Teaching Good Developers to be Bad People

Laura BellFounder – safestack.io@lady_nerd

ARC111

Disclaimer:do not do actual crimedo not encourage others to do actual crime

public service announcement

you are all good people

hackers are bad people

In today’s talk….Good and bad are problematic words and we need to start separating actions from intentions.Embracing bad behaviour can be challenging but you can avoid common pitfalls.Five simple steps that can bring bad behaviour to any organization thus improving security and resilience

What’s so bad about being bad?

Terms like 'good' and 'bad' are extremely simplistic in what is a far more complex situation.

Badly behaved disobedient bad misbehaved misbehaving wayward defiant unruly insubordinate wilful delinquent undisciplined unmanageable uncontrollable ungovernable unbiddable disorderly disruptive mutinous fractious refractory recalcitrant errant wild wicked obstreperous difficult troublesome awkward contrary perverse attention-seeking exasperating incorrigible bad-mannered rude impolite mischievous playful impish roguish puckish rascally prankish tricksy brattish scampish

Anything that gives pain is bad and anything that serves pleasure is good

Epicurus, around 307 BC  

hedonism to compassion

One should treat others as one would like others to treat oneself

Also known as ‘The Golden Rule’ 

self portrait

we are all liars, cheats and thievesas long as nobody gets hurt

Experiment…let’s play a little game

Bad != Bad

actions vs. intentions

Breaking things isn’t always about breaking things

Don’t touch that please

I mean it.

don’t make me count to

three

You’ll break it and then

Daddy will be crossone

two

………

three

don’t break the buildthat’s totally different though

right?

What could possibly go wrong?(warning: this section contains cautionary tales and adult themes)

This.Will.Not.End.Well.

We feel cheated if the attack is not sophisticated or elegant

we are all romantics at heart

I blame Hollywood

we are engineerswe love the puzzles

it’s all fun and games until someone gets

blamed

psychopath

spoiler: nothing in this talk or any

talk/book/movie will ‘turn you into a psychopath’

Five steps:Get good at being bad

1. Be objective…keep your eyes on the prize

it’s rarely about the technology

Learn to see invisible things

There are two kinds of thieves in this world: The ones who steal to enrich their lives, and those who steal to define their lives. Don't be the latter.

2. Think like a villain…and make defence personal

You’re not paranoidthey really are out to get you

Make everything personal

Tell bad stories

3. Create a safe place…to create a little chaos in

Create space for destruction

Monitor all the things

you’ll be surprised what you learn

Reward the breakersBut reward the fixers a little bit more

4. Play…like you never read the

rulebook

make time to play

Prepare yourself for play

There is no such thing as:

‘the wrong way to play’

5. Break bad for life…not just for TechEd

Security fails when it

is a special event

continuous noise

Security is suitable for all ages and

abilities

A challenge…a little inspiration to

change

TL;DR versionGood and bad are problematic words and we need to start separating actions from intentions.Embracing bad behaviour can be challenging but you can avoid common pitfalls.Five simple steps that can bring bad behaviour to any organization thus improving security and resilience

Complete your session evaluation now and win!

© 2014 Microsoft Corporation All rights reserved Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U S and/or other countries MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION