Slow Down, Cowpoke: When Enthusiasm Outpaces Common Sense Derbycon 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)

No matter how fast you type, your brain moves faster. It’s a constant competition between thinking of great ideas, and making them happen at the keyboard. But inside your brain, another competition is underway. As quickly as you imagine things, you’re also evaluating them and rejecting the ones that won’t work. At least, that’s the way it’s supposed to happen. When your enthusiasm for trying something outpaces the review of consequences, then efficiency goes down, not up.

Over the past few years, I’ve made a hobby of playing crypto challenges. I’ve managed to win quite a few of them. But despite all that experience, I still make stupid mistakes. All the time. My enthusiasm drags me down blind alleys, wasting precious time and frustrating what’s supposed to be a fun game.

This talk will review some of these mistakes, incorrect assumptions, and head-meets-desk “duh!” moments, to attempt to draw useful advice from my mistakes. Advice that can be applied to any activity where ideas outstrip the ability to quickly (and safely) test those ideas. Advice that may bring additional discipline to penetration tests, web app tests, mobile app reviews, and other aspects of the security and even engineering fields.

David Schuetz

David is a Senior Consultant with Intrepidus Group, where he’s spouted off about RSA, supported large-scale iPad deployments, and found obscure bugs in Apple’s MDM system. He’s been fortunate enough to present at ShmooCon and at Black Hat, and recently co-authored an iOS programming security class for SANS.

In 2009, David won the Shmoocon V badge puzzle, and has been hooked ever since. He’s been the first to solve over a dozen such challenges, and has won prizes ranging from a Sakebomb decanter to an iPad (twice!), but he feels the best prize is simply completing the challenge. However, David also estimates that he makes at least one boneheaded mistake for every puzzle he’s solved.

Prior to Intrepidus, he spent some years performing compliance-based testing. Despite this, people actually interact with him on Twitter (@schuetzdj) and sometimes leave nice comments on his blog (http://www.darthnull.org).

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast