 Okay, welcome everyone. I'm dead addict. My battery life is a little bit low on here still trying to get a power cord So this might die at any moment and become less structured Wow Well answer that that's my power cord potentially. Hey there Four four one eight it might be coming. All right So I'm dead addict It's interesting The the audience for this obviously this is a hacker convention a hacker conference and Most of my rent is gonna be talking to vendors And people that write this buggy software and want to squash the speech It might not seem like an obvious audience because you're gonna find the bugs and humiliate the vendors But it's it's my proposition that we're all gonna wear many hats and I know I have in the past. I Do consider myself a hacker. I have worked for many many vendors with many many security issues I've been a customer of these vendors and I've also been involved with PR and in media activities So I think it's inevitable that most of you will have two or three of these hats. So Keep this in mind. If you're not a vendor currently, there's a good chance. I'll be working for one at some point in your career and what I would hope to do is to convince you to take away some of these lessons and Convince people in the organizations you're going to be working for or are working for to do the right thing I Don't want to talk about these vendors as unified companies are not single entities just as governments aren't single entities There's politics within these organizations. There's people within these organizations that are trying to do the right thing and even when they do the wrong thing there there's employees and people in these organizations that are really unhappy about that so To do the right thing there's going to be internal battles And I hope you fight the internal battles and fight your company's politics to to enable you to do the right thing I Can talk about my qualifications. I've been speaking for a while. I've been involved with Defcon for a long time I've worked for large multinational organizations at the end of the day. All this is irrelevant It doesn't matter what I've done in the past. What matters is the value of my words and you can judge that for yourself And and there's many more people that have PhD and all sorts of wonderful titles and acronyms after their names that say Completely bullshit things. So don't listen to them either because of who they are By the way, I plagiarized that last one if anyone can recognize the general gist of that You know who I plagiarized that from But it was a long time ago. So I think I'm safe so like I said you're You wear all these hats You are the hackers. You are finding the bugs. You're the vendors. You are creating the bugs There's some government folks here Probably not legislature, but there's people involved government has a lot of rules government is actually a customer of these bugs and I'll give an example at the end of Michael Lynn's talk at Cisco gate some time ago. There are a lot of government agents that were very unhappy Michael Lynn Michael Lynn was very nervous about that But they were unhappy at Cisco. It turns out as customers of the software They were unhappy that they were not informed about it and that they were vulnerable and Cisco knew about it I'm not going to talk too much about Cisco I'm gonna bring up a bunch of examples of various issues that have happened here I won't bring up Cisco too much because the darkest of tangents is speaking on that matter in depth in a couple of Hours and there'll be a fascinating speech. I look forward to attending it myself And I generally don't attend speeches. I recommend you go to that speech Also, I very much recommend that you go to the speech two hours ago. That was an excellent speech That was Jennifer Granik. She gave legal advice sort of She talked about the legal environment that exists for security researchers At some point her slides will be available the talk will be available. I recommend everyone Understand the legal environment that exists for security researchers One thing that Granik said in her Q&A afterwards that I thought was remarkable I I asked her the question couldn't most of the speeches that have occurred at both black hat and Defconn Couldn't the researchers have been threatened and the way they have in some of these dramatic cases Isn't all of this stuff we're doing on the gray area where teams of lawyers could go after us Jennifer said yes. Yes, we could all be in trouble for all of this activity all of this research all of this passionate discovery of issues and She said it's a credit to the entire industry that more of these incidents haven't happened So I'm gonna talk about some bad things that then vendors have done But these are dramatic issues that the when vendors mess up it becomes news It becomes newsworthy and it gets all of our attention What doesn't get everyone's attention is all the bugs that the vendors deal with appropriately and most of the time They do deal with these appropriately and this is not newsworthy So just think of all the speeches at all the Defconn's have occurred from here in the past and at black hat and realize if the vendors were truly the bad guys they would These conferences wouldn't exist at all and they would be asserting their dubious legal rights to squash all of our speech continually so Most of my speech like I said will be focused at the vendors mainly because they're Their decisions to attempt to squash the the speech of the researchers is the cause of the problems There's there's some other problems too. Sometimes the hackers that do this research aren't doing a communicating effectively their case If they were actual bad guys, they wouldn't be up here on stage discussing the vulnerabilities. They would be selling them to Russia or Hostile governments or our government Finally, I'm going to talk to a little bit to the media and I'm going to try to encourage the media to report some of the success stories it's interesting the success stories are Not discussed and there's a couple of companies I know of and have inside scoops about them dealing with these