
Defensive Security Research is Sexy too (& Real Sign of Skill)

BSides London · 2014 · 39:52 · 595 views · Published 2014-05
About this talk
Whitehouse argues that defensive security research deserves equal respect to offensive work and outlines why applied defensive research matters. He surveys concrete problems where defensive solutions remain incomplete or suboptimal—from memory-corruption mitigations to DRM, user security awareness, and incident response—and advocates for grassroots, iterative improvements over unrealistic goals.
Original YouTube description
This brief (30 to 45 minutes) presentation will discuss why security research shouldn't always be about the root. Firstly we'll look at some of the goals of applied defensive research and basically why it is so damn interesting. We'll show how it applies from the lowest level OS internals through to the highest level hipster paradise. The presentation will then look at some previous problems and the types of research that had to occur in order to come up with an applied solution. Finally Ollie will zoom through some problems for which there exist only partial solutions, which deserve more focus, or whose current solutions are sub-par, to get your creative juices flowing.
Transcript [en]

so thanks very much everyone yes is that title kind of explains it i'm quite big advocate on defensive research and why doesn't necessarily get the same level of respect in our industries it maybe should and i'm going to go into why i do pull apologize in advance hopefully none of this is egg-sucking obligatory advert where massive were also am always looking for people so firstly offensive versus defense you know that's I guess what we're looking at here so we have two sides of research we have those that kind of break systems and then those that defend and I was fortunate enough very early on in my career to be encouraged to do both so I worked for a

team that did offensive research but then we did the defense of research to counteract that and then basically turner's into marketable products so that's the kind of driver if we look at kind of the ease of both sides of that equation in actual fact offensive research is relatively easy you have a market which is driven to make products which is constrained by time money knowledge around security they need to make the products usable there's a metric ton of applications frameworks that people can use of which no one is an expert in you have as we saw with openssl kind of certain mala cultures emerging around certain technologies we have ridiculously short life cycles now on certain technologies and all of these

basically stop us being able to make secure products and so that's why you know you only have to find one or a handful of bugs to be able to kind of basically destroy the security of it so it's relatively easy and I I would argue that offensive research while it's getting more complex and especially with the more modern mitigations it's not impossible by any stretch on the other hand you know we have defensive research and so why do we do it so really the motivation for defensive research unfortunate it's not going to make you famous like offensive will but we're trying to drive down kind of the costs of security generally so we're trying to

keep the pit bad people out if that fails and see what you'll see here kind of the keep aggressors out minimize the impact know what happened when it didn't this is all kind of standard defense debt stuff but that's kind of why we're trying to do if we're trying to improve our general awareness of the initial robustness of the product but then awareness of when those things fail so what we see all we have seen historically is it's very hard outside of academia to do lots of forward-looking research in terms of real blue sky stuff because this is no appetite for it so in fact of fact what we end up doing is something becomes a

problem and we do the research to counteract that and we've seen it with spam we've seen it and as you'll see I go through some concrete examples we're always very reactive and it is kind of extremely annoying in actual fact if we look at for example one of the classes of issue that we talked about memory corruption if we'd honestly sat down and said okay we understand what stack overflows are we could have probably predicted heap overflows and then we could you know predicted a lot of the subsequent classes of issue but we didn't take the opportunity when we start feeling on the pain to do that in actual fact what it takes us to do is

you know we get punched in the face and so we kind of we learn how to kind of block our head then it punched in the stomach and so we learn how to body block and it's this kind of continual war of pain that we end up going through because we need to be feeling this in order to kind of justify the research which is massively frustrating for those of you that are looking to do defensive research there are a variety of different vehicles and a variety of different areas of which you can do in so i'm not going to go through all of those you can all read but if you are a hardcore technologists and you love

hardware so I've been fortunate enough to work at kind of silicon level designing instruction sets for new CPUs that's awesome it's very fascinating but if you're not into that and you're and more into human sciences you know there's a vast especially around fishing for example while speaking to our some of our team that's here doing fishing and you know they understand that basically humans want to get stuff done and going to they know how to solicit kind of kind of information out of people as a result and so there has to be more study around defensive Human Sciences as a result through to all of the kind of the different elements of system design so the point of this is

