Blog

Apr 14, 2024

HACKER SUMMER CAMP 2023 GUIDES — Part One: Surviving Las Vegas & Virtually Anywhere

DCG 201 Follow -- Listen Share Welcome to the DCG 201 Guides for Hacker Summer Camp 2023! This is part of a series where we are going to cover all the various hacker conventions and shenanigans both

DCG 201

Follow

--

Listen

Share

Welcome to the DCG 201 Guides for Hacker Summer Camp 2023! This is part of a series where we are going to cover all the various hacker conventions and shenanigans both In-Person & Digital! This year in 2023 somehow bigger than it was in 2022 and thus we will have a total of 15 guides spanning 3 Months of Hacker Insanity!

As more blog posts are uploaded, you will be able to jump through the guide via these links:

HACKER SUMMER CAMP 2023 — Part One: Surviving Las Vegas & Virtually Anywhere

HACKER SUMMER CAMP 2023 — Part Two: Capture The Flags & Hackathons

HACKER SUMMER CAMP 2023 — Part Three: SummerC0n

HACKER SUMMER CAMP 2023 — Part Four: Zero Gravity by RingZero

HACKER SUMMER CAMP 2023 — Part Five: The Diana Initiative

HACKER SUMMER CAMP 2023 — Part Six: BSides Las Vegas

HACKER SUMMER CAMP 2023 — Part Seven: Black Hat USA

HACKER SUMMER CAMP 2023 — Part Eight: SquadCon by Black Girls Hack

HACKER SUMMER CAMP 2023 — Part Nine: DEFCON 31

HACKER SUMMER CAMP 2023 — Part Ten: USENIX + SOUPS

HACKER SUMMER CAMP 2023 — Part Eleven: Chaos Computer Camp

HACKER SUMMER CAMP 2023 — Part Twelve: Wikimania 2023

HACKER SUMMER CAMP 2023 — Part Thirteen: HackCon XI

HACKER SUMMER CAMP 2023 — Part Fourteen: Blue Team Con

HACKER SUMMER CAMP 2023 — Part Fifteen: Hack Red Con

HACKER SUMMER CAMP 2023 — Part Sixteen: SIGS, EVENTS & PARTIES

So first off lets answer the question…what the f%@k is “Hacker Summer Camp”!?

The term “Hacker Summer Camp” is a nickname for the crazy time in the summer where three computer security conventions: BSides Las Vegas, Black Hat USA and DEF CON take place during the entire week. Due to the literal overlap of activities, locations, speakers and organizations the term was coined to summarize the entire week.

Last year, we thought that was the largest our guides will ever get. We were hoping we could just rest on our laurels in 2023 and just do one big copypasta job. Fortunately for you all, and unfortunately for us, hackers are insane. So we some how TRIPLED the amount of guides this year, including some much needed updates to some of our main stays this year.

Compounding this is that due to various…back end developments *gigity* many of the events, especially the main ones, are coming in with information about their conventions more closer to their con date than normal. We as always will stay vigilant and update the guides to the best of our ability as things change, crap out and new shenanigans are added. All guides are LIVE Documents until the that convention ends so make sure to check back here often even during the convention itself for more & updated info!

Also about the nature of our guides expecially this guide in particular. Our survival guides are just that, a guide. We have to cover a WIDE VARIETY of user cases, threat models and personal prefrences. Meaning that (expecially the tech sections) you DON’T HAVE TO DO EVERY SINGLE THING IN THESE GUIDES! What you need to do is figure out what you are trying to accomplish in attending these conventions and if you are new or have any questions about said subjects we have text, videos and links so you can do research and preperations on them. In fact, if we had to recommend something, skim through the tech sections and focus on the How To Pack, How To Dress and About Las Vegas sections. These guides are worthless if you have an NSA-proof machine but die melting in the sun.

If you have time, check out anything you have skipped because it might give you ideas and perspectives you never though of before.

The lastthing that has changed this year is the sanitation strategy. Despite not being in the middle of a pandemic, both COVID-19 and Monkeypox are still around (and the whatever “Woke Mind Virus” that Elon Musk can’t stop yammering about on his failed bird site) so each gathering will have it’s own policies.

Here are the known ones so far (list to be completed soon):

If you are attending and have the option to participate virtually…

VIRTUAL COMMUNITY CONNECTIONS

During these uncertain times, DCG 201 is providing some tools for the Community to connect and stay healthy. Keep checking back, as we will be regularly updating the information below and providing opportunities to engage with your fellow InfoSec professionals.

humanresources.columbia.edu

holisticly.io

www.mentalhealthhackers.org

WAYS TO PROMOTE WELL BEING

TIPS TO MANAGING STRESS

Feeling lonely or overwhelmed and not sure what resources are available — check out this list of resources from Mental Health Hackers.

NETWORK WITH FELLOW INFOSEC PROFESSIONALS

CSA — Join CSA’s global community Circle that facilitates resources and security discussions.

ISC2 — A platform from ISC2 to share your cybersecurity knowledge and experience with other pros.

WSC — Gain access to educational tools, study groups, workshops and networking opportunities, as well as special discounts on respected training, certifications and education programs.

