Et tu, Brute? Then fail, Caesars: When it's hotel staff, not the hackers, invading folks' privacy
El Reg vulture's take on the upset at this year's Black Hat and DEF CON
Comment The hacking world's summer camp has ended. The last of the Black Hat USA, BSides Las Vegas, and DEF CON attendees and organizers have now left Sin City after a week of lectures, networking, and partying.
What unfolded over those seven or so days will have knock-on effects for years to come – not just from researchers and miscreants using fresh inside information, tools, and skills gained from the conference trilogy, but as a consequence of poorly executed hotel policy.
Las Vegas is a notably different place from this time last August, in minor ways and one major one. As an example of a minor change, marijuana is now legal in Nevada, and the smell of sour diesel in the streets doesn't just come from its trucks and busses.
Here's the major revision: people are now, understandably, still tense following the mass murder of revelers at a music festival on the Las Vegas strip last October. A gunman opened fire on hundreds of concertgoers from the window of his Mandalay Bay hotel room, which was crammed with weapons, killing 58 and wounding 851.
This tension would manifest itself in the middle of the week and then grow to be one of the major talking points of DEF CON, leading to the head of the show’s security tending his resignation, and some attendees threatening a boycott.
A smooth start
BSides Las Vegas kicked off its sessions on Tuesday with a series of talks, many highly technical, on how to break in various vulnerable bits of technology. BSides started life as an alternative to the increasingly corporate-friendly events, and the quality of the talks was better than many of those being held down the road at the larger Black Hat. Then again, your humble hack is possibly biased because he co-presented at BSides LV.
The other strength of BSides is the networking opportunities, if you want to get to know people elbows deep in firmware and the glue that keeps the internet stuck together. It’s the smallest show of the three, and has, to my mind, the highest percentage of security vulnerability researchers and exploiters of the trio, plus a growing number of academics.
Over the past few years, there have been concerns Black Hat USA was just becoming RSA with blackjack and hookers, thanks to its overly corporate posture. Yet, this year there was a ton of good stuff, much of it fresh and serious, and the show was generally much better run.
Be it backdoors, er, features in x86 processors and data center servers, autonomous car hacking or satellite communications hijacking, the effects of machine learning on malware creation, the quality of the content was strong. There was even time to make fun of John McAfee’s latest publicity stunt at Wednesday night’s security Oscars, the Pwnie Awards.
Thursday’s talks were also well attended but, as the day progressed, many people began to drift off to DEF CON up the road at Caesar’s Palace. A few talks had already started at the hacker show, there were drinks to be had, and Black Hat emptied out fast.
Getting to know you
Part of the rush to DEF CON is to make sure you get one of the now-legendary attendee badges before stocks run out. Rather than being just a bit of plastic with your name and barcode on them, these conference passes are working circuit boards featuring lights, sensors, microprocessors, and other kit, for you to hack and explore.
This year was a stroke of genius: the badges contained a retro roleplaying game you could access via USB, 30 LEDs, and other IO ports. You could unlock new RPG levels if you connected your badge to another badge types – human, press, speaker and so forth – with the lights telling you if the link was successful.
As a result everyone was looking to hook up, electronically, with everyone else, and it was a great way for people to introduce themselves and chat. Most of the action at DEF CON on the Thursday night is in the chill-out zones and private parties.
It was during that night that we were tipped off that senior Googler Matt Linton, who was in town that week for the conferences, had been unceremoniously kicked out of his hotel room at Caesars at roughly midnight, and barred from the premises. We had interviewed Linton earlier in the week after he spoke on a panel detailing the development and rollout of mitigations for the Spectre and Meltdown CPU design blunders.
Things get weird
It turned out Linton had received a visit from officers at the Las Vegas Police Department to lightly quiz him about an off-color joke he earlier made about attacking conference attendees on Twitter. By attacking, he meant hacking, and also in a theoretical sense. However, speculating publicly about attacking people in Vegas near the anniversary of a mass shooting in the city went down like a
shutdown -h now on a production database.
You can read the offending tweet yourself below...
If I had the time, budget, and motive to launch really good attacks in Vegas, I would:— Matt Linton 🐦👨💻⚕️⚒️🥋🎻 (@0xMatt) August 8, 2018
❌ Attack random Defcon nerds who are probably mostly broke and powerless
✔️ Attack ppl at BlackHat who are way more likely to be in positions of power somewhere with 💰 to drop on tickets
It's possible the LVPD is running social media surveillance software on the lookout for this sort of thing, however we understand someone saw it and reported it to the cops. In any case, the plod popped by for a chat with Linton, which was by all accounts brief and friendly. The matter was resolved amicably, Linton apologized in a followup tweet, and the matter was settled.