really if you want to do defensive research don't feel that you have to be the best code that you have to be the best you know have to work with a product manufacturers is such a broad industry or area that we can benefit in many areas this kind of highlights the point which I mentioned it is basically and what I'm going to go through now a number of concrete examples of where we simply haven't learnt significantly so if we take XSS an example cross-site scripting so we found out originally there was you know cross-site scripting okay oh my god so we then start trying to defend against it and then Dom XSS is found when people start kind of looking

for kind of less than script more than script etc inputs people then found Dom XSS is an event as an evolution of that attack the solutions that we managed to come up with so far we're in built browser-based XSS protection feature which was so effective that it managed to turn some previously non exploitable XSS bugs into exploitable ones which was absolutely brilliant we've got content security policy which in actual fact you know anyone that's actually had to implement a CSP you have to know how your application works and all the frameworks you're using which is a rarity and a law software development these days and now we've got this kind of slightly clunky approach with Dom

purify which is this kind of JavaScript client side mitigation and none of these are elegant you know these are all been piecemeal approaches to the problem which we haven't fundamentally solved which is this is a game of source which is user input versus sync with something that affects the dorm or JavaScript or whatever so you know this is a great example of where we have this kind of iterative game of aggressive versus defender sequel injection that similarly so we had you know sequin jection was found so what we're going to do what we're going to try and do first is blacklisting so we're kind of only kind of flag like ticks and simpler stuff which didn't work so what we're going to

do there is not fix the issue we're going to hide its presence by giving non verbose error messaging so then the aggressors worked out you could use timing based attacks to verify your sequin jection was working and similar so then parameterization so then people worked out that you could do stuff in you know oh come one more logic based issues and then we kind of get into the no sequel world but all of these again you know we have under we haven't sold sequel injection in any elegant for we've made it harder but we still find it as an opportunity for people to screw up I guess they're kind of the better solutions we are seeing

now are where frameworks are coming in the abstract the sequel technology bit my sequel BMS sequel and it allow developers to write queries and they have to go out of their way to break the security model but you know fundamentally still not perfect this is code is a great example as well malicious codes arrive we develop AV signatures attackers realize that they develop packers so don't match the signatures so AV companies develop unpack herbs and then et cetera et cetera and you kind of you see this backwards and forwards and so we're down back basically back down to the level now where we rely on binary reputation in so like modern semantic engines have for the last six six seven years use

kind of reputation eleni ins to work out if you have if your machine is considered dirty I you know you're John whereas you download all the way as you keep getting infected when kind of new signature updates they consider you a dirty user so they just don't trust the binaries you download so your reputation is poor within the herd whereas kind of my gran who only runs word and only kind of buyers her software and it has never had a navy signature kind of fire on her machine all of her binaries are generally considered clean and set up the reputation of those so we're now at the stage of where we use these reputational engines in AV wait I can

predict that the race researchers offensive researchers are going to work out how to gain those reputational systems that's a logical step in the arms race right anyway basically this will continue and it will keep going and it will keep going but again we've not solved malicious code because even if we have even if we do all of this as we keep seeing with you know people want stuff for free or cheap and so they'll get infected by that way which is through social engineering memory corruption is one of those great car crashes which is you know we've known a memory corruption I think was a 1960s I mean karada was the first documented case of a stack overflow and the

potential ramifications for arbitrary code execution yeah well that's not bad you know we're whatever ridiculous time after that and we can see that I want to try to list here are kind of the areas that have been attacked and basically the subsequent kind of subversions to it so we can see like stack overflows we first went through they went stack cookies okay so people worked out that you didn't need to corrupt the stack cookie what you could do is you could attack variables on the local stack so then introduced verbal reordering a compiler level and a multi stack and similar all of these they have been have required the defender to go you're causing me

pain I develop a mitigation and then some smart-arse to come out and then just kind of destroy it again and rather than that being done proactively and collaboratively by an attacking like mindset during the initial development similarly what we've seen in kind of kernel and and and kind of other kind of mitigations as times moved on we can see that kind of sufficient mitigations have been developed so we're now at the stage where return orientated programming exploitation technique which is used to kind of subvert depp and those types of technologies you know the mitigations required there are called flow analysis and gadget less code well call flow analysis is very hard if you're using jetted environments like javascript and

