Security suggestions for Devcon in Bogota
===== HELLO PARANOID FRIENDS
For those of you who thought twice about going to Bogota for Devcon due to security concerns, and then decided to go anyway, this is written for you. You’re cautious and sensible, but you’re willing to take some risks in the interest of… well, you decide what you’re doing it for.
This is a practical (“how”) guide, not a philosophical (“why”) guide. It’s written with some of the knowledge on physical security that I picked up while pitching Anchorage the crypto custodian to HNWI customers, and a good dose of intrinsic paranoia. Also, #DYOR!
You have a few days left to order and prep these things — get started now!
(PS — someone more familiar with Bogota might think this is OTT, but I prefer to spend a few hours to prevent crime than to spend months dealing with financial and mental fallout.)
===== OVERVIEW: THE THREATS
First, let’s break down the threats. Here are the things you could lose:
Here are some ways you could lose those things:
1) Walking on the street and getting robbed at knife point
2) Sitting in a taxi/Uber and getting kidnapped
3) Home (Airbnb) intrusion, with or without you at home4) Using insecure Internet
5) Your credit/debit card being copied when making payment
Here are the threat actors:
1) Opportunistic criminals
2) Organized criminals
They could attack stealthily, use violence, or some mix of both.
===== SPECIFIC RECCS
I’ve broken them down so they are easy to execute chronologically as you prep for the trip.
=== BEFORE you go:
Things to NOT bring
Dramatically reduce your attack surface!
* Hardware wallets, if you can avoid it
* Delete browser and mobile wallets that you don’t need during the conference period (make sure you store the backups safely and do not travel with them)
* 2FA hardware that you don’t need (e.g. Yubikeys)
* More than 1–2 debit/credit cards. If you can, call ahead to reduce the ATM withdrawal limit. Consider bringing cards with these features: prepaid debit cards (you can only spend what’s on the card — a lot of crypto-linked cards are like that), cards with good spending notifications (e.g. Apple Card), and cards linked to bank accounts with low balances
* expensive or expensive-looking watches and jewelry. Don’t be an idiot. In Colombia they actually have a saying for setting yourself up to be taken advantage of: “No dar papaya (don’t give a payaya)” :) A friend of mine just got held up at knife point in Mexico City because he forgot about his $$$ watch. The thief didn’t even bother asking for his wallet cos he was so happy with the watch. (Lucky for me, I like my watches plastic and rubber =/)
Things to bring
* A whistle or some other personal alarm with loud sound (option, option)
* Pepper spray. Attach it to the outside of your bag or to your belt for quick access (option)
* Home security camera(s). Add a subscription so that videos are uploaded to the cloud, in case you ever need to investigate. Ideally they have alerts for when wifi or power go off. If wifi gets cut, some camera models have an in-built SD card so video can keep recording. If power gets cut, unless it’s a widespread shortage, I would investigate the recording after the fact (and if the SD card is missing… well, you know for a fact someone took it) (many options, here is one)
* Door sensors with alarm function. These sre like the chimes that go off when you enter retail stores — when one side is separated from the other, an alarm sounds. Or, an electronic door stop with an alarm function (option)
* Travel router and VPN service (explained below) (router option; vpn: choose your own)
* Make sure to get travel insurance so you get protection against theft and injury. Carry your insurance info with you. If anything happens, it’ll be easier for friends to coordinate your care
Things to do
* Try to pay with mobile payments when you can (e.g. Apple Pay / Google Pay). This means someone cannot simply copy your card number (although, for when you have to use a card, i have a special place in my heart for cards that do not have the numbers printed on them — again, the Apple Card)
* Activate Find My for your family. Consider turning that on for trusted friends also at Devcon since they would be first to notice if you didn’t show up on time. But, that may also increase your attack surface (if one person get compromised, the others are easier to find); I don’t know what the best solution is
=== AFTER you arrive:
Traveling to the conference during the day
* Travel in a group if you can
* Take Uber. Do not take local taxis that you flag down. Someone advised not using the local equivalent of Uber (shrug, I dunno)
When taking your Uber, make sure to check
(a) the driver’s # of trips and ratings (feel free to cancel if they have less than 4 stars and thousands of trips),
(b) share your ride with a friend at your destination before you get on the car,
(c) confirm the car plate (don’t take excuses for why the number is different from what you see in the app),
(d) confirm his face BEFORE you get in (!),
(e) lock the door after you get in,
(f) make sure to check in on the Uber app to make sure you’re on the pre-set path.
