I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee. They also probably spend less on high-end restaurant dining and bar drinking inside the hotel.
Since the pandemic Vegas has had a pretty strong resurgence in general and this may be a sign that Caesar's is doing well enough they've decided there are higher-revenue guests they can put in those rooms — even in the doldrums of August (a traditionally slow month for Vegas tourism).
I happen to regularly attend an unrelated, non-tech conference that's always right around the same week as DEF CON. That conference also happens to attract attendees who don't gamble or spend much at the hotel other than room costs. The reason the conference organizer chooses August is they get better discounts on their costs from the hotel in exchange for filling up rooms that would otherwise be empty (except this hotel is lower-end and cheaper than Caesar's). This works out because unlike Caesar's this hotel is far off the strip and doesn't have nearly as much dining or gambling revenue potential anyway.
>But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?
Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
> Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".
The announcement effectively calls it "no-notice cancellation" and overall it reads like they were already deep in the planning phase when it happened, which seems unlikely if a renewal was pending.
I will need to dig up the archives from DC 27 when the deal with Caesars forum was officially announced, but if memory serves me correctly DT said it was a 5 or 10 year contract. So unless there was some verbiage in the contract that allows Caesars to cancel for any reason, they're going to be cutting DEFCON a check.
I see people go all out in LV and drop a lot of money at restaurants. I guess it depends. Then again if you've already been in LV for a few days due to BH you might be over the bell curve on spending for the week. I guess it depends on when you get in. I tend to drop more money Wed-Thur.
Everyone is missing the "but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara" part. So this is more like they got passed to a different venue. Not "vegas hates them".
All of the more recent years that I did DEF CON I was with large groups of people going to high end restaurants and (ab)using the hotel bars. In fact the hotel bars were always packed.
My suspicion is that Caesars is trying to do something like play with headcount. Late summer is not just a weak time for conferences but DEF CON needs a ton more space and a ton more human babysitting across that space than any other conference. You don't see EVO or BlackHat getting cancelled (same exact time window) because they're pretty contained in one place.
My guess is that Caesars needs to staff up a little for DEF CON or that they may even be considering reducing staffing in late summer. Con attendees are going to stay at their properties and use their bars/restaurants/tables anyway.
...although now that I think about it, EVO was moved up 2 weeks and has a new unannounced venue this year, so maybe this isn't isolated to DEF CON.
...and also the Venetian is having its convention space renovated until 2026...
Black Hat is a giant commercial conference run by a company that runs dozens and dozens of giant commercial conferences. No event venue is ever going to fuck with them.
I attended an earlier DEF CON (5 or 6?) where the attendees:
1) Hacked the in-circuit TV system and broadcast their own pirate show
2) Gained roof access and removed the satellite dish
3) Spilled hookah coals onto the bed starting a fire
4) drove the janitor's golf cart into the pool
and that is only what I witnessed firsthand. I can only imagine what else went on. Maybe the attendees' low spend was only part of the equation?
I attended Def Con 7 and witnessed people pick the lock of a utility room on my hotel floor and change the phone wiring.
Also, I was a 17 year old girl at the time, and I felt sexually threatened several times during the event. That is the only place I have visited where I would make a statement of that nature.
That sounds like DefCon 7 at the Alexis Park. I think I remember seeing a photo of a golf cart in the pool.
I quit going after 7. It seemed like the partying had vastly overtaken any actual technical content. I don't drink and I'm not super social, so it just seemed like it wasn't "for me" anymore.
Edit: It has probably changed in the intervening years but every time I looked into it it seemed like more spectacle than tech. DerbyCon filled the niche for me for a few years but then it got impossible to get tickets for and imploded. (I know there's a lot of backstory about DerbyCon that I don't know, too. For me it was just a fun way to feel a little of the DefCon 3 vibes again.)
I've seen bottles of alcohol passed around during talks and heard more than a few really off color jokes about criminal sex acts and such. Vegas waitresses have seen it all also but there was over the top behavior.
We're in a victim dominant culture now, "it's not you or what you've done, you're just a victim of evil or something" but at more than a few Def Cons and more than a few times, it was really uncomfortable to be there and see some of the stuff that was happening.
I was at DEF CON 26 & 27 and people had punched/torn holes in the drywall in several places, and at one stairwell where you could reach up and slap the ceiling, chunks of ceiling were falling off from where people were gouging it.
