
Heavy-handed security searches of hotel rooms at Defcon/Black Hat - tonyztan
https://www.secjuice.com/defcon-hotel-security-fiasco
======
Rotdhizon
Okay hardly anyone on this thread of 84 comments is even discussing the
article. Half the comments are just people going back and forth about the
Vegas shooting.

What this hotel(s) did was unacceptable. I hope some lawsuits come out of it
for the more egregious violations. No one was worried about some hackers going
off the deep end, this was a heavy handed display of power over guests. I'm
surprised none of the intruders had guns drawn on them. These were
unidentifiable goons seemingly breaking into rooms. DEFCON is the most
important security event of the year, I do hope there is a boycott after this
event and all of these hotels are blacklisted by the security community.

~~~
walterbell
[https://www.the-parallax.com/2018/08/12/vegas-hotel-room-sec...](https://www.the-parallax.com/2018/08/12/vegas-hotel-room-security-privacy-defcon/)

" _In a statement released to reporters, Caesars says DefCon organizers were
informed before the conference of the new policy ... Marc Rogers, DefCon’s
head of SecOps and vice president of cybersecurity strategy for identity
management company Okta, said the conference is aware of the room problems and
is working with Caesars on reducing conflicts for next year. “These changes
represent the new reality that all hotels have to face in their work to keep
guests safe,” he said at the conference’s closing ceremony Sunday. Caesars is
“working closely with DefCon management to figure out the best way forward for
next year.”

Some DefCon attendees are claiming on Twitter that they will refuse to attend
the conference next year, if it returns to Las Vegas. Of the more than 1,650
votes in response to an informal poll started by Twitter user @notdan, a
security researcher at a tech company in the San Francisco Bay Area who
requested anonymity, 35 percent said they would not return to DefCon over room
privacy concerns ... Moussouris emphasized a similar concern: that hotel room
privacy is of paramount importance, especially for female travelers. “No
matter whether DefCon moves or stays put, all hotels should have basic
protocols for allowing any guest to easily authenticate a supposed hotel
employee,” she wrote."_

~~~
deadbunny
> “These changes represent the new reality that all hotels have to face in
> their work to keep guests safe,”

"Now we have an excuse to violate your privacy and steal your shit we're going
to take it and make you accept it".

~~~
sky_rw
That logic has worked for the TSA going on 17 years now.

~~~
deadbunny
I don't have a viable alternative for flying 99% of the time, I do for hotels.

------
jarym
In most hotels I've been to in more volatile parts of the world they just
search bags on entry to the property - which would seem an easier and more
thorough approach. If security are so concerned why aren't they doing that
here?

If hotel security forced their way into my room in any property I stay at,
I'd be checking out immediately and would be doing a credit card charge back
on any charges.

~~~
unixhero
I would also have done that, but I don't see how.

How do you perform a credit card charge back yourself?

~~~
jarym
as @nickthemagicman says - except (at least in Europe) you have to write to
the merchant (hotel) asking them to refund all charges and explain why.

If they refuse or don't reply you call your credit card company and tell them
you dispute the charges; they usually immediately refund you and take it up
with the hotel.

~~~
viraptor
This should probably say "some parts of Europe", or a specific country. At
least in the UK, the reversal can be initiated with a single call to the bank.
They contact the merchant then and give you the money back immediately. In
good banks it actually works with both credit and debit cards.

------
huffmsa
"Let's piss off a large, drunken gathering of red teamers, and the blue
teamers who've probably designed some of the underlying systems we use! What
could go wrong?"

This is how you get your speaker system stuck on 24hrs of epic sax guy radio.

~~~
zaarn
Epic Sax Guy? I'd either run Never Gonna Give You Up or the My Little Pony G4
Intro.

Alternatively there is always the Tetris Brainworm or Bob Ross sessions.

~~~
tzs
All I know about "My Little Pony" is that it is a cartoon based on a line of
toys, is written for little girls, has been around for a long time, for some
reason attracts a lot of adult male fans (called "bronies"), and HN user
nickthemagician suggested that a blogger using an MLP avatar lost credibility
and HN user tern delivered the perfect response that I'm still chuckling over
5 years later [1].

A bit of Googling turned up a video on the evolution of the MLP theme from
1984-2014 [2], and contained therein was the G4 theme. But also in there or in
the subsequent Googling it inspired I learned 3 other interesting things:

1. Some of the earlier themes would probably be more cutely annoying than G4
for this application,

2. Sandy Duncan and Tony Randall were voice actors in the earliest MLP
stories in 1984. They were both pretty well established, critically and
popularly acclaimed, actors. I would not have expected such big names in this
kind of cartoon in 1984.

3. That's nothing...the 1986 movie had Randall, Danny DeVito, Rhea Perlman,
Madeline Kahn, and Cloris Leachman. Either I'm totally misremembering the
state of animation in 1986, or MLP was a way bigger deal than I remember.

[1]
[https://news.ycombinator.com/item?id=6042590](https://news.ycombinator.com/item?id=6042590)

[2]
[https://www.youtube.com/watch?v=5vI3YypGhnA](https://www.youtube.com/watch?v=5vI3YypGhnA)

~~~
zaarn
Surprisingly enough, I know the guy that wrote the blogpost in [1] and talked
to him this morning.