issues very effectively and Doing the right thing and not squashing the research and going through the internal battles legally and Telling their companies look as a security person in my company if you sick the lawyers on this problem I'm going to walk away and have nothing to do with you at all Unfortunately for some reason when companies do the right thing. They want to be very quiet about it It turns out that companies want the to have the option to pursue these dubious legal remedies in the future and Essentially the lawyers say well even though we haven't won this battle and even though the security researcher in our company said Let's not go after this guy. We still want to be able to go after people in the future So don't discuss the fact that we're playing nice I would hope that that that changes Why is this important? Well? at this point in time the critical infrastructure of the globe is written in software and if we allow Research to be squashed and not be publicly discussed the research is not going to go away the true truly bad guys are going to be pursuing this research and The public safety will be affected The quality of the software and the quality of the the security industry depends on open discourse I Want to I don't want to beat up on the vendors To say they're they're doing the bad thing for ethical and moral reasons Although in many of these cases that I believe they're acting unethically and immorally But what instead I want to do instead of just beating up on the vendors is I want to convince them that this isn't their best interests Their best interest is to have a positive relationship with security researchers to encourage security researchers to come to them with issues And to essentially have some harmony with the hacker and security community Not for altruistic purposes, but because it's good for their product. It's good for their customers and It's good for their reputation Yeah, also I want these conferences to continue as I mentioned before if these organizations continue to assert dubious legal rights and and threaten us all All these conferences can go away and that wouldn't be any fun for any of us so When I talk about dropping the zero day or when I talk about picking up the zero day It's largely not not exactly zero day. I'm talking about There's no announcement of zero day if you're dropping a zero day if you're if you just release something It's largely too late for the corporations to do anything about it so That's not what I'm talking about. I'm talking about announcing You're going to release research, which is a very legitimate thing to do, you know you Professor Felton was going to release some research at a academic conference and he announced he was going to do so before announcing your research before you publish it is a very legitimate thing to do But essentially this is This is about not asking the vendor's permission beforehand and and what happens at that point It's interesting too in the HID case very much confused me and blew me away And so many of these cases are the thing that bewilders me is how much it's not in the vendor's self-interest So I'm going to refer to a number of cases here where you can do a lot of research to get the background on them I don't want to go into detailed case studies about them, but HID makes proximity badges and There was going to be some demonstrations of how to clone these proximity badges and Iowactive the company that did this research Was concerned because they lived in or they worked in a building where there was critical infrastructure housed They realized it was protected by something that was not secure What confused me about this was twofold One this research was already done people had made these badge copiers the academic research was out there Schematics were already available. I respect Very much the people at Iowactive the work they do there's some brilliant people there But as far as I could determine it wasn't entirely groundbreaking research So they the HID attempted and succeeded in stopping a talk of information that was already known The second thing that bewildered me about this is HID as a vendor had solutions to the problem All right the the the technology that was going to be released. They had more secure versions that would allow better access control and Their marketing people should have stepped up to the plate and realized this is a better way to upgrade all their user base released at critical infrastructure and and they didn't do so so Because of my modesty, I'm going to tell everyone what to do And I think like I said I'm not going to tell everyone what to do because it's the right thing to do Although I believe it is I'm going to I'm going to try to tell everyone What the right things do that's in their own self-interest and it's in the interest of consumers of vendors of hackers of everyone Except some offensive folks in the government. I'm sure you're you won't be spotted here and Corporate lawyers whose billable hours Make them a lot of money harassing security researchers The problem the problem with these threats with these legal threats is it's chilling to free speech And this is of great concern to me if we don't have this discussions of Problems and the products we all use then we won't be able to make informed decisions on which products to buy Which products to purchase as customers? We won't be able to pressure the vendors to fix their products and Again and again again the companies after all this happened and try to backtrack about what their actual stance was We weren't trying to squash this research HID when they sent their threatening letters saying they would use every legal remedy at the available Later said no no no we didn't say don't do the presentation But yeah, I didn't quite purse the words That way and looking at their their actual threats. It seemed to me that indeed They succeeded in chilling the speech the fact is When the companies make that when the vendors make the poor decisions when the Vendors decide to be confrontational They they are squashing a free speech and I believe they're squashing our First