
Hello and thank you for joining me after the lunch break for a talk called The Hacker's Guide to Perception. I've been introduced already; my name is Stefan Hager, I work for a company called DATEV in Germany. If you're not from Germany it's completely normal that you have never heard of that company. We are doing software for tax consultants mainly, and it is said that 80% of the literature on taxes is in German, so we're a big company with a turnover of nearly a billion euro and 7,000 employees. I'm part of the internet security team and we are looking at the security of our company from the outside, and that's where some of those ideas come from.

This is not a hugely technical talk. It's not a talk about zero-days, exploits, patching, whatever. It's a talk that more or less tries to get you in touch with your perception, how we perceive things, and what might be good or wrong about that. This also means, since it's not technical, that some of the information in this talk might seem relevant to you and some might not, so please just take away what you can. The slides are going to be online afterwards, please share freely. In case you want or need to leave early, the things I'm talking about are that I think you are shaping a big part of your reality and thus can change it if you don't like it; that if you leave your brain running on autopilot it will severely limit your choices; and that a little bit of creativity in whatever you're doing is always an asset. Let's try whether we get there.

One of the questions that I want to answer at the beginning is why I feel the need for this talk, because talking about the brain, about perception, about how you handle things, about all that stuff is usually not the content of a technical conference. So how does it apply to hackers? I hope it does, and I think personally that what we see now in the industry with egos, InfoSec rockstars, superstars, egomaniacs, behavioral patterns, and not just with the InfoSec people but with the regular users, behavioral changes are actually something that I would love to see. So I think it's a topic that concerns us in information security, because we very often forget the human element, and sometimes that human element seems to be ourselves.

Part one: your brain is lying to you. If I say your brain is lying to you I might be exaggerating a little; your brain is not lying to you all the time, but your brain is never giving you the full picture. And I'm not just saying that and leaving you with that statement, I'm going to try to illustrate what I mean. Our brains and nervous
systems have a bandwidth problem. If you moved recently, or in the last 10 years, and needed a new internet provider, you probably all know these advertisements saying this internet line will give you up to X Mbit per second of power, bandwidth, whatever, and a few years ago it was a running joke that you would never reach that number. I think with our brains it's quite the same. Let's have a look at the senses and the input that our brain gets from our senses. The eyes usually deliver the most input to our brain, with about 10 million bits per second, down to the tongue and taste with about a thousand bits per second, and if you add that all up then you get a number that says something like 10.7 Mbit per second. It really depends whether I am able to do my math correctly, but with all the numbers I'm talking about right here, they are orders of magnitude; it doesn't matter whether it's exactly 10.7 or 11 or 20 or maybe even more, because as you will see, a study from MIT said that the brain doesn't process data faster than about 60 bits per second. If you compare 60 bits per second to 11 or 10.7 Mbit per second it really doesn't matter, it's orders of magnitude. The question is what are we going to do with that information? It is something like "up to" indeed.

So what we can take away from that is that our senses deliver a lot more information than our brain, our conscious brain, can actually handle. And the interesting thing for me, as somebody interested in hacking and everything, is what faculty in my body actually chooses what kind of information gets forwarded, because there are other studies saying that about 3 percent of the information that you get bombarded with every moment is being forwarded. And again it's not really a matter of the correct number, it's just a real fraction of what is going on. That leads me to a few models that I think might be useful in looking at this problem. Our brains can
be seen as having two distinct halves. Everybody knows that, but I'm not talking about the left and right hemisphere, I'm talking about a model by a Dr. Orr, and this model has been expanded by somebody called Robert Anton Wilson, whom you might or might not know as the author of Illuminatus! and other interesting books. They said the brain basically has a thinker and a prover. The thinker can think about anything: the thinker can think he's standing on a planet that is flat or spherical, or inside a spherical planet; the thinker can think that the planet revolves around the Sun or that the Sun revolves around the planet; the thinker basically can think itself healthy or even sick. And the prover's job is so much easier: the prover's job is just to prove that the thinker is right. The prover proves what the thinker thinks. That is the basic thing in that, which means if we have biases then these biases get reaffirmed on a daily basis. Let's not call it biases; we have a certain kind of worldview, and usually most humans are comfortable if that worldview is affirmed again and again. For example, I can walk through Munich without getting a knife in my back. It's a very comforting thought, and each time I walk through Munich and don't get a knife in my back this is reaffirmed. I like being reaffirmed in my thoughts; most people are. The other thing is, I could probably fill all the 45 minutes with talking about biases, and it's not just the confirmation bias that you probably have heard about, it's really that everything we think about could be biased. It's not a bad thing, it's just something we should bear in mind when making decisions and things like that.

And since not all information is getting forwarded to our brain, something is withheld. So let's consider this street scene somewhere in Asia. I'm a completely ignorant Westerner so I can't really read the signs and everything, but let's assume I have to go to the toilet, and it doesn't matter whether it's in an Asian city or
somewhere else; it's just if I need to go to the toilet somewhere, my brain will automatically pick up signs and try to give me a good direction: maybe pick out a hotel sign in that case, maybe pick up the sign saying tourist information. Now if I was hungry, for example, my brain probably would ignore the tourist information because they don't sell food, but maybe my smell or my eyes would be distracted by the food carts and by the people close to the vegetables and the fruit, so I probably would go there. It really depends on what I'm focusing on which kind of information is being forwarded. There's one thing that always takes precedence in our lives, and that is if something is being perceived as being dangerous. I apologize to that guy with a mobile phone, I don't think he's dangerous, I just picked him out at random. If we perceive something as dangerous, everything else goes to the background, starts as a background process, and I am completely aware and trying to deal with the dangerous situation, whatever it might be.

And then of course there's the thing that we are able to glitch reality. You probably all know about optical illusions; some of them are a little bit funny, some of them have a little bit more impact. If you have seen this I apologize, because you will know the effect, but just judging from that picture, who of you thinks that A and B are a different color, just from what you see? All right. So the squares to the left of the slide are the same color, see, I hope we can agree on that. And I probably shouldn't say that in a Microsoft building, but I used PowerPoint to demonstrate that because it's horrendously difficult to get PowerPoint to cheat on that or to work with it. So if we just move them here you will see the following. Just to do it once again, because the effect is interesting even when it moves there. The thing about optical illusions is some of them are funny, but what you should know is that your brain does calculations for you. Your brain knows there's a green cylinder, that cylinder is throwing a shadow, whatever moves into the shadow thus has to have a lighter color than what appears in the shadow, so your brain is filling out that gap for you. So if you never questioned that input that your brain gives you, then of course A and B are of a different color, but really they are not. To illustrate this further, and don't worry, I'm not going to bore you with just optical illusions all the talk, although that might be funny for me, but I won't. I never am sure how that comes out on projectors, but this
should be a uniform gray bar; it is in my presentation. If I change the background you will see that the left hand of the bar seems to be a much lighter color than the right hand, right? And it's still the same bar. So especially when it comes to colors and things like that, our brain does a lot for us. It's not restricted to optical illusions though; there are auditory illusions as well. I picked out one at random, which is binaural beats. I don't know whether you're aware of them. It's a kind of sine wave for each ear, and if you listen to them with headphones the sine waves will create an interference pattern which taps out a rhythm or something like that. It's an interesting effect, it's very often used in meditation and things like that, and it is completely lost as soon as you play the music through loudspeakers, because it really just needs your brain to create that interference pattern between the ears.

More illusions: olfactory illusions, which means smell that basically isn't there. The thing with demonstrating something like that, smell, is that it is very difficult, because basically you need a chemical laboratory setup to try to prove that there's a smell that's not there. I only have one example for an olfactory illusion, from personal experience. I was driving the Gibb River Road in Australia, and this is in the outback, there's nobody for miles and miles and miles. I was refilling the gas tank of the car and all of a sudden the diesel, the petrol, smelled like the most delicious onions and bacon. Funny thing, I was licking my fingers, yes, umm, it's not on video, I'm sniffing my fingers, but they smelt of onions and bacon, not of petrol, and I was fascinated because I knew I was the only person around for miles. So those happen.