gadget Lascaux it ends up to kind of have a performance impact both in terms of memory and execution speed so we're now at a stage where we're having to make actually quite significant trade-offs to actually produce these mitigations which means they can't be applied universally so what I'm saying here is there is more research to be done it is not solved by any stretch code review so any of you that do code review you would have started probably in a school of grep reppin for mem copy and dangerous functions and then you go ice a bit crappy and then you go watch a tour like John butlers and you go from you know taint analysis that's amazing i

can now kind of do kind of dodgy input too vulnerable code tracking and then you start trying to wrap that up into an expensive product like Coverity and fortify and then you realize the false positives and the noise it produces creates nose bleeding work with some poor sap to sit there and triage all of the issues so you throw that out and go back to your code review in a smart team of people which doesn't skate so again in cayuga is by no means solved the more interesting one here is the very game stuffs a gamification what they've done is they've come up with a way of taking code snippets and automatically generating puzzle games and so basically

you get people to play these games to provide you formal verification proofs so you basically are using humans to solve these routes and I basically feed those into your proof models and I think that's actually quite inspired you know thumbs up to a Washington and then DARPA for funding it but it's by no means assault game sandboxing so we realized basically at this point that we can't stop any of these being exploited and kind of bit and causing us pain so into what can you do now is we're going to try and contain the impact so we're going to develop these things called sand boxes and I guess shuru was one of the first earliest ghettoest versions of

a sandbox we can restrict we're on the file system something can read and write from yep naturally it failed it took a bright smart person to understand actually how operating systems work to work out Harrow a handle inheritance within processes to be able to poke outside the Shahrukh jails and so then they introduced them other many levels so we have to do filesystem networking inter procedure interprocess procedure calls and similar all of this again is not a fine art anyone that has tried to use things like a polymer or similar sandboxing tools in the real world in a production environment will tell you what the pain isn't just terms of configuring it and then no one will

provide you support because you've sandboxed it again not solved in it easy to workable manner so then we go on to put a protective monitoring which is the kind of the great snake oil of the 20th century 1st century so what I'm going to do is I'm going to deploy IDs and IPS and they've run into all manner of problems you know from reconstructing complex network streams to the different OS behavior in terms of reconstructing packet fragments so if you go back certain Tim Newsham and similar go back to the old days where they looked at all days 2000s where they looked at how different OS is like the BSD s vs Linux vs windows all

different all reconstruct out order packets and different ways and then you work out as a network level protective monitoring you need to implement all of those so they release their paper how to subvert every possible IDs there is on the planet and then so IDs vendors have their pants around their ankles and they run around and have to go and implement all of this new logic then we have all the encryption problems and then kind of the increasing network speeds etc etc all of these answers had to come through research by someone but it's still not solved and in forensics like forensics is an absolute pain in the ass now the reality is is that we had a forensics

world where we did physical acquisition and then we went to all the data and we Colombo dit basically the reality is now is that the data sizes are so vast we're having to do logical acquisition which is we know or we suspect this went down or we got an inkling this is where we start let's now find positive proof of that within the vast quantity of data that we've got or where it you know interested in owning email or something similar we've had to introduce memory forensics because again you know greg was talking about anti forensics Knox not touching disk in like 2000 2001 hey what happened people started actually using non disk touching forensics

techniques in terms of their payloads so we now have to introduce you know and actually understand how to use volatility and those types of things and doing in process memory reconstruction from stomped RAM we have to worry about kind of structured and unstructured data analysis and correlation so palantir I guess is one of the leaders in this space how do we draw relationships between vast bodies of structured data like email stores and unstructured data that we may have got from another source so expert systems in inference engines there's a number of pieces of research around this in terms of identifying certain attack patterns and or file fragments in in disk images but it's a fancy way of saying AI but it's not

particularly AI again not solved and is going to get far far worse and it all needs answers honey pots we've all seen the value in honey pots in terms of sorry in terms of kind of threat Intel but the reality is now we're not we have yes some people scanning the internet and popping your web server but in the more client orientated world where potentially mobile devices are being targeted how do we emulate and build mobile and similar kind of client-side driven honey pots so again in a semantic well just wear my experience came from some of this now we had honey monkeys the visited websites and kind of tried to get infected and that was all very good and it's highly

