Oh Hotel No! How A Hopeless Hooligan Helped A Homie From Homeless To Homeowner In 9 Months

BSides Charlotte · 2026 · 47:13 · Published 2026-04
About this talk
@justinvarner & Don Orr presented their talk "Oh Hotel No! How A Hopeless Hooligan Helped A Homie From Homeless To Homeowner In 9 Months" live at BSides Charlotte on March 28, 2026. https://bsidesclt.org/ This is the story of a hotel hooligan and his fascination with exploiting physical and digital vulnerabilities for the purposes of persistent access, living off the land, and surreptitiously housing homeless people.

Everyone, I am Justin. I went on a major side quest with Marriott in 2024 resulting in this talk. I originally gave it at BSides Prague in um March 2024, then RVAsec where it was recorded and then uh last August for BSides Vegas as a DEF CON Skytalk. It's a crazy story to this day. Um it's hard to believe all the events that unfolded. The long and short of it is um I was able to exploit Marriott system to help uh this homeless guy Earl Jones get a job while in the hotel and become a homeowner in 292 days. And so this is the story uh soup to nuts. I hate that saying but it's funny of uh how this happened and what

the purpose of this whole thing was. It started out as a mere interest in hotel security and ended up as a sociological experiment that could pave the way to real meaningful change in society. Whoops. Am I here? So, this all started in a pretty um bleak situation. Uh it was February 28th, 2023. I got stuck in a hotel elevator for 6 hours and 18 minutes. Nobody came. I'm at the hotel. I'm with EMS. Where are you at? I'm in College Park, Maryland. The place is literally called the hotel. Which hotel? The hotel. There's no service. The hotel staff thought that the maintenance window was going off, which is why the elevator was there. I like could have

died. It it it caused in me like it it was so traumatic that um I uh you know, it it left an indelible mark with me. Uh when I got out of the elevator, the hotel was so embarrassed that they couldn't take accountability. They actually kicked me out and claimed that I was stealing from the gift shop. And it wasn't until the following week when EMS reviewed the footage and they said, "This is like the most terrible blunder we've seen in our like history of our fire department. We think that you should like sue them for multi-million dollars." I said, "No, I believe in taking the high road." I didn't really know what that meant at the time, but I

over over it period it kind of crystallized in my mind what I wanted to do. Um, and then just as a some these videos are embedded if they don't work, but I have a whole playlist after for people to watch. Um, the funny thing is, so then I got stuck. I ended up Washington DC here, there, and everywhere. I go back to get my stuff cuz I'm kicked out at this point to room 911. Irony. And at 8:27 p.m., I got stuck again for 57 minutes. And then when law enforcement finally did show up for the day, um, it was 14 hours and 10 minutes. If you look at your SLA, that's like um terrible. That's like 59s or 95s

or whatever. But it's, you know, it's unreal. Um and that and it definitely changed me that day. Yeah. You know, Die Hard John McClane. I may have had a bad one, but I had one that was a thousand times worse, let me tell you. Uh so what is the high road? Originally, I'm just looking at these hotels and I've always had an interest in um being a hooligan, but most importantly, I think it's 2026 and nobody should be homeless. And when I went to this hotel, the hotel University of Maryland, I was talking to the guy at the front desk, Jamal, and I was like, "Hey man, like what's the occupancy ratio, etc." He's like, "Well, there's

464 rooms here. On average, 78 are vacant per month or per night." And I'm like, "Okay, so if you look at the fire code, that's four people per room. Um, that's literally 350 people. There's 280 homeless people in College Park if you can solve that problem." He's like, "I wish it was that easy, my man." And I'm like, you know, actually, I think it is. And so I just decided, I'm going to barrel through this. And I went and I got obsessed with hotels. Um, wait, let me let me go back. So yeah, so March 14th, it's uh it's a very cold day here in Richmond and I was kind of sick of the situation. I had also,

for the record, I had to go to the hospital. I was like in an extreme manic episode and I get out on literally the 14th and I go down and I see people there and I was like screw it. Um I'm going to do something about it. I go and I book uh four different rooms at the Richmond Marriott right across the street from where I live. I cloned, I believe, 37 key cards and I gave them to these homeless people and it was a scene out of a movie. My friend Cassandra who worked at the Starbucks didn't know me at the time. She's like, "Wow, I remember that day that [ __ ] went down."

