stuff to bring - the "shit... wish i'd thought of that!" list

  • stringslayer
    Member
    • Mar 2005
    • 70

    #76
    Good points

    Originally posted by TheCotMan
    * What services are available from your computer when you are on a network?
    I plan on using Fedora Core 4 w/SElinux and all incoming ports shut off. I plan on connecting to work via the Cisco VPN client. It could actually be Fedora Core 7 because DefCon is 2 months away.

    Originally posted by TheCotMan
    * How reliable is the network? (it is trivial to DoS any TCP session which can be sniffed passively by others- regardless of encryption.)
    Forgive me but could you elaborate on this one?

    Originally posted by TheCotMan
    * Any cameras recording your keystrokes?
    * Anyone shoulder surfing?
    * Can someone steal your laptop and access any cached credentials?
    Not sure, but I will assume yes to all of the above. I will be using RSA keyfob with the 6 digits regenerating every 60 seconds as the 3rd link in the 3 factor authentication. I have however seen programs that can "predict" the key generation, such as "Cain and Abel".

    Originally posted by TheCotMan
    * What actions are performed by your OS when it detects a network? (Connect IM clients? Search for a Master Browser? Look to Authenticate against a Domain or AD?, etc.)
    * (more than these items listed)
    I plan on having a host entry pointing to the Cisco VPN Concentrator endpoint. I will not be authenticating to the Domain Controller, however, I will be authenticating to a Domino mail server that is utilizing LDAP w/AD synch in a Server 03 Active Directory domain environment. I also had planned to direct all of my Internet traffic, including DNS query, back through the tunnel to a proxy server.
    Thank you for taking the time to help
    Stringslayer
    In a world without walls and fences, who needs Windows and Gates?


    • TheCotMan
      *****Retired *****
      • May 2004
      • 8857

      #77
      Originally posted by TheCotMan
      * How reliable is the network? (it is trivial to DoS any TCP session which can be sniffed passively by others- regardless of encryption.)
      Originally posted by stringslayer
      Forgive me but could you elaborate on this one?
      No need to ask for forgiveness. :-) I'm a newbie, not elite.
      Reliability is an issue in security. In addition, what use is a laptop if some dumbass yahoo thinks they are "leet" by applying a DoS attack against people's sessions?
      What I was writing about here was the ancient issue of TCP and DoS with Sequence guessing and use of flags with packet generation to tell one or more hosts in a session to end their sessions. If you can passively sniff sessions, then there is little guessing needed for sequence numbers, and it is possible to kill TCP sessions through crafty packet generation.
      Other DoS can be created on Layer 2 with clever use of MAC address and "by other means" as we have seen in previous DC with the wireless network.
      Why mention these?:
      What use is a laptop, if the network is so unreliable that you must re-establish your VPN/tunnel too often for it to be useful?

      I plan on having a host entry pointing to the Cisco VPN Concentrator endpoint. I will not be authenticating to the Domain Controller, however, I will be authenticating to a Domino mail server that is utilizing LDAP w/AD synch in a Server 03 Active Directory domain environment. I also had planned to direct all of my Internet traffic, including DNS query, back through the tunnel to a proxy server.
      Even though LDAP is not "plain-text" it is equivalent. (LDAPS isn't.) I'm assuming your ldap, mail, and other items you mention above for authentication would only be passing through a pre-established VPN and not be required as part of the VPN build. (I'm not being a smartass here, but I am stating my assumption in case it's not correct.)

      As for directing all your traffic through the VPN, that is a great idea, as is the host entry on your local machine, so as not to rely on the DNS at DC. However, it would be prudent for you to perform some basic tests before you attend DefCon:
      * Go to a "new" network and plug your laptop in
      * Sniff for any traffic from the laptop on the network before the VPN (it is easy to overlook things in windows. :-/ It's also possible that an implementation of some program does not work as documented. Maybe a checkbox is a vaporware option?)
      * port scan it before VPN and then after VPN
      * Sniff after VPN and make sure traffic is only VPN

      Passing won't mean it is secure, but failure will help you identify items which are insecure.

      Then do some research on the version of VPN software you are using and check out any security risks that have been unaddressed (MiM, predictable key exchange, etc) for the client and server.
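
The sniff-before and sniff-after checks in the list above can be scripted. The following is an added example, not part of the original post: it reads `tcpdump -nn` style text and lists every IPv4 packet the laptop sent that was not addressed to the VPN endpoint. The addresses, the sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `tcpdump -nn` text output (not a real capture).
# Assumed addresses: 192.0.2.50 = laptop, 203.0.113.10 = VPN concentrator.
SAMPLE = """\
12:00:01.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
12:00:01.100000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
12:00:02.000000 IP 192.0.2.50.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:02.500000 IP 192.0.2.50.41000 > 192.0.2.1.53: 4242+ A? mail.corp.example. (35)
12:00:03.000000 IP 192.0.2.50 > 203.0.113.10: ESP(spi=0x0badcafe,seq=0x1), length 116
12:00:03.200000 IP 203.0.113.10 > 192.0.2.50: ESP(spi=0x0badbeef,seq=0x1), length 116
12:00:04.000000 IP 192.0.2.50.137 > 192.0.2.255.137: UDP, length 50
12:00:05.000000 IP 192.0.2.50.52000 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
"""

# "<time> IP <src> > <dst>: <summary>"; IPv4 only, so IP6 lines need separate handling.
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def split_host_port(addr):
    """tcpdump prints a.b.c.d.port for TCP/UDP and a.b.c.d for ESP, ICMP, etc."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def find_leaks(capture_text, laptop_ip, vpn_ip):
    """Return (dst, dport, summary) for each packet the laptop sent outside the VPN."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # ARP and other non-IPv4 lines are not judged here
        src, sport = split_host_port(m.group(1))
        dst, dport = split_host_port(m.group(2))
        if vpn_ip in (src, dst):
            continue                  # IKE/ESP to or from the concentrator is expected
        if {sport, dport} == {67, 68}:
            continue                  # DHCP is needed to get an address at all
        if src == laptop_ip:
            leaks.append((dst, dport, m.group(3)))
    return leaks

if __name__ == "__main__":
    for dst, dport, summary in find_leaks(SAMPLE, "192.0.2.50", "203.0.113.10"):
        print(f"LEAK -> {dst}:{dport}  {summary}")
```

On the constructed sample it flags the DNS query to the local resolver, the NetBIOS broadcast and the direct HTTP connection; a capture taken after the tunnel is up should produce an empty list.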


      • stringslayer
        Member
        • Mar 2005
        • 70

        #78
        Heh, hadn't thought of that. All the security in the world will do me no good if the tunnel drops every few seconds.
        I will definitely be testing the items you pointed out.
        I will probably try the DC connection the first day with the security measures you have laid out. If my tunnel drops too often, I will most likely opt for working offline and synch up somewhere far away from the AP :-)
        Who would think you could get a great security lesson 2 months before DefCon?
        Thanks for all your help.
        In a world without walls and fences, who needs Windows and Gates?


        • Thorn
          Easy Bake Oven Iron Chef
          • Sep 2002
          • 1819

          #79
          Originally posted by stringslayer
          I am not a WiFi expert so I may need the assistance of THORN.
          "Expert" is a slippery concept. Let's just say I know more than most, but still know less than other (smarter) people.

          The best advice I can give you about WiFi at DC is "Don't do it!" If you must use a public-use network during DC, then my order of preference would be:
          1) A wired network off-site from the AP.*
          2) A wired network at the AP.
          3) A wireless network off-site from the AP.**
          4) A wireless network at the AP.

          * The further removed physically from the AP, the likelihood decreases that a wired network you are using has been compromised by someone attending DC.

          ** The distance rule applies here also, but remember that several long distance WiFi records (in the area of ~50 miles) have been established at DC. While those are extreme, it is trivial to sniff traffic passively from 5 to 10 miles using COTS equipment and a clear RF line of sight.


          All of these assume that you'll use your favorite combinations of encryption and tunnelling, that you'll take reasonable precautions against things like shoulder surfing, and that you're paranoid enough to prevent your laptop from being stolen. If you follow CotMan's above advice on the VPN, you should be OK in that regard. Even then however, I wouldn't rely on a wireless connection anywhere in Las Vegas for the week of BlackHat/DC for anything but the most trivial tasks. They are just too easy to DoS or otherwise compromise.

          Let me add one thought here: 99 people out of 100 at DC are seriously interested in security, have very high ethics in this regard, and would be loath to actually do anything bad with your data. The Wall of Shame/Sheep http://www.tomshardware.com/business...021/index.html is a great example: Plaintext usernames and passwords seen on the wireless network are displayed, but only the first four letters of the passwords are shown. It's done to remind people that this stuff isn't secure, not to hand out usernames and passwords for others to use.

          Originally posted by TheCotMan
          He's a good resource to tap, and he has been quite helpful on these forums.
          Thanks, Cotman.
          Thorn
          "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


          • highwizard

            #80
            Originally posted by TheCotMan
            He's a good resource to tap, and he has been quite helpful on these forums.

            We all love to Tap Thorn..


            • hackajar
              Contest Goon / Vegas 2.0
              • Jul 2003
              • 1255

              #81
              If you're just going to surf the net and read news, weather, etc. Use the WiFi. If you need to access a remote box, check email, pay bills (strange to do at conference, but I wouldn't doubt it) use your cell phone. You don't even need a black berry or sidekick to do this really. I have a phone from '98* that can give me directions, check email, and auto dial restaurants from Internet search results. There is no reason to do anything private from the public network at AP/V, being as we are in the year 2005.

              *Phone still works to this day, although I get a lot of flack for carrying around an old school bulky phone. It cost me $200 in '98 and I want a good return on my investment damnit!
              "Never Underestimate the Power of Stupid People in Large Groups"


              • AlxRogan
                THAT guy
                • Jul 2002
                • 783

                #82
                If you are going to the con on your work's dime, and don't want to have to hassle with connecting back up to their environment, simply tell them the risks. In years past when the mothership learned of my plans to travel to Vegas for the con, they were reluctant to allow me to even take my company laptop, due to the fact that it _might_ have remnants of customer data on it.
                Most bosses will understand if you tell them that, "Due to the nature of the people who show up to these cons, I will not be checking email, instant messenger, or sending/receiving documents while on the road. If it is urgent, please call my cell, and I can connect via alternate methods."
                If I didn't have to carry my laptop to con for competitions, I wouldn't take it out there except for the afore-mentioned picture/movie dumping.
                Aut disce aut discede


                • stringslayer
                  Member
                  • Mar 2005
                  • 70

                  #83
                  Thank you

                  You all have made very good points and I appreciate your time.
                  Hackajar brings up an awesome point- the cell phone
                  I do have a phone w/usb cable that can be used as a modem.
                  Perhaps utilizing that connection medium w/VPN for work related items would be the best, most secure, route. It may be a little slow, but probably faster than getting kicked off the VPN via WiFi repeatedly :surprised
                  I plan on taking lots of pictures and maybe a few vids.
                  (provided the individuals are willing to be photographed and recorded)
                  I will share these back to the community when I return from DefCon Xlll.
                  In a world without walls and fences, who needs Windows and Gates?


                  • astcell
                    Human Rights Issuer
                    • Oct 2001
                    • 7512

                    #84
                    If an individual does not want to be photographed, then they will politely say no thank you after you ask them for permission. If you do not ask permission, you will wonder how some bodily orifices can hold a camera. Sideways.


                    • TheCotMan
                      *****Retired *****
                      • May 2004
                      • 8857

                      #85
                      Originally posted by astcell
                      If an individual does not want to be photographed, then they will politely say no thank you after you ask them for permission. If you do not ask permission, you will wonder how some bodily orifices can hold a camera. Sideways.
                      Something like this happened in the vendor room last year. Respect and being polite goes a long way at DefCon. Ego, and disrespect can lead to bad events, and shallow graves.

                      [Ask permission-- even if the person is a vendor.]


                      • stringslayer
                        Member
                        • Mar 2005
                        • 70

                        #86
                        Considering the venue..

                        Permission would definitely be in order.

                        I had read about this earlier from a post including a DefCon Survival Guide
                        I think it will probably help to make my first DefCon more enjoyable and hopefully keep me out of the pool and keep me from being some Goon's bitch
                        In a world without walls and fences, who needs Windows and Gates?


                        • erehwon
                          nowhere
                          • Dec 2001
                          • 425

                          #87
                          Originally posted by noid
                          No one has mentioned bringing a good hat. You're outside a bunch, wear a hat. That and some sunscreen and your post-defcon recovery will be much more pleasant. Also, sunglasses.
                          I stepped out of the forum for awhile, so I will second a lot of what Noid is recommending, I am willing to bet that more than 90% of the attendees at Defcon haven't spent any reasonable amount of time in the desert. I really dig the desert, and sitting on my greying head is a Tilley Hat.

                          Originally posted by noid
                          I'd also recommend bringing a water bottle or Camelback. Staying hydrated in that kind of heat is very important, especially if you are planning on consuming large amounts of dehydrating alcohol. You'll find that you'll get a more pleasant buzz, you can drink longer, and have a far less likely chance of having us (goons) help you into an ambulance if you stay hydrated.
                          Again, you are in the desert, in the middle of summer, the average temperature in July is around 106!!! My best non-tech purchase at Defcon 9 was buying a hydration backpack, from a vendor like Hydrastorm.

                          Trust me when I tell you that packing 100oz of water, or Gatorade will make humping to the Alexis Park from Terribles that much easier!

                          Originally posted by noid
                          I also found having a tube of chapstick was a godsend last year.

                          Ditch the vinyl pants, leather trenchcoat, and giant leather boots in favor of shorts and tshirts. You'll be a lot more comfortable and you won't be referred to by the goons as 'the idiot wearing the leather trenchcoat in 115 degree heat'.
                          Sure wearing black shirts adds to that air of mystery, but if you must wear them in the desert sun and you forgo the hydration backpack, you will be begging for heat stroke. Wear the black shirts after the sun has gone down. Wear light coloured shirts and shorts, for the ultimate in desert comfort, come dressed as a Bedouin and hide your hydration backpack under your robes!

                          Originally posted by noid
                          As ASTCell pointed out, make up business cards with your contact info (as much as you want to give). Carry a pen with you as well.
                          Don't forget to add your PGP fingerprint on these cards!

                          Originally posted by noid
                          Bring a good attitude with you. People who bring bad attitudes (other than the goons) tend to have a less than fun weekend. They either end up sitting alone or making enemies. You're going to a convention. This is a social event. Come prepared to be social. Meet new people, interact with them, get email addresses and screennames, stay in contact with them. Some of my closest friends I met at Defcon and have been friends with for years (12 or 13 years in some cases).
                          I HIGHLY recommend reading How to Enjoy a Convention every time you are attend one!

                          Lastly, Please bring & use soap, daily! Nothing worse than 5000+ people wearing black shirts in the sun, sweating buckets and not bathing for the weekend.
                          Nonnumquam cupido magnas partes Interretis vincendi me corripit


                          • Siviak
                            Cerebral Terrorist
                            • Feb 2002
                            • 1013

                            #88
                            Originally posted by erehwon
                            I HIGHLY recommend reading How to Enjoy a Convention...
                            that is a great article.. lots of good pointers that work on all sorts of levels, and I hereby reserve the right to plagiarize it as I see fit, with due credit and beers as payment of course


                            Originally posted by erehwon
                            every time you are attend one!

                            hehehe... All your attendings are belong to us... sorry, I think it was the Desert Dog get up that threw me off
                            If I had a nickel for every time someone offered me ten cents to keep my two cents to myself... I would be a rich man.
