by dash488 868 days ago
After the impact of the MGM hack this year Caesars probably revisited their insurance on getting compromised. After the auditors and lawyers looked at all the risks they came across DEF CON and said no because of the wording of how DEF CON is marketed. Their choice was probably to drop them or lose coverage.

DEF CON is listed as a "hacker convention held annually in Las Vegas, Nevada." whereas Blackhat is "Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security..."

I imagine places like the convention center can't afford or care about insurance at this level.


Caesars was hacked by the same attackers that pwned Okta, and used the stolen keys and tokens to get into Caesars. It was nothing carried out by Defcon in any way.

Anyone that takes this scene seriously knows Defcon is the place to be. Blackhat is an overpriced vendor circle jerk. The only way to make Blackhat relevant again is to kick out all of the vendors and if you can't do that, forbid them from collecting people's information.

This is going to be my 11th year at Defcon this year. I snuck into a couple of blackhats and didn't get any value from them. I've been around the block a few times.

> It was nothing carried out by Defcon in any way.

You think insurance providers are capable of doing this level of analysis? They see "hacker conference", in which Defcon may still hold some notoriety, and decide it's a risk.

They are able to. I've worked with AXA and Chubb before in this space.

I don't think this was done because of cyber insurance.

They most likely got bumped to make space for a better paying corporate conference.

Most vendors are now running a Cisco Live/AWS Re:invent type conference, and they've increasingly consolidated on Las Vegas because venue booking and block room booking is much easier there than in any other city in North America.

Also, DefCon has become massive, so the ROI has most likely shrunk due to staffing overhead.

> They most likely got bumped to make space for a better paying corporate conference

This is the Occam's razor explanation.

People love saying this about Black Hat and Defcon, but I can't think of an important research result disclosed at Defcon 31 that wasn't a Black Hat talk. More good research gets turned down for Black Hat (which can only accept 3-5 talks per track) than appears at Defcon. Median Defcon talk quality is approximately that of a good regional conference.

And that makes sense. Talks aren't really the point of Defcon, and they are (besides the lobby conf) the sole point of Black Hat. Black Hat is also a vendor circlejerk, but that fact confuses people who don't actually practice in the field.

BlackHat isn't a con you attend. You go there for the training sessions that are required to obtain/upkeep your certifications.

The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.

On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.

Trainings run days before Black Hat and are not part of the conference proper.

Clarification not needed -- the trainings are the only sensible reason to be there.

I don't know what to say to someone who thinks the Black Hat talk schedule and lobby conference isn't a reason to go, but a $5000 training course on "Active Directory Security Fundamentals" is. You do you, I guess.

I don't care if you go or not. I'm not trying to sell anybody on Black Hat. If you work in this field, you know what Black Hat is, and if you care about Security Summer Camp you're in the lobby bar at Mandalay. My only nit here is people claiming that the actual Black Hat conference is a vendor event (like RSA). It is not. Almost every good Defcon talk was a Black Hat submission (as you'd expect; it's the highest-status mainstream security conference, and it pays honoraria and travel expenses for speakers). There's a whole other conference, BSides, that started just to soak up the talks Black Hat doesn't accept.

Fair enough. BH as vendor event wasn't my axe to grind but the parent poster's. I was just complaining about the industry and the event in general as only having status-economy value.

e.g., the only reason I would go is if I needed to for industry certifications. Talks aren't a reason for me to go to anything (they'll be streamed eventually and I can filter them better). I'll agree the talks are better here than at most other events.

I guess if your employer is footing the bill, sure, fine, whatever.

Talks having no attendance value to me might be a personal thing, but you can blame Netflix and re:Invent 2017 for that. I sat through 4 different talks given by 4 different people that were supposed to talk about different parts of their architecture but were basically the same slides and staff engineers from 4 different departments claiming responsibility for the same parts of the system. Sure that has nothing to do with Infosec, but talks can be an epic waste of time and I'm much more suspicious of them these days.

My comment was around the wording as advertised. It will also be my 11th DEF CON next year, never been to Blackhat. We should grab a beer.

I have personally worried after seeing Caesars transform after the events at the Mandalay Bay with the new addition of their own paramilitary group (the SRTs) and their actions during DEF CON. Just check out their job descriptions: https://www.linkedin.com/jobs/view/security-officer-srt-i-fu...

Before the SRTs, I personally know from knowing the staff who run the conference that they have helped Caesars Entertainment in previous years strengthen their networks, working with them hand-in-hand to secure them and train their staff. They even worked with the goons to make sure people didn't get trespassed over shenanigans. I honestly think the mid-level management is sad we are gone.

The other side is that Okta was just a taste of what could go wrong. Seeing MGM totally shut down and losing millions was scary for upper management. Auditors weren't comparing Blackhat to DEF CON, but the listing on the spreadsheet was not "boat show" but "hacking con", and they deemed that was too much risk for the level of coverage Caesars Entertainment wanted.

Nevertheless, we all hated Caesars and I am personally excited to see what this next year will look like.

This explanation makes the most sense. A team of lawyers/risk analysts saw "hacker conference", superficially dug in and noted previous incidents that coincided with the "hacker conference" in previous years (bomb threat, the shooter) and decided it wasn't worth it.

The bomb threat last year is a funny story that I can't share here. It was very much a nothing burger, but their security doing what they are paid to do.

Cancelling it sounds like the best way to get DEF CON attendees to try and hack your hotels.
Black hat is just one giant bunch of sales pitches. No I haven't been there but I've had to sift through recordings that my boss (who did attend) wanted me to look at because he was too drunk himself to do a proper evaluation.

It doesn't provide information, it just provides sales suits a chance to blow their hot air :P

If I'd ever go there it would just be an excuse to go to Vegas to see DEF CON as well :P I work in security but I have no time for corporatism and sales bullshit.

Edit: I know it's a bit of a hot take but I've been to so many conferences where sales goons spew all the pretty pictures and then later when we actually got our hands on the product it turned out that it couldn't do half the stuff that was promised. Or there were other weaknesses like excruciatingly bad support. I've become very cynical due to this.

If we're going with hot takes, I've watched a lot of DefCon vids and many presenters come off as outlandishly arrogant. Not simply smug, more "I am levitating above the normies."

That's not specific to presenters; there's a lot of insecurity (no pun intended) on parade in this industry. The sort of people who can bridge air-gapped networks using bubblegum and popsicle sticks tend not to minor in human relations.

Just read it as showmanship. They're trying to be over the top for the sake of performance.

>Black hat is just one giant bunch of sales pitches.

> No I haven't been there

The first sentence is not true. Many good talks are given, often breaking ground. Yes, you can find sales pitches, but there are good, fundamentally technical talks.

This isn't a hot take. It's just wrong.

Black Hat is peer reviewed and accepts a tiny fraction of submissions (tracks will accept 3-5 talks out of a typical pool of 20-50). Reviewers --- all of them vulnerability researchers --- barely have time to read outlines and look for any possible excuse to DQ a submission and move on to the next one, and the single most common DQ is "the presenter has a commercial interest in this topic, vendor talk, 1.0 rating".

There is also a giant vendor expo that runs alongside Black Hat, and vendors do whatever they can to stage events that look like Black Hat talks but are not. I submit that you have probably confused those for actual talks. Or: you watched the keynote? I don't understand what the keynote is for.

Here are the actual 2023 talks:

https://www.blackhat.com/us-23/briefings/schedule/index.html

Keynotes are terrible at almost all conferences I have been to. They mostly seem to be there to stroke the egos of management of major sponsors.