Last view of the crime scene that was my invaded hotel room and violated space, courtesy of @CaesarsPalace who still have not told me anything, offered me anything (except to move my room - like that really would prevent their security team screaming at me again). My last #DEFCON
The reporting out of this event so far has noted "privacy" concerns. The fact of the matter is, a male's chief concern is privacy. Women's includes that, but our high order bit is that this policy designed to keep people safe from gun attacks *increases* our chance of assault.
Threat models change, & we as security professionals know that. October 1 changed the threat model for Vegas hotels. That in no way changed the threat models for women traveling alone. Only @CaesarsPalace security did that. They are sacrificing women's safety for gun inspections.
They added a check for the Oct 1 new threat, obliterating the existing safety controls that make women safer in hotels. Demanding unquestioning compliance is going to enable assault. *ANYONE* could claim they are hotel security & demand to be let in to the room.
No key is needed to access the floors via the elevator. The hotel employee ID card I was finally shown had the photo rubbed off. It was only shown after I had been screamed at & the door pounded on, which was after I had politely asked to verify their IDs by calling downstairs.
I was trying to follow a reasonable authentication process, in fact I was walking the supervisor on the phone through it as he talked over me about the necessity of the search. I wasn't arguing about my privacy. I was protecting my life & body from assault. He missed the point.
Anyone who thinks this compares to enhanced security at airports also misses the point. TSA is not creating a process that forces women alone to accept strange men into their rooms, without a protocol to verify their identity. TSA doesn't increase my chances of being raped & killed.
Hotel room inspections may be the new normal, but refusing to work with any woman who feels unsafe is ridiculous. I happen to be a woman who is listened to by the DoD & foreign allied govs, & was simply trying to verify that the men pounding on the door were not there to rape me.
Think I'm exaggerating the risk? Well, that's not true. Five years ago in Paris at a nice hotel, a man followed my female colleague in the elevator to our door, knocked on it, trying to get to her. Long story short - he turned out to be an escaped mental patient posing as a guest.
Hotel security is supposed to make us *all* feel safer. No security measure that increases an already common risk of rape & assault of women should be considered effective at reducing the risk of a mass shooting. Privacy isn't the main concern here. It's only a main male concern.
Crickets from @CaesarsPalace. Not even a gesture of goodwill to comp the violated nights of my reservation (the prices were low when I reserved, this would cost them a few hundred bucks). Because they don't care about women. They care about looking like they are doing something.
If @CaesarsPalace won't create a simple process for authenticating hotel personnel when guests request it, then women will be assaulted as a direct result of their lack of accepting my feedback & that of other security professionals here. They should be held 100% at legal fault.
While I'll be saddened to hear about the inevitable tragedy, I hope the victims & their families will be awarded tons for the gross negligence of @CaesarsPalace. I'm not coming back to Vegas *ever* while this is still unaddressed. My chief concern isn't privacy, it's for my life.
Employee ID cards are insufficient proof. I saw ID cards w the pictures so worn off, they were gone except the top of the head of the person. Those "ID"s alone even with a visible picture were the kind that are easily faked. Authentication via a call to the front desk is needed.
Full names given via phone from the front desk, a request by the guest for the people outside the door to produce their names (not say yes to a name given) before opening the door, & a government issued ID check upon opening it would have SOLVED THIS PROBLEM FOR ME. They wouldn't
Frankly, if this industry cares about having more women join & more women stay, authentication protocol changes should be demanded. Not some BS about cooperating with the hotel because of one changed threat model. Women's threat models are the oldest threat models in the book.
Fix this. Or I'm skipping my 20th #DEFCON and all others. I'm not risking my life to come here. I've traveled alone to Abu Dhabi, to Nairobi under State Dept warnings, all alone. I'm not afraid for my safety in those situations. I am terrified of what can happen to me in Vegas.
If you're a supporter of women, time to demand simple authentication protocol updates so that women's safety isn't thrown away for some ineffective security theater. Don't take "we're working on it" as an answer. @DianaInitiative @wisporg @defcon @BlackHatEvents @CaesarsPalace
Thread by Katie🌻Moussouris (she/her) is not coming to Vegas (@k8em0)