By: Terresa Monroe-Hamilton
We all saw this coming. It’s just a smidge more fascistic than I even imagined. What would you do if you owned a hotel on the Las Vegas Strip after the Vegas shooting to increase security? Why, of course… you’d perform surprise security checks on the most paranoid group that visits there – DEF CON. Caesar’s Palace in their stupidity has allegedly implemented a practice where hotel security, using keys to the rooms there, are doing random security checks where they enter the rooms without knocking and seize items from the rooms. And if Caesar’s Palace is doing it, the rest of the hotels on the Strip won’t be far behind. Any highrise hotel will fall in line. You probably don’t have to worry about Best Westerns or Holiday Inns… yet.
These policies were evidently crafted after last October’s mass shooting spree by Stephen Paddock who fired more than 1,100 rounds from the Mandalay Bay hotel at an outdoor country music festival in October of 2017, killing 58 people and injuring 851. Police never found the motive or solved the case, but closed it anyway. Now, jack-booted thug tactics are being used against hotel guests. I bet Airbnb bookings will increase as people shun the Strip hotels over this. I figured they would install metal detectors, but I never dreamed that security would just burst unannounced into guests’ rooms like this.
If you are not familiar with DEF CON, it is one of the world’s largest hacker conventions, held annually in Las Vegas, Nevada, with the first DEF CON taking place in June 1993. Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be “hacked.” These are not people that you get your fascism on with lightly.
Many of the DEF CON attendees stayed at Caesar’s Palance this year. After this experience, they feel violated, harassed and abused. They took their grievances immediately to Twitter as this was happening. These hotels may be privately or publicly held, but this smacks of an unconstitutional violation of privacy.
Caesars first started rolling out tightened security measures this last February. They mandated room searches when staff had not had access to rooms for over 24 hours. Usually, Caesar’s Palace and other hotels on the strip are very tolerant of the eccentricities of this group. This time, with new policies in place, the staff were not prepared to handle the DEF CON community. Since they didn’t know what to do with some of the things found in their rooms, they simply confiscated them. Soldering irons and other gear were seized, and some attendees reported being intimidated by security staff. Not cool.
Because these searches were done with master keys and no advance warning by knocking, the staff embarrassed and frightened the hell out of attendees. Katie Moussouris, who is a bug bounty and vulnerability disclosure program pioneer at Microsoft, an advocate for security researchers, and now the founder and CEO of Luta Security, was confronted by two male members of hotel security as she returned to her room. When she went into the room to call the desk to verify who they were, they banged on the door and screamed at her to immediately open it. She was terrified.
Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I'm on speaker phone with hotel security, asking for a supervisor to come verify. I'm terrified. What the hell is this @CaesarsPalace #DEFCON
— Katie Moussouris (@k8em0) August 11, 2018
Jason Painter, who is the president of QueerCon, an LGBT hacker conference within DEF CON, reported that members were subjected to searches as well. I feel lawsuits coming on here. They have audio and video recordings of two of Caesar’s security staff photographing and video recording their rooms. The security staff also allegedly told them they were going to share the photos on Snapchat. If that happened, Caesar’s is going to find themselves in massive legalistic hot water.
In yet another instance, a hotel employee entered the room of a woman without knocking. Maddie Stone, who is a malware reverse engineer at Google, later posted that the hotel had informed her that the man who entered was a Caesars maintenance employee who was supposed to be visiting the room next door. “Caesars doesn’t know why he didn’t knock, announce himself, respect DND sign, nor report it to managers after,” she tweeted. Caesars is now engaging in ‘re-education’ on security procedures.
DEF CON has released the following statement on the intrusions: “We understand that attendees want a statement from DEF CON about the Caesars room search policy. We are actively engaged with the hotel, seeking answers and a clear policy document we can share with you. Please know that we hear your concerns and we’ve shared them with Caesar’s. We expect a venue where our attendees are secure in their persons and effects and a security policy that is codified, predictable, and verifiable. Thank you for your patience while we work this out.”
This evening, a man in a light blue collared shirt with a walkie talkie, entered my room with a key without knocking while I was getting dressed. He left when I started screaming. @CaesarsPalace is investigating whether it was a hotel employee. @defcon has also been alerted.
— Maddie Stone (@maddiestone) August 12, 2018
This PR black eye can’t help but hurt Caesar’s Palace. There is a long history of legal precedent surrounding the expectation of privacy in hotel rooms. I would refer Caesar’s legal counsel to the Fourth Amendment on this one. There is a gray area when the search is conducted by a property owner, but I would say it is still unconstitutional. Not to mention the concern for the physical safety of the guests. When you sacrifice privacy for security like this everyone loses. Some of the guests who were treated in such an egregious manner will never attend DEF CON again because of it.
Caesar’s Entertainment has since issued their own statement claiming that the room search policy had been implemented in January and that DEF CON organizers had been briefed on the searches, which “involve only a visual review of the bedroom, bathroom and additional seating area if any.” That was obviously not what happened here. Marc Rogers, a well-known security researcher who leads DEF CON’s security team and initiated the conference’s transparency report on incidents, contradicted this in an open letter he posted to his blog:
If I had received this, in the interest of transparency, I would have informed you all. After all, that’s EXACTLY why I started the DEF CON transparency report. The timing of it looks odd.
I do not support or endorse these room searches or how they are executed. I sympathize with the challenge these hotels are facing but believe they need to take a harder look at the efficiency, impact and long-term cost of this strategy.
We MUST NOT let our hotels become like our airports. If we do, then the terrorists win.
Since then, Rogers has also tendered his resignation from the DEF CON team. I don’t blame him. This should never have happened in this manner and Caesar’s Palace should not only be ashamed, they should be held accountable for it. I guarantee you, other Strip hotels will follow their lead. I’m done with Vegas.
For those trying to figure out how to avoid the hotel room (in)security checks, I’ve used this setup and so far no intrusions in two days. pic.twitter.com/oVaucxajGK
— Beau Woods (@beauwoods) August 11, 2018
Last view of the crime scene that was my invaded hotel room and violated space, courtesy of @CaesarsPalace who still have not told me anything, offered me anything (except to move my room – like that really would prevent their security team screaming at me again). My last #DEFCON pic.twitter.com/OG19Dfx3El
— Katie Moussouris (@k8em0) August 13, 2018