The events in that article took place in 1993. Read the whole article, but here's the best bit.
Hotel security had mistakenly kicked out attendees at that conference, so they decided to get revenge by hacking their system. This is from Cringely:
***
The meeting reconvened at 9 or 10 with the topic suddenly changed to Revenge on the Sands. Gail Thackeray, then a U. S. Attorney from Arizona who at that moment had approximately half the room under indictment, rose to offer her services representing the kids against the hotel management.
Thackeray had been invited to speak by the very people she wanted to put in jail. I told you this was surreal.
Adult assistance might be nice, but a potentially more satisfying alternative was offered by a group that had breached the hotel phone system, gained access to the computer network, obtained root level access to the VAX minicomputer that ran the Sands casino, and were ready at any moment to shut the sucker down. It came to a vote: accept Thackeray’s offer of assistance or shut down the casino.
There was no real contest: they voted to nuke the casino. Not one to be a party pooper, I voted with the majority.
Gail Thackeray, feeling her lawyer’s oats, was perfectly willing to be a party pooper, though. She explained with remarkable patience that opting en masse to commit a felony was a move that we might just want to reconsider, especially given the three strikes implications for some of the older participants.
We could accept her help or accept a date with the FBI that afternoon. The Sands (now the Venetian), which was ironically owned by the same folks who used to run Comdex, never knew how close it came to being dark.
It was a thrilling moment like you’d never see today. Everyone who was in that room shares a pirates’ bond. And though I can’t defend what we almost did, I don’t regret it.
And like the others, I wish Gail Thackeray had stayed in Arizona and we’d shut the sucker down.
In the article, yet another leak notification as well. Maybe we’ll see how much data casinos really have on us.
Caesars was hacked a month ago.
>>Caesars told the SEC it had “determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers.”
I should have stayed in the trenches in the 2000s and waited until Satoshi releases Bitcoin which makes all of this possible. But I didn’t.
A lot of what was happening back then compared to today is just such a stark difference. The kind of attack vectors I was chasing myself are now so obsolete that most of these gangs will just give you that info for free… I mean holy shit… you can just load up Tor and go download terabytes of information in any industry imaginable. Free of charge. No need to spend endless weeks or months planning out the perfect attack (although that process is rewarding in its own way) …
This year has been huge for ransomware attacks, how long until one of the major FAANG companies gets toppled over?
If they were, how much do you think they'd pay for it to not leak to the public? (which is illegal, but that doesn't stop corporations from acting that way). If, say, Netflix got hacked (not ransomware, but user+credit card db dumped) but they paid to hush it up, how would we know? If the thieves were smart, they wouldn't use all of that dump simultaneously, so it couldn't be correlated.
For sure. I mean who knows how many big corps have been owned that we don’t know about. I suppose if you dump something like Gmail users, hypothetically, then there is no way Google wouldn’t cough up the money.
But by the looks of it a lot of these groups are after specific targets, for example - chipmakers. No way they want their secrets out in the public so they’ll happily pay up, especially if they are from places outside of the US.
I sometimes see on my Twitter feed, alerts of big Bitcoin transactions that are never disclosed publicly but are associated with well known laundering networks.
I highly doubt Google would pay. There is a 0% chance they prevent the public (and government) from finding out the attack took place, and there is no way to guarantee the attackers actually delete the data. It is lose-lose for them because of the reputation effects. Unlike the casino or other industries where people don't expect them to be cybersecurity experts nor care to change their behavior anyway.
It's a gray area - most big companies will get cybersecurity insurance - then the insurance company pays the ransom (assuming your policy covers it). When working at a Small Cap financial services company, our policy cost north of $2MM a year.
Such clear game theory. If nobody pays ransom, the group suffers less overall. But targeted individuals suffer greatly. Targeted individuals have a high incentive to pay, which encourages more attacks on the group.
A previous company I worked for took the “high road”. Mostly cause the CIO was a delusional psychopath. She refused to pay the mere 1 mil ransom. Told the CEO the disaster recovery systems would bring the company back online in a few hours (everybody, except her apparently, knew the DR system was a total joke). Hackers wiped the encrypted drives of every machine in the company and said good day.
4 weeks later they had the website, basic email and server operations functioning again. 3 months later they had restored business continuity more or less.
She was fired a week after that.