Um, people are converging into the hotel. I eventually walk in probably an hour later after everyone's there and I'm escorted by the manager to room 256. In that room is Marriott security, two police officers. The officers were actually super interested. They're like, "Wow, that's really cool. How did you like clone it?" You know, it's basic MIFARE Classic card. But the head of security is like, "Well, we care about homelessness, but we can't do it." And I was like, "No, you [ __ ] don't. You know, you don't care." I just stormed out and I said, "Boom." It was obvious to me that the buckshot approach did not work. So, I needed to refine my

strategy. >> Hey, can I jump in here real quick, Justin? >> Yeah, of course. >> Uh, hey, um, yeah, my name is Don. I've been, uh, working with Justin on some of this stuff uh, for some time. right at that part of the story is probably where I got introduced to a lot of this stuff with him. Um, we had been friends prior to this and um, you know, uh, I had heard about the elevator incident that he had went through and I know he said, you know, he was going to make it right in some form or fashion. I don't think either of us really understood what that was at the time, but I do remember

around that time uh, with this key card incident of getting a call. I got a call from Justin and uh, he was mentioning some, you know, the homeless people outside how cold it was. was he was like, you know, I think I'm going to book some rooms. You know, in my head, I was like, all right, you know, maybe he's just going to like buy a bunch of hotels for some of these people. And ended up with that mean, he didn't mention he was going to be cloning key cards for all the homeless people that were that were going to be outside, which I thought in the end turned out to be really interesting. It really piqued my

interest in this and kind of helped me go forward with them as well. Um, but yeah, by the time I really understood the full scope of what is happening, the hotel security was already involved. And um, in my experience in working with Justin, that's kind of how it goes. you know, you'll get this and then you'll get the full kind of story later on with what it really was. But I just wanted to throw that fact in there. >> Yeah, it's a bit petty, but buckshot Yeah. did not work, needless to say. And Don Don could attest to that. Um, yeah. So, and I already went through this, but I take a page out of my dad, JBird. He's

quite a character. And after this, I told him about it, and I knew he'd be proud. He's like, he used to say this thing like, I put my pants on the same way they do, one leg at a time, kiss my black ass pants. Anyway, he uh he he really inspired me, this sort of anti-authoritarian streak. And um I uh you know, for me, it's like if you can do something, you have to, you know, and I've always had a problem with authority. So for me, physical security, offensive security hacking is like the perfect avenue for me to to just, you know, channel my energy and actually affect change. Um and then so after that

I got obsessed with hotels, right? For the next like seven months I there was only one so there's only one Mar or hotel in College Park I was allowed into. It was the Rich Marriott, right? So that was kind of my target because I still had business in College Park. I was working at this quantum computing company and and I really like the town and um I uh you know had unfinished business. So, and it's a interesting hotel in that it's like a four-star hotel, but it's only got five levels. There's 200 there's two different sides. Um, 286 rooms, but there's really no security. And, um, because it's a college town hotel. And, you know, when

I say no security, there's like no key cards to get in. You can go into sideways. And for me, I'm like, this is a great PoC. I'm just going to like run through it and I'm going to um and I'm just going to sample it. Well, I ended up meeting the head of the manager, uh, this guy Jay. I'm gonna keep him sort of anonymous. Just I told people in DEF CON the deal, but just, you know, keep keep it on Marriott. But I asked him, I was like, "Hey, Jay, like, have you ever done any assessments here? Have you seen if um there have been people living in this hotel for like maybe days, weeks,

months out for free?" He's like, "What do you mean?" I was like, "Well, I'll tell you what. Go to this restaurant across this like really across the the way on building two. I'm gonna like make a video for 20 minutes. Um, and I'm gonna show you what I'm talking about." And so I actually just did this yesterday, too. I went to the fifth floor. I um I start talking to a maid. I pretend that I like left and I needed to get in because my laptop was in there. Um, you know, talk to her about, "Sure, sweet. No problem." She like puts her key card up and I was pretending to use my uh Proxmark3 as like my mobile

phone and she has a skeleton key. So, when I'm holding it up, it looks like I'm testing my mobile phone, but I'm actually copying her key. So, I go in, I get into the room, there's no laptop. Oh, so sorry, ma'am. Uh, whatever. I go down to the fourth floor, which is the presidential suite. And I'm taking video, and I'm doing um a 4x4 floor, just to show that I have access to every room. And I go up to the fifth floor. This takes me 11 minutes 37 seconds to completely sweep that building. I go meet Jay across the street. I show him the video. He was stunned. I think he said something like, "Oh my shit." He

like could not um Oh, somebody's asking something. >> Wait, was that a raised hand? >> What? Oh, yeah. That whenever you get a second, that was me. I had something I wanted to put on there. >> Oh, okay. Cool. And then Yeah. And then that was that. So, go ahead, Don. >> Um, yeah. I think uh the only thing I really wanted to add to this is you know in the beginning of this I think you know he saw an opportunity uh you know going back to like cloning key cards and all that saw an opportunity for you know something else to get done and um around this time when we started talking this is kind of when it went from like the

beginning of something that was kind of chaotic right like having all those homeless people like kind of storm on a Marriott like in a way it was doing a public service and I think we could all you know get behind it's a public good um but this is where it started to shift you know to working with some kind of Marriott management is something where it was a little more methodical, right? He really started treating this like a red team engagement where things were going to be documented. This is how it was going to go. We're going to look at this, this, this, and this. And um it was really something that was just awesome to be a part of. Um, and yeah,

he talked about um, you know, um, doing some of these walkthroughs with hotel security and I've been a part I've been a part of plenty of these walkthroughs with them and a lot of these start, you know, initial access getting in through basically just a hotel lobby, right? Most of the people there are just going to assume you're a guest. So, while you're in this lobby, I mean, you can start looking at all kinds of things in the lobby, right? One of us could be distracting somebody at the front desk and look at different things that we're, you know, see if, you know, what's happening on shift change, how are the maids coming in, what floors are they