If you are suffering from tactile illusions then I don't envy you. Each of us probably knows the feeling that we sit somewhere in the summer in a nice shady place and all of a sudden we feel an insect crawling on our skin, touching this hair and the other and just moving, and when we look, nothing is there. People who are actually suffering from tactile illusions don't have that feeling with one insect but with thousands or ten thousands. So these illusions exist as well. So not only do our nerves not deliver all the info to our conscious brain, because they can't, they are also wrong every now and then.

The last example here, gustatory illusions: has anybody of you ever had a miracle fruit or wonder berry? If you haven't, this is still a very street legal thing to do. It is called miracle fruit, I think, and you can find that online and everything. The interesting thing is it goes to the sour receptors of your tongue and numbs them. So usually if you eat a lemon, your tongue and all your senses will deliver to your brain: this is sour, because this is the overpowering thing that the lemon does, the overpowering taste. Now if you block out the receptors on your tongue that say this is sour, you will find new tastes in stuff that you have been eating for years, like pineapples, strawberries; everything that has a sour touch to it will taste completely different, because you actually taste the aspect of the fruit that you have never tasted before, because your brain was just saying sour, sour, sour. All in all, it leads me to the
conclusion to say that brains are slightly random filters with dynamic rules, aka firewalls or something like that, when it comes to the information that is going to your consciousness, which I think is quite cool. The problem is you don't have an audit trail. So usually, when you are not really aware of what's happening, at no point can you say what kind of filters or what kind of senses delivered the stuff to your brain and why. You don't have an audit trail, and there's only one relatively simple solution to that, and that is you have to use yourself to observe yourself in order to change yourself, all the time, with some recursion involved of course. Because usually when we watch ourselves very closely, and we humans are thankfully made that way that we can observe ourselves, very often we react differently, but that is the whole point, because we are not running on automatic anymore. As soon as I observe what I'm doing and I'm running into some pattern or knee-jerk reaction that I wanted to do anyway, as soon as I observe myself I can hopefully at some point choose to react differently.

So now comes a part that you probably won't appreciate, again I'm sorry for that, because we have defense mechanisms in our brain as well, and in order to overcome them we have to keep a very open mind. With that I'd like to ask you to keep a very open mind and imagine a guy riding a hard steel [ __ ], and after that I would like you to think about a very open-minded Darth Vader. So, while your brain was probably preparing you for an extremely graphic image in the first example, or something at least somehow sexual, and trying to prepare you for that, your brain might not have been prepared for the Darth Vader from a much sexier universe. And even innocent things like SpongeBob could be abused, and we all know where this probably is headed and what's going on there. And I'm sure this is why I like InfoSec conferences, because it allows me to bring stuff like [ __ ] magazines and show it around. This is [ __ ] magazine, a magazine for cats by cats. The thing is, our brains love to be surprised in a good way. We don't like bad surprises, but our consciousness deals with the same kind of situations every now and then, and whenever something happens that doesn't fit the preconception it might be funny, it might be scary as well, but our brain likes to be entertained as well. And apart from [ __ ] there are also "pitch" magazines for the dog lovers. So whoever wants to have a look at my [ __ ] magazine afterwards, I'll consider it.

So basically there are some similarities between all the defense mechanisms that we employ in info security and that we have in our brain.
As with every comparison it might be a little bit crude, but I think it helps to illustrate that our brains are doing a lot more than we usually give them credit for. In info security we have anti-DDoS stuff, so whenever somebody is trying to get one of our servers down and bombard it with lots and lots and lots of traffic, the anti-DDoS thing jumps into play and filters out the bad traffic and just leaves the good traffic. Our mind has lots and lots and lots of ideas all the time, and probably thankfully only a handful is let through and the rest is just discarded. You can try it out for yourself: if you catch yourself being in a very creative phase and having ideas right here, just wait ten minutes and try which ones you remember and which ones you don't. So always write down your good ideas.

We have mechanisms like IDS/IPS, and to some extent antivirus, in info security: mechanisms that look for known patterns and know that these patterns are either good or bad, and then we either drop them or forward them, which basically is what an IPS will do; an IDS just reports on them. Within our mind we have something similar, and that is behavioral patterns, scripted reactions. If you think about it, there might be something in your life, some situation that you try to avoid, but if you run into the situation you tend to react the same every time and be angry about it afterwards. If there's something like that in your life then you've just found a behavioral pattern and can work on that concretely.