DEF CON is a hell of a party, and I hope to go this year, but the attendees are a force to be reckoned with. Even I ended up fucking up a homemade badge, and tossing a failing lithium battery into the trash in the middle of a casino, only to learn later I created a trash fire, so I know firsthand that we're a problematic bunch.
"I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee."
There is the story that the American Physical Society was not allowed back after in 1986 Vegas supposedly suffered its worst week in history.
First of all there is no real evidence that this story is true and secondly it doesn't make sense to me that they would cancel DEF CON after so many years for that reason. They would have done so much earlier, probably.
I heard this story many times. One of them was from a graduate student who attended this meeting. APS March meeting happened in Las Vegas again last year (2023). While there was no official ban for APS Conferences, there was little interest in Las Vegas to host anything for APS for ~35 years.
There are certainly a lot of DefCon attendees who think that this describes them. In my observation they are all very incorrect, usually humorously so fortunately.
I heard a joke about tech conference people in Vegas many years ago. It goes something like "people who go to tech conferences in Vegas bring one shirt and a $20 bill and never change either." So yea, programmers generally aren't gamblers because they know enough math to know the house always wins.
In my experience, programmers like poker, but not games of chance. This also describes me. Poker is a data-heavy game of skill and memory, Craps is about the opposite.
House sets the mean and variance, how could they ever lose? Only thing left to make it work is volume, transactions volume, so variance can be minimized.
Eh, I’m a programmer and I go to vegas with other programmers fairly regularly. We know enough math to know the expected cost per entertainment•hour is comparable to many other pastimes.
But even so we’re actually all net-positive on the city, thanks to a couple “lucky” craps runs.
I've heard stories about "hackers" at former DEF CONs pouring concrete down sinks and doing all sorts of other socially clueless vandalism, and resulting backlash for the organizers. While the infosec community is much bigger and more... "normal" than it was back then, I imagine the guests are still more of a liability than the average conference attendee and as you said, probably not big spenders.
Combine low ARPU with perceived risk (in the wake of the Vegas hacks last year) and a termination for convenience clause and this is a no-brainer for Caesars. There’s just not enough upside for Caesars to host in their marquee properties.
I'm really sure you have found the answer, it’s most likely more of a perceived thing than any of us wants to admit. DEFCON attendees can be walking stereotypes at times anyways, but the combination of drunk, low yielding hacker(wo)men(tm) roaming your hotel probably just made the juice not worth the squeeze.
It's mostly with liquor bought from offsite and drunk in rooms/private parties, not via Caesar's venues or catering (there's a lot of that too, and this is summer dead period, so it still may be good).
The simplest explanation is often the correct one. Casinos aren't exactly known for having moral qualms. They are, however, known for caring about their bottom line. They probably analyze every single event they host and then shuffle things around to maximize their expected revenue based on their past experiences with the same type of event.
The simplest explanation is they don’t like hackers after their experience. So they push a bunch of hackers buttons with a last minute notice and prepare the honey pot to pen test their post ransom security posture and maybe in the process they find an amateur to pin it all on.
I think you're on to something. Most DEFCON attendees can do rough calculations in their head that their chances of coming out on top in Las Vegas are extremely unlikely, and choose to just look around and buy some drinks and cheap food.
Doubtful, I'm sure it's related to the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully). The juice just ain't worth the squeeze. They have a business to run, and the risk of having a bunch of drunken and high hackers who happen to be the best in the world running amuck is not their idea of a good corporate event.
Caesar's apparently explicitly said it wasn't related to anything the community did. It's possible that they're lying for some reason, but it's also possible that they're telling the truth.
> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.
Dunno if it has anything to do with it but they did get haxx0red last year at the same time as MGM, except Caesars paid up and MGM didn't. Hotel room cards, casino play cards, etc were down for ten days at a bunch of the MGM-owned properties (a.k.a. the half of the Strip not owned by Caesars) https://en.wikipedia.org/wiki/MGM_Resorts_International#Las_...
There are actually very few people with pentesting skills at Defcon stronger than running burp suite, and fewer still of those that are blackhats. Those with skill can do very well for themselves legally, and know better than to risk their careers getting caught messing with casino systems.
In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.
My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.
> the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully)
If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.
And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.
