I’m getting ready for PuppetConf shortly and that got me thinking about how to survive conferences with your gadgets operations security (opsec) intact. Here are a few things I’ve learned over the last few years, in no particular order:
- Charge your devices every night. Check them in the morning to see they actually charged; if not, make sure they’re plugged in while you’re taking a shower and getting breakfast so they can survive the long day. Nothing like sitting down in the keynote and realizing your phone is at 20% and it hasn’t even started. Don’t forget to charge any battery packs you brought.
- Reduce brightness settings on anything with a screen. Your lapaptop, tablet, phone, watch, etc. It should be very low, somewhere between “no-one else can read this” and “I can’t read this.” This serves two purposes:
- Prevent others from reading your screen. The person behind you probably doesn’t need to read your email, and definitely not your KeePass/LastPass/etc. Nor do they need to be blinded by it during a presentation where the lights are dimmed.
- Save battery life. You won’t miss as much of the conference and you save yourself from another risky event…
- Bring your own charging cables/adapters and battery packs. Do not borrow them or use USB charging stations. (If you really must borrow a charge, make sure you trust that person with your digital life.) Most devices use a USB cable of some sort, and in case you haven’t heard, USB security is pretty horrible and opens you up to being rooted and data exfiltration (see BadUSB, Mactans, USB keystroke loggers and plenty of others). It’s just not worth it.
- Determine if you want to bring your gadgets at all. This is especially true at security-oriented conferences. Hacks abound at these things, including hacking the cell service. If you must bring a device, it might be best to acquire something for use only at that conference and destroy it afterward. That seems harsh, but flashing the device may not remove some infections. Are you willing to risk it?
- Use a VPN or at least prefer cell service over wifi. Make sure that any data you transmit is protected from malicious and inadvertent snooping. Most of us are not at security conferences where the cell service is hacked, so if you don’t have a VPN it’s probably pretty secure in comparison to wifi, but not always (know the atmostphere). Adding the VPN on top is the best, though. If your company doesn’t provide one, find a trustworthy service or set one up at home.
- Ensure you have good password hygiene. At a minimum, make sure they’re of reasonable quality and aren’t shared between services. Jessy Irwin talks about this on a Digital Underground PodCast.
- Don’t log into anything you don’t have to. For persistent-access services, like email or file sync, log in at home so you have a working token and do not need to enter the password again. For anything you need to authenticate to every time, it’s probably not a good idea. Every use of credentials potentially exposes them to onlookers. Pay your mortgage before you leave or after you get back, not from the hotel wifi.
- Have a Two Factor Authentication (TFA) backup plan. TFA is much more secure than Two Step Authentication (TSA), but often has some limitations for certain use cases that you need to understand. TSA codes can usually be sent to a new device, whereas adding a new device to your TFA device list may require the existing TFA device. If the original is lost or hacked, you may have no way to recover your account, or it may take significant effort above your “worth my time” threshold. Understand what services would be affected and make sure you have another way to recover access. This might include disabling TFA for the duration – if so, ask yourself again if you really want to bring that gadget. This is best thought through before converting a service to TFA, but now is the time to double check.
- Keep your devices with you, or in something more secure than the hotel safe. Those safes are often easily broken, as shown here and here. Especially at those security conferences. Definitely don’t leave your laptop unlocked and unattended at the bloggers table. Same thing with your charging and battery equipment.
- If you don’t need a particular gadget, leave it at home. This is so important, I’m mentioning it twice. Earlier I talked about devices being hacked, but you also cannot lose something if it’s in the dresser at home. Maybe you need your phone, but the FitBit can stay.
- Bring non-gadget backups. This is especially true for payments. If your phone is hacked, lost, or falls in the toilet, make sure you have at least one physical credit card with you.
- Maintain a list of devices, services, payment methods you travel with. When something bad does happen, it’s really helpful to have a list of what’s affected. Keep a list at home in case you lose it all, as well as taking a (modified?) copy with you. The list should help you determine what you need to recover, but not have information that someone else could use to steal your identity. In other words, “Bank account check card, $phone” is fine, “Bank Of Bad Opsec, $phone, $card_number, $expiration, $ccv” is way too much. If something happens, start making phone calls. If the list was lost as well, that’s why you have a list at home. Make the calls now, do not wait till you get home and find $20k in charges to dispute or that your enter cloud drive was emptied.
- Be paranoid. It may not come naturally to all of us, but it is key to good OpSec. If you think something might expose you unnecessarily, don’t do it. It is better to be safe than sorry.
I also have one non-opsec tip for conferences: always call your vendor reps and ask what they have going on at the conference. You can usually arrange some one on one time with their engineering team or attend their event where you can meet others using the same products and compare notes.
If you have your own tips, drop them in the comments or send them to me on twitter!