It's to be hoped that the conference organizers vote with their dollars...
... shirley there must be other conference venues that offer just as much fun. I hear Harrogate is nice at this time of year.
Hookers and drugs, or so I've heard.
At midnight on Thursday, Matt Linton, a senior Google bod who was one of the key players in sorting out the Spectre CPU security hole mess, went to his hotel room in Caesars Palace, Las Vegas – and found his key no longer worked. When he went to reception to find out what the problem was, he was met by two security guards who …
"Nowadays the NSA, CIA and defense contractors routinely recruit at the two shows"
I don't think they care about what they do when they allow the NSA, the CIA and defence contractors as _recruiters_. I mean, recruiters by themselves are already not welcome at European conferences, even less so when they come from organisations that have on multiple occasions worked against the population. I mean, what's next, a Mozilla stand?
While somewhat off-colour, anyone with an ounce of security knowledge could see that this was a joke about how hackers attack the dumbest and easiest low-hanging fruit.
But unfortunately there are people out there without an ounce of brains who won't see that this was a joke, and will think the tweet is a call to action. They'll interpret the word "attack" in an unfortunate way, with results ranging from inconvenient to lethal.
In today's hostile online culture there are people tweeting calls for attacks, and the mentally-challenged are reading those tweets and taking them seriously.
I would not criticize the sluggards. They will always be with us. It's the hackers who are at fault for using a word such as "attack" as slang. Really? What did you expect, especially in the United States? One could safely use all manner of words, even "tickle".
Chess is an untapped source for new possible slang words without baggage. Sente, joseki, atari. Oops, wrong game. Combination, pawn storm, checkmate, Zwischenzug, Zugzwang, Sitzfleisch, outpost, passer, board room, isolani, back rank, ... maybe "colour complex" would be risky in some contexts. The chess word stalemate is prodigiously misused because it ends the game, while time and death may loosen an impasse, a deadlock, or a Mexican standoff. Pedant alert: it's "risk-averse", not "risk adverse".
@GrapeBunch - But "attack" isn't slang, it is a general term that can be correctly applied to any harmful or destructive act... even chess players use it. Terms like Zwischenzug are highly specific; hackers have lots of specific terms, too.
How about handing out dictionaries to hotel staff and the police?
'He has either never been to Umm Qasr or he's never been to Southampton. There's no beer, no prostitutes and people are shooting at us. It's more like Portsmouth.'
A British soldier's reaction to a claim by Defence Secretary Geoff Hoon that the port of Umm Qasr is 'like the city of Southampton.'
Harrogate's much the same I take it?
There's something inherent in the Tweet medium that is incompatible with thoughtful discourse. Clearly, it is causing vastly more harm than good. Shut it down already.
At the very least, all governments and corporations should explicitly ban its official use, 100%, no exceptions. Go back to carefully-considered news releases.
Clearly, the world would be better without Twitter.
Anyone disagree? LOL...
"There's something inherent in the Tweet medium that is incompatible with thoughtful discourse. Clearly, it is causing vastly more harm than "
And that's where the idea died, right there - because it was over 140 chars long.
If you want this idea to grow legs and run, you need to rephrase it.
Something like: Tweets incompatible with thoughtful discourse. Gov./Biz. should officially ban and return to news releases. World better without Twitter.
Then the twitterati might actually see it - for once, you do need to preach to the choir converted perverted.
I gave this an upvote, but only as to use by government officials* in a context in which the messages might be construed as statements of public policy. There are plenty of other ways to announce public policies and programs, nearly all of them better.
As a matter of personal liberty, individuals generally are free, and arguably should be, to say what they wish and make asses of themselves in the bargain if they are so inclined. Twitter, which as a private entity can set what standards it wishes and censor content as it pleases, rightly or wrongly has chosen to leave the platform quite open, providing them a very convenient vehicle for that.
Corporations, as private entities generally should be able to behave similarly to natural persons within various legal constraints imposed by such things as securities laws and regulations. Both corporations and individuals, of course, often would be wiser than it sometimes appears they are to suppress the urge to tweet.
* and we all can think of at least one government official who violates this without apparent end.
Can't invasively advertise your loyalty program to your "guests" on every page they visit if you haven't got them fully covered across their social media presence.
And if you just happen to have your security drones monitoring the same feeds, well, that's just efficient.
