It’s almost August, which means it’s almost time for the most anticipated (or dreaded, depending on your point of view) time of the year: hacker summer camp, the roughly week-long, back-to-back conferences Black Hat, BSides, and Def Con in Las Vegas, Nevada.
I’ve been going to hacker summer camp for the last six years. I remember how worried I was the first time: are hackers going to read my emails? Are they going to infect my phone with spyware? Should I even bring a credit card? Part of Def Con’s allure is this aura of danger, this idea that if you step into the filthy halls of the Las Vegas hotel it’s hosted in, you better be prepared to get pwned.
I’m here today to tell you that this is all, frankly speaking, dumb.
But, in truth, only a fraction of the attendees at Def Con really need a burner phone—one that they bring just to Def Con to protect their other devices with valuable data on.
Modern smartphones such as the iPhone and Google Pixel phones have state of the art security. There’s a reason exploits for these devices go for half a million or sometimes even several million dollars. People don’t pay that much money to hack every random person who goes to Def Con.
Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
If you work in the infosec industry and you really believe you need a burner phone for these conferences, you may need to do some soul searching. What’s the point of having a $100 billion industry if it can’t secure phones in a place where a bunch of hackers gather?
Also, as well-known hacker Space Rogue said, the Def Con network is now one of the safest (and better monitored) in the whole world. That means it’s harder to do mischievous stuff on it, and if you do, it’s easier to get caught.
As Marcus Hutchins, also known as MalwareTech, wrote on Twitter, “Defcon burner devices are yet another example of how people in an industry that should be largely focused on threat modeling can’t come up with sane threat models.”
That is the point here. What is your threat model? Do you really need a burner for that? If you’re going to some parts of western China, the answer is yes. Depending who you are, and if you’re crossing certain borders (even the US one), the answer is probably yes.
But a conference in Vegas? Perhaps you are part of the minority who needs a burner, but most likely you are not.
“I always thought it was immature behavior from neophytes trying to scare even newer people with their secret knowledge,” Jason Syversen, a long-time security researcher who used to work at DARPA, tweeted. “The comments on gatekeeping are good too, it’s the opposite of welcoming people. And makes you look foolish.”
Of course, not everyone agrees. Long-time security researcher Roel Schouwenberg said that there are legitimate threats at conferences like Black Hat and Def Con, and people who may be interesting to them should take precautions.
“How do the different intel agencies that operate during the event figure out who is who?” said Schouwenberg, who’s the director of intelligence and research at the consulting firm Celsus Advisory Group. “It’s like airport security. Just because you know you have no bad intent doesn’t mean you don’t have to go through TSA.”
Subscribe to our new cybersecurity podcast, CYBER.