getting punched in the face




        nick@sensepost.com
whatʼs all this...?




-Tyson - Everybody has a plan until they get punched in the face
-Humans aren’t wired to deal with risks and uncertainty well...
-Newtonian...our brains evolved (well, some of us) from peanuts aimed at
keeping us alive...
-We see evidence of the same mistakes in some very disparate, unrelated fields
-We’re doomed to forever repeat the cycle unless we recognize this
#whoami




-Don’t believe me?
-Competitive boxer / MMA
-World class competitive paintball
-Hax0r for 14 years...7 professionally
-Poor trader...
-Gambling step-dad...every weekend
combat sports
boxing




-People fear getting hit
-Natural inclination is to cover up / turn away - gets you hurt even more!
-The better you get, the more you have to entice the bastard to hit you, so
you can hit him!
-Over-defensive and over-aggressive are not good...
brazilian jiu-jitsu




-When you think you’re screwing them...
-Again, natural inclination is to lock up, use strength, stay still in a “safe
position”
-Fluidity, speed, mercurial moves are the key...get into bad positions
purposely to force errors
-Think 3 moves ahead...omoplata -> triangle -> armbar == pwned
remember kids...




For Ian...
paintball




-Once again, getting shot hurts, so put your head down! Natural, but totally
wrong...
-Shooting left handed throws everyone...
-Snap shots! Can’t adjust fast enough..
-The big moves bust the game wide open...and instill permanent fear (6
balls in the face)
-Why not sacrifice a runner?
gambling
winners!




-Winning too much too early can be a bad thing...
-Get onto a hot streak...
-Mistake 1 - Betting “the house’s” money..
-Mistake 2 - “I’ve called it twice...I’m all in this time...”
-Mistake 3 - Poor money management...forgetting the house has the edge
losers...




-Losing is equally bad...
-We sulk, we drink, we pout, we lose more...
-Mistake 1 - Paralyzed by fear...irrational...
-Mistake 2 - Want to break even...or even worse, get back at the
casino...lose more...
-Mistake 3 - Money management (again)
misconceptions




-We make stupid conclusions:
-Coin toss...50/50...even if it’s come up 70 heads in a row...the next toss can be
heads or tails
-”This machine paid out, it’s hot!” ... right...
-Roulette, anyone? Or the lottery...you picked 36 and 35 came up..
-Card games, however, are not independent events...
-Need to understand Expected Value...
   what the player can expect to win or lose if they were to play many times with the same bet

-The house has positive EV in many games...
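Added illustration for the coin-toss and Expected Value notes above; it is not part of the original talk. It carries the EV definition through for the games the slides mention (a straight-up roulette bet, a fair coin) and checks the "70 heads in a row" claim by simulation. The game rules assumed are the standard ones (European wheel: 37 pockets, straight-up bet pays 35:1; American wheel: 38 pockets); the function names, seeds and sample sizes are arbitrary choices made for this example.

```python
# Added illustration for the EV slide; not from the original talk.
# Game rules are the standard ones (European wheel: 37 pockets, straight-up bet
# pays 35:1; American wheel: 38 pockets). Seeds and sample sizes are arbitrary.
import random
from fractions import Fraction


def expected_value(outcomes):
    """EV per unit staked: sum of probability * net payout over all outcomes.

    `outcomes` is a list of (probability, net payout to the player) pairs.
    A negative result is the house edge; the probabilities must cover every
    outcome exactly once, so they have to sum to 1.
    """
    outcomes = list(outcomes)
    total = sum(p for p, _ in outcomes)
    if total != 1:
        raise ValueError(f"probabilities sum to {total}, not 1")
    return sum(p * payout for p, payout in outcomes)


def straight_up_roulette(pockets=37, odds_paid=35):
    """Bet on one number: win pays odds_paid:1, otherwise the stake is lost.

    35:1 would be a fair price on a 36-pocket wheel; the zero (and the
    American double zero) is where the house edge comes from.
    """
    p_win = Fraction(1, pockets)
    return [(p_win, Fraction(odds_paid)), (1 - p_win, Fraction(-1))]


def fair_coin_bet():
    """Even-money bet on a fair coin: the zero-EV benchmark."""
    return [(Fraction(1, 2), Fraction(1)), (Fraction(1, 2), Fraction(-1))]


def simulate_mean_result(outcomes, spins, seed=1):
    """Play the same bet `spins` times; return the average result per spin.

    This is the "play many times with the same bet" in the EV definition:
    the average drifts towards expected_value(outcomes) as spins grows.
    """
    rng = random.Random(seed)
    weights = [float(p) for p, _ in outcomes]
    payouts = [float(x) for _, x in outcomes]
    return sum(rng.choices(payouts, weights=weights, k=spins)) / spins


def heads_after_streak(tosses, streak, seed=7):
    """Fair-coin simulation of the gambler's fallacy.

    Among tosses preceded by at least `streak` heads in a row, return the
    fraction that came up heads. Independence says about 0.5 whatever the
    streak; the 70-heads example in the talk changes nothing.
    """
    rng = random.Random(seed)
    run = heads = counted = 0
    for _ in range(tosses):
        bit = rng.getrandbits(1)
        if run >= streak:          # this toss follows a qualifying streak
            counted += 1
            heads += bit
        run = run + 1 if bit else 0
    if counted == 0:
        raise ValueError("no streak that long occurred; use more tosses")
    return heads / counted


if __name__ == "__main__":
    for name, game in (("European straight-up", straight_up_roulette()),
                       ("American straight-up", straight_up_roulette(pockets=38)),
                       ("fair coin", fair_coin_bet())):
        ev = expected_value(game)
        print(f"{name}: EV {ev} per unit ({float(ev):+.2%}), "
              f"200k-spin average {simulate_mean_result(game, 200_000):+.4f}")
    print("P(heads | 5 heads in a row) ~", round(heads_after_streak(1_000_000, 5), 3))
```

The exact fractions make the edge visible without rounding: -1/37 (about -2.7%) on a European wheel, -1/19 (about -5.3%) on an American one, zero on the fair coin. The simulation is what the "hot machine" and "I've called it twice" mistakes ignore: the per-spin average converges on the EV, and the toss after a streak of heads is still a coin toss.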
trading / investing
system du jour




-Tons of holy grails...
-Lots of gurus
-Fundamental, technical, Fibonacci, Elliott Wave, Bollinger Bands...
-Lunar Cycles...
srsly?!




Wait? Lunar Cycles???
Seriously?!
fundamentals...




-Yeah, read the fundamentals in that one, mofos...
-Analyst Recommendations - MUST BUY
-The devil’s in the detail...(or in the footnotes to financial statements...) but
you gotta look!
-Value investors bought all the way down...hey, it was getting cheaper!
-If you’d followed price....
but why?




- A bird in hand beats two in the bush?
- Totally natural to lock in profits and hold onto losses hoping they’ll
turn...but totally wrong
- We’re driven by fear and greed...look anywhere and it’s clear...we live by
emotions
- Kahneman and Tversky - Prospect Theory

   How people make choices between alternatives that involve risk (usually financial)

   Given alternatives: sure win of 500 vs possible win of 1000; sure loss at same
weʼre so smart...




-We explain everything after the fact
-We look for logical explanations, reasons and patterns (coin toss) where
there really are none
-We make a call and stick to it adamantly, tying our ego to it...then we fear
being wrong, which makes us hold on even when we know we’re wrong...
-Confirmation bias...
-Black Swan
-It takes major testicular fortitude to kill your idea (and your ego) and
switch based on what’s actually happening...but that’s the hallmark of the
legends...
infosec
we suck




-We suck at infosec
-Ownage fast and furious
-10 years of webapps and we’re worse than ever
-AV? Psssht
-Phishing...
overconfidence kills




-But there is a clear issue, and we know it...yet it’s clearly endemic...
-Even the professionals overestimate their skills / underestimate the risks
-The password choosing scheme of a 6-year old...when you’re a
target...really?
no, not just dan...




-Ok, so using your www as *anything* but a www is an abysmal idea...
-But come on...customer details...keys...creds...source to your products?!
Come on!
-WTF happened to security 101...
-Would you trust a lawyer with a criminal record?
play it again sam!




-We make silly decisions...
-We don’t base our decisions on accurate / relevant data...or we read what
we want into it
-Recent events - availability heuristic
-We underestimate risks / overestimate our skills
-SQLi 10 years ago...who’da thunk it...?
and so?
where to from here?




-We need to think, think objectively, and look at things empirically, not emotionally
-We need to constantly re-check what’s *actually* going on, and adjust without emotion
-A dose of realism
-We need to get out of our comfort zone and think about things carefully...eg Threat Model
-We take tons of risks and make tons of decisions every day, almost unconsciously...make
more
-Zero-sum - I’m more than happy to keep owning you...
-Common thread...clearly the problem isn’t in each domain...it’s an issue with *us*
-Think differently...
thank you!




questions?
