Forum servers are being overloaded, from DEF CON's homepage:
After a great 25 year relationship Caesars abruptly terminated their contract with DEF CON, leaving us with no venue for DC 32, and just about seven months to Con!
We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.
TL;DR - DEF CON 32 will still be August 8-11 2024, but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara.
If you already have a reservation at a Caesars property, from what I saw you can keep it, you'll just have to find transportation to LVCC via the monorail or other means.
Not sure on transfers. They have negotiated with Sahara on a rate and are looking to add more.
That “just” is doing some heavy lifting. It was a minor hassle running back and forth from the Forum to Flamingo to pick stuff up and drop it off. Commuting from strip hotels to LVCC is going to be a pain in the ass.
You can cancel up to 72 hours before the reservation. New room blocks are still being negotiated and will be posted at (link) as they become available. Please help us negotiate rates by booking rooms in our reserved blocks.
I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee. They also probably spend less on high-end restaurant dining and bar drinking inside the hotel.
Since the pandemic Vegas has had a pretty strong resurgence in general and this may be a sign that Caesar's is doing well enough they've decided there are higher-revenue guests they can put in those rooms — even in the doldrums of August (a traditionally slow month for Vegas tourism).
I happen to regularly attend an unrelated, non-tech conference that's always right around the same week as DEF CON. That conference also happens to attract attendees who don't gamble or spend much at the hotel other than room costs. The reason the conference organizer chooses August is they get better discounts on their costs from the hotel in exchange for filling up rooms that would otherwise be empty (except this hotel is lower-end and cheaper than Caesar's). This works out because unlike Caesar's this hotel is far off the strip and doesn't have nearly as much dining or gambling revenue potential anyway.
>But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?
Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
> it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers"
At least going by all the entrepreneurship articles I've read over the decade, "firing your customers" is a term of art, and a recommended approach for dealing with unprofitable and/or annoying customers - so I guess this shouldn't be surprising.
> Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
Not to be TOO snarky, but that's kind of the point of contracts - contract cancellation terms aren't an "or else..." threat, but rather an agreed upon exit strategy. Termination fines aren't punishment, they're compensation for inconvenience.
I mean they were both being intentionally snarky. The second snarky comment was used in a mocking tone because the first comment didnt seem to have much empirical evidence to support it
I don't, and that's why I preferenced it as such. Sort of like how you'll self-preface yourself with something like "nit:" before making a nitpick that's meant to be treated as a small note but nothing to consider or delve too strongly over.
The idea is to diffuse siutations like this before it comes about, but I guess nothing is perfect.
Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
If they canceled a year or so before the con, I could see that. But to cancel seven month before the conference? There's no way they will get a decent-sized substitute in the space before then, so I don't see how this would be anything but a money-loser. Not to mention other conferences might be less willing to commit to long-term deals if they see that the contract can be canceled on a whim.
Everyone is missing "but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara" part. So this more like they got passed to a different venue. Not "vegas hates them".
The post says they had to do significant work to secure another venue. While it's possible the author could be lying there is no evidence of this so we must, at this point, take them at their word.
I will need to dig up the archives from DC 27 when the deal with Caesars forum was officially announced, but if memory serves me correctly DT said it was a 5 or 10 year contract. So unless there was some verbaige in the contract that allows Caesars to cancel for any reason, they're going to be cutting DEFCON a check.
Who knows? But a more likely hypothesis is that the organizers were betting that they could come to terms on a renewal and at the end of the day they couldn't.
I see people go all out in LV and drop a lot of money at restaurants. I guess it depends. Then again if you've already been in LV for a few days due to BH you might be over the bell curve on spending for the week. I guess it depends on when you get in. I tend to drop more money Wed-Thur.
> Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".
The announcement effectively calls it "no-notice cancellation" and overall it reads like they were already deep in the planning phase when it happened, which seems unlikely if a renewal was pending.
Its odd though - i would assume a conference of this size would have penalties in the contract if the venue decides to pull out without cause or sufficient notice.
To a point yeah but the venue also has the power not to sign the contract in the first place (ime the venue is the side typically negotiating from the position of power) if they think the penalties are too high on their end.
In all likelihood they ran the math and figured it was worth it to yank the rug out from under Defcon, penalties be damned.
The simplest explanation is often the correct one. Casinos aren't exactly known for having moral qualms. They are, however, known for caring about their bottom line. They probably analyze every single event they host and then shuffle things around to maximize their expected revenue based on their past experiences with the same type of event.
Companies/Vendors usually host corporate conferences around this time as well.
A large company has probably decided to move a conference to Caesar's during that period, and that got Defcon bumped. Especially because DefCon has become massive, so the RoI has shrunk due to staffing overhead.
There are certainly a lot of DefCon attendees who think that this describes them. In my observation they are all very incorrect, usually humorously so fortunately.
My first thought was that GP was saying DefCon attendees would be counting cards, which is an effective and legal way to beat the house[1] (until you're caught and banned from the casino).
This is not true. Besides continuous shuffler machines, most casinos have 6 or 8 deck games that have plenty of 'penetration' (card counter term for depth into the deck that the cut card is placed) to offer an edge if you properly card count. There's also a big game to be played where rubes think they can card count and instead lose tons of money attempting to do so.
The problem with card counting generally is that the casino has infinite money and never runs out, thereby they can sustain large expected value swings... whereas you need an enormous bankroll to handle those swings, assuming they don't throw you out before that happens.
There's plenty of doubledeck blackjack with good penetration in Vegas, especially in high limits rooms. The problem nowadays is that the casinos are also counting, and the patterns are simple and easy to track with the tech we all have. Changing your bet even a couple times based on the count can have the pit boss getting a call to remove you.
There’s a huge difference between: “if you do X, you will be asked to leave” and “if you do X, the police will arrest you”
Like, when I invite someone over to a dinner party, it is against my policy to insult my dog. If you do that I will kick you out (not actually, he’s a dumb klutz, you can insult him all you want), but that doesn’t make it illegal to insult my dog.
True but not relevant. Police and legality do not need to be involved with certain kinds of casino justice. Security may just offer to beat your ass if you won't cease and desist, avoiding the paperwork. Could be bluff but they know where cameras are and have cop friends..
You need to check a calendar and see the current year - the days of Casinos' roughing up card counters is long long long gone. Might be great for your screenplay or fan fiction but doesn't match reality.
Strange that you can be so confident about this with private security when even actual police are sometimes involved in cases of excessive force, corruption, coverups. Besides, whatever your personal knowledge/experience is it can't be vast enough to prove a negative here, and only one counter example is needed.
Regardless of the year I think you might want to reconsider your overly confident notions about fiction/reality or at least the condescending tone. I don't know what is institutionalized in what places, but have been threatened by casino security. Fuck around and find out I guess
From where I stand, you'd need to show it's systematic. One single instance is not enough for me. Because your claims are general, as if they applied to many casinos.
I'm kind of perplexed by the blanket assertions here as if private security everywhere will never offer either threatened or actual violence in either official or unofficial capacity.
Nevermind casinos, do people think every bouncer at every bar is merely for show? Since "management reserves the right", trespassing, threats and assault are not really a huge due-process kind of thing, and local establishments/insiders rank higher than outsiders. Within reason they know what is allowed and that isn't always going to be exactly and only whatever the law technically says.
Edit for even more context. For people that don't know already, not every casino or bar is owned by some megacorp who gives a shit about PR, has tons of cameras, has some HR department to educate staff on doctrine, etc. Many casinos are literally in sovereign territory of indigenous peoples also. Not that summary execution for offenders will be status quo there, but come on folks. The world is large and complicated, so simple stories about it are usually incomplete
I mean, I think you're making up blanket assertions where there are none. I haven't made a blanket assertion. I specified the difference between policy and legality.
I then said "I don’t think most casinos have private security that will beat you any more" That's not a blanket assertion. It specifically says "most casinos".
I have never asserted that it NEVER happens and can NEVER happen.
So, I think your confusion is a product of your own assumptions.
Fair, you're as careful to use qualified language as I think I have been. Guess I wasn't really replying to you but just frustrated by the thread in general.
I'd be willing to be that the intersection of people who think this and then choose to engage in gambling anyway, is probably one of the highest grossing demographics that exist.
