
The Art of the Jedi Mind Trick - Jeff Man

BSides Asheville · 44:26 · 18 views · Published 2018-06 · Watch on YouTube ↗
About this talk
Recorded at the BSides Asheville 2016 conference at Mojo Coworking in Asheville, NC. The hacker/security community continues to struggle with how to get our message across to others. We know what's wrong, what's insecure, and what needs to be done to fix the problems. BUT... we seem to hear more stories about failure than success stories. Maybe WE are part of the problem. It's easy to give a talk at a conference where you're "preaching to the choir" and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your boss's boss, or C-level management? This talk will explore a variety of techniques that I've learned over my 20+ years of consulting/advising customers about how to get the right message to the right people so real change happens. I'll explore obstacles, attitudes, and challenges that I've faced in hundreds of companies; practical methods for getting your point across; helping others to understand what you are saying; learning to speak their language; and helping them to draw the desired conclusion. This is part art, part science, and maybe a little luck - but I believe there are skills you can learn that will make you a successful communicator and get your message heard. Jeff Man is a Strategist and Security Evangelist at Tenable Network Security. He has over 30 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Earlier in his career, Jeff held security research, management and product development roles with NSA, the DoD and private-sector enterprises. Prior to joining Tenable, Jeff served as a QSA, first with TrustWave, then with VeriSign and finally AT&T Consulting Services. In this role he has provided PCI consulting and advisory services to many of the nation's best known brands.
Transcript [en]

The little abstract: we're really talking about is effective communication. I'll say a little bit about myself; my contact information is [there] if by the end of the talk you still want to get in touch. You know, what we're going to talk about this afternoon: about me, why am I calling myself a Jedi, and we'll be talking about a little bit of a problem that I think we have in the industry, some ideas of how to be better communicators, and have a little bit of discussion about that. But yeah, I'm gonna go as quickly as I can. So I've been in this industry for 35 years now, spent quite a bit of time in the early days at the

private sector. As of September it will be officially 20 years. That's where I used to work primarily, so if you want to ask me about Snowden, every time I do it costs you a drink. A little bit of a teaser: is anybody going out to Vegas for hacker summer camp next week? It's not too late. I'm going to be giving a talk at BSides Las Vegas where I actually tell a little bit of a story about what happened to me 20 years ago at NSA and why I say I was the first Edward Snowden. I did things in the manual cryptography space. Like, I was talking to John earlier; he was ex-Special Forces, and every time I'd

hear someone say Special Forces, I asked him if he ever... Special Forces call this the whizzy wheel. It's actually an algorithm: it's taking the A square, which is rotating 1 through 26. That is the algorithm. This


[Music] my first started it, and I say the fact that we allies is brokenness total secret. Why do you think it was so CD? It was still in use; it was only publicized, we did have it ready, expect a mouse, in the late eighties. It was because there were smaller Soviet bloc countries with less important communications channels that were actually still using sheep into the eighties. About this movie Sneakers: there's a book that came out earlier this year called Dark Territory. Has anybody heard of this? I'm not promoting it or anything, but the fact that I worked with a lot happened... a little bit: somebody was reading it, sent out an email to a bunch of us who used to work

together, gonna say he was reading a section in the middle there and say I was moved, but he knew this is the story, and that's in... you're gonna say we don't get to this little part here: the red team worked it out of the chamber for college kid. Well, I used to work in them too, and we really were the hackers learning how to do this in the very beginning, early to mid 90s. One of the guys who worked in the Pit with me, you might be familiar with his name: his name's Ron Gula. He's the founder of Tenable Network Security. That's our background. Anyway, 15 minutes... I haven't read the book yet

either, but, because like most things, they get the story sort of right but they miss out certain key elements, of course. We'll ever correct... 20 years ago we have the private sector, greener pastures: "Pen testing? Go work for us." And you know, started out at a boutique security company, teach everybody how to be secure and, you know, make the world a better place. Pen testing, the assessments, back when it was to meet some people why they needed to have a firewall to deal with the internet and all the other things, which meant we did a lot of security program development, architecture early on. I just also, maybe somewhere along the line, ended up in the PCI...