Another big thing in info security at the moment, or at least in the last year, was user behavior analysis, where basically a machine, I'm not going to say an AI, but a machine learning algorithm is trying to classify users and user behavior, cluster that, and try to compare it to regular behavior. So for example, if you have a group of accountants, they might come into the office between 8 and 10, they might work until 6 or 8, and probably access one or two servers and have Excel or other programs they heavily work with. If you compare this group of people to somebody from the sysadmins then it's completely different, because the sysadmin will log on any time of the day, they will work from home, they will log onto a lot of machines, they will probably not use Excel if they can help it but will SSH a lot and things like that. And the UBA tries to get that information in, so for example if Tom the accountant exhibits a behavior like a sysadmin then this raises an alarm. This is something that is relatively difficult to implement, at least I think it is, because the definition of normal is something that is quite difficult to do if the network is
complex enough. The good thing we as humans have is we have evolved to detect anomalies, so that's really easy for us, so we get that point. Another thing we like to do is, if we found some kind of threat or malware or anything that we think is malicious, we put it in a sandbox, we let it run, we have a look at it, we see what it does, which kind of registry keys it wants to access, which kind of values it wants to change, what it wants to do generally. So sandboxing is the thing. I'm deliberately again not going into sandbox evasion methods, because they are there, but for the sake of this example this is sandboxing. And we do much the same whenever we have a big decision to make, be it, say, buying a house or talking to a girl we like, or really doing anything that is a little bit more than eating the next chocolate bar: we like to daydream. We have that situation in our heads, we play it out, we play it out in many, many myriads of ways just to get a feeling for whether this is something we would really like or not. So basically humans are doing sandboxing as well.

And one last example, already briefly touched upon: within modern enterprise networks we have firewalls everywhere, at least most of the companies have that. We have segmented networks, we have firewalls, and every time a packet goes through a network it will pass at least one firewall. The thing is, with the thinker and the prover, if our mind doesn't think that this special thought, this special information, is worthwhile, it's going to be dropped by the internal firewall. So these are a lot of comparisons between info security methods and the human mind. What I want to illustrate next is that although they serve as an example, and they serve for us to actually see what our brain does with our thoughts and everything, analog versus digital is still a thing that you can't really compare. If you get an email or let's say a text just saying "I'm happy to see you", all those 23 bytes or something like that, I don't know, then in a digital format this will be all the information you get. In interpersonal communication there's the nonverbal communication, but I'm not talking about that; there's pronunciation, for example. So if I say "I am happy to see you" then that probably means I'm happy to see you but he's not, or if I say "I'm happy to see YOU" then I'm happy to see you but not your mother-in-law, and stuff like that. So in analog communication there's much more going on than in the digital world. And now you remember the 60 bits of consciousness that each of us seems to
have. Let's try and put it to the test. I give you guys and myself much more credit and say let's say we have 48 bytes of consciousness, okay, instead of 60 bits, 48 bytes, it seems good. So there is this movie that I hopefully can start somehow. Does it start? No? Yes. Please see what you can take, watch which kind of information you can take from that movie. And again, I said 48 bytes because I thought, you know, if you take one of the squares as a really, really big pixel it would be 48 bytes. Any takers? How many colors were there in total? Any takers? Were all the slides unique?

So just have a look at it again. It's going to illustrate a point, because I think that a lot of people here in the room could write a small program to analyze the video and tell me the exact answers, because it's easy to analyze, but it's easy to analyze for a computer. So just for the curious among you: slides 2 and 7 were identical, and slide 15 was slide 30 just rotated by 90 degrees. It doesn't really matter, because our brains are not really optimized for that kind of information. Have a look at that movie then, which contains a lot more than 48 bytes. It's the exact same length as the previous one, but after watching that I'm pretty sure most of you could answer a lot of these questions. If you have a look at these questions, these are much more specialized than in the video before. So the whole point I'm trying to make is that brains are definitely not general-purpose as computers are. We are highly specialized; sometimes you need a demonstration for that. There is a quote by the great Tor Nørretranders who said that precisely because we can be aware of our shoes that are too small at one point and the expanding universe in the next moment, because of that our brains are seen as having this limitless capacity, but they don't, because if you try to remember something at any given moment, or see what you're conscious about at that given moment, it's very often not much.

