If you're heading off to the Black Hat and DEF CON security conferences in Las Vegas, USA, this week, be prepared to have your hotel room searched if - for any reason - you shoo maid service away and stop staff from cleaning your room.
Most hotels in the city enforce mandatory checks within their rooms following the October 1, 2017 mass shooting from the Mandalay Bay hotel, now the home of the Black Hat conference. A murderer, whose name isn't worth recording, killed 58 people and wounded 422 after hauling an arsenal of weapons into his hotel room, and raining bullets on a music festival crowd below.
In the aftermath, the Las Vegas police and hotel chains became more security-minded, enacting policies that took hackers and infosec professionals visiting Sin City by surprise. These policies included mandatory searches of rooms for guns and suchlike, and zero tolerance for any kind of talk of threats against people.
As such, last year, a jokey tweet about attacking tourists got one senior Googler temporarily banned from Caesars; by attack, he meant a cyber-attack, not a physical one, and he was speaking hypothetically. Meanwhile, other folks were shocked when, without warning, hotel security barged into and rifled through their rooms to check for firearms, weapons, and illicit gear.
Women were particularly concerned: one infosec expert was naked in the bathroom when security guards forced their way in. During these searches, the staffers were not carrying anything like proper identification, and so guests feared they were about to be seriously assaulted by these mystery intruders. More than a few have decided to stay away from the conferences this year, or at least move to accommodations off the strip.
The events colored DEF CON so much that the event's head of security offered his resignation, though he was buoyed by a huge wave of support from attendees and so stayed on in his volunteer role. You would hope the hotels would be a little bit clearer about their policies of room searches this year. Sadly, that hasn't been the case for everyone.
We contacted the two big hotel chains that control many strip hotels: MGM and Caesars. MGM flat-out refused to comment, saying it doesn't discuss security procedures. Caesars, possibly mindful of last year's kerfuffle, was more forthcoming.
"In an effort to ensure the safety of our guests and employees, certain hotel team members may periodically enter guest rooms to perform standard wellness checks, if – and only if – a room has not otherwise been serviced or accessed by a team member for an extended period," a spokesperson told The Register.
"In other words, even if a team member accesses your room, by opting out of housekeeping services or posting a room occupied sign on the door, for example, team members may still periodically enter the room. This policy applies to all guest rooms and is intended to help us ensure guests and employees are safe."
Other hotels contacted by The Register had similar policies or refused to say one way or the other. The venue for BSides, the Tuscany, will be searching rooms, we're told. We did find an off-strip Motel 6 which said it wouldn't be checking unless a complaint was made but, let's face it: who really wants to stay in a Motel 6?
Dark Tangent's advice
Naturally the DEF CON organizers were more than a little concerned about last year's problems.
According to conference founder Dark Tangent, aka Jeff Moss, all the hotels involved in the event promised to write up an official set of guidelines in time for this year's hacker summer camp and, in the case of Caesars, this appears to have happened – albeit at the last minute.
In a forum posting late last week, Moss said hotel security would not carry out room checks; instead, that will be left to housekeeping. A staffer of the same gender can be requested by guests to carry out the inspection, and the hotel said it will be doing visual searches only.
Then again, they said that last year, and hackers who claim to have rigged cameras in their rooms say that wasn't true and that staff had rummaged through drawers and belongings. The Reg did not see any of this claimed footage, however.
Certain items deemed a fire hazard have been banned from rooms, such as hot pots, soldering irons, rice cookers, and camp stoves. If found, they will be confiscated and stored before being handed back to guests when they leave.
Quite a few guests bring firearms for the ever-popular DEF CON Shoot, an event out in the desert where attendees fire off everything from handguns to small artillery. Coordinator Deviant Ollam said that guns are (understandably) not allowed in rooms but can be checked into hotel secure storage so long as they are in their proper cases, although space is limited.
Also, be advised that both the police and hotels seem to be keeping a close eye on social media during the show. So no "joke" tweets about violence or hacking please, or you may well find yourself in hot water. ®