doing, um what floors are they cleaning, so we can have this kind of access later. Um even, you know, noticing things like sometimes doors might get propped open on shift change. You know, a lot of this stuff you can see right from that standpoint. And um it's really interesting when you start doing it. And the other cool thing is I've seen him do where he talked about the maid situation. It happens so fast. You know, it's like, you know, all of a sudden these maids go in under five minutes. All of a sudden, I'm in the room. Like, it is like, it's just really It's really just impressive. It's really just impressive to watch. It really just

takes a little bit of confidence going through. He talked about the thing with the Proxmark. Um, and it really opens your eyes to see how hotel security is and what kind of change we could possibly make in that. So, go ahead, Justin. I didn't mean to interrupt you there. >> No, it's good good context. Yeah, it's it's amazing. Yeah, like I said, I just did a run through yesterday and it took me 57 seconds to get in the room. Anyway, at a certain point, you're like, wow. And the reason I I've been targeting hotels, they are highly resourced and poorly secured. And they hold the key to solving a lot of problems around homelessness, addressing a lot of levels

of insecurity. It's not just housing, it's food, it's internet, it's laundry, it's etc. I'll get more to that here, but hotels hold the key to solving all these problems. Oops. Shoot. Um, so yeah, as Don alluded to, I started to structure this whole thing as a red team campaign. And I'm like, I'm going to go med red man with the method man. And I'm going to design this in a way that and with the support of an executive sponsor. So Jay is a manager of Marriott. He gets me hooked into this PoC where I pilot going through other Marriotts. He's like, I want you to do 10 hotels. This is uh November 2023. And um and kind of just

demonstrated because like I have a very powerful friend like Batman who who uh would be really interested in this work. And so I start designing this and um going through the phases, right? And so red team campaign, you know, recon as Don said, you can passively observe and learn so much about an environment without ever touching the network. You can understand um where the cameras are, when people come and go. You get into the lobby, even the Wi-Fi if it's unsecured, um if there's key cards, how how many floors are there, um all that stuff, you can walk through and do that as a guest. Like the thing with hotels is like you can't just be turning them

into Fort Knox because you have paid people there that need to enjoy it. So it's kind of a balancing act, right? And you learn a lot of interesting things like pretty much no hotels have cameras in the stairwell. Like the only ones that do are like the Venetian, the Bellagio and like really expensive five-star hotels. But and also another interesting trend that I'll cover more is as the prestige of the hotel goes up, the security goes down. And a lot of that has to do with the presumption that if you have money, you're trusted, you know, but then they meet someone like me and they're completely flipped upside down. So yeah, phases of a general red

team campaign that you design, you know, you got your recon, you learn tons during that. Um and then um once you've got initial access, that's inverse order. Um you know, you can then enumerate, right? So once you're in there, you can start to really like um establish your beachhead because once you get in the hotel too and you've piggybacked in, you've now used stolen credentials, right? You're essentially using that person's access. So you can get on the Wi-Fi, you can bill stuff to the room, you can do all that stuff like as this you're impersonating this, you know, you're doing a typical um yeah, just an impersonation attack. And then uh once you're in there, you

can get more rooms. The other interesting thing about this is you can go straight up like rogue and do this without any legitimate room. But the way that I did it was I had a hybrid model where I had a legitimate room booked but I also was taking over other rooms, you know? So like I was a guest know and that's kind of what allows you to have some sort of credence to give you an actual key card. Uh like a lot of things like there's a there's a combination of legitimate and illegitimate access. Um and then uh yeah, you can you can do privilege escalation. There's a nice little trick that uh I was covering

in a video on the place like a month ago um called the uh the two for one special and so what happens is you go and you book a hotel and you tell them like hey this hotel is I'm not feeling it whatever I need a different room nine times out of 10 they'll give you a key card for the other room without revoking the other one and a lot of times that room will be valid until the next day so you get a two for one special right and then um and then there's also like a lot of uh you know like all right so living off the land, right, how do you stay

there? Once you have access, you can go to the M lounge. This is what the homeless guy did, Earl. He was able to eat at the M Club. Um, you know, drink, be merry, and then persistence is really key here because if you've gotten illegitimately, and even if you haven't, once they revoke your key cards, rather than going through the process of initial access, you want to be able to get the back door in. There's a lot of tricks there. Like the pen trick, the wedge trick is my favorite. Um, you use a little sign that says do not disturb, and you shove it right between where it's supposed to lock with the door. It

looks like it's closed, but boom. And if it's after the shift in the day when you supposed to have checked out, they will not check until the next day, like literally. And so you can just stay there and like you don't need a legitimate card or somebody else is in the room, they'll let you in. But like this is this is how easy this is. Um so yeah, like I said, sort of the recon uh phase. Um you know, passive intelligence. Don't it's it's the equivalent of OSINT. You know, you can figure out everyone in the company. Anthony Capuano, CEO. Um Jake Lindo, you know, he's the now the director of corporate security. Talk to the staff,

understand um the floor plans of the buildings. You can get those online so you can just walk through. You know, I use a GoPro uh which is awesome. You can even map the floors with different technology. Um like it sounds like it's futuristic like Tom hunt, but you can actually like use uh uh imaging to do that if you really want to go hardcore. um figure out where the security office is, etc. Um and then once you're in there, yeah, like once you're in in your room, then um use it as an opportunity to be uh less conspicuous, right? Because if you can pivot off of that, um it's similar to OSINT, but like I said, it's like it's the

equivalent of OSINT versus Nmap scanning, right? So you might you might go with a key card and you might start running like to room to room and seeing if this works. And so you're going to be more on the active side. That's where enumeration comes in. Um, oh, these are inverted. I have to flip the slides actually. So, you get initial access and then you enumerate. And a lot of times for initial access, it's like I said, it's the maids. It's either getting the maids to let you in, finding a key card. People leave key cards on all the time. Like I I managed to get one off of a key a cleaning cart from a maid that led me

to the JW Marriott that I'll talk about in a few slides. Um, and then there's other really interesting features with the app where like you can book a room and there are a lot of cases where they're going to issue a room and not even charge if you use a virtual payment method. So like if you use uh Capital One Eno or whatever, places will issue you and let you check in and some of them will give you a room and then you can request a mobile key, especially if you snuck in because then you can say, "Oh, I'm in this room as this person. I need you to retroactively issue a key." Right? And it works. It's kind of you

work backwards and then there's a lot of uh vulnerabilities in not only Marriott Bonvoy but the Hilton Honors where you can book a room for 33 days and then it completely falls out of registration. Why? 33 is the magic number, right? Um uh then lateral movement once you're in that room get more rooms. You know, I had this wild thought back when that was happening that I'll probably dial back on, but like what about this idea that you book a room on a floor and you just slowly start to take over adjacent rooms and next thing you know, you just start launching in your friends, your family, the homeless people, the d the strippers, and you've taken over the

hotel. It wouldn't take that long, honestly. It'll probably take a couple days, and you you have established hotel dominance at that point. Do with it what you will. That may or may not still happen. Um, end of the damn dungeon. Yeah. And then live off the land. Like I said, literally there's so many resources. If you're in the M Club Lounge, which is either through platinum membership or like I said, you can con you can steal it or convince the the front desk to give it to you. You'll get um breakfast, lunch, dinner through hotel, as Jabber would say. Um for these places and uh also access to the lounge. Like you don't even need to stay in a

room. That's the thing like these lounge commentaries have so much stuff. Um, and they're only at uh the four and five stars. So like the Ritz-Carlton, the Sheraton, the Renaissance, St. Regis, um, the the original Marriott brands, and they're great. You know, like it's an extremely valuable benefit that allows you to address food insecurity, etc. Um, persistence, like I said, 90% success is 90% masturbation, 10% in imagination. Anyway, make sure you can still get access to the rooms of your choice. Skeleton key is the way to go. The skeleton key is notorious because it gets you in every room. And one of the issues is that I've talked to Marriott extensively about that they don't really

fix is the maids or the managers whoever when they get access they have um persistent like admin access, right? It's essentially like okay we're going to give someone root AWS creds just to use what should be used is just-in-time privileged access management. When the maids come in, they authenticate their key card. When they leave, they deauthenticate. That just doesn't happen. You know, you get this key card and you're in the system. There's a lot of issues with that. There's a lot of very most hotels do not log properly. They do not provide any sense of real-time alerting. It's all reactive. So, they might have security cameras, but there's no way in hell they're going

to be able to correlate stuff in real time and figure out that someone like me in the hotel is doing this thing until well after the fact. though. But skeleton key is easy, but like I said, once you're in a room, there's many ways. Um, you know, you could straight up just prop it, but you want to make it look like um, no one's in there. And so, the pen trick is a technique from FreakyClown. He wrote the book um, I Rob Banks or How I Rob Banks. And you put it in the wedge of the door and you smash it. And the pen barely keeps the door open, but it's there. But it still gives you

access in. But like I said, the wedge trick is another one where you put the little door stopper in and it closes. that looks like it closes and then next thing you know, boom, you kick it open. Um, you can also just have somebody else stay in the room, right? You know, that'll let you in. Um, whatever because then they can stay in the room and they can close it off and like, you know, and put up the uh the security bolt and everything until most times they're just going to leave the room because here's the funny thing about hotels, right? If you leave your stuff in the room, right, they deactivate your card. They don't

care beyond that. Like if you're in the room or whatever, you can get your stuff out. They're trying to lock you out of your room so that you pay for your stuff. They're holding it hostage. But if you're already in the room and um whatever they'll and if they can't charge you, like they're assuming they can just charge a payment method, but they're holding your whole stuff hostage. So if you here's another little trick, too. I call it the 11 p.m. checkout. If you want to stay in a room without paying, you book another reservation again with a virtual card and you just say, "I'm going to book it the same night." you check in early, the

staff that come by that try to clean out the room around 12, oh, are you staying for another night? Yes, I am. They're not going to figure out until accounting at night that you actually haven't paid. So, that's your key will get them activated, but you'll have persistent access. 11 p.m. checkout. I have a whole series of videos on the playlist you can watch to see this in action. Um, and then what really matters a lot to Marriott, to the client, to Hilton, whatever, is the actual reporting, right? Um, and the data like seeing is believing. So, I um I walk around with a GoPro. I'm constantly talking and capturing it. And um every little detail

