Hackers Who Attended Black Hat and DefCon Conferences Say Hotel Security Personnel Demanded Access To Their Rooms (the-parallax.com)
More than two dozen hackers and security experts who attended security events last week say security personnel at the Mandalay Bay, Luxor, Caesars Palace, Flamingo, Aria, Cromwell, Tuscany, Linq, or Mirage hotels had entered their rooms. Security news site The Parallax reports: Except for Tuscany, which is independent, all of these hotels are owned by either Caesars Entertainment or MGM Resorts International. And of the three hotel companies, only Caesars returned a request for comment. Richard Broome, executive vice president of communications and government relations for Caesars Entertainment, whose Caesars Palace is co-hosting DefCon this year with the Flamingo, said that following the deadliest mass shooting in U.S. history last year, "periodic" hotel room checks are now standard operating procedure in Las Vegas. On October 1, 2017, from his room at the Mandalay Bay, Stephen Paddock used semiautomatic weapons he'd outfitted with bump stocks to kill 58 people and wound at least 527 others attending a gated country music concert on the Strip below. [...] Two apparent Caesars security officers wearing hotel name tags displaying only the first names "Cynthia" and "Keith," respectively, as well as sheriff's style badges that looked like they came out of a Halloween costume kit, visited my room while I was writing this story. Cynthia told me that they are instructed to refer to the front desk guests who decline to allow their room to be searched.
After Cynthia and Keith declined to disclose their last names to me, I asked what they intended to do in the room. They told me that they would enter it, type a code into the room's phone line to signal that it's been checked, and then do a visual spot check. When I asked what they would be looking for, Cynthia replied, "WMDs -- that sort of thing." Other conference attendees reported similar but less pleasant interactions. Katie Moussouris, CEO of Luta Security, wrote on Twitter that two hotel security personnel were "banging" on her room door and "shouted" at her. She also said the hotel's security team supervisor "dismissed" her concerns over how the hotel was treating single, female travelers. Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed. "He left when I started screaming," she wrote, adding that a hotel manager, upon her request, said Caesars would look into whether the man was actually an employee. Stone tweeted that she left DefCon early because of the incident.
Is the US really the only safe place to have such meetings?
Shooting the guy who entered while she was dressing would have helped educate him and others for the future...
Simple - Why on earth would you use that place to host your customers if that's how they're going to be treated.
I'd get the f*ck out of there and never come back.
It seems to me that a simpler solution is to have someone actually watch and pay attention to the cameras. They aren't going to catch some guy with one gun either way considering how you can break them down. This only works for someone with an arsenal.
When that shooter was allowed to carry all that hardware, unchecked, and massacred all those innocent people, that was a hotel fuck-up. Now the same hotels fuck-up in the other direction. Wow, just wow.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Unfortunately, it isn't clear whether the hotel was inspecting the rooms of all guests or just Defcon/BlackHat attendees. I'm assuming the former, since the Vegas shooter wasn't involved in the CompSec scene. Since this hasn't been reported widely, it could be just selectively enforced as most security theater.
It's hotel property that they agreed to rent to you. There are laws governing this agreement, among them being hotel staff can't barge in to your room whenever they like.
https://www.gsblaw.com/duff-on-hospitality-law/guest-room-privacy-and-the-fourth-amendment
why can't we see you nekkid?
Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed.
Before I say anything, to be clear:
1. Ms. Stone did nothing wrong.
2. The man entering the room was absolutely criminal in entering a room like that without knocking.
That said, when you're in your room, lock your doors. Use the deadbolt, use the little chain, and anything else available.
Normally, the deadbolt alone will prevent the key card from working.
While the chain is nearly useless from keeping someone from breaking in, it gives a few seconds of delay to the intruder, giving you time to respond.
Same category as leaving your laptop in the passenger seat of a car. You don't deserve to have your window smashed and laptop stolen, and it is NOT your fault if someone does it.
It still is a better idea to put it out of sight, though.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
If it starts to dip because no one wants to be subjected to this shit, the venue will soon be changed.
Caesars would look into whether the man was actually an employee.
This alone is sad.
