Getting punched in the face

Presentation by Nick Arvanitis at ZaCon 1 in 2009.

The presentation is a Zen look at information security.

  1. getting punched in the face
     nick@sensepost.com
  2. what's all this...?
     - Tyson: Everybody has a plan until they get punched in the face
     - Humans aren't wired to deal with risks and uncertainty well...
     - Newtonian...our brains evolved (well, some of us) from peanuts aimed at keeping us alive...
     - We see evidence of the same mistakes in some very disparate, unrelated fields
     - We're doomed to forever repeat the cycle unless we recognize this
  3. #whoami
     - Don't believe me?
     - Competitive boxer / MMA
     - World class competitive paintball
     - Hax0r for 14 years...7 professionally
     - Poor trader...
     - Gambling step-dad...every weekend
  4. combat sports
  5. boxing
     - People fear getting hit
     - Natural inclination is to cover up / turn away - gets you hurt even more!
     - The better you get, the more you have to entice the bastard to hit you, so you can hit him!
     - Over-defensive and over-aggressive are not good...
  6. brazilian jiu-jitsu
     - When you think you're screwing them...
     - Again, natural inclination is to lock up, use strength, stay still in a "safe position"
     - Fluidity, speed, mercurial moves are the key...get into bad positions purposely to force errors
     - Think 3 moves ahead...omoplata -> triangle -> armbar == pwned
  7. remember kids...
     For Ian...
  8. paintball
     - Once again, getting shot hurts, so put your head down! Natural, but totally wrong...
     - Shooting left handed throws everyone...
     - Snap shots! Can't adjust fast enough..
     - The big moves bust the game wide open...and instill permanent fear (6 balls in the face)
     - Why not sacrifice a runner?
  9. gambling
  10. winners!
     - Winning too much too early can be a bad thing...
     - Get onto a hot streak...
  11. (winners, continued)
     - Mistake 1 - Betting "the house's" money..
     - Mistake 2 - "I've called it twice...I'm all in this time..."
     - Mistake 3 - Poor money management...forgetting the house has the edge
  12. losers...
     - Losing is equally bad...
     - We sulk, we drink, we pout, we lose more...
  13. (losers, continued)
     - Mistake 1 - Paralyzed by fear...irrational...
     - Mistake 2 - Want to break even...or even worse, get back at the casino...lose more...
     - Mistake 3 - Money management (again)
  14. misconceptions
     - We make stupid conclusions:
     - Coin toss...50/50...even if it's come up 70 heads in a row...the next toss can be heads or tails
     - "This machine paid out, it's hot!" ... right...
     - Roulette, anyone? Or the lottery...you picked 36 and 35 came up..
     - Card games, however, are not independent events...
     - Need to understand Expected Value... what the player can expect to win or lose if they were to play many times with the same bet
     - The house has positive EV in many games...
  15. trading / investing
  16. system du jour
     - Tons of holy grails...
     - Lots of gurus
     - Fundamental, technical, Fibonacci, Elliott wave, Bollinger bands...
     - Lunar Cycles...
  17. srsly?!
     Wait? Lunar Cycles??? Seriously?!
  18. fundamentals...
     - Yeah, read the fundamentals in that one, mofos...
     - Analyst Recommendations - MUST BUY
     - The devil's in the detail...(or in the footnotes to financial statements...) but you gotta look!
     - Value investors bought all the way down...hey, it was getting cheaper!
     - If you'd followed price....
  19. but why?
     - A bird in hand beats two in the bush?
     - Totally natural to lock in profits and hold onto losses hoping they'll turn...but totally wrong
     - We're driven by fear and greed...look anywhere and it's clear...we live by emotions
     - Kahneman and Tversky - Prospect Theory: how people make choices between alternatives that involve risk (usually financial). Given alternatives: sure win of 500 vs possible win of 1000; sure loss at same
  20. we're so smart...
     - We explain everything after the fact
     - We look for logical explanations, reasons and patterns (coin toss) where there really are none
     - We make a call and stick to it adamantly, tying our ego to it...then we fear being wrong, which makes us hold on even when we know we're wrong...
     - Confirmation bias...
     - Black Swan
     - It takes major testicular fortitude to kill your idea (and your ego) and switch based on what's actually happening...but that's the hallmark of the legends...
  21. infosec
  22. we suck
     - We suck at infosec
     - Ownage fast and furious
     - 10 years of webapps and we're worse than ever
     - AV? Psssht
     - Phishing...
  23. overconfidence kills
     - But there is a clear issue, we know this...clearly it's endemic however...
     - Even the professionals overestimate their skills / underestimate the risks
     - The password choosing scheme of a 6-year old...when you're a target...really?
  24. no, not just dan...
     - Ok, so using your www as *anything* but a www is an abysmal idea...
     - But come on...customer details...keys...creds...source to your products?! Come on!
     - WTF happened to security 101...
     - Would you trust a lawyer with a criminal record?
  25. play it again sam!
     - We make silly decisions...
     - We don't base our decisions on accurate / relevant data...or we read what we want into it
     - Recent events - availability theory
     - We underestimate risks / overestimate our skills
     - SQLi 10 years ago...who'da thunk it...?
  26. and so?
  27. where to from here?
     - We need to think, think objectively, and look at things empirically, not emotionally
     - We need to constantly re-check what's *actually* going on, and adjust without emotion
     - A dose of realism
     - We need to get out of our comfort zone and think about things carefully...eg Threat Model
     - We take tons of risks and make tons of decisions every day, almost unconsciously...make more
     - Zero-sum - I'm more than happy to keep owning you...
     - Common thread...clearly the problem isn't in each domain...it's an issue with *us*
     - Think differently...
  28. thank you!
     questions?