I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee. They also probably spend less on high-end restaurant dining and bar drinking inside the hotel.
Since the pandemic Vegas has had a pretty strong resurgence in general and this may be a sign that Caesar's is doing well enough they've decided there are higher-revenue guests they can put in those rooms — even in the doldrums of August (a traditionally slow month for Vegas tourism).
I happen to regularly attend an unrelated, non-tech conference that's always right around the same week as DEF CON. That conference also happens to attract attendees who don't gamble or spend much at the hotel other than room costs. The reason the conference organizer chooses August is they get better discounts on their costs from the hotel in exchange for filling up rooms that would otherwise be empty (except this hotel is lower-end and cheaper than Caesar's). This works out because unlike Caesar's this hotel is far off the strip and doesn't have nearly as much dining or gambling revenue potential anyway.
> But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?
Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
> it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers"
At least going by all the entrepreneurship articles I've read over the decade, "firing your customers" is a term of art, and a recommended approach for dealing with unprofitable and/or annoying customers - so I guess this shouldn't be surprising.
> Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
Not to be TOO snarky, but that's kind of the point of contracts - contract cancellation terms aren't an "or else..." threat, but rather an agreed upon exit strategy. Termination fines aren't punishment, they're compensation for inconvenience.
I mean they were both being intentionally snarky. The second snarky comment was used in a mocking tone because the first comment didn't seem to have much empirical evidence to support it.
I don't, and that's why I prefaced it as such. Sort of like how you'll self-preface yourself with something like "nit:" before making a nitpick that's meant to be treated as a small note but nothing to consider or delve too strongly over.
The idea is to defuse situations like this before they come about, but I guess nothing is perfect.
> Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
If they canceled a year or so before the con, I could see that. But to cancel seven months before the conference? There's no way they will get a decent-sized substitute in the space before then, so I don't see how this would be anything but a money-loser. Not to mention other conferences might be less willing to commit to long-term deals if they see that the contract can be canceled on a whim.
> Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".
The announcement effectively calls it "no-notice cancellation" and overall it reads like they were already deep in the planning phase when it happened, which seems unlikely if a renewal was pending.
It's odd though - I would assume a conference of this size would have penalties in the contract if the venue decides to pull out without cause or sufficient notice.
To a point yeah but the venue also has the power not to sign the contract in the first place (ime the venue is the side typically negotiating from the position of power) if they think the penalties are too high on their end.
In all likelihood they ran the math and figured it was worth it to yank the rug out from under Defcon, penalties be damned.
I will need to dig up the archives from DC 27 when the deal with Caesars forum was officially announced, but if memory serves me correctly DT said it was a 5 or 10 year contract. So unless there was some verbiage in the contract that allows Caesars to cancel for any reason, they're going to be cutting DEFCON a check.
Who knows? But a more likely hypothesis is that the organizers were betting that they could come to terms on a renewal and at the end of the day they couldn't.
I see people go all out in LV and drop a lot of money at restaurants. I guess it depends. Then again if you've already been in LV for a few days due to BH you might be over the bell curve on spending for the week. I guess it depends on when you get in. I tend to drop more money Wed-Thur.
Everyone is missing the "but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara" part. So this is more like they got passed to a different venue. Not "vegas hates them".
The post says they had to do significant work to secure another venue. While it's possible the author could be lying there is no evidence of this so we must, at this point, take them at their word.
All of the more recent years that I did DEF CON I was with large groups of people going to high end restaurants and (ab)using the hotel bars. In fact the hotel bars were always packed.
My suspicion is that Caesars is trying to do something like play with headcount. Late summer is not just a weak time for conferences but DEF CON needs a ton more space and a ton more human babysitting across that space than any other conference. You don't see EVO or BlackHat getting cancelled (same exact time window) because they're pretty contained in one place.
My guess is that Caesars needs to staff up a little for DEF CON or that they may even be considering reducing staffing in late summer. Con attendees are going to stay at their properties and use their bars/restaurants/tables anyway.
...although now that I think about it, EVO was moved up 2 weeks and has a new unannounced venue this year, so maybe this isn't isolated to DEF CON.
...and also the Venetian is having its convention space renovated until 2026...
Black Hat is a giant commercial conference run by a company that runs dozens and dozens of giant commercial conferences. No event venue is ever going to fuck with them.
Also Black Hat brings a lot of more-corporate, less-hacker types, who are probably likely to have much higher spend, possibly more gambling, and certainly dining expenses covered.
I attended an earlier DEF CON (5 or 6?) where the attendees:
1) Hacked the in-circuit TV system and broadcast their own pirate show
2) Gained roof access and removed the satellite dish
3) Spilled hookah coals onto the bed starting a fire
4) Drove the janitor's golf cart into the pool
and that is only what I witnessed firsthand. I can only imagine what else went on. Maybe the attendees' low spend was only part of the equation?
I attended Def Con 7 and witnessed people pick the lock of a utility room on my hotel floor and change the phone wiring.
Also, I was a 17 year old girl at the time, and I felt sexually threatened several times during the event. That is the only place I have visited where I would make a statement of that nature.
That sounds like DefCon 7 at the Alexis Park. I think I remember seeing a photo of a golf cart in the pool.
I quit going after 7. It seemed like the partying had vastly overtaken any actual technical content. I don't drink and I'm not super social, so it just seemed like it wasn't "for me" anymore.
Edit: It has probably changed in the intervening years but every time I looked into it it seemed like more spectacle than tech. DerbyCon filled the niche for me for a few years but then it got impossible to get tickets for and imploded. (I know there's a lot of backstory about DerbyCon that I don't know, too. For me it was just a fun way to feel a little of the DefCon 3 vibes again.)
I've seen bottles of alcohol passed around during talks and heard more than a few really off color jokes about criminal sex acts and such. Vegas waitresses have seen it all also but there was over the top behavior.
We're in a victim dominant culture now, "it's not you or what you've done, you're just a victim of evil or something" but at more than a few Def Cons and more than a few times, it was really uncomfortable to be there and see some of the stuff that was happening.
And they are perfectly fine with the crowd. I've chatted with many hotel staff and almost all of them are happy with the DC crowd. Generally tips well and are polite even when drunk, some assholes, but that's normal with any crowd.
Worst case scenario is usually they tell people to disperse, but otherwise, they always seemed to laugh when they saw shenanigans (except for people fucking with Casino machines, that's a fast way to make them mad).
Probably, because of what mrandish said at the start of the thread. Management thinks they can earn more money from others. If hotel staff is treated well and/or gets good tips doesn't factor in the decision process which event is hosted. As long as someone spends enough for managers to get their bonuses management is happy.
It doesn't appear there are any similar sized conferences scheduled for the original time slot though? Or that there will be one in the near future, unless you know of some information.
I was at DEF CON 26 & 27 and people had punched/torn holes in the drywall in several places, and at one stairwell where you could reach up and slap the ceiling, chunks of ceiling were falling off from where people were gouging it.
DEF CON is a hell of a party, and I hope to go this year, but the attendees are a force to be reckoned with. Even I ended up fucking up a homemade badge, and tossing a failing lithium battery into the trash in the middle of a casino, only to learn later I created a trash fire, so I know firsthand that we're a problematic bunch.
