NetPhantom Security

OpSec at Scale: Keeping Your Large Team Safe at High-Risk Conferences

Thu Oct 9, 2025

If I am being honest, my appearances at conferences like Black Hat and DEF CON are not relaxing vacations. For me and the teams I work with, these events are live-fire exercises where we are surrounded by the most switched-on, adversarial community in the world, all packed into a few hotel floors or conference halls.

Operational Security (OpSec) isn’t just a term for buzzword engineers, though; it’s the active process of defending your critical intel (as well as your personal data and devices) from those who want to exploit your team, your friends, or your organization.

Think about the risks: Wi-Fi sniffing and Bluetooth MAC scraping are passive. More active threats include social engineering, physical badge cloning or counterfeit badge manufacturing in the elevator line, and the non-zero chance of someone shoulder-surfing an open team chat on your laptop. You remember the stories—leaked photos of sensitive chats (or government data leaked to you-know-where), devices disappearing from hotel rooms. That’s what happens when OpSec is an afterthought.


1. The Big Four: Core Principles for Teams in the Field

A large team is simply a larger target. Your team must internalize these principles—drill them until they’re muscle memory:

  1. Least Privilege: Nobody needs to know everything. Share logistics, comms keys, or targets only on a strict need-to-know basis. Compartmentalize your mission data aggressively.
  2. Compartmentalization: This means zero personal-to-op crossover. Burner devices for work, personal devices locked away or left at home. Never mix your personal identity with operational activity.
  3. Situational Awareness: Eyes up, always. Be constantly aware of who’s around, what’s visible on your screen, and what RF is being emitted by your gear. Acknowledge the physical threat.
  4. Deconfliction: If your org has multiple teams running (say, Red and Blue), establish explicit barriers to prevent accidental information leakage. No “oops, did I just send my C2 URL to the wrong group?”

2. Primary Comms: Signal is the Only Answer

When the Wi-Fi is hostile and the cell signal is flaky, your primary communication channel has to be a fortress. Skip the corporate chat apps.

Why Signal, Every Single Time:

  • End-to-End Encryption (E2EE): Standard and non-negotiable.
  • Disappearing Messages: Set a clock on all sensitive chats. The best data is data that doesn’t exist anymore.
  • Sealed Sender: Protects the metadata. An adversary sniffing the wire can’t easily see who’s talking to whom.

Signal Best Practices for the Field:

  • Registration Lock: Mandatory. Set a PIN on every op account to stop SIM-swap or VoIP hijacking attacks.
  • Burner Identities: Register all operational Signal accounts using burner SIMs or privacy-respecting VoIP numbers. Your personal number stays home.
  • Disable Link Previews: Turn them off. Previews can leak your IP address or pre-fetch hostile content.
  • Aggressive Purge Policy: Set high-sensitivity channels to auto-delete messages every 5 to 30 minutes.

3. The Absolute Backup: Going Off-Grid with LoRa Mesh Radios

If the network goes down, or, more likely, is actively jammed, relying solely on internet or cellular networks is a failure. You need an off-grid fallback.

Why LoRa over Consumer Radios:

  • Off-Grid Power: No reliance on external internet or cell infrastructure.
  • Encrypted Mesh: Modern solutions like Meshtastic use encryption, unique mesh IDs, and FHSS (frequency hopping). It’s a massive upgrade from analog or consumer digital walkie-talkies.
  • Range: Works well for building a persistent, multi-hop mesh across a sprawling hotel and convention center.

Hardware & Configuration Protocol:

  • Hardware: Meshtastic-compatible devices (TTGO T-Beam, Heltec).
  • Pre-Configured: Flash your devices before arrival. Use a unique, non-default team mesh ID and an encrypted channel key.
  • Radio Lead: Assign a dedicated team member to manage the LoRa gear, conduct daily comms checks, and carry spare antennas/batteries.
  • Short TTL: Keep the message Time-to-Live (TTL) short to minimize persistence on relaying nodes.
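The pre-flight audit below is an added example, not code from the original post or from the Meshtastic project. It assumes the Meshtastic channel-key convention (a 1-byte PSK is a "simple" well-known key, 16 bytes is AES-128, 32 bytes is AES-256), treats the channel name as the "team mesh ID", and maps the post's "short TTL" onto Meshtastic's hop_limit with a team ceiling of 3 hops; run it against each device's channel settings before anyone leaves for the venue.

```python
import base64
import secrets

# Assumed Meshtastic conventions: a 1-byte PSK is a "simple" key (0 = no encryption,
# 1 = the public default key, 2-10 = default key variants); 16 bytes = AES-128,
# 32 bytes = AES-256. An empty channel name is the public default channel.
DEFAULT_CHANNEL_NAME = ""
DEFAULT_HOP_LIMIT = 3      # Meshtastic default; firmware caps hop_limit at 7
MAX_TEAM_HOPS = 3          # team policy for the post's "short TTL" (assumption)


def new_team_channel(team_name: str, hop_limit: int = MAX_TEAM_HOPS) -> dict:
    """Build a private team channel: unique name plus a fresh 256-bit PSK."""
    psk = secrets.token_bytes(32)                  # AES-256 key from the OS CSPRNG
    return {
        "name": team_name,
        "psk": base64.b64encode(psk).decode(),     # base64 is how the CLI/QR carries it
        "hop_limit": hop_limit,
    }


def audit_channel(cfg: dict) -> list[str]:
    """Return policy findings for one channel config; an empty list means deployable."""
    findings = []
    try:
        psk = base64.b64decode(cfg.get("psk", ""), validate=True)
    except ValueError:                             # binascii.Error is a ValueError
        return ["psk is not valid base64"]
    if len(psk) == 0 or psk == b"\x00":
        findings.append("channel is unencrypted (empty/zero PSK)")
    elif len(psk) == 1:
        findings.append("PSK is a well-known 'simple' default key, not a private key")
    elif len(psk) == 16:
        findings.append("PSK is AES-128; team policy requires a 32-byte AES-256 key")
    elif len(psk) != 32:
        findings.append(f"PSK has unexpected length {len(psk)}")
    if cfg.get("name", DEFAULT_CHANNEL_NAME) == DEFAULT_CHANNEL_NAME:
        findings.append("channel name is the default public channel")
    hops = cfg.get("hop_limit", DEFAULT_HOP_LIMIT)
    if not 1 <= hops <= MAX_TEAM_HOPS:
        findings.append(f"hop_limit {hops} is outside 1..{MAX_TEAM_HOPS}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a factory-default channel ("AQ==" is the 1-byte default key)
    print(audit_channel({"name": "", "psk": "AQ==", "hop_limit": 3}))
    print(audit_channel(new_team_channel("constructed-team-name")))   # expect []
```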

4. Onsite Protocols: Structure is Security, Improvisation is Risk

A large team operating without a rigid plan is an OpSec vulnerability waiting to happen.

Protocols and their actionable steps:

  • Morning Check-In: A daily Signal roll call with read-receipt verification. Verify LoRa gear is powered up, connected, and in range.
  • Emergency Codes: Establish clear, agreed-upon codewords: CODE ALPHA (Immediate Evacuation/Regroup), CODE BRAVO (Law Enforcement/Critical Incident), CODE CHARLIE (Gear Compromised/Stolen).
  • Comms Lockdown: If the LoRa network is activated for an emergency, all other digital traffic must cease. Silence your devices and limit broadcast to essential radio comms.
  • Role-Based Leads: Assign clear Leads for Comms, Travel, Recon, and Safety. Decisions flow through them to prevent individual panic/improvisation.

5. Physical and Digital Hygiene: Don’t Be the Easy Target

The biggest threats are often sitting right next to you.

  • Faraday Pouches Are Your Friend: Unused operational phones, laptops, and drives should be stored in Faraday pouches or bags. If it’s not needed, it’s silent.
  • Cover Cameras & Ports: Webcam covers are mandatory. Disable or cover Bluetooth, NFC, and unused external ports. You don’t need to be broadcasting your presence.
  • Minimize Affiliation: Leave the corporate swag at home. Blending in is a better security posture than wearing a target on your back.
  • Mind the Angles: Never leave an unlocked device unattended. Be hyper-aware of shoulder surfing in common areas, hotel bars, and elevators. No OpSec discussions on hotel Wi-Fi.

6. After-Action: The Data Must Be Secured

The op isn’t truly over until the data is gone and the gear is clean.

  1. Immediate Purge: Manually purge all Signal chat histories. Immediately revoke all group invite links to prevent unauthorized access.
  2. Audit & Wipe: Audit all operational devices for rogue connections. Perform a deep, secure wipe of all burner storage media.
  3. Destruction Protocol: All burner SIMs, high-risk storage, and compromised devices should follow the established destruction protocol (physical destruction) or be securely inventoried and stashed for the next op.
  4. Team Debrief: Conduct a formal team-wide debrief. Log every OpSec near-miss and success. Your failures from this mission are the data points you use to harden the playbook for the next one.

Disclaimer: LoRa radio usage is governed by regional laws (e.g., FCC in the US, ETSI in Europe). Consult your local regulations to ensure your power levels and frequencies are compliant.