 Hello! This is the third episode of Ask an Analyst with Fabian and Sarah. Welcome! Hello! Hello! And today's topic is a very interesting one, in my opinion. It's about our career and how to become an analyst and how to balance this with your life. So we will be starting with the easy questions first, or maybe for me. A college code asks, are there any certifications that Mervi analysts must have? No. Yeah, probably not. Some jobs do require it, but I don't think it's in this... Not everyone has to have it, and you can always find jobs where you don't need to have it. I mean, most of the people I know don't have them. I personally don't even have a school degree, so there's that. And I'm not alone in that. Most people didn't visit college. Most people... Well, most people do have a school degree because they aren't idiots like I am. But in general, those certifications didn't exist even a couple of years ago, so nobody really requires them. And if you look through them, most of them teach pretty much basic stuff, which is kind of pointless. And you can easily learn those yourself. So yeah, I don't think the certifications are required. Yeah, same here. So most of my colleagues don't have a certificate and certification. And some of them also don't have a degree of any kind. Yeah. Another question from College Code. What kind of skills, experience are employers mostly interested in when hiring a new malware analyst? So, Sarah? It kind of depends on what level you're going into. So if you're going into the most basic malware analyst, you don't need that. You just need experience compared to... It probably goes for most of the job, but you just need experience with knowing how to find out what malware does. And that's mostly what you'll be doing at the lowest level in some companies. For other companies, it might require you to have more experience in actually looking at the assembly and reversing malware. So practicing that is always a good idea. Fabian, you are a CTO, so you have kind of a say in who might be a new employee for your company. Yeah, I do. But to be honest, I'm very... How should I put it? I'm more interested in the problem-solving and learning skills of people compared to what they already know. Because if people are good problem-solvers and easily pick up new stuff, then you can always teach them in a relatively short time. So those skills are way more important to me than someone who knows every single opcode in the Intel instruction set, for example. Do people actually know that, though? I doubt it. I doubt it. But I mean, you don't really have to, right? All you need to know is how to read the Intel reference manual, and then you can always look it up. I guess when you're talking about reversing malware, being able to reverse a sample you've never seen before, like problem-solving kind of thing. I guess that's what you mean, in a way. Yeah, I also think that's more an attitude than a skill. Yeah, it is. It really is. Yeah, definitely. Also, if you never ask for help or any questions in an interview with me, then you're definitely doing it wrong. Because the questions in the interviews I do are usually designed for you not to know the answer, because I want to know how you will react if you don't know anything. Oh, that sounds mean. Oh, it is. But it kind of sets you up for the work environment where you should be comfortable with asking for help if you need it. Yeah, of course, but if you're in an interview, you wouldn't ask for help, would you? Yeah, you should, though. I mean, I tell them to simply ask if they don't know anything, so I can explain it to them, so if they don't, then... I thought it might be better to try for a bit, and then if you really don't know to say, I don't know, rather than sitting there just kind of feeling really awkward. Yeah. I guess that would be better. I mean, there are some people who don't admit, but you just know that they are googling it right now. It's very interesting. I have an addition to make. At one point we got an application from someone who told us he writes malware, and this is really a no-go. I don't know why a lot of people think this is an advantage. The problem this creates is that the AV industry already has this reputation problem that some people think they create malware, so they can secure you from that malware. Which is amazingly dumb, because there's plenty of malware out there we don't need to write anymore. Exactly. It's a little bit similar to the pharmacy industry. If people are sick, there will never be the case that people are not sick, and still people believe the pharmacy industry makes us sick. I doubt that though. So yeah, I would say even if you at some point have written malware, I think it makes sense at some point if you write malware and just to test it for yourself and see how it works and learn from it. But if you say to people that you did that, your employer will assume that you also tell this other people, so they have really a reputation problem if they take you for the job. So don't do that. Yeah. I mean you could say that you've done like a kind of proof of concept. I guess it's how you word it. Saying malware kind of assumes that you've kind of spread it or maybe used it on someone, whereas if you say I made a proof of concept where I did this thing, I know someone made a ransomware in