 We're going to be starting here in just a minute. If you could possibly tar yourselves up a bit, get a bit closer. I have a feeling there's going to be more people joining us, and we want to make sure that as many people as possible can attend this. Couple of housekeeping notes. Please remember to close the door quietly when you enter and leave talks whilst they're still talking. Please tweet using the hashtag devconfcz and define future. I think that's it for housekeeping. Please welcome Josh Bressers. Save the applause for the end, right? All right, so hello, everybody. My name's Josh. I'm going to talk about security. Everything is on fire, and I'll tell you why, right? So who am I? My name's Josh Bressers. I go by the title of Red Hat Security Strategist because I think it sounds cool. I actually work with product management in the BU. So yeah, I hung up the t-shirt and the jeans for a suit. I was just talking to a bunch of people. I own a suit, and I use it now. So I go out, and I talk to a lot of folks. That's my Twitter handle. That's my email address. If anyone has any questions, because I know that we're kind of hurting for time here during these talks, is send me an email, hit me up on Twitter or something. I'd love to keep talking, because as we go, you're going to find out there's a lot of questions, and I don't have very many answers. So anyone who has to? Really? Oh, I'm sorry. OK, I will speak slower. Let me move the mic up a little bit, maybe. All right, is that better? Maybe, sort of? All right, sorry. I will speak slower. I apologize. So anyway, if you have questions or ideas, by all means, this is what I'm going to do here. I'll just kind of hold it. All right, let me know, OK? There we go. All right, good, good. All right, so why should you listen to me, right? All right, so here's the deal. I worked in what's called Product Security Team at Red Hat for 11 years and seven days, I figured out, before I moved over to Product Management. 
Yeah, it's very tech, right? Exactly to the day. So I spent a long time doing very technical work understanding what's going on in terms of Red Hat's products, what's going around around security, what's going on at open source. I helped groups like Mozilla and groups like GNOME and WebKit, and a great deal of other open source projects that would show up and needed help, and I would take care of it. Now, when I was in that group, I thought I understood all of the security problems and what was going on and what was wrong. I was completely mistaken, right? So I move over to the BU, and now I'm in a group that goes out. I talk to customers. I talk to the press. I talk to analysts. I talk to engineers. I will talk to anyone who will listen to me, quite frankly. If any of you want to talk, let me know. I'd be happy to talk to you. And so it turns out that most of the things I thought were going on are not the case. And this is what we're going to talk about in this talk. Is everything on fire? It kind of is, but it's not the things most of us think they are, right? There's a bunch of product security guys right here in front of me, and I'll give you guys a spoiler. I'm going to blame you all for the problems we have. So I'm going to talk about three things. We'll talk about the past briefly, just because it kind of lets you know how we got to where we are today. We'll talk about what's going on now, and then we're going to talk about what comes next. And that's really where we are today, is how do we start dealing with this. So actually, I went and took these pictures the other day. If you've not been to the computer museum across the way, it's very cool. Go see it. So the big mechanical looking thing, I think, is a fantastic security story. You look at that and you think, the computer security, haha, let's find our shell prompt on that, right? But it turns out there were two of them, and one of them got stolen, right? So that's a security problem, right? 
And I don't know the other thing. It just looked kind of cool. So here's the deal. Way back in the day, this is probably most of you weren't even born yet, was like the 1990s and maybe a little before even, there wasn't really computer security kind of the way we think about it, right? Nothing was secure, but there was nothing too secure as part of the problem. You would have computers on the internet that were no such thing as security updates. Nobody wrote web cross-site scripting flaws because nobody cared. It wasn't really a point. If you're a bad guy, I won't even use the word bad guy, right? If you're a hacker, you'd break into a system, you look around, you'd say, well, that's neat. Probably fix the problem so someone else couldn't come around and kick you out, or you'd kick out the dude who didn't fix the problem, you know, who got him before you, and you just kind of keep going, right? And that's the way it was. The internet was held together by Perl scripts, excuse me, and it was terrible code. I wrote a bunch of that back in the day. If any of the code I wrote in the 90s was still running websites today, I guarantee you any pen tester would weep for the quality of that code, but everyone did that. That's just the way it was, right? No one really cared. Nothing really mattered. It's just how it is. And so I put together a list here of some special dates. So 62 to 95 is what I'm going to call the past, really. 95 is when things really started to change, but 95 is when Windows 95 came out, right? Anyone who can remember that, that was a big deal. Amazon and eBay started in 95. That's when the internet really became a thing. That's when people started doing business on the internet. That was, that's huge, right? Because now we move from a place that was full of random bits of hardware, not necessarily doing anything super important, to now we're talking about real money, real money from real people, OK? 