You can view their financial statements [1]. I am sure the 'casino' category includes things besides gambling, but it looks like the largest share of their revenue.
Not everything is about money or the bottom line. Sometimes it's about politics. Vegas takes a loss on so many things. Nevada has grown more and more corporate over the years. This move doesn't surprise me at all.
What are the politics? One of the richest and most profitable industries on Earth wants to have a conference where they show slide shows to each other. Really not much different than any other conference, and probably more ethical than most of them.
> Sometimes it's about politics.
> Nevada has grown more and more corporate over the years.
You make it sound like it's entirely about money and the bottom line.
I have a hard time believing gaming doesn't provide _huge_ contributions to favorable politicians. I feel like you've got something to say, and maybe something really interesting. But what you've got is awfully vague.
If you've got the time or inclination, I'd definitely read an elaboration of your meaning.
You know, why the fuck is DEFCON in August, in Vegas? Like, you know a nice place to visit in August? Kodiak, Alaska. Portsmouth, Maine. Sydney. List of places I would never want to visit in August? Vegas. Houston. Vegas. New Orleans. Vegas. Mumbai? Maybe. Baghdad? Definitely not. Also, Vegas. My friends in Christ, why, does anyone, think Vegas is a good idea in August?
Convention space and room blocks are fairly cheap to rent in Las Vegas.
No other city in North America has a similar amount of space or options for low cost block booking.
Also, plenty of DefCon attendees and sponsors are also attending BlackHat at around the same time, so it makes it easier to justify expensing most of the cost as an employee.
It started there initially because a bunch of hackers wanted to hang out together and the cheapest way to do that was to all fly in to Vegas in August. It’s tradition but also still somewhat true for the reasons you articulate.
If we wanna be frank: lotta tech is in silicon valley and Vegas is probably the closest "large" hub to travel to (Maybe Los Angeles is closer, but not by much). It's the cheapest option without simply staying in SV.
I'm sure the other places suggested would have been nice, but you turn one flight into 2, maybe even 3, have to search for a venue and accommodation for 100s/1000s persons (even if they self book), etc
Conference tourism is big business and the big conferences want friendly places that fit their budget and make it possible for people to attend it
The heat is really not that bad. I absolutely hate the heat, living in the midwest the summers are unbearable to me.
Yes, it's hot, but you can still walk outside without becoming a sweaty mess because it's so dry. And you're probably not going to be walking outside very far, it's a very unfriendly place to walk outside of the prescribed separated paths on the strip.
The problem is that the con was now spread out over multiple casinos/hotels so the odds of having to walk outside at some point have increased, even with some of the hotels connected internally.
The fact that it is now at the convention center and likely all under one roof is an improvement, IMO.
I don't care to go to Las Vegas, and I don't care to go to DEFCON, but you can easily fly from anywhere to Las Vegas, any time of year. (Subject to US visa issues, of course)
Others have said August is off-peak for Vegas (perhaps because of the weather), which means it's a good time for a conference as space should be less expensive.
Check out https://www.flightsfrom.com/explorer/LAS — particularly comparing its direct flights from all over the continental US to the same for other American cities.
That settles it, DEF CON in Dubai, London or Amsterdam. I vote for Amsterdam.
Frankfurt also has the most international destinations (just not volume).
(Probably not Dubai, considering a few speakers would be thrown out at the border - or worse if they get through. It's also artificially inflated because it's almost all transit traffic).
We also believe in constant air conditioning unlike the East coast and defcon is probably not the group walking around outside the hotels much.
The heat sucks but it’s not like it’s that hard to avoid on a conference trip. It’s when you live here and have to hop in your plasma generating car that makes you wonder what the fuck is wrong with you
Vegas is great in August. It might be super hot but it's also dry. Whenever I go out to DEF CON, I take a day to go out quadding around the desert and shoot some guns outdoors.
The whole damn strip is air conditioned and misted so it's not really a problem. A few years back I participated in a scavenger hunt during DEF CON and it was taxing but I would do it again.
New Orleans is hell on earth that time of year though -- never again.
That’s the stupidest thing I’ve heard. It’s nice and hot in Vegas in August. Alaska? At best it’s fucking 50F, that’s deeply uncomfortable. Walking around in that feels like I’m dying inside. Also, it’s a goddamn convention not a business meeting. People want to drink, watch some shows, gamble a little bit, walk around on the strip. Have a good time in general. What the fuck are you gonna do in Alaska?