I see, observations, you know, you need to be able to capture this seeing is believing. Um you know, I wish I could make this stuff up, but then you see it on video. It's like I've done crazy stuff. I've I was at the Ritz-Carlton in uh DC in June, and there was a lot of uh uh notice about being on guard for homeless people that were sleeping in the stairwell because guess what? There was no security key cards on either side and it wasn't for me. I just happened to be doing this job. And so the maids were a little more defensive as far as like the person trying to come up. However, I'm like, "Hey, let's look at

psychology. Is anyone going to stop a fireman or someone with a fire extinguisher?" So, I grabbed one out of the rental truck I had and I literally I grabbed it. I went to the top floor and I ran from to the presidential suite. This room is like p it was pristine. Not anymore, but it was 177 years old. The host of royalty like Macron, Angela Merkel. I'm running at the maid. She like opens the door up. I destroy it like with the fire extinguisher. And I sent the footage to the person who hired me. And at that point, I thought I would be fired and he just said, "Well, that's really cool, kid. Keep it going." So, at

that point, I knew that I was there at Marriott forever. Like, we had an understanding that he could never actually get rid of me because I'd have permanent backdoor access. So yeah, you got to you got to get creative and you got to get crazy. Um and and something will work, right? It's humans are infinitely fallible and able to be manipulated. Um and then yeah, like to educate and remediate. So part of the followup for what I do is uh returning to these hotels to retest or providing them a comprehensive list of like solutions and a lot of it is similar to like actual cyber solutions where it's fundamental like you know um defense in depth. So,

you know, have better logging, deauthenticate the people when they come in actually have key cards, use something that's running on like DESFire. So, a lot of the MIFARE Classic cards, they um if they if there isn't even even a key card in the uh reader in the in the elevator, it'll just you use it, it goes to the floor. DESFire is a newer technology where it's um access controlled to the floor you're on, which is great. And it also kind of um is used in the way that the rooms are keyed in that you can only have like two active keys. So if you just go down and you request anyone from the lobby, they'll

deactivate the one you have. So that makes it so you can't infinitely clone keys, right? And that makes sense. Um but a lot of these hotels just don't do it. They use my you know 4K1B cards. They don't use Ultralight C or EV1 or any of that stuff. So they easily clone and they the thing is physical security is very hard and Marriott and hotels are essentially physical devices like running with uh digital security controls other than locks if you think about it like cameras are digital um access controls digital and if you get physical access to a digital system you can undermine all the controls which is why it's very hard and there's a funny um there's like an

excerpt in the in the Snowden book um about NSA and he says the only way to do physical security in NSA they talk about is uh is barb wire Faraday and guard right it's like okay you need you need you need someone to shoot guns you need barb wire and you need to kill actual like RFID otherwise um it's security is really hard so um and then yeah so I went on a rampage I hit 87 hotels in 2024 I didn't stay at all of them these are just ones I did and Like I mentioned, there's a whole video of uh of these and why the the prestige up in the and the um security down is an interesting

correlation and a lot of it, like I said, has to do with just the assumption that if you're a wealthy guest that you're of privilege that you're not a threat. I don't really know, but it kind of plays into the psychology of how we um we perceive people. The best security I've seen have been at like the three star Residence Inns and the Element and stuff, which by the way, those are my favorite brands. I'm not a fan of Ritz-Carlton and all these like elitist hotels. They're just not my thing. And I mean, they're fun to hit for sure because like I said, the security is non-existent. But as far as like the value, the quality experience, nah, not

not my not interesting to me. Um, yeah. So, at this point, it's like, did I really have a plan amidst all this? Not really. But it kind of came together in the ways that I hoped it would. And so a lot of uh like I had mentioned my thought around this was housing and hotels can deal with a lot of different types of insecurity. Food like um you need tele telecommunications access you get print uh you get an address right this is what's really helpful. So for this guy Earl Jones in order for him to qualify for uh Medicaid and other services you need an address. You can use a hotel. I end up just shipping

stuff to hotels a lot of times. I like whatever. And you can also use it to store stuff. I use the hotels as my personal dumping ground, you know, because one little fun trick is you can go to a hotel with even without a reservation, you go to the concierge, they'll store your stuff. So if you're traveling for the day in the city, you don't need to pay for lockers. You just leave it there indefinitely. Um, so like again, there's resources galore. And anyway, so I'm thinking about this whole thing and oh, this is a little out of order. Sorry. Uh okay. So then to continue on all of this as the journey continued with housing. I um I started hitting

