Hacker News
by Endlessly 2237 days ago
Given they have picked a few platforms, but are leaving a lot of choices up to the individual organizers, presenters, etc — aside from having:

- burner hardware
- one-time network connections
- one-time user accounts
- one-time identifiers
- read-only OS builds
- physically disabling sensors
- (insert suggestions)

What else might be options for securely accessing the event?

3 comments

> What else might be options for securely accessing the event?

I generally recommend ensuring that your security posture for DEFCON is the same baseline security posture you should have at all times, and for all websites, and then adjusting your habits accordingly months in advance... and then just chilling out because you've adopted a more secure normal (and DEFCON isn't particularly risky compared to everyday life).

Pantomiming paranoid-level security during hacker summer camp is silly. This is true for both in-person events and this year's virtual event.

If you're worried about getting hacked at DEFCON, don't wait until DEFCON to become secure, and don't become lax after DEFCON is over.

If you were a blackhat, burning a 0-day at DEFCON would be a huge waste. You probably wouldn't get anything interesting, and chances are someone would catch it.
At DEFCON, it'd be a job interview. Assuming you are looking to work for Raytheon or similar.
You don't need to do any kind of performative hacking to get a job at Raytheon.
Nope, you definitely do not. It would definitely get the attention of some vulnerability development types! But there are also more professional - if occasionally less fun - ways to go about that.

If memory serves, the "open" network has seen novel attacks used in years past. But not many.

It would be fun though
And even more importantly, it might prove somebody wrong about something.
A lot of people burn zero days for cred.
Eh I'd argue some measures are reasonable.

For example, I might choose not to bring a laptop and just use my phone + take paper notes.

But that's more about not wanting to have to keep track of my laptop than fear of evil maids. Unplugging for a bit can be rewarding mentally and if it's not with you it's one less thing that can be lost or stolen.

Physical based attacks were the majority of the risk, and that was, practically, pretty minimal. If you want to watch from inside a VM, great, but mass attacks against watchers? I'm not seeing it. (Been going since DEFCON 9)
It's nowhere near that bad. Sure, do safe comms, but people aren't popping 0days against other people. 0days are much too valuable.
Indeed if someone could 0wn your box simply from you watching a stream of a talk at a conference, it would already have happened.

The bigger risk is IMHO to end up on someone's watchlist, especially if the country you live in isn't particularly respectful of your individual freedom.

There's no doubt that I already am on a watchlist in the USA. Most anybody who's given talks at hacker cons, and then approached by the mil side of govt is. And frankly, I don't care.

Hacker con sec can be boiled down to 2 simple principles: Update yo shit, and if you have access turned on (ssh, etc) to know their threat model.

Well, yeah. But the US progression to being on a watchlist is a (metaphoric) white van for more watching. Other countries get you a (metaphoric) black van that takes you somewhere unpleasant.
That’s why registration has traditionally been in cash and a “spot the fed” competition held.