Imagine you’re a Vegas casino: hundreds of employees, thousands of guests, lots of money changing hands. Now imagine you’re a Vegas casino hosting a convention of hackers: thousands of really smart people, who really know how to use computers and really like making mischief. That is the position the Rio finds itself in every year when the DEF CON Hacking Conference comes to town.
The conference, August 1-4 this year, features sessions like “Torturing Open Government Systems for Fun, Profit and Time Travel,” “Offensive Forensics: CSI for the Bad Guy,” “Def Con Comedy Jam Part VI, Return of the Fail” and talks about “building your own robots for world domination.” There aren’t any panels on hacking casinos, but it’s not hard to imagine some of the people wandering past local tables this weekend are more than capable of doing just that.
So how did the Rio prepare for its special guests? The casino declined to comment on any specific security measures in place for DEF CON, but the Weekly did obtain an all-staff memo sent to employees on July 31 by AGM Dan Walsh.
The email asked casino employees to welcome the DEF CON crowd and advised staff that they were expecting up to 20,000 attendees, including “computer security professionals, journalists, lawyers, federal government employees, security researchers and people with a general interest in computer code, computer architecture and hardware modification.”
“Due to the nature of the convention,” the note advised employees to take some common-sense precautions, including wearing name badges in front and back of house, keeping swipe badges on them at work, locking out computers when leaving the office and locking office doors. It also warned staff to be “mindful of your personal cellular devices. Do not check any sensitive matter (bank accounts or anything with a private PIN number) on your personal cell phones using Wi-Fi or at your computers for the week of July 31-August 5.”
That’s the big one, says a man who goes by Hodge Podge during the conference’s second day. He hails from Lancaster, California, and is standing at the doorway to a conference room, holding a homemade cardboard sign that reads, “Free hi5s for undercover feds.” He says he’s gotten more than 60 high fives this morning, mostly from people who claim not to be feds. (The high fives are still free.) Tomorrow’s sign will target NSA agents.
Hodge Podge echoes the Rio’s advice: “Don’t use the wireless. Definitely don’t log onto anything with a weird name.” I’m glad my phone is turned off in my purse.
One year, he recalls, someone hacked into the registers at a casino restaurant, shutting them down. “They had to use calculators,” he says with a laugh. “Anything that can cause chaos, people will do it just because.”
Hodge Podge says if he were doing casino security, he’d turn the wireless network off altogether for the week. Just to be sure.
It’s 11 a.m. and the hall is crowded with people, shuffling slowly to their next seminar. A man walks by wearing a T-shirt that says, “What happens in Vegas stays in Vegas unless you pick up a virus.” I’m pretty sure he’s not talking about herpes. Another woman has a cowboy hat covered in tinfoil. Every now and then I hear the smack of someone giving Hodge Podge a high five.
Mark Weiser is sitting on a bench, looking at his smartphone as if surprised. “I just left a telephone message,” he says, chuckling. Emails are too risky, he won’t use his computer at the convention, and he’s not staying at the Rio or at Caesars Palace, which hosted the complementary Black Hat conference, more targeted at cyber security professionals than those who try to best them.
Weiser, an associate dean at Oklahoma State University who specializes in digital forensics and security, agrees the Rio’s message to staff was a good idea, but suggests that perhaps it didn’t go far enough. “My big concern is for other hotel guests,” he says, imagining random vacationers getting hacked or having their usernames and passwords posted on the conference’s ignominious Wall of Sheep.
Weiser says a conference like DEF CON is an inherently risky proposition for a Vegas casino. He remembers the year all the video poker machines at another property were shut down after someone hacked them so the backgrounds showed pornographic images. Another time, he says, someone launched a balloon above a casino to sniff Wi-Fi signals over a large area.
“It’s a cost benefit thing,” he says. Sure, the hackers could wreak major havoc, but “people here are spending a bunch of money and they’re gambling. It’s hard to say no.”
And Weiser stresses that DEF CON is a very good thing. Hackers highlight vulnerabilities, point out human error and offer the opportunity to fix them. Weiser describes attendees as the type to break in but not steal anything. Of course, they might not tell the company they’ve broken into what’s up until their speaking session during the annual convention, but once they do, security pros will get to work fixing the problem and making their systems even tougher to hack. Maybe even casino systems like the Rio’s.