instrumented you know but the reality is that instrumentation is increasingly difficult on mobile devices especially if there are no jail breaks available and similar so you know we have a lot of problems ahead of us so do we go down the emulation room so we can actually kind of build realize firmware in kind of Q mu or similar platforms to be able to simulate those mobile devices but we have you know a number of problems which we don't have the answers to again hot patching so we had a desire or there was people we used to kind of trout's windows and probably still do they had to reboot to install all the security updates so much less respond they are

going to introduce this ability to do hot patching which they didn't do in a lot of cases but they they provided it in certain instances and the way they solved it was they put basically a two button off at the beginning of key functions which has allowed them to inject code and hook the call flow but then we've now got two opposing needs so we've got call flow analysis which is our rock mitigation and we've got a conscious way to hijack call flow to be able to do hot passion so we kind of this we have a real challenge here in terms of competing security defenses drm you know DRM is a zero-sum game ultimately right so you have firstly

they have software based drm people produce cracks then so smart vendors realized well there are some motivated people in poorer countries that like cracking software so we're going to release geographic specific gr drm so if they crack it for their locality it's not a break once you use everywhere model they have to kind of collect copies from all the regions and crack it in all the instances good you know so they were cracks but they were constrained or they were enterprising and driven they did it in all regions anyway so they then come up with kind of hardware based or supported drm and I guess that's what we see more now so if you look at netflix for

example netflix have these really onerous requirements on hardware security but there's been some real clangers there you know like the trusted execution environments and vulnerabilities you know it still uses an unlocked bootloader which allows you to boot the Linux box into a nun into single user mode while decrypting its encrypted file system and then we get into conditional access control which is kind of where we're at now is like your sky box is using conditional access control to provide some drm capabilities so what the people have realized there then is you have one legitimate skybox and you have lots of others in parallel which having a relationship but chained up through that conditional access card

so they've not actually stopped it but they've created places where they can kill it if they identify it's happening so partially solved but not perfect so that's I've kind of kind of crap I've spent the last twenty much crapping on all of the things we haven't solved and I'm now going to provide you lots more things we actually haven't solved as well which is actually quite interesting so we have so we launched a cyber 10k I guess a while back and we provided some challenges so the reality is is that user and consumer let non-technical people security awareness is still shocking you know I get questioned their kind of the pet the parent question you

know should I do this should I do that you know why is this computer asking me to make a security decision from its antivirus and similar asking those types of questions that I parents is a is guaranteed to file especially if you keep my barding so how do we we have not solved how to raise or to kind of bring awareness more generally to a lot of our problems you know we have an entire generation arguably that's used to clicking through SSL dialog box errors because they're used to seeing that so many times internally you know and yet we say you know you shouldn't do that well the reality is I would challenge all of you to say when you haven't

clicked through one of those mo what most recently to do your job so we can't actually have any trust in SL everyone wants you know tech city and everyone wants to be a kind of a dot-com millionaire again no one seems to remember the last bubble but anyway so everyone's starting a start-up again but the reality is is if you're trying to get minimum viable product to market the last thing on your mind is the what encryption algorithms or how to write your code securely you want wizzy bang features you want you know animations and you want you know basically what's the stuff is going to help you sell you really don't have time to secure your

patch your environment why would I do that you know and similar things and this is really born out if we take an example where HQ was compromised so those are familiar monger HQ is DB in the cloud there that was an interesting set of ramifications so Munger HQ in the cloud mongodb in a cloud is one thing who's the client of HQ well actually it's a continual integration provider what does a continual integration provider have they have access to all of your private source code your build environment and being able to deploy into the cloud because it's continual integration yeah so no so this one database cloud provider had a knock-on effect through all of these little startups that have

been using such services and the last point here is you know when we do have incidents today we can't articulate the we can't quantify and measure the cost and the impact what we can tell you is how much time you spend doing probably a half-ass job clearing it up enough so you'd continue your business we can't actually tell you in real terms are the only example we have at the moment is nortel another Chinese problem nortel is the only example we can hold up we're basically they were systematically kind of stolen IP over a long time and about you know ten years later they went bust you know but everyone will go I'm not nortel I'm not that big but you know we