actually QSA, in between. And so Tenable came along about three years ago, saw me and said they want to promote really sad subject matter experts, been in business a long time. Ron's an old friend of mine, said why don't you just start doing the lecture circuit, if you've got things to talk about. So for the last three years that's what I've been doing, and not only mentioning Tenable too, if you're not sure about Tenable, necessarily. I was going around last year giving a talk called The State of Information Security, and I go a lot of times to these BSides, DerbyCon, Circle City, downtown... I've heard a lot of great talks by

a lot of really smart people, like you've heard today, and what started nagging at me was, you know, there's a lot of people talking about how we know what's wrong with everything, and, you know, all of the different places and groups, lots of smart people, and yet really bad things are still happening to a lot of different companies. Yeah, but it's like, gather over here, here are my videos, there's even more things, different companies you can put up there. So I started, you know, what's wrong? I mean, why do all the smart people not seem to get the point across, the message across, to the people within their companies, or if you're consultants or an auditor, your

customers: why aren't they getting the answer? And that was sort of the genesis of this talk. Well, you know, I've been in consulting for twenty years and done a pretty good job over the years of trying to help educate my customers on why security matters, why they shouldn't do certain things, why they should do other things. So I thought I'd pull together a talk that kind of talked about some of the things that I have learned to do over the years in terms of communication, for the benefit of the rest of the community. I'm sure there's smart people out there, academics, that in fact, you know, study this and they have names for all the

different techniques that you use. I didn't bother trying to figure them out, at least initially. So I'm going to talk about some of the things that I've learned over the years: tricks, Jedi mind tricks. One of the problems I think behind the lack of communication is... we have to do the popular movie. I remember the crypto wheel I showed you, the one that actually has its cryptographic call sign or designation; it's actually the hallowed one. So when we invented it and figured out what we were all over... my point here is that we tend to focus on the technology. We understand the technology. Obviously we work with people that don't have a deep understanding of

technology, and somehow we have to bridge that gap. But too often it seems like we focus on the technology and you lose the people that are the decision makers, the moneymakers, the bean counters, the ones able to invest in the technologies that you necessarily have to have, but also in the training and putting in the processes. Part of this Jedi mind-trick idea, and I cross over into Star Trek because I'm more of a Trekkie, is, you know, let me do something different. Does anybody know what the Kobayashi Maru is? Constantly disappointed... it was a passable tester of ink on partly Abbas. Yeah, exactly. The idea of the Kobayashi

Maru, though, is it's the unwinnable scenario. It's sort of wargaming; it's a lot of exercise. In later years they do it on the holodeck there,

but the idea is to see how the captains, or the potential captains, would react in an unwinnable situation. And in the movies, throughout time, they keep talking about how Kirk had beaten it. Out of everybody, he's the only one to start Starfleet Academy that actually beat the test, and, spoiler alert, you've seen the movie by now, it turns out that he basically hacked the program and rewrote the code so that there was a scenario of a winning situation. That's sometimes the mindset that we need to have, and to me the puzzle is how do you get the information to the right

people so that they can make the right decision. And if we can be really honest with ourselves, I think this is a huge part of the problem. I don't think I saw any of this today, but we in the community tend to, sometimes, and I've heard it expressed in many ways, in many locations, you know, referring to... there's the techies and the non-techies, the smart and the stupid, referring to the non-technical people as muggles. You know, all of this adds up if they overhear it. These are the people that you're trying to get to make a decision; you're trying to convince them. If you go in with "well, you're stupid and you don't understand what I'm talking about,

this is what I need to do," that may not be the best approach. So anyway, moving on to what could we try different, what can we do differently in terms of the techniques. At the very beginning, if you're approaching what I will call an audience and you have a message that you want to get across (your audience can be one person, it can be a group, it can be, you know, the managers, it can be your team members or your boss, it could be, you know, public speaking where you're speaking to a larger audience), one of the things I've tried to do over the years is try to get to know the audience a little bit, just try to understand what

their frame of mind is, where they're coming from, what's their understanding. So often what I will do is just take something that's somewhat innocuous, maybe related, maybe not related, and just kind of break the ice. It's actually, as in dynamic Safe Routes, an icebreaker. So for example: raise your hand if you think Blackhat is the best hacker movie ever made. Zoe is over racing in any other state... WarGames? One. Yay. Sneakers? Okay. More Hackers? Firewall? It's worth it. I just throw some of these out arbitrarily. How many of you have never seen any of these movies that I have up here? I realize it's a little bit dated.