In all seriousness, Vegas casinos have some of the most comprehensive and sophisticated monitoring and data analysis setups on the planet. The things they can do if they so choose are often terrifying.
"In all seriousness, Vegas casinos have some of the most comprehensive and sophisticated monitoring and data analysis setups on the planet. The things they can do if they so choose are often terrifying."
Which inspired the lyrics 'I am the Eye in the Sky, looking at you, I can read your mind/I can cheat you blind'
THAT is what inspired that song? Wow. In any event, my company did Vegas for the annual one year. Most stressful week of my life. (Worse than basic training.) Almost all retail these days is predatory, but there my defensive warnings just would not turn off.
Not my town. Not my town at all.
I doubt anyone at the hotel was monitoring all the guests' Twitter accounts, but the FBI probably was. Though IMHO, more likely in a conference this size there are a few people who don't like this guy for whatever reason, saw his tweet, and anonymously reported it to the hotel as a threat to cause trouble for him.
Could be anything, maybe he stole the girl someone was talking to in the bar the previous night, professional jealousy at his recent success, or maybe he's just an asshole in person and disliked by many for perfectly understandable reasons.
"I doubt anyone at the hotel was monitoring all the guests' Twitter accounts,"
Want to bet? (phrasing relevant)
I suspect they have a system with filters like "vegas, break bank, cardsharp, cheat, rig, sure thing, caesars palace" that picks out relevant tweets from all of Twitter (you can do this yourself on sites like Twitterfall), flags up relevant tweets, and then checks the name/handle against current and upcoming guests. Wouldn't take much work to add "gun, attack, shoot" etc. to that existing system after the previous shooting.
And how is the hotel going to know your Twitter handle is Justicesays, since I'm assuming that's not your real name? It isn't like most people use their real name on Twitter, or if they do that the hotel would have any way to link their real name to one of the many accounts with the same real name.
Besides, if they searched on "break the bank" they'd probably have dozens of hits a day. Everyone always makes some smart ass comment like that when they post in social media about going to Vegas.
Sorry, there just isn't any way for them to link social media to real life, unless they decided to act like US Immigration and required people to turn over a list of their social media accounts (and passwords, in case their posts threatening to count cards weren't public)
Even if you did want to move black hat where would you send it to?
The obvious choice for maximum privacy and freedom of expression legal protection is Geneva but Switzerland is absurdly expensive, and most of the other countries I can think of are also a member of the 5 eyes B$
The obvious choice for maximum privacy and freedom of expression legal protection is Geneva
In that case I'd prefer to be closer to Bern. Not only is that where the Data Protection people actually have their official office, but it's also so full of retiring diplomats that privacy is a given. And they don't speak French :)
However, it is rather boring...
I'm sure Reno would be happy to take away some of LV's biz.
Having visited Reno once, before my many trips to Vegas, they might as well relocate to Blackpool as Reno.
The first motel we (a group of guys travelling) tried to rent a room at had the front desk guy literally sitting in a jail cell - to prevent visitors accosting him. Hugely entertaining, and Reno is a fun place, but it pales in comparison to Vegas. Sorry Reno - I'll always remember you fondly, but I'll probably not be back.
They cannot move the conference to the UK because the visa issuing department will reject most of the applications.
... which would be a big improvement for unfortunate victims like Sklyarov or Hutchins.
Not sure where to suggest. There are a few countries with more liberal track records re: the 'net, but such things are subject to change (e.g. Oz, Germany). Perhaps a venue with a well-developed hospitality industry but busted government might suit. Greece, for instance?
Even if you did want to move black hat where would you send it to?
Any number of small, island nations would love to host, would be affordable and already have the kind of environment that would make for a good fit due to their banking sector. Not naming any names, just throwing that out there.
I found Switzerland not that expensive in the shoulder season between summer hiking and winter skiing. Beginning of November, for example.
But if you have to hold your do in August, why not Slovenia, or Denver? Or both; it's a connected world, it says here on this packet of crisps.
The airlines are quite clear about this kind of thing. Cracking jokes about attacking their facilities will get you arrested. I don't see why any other business should be expected to put up with jerks who do similar things, and just do nothing about it.
And this is not in spite of, but BECAUSE of things like Mandalay Bay.
58 people might like to object to your remembering them as such (but can't) and 851 others still might want to (and can). Why do *none* of the above comments reflect the fact all that happened less than a year ago? You have left your humanity behind I think.