After the impact of the MGM hack this year Caesars probably revisited their insurance on getting compromised. After the auditors and lawyers looked at all the risks they came across DEF CON and said no because of the wording of how DEF CON is marketed. Their choice was probably to drop them or lose coverage.
DEF CON is listed as a "hacker convention held annually in Las Vegas, Nevada." where Blackhat is "Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security..."
I imagine places like the convention center can't afford or care about insurance at this level.
Caesars was hacked by the same attackers that pwned Okta, and used the stolen keys and tokens to get into Caesars. It was nothing carried out by Defcon in any way.
Anyone that takes this scene seriously knows Defcon is the place to be. Blackhat is an overpriced vendor circle jerk. The only way to make Blackhat relevant again is to kick out all of the vendors and if you can't do that, forbid them from collecting people's information.
This is going to be my 11th year at Defcon this year. I snuck into a couple of blackhats and didn't get any value from them. I've been around the block a few times.
> It was nothing carried out by Defcon in any way.
You think insurance providers are capable of doing this level of analysis? They see "hacker conference" in which Defcon may still hold some notoriety in and decide it's a risk.
People love saying this about Black Hat and Defcon, but I can't think of an important research result disclosed at Defcon 31 that wasn't a Black Hat talk. More good research gets turned down for Black Hat (which can only accept 3-5 talks per track) than appears at Defcon. Median Defcon talk quantity is approximately that of a good regional conference.
And that makes sense. Talks aren't really the point of Defcon, and they are (besides the lobby conf) the sole point of Black Hat. Black Hat is also a vendor circlejerk, but that fact confuses people who don't actually practice in the field.
BlackHat isn't a con you attend. You go there for the training sessions that are required to obtain/upkeep your certifications.
The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.
On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.
My comment was around the wording as advertised. It will also be my 11th DEF CON next year, never been to Blackhat. We should grab a beer.
I have personally worried after seeing Caesars transform after the events at the Mandalay Bay with the new addition of their own paramilitary group (the SRTs) and their actions during DEF CON. Just check out their job descriptions: https://www.linkedin.com/jobs/view/security-officer-srt-i-fu...
Before the SRTs, I personally know from knowing the staff who run the conference that they have helped Caesars Entertainment in previous years strengthen and work with them hand-in-hand to secure their networks and train their staff. Even work with the goons to make sure people didn't get trespassed over shenanigans. I honestly think the mid level management is sad we are gone.
The other side is the Okta was just a taste of what could go wrong. Seeing MGM totally shut down and losing millions was scary for upper management. Auditors weren't comparing Blackhat to DEF CON but that the listing on the spreadsheet was not "boat show" but "hacking con" and they deemed that was too much risk for the level of coverage Caesars Entertainment wanted.
Nevertheless, we all hated Caesars and I am personally excited to see what this next year will look like.
This explanation makes the most sense. A team of lawyers/risk analysts saw "hacker conference", superficially dug in and noted previous incidents that coincided with the "hacker conference" in previous years (bomb threat, the shooter) and decided it wasn't worth it
The bomb threat last year is a funny story that I can't share here. It was very much a nothing burger but their security doing what they are paid to do.
Black hat is just one giant bunch of sales pitches. No I haven't been there but I've had to sift through recordings that my boss (who did attend) wanted me to look at because he was too drunk himself to do a proper evaluation.
It doesn't provide information, it just provides sales suits a chance to blow their hot air :P
If I'd ever go there it would just be an excuse to go to vegas to see DEF CON as well :P I work in security but I have no time for corporatism and sales bullshit.
Edit: I know it's a bit of a hot take but I've been to so many conferences where sales goons spew all the pretty pictures and then later when we actually got our hands on the product it turned out that it couldn't do half the stuff that was promised. Or there were other weaknesses like excruciatingly bad support. I've become very cynical due to this.
if we're going with hot takes, I've watched a lot of DefCon vids and many presenters come off as outlandishly arrogant. not simply smug, more "I am levitating above the normies."
>Black hat is just one giant bunch of sales pitches.
> No I haven't been there
The first sentence is not true. Many good talks are given, often breaking ground. Yes, you can find sales pitches, but there are good fundamentally technology talks.
