E17 - OPSEC at DEVCON 6 - 10/6/2022
This week we'll do our usual weekly review of crypto security-related topics. We're going to dig into the issue of conference OPSEC, or operational security, as we're less than a week out from Ethereum's flagship developer conference, and rumors swirl about security concerns in Bogota.
---> Full show notes on HackMD <---
I, Degen - E17: OPSEC at DEVCON 6 - 10/06/2022
Listen at: idegen.fm
Contact us: @idegenfm
Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.
I,Degen - Weekly Review
- Sunday, October 2nd - Transit Swap Users Rocked for 21M
Transit Swap has lost $21M to a vulnerability which allowed an unknown attacker to drain the wallets of users who had approved the protocol’s swap contracts.
- Leading up to Ethereum’s flagship developer conference being held in Bogota, Colombia next week, a wave of Tweets and some articles surfaced questioning the safety of conference goers. FUD or legit concern? We’ll dig more into this in the deep dive in a few minutes.
- Office of the National Cyber Director Requests Your Insight and Expertise on Cyber Workforce, Training, and Education
Our Nation continues to face a significant shortfall in cyber talent, with estimates of approximately 700,000 open positions.
- October 1st, 2022 - No Digital Dollar Act Introduced - From Bitcoin.com
U.S. Senator James Lankford (R-OK) announced Thursday that he has introduced a bill titled the “No Digital Dollar Act” to prohibit the U.S. Treasury and the Federal Reserve from interfering with Americans using paper currency if a digital currency is adopted, and to make certain that individuals can maintain privacy over their transactions using cash and coins.
- October 4th, 2022 From Axios- Why Kim Kardashian got fined and Matt Damon didn’t
Kim Kardashian was fined $1.26 million Monday for touting crypto schemes — even as much more high-profile pitches from the likes of Matt Damon and Larry David have gone unpunished. The seeming double standard is a function of a subtle yet crucial distinction in securities law.
Where Kardashian crossed the line was when she endorsed a crypto asset security.
How it works: If you’re endorsing a company, the only rules that apply are the relatively lax ones from the FTC.
If you’re shilling a security, then disclosing that you were paid — as Kardashian did with an #AD hashtag — is not enough; you also need to disclose how much you were paid.
The bottom line: If you’re going to tout crypto, tout a crypto company, not a coin.
Moving on… Usually, we focus on looking back at crypto security-related events of the previous week. I thought maybe we could also highlight any relevant upcoming events each week.
I, Degen - Looking Forward
- Devcon next week - There will be a keynote talk on the Nomad Bridge Hack. I think there will be a live stream if you are not attending.
- November 15th, PyChain - The First Virtual Event for Python and Blockchain Developers
- Call for speakers is open
- Free Tickets
I, Degen - Deep Dive
A wave of Tweets and some articles surfaced questioning the safety of conference goers leading up to Ethereum’s flagship developer conference in Bogota, Colombia, next week.
Veteran Devcon attendees will remember a similar panic from previous events, including Devcon III in Cancun, Mexico, where
Is this FUD or a legit concern? Let’s dig in.
Question: Is this a credible threat, in which there is a concentrated effort to target Devcon attendees, or is this FUD?
If we follow the Tweets, the picture is unclear.
This year’s Devcon security panic seems to have started with news outlets picking up a tweet from crypto_mackenna.
However, it’s worth noting that the article in question doesn’t mention Crypto_McKenna’s follow-up Tweet reply on that same day, which balances the original Tweet.
There are also some sensational crypto influencer tweets that we’ll ignore, mainly because they are purely opinion based, don’t provide any credible evidence of a threat, and are likely just ego-feeding clout farmers. I mention them because it is essential to understand and acknowledge that they play into the overall perception and conversation, even if they hold little substance and merit.
Staying safe at Devcon in Bogota Twitter threads:
Good OPSEC at conferences in general
While those are important and contain good information relevant to staying safe in Bogota, I thought it might be helpful to dig deeper and tap into the wealth of existing information on conference OPSEC.
Before we continue, you should understand that everyone’s security needs are not the same.
ZW: What is the personal threat model? Most crypto people don’t need to defend against nation states.
- Maintaining custody of your devices is a sound defense against parties that would seek to modify your equipment or outright steal your hardware. This measure only requires you to make sure you know where your stuff is, and who’s handling your stuff.
ZW: Physical access to a device opens a lot of new threat vectors and can make things a lot easier for an attacker.
- Before bringing a notebook or phone, consider what could be on those devices, and what might happen if they were to be compromised.
ZW: take inventory of what’s on your devices. Leave your noods at home…
- Run your updates.
ZW: Ensure your OS, browsers, and wallets are fully updated. It’s much easier to attack outdated software.
- Data Storage Encryption
ZW: You should have your HDs encrypted or know they are trivial to access.
- Kill Unnecessary Wi-Fi Transmissions
Some devices will retain a history of SSIDs that they have connected to. If your device is set to connect to an access point automatically, it may send multiple probe requests containing SSIDs that you have previously connected to. This can be used to set up a rogue AP and force your device to connect to it. Unless you are actively using an access point, it is recommended that you leave your Wi-Fi feature disabled. When connecting to new access points, ensure that you will not be connecting to them automatically.
- Use a VPN
- Use E2E apps
ZW: Use end-to-end encrypted apps for chatting, like Signal
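One concrete way to act on the Wi-Fi auto-connect advice above, as an added example that is not from the show or its guests: audit which saved NetworkManager profiles on a Linux laptop are Wi-Fi and set to auto-connect (the ones that make the device probe for remembered SSIDs), then turn auto-connect off for them. It assumes a host with `nmcli`; the sample input embedded below is constructed so the audit runs offline.

```shell
# Added example: find saved Wi-Fi profiles that will auto-connect to a remembered SSID.
# Real input comes from:  nmcli -t -f NAME,TYPE,AUTOCONNECT connection show
audit_autoconnect() {
  # Terse (-t) nmcli output is colon-separated: NAME:TYPE:AUTOCONNECT.
  # Wi-Fi profiles report TYPE 802-11-wireless; only those with AUTOCONNECT=yes are flagged.
  # (Profile names containing a literal ':' would need extra handling; nmcli escapes them as '\:'.)
  awk -F: '$2 == "802-11-wireless" && $3 == "yes" { print $1 }'
}

# Disable auto-connect for every profile name read on stdin. The profile is kept,
# so the network can still be joined manually when you choose to.
disable_autoconnect() {
  while IFS= read -r name; do
    nmcli connection modify "$name" connection.autoconnect no
  done
}

# Constructed sample of nmcli terse output (not from a real host), used to exercise the audit.
SAMPLE_PROFILES='Home-WiFi:802-11-wireless:yes
Office-LAN:802-3-ethernet:yes
Cafe-Guest:802-11-wireless:no
Hotel-WiFi:802-11-wireless:yes'

# Runs the audit over the constructed sample; expected to list Home-WiFi and Hotel-WiFi.
audit_sample() {
  printf '%s\n' "$SAMPLE_PROFILES" | audit_autoconnect
}

# Typical use on a real host: review the list first, then apply the change.
#   nmcli -t -f NAME,TYPE,AUTOCONNECT connection show | audit_autoconnect
#   nmcli -t -f NAME,TYPE,AUTOCONNECT connection show | audit_autoconnect | disable_autoconnect
```

On macOS the equivalent list of remembered networks comes from `networksetup -listpreferredwirelessnetworks en0`; the same review-then-prune approach applies.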
For the uber-paranoid…
OPSEC for Defcon #2 specifically, this comment:
Leave all tech at home; RFID shields
Wrapping it all up
I, Degen - Freestyle Convo
On any given day now, I receive more Spam Likely calls than I do real/legit calls. While this anecdotal observation is likely specific to my number, how common is this? Nocoiners often point to the epic number of scams in crypto, which is no doubt a severe problem, but other technologies aren’t free from spam/scams, either. This is a modern problem across various mediums. Crypto is newer and has a more direct path to profits, so it’s awful.
The seven companies have two weeks to address the agency’s concerns. Otherwise, compliant carriers will have to block their incoming traffic.
I, Degen - Personal Hack Attempt of the Week
Hunt: online weed in Bogota scam…
We do our best to report accurately on the topics we discuss but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!