I’m guessing it cost the company 10’s if not over 100 million.
I doubt it, especially if you make the executives personally liable. There are lots of other profitable things that companies generally don't do because they are illegal.
Casinos — more than anyone — understand the cost for disrupting their revenue streams. There is also the possibility of damaging future revenue streams if they take much of a reputational hit. They have all probably anticipated such an event and are prepared to negotiate and act quickly.
As far as reputation goes it looks like Caesars paid the $10m ransom after having the loyalty member db exposed with driver's licenses and social security numbers. They also have no real guarantee the data stolen will be deleted.
Still might be better for them being a "quiet" incident as opposed to disrupting operations like MGM.
Yeah, rather than take a reputational hit, they've now got a reputation for paying ransoms to hackers. They will now be targeted by more hackers wanting ransoms.
Nobody wants to assume they cannot get out of the mess. At some point, someone has to make the tough call to sign a check to make the problem disappear.
My understanding is that a small minority of a casino's users are responsible for the bulk of their revenue and if you take a small leap of faith and assume that many or most of that subset of users are gambling addicts, you can see how a casino might be heavily incentivized to need to be operational again quickly before their addicts seek a new source of gambling.
Bulk of their revenue comes from non-gambling. 69.8% of casinos' revenue is non-gambling. [1]
For gambling revenue, slots are responsible for 67%. [2] I doubt that it is a small minority that is gambling away at thousands and thousands of the slot machines.
You would be surprised. Most casual gamblers will put <$1k on a weekend visit.
Even setting aside the high roller slots, the regular machines will allow $25/spin now and 5 seconds a spin means it’s easy to cruise through $1k in 5 minutes.
I’ve sat and watched one person do that (not in the high roller slots) and they left down about $4000 after a 20 minute sit. They didn’t even seem fazed in the slightest and only left due to what seemed like the need to meet someone rather than running out of cash.
First, a trip to Vegas for most Americans will cost much more than $1K per weekend. Second, my link said exactly this - most of the revenue comes from slots. People using them are by definition not a small minority. Minority gambles away hundreds of thousands per trip.
I think there is a misunderstanding here. My point is that gambling is a less important part of casinos' revenue. Hence a few whales don't make or break Vegas.
I.e., even if we take the top of your guess (<$1000), it is still much less than other expenses (lodging, dining, entertainment, etc).
I’m replying to your claim about doubting a small minority gamble thousands at slot machines. Your intuition is wrong and whales dominate gambling revenue, even in slot machines.
Casinos are a luxury vice where participation is optional. Hospitals are a necessity of society who know that they will be supported by the government if required. I also believe it is technically illegal to pay the ransom, and given the tight connection between hospitals and government, may have more red-tape to sign off on such an action.
Hospitals can also shame the criminal organization better. Shutting down hospitals gets more eyes on you, and as criminals, you don't want that. I'm sure MGM is a major political donor, but most people don't have much sympathy for them in this case, either.
Same as when the hackers shut down pipelines then immediately apologized and backed down, saying it was never their intention to cause an international incident.
You realize those movies were inspired by something actually happening right? Like criminal enterprises are intertwined with legal businesses all the time. Whether it’s embezzlement/kickback schemes, espionage, or extortion there are independent agents or cut out organizations which undertake these illicit, clandestine activities. The casinos have been tied to mafia activity for many many years.
Yes, I'm aware of casinos' ties to organized crime. However, they're a lot more above ground these days and the money that was extorted wasn't illegally gained. If you go to a casino on the strip tonight and cheat or steal chips you'll be arrested and face felony charges. You won't be taken to an alley and shot or even worked over like you might have 50 years ago. It makes no sense for them to commit serious violent crimes when they can ruin you through 100% legal avenues.
The idea that they're paying because a hit squad is about to drop in, murder them all and get the money back is pure fantasy. If modern casinos figure out who did this they'll forward it to law enforcement. In all likelihood they have no idea, though.
If there's any evidence that these casinos still commit murder like that I'm all ears.
I hope so, I hate going to the hottest spot in the US every year. This year Toxic BBQ was acceptable in terms of heat but other years have been miserable. I would love a more outdoor friendly hacker conference. I’m so tired of Vegas. I know Toor Camp exists but we need so much more.
https://www.cringely.com/2013/07/30/the-origins-of-defcon/