Getting punched in the face
Presentation by Nick Arvanitis at ZaCon 1 in 2009.

The presentation is a Zen look at information security.

Presentation Transcript

  • getting punched in the face nick@sensepost.com
  • what's all this...?
    - Tyson: "Everybody has a plan until they get punched in the face"
    - Humans aren't wired to deal with risks and uncertainty well...
    - Newtonian... our brains evolved (well, some of us) from peanuts aimed at keeping us alive...
    - We see evidence of the same mistakes in some very disparate, unrelated fields
    - We're doomed to forever repeat the cycle unless we recognize this
  • #whoami
    - Don't believe me?
    - Competitive boxer / MMA
    - World class competitive paintball
    - Hax0r for 14 years... 7 professionally
    - Poor trader...
    - Gambling step-dad... every weekend
  • combat sports
  • boxing
    - People fear getting hit
    - Natural inclination is to cover up / turn away - gets you hurt even more!
    - The better you get, the more you have to entice the bastard to hit you, so you can hit him!
    - Over-defensive and over-aggressive are not good...
  • brazilian jiu-jitsu
    - When you think you're screwing them...
    - Again, natural inclination is to lock up, use strength, stay still in a "safe position"
    - Fluidity, speed, mercurial moves are the key... get into bad positions purposely to force errors
    - Think 3 moves ahead... omoplata -> triangle -> armbar == pwned
  • remember kids... For Ian...
  • paintball
    - Once again, getting shot hurts, so put your head down! Natural, but totally wrong...
    - Shooting left handed throws everyone...
    - Snap shots! Can't adjust fast enough...
    - The big moves bust the game wide open... and instill permanent fear (6 balls in the face)
    - Why not sacrifice a runner?
  • gambling
  • winners!
    - Winning too much too early can be a bad thing...
    - Get onto a hot streak...
    - Mistake 1 - Betting "the house's" money...
    - Mistake 2 - "I've called it twice... I'm all in this time..."
    - Mistake 3 - Poor money management... forgetting the house has the edge
  • losers...
    - Losing is equally bad...
    - We sulk, we drink, we pout, we lose more...
    - Mistake 1 - Paralyzed by fear... irrational...
    - Mistake 2 - Want to break even... or even worse, get back at the casino... lose more...
    - Mistake 3 - Money management (again)
  • misconceptions
    - We make stupid conclusions:
    - Coin toss... 50/50... even if it's come up 70 heads in a row... the next toss can be heads or tails
    - "This machine paid out, it's hot!" ... right...
    - Roulette, anyone? Or the lottery... you picked 36 and 35 came up...
    - Card games, however, are not independent events...
    - Need to understand Expected Value... what the player can expect to win or lose if they were to play many times with the same bet
    - The house has positive EV in many games...
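To pin down the slide's definition of Expected Value, here is an added example (not from the talk) that computes the EV of a single-number roulette bet and checks it against a simulation of many independent spins; the 37-pocket wheel and 35-to-1 payout are standard European roulette rules assumed here, not figures from the slides.

```python
"""Expected value (EV) of a fixed bet: added example, not from the talk.

EV is what the player can expect to win or lose per play if the same bet
were placed many times. Worked case: a single-number bet on a European
roulette wheel (37 pockets, pays 35 to 1) -- standard rules, assumed here.
"""
from fractions import Fraction
import random


def expected_value(outcomes):
    """EV = sum(probability * net payoff) over all outcomes.

    outcomes: list of (probability, net payoff for the player)."""
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * payoff for p, payoff in outcomes)


def roulette_single_number_ev(pockets=37, payout=35, stake=1):
    """Single-number bet: win payout*stake with probability 1/pockets,
    otherwise lose the stake. Exact arithmetic via Fraction."""
    p_win = Fraction(1, pockets)
    return expected_value([(p_win, payout * stake), (1 - p_win, -stake)])


def simulate(plays, pockets=37, payout=35, stake=1, seed=0):
    """Average net result per play over many spins.

    Every spin is independent: a streak of losses so far does not change
    the odds of the next spin (the 'hot machine' fallacy on the slide)."""
    rng = random.Random(seed)
    chosen = 17  # constructed choice; every pocket has the same odds
    net = 0
    for _ in range(plays):
        spin = rng.randrange(pockets)
        net += payout * stake if spin == chosen else -stake
    return net / plays


if __name__ == "__main__":
    ev = roulette_single_number_ev()
    # EV is -1/37 per unit staked: the house edge, about 2.7% per play
    print(f"EV per 1-unit bet: {ev} ({float(ev):.4f})")
    print(f"Simulated average over 1,000,000 spins: {simulate(1_000_000):.4f}")
```

The simulated average drifts toward the exact EV as the number of plays grows, which is why "playing many times with the same bet" is the right way to read the number.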
  • trading / investing
  • system du jour
    - Tons of holy grails...
    - Lots of gurus
    - Fundamental, technical, Fibonacci, Elliott wave, Bollinger bands...
    - Lunar cycles...
  • srsly?! Wait? Lunar cycles??? Seriously?!
  • fundamentals...
    - Yeah, read the fundamentals in that one, mofos...
    - Analyst recommendations - MUST BUY
    - The devil's in the detail... (or in the footnotes to financial statements...) but you gotta look!
    - Value investors bought all the way down... hey, it was getting cheaper!
    - If you'd followed price....
  • but why?
    - A bird in hand beats two in the bush?
    - Totally natural to lock in profits and hold onto losses hoping they'll turn... but totally wrong
    - We're driven by fear and greed... look anywhere and it's clear... we live by emotions
    - Kahneman and Tversky - Prospect Theory: how people make choices between alternatives that involve risk (usually financial)
    - Given alternatives: sure win of 500 vs possible win of 1000; sure loss at same
  • we're so smart...
    - We explain everything after the fact
    - We look for logical explanations, reasons and patterns (coin toss) where there really are none
    - We make a call and stick to it adamantly, tying our ego to it... then we fear being wrong, which makes us hold on even when we know we're wrong...
    - Confirmation bias...
    - Black Swan
    - It takes major testicular fortitude to kill your idea (and your ego) and switch based on what's actually happening... but that's the hallmark of the legends...
  • infosec
  • we suck
    - We suck at infosec
    - Ownage fast and furious
    - 10 years of webapps and we're worse than ever
    - AV? Psssht
    - Phishing...
  • overconfidence kills
    - But there is a clear issue, we know this... clearly it's endemic however...
    - Even the professionals overestimate their skills / underestimate the risks
    - The password choosing scheme of a 6-year old... when you're a target... really?
  • no, not just dan...
    - Ok, so using your www as *anything* but a www is an abysmal idea...
    - But come on... customer details... keys... creds... source to your products?! Come on!
    - WTF happened to security 101...
    - Would you trust a lawyer with a criminal record?
  • play it again sam!
    - We make silly decisions...
    - We don't base our decisions on accurate / relevant data... or we read what we want into it
    - Recent events - availability theory
    - We underestimate risks / overestimate our skills
    - SQLi 10 years ago... who'da thunk it...?
  • and so?
  • where to from here?
    - We need to think, think objectively, and look at things empirically, not emotionally
    - We need to constantly re-check what's *actually* going on, and adjust without emotion
    - A dose of realism
    - We need to get out of our comfort zone and think about things carefully... e.g. Threat Model
    - We take tons of risks and make tons of decisions every day, almost unconsciously... make more
    - Zero-sum - I'm more than happy to keep owning you...
    - Common thread... clearly the problem isn't in each domain... it's an issue with *us*
    - Think differently...
  • thank you! questions?