WISP — Their mission is to advance, advocate for, and increase the participation of women in the Privacy and Information Security fields.

COVID-19 RESOURCES FROM THEIR PARTNERS

JOIN A VIRTUAL MEET-UP OR PARTICIPATE IN COMPETITION

www.commonhealth.org

Headspace

Guides you through mindfulness mediation, which can help reduce stress and worry.

www.headspace.com

Andrew Johnson

Teaches relaxation and coping skills in various situations, including an app to guide you through relaxation exercises that you can do in a coffee break.

www.withandrewjohnson.com

WRAP

The Wellness Recovery Action Plan is a self-designed prevention and wellness process that anyone can use to make their life the way they want it to be.

https://itunes.apple.com/gb/app/wellness-recovery-action-plan/id657937563?mt=8

Relax Melodies

A popular free relaxation sound and music app to help you fall asleep or just to switch off. Mix and match nature sounds with music, lay back and listen.

itunes.apple.com

BellyBio

Teaches a deep breathing technique useful in fighting anxiety and stress. A simple interface uses biofeedback to monitor your breathing.

itunes.apple.com

WhatsMyM3

M3 is a confidential screen that reveals an overview of your potential risk of anxiety, depression, bipolar disorder or PTSD and prevention strategies.

https://itunes.apple.com/app/whatsmym3/id515945611?mt=8

BODY

gadgetbridge.org

MIND

STRAIN

Oh and uh…

hovancik.net

A reminder what outside looks like…we think…

If you do attend in person here are some other non-Plague related things you might want to know:

Here are a few items that you should pack for your trip:

— Hygiene Products: Travel Toothbrush, Toothpaste, Deodorant, Lotion, Hair Products, ect.

— Appropriate Nevada Summer Clothing: We will deal with this in the next section.

— Hacker Tools: Burner Laptop, Burner Phone, Multi-Tool, Hacking Wears and Tools, Lock-picks, Micro-controllers, Portable Sewing Kit (serious), ect.

— Business Cards: You will be doing a ton of networking at any of these events so make sure you have something to give to people to remember you by (and note, diseases don’t count!)

— Reusable Water Bottles: Vegas gets super hot, in August it can peak at 107 Degrees F so you should make sure you have water on you AT ALL TIMES!

— Cash: Leave your credit cards in your RFID Wallet, make sure you set a budget for yourself and before the trip take that amount out of cash for you. Not only is cash easier to use in a pinch but you can make sure you bank account is safe too! We also recommend to not use Cryptocurrency at the convention but if you must make new accounts, transfer your coins there and make a Crypto-Paper Wallet to bring with you (and guard it with your life) instead of using an app on a device.

— Medication: Bring a First Aid Kit or something containing Band Aid, Headache Medicine, Earplugs, Swabs, ect. Also, any medication you need to survive normally would be a good idea to take with you. Also, condoms. Because Vegas…

— Entertainment: Break out that Nintendo Switch, Smartphone game, Downloaded Movies and even more useful, a book.

— Con Guide: Before your trip, you should look at the con schedule online, copy and paste all the things you want to see plus the date and time of each activity into a document/spreadsheet. Then, print out two copies and carry them with you. Most conventions can give you a guide but in case they run out, you loose it or don’t have it on you having a personalized planner will help in this.

— Notebook: Again, you will be doing a lot of networking and you also might get inspiration while interacting at the convention. Bring a small notebook and pen (graph paper FTW) to jot down ideas, phone numbers, IP Addresses, still art sketches or whatever floats your fancy to document.

DO NOT BRING:

— A Bad State Of Mind: You are here to learn new things, network, relax and have fun!

redteamtools.com

hak5.org

supporters.eff.org

www.amazon.com

https://www.amazon.com/Aigee-Protector-Protectors-Protection-Complimentary/dp/B092CZNPX5

www.sparrowslockpicks.com

www.amazon.com

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8/ref=as_li_ss_tl?keywords=data%2Bblocker&qid=1564595050&s=gateway&sr=8-3&linkCode=sl1&tag=nbtv0b-20&linkId=f3d9b9fda507a97cad008b253b690603&language=en_US&th=1

https://www.amazon.com/gp/product/B08HRYT25N?ie=UTF8&psc=1&linkCode=sl1&tag=nbtv0b-20&linkId=0f7fbbffdecbd7cedbd43e418c00bb6b&language=en_US&ref_=as_li_ss_tl

supporters.eff.org

slnt.com

www.cleverhiker.com

www.verywellfit.com

www.cnet.com

www.travelandleisure.com

www.healthline.com

https://www.amazon.com/Espro-Travel-Coffee-Press-Stainless/dp/B00UTO8YKU?crid=XYLPNYSBX5AK&keywords=espro+french+press+yellow&qid=1659881352&sprefix=espro+french+press+yellow,aps,82&sr=8-9&linkCode=sl1&tag=cha3838-20&linkId=10e442359b41f4ec4a131c3a55b9264c&language=en_US&ref_=as_li_ss_tl

soylent.com

www.verywellhealth.com

www.highthreatinnovations.com

www.redcross.org

preparecenter.org

www.sja.org.uk

firstaidfastapp.com.au

store.samhsa.gov

www.rescusaveslives.com

pacsafe.com

pacsafe.com

pacsafe.com

www.selfdefenseproducts.com

www.stjohns.edu

www.sparrowslockpicks.com

www.sparrowslockpicks.com

SecureSpend VISA Prepaid Card: https://www.securespend.com/

There are a number of services which provide “virtual debit cards” which you can use with online merchants without revealing your actual banking or billing information in most cases. It’s important to note that these financial services are not anonymous and are subject to “Know Your Customer” (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and not for making a purchase completely anonymously.