high high like highfalutin hotels and then Jay puts me up in he's like I want to head to JW Marriott. This is hotel number 10 on the PoC. There's a G17 political summit. I guarantee that if you can get some footage here I'll be able to send it to my main man who's very highly esteemed in Marriott and uh we're going to get some action. And so JW Marriott's right across from the White House. It's five-star hotel, piss-poor security. You go in there, they has a really funny elevator system. There's 15 floors. You go to the elevator, you say, "I want to go to 15. Go to elevator B." So they make it even

easier. They just queue you up to the right place. And um and the key cards are MIFARE 14B, shitty, easily cloned. And so I'm like doing analysis. He's like, "But beyond just getting in the room, here's what I want you to do." He's like, "I'm going to give you the manifest of all the people that are staying there for this convention. Um, go ahead and capture, go in each of the rooms, show the world what it would look like if you actually wanted to kill them." You know, like I'm one dude, right? Imagine I'm rolling in deep with Ocean's Eight layers of babes or um I'm a nation state. Like, how isn't this happening already? It pro. I mean, it

is. It's just you don't hear about it. Like, all right, I'm one dude. Trust me, Russian FSB is on top of this stuff. And so I um I simulate this experience. I end up walking in on two very important people, which I'm not going to cover for this in public, but needless to say, I could have killed them both. They were well esteemed like, you know, world diplomats. And that that was that was it, you know. Um that was enough for the boss man to get the footage immediately called me and say, "How do we fix this?" I said, 'Well, you can't really fix this because Marriott has 9,09 properties. They only manage 48. They used to be in the

business of real estate. Now, they're in the business of hospitality. So, all these hotels are actually managed individually as franchises, managers. They have vastly different levels of security, even within the same 34 Marriott security brands. Residence Inn in Richmond's way different than Philly. You know, the Element in um Cape Canaveral is way different than King of Prussia. And so there's no real way to enforce it, but what I can do is provide like a playbook or like here's a here's best practices, right? And that's what I was offering them like, hey, here's here's what good looks like. This is how Marriott recommends you do security, but it's an individual sort of franchisee manager situation where they have to

implement it. But I'm like, hey, I can at least point out the vulnerabilities because ultimately this data was going to get compiled in an effort to get funding to actually address this. And Jay literally was the person. So he was the manager of the College Park Marriott when I met him. When this all said and done, he was the head of global security. He sort of he pushed or let's see, he uh pulled me through Marriott as I pushed him. And it's a partnership to this day that I'm very grateful for. I taught him everything he needed to know about physical security. He helped maneuver and navigate the whole political system of Marriott to the

point where he got me in touch with the right people so that I could actually get what I needed. And you know, when I started to talk to him and the boss, I was like, "What do you want?" I was like, "I have a wild idea." And it begins with this. I went, "Ambassador Elite status." Ambassador Elite, it's a hard thing to get. You normally need to spend $100,000 or sorry, 100 uh what is it? You need to spend a hundred nights per year, $23,000 10 years in a row. If you miss a year, not doesn't count. When you have it, though, you get a lot of perks. You get 24-hour check-in. 24-hour checkout. Um,

you get uh concierge. You get uh what is it? United Silver Premier. You get and that's another thing that's a funny thing that I'm going to talk about. They also have a Hertz Gold President's Circle perk where you get enrolled, which I was able to abuse that to get a rental car for free for 323 days last year. I'll talk more about that in a future slide. Um, but you get all these perks and you get 100% points which allows you to stack points and in a way essentially book rooms legitimately for free. Um, that was that was goal one. But I needed to get enough points to start out to book nights. The way that Marriott

points work are it's essentially 100 points equals a dollar. And I calculated at the Richmond Marriott legitimately to get uh my room stood up would be about 3 million points for about um you know 660 nights. So, I want those in my account starting and then um I uh want to house a homeless person and I'm thinking this shit's going to get shut down and no it took him like 13 days run with it and I didn't know which homeless person but fast forward to literally exactly one year after on Pi Day buckshot I go out on the street after I'm armed with this I meet this guy Earl Jones he's right there at the bus stop and he just stood

out to me as a character you know he has on his uh he's a rainbow robe I I don't even remember this point. Pink platform boots, rainbow robe. He's a character as a he's a critter as I would say. Um, and I'm telling about it and you know it's bad when you know this person's thinking you're crazy, but I'm like I have this idea, dude. Like you seem cool. You're on the streets. I want to put you in a hotel and I think um I think I can I think I can prove something interesting. He's like whatever, Mr. Justin. That's what he says. He's like you might be on to something. Why what do I have to

lose? So um yes. Okay, more about Ambassador Elite though uh like I said it provides a pathway now along shortly after this time then I became an actual Marriott employee because once this pilot was underway in hum I wanted to get to the underbelly because I knew for a fact there were issues with the code and so I was there for 82 days within the first week I found things that I talked about at Defcon that are unbelievable um that yeah have been abused for for many many years that I'm not going to put on the record just yet because NDA, but I'll talk to you all individually. And so that's why I became an employee. I became an employee on

April 29th. I was a I was a consultant before that, but I wanted to get in and get code access. And big problem with that company, they uh they have 400,000 employees. They've had 22,000 people touch the codebase. There's back doors, front doors, this that and the other. And I did all this until the la my last day was on July 19th when the CrowdStrike incident killed all the Windows machines. Um I went nuts that night because a lot of the key card systems were just completely down, you know, because lack of access control. And then they wanted to wanted me to work on endpoints because I'm the only person that knew what was going on apparently.

