Vegas - Where Thugs Come Into Your Room And Search Your Stuff
Hotel security thugs at DEFCON tried to burst into your room and photograph your things? You aren't alone, it's happened to lots of DEFCON attendees and it's absolutely terrifying for some of them.
It's worth stating that nobody in the infosec space objects to enhanced security operations in the wake of the Vegas hotel shooting. With so many members of our community attending DEFCON and Black Hat, we absolutely want our peers to be safe; we support the work of the security services to this end.
We expect a venue where our attendees are secure in their persons and effects, and a security policy that is codified, predictable and verifiable. Thank you for your patience while we work this out.
— DEF CON preparing for DEF CON 27 (@defcon) August 13, 2018
But what is very clear is that Vegas hotel security has been incredibly invasive, unprofessional and heavy-handed during the conference. They seem to forget that they are dealing with other security professionals, ones who would understand if you explained it to them, but also ones who are deeply distrustful of unverified security personnel entering their rooms and searching their belongings without permission.
Image courtesy of @kurtopsahl.
In case you had not already heard, hotel security in a number of official DEFCON hotels has been rudely invading the privacy of the attendees.
Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I'm on speaker phone with hotel security, asking for a supervisor to come verify. I'm terrified. What the hell is this @CaesarsPalace #DEFCON
— Katie Moussouris (@k8em0) August 11, 2018
Yes, that's right: unverified members of hotel security at a number of hotels are forcing themselves into attendees' rooms. It doesn't matter if you have had maid service that day or not, they are coming in anyway, with or without your permission.
Retweeting this so everyone in Vegas for BlackHat/DefCon know that security will probably enter your hotel room - whether you're in it or not - if you declined maid service. https://t.co/e8s7yYGTPc
— Kim Zetter (@KimZetter) August 10, 2018
Security is entering rooms without consent at Linq. Make sure y'all are being safe and making sure it's really "hotel security". #DEFCON26
— Captain Wonderland @ DEFCON (@saintmayhem) August 11, 2018
Our intrepid on-the-spot reporter the @HoodlessHacker managed to get some footage of the hotel goons making their way into an innocent hacker's room; a cleaning lady looks on in disgust at the total invasion of privacy.
Hotel security are also confiscating attendees' lock picks, although we can kind of see why they would do that. The sight of a hacker with lock picks in your five star hotel must scare the bejeesus out of any security guard. But still, lock picks are part of hacker culture and organizers are trying to get them back for you.
Hey @defcon if you have had lockpicks confiscated at #defcon26 by hotel security please reach out to me.
— Steve Ragan (@SteveD3) August 11, 2018
It's not just confiscating items that they can see in rooms. There are reports of hotel security going through attendees' personal belongings too; they have very clearly been searching through suitcases, an unacceptable violation of their guests' privacy.
For anyone at #Defcon concerned with hotel security goons going through Pelican cases in your room, I recommend getting Abloy PL321 padlocks. they fit and are pick proof. If they cut shackle, you'll know someone was in your gear. zip ties work as well but pain to keep replacing
— Squelchtone (@Squelchtone) August 12, 2018
Hey, I've had problems the last 2 days, leave for a quick breakfast and come back to my room that was "cleaned" by housekeeping. My "do not disturb" sign is on the door. And, someone took the watch key out of my watch and left it on the counter....
— Brent White @ DEF CON (@brentwdesign) August 12, 2018
Total invasion of privacy. pic.twitter.com/O5Z1LNVA3j
But ignoring the confiscations of lock picks (and for some reason soldering irons), what the hell is hotel security playing at? This is a very poorly thought out security operation whichever way you look at it and they are ignoring advice on how best to deal with hackers from some of the most prominent members of our community. They are even threatening attendees with permanent banning from the hotel if they talk about these incidents publicly.
If you're attending Defcon be EXTREMELY careful about your Tweets. @CaesarsPalace will ban you over anything perceived to be a threat. They will take ZERO context into account. Matt is a ridiculously nice guy, if it can happen to him it can happen to you! https://t.co/HYqobB5LNP
— mandatory/Matthew Bryant (@IAmMandatory) August 10, 2018
Some attendees have resorted to writing privacy notices on their doors, and as far as we can tell from different reports it seems to be working, but we have been told that a lot of these have been torn off doors by security or strangers. It's not an effective strategy.