privacy.com

mysudo.com

These services allow you to purchase gift cards for a variety of merchants online with cryptocurrency. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000–10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered).

cakepay.com

coincards.com

blockgeeks.com

cakewallet.com

www.exodus.com

www.privacytools.io

www.privacytools.io

www.privacytools.io

bisq.network

HOW TO DRESS TO NOT MELT IN NEW YORK OR NEVADA’S CLIMATE:

Ever seen the film Fear & Loathing in Las Vegas?

Ironically the main character of Raoul Duke’s (based off of Hunter S. Thompson) odd fashion choices is a good overall idea for how to dress in Vegas:

This might look strange but remember, Nevada is VERY HOT even in August. Again, temperatures can peak at 107 Degrees F so you will want to dress for such brutal desert weather, especially in contrast to the super air-conditioned interiors of Vegas buildings.

We originally recommended this in our previous guide in the NYC section because normally NYC rains a ton in the summer and Vegas is dry AF. However, last year the script flipped due to a little thing you may have heard of called Global Warming.

For a reminder on why you should bring an umbrella to Vegas now:

Gimaix 7 Colours LED Light Blade Runner Style Umbrella (Black-adult): https://www.amazon.com/exec/obidos/ASIN/B014GHMRBW/20140003-20

XXLMIJP 8 Rib Light Up Blade Runner Style Changing Color LED Umbrella with Flashlight Transparent: https://www.amazon.com/exec/obidos/ASIN/B07T1SW5W1/20140003-20

www.amazon.com

Holographic Umbrella: https://www.amazon.com/Hipsterkid-Holographic-Umbrella-White/dp/B079ZB85BS/

Umbrella With Built In Fan: https://www.amazon.com/exec/obidos/ASIN/B092HGJJ3Q/20140003-20

UV Reflective Umbrella: https://www.amazon.com/Suck-UK-SK-UMBRELLAREF1-Reflective/dp/B00EOTBCEG/

— Loose and Airy Clothing: Don’t bring anything tight fitting. The optimal ideal are loose T-Shirts/Blouses with Shorts/Skirts/Kilts. Something that hangs and that air will flow through. Try to put two or three finger through the sleeves or hug points while wearing it, if you can’t fit them or it’s snug, then it’s not loose enough!

— Storage: Make sure your pants ideally have cargo pockets or bring a Purse of Backpack that has Zippers or Secure Snaps, NOT MAGNETS (how do they work?) Reason being that although uncommon, pick-pocketing does exist in Vegas and this will be the most resilient to their attempts.

— Cover Your Head: Even if you don’t normally wear a hat, please go out an get one. It can be any kind as long as it can loosely and comfortably cover your entire scalp. Remember, your scalp is the most sensitive 0day on your body where heat can escape easily and most of your blood vessels are exposed the pounding sun near your brain. You can also optionally wear a visor to block out the sun.

— Shades: They are not just there to make you a 1337 H@X0R like Neo or Trinity, Vegas is not only hot but BRIGHT and you will want to protect your eyes from the harsh sunlight at all times. Plus the harder it is for the camera’s with AI’s to figure out who you are on Facebook the better.

— High FPS Sunscreen and Lip Balm: Again, Vegas is HOT and BRIGHT so those harmful UV rays will damage your skin. Get yourself a good sun screen, we recommend something at 50 SPF and NOTHING OVER IT (the value over 50 SPF is negligible and Sunscreen from the USA protects less from UVA rays than UVB rays). In addition, wear a comparable lip balm to lock in moisture and protect your lips from the elements, moisturize and lotion every night and try to stay in cool areas or shade and NOT outside for long periods of time. If you don’t have a clue on what to shop for, here is a great list of sunscreen options:

www.sunbum.com

www.byrdie.com

medicalgearoutfitters.com

www.thespruce.com

— Anti-Swamp Ass Undies: It’s going to be hot out which means you will form Niagara Falls with the sweat running into your but crack and your genitals will feel like they came from a horror movie. DO NOT WEAR COTTON UNDERWEAR! Not only will it chafe and cause skin reactions but it’s absorption will make it feel like you are wearing a diaper that’s also a waterbed. Instead look for nylon boxers/panties and look for specifically designed ones for heat flow and antiperspirant. A good brand is Ex Officio which you can find BOXERS HERE and PANTIES HERE

— Comfortable Shoes: You will be doing a lot of walking. Repeat: A LOT OF WALKING! And we know how awesome those Armani Suides or Vajazzled Stilettos are with your executive playboy look (you can reuse them later, see below) but they will kill your feet after 30 minutes never mind 16+ hours of going up and down elevators, across vendor halls, between workshops or talks and never mind the dance floor! Make sure to wear the most comfortable worn in shoes you can, ideally sneakers. You can always change into something else later in the day, in fact, having a pair of slippers for your hotel room would be a great idea.

