Hotel security thugs at DEFCON tried to burst into your room and photograph your things? You aren't alone. It's happened to lots of DEFCON attendees and it's absolutely terrifying for some of them.

It's worth stating that nobody in the infosec space objects to enhanced security operations in the wake of the Vegas hotel shooting. With so many members of our community attending DEFCON and Black Hat, we absolutely want our peers to be safe; we support the work of the security services to this end.


But what is very clear is that Vegas hotel security has been incredibly invasive, unprofessional and heavy-handed during the conference. They seem to forget that they are dealing with other security professionals, ones who would understand if you explained it to them, but also ones who are deeply distrustful of unverified security personnel entering their rooms and searching their belongings without permission.

Image: notice, courtesy of @kurtopsahl.

In case you had not already heard, hotel security in a number of official DEFCON hotels has been rudely invading the privacy of the attendees.


Yes, that's right: unverified members of hotel security at a number of hotels are forcing themselves into attendees' rooms. It doesn't matter if you have had maid service that day or not; they are coming in anyway, with or without your permission.


Our intrepid on-the-spot reporter the @HoodlessHacker managed to get some footage of the hotel goons making their way into an innocent hacker's room; a cleaning lady looks on in disgust at the total invasion of privacy.

Hotel security are also confiscating attendees' lock picks, although we can kind of see why they would do that. The sight of a hacker with lock picks in your five star hotel must scare the bejeesus out of any security guard. But still, lock picks are part of hacker culture and organizers are trying to get them back for you.


It's not just confiscating items that they can see in rooms. There are reports of hotel security going through attendees' personal belongings too; they have very clearly been searching through suitcases, an unacceptable violation of their guests' privacy.


But ignoring the confiscations of lock picks (and for some reason soldering irons), what the hell is hotel security playing at? This is a very poorly thought out security operation whichever way you look at it and they are ignoring advice on how best to deal with hackers from some of the most prominent members of our community. They are even threatening attendees with permanent banning from the hotel if they talk about these incidents publicly.


Some attendees have resorted to writing privacy notices on their doors, and it seems to be working as far as we can tell from different reports, but we have been told that a lot of these have been torn off doors by security or strangers. It's not an effective strategy.


Others have been hacking (of course they have, it's DEFCON) the hotel's system for validating which rooms have been checked by hotel security. But this is not advisable and would provoke a direct confrontation with hotel security if you are caught.


I think what is upsetting the attendees the most is that their concerns are being dismissed. What is particularly disturbing is that many attendees are women staying in rooms on their own; these random security checks are absolutely terrifying for them and there have been reports of strangers posing as security guards trying to gain entry into rooms. What is happening is wrong.


What kind of world do we live in where this is acceptable? Surely hotel security realize that they are providing cover to any creep who wants to enter your room without permission? The hotels need to put a stop to this immediately until they have properly thought out their operational procedures and are able to carry proper identification.


The hotels engaged in these security operations have clearly failed in their approach. They failed to provide their security officers with proper identification and failed to instruct them on how to go about their business in a professional way. They are also failing to validate their security personnel when guests call reception.


Caesars gave a statement about these intrusions, one that claims their staff were easily identifiable and that their staff did not search personal belongings. We know that both of these claims are false from our own eyewitness reports. We hate it that they do not think they did anything wrong and we hate it that they have been threatening DEFCON attendees with bans for talking about these incidents.


The problem with this, though, is the Fourth Amendment. It fully applies to hotel rooms and states that "The right to privacy must be accorded with equal vigor both to transient hotel guests and to occupants of private, permanent dwellings". To further compound matters, the courts have previously found in favor of guests when their privacy was unnecessarily invaded by hotel staff. With more than one attendee submitting a formal complaint, it is fair to say that a large number of DEFCON attendees have the legal standing to take further action.


UPDATE

Nobody is happy about these security incidents at DEFCON. It was a clear violation of absolutely everyone's privacy and furthermore we believe that it was unlawful. Members of the infosec space are beginning to take a stand, and they are right to do so.


We have enough people on the ground at DEFCON to know this threat was very real. We have spoken to lots of people and they all tell us the same thing: men forced their way into rooms and were unable to verify their identity in a satisfactory manner, neither when reception was called nor with a credible ID. This failure in operational security by the hotel security staff provides cover for criminals to take advantage of.


He is absolutely right and we already know that strangers have been taking advantage of this cover; there have been incidents. We also know that hotel security has been rummaging through luggage on multiple occasions. There are just too many stories and too much evidence.

Because hotel staff have been repeatedly threatening DEFCON attendees with lifetime bans from most of the hotels in Vegas, people aren't tweeting about their experiences. They want to go to DEFCON next year too.

This is why infosec has its champions, those members of our community with too high a profile to shut up, shut down or keep quiet. We tip our hat to Mr Street and Miss Moussouris. They are fighting for anyone affected by these incidents and anyone who will be attending DEFCON next year, and they deserve our support.


If Vegas thinks that this is all over, that they taught the hackers a lesson and that they can hush it all up, they are sorely mistaken. Wrongs must be righted, operational security must be improved upon and the infosec space is going to treat this as a teachable moment. The infosec space is a beast and she has been poked.


UPDATE

Marc Rogers, Head of SecOps for DEFCON, has offered to resign over these incidents in an open letter to the hacker community. As the DEFCON head of operational security he is taking responsibility for the hotel security incidents.



We do not think that any of this is Marc's fault. He just didn't know about it and he had the job of keeping DEFCON attendees safe. Falling on his sword is an honorable act, but we need Marc more now than ever and we all make mistakes sometimes.


Tay is right, this is all on Caesars. We rightly expected better training, better processes, better identification and a lot more professionalism from Vegas hotel security. You know damn well that these hotels have everything in tight order when it comes to their own cybersecurity and the security covering their gambling floors, we expect the same standards when it comes to the security of their guests.


It's clear that this will be the last DEFCON for some attendees. Those with children and families sleeping in their rooms while they network, and lone female attendees, are rightly outraged. They no longer feel safe in Vegas while attending DEFCON.


If you are at DEF CON and feel unsafe because of this activity, please reach out to the DEF CON staff immediately for support. You can reach DEF CON staff during normal hours of operation (8am to 4am) by calling +1 (725) 867-7255. Trained community volunteers are standing by to support any attendees. You can also go to any Info Booth or talk to any SOC Goon, but sometimes you may not want to be walking around in person with a problem, so try the number first.

Stay safe at DEF CON and take care of each other.

THIS STORY WILL BE REGULARLY UPDATED AS WE GET MORE INFO.

Main Image Credit : The awesome piece of artwork used to head this article is called 'Defcon Chestburster' and it was created by graphic designer Matt Cantrell.