macros for Word documents and it doesn't have any files, which is quite interesting. But he has to be careful about what you say in terms of being kind of a black hat as such. Yeah, I agree. I think it's also like just the wrong assumption that in order to be good malware analyst, the easiest way to do that is just to start writing malware. I mean, I don't see any trauma surgeons out there running around shooting people. So you don't have to do that to learn your, well, the ropes of the job, really. So somewhat related to that question is Kali, I'm sorry if I pronounced it wrong. Kali and Kumar asked what are the top five topics beginner analysts must learn. So what do you say Fabian? I think like in so many cases, it really depends. There are malware analysts and research jobs out there that never have to do with any code because all this huge phishing and support scam ecosystem exists. And you need completely different skills for those than when you actually reverse engineer ransomware, for example, or some actual malware. I think just, well, large exposure to malware in general is always helpful. Like if you know how to remove malware without just running a tool, for example, it's quite helpful. With that usually comes a good knowledge about like a Winston channel, Dragon 3, all that stuff. It's always helpful if you know how to program, preferably in C or C++. But just if you know the abstract constructs of programming languages in some kind of scripting language, if it isn't necessarily JavaScript, then you're pretty well off as well. Then it really depends on what area you're going to work. If you want to work with Windows malware, then obviously you have to know the ropes of the PE executable format and all that stuff. If you want to do Linux malware, then you obviously have to know ELF. So it really depends. But most of the time, as long as you know one programming language and know about malware in general and the operating system internals, then you are pretty well set in my opinion. I also had the basics about malware. I mean, I think that's kind of obvious. Sometimes people forget about that, that you have to be able to classify malware and to know how basic malware detection works and what typical behaviors are and how you classify it based on that. So all right, now there are more interesting questions, at least in my opinion, about balancing family learning and work or balancing university, infocyc learning and work. So I think, Sarah, you have probably something to say about the letter. That question is from Fernando and he asks, how would you balance work full-time university and infocyc learning? Yeah, it's interesting. I think it's just kind of dividing your time between what you have to do and what else. So I work part-time, kind of. So I basically do it whenever I have free time too. So that gives me a bit more flexibility compared to having a job where I have to work X amount of hours. So that's quite nice, which kind of comes with, I guess, the whole kind of job. But yeah, I think just make sure you have enough time to get through school and supervising and everything like that. And also just making sure to not get overwhelmed. So taking some time off just to relax as well is important. Yeah, I personally, I have also never worked full-time besides while I was studying at the university. But I had a part-time job. I was student assistant and I also had my son by then. So I had a little baby and I was studying. So my advice is that you can try to kill birds, two birds with one stone by combining the subjects that you can choose with infocyc-related stuff. For instance, if you have a project where you can choose a topic, someone, then do something that you like that's related to infocyc, if that's what you like. And choose the subjects according to that. Then you might want to inform the pros professors of your situation. I really learned this the hard way because I knew one pros professor of mine who was very sensitive if students didn't show up to his courses. And I had my son and my son was in daycare and the daycare closed at 4 p.m. So every course after 4 p.m. I couldn't attend. And for some reason I just assumed it would be okay. He wouldn't care so much because I don't know, I just didn't tell him and thought that would be okay. But it turned out when the aura exam came he was very upset about me and I got bad grade because of that. He actually said that to me. And at that point it's too late. If you are already at the aura exam and tell your professor, oh, but I didn't come to your course because of that and because of that, then he's not really open to that anymore. So please tell that before if you have kind of a rough situation there. So they understand it better and don't angry about you. Yeah, also I use the time while I was traveling from home to university to learn in the tram. I also think it's important that you don't expect to perform at your best level. If you are handling so many things at a time you just can't be perfect. Don't expect this from yourself. It's making you crazy if you do. So be lazy on less important things and don't feel bad about it. It's just the way it is. And concentrate on passing the exams, not on making them well. Also try to understand that if you get stuck in some subject and you try to solve this on your own it will be