BONUS: Wear a pedometer or set one up on your smart device, check it every night or on the flight back from the con and you will be SHOCKED how much you walk. Here is data on how much our Co-Founder Sidepocket walked during the Circle of HOPE hacker convention in New York City for comparison:

…and remember, Hacker Summer Camp 2023 is 30x the size of The Circle of HOPE!

Finally, we have three specialty outfits we recommend to bring in addition to your normal con look.

BUSINESS OUTFIT — This does not have to be a full suit, just a loose polo or button down shirt and some business slacks with nice comfy business shoes for masc looks and a light designer dress with open toed shoes for examples of a fem look. There are a lot of jobs and professional information security events around, so make sure you do research into what type of event you are attending and if it’s more corporate you have a look that matches.

SWIMWEAR OUTFIT — Either a swimsuit or water resistant clothing with NO electronics so you can hang out near the pool at your hotel and at parties.

PARTY OUTFIT — This is where your creativity can go wild and wear that crazy LED light up bondage gear with wings or that fur-suit you have buried in your closet. Since you only be dragging this out at night time during parties and gatherings, you can comfortably be in this get up while not killing your body out there, just make sure to take breaks to rest and stay hydrated even at night!

dustrial.net

www.hack.xxx

www.zerodayclothing.com

myhackertech.com

www.fabricoftheuniverse.com

vapor95.com

www.teepublic.com

hack.xxx

breedwell.com

donate.defconfurs.org

www.etsy.com

www.aliveshoes.com

slnt.com

www.sparrowslockpicks.com

www.lockpickextreme.com

HOW TO FORTIFY YOUR DEVICES TO NOT GET HACKED

So here is a conundrum.

You are here to attend a hacker and information security convention. This involves tech. You are a tech person. You want to bring your tech.

BUT.

Again, it’s a hacker and information security convention. There will be so much shenanigans, traps, pitfalls and malicious activity that you don’t want to end up as part of someones security research paper.

So obviously, we are not going to tell you to leave your tech at home. How boring would a hacker convention be without technology? (Answer: It would be the RSA Conference.)

Instead, here are a few tips that will help your tech survive the experience. Remember, these are not uber 1337 hacker proof ninja skills, everything and anything can be exploited and hacked. However, these tips will help out during the journey to make sure your head is more focused on the connections and learning and not in the debugger or data recovery process:

— DO NOT BRING YOUR PERSONAL AND/OR WORK MACHINES TO THE CONVENTION!!! We can’t stress this enough, if you bring the machines you use (laptop, tablet, smartphone, servers, micro-controllers) to any of the conventions you are putting all your work and personal data at risk, even if you do back ups. Furthermore, you risk taking an compromised machine of unknown origin back to your work network or personal network which can be further damaged and 0wned.

Instead, use Burner Equipment.

spreadprivacy.com

When purchasing a burner device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.

Avoid buying phones from mobile network operators. These often have a locked bootloader and do not support OEM unlocking. These phone variants will prevent you from installing any kind of alternative Android distribution.

Be very careful about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there’s a possibility of IMEI blacklisting. There is also a risk involved with you being associated with the activity of the previous owner.

A few more tips regarding Android devices and operating system compatibility:

We have seen a lot of discussion about the usecase of burner equipment. Many saying that, at best, it’s outdated advice and at worse, is incredibly stupid stories hackers tell n00bs to scare people.

While we agree with many of the points, we want to be realistic about your potentinal threat model at Black Hat & DEFCON. Our fear is that by telling everyone “Oh you don’t need burners” that the oposite effect will happen and people won’t do any base security at all and thus get hacked.

So here is the quick rappid-fire Q&A about buners, security, networks, ect:

EXIF is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression. This includes GPS information so you can easily see where the images were taken. If someone who knows about EXIF data can find it, they can find out where you took the photo, compromising your privacy.

Here are programs that can remove them:

0xacab.org

exiftool.org

github.com

codeberg.org

zininworks.com

silent.link

joyofandroid.com

www.digitalcameraworld.com

appuals.com

www.androidcentral.com

www.simoptions.com

Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element.

Google Pixel devices are known to have good security and properly support Verified Boot, even when installing custom operating systems.

Beginning with the Pixel 6 and 6 Pro, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2–4 years competing OEMs typically offer.

Secure Elements like the Titan M2 are more limited than the processor’s Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running “trusted” programs. Phones without a Secure Element have to use the TEE for all of those functions, resulting in a larger attack surface.

Google Pixel phones use a TEE OS called Trusty which is open-source, unlike many other phones.

