Las Vegas Summer Camp Survival Guide
I've written "guides" for attending the week of conferences that surround DEF CON in the past, and as the landscape changes so does the advice. Originally, DEF CON was an extended weekend conference, then Black Hat was started by the DEF CON folk for the more corporate crowd - taking place right before DEF CON. BSides Las Vegas takes place at the same time as Black Hat and the beginning of DEF CON, additional conferences have cropped up as well. Some of these conferences are "inside" of DEF CON itself, in that you have to pay for DEF CON to get to the "inside" conference. At this point a lot of people simply refer to the week as "Summer Camp" or some variation of that for the week's festivities. Hackers of all hat colors, US federal agencies, corporate professionals, vendors, spies from other countries, wannabes, newbies, and the curious all are in attendance, and the entire event is concentrated against one of the most horridly corrosive backgrounds ever - the Las Vegas strip. There is usually at least one other major conference going on at the same time (one year it was the annual Star Trek convention, that was fun), and it is the summertime with plenty of tourists on summer vacation. Consider this a survival guide, but really it is more of a warning than a guide, and is geared toward first-time visitors.
You Will Be Offended
If you are a first-time attendee, and you are easily offended or "triggered" then this is going to be a long week. Some of those rough and evil commenting trolls from various online forums and social media outlets will be there, not afraid to unfurl their troll flag. DEF CON is considered counter-culture to a degree so you could encounter people that will purposely try to offend, just for a laugh or to stir the pot. They’re not everywhere and you could attend for years and never have such an interaction, but keeping this in mind will help. By that same token, they are more "tolerated" during this week than in most other settings, so you might see someone doing something offensive and a number of bystanders laughing at them instead of trying to reign them in.
It is a mixed bag for sure. You will encounter great folks who watch out for each other and certainly watch out for our community, but you may also encounter someone yelling and cursing, nudity, or something else entirely. In spite of this, some people bring their kids (I brought my youngest when he was 12) and there are even events just for kids.
A lot of people say things like "don't bring a phone or laptop" and other nonsense. While one can understand the simple reasoning behind the sentiment (and it is an option), the truth is that with some security basics any security-minded person should be just fine with a laptop and phone in tow.
But let's talk about the threat model first. What is one really up against? Outside of the in-your-face slap of Las Vegas culture that exists on the strip year-round, there are four main threats around Summer Camp: spies aka the Intelligence Community (IC), hackers, hotel staff (really!), and good old-fashioned crime. Spoiler alert, the latter is the main threat, but we will discuss all four.
Spy vs Spy
There are several reasons why the various US government agencies started going to Vegas for DEF CON, and all of the other events that make up Summer Camp. Originally, it was seen as this fringe group of hackers who might have been involved in criminal activity now hanging out at a conference, so the feds wanted to show up and check them out. The FBI and Secret Service were the main ones, and more followed. Often they wanted to attend the talks and learn, several were there recruiting, but many were also involved in actual field work - working undercover, monitoring attendees currently under investigation, starting new investigations, and so on.
A lot of foreign intelligence attend Black Hat and DEF CON. This is also to learn and network, but often it is for spying or attempting to steal information from unsuspecting conference attendees - up to and including breaking into hotel rooms to steal hacker secrets from unattended laptops. However as dramatic as it sounds, many of these nation state spies come to the United States to spy on each other. For example, if one country learns that another country is sending some spies to DEF CON to learn and network, they will send their own spies to spy on them.
As a result of all of the other foreign intelligence activity, along with plenty of hacker-types, the US government sends a substantial amount of representation. The hotels themselves have reported to the Black Hat and DEF CON organizers that the number of people requesting the US government hotel room discount rate skyrockets, and when you compare that with the amount of federal employee conference attendees, some quick math reveals the large majority of federal agents in Vegas are there working and not attending conferences. They are spying on hackers, but also spying on other spies.
While all of this sounds like a great setting for a spy movie, it is rare that this activity directly impacts the average attendee. Yes, hotel rooms have been broken into by spies, hotel rooms have been bugged, evidence collected, and in some cases, arrests have been made. Researchers, security companies, and representatives from all kinds of target companies do attract the interest of these spies. But the average attendee has little to concern themselves with - just be aware that this does help add to the overall paranoid state among attendees.
This is a substantial threat. There is a combination of former, current, and up-and-coming hackers along with other security types in a highly stimulating environment. There are vendor-sponsored open bar parties (mainly during Black Hat), detailed conference talks covering new hacking techniques, and a sometimes unhealthy level of "I am better than you" tossed in for good measure. Many old friends who met while breaking into systems together start reminiscing over drinks. Seeing old rivals in person might trigger a paranoid hacking reaction. In other words, the possibility of collateral damage - if not direct attack - is there.