Even sadder is the fact that they are doing these "checks" at all
And the saddest thing is probably that after the Las Vegas shooter, this could be even justified. More or less. Not in a "this will help" way, but in "how can we prevent this in the future" way. I bet someone was forced to present an "action plan" to his managers.
bickerdyke
Nah, we're more the passive-aggressive type. We FUBAR your card-based hotel room locks to retaliate.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So if someone else abuses his privilege (because it's kinda odd to call it a right if you can abuse it), and I get punished for it?
When did the US turn into a Stalinist country, complete with clan liability? And even in the Soviet Union you were just strung up for the sins of your father, not just any random person you never met.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I can confirm that Bally's was included in the searches as well. Every time I left or came back to the hotel from the con there were security folks banging on a different door. I think my floor was mostly con folks.
Immediately after the white guy shot up the concert last year, all hotels on the strip changed their rules. From that point on they would not observe the Do Not Disturb sign on doors and would do spot checks of hotel rooms.
Caesar's says they will check rooms daily.
That these checks happened isn't surprising since the hotels did publicly announce their new policies. Then again, had that white guy not gone a shooting spree, none of this would have happened. Actions have consequences and all that.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Are there private hotel safes still in Las Vegas hotels you can put the things that the hotel staff shouldn't have access to in any way? DefCon, Black Hat, and all that..
I am shocked to say this article was balanced, well researched, and carefully written. Unfortunately, it is very rare that I get to say this.
and I get punished for it?
You don't get punished, you get checked out. Just like you bend over at the airport for that unsolicited finger in your ass from the TSA.
When did the US turn into a Stalinist country
It has always been one. Remember the beatings of the "occupy" folks? What about McCarthy? How about Sacco and Vanzetti?
Well, back in McCarthy's time people at least folded when asked "have you no shame, have you no decency?"
Today, they'd simply say "nope" and carry on.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They took out the slot machines at the Linq in retaliation.
Then you're an idiot. Random searches to allegedly prevent something that statistically won't happen again even if nobody does anything are wrong. The idea of submitting to a search is wrong. The idea of rent a cops pounding on doors demanding access for zero reason belongs in a bad movie and not in the United States. Ever. For any reason.
No, back in the day it was not really different.
McCarthy folded, because he was drinking too much and attacking people who were too powerful for him.
The really dangerous types like Dulles and Hoover said "nope" and carried on, and everyone else folded, congresspeople and presidents included.
That's why I always have 2 wedges in my baggage, to put under the hotel door, blocking it, so that nobody can enter while I'm in the room, key or no key, cleaning, security or robbers.
Ugly fat "hacker" snowflakes are harmless, unlike the average white businessman with the five shotguns and the 20 ammo cases.
Seriously, unless you want to gamble, or take advantage of prostitution being legal, Las Vegas has nothing to offer.
And if the two items above are of serious interest to you, you have a very sad life.
There's no indication the Las Vegas shooter's ethnicity had anything to do with his spree. So why note it unless you're a racist?
They don't want you anyway.
How do they fit and work? How big are these gaps in the floor that you can fit a wedge under the door and between the sill? Also what stops the staff from poking it out from the other side of the door?
I call bullshit. You do no such thing.
The few attendees who s tweet bloody murder about this were in rooms with signs "Don't disturb" hanging for days, and had gotten in with large cases of who knows what. In modern Murricah, that's an invitation for a check. Nobody wants to be the next place where the mass murderer shoots from.
So many comments from people who don't go to Las Vegas often.
After the shooting, hotel policies changed at ALL hotels on the Strip, among all companies. As someone who stays at Caesars properties heavily and at MGM properties occasionally, I can tell you that the "Do Not Disturb" sign is a thing of the past. DefCon attendees in particular should be aware of this, and caterwauling on Slashdot is a sign of their own obliviousness. The Strip hotel I'm staying at now says "Room Occupied" on the front -- not "Do Not Disturb". No one has "Do Not Disturb" any more, and it says right there on the sign in not-quite-fine-print:
While you are actively in the room, if you wish for privacy, you should lock the deadbolt and engage the latch. If security is making a check, that allows you to have them not walk in on you naked, but it doesn't mean they won't ask to be let in to do a verification.
As with police (who don't have a warrant), if you have concern about their identification, call down to the Operator/Front Desk to verify that they're an employee before letting them in.