Official Store: https://store.google.com/category/phones

Swappa: https://swappa.com/buy/unlocked/google

Blackmarket: https://www.backmarket.com/en-us/l/unlocked-google-pixel/d6fd4ff1-392b-4174-9ee7-32485e10b9a5

puri.sm

puri.sm

us.nothing.tech

puri.sm

puri.sm

tehnoetic.com

www.pine64.org

puri.sm

www.pine64.org

www.pine64.org

www.pine64.org

manjaro.org

grapheneos.org

divestos.org

www.kali.org

store.nethunter.com

security.utexas.edu

www.privacyguides.org

spreadprivacy.com

github.com

gitlab.com

Strict FOSS Only Storefront: https://accrescent.app/

www.privacyguides.org

www.mozilla.org

guardianproject.github.io

gitea.angry.im

netguard.me

attestation.app

www.jumboprivacy.com

github.com

Cryptocam: Record encrypted videos on Androidcryptocam.gitlab.io

github.com

privacyblur.app

codeberg.org

github.com

ooni.org

scannerradio.app

www.m2catalyst.com

github.com

github.com

www.burnerapp.com

Online Password Manage For Android — www.keepassdx.com

strongboxsafe.com

simplelogin.io

getaegis.app

raivo-otp.com

dripapp.org

eukiapp.com

spreadprivacy.com

www.privacyguides.org

theprivacyguide1.github.io

github.com

www.bleachbit.org

github.com

incogni.com

https://fedoraproject.org/

archlinux.org

www.qubes-os.org

www.privacyguides.org

OpenSUSE Tumbleweed: https://get.opensuse.org/tumbleweed/

Team SilverBlue: https://silverblue.fedoraproject.org/

tails.boum.org

gitlab.com

www.stationx.net

www.gnu.org

www.openbsd.org

hardenedbsd.org

www.kali.org

parrotsec.org

www.networksecuritytoolkit.org

pentoo.ch

www.blackarch.org

SecBSDwww.secbsd.org

www.privacyguides.org

sectools.org

Apple iMac machines run a POSIX compliant UNIX variant, and the hardware is essentially the same as what you would find in a high-end PC. This means that most hacking tools run on the Mac operating system. A properly set up Apple machine can do quite a bit of heavy lifting.

spreadprivacy.com

spreadprivacy.com

null-byte.wonderhowto.com

Objective-See Security Tools: https://objective-see.org/tools.html

These options can be found in

Settings → Safari → Privacy and Security.

This enables WebKit’s Intelligent Tracking Protection. The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.

Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you’re visiting. It can also display a weekly report to show which trackers have been blocked over time.

Privacy Report is accessible via the Page Settings menu.

Ad click measurement has traditionally used tracking technology that infringes on user privacy. Private Click Measurement is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.

The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it’s automatically disabled in Private Browsing to be an indicator for disabling the feature.

Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.

Safari’s Private Browsing mode offers additional privacy protections. Private Browsing uses a new ephemeral session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari’s translation feature.

Do note that Private Browsing does not save cookies and website data, so it won’t be possible to remain signed into sites. This may be an inconvenience.

Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are not. Apple can decrypt and access them in accordance with their privacy policy.

You can enable E2EE for you Safari bookmarks and downloads by enabling Advanced Data Protection. Go to your Apple ID name → iCloud → Advanced Data Protection.

If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari’s default download location is set to locally on your device. This option can be found in

Settings → Safari → General → Downloads.

www.zdnet.com

accesscyber.co

pi-apps.io

vpncentral.com

vpnoverview.com

www.roadtovr.com

learn.framevr.io

www.wolvic.com

— Regardless of what desktop operating system or programs you use make sure that before you go to the con you update them to their latest versions. Most exploits are found in earlier versions of code, thus the older your digital devices and their software are, the more of the attack surface will be available to malicious hackers.

— Charge your equipment with either Power Only USB Wires (how to covert an existing USB Cable into Power Only) or use USB Condoms. This is to ensure when you plug into something to charge you are only using power and not transmitting any data. Use backup battery chargers and replacement batteries for equipment whenever possible in leu of charging via outlets. DO NOT use one of those Device Charging Kiosks where you leave your device in a glass cabinet as you charge, they have been known to be spoofed to steal your data.

— Try to obtain and use pre-paid hotspots if possible on a 4G line to make calls and use cell data. In addition to encrypting your phone, make sure you configure your phone to connect to your pre-paid hotspot and not cell towers. During Hacker Summer Camp, cyber criminals are known to set up fake cell phone towers (HACKADAY guide to how to spot fake cell towers) for your devices to connect to and make it spit information you do not want them to know…

These screenshots show a scan for Cell Phone Towers before Defcon (left) and during (right). Notice the fakes? Images: Geoffrey Vaughan

— Use Tor (or i2p or a VPN) configured to FULL TUNNEL, including DNS look up. We also recommend in using the AES Algorithm to traffic data you want to send and networks you want to connect to. Beware when connecting to the con’s WIFI, while the NOCs (Network Operation Centers) of each con do a fantastic job to try to create things safe, their will be open warfare by bad hombres all over these networks and the wifi provided by the hotel will be worse. If you have to connect, try to get a wired connection if possible so you don’t also open yourself up to general wifi and bluetooth attacks. Also, if you go on the web make sure you have your VPN on in Privacy Browser Mode.

www.privacyguides.org

www.torproject.org

onionbrowser.com

onionshare.org

Tor Switch For Firefox & Chrome: https://mybrowseraddon.com/tor-button.html

github.com

mullvad.net

lokinet.org

i2p Browser: https://geti2p.net/en/download

gitlab.com

ftp.mozilla.org

NOTE: We are linking to the Mozilla FTP for Firefox because Firefox includes a unique download token in downloads from Mozilla’s website and uses telemetry in Firefox to send the token.