"I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee."
There is the story that the American Physical Society was not allowed back after, in 1986, Vegas supposedly suffered its worst week in history.
First of all there is no real evidence that this story is true and secondly it doesn't make sense to me that they would cancel DEF CON after so many years for that reason. They would have done so much earlier, probably.
I heard this story many times. One of them was from a graduate student who attended this meeting. APS March meeting happened in Las Vegas again last year (2023). While there was no official ban for APS Conferences, there was a little interest in Las Vegas to host anything for APS for ~35 years.
There are certainly a lot of DefCon attendees who think that this describes them. In my observation they are all very incorrect, usually humorously so fortunately.
Not really, no card counter goes unnoticed forever. It's about making sure you get enough time to play when the count is high that you manage to earn money. If you're curious about the life of card counters I can't recommend this YouTube channel enough: https://www.youtube.com/stevenbridges
…because it’s actually extremely difficult to do with the countermeasures casinos now use, more decks and random cutoffs. Letting you try is very profitable though.
The whole environment part is of course not useful. None of the monitoring happening where you can see.
Which they rarely do now because the number of people able and willing to count a 7 deck shoe with a random cutoff is extremely small and it benefits them to let people try.
Do they still exist? They have closed most of the gaps previously exploited by card counters, and continuous shufflers are everywhere.
I think the only ones who can make money are those playing poker and are really good at it. That's because they are playing against other players and not the bank. They still have to beat the rake.
I'm not even sure comp players, that is those who play to get non-cash rewards like travels, restaurant and hotel stays while minimizing their losses can still have an advantage. I heard that casinos calculate comps by expected losses, making sure they stay on top (statistically).
And they are cheaters, but it is like saying thieves can make money.
> And they are cheaters, but it is like saying thieves can make money.
Absolutely not. Using your brains to keep track of cards is not cheating in any way, shape or form. They are simply using all the available information and some pretty basic math to them to gain an advantage.
Calling card counters cheaters is like calling chess players with better knowledge of patterns than their opponents cheaters. They are not cheaters.
The post you are responding to addressed card counters at the top, claiming the casinos have closed most of the loopholes that enabled card counting to be profitable.
The cheating it mentions at the bottom is not card counting (technically legal), but genuine cheating.
Card counting is cheating.
Thinking before playing is cheating.
Also, knowing the rules of the game is cheating.
You should only play at random and never ever think
I'd be willing to bet that the intersection of people who think this and then choose to engage in gambling anyway, is probably one of the highest grossing demographics that exist.
Not just statistic. There are plenty of smart defcon people who understand statistics but don't understand that if you start winning they'll just kick you out.
I am very doubtful. Outside sports betting (where you can actually outsmart the house) we loved winning players when I worked in online gambling. Winning players are much more likely to return and lose more than they ever won.
Not sure that's true, actually. The usual strategy appears to be to comp the gambler with generous stays at the casino they're a patron of, with the expectation that they'll dump their winnings back in the next day.
Taken with a grain of salt, as my only knowledge of this is via Hollywood movies. It does make sense from a game theory perspective though.
My first thought was that GP was saying DefCon attendees would be counting cards, which is an effective and legal way to beat the house[1] (until you're caught and banned from the casino).
This is not true. Besides continuous shuffler machines, most casinos have 6 or 8 deck games that have plenty of 'penetration' (card counter term for depth into the deck that the cut card is placed) to offer an edge if you properly card count. There's also a big game to be played where rubes think they can card count and instead lose tons of money attempting to do so.
The problem with card counting generally is that the casino has infinite money and never runs out, thereby they can sustain large expected value swings... whereas you need an enormous bankroll to handle those swings, assuming they don't throw you out before that happens.
There's plenty of doubledeck blackjack with good penetration in Vegas, especially in high limits rooms. The problem nowadays is that the casinos are also counting, and the patterns are simple and easy to track with the tech we all have. Changing your bet even a couple times based on the count can have the pit boss getting a call to remove you.
There’s a huge difference between: “if you do X, you will be asked to leave” and “if you do X, the police will arrest you”
Like, when I invite someone over to a dinner party, it is against my policy to insult my dog. If you do that I will kick you out (not actually, he’s a dumb klutz, you can insult him all you want), but that doesn’t make it illegal to insult my dog.
True but not relevant. Police and legality do not need to be involved with certain kinds of casino justice. Security may just offer to beat your ass if you won't cease and desist, avoiding the paperwork. Could be bluff but they know where cameras are and have cop friends..
You need to check a calendar and see the current year - the days of Casinos' roughing up card counters is long long long gone. Might be great for your screenplay or fan fiction but doesn't match reality.
Strange that you can be so confident about this with private security when even actual police are sometimes involved in cases of excessive force, corruption, coverups. Besides, whatever your personal knowledge/experience is it can't be vast enough to prove a negative here, and only one counter example is needed.
Regardless of the year I think you might want to reconsider your overly confident notions about fiction/reality or at least the condescending tone. I don't know what is institutionalized in what places, but have been threatened by casino security. Fuck around and find out I guess
From where I stand, you'd need to show it's systematic. One single instance is not enough for me. Because your claims are general, as if they applied to many casinos.
I'm kind of perplexed by the blanket assertions here as if private security everywhere will never offer either threatened or actual violence in either official or unofficial capacity.
Nevermind casinos, do people think every bouncer at every bar is merely for show? Since "management reserves the right", trespassing, threats and assault are not really a huge due-process kind of thing, and local establishments/insiders rank higher than outsiders. Within reason they know what is allowed and that isn't always going to be exactly and only whatever the law technically says.
Edit for even more context. For people that don't know already, not every casino or bar is owned by some megacorp who gives a shit about PR, has tons of cameras, has some HR department to educate staff on doctrine, etc. Many casinos are literally in sovereign territory of indigenous peoples also. Not that summary execution for offenders will be status quo there, but come on folks. The world is large and complicated, so simple stories about it are usually incomplete
I mean, I think you're making up blanket assertions where there are none. I haven't made a blanket assertion. I specified the difference between policy and legality.
I then said "I don’t think most casinos have private security that will beat you any more" That's not a blanket assertion. It specifically says "most casinos".
I have never asserted that it NEVER happens and can NEVER happen.
So, I think your confusion is a product of your own assumptions.
Fair, you're as careful to use qualified language as I think I have been. Guess I wasn't really replying to you but just frustrated by the thread in general.
I heard a joke about tech conference people in Vegas many years ago. It goes something like "people who go to tech conferences in Vegas bring one shirt and a $20 bill and never change either." So yea, programmers generally aren't gamblers because they know enough math to know the house always wins.
In my experience, programmers like poker, but not games of chance. This also describes me. Poker is a data-heavy game of skill and memory, Craps is about the opposite.
Most people appreciate the skill poker requires, but like me never want to bother learning it. If I (very rarely) go to casino I'd just play games of chance for a defined loss budget and just stop playing when I either lose it or win enough to get dinner for the group.