Amendment rights Jennifer Granik and her talk a couple of hours ago talked about a litany of tools that could be used against security researchers And there's a lot of law involved Like I said, I'm gonna try not to give anyone legal advice whatsoever And Jennifer actually didn't give anyone legal advice, but she was the expert so definitely listen to her it It doesn't matter the the the one of the other problematic things about these legal threats that the these organizations pursue against researchers is Even if the researcher would prevail in a court of law Even if the law at the end of the day would be on their side It it doesn't matter because the defense costs and and IO activists an excellent excellent example They're a small company just to defend themselves and to litigate the matter which Many many people believe they would have prevailed in It would have possibly destroyed their company And if they lost They certainly it would have been demolished as a small company and a lot of the most interesting research That's not being done independently is being done by small firms small security firms such as IO active also These threats Don't help the security posture of the industry lawyers Can't fix bugs lawyers do not make a safer I guess I would argue some of the civil libertarians that are here to do make a safer Jennifer Granik the EFF There's some good folks here. I think everyone loses when we're silenced and hopefully we can Create an approach and fight fight these battles internally to to prevent everyone from doing the wrong thing As I mentioned before I believe this is a public safety issue and the previous I Granik mentioned in her speech The unsafe at any speed would not be allowed if the car manufacturers were to say well You can't discuss this vulnerability in this danger in our cars People would die because of it. That's sort of a dramatic thing to say people would die but The software in question and the software that runs our world is is running our critical infrastructure hospitals are running this code public safety institutions are running this code The most bewildering thing about this is that when companies do attempt to squash research. It doesn't work. They fail miserably Many of these talks the IO active one for example, I don't think that would have generated much press With all due respect to IO active. I don't think it was that Dramatic or groundbreaking of work. It was only when the legal threats were created that suddenly those schematics Schematics that were online for a long time were suddenly accessed and referenced and talked about and people suddenly had a lot of interest in these products and and these vulnerabilities and people that Couldn't understand Michael Lynn's talk We're downloading and mirroring this all over the globe and that wouldn't have happened if there weren't legal threats and The internet does really a wonderful job at distributing information when when there's threats of censorship And I don't think the PR folks at the organizations that have made these poor decisions understand this I don't think the lawyers understand this. It's not good business for anyone and I I'm I'm honestly baffled that people still continue to attempt to squash this research Even even if they could squash it Even if they're the entire public did not realize these vulnerabilities even if they were able to prevent it from making the Wall Street Journal and whatnot There's no reason not to believe this information still wouldn't be disseminated in the underground In which case the the customers would be Would lose even more But by the way, I like the idea of using very bright people and well respected people to make my points I I think that's a lovely method it's so hard in any relationship to to to build trust and Many of these organizations depend on independent security researchers from con to contact them and to point out issues that occur and I think the the month of Apple bugs is an excellent example of what happens when a Vendor has poor relationships with a security community the security community instead of going to the vendor now We'll very often say you know what I'm just going to release this and it doesn't really matter Working with the vendor is is is going to be counterproductive. I mentioned some of these Adobe versus lcom soft it wasn't necessarily about Squashed research that was being presented, but it certainly was an attempt by a corporation to to stop research Being published into their work. There's a very interesting case The SDMI versus professor felt was an excellent example of not only a so-called hackers doing this research But very well-esteemed respected academics doing this research and still feeling As if their research was being squashed and successfully so man, oh So a number of years ago, I would say seven eight years ago Microsoft had an incredibly poor reputation In regards to not only their security profile on their security stance Their security methodology, but also the relationship with the community And Microsoft in the last five years while their software isn't necessarily secure They are surprisingly a leader in secure development life cycles With community relationships with hackers And they haven't they haven't had any of these incidences that I'm going to describe They've been doing the right thing. I'm not endorsing their software But I'm just saying if Microsoft gets it right, why can't why can't everyone else? It's it's possible that there are actual tools that can be used to Successfully to squash this research It's possible that the law is on on the side of the vendors in many of these cases and the lawyers and the internal Discussions that these organizations have present these options these business options To to to the vendors to decide whether or not they were going to attack the the research or not But they're not attacking the right people the people that are going public and publicly disclosing these issues They're not the enemy the the enemy are the people that are selling these exploits to people that will commercially profit from them And selling them to to governments