Slashdot Mirror
Hackers Who Attended Black Hat and DefCon Conferences Say Hotel Security Personnel Demanded Access To Their Rooms (the-parallax.com)
More than two dozen hackers and security experts who attended security events last week say security personnel at the Mandalay Bay, Luxor, Caesars Palace, Flamingo, Aria, Cromwell, Tuscany, Linq, or Mirage hotels had entered their rooms. Security news site The Parallax reports: Except for Tuscany, which is independent, all of these hotels are owned by either Caesars Entertainment or MGM Resorts International. And of the three hotel companies, only Caesars returned a request for comment. Richard Broome, executive vice president of communications and government relations for Caesars Entertainment, whose Caesars Palace is co-hosting DefCon this year with the Flamingo, said that following the deadliest mass shooting in U.S. history last year, "periodic" hotel room checks are now standard operating procedure in Las Vegas. On October 1, 2017, from his room at the Mandalay Bay, Stephen Paddock used semiautomatic weapons he'd outfitted with bump stocks to kill 58 people and wound at least 527 others attending a gated country music concert on the Strip below. [...] Two apparent Caesars security officers wearing hotel name tags displaying only the first names "Cynthia" and "Keith," respectively, as well as sheriff's style badges that looked like they came out of a Halloween costume kit, visited my room while I was writing this story. Cynthia told me that they are instructed to refer to the front desk guests who decline to allow their room to be searched.
After Cynthia and Keith declined to disclose their last names to me, I asked what they intended to do in the room. They told me that they would enter it, type a code into the room's phone line to signal that it's been checked, and then do a visual spot check. When I asked what they would be looking for, Cynthia replied, "WMDs -- that sort of thing." Other conference attendees reported similar but less pleasant interactions. Katie Moussouris, CEO of Luta Security, wrote on Twitter that two hotel security personnel were "banging" on her room door and "shouted" at her. She also said the hotel's security team supervisor "dismissed" her concerns over how the hotel was treating single, female travelers. Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed. "He left when I started screaming," she wrote, adding that a hotel manager, upon her request, said Caesars would look into whether the man was actually an employee. Stone tweeted that she left DefCon early because of the incident.
After Cynthia and Keith declined to disclose their last names to me, I asked what they intended to do in the room. They told me that they would enter it, type a code into the room's phone line to signal that it's been checked, and then do a visual spot check. When I asked what they would be looking for, Cynthia replied, "WMDs -- that sort of thing." Other conference attendees reported similar but less pleasant interactions. Katie Moussouris, CEO of Luta Security, wrote on Twitter that two hotel security personnel were "banging" on her room door and "shouted" at her. She also said the hotel's security team supervisor "dismissed" her concerns over how the hotel was treating single, female travelers. Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed. "He left when I started screaming," she wrote, adding that a hotel manager, upon her request, said Caesars would look into whether the man was actually an employee. Stone tweeted that she left DefCon early because of the incident.
Shooting the guy who entered while she was dressing would have helped educate him and others for the future...
Simple - Why on earth would you use that place to host your customers if that's how they're going to be treated.
I'd get the f*ck out of there and never come back.
It seems to me that a simpler solution is to have someone actually watch and pay attention to the cameras. They aren't going to catch some guy with one gun either way considering how you can break them down. This only works for someone with an arsenal.
When that shooter was allowed to carry all that hardware, unchecked, and massacred all those innocent people, that was a hotel fuck-up. Now the same hotels fuck-up in the other direction. Wow, just wow.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Unfortunately, it isn't clear whether the hotel was inspecting the rooms of all guests or just Defcon/BlackHat attendees. I'm assuming the former, since the Vegas shooter wasn't involving in the CompSec scene. Since this hasn't been reported widely, it could be just selectively enforced as most security theater.
why can't we see you nekkid?
Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed.
Before I saying anything, to be clear:
1. Ms. Stone did nothing wrong.
2. The man entering the room was absolutely criminal in entering a room like that without knocking.
That said, when you're in your room, lock your doors. Use the deadbolt, use the little chain, and anything else available.
Normally, the deadbolt alone will prevent the key card from working.
While the chain is nearly useless from keeping someone from breaking in, it gives a few seconds of delay to the intruder, giving you time to respond.
Same category as leaving your laptop in the passenger seat of a car. You don't deserve to have your window smashed and laptop stolen, and it is NOT your fault if someone does it.
It still is a better idea to put it out of sight, though.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
If it starts to dip because no one wants to be subjected to this shit, the venue will soon be changed.