Oh, a lot of WarGames. WarGames is known as... a lot of people say that's popular for a lot of [people] because it really enhances social engineering. I was talking with somebody, I don't know if they're in the room, oh, there's the scene in Sneakers. We were talking about having to defeat, you know, intrusion detection systems: how do you defeat the monitoring technology? There's a scene in Sneakers where Robert Redford's character is trying to break into a room and they heat the room up to body temperature because there's a sensor in the room, a little detector, that if there's a temperature variation, which a body walking through the room would trigger... and he also has to move

really, really slowly because there's a motion detector in place, but his movement... I forget what the details were, but he can only move like an inch a minute or something like that. So they don't show the whole thing; it's just a scene where he's moving really slowly and he's sweating because the room's 98 degrees. Sneakers really sort of introduced, in my opinion, is where it introduced the culture, but the initial rate Segal understood that the disproportionate response to, like, this kid, yep-yep, angry, and so on and so forth. It doesn't matter what your favorite hacker movie is; it does give you an idea, if you're talking to an audience, where people are at. Most people

raised their hand for any of this, so I mean you're a lot younger than... All right, the next important thing, and this is a really, really super important thing, is when you're trying to communicate with someone you need to be able to listen, and there's all sorts of different ways of listening. I actually did a workshop on the Jedi Mind Tricks about a month and a half ago at Circle City Con; it's up in Indianapolis. We got into this discussion about how the Millennials, young people that live on their technology, on their phones, how they don't necessarily have a lot of training or skill or experience in listening, especially in terms of picking

up nonverbal communication: body posture, the way people are sitting, the way people are moving, facial expressions and things like that. And somebody would say, well, young people, they just use a stream of emoticons, and we were talking about whether maybe that's a new language that some of us need to learn: learn how to read emotion, because a lot of times what you're reading in the nonverbal is the emotions that people are experiencing. So anyway, moving on. You know, you're making very good listening... part of listening is also hearing what they say so you can learn to speak their language. This is not technically new, because, has anybody seen this TV commercial? What's going on here is: "Do you have protection?"

"Yes, we offer fraud protection." "Fraud protection?" "Yes, fraud protection." "Are we saying the same thing?" "We're absolutely saying the same thing." "We're on the same thing." So I learned very, very early on, and I'm saying this often: when you're communicating with people you need to listen to what they're saying, because that will help you pick up on whether they're keeping up with what you're saying, frankly. And sometimes, if you think that they're not getting it, you kind of have to regroup, try a different way of explaining things. So it takes practice, it takes time, but the more you've gotten to know your audience, the more chances you have of, you know, trying something different. You know, walk into

an office where you're having to talk to a manager and you see a trophy case behind them, and they have a bunch of kids playing, let's say, football or baseball; maybe you can think of a football or baseball analogy to use. In the case that I'm going to be talking about, my experience that I'll be talking about in Vegas that happened 20 years ago, the manager in that context: I found out before I was going to speak to him that he was a car nut, yeah, a particular type of car; he was a car collector, a member of a car club. There's a little bit of a different motivation, but I told him at the end of our initial meeting, when we were just kind of

going over the ground rules, what we're really doing wrong, I said, hey, how's your cherry red whatever car doing? It's like, yeah, I was just trying to prove to him that... yeah, we're actors to all of that.

And what I'm getting to is, as you're learning people and trying to find different analogies, different ways of getting your point across, very often you have to tell stories. And now it's a picture, break it down, but you know what, movies are very good. You know, sometimes you might embellish the story, and sometimes it may not be completely accurate, and it may not be a completely relevant or sensible analogy, but if it helps you get the point across, it's a good thing to try, especially if you have to do it with people on the... For me, it was by trade, and then, say, talk about encryption and cryptography; especially in my PCI days it used to come in handy, but

very often people start talking about different algorithms, AES, RSA, DES, Triple DES, and all the other key lengths, and you lose people very quickly. Not going to eke out a cryptography lecture; most people, I don't get a chance to talk at that level with most people. But I did a presentation they wanted me to do on some of the newer technologies that have become popular in the payment space, things like end-to-end encryption, tokenization, and I gave a little bit of a background slide, but I started by saying this is how cryptography works. This is very, very oversimplified: there's something that's green, that's something data, that's a message that you want to make unreadable;

you have to combine it with a key, some sort of random string, using some sort of mathematical algorithm, which I presented as a plus sign, and equals: you get this stuff you can't read. Yet I hope enough... that afternoon after this talk, someone said, "I just went through the CISSP exam and I've learned more from you talking than my whole training." But sometimes you can break it down. Is this 100% technically accurate, applying to all? No, but it gets the point across, and sometimes when you're talking to a non-technical person all you need to do is get the point across. The main... it's really important to know people, and I've heard this a lot in various

