getting punched in the face
nick@sensepost.com

what’s all this...?

-Tyson - Everybody has a plan until they get punched in the face
-Humans aren’t wired to deal with risks and uncertainty well...
-Newtonian...our brains evolved (well, some of us) from peanuts aimed at keeping us alive...
-We see evidence of the same mistakes in some very disparate unrelated fields
-We’re doomed to forever repeat the cycle unless we recognize this

#whoami

-Don’t believe me?
-Competitive boxer / MMA
-World class competitive paintball
-Hax0r for 14 years...7 professionally
-Poor trader...
-Gambling step-dad...every weekend

combat sports

boxing

-People fear getting hit
-Natural inclination is to cover up / turn away - gets you hurt even more!
-The better you get, the more you have to entice the bastard to hit you, so you can hit him!
-Over-defensive and over-aggressive are not good...

brazilian jiu-jitsu

-When you think you’re screwing them...
-Again, natural inclination is to lock up, use strength, stay still in a “safe position”
-Fluidity, speed, mercurial moves are the key...get into bad positions purposely to force errors
-Think 3 moves ahead...omoplata -> triangle -> armbar == pwned

remember kids...

For Ian...

paintball

-Once again, getting shot hurts, so put your head down! Natural, but totally wrong...
-Shooting left handed throws everyone...
-Snap shots! Can’t adjust fast enough..
-The big moves bust the game wide open...and instill permanent fear (6 balls in the face)
-Why not sacrifice a runner?

gambling

winners!

-Winning too much too early can be a bad thing...
-Get onto a hot streak...
-Mistake 1 - Betting “the house’s” money..
-Mistake 2 - “I’ve called it twice...I’m all in this time...”
-Mistake 3 - Poor money management...forgetting the house has the edge

losers...

-Losing is equally bad...
-We sulk, we drink, we pout, we lose more...
-Mistake 1 - Paralyzed by fear...irrational...
-Mistake 2 - Want to break even...or even worse, get back at the casino...lose more...
-Mistake 3 - Money management (again)

misconceptions

-We make stupid conclusions:
-Coin toss...50/50...even if it’s come up 70 heads in a row...the next toss can be heads or tails
-“This machine paid out, it’s hot!” ... right...
-Roulette, anyone? Or the lottery...you picked 36 and 35 came up..
-Card games, however, are not independent events...
-Need to understand Expected Value...
   what the player can expect to win or lose if they were to play many times with the same bet
-The house has positive EV in many games...

trading / investing

system du jour

-Tons of holy grails...
-Lots of gurus
-Fundamental, technical, Fibonacci, Elliott wave, Bollinger bands...
-Lunar Cycles...

srsly?!

Wait? Lunar Cycles???
Seriously?!

fundamentals...

-Yeah, read the fundamentals in that one, mofos...
-Analyst Recommendations - MUST BUY
-The devil’s in the detail...(or in the footnotes to financial statements...) but you gotta look!
-Value investors bought all the way down...hey, it was getting cheaper!
-If you’d followed price....

but why?

- A bird in hand beats two in the bush?
- Totally natural to lock in profits and hold onto losses hoping they’ll turn...but totally wrong
- We’re driven by fear and greed...look anywhere and it’s clear...we live by emotions
- Kahneman and Tversky - Prospect Theory
   How people make choices between alternatives that involve risk (usually financial)
   Given alternatives: sure win of 500 vs possible win of 1000; sure loss at same
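The Expected Value definition from the misconceptions slide and the prospect-theory choice above, worked through in code. This is an added example, not material from the original deck; the 37/38-pocket wheel layouts, the 35:1 single-number payout and the 50% probability attached to the "possible win of 1000" are assumptions.

```python
"""Expected value and independence, worked for the cases the slides mention."""
from fractions import Fraction
from typing import Iterable, Tuple

Outcome = Tuple[Fraction, int]  # (probability, net payoff to the player)


def expected_value(outcomes: Iterable[Outcome]) -> Fraction:
    """EV = sum(p_i * payoff_i): the average result per play over many plays.
    The probabilities must sum to 1; check it rather than trust the caller."""
    outcomes = list(outcomes)
    total_p = sum(p for p, _ in outcomes)
    if total_p != 1:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return sum(p * payoff for p, payoff in outcomes)


def roulette_single_number_ev(pockets: int, payout: int = 35) -> Fraction:
    """Net EV of a 1-unit bet on a single number.
    Assumptions: a European wheel has 37 pockets (0-36), an American wheel
    38 (adds 00); a winning single-number bet pays 35:1 on both. The house
    edge is simply paying 35:1 on a 1-in-37 (or 1-in-38) event."""
    p_win = Fraction(1, pockets)
    return expected_value([(p_win, payout), (1 - p_win, -1)])


def next_toss_heads_probability(history: str) -> Fraction:
    """Gambler's fallacy check: tosses of a fair coin are independent, so
    the history (even 70 heads in a row) does not move the next toss."""
    if set(history) - {"H", "T"}:
        raise ValueError("history must contain only H and T")
    return Fraction(1, 2)


def prospect_choice(sure_amount: int, gamble_amount: int, p_gamble) -> dict:
    """Compare a sure win (or loss, if negative) with a gamble of the same sign.
    Assumes the gamble pays gamble_amount with probability p_gamble, else 0.
    When the EVs are equal, arithmetic cannot decide; risk attitude does,
    which is the point prospect theory makes about gains versus losses."""
    sure_ev = Fraction(sure_amount)
    gamble_ev = expected_value([(p_gamble, gamble_amount), (1 - p_gamble, 0)])
    return {"sure_ev": sure_ev, "gamble_ev": gamble_ev, "same_ev": sure_ev == gamble_ev}


if __name__ == "__main__":
    print("European single-number EV:", roulette_single_number_ev(37))  # -1/37
    print("American single-number EV:", roulette_single_number_ev(38))  # -1/19
    print("P(heads) after 70 heads:", next_toss_heads_probability("H" * 70))  # 1/2
    print("Sure 500 vs 50% of 1000:", prospect_choice(500, 1000, Fraction(1, 2)))
    print("Sure -500 vs 50% of -1000:", prospect_choice(-500, -1000, Fraction(1, 2)))
```

The negative roulette EV is the "house edge" the slides refer to; the two prospect-theory cases have identical EV, so whatever preference people show between them is emotion, not arithmetic.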

we’re so smart...

-We explain everything after the fact
-We look for logical explanations, reasons and patterns (coin toss) where there really are none
-We make a call and stick to it adamantly, tying our ego to it...then we fear being wrong, which makes us hold on even when we know we’re wrong...
-Confirmation bias...
-Black Swan
-It takes major testicular fortitude to kill your idea (and your ego) and switch based on what’s actually happening...but that’s the hallmark of the legends...

infosec

we suck

-We suck at infosec
-Ownage fast and furious
-10 years of webapps and we’re worse than ever
-AV? Psssht
-Phishing...

overconfidence kills

-But there is a clear issue, we know this...clearly it’s endemic however...
-Even the professionals overestimate their skills / underestimate the risks
-The password choosing scheme of a 6-year-old...when you’re a target...really?

no, not just dan...

-Ok, so using your www as *anything* but a www is an abysmal idea...
-But come on...customer details...keys...creds...source to your products?! Come on!
-WTF happened to security 101...
-Would you trust a lawyer with a criminal record?

play it again sam!

-We make silly decisions...
-We don’t base our decisions on accurate / relevant data...or we read what we want into it
-Recent events - availability theory
-We underestimate risks / overestimate our skills
-SQLi 10 years ago...who’da thunk it...?

and so?

where to from here?

-We need to think, think objectively, and look at things empirically, not emotionally
-We need to constantly re-check what’s *actually* going on, and adjust without emotion
-A dose of realism
-We need to get out of our comfort zone and think about things carefully...eg Threat Model
-We take tons of risks and make tons of decisions every day, almost unconsciously...make more
-Zero-sum - I’m more than happy to keep owning you...
-Common thread...clearly the problem isn’t in each domain...it’s an issue with *us*
-Think differently...

thank you!

questions?