Caesars would look into whether the man was actually an employee.
This alone is sad.
Even sadder is the fact that they are doing these "checks" at all
And the saddest thing is probably that after the Las Vegas shooter, this could be even justified. More or less. Not in a "this will help" way, but in "how can we prevent this in the future" way. I bet someone was forced to present an "action plan" to his managers.
bickerdyke
Nah, we're more the passive-aggressive type. We FUBAR your card-based hotel room locks to retaliate.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That..isn't what the law says. They are talking about law enforcement entering the room for search and seizure. You guys are plain nuts. MAGA I guess. I will stop responding now.
Immediately after the white guy shot up the concert last year, all hotels on the strip changed their rules. From that point on they would not observe the Do Not Disturb sign on doors and would do spot checks of hotel rooms.
Caesar's says they will check rooms daily.
That these checks happened isn't surprising since the hotels did publicly announce their new policies. Then again, had that white guy not gone a shooting spree, none of this would have happened. Actions have consequences and all that.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
I usually leave an USB key or two lying about in my hotel room. If you're lucky, you steal the one with the malware. If you're unlucky, you steal that one.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well, back in McCarthy's time people at least folded when asked "have you no shame, have you no decency?"
Today, they'd simply say "nope" and carry on.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's hotel property that they agreed to rent to you. There are laws governing this agreement, among them being hotel staff can't barge in to your room whenever they like.
https://www.gsblaw.com/duff-on-hospitality-law/guest-room-privacy-and-the-fourth-amendment
That link only discusses the 4th amendment expiations of a hotel gest. Hotels may not allow searches of a room without a warrant, but hotel employees may enter rooms for cleaning and maintenance. So they can fix and clean stuff, but they may not allow Police access w/o a warrant.
The question here is one of self defense. Are you afforded your 2nd amendment rights in a hotel room? The answer basically is that you have all the same rights you would have if the room was your home. So, if you can legally shoot an intruder entering your home in the local jurisdiction, you can do the same in your hotel room under the same circumstances.
In NV, had the guy been shot entering a guests room, there would be serious legal issues for the shooter. The shooter would have to justify their belief that deadly force was required (as opposed to less force) and it would be a hard hill to climb. But this is NV where you have to justify the use of force. In other states, the assumption would be in favor of the shooter, where the state would have the burden of proof that the shooting was unjust.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
That's why I always have 2 wedges in my baggage, to put under the hotel door, blocking it, so that nobody can enter while I'm in the room, key or no key, cleaning, security or robbers.
Comment removed based on user account deletion
They don't want you anyway.
Comment removed based on user account deletion
The few attendees who s tweet bloody murder about this were in rooms with signs "Don't disturb" hanging for days, and had gotten in with large cases of who knows what. In modern Murricah, that's an invitation for a check. Nobody wants to be the next place where the mass murderer shoots from.
So many comments from people who don't go to Las Vegas often.
After the shooting, hotel policies changed at ALL hotels on the Strip, among all companies. As someone who stays at Caesars properties heavily and at MGM properties occasionally, I can tell you that the "Do Not Disturb sign is a thing of the past. DefCon attendees in particular should be aware of this, and caterwauling on Slashdot is a sign of their own obliviousness. The Strip hotel I'm staying at now says "Room Occupied" on the front -- not "Do Not Disturb". No one has "Do Not Disturb" any more, and it says right there on the sign in not-quite-fine-print:
While you are actively in the room, if you wish for privacy, you should lock the deadbolt and engage the latch. If security is making a check, that allows you to have them not walk in on you naked, but it doesn't mean they won't ask to be let in to do a verification.
As with police (who don't have a warrant), if you have concern about their identification, call down to the Operator/Front Desk to verify that they're an employee before letting them in.
To re-iterate, after the Vegas shooting this is standard policy across the board at ALL HOTELS. In case anyone missed it, MGM got a lot of flack for missing the signs here, where a security check might have caught something obvious. One might argue that they should have made this more explicit via a press release, but if you're here a lot it's obvious already what's changed. As to whether DefCon attendees were more singled out in particular, it would be hard to say. If I were hotel security, I'd have more reason to suspect them of ripping apart the Ethernet jacks or something and trying to hack into the hotel security system than anything with weapons -- an elevated stance is probably expected.
Hire a Linux system administrator, systems engineer,
Actually, a hotel room is basically the "property" of a tenant for the duration of a stay. Same as renting an apartment -- if I'm a landlord, I can't just barge in without advance warning to the tenant.
