Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is videotape number 23, The Myths of Hiring Hackers.

What's going on is this is about the myth of hiring hackers, because what I found is that everybody wants to go out and hire a hacker. And as the presentation before just started to discuss, it's sort of like you don't know what you get when you hire a hacker. You know, you could get somebody like Mudge, or on the other hand, you could get somebody like the people that are out there trying to figure out that kill -9 is actually a UNIX command and are trying to do that on Windows 95. So we're going around and again, trying to figure out what's going on and talk about this. And again, what I'm trying to do is a few things. First of all, distinguish what is actually the myth of hiring hackers, what is a hacker, what are real hackers. Then go ahead and define skill sets, because part of the issue, I don't think I have a, well, it doesn't matter whether or not I have a slide for it, because you're never going to see it anyway, apparently. But what's going to go on is what you're trying to hire when you hire somebody is a skill set, not an identity. Saying you're hiring a hacker is like hiring, oh, hire me, because I wear like an earring and black t-shirts all the time. And I'll work for free for pizza. That's the thing we want to address. First of all, again, the main issue is that the companies and government try to make you believe that hackers have some sort of unique skills and abilities that can't be picked up by other people. And we'll talk about that in a little bit. And since it was just after ABC.com, another issue is the media feeds off the issue and lets everybody know what, you know, they let people know the impressions. Honestly, the government wants you to think that there is a major computer problem with hackers and that hackers are just the tip of the iceberg.
In some ways that is true, but in other ways, honestly, what it is is a way to justify things to Congress. I would somehow like to assume that Solar Sunrise, you know, what is it? The Cloverdale Teen Solar Sunrise, whatever you want to call it. It's just ironic that they started building it up. That's the most coordinated attack they saw to date. Right before they asked for $63 million for the NIPC. So again, you know, just a few things going on there. The underlying issue is that being called a hacker is an identity that people take on themselves. You know, all of a sudden you walk around, you call yourself a hacker, and 60 Minutes is putting a camera in front of your face these days. You know, that's just not the right way. And again, there's no criteria. There's no skill set. You know, I was going to say there's no certification like for security professionals, but even that isn't saying anything either. But what you're doing is, you know, again, there's no way of knowing you're a hacker. You're a warez kiddie, tool puppy, whatever you want to call yourself. And again, it's kind of like there are the good and skilled hackers that meet what you would call what I say the myth is. Again, when you look at the people like the L0pht, the cDc, a bunch of other people going around, these people are people who actually could do everything the press says. Unfortunately, that's about, you know, half percent of the hacker population. And when you go out to hire a hacker, figure the odds, 99.5 percent of the time, you're not going to get somebody with Mudge's capability. And that's it. Okay, let's talk about identities. You know, this is a little bit of an esoteric thing because some people tend to like it. How many people are here from Penn State? No, nobody. Oh, well, one person. Actually, oh, okay. But anyway, people from Penn State, they wear that on their license plates. If you ever work with them, they have those little mugs on their desks. You go places.
People from the military, a lot of people like it. Anybody here a Marine? You know, you go there, you play proud to be an American, and they line up, they stand up. You know, they love to be Marines. Marines are in their identity. They just want to take on that identity and live with it. Then the worst one I ever saw is fraternities and sororities. Anybody in a fraternity or sorority? Those people joined or were in a fraternity or sorority. Those people joined those things because they have to be with a group of people. When you go around with them, they are no longer them. They are now Zeta Psi or whatever it is. And again, they go through a period of brainwashing for the most part. You know, you go through Hell Week. Again, some of the African American fraternities are really bad because you take on the identity. And that's a big thing. Getting the identity of those people is key to them. Also, sometimes, anybody here from the D.C. area? Yeah. Yeah, I was a fed. But you know, what you have there are Redskins fans. I mean, everybody is like cheering Redskins, Redskins, Redskins. It's like built into their identity. People have tattoos with Redskins. You can't get anywhere around the Redskins day. Some radio personalities were making fun of Redskins and they got death threats. But again, it's the concept. You call yourself a hacker. It doesn't mean you're good. You call yourself a die-hard Redskins fan. It doesn't mean you're like Darrell Green or something like that. But that's what people in the hacker community tend to want. Because again, Darrell Green is obviously a football player that gets on the field. The hacker identity is you just take it on and you know, it's like there is no real field. Everybody could claim they're on the field and nobody knows the difference. Let's talk about why people want identities for the most part. It makes them part of something bigger. Again, it's not just their little existence. Now they are part of something.