that will use them for offensive purposes and whatnot Vendors do appreciate the research that independent hackers do They come to these conferences they send their folks to them they sit in the rooms They take notes they talk to them afterwards. I've seen this again and again But they seem to expect that the research should be done on their own terms They're very happy to get free work, but the fact is you can't get free work from people And then expect everything to be on your own terms. I'm not going to discuss In-depth the disclosure to date that's been What appropriate disclosure is that's an ongoing discussion that that's kind of interesting, but it's been happening for half a dozen years or more But I would like to point out that when someone contacts an organization And says hey, I have I have an exploit. I I found some problem in your software It's it's really inappropriate for the organization to expect the hacker to start doing full-time volunteer work for the large multinational You can have it one way or the other Again, the customers don't like this the customers don't like to be vulnerable They don't care how the problem was found They know that lawyers are not going to solve their problems or as customers will they won't protect them they need the bugs fixed and I think it looks really bad as an organization When essentially you panic and I I think I think you can characterize some of these litigious attacks on researchers as corporate panic and as a customer When I see my vendor panic and that doesn't instill confidence in me at all. What instills confidence in me is The vendors saying oh, yes, that was an excellent issue. Yeah, we're looking into that. Here's our response Here's immediately. We're gonna tell you how to mitigate the threat. It's about threat Here's how to mitigate it. We're not worried about it at all. We're gonna get a patch very quickly And it's all good. That's a response. I think as a customer that I can have some confidence in When when a vendor says oh my god, what did they release? We're all in trouble That terrifies me as a customer that's not good Also, man, so Of all the people the vendors could piss off in the world a Conference full of hackers is probably the wrong decision When you antagonize and attack a researcher, maybe you can get them to shut up Maybe that researchers is affiliated with a company that doesn't want to go under because of legal threats The problem is there's suddenly an audience of five thousand hackers that may have some free time on their hand and not Be afraid of the litigation. Maybe they live in another country Maybe they're not affiliated with the company. Maybe they're 16 years old and still can reproduce the bug You don't you don't want to upset us. It's it's not wise And and if you do upset us, we're not gonna give you that free research We're not gonna help you out. We're not going to work with you in a constructive manner If they were the bad guys if we were the bad guys We would never tell anyone and certainly that's what black hats do Black hats find these holes. They find these security issues and then they keep them in their private arsenal The private arsenal becomes useless once you release the bug to the public It's counterproductive for doing bad things when everyone knows about this. Ah excellent This tastes better than water so a Company will often say internally what are our options and Unfortunately, this is not the conversation. They often have with their PR folks or their security folks They'll they'll have this conversation with their lawyers The lawyers know how to litigate that's their job. They know how to create billable hours Their job is not to create a positive PR stance their job is not to fix software Their job is not to look at the larger ramifications of how the reputation will be impacted If you come to a problem with a lawyer to a lawyer and say how can I stop this or what are my legal options? All they're going to give you is legal options So by the mere fact of engaging Within a corporation as this disclosure process is occurring the mere act of engaging the lawyers the lawyers are going to give you legal remedies and They might find a large arsenal of Possible issues bogus patent claims Claiming reverse engineering is illegal claiming that eulahs are binding even though the software was sold third-party or was a click-through They might find many novel legal theories that are untested and inappropriate, but that's all they're going to do Yeah, this is the big one Well, one of the big ones It if you want to appear on the front page of the Wall Street Journal and a negative light You will threaten a security researcher if you want to appear in the Associated Press And in negative light and have your bugs disclosed You will threaten a security researcher The press doesn't want stories about people getting together and getting along and everything working out fine and and a Smooth process between hackers and companies. It's generally not a story I mean it might be a good in-depth story and I hope some reporters take up this challenge and I hope Some of the companies are willing to share some of their stories of working with hackers because it happens on a daily basis But the press is event-oriented So talking about good things that happen is not really an event A large legal threat against a small person. That's a story That's a juicy story that a non-technical person can be interested in that's a story that will sell newspapers That's a story. They'll get picked up by the AP and then it's not good for the vendor. The thing is no matter how bad the bug is That's not the story the still the story is this oppression of the bug The story is of the company panicking even even if it is a serious issue even if there is a large problem If the vendor is not panicking There really isn't good press there. Oh, yeah again When you attempt to squash these stories suddenly the entire world is aware of the specific bug you want to squash and What's that? Yeah, like I said see dark tangents talk for more discussion of Cisco Now so I talked a lot about what not to do as