But let's continue. So how does it benefit your work, how does it benefit your cyber, why should you bother to think about your own defense mechanisms and your own perception? The first thing is, if you're recruiting for cyber, then very often if you look at the adverts on Monster or whatever, it seems that recruiters have that very fixed picture of an IT guy in mind and try to recruit absolutely for that, and the difference between blue and red team seems to be a beard. It's exaggerated of course, but what I'm
saying is, the next example for that is a good and a very bad example in two ways, but I'm getting to that. If you are recruiting for cyber and maybe you have the picture in mind, and it's not a bad picture, of a person who does a really good job, if you are just recruiting and trying to clone that person, you might end up with a Fellowship of the Ring looking like Nic Cage. There was another Nic Cage talk in the rookie track, very happy. The thing is, Nic Cage might be a good actor, but probably the success of the movies would have been slightly less if he had been the only actor in the Fellowship of the Ring. And I completely agree that this is a fictional novel, but the success of the team was based on the different things everybody brought to the whole. If they all had the same skill they wouldn't have succeeded. So we need variety and we need creative people, we need a lot more variety when we are recruiting for cyber, and in the industry as a whole, I think. And I said it's also a very bad example because, yes, the Fellowship of the Ring, they are all male, aren't they? So there's no woman there, and I apologize, it was the only Nic Cage related picture I could find that would illustrate my point.

If you are in social engineering, if you're working with that, if you're working as a social engineer, I don't really have to tell you that if you understand how your brain works and how you can influence your own brain, this of course is a skill that can easily be transferred to your work, because other people's brains work the same. One other thing is that as soon as you start trying to see why the information you get at any given moment is exactly the information you get at that moment, you start to understand yourself better. I had that example of knee-jerk reactions where you just stumble into a situation and you react on autopilot, you do something you usually don't like to do, like getting angry or making a sassy remark or something like that, and as soon as you start observing yourself you understand what you're doing and you can actually change the way you react. It's not an autopilot anymore, and that's the whole thing about doing things actually differently. This is something: doing things differently doesn't always lead to success. So just because you are using IP addresses that are not RFC 1918 in your network, I've seen something like that at a customer who just had, for example, building two, third floor, first office, first computer would be 2.3.1.1. This is doing things differently, but this is
not necessarily better. But if you for example think back to the time where you counted on your fingers, whether it has been 40 years or three days it doesn't matter, usually we count to ten on our fingers, but we are all confident with binary, so if you actually take every digit as a two to the power of something you can actually count to 1023 on your fingers. It still looks silly. It's doing things differently, but it's also thinking about things differently. It's some kind of tool that you already have and that you can already use. And if you don't like that example, I've got a real-world example for you. I'm not a war buff, I really don't like wars, but in the Second World War there was the Ghost Army. That was a division of the United States, the 23rd Headquarters Special Troops, and yes, 23rd, for those of us counting numbers. These guys in the picture are not exceptionally strong super soldiers, they just have an inflatable tank, because the Ghost Army recruited heavily from people who were creative: painters, artists, whatever, just not military guys. The job of the 23rd was to confuse the Germans, basically, and they succeeded very well. The thing is, all the job was deception. They would move into somewhere at night; they had sound installations where the sound was played from a division moving in, like 20 or 30 thousand people moving in, tanks moving in, lorries moving in, and they had all the sounds recorded back at their home base where it was safe, and just replayed them during the night somewhere close to the border, not close enough for the Germans to just send somebody and look what happened. And they would also have those inflatable tanks, and a few real tanks, because when the Germans then went by air to see what happened there, they would see a massive amount of tanks, but if there hadn't been any tank tracks that would have been suspicious. So they had a few real tanks to lay the tracks, and they had those inflatable things and sound installations, and with that kind of deception they managed to close a gap that had opened from Germany to Paris after Paris had been retaken. About 2,000 people in the Ghost Army simulated 70,000 people, and so the Germans didn't push through. So deception and doing things differently and thinking about stuff does have a few real implications.

