I was somewhere around the Paris Hotel on the edge of the Las Vegas Strip when the paranoia began to take hold.
I glanced down at my phone. Sitting in a talk by Lavabit CEO Ladar Levison, I noticed my WiFi was left turned on, though it wasn't connected to a network.
Was someone sniffing my phone's data? Could I have been hacked?
I quickly turned it off and put it back in my pocket.
This is what it's like to attend Def Con, the world's largest hacker conference and home to what's billed asthe most "profoundly hostile" wireless network anywhere. Before that, I was at Black Hat USA, the information security conference during the same week.
Though both are a fun time to meet awesome people, learn from the best, and party, it can be overwhelming to the first-time attendee like me.
Chances are, my smallerror didn't inspireany mischief among the "black hat" hackers who blend in among government agents and the "white hat" types who protect companies from attack. But it was a moment of realization that would come up repeatedly over the week: The possibilityof getting hacked ― "owned" as they say in the hacker world ― is not something that should be feared by the vast majority of people, but for journalists, activists, and even hackers themselves, a little paranoia can be a good thing.
This realization is particularlyevidentwhen there's a giant screen projected inside a room on the Bally's 26th floor showing off the "Wall of Sheep" ― the unlucky souls who were letting datapackets with usernames, passwords, and other informationfly out in the clear, withDef Con's "packet hunters" picking them up.
Italso didn't help that some were spreading rumors ofpeople employing IMSI catchers to intercept phone calls, whileothers on Reddit were saying feds were setting up the infamous " Stingrays "around the hotels. I wasn't able to confirm that either way.
The idea of staying on guard was made clearwhile attending a talk earlier in the week at Black Hat USA, in which Claudio Guarnieri and Collin Anderson debuted three years of research on what is believed to be multiple groups of government-linked Iranian hackers targeting external human rights groupsand dissidents within the country.
The methods they used were crude, but effective: Simple emails enticing victimsto click a link to a website the attacker loaded with malicious code, or others came withattachments that download malware.
At Def Con, there were speakersfocused on hacking cars, or exploiting software specifically designedto thwart hackers such asLittle Snitch. Two security researchers evendebuted the first-ever ransomware on a smartthermostat.
All in all, the week of hacking conferences I attended made me greater appreciate the work that security researchers do in pointing out vulnerabilities, as well astheir attempts at patchingthem.
But it also reinforced the importance of the user to proactively keep themselves safe online.If I learned anything during a week of talking with and hanging around hackers, it's that it's easier than everfor even inexperienced hackerswith high-tech tools to target someone.
The Wickr Foundation's " tips for surviving Def Con " sayto completely turn off WiFi and Bluetooth, cover cameras with tape, never use ATM's, and neverconnect phone chargers except for your own ― even at the airport. While this may be totally paranoid advice for a week where 20,000 hackers are in town, it can be overkill for the average journalist or activist.
Still,the absolute basics are so simple to implement that it's incredibly surprising to see so many people leave themselves wide open to attack. Though theywon't make a person"unhackable" ― that's not possible ― taking basic precautionswill make for a hard target, which can immediately deteran attacker and cause them tomove on to someone else.
For example, a hacker can execute a "man-in-the-middle" attack on thecoffee shop's WiFi network and intercept everything, but if you used a free VPN service they'dsee nothing but encrypted traffic. And while a brute force attack or social engineering a target can glean a super simple password, it would be much harder if a victim wasusinga password manager like 1Password or LastPass to generate 30-plus character passwords that are safely stored.
Most importantly, no one should just mindlessly click on a link they'vebeen emailed by someonethey don't even know.
Perhaps myparanoia will wear off. But, if you hackedme at Def Con, please activate my webcam andlet me know. Or shoot me an email withthe key ID8948807D.
I'd be happy to chat about how to do better next time.