5 ways to inspire response, cause impact, create change

O This is all done through attack modeling
Intro slides
O #2 Give the audience something to call/reference me. First
name only to set informality
O #3 Personal pix that are “funny/candid” to show I am a real
person and create sameness that we all have a private life
outside of the cons
O #4-5 Credentials: a tongue-in-cheek hit on all the years we have
boasted our own credentials to essentially tell the audience “this
is why you should listen to me.” Why blank? To plainly state
that no matter what… there is no reason to listen. You will only
listen if it interests you, and I want that option to be OK and
available. Too often we don’t ask questions in a speech
because the speaker’s “creds” outweigh our own. So,
when we don’t agree, we tend to keep our mouths shut for fear
that we are not the expert and therefore wrong. This leads to a
weird air that you may feel sometimes, where the audience looks
almost “ashamed” of itself. They make the meaning that if they
don’t agree with the expert… THEY are the dumb ones, and end
up almost scolding themselves. Silly, but we all do it. So…
mine was blank to try and remove that.
Slide 6
O Deck TOC without the shock value. This was made to set the
undercurrent.
O Shell doesn’t matter – to highlight the connection to OUR needs vs.
theirs.
O What do they care about? To let the listeners know… they MUST find
out! This was something for the audience to think about during the
shocking parts… as a way to roll it back to the “our vs. their” needs.
O Top 5: a silly hook used because people in this industry IMHO have an
affinity towards lists/rankings/hierarchy and ease of use. 5 seemed
like a common list #.
O Born from fire: Foreshadow of the takeaway. My job in the preso will
be to mentally, emotionally, physically engage people through shock
and brutal honesty. The use of profanity, lewd pictures and provocative
therapy techniques in speech should “light up” the audience and
hopefully some of them will be reborn with a new understanding of
the job ahead and a new mindset of how to overcome the “norm.” The
more abnormal I can be, the further they will believe “normal”
extends… thus… causing progress.
Slide 7-8
O 1st touchpoint of shock. Early on, I said that I would swear (use foul,
inappropriate language/terms), and act “American” and boast, and
push them. Here is visual proof that I am willing to be honest with the
audience. I am also willing to be casual. To skip the “politically
correct” filters that often cause us to lose a point in translation.
O On the other hand, this is the first chance to test the members of the
audience that may already not be willing to take a presentation that
had a forced sensationalism. We will later exaggerate these points to
try and find boundaries.
O Eye candy for those that are READY to tackle the subject
O A statement to those that may be on the fence. No one cares about
YOUR findings. I want them to throw away SELF… if they are angry here
that I am attacking them… they will be quickly connected in the next
slides with the “emotions” point.
O #8 Rollercoaster effects… after all that build from the first “shock” we
have to calm them down.
Slide 9-10
O #9 Ahh yes… what they are used to seeing at cons. Shell, scripting, victory
conditions, root, hashes… etc.
O This builds hope for the preso to go the path of the norm and fall back to
what we have done as an industry that has put us in this defunct spot in
the first place.
O Conversation here is about the way we are self-serving. We look at the
results and we show off what makes us feel important, empowered, and
almost godlike…
O #10 Godlike… but only to US. This slide is not only HYSTERICAL… (to me…)
but proves a large point. By being self-serving, all we are doing is stroking
our own ego. We are ignoring the needs of our customers and using shell
to compensate for our lack of true understanding of why they REALLY hired
us.
O Under the surface… there is another meaning I got from it. It may be a
shocking and inappropriate figure… but hell… it took a significant amount
of skill to get there. To me, the same elite skill we use to get the shells in
the first place. If a sysadmin feels slapped in the face and their pride
broken from your shell… imagine how the audience will feel when they are
forced to stare at a huge phallic symbol that is NOT ACCEPTABLE in their
world?
Slide 11-14
O #11 I love Happy Bunny. Classic Freudian humor stuff… Nothing is funnier
to me than the truth. Happy Bunny is an example of those internal
monologues we all have but refuse to let out, out of respect, kindness,
upbringing etc… But when we hear someone else say it for us… it is
relieving and gives us sameness. The execs that we feel act like robots
have the same “fiery” emotions we do.
