Getting punched in the face


Nick Arvanitis
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/


Transcript

  • 1. getting punched in the face nick@sensepost.com
  • 2. what's all this...?
    - Tyson - Everybody has a plan until they get punched in the face
    - Humans aren't wired to deal with risks and uncertainty well...
    - Newtonian...our brains evolved (well, some of us) from peanuts aimed at keeping us alive...
    - We see evidence of the same mistakes in some very disparate, unrelated fields
    - We're doomed to forever repeat the cycle unless we recognize this
  • 3. #whoami
    - Don't believe me?
    - Competitive boxer / MMA
    - World class competitive paintball
    - Hax0r for 14 years...7 professionally
    - Poor trader...
    - Gambling step-dad...every weekend
  • 4. combat sports
  • 5. boxing
    - People fear getting hit
    - Natural inclination is to cover up / turn away - gets you hurt even more!
    - The better you get, the more you have to entice the bastard to hit you, so you can hit him!
    - Over-defensive and over-aggressive are not good...
  • 6. brazilian jiu-jitsu
    - When you think you're screwing them...
    - Again, natural inclination is to lock up, use strength, stay still in a "safe position"
    - Fluidity, speed, mercurial moves are the key...get into bad positions purposely to force errors
    - Think 3 moves ahead...omoplata -> triangle -> armbar == pwned
  • 7. remember kids... For Ian...
  • 8. paintball
    - Once again, getting shot hurts, so put your head down! Natural, but totally wrong...
    - Shooting left handed throws everyone...
    - Snap shots! Can't adjust fast enough..
    - The big moves bust the game wide open...and instill permanent fear (6 balls in the face)
    - Why not sacrifice a runner?
  • 9. gambling
  • 10. winners!
    - Winning too much too early can be a bad thing...
    - Get onto a hot streak...
  • 11.
    - Mistake 1 - Betting "the house's" money..
    - Mistake 2 - "I've called it twice...I'm all in this time..."
    - Mistake 3 - Poor money management...forgetting the house has the edge
  • 12. losers...
    - Losing is equally bad...
    - We sulk, we drink, we pout, we lose more...
  • 13.
    - Mistake 1 - Paralyzed by fear...irrational...
    - Mistake 2 - Want to break even...or even worse, get back at the casino...lose more...
    - Mistake 3 - Money management (again)
  • 14. misconceptions
    - We make stupid conclusions:
    - Coin toss...50/50...even if it's come up 70 heads in a row...the next toss can be heads or tails
    - "This machine paid out, it's hot!" ... right...
    - Roulette, anyone? Or the lottery...you picked 36 and 35 came up..
    - Card games, however, are not independent events...
    - Need to understand Expected Value... what the player can expect to win or lose if they were to play many times with the same bet
    - The house has positive EV in many games...
  • 15. trading / investing
  • 16. system du jour
    - Tons of holy grails...
    - Lots of gurus
    - Fundamental, technical, Fibonacci, Elliott wave, Bollinger bands...
    - Lunar Cycles...
  • 17. srsly?! Wait? Lunar Cycles??? Seriously?!
  • 18. fundamentals...
    - Yeah, read the fundamentals in that one, mofos...
    - Analyst Recommendations - MUST BUY
    - The devil's in the detail...(or in the footnotes to financial statements...) but you gotta look!
    - Value investors bought all the way down...hey, it was getting cheaper!
    - If you'd followed price....
  • 19. but why?
    - A bird in hand beats two in the bush?
    - Totally natural to lock in profits and hold onto losses hoping they'll turn...but totally wrong
    - We're driven by fear and greed...look anywhere and it's clear...we live by emotions
    - Kahneman and Tversky - Prospect Theory: how people make choices between alternatives that involve risk (usually financial)
      - Given alternatives: sure win of 500 vs possible win of 1000; sure loss at same
  • 20. we're so smart...
    - We explain everything after the fact
    - We look for logical explanations, reasons and patterns (coin toss) where there really are none
    - We make a call and stick to it adamantly, tying our ego to it...then we fear being wrong, which makes us hold on even when we know we're wrong...
    - Confirmation bias...
    - Black Swan
    - It takes major testicular fortitude to kill your idea (and your ego) and switch based on what's actually happening...but that's the hallmark of the legends...
  • 21. infosec
  • 22. we suck
    - We suck at infosec
    - Ownage fast and furious
    - 10 years of webapps and we're worse than ever
    - AV? Psssht
    - Phishing...
  • 23. overconfidence kills
    - But there is a clear issue, we know this...clearly it's endemic however...
    - Even the professionals overestimate their skills / underestimate the risks
    - The password choosing scheme of a 6-year old...when you're a target...really?
  • 24. no, not just dan...
    - Ok, so using your www as *anything* but a www is an abysmal idea...
    - But come on...customer details...keys...creds...source to your products?! Come on!
    - WTF happened to security 101...
    - Would you trust a lawyer with a criminal record?
  • 25. play it again sam!
    - We make silly decisions...
    - We don't base our decisions on accurate / relevant data...or we read what we want into it
    - Recent events - availability theory
    - We underestimate risks / overestimate our skills
    - SQLi 10 years ago...who'da thunk it...?
  • 26. and so?
  • 27. where to from here?
    - We need to think, think objectively, and look at things empirically, not emotionally
    - We need to constantly re-check what's *actually* going on, and adjust without emotion
    - A dose of realism
    - We need to get out of our comfort zone and think about things carefully...eg Threat Model
    - We take tons of risks and make tons of decisions every day, almost unconsciously...make more
    - Zero-sum - I'm more than happy to keep owning you...
    - Common thread...clearly the problem isn't in each domain...it's an issue with *us*
    - Think differently...
  • 28. thank you! questions?
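Slide 14 leans on three claims that are easy to state and easy to get wrong in your head: the next coin toss is 50/50 no matter how long the streak, a card draw is *not* independent of what has already been dealt, and Expected Value is what a fixed bet pays on average over many plays (negative for the player at roulette). The following is an added worked example, not part of the ZaCon slides or any SensePost code; it computes each of these exactly with `Fraction` rather than simulating them, so the numbers are not estimates. The single-zero wheel, the 52-card deck and the helper names are my own construction.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def expected_value(outcomes):
    """Expected value of one bet.

    outcomes: iterable of (probability, net payoff) pairs covering every
    possible result of the bet, so the probabilities must sum to 1.
    Returns an exact Fraction: the average win (+) or loss (-) per play
    if the same bet is made many times.
    """
    outcomes = [(Fraction(p), Fraction(v)) for p, v in outcomes]
    if sum(p for p, _ in outcomes) != 1:
        raise ValueError("outcome probabilities must sum to 1")
    return sum(p * v for p, v in outcomes)


def roulette_even_money_ev(pockets=37):
    """EV of a 1-unit red/black bet on a constructed single-zero wheel:
    18 red, 18 black, 1 zero. The zero pocket is the whole house edge."""
    p_win = Fraction(18, pockets)
    return expected_value([(p_win, +1), (1 - p_win, -1)])


def next_toss_heads_given_streak(streak_length):
    """P(next toss is heads | previous `streak_length` tosses were all heads)
    for a fair coin, by exact enumeration of every equally likely sequence of
    streak_length + 1 tosses. Conditioning on the streak changes nothing."""
    n = streak_length
    sequences = product((0, 1), repeat=n + 1)          # 1 = heads, 0 = tails
    with_streak = [s for s in sequences if all(s[:n])]  # first n tosses all heads
    streak_then_heads = [s for s in with_streak if s[n] == 1]
    return Fraction(len(streak_then_heads), len(with_streak))


RANKS = ("A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K")
# Constructed 52-card deck, suits ignored: four cards of each rank.
STANDARD_DECK = Counter({rank: 4 for rank in RANKS})


def draw_probability(deck, target_rank, already_drawn=()):
    """P(next card has `target_rank`) when drawing WITHOUT replacement from
    `deck`, given that the ranks in `already_drawn` have already left it.
    Unlike the coin, history matters: every card removed changes the odds."""
    remaining = Counter(deck)
    for rank in already_drawn:
        if remaining[rank] <= 0:
            raise ValueError(f"no {rank} left in the deck to draw")
        remaining[rank] -= 1
    return Fraction(remaining[target_rank], sum(remaining.values()))


if __name__ == "__main__":
    ev = roulette_even_money_ev()
    print(f"roulette even-money bet: EV {ev} per unit ({float(ev):.3%}); "
          f"over 1000 identical bets expect about {float(ev) * 1000:+.1f} units")
    print(f"P(heads | 10 heads in a row) = {next_toss_heads_given_streak(10)}")
    print(f"P(ace) from a fresh deck     = {draw_probability(STANDARD_DECK, 'A')}")
    print(f"P(ace) after one ace dealt   = {draw_probability(STANDARD_DECK, 'A', ('A',))}")
    print(f"P(ace) after two kings dealt = {draw_probability(STANDARD_DECK, 'A', ('K', 'K'))}")
```

The enumeration in `next_toss_heads_given_streak` is deliberately brute force (2^(n+1) sequences, so keep `streak_length` small); the point is that the conditional probability comes out as exactly 1/2 for any streak, which is the slide's coin-toss claim made concrete, while the same question asked of the deck gives 1/13 before an ace is dealt and 1/17 after. `expected_value` refuses an incomplete outcome list, which is the usual way EV estimates go wrong in practice: the "it's hot" reasoning on the slide is an EV computed over only the outcomes you remember.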