Black Hat is peer reviewed and accepts a tiny fraction of submissions (tracks will accept 3-5 talks out of a typical pool of 20-50). Reviewers --- all of them vulnerability researchers --- barely have time to read outlines and look for any possible excuse to DQ a submission and move on to the next one, and the single most common DQ is "the presenter has a commercial interest in this topic, vendor talk, 1.0 rating".
There is also a giant vendor expo that runs alongside Black Hat, and vendors do whatever they can to stage events that look like Black Hat talks but are not. I submit that you have probably confused those for actual talks. Or: you watched the keynote? I don't understand what the keynote is for.
Point being that it’s been a rough ride over the last few years. Combine that with corporate events probably being far more lucrative for Caesars, i.e. suits drink and gamble harder than geeks - I’m not surprised by this.
TBH my team and I skipped DEF CON last year and threw our own event in Banff instead because DEF CON has become quite boring with long lines and a Groundhog Day feel to it. If you’re looking for a proper con check out a local B-sides or a smaller legit con like Shmoocon.
After last year, Caesars likely has a large insurance policy covering against ransomware attacks. That policy probably says something along the lines of "valid as long as you don't knowingly invite tens of thousands of hackers to your property"
I find this strange but not surprising. I've heard of speed bumps in the past related to 'hackers in town' and I wouldn't be surprised if it comes out later that it had something to do with it, even if unfounded. I think overall, having that many 'hackers' in town makes people overly paranoid.
<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>
Not a fan of what DEF CON has become in the last years, so I selfishly hope it somehow "goes away" and reborn in a more technical and actual hacker note.
Too many "security researchers", "staff engineers" and people playing politics.
But I suspect they will have no problem finding another venue, sponsor money has been flowing quite well, so I wish them well.
I don't have a ton of love for politicking, but security researchers and staff engineers, a lot of the time, are people who either have a career in a really interesting area in infosec and can bring a lot to the table as teachers/presenters, or people who want to get into that area and who'd benefit massively from a place like DEF CON considering how accessible its talks, demos, and villages are to people of all skill levels.
Socialising, learning hacking history, and getting to know the traditions is always a great side effect that the DC crowd's been good at passing on to new generations. Goons still give people shit for misbehaving, speakers still take shots, TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
I'd venture to say it's against the spirit of the con to try and gatekeep it.
Having said all that (and the irony not being lost on me) -- linecon's definitely getting worse, and I'm worried that DC's becoming a victim of its own success, with its accessible pricing and subject matter being counterbalanced by having to manage a 20-30k person crowd. I don't have a solution for this outside of decentralization, but I don't know if that's a good solution.
I can't edit my original comment anymore, but I'll add: OG DEF CON stuff still happens, too. Parties, secret parties, parties that take a full day or two of codebreaking a badge to get to, demoscene stuff, drinking, public art, you name it, it's there -- it takes a back seat because DC does have to focus on mass appeal these days (I believe, because of its accessibility promise coupled with the number of people coming out).
I forgot these when I wrote my original post at 1AM :)
> TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
While you're over there look around for the Tamper Evident Village and we'll happily demonstrate and allow you to try removing Tamper Evident Seals of various kinds.
There are dozens of other conferences that do anything else you want a security conference to do. The point of Defcon at this point is to be the giant annual social event.
I wonder if Caesars' cybersecurity insurer had an opinion about writing a policy for a casino resort that hosts something like DEFCON, especially after the MGM hack.
Not renew the contract - sure. But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?
Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".
I very much doubt there's any conspiracy here.
For example, the ATMs on casino floors are probably some of the most secure in the nation during the con. Harassment is also taken actually seriously.
I quit going after 7. It seemed like they partying had vastly I overtaken any actual technical content. I don't drink and I'm not super social, so it just seemed like it wasn't "for me" anymore.
Edit: It has probably changed in the intervening years but every time I looked into it it seemed like more spectacle than tech. DerbyCon filled the niche for me for a few years but then it got impossible to get tickets for and imploded. (I know there's a lot of backstory about DerbyCon that I don't know, too. For me it was just a fun way to feel a little of the DefCon 3 vibes again.)
I've seen bottles of alcohol passed around doing talks and heard more than a few really off color jokes about criminal sex acts and such. Vegas waitresses have seen it all also but there was over the top behavior.