They could go to a bar and share with people they don't know, but they're one of the gang because they're Redskins fans or something like that. Or again, Penn State fans, God forbid. And again, the reality is no matter how red and gold you paint your face, you're never going to be a Redskin. You know, maybe the difference is if you start learning computer skills, maybe you could actually become that identity of being a hacker. So there is somewhat of a difference here. And also, this people might appreciate this, no matter what your business card says, that doesn't automatically guarantee you're a quote-unquote security expert either. And that's a big issue these days because again, I tend to think I'm more concerned about security people going around calling themselves security experts as opposed to hackers calling themselves hackers these days. So about the hacker identity first. The hacker identity, that's a really cool identity. You know, first of all, let's think of where it started. The first time, at least the first time I found the term hacker used was the people at MIT. These were like the super cool first hackers. These were people for whom hacking actually meant something and really had, you know, computers were just a part of it. They were looking for really cool things to do. For example, you know how you got those big, you know, marble buildings and everything like that with the, what do you call those things? When Braindead columns in front of there, they decided to rename buildings. So what they did was they went out and got styrofoam and engraved into the styrofoam letters just like the letters that were up on the building, you know, like Boone Hall or whatever it is over there. And they engraved, you know, Hall of Computer Science Majors and actually went ahead in the middle of the night and put these styrofoam things up on the wall.
Then the next morning, people were trying to figure out if somebody actually defaced the building or they went ahead and did something cool. And yes, they did something cool. It was non-destructive and it was cool. At the same time though, these people got state-of-the-art computers because MIT got really good stuff. However, the reality was they got really cool computers that they didn't know what to do with them because they never had any good use of manuals because documentation wasn't a part of building a computer back then. So they went ahead and had to figure out how to use computers. They figured out how to fix the problems that they found and stuff like that. Hackers at MIT were really true hackers in the sense of the word. They had to do computers. And again, it was the same thing for people who were hacking kind of up to about, I'd say, starting the 1990s. If you really wanted to learn about computers, you had to teach yourself. You know, there weren't any books out there. I mean, now you have like 1,000 books on Windows NT in some way, shape, or another. It doesn't take a lot of effort. You don't have to go ahead and play with the software anymore if you want to learn about it. But again, the same thing, the internet made information out there. You don't have to find the information out for your own, you know, for yourself. So these people are it. Now, the identity started taking on. It's like, well, you know, because of those first people, and again, Kevin Poulsen is one of the classic examples doing stuff with computers from way back when. However, you know, they got the impression of computer geniuses, but now these days, because a lot of people are really computer literate, anybody that knows how to use Microsoft Word, like knows what a macro is, is considered computer genius these days. And now hackers are trying to jump on this because they know a little bit more than Microsoft Word.
They start going on, it's like, hey, I know there's this operating system called Linux, which is kind of better than Windows. And they say, well, let's push that. And the identity also says that they push the limits of technology. They're pushing the edge. They have the answers to all things technical. Again, I was breaking into a company once. It was really bizarre, because here I was, under the guise of a clerical worker, I was just a file clerk and people thought I had some concept of computer security. Well, not computer security, but just, you know, I knew how to use their applications, like Meeting Maker and the word processor stuff. And people started coming to me, even though I was a file clerk, do you know how to do this? Do you know how to do that? And they started giving me, you know, it's like, I knew much more than them and they wanted to reassign me. It's like, you know, I left the company in five minutes, but that was okay. They still wanted me back, just for the computer stuff. Anyway, clueless government makes it a lot worse. Also, the media kind of feeds off the clueless government stuff. Again, who remembers the quote, the most coordinated and sophisticated attack seen to date? Who is that by? John Hamre, assistant secretary of defense. What was this in reaction to? This was in reaction to 250 government websites attacked, right? They thought this was a national effort. They thought the North Koreans, the Russians, whoever was involved. And then lo and behold, you know, they start saying, this is why we need millions of dollars. And three days later, they arrested, you know, the two kids from Cloverdale, the Analyzer, and a bunch of other people. And think about this way, you know, it's really hard to get caught over international lines. And this guy was caught over international lines. Could this guy have actually launched the most coordinated and sophisticated attack seen to date? But no.