And of course, the Hackers movie, which if you've never seen, you need to watch because it's fantastic. So anyway, then we go, if you look there, we've got 99 to 01. That's when there were some worms and viruses. And the thing there was everything on the internet was a Microsoft computer back then. You had your open source and your Unix and whatnot, but the vast majority of users were using Windows. And that's just kind of the way it was. Excuse me. And they found out that when you have a large number of computers all attached to the internet, bad things can happen if you don't take security seriously, right? So from 95 to about now, right? So you think the first 30 years, nothing exciting happened. Then you go from 95 to about 2015, give or take, 20 years, and everything got crazy. It's kind of where we are now, right? You think Stuxnet and Snowden, I blame, for really changing the rules for everybody. OK, right. So what's happening now? Anyone who pays any attention, it feels like everything is on fire all the time. I've been through all the crazy that's gone on. These guys in front have been through all the crazy that's gone on. And there's days you feel like you just can't take it anymore. So here's the thing. The internet's on fire, but it's not the technology. The problem with the internet is that the security people aren't talking to anyone else. I came from that. I didn't talk to anyone else. And if I was sitting out there one year ago from today, now mind you, I've been in the BU for eight months now, one year ago I'd be like, that guy is an idiot, and he doesn't know what he's talking about. I'm fully willing to admit that, OK? So what's different? Why does it feel like it's on fire, whereas before it didn't seem quite so bad, OK? There's a couple of things that happen. There's cloud, I'm going to blame a little bit. We'll blame containers, because we can. Maybe some DevOps. Yeah, why not, right? And then also this, right? 
What are most of these on this list? Does anyone know? Well, it's not even that. They're named security issues. Why are we naming security, you name pets, right? Why are we naming these things? So the thing is, Heartbleed is kind of where it all began. And anyone who lived through Heartbleed knows it was a miserable couple of weeks. What kind of happened was there was a security flaw in OpenSSL, and it came out, and we're like, wow, that's kind of a neat security issue, right? It's you can read random server memory. We didn't think too much of it. And then people started figuring out what it was. In about a week or two afterwards, everything really exploded. And the press started asking questions, OK? Excuse me. So the press is like, what's going on? Everything's on fire, you know? Let's interview everyone we can. We'll talk to anyone who's willing to talk to us. And there's people talking to them, just making stuff up, honestly. And it was crazy. And so Heartbleed comes out, we make it through that. And then there were a couple of other these happened. Shellshock was actually a real issue. That one was pretty bad too. But the press went crazy. Why is the press going crazy over some security issues with silly names? And here's the deal that we found out. Is the press wants to write stories. And we'll hit on this in a few minutes. But we go through this. All right, so we got our named issues. Ransomware, anyone who doesn't know what that is. That is where there's now a new class of, are they even viruses? I don't know what even classified them as. It doesn't matter, right? Ransomware. These are computer programs you end up with. And there's some for Linux, so we're not immune anymore. Our days of basking in the glory of laughing at the Windows people have ended, unfortunately. But ransomware is basically a computer virus that comes onto your system and it encrypts your files. 
And then it says, hey, if you want your files decrypted, I want you to pay me a Bitcoin. And then I'll send you the decryption key. And if you don't send me a Bitcoin, in two days I'm deleting them all, right? So backups are the key to that, mind you. But regardless, now this is a big deal. These are people making money off of computer viruses. What did computer viruses do? What did computer viruses use to do? They were just annoying, right? Why did people do them? Who knows? Now people are making money off of it. You look at things like all the places getting hacked. Why do people get hacked now? For fun? No, they're making tons of money off this, right? This is a big deal. You look at what happened with Edward Snowden. He leaked all that information. I've got a great story. I'd be happy to tell someone afterwards about what happened when Snowden leaks came out. There were a series of coincidences in my life that concerned me greatly when that happened. But I was not being spied on, it turned out. Anyway, then like Stuxnet, right? Stuxnet is an example of industrial espionage, where you're talking real stuff was really destroyed with code. And so why is this happening, OK? I'm going to blame the security guys. We'll get to you guys in a little bit. But in the meantime, the crime, right? It's an industry. The mob, anyone who watches any of the shows on TV around the mob, they're great, fun. These guys do this as their business, OK? The press. What's the job of the press? Is the job of the press to inform people? No, it's to sell newspapers, right? That's their job. And then the security professionals, right? These are people like me and these guys. How many of you guys work in the security industry? Let me see some hands. It's pretty solid. That's good. I'm also glad, though, it's about half, because that means I'm also talking to some people who need to understand what's going on, and you're going to help me convince them how to fix all this. 