much more time consuming than getting help from somewhere. So don't be afraid to ask us your professor or whatever. Ask other students, but don't be afraid to get help and it will be much more effective if you do that. So that's my experience. Fabian, do you have anything to add to that? Not really, but that's mostly due to the fact that I have no idea how to balance my work and my real life. I'm simply a workaholic, so I work all the time. The other question was how do you balance family learning and work? So that's just what I'm doing now. Yeah, I mean I'm kind of talking too much right now I think. No, it's fine. It's fine, yeah. So to answer that, I'm not sure if I should give tips or if I should talk about myself at this point. We divide the childcare evenly, my husband and me. We don't have any relatives nearby, so sadly there's some support missing. But it still works. I mean, I love my work and I also do not have to separate this to stay insane. To stay sane, I don't have to separate the work from my free time because I love it so much that I enjoy doing it, I have fun doing it. So I also do this in my free time and that's why I don't get stressed out about it. But if you feel stressed out from your work, of course you should separate it more. What's also important for me personally is exercising because I feel much better about my body and about myself doing that. And yeah, I think it's really good for you to have better concentration if you exercise. So yeah, now I talked so much. Is there anything you want to add? No, I don't think so. Just if you enjoy doing your work, don't worry about spending lots of time on it. But if you feel stressed, go ask your boss or something, be like, hey, I'm feeling a bit stressed at the moment. Just let them know. They'll probably be okay with it generally, just if you let them know. Yeah, letting people know what was important always. No matter if the professor or the boss. Yeah, I mean, usually people have been in the same situation as you before. So they usually tend to be very understanding. Yeah. Mr. Graham asks, what is something that noticeably improved your skills in this area? So I guess in Melvia analysis. Fabian. Honestly, I mean, I am kind of an autodidact. So I learn by just doing things. So just go to one of the many tutorial sites that post a lot of crack me's and then have a go at them. I mean, often they come with solutions as well. So after you crack the crack me, you can look how other people did the crack me and maybe find more efficient or different ways, which is always helpful. So yeah, just go out and do lots of stuff pretty much and don't be afraid to not know anything. Just try it out. Sarah. I guess just like reading a lot of different articles and lots of different malware because usually antivirus vendors and other like security researchers will put out kind of analysis blogs occasionally. So they're really good to like read through and then you can see, oh, look, that malware did that and that's interesting for me to know. Yeah. When I started out on my analysis, I had already my computer science degree or almost done. And I think these foundations were a good prerequisite to, well, learn the other stuff very fast. Yeah, I know how to do software development and I knew the basics and computer science so that made it quite easy. And I also think learning by doing is the best you can. It's a bit like learning how to drive a car. If you just read books, you will never learn it. So do it and start with it. The J-hacks asks if you could go back when you first started out. What advice would you give to yourself? Sarah. I mean, I don't really have a perspective on this because I'm just like, I'm quite young and I'm just starting out. So I guess just like, if you want to do something, go for it. Just don't like, hesitate, I guess, and just do it. Also, don't wear a pumpkin costume for Halloween. Why that? Oh, it's it's a cute story. No, it's not. Yeah, it is. No, the question is, do you want to tell the story? There's not really a story behind it. It was just one Halloween. I didn't have a costume. So my friend gave me this like pumpkin costume and it looked really bad. In my opinion, it looked very cute. Okay. And it was hindering your progress in starting out with my analysis. Definitely. I can't get over it to this day. Wow. Whenever she sees malware with the pumpkin icon, she just gets triggered and thrown back into those times. So that's why you were put off by the Trump ransomware because it also looks kind of pumpkin-ish. Yeah, it's scary. It's just scary. I understand. Now, what I would do to answer the question, what I would do, say to myself is, please don't pursue a job or degree or education just because your parents want you to. Because that's what I did at first. I was, I learned how to be a kindergarten teacher because my mother kind of wanted to me to be there. And she also gave me, well, the impression that I can't do anything related to math or computer science because I was perceived as a girl. So it turned out that this was just, I mean, I don't regret doing this kindergarten stuff because I can now use it for my own son. But I still believe it was the right thing to change my path and just do what I like and do what I want and not do things because my parents want me to. Your parents don't know what's