Fear and Ignorance in Las Vegas, how FUD has Directly Impacted DEF CON 32 Attendees

The story so far is that Resorts World Las Vegas sent out a memo from leadership that they were going to be conducting room searches looking for suspicious items which “Hackers” might bring into their rooms while attending The DEF CON “hacking conference”. The list of items was goofy and seemed to be fueled by someone who watched too much Mr. Robot or other TV and Movies. Housekeeping staff were to visually inspect the rooms regardless of any do not disturb signs or status. This eventually led to housekeeping asking to enter an occupied room. When the occupants did not want housekeeping to enter, they (housekeeping) informed security and things escalated very quickly from there including threats to have the guests removed from the hotel and the police called. I am intentionally being vague on some details here as the incident and issue is still being discussed and investigated by the Hilton (the parent company) and DEF CON. Some statements have been made, but nothing that really justifies or explains the actions in any satisfactory way. It was and is a massive breach of privacy and a terrible guest experience. Further it was only targeting guests who reserved rooms as part of the DEF CON block, making it exceptionally targeted.

So, how did we get here? Well, as usual it is a combination of ignorance, and just terrible messaging. Back in the 70s a similar form of ignorance combined with media sensationalism (and Hollywood wanting to cash in) created a massive panic over certain aspects of entertainment. In particular Music and games like Dungeons and Dragons, were seen as gateways to Satan Worship. The NEWS latched onto this and had prominent members of “the church” blather on in what can be best called verbal diarrhea on how these things were corrupting “the children” and leading them away from God. Meanwhile, Hollywood was churning our Horror movies with which seemed to feed this while books on “how I escaped a cult” littered shelves. I vividly remember seeing posters and school flyers on “how to tell if your friends might be influenced by “Satan”” Well, much like the Satanic Panic in the 70s, there is something of a Hacker Panic in modern times, including the “how to tell if your kid might be a hacker” posters. The word “Hacker” is the new “Satan” here.

But what Is a Hacker? This is where things get interesting for me and for most people Hacker most certainly started as a label for … let’s call it less than good behavior. However, over the years this term has changed in the cybersecurity/infosec community. It is, in reality, the equivalent of gearhead. Let me explain; when I was a wee lad, taking apart the radio, vacuum, VCR etc. while certainly a groundable offense, was seen as a sign of intelligence and curiosity. If you could reassemble it, wow!! What a smart kid. As I got older this later led to working on cars, taking them apart and rebuilding them better than they were before (i.e. faster). I know many hackers today that still work on cars or build electronic devices as another hobby. It is this exact same curiosity that they bring to the digital world. Hackers want to know; what makes this work, why does it work this way, can I “take it apart and put it back together”. For the vast majority there is no malicious intent here, it is pure “let’s see what we can do” and often leads to some pretty amazing discoveries. The opposite side of this is that it also often leads to the discovery of problems in products and services that the companies providing these services might not want everyone to know about (which is a whole other article). Are there some people with malicious intent? Oh, good lord yes, but if you talk to the “Hacker” community you might notice that they are, for the most part, not participating in that type of behavior and usually are working against it. This is why terms like Threat Actor, Malicious Actor, Cybercriminal, and even APT are commonly used. They are intended to separate the “Hacker” community from the actual criminals.

Even with these distinctions, the stigma of the word Hacker remains. It is also not helped by many in the hacker community getting a bit of pride out of being misunderstood, and the dismay that some of their pranks bring. However, that is only a very small part of things as they stand.

Now, before anyone says, “What about Black Hat?” I want to point out that Black Hat is perceived as a corporate event like CES. In conversation with many people, it is looked on as busy, but good for the local economy as big companies come out and spend a fuck ton of money during those few days. The attendees also spend money on food, rooms, and even gambling… there is little to no stigma attached while DEF CON is not viewed in the same light at all. Instead, perception changes with the convergence of the community coming into Vegas, the big money is gone and most people coming out are not spending tons of cash at the casinos or gambling (I know that some do gamble, but it is not a terribly big percentage). One person at a hotel said that it was like an extended clean up and was more of a pain in the ass than it was worth, to them. They even went on to talk about all of the “crazy things” they saw people walking around with etc.

So, you have a bunch of people who are overly curious and … let’s face it mischievous in a non-malicious way … at a gathering where they know they are amongst likeminded people yet needing to interact with people who have absolutely no clue about them (except for FUD augmented messaging). The same people who the “Hackers” now have to mingle with have likely heard or read stories of how “Hackers” did X or Y bad thing or maybe even the, hilariously wrong, “How to spot a Hacker” posters all during what they are being told is nothing more than a big party with “Bad Guys”. Even in casual conversation with Uber and Cab drivers they had no idea what DEF CON really was and some were wondering how “criminals” could meet like that so openly (yes I was really asked that). This is like Three’s Company level of misunderstanding and would make for a great sit-com in other circumstances. Instead, someone in authority took that ignorance and instead of actually talking to anyone about it and decided to “Purge the Evil” from their organization. This individual or individuals likely felt they were in the right and were only protecting their organization from harm after the Ceasar’s and MGM breaches. Still, it was a full-on Church Lady type of reaction, and it gave me flashbacks to protests and cancellations of Bands and Gaming conventions during the Satanic Panic and even the Congressional Hearings on music in the 80s.

Is there a fix for this? Sadly, I am not sure that there is. We are talking about overcoming decades of terrible messaging around Hackers. I mean come on, some of the “How to Tell” posters included things like “uses Linux” as an indicator along with other terribly ignorant suggestions to exacerbate an already terrible messaging. Considering there are people who still think Playing D&D or listening to Ozzy is basically worshiping Satan 40+ years later, I am not sure that the Hacker Community will ever really reach full acceptance by the general public. To me this is incredibly sad as the Hacker Community is such an amazingly diverse and open community, I would think people would look at it as an example instead of with the fear and ignorance it gets. For people in the community, I would say please be aware of the fact that most people have no clue what you do, why you do it, or anything about you other than what they have seen and read (which is more likely than not complete crap). To people who are not a part of the community, please take the time to learn about it, Engage (see what I did there?) with people who are attending DEF CON, and get to know more about it. With few exceptions, the only way to find common ground is through communication, so maybe the solution to the challenges starts there and with better understanding on both sides. Fear combined with ignorance is a powerful and dangerous thing. When you learn about something the fear of the unknown starts to fade and while there might never be full acceptance and a kumbaya moment, but at least some of the hostility might fade and the potential for events like the one at Resorts World Las Vegas (and others in previous years) will be less likely.

Before I wrap things up, I do need to say that the Resorts World Las Vegas incident was not indicative of what everyone went through with Hotel Staff. There are many reports of people who had zero issues and who had an excellent experience during their stay. I personally had no conference related issues with the hotel I stayed at and would stay there again in the future. Still, it only takes one incident like what happened at Resorts World Las Vegas, especially after DEF CON was moved on short notice out of Caesar’s to further the already bad perception of the event. The rumors I heard from “normies” about why the con got moved were all very entertaining even if they had no basis in reality and only shows how goofy things can get when it comes to public perception.

I guess this is a long way of saying that People are goofy. It is easy to fear what you do not understand, and that ignorance can and does lead to doing some stupid things. The perception of DEF CON is never going to be stellar (until it goes the way of RSA and Black Hat) and the variety of people who attend and love going are never really going to be understood by the general public. Still there are ways to take the open and accepting nature of the Hacker Community and bring the normies a bit behind the curtain so they lose some of that fear. With time and effort from both sides, things might change for the better.

Anyway, just my .57 cents.