For those trying to figure out how to avoid the hotel room (in)security checks, I’ve used this setup and so far no intrusions in two days. pic.twitter.com/oVaucxajGK
— Beau Woods (@beauwoods) August 11, 2018
Others have been hacking (of course they have, it's DEFCON) the hotel's system for validating which rooms have been checked by hotel security. But this is not advisable and would provoke a direct confrontation with hotel security if you are caught.
Thanks to some volunteers we pwned Caesars room inspection bullshit at @defcon. If you don't want your room searched pick up your hotel room phone and dial extension 1864, you should get a dialtone, dial *421. This will mark your room as already having maid service for the day.
— Lucky225🍀✸ (@lucky225) August 12, 2018
I think what is upsetting the attendees the most is that their concerns are being dismissed. What is particularly disturbing is that many attendees are women staying in rooms on their own; these random security checks are absolutely terrifying for them and there have been reports of strangers posing as security guards trying to gain entry into rooms. What is happening is wrong.
Please beware we have at least one instance of strangers entering rooms in @CaesarsPalace without legit issued keys. Please spread the word and call hotel security if it happens to you. @defcon please RT
— Heather Adkins (@argvee) August 12, 2018
What kind of world do we live in where this is acceptable? Surely hotel security realize that they are providing cover to any creep who wants to enter your room without permission? The hotels need to put a stop to this immediately until they have properly thought out their operational procedures and are able to carry proper identification.
To clarify, Caesars has said this was not 1 of their security personnel nor one of their “security/wellness checks”. They are still investigating whether it was an employee or someone else wearing clothes similar to the maintenance uniform. https://t.co/jgrdeoLJCU
— Maddie Stone @ BH/DC (@maddiestone) August 12, 2018
The hotels engaged in these security operations have clearly failed in their approach: they failed to provide their security officers with proper identification and failed to instruct them on how to go about their business in a professional way. They are also failing to validate their security personnel when guests call reception.
I don't mind hotel security checking up (had to call them myself at the @MandalayBay this week due to a problem with another guest). I *do* mind them not being able to validate they are who they say they are. #BHUSA #DEFCON https://t.co/mxWRbLM7HC
— Tío Kyle (@kylemaxwell) August 11, 2018
Caesars gave a statement about these intrusions, one that claims their staff were easily identifiable and that their staff did not search personal belongings. We know that both of these claims are false from our own eyewitness reports. We hate it that they do not think they did anything wrong and we hate it that they have been threatening DEFCON attendees with bans for talking about these incidents.
A whole lot of @defcon participants staying at Caesar's, where the con is held, have complained that hotel staff entered their rooms without permission (hackers tend to be a paranoid people, and protective of their stuff). Here's the hotel's statement. https://t.co/5kBnDHkFHp pic.twitter.com/2uwDknthQO
— Kevin Collier (@kevincollier) August 12, 2018
The problem with this, though, is the Fourth Amendment: it fully applies to hotel rooms and states that "The right to privacy must be accorded with equal vigor both to transient hotel guests and to occupants of private, permanent dwellings". To further compound matters, the courts have previously found in favor of guests when their privacy was unnecessarily invaded by hotel staff. With more than one attendee submitting a formal complaint, it is fair to say that a large number of DEFCON attendees have the legal standing to take further action.
It’s also worth noting that the Fourth Amendment fully applies to a hotel room. “The right to privacy must be accorded with equal vigor both to transient hotel guests and to occupants of private, permanent dwellings." pic.twitter.com/K4NxKI7ign
— Kurt Opsahl (@kurtopsahl) August 12, 2018
UPDATE
Nobody is happy about these security incidents at DEFCON. It was a clear violation of absolutely everyone's privacy and, furthermore, we believe that it was unlawful. Members of the infosec space are beginning to take a stand, and they are right to do so.
As @k8emo eloquently explains, privacy is very important, but it’s not my #1 concern as a woman traveling solo: protecting myself from violence is. Mutually understood and respected privacy, processes, and records, help me protect myself from violence. https://t.co/d7fULDY4sx
— Maddie Stone (@maddiestone) August 14, 2018
We have enough people on the ground at DEFCON to know this threat was very real. We have spoken to lots of people and they all tell us the same thing: men forced their way into rooms and were unable to verify their identity in a satisfactory manner, neither when reception was called nor with a credible ID. This failure in operational security by the hotel security staff provides cover for criminals to take advantage of.
The inevitable outcome of Vegas hotels like @CaesarsPalace ignoring the need to authenticate security staff is simple: Someone will be assaulted by an impersonator, because it's a simple way to abuse authority that has no ability to be verified.