To re-iterate, after the Vegas shooting this is standard policy across the board at ALL HOTELS. In case anyone missed it, MGM got a lot of flack for missing the signs here, where a security check might have caught something obvious. One might argue that they should have made this more explicit via a press release, but if you're here a lot it's obvious already what's changed. As to whether DefCon attendees were more singled out in particular, it would be hard to say. If I were hotel security, I'd have more reason to suspect them of ripping apart the Ethernet jacks or something and trying to hack into the hotel security system than anything with weapons -- an elevated stance is probably expected.
Hire a Linux system administrator, systems engineer,
Hackers =/= Anything, your compiler will return an error about it being unassignable.
The word has become laughably nebulous.
If it wasn't, maybe we could have an argument about whether the stable definition matches for "criminals". Which is to say you're so fucking off, we can't even discuss if you're wrong. Which is to say, you're so far off we can call you a dumbass or any number of insults.
My first and maybe last def con. If I can't find an alternative hotel that doesn't pull this bull shit I won't be back. I'm not a gun enthusiast, but would agree that shooting an employee entering when a DND sign was hung does justify murder. But it is not reasonable to shoot some one simply because they entered the room without knocking. The justification is that they are violating fundamental rights we should all have when we rent or own property to that property. This erosion of these rights is dangerous just as is all forms of censorship or punishment thereof for communications. You can't justify such things based on safety or children or whatever because once you do others can take advantage of that to undermine freedom, democracy, and stability of peace of all. This policy is morally reprehensible. The law does not make right. Laws are made by man and the men making those laws are near always on the morally reprehensible side.
- Don't schedule conference events in Las Vegas
- Don't attend any conferences scheduled in Las Vegas
Looks like Vegas is wanting to strangle the one and only thing keeping it alive. Their visitors. You alienate too many people and soon you'll find yourself wondering where everyone went.
If they keep up this practice in the guise of "security", Vegas will go under. This is something people will not tolerate and there are plenty of other, though less fun, places to gamble. Clue in here Vegas, you'll never once find anything bad, not once, other than some drug paraphernalia and trust me, you want your visitors high, they spend more. Your security checks would have never found this gun man and if they some how had, your joke of security guards would be dead and he would have still done his deed.
Why is it every time some sort of awful tragedy happens, we have to go completely overboard with "preventative measures." Who runs a hotel like that? No one! These hotels will likely not be in business much longer if they persist on this. This sort of behavior garners a lot of bad reviews and publicity. Yes yes, no such thing as bad PR, but this could be the rare case of.. yeah, security goons barging into your room unannounced, that's going to ward off potential guests. At least, I hope it does.
That alone is a HUGE problem. The other security checks.. meh.. I mean if they're being polite, knocking, etc, I suppose it might be ok-ish, but not really. But barging in unannounced? Completely out of line.
I love the following statement. Now remember, this is a hotel that is loaded with hackers.
"Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed. "He left when I started screaming," she wrote,"
First, how did she know it wasn't a fellow hacker? Was it the light-blue shirt? Or was it a device that looked like a walkie-talkie?
For a hacker, she sure doesn't have a clue of how to hack safely.
I suggest that people spray Liquid Ass in their rooms.
JFC... DefCon attendees should be among those most aware of security policy changes, and this has been going on since last Winter. Changes are everywhere, but it's especially prevalent in "soft target" vacation destination areas, such as Las Vegas or Orlando.
https://www.meetingstoday.com/newsevents/industrynews/industrynewsdetails/articleid/31803/title/-do-not-disturb-policy-updates-spark-debate
The other problem with Vegas is that it's impossible to do much of anything in the public area without getting solicited by at least one skanky whore. Actually the really skanky ones usually come in pairs.
metal coat hanger and 2 sec to get inside.
Check youtube, dude.
This is at a hacker conference. EVERYONE attending knows how to defeat the chains and those u-swinging lock dealies. ... er... at defcon, black hat, and almost every regional security conference the last 5 yrs.
60% know how to defeat those keycards they use for the door locks too. There have been multiple training sessions about them
I went to Vegas once, hated it. Too many kids. too many ads directed at cis males. Too many beggars. Too many people trying to hand you cards for various bullshit. They didn't have Uber back then, the taxis sucked, and walking was impossible because the Strip is "automotive scale". (and the monorail is very slow)
However, given that this might now start happening at other hotels:
- I'm getting a couple of those door wedges with alarms
- I might actually try the 'cover the card reader with a message stating you don't consent' thing. Though I usually prefer hotels that have switched to the RFID cards, my phone and wallet tend to demagnetize the old swipe cards.