So first of all, crime. If you've never read this, this is a book by a fellow named Marc Goodman. It talks about all of the crazy things going on around the crime and the industry around the info security crime, right? This is things like malware, and hacking, and stealing personal information, and devices. It's fascinating, right? This is huge business now. We're talking about billions and billions of dollars worth of business these guys do, right? This is, it's money. Money's going to drive these guys, and so what is going to drive us? If you look at the physical world, crime has almost always led whatever is going on in terms of security. And then you've got the security industry kind of comes in behind that, and has to figure out how do we stop these guys, and how do we, you never get ahead, right? Crime is an innovator, security lags crime. And we're no different, absolutely not. All right, and you think about, you've got, what's the Google project? Project Zero, right? Where they buy the bugs? Where these are people are now, computer hackers are finding computer bugs, and they can sell them for money. You could make a living finding computer bugs. That's crazy, not fixing them, finding bugs. So, all the rules are starting to change, right? Data is a commodity. Anyone ever seen the movie, Johnny Mnemonic? It's a Keanu Reeves movie? He had 80 gigabytes in his head, which I remember when that came out, I was amazed by how much that was. But, yeah, now it's a joke, right? But you think about that, is that's where we're headed, where information is worth real money now, which is kind of neat, but it's also a bit terrifying. The press, right? The press loves a good story. My sister used to work at her college newspaper. She was an editor, and I remember talking to her, and the big saying is always, if it bleeds, it leads when you're writing news stories, right? And this is no different around security. Nobody wants to read a boring security story, right? 
They want something exciting that they're gonna read, and it's gonna be interesting, and it's gonna make people click on their links. Because today, if you write news stories, you get paid by how many people click on your story. So you need a good headline, and you need to make sure it's a good story people are gonna wanna share with their friends, right? Excuse me. However, luckily for us, the named security issues have stopped because I think they found out that most of these huge bugs, you know, scrambled to fix huge Heartbleed security bug and bigger than Heartbleed and bigger than Shellshock, yeah, not so much. But we'll kinda get to that later, right? So now, part of the problem with the press, though, is who was talking to the press about this stuff when it came out, right? Were you guys? No, I wasn't either, right? I was in that group of people. We weren't talking to the press. Who was talking to these guys? Nobody was part of it, so they're making stuff up, which reporters, if you don't tell them what they need to know, they will make it up, right? That's part of what they do. Not that they want to. I know a lot of reporters, very nice people. I'm not picking on them, okay? That's just how it is. They have the job to do, okay? However, there's also people who are very interested in making a name for themselves. And they don't care if they tell the truth. They don't care if they make stuff up. They're gonna get their name in a news story. So they're gonna make up whatever information gets them quoted, okay? Now, at the same time, the press also isn't necessarily telling people things they need to know. How many of you really understood what Heartbleed was? Really understood what Shellshock was when it came out, all right, you're security guys, yeah, yeah, yeah. But normal people, right? I laugh because Heartbleed was the first time in my life my mother called me and asked me a question about my work, right? That has never happened before. 