have a hard time kind of measuring and quantifying kind of the impact of this and the reality is if we expect business to respond to a lot of our problems or invest more we have to show that kind of that cash impact fishing as one of our consultants told me downstairs you know when they send out 40 fishing requests and they get thirty five sets of credentials that off 35 shells sorry where the user had to click enable macro because the email told them that's absolutely shocking and ridiculous right quite simply but that is the state today you know that's not anecdotal that is what we are seeing so again when we send in the isle help desk

please click on this random link and reset your password and people do it at vast rate that is really worrying and there is at the moment we're relying on bayesian filters to catch these that is the cutting edge and kind of I guess reputation stuff but quite quite simply shocking but a fascinating area i think you know because this is a mixture of human science and potentially smarter technology but we don't have any of the answers with forensics as i said so these lists actually we worked we had a very fortunate UK university came to us and say we got 3rd year grads i need some ideas and we actually posed these six ideas as research projects for them

so if you do full packet network capture today you run out of space very quickly on any same network any modern network right no one runs 10 megabits anymore to megabit lines you know you're dealing with gig or higher so how can you reduce the storage of network captures yet still retain some of the value that we get from full network packet capture how can we do high-performance captured network data analysis these are real problems which we don't have the answer to like if you scale up your network speeds very very to the top end you're kind of common products will start to fail how do we with the network visualization one how do we create a set

of tools which allow a non security expert who can't dig into Wireshark and can't understand that bit mask to see obviously bad stuff you know there must be some way that we can kind of we can enable these people to do that through to then kind of an the red ones are the ones they selected so we said okay so we detect something is bad in a network dream how can we automatically produce her istic signatures for net flows what we're seeing increasingly on forensics cases is crypto used or people have password-protected stuff how can we recover those passwords automatically from memory in a forensic Lee safe manner and then the application of location services so geolocation

services in forensics data to understand who the user and the machine has spoken to as part of the overall case so again yeah these are some of the problems that we've posed and are relatively interesting so how do we deal with this at this point in time hopefully over at Neil's Oh l's caught we have a faux cyber home set up and we're opening front doors and we're turning on the tele camera and pointing at the journalists and scaring the out of them basically but you know this is kind of a vision of the future right we've got an increasingly electronically wired home built by random Chinese manufacturers using we know which have had products with home Reuters and

everything else CCTV cameras with demonstrated backdoors like how do we solve that from a from an assurance perspective from a research perspective we we don't have any answers to this at the moment we require smart in small motivated individual researchers to go I want to break this product for them to then sit in either while you know through their winter evenings kind of manually going through that code to find that backdoor to then go out to the market and say this Rueter has got a back door in it and then everyone goes oh oh my god has got back door in it but they've looked at probably one percent or sub one percent of the market

products which are out there and it's only going to increase and you know and I like to a bit of drama so danger to life always sounds a bit goods but you know we had the problem was it nest and their fire alarm that you could turn it off you know with some random bug so there is a potential danger to life tenuous link i appreciate but we are there and then privacy and security for nationally obviously reasons but huge problem no real answers and then everything else so we are still wrestling we know in see that using sprint f which is unbounded mem copy or memory copy basically is dangerous yet we still have people

like Terry and Theresa in development teams using this and we have still found no effective way from stopping because the reality is when you have to ship product you have to ship product and that's the reality and so you just kind of want the code to work automatic content security policy generation for web apps and refinement yet that would be hugely valuable if we could do it mapping attack surfaces of applications of systems of networks and visualizing that so people understand kind of what they need to be concerned about penetration testers where they can attack to demonstrate the risk we're increasingly seeing the emergence in cloud of kind of the traditional operating systems that we've seen such

as Linux windows all very good when you want general purpose ose stuff but we're now seeing the emergence of these kind of micro races which are they sit between the kind of the cloud hypervisors and your application stack so there are a lot more refined I bet if you look at any of those it will be like shooting fish in a barrel from a security perspective so if you are an offensive researcher and you want to have kind of your next black cat talk kind of go after that its cloud sits buzzword friendly its new so it's going to be like kicking puppies you know and it won't be afforded any of the other OS

