trying to sell the freshmen elevator passes, so expect lots of jokes about how the conference hasn't been cancelled. It has, predictably, been in fact cancelled this year.)
Along with Black Hat (the "professional" version of Defcon) and B-Sides Las Vegas, this is "security summer camp", the weeks at the end of July and beginning of August. None of these events are likely to occur on-site this year.
Later
And, on cue, in-person Black Hat is cancelled as well:
Too bad the Wikipedia entry is completely wrong on when he coined the term. If it was in response to the July 2011 tornadoes in Joplin, then how come I have a video of him giving the WFI anecdote in November 2009 at RHOK#0 (Random Hacks of Kindness hack day)?
> What else might be options for securely accessing the event?
I generally recommend ensuring that your security posture for DEFCON is the same baseline security posture you should have at all times, and for all websites, and then adjusting your habits accordingly months in advance... and then just chilling out because you've adopted a more secure normal (and DEFCON isn't particularly risky compared to everyday life).
Pantomiming paranoid-level security during hacker summer camp is silly. This is true for both in-person events and this year's virtual event.
If you're worried about getting hacked at DEFCON, don't wait until DEFCON to become secure, and don't become lax after DEFCON is over.
If you were a blackhat, burning a 0-day at DEFCON would be a huge waste. You probably wouldn't get anything interesting, and chances are someone would catch it.
Nope, you definitely do not. It would definitely get the attention of some vulnerability development types! But there are also more professional - if occasionally less fun - ways to go about that.
If memory serves, the "open" network has seen novel attacks used in years past. But not many.
For example, I might choose not to bring a laptop and just use my phone + take paper notes.
But that's more about not wanting to have to keep track of my laptop than fear of evil maids. Unplugging for a bit can be rewarding mentally and if it's not with you it's one less thing that can be lost or stolen.
Physical based attacks were the majority of the risk, and that was, practically, pretty minimal. If you want to watch from inside a VM, great, but mass attacks against watchers? I'm not seeing it. (Been going since DEFCON 9)
Indeed if someone could 0wn your box simply from you watching a stream of a talk at a conference, it would already have happened.
The bigger risk is IMHO to end up on someone's watchlist, especially if the country you live in isn't particularly respectful of your individual freedom.
There's no doubt that I already am on a watchlist in the USA. Most anybody who's given talks at hacker cons, and then been approached by the mil side of govt, is. And frankly, I don't care.
Hacker con sec can be boiled down to 2 simple principles: update yo shit, and if you have access turned on (ssh, etc.), know their threat model.
Well, yeah. But the US progression to being on a watchlist is a (metaphoric) white van for more watching. Other countries get you a (metaphoric) black van that takes you somewhere unpleasant.
This will be fascinating to attend/watch not just to see the impacts of doing it all virtual, but the fact that it’s free is going to attract a monstrous (virtual) crowd.
Last time I went in person, you couldn't get into the best talks unless you picked one or two and camped for the day, because all the halls were overflowing with people. I think it was the last year they held it at the Rio.
That’s been a constant DEF CON theme at least since the Riviera days but had (IMO) improved incrementally with the move to multiple larger venues and was expected to be all but resolved with the move to the new Caesars Forum.
(New venue is/will be (?) absolutely enormous; featuring the largest “pillar-less” ballrooms in the world it promised the ability to accommodate not only all talks and villages in a single venue again but everyone in a single keynote talk. Looking forward to witnessing that next year.)
edit: It's occurred to me that it could conceivably be more difficult to get into talks at this year's virtual event than it would have been in-person. Perhaps they'll implement a virtual waiting room so we can get our LINECON fix.
> but had (IMO) improved incrementally with the move to multiple larger venues
I feel like it is getting worse, and can't wait for Caesars. With the multiple venues and hallway congestion most of the people in my company were able to get to 2-3 talks a day max.
Counterfeit DEF CON badges (and a sanctioned competition for them) have really added to capacity issues since about 2016. I know of one vendor that sold over 1,500 last year.
I'm sure I'm devoting more time to villages, workshops, and non-DEF CON talks than I used to (after all the official talks end up on YT a couple months after the event). It did seem to me--CP elevator choke point notwithstanding--that separating talks from the rest of the con by a 20+ minute walk did shorten LINECON but I'll concede there's a small chance that I'm becoming more patient or (more likely) that my experience was not representative.
Regardless, I am very intrigued by your experience with counterfeit badges. I'm familiar with the counterfeit badge contest and many jokes were made about last year's "urinal cakes on a lanyard" but this is the first I've heard suggesting there was effectively mass production of counterfeit badges. Can you tell us more?
While lame, that certainly seems much more feasible than mass-producing 1500 copies of an electronic badge (or even a mock thereof) in the span of a couple days but it also renders mention of the sanctioned (actual) badge counterfeiting competition (which to my knowledge involves paying competitors) irrelevant.
Given that #badgelife folks have difficulty manufacturing hundreds of badges they themselves designed and there's been no real scrutiny of attendee badges as would surely result if it were found that 5%+ of attendees had counterfeits, I have to call bullshit.
If reasonable evidence is presented to the contrary, I will eat my hat by donating the $300 I won't be spending for this year's DEF CON admission to the EFF.
Given the attendees, I'm surprised some didn't seriously mess with anybody entering their rooms. At the very least, one would expect all the goons getting doxxed, their phones pwned, and the whole shaming posted somewhere.