It may never happen again, but I remember. Do you know what this Heartbleed thing is? I was like, I hadn't slept in days. And I'm like, don't, just, no, go away. So, and then these guys, right? I'm sorry, guys. I told you, you aren't gonna like me when I was done. So here's the thing, all right? Security people can't really tell you what's going wrong. We know what a lot of the problems are. We can talk about security bugs. We can talk about all the things we see happen. We can talk about if someone's developing code securely or someone's not. Well, I'll tell you, no one's doing it securely, okay, that's just part of the problem. So, we kind of understand the what, but we don't know the why. Security people don't know why everything is on fire. If you gave me a billion dollars and said, go fix security, I could probably spend it, but I don't think I can make things better, right? If anyone has a billion, I will take it, all right? I will try, but you get the idea, okay? So this is, those of you guys who have been around for as long as me, remember a group called the L0pht, and there's a guy called Mudge who used to be part of that. And he put this on Twitter some time ago, and this really hit home for me. This is what, this showed up right around the time, I, excuse me, it really started hitting this BU security strategist work. This hit home with me, because this is true. We've been crowing for as long as I can remember that nobody takes security seriously, nobody listens to us. They won't do what we tell them to, they won't fix the bugs the right way. But now, when they say, all right guys, we're ready. We want help, we know it's broke, what do we do? We got nothing, right? Really, I mean, it's unfortunate. And one of the things I've learned is when you're a security guy, it's all black and white. You're secure or you're insecure, that's it. Those are your only two options. Nobody lives in that world except security guys, right? 
When you are in industry or you're a business, or even a normal person, you have a sliding risk, a sliding scale that represents your risk. Some organizations are willing to take high risk with the idea of being there could be high gains from that risk, or you could crash and burn fabulously, right? You don't know which it'll be necessarily. And some places want minimal risk. That's one of the biggest things we don't understand in the industry today. People have work to get done. They wanna go home and see their family. They don't care about fixing SELinux. SELinux gets in the way, they turn it off. They don't wanna deal with firewalls. Firewall gets in the way, they turn it off, right? That's the reality of it. And that's one of the things we fail at. We don't make these things for people. We make them for each other. And the security people, I won't go as far as saying they're not people, but they're not normal people, all right? So here's the thing, all right, here's the good news. I say everything's on fire. I say it's all gonna explode, all that. Really? It's not that bad. It's not good, but it's not that bad. How many of you use online banking, right? I bet everyone's gonna raise their hand, right? Except the security guys probably. Uh, it's getting, but here's the thing. I use online banking all the time. Banks send transactions over networks all the time. There's code written by people in this room that are responsible for every financial transaction that happens in the world. If things were that bad, none of this would work, okay? So it's not that bad yet. However, there's a lot of work to do, all right? So now we'll talk about the dystopian future. Yeah, I found this, and I searched for dystopian future pictures, and I'm like, that's too good not to put up, right? I mean, just, that's the future, right? So here's the deal. We kinda have a shaky foundation today. That's actually my house, by the way. 
If anyone wants to, yeah, it was when it was way up in the air, cause you couldn't actually get into it, but. No. Anyway, so here's the thing, kind of a shaky foundation, right? So we gotta figure out how are we gonna fix the foundation we've got around this? You know, we are an industry, when I say industry, I speak of security, mind you. We're an industry trying to wedge 1995's technology into 2015, right? 1995, you saw the thing, Windows 95. Linux was fairly new. We had one computer running stuff on the internet. Now we have containers, we have cloud, we have DevOps. You don't always have a sys admin. You probably don't have a security guy. Back then, you'd have a security guy either, but that's a very different reason. So here's the thing, we need 2015 ideas. Technology's easy, ideas are hard, alright? So we're gonna kinda break this into three things, that the security guys need to start doing, and they need help from the people who aren't security guys to get this done, alright? These aren't technical problems. We can't fix this with code. If we could, we could fix a lot of stuff, right? So unfortunately, communication is the single biggest of the three. We are bad at communicating. How many times have you done something? The security guy shows up, tells you you're stupid, tells you you did something wrong, they can't believe you wrote code that way, they might throw a patch at you, then they run off to the next fire. Is that helpful? Absolutely not. In no universe is that helpful, okay? So as security people, we need to start talking to other groups, engineers, the press, analysts, customers, management, anyone who listened to you, and we're not gonna talk to them to tell them what to do. We're gonna talk to them, and we're gonna listen, because they know things we don't. And that's one of the single biggest things I have learned since taking this job, is I go out and I talk to people, I talk to customers, and I don't tell them what to do. 
