Thread: So, for my first time, I went to #BHUSA2018 (@BlackHatEvents) and #DEFCON26. I took my main phone and laptop, and on conference day 1 went completely non-anonymous with an Android platform security team T-shirt on. Let me tell you what happened. 1/n
For context, prior to the first main conference day, I did 2 days training with @colinoflynn on power analysis and clock glitching with #ChipWhisperer and learned a ton. This has shown me how easy such hardware attacks can be today. 2/n
For those 2 days, I brought an old loaner laptop to work with the provided #VirtualBox images (which is not supported on ChromeOS at this time). Yes, I did plug in @colinoflynn's USB stick into this loaner laptop (without configured accounts). 3/n
On the other days, I simply brought my main Pixel 2 and Pixelbook, both with my personal accounts as well as @Google corporate accounts configured (on Android using work profile to keep personal and work lives apart - I really like that feature!). 4/n
And yes, against common advice, I did log into all my mail and many other accounts while there, call my family, etc. Stupid, I know, but usability wins over paranoia even for security geeks while traveling.... 5/n
In the spirit of full disclosure, I did break my normal pattern on one account: on the Pixel 2, I disabled WiFi and Bluetooth (which, on most days, I simply leave on all the time). 6/n
The main reason was battery usage (I wanted to get through loooong days with high screen time), but I admit that I am not yet fully happy with the radio-side attack surface (working on more fuzzing and mitigations on that side, so stay tuned for next year's experiment ;) ). 7/n
Now, finally, after all that intro/context, the list of all the bad things that happened to my devices and accounts:
1. I got 2 spam calls (well, normal in the US).
2. I got more spam emails (well, the hotel now has my address).
3. My Twitter account took way too much time to read (thanks to #BHUSA2018 craziness).
4. So far, nothing else.

Thanks for staying with me for that long for a complete anti-climax. I will keep watching my personal servers, and Google will certainly watch my corp account. 9/n
Why wasn't I concerned going there? Because I consider the network (outside my very own LAN) untrusted anyway, use TLS or VPN for everything including server verification, 2FA where possible, and have a reasonable device lock screen (and keep an eye on my physical devices). 10/n
Doing that only during time spent at security conferences but not otherwise would be foolish. Attacks can happen anywhere, especially when you are a potentially exposed target. Just use proper IT security hygiene, and you don't have to be afraid of #BHUSA2018/#DEFCON26. 11/11

Thread author: René Mayrhofer 🇺🇦 🇹🇼