presentations where people sort of touch on communication: it's really helpful if you understand what business you're in. I'd even take it further; especially when I was doing PCI stuff, I would ask companies, you know, what is it you're trying to protect? And they're like, credit card data, obviously. Okay, where is it? The big exercise is trying to find it. A lot of times companies, you know... and we talk about it even amongst ourselves with all these timers, we talk about the need for security; we don't often talk about what it is we're trying to protect. What's the business, you know, what is the sensitive data, what is the value of the data? Once you've discovered what it is, then you

have to figure out where, and depending on what business you're talking to, what company you work for or what customer, what business they're in, yeah, the talks about what we need to do in terms of security, what we're trying to communicate, can vary greatly. There's a lot of companies really parallel... I mean, I spent 10 years in DC going to grocery stores, convenience stores, gas stations, department stores, shoe stores, storage companies, storage space. All these companies 20 years ago couldn't care less about security; they had no interest in security costs whatsoever. But then things changed and they had to start worrying about security, but

they're not nearly as worried about security as, say, a government agency or, let's say, a financial institution or insurance. So you kind of have to learn to temper what you're trying to communicate based on what the business is, and the better you can understand the business, the more comfortable your audience is going to be, saying, oh, you understand what our endpoints are, what our challenges are, let me listen to you more carefully, because you're obviously here to help solve the problem. You're not here just... you're bringing something down, reproach means 5 million, I was only stuff that I don't understand, but you do want them to do this. Yeah, easily. This is usually the stumper... pulpit, so

not Pulp Fiction, good, The Long Kiss Goodnight. Yes, you remember what he says in the movie; it makes this slide relevant. He says, don't make an ass... I'm sorry, don't ever make an assumption, because you end up making the ass out of you. So you might think you've done a great job breaking things down, putting it in terms that they can understand, telling stories and painting analogies, bringing it into lay language, speaking in the language of your audience. It's great, and I used to use this all the time, it's a great interactive method to figure out if you're being successful: simply ask, what did you just hear me say? And have it repeated back. Unfortunately, very often,

and I was pretty good at it, you get something like, really? All day? So that's when you sort of do this lather, rinse, repeat: you go back, try a different story, a different approach. Right there, I put this in almost with legal drums: when you're making big decisions, very often get the stuff in writing. Just some ingredients: if it's a big pivotal decision, if there's a lot of money involved or your job's on the line, or it could be, get the decision in writing and make sure that the right level of management is signing off on it. And also be prepared to not win every battle; be prepared to compromise. That's not a word that we understand in our culture these

days, but, you know, if you can get them to do a little bit more, that's a little bit better than what you really want them to do... that's a win. You can double back later if you can ease them into it. So be prepared to compromise. This is pretty easy; the only thing that I found, very often, especially as a consultant, especially in the early days, we would do vulnerability assessments, going in and telling everybody everything that's wrong, what they needed to fix, and actually the legacy... as I learned this lesson from my father: it's really good, if you're gonna give bad news to somebody, if you're gonna tell them that something

that's really bad, you know, say something good. You know, it's laid out well, it's working right, it has pretty colors, like the firewall; say something good about it before you ease into the matter. And I learned this as a young person. I never got straight A's in school, not because I was dumb, because I was bored, but one time I tried really hard to get straight A's, one in history, just once, just to say I had done it, and I think I got six A's and a B. I forget what I got the B in. Brought my report card home; it was a report card every day. I showed it to my dad. What do you think the first thing was that he said when he needed to

sign it? Why did you get the B? So, you know, I'm flying through this, but, you know, these are just techniques that I've learned over the years that we can all apply in whatever role we're in, whether it's with my peers or management or higher-level management. It's not an exact science, it's an art form, but there's different ways, and I think there's a real need for us as a community... you know, am I asking a lot? Is there a lot... yeah, this is almost as complicated as it is to learn how to pen test and learn how to break things. In fact, in some ways breaking things is easy; fixing things so that they can't be broken can be really

large, and communicating to companies why... this can be very daunting. So sometimes you may want to... I've heard at a lot of conferences people talking, kind of on the subject of security in general, they talk about it being a game. The company that I said I wouldn't mention again, that I work for: our theme last summer at Black Hat was a video arcade, a retro nineties video arcade, so we're all about leveling up to the next level of security. Big thing, you know, you've got these big games, we grown big days, and we actually had a video arcade. Dude, yeah, but it's tricky... I think of