But what happened was the media painted themselves as doing this. And again, they exploited the rstatd vulnerability, which was published by the CERTs seven months before that. So what happened? These people who were attacked, who were totally clueless, or I'm sorry, they were totally clueless, by the way, because they didn't fix known problems. Then they had relatively clueless people attacking them with something very preventable. And they painted them as the hackers to be the world's, you know, super people. And what happened? Benjamin Netanyahu, the Israeli Prime Minister, called the Analyzer a misguided genius. I like that one. And now, just in case you think, oh yeah, by the way, they also said it was a wake-up call for them. You know, I have to stop and think. How many people remember the Hanover Hackers, The Cuckoo's Egg? You know, people were stealing military secrets, real secret nuclear stuff. Then you had kind of like the telephone systems falling apart towards like the early 1990s. You know, should that have been a wake-up call? Then you had like all those other things, like the Eligible Receiver exercises, going on for five years up to that, where they took down the whole Pacific Military Command and a few other things along the way. They did those things once a year. They had GAO reports saying the government's wide open. And then all of a sudden, these teenagers here were a wake-up call. But actually, compared to the last Army hack that went on, I think about a week ago, for the first time the press said, which is good, there's something hacked because of widely preventable things. But anyway, that's one aspect of the government driving this hacker myth. Who here heard of the Cyber Corps? Anybody hear Jeffrey Hunker talk about that? He has this concept because he read a bad science fiction novel. Let's hire teenagers right out of high school and we'll train them our way to be like the information warriors of the future.
Again, bad science fiction novel story. So what's happening here? Really, when you stop and think about it, he's hiring people and 70% of people who go to the college change their major so they might, you know, 70% of them are not going to be good computer people. So that's one thing. And then also, it's an insult to the people inside the government because, again, he said he wants people on the edge. Or, I'm sorry, maybe it was Richard Clarke instead of him. But they want people on the edge. But really, look at the Eligible Receiver exercises where those people took over the government. You know, again, those people are very good and no, they were not living on the edge. They were making $30,000 in the government and they were very good. And the list of government planes keeps going on. Also, the media, honestly, this conference makes great visuals for them. That was their quote. I mean, they love people with earrings. They love people with spiked hair and stuff like that. And they want to help drive some of this stuff. They want to show this. They want to show people popping around. They would love to see at this conference, they would love to film people breaking into computers. You know, to Capture the Flag doesn't really work for them because that kind of shows real skills, but it's a set-up environment. They would rather see people who, come on, let's go up to your room and, you know, if you're going to hack something, please let us film that type of stuff. Let's talk about the reality of the things. First of all, there are many hackers who fit the real identity. You know, but again, there are many more that don't. And a claimed identity really doesn't indicate skills and that's the issue. What you want to hire, again, is to get a job. Maybe you might work for some moron who says, ooh, you're a hacker. Let me hire you. But the reality is that they're not very smart and they're probably not going to pay you what you're worth if you're good anyway.
If you're not good, you might as well take anything you could get, though. Let's face it. And again, the only issue is that only skills can indicate skills and that's the question. You've got to find people who, if you're claimed to be an identity, that means you don't have the skills because I know people, if they say they're a hacker, they're not going to tell you about hacking. If they say I'm a hacker, they're going to say I know sendmail, I know NT, I know Novell, blah, blah, blah, blah, blah. Although some people argue if you say you're a hacker and you say you know NT, you're not a real hacker. So then there are also, the real story is there are many non-hackers who have those skills as well. Again, when you look at people who don't consider themselves to be hackers, like for example, I guess Bill Cheswick spoke at the Black Hat Conference last week. I don't think he calls himself a hacker, but by God he's a genius. He puts many of the even the better people that we could name to shame. But he doesn't call himself a hacker, the people who did Eligible Receiver for the government. They're not technically quote-unquote hackers like you would expect with the earrings. Again, a lot of people are the feds you might point out or whatever. You wouldn't know it. But again, Eligible Receiver proves that you can take people. Why don't these people do it though? Why aren't these people, you know, you could say quote-unquote they have a real life. Nobody asks them to go ahead with their computer. Because again, when I'm going to go into this a little bit when we start talking about skill sets, the people who know how to break into computers best are the really good system and network administrators. Those are the people who know the systems in their soul. They know if something goes wrong. They could tweak sendmail if they have to to make it a relatively secure thing. But the deal is nobody ever says, hey, by the way, can you break into systems?