This, and it's not about DEFCON, or conventions in general. I stayed at TI a while ago, and didn't have housekeeping come in my room for 3 days (I honestly just don't like people in my room). Eventually they did send up a security team to knock on my door. As soon as I answered and talked to them, they just went away and were happy I was alive. But this is a new pattern by Vegas hotels since the Mandalay Bay shooting; this had never happened to me in many years of Vegas before that.
I think if you just randomly visited Mandalay or Caesar's on vacation, you'd have the same likelihood of having your room looked in on. Every room has a notice to that effect now.
This isn't exactly true. If you tell them you don't want housekeeping service, they insist on having a staff member check inside your room at least once every 24 hours. If you're OK with having your room made up, they weren't searching rooms. I had no problems at DEFCON because I like having my room cleaned.
Reviewing the post, it is unclear what, if anything, this update by DEFCON means to those who had not intended to attend but might now, since it now appears that for this year only a real-time remote-access event is being held.
It's incredibly disappointing to see DEF CON, a conference where you can still show up and pay for entry in cash, adopt a centralized, hosted, unencrypted system (Discord) that requires both:
1. that you enter into an abusive legal agreement wherein you agree to give up your civil rights
and
2. that you dox yourself to get an account (you have to give either a non-VPN IP, or a non-VoIP phone number)
My Discord account got banned from being created from Tor and using a burner number and linking my own friends to my own website in DM (because they spy on all the unencrypted messages, natch).
This means I won't be able to participate in DEF CON this year. :(
The sneak.berlin instance is a small or single-user instance operated by a software author who writes hostile instance-scraping bots. On the web page for that software, in the ironically named "ethics statement", he writes:
“Publishing your toots/messages on a server without marking them private or requiring authentication and thus making them available to the web is an act of affirmative consent to allowing others to download those toots/messages (usually by viewing them in a browser on your profile page). If you don’t want your toots downloaded by remote/unauthenticated users on the web, do not publish them to the web.
If you publish them to the whole web (and your home instance serves them to all comers), do not be surprised or feel violated when people download (and optionally save) them, as your home instance permits them to.”
This is an interesting take on online privacy, to be sure: "because you have not physically restricted me from harvesting your information, you are affirmatively consenting to it". This is much the same argument as "you shouldn't have let me hit you" and carries about the same moral weight with me.
By choosing not to talk to this instance, I hope we make clear that the Free Radical community does not wish to interact with the author or his software.
> This is much the same argument as "you shouldn't have let me hit you" and carries about the same moral weight with me.
I'd rather compare it to not locking your bicycle and then complaining someone stole it. It may be illegal but you're a bit naive for expecting otherwise.
Also, in this instance the users were able to notice the data collection. What about the instances where they aren't, because the scraper just keeps to themselves? And then maybe they start getting very well-targeted spam or phishing, and maybe never find out how they were able to do that?
Yes, I wrote a web spider that allows anyone who runs it to collect and index public, published data.
If one were to run it, it does not violate anyone’s privacy because it only indexes information from the public, unauthenticated web.
It’s a bit of a stretch to claim that I myself am collecting anyone’s data. I write software. As a point of fact, I have actually never spidered or indexed the Fediverse (yet).
The software I wrote sends requests to webservers, which are in no way obligated to reply to those requests with any information. This is how the web works, and the tool I wrote is no different than any other web spider/indexer from an ethical perspective.
ActivityPub users seem to have interesting concepts of what it means to have “published”.
So, you want perfect privacy for yourself, but also it’s ethical and good to harvest and archive everyone else’s information because they haven’t explicitly blocked you personally from it.
That’s why I have a bit of a hard time taking your complaints about Def Con seriously.
I believe you may be confused. I do not wish any privacy whatsoever for the information I publish unauthenticated on the public web.
Quite the contrary, I wish for the things I publish to be read and understood as widely as possible.
That's how the web works: if your webserver (or web host, or mastodon instance, or whatever) receives a request for a webpage, and then it says "yes, sure, here's the webpage", and sends it to the requesting user, there's no ethical or moral framework which at that point says that the webserver has been wronged by the requesting user having that content. It literally sent it to them voluntarily.
If you (or your server, or your host) hands out data to all comers, it is not reasonable to then say that those other people should not have access to that data. You (or your server, or your host) provided it to them.
I would like to point out that you are posting this very comment on a centralized, hosted, unencrypted system.
But in all seriousness, the DEF CON Forums are generally full of helpful knowledgeable people who can help guide you in creating a non-attrib Discord account if you are having problems.
I would like to point out that one can assume different identities on the web, and that I am fine giving my personal email and address to my bank, but perhaps not to a hacker conference. Why? Because it's my choice.
“Hosted” means, in this instance, by a third party: not DEF CON or the DEF CON attendee, but the external service Discord. HN is first-party, it is not SaaS or “hosted” in this sense of the term.
HN doesn’t have DMs, which is a very important distinction. There are no write interactions on HN other than votes and display/noprocrast settings that are not expected to be fully public.
There are no interactions with HN that are assumed to be private, such as talking to other people directly.
How well does such a bridge work in practice? I realize this isn't the case for all bridges but the matrix.org->freenode bridge is rather infamous for failing in strange ways (asymmetric message forwarding, intermittent lag, etc.)
And I'd assume such a bridge would lose some interactivity features proprietary to Discord.
https://twitter.com/BlackHatEvents/status/125883283428810752...
Black Hat is still going to happen virtually (we just finished selecting talks).