These options can be found in → Settings

Search suggestion features may not be available in your region.

Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.

This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from all fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.

Firefox Suggest is a feature similar to search suggestions which is only available in the US. We recommend disabling it for the same reason we recommend disabling search suggestions. If you don’t see these options under the Address Bar header, you do not have the new experience and can ignore these changes.

If you want to stay logged in to particular sites, you can allow exceptions in Cookies and Site Data → Manage Exceptions…

This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.

Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.

Additionally, the Firefox Accounts service collects some technical data. If you use a Firefox Account you can opt-out:

This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.

Firefox Sync allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.

support.mozilla.org

github.com

librewolf.net

github.com

These options can be found in → Settings.

Brave includes some anti-fingerprinting measures in its Shields feature. We suggest configuring these options globally across all pages that you visit.

Shields’ options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:

Disable built-in extensions you do not use in Extensions

Brave’s Web3 features can potentially add to your browser fingerprint and attack surface. Unless you use any of features, they should be disabled.

Set Default Ethereum wallet to Extensions (no fallback) Set Default Solana wallet to Extensions (no fallback) Set Method to resolve IPFS resources to Disabled

Brave Sync allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.

Brave Rewards lets you recieve Basic Attention Token (BAT) cryptocurrency for performing certain actions within Brave. It relies on a custodial account and KYC from a select number of providers. We do not recommend BAT as a private cryptocurrency, nor do we recommend using a custodial wallet, so we would discourage using this feature.

Brave Wallet operates locally on your computer, but does not support any private cryptocurrencies, so we would discourage using this feature as well.

github.com

minbrowser.org

github.com

github.com

tosdr.org

addons.mozilla.org

chrome.google.com

addons.mozilla.org

chrome.google.com

github.com

simplelogin.io

anonaddy.com

Mailvelope is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.www.mailvelope.com

donotpay.com

owasp.org

d09r.github.io

addons.mozilla.org

chrome.google.com

addons.mozilla.org

github.com

github.com

github.com

noscript.net

hat.sh

molly.im

blog.privacyguides.org

getsession.org

simplex.chat

delta.chat

element.io

- BriarSecure messaging, anywherebriarproject.org

xmpp.org

hexchat.github.io

irssi.org

github.com

WARNING: Using a VPN will not keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.

If you are looking for anonymity, you should use the Tor Browser instead of a VPN. (SEE BELOW)

If you’re looking for added security, you should always ensure you’re connecting to websites using encrypted DNS and HTTPS. A VPN is not a replacement for good security practices.

If you’re looking for additional privacy from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.

Beginner:

riseup.net

calyxinstitute.org

Intermediate:

protonvpn.com

mullvad.net

Advance:

orbot.app

www.ivpn.net

en.amnezia.org

Encrypted DNS with third-party servers should only be used to get around basic DNS blocking when you can be sure there won’t be any consequences. Encrypted DNS will not help you hide any of your browsing activity.

www.privacyguides.org

DNS-over-TLS (DoT): A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.

DNS-over-HTTPS (DoH): Similar to DoT, but uses HTTPS instead, being indistinguishable from “normal” HTTPS traffic on port 443 and more difficult to block. DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server.

DNSCrypt: With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.

Android 9 and above support DNS over TLS. The settings can be found in: Settings → Network & Internet → Private DNS.

The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via configuration profiles or through the DNS Settings API.

After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN’s DNS settings and not your system-wide settings.

Apple does not provide a native interface for creating encrypted DNS profiles. Secure DNS profile creator is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile’s origin and helps to ensure the integrity of the profiles. A green “Verified” label is given to signed configuration profiles. For more information on code signing, see About Code Signing. Signed profiles are offered by AdGuard, NextDNS, and Quad9.

systemd-resolved, which many Linux distributions use to do their DNS lookups, doesn't yet support DoH. If you want to use DoH, you'll need to install a proxy like dnscrypt-proxy and configure it to take all the DNS queries from your system resolver and forward them over HTTPS.

adguard.com

developers.cloudflare.com

controld.com

mullvad.net

www.nextdns.io

A public and free DNS service for a better security and privacyquad9.net

github.com

rethinkdns.com

git.frostnerd.com

github.com

TIP: A cool idea that is not required for your desktop OS, you can also run a firewall on your laptop via a VM (Virtual Machine) that will isolate your trusted host. Do note that while this in a more advance technique and is difficult to set up and for red team to hack, there are hackers that know how to manipulate hypervisors to break this method. Remember, when you are at a popular open convention, trying to connect to anything is a risk!

HOW TO FLY AND NOT GET MOLESTED BY THE TSA

This should hopefully be the worst part of your trip, getting there. Some will try to drive there (like our Co-Founder GI Jack because he is not right in the head and from New Jersey to boot) and others will take more unorthodox means of getting there. Most of you, are most likely to fly there via an airline. Besides some general knowledge of airline tips, here are some additional tips that are unique to going to Hacker Summer Camp.