------
konschubert
The introduction basically says: "You can't treat security people like this."

I'd personally say that you shouldn't treat anyone like this.

------
dotBen
As a former DEFCON attendee I remain confused why the hotels feel there is
enough cost/benefit to host this event. I remember one year at the Rio
attendees pwn'd most of their systems, took down the POS systems of most of
the retailers, installed fake ATMs and even set up a rogue cell phone tower in
someone's room that pwned everyone's Android phone with a side loaded poisoned
Android update.

It was great fun. But if I had been staying as a non-DEFCON guest I would be
furious.

~~~
Rotdhizon
There's an article on security weekly that gives some tips on staying safe at
hacker conferences. Most people there do not do anything malicious, but
there's always a few ass hats who are trying to prove themselves by doing
illegal things. I don't think a lot of them understand, you get caught doing
something like that as an adult and any career you thought you might have in
the security industry is over.

------
sp0ck
This just confirms that casino companies are mentally more gang/mafia than
business with "customer first" approach. Best "lesson" for hotels would be to
move DEFCON to some more pleasant place.

~~~
emodendroket
Don't be naive. There is no reason to think that the same thing could not
happen in some other city.

~~~
tgsovlerkhgsel
There's no reason to think the same thing could not have happened in some
other city, but if it became common knowledge amongst hotels that doing this
will potentially cost your city this business opportunity, it would be very
unlikely to happen afterwards.

~~~
emodendroket
On the other hand, if this is simply standard procedure at any hotel you could
use, what choice do you have?

~~~
admax88q
But it's not standard procedure at any hotel. So far it has only been reported
of it happening in Vegas.

Move DEFCON to somewhere else next year in protest. Then they might learn
their lesson.

~~~
ryandrake
I guarantee other hotel chains will be watching this situation with great
interest. If Caesars suffers no consequences, then they will all see it as a
green light that they can also treat their customers this way, and soon it
will be normalized.

~~~
emodendroket
Precisely my thoughts

------
sky_rw
Let's remember that it has been < 12 months since the Vegas shooting, and the
biggest question people have been asking (aside from motive) is how a man
managed to bring that much firepower into his hotel room and keep it there for
so long. Now you have a large and diverse group of counter-culture oriented
people bringing large padlocked hard cases to their rooms and declining maid
service for days at a time. What did they expect? Of course hotel security is
going to be all over that. It's a destination resort for gambling and drinking,
have some perspective.

~~~
pjc50
Someone explain to a non-American here; given the second amendment, would/does
the hotel actually have a policy against guns in rooms?

> large and diverse group of counter-culture oriented people

Ironically this is the exact opposite of the mass shooter "profile".

~~~
sky_rw
Rules related to Firearms on private property vary state to state. In Nevada
and Las Vegas explicitly, 'Gun Free' zones on private property are not legally
enforced. Casinos do not allow you to carry firearms openly or concealed on
their property and while it's not illegal to do so, they can/will ask you to
leave. If you don't then it's trespassing.

They do allow you to have firearms in your hotel room, but request that they
are kept secured in locked containers. Many firearms industry trade events
take place in Las Vegas, including Shot Show. I have personally been in hotel
suites during that show that had several dozens of firearms on display.

From what I understand the big change to security now at Vegas hotels is an
increased awareness of people who refuse maid service for days at a time, as
this specifically allowed the mass shooter to prepare his room without
alerting anybody.

~~~
nanna
As a non-American, I find the idea that the right to bring weapons to a hotel
room trumps your privacy within that room a very counter-intuitive
proposition.

~~~
nanna
I mean in general, that the very fact that you can carry weapons at all
(subject to local regulations) implies a system whereby guards can ransack
your room for fear that you might actually use your guns. Pretty much
everywhere else on the planet carrying around weapons designed to kill is
simply illegal, and therefore there isn't the worry that they might be used.
Simply having weapons would get you locked up.

I know this is a right dear to many Americans -- certainly not all though --
but hn is a global forum and I'm giving an outsider's perspective. Wouldn't
have thought that'd merit downvotes?

nb: that was a reply to vageli, but there wasn't a reply button yet.

