The Language of Security: Why Our Fail To Communicate Makes Security Harder, by Augusto Barros

BSides Toronto · 40:54 · 25 views · Published 2021-12

About this talk

Presented at BSides Toronto on November 6th 2021.

Security requires intense cooperation and coordination between multiple parties. This is not achievable when they cannot agree on how to describe key concepts and keep representing the same things in different, not always compatible standards. Where are we failing in communication and knowledge representation? How can we avoid them becoming roadblocks to our security initiatives?

Transcript [en]

Perfect, thank you. Hello everyone, good afternoon. I am so happy to be here. It has been a long time since I last spoke at BSides Toronto; the last time was six years ago, and I believe that points more or less to the type of session that I like to bring to these types of events. Last time I was here it was live, by the way, in those previous times where you used to see people in the real world. I was speaking about behavioral economics and its influence on security at that time, and that's the kind of interest that I always have about these adjacent scientific sides and how they would normally affect the security world. That's something similar to what I'm bringing here today. So what I'm looking at now is how the language that we use in the security realm affects how we perform, from a security delivery standpoint. That's what I want to explore a bit more today, and I hope that it will bring some action items, some insights, or things that will help you make security better based on this assessment, this view of the language that we use in our world.

When we talk about language we are essentially looking at the practice of communication, because that's the process where we try to exchange information using a common (and I think "common" is a word that is quite important here) system of symbols, signs or behavior. It won't take much time for me to show that in our realm, in our field, we suck at it. If I wanted to do an entire fail-panel-style session talking about how badly we screw things up with bad communication in security, I could do that; I could probably spend an entire afternoon bringing example after example. So I'm going to show a few, for those that may not believe that this is a problem that exists in our area. It really is something that we have to improve.

So, looking a bit more into communication and security: security by itself requires intense cooperation between the parties so we can actually do it. It's just not achievable when you cannot agree on certain key concepts, on how to represent the things that we are dealing with, and on what type of standards you use for that. Imagine someone who goes and looks into an application, for example, that you're responsible for securing, and they go back and say: you know, there are some funny things there, and they may be bad. Two hours later your website is completely compromised. Man, they said: well, I told you. You never told me there was a big vulnerability, that there was something bad there! It could be a case of "there is a vulnerability here" (vulnerabilities are a well-understood concept; I'm going to talk a bit more about that), and how serious was it? You could use something like CVSS, for example, to represent the measure of severity in a better manner as well. So you see how the communication can improve when we can use the language in a more precise manner.

Now, many times when you bring these types of concerns about communicating better, etc., for those that are really in the weeds into things like researching or developing new types of exploitation, it may look like a smaller problem to deal with. But I like to point to probably one of the most famous cases of bad communication, bad standards and bad language from one side to the other in a more technical and probably more scientific environment, to show how much of a big deal this can be, and this is the case of the Mars Climate Orbiter. It was one of those probes that they had been sending to Mars, about 20 years ago or so. It was built with millions of dollars in investment, it was launched successfully, it spent a few months moving from Earth to Mars, and when it was about to get into orbit, where it would start to do its job, that process of getting into orbit just failed spectacularly and the probe was lost forever. So there was a lot of work trying to understand exactly what happened, the lessons learned, looking for a root cause. And yes, there was a root cause: essentially there was a mismatch in the units that were used to represent certain quantities, like how much thrust the engine would produce. There were two ways of measuring that: the American standards that only America uses, like pound-force, and then there was the international metric system, which was in newton-seconds. There was a difference in those units by a factor of 4.45, so essentially you'd put 10 newton-seconds there and the software was interpreting it as 10 pound-force seconds. That was of course a pretty different quantity from one side to the other, and the probe just went somewhere else and crashed miserably on Mars. So this is a typical and simple example of how you try to communicate a quantity, fail in using a common language, and just destroy and throw in the garbage millions of dollars of research projects, and a lot of other things, opportunity costs and so on. So keep in mind that communicating badly can generate a result like what happened with the Mars Climate Orbiter.

But even then, if we understand that these things can happen, you may still argue that, well, it's not really something that happens in our field, in security. Here I'll bring my personal opinion: I believe it is also a big issue in our world, and I have observed over time many cases where that thing was really causing issues in how things are being performed in the security world. There are multiple levels for this discussion; I will divide the problem later into key concepts, buzzwords, knowledge representation. There are different levels where you can look at this problem, but I think the classic concepts around risk are a very good example to see here. Alex Hutton likes to use the example about trying to multiply some quantities that are not necessarily something that you can multiply, like ordinary numbers, and he uses an example that sometimes what we do in those crazy risk calculations, for someone out of our field that probably has a stronger mathematical skill set, sounds like "peanut butter times jet engine equals shiny". It is something that is completely nonsense, but it's sometimes what we are seeing in these reports, in these risk assessments: things that are just not multipliable being added, being multiplied, and generating numbers that actually do not mean anything.

But looking at all those things, let's expand and see there are other problems. Can you tell me for sure, can you bet money, that everyone that is watching this session right now will define threat hunting in the same manner? I can bet money that no, we're going to see different definitions or different interpretations of what that means. But if it is something important that the organization should be doing, how can we work towards that end if they cannot agree on what we are trying to do, what we're trying to accomplish? So that's only one of the examples. Do you have a red team? What is a red team? We can even go further and talk about blue team, purple team and whatever color you want to have a team; we're still going to have different interpretations of all those things. What about X-freaking-DR? Well, look, I am a vendor and we have an XDR product, and I believe that lots of people out there will not understand that what I'm selling is an XDR solution, because their definition of XDR is different than mine. And you know, that's pretty bad. So do you still think we don't have a problem here? Yes, we do, and we need to try to make it better.

Let's try to get a better view of this problem and see what it looks like and what those layers that I mentioned are where we're going to find this issue. I want to look first at the key concepts. Nothing important, right? Just telling someone what is an asset, what is a vulnerability, what is a threat, risk, the triad: confidentiality, integrity, availability. The list of key concepts goes on and it's pretty big. It may seem like, okay, people will sometimes mistake vulnerability for threat, etc. It may look like something that is not that much of a problem, but I remember when I used to work for Gartner, one of the things that you do very frequently is taking calls from Gartner clients. They have a challenge in their hands and they are calling you for advice, so I would spend an hour with a client discussing a certain problem. There was one Gartner client that I remember that was building an RFP, a request for vendors to submit proposals for a pen testing exercise, and when they were describing what they wanted to see as the result of that exercise, they were asking that the vendor would identify any threats, vulnerabilities and breaches in their environment. What the heck? Have you ever seen a penetration test that can identify breaches? I've never seen one. What happened when I started having that conversation with that customer: I realized that for them, any word that has some kind of negative connotation within these concepts was the same thing. What it was, and what was probably on their minds, was the vulnerability, a weakness that was to be identified as part of that exercise and then fixed right after they would see it in the report. So for them vulnerability, threats and breaches were the same thing. That's pretty bad, and you see that when the vendor receives that type of description of what should be delivered, the vendor may not understand that it was just a bad case of miscommunication and adds to their proposal a compromise assessment, because they have to find breaches anyway. So you end up giving a proposal, a statement of work, that would be very different from the expectation of the customer in that case. So you see how much of a problem it can become. You're going to see, for example, cases where you are trying to accomplish a threat assessment (I want to understand which threats I'm exposed to and how bad they are) and someone will give you a vulnerability assessment, which will find weaknesses in your environment that a threat could exploit to cause you harm. They are different things. So the way that you use these key concepts in a slightly different way will cause miscommunication, and it's also going to cause a misalignment of expectations and really ruin everything. It starts with a very small problem of understanding key concepts, but it can really escalate in a way that you end up with this difference in expectations of what's going on here.

Now, key concepts is a problem that is big enough, but there are other tricky words and terms that make things even harder from a communication standpoint for security. Think about what exactly is an attack. Now that we're seeing more things in the news about the ransomware cases: oh, there was a cyber attack. Okay, some people just laugh: okay, there was a commodity malware that does extortion, ransomware, and they're calling that a cyber attack? For me, cyber attack involves people doing something in a more proactive manner. Well, for me, maybe, but someone else may have a different interpretation of what a cyber attack is. Then you start going into more contentious spaces, like what is a hack. Oh, there was a hack. Some people get really bothered about that negative connotation that hacking will sometimes carry, and sometimes we're going to have that more pure understanding that hacking is not only breaching into systems in a non-authorized manner; there are many other things that can be considered hacking that don't have the negative perspective. So you see how misaligned we are, and if it's a problem on the key concepts, when we start expanding to this space where we have breach, threat hunting, red team, cyber-something (what is cyber anyway?), we're going to see that the misalignment starts to grow substantially.

Now, that's where we get to a point where the vendors come in, and I include even the space where I am: I am a security vendor, I sell security analytics, or SIEM, or XDR, or whatever. What am I selling? We can look at the buzzword bingo to see how exactly we describe the solutions. This is actually a buzzword bingo that was created by someone to carry on the expo floor at RSA. There are many people that do that as a joke; the number of buzzwords that are created in this space is so crazy that we can play buzzword bingo. You can bring something like this and go on the floor, and you're going to see the vendors use the craziest buzzwords to try to describe what they offer, what they're fighting against, and so on. If only it was a thing about vendors. But threat researchers, the people that are identifying certain vulnerabilities, have their part of the guilt as well. Look at these logos here: we are looking at all those vulnerabilities that become so fancy that they have a logo as well. Not only do they have a fancy name, they have a logo, like Heartbleed, Shellshock, all these things. Why do we need that? Why do we need to create this additional level of confusion about these vulnerabilities? Not to mention the technologies as they come up: the hype around certain ideas ends up pushing the vendors and the industry analysts to create new acronyms. I was mentioning XDR before, but there is a new one now about something that does attack surface analysis and management; I think it's CAASM. The number of acronyms that we create in this industry is just crazy. And who is guilty for all these things? The vendors and their marketing side, because they need to find a way to differentiate, and sometimes just by trying to represent themselves as playing in a green field that only they will be able to do. So instead of saying "I am another SIEM vendor and there are other SIEM vendors that compete with me", I'm going to sell you: "I'm not a SIEM, I'm not competing with all these guys, I have a fully integrated security analytics and operations platform." That sounds amazing, and now there's no one like me, so I'm the only one in this field. That's an approach that some vendors will try, to avoid competing with other vendors when they see that they won't be able to compete in a fair manner, or in a manner that will give them some chance. Security researchers, as I mentioned, trying to get noticed, getting more visibility to the vulnerabilities that they are finding, the techniques that they are finding. And the industry analysts sometimes have different views; they want to create that acronym because then it becomes something like: oh, Gartner has CARTA, it's a view that is more complex and more complete than Zero Trust, which came from Forrester. So you see that even the industry analysts (and I saw that from the inside) end up competing for certain definitions, and sometimes they end up going overboard and creating some definitions that were maybe not necessary, to try to get some privileged position where they are the ones that are telling exactly what that is and why that concept is important, and so on.

Now, trying to get out of some of these more human-language challenges, we also have challenges when we try to represent knowledge in this field, and in many ways we're talking about knowledge that will even be produced and consumed by machines. That's where sometimes we have data format standards and other things that also come as a challenge for the language of security. Think about security events. Okay, I want to send an event from technology A, like an IDS, to a SIEM. What is the standard I should use to tell the SIEM exactly what this event is about? Surprisingly, we do not have good standards for that, and that's why the SIEMs (and here I'm putting on my vendor hat for a moment), that's why our job is so challenging: because something that will be described as an authentication event by one vendor will be called an access control event by another. There's no unified code that will define that this event, although it's coming from different technologies, is the same, so all the work in normalizing that information goes to the SIEM. The same thing is going to go for incidents, for threat intelligence, for vulnerabilities. There was a comment in an assessment from the JASON program many years ago; they were saying that the security community needs a common language and a set of basic concepts (see, I'm highlighting these things here) that will allow them to develop and share a common understanding and operate in a more scientific manner. That's something that they also said at that time.

So if we look into some of these knowledge representation problems, I like to look at the threat intelligence side, where the threat actor name, so, okay, you identify that a certain threat has a certain threat actor operating behind it, and we're going to see that the different vendors doing all this threat research use their own schemas: CrowdStrike and their bears, Mandiant and their APT-certain-number, Kaspersky and some monsters. That's very cool, but it doesn't help us in making sure that when you are talking about a certain threat actor, that threat actor is the same that I am referring to. Why can't we just use the binomial naming system that biology uses? Okay, those species names are normally in Latin; it's harder. There is sense in it, and especially when we look at the threat intelligence side, there are questions about: are we really seeing the same thing? Is it really the same threat actor? They're going to use shared infrastructure, shared tool sets, not to talk about all the group dynamics, where sometimes people that are part of a group will split and create a new one, or there will be a merger of two threat actor groups, or sometimes they will rebrand themselves. So all that makes the challenge of arriving at a standard or a common language something that is not that easy. So you see here that although it may look like an overt effect of marketing from the security vendors, no, it's not an easy challenge. There really are additional challenges that prevent us from getting an easy solution, from having a simple standard or a simple naming convention for threat actors.

Okay, we have a problem, but how do we fix it? I think that many times when you look at these types of challenges we end with a problem contemplation part. When we develop presentations in an organization like Gartner, we're normally strongly incentivized by our managers to avoid problem contemplation: all this is very interesting, but what are you going to do about it? What are you going to tell people about how to address this problem? When you look at these things that are not necessarily a domain-specific problem (language issues, getting the right standards, inappropriate communication, something that affects many fields), what are the others doing about it? How do they fix it? I think first, for things where we have quantities that are being measured, math helps a lot, especially when you're looking at the risk domain. I think there are lots of things that we can do just using math principles that will really help in reducing that confusion, reducing the level of misunderstanding of concepts. So we have to rely on math when math is really applicable. Another page that we can take from other fields is engineering drawing principles. When you're trying to understand a system that is very complex, you can describe that in a drawing, and engineering has really advanced into what a blueprint should look like, the list of parts, exploded views in a way you can see how the parts are assembled together. I think in this case we've been doing a probably decent job when you look at some of the older things like the network diagrams, where we even have some common understanding of what certain icons are, those stencils in Visio. Now, when we move to the cloud we may be losing some of that common standardization. I can see some people using the logos from the different AWS products, for example for Lambda, for S3, for EC2, and that also helps in the same manner, but you need to be careful to not lose that small level of standardization that we were able to achieve when we move to this new realm of technology, where we need to have different pictures and different ways to represent things. Biology, as I mentioned before, has the binomial naming system, where they have something that defines the genus of the creature, of that living form, and something that will be more specific. Apis mellifera, the honeybee: Apis is only the bees, and then mellifera, the one that produces honey. There is this interesting one: Spongiforma squarepantsii, that's the scientific name of a fungus, a sponge essentially, and you can clearly see what it's referring to.

So when I look here, the answer seems to be standards and conventions. Can we do that too? Yes, we can, and let's try to see how we do it. I think that probably where we got a better result here is with the basic concepts. Remember: what is a vulnerability, what is a threat, what is risk. We already have plenty of standards that address the problem, and I have composed my recommendations here from a worldwide perspective. There's the ISO 27000 family. If you look at NIST, NIST produced 800-12, 800-30; in fact, within the 800 family there are many very good standards that can be used to standardize language. RFC 2119 also helps you with things like a "must" or a "should", how you interpret those more conditional terms. If you're writing a security policy you know that that's a big deal. If you say that something should be done, what does that mean to the reader? What if they do not follow the requirement, what happens to them? So that's something where you can clearly describe what those terms mean from the practical standpoint of the reader and really eliminate a lot of confusion. There are also certification bodies that can help here, and as much as we like to complain or make fun of certain credentials like the CISSP, they can help a lot in this case of basic concepts. If these exams can put a heavier weight on how much people grasp basic concepts, we can really reduce a lot of the confusion in this area. Would I only hire CISSPs? No; I mean, there are many people that are just brilliant and never went to the bother of getting their certifications. But I know that people that went through getting their CISSP had at least to read about these concepts, because there is a substantial part of the exam that covers them. They may not have retained much, they may have done horribly in the concepts part and just managed to answer right all the things about the right fire extinguisher for each type of fire. Yes, I have my criticisms about how the weight of certain things works within the CISSP exam, but it's something that I know: if people have gone through studying for that credential they may have been more exposed to the right, or the more appropriate, definitions for certain key concepts.

Now, when we say all these things, it may look like the only thing that we need to do here is just create new standards: let's standardize everything and we're good. When we say that, I like to bring up the IDMEF case. IDMEF was a standard created to define exactly the messages that would come out of something like an IDS, so you know exactly all the fields that you should have in a message that is describing an attack that was detected. This is great. After all, I mentioned already the logs; logs are a nightmare, the format, what the message means. So they tried to develop a log standard especially for security solutions. It even became an RFC: 4765 is essentially the IDMEF format. You see the screenshots from the RFC here defining all the fields. There are some very good definitions about how timestamps should look. Timestamps are a nightmare until these days: okay, try to identify something as a real timestamp and which format it's using, and then interpret that appropriately. It's a nightmare to this day, especially for platforms like SIEM that are ingesting data from multiple sources. IDMEF was created in a very detailed way, so it looks like a great standard, but for one small problem: no one uses it. Really, if you find something that has recently implemented IDMEF I would really be interested to see it, because it's something that no one does.

And here is where we go into the discussion about real standards and de facto standards. De facto standards are those that are not pushed as something that is required by a body like ISO or NIST, but everyone starts using them just because it looks like a good common language, it fits their needs, so it ends up being adopted by the industry in general. I can point even to the CEF format that was popularized by ArcSight many years ago. Today, when you look at many security technologies, they have the option to generate their events in CEF. But even ArcSight these days is not a relevant solution anymore; it's still there, but almost no one buys it. So why would someone go to the effort of being able to ingest CEF or generate CEF? Because now it became very close to a de facto standard. If you want to write a log in a way that you know that someone else will be able to consume, you can do it in CEF. If you have a solution that you want to consume logs from multiple places, it also makes a lot of sense to accept the standard, because there are many sources of data that will use that standard. So de facto standards can really help here, and in many cases they end up being a better solution than going the full discussion and death-by-committee path that standards like IDMEF end up falling into.

And it's not only CEF. I like to bring some other success stories that we have in this field about trying to standardize our language or our knowledge representation. One that we've been using for some time: Verizon's DBIR report, which is probably one of the gold standards of sharing information about incidents, uses a standard and a taxonomy called VERIS that describes how incident information should be structured. There is FAIR for risk, Factor Analysis of Information Risk, so you break risk into multiple components; it is also becoming a quite popular de facto standard. MITRE ATT&CK: I love MITRE ATT&CK because it's really been fast introduced as the standard way to describe threat activity. Many people may jump and say: well, but it's not fully encompassing, and there are things that may happen in your environment that are not described in the MITRE ATT&CK framework. Yes, but it is a framework that is being managed in a way that is quickly adapting to those needs. That's one thing: it's not something where we have a five-year cycle of committee-based discussions about what's going to get into the next version, and then by the time they hit the next iteration someone is using something else. So it's not something that will die by committee. We have version 10 that was recently released, getting more techniques, more sub-techniques, additional data structures for the data sources that you can use to detect these techniques. It is really an amazing standard that is being used by threat intelligence, by threat detection and response, so we can have a common language to describe threat activity. And even if there is a technique that is not there, you can use the concepts of the MITRE ATT&CK framework to describe those techniques. So even if it's not bringing you that technique specifically, describing it, aligning it to tactics, describing the techniques, what the data sources are, how it's performed, which platforms are affected, there are many things that you can use based on the concepts from the MITRE ATT&CK framework that can really help. STIX is probably a case where a more formal standard became a success. I think at a certain time there was a risk of OpenIOC, which started being used by Mandiant, becoming the de facto standard, but I think STIX caught up, and I think they avoided the over-standardization and over-process around STIX in a way that it became a good standard for us to use as well.

Now, the risk discussion is something so important that I like to make a special note about it. The conversation around risk goes beyond making sure that we're using the right definitions. There are also many questions around how you properly represent quantities like likelihood and impact, and there are lots of math and statistics concepts related to it as well. I used the Hutton example of peanut butter times jet engine equals shiny; that's something that we see very often in terms of quantities that shouldn't be mixed together, putting them in a mathematical, quote-unquote, equation. So it's not something that is entirely about language. Normally there are two problems related here: how you measure risk and how you analyze risk, and also a problem about definitions. So I think we normally have pretty bad examples in the risk management, risk assessment world because we have these two problems interlaced in a very deep manner. So what should you do about it for risk? The first thing that I would tell everyone is: do not reinvent the wheel. Do not think: oh, all the standards out there are too complex, so I'm going to simplify, I'm going to do my own scale for likelihood, my own scale for impact, and I'm going to do this math here that will give a pretty good measure of risk. You probably did something stupid from the mathematical point of view, even if you're not aware of it. It's pretty hard to do it in a way that is sound from a statistical, mathematical perspective, so try to not reinvent them. It's very similar to crypto: no one creates their own crypto standards, just because it's very hard to do it well, and I'll say try to avoid that for risk the same way. Use a reputable taxonomy that describes the components of risk, and I'll point to FAIR here. FAIR is your friend; it is one of those things that is becoming a de facto standard. And if you want to get into the details from the math perspective, the statistical perspective, how to do it properly, take a look at Doug Hubbard's book, How to Measure Anything in Cybersecurity Risk. I'd say today it is maybe the bible that we have for this type of discussion.

For all the other things that we have, there's something that journalists do a lot: they use style guides. What do journalists do when they need to mention certain things, where we may use different words to describe them, or different conventions about how to write about something? They rely a lot on style books, style guides, manuals of style. There are some very famous ones, like the Associated Press Stylebook. We can use those as well from a general language point of view, like how to write in a way that you're following conventions so people can clearly understand what you're saying. But there are some resources that we have that are more specific to information security as well. Some time ago there was some pretty good work from Bishop Fox (I actually have a typo there, I just realized) where they created a cybersecurity style guide, so there is the right way to write

right a certain concept kind of where you need to capitalize gonna there are certain words separates or together but also kind of the description of what those concepts are so you know that you're actually using it in a proper manner there's also a book called the language of cyber security compiled and edited by marie antonieta flores and she also does a pretty good job into helping us knowing that we are using the terms in the proper manner so this is for us humans writing right uh when we talk about machines there is another level of this discussion that is about the use of ontologies uh ontologists in in this or in this on the computer

science world is about setting categories concepts of the framework of kind of the specific area or domain like ours we have here an example of an ontology for incident management right what is an incident right what are the response activities that you have right uh what are the roles of people in the so there are lots of things that we need to define in these realms and ontologies are a formal manner for you to just to do that an ontologist ends up being very useful because it helps you connect different technologies because they're interpreting things in the same manner right think for example sometimes how a sim would try to correlate things into a certain uh

in in an in a higher priority or in a higher level case like like curator kind of calls it offenses right while for example within securonic we may call that an incident and we use a threat model for that we use different terms and again right can i exchange a curator uh offense by kind of an incident within sacronics maybe not because you may not be referring to exactly the same things so i think the use and the adoption of ontologies in our technologies will really enable the next level of security technology integration gartner has been talking about something that they call the security mesh right if you want to get to that level we need

to see the adoption of certain uh ontologies in a more formal manner the only thing that we need to be careful on ontologies is that they don't follow ibmf in the way of the dodo in a way it's so complex that no one will use it i had a call with a vendor a technology vendor when i was a gartner and it was funny that everything about behind their idea of product was around an ontology but they spent an hour talking about the ontology and never about what the product were actually able to do or what problem they are trying to solve so we just kind of gave up on listening from from that vendor because i think they're

probably gonna with too much on the pro investing too much on the challenge of the communication and describing things properly and not solving any real problem so where do we go from here uh say first thing you can do is pay attention to your language change starts with us keep it simple don't exaggerate and kind of try to build the two uh too much flourish along your language and second right put together a glossary or a style guide for your employer right it doesn't have to be very complex but even sometimes there is one so use the one that exists right if you're involved in regulatory bodies try to avoid the edm faith by streamlining the creation

of these standards if you're in marketing for a technology vendor please just shut up do not create terms that do not make any sense and i promise i'll try it too and support any kind of good standard initiatives that are becoming the factory standards let's talk about sigma let's talk about uh all this kind of affair right and all these other cases i think kind of we should support them because they are good initiatives and they are helping the community i am getting over time but i want to throw in here uh a bonus recommendation but i know that we have another session and by the end of the day that you'll talk about exactly about this

it is working to get rid and abandoned exclusionary language and things that end up being uh creating microaggression to certain kind of right uh just to too many people that are kind of that we try to be we're being more inclusive and and bring to this field as well right so let's replace a few uh terms that we've been using for a long time and that may carry some kind of negative connotation for certain populations so kind of they can feel more welcome in our community as well words have power please remember that uh so many references should go in in detail um i hope we can i can share the deck after i can talk about the

references in discord later if you want but thank you for listening i am one minute over time not sure sorry if we have time for questions or i can just jump in discord and trying to help them there yeah thank you so much for the slides it was a great presentation and we have a lot of discussions going on in this
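The "peanut butter times chocolate equals shiny" point above, as an added example that is not part of the talk and is not code from the FAIR standard or from Hubbard's book: two constructed scenarios that tie on a 5x5 likelihood-times-impact matrix, re-estimated with a FAIR-style decomposition into loss event frequency and loss magnitude and a Monte Carlo over calibrated 90% intervals. The scale labels, the two scenarios and their interval values, and the choice of a lognormal fitted to a 90% interval are all assumptions made for the illustration.

```python
"""Why 'likelihood x impact' on ordinal scales is not risk math, and what a
FAIR-style Monte Carlo does instead.

Added example for this talk; not the speaker's, FAIR's or Hubbard's code.
All scenario numbers below are constructed for illustration.
"""
import math
import random
from statistics import mean, median

# ---------------------------------------------------------------------------
# 1. The heat-map approach: ordinal labels multiplied as if they were numbers.
# ---------------------------------------------------------------------------
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def ordinal_score(likelihood: str, impact: str) -> int:
    """The usual 5x5 matrix: risk = likelihood * impact.

    Both factors are ordinal ranks, so the product has no units and cannot be
    compared, added or budgeted against: peanut butter x chocolate = shiny.
    """
    return LIKELIHOOD[likelihood] * IMPACT[impact]


# ---------------------------------------------------------------------------
# 2. FAIR-style decomposition: loss event frequency (events/year) and loss
#    magnitude (currency/event), each given as a calibrated 90% interval.
# ---------------------------------------------------------------------------
Z90 = 1.6448536269514722  # z for the 5th/95th percentile of a normal


def lognormal_params(lo: float, hi: float) -> tuple[float, float]:
    """Map a 90% confidence interval [lo, hi] to lognormal (mu, sigma).

    Assumed distribution: strictly positive and right-skewed, which fits
    frequencies and loss sizes. P(lo < X < hi) is ~0.90 by construction.
    """
    if not 0 < lo < hi:
        raise ValueError("interval must satisfy 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an expected rate lam."""
    if lam <= 0:
        return 0
    if lam > 100:  # Knuth's method underflows for large rates; normal approx.
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef_ci, lm_ci, trials: int = 20000, seed: int = 7) -> list[float]:
    """Monte Carlo over one year: draw a rate, draw the events, sum the losses."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_params(*lef_ci)
    lm_mu, lm_sigma = lognormal_params(*lm_ci)
    yearly = []
    for _ in range(trials):
        rate = rng.lognormvariate(lef_mu, lef_sigma)
        events = poisson(rng, rate)
        yearly.append(sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(events)))
    return yearly


def summarize(losses: list[float], threshold: float) -> dict:
    """Quantities a decision maker can act on, all in the same currency."""
    ordered = sorted(losses)
    return {
        "expected_annual_loss": mean(losses),
        "median": median(losses),
        "p90": ordered[int(0.9 * len(ordered))],
        "p_exceeds_threshold": sum(x > threshold for x in losses) / len(losses),
    }


# Constructed scenarios (assumed numbers, chosen to tie on the 5x5 matrix):
#   A: phishing-driven account takeover, frequent but cheap to clean up
#   B: ransomware on a production cluster, rare but very expensive
SCENARIO_A = dict(lef_ci=(2.0, 10.0), lm_ci=(5_000.0, 50_000.0))
SCENARIO_B = dict(lef_ci=(0.05, 0.5), lm_ci=(500_000.0, 20_000_000.0))


def compare(threshold: float = 1_000_000.0) -> dict:
    """Ordinal scores tie at 8; the simulated annual loss does not."""
    return {
        "ordinal": {"A": ordinal_score("likely", "minor"),
                    "B": ordinal_score("unlikely", "major")},
        "A": summarize(simulate_annual_loss(**SCENARIO_A), threshold),
        "B": summarize(simulate_annual_loss(**SCENARIO_B), threshold),
    }


if __name__ == "__main__":
    result = compare()
    print("ordinal scores:", result["ordinal"])
    for name in ("A", "B"):
        s = result[name]
        print(f"{name}: EAL=${s['expected_annual_loss']:,.0f} median=${s['median']:,.0f} "
              f"p90=${s['p90']:,.0f} P(loss>$1M)={s['p_exceeds_threshold']:.2%}")
```

The matrix gives both scenarios the same score, so it cannot say which one deserves the budget. The simulation separates them: scenario A produces a steady five-figure yearly loss in almost every year, while scenario B produces nothing in most years and a seven-figure loss in the rest, which is exactly the kind of distinction an ordinal product erases.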