Security Heretic: We're Doing It Wrong - James Arlen Information and Computer Security is a multi-million dollar business. I am part of that business. And it's wrong. An industry that was started with the highest of ideals, the most pure of motives has deteriorated into a crass, commercial race-to-the-bottom. Or at least it feels that way most of the time. In this presentation, a security heretic will outline a very personal journey through the meat-grinder of the information security industry and will ask you to join in this interactive discussion and walk through some critical self-analysis, some harsh criticism, some ludicrous stories, and hopefully exact the answers you need as you work through your own crises of faith in your career in Information and Computer Security.

1. Security Heretic:
We’re Doing It Wrong
James Arlen aka Myrcurial
SecTor 2008
October 8, 2008

2. Hi.
2008-10-08 Security Heretic: We're Doing It Wrong 2

3. Great title huh?
2008-10-08 Security Heretic: We're Doing It Wrong 3

4. Disclaimer:
I am actively employed in the Infosec
industry, but not authorized to speak on
behalf of my employer.
2008-10-08 Security Heretic: We're Doing It Wrong 4

5. Disclaimer:
I am actively* employed in the Infosec
industry, but not authorized to speak on
behalf of my employer.
* (I hope…)
2008-10-08 Security Heretic: We're Doing It Wrong 5

6. Disclaimer (2):
I am going to say some startling things.
There are no sacred entities when the
heretic starts ranting.
2008-10-08 Security Heretic: We're Doing It Wrong 6

7. Disclaimer (3):
If you are easily offended, you might want
to get yourself a cool compress or some
sort of smelling salts, it’s going to be a
stressful hour.
2008-10-08 Security Heretic: We're Doing It Wrong 7

8. Heretic
Her"e*tic, n. [L. haereticus, Gr. ? able to choose, heretical, fr. ? to
take, choose: cf. F. h['e]r['e]tique. See Heresy.]
1. One who holds to a heresy; one who
believes some doctrine contrary to the
established faith or prevailing religion.
Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
2008-10-08 Security Heretic: We're Doing It Wrong 8

9. I’m tired of looking silly.
2008-10-08 Security Heretic: We're Doing It Wrong 9

10. 2008-10-08 Security Heretic: We're Doing It Wrong 10

11. Really tired.
2008-10-08 Security Heretic: We're Doing It Wrong 11

12. Security “Industry” =
2008-10-08 Security Heretic: We're Doing It Wrong 12

13. We can change that.
2008-10-08 Security Heretic: We're Doing It Wrong 13

14. We can change that. We can fix that.
2008-10-08 Security Heretic: We're Doing It Wrong 14

15. We can change that. We can fix that.
But it’s going to really irritate people.
2008-10-08 Security Heretic: We're Doing It Wrong 15

16. We can change that. We can fix that.
But it’s going to really irritate people.
In a good way.
2008-10-08 Security Heretic: We're Doing It Wrong 16

17. The Past
2008-10-08 Security Heretic: We're Doing It Wrong 17

18. "Those that fail to learn
from history, are
doomed to repeat it."
- Winston Churchill
2008-10-08 Security Heretic: We're Doing It Wrong 18

19. Information Security
» Confidentiality
» Integrity
» Availability
2008-10-08 Security Heretic: We're Doing It Wrong 19

20. Julius Caesar: Mr.
Confidentiality
2008-10-08 Security Heretic: We're Doing It Wrong 20

21. Sumer: Integrity
2008-10-08 Security Heretic: We're Doing It Wrong 21

22. Jewish Scribes:
Availability
2008-10-08 Security Heretic: We're Doing It Wrong 22

23. » Guilds
» Seals
» Obfuscation
» Physical security
2008-10-08 Security Heretic: We're Doing It Wrong 23

24. Computer Security
2008-10-08 Security Heretic: We're Doing It Wrong 24

25. » Theories
» 1970s
» Multics
» US Military
» Cambridge University
» Research Microkernels
2008-10-08 Security Heretic: We're Doing It Wrong 25

26. The Religion
2008-10-08 Security Heretic: We're Doing It Wrong 26

27. Religion
Re*li"gion (r[-e]*l[i^]j"[u^]n), n. [F., from L. religio; cf. religens pious,
revering the gods, Gr. 'ale`gein to heed, have a care. Cf. Neglect.]
4. Strictness of fidelity in conforming to
any practice, as if it were an enjoined
rule of conduct. [R.]
Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
2008-10-08 Security Heretic: We're Doing It Wrong 27

28. Best Practices
2008-10-08 Security Heretic: We're Doing It Wrong 28

29. Common Practices
2008-10-08 Security Heretic: We're Doing It Wrong 29

30. Habitual Responses
2008-10-08 Security Heretic: We're Doing It Wrong 30

31. Insanity: doing the
same thing over and
over again and
expecting different
results.
- Albert Einstein
2008-10-08 Security Heretic: We're Doing It Wrong 31

32. 2008-10-08 Security Heretic: We're Doing It Wrong 32

33. 2008-10-08 Security Heretic: We're Doing It Wrong 33

34. Proselytize
Pros"e*ly*tize, v. t. [imp. & p. p. proselytized; p. pr. & vb. n.
Proselytizing.]
To convert to some religion, system,
opinion, or the like; to bring, or cause to
come, over; to proselyte.
Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
2008-10-08 Security Heretic: We're Doing It Wrong 34