Caesars staff got wind of the tweet and the police's interest, though, and booted out Linton. When he tried to get into his room that evening, his keycard stopped working, hotel security showed up, he was told to pack his bags, and he was escorted out to the curb. Being banned from the hotel was doubly annoying: not only did he have no place to stay, DEF CON was this year hosted by Caesars, and thus he was effectively barred from attending the event, too.
DEF CON staff were on the case a few hours after the expulsion, and it took the intervention of the show’s founder Jeff Moss, aka Dark Tangent, to get Linton back in. This was just the start of complaints over Caesars heavy-handedness.
Shortly afterwards, more reports surfaced regarding the behavior of the hotel giant's employees. Infosec journalist Kim Zetter, Luta Security CTO Katie Moussouris, and Google reverse-engineer Maddie Stone experienced hotel guards with little or no staff ID hammering on their hotel room doors, or walking in without warning, demanding the right to search their suites.
This being hacking conference season, the men could easily have been miscreants attempting to burgle the rooms, or worse. With no ID and no clear reason for the sudden interest in searching the place, without permission, the experience was terrifying.
Reports of pushy staff increased. Someone at the DEF CON hardware hacking village had their soldering irons confiscated, a programmer-turned-recruiter called Kirsten said she had her room checked without warning while she was naked in the bathroom, and many people claimed their belongings had been rummaged through. Some attendees set up surveillance cameras in their suites and are said to have filmed hotel security workers trying to share on Snapchat photos taken inside people's rooms.
Clash of policy and confluence of cockups
It appears DEF CON had run slap bang into a policy change by Caesars hotel properties. Worried about the prospect of someone stockpiling weapons in their suites just like the Mandalay Bay killer, and thus using their hotels for another bout of senseless slayings, the hotel giant decided that if someone has a do-not-disturb tag on their door for more than a couple of days, a search has to be made. In other words, if the maids can't be allowed in to clean up and clock any assault rifles and grenades, security guards will do the latter for them – whether guests are present or not.
There were a number of problems with this. Firstly, the hotel promotes skipping maid service as an eco-friendly option during check-in: people are thus encouraged to limit housekeeping to save on resources, and earn credits. Secondly, many people – myself included – prefer privacy, and frequently turn down maid service. Thirdly, hacker event attendees are among the most security-minded on the planet, and thus try to minimize opportunities for strangers to be in rooms with belongings unattended. And finally, bursting into rooms with no identification is not how this policy should be executed.
Amazingly enough, the conference-goers got very shirty at the prospect of unidentified people forcing their way into rooms to root around. Checking for a stockpile of weapons is one thing, such is America in 2018. However, barging in unexpected, with no prior warning, and with no ID is a rather crap way to enforce security and make people safer. And no, don't compare it to computer hacking.
As Friday evening’s parties kicked off, the policy was hotly debated. To add to the kerfuffle, online trolls began laying into those who were complaining on Twitter about the rules and searches.
Caesars issued a statement explaining the room-search policy has been in place since January this year, and that inspections by guards were simply visual checks – although video footage of staff apparently fingering through guests' belongings suggests otherwise.
The hotel giant also said it had informed the DEF CON team well in advance of the conference of the new rules, and the event organizers had agreed to the regulations. However, DEF CON’s 20-year head of security Marc Rogers said he was not aware of the new policy, and that had he known, he would have made it clear to attendees. He acknowledged hotel staff need to inspect rooms, however, it should be done in a safer manner – and he had, in his eyes, failed in his duties.
“So I offer you my resignation,” he wrote in an open letter to the community.
“By not being aware of Caesars’ statement I failed you. I WILL not let this happen again. However if you no longer feel I am the man to defend you, my community, then I will leave. I suspect much of my team will leave too but….plus ça change.”
Bad for business
Rogers received a wave of support, and was urged to stay in his position. However, it’s clear something is going to have to change, or next year people will vote with their feet and steer clear of Las Vegas and its hotels. Mark Maunder, CEO of Wordpress security shop Defiant, said he will shift his $50,000 of business elsewhere after a woman team member was visited by heavy-handed security on Saturday night.
It’s unlikely DEF CON will move from Caesars any time soon – the logistics would be too great. That said, the show does need more space. The NSA’s Rob Joyce gave a 5,000-seat presentation that was full in minutes, and left half as many again still waiting to get in.
It’s clear Caesars' security theater that overshadowed the show has turned some attendees off. Other hotel chains aren’t performing these invasive checks, although the Mandalay Bay – the home of Black Hat – is reported to be asking to examine some long bags during check-in. ®
Sponsored: Becoming a Pragmatic Security Leader