Not just statistic. There are plenty of smart defcon people who understand statistics but don't understand that if you start winning they'll just kick you out.
Not sure that's true, actually. The usual strategy appears to be to comp the gambler with generous stays at the casino they're a patron of, with the expectation that they'll dump their winnings back in the next day.
Taken with a grain of salt, as my only knowledge of this is via Hollywood movies. It does make sense from a game theory perspective though.
I am very doubtful. Outside sports betting (where you can actually outsmart the house) we loved winning players when I worked in online gambling. Winning players are much more likely to return and lose more than they ever won.
Not really, no card counter goes unnoticed forever. It's about making sure you get enough time to play when the count is high that you manage to earn money. If you're curious about the life of card counters I can't recommend this YouTube channel enough: https://www.youtube.com/stevenbridges
…because it’s actually extremely difficult to do with the countermeasures casinos now use, more decks and random cutoffs. Letting you try is very profitable though.
The whole environment part is of course not useful. None of the monitoring happening where you can see.
Which they rarely do now because the number of people able and willing to count a 7 deck shoe with a random cutoff is extremely small and it benefits them to let people try.
Do they still exist? They have closed most of the gaps previously exploited by card counters, and continuous shufflers are everywhere.
I think the only ones who can make money are those playing poker and are really good at it. That's because they are playing against other players and not the bank. They still have to beat the rake.
I'm not even sure comp players, that is those who play to get non-cash rewards like travels, restaurant and hotel stays while minimizing their losses can still have an advantage. I heard that casinos calculate comps by expected losses, making sure they stay on top (statistically).
And they are cheaters, but it is like saying thieves can make money.
> And they are cheaters, but it is like saying thieves can make money.
Absolutely not. Using your brains to keep track of cards is not cheating in any way, shape or form. They are simply using all the available information and some pretty basic math to them to gain an advantage.
Calling card counters cheaters is like calling chess players with better knowledge of patterns than their opponents cheaters. They are not cheaters.
The post you are responding to addressed card counters at the top, claiming the casinos have closed most of the loopholes that enabled card counting to be profitable.
The cheating it mentions at the bottom is not card counting (technically legal), but genuine cheating.
Card counting is cheating.
Thinking before playing is cheating.
Also, knowing the rules of the game is cheating.
You should only play at random and never ever think
Not everything is about money or the bottom line. Sometimes it's about politics. Vegas takes a loss on so many things. Nevada has grown more and more corporate over the years. This move doesn't surprise me at all.
> Sometimes it's about politics.
> Nevada has grown more and more corporate over the years.
You make it sound like it's entirely about money and the bottom line.
I have a hard time believing gaming doesn't provide _huge_ contributions to favorable politicians. I feel like you've got something to say, and maybe something really interesting. But what you've got if awfully vague.
If you've got the time or inclination, I'd definitely read an elaboration of your meaning.
Ideologically Clark County has changed from the influx of Silicon Valley influences starting in the 90s, which is why we have CES here.
Financially the strips have massive amounts of money flowing into it from every angle. Construction is booming and housing cannot keep up with the demand. If you view LV from the surface then it seems like the economy is trashed - lower travel rates, millennials are not into gaming as much, and the virtualization of gaming is competing. But the reality is business for "living" is doing better than ever before.
Because recent politics has changed ideologies with modern corporations several things have changed. For example skids were never part of LV ever, but that has changed in the last 10 years directly because of these ideologies. https://www.cbsnews.com/news/u-s-first-public-needle-vending...
Do you think these same Corporations look fondly upon DEFCON? They would push it out eventually as it's not safe-hacking.
What are the politics? One of the richest and most profitable industries on Earth wants to have a conference where they show slide shows to each other. Really not much different than any other conference, and probably more ethical than most of them.
Doubtful, I'm sure it's related to the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully). The juice just ain't worth the squeeze. They have a business to run, and the risk of having a bunch of drunken and high hackers who happen to be the best in the world running amuck is not their idea of a good corporate event.
Caesar's apparently explicitly said it wasn't related to anything the community did. It's possible that they're lying for some reason, but it's also possible that they're telling the truth.
> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.
To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms. Just say nothing, part amicably, everyone moves on without drama.
With that said, they probably weren't lying. Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.
> To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms.
This is how it works for at-will employment, but it would be a very weird contract that allows backing out only if you don't say why you're backing out.
Let's say Caesars states, "we just got hacked and, as has been reported in every major newspaper, paid $10 million as ransom. We have reason to believe one or more attendees of DEF CON were part of that group."
How does making this statement this benefit Caesars in any way? Now DEF CON can demand some proof of this claim, or sue for defamation, or state that without proof, Caesars isn't acting in good faith, whatever.
Yes, most likely. That's why it would make zero sense for Caesars to state anything publicly that would antagonize members of the community. Saying nothing (or even praising DEF CON, and claiming it was a "change in strategy") is the smarter route.
> Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.
Most Def con visitors would be white hats so that would be a bit disingenious. I would expect most attendees to behave (reporting issues after finding one)
Especially considering they just got hacked, a few pentests would be good for their business.
you say that like a person informed enough to know what a white hat is lol. Let’s be real here, even the ethical hacker bunch can look VERY wonky and rowdy to an outsider, especially if you are as far removed as the hospitality industry. The only time they had to deal with hackers in the recent past was decidedly painful for them
being ambivalent towards a group, filling up your hotel, but otherwise alien to you, may be a little less polarizing than just having been forced to shell out $100M to a similar sounding demographic.
Primarily, it's about public image. It would look idiotic to host this group, regardless of intention. And it's about insurance -- logical or not, their insurer probably insisted they quit inviting DEF CON and associating, in any capacity, with self-identified hackers.
Dunno if it has anything to do with it but they did get haxx0red last year at the same time as MGM, except Caesars paid up and MGM didn't. Hotel room cards, casino play cards, etc were down for ten days at a bunch of the MGM-owned properties (a.k.a. the half of the Strip not owned by Caesars) https://en.wikipedia.org/wiki/MGM_Resorts_International#Las_...
About a month after the conference would be enough time to discredit an obvious connection to the conference, while still making use of security breaches that might have been found during the conference. Most security experts know you have to abandon security hopes if you give the hardware to the user with direct access. And with a conference of DEF CON's size, you only need 1% malicious actors for 300 tragedy of the commons results.
MGM's not that far away on the strip for somebody to find a security exploit, and then start checking every nearby casino to see if it works at those casinos. Found a $1 million exploit? Might walk a few blocks to see if it can turn into a $10 million exploit. Non-negligible risk from a casino perspective.
Average casino-win per customer is usually ~$100/admission. [1] Three days [2] gambling for 30,000 = 9,000,000. Hotel stay revenue helps, yet it's usually only 25% of revenue per guest. [3] Casino visitation and attendance has also rebounded significantly in the last few years. [4]
So, higher than normal costs per attendee, attendees who believe they all spend less than normal conference participants, anecdotal stories of repeated high cost issues each year to resolve (ex: concrete poured in sinks on purpose, rooms broken into, satellite dishes stolen), increasing attendance numbers in Vegas, and a multi-$10 million slap a month afterward based on social engineering.
> the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully)
If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.
And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.
You're getting flamed by accounts below but they're largely wrong.
Most casinos rent their gaming equipment from IGT, who directly manage most of these systems. IGT also has a fairly robust security team, having worked with them back when I was still a PM in the space.
Organizations like Caesar's aren't the greatest security wise, but that's largely because they have low margins because they are primarily property holding companies that are operating Casino/Gaming that they rent out from vendors like IGT.
This has been changing after MGM, but I don't think I can discuss it deeply.
There are actually very few people with pentesting skills at Defcon stronger than running burp suite, and fewer still of those that are blackhats. Those with skill can do very well for themselves legally, and know better than to risk their careers getting caught messing with casino systems.
In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.
My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.
Not sure I agree with the idea there are very few world class hackers there. I've watched a few of the capture the flags and almost immediately they went over my head and I felt inadequate. lol.
It's mostly with liquor bought from offsite and drunk in rooms/private parties, not via Caesar's venues or catering (there's a lot of that too, and this is summer dead period, so it still may be good).