Context matters damn it. Some people mourn for years after their losses. Can't you pay attention for even one?
"Where it's not the context of your original statement or action that's important, but how some snowflake can misinterpret/misunderstand it and get into a total flap."
"Context matters damn it. Some people mourn for years after their losses. Can't you pay attention for even one?"
Uhm, I think that's what they said? They were in no way belittling victims or their families... but the Hotel's lack of understanding of the context of the tweet (even after the police cleared it).
Yet somehow you ignored the context, all while complaining that context does in fact matter... The irony.
TL;DR: I got written up at the aforementioned tool and die shop for leaving a homemade 3s3p LiIon pack in the men's locker room, after someone somehow mistook it for a bomb.
I had (hopefully) made it somewhat rain-resistant by wrapping in clear packing tape, which also held the NdFeB onto the bottom/back (normally for holding it to my bike, for the lights that make it street legal at 6 AM during most of the year). The clear packing tape was because I hoped to be able to see when there was water getting in and if the strips joining the cells were rusting (they were, lightly).
I don't have a locker-- it was supposed to go into my backpack as usual. My mistake was sticking it onto an I-beam while I got my shirt out of said backpack and changed into it, and then forgetting it. Their mistake was being a paranoid mindless Murkin-- who believes their favourite government official who tells them "land of the free, home of the brave" means the worst is about to happen and we all have to act accordingly-- and assuming that same worst thing, without spending another 30 seconds working on an awareness of their "situation."
It wouldn't have been so difficult. All 9 cells were positioned with the label printing facing out: ICR18650A220 (can you believe it? 18650 form, 2200mAh) and the letters YLE (the manufacturer in China) and 3.7V and a plus and a minus at either end... and a bar code which matched a 12-digit serial number, which would be pretty important for quality control, or something. Very readable. Very obvious. It would have been nothing for someone to notice and look it up on their phone, but instead they got on the phone with the cops and started evacuating until a guy recognized it and had a good laugh (and many more in the following weeks). But I'm the one who incited a panic. Not that whistleblower.
A few rhetorical questions: what kind of self-respecting terrorist is masturbating in the village of <deleted> instead of getting busy in a real city with lots of potential victims? What kind of self-respecting terrorist takes a bomb to a factory and then puts it in the vicinity of toilets and clothes racks instead of near some industrial chemicals, preferably flammable ones? What kind of self-respecting terrorist puts a bomb on/near a wall, at chest level, almost directly in front of a mirror where lots of people will have a good reason to look directly at it, instead of hiding it anywhere?
More recently there is a suggestion/subliminal message posted around, whereby this tool and die shop ironically encourages "attention to detail." The company has more than a few ongoing quality problems-- they're on what is basically probation with their more important customers including Honda. My unhappy conclusion due to this and a dozen other obscenities: the people who make decisions there also kind of suck at thinking, fail at creative problem solving, and generally aren't as properly addicted to believing true things as one would hope.
The company president heartily promotes Trump, probably because Trump is a fellow businessman, besides incidentally being on the correct wing. Everything humans do (well or otherwise) ultimately reveals the quality of our information, and their quality problems go all the way to the top.
"It’s the Vegas of the North, or so I keep hearing."
Or BrisVegas? (One of the common nicknames for Brisbane, capital city of the Australian state of Queensland. Earned coz we have a casino here, soon to be two casinos next door to each other. There's not a lot of casinos in Oz.)
Is for both parties in this to agree to disagree. The SPECTRE guy is too important, and though he might have made a minor faux pas, Caesars have responded by swatting a fly with a bazooka.
I think it sends out the wrong message to permaban him.
(expecting to be downvoted back to the Cretaceous for this)
It is not simply that they are swatting flies with a bazooka.
It is that this whole exercise was useless. We know it, they know it, and Mr. Linton knows it, but organizations are desperate to look like they are doing something, while in reality doing nothing to eradicate the real terrorism/insecurity problem.
It is a highly visible move that allows them to say "we take the security of our guests very seriously", but is it conducive in any way to actually making Las Vegas, or the USA, or the world any safer? Of course not.
It is the same train of thought that leads corporations to fire people because of a stupid joke they made years ago, as if that helps to fight the rampant sexism and abuse in the industries.