I went with a bunch of CS/bioinformatics/MD IITians to Reno, NV once. They were just there to gamble on games of chance. Personally, I think gambling is boring and stupid if the expectation isn't significantly positive. I'd gamble if skill was the dominating factor and the expectation wasn't so abysmal.
If skill is the dominating factor, almost by definition it isn’t gambling. This is what allows bars and other institutions not licensed as gambling centers to host poker games. (which might be of interest to you)
House sets the mean and variance, how could they ever lose? Only thing left to make it work is volume, transactions volume, so variance can be minimized.
Eh, I’m a programmer and I go to vegas with other programmers fairly regularly. We know enough math to know the expected cost per entertainment•hour is comparable to many other pastimes.
But even so we’re actually all net-positive on the city, thanks to a couple “lucky” craps runs.
I agree that's the right approach. Have a budget, play fun games. When your money runs out, quit. In the meantime, enjoy the free watered-down drinks and unhealthy food. Just like when my friends and I would go to the arcade with a handful of quarters, except they charged money for snacks.
I've heard stories about "hackers" at former DEF CON's pouring concrete down sinks and doing all sorts of other socially clueless vandalism, and resulting backlash for the organizers. While the infosec community is much bigger and more... "normal" than it was back then, I imagine the guests are still more of a liability than the average conference attendee and as you said, probably not big spenders.
Combine low ARPU with perceived risk (in the wake of the Vegas hacks last year) and a termination for convenience clause and this is a no-brainer for Caesars. There’s just not enough upside for Caesars to host in their marquee properties.
I'm really sure you have found the answer, it’s most likely more of a perceived thing than any of us wants to admit. DEFCON attendees can be walking stereotypes at times anyways, but the combination of drunk, low yielding hacker(wo)men(tm) roaming your hotel probably just made the juice not worth the squeeze.
It's basically "a no harm, no foul" termination of an existing contract, and is fairly common in competitive markets where there is no long term strategic partnership to develop a unique product.
If it's the buyer terminating it's either because the product is no longer needed or a cheaper supplier was found, and if it's the seller it's caused by all sorts of resource optimization reasons (aka someone being willing to pay more for the same limited resources, or an increase in cost making it unprofitable).
It's mostly with liquor bought from offsite and drunk in rooms/private parties, not via Caesar's venues or catering (there's a lot of that too, and this is summer dead period, so it still may be good).
I accidentally bumped into a random guy there before the con started, and we ended up chatting and he bought me a beer. I saw him there the next morning. And that evening. And at 2AM. Almost every time I walked past, the same guy was in the same seat, enthusiastically laughing and drinking with his buddies.
The simplest explanation is often the correct one. Casinos aren't exactly known for having moral qualms. They are, however, known for caring about their bottom line. They probably analyze every single event they host and then shuffle things around to maximize their expected revenue based on their past experiences with the same type of event.
Companies/Vendors usually host corporate conferences around this time as well.
A large company has probably decided to move a conference to Caesar's during that period, and that got Defcon bumped. Especially because DefCon has become massive, so the RoI has shrunk due to staffing overhead.
The simplest explanation is they don’t like hackers after their experience. So they push a bunch of hackers' buttons with a last minute notice and prepare the honey pot to pen test their post ransom security posture and maybe in the process they find an amateur to pin it all on.
I think you're on to something. Most DEFCON attendees can do rough calculations in their head that their chances of coming out on top in Las Vegas is extremely unlikely, and choose to just look around and buy some drinks and cheap food.
Doubtful, I'm sure it's related to the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully). The juice just ain't worth the squeeze. They have a business to run, and the risk of having a bunch of drunken and high hackers who happen to be the best in the world running amuck is not their idea of a good corporate event.
Caesar's apparently explicitly said it wasn't related to anything the community did. It's possible that they're lying for some reason, but it's also possible that they're telling the truth.
> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.
To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms. Just say nothing, part amicably, everyone moves on without drama.
With that said, they probably weren't lying. Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.
> To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms.
This is how it works for at-will employment, but it would be a very weird contract that allows backing out only if you don't say why you're backing out.
Let's say Caesars states, "we just got hacked and, as has been reported in every major newspaper, paid $10 million as ransom. We have reason to believe one or more attendees of DEF CON were part of that group."
How does making this statement benefit Caesars in any way? Now DEF CON can demand some proof of this claim, or sue for defamation, or state that without proof, Caesars isn't acting in good faith, whatever.
Yes, most likely. That's why it would make zero sense for Caesars to state anything publicly that would antagonize members of the community. Saying nothing (or even praising DEF CON, and claiming it was a "change in strategy") is the smarter route.
> Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.
Most Def con visitors would be white hats so that would be a bit disingenuous. I would expect most attendees to behave (reporting issues after finding one).
Especially considering they just got hacked, a few pentests would be good for their business.
You say that like a person informed enough to know what a white hat is lol. Let’s be real here, even the ethical hacker bunch can look VERY wonky and rowdy to an outsider, especially if you are as far removed as the hospitality industry. The only time they had to deal with hackers in the recent past was decidedly painful for them.
Being ambivalent towards a group, filling up your hotel, but otherwise alien to you, may be a little less polarizing than just having been forced to shell out $100M to a similar sounding demographic.
Primarily, it's about public image. It would look idiotic to host this group, regardless of intention. And it's about insurance -- logical or not, their insurer probably insisted they quit inviting DEF CON and associating, in any capacity, with self-identified hackers.
Dunno if it has anything to do with it but they did get haxx0red last year at the same time as MGM, except Caesars paid up and MGM didn't. Hotel room cards, casino play cards, etc were down for ten days at a bunch of the MGM-owned properties (a.k.a. the half of the Strip not owned by Caesars) https://en.wikipedia.org/wiki/MGM_Resorts_International#Las_...
About a month after the conference would be enough time to discredit an obvious connection to the conference, while still making use of security breaches that might have been found during the conference. Most security experts know you have to abandon security hopes if you give the hardware to the user with direct access. And with a conference of DEF CON's size, you only need 1% malicious actors for 300 tragedy of the commons results.
MGM's not that far away on the strip for somebody to find a security exploit, and then start checking every nearby casino to see if it works at those casinos. Found a $1 million exploit? Might walk a few blocks to see if it can turn into a $10 million exploit. Non-negligible risk from a casino perspective.
Average casino-win per customer is usually ~$100/admission. [1] Three days [2] gambling for 30,000 = 9,000,000. Hotel stay revenue helps, yet it's usually only 25% of revenue per guest. [3] Casino visitation and attendance has also rebounded significantly in the last few years. [4]
So, higher than normal costs per attendee, attendees who believe they all spend less than normal conference participants, anecdotal stories of repeated high cost issues each year to resolve (ex: concrete poured in sinks on purpose, rooms broken into, satellite dishes stolen), increasing attendance numbers in Vegas, and a multi-$10 million slap a month afterward based on social engineering.
There are actually very few people with pentesting skills at Defcon stronger than running burp suite, and fewer still of those that are blackhats. Those with skill can do very well for themselves legally, and know better than to risk their careers getting caught messing with casino systems.
In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.
My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.