I accidentally bumped into a random guy there before the con started, and we ended up chatting and he bought me a beer. I saw him there the next morning. And that evening. And at 2AM. Almost every time I walked past, the same guy was in the same seat, enthusiastically laughing and drinking with his buddies.
I heard a joke a tech conference people in Vegas many years ago. It goes something like "people who go to tech conferences in Vegas bring one shirt and a $20 bill and never change either." So yea, programmers generally aren't gamblers because they know enough math to know the house always wins.
In my experience, programmers like poker, but not games of chance. This also describes me. Poker is a data-heavy game of skill and memory, Craps is about the opposite.
I went with a bunch of CS/bioinformatics/MD IITians to Reno, NV once. They were just there to gamble on games of chance. Personally, I think gambling is boring and stupid if the expectation isn't significantly positive. I'd gamble if skill was the dominating factor and the expectation wasn't so abysmal.
If skill is the dominating factor, almost by definition it isn’t gambling. This is what allows bars and other institutions not licensed as gambling centers to host poker games. (which might be of interest to you)
Most people appreciate the skill poker requires, but like me never want to bother learning it. If I (very rarely) go to casino I'd just play games of chance for a defined loss budget and just stop playing when I either lose it or win enough to get dinner for the group.
Eh, I’m a programmer and I go to vegas with other programmers fairly regularly. We know enough math to know the expected cost per entertainment•hour is comparable to many other pass-times.
But even so we’re actually all net-positive on the city, thanks to a couple “lucky” craps runs.
I agree that's the right approach. Have a budget, play fun games. When your money runs out, quit. In the meantime, enjoy the free watered-down drinks and unhealthy food. Just like when my friends and I would go to the arcade with a handful of quarters, except they charged money for snacks.
House sets the mean and variance, how could they ever lose? Only thing left to make it work is volume, transactions volume, so variance can be minimized.
You can view their financial statements [1]. I am sure the 'casino' category includes things besides gambling, but it looks like the largest share of their revenue.
Be sure to subtract expenses. So for 2022 you have 2500 for casino, 500 for food, 1500 for hotel, 800 for "other." And there's definitely some counterintuitive accounting going on there, because that 2500 would imply a profit margin of 41% on casino, but Vegas regulations require gaming machines to pay out at least 75%, leaving a profit margin max of 25%. The card games and other games of skill wouldn't have such restrictions, but it seems pretty difficult to imagine that they'd be high enough margin to result an overall of 41%.
The requirement is that the expected value for a play on a machine is >75%. And most are >90%. But that’s not a cap on profit margin, as 25% of the expense for a play may be more than the cost of that play.
Eg, having a machine that costs $1 with $0.75 expected return (and $0.25 revenue for the casino) may only cost the casino $0.10 a play — which would be a 60% profit margin.
Expected return on a machine and profit margin on that machine are literally identical. Imagine there's a hypothetical $1 machine where we simply remove variance. So you insert $1 and you get $0.75 back. It should be clear that for each $1 of revenue, the casino profits $0.25. This is a 25% profit margin. Variance can add some noise, but does not change the long-term expectation, which is what the regulations are based on.
You don't understand casino accounting. Gaming WIN is revenue. If you put $100 in and get $75 out, that's $25 in marginal revenue with zero corresponding costs. The $100 is a statistic that the casino records, but it does not factor into profit calculations (total, or margin).
Gaming does have expenses -- labor (mostly dealers and slot attendants & mechanics), costs of purchasing and leasing the machines, and some other miscellaneous stuff... but profit margins on pure gaming are very high (and not limited in any way by the 25% maximum hold percentage that you reference)
Look at it a different way. The casino never had that dollar, you inserted a quarter and they gave you light show that cost them a cent to put on. You enjoyed it so much, you did it four times.
Now the casino has your dollar and it's "costs" were four cents in electricity/maintenance. A much higher profit tham 25%.
That sounds intuitive, but that's just not how revenue is defined for a business like a casino. The casino had $0.25 revenue, and its profit is whatever is left from the $0.25 after paying for heat, light, maintenance, cashiers, security, etc.
Other businesses are treated like this too. If you are a high frequency trading firm and you buy 1000 shares stock for $99.99 each and sell for $100, you didn't have $100k of revenue - you had $10, and your profit is what's left after paying for staff and computers.
Yes, if your business was a supermarket, it would indeed work the other way, and it's not obvious to the literal- minded where one treatment should stop and the other should start.
This is similar to not counting bank deposits as revenue and withdrawals as costs. Only when your money goes to pay fees is it booked as bank revenue. The same for money transmitters like Western Union.
And perhaps is more obvious when you consider what happens when there’s only players, eg, poker. The pot is held in trust, until the game ends and the losers forfeit their money to the winner. At no point does it belong to the casino.
That doesn’t change when the casino is also a player.
Yip, I agree. I'm aware of gross gaming revenue and was involved in the industry in a past life, though obviously never filing as a casino. The thing that misled me, at a glance, was their costs - $3.5 billion. I wasn't aware there'd been massive consolidation in the casino industry, and thought I was looking at a casino's costs/revenue (in which $3.5 billion would be insane without it including losses), not a sprawling corporate enterprise.
Except that you have expenses, like rent for the machine, maintenance for the machine and building, energy costs, staff salaries, cleaning costs, security and IT spend, etc. etc.
So no, profit is more like gross revenue minus expenses and taxes.
You could easily have a machine with positive EV for the house that has negative profit.
"I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee."
There is the story that the American Physical Society was not allowed back after in 1986 Vegas supposedly suffered its worst week in history.
First of all there is no real evidence that this story is true and secondly it doesn't make sense to me that they would cancel DEF CON after so many years for that reason. They would have done so much earlier, probably.
I heard this story many times. One of them was froma graduate student who attended this meeting. APS March meeting happened in Las Vegas again last year (2023). While there was no official ban for APS Conferences, there was a little interest in las vegas to host anything for APS for a ~35 years.
All of the more recent years that I did DEF CON I was with large groups of people going to high end restaurants and (ab)using the hotel bars. In fact the hotel bars were always packed.
My suspicion is that Caesars is trying to do something like play with headcount. Late summer is not just a weak time for conferences but DEF CON needs a ton more space and a ton more human babysitting across that space than any other conference. You don't see EVO or BlackHat getting cancelled (same exactly time window) because they're pretty contained in one place.
My guess is that Caesars needs to staff up a little for DEF CON or that they may even be considering reducing staffing in late summer. Con attendees are going to stay at their properties and use their bars/restaurants/tables anyway.
...although now that I think about it, EVO was moved up 2 weeks and has a new unannounced venue this year, so maybe this isn't isolated to DEF CON.
...and also the Venetian is having its convention space renovated until 2026...
Black Hat is a giant commercial conference run by a company that runs dozens and dozens of giant commercial conferences. No event venue is ever going to fuck with them.
Also Black Hat brings a lot of more-corporate, less-hacker types, who are probably likely to have much higher spend, possibly more gambling, and certainly dining expenses covered.
Combine low ARPU with perceived risk (in the wake of the Vegas hacks last year) and a termination for convenience clause and this is a no brained for Caesars. There’s just not enough upside for Caesars to host in their marquee properties.
im really sure you have found the answer, it’s most likely more of a perceived thing than any of us wants to admit. DEFCON attendees can be walking stereotypes at times anyways, but the combination of drunk, low yielding hacker(wo)men(tm) roaming your hotel probably just made the juice not worth the squeeze.
It's basically "a no harm, no faul" termination of an existing contract, and is fairly common in competitive markets where there is no long term strategic partnership to develop an unique product.
If it's the buyer terminating it's either because the product is either no longer needed or an cheaper supplier was found, and if it's the seller it's caused by all sorts of resource optimization reasons(aka someone being willing to pay more for the same limited resources, or an increase in cost making unprofitable).
I've heard stories about "hackers" at former DEF CON's pouring concrete down sinks and doing all sorts of other socially clueless vandalism, and resulting backlash for the organizers. While the infosec community is much bigger and more... "normal" than it was back then, I imagine the guests are still more of a liability than the average conference attendee and as you said, probably not big spenders.
The simplest explanation is they don’t like hackers after their experience. So they push a bunch of hackers buttons with a last minute notice and prepare the honey pot to pen test their post ransom security posture and maybe in the process they find an amateur to pin it all on.
I attended an earlier DEF CON (5 or 6?) where the attendees:
1) Hacked the in-circuit TV system and broadcast their own pirate show
2) Gained roof access and removed the satellite dish
3) Spilled hookah coals onto the bed starting a fire
4) drove the janitor's golf cart into the pool
and that is only what I witnessed firsthand. I can only imagine what else went on. Maybe the attendees low spend was only part of the equation?
That sounds like DefCon 7 at the Alexis Park. I think I remember seeing a photo of a golf cart in the pool.
I quit going after 7. It seemed like they partying had vastly I overtaken any actual technical content. I don't drink and I'm not super social, so it just seemed like it wasn't "for me" anymore.
Edit: It has probably changed in the intervening years but every time I looked into it it seemed like more spectacle than tech. DerbyCon filled the niche for me for a few years but then it got impossible to get tickets for and imploded. (I know there's a lot of backstory about DerbyCon that I don't know, too. For me it was just a fun way to feel a little of the DefCon 3 vibes again.)
I was at DEF CON 26 & 27 and people had punched/torn holes in the drywall in several places, and at one stairwell where you could reach up and slap the ceiling, chunks of ceiling were falling off from where people were gouging it.
DEF CON is a hell of a party, and I hope to go this year, but the attendees are a force to be reckoned with. Even I ended up fucking up a homemade badge, and tossing a failing lithium battery into the trash in the middle of a casino, only to learn later I created a trash fire, so I know firsthand that we're a problematic bunch.
I've seen bottles of alcohol passed around doing talks and heard more than a few really off color jokes about criminal sex acts and such. Vegas waitresses have seen it all also but there was over the top behavior.
We're in a victim dominant culture now, "it's not you or what you've done, you're just a victim of evil or something" but at more than a few Def Cons and more than a few times, it was really uncomfortable to be there and see some of the stuff that was happening.
And they are perfectly fine with the crowd. I've chatted with many hotel staff and almost all of them are happy with the DC crowd. Generally tips well and are polite even when drunk, some assholes, but thats normal with any crowd.
Worst case scenario is usually they tell people to disperse, but otherwise, they always seemed to laugh when they saw shenanigans (except for people fucking with Casino machines, thats a fast way to make them mad)
Probably, because of what mrandish said at the start of the thread. Management thinks they can earn more money from others. If hotel staff is treated well and/or gets good tips doesn't factor in the decision process which event is hosted. As long as someone spends enough for managers to get their bonuses management is happy.
It doesn't appear there are any similar sized conferences scheduled for the original time slot though? Or that there will be one in the near future, unless you know of some information.
I attended Def Con 7 and witnessed people pick the lock of a utility room on my hotel floor and change the phone wiring.
Also, I was a 17 year old girl at the time, and I felt sexually threatened several times during the event. That is the only place I have visited where I would make a statement of that nature.
I think you're on to something. Most DEFCON attendees can do rough calculations in their head that their chances of coming out on top in Las Vegas is extremely unlikely, and choose just look around and buy some drinks and cheap food.
It was Defcon 6 if I'm not mistaken and someone actually didn't go because of it which is how it became a meme.
Here's at least one source corroborating that[0]:
> "I think it's from around DC6 and is a reference to our only near brush with cancellation at the Monte Carlo for DC4," Def Con spokesperson Darington Forbes wrote me in an email. "I wish I had more to tell you—since it happened seventeen or so years ago my info is murky. Something about a casino mogul preferring we not use the Monte Carlo, threats of legal action."
> @ivydigital DEF CON - cancelled annually for over 20 years
I find this strange but not surprising. I've heard of speed bumps in the past related to 'hackers in town' and I wouldn't be surprised if it comes out later that it had something to do with it, even if unfounded. I think overall, having that many 'hackers' in town makes people overly paranoid.
<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>
I don’t think it’s that bold of a claim. Organizers ask attendees to spend a lot of money to attend, buy lodging and everything else, not to mention pay a lot to organize and it takes a lot of time and effort to line up all the required facilities. I’ve been part of organizing at least a few big events and if we had a late stage hard cancellation, there probably would’ve been lawsuits.
There's a huge difference even at this scale. Seven months was apparently long enough for them to make arrangements to hold it at another venue nearby (I'm sure rearranging it is/will be a lot of hard work, but they're doing it); would seven weeks have been?
I mean, they've been running this event, which has topped 20k attendees, for something like 30 years. So one entity with the relevant experience is... them?
In 20+ years of attending events events regularly I have never heard of a venue change on relatively short notice. In fact to the degree some conference moves from, say, SF to Vegas, they usually announce that at the previous year's conference.
Not a fan of what DEF CON has become in the last years, so I selfishly hope it somehow "goes away" and reborn in a more technical and actual hacker note.
Too many "security researchers", "staff engineers" and people playing politics.
But I suspect they will have no problem finding another venue, sponsor money has been flowing quite well, so I wish them well.
There are dozens of other conferences that do anything else you want a security conference to do. The point of Defcon at this point is to be the giant annual social event.
I don't have a ton of love for politicking, but security researchers and staff engineers, a lot of the time, are people who either have a career in a really interesting area in infosec and can bring a lot to the table as teachers/presenters, or people who want to get into that area and who'd benefit massively from a place like DEF CON considering how accessible its talks, demos, and villages are to people of all skill levels.
Socialising, learning hacking history, and getting to know the traditions is always a great side effect that the DC crowd's been good at passing on to new generations. Goons still give people shit for misbehaving, speakers still take shots, TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
I'd venture to say it's against the spirit of the con to try and gatekeep it.
Having said all that (and the irony not being lost on me) -- linecon's definitely getting worse, and I'm worried that DC's becoming a victim of its own success, with its accessible pricing and subject matter being counterbalanced by having to manage a 20-30k person crowd. I don't have a solution for this outside of decentralization, but I don't know if that's a good solution.
> TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
While you're over there look around for the Tamper Evident Village and we'll happily demonstrate and allow you to try removing Tamper Evident Seals of various kinds.
Also very cool stuff. I always see TEV bogged down with tons of people so after 4 cons I still haven't had a chance -- and while I have to miss this year, I'll hopefully swing by next year and check it out!
I can't edit my original comment anymore, but I'll add: OG DEF CON stuff still happens, too. Parties, secret parties, parties that take a full day or two of codebreaking a badge to get to, demoscene stuff, drinking, public art, you name it, it's there -- it takes a back seat because DC does have to focus on mass appeal these days (I believe, because of its accessibility promise coupled with the number of people coming out).
I forgot these when I wrote my original post at 1AM :)
I have always hated the secret parties. As soon as I found out about them, I set about infiltrating them just to fuck with them. One of the reasons I left the hacker community was the toxic elitism and posturing.
Without robust and easily scaled infrastructure in place ahead of time, an organic DDOS is one of the most difficult situations to mitigate. Not much can be done in terms of traffic shaping, rate limiting, or bot detection.
I agree. Protecting against DDoS attacks is incredibly difficult. I'm just enjoying the irony of Def Con, the premiere computer security and hacking convention, not being able to handle traffic.
To be fair, I don't think they crashed; I saw a "sorry too much traffic try later" type message. Still amuses me.
I guess it's funny, but the attendees don't necessarily represent the organizers. The best hackers in the world may be in the building during Defcon but I don't think the Defcon organization itself necessarily employs them.
the current way to most effectively get around DDoS seems to be using a proof-of-work based frontend run on as many revolving reverse proxies around the world as you can afford. this is what kiwifarms does. seems pretty effective and a lot cheaper than what the people bankrolling the attacks on them are spending.
An HN front page “DDoS” is like 20K hits. This isn't some complex scaling challenge. Any website on the internet should be able to handle it, especially a purely informational one.
I had my blog be on the front page for ~6-8 hours racking up 100k+ unique loads. It also managed to survive just fine on a $5 VPS so I would hope that other sites could survive.
The IP of the site reports as being a Comcast IP address. Surely this isn't hosted on some guy's home server? Even their business class service wouldn't seem like a good fit, especially for an org like Defcon.
Absolutely, I'm already seeing some chatter from groups that want to get "even" with Caesars for displacing a 25 year tradition for strategy. I hope they have some good defenses installed now that you've pissed off no less than 10k infosec people.