These actions are hateful because they are nothing but PR at the cost of a person that everybody knows is innocent. If (or $Deity forbids, when) the next attack occurs, this stupidity will help nothing to prevent it.
If (or $Deity forbids, when) the next attack occurs...
Sadly, it will probably be a couple of days from now...
Yes, but Def Con is considered to be the BlackHat after party by many. You go to BH, see some decent talks, then feel abused by all the corporates selling “security”, and then go to Def Con to get rid of that feeling.
If you move to another place on the strip you have the same problems. You think Bally’s would have been any different after the Mandy Bay atrocity?
If you move away from Vegas, or even the US you lose the BH carry over. I’m not saying ppl won’t go, but there’s a risk not as many might, and risk is to be avoided these days. Ergo what happened to Linton.
@Iain: "when a scumbag whose name isn’t worth remembering "
Thank you. This is something we need to do more often in cases like this, both on SocMed and in journalism! Kudos!
Looking at the tweet, yes, it is in context clearly a joke by someone who is actually *capable* of the implicit 'threat', the problem, I suspect, was that someone in the security team on the hotel side went "Oh shit man, this guy could make all the slot machines shit tokens all over the carpets!"
Issue: Cost management processes, the hotel is employing cheaper security and they've not the wherewithal to deal with the idea that someone could live by the 'just because you can doesn't mean you should' perspective.
I think that, from the context, we all read that tweet and read "attack" as "hacking attack". I suspect the hotel read it as "violent physical attack, perhaps with guns".
That makes a big difference. Try reading the tweet again with that change.
Now of course, to us it was clearly a joke about the traditional hacking that happens on DefCon's wifi network. To a physical security person who missed all the context, it could be taken as a terrorist threat.
I think the hotel took the tweet out of context, massively overreacted, and lied to him (which is never acceptable) about DefCon being involved with kicking him out. If DefCon security or management had gotten involved, they would have seen the context and tried to fix the hotel's misunderstanding.
Many modern humanoids don't have intellectual capacity to muster an attention span of sufficiently lengthy duration to enable them to keep reading an entire sentence that exceeds about six words.
In this example, they got as far as "If I had the time [&] money...", got bored, and then skipped ahead to 'The Threat' (sic) part.
I've not yet figured out how to reliably communicate with this subspecies. Leads to issues...
These humanoids are the same sort that have eyes that glaze over while you're trying to explain things to them. Their eyes glaze over, and their ears stop hearing, as they begin to slowly formulate a sentence that they will speak, no matter what's going on around them, in 4, 3, 2, 1, they speak.
Even if an Air Raid started on '3', they begin to speak on '0'.
It's because they're cut-off to all sensory inputs while processing thoughts.
I'll just stop, mid-phrase, when I see the glazing appear in their eyes. They don't even notice. I mentally run the count-down, 3..., 2..., 1..., and - right on cue - they blurt out their thought.
'"I've not yet figured out how to reliably communicate with this subspecies. Leads to issues..."
Short and shouty is the most reliable way. Ignore facts, they're just inconvenient. Raise up boogiemen to attack.'
What? You mean like in no more than 140 or 280 characters?
A Vegas casino will ban card counters or anyone else who makes things troublesome for them (i.e., might slow the flow of money through their "gaming" operations). Given the fact Caesar's has a preprinted trespass form (as pictured in one of Linton's followup tweets linked in the article), they must do this regularly. I assume if I went onto the floor and started shouting about which gamblers I'd hypothetically try to rob, even jokingly, I would be asked to leave by a large man in a tight-fitting suit.
This reminds me of the year 2000 HOPE conference at the Hotel Pennsylvania in New York City.
The phone company circulated a memo to their employees warning about hackers in town.
Conference organiser Emmanuel Goldstein kicked off the social engineering session by telephoning the telco security person who issued the memo and asking about it. After a minute or two the telco person said something like "I'm not seeing you on the list of employees..."
According to Goldstein, the hotel management later got a call complaining that H2K people were trying to hack their mainframe, and took it to mean that someone was physically breaking into telco equipment with an axe.
Why waste your time in LA when you can have your conference in God’s Own Country!
Harrogate is classy or you can go to the fleshpots in Leeds or Sheffield. Go for a curry in Bradford and then have your fish and chips in Whitby!