Not sure I agree with the idea there are very few world class hackers there. I've watched a few of the capture the flags and almost immediately they went over my head and I felt inadequate. lol.
> the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully)
If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.
And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.
You're getting flamed by accounts below but they're largely wrong.
Most casinos rent their gaming equipment from IGT, who directly manage most of these systems. IGT also has a fairly robust security team, having worked with them back when I was still a PM in the space.
Organizations like Caesar's aren't the greatest security wise, but that's largely because they have low margins because they are primarily property holding companies that are operating Casino/Gaming that they rent out from vendors like IGT.
This has been changing after MGM, but I don't think I can discuss it deeply.
You can view their financial statements [1]. I am sure the 'casino' category includes things besides gambling, but it looks like the largest share of their revenue.
Be sure to subtract expenses. So for 2022 you have 2500 for casino, 500 for food, 1500 for hotel, 800 for "other." And there's definitely some counterintuitive accounting going on there, because that 2500 would imply a profit margin of 41% on casino, but Vegas regulations require gaming machines to pay out at least 75%, leaving a profit margin max of 25%. The card games and other games of skill wouldn't have such restrictions, but it seems pretty difficult to imagine that they'd be high enough margin to result in an overall of 41%.
The requirement is that the expected value for a play on a machine is >75%. And most are >90%. But that’s not a cap on profit margin, as 25% of the expense for a play may be more than the cost of that play.
Eg, having a machine that costs $1 with $0.75 expected return (and $0.25 revenue for the casino) may only cost the casino $0.10 a play — which would be a 60% profit margin.
Expected return on a machine and profit margin on that machine are literally identical. Imagine there's a hypothetical $1 machine where we simply remove variance. So you insert $1 and you get $0.75 back. It should be clear that for each $1 of revenue, the casino profits $0.25. This is a 25% profit margin. Variance can add some noise, but does not change the long-term expectation, which is what the regulations are based on.
That sounds intuitive, but that's just not how revenue is defined for a business like a casino. The casino had $0.25 revenue, and its profit is whatever is left from the $0.25 after paying for heat, light, maintenance, cashiers, security, etc.
Other businesses are treated like this too. If you are a high frequency trading firm and you buy 1000 shares stock for $99.99 each and sell for $100, you didn't have $100k of revenue - you had $10, and your profit is what's left after paying for staff and computers.
Yes, if your business was a supermarket, it would indeed work the other way, and it's not obvious to the literal-minded where one treatment should stop and the other should start.
Yip, I agree. I'm aware of gross gaming revenue and was involved in the industry in a past life, though obviously never filing as a casino. The thing that misled me, at a glance, was their costs - $3.5 billion. I wasn't aware there'd been massive consolidation in the casino industry, and thought I was looking at a casino's costs/revenue (in which $3.5 billion would be insane without it including losses), not a sprawling corporate enterprise.
This is similar to not counting bank deposits as revenue and withdrawals as costs. Only when your money goes to pay fees is it booked as bank revenue. The same for money transmitters like Western Union.
And perhaps is more obvious when you consider what happens when there’s only players, eg, poker. The pot is held in trust, until the game ends and the losers forfeit their money to the winner. At no point does it belong to the casino.
That doesn’t change when the casino is also a player.
Look at it a different way. The casino never had that dollar, you inserted a quarter and they gave you light show that cost them a cent to put on. You enjoyed it so much, you did it four times.
Now the casino has your dollar and its "costs" were four cents in electricity/maintenance. A much higher profit than 25%.
Except that you have expenses, like rent for the machine, maintenance for the machine and building, energy costs, staff salaries, cleaning costs, security and IT spend, etc. etc.
So no, profit is more like gross revenue minus expenses and taxes.
You could easily have a machine with positive EV for the house that has negative profit.
You don't understand casino accounting. Gaming WIN is revenue. If you put $100 in and get $75 out, that's $25 in marginal revenue with zero corresponding costs. The $100 is a statistic that the casino records, but it does not factor into profit calculations (total, or margin).
Gaming does have expenses -- labor (mostly dealers and slot attendants & mechanics), costs of purchasing and leasing the machines, and some other miscellaneous stuff... but profit margins on pure gaming are very high (and not limited in any way by the 25% maximum hold percentage that you reference)
Not everything is about money or the bottom line. Sometimes it's about politics. Vegas takes a loss on so many things. Nevada has grown more and more corporate over the years. This move doesn't surprise me at all.
What are the politics? One of the richest and most profitable industries on Earth wants to have a conference where they show slide shows to each other. Really not much different than any other conference, and probably more ethical than most of them.
> Sometimes it's about politics.
> Nevada has grown more and more corporate over the years.
You make it sound like it's entirely about money and the bottom line.
I have a hard time believing gaming doesn't provide _huge_ contributions to favorable politicians. I feel like you've got something to say, and maybe something really interesting. But what you've got is awfully vague.
If you've got the time or inclination, I'd definitely read an elaboration of your meaning.
Ideologically Clark County has changed from the influx of Silicon Valley influences starting in the 90s, which is why we have CES here.
Financially the strips have massive amounts of money flowing into it from every angle. Construction is booming and housing cannot keep up with the demand. If you view LV from the surface then it seems like the economy is trashed - lower travel rates, millennials are not into gaming as much, and the virtualization of gaming is competing. But the reality is business for "living" is doing better than ever before.
Because recent politics has changed ideologies with modern corporations several things have changed. For example skids were never part of LV ever, but that has changed in the last 10 years directly because of these ideologies. https://www.cbsnews.com/news/u-s-first-public-needle-vending...
Do you think these same Corporations look fondly upon DEFCON? They would push it out eventually as it's not safe-hacking.
You know, why the fuck is DEFCON in August, in Vegas? Like, you know a nice place to visit in August? Kodiak, Alaska. Portsmouth, Maine. Sydney. List of places I would never want to visit in August? Vegas. Houston. Vegas. New Orleans. Vegas. Mumbai? Maybe. Baghdad? Definitely not. Also, Vegas. My friends in Christ, why, does anyone, think Vegas is a good idea in August?
Convention space and room blocks are fairly cheap to rent in Las Vegas.
No other city in North America has a similar amount of space or options for low cost block booking.
Also, plenty of DefCon attendees and sponsors are also attending BlackHat at around the same time, so it makes it easier to justify expensing most of the cost as an employee.
It started there initially because a bunch of hackers wanted to hang out together and the cheapest way to do that was to all fly in to Vegas in August. It’s tradition but also still somewhat true for the reasons you articulate.
If we wanna be frank: lotta tech is in silicon valley and Vegas is probably the closest "large" hub to travel to (Maybe Los Angeles is closer, but not by much). It's the cheapest option without simply staying in SV.
I'm sure the other places suggested would have been nice, but you turn one flight into 2, maybe even 3, have to search for a venue and accommodation for 100s/1000s persons (even if they self book), etc
Conference tourism is big business and the big conferences want friendly places that fit their budget and make it possible for people to attend it
The heat is really not that bad. I absolutely hate the heat, living in the midwest the summers are unbearable to me.