Can you learn more how to break into systems? So that's why you don't see a lot of the quote-unquote computer professionals call themselves or get into security as much because nobody ever asks them to learn those issues. So let's talk about who are the hackers as a group? People who love to call themselves hackers. First of all, you got the real geniuses. And again, these are people like L0pht, cDc, etc. These are people who find problems. These are people who go out. They reverse engineer software. They do software engineering and testing. They are hackers because I think it's an insult. You know, that kind of belittles their skills. They are highly skilled software engineers and testers. That's the way I look at it because that's their technical skills that they're demonstrating. Then you also have another group of people who aren't as good as like the real geniuses, but they're also highly skilled computer people. And again, these are the quiet ones that know how to use tools very well. They might use the little scripts that everybody else writes, but what they do is they combine it with their own skills. They do the penetration test under contract. They'll use the same tools the tool puppies use. But also what they'll do is they'll go to manual techniques after that if the tools don't work. They will get in eventually. They're not out there looking for the problems analyzing the stuff, but they know networks and computers well. Then you got the group of people that are out there that the press loves because they tend to be good visuals are the script kiddies and warez puppies. They don't like hackers as opposed to being in front of a computer, or when they are in front of a computer, they're surfing websites trying to just like, you know, run rstatd against people at random. And these are people who really demonstrate no real skills in computers.
And let me first of all say it takes, well, I'm kind of famous for this, but it takes no real skills to break into computers. And I should say that I will no longer say I can teach a monkey to hack a computer in a few hours because I thank you. I found out there are very talented people who take offense at this and I didn't mean to offend them, but I don't consider what they do hacking. But again, the wrong population was offended so I'm not going to say I can train a monkey to hack a computer. But anyway, just breaking into a computer and installed computer doesn't take any skill at all, especially when you look at how systems are maintained. And again, the script kiddies don't really know anything. As far as this, it would have been a great visual. I still need some quote, by the way, as opposed to how to train, you know, I can train monkeys to hack computers, and actually I'm giving a presentation to about a hundred, like Fortune, like 1,000 CIOs. And I'm going to say I'm rephrasing I can train a monkey to hack a computer in a few hours so I can teach a CIO to break into a computer in a few hours. But honestly, though, I'm not sure if that's less insulting in the meantime. But in the meantime, I need something better. It doesn't catch the attention of people, because again, when I say that quote, I mean to get the attention of the press that you don't look at like those damn website hacks that people keep doing, and saying that this took computer genius, and then honestly, you know, Kevin, in my opinion, Kevin Mitnick did crimes. He deserves to go to jail, but they are honestly making a martyr out of him for people. And that's an issue, you know, they wouldn't have to make a martyr out of him if there weren't all these little script kiddies who were perceived to be geniuses as Kevin Mitnick as the modern day Fagin. So again, just help me get some, just willing to take ideas.
Anyway, script kiddies aren't the answers I've already mentioned, because it's much more difficult to protect a computer than to break into it. How many people here are system admins? How many people here who were system admins have like previously tried to break into systems at some point in their life? Which is harder? Does it take, is there any question as to which is harder? There are so many ways in, and you have to think of all of them. And again, the example I tend to give people, maybe the press likes things simplified, is arsonists cannot put out fires or engineer fire-safe buildings. They know how to take a bunch of papers together, take gasoline, spread around, light everything up. It's the same thing with script kiddies. They know how to take a bunch of tools, shoot it off at the websites, and do it. But if you ever say, it's like, damn, the quote I really hate, it's like, well, they broke in, let them fix, and it's like, first of all, that's kind of extortion in some ways. And the second place, this skill set doesn't fit. Knowing how to run a sendmail hack or a L0phtCrack doesn't make you figure out how to make NT secure. Which is hard to do even if you have incredible amount of clue. But next thing is, the script kiddies also tend to get frustrated and give up. If you hire a script kiddie, now protect my computer, they'll go, oh, well, here's how you break into it, blah, blah, blah, blah, blah. And it's like, wait a second, then you do it, it's like, damn, somebody broke in. Then they'll try to say, damn, somebody broke in again. Damn, somebody broke in. Oh, screw it. And then they'll do something else. And again, it tends to get old after a while. Kevin Poulsen was talking upstairs afterwards after he spoke down here. And again, he was saying by the time he was caught, quote, unquote, he was giving up computers except for the fact he was on the run. Because it just got old. That's what he never was for doing what he did. And again, it got old to him.
And honestly, script kiddies give real hackers a bad name, just like the guy was saying before me. Because again, every time some website's hacked, anybody that calls himself the hacker for the right reason gets a black eye. Okay, let's look at chess first. Because again, here's where maybe even script kiddies can be useful. There was a study done about the game of chess. They wanted to find out what differentiates a grandmaster. And they went ahead and they looked at all facets of behavioral skills, cognitive abilities, and the like just to find out how they can find a good grandmaster as opposed to a master. And the only difference they found is that grandmasters have more passion for it. Grandmasters love chess more than masters do. And it's the same thing. Let's look at it this way. If you're here at this conference, you know, you're paying $50, you're paying your own way or whatever, some of you don't have the money, which is more impressive to come. You're not on corporate budgets. What's happening is you have some sort of passion for the industry. You have some sort of passion for hopefully not breaking into computers, but computers as a whole. So maybe the thought is that that could make you a better computer professional who knows security. You know, you're just kind of, if you're a script kiddie, you're just off doing the way bad things which could get you in jail. But again, they have the right passion, they're just putting in the wrong place. What I'm going to try to do now is kind of like say where you can fit in and maybe where you can direct your passion if you have one. And again, you have to see how well, in order to see if somebody's like a script kiddie who's going to go away or somebody who's like really passionate for it, when a script kiddie doesn't get in using his tools, they'll give up hacking if they're not passionate. They'll go away and say, damn that little script didn't work. I'll go find another one. 
And then when that one doesn't work, they'll go find another one. And after like 30 or 40 scripts, though, who knows, hopefully find out women exist. But and then maybe the people who do keep going on who don't get in, you know, those are the people who can eventually do the things that L0pht does, like going ahead finding computer programs and stuff like that, finding flaws within software that gets developed. Another problem, and this is one of my big pet peeves, is the security professional identity. Also, let's put in this, the intelligence professional identity, because I worked at NSA or CIA and therefore I know about security. I would remind you that NSA and CIA still have janitors and they don't know much about security usually either. So the deal is that security professionals, they also have to figure out why they're in the profession too. And again, most security professionals become one when their employer tells them they're a security professional, when they have to show up at a customer site. And typically, unfortunately, I found you get a lot of auditors who are handed ISS and say, please run the ISS SafeSuite against our customers and remember to tell them that you're a security expert who's studied the industry for years. Okay, let's talk about what can hackers do if you really want to learn about computers and you want to go into the profession and you want to actually do some good somewhere along the way. First of all, learn about computers. That's what hacking in its true form is supposed to be. It's not about breaking into computers. But if you want to break into computers, go ahead, break into your own computers. And again, remember, why is the L0pht called the L0pht? Because they have a loft with a lot of computer equipment. It was kind of a joke. You know, the L0pht was not called the Internet. These are people who break into their own computers, not the Internet's computers.