protections the windows and linux is built in over the last 20 years so it will be fun software-defined networking so some bright spark says we're going to take our traditional networking which has a control plane and a data plane and we're going to throw out that model and we're going to come into a world where we can dynamically reconfigure our data plane through some nebulous software that has many inputs and is really smart and again no one I don't think has kind of systemically taken a pass off with the fine networking to show what the ramifications are in terms of lack of segregation so how would you do that in a secure way people are now using anti

forensic so we now need anti anti forensics or the orange tree is great for kind of sexy words or offensive forensics as I saw which is the application of forensic like techniques by aggressors to extract forensic artifacts to further attack okay that's called hacking isn't it but anyway and then actually making certain Linux security features and similar so if you're if you're tin-pot kind of device manufacturer you really probably don't want to learn a parma you want everything to run as root because it works first time when you build that appliance right so how do we you know linux and similar operating systems have very robust security models how do we actually make it usable and easy to use

for these low-skilled loan center wise vendors in foreign lands and UK but you know we kind of you kind of see a general theme here all of these we don't have that system and the reward for doing all of this really diligent defensive security research you don't get any trips to Vegas you get no worldwide contour just riding that talk to Hawaii to Singapore people probably complain when it doesn't work because they've not actually read the documentation you diligently provided the BBC won't cover it because who likes good news you know Jim saved us from a potential threat again you know it doesn't quite have the same headline but you may get two hundred grand from

Microsoft if you can kind of show it on Windows, but unfortunately that is really the appreciation that we've got. So on the happy side, you know, I think personally defensive research is one of the most rewarding areas, in so much as I can see my defensive research has existed in product for far longer and had a far wider impact than that one bug I found in that one product; it's in a piece of code that died. You know, I can find a bug any day and it will be closed when the vendor fixes it, but the remediation or the mitigation or the design principle that came up that lasted for ten years, that's pretty rad, and I personally enjoy that. I

don't think you have to be an academic. I struggle with academics quite a lot because I don't think they have a grasp on the real world, because they have someone else's money to spend, whereas we're kind of a bit more attuned to the real kind of pressures of life. And you don't have to set out to solve world hunger, but if you set out and go "I want to solve some unrealistic goal", well, go big or go home. But you know, I think you can start small and iteratively grow, and I think really the trick is, yeah, we see lots of smart ideas, but unless you get traction and actually get them used and deployed and

people behind you, they just slide, right? And so the reality is to kind of start grassroots and kind of build them in, and, you know, submit patches to open-source products and kind of just badger people and lobby and similar. And so here's a great example. So I have a lot of respect for the PaX team. So for those who aren't familiar, PaX is basically a lot of exploit mitigation stuff which was built into Linux over the years. Six years ago they came up with UDEREF, and then Intel ended up implementing it in silicon, which I think is pretty rad. It's the same technology that they developed as an open-source patch to Linux to stop

kind of exploitation from kernel to user land, to executing code in user land from kernel, and then kind of Intel come along and implement it in silicon. And if that's not a validation that you... you know, team PaX is, depending on your belief, either one really smart Hungarian or two really smart Hungarians, but it's not much more than that. And if someone can do that six years before Intel realise they should be doing it, I think that's pretty smart. So if you like this, BSides Manchester is coming. And this is the final four, really: at the moment we focus on, at least defensively, generally trying to stop all the vulnerabilities. That's our strategy;

that's not going to work. I think phishing has shown us that, right? We can solve technology problems, we can create systems so secure they're not usable, you know, we're successful at all of this. The reality is that we need to be designing, constructing, researching systems that are just far better at coping with successful compromise, limiting the impact when that happens, and being able to kind of provably clean up afterwards. And unless we do that, it's just going to... the pain is going to continue, because that is the fundamental problem: you will not stop people getting in, yeah. And I think that is, on that note, oh yeah, here it is, here's the reality as well.