I thought prostitution is ILLEGAL in Vegas, only legal in NV outside of Vegas and Clark County. It makes sense -- if people are busy boinking, they won't make the casinos money on gambling.
Why is it every time some sort of awful tragedy happens, we have to go completely overboard with "preventative measures." Who runs a hotel like that? No one! These hotels will likely not be in business much longer if they persist on this. This sort of behavior garners a lot of bad reviews and publicity. Yes yes, no such thing as bad PR, but this could be the rare case of.. yeah, security goons barging into your room unannounced, that's going to ward off potential guests. At least, I hope it does.
That alone is a HUGE problem. The other security checks.. meh.. I mean if they're being polite, knocking, etc, I suppose it might be ok-ish, but not really. But barging in unannounced? Completely out of line.
JFC... DefCon attendees should be among those most aware of security policy changes, and this has been going on since last Winter. Changes are everywhere, but it's especially prevalent in "soft target" vacation destination areas, such as Las Vegas or Orlando.
https://www.meetingstoday.com/newsevents/industrynews/industrynewsdetails/articleid/31803/title/-do-not-disturb-policy-updates-spark-debate
Hire a Linux system administrator, systems engineer,
Or just eat some sushi and drop some in places that aren't usually cleaned. Fish take a few days to get really ripe, well after the guest has left...
My first and maybe last def con. If I can't find an alternative hotel that doesn't pull this bull shit I won't be back. I'm not a gun enthusiast, but would agree that shooting an employee entering when a DND sign was hung does justify murder.
It probably should be your last DefCon if you're incapable of reading the door hanger that you yourself put out. It explicitly at Harrah's does NOT say "DND" -- it says "Room Occupied". Below that, it states that Caesars reserves the right to knock and enter at least once a day for security, wellness, or any other check. You can use the deadbolt and latch to physically prevent entry (for example, if you're changing), but not indefinitely.
Hire a Linux system administrator, systems engineer,
No. Defcon is full of law enforcement and intelligence operatives who will try to entrap you, blackmail you, register you, turn you, annoy you, and recruit you.
I went to Vegas once, hated it. Too many kids. too many ads directed at cis males. Too many beggars. Too many people trying to hand you cards for various bullshit. They didn't have Uber back then, the taxis sucked, and walking was impossible because the Strip is "automotive scale". (and the monorail is very slow)
However, given that this might now start happening at other hotels:
- I'm getting a couple of those door wedges with alarms
- I might actually try the 'cover the card reader with a message stating you don't consent' thing. Though I usually prefer hotels that have switched to the RFID cards, my phone and wallet tend to demagnetize the old swipe cards.
- I'd like someone to start selling a security camera with built-in LTE. A portable, self-contained unit would be perfect. It won't use much data if it only uploads when it detects motion. I'm willing to pay $200-300, maybe as much as $400.
The right to protest the State is more sacred than the State.
You can let them in, but you don't have to be nice or polite. "You done yet, guy?" "OK, now get the fuck out of my room." "See you tomorrow, lady."
If everyone was abrasive and abusive to hotel suckurity "just doin' their jobs, doot de doot de doot" then there would be fewer people willing to do the job. Or at least they'd make the checks more cursory and faster, since no one enjoys being the target of rudeness and anger.
You wouldn't use a doorstop under the door for that, you'd use something more like door shims. If you had three it would be easy to wedge it tight up where there's a door jamb to prevent it from being removed from the outside, like installing a prehung door.
There's and upcoming VMWorld conference in LV in the MGM properties. I know this is their last of a 3-year agreement, then they're moving back to SF (at least for a while.) But, I suspect if this is the new 'normal' for hotel security, then they can probably expect a downturn in large convention business. I suspect that IT Nerds on both side of the black/white line will be very happy to be vocal about their displeasure, and have a good understanding of how Social Networking/Media works.
I don't think it will go well for the hotels if this is going to be SOP.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
Well done, that comment is a pretty good example of modern discourse.
"My opponent is in favor of letting people barge into rooms and rape the occupants. My opponent opposes people defending themselves from rape."
Yeah, I'm sure you really accurately captured the essence of that argument. Great job.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Have you ever read the agreement when you rent a room?
When you come back to your room after being gone and see that housekeeping has cleaned it, did they give you explicit advance warning that they were going to do that?
It's not "basically" the "property" of the tenant, it is "actually" the "property" of the hotel.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
There's an expectation of privacy, though. I don't think a hotel could (legally) get away with putting cameras or microphones in a room, for example.
Now you're proposing that hotel security employees are going to force their way through a privacy lock that a) conclusively demonstrates that someone is in the room, and b) conclusively demonstrates they have made a conscious decision to enforce their privacy.
At that point, the hotel employees do deserve to be shot and killed for forcing their way in.
This isn't about attendees illegally breaking into each other's rooms at a hacker conference to rape their teddy bears. This is about hotel security employees inspecting rooms without notice. Try to pay attention.
You can let them in, but you don't have to be nice or polite. "You done yet, guy?" "OK, now get the fuck out of my room." "See you tomorrow, lady."
If everyone was abrasive and abusive to hotel suckurity "just doin' their jobs, doot de doot de doot" then there would be fewer people willing to do the job. Or at least they'd make the checks more cursory and faster, since no one enjoys being the target of rudeness and anger.
Gee, I can't imagine why some techies get bad reputations as complete douchebags *eyeroll*
Just because someone has a job you dislike, doesn't mean being a complete dick about it is the proper response. I stay in Vegas a lot and I've *never* had an unprofessional experience, nor one that lasted longer than 30 seconds at most. Long enough to look around, confirm I hadn't trashed the place, confirm I didn't have 10 suitcases with me for no apparent reason, and confirm wasn't currently recreating Lain Iwakawa's bedroom, then dial a code to confirm entry and that was that.
If you have a problem, bring it up with management maybe. Don't bring it up with the lady just doing her job. Do you yell at Chick-fil-A drive-through employees too?
Hire a Linux system administrator, systems engineer,
Def Con is the land of hacks and attacks - including Social Engineering workshops.
The hotels may really have search protocols like this -- and some random person shows up using that knowledge and claims to be a hotel employee. The idea is in a hotel guests head so they figure "sounds legit"
Seems they need to take a page from Banks "our employees will never call and ask you for this information" -- Hotel security staff will never do X/Y/Z.
The point is that if EVERYONE treats the employees dismissively, there will be fewer people willing to do the job. And they'll do it poorly or pretend to do it just to avoid confrontation. (i.e. "here's the damn code, dial it yourself and don't tell anyone").
Remember, that without people willing to enact privacy-invading policies, the management won't be able to enforce such policies.
The point is that if EVERYONE treats the employees dismissively, there will be fewer people willing to do the job. And they'll do it poorly or pretend to do it just to avoid confrontation. (i.e. "here's the damn code, dial it yourself and don't tell anyone").
No employee in Las Vegas (Strip or Freemont at least) would ever do that. Not until there's a personnel generation or two from the October shootings. And in fact, employees are becoming *more* security aware even aside from that. The recent housekeeper's strike threat (and initial welfare checks are usually done by managers or other personnel, not housekeeping or security -- at first) involved making sure that they had panic buttons issued to them by management precisely for any sort of unsafe perceived situation.
Hire a Linux system administrator, systems engineer,
Probably not. They can certainly legally get away with security entering your room for any reason though.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The point is to make the generations turn over faster, so the Paddock thing falls out of professional memory as quickly as possible. Employees who are the targets of rudeness are likely to not stay in their jobs as long.
Until the goons barge into a room where a 5' 50-something lady is drying her hair after a shower, and she whacks the security guy in the face with the hot hairdryer. I'd suspect a jury would let her walk, too, since she'd be legitimately afraid.
Maybe a jury would decline to punish the woman. The jury definitely would not punish the company who explicitly told her they were going to do that.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Correct, but the lawsuit from the employee with a broken nose, medical bills, and pain/suffering will take care of the latter. The hotel company has big pockets and put them in an unsafe situation...
Many really nice hotels have 'double walls' for noise insulation.
Many of those have maintenance access to those spaces...what they do is drill a hole through the drywall behind a mirror, then remove a tiny spot of aluminum from the mirror.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Where do you get real mace these days? Seriously.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
99% of electronic locks can be opened with a rare earth magnet in the right spot.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Drop a firecracker behind some drywall (remove a light switch/outlet cover for access).
Now the whole floor has to be gutted before the bomb sniffing dogs will allow super richers to stay their again. Works best in the super expensive suites.
It would make a great finger to management when quitting a shit job. Hit the high security floors, hard.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
https://www.amazon.co.uk/SABRE...
I stayed at the Rio and then Caesars and attended Defcon. I had my room searched at both hotels. At the Rio they were polite enough about it, but I thought it strange they did wish to see in the safe. They didn't want to look in the closet, in my giant suitcase or anywhere else I could have stashed a weapon, just the tiny safe.
At Caesars they were just plain rude about the searches. I know others that had their soldering irons confiscated. Also if any lock picks where seen hotel security called the cops and those persons were arrested. For those that don't know Defcon has an entire lockpicking pavilion.
I will never again stay at any Caesars property and I really hope the Dark Tangent is considering moving Defcon to another hotel chain.
I do not belong to the church of the lowercase 'i'
This is at a hacker conference. EVERYONE attending knows how to defeat the chains and those u-swinging lock dealies.
And every hacker should know how to make those chains and locks unhackable.
If Slashdot were chemistry it would look like this:Cadaverine
I'm not sure what else to add to this hypothetical scenario other than that I think it is highly unlikely.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The douchebags are the ones demanding to search rooms that people paid for - douchebag.
Yes. People paid for. And if the people can't read the contracts they've signed and look at the hotel's own policies (in accordance with the innkeepers' laws for that state), it's their own damn fault.
Hire a Linux system administrator, systems engineer,
No, because Chick-Fil-A drive-through employees don't sneak into my home and rummage through my shit.
It's your home when you're a tenant, dipshit. When you're renting a hotel room for a short duration you're a guest.
Hire a Linux system administrator, systems engineer,
Do you like your corporatist boots black, or do you like them with a bit of sugar? Your landlord may also have a stipulation in rental agreements that they can come and examine your prostate at a moment's notice. You have no choice in agreeing to such a stipulation if every other landlord has the same stipulation - which is why tenants have rights, and you and the landlord can both sod off, bootlicker.
Stand your ground laws require you to have a JUSTIFIABLE reason to believe your life is threatened.
Someone entering your room unexpectedly is MOST CERTAINLY NOT THAT, otherwise there would be a trivial method of commiting murder.
If the person entering came at you - perhaps.
If the person smashed their way in - perhaps.
However, if they just entered, not a fucking chance - I suspect what, in your mind, you would consider your defense here would be to LIE about what happened and claim they 'came at you'.
But sorry, lying to the court is not a justifiable defense, it is lying about murdering someone to cover your arse.
now, you are trying to twist a duty to retreat to apply here, It DOES NOT. for that to apply - a) they must reasonably expect that it IS your residence, and b) you must have actually warned them and given them a chance to retreat!
But no, you think that them simply entering gives you the right to murder them, NOT EVEN CLOSE.
You would have had to warn them, ask them to leave, given them reason to believe you were the resident (remember, THEY THINK THEY ARE, AND WITH GOOD REASON), then it start becoming arguable, in such a state.
Stop pretending you are 'educating' anyone, you are making up shit and trying to pass your opinion (which is wrong) off as 'law'.
Strange, I didn't see him state that at all. Could you perhaps quote the specific admission that this is indeed his view?
Security entering a room with the express intent of assuring the safety of guests and the public at large is a fucking long way away from attempted rape.
We even have a case study in the fucking article: The undressed lady that was interrupted adopted an ideal response, which was audibly making the hotel employee aware that they were not welcome. In response the hotel employee left the room.
No violence, nobody harmed, no attempted or actual rape. Although the hotel policy should include, "Knock before entry" that refers to the hotel door; the security staff clearly already apply that criteria to guests' vaginas.
If you're abusive to the hotel staff I would expect and support the hotel in kicking you out and throwing your bags into the gutter after you.
You're right, you don't have to be nice or polite. You do have to avoid being a total cunt though, if you don't want consequences.
Umm. Why? Which unsafe hacking was she engaged in?
Thus, you plan your level of rudeness to increase their levels of stress without actually crossing a line that will get you kicked out. Remember, this is deliberate and with malice, not out of immediate anger.
And of course, turn up the heat on the last day of your stay.
I'd rather that "everyone else" ALSO not be treated that way.
When I asked what they would be looking for, Cynthia replied, "WMDs -- that sort of thing."
Whoops! How clumsy of me. I seem to have left my nuclear warhead in the MIDDLE of my hotel room! Won't you please overlook it this one time, pretty please?
I was in Vegas in March for a tech conference and as usual, being a female traveling alone, I had my do not disturb sign up the entire time. I, too, had people banging on my door my 3rd day there. They didn't come in. They just radioed back when I answered the door that I was ok, told me it was a security check to make sure I was fine, and left. Now, this could be because my room was reserved through my company (major hardware/software company), so I was less of a threat and they didn't come in. But, it did scare the crap out of me to hear banging and someone yelling Security at my door. How are we to verify who these people are? As a female traveling alone, it was unnerving.