- I'd like someone to start selling a security camera with built-in LTE. A portable, self-contained unit would be perfect. It won't use much data if it only uploads when it detects motion. I'm willing to pay $200-300, maybe as much as $400.
The right to protest the State is more sacred than the State.
Currently in Caesars.. killing time in our room - just got the security visit.
Came in, entered the code into the phone... .and left.
There's an upcoming VMWorld conference in LV in the MGM properties. I know this is their last of a 3-year agreement, then they're moving back to SF (at least for a while.) But, I suspect if this is the new 'normal' for hotel security, then they can probably expect a downturn in large convention business. I suspect that IT Nerds on both sides of the black/white line will be very happy to be vocal about their displeasure, and have a good understanding of how Social Networking/Media works.
I don't think it will go well for the hotels if this is going to be SOP.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
So... they're searching the rooms looking for nuclear or chemical weapons?
Oh, sorry... I forgot we jumped the shark and now anything that might possibly be used to hurt someone is considered a "weapon of mass destruction."
Def Con is the land of hacks and attacks - including Social Engineering workshops.
The hotels may really have search protocols like this -- and some random person shows up using that knowledge and claims to be a hotel employee. The idea is in a hotel guests head so they figure "sounds legit"
Seems they need to take a page from Banks "our employees will never call and ask you for this information" -- Hotel security staff will never do X/Y/Z.
Yes, this did happen. To several people. We had also heard that hotel security was instructed to look for other things like soldering irons and other "hacker tools" that would be removed from the room. We immediately labeled our soldering iron "Curling Iron" and then installed a healthy amount of monitoring devices in our room at Caesar's. Given the sheer number of rooms in the hotel, it's unlikely that they searched every room. If they searched ours, they would have to have done it before we started our surveillance efforts.
FWIW, the cleaning crew seemed both very curious and very afraid to touch our desks and coffee tables full of curling irons and other assorted hardware hacking cosmetic aids.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
Some people are reporting that they've found wireless surveillance cameras in their rooms. Can anyone confirm this?
I stayed at the Rio and then Caesars and attended Defcon. I had my room searched at both hotels. At the Rio they were polite enough about it, but I thought it strange they did wish to see in the safe. They didn't want to look in the closet, in my giant suitcase or anywhere else I could have stashed a weapon, just the tiny safe.
At Caesars they were just plain rude about the searches. I know others that had their soldering irons confiscated. Also if any lock picks were seen hotel security called the cops and those persons were arrested. For those that don't know Defcon has an entire lockpicking pavilion.
I will never again stay at any Caesars property and I really hope the Dark Tangent is considering moving Defcon to another hotel chain.
I do not belong to the church of the lowercase 'i'
Fuck Caesars! Fuck MGM! Fuck their hidden wireless cameras in rooms and room invasion policies! Hack the planet!
Fuck them in the ass. Duck them in the mouth. Fuck then in every produce they have.
Oh, I just can't wait until the black hats respond to this incident with the full extent of their abilities. These hotel monkeys fucked with the wrong people. Watch all their employee records get leaked or all of their money disappear. I'm sure many of these attendees are cooking up something delicious right now, as a way of saying thank you for such hospitality.
I don't assign any credibility to the testimony of prostitutes working a hacker con in Las Vegas. It's getting way out of hand.
Stand your ground laws require you to have a JUSTIFIABLE reason to believe your life is threatened.
Someone entering your room unexpectedly is MOST CERTAINLY NOT THAT, otherwise there would be a trivial method of committing murder.
If the person entering came at you - perhaps.
If the person smashed their way in - perhaps.
However, if they just entered, not a fucking chance - I suspect what, in your mind, you would consider your defense here would be to LIE about what happened and claim they 'came at you'.
But sorry, lying to the court is not a justifiable defense, it is lying about murdering someone to cover your arse.
now, you are trying to twist a duty to retreat to apply here, It DOES NOT. for that to apply - a) they must reasonably expect that it IS your residence, and b) you must have actually warned them and given them a chance to retreat!
