How To Not Get Hacked at the World's Preeminent Hacker Conference
At the Las Vegas hacker convention Defcon, any old bachelor party could become collateral damage.
Before I arrived at the Rio Hotel for Defcon, the giant Las Vegas hacker convention that tends to draw digital mischief-makers by the thousands, I received some simple but startling advice: Do not, under any circumstances, use the free conference wifi. Don't access anything on your phone that has a password that you don't want other people to find out. And, to be extra safe, bring a burner laptop.
Since I am not Batman, I do not have a burner laptop. My only laptop, a Macbook from 2007, should probably be someone's burner by now, but it's not.
So I do what I can: I turn off the wifi on my computer before I arrive at the hotel. I change the settings on my phone so that wifi, Bluetooth and cellular data are all turned off. That eliminates the temptation to check any of my password-protected apps, since I can't access the Internet anymore. My phone isn't a smart phone anymore. I know it's just psychological, but it actually feels lighter in my hand, like a corpse that's lost the apocryphal 21 grams of the human soul. It's not a honing device anymore. It doesn't know me now. It's just a piece of metal. The only internet I access (for reading up on the Russian Billion-Password Hack, for instance, or how not to get hacked at Defcon) is the plug-in Ethernet from the secure press room. So I'm okay. I think.
But I wonder about the other people, the innocents. The Rio is a giant luxury hotel and casino with four pools, three whirlpools, two bars, and a seemingly endlessly mirrored poker and blackjack and roulette tables. It's also catering to other guests besides those who are in town for Defcon and the other giant hacker conference that immediately preceded it, Black Hat.
The elderly Chinese woman wearing slippers in the elevator mirror is probably not an information security engineer. The teetering bros on a bachelor weekend could only be the most undercover of undercover Feds. The lovebirds at the bar are on Facetime, so clearly they haven't turned off their apps and cellular data. And I'm going to go ahead and guess that their wifi is also on.
A security vendor I meet in the line for badges answers my question fairly succinctly. The other guests at the hotel? "They're collateral damage."
He and his friends also add some pointers to the advice I've already received: don't send any text messages you don't want someone to read. Don't open any links in text messages, even if they come from people you know. One of the cohort, I'm informed, had already received a text from her husband that contained a link with a virus.
Also, do not use any of the hotel's ATMs.
Of course, people who vacation in Vegas aren't exactly protecting themselves from being hacked the old-fashioned way, by the croupier or the one-armed bandit. (After an embarrassing night at a roulette table, I can personally attest to this fact.) Still, visitors to Vegas have made some kind of calculated risk. There is a chance, however unlikely, that one of them is going to go home rich. Getting hacked doesn't carry much upside.
I take another uneasy glance around the casino floor and while I may not be Batman, now I feel like I'm in Gotham City: All these nameless tourists, strangers, bystanders, each of them ignorant of the cyber threats potentially looming amidst the palm trees. (The National Cyber Security Alliance warns of "identity theft, financial fraud, stalking, bullying, hacking, e-mail spoofing, information piracy and forgery, intellectual property crime, and more.") Should I, like, do something?
Holding out hope that perhaps a public service announcement has gone out to civilians in the hotel warning them about the various potential threats in the air, I approach the desk labeled "Security" for clarification.
The guard there, a middle-aged man with a Nevada drawl and a lot of gel in his hair, is not particularly interested in speaking to me. I don't want to give the impression that I'm trying to root out unprofessionalism—that's the surest way to not get an interview, especially in Vegas—so I just say that I have a few questions. Whom could I ask? Could I ask him?
What about his manager?
No, he doesn't think so.
Is your manager here? I ask. I can wait.
He says he's going to have to speak with corporate about scheduling any kind of interview, and finally consents to calling his manager to ask for the number I can call to get through to corporate.
Slowly, he picks up the phone and has a brief conversation in which he makes no attempt to disguise his skepticism about me and my enterprise. Then he hangs up and tells me that he doesn't have the number right now, but if I come back later, he can try to get it for me.
A few minutes later, I'm in the hotel elevator with one other passenger. Looking to interview someone about how they feel about being in a hotel full of hackers, I ask him if he's there for the conference. But my plans are foiled because he is there for the conference, and think I'm asking for advice for my own protection. He says that I shouldn't be too worried. "You'll probably be fine so long as you don't use ATMs or wireless and try to use your cell phone as little as possible."