Most of the network administration provided by the conferences are done by professionals who do this for a living, who feel challenged by the daunting task of handling such a volatile network, and take great pride in providing a secure environment for attendees. Many security companies volunteer to put their latest and greatest network security products on the conference wireless networks as well. This has caused some of the more nefarious attendees to consider other networks to play hacker games: hotel-provided Wi-Fi, coffee shops, fast food restaurants, and other popular hangouts with free Wi-Fi become quite hostile. Many attendees who have experienced issues are usually on those types of networks when they encounter problems.
That being said, the dreaded zero day vulnerability being used on any of these networks is a rare occurrence indeed. No one wants to try out their zero day on a network being monitored by spies, vendors, security personnel, and hackers - you end up giving up the game. The closest thing you will find to that is if a particularly bad security bug was patched a week or so before the conference, and more than one person decides to take advantage of a bug on systems that might not be patched up.
This one may seem like a fairly recent development, but it is one that has always been there. Hotel staff can enter your room at any time, day or night, and there is not a lot you can do about it. The thing that really brought it home was the shooting from a Mandalay Bay hotel window of nearby concert attendees from a few years ago - the very next Black Hat (which was at Mandalay Bay) brought random room searches. Many conference attendees were shocked and rather scared, and media reports of hotel staff abusing their power by taking photos of personal items or needlessly harassing guests did not help the situation.
Like I said, this is something that hotel staff has done for years, it is just happening more and is more obvious. Think of it like the TSA - a part of their presence is what we refer to as security theater. Do something, but let regular people actually see you doing something, so it in itself becomes a deterrent. Actually, it makes the regular people feel safer because they can see something is being done where they didn't see it before - even if it was already being done.
Locks on doors, even the deadbolt latches, can be bypassed by hotel staff easily (or anyone, there are plenty of videos online that demonstrate this). When you rent a room, you are doing just that - renting. You don't own the place, so your rights are rather limited. In fact in the heat of the moment of hotel staff entering your room, you yelling at them is not going to convince the staff to behave any differently. In fact, it will probably just piss them off and make the situation worse.
Certainly the Vegas shooting situation brought the issue to the surface, but hotel staff - particularly security staff - have multiple reasons why they can enter a room. People die in hotel rooms, sometimes from medical issues, sometimes from murders, and sometimes from suicide. As a result hotel staff have tools and techniques to gain entrance to a locked room. They've just decided to add "sweeps for weapons stockpiles" to the list of reasons, at least in the hotels on the Vegas strip.
Straight Up Crime
Pickpockets, laptop and phone thieves, assault, robbery, credit card skimmers, and a host of other crimes are easily the most common issue one might encounter in Vegas. I know a number of people that have encountered issues during Summer Camp, and it is 95% regular crime. In the vast majority of these cases, the victim is picked out of convenience, and the criminal has no idea they are going after a conference attendee.
Here are a few steps to help make things safer:
Prepare your tech. Your laptop's hard drive should be encrypted, and you should make sure everything is up to date patch-wise. Before you leave for Vegas, update your laptop and your phone. Securing your tech means you need to lock things down a bit. Turn off Wi-Fi and Bluetooth on your phone, and use your cellular plan. When using your laptop, make sure Bluetooth is off, and tether to your phone for Internet connectivity. Bear in mind that the scariest network to attach to is the Internet itself, but there is a slight concentration of people in town with you for a hacker conference that know how to do those scary things. Basically anything you might do to shore up a server or Internet-exposed service, do that to your tech. If you're concerned that some hacker-type will put up a rogue cell tower to snarf your phone traffic, remember that the US government is there trying to spy on other spies, and they want no interference. They will shut down rogue towers ASAP, and since they're illegal and there are a zillion feds there, it could be an easy conviction against rogue tower operators. So, it is a danger, but highly unlikely.
Personal VPN. You can get away with something like CloudFlare's 184.108.40.206 (free) or opt for something a little better such as NordVPN or ExpressVPN. While this might be enough to hop on Wi-Fi, avoid it unless it is absolutely necessary - such as for work. Many of us have to work while there and tethering might be too slow to get things done, so only use Wi-Fi when it is dire, and use a VPN.
Secure your tech. Physically secure it. This means keeping an eye on it. The best way to do this is to have it with you at all times. A messenger-style laptop bag is best. Walking around with a backpack isn't great as the pockets to your tech are 100% out of your line of sight, unless your backpack supports security features that allow it to be locked. Yes you will stand out as odd at some parties holding that messenger bag, and some clubs may demand a search before entering, but you're secure in knowing where your gear is at all times. It is easiest to simply use the laptop bag as a day bag or purse with those things you need to get through the day in the bag. Remember the hotel staff threat? The spy threat? Well if they come into your hotel room while you're out and everything you care about is with you, good!