You can relax on Scarborough’s beach and feel the warmth of the North Sea between your toes and if you have a sweet tooth may I suggest a trip to Pontefract to pick up your Pontefract Cakes.
You see LA isn’t in Yorkshire so why would you go there?
In Brief After a year off due to a certain virus, the Black Hat and DEF CON security conferences returned to Las Vegas last week, just in time for the US government's attempts to foster more collaboration across the infosec industry.
The newly appointed Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, took to the virtual Black Hat stage last week (although there was a limited and well-spaced physical conference this year) and announced the Joint Cyber Defense Collaborative (JCDC), which she claimed would be a true public/private partnership to try to lock down security incidents by sharing data and skills.
Microsoft, AWS, Google and several US telcos have signed up, but Easterly's keynote was particularly aimed at bringing in independent talent. Among the suggestions were increasing public sector salaries and taking a more flexible approach to hiring.
Black Hat Just as America was getting a grip on improving the security of its electronic ballot boxes, the coronavirus pandemic hit, throwing a potential surge in remote voting unexpectedly into the mix, the Black Hat hacking conference was told today.
In his keynote address to the now-virtual infosec confab, Georgetown Professor Matt Blaze said election officials will likely have to deal with a larger-than-normal number of citizens voting by mail, rather than in person, and all that entails, as people are encouraged to socially distance and stay away from crowds to curb the COVID-19 virus outbreak.
"Election security at the beginning of the year was just a matter of getting it implemented. There was reason for optimism," said Prof Blaze. "Then the pandemic came along and that added a whole new set of concerns that were always there, but got brought sharply into focus."
In brief A city in Colorado, USA, has swallowed its pride and paid off a malware gang after deciding the cost of a network nuke-and-pave was too high.
The city of Lafayette – technically a home-rule municipality – with a population of around 30,000, said it has opted to pay ransomware criminals a $45,000 (£35,000) fee after deciding that it was a better use of cash than spending time and money wiping and reformatting all of their machines.
"Ransom payment was not the direction the city wanted to go, and pursued all avenues to find alternative solutions," Lafayette officials admitted. "In a cost/benefit scenario of rebuilding the city’s data versus paying the ransom, the ransom option far outweighed attempting to rebuild. The inconvenience of a lengthy service outage for residents was also taken into consideration."
DEF CON Writing a successful Windows rootkit is easier than you would think. All you need to do is learn assembly and C/C++ programming, plus exploit development, reverse engineering, and Windows internals, and then find and abuse a buggy driver, and inject and install your rootkit, and bam. Happy days.
Alternatively, write your own malicious driver, sign it with a stolen or leaked certificate or your own paid-for cert so that Windows trusts it, and load it.
This is according to undergraduate bug-hunter Bill Demirkapi in a talk he gave at the now-virtual DEF CON hacking conference, which you can watch below. He told the web audience on Thursday many common Windows drivers provide the conduit rootkit writers need to compromise PCs at a level most antivirus can't or won't reach.
Black Hat While China is the bête noire du jour of the US government, Russia is the master of spreading disinformation, fostering conflict, and derailing discourse online, the Black Hat security conference was told today.
At her Thursday keynote, Stanford Internet Observatory's research manager Renee DiResta explained how Russian military intelligence – the GRU – and the private Internet Research Agency (IRA) were putting the likes of China to shame. Security companies and government agencies have good reason to move their focus from Beijing to Moscow, she warned.
The basic methods of hacking public opinion are fairly simple, DiResta explained. Fake accounts generate content and spam it out on social media to amplify the message. If enough real people pick up and the posts go viral the mainstream media kicks in and amplifies the desired message still further.
Black Hat Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program.
Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter registration software, said it is working with infosec outfits and bug-finders to improve the security of its products.
Speaking at this year's online Black Hat USA conference, CISO Chris Wlaschin outlined a number of steps his biz has already or will soon take to overhaul its relationship with bug-bounty hunters.
Black Hat The two penetration testers whose arrest and imprisonment made headlines last year are finally sharing their story, and it is a doozy.
Florida man Justin Wynn and Seattle resident Gary DeMercurio, both pentesters at infosec shop Coalfire Systems, said the ordeal they experienced in Iowa last September could have been avoided had they just done a better job of documenting the scope of their audit in writing.
That and not running into an ornery sheriff. A favorable judge died suddenly, too, mid-case.
Biting the hand that feeds IT © 1998–2022