We're in a victim dominant culture now, "it's not you or what you've done, you're just a victim of evil or something" but at more than a few Def Cons and more than a few times, it was really uncomfortable to be there and see some of the stuff that was happening.
DEF CON is a hell of a party, and I hope to go this year, but the attendees are a force to be reckoned with. Even I ended up fucking up a homemade badge, and tossing a failing lithium battery into the trash in the middle of a casino, only to learn later I created a trash fire, so I know firsthand that we're a problematic bunch.
There is the story that the American Physical Society was not allowed back after, in 1986, Vegas supposedly suffered its worst week in history.
First of all there is no real evidence that this story is true and secondly it doesn't make sense to me that they would cancel DEF CON after so many years for that reason. They would have done so much earlier, probably.
https://skeptics.stackexchange.com/questions/39668/did-a-cas...
But even so we’re actually all net-positive on the city, thanks to a couple “lucky” craps runs.
I never heard of this. Can you tell us more?
I'm not so sure. There's a _lot_ of drinking at DEF CON
https://qz.com/work/1249513/was-a-convention-of-physicists-r... (2018)
> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.
https://www.reddit.com/r/Defcon/comments/1aj6ixn/def_con_was...
https://www.bloomberg.com/news/articles/2023-09-13/caesars-e...
https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-c...
In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.
My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.
If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.
And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.
[1] https://investor.caesars.com/news-releases/news-release-deta...
You make it sound like it's entirely about money and the bottom line.
I have a hard time believing gaming doesn't provide _huge_ contributions to favorable politicians. I feel like you've got something to say, and maybe something really interesting. But what you've got is awfully vague.
If you've got the time or inclination, I'd definitely read an elaboration of your meaning.
No other city in North America has a similar amount of space or options for low cost block booking.
Also, plenty of DefCon attendees and sponsors are also attending BlackHat at around the same time, so it makes it easier to justify expensing most of the cost as an employee.
Not even in Mexico? You know, the country that's part of North America? Why not just say America?
I'm sure the other places suggested would have been nice, but you turn one flight into 2, maybe even 3, have to search for a venue and accommodation for 100s/1000s persons (even if they self book), etc
Conference tourism is big business and the big conferences want friendly places that fit their budget and make it possible for people to attend it
Yes, it's hot, but you can still walk outside without becoming a sweaty mess because it's so dry. And you're probably not going to be walking outside very far, it's a very unfriendly place to walk outside of the prescribed separated paths on the strip.
The fact that it is now at the convention center and likely all under one roof is an improvement, IMO
Others have said August is off-peak for Vegas (perhaps because of the weather), which means it's a good time for a conference as space should be less expensive.
Frankfurt also has the most international destinations (just not volume).
(Probably not Dubai, considering a few speakers would be thrown out at the border - or worse if they get through. It's also artificially inflated because it's almost all transit traffic).
https://en.wikipedia.org/wiki/List_of_busiest_airports_by_in...
Cheap flights too.
And that is precisely why DEFCON is there in August - demand is weak so prices are low. They even state as much in their FAQ.
The heat sucks but it’s not like it’s that hard to avoid on a conference trip. It’s when you live here and have to hop in your plasma generating car that makes you wonder what the fuck is wrong with you
The whole damn strip is air conditioned and misted so it's not really a problem. A few years back I participated in a scavenger hunt during DEF CON and it was taxing but I would do it again.
New Orleans is hell on earth that time of year though -- never again.
I thought the same until visiting Kyoto and Rome in August.
A high of 40C / 104F is not generally considered "nice".
The average high in Kodiak Alaska is 60F.
(But your parent was mostly being silly.)
DEF CON is listed as a "hacker convention held annually in Las Vegas, Nevada." where Blackhat is "Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security..."
I imagine places like the convention center can't afford or care about insurance at this level.
Anyone that takes this scene seriously knows Defcon is the place to be. Blackhat is an overpriced vendor circle jerk. The only way to make Blackhat relevant again is to kick out all of the vendors and if you can't do that, forbid them from collecting people's information.
This is going to be my 11th year at Defcon this year. I snuck into a couple of blackhats and didn't get any value from them. I've been around the block a few times.
You think insurance providers are capable of doing this level of analysis? They see "hacker conference" in which Defcon may still hold some notoriety in and decide it's a risk.