best for you. They don't. They just believe what would have been best for them most of the time. Or they are afraid that you might not... That's very true. Yeah, that you might not get a job. They might be afraid, but really fear is not a good advisor. So do what you like and you will be good at it if you like it. For me personally, I would just go back and tell myself, don't be an idiot. Stay in school. Okay. So it's very typical. But why? Yes. I mean, while the school degree isn't really important for my job, I would still like to have one. Yeah, so you don't feel... How should I put it? So you don't feel kind of at a disadvantage, I would think. Plus, if you ever actually go for a higher degree or like a college degree or university degree, then you will just have to redo all the school stuff again and that would be pretty much a waste of time. It's like the only reason why I don't pursue a university degree is because I don't... Well, I can't be bothered with going to evening school for like three years here in Germany to get my Abitur. Yeah, it's harder to go back to school once you're already out there. It's not that, to be honest. It's just like a huge time commitment. I mean, if we had like the UK model or like the US model where you can just take a test, then I would probably just do it. But here in Germany, it's a lot more complicated. Yeah, of course. When I made my hostel called the Abitur. Yeah, Abitur. It's like a high school degree or the A-levels in the UK. Yeah, when I did this, I also did this after I had done the kindergarten apprenticeship. So most of the people there already had jobs before they got their degree to be able to study. And they really said to me, they have a lot of difficulties after being out of school for so long. They had difficulties to sit in school all the time and to be again in this position that there's an authority figure telling you what to do. And so, yeah, it was kind of hard for some people to do that and go back to learning again. I can't imagine it's difficult. Okay, so now I guess we can go to the next question now. Schallnach asks, what guidance and advice would you give to people who wish to pursue malware analysis? And where would you want them to begin from? And related to that is college codes questions. Can a fresh college graduate get a job in the malware analysis field? And if so, do you have any tips you are willing to share? Fabian. Yes, fresh college graduates can get a job in the malware analysis field. Although I don't necessarily believe that the reason for that is because they have a college degree. You probably would have gotten in without it as well. Yeah, I think the most basic problem solving skills are necessary and the basic learning skills, critical thinking skills. It's always helpful if you have a little bit of background, if you got involved with open source projects that are related to malware. Like, for example, if you participated in a honeypot project or if you participated in something like Cuckoo, for example. Or really any programming related stuff, especially if it's kind of security focus. Like maybe you contributed to Mozilla in some way or another, or maybe you reported some vulnerability somewhere. Last but not least, it's like just try to integrate yourself within the community. That's always helpful. One way you can do that, for example, is just to join a community like Sleeping Computer and get some training malware removal. So you know how current malware infections look like. Or you can simply be very active on Twitter or try to simply seek out and find new compromised websites on the web that spread malware and report them and stuff like that. So yeah, those are like the three big things that will definitely help you get a job in malware analysis. Sarah, you also got into this with Sleeping Computer, right? Yep, that's pretty much true. So I met Fabian because of Sleeping Computer and then eventually he offered me a part-time job. So that's kind of an example of how getting involved in the kind of Sleeping Computer malware removal and also getting involved in like ransomware helped me to get a job. Also, if you have like, I guess kind of indication of like, reversing malware. So like for example, if you wrote a blog post about a certain malware where you showed off some skills, that's quite useful. And also the whole Twitter thing and just getting involved in the community is also quite great because they'll help you try, usually help you try and get a job as well. I also think that the project is like the best starting point. You have some kind of project, doesn't matter what it is. Like, yeah, you named the examples. And you can then use your project to build connections. Like, it's no use if you're on Twitter and you have nothing to show for. That's true. I think starting out on Twitter, if you have nothing like, not saying you have nothing, but like it's difficult to style if you don't have something like to present to the community. Yeah. And that's why I would also say just just start a project and then share it and build your connections. And that's the best thing you can do. And the project will also show. Yeah. Yeah. No, you can continue. It's fine. I will just my stuff later. Okay. The project can also show your future employer that you are motivated and interested in the topic. And I