~~~
Mirioron
Guns aren't as illegal and uncommon "in the rest of the world" as people
think.

------
AndyMcConachie
Maybe Defcon should just go somewhere else next year.

~~~
copperx
DEFCON has always been in Las Vegas. That would be a difficult change.

~~~
zaarn
"In January of 2018, the DEF CON China [Beta] event was announced. The
conference will be held May 11-13, 2018 in Beijing, and it marks DEF CON's
first conference outside the United States."

~~~
betterunix2
...because the Chinese security people will definitely respect the privacy
rights of DEF CON attendees.

~~~
zaarn
From what I can see in this article, they respect the privacy of DEFCON
attendees more than the US.

------
sailfast
This article asserts the fourth amendment applies to hotels. The ruling the
article cites is about police entering a hotel room, not about private
security hired by the hotel entering the room. I'm not a lawyer, but I
wouldn't recommend relying on 4th amendment protections in a hotel. Pretty
much have to treat a hotel room as compromised space, especially if you're not
in the room.

------
drukenemo
Not a directly related comment, but the Snowden-backed Haven is an Android app
that can monitor a room. It's activated by motion or sound and notifies the
user on another end. I've never tested it myself (iOS user), but found it very
interesting.

[https://guardianproject.github.io/haven/](https://guardianproject.github.io/haven/)

~~~
philip1209
If the Haven phone is stolen - I think it's hard to recover the recorded
video. So, I opt for Alfred, which is more of a managed Dropcam-style service.

~~~
drukenemo
Wasn't aware of Alfred. Thanks for sharing!

------
curiousgal
"Security experts"

[https://twitter.com/beauwoods/status/1028387331927986176/pho...](https://twitter.com/beauwoods/status/1028387331927986176/photo/1)

This is as useless as sharing a Facebook status update saying you don't
consent to your data being used.

~~~
amdavidson
It might not have any legal weight (though I don't see him saying that it
does), but it could be enough to give someone pause.

------
mistrial9
This is most certainly a show of force by the hotel. I recall a visit to a
$500+ per night hotel by a colleague participating in a high-level industry
conference, representing an 'open' side of the negotiating table. The
conference leadership had committed to paying perhaps four nights of the bill.
On the third day, a hotel representative unlocked and walked into the room
unannounced to "see what was going on" and refused to leave when asked. This
was not a goon, but a smiling mid-level lackey. After ten minutes of "looking"
it was over. When checkout time came, the bill was not pre-paid, but instead
an unexpected two days were not paid, resulting in a surprise thousand dollar
balance due. It was obviously harassment by someone. My point is that this is
not new, and you are not safe from harassment at an expensive event.

------
rburhum
Time to do the conference somewhere else

------
kqr2
Coincidentally Defcon is moving back to Paris / Ballys + Planet Hollywood next
year:

[https://www.reddit.com/r/Defcon/comments/96u2u3/next_year_is...](https://www.reddit.com/r/Defcon/comments/96u2u3/next_year_is_paris_ballys_see_you_there/)

[https://imgur.com/W0MCEVQ](https://imgur.com/W0MCEVQ)

~~~
ianhawes
They’re all still owned by the same parent company.

------
LyndsySimon
I stayed at a hotel in Santa Monica last week, and declined cleaning services.
They left a card that said they would enter the room every other day,
regardless of the sign I put on the door. It was annoying to make sure I
packed up all of my valuables and carried them with me the next day, but as
far as I could tell they didn't actually enter the room the next day. There
was another identical card under the door when I got back, and my "tells"
weren't disturbed.

------
tropo
Of course I want to skip maid service.

It is disgusting. They just mopped the room next door, where people are
vomiting everywhere, and then they drag that mop around my room. I'll have to
disinfect it again, as I do every time the maid has been in. This is such a
pain. (wiping every switch/knob/handle with Lysol or similar)

Then there is theft and breakage. So now I have to lug my stuff around instead
of leaving it in the room.

Then there is me. Maybe I like to do things in private that might be
embarrassing. Maybe I want to sleep during the day.

For all these reasons, maid service should be opt-in. I should have to leave
the room unlocked; there should be no maid key. Entry without my permission
should require a boltcutter, prybar, breaching round, battering ram, or saw.
(and yes, guests who needlessly cause this should be charged for the damage)
For the time during which I am paying for the room, it should be mine alone.

------
RickJWagner
Surely, the hotel must have some reason to justify this.

Can someone please tell us why the hotel might choose to do this to some
guests? (Be fair in your statement, please. I'm just looking for the 'other
side of the coin' out of curiosity.)