Important: familiarize yourself with Uber’s safety features (within the trip UI, you can quickly indicate that something wrong is happening).
An excerpt from a Bogota guide: Unless you’re with a few friends, hailing a cab on the street isn’t recommended. Bogotá’s taxi system is generally reliable, but there are a few renegade drivers who spoil it for the rest. There have been a few incidents where drivers stop to let their armed chums into the cab, who then rob passengers blind or take them on a secuestro express tour of the city’s ATMs.
* Don’t be a phone monkey. Look up and around all the time. In Krav Maga, the Israeli self-defense martial art, one of the first things they drill into you is “situational awareness” — always be aware of your surroundings. Pretend you’re on Market Street in San Francisco, and you’ll be fine ;) If you must use your phone or open your bag on the street, do so only in a public well-lit, well-traveled area with many bystanders. Place your back to a wall so no one can sneak up behind you.
* Don’t put wallets in your backpocket unless you want someone to feel you up (and take ur wallet)
* Don’t wear your backpack the right way in a crowd. Wear it in front of you
* Familiarize yourself with common street scams. In short, there are myriad techniques used to distract you while an accomplice swoops in to grab your belongings.
* Take a moment to read the Wikitravel guide on Staying Safe Bogota. This will inform you of common scams, and which areas to avoid.
Traveling to parties during the evening
The same principles as above apply, but here are some common sense one for when the moon is out.
* If you get any last minute party invites, crosscheck them with friends. Make sure they are organized by people you actually know. Don’t let your FOMO get the better of you. There are 1000 more parties at 100 more conferences after this one
* Uber with friends. Do not travel alone at night, if you can help it. If you’re staying out especially late, consider staying over with friends instead of Ubering back alone
* Don’t wander around. Be clear where you are going. Shady areas may be two streets away from safe areas
* Don’t accept drinks from anyone. Ideally, you can see any drink being made and then delivered to you. Surprisingly, men are the principle targets of spiked drinks. Which is probably why spiked breasts are also a problem (See #5 here)
Before leaving home
* Bring your pepper spray
* Activate your camera(s) and alarms
* Leave your valuables in a locked bag, in a safe. Please buy a good lock, cos cheap locks are easy to pick
* external wallet (small amount of cash and low-value prepaid card). Easy to rob, enough to satisfy
* money pouch close to your body. Have enough to spend on food and coffee from your external wallet without having to dig out your money pouch
While at home
* Make sure your door alarm is armed before you sleep
* Lock your bedroom door if you can
Things to NOT do:
* Ed Snowden once said: “the first rule of crypto is to not talk about your crypto.” Don’t make yourself a target
* Don’t wear clothes that make you look like a tourist. Some crypto people like to wear unicorn shirts and neon pants. That might be a good idea if criminals were color blind
* Don’t look lost
* Don’t withdraw money from ATMs on the street. Only draw from ATMs in guarded banks/buildings. Better yet, get enough cash from the airport where you are departing (or when you arrive), and use cards everywhere else
* Don’t leak information that puts you at risk. E.g., apartment address, who you’re traveling with, that you work in crypto, or why you’re in town (conference). Keep conversations vague and to a minimum
When using the internet
* Consider bringing a travel router, so that you have one more layer of defense from compromised networks. You connect your router to the Airbnb/hotel/event space internet, and your devices connect to the travel router. You can turn on protection for DNS rebinding attacks and DNS encryption, which will protect you from malicious websites looking to compromise devices in a specific location
* Otherwise, where possible, consider using mobile data (and tethering your laptop to your mobile), instead of connecting to local wifi
* Turn on VPN on every device (mobile, laptop)
=== IF SH*T HAPPENS ANYWAY
If you get held up at knifepoint, please just hand over your valuables. Thanks.
A Bogota guide suggests throwing your bag on the floor and making a run for it.
1) Emergency number: 123 (not 911!). Tourist Police: (1) 3374413
2) Android and iPhone users can hit the Power button 5 times in sequence to automate a call to the local Emergency service. Try it! There is a 5-second grace period; please cancel it before the call actually goes through during your test
===== FINAL RECC
Be shameless about not following social convention if something doesn’t feel right.
If you don’t like the way an interaction is going, just walk away. Cancel that Uber, don’t share your contact details, cover your face if someone is taking a photo without your consent. You don’t owe anyone anything. You owe yourself and the people you love everything.
DM me if you have suggestions (please) or questions (don’t be shy): Twitter @michlai007