The next slide, of course: why should you think? Not, um, "you're losing weight", that doesn't happen for me, or maybe I don't think a lot, but your brain takes about 20 percent of your calories and burns those, so whenever you're thinking you're doing your body a favor. This is to be taken with a smile. All right, so if I have managed to get you into the whole thing of thinking about yourself and perception,
you might ask for tools. There are a few tools, and you need to work out what works for you. The one thing that always works, or that is the beginning of everything, is to be more conscious of how you react, what you do, how you deal with certain situations. And if you observe yourself, I'd like to ask you to not judge yourself at that moment, because that happens later anyway, but just see in those situations that you don't like, see what happens, and then try to figure out why it happens in the aftermath. One thing that really works for me is, if you have some strong concepts about anything, just go on a holiday and pick a country where you have no cultural reference point at all. So for me that would probably be somewhere in maybe Africa or Asia, and see what is important to the people there, and see that the stuff that is important to you, for example that your fingernail color matches your clothes, is something that is of total non-importance to them, and find out how you can overcome your own preconceptions of what culture is or what you are, what you have to be, just by diving into a different kind of culture and seeing that most of it is nonsense.

And then there's the thing: whenever you do something like that, whenever you try to get to the bottom of your reactions, your perceptions, yourself, there will come the point where you offend yourself, probably, it depends on your character, but if you have strong beliefs in something and you start to question them, then it's going to be uncomfortable for you, probably. So as long as it's yourself you're dealing with, please don't be afraid to offend yourself, because what are you going to do, sue yourself? But on the other hand, if somebody holds the same belief, then just try not to offend them, because they have their own issues and everything. Just be kind to yourself and others, I guess.

And before I come to the end, a few pitfalls and conclusions that go along with that. This is a definition of being scientific: whenever you're doing an experiment there might be some results and facts which are counterintuitive, but if you repeat the experiment often enough and the result is always the same, then the result must be true, even if it's counterintuitive. Can you agree to the definition? Hopefully. Now if you're going into the whole mind hacker mindset, then it gets a little bit more vague, like: my personal perception leads me to a different assumption, therefore that aspect of the model seems wrong to me. See, there's nothing hard in there, because I can't say I believe the earth
is cubic because I believe it. I mean, I can say that, but it doesn't make it true. But with any kind of observation you make about yourself, I think this is completely true, because the kind of experience you have with your perception, or as a human being, is different from everybody else's. You might have some points where you connect, but the thing is, it's still your individual reality and stuff like that. Flat earthers, and I hope I don't offend any of you if you're flat earthers, but I really, really don't think anybody here is a flat earther: it's a thin line. And to be completely honest, the one thing I think most hackers can stand behind is that we're doing that for freedom, because most of us really like freedom. I don't like the thought that there are automatic reactions and behavioral patterns that were imprinted on me, or that I imprinted upon myself when I was younger, and reacting to situations I actually like to analyze them and be free in my decisions, because it gives me freedom of choice, and this is probably the main reason why I'm doing that. And as always I try to stay on the scientific side of that, on the side that can be proven and so on and so forth, but from hypnosis to homeopathy or any other things, there are so many other things our brain does or can do when it's convinced that this is the thing to do, that the rabbit hole I'm talking about goes a lot deeper than that. I'm always happy to discuss those things, so if you're interested, hit me up on Twitter or email or whatever, or in the coffee break, because I love talking about that stuff. I also like to thank all those nice websites that gave me stock pictures, because that way I could stay more or less legal when doing a presentation. And actually that's it for me. Are there any questions?

Thank you. Are there any questions for Stefan? So that means you're all going to go home and reflect upon how you perceived his presentation today.

Now I guess it means that I didn't do a good job in waking them up after lunch, sorry guys.

See, he's already observing what has just occurred, and he's judging now. What did we learn from this presentation today?

Um, that's a quote I would like to say, from J.R. "Bob" Dobbs, which says: I don't act as I preach because I'm not the person I'm preaching to. Yeah, well, that's a joke of course: do as I say and not as I do. Okay, no, um, I would be happy if you think about that, and if you found it a worthwhile talk here at BSides Munich, thank you again for having me, and again, if you have questions, I'm there all day.

Thank you, Stefan. [Applause]