
DEF CON 32 Was Canceled. We Un-Canceled it

mrandish
170 replies
14h42m

I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee. They also probably spend less on high-end restaurant dining and bar drinking inside the hotel.

Since the pandemic Vegas has had a pretty strong resurgence in general and this may be a sign that Caesar's is doing well enough they've decided there are higher-revenue guests they can put in those rooms — even in the doldrums of August (a traditionally slow month for Vegas tourism).

I happen to regularly attend an unrelated, non-tech conference that's always right around the same week as DEF CON. That conference also happens to attract attendees who don't gamble or spend much at the hotel other than room costs. The reason the conference organizer chooses August is they get better discounts on their costs from the hotel in exchange for filling up rooms that would otherwise be empty (except this hotel is lower-end and cheaper than Caesar's). This works out because unlike Caesar's this hotel is far off the strip and doesn't have nearly as much dining or gambling revenue potential anyway.

mirekrusin
49 replies
14h30m

Or they figured they're somehow net negative when they do gamble :D

c0pium
48 replies
14h9m

There are certainly a lot of DefCon attendees who think that this describes them. In my observation they are all very incorrect, usually humorously so fortunately.

Eji1700
29 replies
11h39m

Vegas makes a fuckload of money off everyone who thinks they’re smart but doesn’t understand statistics

sph
18 replies
9h20m

There are only two types of people: those that believe they can outsmart the house, and those that never gamble.

sgjohnson
8 replies
8h58m

And card counters.

GuB-42
7 replies
8h33m

Do they still exist? They have closed most of the gaps previously exploited by card counters, and continuous shufflers are everywhere.

I think the only ones who can make money are those playing poker and are really good at it. That's because they are playing against other players and not the bank. They still have to beat the rake.

I'm not even sure comp players, that is those who play to get non-cash rewards like travels, restaurant and hotel stays while minimizing their losses can still have an advantage. I heard that casinos calculate comps by expected losses, making sure they stay on top (statistically).

And they are cheaters, but it is like saying thieves can make money.

sgjohnson
1 replies
7h3m

> And they are cheaters, but it is like saying thieves can make money.

Absolutely not. Using your brains to keep track of cards is not cheating in any way, shape or form. They are simply using all the information available to them and some pretty basic math to gain an advantage.

Calling card counters cheaters is like calling chess players with better knowledge of patterns than their opponents cheaters. They are not cheaters.

mcherm
0 replies
6h35m

The post you are responding to addressed card counters at the top, claiming the casinos have closed most of the loopholes that enabled card counting to be profitable.

The cheating it mentions at the bottom is not card counting (technically legal), but genuine cheating.

rowyourboat
1 replies
6h27m

Card counting isn't cheating, it's how you play card games.

lostlogin
0 replies
4h27m

Until the house realises and chucks you out.

nephanth
0 replies
6h4m

Card counting is cheating. Thinking before playing is cheating. Also, knowing the rules of the game is cheating. You should only play at random and never ever think

Quppi
0 replies
7h47m

They do, and some even document it on Youtube: https://www.youtube.com/@stevenbridges/videos Can recommend his videos, quite interesting and nice insights into casino procedures.

Bluecobra
0 replies
5h42m

Not sure if casinos still bend rules/give special deals to high rollers but it sure worked out for this guy:

https://www.theatlantic.com/magazine/archive/2012/04/the-man...

yreg
4 replies
9h13m

If that was true, the house wouldn't throw people out for suspected card counting.

darkwater
2 replies
6h36m

If they threw you out, you clearly didn't outsmart them.

yreg
0 replies
4h18m

You don't always get thrown out. Part of the game is monitoring the atmosphere on the floor and behaving accordingly in order to not get thrown out.

Even if you do get thrown out it is already after you have won some money thanks to your edge and therefore 'outsmarted' them.

TrickyRick
0 replies
5h14m

Not really, no card counter goes unnoticed forever. It's about making sure you get enough time to play when the count is high that you manage to earn money. If you're curious about the life of card counters I can't recommend this YouTube channel enough: https://www.youtube.com/stevenbridges

stavros
0 replies
8h36m

Aka "we don't want you here because you might win".

Pikamander2
1 replies
4h28m

A strange game; the only winning move is not to play.

capitainenemo
0 replies
4h15m

Well, there are occasionally a few other legal options.. https://wizardofodds.com/games/slots/loss-rebate/

Also a couple of video poker variants have actual positive (!) returns with perfect play. https://wizardofodds.com/games/video-poker/basics/#playing-s...

roygbiv2
0 replies
8h40m

That's definitely not true, I used to go to the casino under no illusion I'd come out poorer. I'd just do it because it was fun.

askvictor
0 replies
8h17m

And then there's David Walsh and his syndicate

IshKebab
5 replies
9h58m

Not just statistics. There are plenty of smart defcon people who understand statistics but don't understand that if you start winning they'll just kick you out.

jeltz
2 replies
3h15m

I am very doubtful. Outside sports betting (where you can actually outsmart the house) we loved winning players when I worked in online gambling. Winning players are much more likely to return and lose more than they ever won.

HWR_14
1 replies
2h0m

How did you handle winning sports betters? Did you decline to take their bets, cap their bet size or just move the line to compensate?

vkou
0 replies
23m

You ban them off your platform when they win.

kuboble
0 replies
7h56m

They don't kick you out for being lucky.

The only reason to kick you out would be if they believed you somehow have an edge on them.

The customer who got lucky at first and is willing to try to be lucky again and again is the best customer for the casinos.

buzzert
0 replies
9h21m

Not sure that's true, actually. The usual strategy appears to be to comp the gambler with generous stays at the casino they're a patron of, with the expectation that they'll dump their winnings back in the next day.

Taken with a grain of salt, as my only knowledge of this is via Hollywood movies. It does make sense from a game theory perspective though.

shiandow
2 replies
10h36m

They probably make quite a lot off people who think they understand statistics as well.

vsnf
1 replies
10h14m

I'd be willing to bet that the intersection of people who think this and then choose to engage in gambling anyway is probably one of the highest grossing demographics that exist.

TeMPOraL
0 replies
9h14m

If true, we'll eventually see casinos sponsoring statistics MOOCs or other forms of relevant education.

jghn
0 replies
3h33m

Or people who understand the statistics but find it to be fun and do it anyways

smt88
17 replies
14h4m

My first thought was that GP was saying DefCon attendees would be counting cards, which is an effective and legal way to beat the house[1] (until you're caught and banned from the casino).

1. https://www.freep.com/story/entertainment/nightlife/2016/04/...

serf
11 replies
13h33m

'legal' has no meaning here when it's against every single casino policy in the world.

ncallaway
6 replies
13h24m

Uh, yes, it does?

There’s a huge difference between: “if you do X, you will be asked to leave” and “if you do X, the police will arrest you”

Like, when I invite someone over to a dinner party, it is against my policy to insult my dog. If you do that I will kick you out (not actually, he’s a dumb klutz, you can insult him all you want), but that doesn’t make it illegal to insult my dog.

photonthug
5 replies
12h25m

True but not relevant. Police and legality do not need to be involved with certain kinds of casino justice. Security may just offer to beat your ass if you won't cease and desist, avoiding the paperwork. Could be bluff but they know where cameras are and have cop friends..

monkeywork
2 replies
11h19m

You need to check a calendar and see the current year - the days of casinos roughing up card counters are long long long gone. Might be great for your screenplay or fan fiction but doesn't match reality.

photonthug
1 replies
8h42m

Strange that you can be so confident about this with private security when even actual police are sometimes involved in cases of excessive force, corruption, coverups. Besides, whatever your personal knowledge/experience is it can't be vast enough to prove a negative here, and only one counter example is needed.

Regardless of the year I think you might want to reconsider your overly confident notions about fiction/reality or at least the condescending tone. I don't know what is institutionalized in what places, but have been threatened by casino security. Fuck around and find out I guess

lolc
0 replies
5h57m

> and only one counter example is needed.

From where I stand, you'd need to show it's systematic. One single instance is not enough for me. Because your claims are general, as if they applied to many casinos.

tptacek
0 replies
11h43m

Caesars has a $9.3B market cap. They're not beating anybody up for "casino justice".

ncallaway
0 replies
37m

> Security may just offer to beat your ass if you won't cease and desist

To be clear, if they tell you to stop playing, and you don’t, then they absolutely can call the police for trespassing, which is a crime.

I don’t think most casinos have private security that will beat you any more, since they can tell you to stop playing and enforce that with police.

throwaway2037
2 replies
11h7m

As I understand, in Las Vegas, as long as you do not use a device to aid with card counting (mind/mental only), it is legal. Is that still true?

well_actulily
1 replies
9h47m

Sure, it's "legal"—but so is them banning you from playing blackjack or trespassing you from their property.

throwaway2037
0 replies
2h32m

Great point. Thank you for clarifying. Casinos in Las Vegas are private. They have the right to ask anyone to leave for any reason.

blitzar
0 replies
10h6m

Winning is against casino policy too but that doesn't stop people trying.

daveguy
3 replies
13h50m

Casinos in Vegas use too many decks and reshuffle frequently enough that there is no edge gained over the house when card counting.

Kirby64
1 replies
12h49m

This is not true. Besides continuous shuffler machines, most casinos have 6 or 8 deck games that have plenty of 'penetration' (card counter term for depth into the deck that the cut card is placed) to offer an edge if you properly card count. There's also a big game to be played where rubes think they can card count and instead lose tons of money attempting to do so.

The problem with card counting generally is that the casino has infinite money and never runs out, thereby they can sustain large expected value swings... whereas you need an enormous bankroll to handle those swings, assuming they don't throw you out before that happens.

throwaway2037
0 replies
11h32m

The book "Bringing Down the House" by Ben Mezrich explains in layman's terms how card counting works for blackjack.

clansimus
0 replies
10h37m

There's plenty of doubledeck blackjack with good penetration in Vegas, especially in high limits rooms. The problem nowadays is that the casinos are also counting, and the patterns are simple and easy to track with the tech we all have. Changing your bet even a couple times based on the count can have the pit boss getting a call to remove you.

throwaway2037
0 replies
11h27m

> effective ... way to beat the house

Statistically, it is not effective. Your card counting needs to be (basically) perfect, and you need very deep pockets to handle extended drawdowns.

nodesocket
26 replies
14h19m

Doubtful, I'm sure it's related to the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully). The juice just ain't worth the squeeze. They have a business to run, and the risk of having a bunch of drunken and high hackers who happen to be the best in the world running amuck is not their idea of a good corporate event.

lolinder
11 replies
14h14m

Caesar's apparently explicitly said it wasn't related to anything the community did. It's possible that they're lying for some reason, but it's also possible that they're telling the truth.

> We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done.

https://www.reddit.com/r/Defcon/comments/1aj6ixn/def_con_was...

andy800
10 replies
13h49m

> for some reason

To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms. Just say nothing, part amicably, everyone moves on without drama.

With that said, they probably weren't lying. Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.

wkat4242
5 replies
12h3m

> Most likely, months after ponying up $10 million to a sophisticated international hacking group, Caesars Entertainment probably doesn't want to invite some of the world's best hackers to stay and meet at its flagship resort.

Most Def con visitors would be white hats so that would be a bit disingenuous. I would expect most attendees to behave (reporting issues after finding one)

Especially considering they just got hacked, a few pentests would be good for their business.

RCitronsBroker
2 replies
11h16m

you say that like a person informed enough to know what a white hat is lol. Let’s be real here, even the ethical hacker bunch can look VERY wonky and rowdy to an outsider, especially if you are as far removed as the hospitality industry. The only time they had to deal with hackers in the recent past was decidedly painful for them

wkat4242
1 replies
8h17m

If they hadn't hosted Def Con for the last 20 years I'd agree, but this community certainly isn't new to them.

RCitronsBroker
0 replies
7h5m

being ambivalent towards a group, filling up your hotel, but otherwise alien to you, may be a little less polarizing than just having been forced to shell out $100M to a similar sounding demographic.

michaelt
0 replies
9h52m

Def Con has 30,000 attendees. And maybe 99% of them aren't assholes.

But in such a large group, there's always going to be some people who'll decide to muck around with their hotel room's locks or something like that.

andy800
0 replies
10h52m

Primarily, it's about public image. It would look idiotic to host this group, regardless of intention. And it's about insurance -- logical or not, their insurer probably insisted they quit inviting DEF CON and associating, in any capacity, with self-identified hackers.

lolinder
3 replies
13h44m

> To avoid any legal liability. Stating a specific reason would open them to possible "breach of contract" depending on whether the act(s) were significant enough or justifiable, based on the contract terms.

This is how it works for at-will employment, but it would be a very weird contract that allows backing out only if you don't say why you're backing out.

andy800
2 replies
13h36m

Let's say Caesars states, "we just got hacked and, as has been reported in every major newspaper, paid $10 million as ransom. We have reason to believe one or more attendees of DEF CON were part of that group."

How does making this statement benefit Caesars in any way? Now DEF CON can demand some proof of this claim, or sue for defamation, or state that without proof, Caesars isn't acting in good faith, whatever.

jrockway
1 replies
13h29m

I mean, attendees of DEFCON can hack Caesars even if someone else owns the projectors used for the Powerpoint presentations.

andy800
0 replies
13h18m

Yes, most likely. That's why it would make zero sense for Caesars to state anything publicly that would antagonize members of the community. Saying nothing (or even praising DEF CON, and claiming it was a "change in strategy") is the smarter route.

p-e-w
5 replies
12h43m

> the constant attacks against their infrastructure they must defend against (let's be honest, I'm sure Caesars is not defending successfully)

If there's any place in the private sector where I'd expect security (including digital security) to be literally top notch, a casino would be it.

And casinos don't fuck around. If they catch some "uber haxor" laying a finger on their networks, you can bet they'd have him arrested in a heartbeat, regardless of whether he is a conference attendee or not.

andy800
1 replies
10h37m

> I'd expect security (including digital security) to be literally top notch

I know why you'd expect that, regardless, you'd be very wrong

PawgerZ
0 replies
2h26m

Which private sector businesses would you say have top notch security?

nodesocket
0 replies
12h29m

Ummm, they did get hacked and held for ransom (paid millions) and lost untold millions more in revenue just recently.

alephnerd
0 replies
7h17m

You're getting flamed by accounts below but they're largely wrong.

Most casinos rent their gaming equipment from IGT, who directly manage most of these systems. IGT also has a fairly robust security team, having worked with them back when I was still a PM in the space.

Organizations like Caesar's aren't the greatest security wise, but that's largely because they have low margins because they are primarily property holding companies that are operating Casino/Gaming that they rent out from vendors like IGT.

This has been changing after MGM, but I don't think I can discuss it deeply.

Rebelgecko
0 replies
12h30m

Last year was pretty bad for digital security in Vegas

lrvick
3 replies
12h24m

There are actually very few people with pentesting skills at Defcon stronger than running burp suite, and fewer still of those that are blackhats. Those with skill can do very well for themselves legally, and know better than to risk their careers getting caught messing with casino systems.

In practice the biggest abuse from Defcon to the venues is in the form of a subset of people constantly defacing casino property which no one reports because no one has sympathy for casinos.

My favorite trolling of casinos at Defcon is the people dumping prop money everywhere. Casinos do not -like- that and spend a lot of resources running around picking them up which is funny to watch.

nodesocket
2 replies
12h15m

Not sure I agree with the idea there are very few world class hackers there. I've watched a few of the capture the flags and almost immediately they went over my head and I felt inadequate. lol.

prmoustache
0 replies
11h51m

I'd argue that the CTF competitors are a minority in attendance (but that doesn't mean there are none at DEFCON).

lrvick
0 replies
6h55m

The people you see on stage and competing in the CTFs are like 0.1% of the attendees.

Lammy
2 replies
14h2m

Dunno if it has anything to do with it but they did get haxx0red last year at the same time as MGM, except Caesars paid up and MGM didn't. Hotel room cards, casino play cards, etc were down for ten days at a bunch of the MGM-owned properties (a.k.a. the half of the Strip not owned by Caesars) https://en.wikipedia.org/wiki/MGM_Resorts_International#Las_...

https://www.bloomberg.com/news/articles/2023-09-13/caesars-e...

https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-c...

araes
0 replies
6m

Seems mildly plausible for a connection.

About a month after the conference would be enough time to discredit an obvious connection to the conference, while still making use of security breaches that might have been found during the conference. Most security experts know you have to abandon security hopes if you give the hardware to the user with direct access. And with a conference of DEF CON's size, you only need 1% malicious actors for 300 tragedy of the commons results.

MGM's not that far away on the strip for somebody to find a security exploit, and then start checking every nearby casino to see if it works at those casinos. Found a $1 million exploit? Might walk a few blocks to see if it can turn into a $10 million exploit.

ackbar03
0 replies
13h32m
ebiester
0 replies
14h15m

Wouldn’t you think that canceling and angering that community would be an even worse idea then?

nimos
17 replies
14h34m

I doubt they would cancel a contract already in place for that reason.

Not renew the contract - sure. But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?

Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".

johnnyanmac
4 replies
11h51m

> But canceling an already scheduled event because of low revenue per guest doesn't seem very likely to me?

Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.

TeMPOraL
2 replies
9h25m

> it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers"

At least going by all the entrepreneurship articles I've read over the decade, "firing your customers" is a term of art, and a recommended approach for dealing with unprofitable and/or annoying customers - so I guess this shouldn't be surprising.

> Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.

Not to be TOO snarky, but that's kind of the point of contracts - contract cancellation terms aren't an "or else..." threat, but rather an agreed upon exit strategy. Termination fines aren't punishment, they're compensation for inconvenience.

PrimeMcFly
1 replies
5h14m

> Not to be TOO snarky

Repeating this verbatim in your reply means you are trying to be pretty snarky, fyi.

boringg
0 replies
5h7m

I mean they were both being intentionally snarky. The second snarky comment was used in a mocking tone because the first comment didn't seem to have much empirical evidence to support it

Anechoic
0 replies
3h55m

> Not to be TOO snarky, but given how quickly corporate cancels employee labor despite rising revenue, it would not surprise me for other corporate to also cancel "low paying customers" for "high paying customers". Loyalty is beyond dead so cancelling a contract is just a cost of business if they feel the alternative gives more money.

If they canceled a year or so before the con, I could see that. But to cancel seven months before the conference? There's no way they will get a decent-sized substitute in the space before then, so I don't see how this would be anything but a money-loser. Not to mention other conferences might be less willing to commit to long-term deals if they see that the contract can be canceled on a whim.

technick
3 replies
9h45m

I will need to dig up the archives from DC 27 when the deal with Caesars forum was officially announced, but if memory serves me correctly DT said it was a 5 or 10 year contract. So unless there was some verbiage in the contract that allows Caesars to cancel for any reason, they're going to be cutting DEFCON a check.

TeMPOraL
1 replies
9h32m

A 5-year contract starting at DC 27 would hold thru DC 31, so DC 32 fits the "not renewing" hypothesis.

ghaff
0 replies
3h14m

Who knows? But a more likely hypothesis is that the organizers were betting that they could come to terms on a renewal and at the end of the day they couldn't.

nebula8804
0 replies
2h32m

There was some announcement at the closing talks last year of the same venue being booked for the next 2-3 cons I think.

flomo
3 replies
11h34m

Everyone is missing "but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara" part. So this is more like they got passed to a different venue. Not "vegas hates them".

vertis
2 replies
10h33m

The post says they had to do significant work to secure another venue. While it's possible the author could be lying there is no evidence of this so we must, at this point, take them at their word.

dsr_
1 replies
9h8m

Arranging a convention site contract is always a lot of work, even if (hypothetically) the Caesar's rep suggested that they try LVCC.

vertis
0 replies
5h36m

The convention has been in Las Vegas for decades so I suspect they know ALL the options anyway.

Sebb767
2 replies
3h57m

> Or maybe it was some sort of ongoing agreement and canceling it was effectively "not renewing".

The announcement effectively calls it "no-notice cancellation" and overall it reads like they were already deep in the planning phase when it happened, which seems unlikely if a renewal was pending.

bawolff
1 replies
2h44m

It's odd though - I would assume a conference of this size would have penalties in the contract if the venue decides to pull out without cause or sufficient notice.

Arrath
0 replies
1h24m

To a point yeah but the venue also has the power not to sign the contract in the first place (ime the venue is the side typically negotiating from the position of power) if they think the penalties are too high on their end.

In all likelihood they ran the math and figured it was worth it to yank the rug out from under Defcon, penalties be damned.

surge
0 replies
3h59m

I see people go all out in LV and drop a lot of money at restaurants. I guess it depends. Then again if you've already been in LV for a few days due to BH you might be over the bell curve on spending for the week. I guess it depends on when you get in. I tend to drop more money Wed-Thur.

snarfy
14 replies
3h1m

I attended an earlier DEF CON (5 or 6?) where the attendees:

    1) Hacked the in-circuit TV system and broadcast their own pirate show
    2) Gained roof access and removed the satellite dish 
    3) Spilled hookah coals onto the bed starting a fire
    4) Drove the janitor's golf cart into the pool
and that is only what I witnessed firsthand. I can only imagine what else went on. Maybe the attendees' low spend was only part of the equation?

TheCondor
4 replies
1h5m

Among some other really cringey behaviors.

I've seen bottles of alcohol passed around during talks and heard more than a few really off color jokes about criminal sex acts and such. Vegas waitresses have seen it all also but there was over the top behavior.

We're in a victim dominant culture now, "it's not you or what you've done, you're just a victim of evil or something" but at more than a few Def Cons and more than a few times, it was really uncomfortable to be there and see some of the stuff that was happening.

tekla
2 replies
49m

Yes, counter-culture is counter-culture. It was meant to make normals uncomfy.

queuebert
1 replies
26m

Guess what? Hotels are run by normals.

tekla
0 replies
5m

And they are perfectly fine with the crowd. I've chatted with many hotel staff and almost all of them are happy with the DC crowd. Generally tips well and are polite even when drunk, some assholes, but that's normal with any crowd.

Worst case scenario is usually they tell people to disperse, but otherwise, they always seemed to laugh when they saw shenanigans (except for people fucking with Casino machines, that's a fast way to make them mad)

tptacek
0 replies
31m

Defcon was always a very boozy conference. It's not a professional event. It's Burning Man for high school AV clubs.

hodgesrm
3 replies
2h26m

Other than the first item, this does not seem especially extreme by Vegas standards.

pc86
2 replies
2h11m

You don't think breaking into a secured area and removing expensive hardware from the roof is extreme?

treflop
0 replies
44m

Removing expensive hardware is crossing a line but a lot of people break into secured areas a lot.

RIMR
0 replies
2h7m

Remember, this is the Las Vegas strip. The frame of reference for normal is a bit different.

collyw
0 replies
11m

Sounds pretty fun. Maybe not if you are an organizer though.

anon23908203
0 replies
15m

I attended Def Con 7 and witnessed people pick the lock of a utility room on my hotel floor and change the phone wiring.

Also, I was a 17 year old girl at the time, and I felt sexually threatened several times during the event. That is the only place I have visited where I would make a statement of that nature.

RIMR
0 replies
2h9m

I was at DEF CON 26 & 27 and people had punched/torn holes in the drywall in several places, and at one stairwell where you could reach up and slap the ceiling, chunks of ceiling were falling off from where people were gouging it.

DEF CON is a hell of a party, and I hope to go this year, but the attendees are a force to be reckoned with. Even I ended up fucking up a homemade badge, and tossing a failing lithium battery into the trash in the middle of a casino, only to learn later I created a trash fire, so I know firsthand that we're a problematic bunch.

NegativeK
0 replies
2h37m

There are still shenanigans, but all of the wildness has calmed down -- both via goon enforcement and casino staff knowledge.

For example, the ATMs on casino floors are probably some of the most secure in the nation during the con. Harassment is also taken actually seriously.

EvanAnderson
0 replies
2h27m

That sounds like DefCon 7 at the Alexis Park. I think I remember seeing a photo of a golf cart in the pool.

I quit going after 7. It seemed like the partying had vastly overtaken any actual technical content. I don't drink and I'm not super social, so it just seemed like it wasn't "for me" anymore.

Edit: It has probably changed in the intervening years but every time I looked into it it seemed like more spectacle than tech. DerbyCon filled the niche for me for a few years but then it got impossible to get tickets for and imploded. (I know there's a lot of backstory about DerbyCon that I don't know, too. For me it was just a fun way to feel a little of the DefCon 3 vibes again.)

kortilla
12 replies
13h20m

Gambling isn’t the big margin for the casino and hackers aren’t immune to gambling. Most people who gamble know the odds aren’t in their favor.

pxeboot
9 replies
13h5m

You can view their financial statements [1]. I am sure the 'casino' category includes things besides gambling, but it looks like the largest share of their revenue.

[1] https://investor.caesars.com/news-releases/news-release-deta...

somenameforme
8 replies
12h26m

Be sure to subtract expenses. So for 2022 you have 2500 for casino, 500 for food, 1500 for hotel, 800 for "other." And there's definitely some counterintuitive accounting going on there, because that 2500 would imply a profit margin of 41% on casino, but Vegas regulations require gaming machines to pay out at least 75%, leaving a profit margin max of 25%. The card games and other games of skill wouldn't have such restrictions, but it seems pretty difficult to imagine that they'd be high enough margin to result in an overall of 41%.

zmgsabst
7 replies
11h46m

You seem to misunderstand the 75% rate:

The requirement is that the expected value for a play on a machine is >75%. And most are >90%. But that’s not a cap on profit margin, as 25% of the expense for a play may be more than the cost of that play.

Eg, having a machine that costs $1 with $0.75 expected return (and $0.25 revenue for the casino) may only cost the casino $0.10 a play — which would be a 60% profit margin.

somenameforme
6 replies
11h21m

Expected return on a machine and profit margin on that machine are literally identical. Imagine there's a hypothetical $1 machine where we simply remove variance. So you insert $1 and you get $0.75 back. It should be clear that for each $1 of revenue, the casino profits $0.25. This is a 25% profit margin. Variance can add some noise, but does not change the long-term expectation, which is what the regulations are based on.

dmurray
2 replies
10h29m

That sounds intuitive, but that's just not how revenue is defined for a business like a casino. The casino had $0.25 revenue, and its profit is whatever is left from the $0.25 after paying for heat, light, maintenance, cashiers, security, etc.

Other businesses are treated like this too. If you are a high frequency trading firm and you buy 1000 shares stock for $99.99 each and sell for $100, you didn't have $100k of revenue - you had $10, and your profit is what's left after paying for staff and computers.

Yes, if your business was a supermarket, it would indeed work the other way, and it's not obvious to the literal-minded where one treatment should stop and the other should start.

zmgsabst
0 replies
10h7m

This is similar to not counting bank deposits as revenue and withdrawals as costs. Only when your money goes to pay fees is it booked as bank revenue. The same for money transmitters like Western Union.

And perhaps is more obvious when you consider what happens when there’s only players, eg, poker. The pot is held in trust, until the game ends and the losers forfeit their money to the winner. At no point does it belong to the casino.

That doesn’t change when the casino is also a player.

somenameforme
0 replies
8h45m

Yip, I agree. I'm aware of gross gaming revenue and was involved in the industry in a past life, though obviously never filing as a casino. The thing that misled me, at a glance, was their costs - $3.5 billion. I wasn't aware there'd been massive consolidation in the casino industry, and thought I was looking at a casino's costs/revenue (in which $3.5 billion would be insane without it including losses), not a sprawling corporate enterprise.

boomboomsubban
0 replies
10h29m

Look at it a different way. The casino never had that dollar, you inserted a quarter and they gave you a light show that cost them a cent to put on. You enjoyed it so much, you did it four times.

Now the casino has your dollar and its "costs" were four cents in electricity/maintenance. A much higher profit than 25%.

andy800
0 replies
10h31m

You don't understand casino accounting. Gaming WIN is revenue. If you put $100 in and get $75 out, that's $25 in marginal revenue with zero corresponding costs. The $100 is a statistic that the casino records, but it does not factor into profit calculations (total, or margin).

Gaming does have expenses -- labor (mostly dealers and slot attendants & mechanics), costs of purchasing and leasing the machines, and some other miscellaneous stuff... but profit margins on pure gaming are very high (and not limited in any way by the 25% maximum hold percentage that you reference)

Enginerrrd
0 replies
2h47m

Except that you have expenses, like rent for the machine, maintenance for the machine and building, energy costs, staff salaries, cleaning costs, security and IT spend, etc. etc.

So no, profit is more like gross revenue minus expenses and taxes.

You could easily have a machine with positive EV for the house that has negative profit.

xmprt
0 replies
13h10m

What's the big margin for the casino if not gambling?

quickthrower2
0 replies
13h11m

What is the big margin? Rooms?

cratermoon
12 replies
13h28m

I heard a joke about tech conference people in Vegas many years ago. It goes something like "people who go to tech conferences in Vegas bring one shirt and a $20 bill and never change either." So yea, programmers generally aren't gamblers because they know enough math to know the house always wins.

rpmisms
8 replies
13h11m

In my experience, programmers like poker, but not games of chance. This also describes me. Poker is a data-heavy game of skill and memory, Craps is about the opposite.

mynameisnoone
3 replies
12h12m

I went with a bunch of CS/bioinformatics/MD IITians to Reno, NV once. They were just there to gamble on games of chance. Personally, I think gambling is boring and stupid if the expectation isn't significantly positive. I'd gamble if skill was the dominating factor and the expectation wasn't so abysmal.

rpmisms
0 replies
2h48m

You would like Poker. I mostly play with friends for chips, but it still takes concentration and memory. Excellent game.

guappa
0 replies
9h30m

If it was skill based, you'd be competing against a pro who does nothing else. At least with chance you have a chance :)

basil-rash
0 replies
6h31m

If skill is the dominating factor, almost by definition it isn’t gambling. This is what allows bars and other institutions not licensed as gambling centers to host poker games. (which might be of interest to you)

pjerem
1 replies
8h52m

In my experience, potential gambling addiction has nothing to do with rationality or smartness.

trogdor
0 replies
4h13m

I’d broaden that to addiction generally.

basil-rash
0 replies
13h4m

Craps is not the opposite. Quite the opposite, actually.

The magnitude of entropy casinos require you inject into the system each round is quite low in practice.

Profiting off of that is all skill.

KptMarchewa
0 replies
10h13m

Most people appreciate the skill poker requires, but like me never want to bother learning it. If I (very rarely) go to a casino I'd just play games of chance for a defined loss budget and just stop playing when I either lose it or win enough to get dinner for the group.

basil-rash
1 replies
13h8m

Eh, I’m a programmer and I go to Vegas with other programmers fairly regularly. We know enough math to know the expected cost per entertainment•hour is comparable to many other pastimes.

But even so we’re actually all net-positive on the city, thanks to a couple “lucky” craps runs.

renewiltord
0 replies
12h22m

Came to make the same comment. Vegas is a fun place. We spend some money and get some fun just like anything else.

And same. A couple of roulette results has us “positive”.

karmasimida
0 replies
12h22m

House sets the mean and variance, how could they ever lose? Only thing left to make it work is volume, transactions volume, so variance can be minimized.

fortran77
6 replies
14h8m

> They also probably spend less on high-end restaurant dining and bar drinking inside the hotel.

I'm not so sure. There's a _lot_ of drinking at DEF CON

rdl
5 replies
13h38m

It's mostly with liquor bought from offsite and drunk in rooms/private parties, not via Caesar's venues or catering (there's a lot of that too, and this is summer dead period, so it still may be good).

kstrauser
3 replies
13h9m

I can think of plenty of in-hotel bars packed with DEF CON attendees 24 hours a day during the conference.

hyperhopper
2 replies
6h50m

The linq bar turned into a 24hr party after the bomb threat last year

andy800
1 replies
4h44m

A bomb threat last year? Hmmm, I wonder why Caesars chose not to renew the contract.

jeltz
0 replies
3h10m

Yeah, I think those things are more likely to be the issue. Tech people tend not to be shy with racking up huge bar tabs.

kortilla
0 replies
13h18m

I explicitly remember them tapping out every keg at a bar there by 2pm about 10 years ago.

busterarm
4 replies
12h39m

All of the more recent years that I did DEF CON I was with large groups of people going to high end restaurants and (ab)using the hotel bars. In fact the hotel bars were always packed.

My suspicion is that Caesars is trying to do something like play with headcount. Late summer is not just a weak time for conferences but DEF CON needs a ton more space and a ton more human babysitting across that space than any other conference. You don't see EVO or BlackHat getting cancelled (exact same time window) because they're pretty contained in one place.

My guess is that Caesars needs to staff up a little for DEF CON or that they may even be considering reducing staffing in late summer. Con attendees are going to stay at their properties and use their bars/restaurants/tables anyway.

...although now that I think about it, EVO was moved up 2 weeks and has a new unannounced venue this year, so maybe this isn't isolated to DEF CON. ...and also the Venetian is having its convention space renovated until 2026...

tptacek
1 replies
11h45m

Black Hat is a giant commercial conference run by a company that runs dozens and dozens of giant commercial conferences. No event venue is ever going to fuck with them.

danpalmer
0 replies
6h51m

Also Black Hat brings a lot of more-corporate, less-hacker types, who are probably likely to have much higher spend, possibly more gambling, and certainly dining expenses covered.

Klonoar
1 replies
9h41m

IIRC EVO only moved because they outgrew the space/slot they'd been working in. The other reply to you outlines Black Hat.

I very much doubt there's any conspiracy here.

busterarm
0 replies
4h25m

I wasn't suggesting there was?

teepo
3 replies
12h21m

Combine low ARPU with perceived risk (in the wake of the Vegas hacks last year) and a termination for convenience clause and this is a no-brainer for Caesars. There’s just not enough upside for Caesars to host in their marquee properties.

throwaway2037
1 replies
10h46m

> termination for convenience clause

I never heard of this. Can you tell us more?

Stranger43
0 replies
6h43m

A good example from a US gov standard contract is here: https://www.acquisition.gov/far/52.249-2

It's basically a "no harm, no foul" termination of an existing contract, and is fairly common in competitive markets where there is no long term strategic partnership to develop a unique product.

If it's the buyer terminating it's either because the product is no longer needed or a cheaper supplier was found, and if it's the seller it's caused by all sorts of resource optimization reasons (aka someone being willing to pay more for the same limited resources, or an increase in cost making it unprofitable).

RCitronsBroker
0 replies
11h21m

I'm really sure you have found the answer, it’s most likely more of a perceived thing than any of us wants to admit. DEFCON attendees can be walking stereotypes at times anyways, but the combination of drunk, low yielding hacker(wo)men(tm) roaming your hotel probably just made the juice not worth the squeeze.

p-e-w
3 replies
14h30m

The simplest explanation is often the correct one. Casinos aren't exactly known for having moral qualms. They are, however, known for caring about their bottom line. They probably analyze every single event they host and then shuffle things around to maximize their expected revenue based on their past experiences with the same type of event.

metabagel
2 replies
12h44m

Put another way, they got a better offer

Eji1700
1 replies
11h35m

That’s the weird part. I doubt they’re using the space so this strikes me as “think of the money we’ll save on hours” bean counting

alephnerd
0 replies
6h55m

Companies/Vendors usually host corporate conferences around this time as well.

A large company has probably decided to move a conference to Caesar's during that period, and that got Defcon bumped. Especially because DefCon has become massive, so the RoI has shrunk due to staffing overhead.

NanoYohaneTSU
3 replies
14h29m

Not everything is about money or the bottom line. Sometimes it's about politics. Vegas takes a loss on so many things. Nevada has grown more and more corporate over the years. This move doesn't surprise me at all.

jrockway
0 replies
13h31m

What are the politics? One of the richest and most profitable industries on Earth wants to have a conference where they show slide shows to each other. Really not much different than any other conference, and probably more ethical than most of them.

jfoutz
0 replies
14h10m

> Sometimes it's about politics.

> Nevada has grown more and more corporate over the years.

You make it sound like it's entirely about money and the bottom line.

I have a hard time believing gaming doesn't provide _huge_ contributions to favorable politicians. I feel like you've got something to say, and maybe something really interesting. But what you've got is awfully vague.

If you've got the time or inclination, I'd definitely read an elaboration of your meaning.

MattGaiser
0 replies
13h49m

Is DEF CON a highly political thing?

spacebacon
2 replies
10h52m

The simplest explanation is they don’t like hackers after their experience. So they push a bunch of hackers' buttons with a last minute notice and prepare the honey pot to pen test their post ransom security posture and maybe in the process they find an amateur to pin it all on.

atcalan
1 replies
5h26m

Cool. Drop kick a hornet's nest in a zorb ball. What could go wrong? Not everyone attending DEFCON is getting 6 figures to red team, I suspect.

spacebacon
0 replies
3h16m

You are not wrong. Plenty of the attendees really don’t like bullies. It may be interesting.

weinzierl
1 replies
12h44m

"I suspect Caesar's dropped DEF CON because the DEF CON attendees likely have a fairly low "avg revenue per attendee" yield because fewer of them gamble compared to the avg Vegas conference attendee."

There is the story that the American Physical Society was not allowed back after in 1986 Vegas supposedly suffered its worst week in history.

First of all there is no real evidence that this story is true and secondly it doesn't make sense to me that they would cancel DEF CON after so many years for that reason. They would have done so much earlier, probably.

https://skeptics.stackexchange.com/questions/39668/did-a-cas...

elashri
0 replies
11h57m

I heard this story many times. One of them was from a graduate student who attended this meeting. APS March meeting happened in Las Vegas again last year (2023). While there was no official ban for APS Conferences, there was a little interest in Las Vegas to host anything for APS for ~35 years.

jandrese
1 replies
3h5m

It might be interesting to see what is happening in Caesars during the week DEFCON was supposed to happen.

nebula8804
0 replies
2h21m

ha ha this comment can be interpreted different ways given the audience we are talking about.

philshem
0 replies
9h47m

It may have happened to physicists in 1986, although the APS conference was back in Las Vegas in 2023

https://qz.com/work/1249513/was-a-convention-of-physicists-r... (2018)

lend000
0 replies
11h50m

I've heard stories about "hackers" at former DEF CONs pouring concrete down sinks and doing all sorts of other socially clueless vandalism, and resulting backlash for the organizers. While the infosec community is much bigger and more... "normal" than it was back then, I imagine the guests are still more of a liability than the average conference attendee and as you said, probably not big spenders.

Orlan
0 replies
13h39m

So… see you at Magic Live?

killjoywashere
47 replies
12h31m

You know, why the fuck is DEFCON in August, in Vegas? Like, you know a nice place to visit in August? Kodiak, Alaska. Portsmouth, Maine. Sydney. List of places I would never want to visit in August? Vegas. Houston. Vegas. New Orleans. Vegas. Mumbai? Maybe. Baghdad? Definitely not. Also, Vegas. My friends in Christ, why, does anyone, think Vegas is a good idea in August?

raldi
10 replies
10h7m

Check out https://www.flightsfrom.com/explorer/LAS — particularly comparing its direct flights from all over the continental US to the same for other American cities.

asmor
9 replies
9h57m

That settles it, DEF CON in Dubai, London or Amsterdam. I vote for Amsterdam.

Frankfurt also has the most international destinations (just not volume).

(Probably not Dubai, considering a few speakers would be thrown out at the border - or worse if they get through. It's also artificially inflated because it's almost all transit traffic).

https://en.wikipedia.org/wiki/List_of_busiest_airports_by_in...

wodenokoto
4 replies
9h11m

> It's also artificially inflated because it's almost all transit traffic

Dubai is a center for large conferences and Expos.

The row of high-rise hotels along Sheik Zayed Road across from Dubai World Trade Center (the largest exhibition hall in Dubai) is astounding.

Gitex, Gulfood and Arab Health are all conferences that are the largest in their class worldwide.

And while a lot of DXB's traffic is transfers, the city does see 15 million international visitors a year, putting it in the top 5 most visited cities.

They can easily accommodate Def Con.

There’s a lot to criticize Dubai for, but they literally built the city to be a center for international conferences.

pbhjpbhj
0 replies
8h4m

but they literally built the city to be a center for international conferences. //

Well, they literally enslaved foreign men to work as indentured workers, stripping their human rights, in order to build the city...

brettermeier
0 replies
1h10m

No community which has a healthy amount of thinking about ethics and stuff would want to go to Dubai. Sorry but Dubai is one of the worst rich cities in existence.

asmor
0 replies
2h28m

> There’s a lot to criticize Dubai for

Terrible location for any conference that cares about everyone being able to attend. While one could argue about "hiding the gay" (I'd still say that's hard to impossible), I would never be able to attend as visibly trans.

alephnerd
0 replies
7h4m

> center for large conferences and Expos

Aimed largely at the MENA, SAARC, and a bit of the APJ market.

Most DefCon attendees are in North America, which makes the flight to the UAE hellishly long and expensive.

Most attendees are also expensing the trip, so a $700-900 round trip ticket plus an additional $500-700 for hotels makes Managers balk, as that's a major expense coming out of your yearly budget.

Also, DefCon sponsors largely showed up because it was occurring around the same time and same location as BlackHat.

Source: travelled a lot for corporate tech conferences in my PM days.

raldi
1 replies
3h28m

If we’re ignoring the second sentence of my reply, Anchorage would probably be the winner.

asmor
0 replies
2h28m

If we're ignoring your ninja edit.

nebula8804
0 replies
2h2m

Europe has CCC. CCC is older than DEFCON. It sucks for Americans to go across the ocean. Also given that I just came back from a month long eurotrip, hospitality services in post COVID Europe is even worse than it was before COVID. I'll stay in Vegas.

eunos
0 replies
5h38m

Vote for Qatar since they offer most visa-free access.

huytersd
8 replies
11h6m

That’s the stupidest thing I’ve heard. It’s nice and hot in Vegas in August. Alaska? At best it’s fucking 50F, that’s deeply uncomfortable. Walking around in that feels like I’m dying inside. Also, it’s a goddamn convention not a business meeting. People want to drink, watch some shows, gamble a little bit, walk around on the strip. Have a good time in general. What the fuck are you gonna do in Alaska?

SideburnsOfDoom
6 replies
4h37m

> It’s nice and hot in Vegas in August

A high of 40C / 104F is not generally considered "nice".

huytersd
5 replies
2h28m

That’s subjective. I love being in 100F weather. Makes me feel alive.

SideburnsOfDoom
4 replies
2h26m

One's personal opinion on 40C of dry heat may vary subjectively, that is true.

But that is beside the point; is it "generally considered nice" ? - emphasis added to the words that I chose with care above.

It is not.

huytersd
3 replies
2h16m

Well, tropical beaches are generally considered nice and those approach 100F pretty much around the year.

SideburnsOfDoom
2 replies
2h5m

> tropical beaches approach 100F pretty much around the year.

Checking climate for Barbados, I rate that as factually incorrect. And of little relevance.

huytersd
1 replies
1h31m

The highs get above 90F in August which is approaching 100F. I can also think of lots of popular beaches in Mexico that do get above 100.

It’s very relevant because that’s what qualifies my “considered generally nice” statement.

SideburnsOfDoom
0 replies
1h26m

And 40C is _over_ 100F.

Your useless pedantry about beaches is becoming boring now.

jefftk
0 replies
3h35m

> It’s nice and hot in Vegas in August. Alaska? At best it’s fucking 50F

The average high in Kodiak Alaska is 60F.

(But your parent was mostly being silly.)

prmoustache
4 replies
11h48m

Why Vegas in the first place really. This city should not even exist.

nxkeksbfbe
0 replies
4h1m

but it does exist

nebula8804
0 replies
2h1m

We might as well enjoy it while it lasts. At least we will have the memories once the desert claims its land back.

mp05
0 replies
3h41m

Humans shouldn't be flying 600mph at 30,000 feet yet here we are.

euroderf
0 replies
10h38m

"Follow the money."

alephnerd
4 replies
7h10m

Convention space and room blocks are fairly cheap to rent in Las Vegas.

No other city in North America has a similar amount of space or options for low cost block booking.

Also, plenty of DefCon attendees and sponsors are also attending BlackHat at around the same time, so it makes it easier to justify expensing most of the cost as an employee.

tempaccount420
1 replies
5h20m

> No other city in North America has a similar amount of space or options for low cost block booking

Not even in Mexico? You know, the country that's part of North America? Why not just say America?

alephnerd
0 replies
5h8m

> Not even in Mexico

Yep. Not even in Mexico. The largest expo center in Mexico is Expo Guadalajara, which is smaller than Salt Lake City's Salt Palace Expo Center.

> You know, the country that's part of North America

Ik it is. I'm usually the one who reminds people about that on HN

jvanderbot
1 replies
2h0m

Also, why go outside? Vegas is very comfortable inside the buildings.

wds
0 replies
35m

Now you're thinking like a hacker!

wkat4242
1 replies
11h59m

Sydney is pretty cold in August. Definitely not the time of year to be there.

rekoil
0 replies
10h32m

Pretty sure that was the entire point.

rhinoceraptor
1 replies
10h42m

The heat is really not that bad. I absolutely hate the heat, living in the midwest the summers are unbearable to me.

Yes, it's hot, but you can still walk outside without becoming a sweaty mess because it's so dry. And you're probably not going to be walking outside very far, it's a very unfriendly place to walk outside of the prescribed separated paths on the strip.

sylens
0 replies
7h12m

The problem is that the con was now spread out over multiple casinos/hotels so the odds of having to walk outside at some point have increased, even with some of the hotels connected internally.

The fact that it is now at the convention center and likely all under one roof is an improvement, IMO.

johnnyanmac
1 replies
11h39m

If we wanna be frank: lotta tech is in silicon valley and Vegas is probably the closest "large" hub to travel to (Maybe Los Angeles is closer, but not by much). It's the cheapest option without simply staying in SV.

raverbashing
0 replies
6h37m

Correct. Do not underestimate these aspects

I'm sure the other places suggested would have been nice, but you turn one flight into 2, maybe even 3, have to search for a venue and accommodation for 100s/1000s persons (even if they self book), etc

Conference tourism is big business and the big conferences want friendly places that fit their budget and make it possible for people to attend it

toast0
0 replies
11h49m

I don't care to go to Las Vegas, and I don't care to go to DEFCON, but you can easily fly from anywhere to Las Vegas, any time of year. (Subject to US visa issues, of course)

Others have said August is off-peak for Vegas (perhaps because of the weather), which means it's a good time for a conference as space should be less expensive.

ramraj07
0 replies
12h23m

I can stay in an acceptable room for two digit dollars a night in Vegas. That’s not true even in Mumbai.

Cheap flights too.

mikeflynn
0 replies
9h38m

It started there initially because a bunch of hackers wanted to hang out together and the cheapest way to do that was to all fly into Vegas in August. It’s tradition but also still somewhat true for the reasons you articulate.

masteruvpuppetz
0 replies
10h56m

Def Con in Dubai.. in August.. that'll be fun :D

fragmede
0 replies
9h40m

How about Denver?

busterarm
0 replies
12h25m

Vegas is great in August. It might be super hot but it's also dry. Whenever I go out to DEF CON, I take a day to go out quadding around the desert and shoot some guns outdoors.

The whole damn strip is air conditioned and misted so it's not really a problem. A few years back I participated in a scavenger hunt during DEF CON and it was taxing but I would do it again.

New Orleans is hell on earth that time of year though -- never again.

apapapa
0 replies
9h28m

I would rather avoid Vegas all year long.

TulliusCicero
0 replies
10h2m

Vegas is probably cheap in August, both for the con to reserve space and also for the attendees to get hotels.

Onewildgamer
0 replies
11h29m

Mumbai will be raining buckets in August, I'd avoid that city like a plague

Eji1700
0 replies
11h32m

We also believe in constant air conditioning unlike the East coast and defcon is probably not the group walking around outside the hotels much.

The heat sucks but it’s not like it’s that hard to avoid on a conference trip. It’s when you live here and have to hop in your plasma generating car that makes you wonder what the fuck is wrong with you

ChatGTP
0 replies
9h57m

Please, for the sake of your own health, calm down.

dash488
18 replies
12h8m

After the impact of the MGM hack this year Caesars probably revisited their insurance on getting compromised. After the auditors and lawyers looked at all the risks they came across DEF CON and said no because of the wording of how DEF CON is marketed. Their choice was probably to drop them or lose coverage.

DEF CON is listed as a "hacker convention held annually in Las Vegas, Nevada." where Blackhat is "Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security..."

I imagine places like the convention center can't afford or care about insurance at this level.

technick
12 replies
9h34m

Caesars was hacked by the same attackers that pwned Okta, and used the stolen keys and tokens to get into Caesars. It was nothing carried out by Defcon in any way.

Anyone that takes this scene seriously knows Defcon is the place to be. Blackhat is an overpriced vendor circle jerk. The only way to make Blackhat relevant again is to kick out all of the vendors and if you can't do that, forbid them from collecting people's information.

This is going to be my 11th year at Defcon this year. I snuck into a couple of blackhats and didn't get any value from them. I've been around the block a few times.

busterarm
7 replies
4h8m

BlackHat isn't a con you attend. You go there for the training sessions that are required to obtain/upkeep your certifications.

The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.

On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.

tptacek
6 replies
3h33m

Trainings run days before Black Hat and are not part of the conference proper.

busterarm
5 replies
3h30m

Clarification not needed -- the trainings are the only sensible reason to be there.

tptacek
4 replies
3h26m

I don't know what to say to someone who thinks the Black Hat talk schedule and lobby conference isn't a reason to go, but a $5000 training course on "Active Directory Security Fundamentals" is. You do you, I guess.

I don't care if you go or not. I'm not trying to sell anybody on Black Hat. If you work in this field, you know what Black Hat is, and if you care about Security Summer Camp you're in the lobby bar at Mandalay. My only nit here is people claiming that the actual Black Hat conference is a vendor event (like RSA). It is not. Almost every good Defcon talk was a Black Hat submission (as you'd expect; it's the highest-status mainstream security conference, and it pays honoraria and travel expenses for speakers). There's a whole other conference, BSides, that started just to soak up the talks Black Hat doesn't accept.

busterarm
3 replies
3h8m

Fair enough. BH as vendor event wasn't my axe to grind but the parent poster's. I was just complaining about the industry and the event in general as only having status-economy value.

e.g., the only reason I would go is if I needed to for industry certifications. Talks aren't a reason for me to go to anything (they'll be streamed eventually and I can filter them better). I'll agree the talks are better here than most other events

I guess if your employer is footing the bill, sure, fine, whatever.

Talks having no attendance value to me might be a personal thing, but you can blame Netflix and re:Invent 2017 for that. I sat through 4 different talks given by 4 different people that were supposed to talk about different parts of their architecture but were basically the same slides and staff engineers from 4 different departments claiming responsibility for the same parts of the system. Sure that has nothing to do with Infosec, but talks can be an epic waste of time and I'm much more suspicious of them these days.

tptacek
2 replies
3h3m

Again: I'm not trying to sell you on Black Hat. But re:Invent is nothing at all like Black Hat. Black Hat is a peer-reviewed research conference focusing on presentation of security research results. You pay to see Black Hat talks if breaking the encryption on police TETRA radio or defeating Apple's PAC pointer authentication is professionally useful to you. For most Black Hat talks, that stage will be the first public airing of that research. At events like re:Invent, the new stuff is just product announcements.

I can see not wanting to sit through a bunch of vulnerability research talks! Defcon is certainly the more "fun" event.

There are higher-status (non-academic) research conferences, but they're not mainstream. Of the events everybody knows about and that employers at pentest firms will pay to have people develop talks for and employers at F500 security teams will pay to have engineers attend, Black Hat is basically the most important event of the year.

_delirium
1 replies
1h18m

> For most Black Hat talks, that stage will be the first public airing of that research.

I find this aspect intriguing, and seems to contribute to the buzz around the event? Used to be true in some other areas of computer science too, but outside of security I can't think of an academic conference where it still happens. Nowadays you can almost always expect talks at top conferences to have preprints posted on arXiv (or openreview.net) ahead of the talk, often weeks or months ahead. I mean not that somewhere like NeurIPS lacks buzz either, but you're not normally expecting major surprises in the talks.

tptacek
0 replies
35m

Yeah, it's an idiosyncrasy of vulnerability research and "zero day" status. Things will get discussed with the media in advance of the conference, but if you blog your whole talk before the review board sees the submission, that'll get used to shoot down accepting. Which sort of makes sense, because even if it's good, your submission will be competing with 5 more really good talks on the same track.

I'm a longtime reviewer for Black Hat, and I've reviewed (shadow) for ACM and (publicly) for Usenix (I was a PC for WOOT a few years ago). It's a different vibe. Nobody's WOOT submission got dinged for having been disclosed in advance, but Black Hat submissions will get dinged for having been presented at regional conferences prior to BH.

Again though: the single easiest way to make sure a talk has no chance at BH is to make it vendor-y. Reviewers will LinkedIn-stalk the names on the presentation to make sure nobody's connected to marketing or sales. If you're submitting something that's even tangential to your product (smart toaster firewalls), even if it's good research (elite-level zero-day vulnerabilities in smart toasters), you have to go way out of your way to assure reviewers you won't pitch on stage.

Black Hat is pretty sensitive to making sure the talks themselves aren't commercial, even though the conference trappings are extremely commercial. "This would make a better RSA talk" is an extremely common epithet.

waihtis
2 replies
7h27m

It was nothing carried out by Defcon in any way.

You think insurance providers are capable of doing this level of analysis? They see "hacker conference" in which Defcon may still hold some notoriety in and decide it's a risk.

alephnerd
1 replies
7h2m

They are able to. I've worked with AXA and Chubb before in this space.

I don't think this was done because of cyber insurance

They most likely got bumped to make space for a better paying corporate conference.

Most vendors are now running a Cisco Live/AWS Re:invent type conference, and they've increasingly consolidated on Las Vegas because venue booking and block room booking is much easier there than in any other city in North America.

Also, DefCon has become massive, so the RoI has most likely shrunk due to staffing overhead.

waihtis
0 replies
5h43m

They most likely got bumped to make space for a better paying corporate conference

This is the Occam's razor explanation

tptacek
0 replies
3h34m

People love saying this about Black Hat and Defcon, but I can't think of an important research result disclosed at Defcon 31 that wasn't a Black Hat talk. More good research gets turned down for Black Hat (which can only accept 3-5 talks per track) than appears at Defcon. Median Defcon talk quantity is approximately that of a good regional conference.

And that makes sense. Talks aren't really the point of Defcon, and they are (besides the lobby conf) the sole point of Black Hat. Black Hat is also a vendor circlejerk, but that fact confuses people who don't actually practice in the field.

wkat4242
3 replies
11h55m

Black hat is just one giant bunch of sales pitches. No I haven't been there but I've had to sift through recordings that my boss (who did attend) wanted me to look at because he was too drunk himself to do a proper evaluation.

It doesn't provide information, it just provides sales suits a chance to blow their hot air :P

If I'd ever go there it would just be an excuse to go to vegas to see DEF CON as well :P I work in security but I have no time for corporatism and sales bullshit.

Edit: I know it's a bit of a hot take but I've been to so many conferences where sales goons spew all the pretty pictures and then later when we actually got our hands on the product it turned out that it couldn't do half the stuff that was promised. Or there were other weaknesses like excruciatingly bad support. I've become very cynical due to this.

tptacek
1 replies
3h28m

This isn't a hot take. It's just wrong.

Black Hat is peer reviewed and accepts a tiny fraction of submissions (tracks will accept 3-5 talks out of a typical pool of 20-50). Reviewers --- all of them vulnerability researchers --- barely have time to read outlines and look for any possible excuse to DQ a submission and move on to the next one, and the single most common DQ is "the presenter has a commercial interest in this topic, vendor talk, 1.0 rating".

There is also a giant vendor expo that runs alongside Black Hat, and vendors do whatever they can to stage events that look like Black Hat talks but are not. I submit that you have probably confused those for actual talks. Or: you watched the keynote? I don't understand what the keynote is for.

Here are the actual 2023 talks:

https://www.blackhat.com/us-23/briefings/schedule/index.html

jeltz
0 replies
2h27m

Keynotes are terrible at almost all conferences I have been to. They mostly seem to be there to stroke the egos of management of major sponsors.

nopeYouAreWrong
0 replies
9h56m

if we're going with hot takes, I've watched a lot of DefCon vids and many presenters come off as outlandishly arrogant. not simply smug, more "I am levitating above the normies."

passwordoops
0 replies
6h26m

This explanation makes the most sense. A team of lawyers/risk analysts saw "hacker conference", superficially dug in and noted previous incidents that coincided with the "hacker conference" in previous years (bomb threat, the shooter) and decided it wasn't worth it

caymanjim
16 replies
14h32m

I find it hilarious that defcon.org can't handle the traffic from being on HN.

taywrobel
11 replies
14h1m

Without robust and easily scaled infrastructure in place ahead of time, an organic DDOS is one of the most difficult situations to mitigate. Not much can be done in terms of traffic shaping, rate limiting, or bot detection.

paxys
3 replies
13h51m

An HN front page “DDoS” is like 20K hits. This isn't some complex scaling challenge. Any website on the internet should be able to handle it, especially a purely informational one.

o11c
1 replies
13h33m

As a reference, 10K simultaneous hits was an achievable challenge back in ...

1999.

quickthrower2
0 replies
13h9m

Now you just front it with a CDN. Easy.

px43
0 replies
11h24m

This also blew up on every social media and news site as well, not just here.

caymanjim
2 replies
13h59m

I agree. Protecting against DDoS attacks is incredibly difficult. I'm just enjoying the irony of Def Con, the premier computer security and hacking convention, not being able to handle traffic.

To be fair, I don't think they crashed; I saw a "sorry too much traffic try later" type message. Still amuses me.

loriverkutya
0 replies
13h43m

To me this means they decided not to handle the traffic instead of can’t handle it.

komali2
0 replies
13h29m

I guess it's funny, but the attendees don't necessarily represent the organizers. The best hackers in the world may be in the building during Defcon but I don't think the Defcon organization itself necessarily employs them.

shadowgovt
1 replies
13h52m

Of course, a robust and easily-scaled infrastructure is pretty easy to rent these days...

... if you're willing to trust another company with your data.

colecut
0 replies
12h52m

I would trust just about any company with information that I want to be available to the public

ranger_danger
0 replies
13h55m

the current way to most effectively get around DDoS seems to be using a proof-of-work based frontend run on as many revolving reverse proxies around the world as you can afford. this is what kiwifarms does. seems pretty effective and a lot cheaper than what the people bankrolling the attacks on them are spending.
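An added illustration of the proof-of-work front end mentioned in the comment above (not part of the thread, and not the code of any site named in it): a hashcash-style challenge that a reverse proxy can issue and verify without per-client state, which is what lets the same check run on many interchangeable proxies. The shared HMAC key, the `|`-separated challenge format, the difficulty and the expiry window are all assumptions of this sketch.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this sketch; a real deployment tunes them under load.
DIFFICULTY_BITS = 16     # expected client cost: about 2**16 SHA-256 hashes
MAX_AGE_SECONDS = 120    # how long an issued challenge stays valid


def _tag(body: str, key: bytes) -> str:
    """HMAC over the challenge body, so any proxy holding `key` can check it."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_ip: str, key: bytes,
                    bits: int = DIFFICULTY_BITS, now=None) -> str:
    """Build 'ip|issued|bits|nonce|tag'. Nothing is stored server-side."""
    now = int(time.time() if now is None else now)
    body = f"{client_ip}|{now}|{bits}|{os.urandom(8).hex()}"
    return f"{body}|{_tag(body, key)}"


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str) -> int:
    """Client side: brute-force a counter until the hash meets the difficulty."""
    bits = int(challenge.split("|")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge: str, counter: int, client_ip: str, key: bytes,
           now=None, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Proxy side: one HMAC and one hash, however much work the client did."""
    now = int(time.time() if now is None else now)
    parts = challenge.split("|")
    if len(parts) != 5 or not isinstance(counter, int) or counter < 0:
        return False
    ip, issued, bits, _nonce, tag = parts
    # Check the tag first: after this, every field is known to be our own
    # output, so a client cannot lower `bits` or extend `issued`.
    expected = _tag("|".join(parts[:4]), key)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    if ip != client_ip:                      # solution farmed out elsewhere
        return False
    if not 0 <= now - int(issued) <= max_age:  # expired or from the future
        return False
    digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
    # Caveat: being stateless, this accepts the same solution repeatedly from
    # the same IP until it expires; keep max_age short or cache seen nonces.
    return leading_zero_bits(digest) >= int(bits)


if __name__ == "__main__":
    key = os.urandom(32)                     # constructed demo key
    ch = issue_challenge("203.0.113.7", key)  # constructed documentation IP
    start = time.perf_counter()
    answer = solve(ch)
    print(f"solved in {time.perf_counter() - start:.3f}s, counter={answer}")
    print("accepted:", verify(ch, answer, "203.0.113.7", key))
```

The asymmetry is the point: each extra difficulty bit doubles the requester's expected cost, while verification stays at one HMAC and one hash.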

MrBruh
0 replies
13h39m

I had my blog be on the front page for ~6-8 hours racking up 100k+ unique loads. It also managed to survive just fine on a $5 VPS so I would hope that other sites could survive.

tptacek
2 replies
13h8m

Why would you expect them to be that kind of resilient? It's just a conference brochure site.

paxys
1 replies
12h47m

It's just a conference brochure site.

That’s exactly why it should be resilient. A fully static text-heavy site can serve basically unlimited traffic on a free host or a $5 VPS these days.

fragmede
0 replies
9h35m

Why would you even host it? Throw it on a CDN and make someone else deal with serving it.

bdcravens
0 replies
13h1m

The IP of the site reports as being a Comcast IP address. Surely this isn't hosted on some guy's home server? Even their business class service wouldn't seem like a good fit, especially for an org like Defcon.

PedroBatista
10 replies
14h33m

Not a fan of what DEF CON has become in the last years, so I selfishly hope it somehow "goes away" and is reborn on a more technical and actual hacker note.

Too many "security researchers", "staff engineers" and people playing politics.

But I suspect they will have no problem finding another venue, sponsor money has been flowing quite well, so I wish them well.

tptacek
5 replies
14h30m

There are dozens of other conferences that do anything else you want a security conference to do. The point of Defcon at this point is to be the giant annual social event.

rockskon
4 replies
14h11m

Well it's not going to do so well for that at the LVCC given the distance away from hotel parties.

tptacek
2 replies
13h11m

It was famously at Alexis Park for years, which might as well be the moon if you're at Caesar's.

getoffmyyawn
0 replies
5h16m

I started going to def con before the AP and I feel now that the AP were def con's golden years. At least for what I like best about it.

It's nice that it has continued to grow and reach more people but it has also changed a lot from what it used to be to what it is now.

busterarm
0 replies
12h54m

And when it was at AP maybe 5000 people were attending? Today it's like 25k.

And AP was tolerant of people treating their property like garbage. Caesars' certainly doesn't.

busterarm
0 replies
12h56m

Agreed, that's a pretty terrible location given what defcon is and at its current size.

verandaguy
3 replies
12h48m

I don't have a ton of love for politicking, but security researchers and staff engineers, a lot of the time, are people who either have a career in a really interesting area in infosec and can bring a lot to the table as teachers/presenters, or people who want to get into that area and who'd benefit massively from a place like DEF CON considering how accessible its talks, demos, and villages are to people of all skill levels.

Socialising, learning hacking history, and getting to know the traditions is always a great side effect that the DC crowd's been good at passing on to new generations. Goons still give people shit for misbehaving, speakers still take shots, TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.

I'd venture to say it's against the spirit of the con to try and gatekeep it.

Having said all that (and the irony not being lost on me) -- linecon's definitely getting worse, and I'm worried that DC's becoming a victim of its own success, with its accessible pricing and subject matter being counterbalanced by having to manage a 20-30k person crowd. I don't have a solution for this outside of decentralization, but I don't know if that's a good solution.

merlincorey
1 replies
8h20m

TOOOL still has some of the best workshops and tutorials on the conference floor and usually has some people who'll talk about breaking open Medecos or Fichets to anyone who'll listen.

While you're over there look around for the Tamper Evident Village and we'll happily demonstrate and allow you to try removing Tamper Evident Seals of various kinds.

verandaguy
0 replies
5h0m

Also very cool stuff. I always see TEV bogged down with tons of people so after 4 cons I still haven't had a chance -- and while I have to miss this year, I'll hopefully swing by next year and check it out!

verandaguy
0 replies
5h14m

I can't edit my original comment anymore, but I'll add: OG DEF CON stuff still happens, too. Parties, secret parties, parties that take a full day or two of codebreaking a badge to get to, demoscene stuff, drinking, public art, you name it, it's there -- it takes a back seat because DC does have to focus on mass appeal these days (I believe, because of its accessibility promise coupled with the number of people coming out).

I forgot these when I wrote my original post at 1AM :)

wkat4242
7 replies
12h9m

Too bad. Now I will definitely never go there. My work sometimes gets free tickets for black hat but that's a totally boring business conference. Not worth going to on its own. I hate mingling with sales suits, I'm a real techie.

Def con was something I would be looking forward to and if my work paid for black hat I could have stayed the extra days to go there.

tptacek
2 replies
10h33m

Black Hat is the largest North American venue for vulnerability research. It's one of the closest things in the industry to a serious, peer reviewed conference, at least at this scale. It's certainly not the social scene Defcon is (indeed, it replaces that social scene with an enterprise sales hookup scene), but it's definitely not a "totally boring business conference". Black Hat talks are generally much better than Defcon talks.

wkat4242
1 replies
8h14m

It's certainly not the social scene Defcon is (indeed, it replaces that social scene with an enterprise sales hookup scene), but it's definitely not a "totally boring business conference".

It's the enterprise sales hookup thing that attracts most visitors though. The people from our company that go there go mainly for that. They're all VPs and other suits that have no interest in specific vulnerabilities. They just want the free wine and dine and to feel important.

I couldn't imagine going to that kind of thing. I'd only put up with it if it would give me a chance to go to Def Con :)

And it's really the Def Con social scene I'd be interested in. I'm not a vulnerability researcher either, I'm just very informal, I'm not comfortable socialising with business people even though I work in enterprise security. So I think for me black hat would be pretty boring.

What I love about the grassroots hacker conferences is the free sharing of information without commercial strings attached (in fact here in Europe people get booed off stage when they pull out the sales pitch). The presentations not vetted by PR departments. The tongue in cheek remarks against big tech. The activism. Drunkenly running into other makers and making good friends. Exchanging business cards and finding a new vendor is definitely not on the list. I don't normally go to too many of the talks either, especially not the huge ones.

tptacek
0 replies
3h45m

If you're not a practitioner and you're looking for a social scene, you want Defcon, not Black Hat. But if you are a practitioner, the lobby conference at Black Hat is better than the Defcon scene. The talks are much better at Black Hat, but the guts of the important ones are public immediately and all of them are published eventually. Nobody should have FOMO about Black Hat, but to dismiss it as a commercial event (like RSA is) is to misunderstand it.

abnercoimbre
2 replies
11h38m

This is me being opportunistic, but I'm an organizer for indie tech conferences [0]. We're not selling tickets with set venue dates yet (although a fundraiser is happening.)

If nothing else, you might join the newsletter to see if it's your cup of tea later in the year.

[0] https://handmadecities.com

wkat4242
1 replies
11h21m

Thanks! I'm very unlikely to fly to the US for conferences though (in fact I've never been there in my life!). Especially to Seattle as it's so far away from me in Europe. I'm in Spain which is pretty much a low-wage country so things like intercontinental flights and foreign hotels are prohibitively expensive.

Boston might be an option if it just happens to be around a time I might visit for work (but again I've never been there in my life so it's not all that likely even though we have a major office there).

abnercoimbre
0 replies
4h8m

Understood. Well, never say never! Worst case you can attend remotely – we’re well-known for treating online attendees as first-class citizens.

In any case, thank you for entertaining the idea :)

bentley
0 replies
11h14m

DEF CON hasn’t been canceled, it’s just changed venues.

p-e-w
6 replies
14h35m

This kind of no-notice cancellation of a contract is unheard of in the conference business.

That's a big claim to make. Can someone with relevant experience confirm whether this is true?

caymanjim
2 replies
14h30m

It's seven months away. It's not like it's seven weeks.

QuinnyPig
1 replies
14h26m

For a conference at this scale, there's not a huge difference between seven weeks and seven months.

lmm
0 replies
14h8m

There's a huge difference even at this scale. Seven months was apparently long enough for them to make arrangements to hold it at another venue nearby (I'm sure rearranging it is/will be a lot of hard work, but they're doing it); would seven weeks have been?

tptacek
0 replies
14h22m

I mean, they've been running this event, which has topped 20k attendees, for something like 30 years. So one entity with the relevant experience is... them?

ghaff
0 replies
3h25m

In 20+ years of attending events regularly I have never heard of a venue change on relatively short notice. In fact to the degree some conference moves from, say, SF to Vegas, they usually announce that at the previous year's conference.

dclowd9901
0 replies
14h31m

I don’t think it’s that bold of a claim. Organizers ask attendees to spend a lot of money to attend, buy lodging and everything else, not to mention pay a lot to organize and it takes a lot of time and effort to line up all the required facilities. I’ve been part of organizing at least a few big events and if we had a late stage hard cancellation, there probably would’ve been lawsuits.

brcmthrowaway
6 replies
13h52m

I'm surprised any hacker of any standing would want to give the corrupt state of Nevada any tax money whatsoever.

elicksaur
5 replies
12h31m

This kind of comment on HN is always fascinating. Is it just simple trolling? Is it cosplay? Is it someone new (or old) to “hacking” sincerely trying to “no true scotsman” attending def con?

wkat4242
4 replies
11h50m

I have to say as a European the choice of location has always puzzled me. Corporate interests basically run Las Vegas, I find it a really odd choice for such a free-thinking anti-establishment community.

px43
2 replies
11h20m

DEF CON started as a bunch of teenagers running away from home to get ridiculously drunk and trash some place, and it hasn't changed much. Vegas was the perfect choice. It was a party. Getting to smash up an obscene capitalist hellhole was a key perk, and still is to this day.

wkat4242
1 replies
11h18m

Ahh I see. This way it makes a lot more sense, thanks for the explanation :)

I go to a lot of European hacker parties/camps and I can certainly recognise the mindset you mention (and I identify with that mindset as well even though I work in a corporate job). For this reason Las Vegas made no sense to me but in light of your comment it does now.

And yeah getting ridiculously drunk is definitely part of the experience :D

nextlevelwizard
0 replies
7h44m

And yeah getting ridiculously drunk is definitely part of the experience :D

Since we are talking about stuff that we don't think should be associated with hacking this is my own pet peeve. What does "getting drunk" have to do with hacking? And why is it always "absolutely smashed" or "ridiculously drunk". I get that most hacker types are shy introverts and a couple of drinks makes things more fun and socially fluid, but why does it need to go to hangover(s)?

This is the primary reason which keeps me away from many "hacking camps", they are cool for a couple of hours, but as the sun goes down things just get sketchy and boring when I have to take care of a bunch of drunk strangers.

Sohcahtoa82
0 replies
12m

DEFCON needs a HUGE convention space. The size alone rules out the majority of possible locations.

Then comes the cost. August in Las Vegas is off-peak season which helps keep the cost down. Anywhere in Silicon Valley (or really anywhere in California) would be insanely expensive.

There's also convenience of travel. Las Vegas is such a huge tourist city that it makes getting flights there cheap and easy no matter where in the world you're coming from. My first time going to DEFCON was in 2017 and my flight from Portland OR was only a hair over $200.

Spodera
5 replies
14h58m

Forum servers are being overloaded, from DEF CON's homepage:

After a great 25 year relationship Caesars abruptly terminated their contract with DEF CON, leaving us with no venue for DC 32, and just about seven months to Con!

We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.

TL;DR - DEF CON 32 will still be August 8-11 2024, but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara.

kqr2
4 replies
14h43m

What happens to all the previous Caesar hotel bookings? Have they negotiated with other hotels for a conference rate?

Spodera
2 replies
14h36m

If you already have a reservation at a Caesars property, from what I saw you can keep it, you'll just have to find transportation to LVCC via the monorail or other means.

Not sure on transfers. They have negotiated with Sahara on a rate and are looking to add more.

kstrauser
1 replies
13h4m

That “just” is doing some heavy lifting. It was a minor hassle running back and forth from the Forum to Flamingo to pick stuff up and drop it off. Commuting from strip hotels to LVCC is going to be a pain in the ass.

dylan604
0 replies
10h43m

And yet every year the attendees at other large conventions like NAB have no issues with this.

aaravchen
0 replies
3h40m

From the forums (paraphrased):

You can cancel up to 72 hours before the reservation. New room blocks are still being negotiated and will be posted at (link) as they become available. Please help us negotiate rates by booking rooms in our reserved blocks.

mmaunder
4 replies
12h20m

Bomb threat last year caused evacuation: https://www.theregister.com/2023/08/14/def_con_bomb_scare/

In 2018 we had aggressive room searches post the Vegas shooting that caused a lot of friction: https://arstechnica.com/tech-policy/2018/08/security-theater...

Point being that it’s been a rough ride over the last few years. Combine that with corporate events probably being far more lucrative for Caesars, i.e. suits drink and gamble harder than geeks - I’m not surprised by this.

TBH my team and I skipped DEF CON last year and threw our own event in Banff instead because DEF CON has become quite boring with long lines and a Groundhog Day feel to it. If you’re looking for a proper con check out a local B-sides or a smaller legit con like Shmoocon.

merlincorey
3 replies
8h22m

The bomb threat wasn't even related to Defcon, though.

I heard it both from Dark Tangent and several high level Goons.

gwill
2 replies
4h4m

what was it related to? I thought someone reported a suspicious bag in the venue.

asynchronous
1 replies
1h6m

It was someone called in “a suspicious backpack with wires” which is absolutely hilarious at DEF CON

Sohcahtoa82
0 replies
30m

Hah...that could easily have been MY backpack.

When I'm at DEFCON, I bring a fun little device. It's an ESP8266 that constantly listens for WiFi probes coming from people's mobile devices. It then displays the SSID (the network name) on a scrolling LED text display. I keep it plugged into one of those Anker battery banks. 10,000 mAh will power it for ~16 hours, so it lasts the entire day.

b33j0r
4 replies
13h29m

Haha, would you want ESP32 hackers at your venue? Breaking into wifi and rooms to make tech points? Hosting this never made sense.

bboygravity
1 replies
12h30m

I smell potential for the hotel to get (free) help to become the most cybersecure hotel in the world.

junon
0 replies
12h17m

That's not what's happening.

Astraco
1 replies
3h35m

What's an 'ESP32 hacker'?

RIMR
0 replies
2h3m

Basically a script kiddie with an ESP32 SOC deauthing WiFi and other radio protocols. Probably more likely to see them with a Flipper these days.

Honestly though, if your venue gets turned upside down by a Flipper, you should probably change a few things...

throwawaaarrgh
3 replies
14h40m

Christ I'm old. I still remember when it was at the AP. Although I've left that part of my life behind, I'm glad DEF CON is still around.

tptacek
0 replies
14h37m

The last Defcon I went to was at the Aladdin.

j0hnyl
0 replies
13h41m

It went a bit downhill after the AP days imo.

fragmede
0 replies
9h32m

Riviera

kqr2
3 replies
14h40m

Also DEF CON was canceled, but we uncanceled it : https://www.reddit.com/r/Defcon/comments/1aj6ixn/def_con_was...

sva_
2 replies
14h21m

So they're making a marketing campaign out of it with 'un-canceled' t-shirts https://shop.defcon.org/

V-eHGsd_
1 replies
14h9m

i'm pretty sure "defcon is cancelled" is an _ooooold_ meme

merlincorey
0 replies
8h15m

It was Defcon 6 if I'm not mistaken and someone actually didn't go because of it which is how it became a meme.

Here's at least one source corroborating that[0]:

"I think it's from around DC6 and is a reference to our only near brush with cancellation at the Monte Carlo for DC4," Def Con spokesperson Darington Forbes wrote me in an email. "I wish I had more to tell you—since it happened seventeen or so years ago my info is murky. Something about a casino mogul preferring we not use the Monte Carlo, threats of legal action."

@ivydigital DEF CON - cancelled annually for over 20 years

— Rich Trouton (@rtrouton) July 31, 2015

[0] https://www.vice.com/en/article/ezvez4/def-con-is-cancelled-...

tkems
2 replies
14h39m

I find this strange but not surprising. I've heard of speed bumps in the past related to 'hackers in town' and I wouldn't be surprised if it comes out later that it had something to do with it, even if unfounded. I think overall, having that many 'hackers' in town makes people overly paranoid.

<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>

[0] https://www.cnbc.com/2023/09/14/caesars-paid-millions-in-ran...

sircastor
1 replies
13h31m

<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision?

This makes more sense to me than the other explanations. Probably coupled with an underinformed general manager or company president.

cududa
0 replies
12h41m

That’s probably not even tin foil hat-y.

I’d wager a bet that the perpetrators of the hack had visited Caesars during defcon

subcosmos
2 replies
14h18m

Hypothesis: Result of last year's bomb scare and evacuation?

alberth
1 replies
13h50m

Or Caesar's being hacked last year and a belief (right/wrong/indifferent) that they don’t want to be hosting the kind of folks who could do that.

https://www.securityweek.com/caesars-confirms-ransomware-hac...

wkat4242
0 replies
11h53m

It's really much more likely the people that are in the business of defending against just that.

orbit7
2 replies
8h44m

Take it international new venue each year, maybe London?

rekoil
0 replies
8h42m

Stockholm please!

anticensor
0 replies
8h21m

Istanbul please.

hipadev23
2 replies
12h48m

After last year, Caesars likely has a large insurance policy covering against ransomware attacks. That policy probably says something along the lines of "valid as long as you don't knowingly invite tens of thousands of hackers to your property"

technick
0 replies
9h33m

Which is stupid because Caesars breach was directly tied to Okta's breach.

dolmen
0 replies
9h28m

Best hypothesis so far.

hartator
2 replies
12h15m

To be honest, requiring an ID and a proof of vaccination to attend was against the anonymity principle of the convention in the first place.

px43
0 replies
11h16m

In 2021 I paid in cash, showed my physical ID and vax card, and was on my way with my badge. Nothing about the exchange was recorded. They take privacy incredibly seriously, especially the goons working registration. There was also basically no COVID that year, despite DEF CON happening right during the Delta outbreak. A big nursing conference the week before got hit hard with Delta, but DEF CON took that shit seriously, and it worked well.

Pretty sure there was no vax check in 2022 and 2023, and I do know some people who got COVID in those years, but people who took decent precautions were generally able to dodge it.

Sohcahtoa82
0 replies
18m

That was only for a single event. DEFCON no longer requires proof of vaccination or ID.

And as the other commenter said, the information wasn't recorded.

Also, the majority of DEFCON attendees no longer care about being anonymous. It's not this secret underground thing. Many employers pay for their security staff to go to DEFCON. For a few years now, you can even pre-pay for your ticket online with a credit card which makes getting reimbursed for your ticket a fuckton easier. Also means you don't have to carry $500 in cash.

sylens
1 replies
7h21m

This may be a blessing in disguise. DEF CON has grown massively to the point where the number of attendees who want to go to the various villages all day equals or even surpasses the attendees interested in the main talks. However, those villages have historically been given very small spaces. This past DEF CON, the Cloud Security village had a line down the hallway and escalator pretty much all of Friday and Saturday. Even the vendor area had to be carefully managed to ensure not too many people were inside at the same time.

Hope this allows them to really spread their wings a bit more.

Sohcahtoa82
0 replies
24m

Yeah, this might actually change my mind about skipping DEFCON.

I started going to DEFCON in 2017 (DEFCON 25). After last year's event, I had decided I wasn't going to go anymore. The villages were always extremely crowded, so trying to actually participate would be a huge wait. The talks were nice, but I can just watch them on YouTube a month or so later. Hacker Jeopardy is always a blast, but I'm not going to spend $2,500 to fly and stay in Vegas just for that.

The fact that Red Team village would only be given this tiny conference room with only like 50 chairs to listen to talks was just bullshit.

If the new venue has more room and solves all my complaints, maybe I'll still go.

gaws
1 replies
1h38m

We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.

It is absolutely related to DEF CON. Remember that Caesars suffered a massively embarrassing hack in September, and it is highly likely the top brass and investors don't want any association with hackers from an image and security standpoint, especially in the form of hosting a conference that brings tens of thousands of them to the hotel.

asynchronous
0 replies
1h7m

Yeah that is the unspoken truth here, MGM took way too big of a hit this last year from that for it not to impact the hacker summer camp.

exogeny
1 replies
14h22m

Should have played more blackjack, nerdos!

nodesocket
0 replies
14h14m

Sir you have 20... Hit me!

exabrial
1 replies
2h25m

The problem is the casino doesn't want a bunch of hackers playing casino games the way the hackers want to play them...

Sohcahtoa82
0 replies
23m

If hackers could hack casino games, they would have fixed the hacks a long time ago.

belter
1 replies
13h54m

Next Year's DEFCON Keynote... "How We Hacked Caesar's Booking System"

technick
0 replies
9h31m

Absolutely, I'm already seeing some chatter from groups that want to get "even" with Caesars for displacing a 25 year tradition for strategy. I hope they have some good defenses installed now that you've pissed off no less than 10k infosec people.

xena
0 replies
14h4m

Reminds me that I need to make my DEF CON travel plans. Thanks for the reminder!

spacebacon
0 replies
12h38m

It’s a honey pot. Antagonize “the world’s best hackers” to test their post MGM/Caesars attack security posture.

Someone probably convinced them their new fancy XDR is hacker proof and they are playing for skins now.

scoutt
0 replies
9h0m

We need a space that can handle an event our size, and configurable enough to accommodate our content.

I love that this sounds like a pun about loading/executing a payload.

rurban
0 replies
4h12m

Interesting that they didn't get the MGM, the biggest and cheapest strip hotel, but the LVCC. Still ok

quickthrower2
0 replies
13h7m

Lemonade!

nickchuck
0 replies
12h9m

I bet it was the googly eyes

mynameisnoone
0 replies
11h56m

I haven't been since DEF CON 19.

Count me out. LVCC is even less cool than Caesars and it's a mile from the strip. Its only selling point is the Loop.[0] In the past, it was convenient to book at Caesars, or nearby at the Bellagio or Venetian-Palazzo.

0. https://en.wikipedia.org/wiki/Las_Vegas_Convention_Center_Lo...

mesozoic
0 replies
41m

Don't expect much from that food court unless it's improved a lot over the last few years.

justinzollars
0 replies
11h55m

Caesars canceled DEF CON. Could it be because Caesars Palace was hacked this year? I doubt they did it?

helpfulclippy
0 replies
13h28m

I wonder if Caesars' cybersecurity insurer had an opinion about writing a policy for a casino resort that hosts something like DEFCON, especially after the MGM hack.

ghaff
0 replies
3h39m

Sort of a weird story. I have never heard of a convention venue randomly canceling a conference with less than a year to go and I was very involved with events at one point. Obviously lots of atypical stuff happened during COVID but I've literally never seen something along these lines as it supposedly went down. Barring some anomalous event, conference venues don't suddenly decide some event just isn't a good deal for them.

datadrivenangel
0 replies
14h2m

So what are the consequences for Caesars doing this? It seems like this will cause a lot of extra work and maybe damages for DEF CON's organizers.

aestetix
0 replies
10h3m

Early DefCons were on the strip, and for reasons never officially made public, DefCon got banned from the strip. AFAIU, that's why it was in the Alexis Park for many years. I was actually surprised when I learned it was allowed back onto the strip. Given the high rate of incidents and the surface area for attack, I completely understand why Caesar's dropped them. What I don't get is how they allowed DefCon back onto the strip in the first place.

MarkSweep
0 replies
13h48m

a proper food court

Looking on the bright side, having a better option for a snack or meal on site would be nice. It was slim pickings in 2023.

Kye
0 replies
8h59m

Now they have another thing in common with furry conventions! (tech people, furries, nonprofit, hotels randomly cancelling contracts)

Halan
0 replies
9h18m

Stop making conferences in Las Vegas; it is the most depressing place to visit.