I said peace. So I went back to consulting, but I had what I needed. Um yeah. So Earl Earl Jones, let's talk more about him. Not James Earl Jones. RIP. So Earl like he had been homeless for 17 years. I guess it would have been 18 this year. And he had been in and out of government housing eight times. He actually chose to be on the streets. But the situation that kind of the sort of three for that happened like his mom passed away. That's actually the number one cause of homelessness is um death of you know family passing away. And like the next day his wife left him for his best friend. He works construction in DC

and he got a job related injury, wasn't able to get workers comp. And so he basically, yeah, got kicked out of his home. This was back in 2007. So I met him and I was like, uh, yeah. And he just was like, "What stood out about me?" I'm like, "I don't know. You seem like an interesting character." Turns out Earl's actually a genius. Um, and so I started talking to him and uh, you know, we just we just hung out. We just had like a we had like a bond and a friendship and I ended up getting him into the presidential suite which is 1806 because once I had established 404 I do that as a joke you know 404 not

found because I'm not an actual like official hotel guest. I was in 404 and I quickly got him in 1806 because 1806 at the Richmond Marriott it's booked 23 days out of the year. The average price per night is $1,200. But what I did, of course, was once I was in my room, I just pretended I just kept booking it. I booked it with a Marriott card and I kept I kept rebooking 1806, but I wasn't actually getting charged for it, but it kept it literally said I was a guest there. And if you do this, like I said, for 33 days, um, that's a maximum reservation. It'll eventually fall out of the database, so that the the front

desk can't even book it. So, as far as I know, this room's either booked or it's blocked off. It's not available, and they have no clue that anyone's in there. They're not even checking it. Earl was in there the whole time. Granted, he's a homeless dude, so he like didn't know how to not be homeless. So, he rarely was in that hotel. He would go and eat sometimes. He would we'd do interviews in the room cuz, you know, I was getting him job interviews. Um I'd be off to the side like if you can imagine here like um you know, we have different angles doing like Earl sitting on the chair. I'm feeding him answers to questions because he's a

genius but he doesn't have any experience in tech. But basically within uh within um uh yeah so again job interviews he ends up getting a job at Apple on May May 27th uh or sorry May 15th which is amazing less than two months that faked his data I mean use a dead person's um ID faked his employment data actually they never even asked for that. That's a crazy thing. Um and I hey moral qualms aside this person was dead and his SSN was still working. Uh, so yeah, and Earl had like I didn't know what it meant for people to have like no credit. Like the government doesn't believe in you. If you're homeless, you don't even have an

ID. So for the short term, you know, we used it to do I-9 verification. No problem. He got a job. But then he actually was able to establish his own. He got his passport and or got his uh state ID and all of that stuff. But then uh he ends up getting promoted because like I said, he's a ninja. He's a senior support engineer. He's make he's I think he's now making 75k a year for someone to be on the streets for 17 years for the to cost the government however much it costs. Um it's incredible. Uh then as he's following me around and I'm getting to know him more. I'm like what do you

want man? He's like I'd really like to like own a home. I'd like to be able to you know to have people over and stuff. And so we start looking. I co-sign for him on a home. He's approved for a mortgage. He moves out of the Richmond Marriott and there's a video of me going down memory lane because it's still emotional to this day and I'll go back and visit 1806 uh on December 30th and he moves into his new home. I can't see on the slide but uh January January 5th so 219 days he was in the hotel. Um so it's crazy amazing story I mean with him. Uh but just to kind of poke more

around like Marriott Bonvoy and like what happened during that time because here's the most incredible part of it all. Earl stayed in that hotel for free and when he left he actually walked away with $876.52 based off the valued points that were then converted from Bonvoy. So he made $3 a day by staying in that fancy hotel eating it. Like if that doesn't completely change your whole perspective of housing and everything wrong, like I don't know what does. Like if people people with money could solve this problem. It's not about the money, it's the message, as the Joker would say. Um and so there's a lot of ways without having like insider access to abuse these systems, right?

That's to get um to exploit Bonvoy. For example, um you can uh book uh so if you're an elite member uh with a platinum, titanium, or whatever, you get a $1,000 bonus. So, if you book individually per day, you'll get $1,000 per day, which is a good a good thing. There's also, like I alluded to, a lot of hotels that will try, you know, that will issue you a room, sometimes a mobile key, and give you credit for the night that you did not stay. All you have to do is use a virtual card with privacy.com. Probably one out of 10 hotels have that feature. There's also another um bug where you can book um you can book under

the employee code which is MMP and let's say here uh wait what was I going to say? Um yeah so you book it under the Explore rate but the regular rate is like 555. So, if you go and there's a there's a difference in points, for example, like the regular rate's 500, you know, there's 166, they'll uh they'll give you that many points for the regular rate because you come in and negotiate last minute. It's kind of silly. So, you book at the regular rate, you show up and you say, "Oh, it's actually the Explore rate," or vice versa. They'll give you the multiplier for the regular rate, which is crazy. There's also a lot of point