This kind of comment on HN is always fascinating. Is it just simple trolling? Is it cosplay? Is it someone new (or old) to “hacking” sincerely trying to “no true scotsman” attending def con?
I have to say as a European the choice of location has always puzzled me. Corporate interests basically run las vegas, I find it a really odd choice for such a free-thinking anti-establishment community.
DEF CON started as a bunch of teenagers running away from home to get ridiculously drunk and trash some place, and it hasn't changed much. Vegas was the perfect choice. It was a party. Getting to smash up an obscene capitalist hellhole was a key perk, and still is to this day.
Ahh I see. This way it makes a lot more sense, thanks for the explanation :)
I go to a lot of European hacker parties/camps and I can certainly recognise the mindset you mention (and I identify with that mindset as well even though I work in a corporate job). For this reason Las Vegas made no sense to me but in light of your comment it does now.
And yeah getting ridiculously drunk is definitely part of the experience :D
>And yeah getting ridiculously drunk is definitely part of the experience :D
Since we are talking about stuff that we don't think should be associated with hacking this is my own pet peeve. What does "getting drunk" have to do with hacking? And why is it always "absolutely smashed" or "ridiculously drunk". I get that most hacker types are shy introverts and couple drinks makes things more fun and socially fluid, but why does it need to go to hangover(s)? 9
This is primary reason which keeps me away from many "hacking camps", they are cool for couple hours, but as the sun goes down things just get sketchy and boring when I have to take care of bunch of drunk strangers.
I don't drink alcohol and I've been to every DEF CON for the past 22 years and had a blast at every one. Some people are into that sort of thing, and that's fine. Some people like cocaine and strippers. Some people like dressing up in giant fur suits. The important thing is that whatever you're into, you'll find countless incredibly intelligent and thoughtful peers to hang out with, and talk about weird hacker shit.
DEFCON needs a HUGE convention space. The size alone rules out the majority of possible locations.
Then comes the cost. August in Las Vegas is off-peak season which helps keep the cost down. Anywhere in Silicon Valley (or really anywhere in California) would be insanely expensive.
There's also convenience of travel. Las Vegas is such a huge tourist city that it makes getting flights there cheap and easy no matter where in the world you're coming from. My first time going to DEFCON was in 2017 and my flight from Portland OR was only a hair over $200.
I wonder if Caesars' cybersecurity insurer had an opinion about writing a policy for a casino resort that hosts something like DEFCON, especially after the MGM hack.
After last year, Caesars likely has a large insurance policy covering against ransomware attacks. That policy probably says something along the lines of "valid as long as you don't knowingly invite tens of thousands of hackers to your property"
You know, why the fuck is DEFCON in August, in Vegas? Like, you know a nice place to visit in August? Kodiak, Alaska. Portsmouth, Maine. Sydney. List of places I would never want to visit in August? Vegas. Houston. Vegas. New Orleans. Vegas. Mumbai? Maybe. Baghdad? Definitely not. Also, Vegas. My friends in Christ, why, does anyone, think Vegas is a good idea in August?
Vegas is great in August. It might be super hot but it's also dry. Whenever I go out to DEF CON, I take a day to go out quadding around the desert and shoot some guns outdoors.
The whole damn strip is air conditioned and misted so it's not really a problem. A few years back I participated in a scavenger hunt during DEF CON and it was taxing but I would do it again.
New Orleans is hell on earth that time of year though -- never again.
I don't care to go to Las Vegas, and I don't care to go to DEFCON, but you can easily fly from anywhere to Las Vegas, any time of year. (Subject to US visa issues, of course)
Others have said August is off-peak for Vegas (perhaps because of the weather), which means its a good time for a conference as space should be less expensive.
If we wanna be frank: lotta tech is in silicon valley and Vegas is probably the closest "large" hub to travel to (Maybe Los Angeles is closer, but not by much). It's the cheapest option without simply staying in SV.
I'm sure the other places suggested would have been nice, but you turn one flight into 2, maybe even 3, have to search for a venue and accommodation for 100s/1000s persons (even if they self book), etc
Conference tourism is big business and the big conferences want friendly places that fit their budget and make it possible for people to attend it
We also believe in constant air conditioning unlike the East coast and defcon is probably not the group walking around outside the hotels much.
The heat sucks but it’s not like it’s that hard to avoid on a conference trip. It’s when you live here and have to hop in your plasma generating car that makes you wonder what the fuck is wrong with you
That’s the stupidest thing I’ve heard. It’s nice and hot in Vegas in August. Alaska? At best it’s fucking 50F, that’s deeply uncomfortable. Walking around in that feels like I’m dying inside. Also, it’s a goddamn convention not a business meeting. People want to drink, watch some shows, gamble a little bit, walk around on the strip. Have a good time in general. What the fuck are you gonna do in Alaska?
The heat is really not that bad. I absolutely hate the heat, living in the midwest the summers are unbearable to me.
Yes, it's hot, but you can still walk outside without becoming a sweaty mess because it's so dry. And you're probably not going to be walking outside very far, it's a very unfriendly place to walk outside of the prescribed separated paths on the strip.
The problem is that the con was now spread out over multiple casinos/hotels so the odds of having to walk outside at some point have increased, even with some of the hotels connected internally.
The fact that it js now at the convention center and likely all under one roof is an improvement, IMO
Check out https://www.flightsfrom.com/explorer/LAS — particularly comparing its direct flights from all over the continental US to the same for other American cities.
That settles it, DEF CON in Dubai, London or Amsterdam. I vote for Amsterdam.
Frankfurt also has the most international destinations (just not volume).
(Probably not Dubai, considering a few speakers would be thrown out at the border - or worse if they get though. It's also artificially inflated because it's almost all transit traffic).
Aimed largely at the MENA, SAARC, and a bit of the APJ market.
Most DefCon attendees are in North America, which makes the flight to the UAE hellishly long and expensive.
Most attendees are also expensing the trip, so a $700-900 round trip ticket plus an additional $500-700 for hotels makes Managers balk, as that's a major expense coming out of your yearly budget.
Also, DefCon sponsors largely showed up because it was occuring around the same time and same location as BlackHat
Source: travelled a lot for corporate tech conferences in my PM days.
Terrible location for any conference that cares about everyone being able to attend. While one could argue about "hiding the gay" (I'd still say that's hard to impossible), I would never be able to attend as visibly trans.
No community which has a healthy amount thinking about ethics and stuff would want to go to Dubai. Sorry but Dubai is one of the worst rich citys in existence.
Europe has CCC. CCC is older than DEFCON. It sucks for Americans to go across the ocean. Also given that I just came back from a month long eurotrip, hospitality services in post COVID Europe is even worse than it was before COVID. I'll stay in Vegas.
It started there initially because a bunch of hackers wanted to hang out together and the cheapest way to do that was to all fly in the Vegas in August. It’s tradition but also still somewhat true for the reasons you articulate.
Convention space and room blocks are fairly cheap to rent in Las Vegas.
No other city in North America has a similar amount of space or options for low cost block booking.
Also, plenty of DefCon attendees and sponsors are also attending BlackHat at around the same time, so it makes it easier to justify expensing most of the cost as an employee.
Point being that it’s been a rough ride over the last few years. Combine that with corporate events probably being far more lucrative for Caesars I.e suits drink and gamble harder than geeks - I’m not surprised by this.
TBH my team and I skipped DEF CON last year and threw our own event in Banff instead because DEF CON has become quite boring with long lines and a Groundhog Day feel to it. If you’re looking for a proper con check out a local B-sides or a smaller legit con like Shmoocon.
When I'm at DEFCON, I bring a fun little device. It's an ESP8266 that constantly listens for WiFi probes coming from people's mobile devices. It then displays the SSID (the network name) on a scrolling LED text display. I keep it plugged into one of those Anker battery banks. 10,000 mAh will power it for ~16 hours, so it lasts the entire day.
In 2021 I paid in cash, showed my physical ID and vax card, and was on my way with my badge. Nothing about the exchange was recorded. They take privacy incredibly seriously, especially the goons working registration. There was also basically no COVID that year, despite DEF CON happening right during the Delta outbreak. A big nursing conference the week before got hit hard with Delta, but DEF CON took that shit seriously, and it worked well.
