Maybe some people leave dull lives and have nothing to fear, but I think we have seen that the environment can change drastically. From 0-days on the Nobel website to the recent spate of attacks against CA (and resulting widespread MITM in Iran), basing your security posture on whether or not you trust your local “Free Public WiFi” or whether or not you can run into an 0-day in the wild, is risky. Do you really want to click that link in Twitter? In your email?

For example, how many of you are running Cert Patrol and would have noticed a DigiNotar cert? Is all your software (esp. plugins) up to date?

I wouldn’t care about using my devices because the cost-reward is relatively bad. I don’t _really_ care about using my devices and nobody is giving me a sack of money telling me I should care. Securing your devices is great if you want people to erroneously attribute that to your ability but crap if you want to spend your evenings with your family.

If I properly secured all my personal systems assuming high priority threats all the time, whilst doing a full time job + researching and authoring, I’d never get any sleep or have time to eat!

Secondly the threat model is entirely different at Black Hat to a cafe, since the threats are distinctly different even if the ultimate risks are the same. Ergo the calculation of how much resource to dedicate to the problem is different.

My question to you would be: If you hired a security expert and he spent his days securing his personal devices on the basis that he’s off to a conference next week, wouldn’t you be a bit pissed and consider it wasteful? Now lets say he wanted to borrow your testing department to make sure they were secure. And wanted a budget to hire external pen testers double-check his iPad was safe. And then have the network support team sign off on all the software on his computer. And buy licenses for his tools…. etc, etc.

Of course you wouldn’t accept that – but how else is a security researcher supposed to get access to those things? Unless he’s a millionare, he’s not going to get it. Minimal assets means minimal ability to react to threats. Closing off surface area is an appropriate response in that circumstance if the cost is low (and seriously, who the hell needs an iPad that badly?)

To use another analogy, how many expert architects live in their own personal skyscrapers? …. That doesn’t mean they’re not expert architects. It just means they don’t have sacks of cash and oodles of time to throw away on looking good. Their work speaks for itself – not how much of their own free time and assets they’re prepared to throw away on posturing.

Defcon/Black Hat:

o High threat (Threat agents are dangerous and likely to hit within small window)
o High cost-to-resource ratio (My free time is precious and my personal devices are not intended to be highly secure)
o Low reward (Do I really care about using my phone that badly?)

Hotel:

o Low threat (Threat limited to few agents, mean skill is low, likelihood of encounter is low)
o Low cost-to-resource ratio (I’m probably there on business so the machine will hold at least some data worth protecting. It’s company time, so the resource is there to spend on securing it)
o High reward (I would die of boredom without internet in a hotel)

They are different circumstances with different threats and risks. To pass them off as the same (required to make the ‘overestimate/underestimate’ statement) doesn’t strike me as valid.

Perhaps a similar question would be why does Firefox have a privacy mode? Shouldn’t Firefox have privacy as standard?

The funny thing about that question is I’ve actually had people ask me that in all seriousness :)

Yes, that open wifi might be a trap to steal my passwords, but far more likely it’s just a cafe owner who wants to sell more coffee. Would you be willing to make the same bet at defcon?

There are loads unpatched vulnerability out there, so surely the fact that they’re not being exploited more shows that there aren’t that many people trying to exploit them.