And again, also, study business reality because people tend to forget about that and saying, let's just get rid of Windows NT and that'll solve everything. It's not a business reality. Now let's look at another example, another analogy quickly. Let's look at the martial arts. Anybody ever study karate or something like that? You know, everybody takes it when you're like four years old or something. Anyway, what is a karate master, a martial arts master? Those are people who have perfected the art. But what if they really perfect it when you look at it? They've perfected about a dozen to two dozen basic moves. They know how to do the basics perfectly. And then they can combine the basics to do the right things. It's not like you're a fourth degree black belt and all of a sudden they teach you something that you've never seen before. They teach you how to just, you can do more advanced things because you've got the basics perfected. And again, perfecting the basics is the key. So let's look at the basics. First basic is software engineering. This is the concept of writing well-engineered and maintainable software. How many people know the term complexity? Software complexity. In this group I would have hoped a few more. What software complexity is, it's how well software is engineered. The lower the complexity, the more compact it is, the more now it is, the less likely there are to be bugs inside that software. When you learn how to do that, you can learn to be a software developer. You can also learn how to be better white box software testers. Because again, when you know how to engineer software, you look at things in a more specific way. And also making software upgrades. You know, you see how you can improve it. And I want to remind you that Microsoft really needs this and they pay really well. So keep that in mind too. Also, Y2K modifications are a good source of income possibly.
Because I know a lot of people say they fix the problem, chances are a lot haven't. So, you know, just start thinking of that as a potential way to go next month. Also systems administration. And when you talk about information warfare, systems administrators are on the front line of what I call the real information warfare. I mean systems administrators are down in the trenches. And again, when you look at it and if you know the profession, I think of good security as really only being good systems administration. Because I don't consider that you should have a special person who has to know, gee, there's a Microsoft hotfix. You know, that's a security professional. I mean systems administrators should be aware of this just as well as they should be aware of Unix patches and stuff like that and update it. They should be aware of good configuration issues. That's basic systems administration. Next attitude, or next aspect, is systems integration. And that's choosing the right systems for the right jobs. These are people who put computers together, design networks and whatever. And again, if you really want to get rid of Microsoft, that's the profession to go into. Because this is the people who design the computer systems and they decide what components go in there. They design how the network looks and stuff like that. And they can design, if you know what you're doing security and from the start, you know, engineer network choke points, user zones, things like that. Next aspect, if you don't want to get into the nitty-gritty technical stuff is you could do requirements analysis and test definition. And again, you can set security requirements up front. Not gee, you know, we should have, let's make sure nobody can log in after your system is installed. You know, go ahead and design that from the start and make it a requirement and test for the requirements existing. Key thing is you've got to understand that security is a business risk issue.
Again, there's always functionality versus security. And if you're good in an organization you have to balance it off. And if you want to make a, you know, if you want to actually be useful, make sure you can balance it off. And again, I want to point out that if you go into your boss and say, let's get rid of Microsoft because that'll solve all our security problems. In the first place, you're going to look like an idiot to him because you don't understand the system. And if you get rid of that and that's Microsoft is the only software that has problems, then you're an idiot from a security perspective too. It will make it easier not to use some of their systems. But again, just because you use an operating system, a good operating system doesn't mean you configure it well. Okay, quick test for are you clueless for security professionals too? Does anybody want that or not? Yeah. Okay, basic issues. And again, if you do well on this test, this is just saying you know the basics, it doesn't mean you're a real expert, it just means you're not clueless with the subject. Do you use PGP? One for yes; if you say "what is PGP?", stop counting. Next one, what is your password? If your password is seven or more characters with at least one special character, it's not a dictionary word, blah, blah, add one. And even if you just say a special character's a number, I'll say if you were ready to blurt out your password or you don't have a password, again, stop counting. Is your laptop boot password protected? Again, one for yes; "what is a boot password?", minus two in this case. What is a buffer overflow? One point for if you know it's an abnormal software condition that results in, you know, in a sorry, long day. But anyway, it's an abnormal software condition that results in a session with access privileges or something close, give yourself a point. If you thought that it had something to do with plumbing, subtract one.