— Make sure to pre-charge all your devices you are going to use and bring before the flight. This sounds like a no-brainer but while many airlines do have power plugs many still don’t (especially on the plane) and they also might be fully occupied by your other travelers. Make sure all your devices are powered and ready to go so once you get off the plane you can hack right when your feet touch the ground!

— GET TO YOUR FLIGHT ON TIME! Again, a no-brainer but an important one. Airlines are very fickle about times, and you should show up at least a half an hour before your flight if not earlier. It can be difficult to reschedule your flight and often later times are many hour later delaying everything. Now if your flight is delayed, raise hell-erm-don’t hack the airport (we don’t support that idea) just complain to customer service and the airline until you get what you need.

— DO NOT BRING WEAPONS, DRUGS, EXPLOSIVES OR ANY OTHER SCARY LOOKING THING ON A PLANE!!! In addition, try not to code or do network ops while in flight. We have heard too many stories of friends trying to remote tunnel into their network while flying only to be thrown in a room with blue gloves groping them because the airline staff thought they were ISIS hacking into the Pentagon.

— Here is are two tips to secure your luggage. First, DO NOT USE TSA APPROVED KEYS AND LOCKS. Get your own locks, you can reach out to your local TOOOL Chapter or contact them online and they will give you advice on what to do. Here is a talk by Nite0wl, JohnnyXmas and DarkSim on why TSA locks are a bad idea (HINT: Nite0wl dropped a 0day on the “safe” skies travel locks). Second, if you are an American who legally owns a FIREARM, you can use that firearm to store other valuables you don’t want to get lost. You can find more info on that via clicking this link for an amazing talk by Deviant Ollam on the subject of flying with firearms.

NOTE: Unlock your luggage before you check it on a plane. The TSA will simply cut the lock off your bag. Pack your lock in your bag, and then relock it when you get out of the airport.

— Make sure you have all your essential items that are valuable to you and/or you are going to frequently use on your carry on (and make sure they meet carry on standards). Sadly, luggage loss by airlines is a thing and we have known people who have lost thousands of dollars in equipment and clothes via their onboard stored luggage disappearing.

— This is also where those portable entertainment items will come in handy. Suggestions include your latest and favorite 2600 Magazine, the book Turing’s Cathedral by George Dyson, Mr. Robot Season 3 (look out for our Co-Founder Sidepocket’s cameo in the Hacker Space scene of Episode One) any Nintendo Switch video game or the DEF CON 30 Main Stage & Village Talks and A New Hope 2022 Talks (and please wear headphones!)

CHECKING INTO YOUR HOTEL ROOM AND RECON YOUR LOCATION

So, you have finally arrived in Vegas or NYC at the hotel you have booked. You are not done yet! Here are some more tips once you got your room key card and have opened the door:

The keyword here is YOUR. Please do not copy anyone else’s room key that you do not have permission to!

These keycards are usually Mifare Classic 1k so these are the steps I took using the Unleashed firmware. If you don’t have any apps listed here, search them on github and google how to compile for your firmware.

This whole process may take some time (up to a few hours) so be patient!

This disables the room occupancy sensor and lets you lower the min temp.

> Hold down “display” button

>Press “off”

>Then hit the “Up” arrow

>Then release “display” button

You Will Need:

>Pack of Soy Sauce

>Napkin

>Rubber Band

>Plastic Tumbler (or a drinking glass)

If someone enters your room, the glass will get knocked over and the symbol or letter on the napkin will become unreadable, tipping you off that someone entered into you room with out consent!

redteamtools.com

www.sparrowslockpicks.com

— Explore the hotel and spend a night walking around the immediate hotel area and the overall Las Vegas strip and/or NYC Campus if you can. Important things to map are shops, fast food places, bars, banks, security surveillance and other important points of interests. In fact, you can the day before print out a Google Map/Open Street Maps of the strip to keep on your persons (as well as a close up of the hotel and it’s surrounding area) and psychically map things out with marker and pen as you go. As a heads up, here is a list of resurant locations in Las Vegas and below is a picture map of every Walgreens on the strip:

A quick guide for supplies, make sure to make your own map of the Las Vegas Strip!

Monday: 7 am — 12 MidnightTuesday: 7 am — 2 amWednesday: 7 am — 2 amThursday: 7 am — 2 amFriday: 7 am — 3 amSaturday: 7 am — 3 amSunday: 7 am — 3 am

The Las Vegas Monorail is excited to introduce Mobile Ticketing. Get to your destination even faster with our Scan & Go technology! No more fumbling with paper tickets, confirmations or redemption codes. Now riders can take advantage of our eTicket discounts as a thank you for helping us reduce paper use and landfill waste.

STEP ONE

Purchase discounted tickets online and receive an electronic ticket to the email address of your choice. Mobile Tickets can be purchased in advance on a desktop, tablet or mobile device. You can also purchase from any mobile device once you have arrived in Las Vegas.

STEP TWO: SCAN

Arrive at one of our seven stations and locate your ticket on your mobile device. Proceed to the Las Vegas Monorail fare gates and simply scan the QR code on your phone.

Electronic tickets may also be printed at home and scanned directly at the fare gates.