And that makes sense. Talks aren't really the point of Defcon, and they are (besides the lobby conf) the sole point of Black Hat. Black Hat is also a vendor circlejerk, but that fact confuses people who don't actually practice in the field.
The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.
On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.
I have personally worried after seeing Caesars transform after the events at the Mandalay Bay with the new addition of their own paramilitary group (the SRTs) and their actions during DEF CON. Just check out their job descriptions: https://www.linkedin.com/jobs/view/security-officer-srt-i-fu...
Before the SRTs, I personally know from knowing the staff who run the conference that they have helped Caesars Entertainment in previous years strengthen and work with them hand-in-hand to secure their networks and train their staff. Even work with the goons to make sure people didn't get trespassed over shenanigans. I honestly think the mid level management is sad we are gone.
The other side is the Okta was just a taste of what could go wrong. Seeing MGM totally shut down and losing millions was scary for upper management. Auditors weren't comparing Blackhat to DEF CON but that the listing on the spreadsheet was not "boat show" but "hacking con" and they deemed that was too much risk for the level of coverage Caesars Entertainment wanted.
Nevertheless, we all hated Caesars and I am personally excited to see what this next year will look like.
It doesn't provide information, it just provides sales suits a chance to blow their hot air :P
If I'd ever go there it would just be an excuse to go to vegas to see DEF CON as well :P I work in security but I have no time for corporatism and sales bullshit.
Edit: I know it's a bit of a hot take but I've been to so many conferences where sales goons spew all the pretty pictures and then later when we actually got our hands on the product it turned out that it couldn't do half the stuff that was promised. Or there were other weaknesses like excruciatingly bad support. I've become very cynical due to this.
> No I haven't been there
The first sentence is not true. Many good talks are given, often breaking ground. Yes, you can find sales pitches, but there are good fundamentally technology talks.
Black Hat is peer reviewed and accepts a tiny fraction of submissions (tracks will accept 3-5 talks out of a typical pool of 20-50). Reviewers --- all of them vulnerability researchers --- barely have time to read outlines and look for any possible excuse to DQ a submission and move on to the next one, and the single most common DQ is "the presenter has a commercial interest in this topic, vendor talk, 1.0 rating".
There is also a giant vendor expo that runs alongside Black Hat, and vendors do whatever they can to stage events that look like Black Hat talks but are not. I submit that you have probably confused those for actual talks. Or: you watched the keynote? I don't understand what the keynote is for.
Here are the actual 2023 talks:
https://www.blackhat.com/us-23/briefings/schedule/index.html
In 2018 we had aggressive room searches post the Vegas shooting that caused a lot of friction: https://arstechnica.com/tech-policy/2018/08/security-theater...
Point being that it’s been a rough ride over the last few years. Combine that with corporate events probably being far more lucrative for Caesars, i.e. suits drink and gamble harder than geeks - I’m not surprised by this.
TBH my team and I skipped DEF CON last year and threw our own event in Banff instead because DEF CON has become quite boring with long lines and a Groundhog Day feel to it. If you’re looking for a proper con check out a local B-sides or a smaller legit con like Shmoocon.
I heard it both from Dark Tangent and several high level Goons.
<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>
[0] https://www.cnbc.com/2023/09/14/caesars-paid-millions-in-ran...
This makes more sense to me than the other explanations. Probably coupled with an underinformed general manager or company president.
I’d wager a bet that the perpetrators of the hack had visited Caesars during defcon
Too many "security researchers", "staff engineers" and people playing politics.
But I suspect they will have no problem finding another venue, sponsor money has been flowing quite well, so I wish them well.
Socialising, learning hacking history, and getting to know the traditions is always a great side effect that the DC crowd's been good at passing on to new generations. Goons still give people shit for misbehaving, speakers still take shots, TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
I'd venture to say it's against the spirit of the con to try and gatekeep it.
Having said all that (and the irony not being lost on me) -- linecon's definitely getting worse, and I'm worried that DC's becoming a victim of its own success, with its accessible pricing and subject matter being counterbalanced by having to manage a 20-30k person crowd. I don't have a solution for this outside of decentralization, but I don't know if that's a good solution.
I forgot these when I wrote my original post at 1AM :)
While you're over there look around for the Tamper Evident Village and we'll happily demonstrate and allow you to try removing Tamper Evident Seals of various kinds.