But no, you think that them simply entering gives you the right to murder them, NOT EVEN CLOSE.
You would have had to warn them, ask them to leave, given them reason to believe you were the resident (remember, THEY THINK THEY ARE, AND WITH GOOD REASON), then it start becoming arguable, in such a state.
Stop pretending you are 'educating' anyone, you are making up shit and trying to pass your opinion (which is wrong) off as 'law'.
This doesn't mesh with the drinkypoo I seem to recall. That rational one.
What is the percentage chance of someone entering a room being a) a dangerous attacker or b) an innocent cleaner/inspector/lost person?
What is the percentage chance of a gun going off when pointed at someone?
What do you do with your ideology when the numbers say you are more likely to harm an innocent person than to defend yourself successfully from danger?
I worry about the reasoning ability of gun enthusiasts. I understand hunters, recreational shooters, farmers, even soldiers on the battle field. But hand gun enthusiasts who claim self defense motivates them? There's something going on, but it's not reason. And it's dangerous to everyone around them, so it has to stop.
Oh absolutely. How long until we see a series of rapes and murders by people claiming to be the security guys?
I'd call this policy dumber than rocks if it weren't so insulting to perfectly nice rocks.
I'd rather that "everyone else" ALSO not be treated that way.
Their mistake was expecting security at a hacking convention. Oh, it's all fine and well breaking into someone else's property but you suddenly take issue with someone breaking in to yours? ROFLMAO!
I'm posting this as AC because I was at the Linq and had literally a half-dozen automatic weapons in my room during DEFCON. I had attended the DEFCON shoot immediately beforehand and had no fewer than a half-dozen semi-auto and select fire weapons including an MP5, M4, M4 with an M203, an automatic Glock, and some suppressors. I wasn't going to leave the whole slew of weapons in my vehicle in the parking deck, so I left them in locked containers in my room. Brought them all up from my vehicle at once, using the self-parking elevators and everything.
This is entirely security theater. It accomplished absolutely nothing whatsoever to further either safety or security.
When I asked what they would be looking for, Cynthia replied, "WMDs -- that sort of thing."
Whoops! How clumsy of me. I seem to have left my nuclear warhead in the MIDDLE of my hotel room! Won't you please overlook it this one time, pretty please?
With today's tech it's easy to have video of some of the room (say, the half containing the entrance) recorded for the duration of your stay. If that lady had video of that dude entering without knocking... she wouldn't even need to pursue legal action. One post to YouTube would change their policy whip-crack fast.
So if someone else abuses his privilege (because it's kinda odd to call it a right if you can abuse it), and I get punished for it?
Yes. Yes, that's correct. That is how it works, and that's how it's ALWAYS worked. The US has always talked a good talk and pretended it's a bastion of freedom, but when there's a hint of danger, we're all too quick to intern Japanese, to ruin the lives of people we suspect are communists, and use the excuse of 'reefer madness' to jail people whose real crime was opposing the Vietnam War. And then we go right back to pretending that we're the paragons of freedom.
We didn't used to do this? Well sure, but that ignores the plenty of times when we have. But all those examples though were when we curtailed freedom for an 'other.' They were just as American as anyone else, but Japanese, possible socialists, blacks, hippies, as long as it wasn't our own direct freedoms being infringed, it was just those non-mainstreamers, we were ok with it. And we could still hold ourselves up as a paragon of virtue.
Two words: Castle Doctrine - and there's a bevy of statutory and case law that will give me the A-OK to empty a magazine of 9mm jacketed hollow points into you. Come into my room without me letting you in and you'll be staring down the barrel of my carry concealed handgun that always goes where I go. If your direction of travel is not out that door, I will turn you into a human fountain and not lose a minute's sleep over your poor choice.
I was in Vegas in March for a tech conference and as usual, being a female traveling alone, I had my do not disturb sign up the entire time. I, too, had people banging on my door my 3rd day there. They didn't come in. They just radioed back when I answered the door that I was ok, told me it was a security check to make sure I was fine, and left. Now, this could be because my room was reserved through my company (major hardware/software company), so I was less of a threat and they didn't come in. But, it did scare the crap out of me to hear banging and someone yelling Security at my door. How are we to verify who these people are? As a female traveling alone, it was unnerving.