Yes, it's hot, but you can still walk outside without becoming a sweaty mess because it's so dry. And you're probably not going to be walking outside very far, it's a very unfriendly place to walk outside of the prescribed separated paths on the strip.
The problem is that the con was now spread out over multiple casinos/hotels so the odds of having to walk outside at some point have increased, even with some of the hotels connected internally.
The fact that it is now at the convention center and likely all under one roof is an improvement, IMO
I don't care to go to Las Vegas, and I don't care to go to DEFCON, but you can easily fly from anywhere to Las Vegas, any time of year. (Subject to US visa issues, of course)
Others have said August is off-peak for Vegas (perhaps because of the weather), which means it's a good time for a conference as space should be less expensive.
Check out https://www.flightsfrom.com/explorer/LAS — particularly comparing its direct flights from all over the continental US to the same for other American cities.
That settles it, DEF CON in Dubai, London or Amsterdam. I vote for Amsterdam.
Frankfurt also has the most international destinations (just not volume).
(Probably not Dubai, considering a few speakers would be thrown out at the border - or worse if they get through. It's also artificially inflated because it's almost all transit traffic).
Aimed largely at the MENA, SAARC, and a bit of the APJ market.
Most DefCon attendees are in North America, which makes the flight to the UAE hellishly long and expensive.
Most attendees are also expensing the trip, so a $700-900 round trip ticket plus an additional $500-700 for hotels makes Managers balk, as that's a major expense coming out of your yearly budget.
Also, DefCon sponsors largely showed up because it was occurring around the same time and same location as BlackHat
Source: travelled a lot for corporate tech conferences in my PM days.
Terrible location for any conference that cares about everyone being able to attend. While one could argue about "hiding the gay" (I'd still say that's hard to impossible), I would never be able to attend as visibly trans.
No community which has a healthy amount thinking about ethics and stuff would want to go to Dubai. Sorry but Dubai is one of the worst rich cities in existence.
Europe has CCC. CCC is older than DEFCON. It sucks for Americans to go across the ocean. Also given that I just came back from a month long eurotrip, hospitality services in post COVID Europe is even worse than it was before COVID. I'll stay in Vegas.
We also believe in constant air conditioning unlike the East coast and defcon is probably not the group walking around outside the hotels much.
The heat sucks but it’s not like it’s that hard to avoid on a conference trip. It’s when you live here and have to hop in your plasma generating car that makes you wonder what the fuck is wrong with you
Vegas is great in August. It might be super hot but it's also dry. Whenever I go out to DEF CON, I take a day to go out quadding around the desert and shoot some guns outdoors.
The whole damn strip is air conditioned and misted so it's not really a problem. A few years back I participated in a scavenger hunt during DEF CON and it was taxing but I would do it again.
New Orleans is hell on earth that time of year though -- never again.
That’s the stupidest thing I’ve heard. It’s nice and hot in Vegas in August. Alaska? At best it’s fucking 50F, that’s deeply uncomfortable. Walking around in that feels like I’m dying inside. Also, it’s a goddamn convention not a business meeting. People want to drink, watch some shows, gamble a little bit, walk around on the strip. Have a good time in general. What the fuck are you gonna do in Alaska?
After the impact of the MGM hack this year Caesars probably revisited their insurance on getting compromised. After the auditors and lawyers looked at all the risks they came across DEF CON and said no because of the wording of how DEF CON is marketed. Their choice was probably to drop them or lose coverage.
DEF CON is listed as a "hacker convention held annually in Las Vegas, Nevada." where Blackhat is "Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security..."
I imagine places like the convention center can't afford or care about insurance at this level.
Caesars was hacked by the same attackers that pwned Okta, and used the stolen keys and tokens to get into Caesars. It was nothing carried out by Defcon in any way.
Anyone that takes this scene seriously knows Defcon is the place to be. Blackhat is an overpriced vendor circle jerk. The only way to make Blackhat relevant again is to kick out all of the vendors and if you can't do that, forbid them from collecting people's information.
This is going to be my 11th year at Defcon this year. I snuck into a couple of blackhats and didn't get any value from them. I've been around the block a few times.
> It was nothing carried out by Defcon in any way.
You think insurance providers are capable of doing this level of analysis? They see "hacker conference" in which Defcon may still hold some notoriety in and decide it's a risk.
They are able to. I've worked with AXA and Chubbs before in this space.
I don't think this was done because of cyber insurance
They most likely got bumped to make space for a better paying corporate conference.
Most vendors are now running a Cisco Live/AWS Re:invent type conference, and they've increasingly consolidated on Las Vegas because venue booking and block room booking is much easier there than in any other city in North America.
Also, DefCon has become massive, so the RoI has most likely shrunk due to staffing overhead.
People love saying this about Black Hat and Defcon, but I can't think of an important research result disclosed at Defcon 31 that wasn't a Black Hat talk. More good research gets turned down for Black Hat (which can only accept 3-5 talks per track) than appears at Defcon. Median Defcon talk quantity is approximately that of a good regional conference.
And that makes sense. Talks aren't really the point of Defcon, and they are (besides the lobby conf) the sole point of Black Hat. Black Hat is also a vendor circlejerk, but that fact confuses people who don't actually practice in the field.
BlackHat isn't a con you attend. You go there for the training sessions that are required to obtain/upkeep your certifications.
The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.
On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.
I don't know what to say to someone who thinks the Black Hat talk schedule and lobby conference isn't a reason to go, but a $5000 training course on "Active Directory Security Fundamentals" is. You do you, I guess.
I don't care if you go or not. I'm not trying to sell anybody on Black Hat. If you work in this field, you know what Black Hat is, and if you care about Security Summer Camp you're in the lobby bar at Mandalay. My only nit here is people claiming that the actual Black Hat conference is a vendor event (like RSA). It is not. Almost every good Defcon talk was a Black Hat submission (as you'd expect; it's the highest-status mainstream security conference, and it pays honoraria and travel expenses for speakers). There's a whole other conference, BSides, that started just to soak up the talks Black Hat doesn't accept.
Fair enough. BH as vendor event wasn't my axe to grind but the parent poster's.
I was just complaining about the industry and the event in general as only having status-economy value.
e.g., the only reason I would go is if I needed to for industry certifications. Talks aren't a reason for me to go to anything (they'll be streamed eventually and I can filter them better). I'll agree the talks are better here than most other events
I guess if your employer is footing the bill, sure, fine, whatever.
Talks having no attendance value to me might be a personal thing, but you can blame Netflix and re:Invent 2017 for that. I sat through 4 different talks given by 4 different people that were supposed to talk about different parts of their architecture but were basically the same slides and staff engineers from 4 different departments claiming responsibility for the same parts of the system.
Sure that has nothing to do with Infosec, but talks can be an epic waste of time and I'm much more suspicious of them these days.
Again: I'm not trying to sell you on Black Hat. But re:Invent is nothing at all like Black Hat. Black Hat is a peer-reviewed research conference focusing on presentation of security research results. You pay to see Black Hat talks if breaking the encryption on police TETRA radio or defeating Apple's PAC pointer authentication is professionally useful to you. For most Black Hat talks, that stage will be the first public airing of that research. At events like re:Invent, the new stuff is just product announcements.
I can see not wanting to sit through a bunch of vulnerability research talks! Defcon is certainly the more "fun" event.
There are higher-status (non-academic) research conferences, but they're not mainstream. Of the events everybody knows about and that employers at pentest firms will pay to have people develop talks for and employers at F500 security teams will pay to have engineers attend, Black Hat is basically the most important event of the year.
> For most Black Hat talks, that stage will be the first public airing of that research.
I find this aspect intriguing, and seems to contribute to the buzz around the event? Used to be true in some other areas of computer science too, but outside of security I can't think of an academic conference where it still happens. Nowadays you can almost always expect talks at top conferences to have preprints posted on arXiv (or openreview.net) ahead of the talk, often weeks or months ahead. I mean not that somewhere like NeurIPS lacks buzz either, but you're not normally expecting major surprises in the talks.
Yeah, it's an idiosyncrasy of vulnerability research and "zero day" status. Things will get discussed with the media in advance of the conference, but if you blog your whole talk before the review board sees the submission, that'll get used to shoot down accepting. Which sort of makes sense, because even if it's good, your submission will be competing with 5 more really good talks on the same track.
I'm a longtime reviewer for Black Hat, and I've reviewed (shadow) for ACM and (publicly) for Usenix (I was a PC for WOOT a few years ago). It's a different vibe. Nobody's WOOT submission got dinged for having been disclosed in advance, but Black Hat submissions will get dinged for having been presented at regional conferences prior to BH.
Again though: the single easiest way to make sure a talk has no chance at BH is to make it vendor-y. Reviewers will LinkedIn-stalk the names on the presentation to make sure nobody's connected to marketing or sales. If you're submitting something that's even tangential to your product (smart toaster firewalls), even if it's good research (elite-level zero-day vulnerabilities in smart toasters), you have to go way out of your way to assure reviewers you won't pitch on stage.
Black Hat is pretty sensitive to making sure the talks themselves aren't commercial, even though the conference trappings are extremely commercial. "This would make a better RSA talk" is an extremely common epithet.
My comment was around the wording as advertised. It will also be my 11th DEF CON next year, never been to Blackhat. We should grab a beer.
I have personally worried after seeing Caesars transform after the events at the Mandalay Bay with the new addition of their own paramilitary group (the SRTs) and their actions during DEF CON. Just check out their job descriptions: https://www.linkedin.com/jobs/view/security-officer-srt-i-fu...
Before the SRTs, I personally know from knowing the staff who run the conference that they have helped Caesars Entertainment in previous years strengthen and work with them hand-in-hand to secure their networks and train their staff. Even work with the goons to make sure people didn't get trespassed over shenanigans. I honestly think the mid level management is sad we are gone.
The other side is the Okta was just a taste of what could go wrong. Seeing MGM totally shut down and losing millions was scary for upper management. Auditors weren't comparing Blackhat to DEF CON but that the listing on the spreadsheet was not "boat show" but "hacking con" and they deemed that was too much risk for the level of coverage Caesars Entertainment wanted.
Nevertheless, we all hated Caesars and I am personally excited to see what this next year will look like.
This explanation makes the most sense. A team of lawyers/risk analysts saw "hacker conference", superficially dug in and noted previous incidents that coincided with the "hacker conference" in previous years (bomb threat, the shooter) and decided it wasn't worth it
The bomb threat last year is a funny story that I can't share here. It was very much a nothing burger but their security doing what they are paid to do.
Black hat is just one giant bunch of sales pitches. No I haven't been there but I've had to sift through recordings that my boss (who did attend) wanted me to look at because he was too drunk himself to do a proper evaluation.
It doesn't provide information, it just provides sales suits a chance to blow their hot air :P
If I'd ever go there it would just be an excuse to go to vegas to see DEF CON as well :P I work in security but I have no time for corporatism and sales bullshit.
Edit: I know it's a bit of a hot take but I've been to so many conferences where sales goons spew all the pretty pictures and then later when we actually got our hands on the product it turned out that it couldn't do half the stuff that was promised. Or there were other weaknesses like excruciatingly bad support. I've become very cynical due to this.
If we're going with hot takes, I've watched a lot of DefCon vids and many presenters come off as outlandishly arrogant. Not simply smug, more "I am levitating above the normies."
That's not specific to presenters; there's a lot of insecurity (no pun intended) on parade in this industry. The sort of people who can bridge air-gapped networks using bubblegum and popsicle sticks tend not to minor in human relations.
Just read it as showmanship. They're trying to be over the top for the sake of performance.
>Black hat is just one giant bunch of sales pitches.
> No I haven't been there
The first sentence is not true. Many good talks are given, often breaking ground. Yes, you can find sales pitches, but there are good fundamentally technology talks.
Black Hat is peer reviewed and accepts a tiny fraction of submissions (tracks will accept 3-5 talks out of a typical pool of 20-50). Reviewers --- all of them vulnerability researchers --- barely have time to read outlines and look for any possible excuse to DQ a submission and move on to the next one, and the single most common DQ is "the presenter has a commercial interest in this topic, vendor talk, 1.0 rating".
There is also a giant vendor expo that runs alongside Black Hat, and vendors do whatever they can to stage events that look like Black Hat talks but are not. I submit that you have probably confused those for actual talks. Or: you watched the keynote? I don't understand what the keynote is for.
Point being that it’s been a rough ride over the last few years. Combine that with corporate events probably being far more lucrative for Caesars, i.e. suits drink and gamble harder than geeks - I’m not surprised by this.
TBH my team and I skipped DEF CON last year and threw our own event in Banff instead because DEF CON has become quite boring with long lines and a Groundhog Day feel to it. If you’re looking for a proper con check out a local B-sides or a smaller legit con like Shmoocon.
When I'm at DEFCON, I bring a fun little device. It's an ESP8266 that constantly listens for WiFi probes coming from people's mobile devices. It then displays the SSID (the network name) on a scrolling LED text display. I keep it plugged into one of those Anker battery banks. 10,000 mAh will power it for ~16 hours, so it lasts the entire day.
After last year, Caesars likely has a large insurance policy covering against ransomware attacks. That policy probably says something along the lines of "valid as long as you don't knowingly invite tens of thousands of hackers to your property"
I find this strange but not surprising. I've heard of speed bumps in the past related to 'hackers in town' and I wouldn't be surprised if it comes out later that it had something to do with it, even if unfounded. I think overall, having that many 'hackers' in town makes people overly paranoid.
<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>
Not a fan of what DEF CON has become in the last years, so I selfishly hope it somehow "goes away" and is reborn in a more technical and actual hacker note.
Too many "security researchers", "staff engineers" and people playing politics.
But I suspect they will have no problem finding another venue, sponsor money has been flowing quite well, so I wish them well.
I don't have a ton of love for politicking, but security researchers and staff engineers, a lot of the time, are people who either have a career in a really interesting area in infosec and can bring a lot to the table as teachers/presenters, or people who want to get into that area and who'd benefit massively from a place like DEF CON considering how accessible its talks, demos, and villages are to people of all skill levels.
Socialising, learning hacking history, and getting to know the traditions is always a great side effect that the DC crowd's been good at passing on to new generations. Goons still give people shit for misbehaving, speakers still take shots, TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
I'd venture to say it's against the spirit of the con to try and gatekeep it.
Having said all that (and the irony not being lost on me) -- linecon's definitely getting worse, and I'm worried that DC's becoming a victim of its own success, with its accessible pricing and subject matter being counterbalanced by having to manage a 20-30k person crowd. I don't have a solution for this outside of decentralization, but I don't know if that's a good solution.
I can't edit my original comment anymore, but I'll add: OG DEF CON stuff still happens, too. Parties, secret parties, parties that take a full day or two of codebreaking a badge to get to, demoscene stuff, drinking, public art, you name it, it's there -- it takes a back seat because DC does have to focus on mass appeal these days (I believe, because of its accessibility promise coupled with the number of people coming out).
I forgot these when I wrote my original post at 1AM :)
I have always hated the secret parties. As soon as I found out about them, I set about infiltrating them just to fuck with them. One of the reasons I left the hacker community was the toxic elitism and posturing.
> TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
While you're over there look around for the Tamper Evident Village and we'll happily demonstrate and allow you to try removing Tamper Evident Seals of various kinds.
Also very cool stuff. I always see TEV bogged down with tons of people so after 4 cons I still haven't had a chance -- and while I have to miss this year, I'll hopefully swing by next year and check it out!
There are dozens of other conferences that do anything else you want a security conference to do. The point of Defcon at this point is to be the giant annual social event.
I wonder if Caesars' cybersecurity insurer had an opinion about writing a policy for a casino resort that hosts something like DEFCON, especially after the MGM hack.
It was Defcon 6 if I'm not mistaken and someone actually didn't go because of it which is how it became a meme.
Here's at least one source corroborating that[0]:
> "I think it's from around DC6 and is a reference to our only near brush with cancellation at the Monte Carlo for DC4," Def Con spokesperson Darington Forbes wrote me in an email. "I wish I had more to tell you—since it happened seventeen or so years ago my info is murky. Something about a casino mogul preferring we not use the Monte Carlo, threats of legal action."
> @ivydigital DEF CON - cancelled annually for over 20 years
> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.
It is absolutely related to DEF CON. Remember that Caesars suffered a massively embarrassing hack in September, and it is highly likely the top brass and investors don't want any association with hackers from an image and security standpoint, especially in the form of hosting a conference that brings tens of thousands of them to the hotel.
Absolutely, I'm already seeing some chatter from groups that want to get "even" with Caesars for displacing a 25 year tradition for strategy. I hope they have some good defenses installed now that you've pissed off no less than 10k infosec people.
As a furry, there's one thing I haven't seen discussed; maybe this is about extracting more revenue from higher paying customers, but I feel like it's probably a sacrifice of revenue in favour of brand image/perception.
Perhaps they no longer want to be known for being the place where the "weirdos" are bouncing around the hallways. A la the poor normies staying at a hotel during a fur convention, or trying to get into the bar during a meet (though the whole place is often hired out by us; we _definitely_ provide enough alcohol revenue)
Forum servers are being overloaded, from DEF CON's homepage:
After a great 25 year relationship Caesars abruptly terminated their contract with DEF CON, leaving us with no venue for DC 32, and just about seven months to Con!
We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.
TL;DR - DEF CON 32 will still be August 8-11 2024, but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara.
If you already have a reservation at a Caesars property, from what I saw you can keep it, you'll just have to find transportation to LVCC via the monorail or other means.
Not sure on transfers. They have negotiated with Sahara on a rate and are looking to add more.
That “just” is doing some heavy lifting. It was a minor hassle running back and forth from the Forum to Flamingo to pick stuff up and drop it off. Commuting from strip hotels to LVCC is going to be a pain in the ass.
You can cancel up to 72 hours before the reservation. New room blocks are still being negotiated and will be posted at (link) as they become available. Please help us negotiate rates by booking rooms in our reserved blocks.
This may be a blessing in disguise. DEF CON has grown massively to the point where the number of attendees who want to go to the various villages all day equals or even surpasses the attendees interested in the main talks. However, those villages have historically been given very small spaces. This past DEF CON, the Cloud Security village had a line down the hallway and escalator pretty much all of Friday and Saturday. Even the vendor area had to be carefully managed to ensure not too many people were inside at the same time.
Hope this allows them to really spread their wings a bit more.
I would say the blessing isn't even in disguise. I've gone twice, in 2017 and last year, and last year the crowds in the main hallways and village lines were suffocating and I'm not usually claustrophobic. An extra couple of hundred thousand square feet is a big deal and should have happened regardless. I just feel bad for the folks who have to make it happen in 7 months.
Yeah, this might actually change my mind about skipping DEFCON.
I started going to DEFCON in 2017 (DEFCON 25). After last year's event, I had decided I wasn't going to go anymore. The villages were always extremely crowded, so trying to actually participate would be a huge wait. The talks were nice, but I can just watch them on YouTube a month or so later. Hacker Jeopardy is always a blast, but I'm not going to spend $2,500 to fly and stay in Vegas just for that.
The fact that Red Team village would only be given this tiny conference room with only like 50 chairs to listen to talks was just bullshit.
If the new venue has more room and solves all my complaints, maybe I'll still go.
Early DefCons were on the strip, and for reasons never officially made public, DefCon got banned from the strip. AFAIU, that's why it was in the Alexis Park for many years. I was actually surprised when I learned it was allowed back onto the strip. Given the high rate of incidents and the surface area for attack, I completely understand why Caesar's dropped them. What I don't get is how they allowed DefCon back onto the strip in the first place.
Too bad. Now I will definitely never go there. My work sometimes gets free tickets for black hat but that's a totally boring business conference. Not worth going to on its own. I hate mingling with sales suits, I'm a real techie.
Def con was something I would be looking forward to and if my work paid for black hat I could have stayed the extra days to go there.
Black Hat is the largest North American venue for vulnerability research. It's one of the closest things in the industry to a serious, peer reviewed conference, at least at this scale. It's certainly not the social scene Defcon is (indeed, it replaces that social scene with an enterprise sales hookup scene), but it's definitely not a "totally boring business conference". Black Hat talks are generally much better than Defcon talks.
> It's certainly not the social scene Defcon is (indeed, it replaces that social scene with an enterprise sales hookup scene), but it's definitely not a "totally boring business conference".
It's the enterprise sales hookup thing that attracts most visitors though. The people from our company that go there go mainly for that. They're all VPs and other suits that have no interest in specific vulnerabilities. They just want the free wine and dine and to feel important.
I couldn't imagine going to that kind of thing. I'd only put up with it if it would give me a chance to go to Def Con :)
And it's really the Def Con social scene I'd be interested in. I'm not a vulnerability researcher either, I'm just very informal, I'm not comfortable socialising with business people even though I work in enterprise security. So I think for me black hat would be pretty boring.
