
Doubtful, I'm sure it's related to the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully). The juice just ain't worth the squeeze. They have a business to run, and the risk of having a bunch of drunken and high hackers who happen to be the best in the world running amuck is not their idea of a good corporate event.



Caesar's apparently explicitly said it wasn't related to anything the community did. It's possible that they're lying for some reason, but it's also possible that they're telling the truth.

> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.

https://www.reddit.com/r/Defcon/comments/1aj6ixn/def_con_was...


> for some reason

To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms. Just say nothing, part amicably, everyone moves on without drama.

With that said, they probably weren't lying. Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.


> To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms.

This is how it works for at-will employment, but it would be a very weird contract that allows backing out only if you don't say why you're backing out.


Let's say Caesars states, "we just got hacked and, as has been reported in every major newspaper, paid $10 million as ransom. We have reason to believe one or more attendees of DEF CON were part of that group."

How does making this statement benefit Caesars in any way? Now DEF CON can demand some proof of this claim, or sue for defamation, or state that without proof, Caesars isn't acting in good faith, whatever.


I mean, attendees of DEFCON can hack Caesars even if someone else owns the projectors used for the Powerpoint presentations.


Yes, most likely. That's why it would make zero sense for Caesars to state anything publicly that would antagonize members of the community. Saying nothing (or even praising DEF CON, and claiming it was a "change in strategy") is the smarter route.


> Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.

Most Def Con visitors would be white hats, so that would be a bit disingenuous. I would expect most attendees to behave (reporting issues after finding one).

Especially considering they just got hacked, a few pentests would be good for their business.


You say that like a person informed enough to know what a white hat is lol. Let's be real here, even the ethical hacker bunch can look VERY wonky and rowdy to an outsider, especially if you are as far removed as the hospitality industry. The only time they had to deal with hackers in the recent past was decidedly painful for them.


If they hadn't hosted Def Con for the last 20 years I'd agree, but this community certainly isn't new to them.


Being ambivalent towards a group that fills up your hotel but is otherwise alien to you may be a little less polarizing than just having been forced to shell out $100M to a similar-sounding demographic.


Def Con has 30,000 attendees. And maybe 99% of them aren't assholes.

But in such a large group, there's always going to be some people who'll decide to muck around with their hotel room's locks or something like that.


Primarily, it's about public image. It would look idiotic to host this group, regardless of intention. And it's about insurance -- logical or not, their insurer probably insisted they quit inviting DEF CON and associating, in any capacity, with self-identified hackers.


Dunno if it has anything to do with it but they did get haxx0red last year at the same time as MGM, except Caesars paid up and MGM didn't. Hotel room cards, casino play cards, etc were down for ten days at a bunch of the MGM-owned properties (a.k.a. the half of the Strip not owned by Caesars) https://en.wikipedia.org/wiki/MGM_Resorts_International#Las_...

https://www.bloomberg.com/news/articles/2023-09-13/caesars-e...

https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-c...


Seems mildly plausible for a connection.

About a month after the conference would be enough time to discredit an obvious connection to the conference, while still making use of security breaches that might have been found during the conference. Most security experts know you have to abandon security hopes if you give the hardware to the user with direct access. And with a conference of DEF CON's size, you only need 1% malicious actors for 300 tragedy of the commons results.

MGM's not that far away on the strip for somebody to find a security exploit, and then start checking every nearby casino to see if it works at those casinos. Found a $1 million exploit? Might walk a few blocks to see if it can turn into a $10 million exploit. Non-negligible risk from a casino perspective.

Average casino-win per customer is usually ~$100/admission. [1] Three days [2] gambling for 30,000 = 9,000,000. Hotel stay revenue helps, yet it's usually only 25% of revenue per guest. [3] Casino visitation and attendance has also rebounded significantly in the last few years. [4]

So, higher than normal costs per attendee, attendees who believe they all spend less than normal conference participants, anecdotal stories of repeated high cost issues each year to resolve (ex: concrete poured in sinks on purpose, rooms broken into, satellite dishes stolen), increasing attendance numbers in Vegas, and a multi-$10 million slap a month afterward based on social engineering.

[1] https://www.americangaming.org/wp-content/uploads/2021/02/CG...

[2] https://forum.defcon.org/node/248358

[3] https://www.playusa.com/las-vegas-casino-hotel-revenue-numbe...

[4] https://gaming.library.unlv.edu/reports/national_monthly.pdf



There are actually very few people with pentesting skills at Defcon stronger than running burp suite, and fewer still of those that are blackhats. Those with skill can do very well for themselves legally, and know better than to risk their careers getting caught messing with casino systems.

In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.

My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.


Not sure I agree with the idea there are very few world class hackers there. I've watched a few of the capture the flags and almost immediately they went over my head and I felt inadequate. lol.


The people you see on stage and competing in the CTFs are like 0.1% of the attendees.


I'd argue that the CTF competitors are a minority in attendance (but that doesn't mean they are none at DEFCON).


> the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully)

If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.

And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.


You're getting flamed by accounts below but they're largely wrong.

Most casinos rent their gaming equipment from IGT, who directly manage most of these systems. IGT also has a fairly robust security team; I worked with them back when I was still a PM in the space.

Organizations like Caesar's aren't the greatest security wise, but that's largely because they have low margins because they are primarily property holding companies that are operating Casino/Gaming that they rent out from vendors like IGT.

This has been changing after MGM, but I don't think I can discuss it deeply.


Last year was pretty bad for digital security in Vegas


> I'd expect security (including digital security) to be literally top notch

I know why you'd expect that; regardless, you'd be very wrong.


Which private sector businesses would you say have top notch security?


Ummm, they did get hacked and held for ransom (paid millions) and lost untold millions more in revenue just recently.


Wouldn’t you think that canceling and angering that community would be an even worse idea then?