Pretty sure there was no vax check in 2022 and 2023, and I do know some people who got COVID in those years, but people who took decent precautions were generally able to dodge it.
That was only for a single event. DEFCON no longer requires proof of vaccination or ID.
And as the other commenter said, the information wasn't recorded.
Also, the majority of DEFCON attendees no longer care about being anonymous. It's not this secret underground thing. Many employers pay for their security staff to go to DEFCON. For a few years now, you can even pre-pay for your ticket online with a credit card which makes getting reimbursed for your ticket a fuckton easier. Also means you don't have to carry $500 in cash.
407 comments
[ 3.4 ms ] story [ 319 ms ] threadAfter a great 25 year relationship Caesars abruptly terminated their contract with DEF CON, leaving us with no venue for DC 32, and just about seven months to Con!
We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.
TL;DR - DEF CON 32 will still be August 8-11 2024, but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara.
Not sure on transfers. They have negotiated with Sahara on a rate and are looking to add more.
You can cancel up to 72 hours before the reservation. New room blocks are still being negotiated and will be posted at (link) as they become available. Please help us negotiate rates by booking rooms in our reserved blocks.
Since the pandemic Vegas has had a pretty strong resurgence in general and this may be a sign that Caesar's is doing well enough they've decided there are higher-revenue guests they can put in those rooms — even in the doldrums of August (a traditionally slow month for Vegas tourism).
I happen to regularly attend an unrelated, non-tech conference that's always right around the same week as DEF CON. That conference also happens to attract attendees who don't gamble or spend much at the hotel other than room costs. The reason the conference organizer chooses August is they get better discounts on their costs from the hotel in exchange for filling up rooms that would otherwise be empty (except this hotel is lower-end and cheaper than Caesar's). This works out because unlike Caesar's this hotel is far off the strip and doesn't have nearly as much dining or gambling revenue potential anyway.
Not renew the contract - sure. But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?
Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".
Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
At least going by all the entrepreneurship articles I've read over the decade, "firing your customers" is a term of art, and a recommended approach for dealing with unprofitable and/or annoying customers - so I guess this shouldn't be surprising.
> Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.
Not to be TOO snarky, but that's kind of the point of contracts - contract cancellation terms aren't an "or else..." threat, but rather an agreed upon exit strategy. Termination fines aren't punishment, they're compensation for inconvenience.
Repeating this verbatim in your reply means you are trying to be pretty snarky, fyi.
The idea is to diffuse siutations like this before it comes about, but I guess nothing is perfect.
If they canceled a year or so before the con, I could see that. But to cancel seven month before the conference? There's no way they will get a decent-sized substitute in the space before then, so I don't see how this would be anything but a money-loser. Not to mention other conferences might be less willing to commit to long-term deals if they see that the contract can be canceled on a whim.
The announcement effectively calls it "no-notice cancellation" and overall it reads like they were already deep in the planning phase when it happened, which seems unlikely if a renewal was pending.
In all likelihood they ran the math and figured it was worth it to yank the rug out from under Defcon, penalties be damned.
A large company has probably decided to move a conference to Caesar's during that period, and that got Defcon bumped. Especially because DefCon has become massive, so the RoI has shrunk due to staffing overhead.
1. https://www.freep.com/story/entertainment/nightlife/2016/04/...
The problem with card counting generally is that the casino has infinite money and never runs out, thereby they can sustain large expected value swings... whereas you need an enormous bankroll to handle those swings, assuming they don't throw you out before that happens.
There’s a huge difference between: “if you do X, you will be asked to leave” and “if you do X, the police will arrest you”
Like, when I invite someone over to a dinner party, it is against my policy to insult my dog. If you do that I will kick you out (not actually, he’s a dumb klutz, you can insult him all you want), but that doesn’t make it illegal to insult my dog.
Regardless of the year I think you might want to reconsider your overly confident notions about fiction/reality or at least the condescending tone. I don't know what is institutionalized in what places, but have been threatened by casino security. Fuck around and find out I guess
From where I stand, you'd need to show it's systematic. One single instance is not enough for me. Because your claims are general, as if they applied to many casinos.
To be clear, if they tell you to stop playing, and you don’t, then they absolutely can call the police for trespassing, which is a crime.
I don’t think most casinos have private security that will beat you any more, since they can tell you to stop playing and enforce that with police.
Nevermind casinos, do people think every bouncer at every bar is merely for show? Since "management reserves the right", trespassing, threats and assault are not really a huge due-process kind of thing, and local establishments/insiders rank higher than outsiders. Within reason they know what is allowed and that isn't always going to be exactly and only whatever the law technically says.
Edit for even more context. For people that don't know already, not every casino or bar is owned by some megacorp who gives a shit about PR, has tons of cameras, has some HR department to educate staff on doctrine, etc. Many casinos are literally in sovereign territory of indigenous peoples also. Not that summary execution for offenders will be status quo there, but come on folks. The world is large and complicated, so simple stories about it are usually incomplete
I mean, I think you're making up blanket assertions where there are none. I haven't made a blanket assertion. I specified the difference between policy and legality.
I then said "I don’t think most casinos have private security that will beat you any more" That's not a blanket assertion. It specifically says "most casinos".
I have never asserted that it NEVER happens and can NEVER happen.
So, I think your confusion is a product of your own assumptions.
Statistically, it is not effective. Your card counting needs to be (basically) perfect, and you need very deep pockets to handle extended drawdowns.
Taken with a grain of salt, as my only knowledge of this is via Hollywood movies. It does make sense from a game theory perspective though.
The only reason to kick you out would be if they believed you somehow have an edge on them.
The customer who got lucky at first and is willing to try to be lucky again and again is the best customer for the casinos.
Even if you do get thrown out it is already after you have won some money thanks to your edge and therefore 'outsmarted' them.
…because it’s actually extremely difficult to do with the countermeasures casinos now use, more decks and random cutoffs. Letting you try is very profitable though.
The whole environment part is of course not useful. None of the monitoring happening where you can see.
I think the only ones who can make money are those playing poker and are really good at it. That's because they are playing against other players and not the bank. They still have to beat the rake.
I'm not even sure comp players, that is those who play to get non-cash rewards like travels, restaurant and hotel stays while minimizing their losses can still have an advantage. I heard that casinos calculate comps by expected losses, making sure they stay on top (statistically).
And they are cheaters, but it is like saying thieves can make money.
Absolutely not. Using your brains to keep track of cards is not cheating in any way, shape or form. They are simply using all the available information and some pretty basic math to them to gain an advantage.
Calling card counters cheaters is like calling chess players with better knowledge of patterns than their opponents cheaters. They are not cheaters.
The cheating it mentions at the bottom is not card counting (technically legal), but genuine cheating.
https://www.theatlantic.com/magazine/archive/2012/04/the-man...
Also a couple of video poker variants have actual positive (!) returns with perfect play. https://wizardofodds.com/games/video-poker/basics/#playing-s...
You make it sound like it's entirely about money and the bottom line.
I have a hard time believing gaming doesn't provide _huge_ contributions to favorable politicians. I feel like you've got something to say, and maybe something really interesting. But what you've got if awfully vague.
If you've got the time or inclination, I'd definitely read an elaboration of your meaning.
Financially the strips have massive amounts of money flowing into it from every angle. Construction is booming and housing cannot keep up with the demand. If you view LV from the surface then it seems like the economy is trashed - lower travel rates, millennials are not into gaming as much, and the virtualization of gaming is competing. But the reality is business for "living" is doing better than ever before.
Because recent politics has changed ideologies with modern corporations several things have changed. For example skids were never part of LV ever, but that has changed in the last 10 years directly because of these ideologies. https://www.cbsnews.com/news/u-s-first-public-needle-vending...
Do you think these same Corporations look fondly upon DEFCON? They would push it out eventually as it's not safe-hacking.
> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.
https://www.reddit.com/r/Defcon/comments/1aj6ixn/def_con_was...
To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms. Just say nothing, part amicably, everyone moves on without drama.
With that said, they probably weren't lying. Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.
This is how it works for at-will employment, but it would be a very weird contract that allows backing out only if you don't say why you're backing out.