security, and especially getting the message across and getting things to be as secure as they need to be in whatever your environment is, I think of it more as a puzzle. And when I say that, it's a little bit... it might go back to when I'm... I guess, but there isn't always just one solution; there might be multiple solutions to the puzzle, and you might have to work at it really hard, you might have to keep trying, and it may be daunting. But, you know, if you haven't figured it out yet, with games, video games, you ultimately walk away a loser most days. I'm thinking video arcades: eventually your money runs out, you gotta walk away. Movies are gonna save time, so my

couple of slides summarize, you know, a lot of this. Especially when you're in a position where you're trying to make change, the idea of building the trust relationship is pretty valuable. If you're a trusted part of the company, if you're a trusted part of the decision-making process and you've earned that trust because you've made people feel comfortable, made them feel understood, they feel like you're listening to them as much as they're listening to you, that's huge in terms of building trust that will get them to take a chance: okay, I didn't want to spend the money, but maybe we should. And it's not necessarily just money on technology; again, it could be investing

in more people, investing in training. It's not too late to talk to bosses if you're in that type of situation... got the biggest, the idea to compromise. Security, if you haven't figured it out yet: security is not a place that you get to and you're done. Security is really more like a lifestyle; it's something you do continuously. I've been in this business a long time, and in the talk that I was going around giving last year, The State of Information Security, my entire presentation, my punchline in the entire presentation that I gave was: program, processes, people. You all decided the other... it was a topic from '80 to

'90, '98, verbatim, and I presented it as "this is new, in the correction, this is what we need to do" initially, yeah, and then I say, by the way, this is what we can say. So this is what we're really after. You got the analogy: changing the culture is kind of like turning the tide. You know, you can do it, it takes time, and you do it too late. So don't wait for somebody else to do it; lead by example, take your chance. Somebody else, an afterthought, said, well, we've got all these problems in our company just like you're saying, what should we do? Is it going to... find somebody to talk to, find somebody that's

not in your group, ask them what they do, offer what you do, but mostly listen to what they do. It's okay to be confident; just don't be egotistical, arrogant. I'm sure you've all been to conferences, you know, talks, or you know the type of person... I always used to say, when I got out of the pen testing business and into the consulting business, I could talk to the techies because I could speak their language, I'd kind of lived it, but I could also talk to the business people because technically I'm a business major, and I could understand the business and speak their language, which is putting it into terms they

understood. I think more of us need to be able to do that, and if you know... something to keep in mind again: learn to listen. If you get really good at it, you go to conferences where they hire artists that draw these visual things while you're giving your talk; something that was hierarchy was really else, and though I here is yours. [Music] Any questions, comments? This is, you know, this is all about communication; now's your chance: agree, disagree, have war stories, things that you tried that worked, that didn't work. It's time to go drink. [Audience:] ...any of these things too late? I mean, you know, after every major thing... [Jeff:] Really, okay, that should be early and often, you know,

well, the longer you wait the more you have to back down, so... and you don't want to overdo it. But yeah, I did look up a little bit of the science of this because I taught the workshop, and there's basically two types of communication: one is you're teaching, two is you're trying to convince somebody to buy something. Okay, so the more you can apply, the more you can practice, the earlier you do it, and if you're going to teach them, the more likely you're going to get them. Mostly in our context we're trying to get them to buy something, yeah, understand it up using an analogy, but that's really what this is all about, our business. Any other

question? [Audience:] ...Dr. L Street would move here... one thing they asked was... if you like pictures, if you like instructions, would you like to do it yourself and be watched doing it right? Try to clue in on what the person you're dealing with [prefers]. [Jeff:] Right, yeah, that's a very interesting analogy, because we all learn differently, we all take in information differently, and it's good to know that about yourself, and hopefully that helps you to pick up on the cues and the tell-tale signs. Any other questions or comments? Yes, sir. [Audience:] Yeah, we just went through Six Sigma for our business processes related

to security, but you realize how much people don't know about their own... what they do themselves. It may take a while, you know, if you're dealing... [Jeff:] Yeah, I mean, at one level this is basically: you want to have, like, a successful, happy life, no matter what business you're in, you can benefit by learning to communicate. Were there any other questions? Okay. [Audience:] This is so near to my heart because, as a developer who cares about security, the number of times that we have to make it because of something else... and so sometimes, for example, security is not naturally a requirement in systems, which it needs to be, and one of the reasons is that it is called a