an organization And why this is not the appropriate response for vendors why not to be confrontational What you need to do is you need to let cooler heads prevail you need to eat even if it was an inappropriate Disclosure even if the security researcher was not savvy in how they handled it Even if they were perhaps inflammatory in their rhetoric and said bad things about you as a company Confronting them in a negative way is not going to help this the situation at all Engaging the researcher is going to help the situation Finding out more about the bug finding out more about these issues And and as you're interacting with these researchers Just remember that your threats will be published your legal threats are pieces of news Remember every email that you send out to this person particularly if you have a confrontational Approach the situation very well might appear in the press and and I think that might be appropriate Microsoft has learned and other companies have learned If you just look at the sponsors of the black hat conference If you look at all the corporate parties which tend not to be that good quite honestly, but they try so so I appreciate that All these companies realize that establishing a relationship with a computer security community is advantageous to them The people that are finding bugs in their software could be future employees the people researching their their their software Could be customers of theirs in the future And and there's a lot a lot of corporations That have realized having a successful relationship with a security community is a positive thing Why while I didn't hear good things about the Cisco party the sheer black hat the fact is they were Sponsored black hat and they they did throw party and and they tried And I think that's that's a positive step And I think a lot of these companies that have made mistakes in the past can rectify them Can try to have a better stance? It takes time to rebuild these trust issues After you've stumbled people will distrust you for a while, but you know, it's interesting looking at the Microsoft story The perception of the security community regarding Microsoft's stance on security is much larger now than the general public as a rule The general public as a whole still sees the bugs that are being created. They're still nervous about them They remember when secure then might when Microsoft didn't have any security stance but as a whole the security community realizes that there's a commitment to security and That commitment to security is what everyone wants the government wants this because their critical infrastructure is running on this The customers want this The hackers want this the hackers want these bugs fixed. We're running this software The the software exploiting we're also using The reason why we scream up and down scream loudly and jump up and down regarding these bugs is because we want the world to be a safer place Bruce is very quotable I might not run out of power yet. Excellent. Thank you So I think it's important We'll wait till we see some scary blinking lights before I find the plug for that I Found issues as a customer and many vent software vendors when they're alerted to these security issues by their customers are very They'll fix it very quickly The customers you need to be savvy about the security stance of the the companies you're buying from and Having a bad relationship with the security community. It is not the only problem I think that's indicative of a larger problem that your entire security stance and your attitude towards security is Is not a good one and I think customers need to look at some of these incidents. Ah I was wrong. I found a plug that's in the podium that No, no, it's the right cable I think I'm good to go now We'll see in a second Okay, let's see if I can continue without my haphazard poorly written slides. I think I'll be able to Maybe a few less glorious Schneier quotes As customers it's your responsibility to make intelligent purchasing decisions and While some vendors will not have a good security stance Some vendors will have a better stance and I think these are the ones you want to look to and you're buying decisions I think it's terribly important as customers that you give feedback to the vendors The vendors like to hear from their customers and will largely do what they're told If you talk to to the marketing people if you talk to the people particularly after you bought licenses You know if you bring up concerns and if you say this is a deciding factor in my purchasing decisions they listen to that their company depends on customers and Flexing your power as a customer is an excellent way to help companies and vendors better increase their security stance and arguably it's your responsibility as customers to Complain loud enough to make these changes That was one reason why Microsoft finally drank the security Kool-Aid is they got enough negative feedback from all of their customers That said look no matter how usable your software is it's so insecure. We're not going to use it anymore. We can't and You know it was a long process for such a large organization to try to improve their Security stance and their security development life cycle. Yeah question. Oh Okay Very good So yeah, you have an impact and if as a customer you're dealing with a organization and a vendor that doesn't make Good security decisions. It's sort of your fault as a customer. Don't be the victim Don't be victimized by the people you buy your software from and your your voice in the market can and will make a difference So I'm gonna move on to Talk a little bit about hackers. Ah 10 minutes and what at what what y'all should do now In some of these cases like like I mentioned it some disclosure is arguably inappropriate or done in a hostile manner The fact is if you're releasing this publicly, right if you're releasing these vulnerabilities publicly I say you're not the bad guy because you would be doing other things with this vulnerability You'd be keeping it private you'd be selling it to people with nefarious ends and means So by the mere fact of publicly