When was the last time you updated your antivirus software? If it was any later than mid-June, add one. If you never did it, again, stop counting. How frequently do you perform backups? If it's at least once a month and that's being generous, add one point. What version is your web browser? If it's the latest version, add one point, if you have no clues, subtract two. Do you have the most recent hot fixes and Windows service pack loaded on your system? Add one. Add five. Do you know what Bugtraq is? One point for yes. And again, if you actually thought it had something to do with track, subtract two. Do you have your hard drive with you or locked up? One point for yes. If you answered no and you were staying in the conference hotel, subtract five. And again, that was the question. Again, those were ten simple things and those are just the basics. And that's an indication as if you know the basic issues of the profession. It doesn't mean you're any expert, it means you know the basics. And also see, because you should be preaching those things to your customers. And if you're not practicing what you preach, you don't deserve to be in the profession. At least that's my opinion. Okay, let me close up quickly by the Wizard of Oz. Anybody hear my Wizard of Oz thing before? Okay, one or two people. Basically, this is a philosophy of security that I like, hope people pick up. Because the Wizard of Oz begins besides a Pink Floyd, I think it was. In the first place, let's look at how the Wizard of Oz starts. Some bad woman wants to take Dorothy's dog. So Dorothy runs away from home, goes to some snake oil salesman, and he convinces her to go home and she runs back to the thing. But then a tornado comes up, she gets hit in the back of the head, then she falls on the couch and she wakes up and she's in the land of Oz. Then she's walking around and everything like that with Toto following her and she's like we're not in Kansas anymore. 
Pink bubble comes floating down from the sky and it turns into the good witch and the good witch goes, are you a good witch or a bad witch? And she's like, well, I'm not a witch. The witch goes, you must be a witch. You killed a witch. And it's like, oh, I didn't kill anybody. And then it's like, oh, look over there. And they look and they see the feet sticking out from her. Oh, I didn't mean to kill her. Oh no, killing a bad witch is good. Yay you, so yay me, ding dong, the witch is dead. And they all skip around, right? So then what happens after the song is this is a musical, big black puff of smoke or somebody said it was red, big red puff of smoke. And all of a sudden, who killed my sister? And she's chasing them all around. And first of all, Dorothy admits it much like Kevin Poulsen did stupidly. You know, I didn't mean to kill her and it's like, oh, what do you, oh, you killed my sister. Oh, I'm going to get you and your little dog too. And it's like, good, thank you. I'll need you. So then she's, then the good witch goes, wait a second, what about the ruby red slippers? And she's, yeah, the ruby red slippers, she goes, gets it. And all of a sudden the ruby red slippers disappear, the legs shrivel up and, you know, go away. And then what happens? They're on Dorothy slippers, you know, Dorothy's feet. And Dorothy, you know, she goes to get a poof, you know, can't get away or anything like that. And she's like, oh, please. Once again? Yeah, once again. I'll get you, my pretty. Right. And then she goes off and now Dorothy is really in a shitload of trouble. She's really, you know, she's there, she killed this woman's sister now she has the only inheritance she wanted. And she's like, I just want to go home. And the good witch is like, oh, I can't help you, but go see the wizard because the wizard can do everything. So they go up, follow you up, follow you up, follow you up, go off along the way. They meet the scarecrow. 
He wants a brain and Dorothy is like, well, I never met this guy, but what the hell? You're sitting here in a field with no brain. You might as well say, hey, if he's getting a brain, I want a heart, major organ, same thing. Okay, let's go with him. Then you got the cowardly lion. Cowardly lion comes along. What happens? Oh, brain, heart, courage, no brainer, I'm going with him. So they go along the way and like the bad witch is doing stuff, the good witch is doing stuff. And finally they get to Land of Oz. They get to Land of Oz and what happens, you know, tell a sob story, they get in the gates and then all of a sudden they see Surrender Dorothy being written in the sky. Who's Dorothy? I'm Dorothy. Go to the wizard, you know, say, go to the wizard, what happens? The wizard's like, what the hell am I going to do? I can't do a damn thing. I'm a sham. Everybody knows I'm a sham, so therefore, well, nobody knows I'm a sham. If I can't do anything for them, they'll think I'm a sham. I want her to get the hell out of here. So anyway, somehow, you know, tell another sob story and like the guy lets him in and they see the wizard. The wizard's like, I'll give you everything you want. But what's he really thinking? The witch sent a Surrender Dorothy and sent her on a suicide mission right to the witch, because think about it. He said, get me the witch's broomstick. So he's like, and he sends them right to the witch's castle. So the witch sends the flying monkeys, the flying monkeys come, take away, literally kick the stuffing out of the scarecrow. I like that part. And then they go ahead and like Dorothy's trapped in the thing and like the witch wants to blow her up. So the witch tries to blow her up and all of a sudden, you know, like Toto jumps out the back of the, oh, I'm sorry, key thing I almost missed. What happens? They get to the castle, you know, the three stooges or whatever, and they're standing outside and what happens? 