non-functional requirement. However, if non-functional is treated as worried-about-later, then... and I'm sorry, which means it has to become, like, craft and chip or quality of workmanship in the product and process, and we're dead, a culture. So, you know, no matter how you feel about it, security is part of it. How, in your opinion, do we start changing that culture? Because you see, especially the security professionals: if 80% of people in this room are on the red team and the blue team is drastically underrepresented, and either they're just trying to do their job, which was not to do security, or, let's face it, they're junior developers or an absence provider who are in no power position to achieve

me... how do we create that culture? And it's not going to happen overnight; what would you say as a discussion here, how do we make it a little bit better every year?

[Jeff:] Hearing we don't live in security... study this is on top of that point. People say all the time security is always viewed as an expense, and we're easily to be scared... is realizing that a business is going to pay the expense by being hit, in a lot of ways where there's failings in the development cycle. Even means, if you can say our software is here and this is how it's secure, now all of a sudden it becomes a valued asset for that... things as being as so. [Music]

Well, historically, those interested in PCI: Target had a reputation for actually doing it right. I mean, they had a large security staff, had a large security [budget], so they invested a lot in security technology, and when they got popped, that was a wake-up call. What the people weren't hearing, knew, is that, wow, it could happen to them, it could happen to us. Five... our lecture on PCI, our world: there's a lot of companies out there that security is not their core competency; they really don't care about it, they're never happy here. That was sort of one of the next talks I'm working on; I'll give it shortly, soon, maybe next year. But I come from the DoD

world, and I used to get... when I was in the PCI world, and I would say publicly, I was the QSA for TJX Companies for six years after their breach, so I'm very intimately aware of large retailers and how they struggle with your anger, who distributed the IPC, and trying to be PCI compliant and still try to make money, to be a successful property business. And in discussions with people, explaining what all the security means, very often they'd say, yeah, we don't need to be level secure, and after the Target breach, the Home Depot... so for they started thinking, yeah, we need to do it. But again, it's

security, and in its very nature it's reactive. Stop and think about it: everything we know about security, what we do in terms of pen testing and defense, red team and whatnot, it's all based on somebody's done it. There's very little... and it's very difficult for developers to try to anticipate, figure out all the things that can go wrong, all the things that can happen. So it's really a culture, it's really a mindset. [Audience:] Yes, so what you're even saying... [Jeff:] Right, so what are you hearing me say? [Audience:] Right, I'll be different. I disagree... where we're going, and clients see it... you know, they absolutely view it as minimal. [Jeff:] I moved a second page much time

as well. So how many people know or are familiar with PCI? Oh, you know it exists. I mean, PCI has six major goals, and bear with me: build a secure network, protect the data, keep the systems current, test them, control access to users, control access to the data, access control, and wrap it all up in a written policy, set of procedures. Based on my 30-plus years of experience, I think that's a fairly comprehensive framework for security. What's missing? That's why I disagree that it's a bare minimum; it's pretty comprehensive. Now, does it get specific into the technologies and the changing things and all that kind of stuff? No, but it never was intended to be. It's

a framework. I'll get off my soapbox. Did I answer or address your question at all? [Audience:] Oh god, just make you mad. It's just an observation, but what's wrong with PCI is the way that most companies have approached it is "what's the bare minimum I need to do to make this go away," not "oh, this is a pretty decent security standard, I should follow this for not only my, you know, my credit card data, but any data I have that's sensitive." [Jeff:] But we've solved that problem too, because now we have... there's a friction between we know what needs to be done, what's right, and companies out there that don't understand, don't care about security;

they just want to make money. What's the variable, how can I touch this one too? And there's no good answer, but I think, for me, the bottom line is more of us need to learn how to communicate and educate, because a lot of security is pretty common sense when we get down to it, and if you knew better you wouldn't do it. The companies doing stupid things, they don't know any better, and there's... I can shove it in your face: aren't you stupid? Or there's this thing that I've heard that maybe... yeah, that's how this is here, you should change that default password. Because, you know, it's not an

exact science, but I think we all need to become educators and teachers. That's the only way that we ever get from reactive mode to a lifecycle culture. Yes, they all want to get their prizes, moving right now. That's it, thank you.