disclosing and shouting. Hey, there's a problem here You are the good guy now now that you're the good guy You should probably be careful of your rhetoric You know, I told the vendors to be careful all the emails they they write might be used against them Well, also all the public statements that you as a researcher make Think about how the press will react to that think about the tone of your language Write your your descriptions of these issues as if you're trying to help the world because I posit you are trying to help the world and I think Particularly when the press get involved in these stories with confrontations when the hackers were doing the right things say Inflammatory things They don't look good and they should and you should and and being really careful Ask some advice before sending emails out ask your friends about the language you use This will impact the public perception of you and that's really important It's important that we are recognized as helping Global security because we are as publicly disclosing these vulnerabilities Oh Seek legal advice when you get scared now I'm gonna quote Gail Thackeray who is a prosecutor involved with Operation Sun Devil Which happened some time ago? Gail Thackeray once said to me drug dealers give themselves better legal advice than hackers do so When you're when you're curious or concerned about what the legal impact of something is do not ask your hacker friends They will not help you at all The the advice to trust when you when you go to your hacker friends the only advice I would say to trust You know what should I do? I'm scared about some legal repercussions of something the answer you trust is Call Jennifer Granik Now she's not very scalable. So thankfully the EFF exists and even more. Thankfully. She's going to work for the EFF So she can work full-time Protecting our civil liberties our electronic civil liberties but if you're concerned See a lawyer and see a good lawyer and the EFF May not oh don't count on them now someone Just a few minutes ago complained that the that the EFF was not representing every hacker that ever got in trouble Well, I don't think they should If you go hacksore the Gibson and then you get caught and then you run to the EFF and say help help I'm being prosecuted you broke the law. There's what's your defense exactly now one in the organization comes and Exercises legal threats of dubious value towards you. That's a that's a worthy case and at the very least It's entirely likely they'll give you some advice not necessarily represent you but but give you some advice But certainly don't count on any of these organizations It's not their responsibility to defend all of us and and all of the legal adventures. We might get into Finally just have a couple minutes left here Like to address the press I mentioned before that controversy sells These things are event-oriented right when a big event occurs that becomes the story It would be nice Well a I would like you to realize that even if the hackers are not well-versed in Speaking in a manner that makes themselves look good, right? The corporation has an army of PR folks They they train their folks on how to communicate successfully just because the hacker does not necessarily speak Successfully and communicate successfully keep in mind the fact that they're Public about their disclosure the fact that they're not selling it to the bad guys They're not keeping in their private arsenal that makes them good guys now some inflammatory rhetoric that makes them inept good guys But they're still good guys so keep this in mind as you're covering some of these controversies also I would greatly appreciate it if the press out there would cover some of the stories of the good guys some of these You know for every speech that occurs at DEF CON You know 99% of them don't have legal action taken against them and often times There's panic within organizations. I've been involved with some of this panic. I've been sitting in the front row as a as a vendor Scribbling taking notes furiously and paging people and whatnot But we did the right thing But it wasn't a story. It was a non-event because there was no conflict if you can do some investigation Investigation and find some of these cooperation stories I think it it makes for interesting reading and I think it might help set an example for other customers and other vendors and everyone else Also, I don't know To yeah, I would like to speak to the government I would like to tell them to help out in these situations in the case of Michael in the Cisco case They were very supportive, but it was largely moral support Unfortunately the legal tools that were being levied against many of these researchers in many of these cases were written up by the legislature so Contact your legislature when you contact your congressmen your senators when you see laws They're being drafted up in regards to the cyber arena And cyber security in particular and voice your concerns as constituents and and don't just put it Don't frame these letters in the light of this is wrong because it's wrong Frame in the right of the the light of it. It will harm our infrastructure We're concerned as customers The overall quality of software will not improve if this legislation is is enacted Ultimately, we're supposed to be a democracy. So I would hope that participating in democracy can help impact positive change and revoking some of these dubious legal methods used to squash some of this research I'm going to Spend some time in the Q&A room. I have three minutes left. So I'll take questions and be open for discussions next door In room four and the Q&A room for also during the conference feel free to come up to me and Buy me a drink and ask me more questions. Oh Finally one one other message a little bit off topic Oh, if anyone my email address is D addict D. A. D. D. ICT at gmail.com also a Large number of us on Sunday night are going to the pen and teller show at the Rio So I thought it'd be a lot of fun if half their audience was flashing flashy badges So if you want to join us there, that'd be a lot of fun. So thanks much