You know, the scarecrow thinks of an idea. Let's go ahead and, you know, they jump the guys, let's follow them in, follow those oh-ee-oh guys in there. And they follow the oh-ee-oh guys in and then they get Dorothy with the axe because the Tin Man finally realizes he has a weapon with him. So he goes ahead and breaks it down. And they get this is the evil witch and she's really one of the all-time classic movie witches because she's evil to the core and always seems to know what she's doing. Anyway, they chase them, get it, you know, follow them up, get to the tower. And then what happens? They're in the tower and all of a sudden, you know, witch has them trapped and he's like, now Dorothy, I'm still going to get you. However, since I have this wonderful opportunity, you're going to watch all your friends die a horrible death in the meantime. So let's set the scarecrow on fire. Dorothy, put it on the scarecrow accidentally. And remember, it was an accident, he hits the witch. Yeah, I'm melting, melting, melting, she's dead. Then they go around and all of a sudden, you know, it's like one of the oh-ee-oh guys comes up, it's like you've killed the witch. And Dorothy goes, I didn't mean to. And like she never got a clue yet. But then what happens is they're like, no, that's a good thing. And she's like, oh, can I have the broomstick? Yeah, go take it, get out. Then they're back to the wizard. The witch is like, what the hell, if I can't send her back to Kansas any more than anybody else. So he goes ahead and he says, go away. But Toto, the only creature in Oz that doesn't seem to have a rational thought in his head, is the only one that looks behind the curtain. He looks behind the curtain and what happens. They see it's like this guy there. And all of a sudden, they're getting really pissed, right? And they realize that Tin Man has an axe, but it's like he hasn't chopped me up yet, so that's a good thing. So what does the wizard do? 
He goes ahead and thinks, wait a second, there's been intelligence throughout this whole time. You've had a brain the whole time, you just don't have something to prove to yourself you have it. So here's a worthless piece of paper. And then he goes to the lion. You want courage? Well, you've had courage the whole time. You went on that charade, you know, that suicide mission. The only thing you don't have is a medal. Here's a worthless piece of tin. Now you can say you have courage. Tin Man, you want a heart, you know, you've been crying the whole time. Get with the wizard. And somebody says he is a wizard. Why is he a wizard? Because he showed him they had what they were looking for and needed the whole time. Then Dorothy says, well, there's nothing in there for me, even though you might still claim to be a wizard. And she goes, well, my gig here is up. I'm going to go back to Kansas and my balloon. Why don't you come with me? So anyway, what happens, he gets in the balloon, Toto jumps out just at the wrong moment in time, the balloon starts taking off. And then all of a sudden, you know, they're all talking and then all of a sudden, a big pink bubble comes floating down from the sky. And what's the first thing that was said? Those ruby red slippers could have taken you home any time. Think about it. I would have smacked the bitch. Here she is. She gets them sent on a suicide mission just to teach Dorothy how to use the balloon. And then Dorothy says, you know, there's nothing in there for me. It's a suicide mission just to teach Dorothy a lesson. No, it's to get a good movie. You know, let's face it, if she got to the outland of Oz and it was like, you know, here's the ruby red slippers, go home, five minutes of black and white, 37 seconds of color, two minutes of black and white, the movie's over. It would have been like Bambi versus Godzilla, if anybody's ever seen that before. But anyway, you know, think about this. What's the real moral of the Wizard of Oz? 
The real moral of the Wizard of Oz is that you have a lot of resources. The vendors usually have fixes for all the problems. You have internal scanning tools. You have SAINT. You have COPS, Tiger, Tripwire. Some of the commercial things are also good and things like that. But, you know, also just remember one thing. Who are the only two people killed in the Wizard of Oz? The two bad witches. First witch was killed how? Wicked Witch of the East. Tornado, a natural disaster. How was the Wicked Witch of the West killed? Accidental water damage. And those are the real problem. So before you start trying to protect yourself from hackers, make sure you take care of the real two problems that are in the real disaster recovery things. And anyway, I don't know if I'm out of time or whatever, but I'm out of time. Okay, he says I'm out of time. So anyway, thanks.