The document discusses how humans are wired to make irrational decisions when faced with risks and uncertainty. It provides examples from different domains like combat sports, gambling, trading, and information security to illustrate common mistakes people make due to biases. These include covering up when punched instead of enticing an attack, betting with house money when winning, and making overconfident security decisions. The document argues we need to think more objectively and empirically about risks instead of emotionally to make better choices across domains.

1. getting punched in the face
nick@sensepost.com

2. whatʼs all this...?
-Tyson - Everybody has a plan until they get punched in the face
-Humans aren’t wired to deal with risks and uncertainty well...
-Newtonian...our brains evolved (well, some of us) from peanuts aimed at
keeping us alive...
-We see evidence of the same mistakes in some very disparate unrelated
fields
-We’re doomed to forever repeat the cycle unless we recognize this

3. #whoami
-Don’t believe me?
-Competitive boxer / MMA
-World class competitive painball
-Hax0r for 14 years...7 professionally
-Poor trader...
-Gambling step-dad...every weekend

4. combat sports

5. boxing
-People fear getting hit
-Natural inclination is to cover up / turn away - gets you hurt even more!
-The better you get, the more you have to entice the bastard to hit you, so
you can hit him!
-Over-defensive and over-aggressive are not good...

6. brazilian jiu-jitsu
-When you think you’re screwing them...
-Again, natural inclination is to lock up, use strength, stay still in a “safe
position”
-Fluidity, speed, mercurial moves are the key...get into bad positions
purposely to force errors
-Think 3 moves ahead...umoplata -> triangle -> armbar == pwned

7. remember kids...
For Ian...

8. paintball
-Once again, getting shot hurts, so put your head down! Natural, but totally
wrong...
-Shooting left handed throws everyone...
-Snap shots! Can’t adjust fast enough..
-The big moves bust the game wide open...and instill permanent fear (6
balls in the face)
-Why not sacrifice a runner?

9. gambling

10. winners!
-Winning too much too early can be a bad thing...
-Get onto a hot streak...

11. -Mistake 1 - Betting “the house’s” money..
-Mistake 2 - “I’ve called it twice...I’m all in this time...”
-Mistake 3 - Poor money management...forgetting the house has the edge

12. losers...
-Losing is equally bad...
-We sulk, we drink, we pout, we lose more...

13. -Mistake 1 - Paralyzed by fear...irrational...
-Mistake 2 - Want to break even...or even worse, get back at the
casino...lose more...
-Mistake 3 - Money management (again)

14. misconceptions
-We make stupid conclusions:
-Coin toss...50/50...even if it’s come up 70 heads in row...the next toss can be
heads or tails
-”This machine paid out, it’s hot!” ... right...
-Roulette, anyone? Or the lottery...you picked 36 and 35 came up..
-Card games, however, are not independent events...
-Need to understand Expected Value...
what the player can expect to win or lose if they were to play many times with the same bet
-The house has positive EV in many games...

15. trading / investing

16. system du jour
-Tons of holy grails...
-Lots of gurus
-Fundamental, technical, fibonacci, elliot wave, bollinger bands...
-Lunar Cycles...

17. srsly?!
Wait? Lunar Cycles???
Seriously?!

18. fundamentals...
-Yeah, read the fundamentals in that one, mofos...
-Analyst Recommendations - MUST BUY
-The devils in the detail...(or in the footnotes to financial statements...) but
you gotta look!
-Value investors bought all the way down...hey, it was getting cheaper!
-If you’d followed price....

19. but why?
- A bird in hand beats two in the bush?
- Totally natural to lock in profits and hold onto losses hoping they’ll
turn...but totally wrong
- We’re driven by fear and greed...look anywhere and it’s clear...we live by
emotions
- Kahneman and Tversky - Prospect Theory
How people make choices between alternatives that involve risk (usually
financial)
Given alternatives :sure win of 500 vs possible win of 1000 :sure loss at
same

20. weʼre so smart...
-We explain everything after the fact
-We look for logical explanations, reasons and patterns (coin toss) where
there really are none
-We make a call and stick to it adamantly, tying our ego to it...then we fear
being wrong, which makes us hold on even when we know we’re wrong...
-Confirmation bias...
-Black Swan
-It takes major testicular fortitude to kill your idea (and your ego) and
switch based on what’s actually happening...but that’s the hallmark of the
legends...

21. infosec

22. we suck
-We suck at infosec
-Ownage fast and furious
-10 years of webapps and we’re worse then ever
-AV? Psssht
-Phishing...

23. overconfidence kills
-But there is a clear issue, we know this...clearly it’s endemic however...
-Even the professionals overestimate their skills / underestimate the risks
-The password choosing scheme of a 6-year old...when you’re a
target...really?

24. no, not just dan...
-Ok, so using your www as *anything* but a www is an abysmal idea...
-But come on...customer details...keys...creds...source to your products?!
Come on!
-WTF happened to security 101...
-Would you trust a lawyer with a criminal record?

25. play it again sam!
-We make silly decisions...
-We don’t base our decisions on accurate / relevant data...or we read what
we want into it
-Recent events - availability theory
-We underestimate risks / overestimate our skills
-SQLi 10 years ago...who’da thunk it...?

26. and so?

27. where to from here?
-We need to think, think objectively, and look at things empirically, not emotionally
-We need to constantly re-check what’s *actually* going on, and adjust without emotion
-A dose of realism
-We need to get out of our comfort zone and think about things carefully...eg Threat Model
-We take tons of risks and make tons of decisions every day, almost unconsciously...make
more
-Zero-sum - I’m more than happy to keep owning you...
-Common thread...clearly the problem isn’t in each domain...it’s an issue with *us*
-Think differently...

28. thank you!
questions?