There's a good chance that those guys didn't even have their phones on. If something is that urgent you don't text, you call, and if the call doesn't go through you find someone else that you can call who can go to the people involved and so on until you have guaranteed timely delivery and if you can't achieve that then you're going to have to live with the consequences.
Doing a 'fire-and-forget' text message and then attaching grave consequences to the timing is ridiculous.
>> There's a good chance that those guys didn't even have their phones on.
Never mind the fact that it was DEF CON; I'm a regular presenter at conferences and meetups, and literally #1 on my last-minute checklist is to text my wife that I'm now unreachable and silence my phone.
Never mind the fact that it was DEF CON. Having your phone on in a place where thousands of security experts are running amok is a surefire recipe for ensuing hilarity.
I used burners at DEFCON 2016. Eventually moved back to my actual phones. But, I talked with other people and according to them there were cell sites that were suspect. Never found out if it was true or not. But, as others have stated I turned off my WiFi.
I was at this past DEF CON; we had cell sites named "Arnold's Biggest Scam" and "AT&T Totally 1337 Tower".
There are others, but those two were prominent because I could access them in my room lol.
From what I’ve read, all you really need to do is turn off wi-fi, which is already fairly paranoid given that no one is realistically going to burn a serious chipset zero-day on random people at a conference. Fake cell towers do occasionally happen but rapidly lead to arrests.
Why wouldn’t they burn a chipset 0-day? It’s unlikely that only one exploit has been and will ever be uncovered. Imagine the shitstorm if you phoned all of DEFCON with a recording to attend your talk, on their radio “off” devices, because you powered them back on at the right time. Imagine the respect. That would be worth a 0-day.
"Random people" who with high probability may have undisclosed 0day exploits stockpiled on other devices.... Yeah, if I'm an APT author, DEFCON attendees are (the hardest to exploit and most paranoid [read: likely to get caught by]) the ideal target for any nation-state. Not to mention that the conference is often attended by multiple state agencies, which makes the target even juicier. Yes, it's an extremely hard and dangerous group of people to attempt to exploit, but that doesn't detract from the potential value and payoff of a successful APT exploit on said group of people.
That's not how nation-state actors work. One of the things that makes nation-state actors dangerous is they have the patience and resources to attack a high-value target at the point most likely to succeed. Backing that up, they generally have the intelligence to know when that best time is. And they for sure know that it's not at DEF CON when everyone is, as you say, paranoid and on the alert. They're going to get you at home, at happy hour with your non-security friends, in that bar with the great but insecure WiFi and no 4G.
There are no arrests listed for cellular activities at Wikipedia’s “Notable Incidents” list for DEFCON, so if you have direct confirmation of any such arrests, you should add them to the page at https://en.m.wikipedia.org/wiki/DEF_CON
> all you really need to do is turn off wi-fi, which is already fairly paranoid given that no one is realistically going to burn a serious chipset zero-day on random people at a conference
I know very little about security or DEF CON, but I was under the illusion that stuff like running a WiFi Pineapple to trick people into connecting to their hotspots was common and doesn't require any 0-days.
Here's what I do with my phone before heading to DEF CON (yes, I don't bother with burners anymore):
1) Make sure it has an Apple logo on the back and is up to date. I'm serious on this one. Too many Android phones don't get updated by the carrier, and that's why I'm not a fan. Yes, if you have the latest phone from Google, you are fine. From another manufacturer, very questionable. The sheer number of Android phones which have connected to my open research WiFi networks over the years and exposed some secret is just tragic, from user PINs thanks to a carrier-installed warranty app to e-mail passwords thanks to broken Samsung KNOX TLS middling implementations.
2) Shut off all background activity from apps when not on and in front of me: Settings -> General -> Background App Refresh. Slide that one to off for everything.
3) Turn off WiFi and Bluetooth.
4) For added paranoia, put it in airplane mode when not being used.
5) Make sure it doesn't have any information or accounts on it which I'd not like to be made public.
6) Back it up.
7) A quick audit of apps I'll be using at the con to ensure they are reasonably secure on the wire by using working TLS exclusively. Yeah, very few people will ever do this, but thankfully 1-6 should be sufficient.
There was also this one for which I had involvement: http://www.falseconnect.com/ which, while impacting nearly every major technology vendor, was particularly bad for Apple. Pretty much anyone who'd been using a proxy service (which includes some VPN providers like TorGuard) for privacy with iOS or macOS opened themselves up to full compromise of the cryptographic channel. The thing is, Apple recognized it was a big problem and got it patched, and that patch distributed to all impacted devices, in under 45 days from the first report. A similar flaw I reported to Samsung a few years earlier is still not patched on every Android phone impacted because some carriers didn't push the patch.
What good is the magically secure Apple logo on top, when you actually have a Broadcom doing the work down in the metal? I doubt this was the only existing hole: http://thehackernews.com/2017/07/android-ios-broadcom-hackin... (but Apple updated fastest, I do concede that)
Indeed, the same Broadcom chip is used in a bunch of Android phones, and to my original point, yes, Apple was not only the quickest to patch, but there's a good chance a large number of Android phones will never get a patch.
Reminds me of a friend who said his MySpace password was just "password123" because "It's such a stupid password that nobody would ever use it, so hackers don't even bother trying it!"
I wish I had multiple faces so I could palm more than one.
p good analogy, people will generally ACK a phone call since it implies a higher level of importance and could be about anything under the sun, but right before giving a talk at a conference I think most people would drop that text message UDP packet.