I don't pretend I have the answers, you sit down and you say, what's going on? That's all you have to say, you don't have to ask a lot of questions, all you have to say is what's going on, and they will talk as long as you let them, because everyone has security problems, everyone has more security problems than they know to do with, right? And we're not gonna fix them with technology, we're gonna fix them by talking, and we need to understand what people are doing. When I worked in security, when I was in product security, I had a very specific view of what was going on in the world, and I thought, very black and white, right? Like this matters, this doesn't matter, this person's smart, this person's not smart. That's obviously not the case. Different things matter to different people, and it doesn't mean that what this person's worried about is more or less important than what the other person's worried about, okay? We just need to listen, you need to listen and you start understanding. That's how you understand, we don't understand by reading RFCs or going to security conferences, we don't understand by reading code, we understand by talking to people. Now, how many security people like talking to people? Yeah, look at those hands go up, right? Nobody, oh, Dimitri, you're full of it. Yeah. Well, we don't like talking to you, right? I'm sorry, no. All right, I must say, since taking this role, Dimitri and I speak on a very regular basis, and we've grown to enjoy each other, we'll say, okay? So, I'm sorry. So here's the thing, right? It's not about advice, it's about listening, okay? This is a big one. Security people love to show up and tell someone what to do, and if they don't do it the way they want, they do it for them. That's not how trust works, okay? When you're working with someone, there's two options. 
You can do it yourself, which as most of us know, you have scaling issues when you're trying to do everyone else's job for them, or you can let them do it their way. There is no secret option three where they do it your way, okay? And that's what a lot of people forget. That's something I was very, very bad at. I would show up and I would tell people, hey, we need to do this, we need to fix this, we should do this with the code. And then they'd sort of do something, oh, this person's an idiot, I'll just do it anyway, right? And then I'd go off and do it myself usually. That doesn't work, because it burns you out. But then the other person you're not communicating with, they're not learning from you, you're not learning from them, and nobody learns anything, and they think you're just a jerk, right? I mean, that's the thing. Once, it's easy to think someone's a jerk until you talk to them and you trust them, and you know that they're waiting for you to do something for them. Now they're a friend depending on something you're doing. And so that's kind of a big deal, and this is something we need to get way better at than we are today, because trust is super important. And then there's understanding, okay? So here's the deal, open source won. Nobody's gonna deny that fact anymore. There isn't a product on the planet that isn't full of open source, okay? And I tell that to people now, I go out and I talk to a customer, and then, is he just saying, do you know what it says? Do I want to know what it says? All right, anyway, sorry, don't tell me. So you want to talk to a customer, you say things like open source won. You have open source all over your organization. You don't even know it in most cases, right? So here's the thing. Open source used to be a problem, okay? It was a job to make open source work, and people would go and they would maybe buy an off-the-shelf product that can maybe do something better, okay? 
How many of you spent weeks, literally weeks, getting a Linux desktop set up back in the day, right? You young folks, you have no idea how good you have it. Seriously, it was horrible. But here's the thing. Open source itself kind of used to be the problem. Now open source is the solution you solve problems with, okay? Security today is the problem, right? Security isn't being used to solve problems today. We're part of the problem, and that's one of the things we need to do, and that comes back to that communication issue. Is if you're not communicating with people, you're not understanding the problem, okay? So we need to start working together to understand the problems so we can solve them. That's how you win. You win by solving problems, right? No one's gonna disagree with that. It sounds simple when you say it, but it's not something people think about all the time. Solving problems is the goal. Security isn't a goal, and we forget that sometimes. We think, oh, if I do this, I'll be secure. No, you need to solve problems. That's what we're gonna get to. Know what people are doing. I talk about this a lot. There are people doing fascinating things. You look at some of the regulated industries, and these guys are way ahead of the curve in some places, and they're way behind the curve in others, but we don't know. We don't know what they're doing. We don't know how they're working. Here's an example. There was a gentleman I talked to, we'll remove names, who was telling me he was talking to a large organization about some of the Java frameworks they were running. And so they look across their organization, and they try to figure out, all right, what am I running, what's going on here? Why are developers spending so much time obsessing over these frameworks? And it turned out this Java framework had 84 releases over its history, right? They were running 82 of them in their infrastructure somewhere. And we laugh, ah, that's funny, right? But this is a problem. 