— Carmen Crincoli (@CarmenCrincoli) August 13, 2018
He is absolutely right and we already know that strangers have been taking advantage of this cover; there have been incidents. We also know that hotel security has been rummaging through luggage on multiple occasions; there are just too many stories and too much evidence.
Because hotel staff have been repeatedly threatening DEFCON attendees with lifetime bans from most of the hotels in Vegas, people aren't tweeting about their experiences. They want to go to DEFCON next year too.
This is why infosec has its champions, those members of our community with too high a profile to shut up, shut down or keep quiet. We tip our hat to Mr Street and Miss Moussouris. They are fighting for anyone affected by these incidents and anyone who will be attending DEFCON next year, and they deserve our support.
To @k8em0 @KimZetter and to all the others whose safety was violated in Vegas you are heard & others are raising their voices & like with most movements those who shout the warnings first usually draw the most fire I stand with you all! The policy is broken & puts people at risk!
— 🤗 (((Jayson E. Street))) 🤗 (@jaysonstreet) August 14, 2018
Nope! Nope! Wait a minute..... I found more NOPE! You need to stay the policy that put people at risk needs to GO!!!! This should not be laid at the feet of @defcon this is the poorly implemented plan of Caesars We are Hackers we speak up for others to make things better for all! https://t.co/RSqJwbq9gc
— 🤗 (((Jayson E. Street))) 🤗 (@jaysonstreet) August 14, 2018
If Vegas thinks that this is all over, that they taught the hackers a lesson and that they can hush it all up, they are sorely mistaken. Wrongs must be righted, operational security must be improved upon and the infosec space is going to treat this as a teachable moment. The infosec space is a beast and she has been poked.
Same here. Lots of very large parallels.
— KillrBunn3 (@KillrBunn3) August 14, 2018
UPDATE
Marc Rogers, Head of SecOps for DEFCON, has offered to resign over these incidents in an open letter to the hacker community. As the DEFCON head of operational security he is taking responsibility for the hotel security incidents.
An open letter to the hacker community: https://t.co/AiaASG6KDQ
— Marc Rogers (@marcwrogers) August 13, 2018
We do not think that any of this is Marc's fault, he just didn't know about it and he had the job of keeping DEFCON attendees safe. Falling on his sword is an honorable act, but we need Marc more now than ever and we all make mistakes sometimes.
I believe this was a process failure on Caesars part, and even if you knew the policy, you would have expected strict protocol and training. That’s what I expected. I do not think you should hold yourself responsible. You should not resign. You will be a better advocate than ever
— SwiftOnSecurity (@SwiftOnSecurity) August 14, 2018
Tay is right, this is all on Caesars. We rightly expected better training, better processes, better identification and a lot more professionalism from Vegas hotel security. You know damn well that these hotels have everything in tight order when it comes to their own cybersecurity and the security covering their gambling floors, we expect the same standards when it comes to the security of their guests.
Do not resign. I am not even convinced you owe an apology, but the resignation is wholly unnecessary.
— Ray [Redacted] (@RayRedacted) August 13, 2018
It's clear that this will be the last DEFCON for some attendees. Those with children and families sleeping in their rooms while they network, and lone female attendees, are rightly outraged. They no longer feel safe in Vegas while attending DEFCON.
@defcon Sorry guys but I can't go to any more #defcon 's if the hotel is gonna send random guys to come into my room. I have a wife and a small child who come with me and I can't risk their safety for @CaesarsPalace security theater. Looks like @DerbyCon next year for me.
— Ferizz (@falann_) August 14, 2018
I wasn't even at #defcon and the room intrusions have me spooked.
— Moose (@LitMoose) August 13, 2018
1. As a woman, finding someone uninvited in my room is grounds for extreme alarm.
2. My job is literally to protect people from this garbage.
3. If it was really "security" - wouldn't they check at the door? 1/n
If you are at DEF CON and feel unsafe because of this activity, please reach out to the DEF CON staff immediately for support. You can reach DEF CON staff during normal hours of operation (8am to 4am) by calling +1 (725) 867-7255. Trained community volunteers are standing by to support any attendees. You can also go to any Info Booth or talk to any SOC Goon, but sometimes you may not want to be walking around in person with a problem so try the number first.
Stay safe at DEF CON and take care of each other.
THIS STORY WILL BE REGULARLY UPDATED AS WE GET MORE INFO.
Main Image Credit : The awesome piece of artwork used to head this article is called 'Defcon Chestburster' and it was created by graphic designer Matt Cantrell.