[SecTor Review] Zen and the Art of Cybersecurity

November 22nd, 2007

SecTor Keynote
Speaker: Ira Winkler
Presentation (ppt)

It's lunch time, the food is great and the first day is on its way to being half over. Although I've never seen him talk before, I've heard the hype about Ira Winkler... a great speaker with an interesting background, I was really looking forward to this keynote... and it didn't disappoint.

Ira was full of stories... with his PowerPoint acting as more of a map. The story of an email saying, "Hello, I've finally gotten a company to agree to let me perform a pentest against their systems... what do I do now?" was good for a laugh but it also demonstrated a point... If you have to ask, you probably shouldn't be doing it... it also demonstrated a previous point about people 'not knowing how much they don't know'.

Another story looked at martial arts... That it's important to master the basics. Ira discussed how a white belt and a black belt both know the same moves, because there are only so many ways that you can punch, kick and block. It's the years of application, practice and theory that make it appear as though black belts know so much more than white belts. The same is true in computers and Ira pointed out that there are only two ways to hack a computer:

  • Take advantage of configuration problems
  • Take advantage of problems built into software

It boils down to being that basic; beyond that you are just honing your skill and your method.

One point that had to be left out because of time limitations, though I would have liked to hear the story that went with it, was the 'Wizard of Oz' approach. In the story, everyone seeks out the great and almighty wizard, each for their own reason. What they find out when they find the wizard is that they all had everything they needed. Dorothy had the shoes, Lion had courage, Tinman had a heart and Scarecrow had a brain... they didn't know what they were looking for, so how could they know that they already had it?

The talk was captivating and a lot of fun... it was great to hear the stories... I definitely recommend looking through the slide deck... it loses a lot without the talk itself (although I believe the SecTor page will have the talk posted in the future [I'll link to it when it's posted]) but for now you can read through the slide deck from a past conference.