Final bit: you should all fail. If you do this, expect to fail. Failure is good; otherwise it's not research, we know the answers. So I know we internally at NCC sometimes do shows of how I fail, so it's educational, it's fun, and I think it's okay to. But they set out to kind of knock their research out of the park, you know, that's why you go on offensive, because it's easy, because you know you'll get root in the end, you know, it's just kind of finding the right bug, finding the right piece of software. If you set out on some of the defensive streams it may not come to anything, it may not be workable, you may be 10 years ahead of

the time when it's ready, but it's fun. So on that, this is a conference that will never exist, but we can have a dream. You know, I don't think that defensive research will ever have a Black Hat or a SyScan or a ShakaCon in Hawaii or anything else like that, but well, this is it. Yes, yeah. But we, you know, we may have a "defend to spend" competition to fight Pwn2Own and things like that, but the reality is that it is underappreciated but it is extremely valuable, and so I hope that, you know, we do more of it as an industry and just kind of be the silent success, almost. So

now I'm quite happy to take any questions, not sure there will be any, comments etc. Yes, sir. A lot of what you're speaking about here is problems with the wider community that uses the products. Yep. And every time I go to a con, people say, well, it's lack of education, we need to educate these people. But people who completely understand the issues pull down their firewalls because they think it'll make the internet run faster, and you talk to them and they understand what a firewall is, they understand there's people trying to get through, and then they understand all of it, and they still do it. And it's not like once or twice that

that's one case I can think of. And again, because people think for some reason that, yeah, this is all happening but it won't happen to me. Well, the reality is that, to repair, you can have the most expensive firewalls in the world, but if you've got no business to pay for those firewalls, you're doing it wrong. So the reality is we end up seeing that the motivators are: get stuff done because that's what the business demands; it's too complex; I don't have the skills; all the time we're under a time pressure. So we should be making it easier, we should be able to show and articulate the benefits of doing it. How

difficult is firewall on, firewall off? And the user still makes the wrong choice, but insist... well, is it the wrong choice? If I have to transfer a 3 terabyte file and that gives me a 50... it makes it fifty percent faster and I'm under a time pressure, probably a business risk, if that's temporary, just for that transfer or those sets of transfers, probably isn't the wrong decision. It has to be risk managed, you know, but are these people making it from an informed decision? Probably not, and that's a different question. But, you know, better tools, you know, making sure that I turn that firewall on after I've done that, before I go down the pub,

that's a different trick, yeah.

Yeah, right, like they look exactly like a lot of device manufacturers: that one, it is root because it just works first time, and they'll have the best intentions that they'll lock that down as they get, before, you know, closer and closer to release, and just the time evaporates, right? And the reality is, you know, we've just got to ship it, get it out the door and make some money, people. You know, welcome to the world, and that's why you pay about seventy percent more for government systems, because there is actually security which is considered. Okay, well, thank you very much. Email Jeff... sorry, one more question. Not so much a question actually, but then you were

saying that the US are over-dramatizing the risk to life. I mean, of course you do have embedded medical appliances these days, pacemakers and the like... Yeah, and to be fair, the elise and the system for anesthetizing people that, if you plugged your phone in, it stopped working, that was a little case last week, I think it was. So if you don't ever visit that kind of relative and just plug your phone in to charge it off their anaesthesia or anaesthetizing equipment, because they may die. But yes, yes, oh, the threats are there, you're right, you know, and the reality, I think the FDA will lead the example there, but the reality is in more

emergent markets like unregulated sub-Saharan Africa, India, you know, basically, though, and care, and people will die, and it will require some bright spark to, like, some... we think Snowden's bad now, but you wait until someone reaches out and kills someone. You know, it's going to take something dramatic like that, and it be proven beyond all reasonable doubt that that's happened, then people run around, their hair on fire. Well, have the, you know, "yes, we take your life very seriously", but, you know, it's proportional to the risk.

Well, so I had this crap circle, which is product development, and it talks about when you should start repaying back your security debt, and the reality is you're not going to invest up front to make a secure product if you don't know a market exists and if you want to get market advantage, and that's the reality: there is no incentive to be proactive in this. Yes? Going to programming, the supplier, and the first question out of asking the presenters, of teachers try convincing to complain: what do you do about coders? Yes, teaching skills to code security. I visited five establishments and they basically told me it's an option in per year, right, so that's why

two recent areas, though, that's fine, my pension fund is very glad of that. Fantastic, good. Oh yeah, jobs for life, right? It is awesome, but it's demoralizing at the same time. On that happy note: beer.