I'm really pleased here to announce Oskar Kuro, I pronounce as well. Yes. Oskar is working at KPN, at the Department of CISO, the Chief Information Security Office. Yes, and in there he's responsible for the technology, strategy and policy. He works a lot with open source stuff, but I understood he's always, you know, you'll know that being in corporate environments, there are things that you discuss really in a certain way, and other things keep dark matter. But I think he's going to reveal something that shows you that dark matter really matters. Yeah. One applause for him. Please, enjoy.

First off, I'm not going to talk off or on behalf of my company. This is a slide deck that I've created myself, so disclaimer, disclaimer. I will only speak about generic problems that exist in all kinds of service providers and infrastructural providers. So you might see things that come along and look the same or have a relationship with what my company is doing, but this is a very generic talk about the technology itself and what can actually come towards these kinds of infrastructural service providers.

Playing defense is very complicated. There's a lot of details that go into playing the defense. And one of the things that the service providers and infrastructural providers actually should think about as a baseline is that it's not a question of if you get hacked, but when. A lot of infrastructural providers don't actually take this to heart. I think it's a bit of an old-fashioned thing that everything should be secured from the get-go. Unfortunately, reality kicks in, or should kick in, sometime, and people will get hacked or get a problem to solve.

There's a wide variety of attackers that could actually get towards or play around with your infrastructure. You can think of the individual hacker who has a personal motivation to just discover or run amok or whatever, positive or negative. That's not really relevant. To the infrastructural provider, it is of interest: what does actually happen to the service? Will it go down because of some mockery, some playing around? We've seen this here on the field itself. If you play around with some of the APIs that are open on our field and through the wireless infrastructure, accidentally provided, you can actually make the things go boom, reboot or something else. If this happens in a real-life environment or in a bigger infrastructure, small problems could actually turn into a big massive effect.

Then again, you have the hacktivists, and the hacktivists obviously have a different motivation to hack. We've seen this in 2003 where the DDoS happened on two infrastructural providers for banks to make a statement. If you cut off the financial lines towards, in that case, WikiLeaks, you will be triggering some kind of effect. In this case, the effect was in the form of a DDoS attack, volumetric attacks, just to flood the pipelines, and no activities could actually emerge from those links anymore. It might look like just the front page is not active or not available anymore, but the biggest problem could actually be that something more actually happened when you DDoS the front website, because they share infrastructure, because they share the same pipeline, they share the same VLANs perhaps or something else, and these are viable simple effects.

Then you've got the cybercrime. These guys just have money in their minds and they will actually try to hack an infrastructure or a service provider for premium services or for other kinds of services, whatever they offer, whatever is of their interest. They could just use your machine for Bitcoin mining, or gain access to a Bitcoin mining facility and get all the goods, whatever they want.

Then you've got the state actor, a very complicated attacker. They have a lot of time, they've got a lot of resources and they can do a lot. They can also influence your supply chain, and in that case all bets are off, because if they influence the supply chain you definitely have a problem already before you even installed the server. That's a very complicated attacker to actually deal with. There are ways of doing this, but it takes quite some effort to get all the supply chain problems into your hands and have a lot of reliable steps after that and procedures in place to actually deal with those kinds of attackers.

You see an interesting trend in the cybercrime activities. Also, you see an interesting change in what normal people can actually achieve on your infrastructure. Individual script kiddies could actually launch a very significant flood and have a very interesting effect on your infrastructure. This can make it so that the service providers or the customers of a service provider actually get into the news because there was a breakage of some kind. Obviously, the simple statement that they make is "the infrastructure was hacked" or "the bank was hacked", while it wasn't really hacked. It was just occupied with all kinds of other activities. Thank you.

The criminals who use digital infrastructure seem to be of a very diffuse range. You have the petty thieves that just want to use simple tools to gain a foothold in your infrastructure and use it in different ways, like sending spam, using open relays or doing all kinds of other simple things. But the other side of the range of the digital criminal is just organized crime. They are very organized. They have means of getting activities spun up by technical people. They buy exploits. They use exploits. They get people into their community and actually start out to be of equal quality to what nascent states could actually do, depending on how much time and effort, or what kind of goods, they can actually achieve and want to achieve. The downside is that sometimes you see that these prices for DDoS attacks go down. This even is an old slide.
Prices are down, but the fun part is not everybody is actually paying any money, because the DDoS providers, the booter service providers, will just have you use a test account. You can use a DDoS attack for just five to ten minutes to test and see if the infrastructure of the DDoS facility is functioning according to the specs of the buyer. If you are a student and you do not have any money, or if you are not even working yet, you can actually look on these kinds of pages, get a free test account, and with the free testing facility you can already run amok on a service provider, because they will test that you can actually send five to ten or more gigabits a second towards an infrastructure for just a few minutes. If you are on the response team side of a service provider, this means that by the time you realize that the monitoring is spiking up and you are making the calls, "we need to do stuff", it might already be gone. So it is a very volatile attack. But on the other hand it is also very fluid and can actually move away very quickly. So the prices might be low, but not everybody is actually using this en masse. The testing accounts are actually the things that people are using, because then you get a new email address and you test again. And students might actually do this on their own school because they don't want to take an exam. This has happened, this has reached the news even, and the service provider is picking up the pieces and needs to do stuff to keep its own infrastructure and other customers available.

As a service provider you also see a big change in the attack surface. On the one side we have a 19-inch rack facility in data centers, but nowadays we see an expansion of the responsibilities of infrastructure into people's homes. People know about all the smart TVs and all the smart facilities, but if you are part of the infrastructure providing a video system or set-top boxes or routers or other facilities, or even an integrated solution with webcams and an entire service around that, that means that you now just moved your service not just from a telco perspective or service provider, but into people's homes. So now you have a responsibility also to take care of the other side of the network, which is just attached to yours. You didn't have any responsibility there. Legally this is very interesting. You are now already, by an okay of the user and acceptance of the user, present in their homes, and if your devices get hacked you are responsible... you have a responsibility due to the duty of care rules, at least in this country, to attend to and service these boxes. This is something that we haven't seen before. This will happen more often, but luckily we do have all kinds of security measures in place. But not everybody has it, and we've seen that for instance with the Mirai effect. This was earlier this year, where the Mirai botnet made use of webcams, and webcams are these days pretty powerful devices. Some of the webcams can actually do 4K video quality or HD. So there is quite some CPU power available, and these are very, very problematic effects. You have now entered this problem that you are perhaps responsible for the devices, or a service around devices, created by a manufacturer on the eastern side of the world, and there they have a different quality setting, and perhaps you didn't pay attention to the quality of the devices that you've integrated into several services, and then this might be the effect: that you are now part of the problem because of a low standard of security requested from the vendor. This is something that happens a lot.

It becomes a bit more dangerous if the same effect happens when it's slightly closer to your heart. In the healthcare industry you see a lot of developments where the service providers are moving into the healthcare activities and make devices for doctors, so the doctors can actually read out Bluetooth Low Energy equipped pacemakers and make a quality scan and upload the scan, or if they have a stethoscope, the stethoscope measurements, or just measuring your heart, and those measurements can also go towards an infrastructure. Now it might always be enclosed and very secure, but there's always a moment in time where you fly, or you transport, your data from the device, from the equipment, over the internet. Or if you are in an enclosed environment, it is just that you have a separate offline, or it's not really offline but you have your own little network environment; this is also possible. But the thing is, if these kinds of measurements and data fly over the internet, what kind of protocol is being used? I've seen devices that were first introduced and used FTP. Think about it: this is technology from the 70s going into your high-tech, quality, new modern device. A practitioner has a cool new device created in 2016 and can now measure heart rate information, uploaded to a service, and that service keeps track of the patient's information or can put it back into the patient's file. Now the back-end part can be fully secured because of all the regulations, but what you don't always see is what happened with the device towards the infrastructure, and unfortunately the oldest protocols are the easiest to implement, so you'll see a lot of recurring problems in the newest devices that you see. So if you measure them, if you break them open, if you actually look inside what's going on in this particular device, you might actually have a new problem introduced in the newest device.
You also have new developments of infrastructure and service providers moving into a totally new field, something that people call smart cities, although there's a bit of a misnomer there: there are two types of explanations for the word smart cities. You've got smart cities where these kinds of interactive moving devices are happening, and the other is processing of big data with multiple stakeholders and multiple organizations in one field. I'm now focusing on all the smart stuff that actually has interesting things like this. What you see here on the picture is that the vehicles can talk to each other, but what kind of protocols are they actually using here? Again, it becomes very interesting. It looks very modern, it looks very sexy, but what kind of technology is actually behind this? I'm going to go into that in a few seconds.

This is a picture of a cow, the connected cow. What you can see here is a band, a necklace, on the cow, and the cow is connected to a LoRa network, low energy, high range, and it measures what the temperature is of the cow and where the cow is located on the field. So if you have a huge field, now you actually know where the cow is, or if she went off the field, where she went. Farmers are an interesting set of people, where they want to do as much as possible with the least amount of humans, so technology moved into farming quite early. You perhaps already know about the earrings that you see on cows; those are forbidden, if I'm not mistaken, due to regulations against animal harm, but those already had barcodes, and this was in the 90s. So now this moved up into NFC chips, and now we've got LoRa chips, so they don't even have to pass anywhere; they just are connected as a hive in a herd.

There are different ways of connecting all these kinds of examples. You've got Wi-Fi, you've got 5G coming up. 5G has a specific low energy spec, specifically for an uptake of roughly 40 billion to 60 billion devices around the planet in a couple of years; at least that's the prospect. If I'm not mistaken it was 2025 for that kind of number. So there's a huge amount of 5G devices that will move into the IoT devices, because now you have the freedom of a phone, but now in your fridge or whatever. There are different types of Wi-Fi. We see the traditional ones that we have on our laptops, but there's also another spec. And LoRa is also very upcoming, and the low energy and the cost efficiency of LoRa makes it very easy to implement. The Bluetooth we already saw, and obviously we still have old-school Ethernet, still in all kinds of devices.

Let's dive into the Wi-Fi. This is a spec that not everybody knows: this is 802.11p. My laptop does a, n, b, g; yeah, I don't have ac, unfortunately, not on this device. And this is the WAVE spec, wireless access in vehicular environments. What you see on this picture is that there is a car, and it might be connected over 4G or directly through this wireless protocol, which is more or less like a peer-to-peer wireless protocol between the car and the traffic light. So the traffic light works, we now have a fast binding connection, and with that you can send data to the traffic light. One of the purposes is flow control with cars. If you have a traffic light, at a certain moment of the day you have a cool configuration where everything is flowing efficiently, but when traffic jams start and when you have the rush hour time, suddenly you have to shift the traffic lights differently. And now you can actually interactively speak from your car to the traffic light, which obviously is a pass-through to another infrastructure that actually makes the decision. Then it moves down and gives a hint that at least there's one car, two cars, five cars or whatever, or if you're a truck then you have huge occupants, and it will tell the dimensions of the truck to the traffic lights so that they know that this truck will take two spaces. And there's obviously a priority queue for police and for ambulances, so that the green traffic lights will flow perfectly for them.

Why is this relevant, especially for the priority devices? Each and every manufacturer of a traffic light system has a different protocol related to CAN bus or varieties of this on the inside to actually shift it. So if you want to have a green flowing environment, like okay, I've got three traffic lights connected to each other, you can chain them up and make a flow of green lights if you stick to the 50 kilometer speed limit. Unfortunately this only works for one vendor and for one installation. So now you have the freedom of having this interconnectivity between all the traffic lights and smart traffic throughout the entire country, if you wish to do so. Also, if there is a collision somewhere, you can actually get a hint that the collision happened further away. Obviously 4G, nice, I mean the 4G protocol, good luck with cracking that one; that's still a bit of a big problem, if all the specs are implemented properly I must add to that, because otherwise 4G can be vulnerable too, but in most cases it's not so much. But now you have a very open protocol that can speak 802.11p, but yeah, I could perhaps fake five cars, 10, 20, 100, and influence the traffic light in the way that I want, so I always want to have a green light. I also get annoyed if I stand there too long, or perhaps I want to play an ambulance. So security in this system is very relevant, because it could actually mean that traffic jams could increase or even collisions could actually be triggered by it, because if you switch too fast between red and green or you influence it wrongly, you still have and require all kinds of control systems. So this is getting pretty cool. The first demonstration is already live in the Netherlands with this system, but then only over the 4G, not the 802.11p, but that will be more scalable and will be rolled out in the coming few years when they actually finish the specification, because the specification for this, on how the traffic light should actually communicate behind the scenes, is partially developed, partially not.

We move up to another protocol, LoRa, or LoRaWAN, because LoRa is just a short name: long range wide area network. If you look at the components on the left-hand side, you see pads and water meters and vending machines, and those can be connected to a gateway, the wireless gateway, and it doesn't really matter how the traffic then is moved forward, but then it moves into a network service and then towards an application server. The actual customer of a group of LoRa devices is at the application server; it's their application server. So you see three application servers in this example; this means typically three different customers. So LoRa is significantly different than 5G and other IP-related protocols, because there's a LoRa protocol with more or less like MAC addresses, so it's something like a layer 2, layer 3 network that LoRa is composed of. It has encryption on two levels. You've got a network infrastructural provider protection, which protects you from the end nodes to the base stations, so it's encrypted with a key of the telecommunications provider that actually provides this infrastructure. Unfortunately the spec does allow, like in other standards and specs, that this is optionally turned on. So if you look at one country's installation or one company's installation of LoRa, it might be secured and encrypted, or not secured; it depends on what the infrastructure provider is willing to do with LoRa. Then per application you can have your own application key, app key, and this may scope the encryption between the devices that you have. Like, if you want to have all your refrigerators from your company be managed over LoRa, you can have one key for those and one key for the others. Now this already resulted in another problem: key sharing and key management. If one of the refrigerators is hacked, all refrigerators are hacked, so then you can influence the encryption and therefore run amok and play around with all the devices. The solution is pretty heavy: each and every device will have its own unique key. This requires key management; it's a lot of upkeep for the infrastructure provider but also for the user. This can all be pasted away behind an API, but that's what's really running behind the API. So if you really want to attack a LoRa device without hacking the LoRa network with a software defined radio and running amok, and you have to have a LoRa installation which is not encrypted, the biggest attack surface is actually at the application server, because that is talking HTTP, HTTPS, APIs, REST APIs or a SOAP API to interact with devices, with the infrastructure. So if you want to attack or secure an environment, then well, LoRa is pretty secure to be honest, but you have to take care about the application server, because that's taking the control over your devices. So what you have to do is you have to match the freedom of using APIs and using this type of environment and be as reliable towards the customer and the user base as possible. This means that you really need to work on hardening the devices and the infrastructure that actually is composing the upkeeping and working with the devices. So this goes into the software and the hardware of the IoT devices that you put in the field, and then you have to think about, okay, but what kind of security benchmark am I using here? A fridge is significantly different than a car, but they might use the same protocol underneath. What type of methods can we share?

There are a lot of experiences with set-top boxes for many years, and also with routers, where they disable or remove certain control pins or management pins. I think this community is mostly aware about the existence of certain pins and certain pieces of the electronic boards that actually can reappear and re-emerge the serial interface to a device. If you have the serial interface to the device, you can actually gain access to a console, and from the console you can actually play around with the device yourself and, hopefully, if you want to, depending on what your role is, interact with the device in new ways that the infrastructure provider wasn't really thinking of yet, like also reflashing the entire images on it and repurposing your device for something completely different. Which is cool on one hand, unless you are the infrastructure provider and you had a hope that the device kept some keys or needed-to-secure materials, whatever it is, identities, APIs, whatever, and want to enclose this. So this is why infrastructure providers make it in some cases very hard for you to open up a box or interact with the box: remove pins, not have any emergency repair opportunities or serial interfaces. They would probably remove the entire UARTs for this and just send you a new box, because that's cheaper but also better for the security of the infrastructure itself. So that can also be a motivation on why we just do a device swap, or somebody does a device swap, and not fix the device; it might have multiple reasons. Obviously it's very important that you also secure the APIs, and there are API fuzzers for this and you can use tools. Fortunately enough, a lot of protocols are now moving towards HTTP- or HTTPS-based, so a lot of the similar fuzzers that you use for normal websites and normal APIs can actually be used now to secure lots of these IoT devices yourself.

Another detail, or totally different angle, is there's a push from the EU to think about and actually supply device support statements: what can a user actually expect on the support for a device? If I talk to my wife or anybody else, then what's expected from a dishwasher or washing machine? You should have at least five to ten years of service or something else; for a car that's even longer. There are some cars here running around who are still from the 60s, 40s, whatever, and is that something that we need to keep supporting until the end of days, or when do we stop, and how do we tell this to the user? This is something that looks like just put it down somewhere, but if you take a bad example like Apple, for instance, who makes a statement of, well, you have to have additional support if you want to have anything beyond the first year. This is against EU law, so okay, we solve that problem, but you only have typically one year everything-goes support. If you would do a similar thing with a dishwasher and just say, okay, you only have the support for the first three years or five years, then yeah, that might be not the thing that you want if the thing breaks down, or the service board, the motherboard, breaks down right after that. Different companies take different approaches. If I look at my Samsung 46-inch TV, features are dropping off per firmware update. There are all kinds of features in it, and because of the backend infrastructure that needs to be provided, at some moment in time some of the APIs will just drop off. So my device does not have the ability to tweet anymore. I didn't use it, but I can't do it again; I can't even start doing it, while it was on the box as a feature. Several other video systems and so on are also removed from that device. It's a strategy that works, and suddenly my smart TV went into a more or less smart TV with slightly cool features, but not that much anymore as it was in the beginning. So if you don't update it, it'll just give you errors on the functionality that was dropped off. I'm not really sure what will happen with a dishwasher or a car: sorry, you can't turn left, or I don't know.

Another nice problem that you see on the infrastructure side is how to deal with cryptography developments, and we have a lot of talks, especially in this community, about the developments of cryptography and when certain technologies and methods are not to be used anymore. How do you deal with that? You have to deal with crypto agility. That really means that you can just update your software or move to a new technology. It becomes a bit hard when the technology is that huge, overly huge, difference, or uses more CPU load, because it assumes that you moved your hardware with the time and developments of these new methods and technology, but perhaps this is not possible in IoT devices. A lot of these methods are actually baked into hardware, not with nice FPGAs but in hardware itself. So if you would ever switch from triple DES or from AES at some time in the future, a lot of devices will just have a huge problem, because it might actually be baked in the hardware and that was your only technology method that was ever possible. You have to swap the motherboard to actually make a change to this. So in the future, when RSA would be, well, not so much cracked by theory, but quantum computers would be a commodity device, let's assume the future is 2025, 2030, 2035, whatever; the date is not so relevant on when the quantum computer would emerge, but certain technologies would be useless, but if you cannot update them you have to throw them away. And if this is very relevant to a company that uses these kinds of devices for whatever security measure, then certainly you have a problem.

Another thing is obviously the trust models. How do you deal with fleet control? How do you control them? You have to interact with them; sometimes they are offline, sometimes they are online. What type of technology can you use? What if the technology that you use is going bad as well? And how do you set up a device? The device just got unwrapped, you put it on, you put it on power, it starts, it boots. How does the infrastructure know what type of device it is, while you perhaps didn't have any moment in time before this to enable this device into your network? So bootstrapping these devices is a complicated thing. An example here is written down, so this is a recurring pattern that you see in all kinds of services. So you have the first stage: you don't have a provisioned device, it becomes all active, it discovers the infrastructure on where it is, it starts out sending a DHCP request, so it could be a completely different technology that does more or less the same functionality. It gets an ID and additional information from the infrastructure to do next, like a PXE boot or do something else, and based on markers, which might actually be pretty predictable, like MAC addresses, device IDs, it starts booting up. It moves into a different stage. Often not used is a hardware enclave, which basically means there was already crypto material available from the industry and supply chain. This is something that you could do with SIM cards, for instance. SIM cards are actually smart cards; they actually have keys in them. The secure keys came from a manufacturer in a secure facility, and then you have to control the supply chain again, and a unique ID that can even be challenged and checked, because if this cannot be challenged and checked, you can spoof it, and if you can spoof it, everybody can fake that this device can play around perhaps with the fridge of your neighbor. After this you have the provisioning stage, and then the application starts working with the secrets that it shoved around, and suddenly something else happens and you move into the next stage. So if you think about it, the application data is actually protected by the application boot process and the integrity control that went into this, which started out with the provisioning, that might be a dodgy implementation. So if you can influence the provisioning stage, you can influence the application boot and what kind of activity is going on on the device and the application data itself. So you can look at it like, okay, it's a bit of a complicated problem; then how do you solve this? Well, unfortunately there are a lot of open questions here, also in the sense of accountability: what is the service provider to be accountable for, and for how long? And the end user just doesn't really care; it just says, well, I desire and I want to have my product and use it as it was actually sent to me. And it's an interesting statement; obviously it still works on trust.

I already mentioned that the key management is a very complicated problem. I would like to introduce the crypto turtle approach. I don't know if you know the "it's turtles all the way down" statement; if not, look on Wikipedia. It's an interesting story, where you see the following pattern happening: if you have a key to secure or to manage, because you have encrypted data, you want to encrypt the data, you have to deal with the key now. But if you do it properly, you would have the key on an encrypted storage device. Now how do you encrypt the storage device? You yet again have a new key, and how do you deal with that key? And then if you just solve it with technology and don't stop somewhere and make it a procedural problem, because people make it a procedural problem, after this you will have turtles all the way down: this key is protected by this key, protected by this key, and it all runs amok. You can see this happening in databases and hardware security modules, and if you secure everything to the max, you will have to think about business continuity management. If the key server goes down, if it dies, if the hardware security module is broken, if you are lost, worst case it's not just your service provider bit but also the entire fleet control is lost. So in the most absurd, weird effect, it could mean that you just lost control over the support of millions of devices at home. It's a bit of a challenge to actually make sure that that doesn't really happen and that you have a reboot feature, but it really sucks if you have to send an email to a million people, or 2 million or 5 million or 10 million, to ask, please kindly reboot the device, because otherwise we can't service your device or work with your device anymore. Another problem is all the keys in one basket. If you have one location, one device, well guarded, but yeah, if a fire happens in this location, you have the same problem again. This also relates to public key infrastructure, where we have a lot of faith in just a few root CAs, but that's a different topic and I will not move into this.

People would say you could solve everything with quality control. Unfortunately, quality control is very complicated, and then you have to deal with your suppliers and have to manage them. So if you actually have suppliers, you actually have to do active management, because otherwise it will be a garbage in, garbage out situation if you don't ask them: please make secure devices, please make secure services, please create secure code, please do something with this. Often not used enough is that we could actually have influence, active influence, on this, and we could actually do more, and some of the companies do more and really challenge the suppliers. Unfortunately the suppliers are still using legacy protocols. This is just a statement on Logjam from a while ago, and there are a lot of websites but also APIs that are still using very old technology because somehow they couldn't really update it. And a bunch of these statistics aren't just Apache services that you can just update; some of these results from Logjam are not just websites that you should be able to just update with apt-get update or any other tool, but would actually be devices, Apache embedded in devices, which can only be updated by firmware update, which is a very tedious and specific problem to do, and yeah, not everybody is doing it. Unfortunately not all vendors have created an update feature in their software.

Another funny little thing is zombie vulnerabilities. Yeah, I called it, I just thought about it yesterday: zombie vulnerabilities, vulnerabilities that you have solved but re-emerge. How the hell did that happen? I had an update, I patched it, I got it into the infrastructure, I moved along, and after a few months or years suddenly exactly the same problem re-emerges. How does that happen? Let's assume you have a few companies, but the amount of companies is not really relevant, but you have to look at the main branch development of a piece of software. It develops over time, it improves over time. But the first company had revision number one of this tool but didn't say anything about it. Company B gets the same revision of the tool. What happens in very large software packages and software environments is that the company, the supplier, will branch off the source code for your company, so that in your case they can customize it for you, because you might have a slightly different infrastructure than the other guys, you have different needs, and they can tailor-make it. The problem of this tailoring is that if company B states, okay, but we now need to do a patch on the software, the patch might be done and fixed in their revision. So their revision number one is actually revision number one for company B, not for company A, so all the other companies don't actually get it, because they didn't complain, so they didn't really have a problem, so why should we change it then? The patch goes back into the main branch but only appears way after it was deployed in many other cases, and might be re-emerging. So it can actually happen that company B gets a revision number two and still doesn't really have the patch, while company C moves into revision number one again and only that company could actually get it. So in this entire picture, only company B actually had the update in that branch and only company C has the fix. So if you are company A and you got a newer version, like for instance company B who actually made an effort into the security testing and it got a new revision over time, it was only patched on the company B revision one branch. So you update, but unfortunately the update actually re-emerges the same bug again, or whatever it was.

This is a "windows in a forest" picture. So in this case you see an infrastructure of windows systems in a forest of other devices. I found it a really cool picture, because it is a lot better than this one. This is where you have the typical Windows forest and segmentation situation. If you're an infrastructure provider you have to deal with this as well. This basically means that if you have a branch office, you have one user environment, and people can just use single sign-on to log into different pieces and areas of the infrastructure. It also makes the chain of HR to the identity and access management to the account management and to your infrastructure very seamless, very nice. But there are downsides. The single sign-on is very positive, but it connects all kinds of machines to one particular Active Directory, and multiple types of users can be organized into multiple units. If you don't really merge them, or if you merge them, you can't really distinguish between different users. So you really have to deal with those kinds of situations, because in some cases you only want to be logged on, have the single sign-on active, in this part of the company and not in that part of the company. So if you think about NotPetya or other activities where logon actually was part of the spreading of malware, or an attacker that actually moves into your network and then tries to do lateral movement, you will have to deal with this. And if you can segment your Windows environments properly, then the attacker has less attack surface to deal with and cannot jump from the office environment into your production environment, which happened in
some companies another misnomer is that if you have different domains and the system administrators are different if you have the domain administrators between the two domains they could actually influence the domain that they have a trust relationship with so if you have the single sign on into multiple domains yeah, I've got my users, they can use your resources I've got my users, they can use your resources that means you have two administrative domains and these guys can actually influence each other's activities and influence each other's resources and logon well, the phone is going off another danger is that you have perhaps a system that actually has a hybrid setup for password storage so the old landman, ntlm, ntlmv2 if you have a domain that is top notch suddenly you can't even uphold this because you might need to facilitate the single sign on to an infrastructure piece of area that only has a different or older system of windows running it might be patched, it might be secured but you still see that these kinds of effects happen in a large infrastructure when you have to combine multiple multiple systems, multiple domains and without filtering of SIDs you can also control the other domain again because you have these rights because you make these trust relationships between these areas of the company yeah, so it's quite an architectural challenge and a technical challenge on how to separate this and still keep everything working because if you have your resources in one domain and you have to logon to this in your account then it might actually work in one way but you want to have a segmented environment as possible but sometimes they didn't really implement it properly and then you can't actually do the best thing for separation of your windows systems so things left out so this is the final remarks that if you do vendor assurance and you have to think about the security posture of these so if you have a supplier and it doesn't really matter if they're 
big or small I've seen all of them single people that can actually be very excellent in what they do and they're working in a company and they do tremendous stuff and you've got a big company of which you would think that they would have 100,000 people behind this one engineer to assist him that doesn't really work suddenly reality kicks in they're just... the engineers are mostly just groups of people assigned to a particular company and depending on the culture they would actually ask out of the context of one company that they work for and there to ask how do I solve this technical problem and then it becomes a cultural thing what kind of culture do you have do you stick to the plan and will you just and only interact with your peers surfacing this company or are these people actually having a help desk to actually ask how do I deal with crypto problems for instance that's something that I have to deal with a lot like how do you deal with cryptography in practice and it amazes me that people don't use Google often enough or don't just ask the colleague that already had to do the same thing in another company for another company sitting only one or two rooms next to them interaction and how people interact seems to be related to what kind of culture they have and what kind of sense they have on how to interact with people so you can actually try to change the world if you want to influence this and yeah, thank you
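The two Windows-domain risks the talk raises, trusts without SID filtering and a hybrid LAN Manager/NTLM/NTLMv2 password setup kept alive for older systems, can both be audited from a domain-joined admin session. The script below is an editor's added example, not the speaker's material; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the registry values `NoLMHash` and `LmCompatibilityLevel` under the LSA key are the ones being enforced by policy. The `netdom` line is shown commented out with placeholder domain names, because it changes a trust.

```powershell
# Added example (editor's, not from the talk). Audits the two multi-domain
# weaknesses discussed above: trusts that accept unfiltered SIDs, and
# legacy LM/NTLM hash and authentication settings on this host.
# Assumes: RSAT ActiveDirectory module, run as a domain admin.
Import-Module ActiveDirectory

# 1. Trust relationships. On an external trust, SIDFilteringQuarantined = False
#    means SIDs carried in from the trusted domain (e.g. via SIDHistory) are
#    honoured here, which is how an admin in the other domain can reach into
#    this one. Forest trusts report their filtering via SIDFilteringForestAware.
$trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware,
                  SelectiveAuthentication
$trusts | Format-Table -AutoSize

# Flag external (non-forest) trusts that are not quarantined.
$unfiltered = $trusts | Where-Object {
    -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined
}
if ($unfiltered) {
    Write-Warning "External trusts without SID filtering:"
    $unfiltered | ForEach-Object { Write-Warning ("  " + $_.Name) }
}

# To turn SID filtering on for such a trust (placeholders, not real domains):
# netdom trust <trusting-domain> /domain:<trusted-domain> /quarantine:yes

# 2. Legacy hash and authentication level on this machine.
#    NoLMHash = 1           -> LAN Manager hashes are no longer stored.
#    LmCompatibilityLevel 5 -> send NTLMv2 only, refuse LM and NTLM.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$auth = [pscustomobject]@{
    NoLMHash             = $lsa.NoLMHash
    LmCompatibilityLevel = $lsa.LmCompatibilityLevel
}
$auth | Format-List

if ($auth.NoLMHash -ne 1) {
    Write-Warning "LAN Manager hashes may still be stored (NoLMHash is not 1)."
}
if ($null -eq $auth.LmCompatibilityLevel -or $auth.LmCompatibilityLevel -lt 5) {
    Write-Warning "LmCompatibilityLevel below 5: LM/NTLM responses are still accepted or sent."
}
```

Run it on a domain controller in each domain that participates in a trust; a trust that looks filtered from one side can still be unfiltered from the other, because quarantine is set per trusting domain. The registry values report what this one host has applied; the Group Policy setting that drives them is the thing to fix if a site-wide hybrid setup is the root cause.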