What I love about the grassroots hacker conferences is the free sharing of information without commercial strings attached (in fact here in Europe people get booed off stage when they pull out the sales pitch). The presentations not vetted by PR departments. The tongue in cheek remarks against big tech. The activism. Drunkenly running into other makers and making good friends. Exchanging business cards and finding a new vendor is definitely not on the list. I don't normally go to too many of the talks either, especially not the huge ones.
If you're not a practitioner and you're looking for a social scene, you want Defcon, not Black Hat. But if you are a practitioner, the lobby conference at Black Hat is better than the Defcon scene. The talks are much better at Black Hat, but the guts of the important ones are public immediately and all of them are published eventually. Nobody should have FOMO about Black Hat, but to dismiss it as a commercial event (like RSA is) is to misunderstand it.
This is me being opportunistic, but I'm an organizer for indie tech conferences [0]. We're not selling tickets with set venue dates yet (although a fundraiser is happening.)
If nothing else, you might join the newsletter to see if it's your cup of tea later in the year.
Thanks! I'm very unlikely to fly to the US for conferences though (in fact I've never been there in my life!). Especially to Seattle as it's so far away from me in Europe. I'm in Spain which is pretty much a low-wage country so things like intercontinental flights and foreign hotels are prohibitively expensive.
Boston might be an option if it just happens to be around a time I might visit for work (but again I've never been there in my life so it's not all that likely even though we have a major office there).
The IP of the site reports as being a Comcast IP address. Surely this isn't hosted on some guy's home server? Even their business class service wouldn't seem like a good fit, especially for an org like Defcon.
Without robust and easily scaled infrastructure in place ahead of time, an organic DDOS is one of the most difficult situations to mitigate. Not much can be done in terms of traffic shaping, rate limiting, or bot detection.
An HN front page “DDoS” is like 20K hits. This isn't some complex scaling challenge. Any website on the internet should be able to handle it, especially a purely informational one.
I had my blog be on the front page for ~6-8 hours racking up 100k+ unique loads. It also managed to survive just fine on a $5 VPS so I would hope that other sites could survive.
I agree. Protecting against DDoS attacks is incredibly difficult. I'm just enjoying the irony of Def Con, the premier computer security and hacking convention, not being able to handle traffic.
To be fair, I don't think they crashed; I saw a "sorry too much traffic try later" type message. Still amuses me.
I guess it's funny, but the attendees don't necessarily represent the organizers. The best hackers in the world may be in the building during Defcon but I don't think the Defcon organization itself necessarily employs them.
the current way to most effectively get around DDoS seems to be using a proof-of-work based frontend run on as many revolving reverse proxies around the world as you can afford. this is what kiwifarms does. seems pretty effective and a lot cheaper than what the people bankrolling the attacks on them are spending.
I don’t think it’s that bold of a claim. Organizers ask attendees to spend a lot of money to attend, buy lodging and everything else, not to mention pay a lot to organize and it takes a lot of time and effort to line up all the required facilities. I’ve been part of organizing at least a few big events and if we had a late stage hard cancellation, there probably would’ve been lawsuits.
I mean, they've been running this event, which has topped 20k attendees, for something like 30 years. So one entity with the relevant experience is... them?
In 20+ years of attending events regularly I have never heard of a venue change on relatively short notice. In fact to the degree some conference moves from, say, SF to Vegas, they usually announce that at the previous year's conference.
There's a huge difference even at this scale. Seven months was apparently long enough for them to make arrangements to hold it at another venue nearby (I'm sure rearranging it is/will be a lot of hard work, but they're doing it); would seven weeks have been?
Sort of a weird story. I have never heard of a convention venue randomly canceling a conference with less than a year to go and I was very involved with events at one point. Obviously lots of atypical stuff happened during COVID but I've literally never seen something along these lines as it supposedly went down. Barring some anomalous event, conference venues don't suddenly decide some event just isn't a good deal for them.
Count me out. LVCC is even less cool than Caesars and it's a mile from the strip. Its only selling point is the Loop.[0] In the past, it was convenient to book at Caesars, or nearby at the Bellagio or Venetian-Palazzo.
In 2021 I paid in cash, showed my physical ID and vax card, and was on my way with my badge. Nothing about the exchange was recorded. They take privacy incredibly seriously, especially the goons working registration. There was also basically no COVID that year, despite DEF CON happening right during the Delta outbreak. A big nursing conference the week before got hit hard with Delta, but DEF CON took that shit seriously, and it worked well.
Pretty sure there was no vax check in 2022 and 2023, and I do know some people who got COVID in those years, but people who took decent precautions were generally able to dodge it.
That was only for a single event. DEFCON no longer requires proof of vaccination or ID.
And as the other commenter said, the information wasn't recorded.
Also, the majority of DEFCON attendees no longer care about being anonymous. It's not this secret underground thing. Many employers pay for their security staff to go to DEFCON. For a few years now, you can even pre-pay for your ticket online with a credit card which makes getting reimbursed for your ticket a fuckton easier. Also means you don't have to carry $500 in cash.
This kind of comment on HN is always fascinating. Is it just simple trolling? Is it cosplay? Is it someone new (or old) to “hacking” sincerely trying to “no true scotsman” attending def con?
I have to say as a European the choice of location has always puzzled me. Corporate interests basically run las vegas, I find it a really odd choice for such a free-thinking anti-establishment community.
DEFCON needs a HUGE convention space. The size alone rules out the majority of possible locations.
Then comes the cost. August in Las Vegas is off-peak season which helps keep the cost down. Anywhere in Silicon Valley (or really anywhere in California) would be insanely expensive.
There's also convenience of travel. Las Vegas is such a huge tourist city that it makes getting flights there cheap and easy no matter where in the world you're coming from. My first time going to DEFCON was in 2017 and my flight from Portland OR was only a hair over $200.
DEF CON started as a bunch of teenagers running away from home to get ridiculously drunk and trash some place, and it hasn't changed much. Vegas was the perfect choice. It was a party. Getting to smash up an obscene capitalist hellhole was a key perk, and still is to this day.
Ahh I see. This way it makes a lot more sense, thanks for the explanation :)
I go to a lot of European hacker parties/camps and I can certainly recognise the mindset you mention (and I identify with that mindset as well even though I work in a corporate job). For this reason Las Vegas made no sense to me but in light of your comment it does now.
And yeah getting ridiculously drunk is definitely part of the experience :D
>And yeah getting ridiculously drunk is definitely part of the experience :D
Since we are talking about stuff that we don't think should be associated with hacking, this is my own pet peeve. What does "getting drunk" have to do with hacking? And why is it always "absolutely smashed" or "ridiculously drunk"? I get that most hacker types are shy introverts and a couple drinks make things more fun and socially fluid, but why does it need to go to hangover(s)?
This is the primary reason which keeps me away from many "hacking camps"; they are cool for a couple hours, but as the sun goes down things just get sketchy and boring when I have to take care of a bunch of drunk strangers.
I don't drink alcohol and I've been to every DEF CON for the past 22 years and had a blast at every one. Some people are into that sort of thing, and that's fine. Some people like cocaine and strippers. Some people like dressing up in giant fur suits. The important thing is that whatever you're into, you'll find countless incredibly intelligent and thoughtful peers to hang out with, and talk about weird hacker shit.