35. 2008-10-08 Security Heretic: We're Doing It Wrong 35

36. 2008-10-08 Security Heretic: We're Doing It Wrong 36

37. 2008-10-08 Security Heretic: We're Doing It Wrong 37

38. 2008-10-08 Security Heretic: We're Doing It Wrong 38

39. 2008-10-08 Security Heretic: We're Doing It Wrong 39

40. 2008-10-08 Security Heretic: We're Doing It Wrong 40

41. 2008-10-08 Security Heretic: We're Doing It Wrong 41

42. How many CPE hours will you gain for
questioning your religion?
2008-10-08 Security Heretic: We're Doing It Wrong 42

43. 2008-10-08 Security Heretic: We're Doing It Wrong 43

44. 2008-10-08 Security Heretic: We're Doing It Wrong 44

45. Actually, I’m claiming this presentation as
CPE hours.
You should too.
2008-10-08 Security Heretic: We're Doing It Wrong 45

46. Sshhhhh…
Maybe they won’t notice the topic.
2008-10-08 Security Heretic: We're Doing It Wrong 46

47. The Vendors
2008-10-08 Security Heretic: We're Doing It Wrong 47

48. Professional Services
2008-10-08 Security Heretic: We're Doing It Wrong 48

49. Hardware and Software
2008-10-08 Security Heretic: We're Doing It Wrong 49

50. Pundits and the Media
2008-10-08 Security Heretic: We're Doing It Wrong 50

51. The Dogma
2008-10-08 Security Heretic: We're Doing It Wrong 51

52. Dogma
Dog"ma, n.; pl. E. Dogmas, L. Dogmata. [L. dogma, Gr. ?, pl. ?, fr. ?
to think, seem, appear; akin to L. decet it is becoming. Cf.
Decent.]
3. A doctrinal notion asserted without
regard to evidence or truth; an arbitrary
dictum.
Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
2008-10-08 Security Heretic: We're Doing It Wrong 52

53. The iPod Data Thief
2008-10-08 Security Heretic: We're Doing It Wrong 53

54. The Complex Password
2008-10-08 Security Heretic: We're Doing It Wrong 54

55. “Blood on the Walls”
Metrics
2008-10-08 Security Heretic: We're Doing It Wrong 55

56. The answer is “No”
2008-10-08 Security Heretic: We're Doing It Wrong 56

57. No Personal Use
2008-10-08 Security Heretic: We're Doing It Wrong 57

58. I’m only responsible for
logical security
2008-10-08 Security Heretic: We're Doing It Wrong 58

59. The Renaissance
2008-10-08 Security Heretic: We're Doing It Wrong 59

60. Individual Contributions
2008-10-08 Security Heretic: We're Doing It Wrong 60

61. Research and Development
2008-10-08 Security Heretic: We're Doing It Wrong 61

62. Synthesis
Syn"the*sis, n.; pl. Syntheses. [L., a mixture, properly, a putting
together, Gr. ?, fr. ? to place or put together; sy`n with + ? to
place. See Thesis.]
3. (Logic) The combination of separate elements
of thought into a whole, as of simple into
complex conceptions, species into genera,
individual propositions into systems; -- the
opposite of analysis.
Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
2008-10-08 Security Heretic: We're Doing It Wrong 62

63. Enlightenment
2008-10-08 Security Heretic: We're Doing It Wrong 63

64. The Ninety-Five Theses
2008-10-08 Security Heretic: We're Doing It Wrong 64

65. The Twelve Step
Program
2008-10-08 Security Heretic: We're Doing It Wrong 65

66. Reduced to 9 steps for irony.
2008-10-08 Security Heretic: We're Doing It Wrong 66

67. 1. Admitting the problem.
2008-10-08 Security Heretic: We're Doing It Wrong 67

68. 2. Admitting our complicity.
2008-10-08 Security Heretic: We're Doing It Wrong 68

69. 3. Reasserting ethics.
2008-10-08 Security Heretic: We're Doing It Wrong 69

70. 4. Regaining our self-respect.
2008-10-08 Security Heretic: We're Doing It Wrong 70

71. 5. Finding a new path.
2008-10-08 Security Heretic: We're Doing It Wrong 71

72. 6. Eating our own dog-food.
2008-10-08 Security Heretic: We're Doing It Wrong 72

73. 7. Re-discovering passion.
2008-10-08 Security Heretic: We're Doing It Wrong 73

74. 8. Communicating for success.
2008-10-08 Security Heretic: We're Doing It Wrong 74

75. 9. Owning the suck.
2008-10-08 Security Heretic: We're Doing It Wrong 75

76. NOT: Pwning teh 5uC|<0rz.
2008-10-08 Security Heretic: We're Doing It Wrong 76

77. That’s a different talk altogether.
2008-10-08 Security Heretic: We're Doing It Wrong 77

78. Q&A
followup: myrcurial@100percentgeek.net
2008-10-08 Security Heretic: We're Doing It Wrong 78

79. Credits, Links and Notices.
Me: http://myrcurial.com and
http://www.linkedin.com/in/jamesarlen and sometimes
http://liquidmatrix.org/blog
Thanks: My Family, Friends, and the SecTor Advisory Committee.
Sources: notations and copies of materials are embedded within
“notes” of the PPT file.
Inspiration: coffee, omelets made by my lovely wife, Strattera, Club
Mate, Information Society, NIN, altruism.
Constructed with: Asus eeePC 701, Firefox, Powerpoint, angst.
http://creativecommons.org/licenses/by-nc-sa/2.5/ca/
2008-10-08 Security Heretic: We're Doing It Wrong 79