arbitration that can happen. So you can convert like Marriott points United to Hertz and back and you'll get 2x multiplier. Why? Nobody knows. So you can literally just shuffle points around. There's like a whole business of point arbitration that goes on. Um and all kinds of stuff. There's a lot more uh ways to just abuse it. Oh, is that um yeah 4049. Somebody slides are out of order. Here's an example. So you book like uh the Explore rate. These words where it's when you're employed. It's generally it depends on the availability, but they'll give you it's not like 70% off. So, you know, there's it's a really huge benefit working for Marriott or having a friend or family

that can get you in on that deal because look at the difference in prices when I was in Prague. You know, 166 versus 5.84. Um, but like I said, you can book under the expensive rate and then show up and say it's actually Explore and they won't reconcile in the database. They'll just give you the points for the original rate. Why? Because hotels are stupid as [ __ ] Um, and here's the funny thing, too. As a result of my work, there's no longer a separate tier for Ambassador points. They've converged into Titanium. There used to be 100% points. Um, it's 75% because literally what happened was Marriott Finance ran the numbers and what they determined

that if Ambassador was Titanium, they would have broke even from Earl. So, he wouldn't have made money. For them that's acceptable to to have not lost or not gained money from a homeless person being there because they felt pretty embarrassed. So if you look at um yeah if you look at Titanium versus Ambassador it's um it's 75% uh is what you get. The only difference between Titanium and Ambassador now is you'll get um you'll get uh what the hell is it? You'll get Hertz um not President's Circle but Gold and you'll get um something that's very basic whatever it's it's the same program but normally but for Ambassador you only need 75 nights to get there and or sit Titanium

75 nights ambassador still 100 it's not really worth it anymore because I broke in half um and then yeah here's kind of how the points arbitration works like you can just convert points to airlines to whatever it's just literally like commodity trading you know you can make tons tons of money like just moving numbers around. So that's that's a fun way for people that really want to dig into that. Plus like for me as an insider, I came across a lot of accounts, service accounts with millions of points. You can transfer points to other members all gone. That's one way. Um yeah, shoot. And I that sort of captures it all, but it's just the beginning,

right? Because giving this talk here, giving it to Milwaukee, the po this started as a proof of concept with no wild end in sight and now Marriott has said that they are committing to sponsoring this program by the end of Q3 2026. I'll believe it when I see it. But the point is like Captain America says like I'm not asking for permission and I'm past forgiveness, right? You got to do the thing sometimes to shake the foundation of society and push it forward. And um yeah, it's a wild ride, but thank you. Yeah, thank you. And like I said, there's a ton of content on the playlist and wanted to open up for questions. >> Yeah, I think uh too some of the biggest

things to take away from this too, we talked about uh prestige going up, security going down. I think that was something that we found consistently throughout this whole thing. And um you know, I think there's a line that people don't want to walk with with uh how do you not annoy the guests when it comes to security? How do you not annoy the staff so much when it comes to security? But a lot of these things are something that needs to be addressed. And even things that you would think that would probably be resolved pretty quickly, like, you know, why wouldn't somebody get an alarm when, you know, a door to a a hotel room is left open for some time,

you know, things like that that could probably be addressed, you know, pretty easily. Um, and a lot of this stuff, you know, or even going up to a maid and saying, you know, I haven't checked out yet or no, I'm staying another night and how long that'll actually get you, you know, in this whole thing, which is really interesting to see throughout this whole journey. And, uh, yeah, when it comes to Earl too, um, the whole story with him was just absolutely when it came down to it with, you know, his issue with homelessness when there was just like a simple foundation laid out that [ __ ] >> things where all of a sudden, you know,

I have a place to take a shower, I have a cell phone where I can take a job interview, I have internet at my house, you know, I think it was just really cool to see that transformation. So, this whole story of starting out at something that was a little bit chaotic in the beginning to really transforming someone's life and hopefully tackling a different issue of homelessness, I think this story just had like a profound impact on both of us and hopefully millions of other people. So, Also, one little note about Earl, he is now traveling around with keratas, helping homeless people, which is actually pretty amazing. I think he's also a critter, so he's he's really hard to

nail down. I think he's in Chicago. I don't know. He actually last uh summer I started this uh job and he actually found me in Chicago, which is the craziest thing. But he's also kind of a ghost. Um he said something to me a while ago. He's like, you know, you're the first person to ever see me as a person like on the streets. I don't want to be seen now just cuz I have a home. So he's a very private person, you know, which seems kind of ironic being out in public, but like no, it makes total sense. So >> crazy. But yeah, there's a playlist. So yeah, a couple other shout outs as well. My my Titanium

Turbo Princesses. I'm crazy. But there's a couple other devices here, too. The Flipper Zero actually is great. Um that kind of captures all the high and low frequency stuff. Um, and yeah, wild ride. >> Mhm. >> Questions, concerns, comments? back >> or I'm going to