Security Heretic: We're Doing It Wrong
James Arlen aka Myrcurial
DEFCON 17

I’m tired of looking silly.

2008-10-08          Security Heretic: We're Doing It Wrong   2

Really tired.

Security “Industry” =

We can change that. We can fix that.

But it’s going to really irritate people.

In a good way.

The Past

"Those that fail to learn from history, are doomed to repeat it."
  - Winston Churchill

»  Guilds
»  Seals
»  Obfuscation
»  Physical security

Computer Security

»  Theories
»  1970s
»  Multics
»  US Military
»  Cambridge University
»  Research Microkernels

The Religion

Religion

Re*li"gion (r[-e]*l[i^]j"[u^]n), n. [F., from L. religio; cf. religens pious, revering the gods, Gr. 'ale`gein to heed, have a care. Cf. Neglect.]

4. Strictness of fidelity in conforming to any practice, as if it were an enjoined rule of conduct. [R.]

Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

Best Practices

Common Practices

Habitual Responses

Insanity: doing the same thing over and over again and expecting different results.
  - Albert Einstein

Proselytize

Pros"e*ly*tize, v. t. [imp. & p. p. proselytized; p. pr. & vb. n. Proselytizing.]

To convert to some religion, system, opinion, or the like; to bring, or cause to come, over; to proselyte.

Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

How many CPE hours will you gain for questioning your religion?

Actually, I’m claiming this presentation as CPE hours.

You should too.

Sshhhhh… Maybe they won’t notice the topic.

The Vendors

Professional Services

Hardware and Software

Pundits and the Media

The Dogma

Dogma

Dog"ma, n.; pl. E. Dogmas, L. Dogmata. [L. dogma, Gr. ?, pl. ?, fr. ? to think, seem, appear; akin to L. decet it is becoming. Cf. Decent.]

3. A doctrinal notion asserted without regard to evidence or truth; an arbitrary dictum.

Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

The iPod Data Thief

The Complex Password

“Blood on the Walls” Metrics

The answer is “No”

No Personal Use

I’m only responsible for logical security

The Renaissance

Individual Contributions

Research and Development

Synthesis

Syn"the*sis, n.; pl. Syntheses. [L., a mixture, properly, a putting together, Gr. ?, fr. ? to place or put together; sy`n with + ? to place. See Thesis.]

3. (Logic) The combination of separate elements of thought into a whole, as of simple into complex conceptions, species into genera, individual propositions into systems; -- the opposite of analysis.

Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.

Enlightenment

The Ninety-Five Theses

The Twelve Step Program

Reduced to 9 steps for irony.

1. Admitting the problem.
2. Admitting our complicity.
3. Reasserting ethics.
4. Regaining our self-respect.
5. Finding a new path.
6. Eating our own dog-food.
7. Re-discovering passion.
8. Communicating for success.
9. Owning the suck.

NOT: Pwning teh 5uC|<0rz.

That’s a different talk altogether.

Q&A

followup: myrcurial@100percentgeek.net