How does making this statement this benefit Caesars in any way? Now DEF CON can demand some proof of this claim, or sue for defamation, or state that without proof, Caesars isn't acting in good faith, whatever.
Most Def con visitors would be white hats so that would be a bit disingenious. I would expect most attendees to behave (reporting issues after finding one)
Especially considering they just got hacked, a few pentests would be good for their business.
But in such a large group, there's always going to be some people who'll decide to muck around with their hotel room's locks or something like that.
https://www.bloomberg.com/news/articles/2023-09-13/caesars-e...
https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-c...
About a month after the conference would be enough time to discredit an obvious connection to the conference, while still making use of security breaches that might have been found during the conference. Most security experts know you have to abandon security hopes if you give the hardware to the user with direct access. And with a conference of DEF CON's size, you only need 1% malicious actors for 300 tragedy of the commons results.
MGM's not that far away on the strip for somebody to find a security exploit, and then start checking every nearby casino to see if it works at those casinos. Found a $1 million exploit? Might walk a few blocks to see if it can turn into a $10 million exploit. Non-negligible risk from a casino perspective.
Average casino-win per customer is usually ~$100/admission. [1] Three days [2] gambling for 30,000 = 9,000,000. Hotel stay revenue helps, yet it's usually only 25% of revenue per guest. [3] Casino visitation and attendance has also rebounded significantly in the last few years. [4]
So, higher than normal costs per attendee, attendees who believe they all spend less than normal conference participants, anecdotal stories of repeated high cost issues each year to resolve (ex: concrete poured in sinks on purpose, rooms broken into, satellite dishes stolen), increasing attendance numbers in Vegas, and a multi-$10 million slap a month afterward based on social engineering.
[1] https://www.americangaming.org/wp-content/uploads/2021/02/CG...
[2] https://forum.defcon.org/node/248358
[3] https://www.playusa.com/las-vegas-casino-hotel-revenue-numbe...
[4] https://gaming.library.unlv.edu/reports/national_monthly.pdf
If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.
And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.
I know why you'd expect that, regardless, you'd be very wrong
Most casinos rent their gaming equipment from IGT, who directly manage most of these systems. IGT also has a fairly robust security team, having worked with them back when I was still a PM in the space.
Organizations like Caesar's aren't the greatest security wise, but that's largely because they have low margins because they are primarily property holding companies that are operating Casino/Gaming that they rent out from vendors like IGT.
This has been changing after MGM, but I don't think I can discuss it deeply.
In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.
My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.
I'm not so sure. There's a _lot_ of drinking at DEF CON
I'm sure their insurers might not be too happy about them hosting hacker conventions these days.
I accidentally bumped into a random guy there before the con started, and we ended up chatting and he bought me a beer. I saw him there the next morning. And that evening. And at 2AM. Almost every time I walked past, the same guy was in the same seat, enthusiastically laughing and drinking with his buddies.
Dios mio, amigo.
The magnitude of entropy casinos require you inject into the system each round is quite low in practice.
Profiting off of that is all skill.
But even so we’re actually all net-positive on the city, thanks to a couple “lucky” craps runs.
And same. A couple of roulette results has us “positive”.
[1] https://investor.caesars.com/news-releases/news-release-deta...
The requirement is that the expected value for a play on a machine is >75%. And most are >90%. But that’s not a cap on profit margin, as 25% of the expense for a play may be more than the cost of that play.
Eg, having a machine that costs $1 with $0.75 expected return (and $0.25 revenue for the casino) may only cost the casino $0.10 a play — which would be a 60% profit margin.
Gaming does have expenses -- labor (mostly dealers and slot attendants & mechanics), costs of purchasing and leasing the machines, and some other miscellaneous stuff... but profit margins on pure gaming are very high (and not limited in any way by the 25% maximum hold percentage that you reference)
Now the casino has your dollar and it's "costs" were four cents in electricity/maintenance. A much higher profit tham 25%.
Other businesses are treated like this too. If you are a high frequency trading firm and you buy 1000 shares stock for $99.99 each and sell for $100, you didn't have $100k of revenue - you had $10, and your profit is what's left after paying for staff and computers.
Yes, if your business was a supermarket, it would indeed work the other way, and it's not obvious to the literal- minded where one treatment should stop and the other should start.
And perhaps is more obvious when you consider what happens when there’s only players, eg, poker. The pot is held in trust, until the game ends and the losers forfeit their money to the winner. At no point does it belong to the casino.
That doesn’t change when the casino is also a player.
So no, profit is more like gross revenue minus expenses and taxes.
You could easily have a machine with positive EV for the house that has negative profit.
There is the story that the American Physical Society was not allowed back after in 1986 Vegas supposedly suffered its worst week in history.
First of all there is no real evidence that this story is true and secondly it doesn't make sense to me that they would cancel DEF CON after so many years for that reason. They would have done so much earlier, probably.
https://skeptics.stackexchange.com/questions/39668/did-a-cas...
My suspicion is that Caesars is trying to do something like play with headcount. Late summer is not just a weak time for conferences but DEF CON needs a ton more space and a ton more human babysitting across that space than any other conference. You don't see EVO or BlackHat getting cancelled (same exactly time window) because they're pretty contained in one place.
My guess is that Caesars needs to staff up a little for DEF CON or that they may even be considering reducing staffing in late summer. Con attendees are going to stay at their properties and use their bars/restaurants/tables anyway.
...although now that I think about it, EVO was moved up 2 weeks and has a new unannounced venue this year, so maybe this isn't isolated to DEF CON. ...and also the Venetian is having its convention space renovated until 2026...
I very much doubt there's any conspiracy here.
I never heard of this. Can you tell us more?
It's basically "a no harm, no faul" termination of an existing contract, and is fairly common in competitive markets where there is no long term strategic partnership to develop an unique product.
If it's the buyer terminating it's either because the product is either no longer needed or an cheaper supplier was found, and if it's the seller it's caused by all sorts of resource optimization reasons(aka someone being willing to pay more for the same limited resources, or an increase in cost making unprofitable).
https://qz.com/work/1249513/was-a-convention-of-physicists-r... (2018)
For example, the ATMs on casino floors are probably some of the most secure in the nation during the con. Harassment is also taken actually seriously.
I quit going after 7. It seemed like they partying had vastly I overtaken any actual technical content. I don't drink and I'm not super social, so it just seemed like it wasn't "for me" anymore.
Edit: It has probably changed in the intervening years but every time I looked into it it seemed like more spectacle than tech. DerbyCon filled the niche for me for a few years but then it got impossible to get tickets for and imploded. (I know there's a lot of backstory about DerbyCon that I don't know, too. For me it was just a fun way to feel a little of the DefCon 3 vibes again.)
DEF CON is a hell of a party, and I hope to go this year, but the attendees are a force to be reckoned with. Even I ended up fucking up a homemade badge, and tossing a failing lithium battery into the trash in the middle of a casino, only to learn later I created a trash fire, so I know firsthand that we're a problematic bunch.
I've seen bottles of alcohol passed around doing talks and heard more than a few really off color jokes about criminal sex acts and such. Vegas waitresses have seen it all also but there was over the top behavior.
We're in a victim dominant culture now, "it's not you or what you've done, you're just a victim of evil or something" but at more than a few Def Cons and more than a few times, it was really uncomfortable to be there and see some of the stuff that was happening.
Worst case scenario is usually they tell people to disperse, but otherwise, they always seemed to laugh when they saw shenanigans (except for people fucking with Casino machines, thats a fast way to make them mad)
Also, I was a 17 year old girl at the time, and I felt sexually threatened several times during the event. That is the only place I have visited where I would make a statement of that nature.
Here's at least one source corroborating that[0]:
> "I think it's from around DC6 and is a reference to our only near brush with cancellation at the Monte Carlo for DC4," Def Con spokesperson Darington Forbes wrote me in an email. "I wish I had more to tell you—since it happened seventeen or so years ago my info is murky. Something about a casino mogul preferring we not use the Monte Carlo, threats of legal action."
> @ivydigital DEF CON - cancelled annually for over 20 years
> — Rich Trouton (@rtrouton) July 31, 2015
[0] https://www.vice.com/en/article/ezvez4/def-con-is-cancelled-...
<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>
[0] https://www.cnbc.com/2023/09/14/caesars-paid-millions-in-ran...
