I just returned from what is euphemistically called Hacker Summer Camp. Three popular conferences all take place within a two-week period each summer in Las Vegas: BlackHat, BSidesLasVegas, and DefCon. This year, I was speaking at BlackHat which was hosted at Mandalay Bay, and DefCon was down the street at Caesar’s Palace. It was a balmy 110 degrees, so I wasn’t eager to be hiking around Las Vegas between events, so I stuck around BlackHat for the most part, and in my spare time found an artist to give me my first tattoo.
It was a very busy few days for me with meetings, events, speaking, and reminiscing with old friends. I enjoyed the overall event as it was energetic with intriguing speakers and active and engaged attendees. Of course, we were also treated to a variety of conference participants who take the opportunity to dress up in kilts, costumes, animal outfits, or even as their favorite superhero. In many ways, this summer event has morphed into a cross between a stuffy technical conference and ComicCon.
Viva Las Vegas?
I must admit an acquired distaste for Las Vegas conferences. I have been to dozens of them in Las Vegas over my career, and the bloom has long withered on the rose stem. The cacophony of slot machines, hordes of sunburned tourists, and walkways jammed with inebriated partiers are all I really perceive anymore. In fairness to the Chamber of Commerce, I am not a gambler, I’ve eaten at most of the restaurants, and the 24-hour-a-day party atmosphere is no longer my scene if it ever was.
This year, two very different security cultures clashed in vivid color. In the wake of the sniper shooting from Mandalay Bay last year, Las Vegas resorts and hotels have been implementing new security procedures to prevent a repeat catastrophe. One of the new security protocols is to send staff members to rooms where guests decline daily room services. The security personnel would visit these room, knock, and proved to be aggressive in ensuring the room was inspected for potentially lethal contents brought in by guests. The “hacker” community made a perfect target for these new procedures given their all-hours activities, and boxes and cases of electronic equipment. It doesn’t take much foresight to see this wouldn’t end well.
Security Encounters of the Wrong Kind
Several of our colleagues were understandably shaken up by the aggressive enforcement of room checks, and there were several reports of (hopefully) hotel security staffers walking in on people who were asleep or in various stages of undress. The led many to complain and file grievances with hotel management. Conference organizers were thrown into the middle, and many attendees are demanding a new venue for these large conferences held there each summer.
On top of this mash-up of physical security personnel vs cybersecurity personnel, some attendees proudly adopted that troublesome moniker of ‘hacker’, and enjoyed labeling themselves as such to warn innocent tourists and holidaymakers to not use WiFi or ATMs in the hotel and environs because of their nefarious skills. That was not a smart move to promote our profession or our activities. This attitude also sparked more detailed scrutiny from hotel security as attendees were ejected from the hotel for possession of lockpicking tools and making vague references to ‘attacks’ and ‘victims’ on social media.
As we enter a new era of new and evolving threats, it makes sense to carefully evaluate your role in developing and enforcing new security policies. It is also a good time to reevaluate how you present yourself and our security profession. Our goal must be to equip the humans we support to become more effective safeguards for their own safety. Whatever you do, please don’t make it worse.