So the new venue seems to have been a bit of a mixed bag, what with the whole "we're going to search the rooms of everyone who used the DEF CON discount" thing. Speaking as an attendee, I'll probably never be best friends forever with a rich hotel chain, but I think it _would_ be nice if our community and the hotels could have a sort of mutual understanding, instead of uneasy borderline hostility. Any vendor onboarding has growing pains, so for once I've decided to be hopeful that it can actually be fixed, instead of just being cynical.
The DEF CON staff have a much greater capability to get in contact with Vegas businesses than I do though, and would probably be more polite about it. I figured that if I'm not alone in this line of thinking, by sharing these thoughts with the broader community, maybe someone with more official reach and business acumen will pick it up and try to communicate it to the appropriate parties in a way that they'll understand. It seemed like a good idea at the time, anyways.
Hotel management need to understand that the practice of DEF CON room searches is worse than malicious: it's stupid. They not only fail to protect the businesses, they in fact expose the business to increased financial risk. These policies aren't a mere inconvenience to attendees, they're bad for everyone involved.
Here are the reasons why hotels should be motivated to end these bullshit room search policies:
Reason #1: they fail to improve hotels' security posture.
There are two kinds of staff conducting the room checks. Neither have any clue what the hell they're even supposed to be looking for.
The first kind of staff recognize management's FUD for what it is. They understand that there's no way they can actually tell who is hacking the hotel and who is just hacking, and will look around for 5 seconds before leaving, regardless of what you're doing. A lot of people have posted photos of all the h4x0r equipment they had set up while hotel staff were in, which staff apparently didn't have a problem with. Those attendees were dealing with this kind of staff.
The second kind of staff are the mall cop rejects who think they're actually helping. These are the staff who will confiscate your breadboards, who think they've walked in on a criminal endeavor when they walk in and see an SDR on the table.
It's not a secret that we have hacking equipment. It's a hacking convention. Forget the haystack, spotting criminals by looking for hacking equipment is like trying to find a needle _in a pile of fucking needles_.
And in all likelihood, the needle they're looking for isn't even _in_ the pile. If I was going to hack a hotel, I'd sit with a directional antenna at a different hotel, that doesn't search my shit. I wouldn't do it during the weekend of peak hacker alertness, to the same hotel I'm giving my personal and financial information, and literally warning that I'm a hacker by way of using the hacker discount.
Reason #2: in fact, they make hotels' security posture actively worse.
If attendees feel they're being hosted by companies who don't respect us, who insult us by invading our privacy and confiscating our equipment, who resent us, then any concern for the companies' well-being goes out the window, and the effects of this will be seen in the form of shenanigans. Hotels that have a hostile relationship with hackers foster shenanigans that are intentionally and maliciously disruptive. Room searches don't merely fail to help, they paint a target on your back.
Reason #3: things don't have to be this way.
It's just a reality of dealing with hackers that shenanigans are inevitably going to happen. Hotels may not be able to stop any and all shenanigans, but they _can_ affect the spirit in which shenanigans are carried out. If attendees feel they're being hosted by companies that understand what they're getting into and are willing to work with us, they'll get fewer disruptive shenanigans, and maybe even some free disclosures. There is a way for hotels to improve their security posture during DEF CON. And that is to have an understanding with the DEF CON community. If they can be a good sport about some shenanigans - if they don't go out of their way to fuck with our privacy - if they don't confiscate our shit when we've done nothing wrong - not only will we have a better time, so will their bottom line.