O #12 DO is red to emphasize that we need to DO something about this. This
should be a point where the birth of… ok… I can hear that we are being
self-serving and not eliciting the right response to our work… “WHAT DO WE
DO?”
O #13 Product line: Start the challenge. These are things that are obvious. It
is obvious that a product company cares about its products… so the
question is posed… why don’t we (audience)?
O #14 The brand. Many techs may not realize that in most cases the brand is
the real “special sauce” of the company. People don’t spend 100,000 on a
suit because it’s cotton… it is because of the designer on the label. That
name stands for a slew of indicators of quality. A car is a car, but a Kia is
not a Bugatti.
Slide 15-16
O #15 The employees: oftentimes infosec paints the users as insignificant
aspects that are just a “risk” to the business. Constantly making fun of the
fact that they are stupid, patchless… etc., they forget… that in concert with
the brand and product… they ARE the business.
O #16 The bottom line: said in business speak. Hackers keep with this
“show me the money” theme like we are loudmouth football players in Jerry
Maguire. We need to get them out of this wannabe ghetto talk and start
realizing that they are part of an operational business unit, created and
alive to support the business and its growth over time. We should not just
sit around and show off how “cool we are” or how much “we” can get
into… WE are the troops on the ground… the guardians at the gate… the
strategists and the fighters. We must get away from this egocentric view of
profit and begin to realize the true goal of business is to fortify growth and
all may prosper. If we continue to view $ as an object to TAKE and not an
object to protect… we will work ourselves out of a job and potentially an
industry.
O 11-15 were also another “relax” from the shock.
Slide 17-23
O #17 Get ready for HOW to connect to the execs. The how will likely be lost
because people will be in the “coaster” mode, but should be able to create
a connection once the shock rock wears off.
O #18 The pic was on purpose. Mostly geared at arousal in men and stoking
the feminism fight instinct in women. I love these types of emotional
responses because from a base perspective LOVE and HATE are INTENSE
emotions. So much so that they are wildly similar in most aspects in how
your mind and body respond. This is the last sharp jolt in the rollercoaster
ride before “the big drop.” Oh… and to further shake the hornet’s nest… the
text essentially is to say “shut up… DON’T be emotional.” ** I wanna shake
the soda bottle, so that when it pops, it totally explodes **
O Trek, similarity, hackspeak… the coasting used to address the emotion
and get the audience ready for the slow boring climb… to the big drop-off.
Also, the straightaway goal is to say… stop talking like YOU and START
talking like THEM. Stop trying to say the same thing over and over… do
research… get inside of their mind and posture. Start to think like them.
Try to BE them in the business and identify if there is a way to pitch your
comments and make them into things that EVERYONE can understand…
not just other “hackers” or whatever you call yourself: “researcher, auditor,
infosec professional, or just general liabilities.”
Slide 20-23
O #20 Bombardment of DO WORK. It’s all over the slides, but you will hear/see
it more and more. I think we do work today that is for us. Then cry as a
martyr when we have to do more or redo work to make it fit customers.
O #21 All chatter aside, we need to figure out some basics. The first… what
is important. In order to go through the exercise to determine what is
important in a customized way to the companies we are working for, we
need to figure out some standards of what is important overall. I wanted to
use the basic data classification model for a reference point. This states
some basic levels of data criticality but also implies that a specific level of
protection would be implemented on each level.
O #22 But how do these levels get made and applied? How do we decide that
one “secret” is more or less important than the others? How do we know
that we won’t suffer the same catastrophic loss from public data? This
has been a common issue of ranking and weighting over time and begins
my posit on how to solve or fine-tune the opinion process.
O #23 Now… so we don’t have to use too many vectors to weight our
response, defense, and offensive target acquisition on… we need to make
it into 1 score. 1 way to say, this will hurt a company if attacked… and how
bad. Also a way to say this is what to “protect first” instead of the losing
“protect all” strategy.
Slide 24-28