Security Heretic: We're Doing It Wrong - James Arlen

Information and Computer Security is a multi-million dollar business. I am part of that business. And it's wrong. An industry that was started with the highest of ideals, the most pure of motives has deteriorated into a crass, commercial race-to-the-bottom. Or at least it feels that way most of the time. In this presentation, a security heretic will outline a very personal journey through the meat-grinder of the information security industry and will ask you to join in this interactive discussion and walk through some critical self-analysis, some harsh criticism, some ludicrous stories, and hopefully exact the answers you need as you work through your own crises of faith in your career in Information and Computer Security.
SecTor 2008 - Security Heretic: We're Doing It Wrong

1. Security Heretic: We’re Doing It Wrong
   James Arlen aka Myrcurial
   SecTor 2008
   October 8, 2008

2. Hi.
   2008-10-08 Security Heretic: We're Doing It Wrong 2

3. Great title huh?

4. Disclaimer: I am actively employed in the Infosec industry, but not authorized to speak on behalf of my employer.

5. Disclaimer: I am actively* employed in the Infosec industry, but not authorized to speak on behalf of my employer.
   * (I hope…)

6. Disclaimer (2): I am going to say some startling things. There are no sacred entities when the heretic starts ranting.

7. Disclaimer (3): If you are easily offended, you might want to get yourself a cool compress or some sort of smelling salts, it’s going to be a stressful hour.

8. Heretic
   Her"e*tic, n. [L. haereticus, Gr. ? able to choose, heretical, fr. ? to take, choose: cf. F. h['e]r['e]tique. See Heresy.]
   1. One who holds to a heresy; one who believes some doctrine contrary to the established faith or prevailing religion.
   Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

9. I’m tired of looking silly.

11. Really tired.

12. Security “Industry” =

13. We can change that.

14. We can change that. We can fix that.

15. We can change that. We can fix that. But it’s going to really irritate people.

16. We can change that. We can fix that. But it’s going to really irritate people. In a good way.

17. The Past

18. "Those that fail to learn from history, are doomed to repeat it."
    - Winston Churchill

19. Information Security
    » Confidentiality
    » Integrity
    » Availability

20. Julius Caesar: Mr. Confidentiality

21. Sumer: Integrity

22. Jewish Scribes: Availability

23. » Guilds
    » Seals
    » Obfuscation
    » Physical security

24. Computer Security

25. » Theories
    » 1970s
    » Multics
    » US Military
    » Cambridge University
    » Research Microkernels

26. The Religion

27. Religion
    Re*li"gion (r[-e]*l[i^]j"[u^]n), n. [F., from L. religio; cf. religens pious, revering the gods, Gr. 'ale`gein to heed, have a care. Cf. Neglect.]
    4. Strictness of fidelity in conforming to any practice, as if it were an enjoined rule of conduct. [R.]
    Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

28. Best Practices

29. Common Practices

30. Habitual Responses

31. Insanity: doing the same thing over and over again and expecting different results.
    - Albert Einstein

34. Proselytize
    Pros"e*ly*tize, v. t. [imp. & p. p. proselytized; p. pr. & vb. n. Proselytizing.]
    To convert to some religion, system, opinion, or the like; to bring, or cause to come, over; to proselyte.
    Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

42. How many CPE hours will you gain for questioning your religion?

45. Actually, I’m claiming this presentation as CPE hours. You should too.

46. Sshhhhh… Maybe they won’t notice the topic.

47. The Vendors

48. Professional Services

49. Hardware and Software

50. Pundits and the Media

51. The Dogma

52. Dogma
    Dog"ma, n.; pl. E. Dogmas, L. Dogmata. [L. dogma, Gr. ?, pl. ?, fr. ? to think, seem, appear; akin to L. decet it is becoming. Cf. Decent.]
    3. A doctrinal notion asserted without regard to evidence or truth; an arbitrary dictum.
    Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

53. The iPod Data Thief

54. The Complex Password

55. “Blood on the Walls” Metrics

56. The answer is “No”

57. No Personal Use

58. I’m only responsible for logical security

59. The Renaissance

60. Individual Contributions

61. Research and Development

62. Synthesis
    Syn"the*sis, n.; pl. Syntheses. [L., a mixture, properly, a putting together, Gr. ?, fr. ? to place or put together; sy`n with + ? to place. See Thesis.]
    3. (Logic) The combination of separate elements of thought into a whole, as of simple into complex conceptions, species into genera, individual propositions into systems; -- the opposite of analysis.
    Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

63. Enlightenment

64. The Ninety-Five Theses

65. The Twelve Step Program

66. Reduced to 9 steps for irony.

67. 1. Admitting the problem.

68. 2. Admitting our complicity.

69. 3. Reasserting ethics.

70. 4. Regaining our self-respect.

71. 5. Finding a new path.

72. 6. Eating our own dog-food.

73. 7. Re-discovering passion.

74. 8. Communicating for success.

75. 9. Owning the suck.

76. NOT: Pwning teh 5uC|<0rz.

77. That’s a different talk altogether.

78. Q&A
    followup: myrcurial@100percentgeek.net

79. Credits, Links and Notices.
    Me: http://myrcurial.com and http://www.linkedin.com/in/jamesarlen and sometimes http://liquidmatrix.org/blog
    Thanks: My Family, Friends, and the SecTor Advisory Committee.
    Sources: notations and copies of materials are embedded within “notes” of the PPT file.
    Inspiration: coffee, omelets made by my lovely wife, Strattera, Club Mate, Information Society, NIN, altruism.
    Constructed with: Asus eeePC 701, Firefox, Powerpoint, angst.
    http://creativecommons.org/licenses/by-nc-sa/2.5/ca/