think that's more interesting to them than your degrees. Fabian? Yeah, pretty much. It kind of shows your employer that you know how to follow through and how to actually complete something, which, to be honest, is quite difficult sometimes. There's also another aspect. I mean, there's this idea in many people's heart that there's something like the perfect software developer, right? Like the genius programmer that writes code that is so goddamn beautiful. You want to print it out and put it on your wall. And it doesn't have any bugs. Yeah. It doesn't have any bugs and it's just kind of a piece of art, right? That's untrue. That person doesn't exist or maybe it did exist, but I'm pretty sure that person died like two weeks ago. So it doesn't exist anymore. All labels have really simple software, I guess. If you write complicated software, you will find that it's a lot more difficult to make it pretty and you will find that you make bugs. Yeah. But the main thing is when you do a project, it's very important that you share that project because you have to get into a habit of showing your code, not to be afraid that your code may be perceived as like stupid or silly. Terrible. Terrible, yeah. I know I used that word before and I still regret it. Anyway, just get into a habit of doing this so you overcome this fear of sharing your code early. Because it's important, I mean, you may think that you have this perfect idea and you have this perfect implementation. And if you shared your idea early, someone could have pointed out you a better way to do stuff. But if you disappear in a cave for like three months and, well, hide away from humanity and just do your thing there. And then after three months, you show up and say, here I am. And this is my project. Look at it and someone else goes, oh yeah, by the way, you could have done this way easier because there's this that exists. And you could have just used that and saved yourself like two months and three weeks. Then yeah, you feel pretty silly. And I get why people do it, right? Because you just think people will think that you're stupid and they see what kind of code you write. But the reality is everyone wrote horrible code at least once in their life and everyone knows that. So yeah, just get over yourself and share the code that you wrote around. Let other people read it and let them give you feedback so you can grow as a software developer. It's pretty important. I also think you can reframe criticism. Like, most people think if they get criticized, they are doing a bad thing. But actually if someone criticizes you, they take their time to write you that. That means they care about your project and that it turns out good. And that means they see a potential in that. So please reframe that. Criticism is a good thing. It means people are interested. And it means you can grow. So it's a good thing. Yeah, do you want to add anything, Sarah? Yeah, I guess if someone tells you, gives you feedback, take that on board. Obviously if it's not like your code sucks, then that's not very helpful from that person. You can probably just, I guess, ignore that or like ask them, hey, what part sucks? And then learn from that. It's a learning experience. Take that chance, I guess. Yeah, also understand that you are not your code, right? You are a person. You are a human being. You have nothing to do with code. If someone thinks that your code isn't very elegant or sucks, it doesn't mean that you as a person suck or that you as a person aren't elegant. There's no reason to get all defensive and just, oh my God, he just insulted me and stuff like that. No, they just criticized your code and that card has nothing to do with you as a person. So the last question for today, or do we want to take in the security questions as well? Yeah, we can do the other ones as well, my guys. Then it's not the last one, but it's the last one in the career topic by Andrew. What was your biggest hurdle in your career and how did you overcome it? So, Sarah? Since I'm just starting out, I already have that much, but I guess it's just making sure to put yourself out there and not be worried about what people think about you. And if you have something to share, share it. You might think, oh, it's not that important, but maybe other people like what you do. Fabian? For me, it's... Yeah, I'm personally not a very big social butterfly that flies around and makes friends easily. Yeah. We never would have guessed. Yes, yes, I know. Because I have such a lovely personality, right? Anyway, for me, it was just connecting to people, which is very important because you all work together. Also, if anyone finds a cure for imposter syndrome, that would be pretty nice. Please contact me. That would be quite helpful. And I know imposter syndrome is something that a lot of people struggle with, especially in the software area. Me too. It's like kind of... I think it's like a general problem. Yeah, it's just... Imposter syndrome is horrible. It's just horrible. So how did you overcome that? Oh, I haven't. I legitimately haven't. I guess you don't really overcome it necessarily, but you can change kind of how you think about it. I mean, that's just like a kind of hypothesis. I haven't really tried that out, but I feel like if you change the way you think about what you do and like, I guess, ask