This is the strange thing. To a person, everyone I talk to is nice and helpful, as I develop strategies to not get hacked.
"Nerds and hackers are the nicest people you'll ever meet," says a conference volunteer organizer (known in Defcon parlance as a "Goon"). "If you left your iPhone on the ground, someone would bring it to you."
But, I press him: it's not very nice to hack people in the hotel, is it?
"That's different. That's like: hahaha."
Like much hacking, the hacking at Defcon is a game of gotcha. Most of these guys—most of them are guys—are white hats. The point is not to steal people's identities, just to scare them, to warn them, and maybe have a little fun at their expense. Hey, their victims might even learn something about security too.
But what about the Black Hats in attendance? What about the Feds?
Several hours after the first attempt, I return to the desk marked "Security," where I am impressed to see that the same guard now has the number that I need. He's written it for me on a piece of paper. I thank him and I ask him if he can do me a favor: will he let me know if anyone complains about being hacked?
He's confused. "What do you mean? Like a department of the casino?"
No, I say, like an individual person staying at the hotel.
Now he's more baffled than he was before. "That would be the first I'd heard of it."
I explain that I'm asking because there's a hacker conference going on. He doesn't have much to say about that, or seem to understand whatever strange, European-sounding connection I'm making. But he readily tells me that it would be against his protocol to tell me anything about anything, without going through corporate. Good operational security, I thought.
Over the next two days, I leave messages at the corporate number but get no response.
The situation is an interesting microcosm for the world now: some people have the power to wreak havoc on other people, and most of those other people are blithely going about their lives without thinking about the threat at all. Maybe with the persistent drumbeat of the media about hackers out to get our passwords and credit cards and identities and the general shift in conversation as a result of the Edward Snowden revelations, people are at least aware that they can get hacked. But basically, you have to be methodical and hyper-vigilant to employ any cybersecurity approach more effective than occasionally thinking, "Damn, I hope no one is hacking me right now."
As the day goes on, I have many opportunities to interview a civilian, someone who is clearly not part of the back-to-back hacker conferences, about hackers and how they feel being surrounded by them. But when it comes down to it, I don't have the heart. They're on family vacations. They're on love retreats. They're having affairs. They're trying to make a few interesting mistakes. Why ruin their fun? Why tamper with their pleasant ignorance? What happens here stays here, paranoia be damned.
Finally, I approach a group of people by the slot machines to ask them how they felt about being in a hotel with thousands of hackers. They hadn't heard of the hacker conventions though, nor seen much evidence of the fourteen thousand Defcon attendees. One of them shrugged off the threat. "I have nothing to hide," he said, his hand on the lever of a slot machine. The machine had a giant hamburger on it and was called "Double Triple Diamond Deluxe with Cheese."
What about your credit card information?
"I don't buy a lot online."
The women who were standing near him were a little more interested. Hacking seemed like an obscure threat. "It's never happened to us," said one, who then translated this to her curious friend, who didn't speak English. "Thank you for telling us," they said (I had told them about the prospect of hacking by wifi.)
Those who get hacked through the wifi are punished by having their information sent to the conference's infamous "Wall of Sheep" – a wall-sized projection that displays their email addresses, redacted passwords and IP addresses on a giant projection screen. "It's about shaming," explains another conference Goon. "We're just doing it to show you how insecure your networks are." Especially since it's unlikely that anything bad will really come of it. "The goal," a security professional tells me, "is really to hack other hackers."
Just by googling some of the email addresses, I am able to identify the people who've been hacked. There's a software developer at Rackspace.com. There's a Dutch information security specialist. There's an early adapter who was able to get the address of "John" @ one of the major email providers. There's someone with a silly-sounding AOL address.
For the technology professionals, getting hacked in this way, advertised on an electronic board like so many sports scores at the adjacent casino, is embarrassing, but it's all in good fun. As for all of that sun-drenched, just married, drunk, hungover, sobered up, almost married, retired, adulterous, broke, hopeful, good-at-cards, bad-at-cards, getting-fleeced, killing-it collateral damage? Those people who arguably need the wake up call? This is their best chance to get hacked for their own good.
As far as I can tell, I escaped unscathed. Which raises another essential and unresolved question about hacking, this one veering into the philosophical: if you get hacked in a forest of hackers and you never find out about it, did you even get hacked?
Follow Lucy at @lucyteitler.