STEP THREE: GO!

Proceed through the fare gates and board the next train headed in your chosen direction. Trains arrive every 4–8 minutes

Want to keep your ticket as a souvenir? Paper tickets are still available at our Ticketing Vending Machines or at one of our Customer Service Offices for regular, full-price purchases.

Please note that Ticket Vending Machines only offer the following ticket types:

Additional Multi-Day ticket types can be purchased at a discount online or at full price at one of our Customer Service Offices, open 10 am-6 pm, daily.

Mobile tickets are valid for one year from their purchase date. The One-Ride Ticket loses its value after the ride has been taken.

Unlimited-Ride Passes are valid for unlimited rides for the period listed on the mobile ticket. This period begins the first time you use the ticket at a fare gate during operational hours and remains valid for the number of consecutive days, as listed on the ticket. Each “day” equals a 24-hour period.

Look for a Las Vegas Monorail employee and we can assist you. If no Monorail employee is available, please press the button on the emergency telephone located near the fare gates and wait for an operator to answer your call. We’re here to assist with any malfunction or in the case of an emergency.

ONE-RIDE TICKETS

One-Ride tickets are good for one person for one entry/ride.

UNLIMITED PASSES

Unlimited-ride passes are good for unlimited travel for one person for a consecutive period during operational hours.

Please visit our FAQ page for some of our most common questions, or visit our Contact page so we may assist you directly.

tix.lvmonorail.com

taxi.nv.gov

www.marriott.com

The Westin Las Vegas Hotel & Spa (160 E Flamingo Rd, Las Vegas, NV 89109)

www.alexispark.com

Alexis Park Resort (375 E Harmon Ave, Las Vegas, NV 89169)

www.caesars.com

The Cromwell Las Vegas Hotel & Casino (3595 S Las Vegas Blvd, Las Vegas, NV 89109)

www.caesars.com

The Horsehoe Las Vegas (3645 S Las Vegas Blvd, Las Vegas, NV 89109)

www.thelexilasvegas.com

The Lexi Las Vegas (1501 W Sahara Ave, Las Vegas, NV 89102)

www.goldengatecasino.com

Golden Gate Hotel & Casino (1 E Fremont St, Las Vegas, NV 89101)

www.visitlasvegas.com

en.clubpoker.net

thingstodoinlasvegas.com

www.happycow.net

jewishhacker.com

www.zabihah.com

www.belikebuddy.com

www.swaidvegas.org

EMERGENCY NUMBERS IN LAS VEGAS:

Fire / Police / Ambulance : 911

Poison Control : (702) 732–4989

Rape Crisis Center Hot Line : (702) 366–1640

Mental Health Crisis Unit : (702) 486–8020

Gamblers Anonymous : (702) 385–7732

Alcoholics Anonymous : (702) 598–1888

Domestic Crisis Shelter : (702) 646–4981

Juvenile Court Services Abuse and Neglect Hot Line : (702) 399–0081

Youth Runaway Shelter : (702) 385–3330

Internal Revenue Service : (800) 829–1040

Department of Motor Vehicles : (702) 486–4368

Clark County District Attorney : (702) 455–4204

Federal Bureau of Investigation (FBI) : (702) 385–1281

Bureau of Alcohol, Tobacco and Firearms : (702) 388–6584

American Red Cross : (702) 248–2770

Alzheimer’s Association Southern Nevada Chapter : (702) 248–2770

American Heart Association : (702) 367–1366

American Cancer Society : (702) 798–6877

American Lung Association : (702) 431–6333

United Way : (702) 455–4291

Senior Protective Services : (702) 455–4291

Clark County Social Services : (702) 455–4270

Salvation Army : (702) 649–8240

Traffic Hotline : 511

Amtrak Railroad : (702) 386–6896

McCarran International Airport : (702) 261–5211

Las Vegas Public Bus Transportation : (702) CAT-RIDE

Information Assistance : 411

Information and Referral HELP of Southern Nevada : (702) 369–4357

Time / Weather : (702) 248–4800

— Lastly but certainty not least, we must remind you that while you are any of the three conventions to PLEASE work with con security and staff and not AGAINST them, obey their Code of Conducts (DEFCON CoC, Black Hat CoC, BSidesLV CoC) and OBEY the 5–2–1 rule.

That’s:

>FIVE HOUR OF SLEEP (MINIMUM)

>TWO FULL MEALS WITH ACTUAL NUTRITION (MINIMUM)

>And please…for the love of everyone’s nasal glands…SHOWER EVERY DAY!!!!!

If you have your own tips, tricks and advice for surviving Las Vegas, Nevada or New York City that we forgot to miss here, you can reach out to us on our social media or email us at INFO {at} DEFCON201 <dot> ORG

Enjoy your time in LAS VEGAS and remember,

What happens in Vegas…

Appears on YouTube!

P.S. Cannabis is LEGAL in the State of Nevada! Click here to read up on the laws! NOTE: CASINOS ARE RULED BY FEDERAL LAW SO NO SMOKING CBD AND/OR THC PRODUCTS INDOORS!

CONTINUE TO :: HACKER SUMMER CAMP 2023 — Part Two: Capture The Flags & Hackathons