This makes more sense to me than the other explanations. Probably coupled with an underinformed general manager or company president.
I’d wager a bet that the perpetrators of the hack had visited Cesar’s during defcon
That's a big claim to make. Can someone with relevant experience confirm whether this is true?
Too many "security researchers", "staff engineers" and people playing politics.
But I suspect they will have no problem finding another venue, sponsor money has been flowing quite well, so I wish them well.
And AP was tolerant of people treating their property like garbage. Caesars' certainly doesn't.
It's nice that it has continued to grow and reach more people but it has also changed a lot from what it used to be to what it is now.
Socialising, learning hacking history, and getting to know the traditions is always a great side effect that the DC crowd's been good at passing on to new generations. Goons still give people shit for misbehaving, speakers still take shots, TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.
I'd venture to say it's against the spirit of the con to try and gatekeep it.
Having said all that (and the irony not being lost on me) -- linecon's definitely getting worse, and I'm worried that DC's becoming a victim of its own success, with its accessible pricing and subject matter being counterbalanced by having to manage a 20-30k person crowd. I don't have a solution for this outside of decentralization, but I don't know if that's a good solution.
While you're over there look around for the Tamper Evident Village and we'll happily demonstrate and allow you to try removing Tamper Evident Seals of various kinds.
I forgot these when I wrote my original post at 1AM :)
To be fair, I don't think they crashed; I saw a "sorry too much traffic try later" type message. Still amuses me.
... if you're willing to trust another company with your data.
1999.
That’s exactly why it should be resilient. A fully static text-heavy site can serve basically unlimited traffic on a free host or a $5 VPS these days.
https://www.securityweek.com/caesars-confirms-ransomware-hac...
I go to a lot of European hacker parties/camps and I can certainly recognise the mindset you mention (and I identify with that mindset as well even though I work in a corporate job). For this reason Las Vegas made no sense to me but in light of your comment it does now.
And yeah getting ridiculously drunk is definitely part of the experience :D
Since we are talking about stuff that we don't think should be associated with hacking this is my own pet peeve. What does "getting drunk" have to do with hacking? And why is it always "absolutely smashed" or "ridiculously drunk". I get that most hacker types are shy introverts and couple drinks makes things more fun and socially fluid, but why does it need to go to hangover(s)? 9
This is primary reason which keeps me away from many "hacking camps", they are cool for couple hours, but as the sun goes down things just get sketchy and boring when I have to take care of bunch of drunk strangers.
Then comes the cost. August in Las Vegas is off-peak season which helps keep the cost down. Anywhere in Silicon Valley (or really anywhere in California) would be insanely expensive.
There's also convenience of travel. Las Vegas is such a huge tourist city that it makes getting flights there cheap and easy no matter where in the world you're coming from. My first time going to DEFCON was in 2017 and my flight from Portland OR was only a hair over $200.
Looking on the bright side, having a better option for a snack or meal on site would be nice. It was slim pickings in 2023.
Honestly though, if your venue gets turned upside down by a Flipper, you should probably change a few things...
Someone probably convinced them their new fancy XDR is hacker proof and they are playing for skins now.
The whole damn strip is air conditioned and misted so it's not really a problem. A few years back I participated in a scavenger hunt during DEF CON and it was taxing but I would do it again.
New Orleans is hell on earth that time of year though -- never again.
I thought the same until visiting Kyoto and Rome in August.
Cheap flights too.
Others have said August is off-peak for Vegas (perhaps because of the weather), which means its a good time for a conference as space should be less expensive.
I'm sure the other places suggested would have been nice, but you turn one flight into 2, maybe even 3, have to search for a venue and accommodation for 100s/1000s persons (even if they self book), etc
Conference tourism is big business and the big conferences want friendly places that fit their budget and make it possible for people to attend it
The heat sucks but it’s not like it’s that hard to avoid on a conference trip. It’s when you live here and have to hop in your plasma generating car that makes you wonder what the fuck is wrong with you
A high of 40C / 104F is not generally considered "nice".
But that is beside the point; is it "generally considered nice" ? - emphasis added to the words that I chose with care above.
It is not.
Checking climate for Barbados, I rate that as factually incorrect. And of little relevance.
It’s very relevant because that’s what qualifies my “considered generally nice” statement.
Your useless pedantry about beaches is becoming boring now.
The average high in Kodiak Alaska is 60F.
(But your parent was mostly being silly.)
Yes, it's hot, but you can still walk outside without becoming a sweaty mess because it's so dry. And you're probably not going to be walking outside very far, it's a very unfriendly place to walk outside of the prescribed separated paths on the strip.
The fact that it js now at the convention center and likely all under one roof is an improvement, IMO
Frankfurt also has the most international destinations (just not volume).
(Probably not Dubai, considering a few speakers would be thrown out at the border - or worse if they get though. It's also artificially inflated because it's almost all transit traffic).
https://en.wikipedia.org/wiki/List_of_busiest_airports_by_in...
Dubai is a center for large conferences and Expos.
The row of High rise hotels along Sheik Zayed Road across from Dubai World Trade Center (the largest exhibition hall in Dubai) is astounding.
Gitex, Gulfood and Arab Health are all conference that are largest in their class world wide.
And while A lot of DXBs traffic is transfers, the city does see 15 million international visitors a year, putting it in the top 5 most visited cities.
They can easily accommodate Def Con.
There’s a lot to criticize Dubai for, but they literally built the city to be a center for international conferences.
Well, they literally enslaved foreign men to work as indentured workers, stripping their human rights, in order to build the city...
Aimed largely at the MENA, SAARC, and a bit of the APJ market.
Most DefCon attendees are in North America, which makes the flight to the UAE hellishly long and expensive.
Most attendees are also expensing the trip, so a $700-900 round trip ticket plus an additional $500-700 for hotels makes Managers balk, as that's a major expense coming out of your yearly budget.
Also, DefCon sponsors largely showed up because it was occuring around the same time and same location as BlackHat
Source: travelled a lot for corporate tech conferences in my PM days.
Terrible location for any conference that cares about everyone being able to attend. While one could argue about "hiding the gay" (I'd still say that's hard to impossible), I would never be able to attend as visibly trans.
No other city in North America has a similar amount of space or options for low cost block booking.
Also, plenty of DefCon attendees and sponsors are also attending BlackHat at around the same time, so it makes it easier to justify expensing most of the cost as an employee.
Not even in Mexico? You know, the country that's part of North America? Why not just say America?
Yep. Not even in Mexico. The largest expo center in Mexico is Expo Guadalajara, which is smaller than Salt Lake City's Salt Palace Expo Center.
> You know, the country that's part of North America
Ik it is. I'm usually the one who reminds people about that on HN
And that is precisely why DEFCON is there in August - demand is weak so prices are low. They even state as much in their FAQ.
In 2018 we had aggressive room searches post the Vegas shooting that caused a lot of friction: https://arstechnica.com/tech-policy/2018/08/security-theater...
Point being that it’s been a rough ride over the last few years. Combine that with corporate events probably being far more lucrative for Caesars I.e suits drink and gamble harder than geeks - I’m not surprised by this.
TBH my team and I skipped DEF CON last year and threw our own event in Banff instead because DEF CON has become quite boring with long lines and a Groundhog Day feel to it. If you’re looking for a proper con check out a local B-sides or a smaller legit con like Shmoocon.
I heard it both from Dark Tangent and several high level Goons.
When I'm at DEFCON, I bring a fun little device. It's an ESP8266 that constantly listens for WiFi probes coming from people's mobile devices. It then displays the SSID (the network name) on a scrolling LED text display. I keep it plugged into one of those Anker battery banks. 10,000 mAh will power it for ~16 hours, so it lasts the entire day.
Pretty sure there was no vax check in 2022 and 2023, and I do know some people who got COVID in those years, but people who took decent precautions were generally able to dodge it.
And as the other commenter said, the information wasn't recorded.
Also, the majority of DEFCON attendees no longer care about being anonymous. It's not this secret underground thing. Many employers pay for their security staff to go to DEFCON. For a few years now, you can even pre-pay for your ticket online with a credit card which makes getting reimbursed for your ticket a fuckton easier. Also means you don't have to carry $500 in cash.