They didn't know that was a problem, right? It's a problem because you have security updates. You have security issues in these things. And from a management perspective, disregarding the security issue, it's a management nightmare, trying to maintain 82 copies of the same thing, unless maybe Denise's team probably does that a lot, right? So this is part of the issue, is by going out and talking to these customers and by talking to the developers. So why did the developers do that, right? It's easy to pick on the stupid developers, right? They wanted to solve a problem. That's why they did that. They don't care. They don't care what version it is. They want to solve a problem. That's what it's really about. Excuse me. And so that's the thing. Go out and help them. Historically, we tell people what to do. We're not there to help, right? That's not what we're after here. We want to help people solve their problems. Today, we are the problem. And I put this quote up because here's the thing. Everything's different, right? Everything today is different than it was 10 years ago. In 10 years, everything's gonna be different than it is today. But for security, nothing has changed. The work I did 12 years ago when I started at Red Hat, in fact, I was even doing open source security before I came to Red Hat. Almost nothing is different from the way it used to work. But you look at open source and nothing is the same the way it was back then. First of all, I mean, I remember back in the day, we'd go, we'd talk to these companies. Be like, why, I'm not running that crap. You know, who runs Linux? What's that thing? And now, no one questions Linux. No one questions if it's secure. No one questions if it can do its job. It's all different. The way we develop it's different. There's huge projects. There's huge money. There's huge companies. Red Hat's a huge company now. But for security, we're not really doing anything different. And so that's the trick. 
All right, so I spent a lot of time picking on these poor guys up here. This is product security from Red Hat, by the way. These are a fantastic group of people. I worked with them for a long time. They're very smart. I would dare say they're the best in the industry, but I'm slightly biased, I'll admit. And so the thing is, the whole point of this, everything I've been talking about, it's all about just go out and talk to someone, right? That's what it comes down to. It's not about telling anyone what to do. It's about understanding what their problems are. And like I said, a year ago, I would have been out there and I would have been saying, this guy doesn't know what he's talking about. I guarantee it. I would have said that. That's what I do now. I go out, I talk to people. I listen to what they have to say. I talk to engineering. I talk to customers. I talk to analysts. Talk to the press. I'll talk to anyone who'll listen. And I have learned way more from them than they've ever learned from me. All right, gang. I'm happy to end up early here. What do you think? I've got scarves here, if anyone asks a good question. Yes? I'm scared again. I'm sorry. It tends to be pushed down. This is a social problem and this is an economic problem. Do you have any thoughts on how we address this problem in particular? I do. Because if we don't sort of make security part of this dialogue, part of this exchange in the same way with Galician, then we're just gonna continue to believe. So funny enough, that's actually one of the next talks I'm working on right now. It's about this very topic. So here's the thing. How many industries are out there that you succeed when nothing happens, right? That's security. If you screw up, you got news stories written about what you've done. If you do your job right, nothing happens. So. Testing can generate reports at least. Like, oh, we found a hundred bugs, right? But no, seriously. I mean, this is one of the problems. 
I mean, it's been pointed out to me that airline security is similar, right? How many people get news stories about airline security doing its job? Right? You don't hear about that. You hear when they don't do their job and it's the same thing with security. And so the economics are a huge part of it. So first of all, I think the industry is starting to change and people are starting to pay attention to security. Okay? Now I don't know if it's for the right reasons yet. I haven't decided that. Or if it's just because there've been a lot of news stories and they think it sounds neat. Now on that note, Red Hat did a survey. I'll give you guys, I'll read a blog about this soon. But we surveyed a whole bunch of customers and one of the findings was that everyone considered security super important, but like 75% of the organizations also said their security budget will remain flat or decrease, right? That's kind of an oxymoron, right? If it's important, you don't kill the budget. But I think the economics are gonna be a big part of it because I think once people start making certain security demands, then you can start justifying some costs and some of those features. Whereas today it's very difficult to justify this because like I said, if you do it right, nothing happens. So I mean that's a challenge, right? All right, I saw your hand first. I don't know. I think it's too early to say anything. Oh, I'm sorry, I'm sorry, I apologize. So the question was what about funding some of the critical infrastructure projects like OpenSSL or Bind? And I don't know yet. Part of me thinks it's a good idea. Part of me wonders what's going to happen. I'm going to not give an opinion on that yet. I think we'll let history be the judge as to how that works out. Denise, I don't know. So the question was how should we be measuring how secure we are or are not? And unfortunately I don't have that answer. That's something I think about a lot. Is how do we have metrics for secure? 