------
Jonnax
Is everyone staying at the same hotel or is this coordinated between hotels?

~~~
astura
The majority of the hotels on the Vegas strip are owned by only two companies,
Caesars and MGM.

[https://en.wikipedia.org/wiki/List_of_Las_Vegas_Strip_hotels](https://en.wikipedia.org/wiki/List_of_Las_Vegas_Strip_hotels)

~~~
rurban
That's why the few which are not owned by these two ... are by far better.
Tropicana, Treasure Island, Venetian are recommended.

~~~
SmellyGeekBoy
Or just don't go to Vegas? It's a shithole anyway.

~~~
rurban
Of course. But if you have to, avoid the MGM and Caesars hotels like the
plague. Conferences...

------
singularity2001
So in the US police don't need a warrant to storm hotel rooms? Terrifying
indeed.

~~~
koboll
Police need a warrant (or probable cause) to search basically any private,
locked space.

Hotel security are not police. They are more like landlords. So the 4th
Amendment does not apply to them (which every security professional on Twitter
is currently experiencing collective amnesia about, apparently).

However, like landlords, state/local jurisdictions usually set rules on hotel
tenant rights. I'm not sure what those rules are in Nevada, but I would bet
that they are much more lenient there than elsewhere due to regulatory
capture, since gambling is such a lucrative industry.

~~~
kevin_b_er
This is the dirty secret behind calls for "privatization", "let the market
decide", and "small government". You have no rights against an oppressive
corporation that you would against an oppressive government. You didn't have a
strong financial advantage and upper hand against a large multi-national
corporation in getting them to agree to not violate your human rights? No? You
lose.

------
Nicksil
Non-AMP link: [https://www.secjuice.com/defcon-hotel-security-fiasco/](https://www.secjuice.com/defcon-hotel-security-fiasco/)

------
backspace_
non amp links would be nice.

~~~
Nicksil
Usually removing "amp" from a URL yields the correct website. When that
doesn't work, you can find the URL in the page's source: Look in <HEAD> for a
<LINK> element with a "type" attribute of "canonical"

------
nodesocket
Playing devil's advocate, I do wonder if attendees are being well behaved or
trying to exploit hotel systems and other guests as typical hackers do trying
to show off and prove their mental superiority. If I happened to be in Vegas
at the same time as the conference, I'd think to myself, welp, can't use my
laptop here.

------
Rjevski
Seems like all it would take to resolve this is a viral story about someone
getting robbed or raped by people pretending to be security and breaking into
rooms. Defcon people should be able to easily stage something like that and
spread the news. "Fake news" used for good I guess.

~~~
jackson1way
There we go. What an absolutely horrible idea, which shows clearly the
direction of this kind of "activism". Because if the "good people" are using
"fake news" - it's fine! But it's unacceptable if "the other" people are
using fake news to push their ideas.

Just because you think your ideas are noble, righteous or inherently good, it
still does not allow you to use any means possible in order to push them.

What's next? Stage a murder and frame someone you think is evil?

------
program_whiz
I'm probably going to get downvoted for this, but I think this was a good move
by the hotel. I'm glad that if people are bringing suspicious looking material
into the hotel, and declining maid service for days on end that they are
searching the rooms. One search like this could have prevented the Vegas
shooting, and it's worth it. There is a line we shouldn't cross as far as
privacy / safety, but if you're staying in a hotel, you're on their property
in a shared public space -- same as on an airplane or mass transit.

Edit: we already have the counter-example where the search didn't happen and
saw the result. Let's agree that there shouldn't be any unknown contraband /
dangerous items in the hotel for everyone's sake.

~~~
deadbunny
> if people are bringing suspicious looking material into the hotel, and
> declining maid service for days on end that they are searching the rooms

The Vegas shooter brought all his armaments in suitcases. Suitcases in hotels
are suspicious now?

I'll skip maid service for the duration of my trip if it's a week or less,
and let them in once a week if longer. I don't have new towels and bed sheets
daily at home why would I need them changed daily in a hotel?

> One search like this could have prevented the Vegas shooting, and it's worth
> it.

And one search of any mass shooter's house would have likely stopped them as
well. Should we encourage them as well? I mean WON'T SOMEBODY THINK OF THE
CHILDREN?

> There is a line we shouldn't cross as far as privacy / safety, but if you're
> staying in a hotel, you're on their property

Then let me verify the security staff, and don't have them steal my shit. If I
have "objectionable material" you ask me to leave or ditch the stuff, you don't
take it.

> in a shared public space -- same as on an airplane or mass transit.

No it's really not.

> Let's agree that there shouldn't be any unknown contraband / dangerous items
> in the hotel for everyone's sake.

Let's not. Knives are dangerous, vodka is dangerous, hell, water is dangerous,
let's ban that too.