Don't trust the hotel room. Speaking of the hotel room, this makes it easy - don't leave valuables in your hotel room. That way you don't have to worry if someone breaks in, nor do you need to fret over hotel staff barging in. Remember the hotel door can be opened from the outside with the proper tools, and hotel staff has those tools. Don't trust the room safe either. How many people do you imagine lock that safe and forget how to open it, and have to call the hotel staff to get it open? Or check out and leave something behind in it? If you have something valuable and you want to leave it at the hotel, have hotel staff lock it up in their safe downstairs. You are still trusting someone else, but at least it is in a space where there are cameras on it.
Bring cash. If you are attending both Black Hat and DEF CON, when you purchase your Black Hat badge you can also get your DEF CON badge paid in advance, otherwise you have to buy it up front. And when you buy it up front, you have to pay cash. Either way, to pick it up you have to wait in what can be long lines, so plan accordingly. It is recommended you try and stick to credit cards during the trip, but bear in mind that Las Vegas is a city that is in the business of trying to separate people from their money, and skimmers pop up with a fair amount of frequency. Anything away from a camera that accepts a credit card - a lonely ATM in a corner that is off any casino floor or the back seat of a cab with the card reader in the passenger area - is suspect. ATMs near the chip-cashing on the casino floor are fine. But to really nip it in the bud, bring cash with you. Bear in mind, too, that if you’re exploring the vendor area at DEF CON there will be vendors there that also only accept cash, so it is not just your DEF CON entrance ticket fees you need to plan for.
Alternative pay methods. If you have Samsung Pay, Google Pay (formerly Android Pay) or Apple Pay, use those wherever they are accepted if you can. It is safer than credit cards, including the entire European chip and pin model. At the crypto math level there are a few differences between these three major digital pay systems, but the difference is so minor it makes no real world difference in safety. If you can use something like say an Apple Watch for the Apple Pay part, even better - this is much safer and you’re not reaching into your purse or wallet revealing where your credit card is stored. Virtual credit cards are another alternative to regular credit card use. While intended for online purchases, there are some vendors that do supply physical cards. One could also get creative - if a vendor or business allows you to make a purchase online for in-person pickup, you could use a virtual credit card and go grab your purchase.
Avoid being a victim of crime. This means wallets in front, laptop bags and purses secured and up front, be mindful when in crowds, and make sure when you are with friends on those late night excursions. Avoid sketchy areas, because there are some really sketchy areas. Don't zombie walk while staring at your phone - remain alert and observe your surroundings.
Adult activities. There are numerous adult activities one can engage in while in Vegas. If you are "important" (and most of us are not) try to avoid activities that can lead to blackmail. Tinder and Grindr, or visiting certain establishments of an evocative adult nature in Vegas might seem like a good idea, but you are possibly setting yourself up for problems.
Imbibement. Alcohol is everywhere in Vegas it would seem. Moderate your intake. That talkative fellow nerd you just met at a vendor-sponsored party might be social engineering you. Marijuana is legal in Nevada, and while you may see (or smell) people using it on the strip, it is still illegal to consume it anywhere near businesses with gaming licenses - i.e. casinos. This is why there are no dispensaries on the strip (you'll have to rideshare or taxi to go get it). The only place to legally consume it is in a residence - not a hotel room. As of this date there are no smoking lounges or other such establishments, so you'll have to get a vape pen or edibles to consume it discreetly (again though, still illegal on the strip including your hotel room). If you leave it in your hotel room and hotel staff discovers it, they could report it and involve law enforcement, and bare minimum will probably kick you out of the hotel. And for the love of all ones and zeroes, don't take it to the airport even if you are flying to a weed-legal state or even in state (say to Reno). Remember the TSA are feds and possession is still a federal crime.
Don't hack. This one might seem simple, but don't hack stuff while you are there. This is one of the largest groupings of federal agents and spies, to say nothing of security professionals wanting to make a name for themselves by catching a hacker in the act.
Final Tips to Remember
Use common sense. Don't bring things you think you might need, bring only the must-have stuff. Only wear a conference badge at the conference (or outside events that require them), not out walking around. Have medications (including hangover medicine) with you. Dress comfortable. Don't overindulge. Stay in groups with people you know and trust. Expect to be offended, and be surprised if you are not. Embrace the crazy. Chill. Most importantly, have fun!
Special thanks to all of my co-workers on the GitLab security team who helped contribute to this writeup!