Fabio, do you have an idea? Oh, okay, I'll get you in a second. I mean, I don't know, right? That is one of the great questions. Especially now that I'm in product management, right? How am I justifying my job? Because when you're on the business side of things, like they don't just pay you to do stuff. Like you have to prove you're adding value and bringing revenue in. So, I don't know, I don't know the answer to that yet. But I have a very good incentive to figure it out, right? So, Ellen? Okay, no, no, no. All right, so Ellen said, as security people, we don't want security bolted on, we want security baked in, right? So she's then said a very critical thing is we need to advise developers. No, we need to listen to developers. That's the first thing we do. And we'll hear what they have to say and then we can start teaching them what to do. And I don't think they're asking the right questions. And I don't think we're giving, and here's the thing. If they were asking the right questions and we were giving them the right answers, we wouldn't be in the mess we're in today. And that's just the reality of it. But I agree with you. I mean, that's a hard problem we need to solve. And I think the first step to solving it is to listen. It's not to talk. And we always go in and talk and then leave before listening. All right, anyone else? We're darn near out of time. All right, all right. So the question was, will the security guys talk to engineers more frequently? Demetri likes talking. Demetri does like to talk. No, I mean, this is something actually I've been thinking about is how do we start connecting some of the security people with some of the engineers and even some of the customers and I mean, that's part of the promise. How do we start doing that? And if anyone has ideas, please let me know. I would love to listen to you guys. All right, Fabio is about to jump out of the seat. You listen. That's step one. 
No, and if it's Fabio's question, he said, with communication, where do we start? With privacy, or, and then I interrupted him. But really, don't come with a topic. Show up and just say, what's up. And just listen. Like, really, I know what you're thinking. You're like, this guy's an idiot. But like, this is what I started to do is I talked to a customer and engineer and I'd have an idea. I'd be like, I want to talk about this. I'm going to go and talk about security updates. I'm going to go and talk about DNSSEC. They don't care, right? They've got something they want to talk about. And just listen. It goes a long way. They're terrible. Making the secure path the obvious and easy solution for a problem. Yes, all right. So the question, it was kind of a statement, was that using things like OpenSSL, we'll pick on, is very hard to use. It's poorly documented and the APIs are terrible. And he said, why don't we make it hard to do it wrong? Basically. And I agree. I mean, I think that's part of it. But how are we going to do that? The OpenSSL developers have to listen to somebody using it. Because they probably wrote that API for themselves. I don't know if they even wrote it for that. That's part of the problem, absolutely. So the question is pointing out that IT generally hates customers. And then it talks about how developers and engineers, or I'm sorry, developers and security people have a similar relationship. That's why you talk to people, really. And even your customers, once you sit down with your customers and talk to them, now they're not your enemy anymore. You make them your friend. Because once you talk to a human, it's very difficult to be mad at them. It's kind of like it's easy to be angry with some group of people, like minorities or whatever, until you know someone in that group. Now they're not so mad, right? I mean, really, what it comes down to. All right, am I, all right, a few more minutes. Yes. It's easy enough to say. It's hard to do. 
Yeah, so the question was, as a company, it's easy to go find your customers and talk to them. But for the open source community, it can be difficult to go and talk to your customers necessarily. And I don't know the answer to that from the open source perspective. I think that's where people like Red Hat can bring a lot of value to this discussion. And in fact, I talk about this to a degree, something I call the open source secure supply chain, is the way open source works doesn't lend itself always to certain, we'll say, best practices in the business world. And I think communication is probably one of them, where this is part of Red Hat's value. As we go from the customer, and then we can go back into upstream with that. Oh, SEMO, what? So SEMO suggests we all stop being jerks to each other on mailing lists, which funny enough, and if you guys haven't done it yet, watch Tim Burke's keynote from yesterday. I sent him a mail and I said, I wish I'd seen this 10 years ago. He really kind of hits a lot of that communication stuff right on the head. All right, I'm about to be kicked off stage, it looks like. So, all right gang, if anyone wants to chat about this later, you know, the slides will be online, send me an email, hit me up on Twitter, catch me in the hallway, I'd love to chat. It's fantastic. Thank you all so much, I really appreciate it. I'm done.