people, hey, what do you think of what I do? What can I improve on? And what do you like about what I do? Then that can possibly help. Yeah, also just taking in the evidence, right? I mean, you can tell yourself, oh, I was just lucky that I found that and nobody else found that. They looked for like over a week when debugging this problem that I just solved in five minutes and you can just put it off as luck and you can even put it off as luck when it happens twice or three times, right? But at a certain point, you just have to admit to yourself that, oh, well, now it happened like 20 times in just one year. So maybe there's some kind of skill involved and it's just not luck. So yeah, but it's overall, it's kind of interesting what kind of tricks your mind plays on yourself sometimes. Yeah, for me, it was also my own insecurity even in starting out. I mean, we mentioned that already. But at one point, I think even if you are afraid and even if you think you can't do it, you should just try. You will never know unless you try. And that means, for instance... You may be surprised. Yeah, for instance, it means if you read a job application and there are requirements that you don't fulfill, please apply nevertheless, try it. The people who write these job applications are often the marketing people who have no idea about it and ask a technical person what they need. So they have expectations that are just not possible to fulfill. And even if they are realistic, you still might get the job as I did. I got a job and I had no idea how to debug malware. So why did they take me? Because I fit into the team and because I had the right attitude to... I will learn this. I convinced them that I will learn this stuff. It may also mean that you pursue a degree although other people think you can't. You won't be able to make it. Try it. And it also means that you should do things that are difficult and you should expect to fail. Failure is something that pushes you forward. So if you fail, you should be happy that you learned something and just try again. In a lot of things that you do, analyzing malware, you have endless tries to try again. And that's what I think you should do, just try. Do you have anything to add to that? Not really. Just as you already said, most of the drop... If I said drop announcement, it's more like a wish list than a list of requirements. It would be perfect if you did this. But to be honest, if you can convince me that you can pick those skills up in a reasonable amount of time, then I will still hire you if you have the right attitude. Being open to learning new things or being open to learning new things and just kind of expanding on your skills is a really great thing. So that's it with the career questions. There were... I mean, if there were enough questions for this topic for security, I would have done another podcast with it. But it's only two, so we just take this in here. And Ora asks, is there something you would like to see from the InfoSec community in 2017? And do you have anything you want to see, Sarah? That's a really difficult question. I don't know, just... It kind of depends because the InfoSec security is such a wide thing. I mean, you have kind of a Twitter sphere of your people who you connect with, but there's so much... bigger community out there you might not even get to see. So I guess just expanding into other groups would be quite good because then you get to see a different side that you might not have seen. I mean, that's not really what I would like to see, but what you can do to kind of see different things. Fabian? A couple of things, to be honest. I would prefer to see less next-gen bullshit, less PR bullshit and politics. It's just horrible and it's annoying. Also, I would hope for a little bit more communication, to be honest, especially. I mean, there are a couple of AV winners out there now that do decrypt us, right? But there's legitimately no point in releasing your decryptor for the same ransomware family that has already been broken like two or three weeks ago, when you could have instead worked on a completely new ransomware family. And I kind of get why people do it. I mean, it may be awkward for a vast support engineer to recommend an MCSoft decryptor or vice versa, but the reality is most AV vendors aren't perfect. Well, pretty much no AV vendor is perfect and they all use some kind of tools that were written by third parties when dealing with customers that got infected at one point or another, so just get the fuck over. I mean, personally, I wouldn't even mind to remove all the MCSoft branding from all the decryptors, to be honest, if it would mean that, well, a vast, for example, or Kaspersky would just use that tools and break other ransomware that hasn't been broken yet instead of just rehashing the same. I mean, they usually tend to focus on different ransomware. Yeah, they do that. Because we do talk with someone at Kaspersky, so we sometimes know what is happening before it actually happens, with them doing ransomware. Yeah, just a simple Twitter message or an email like, oh, by the way, we are working on this one. So I know and everyone else knows that there's no point in doing that. They have that covered. Just focus on something else would be really, really helpful. So basically, you want that people work more together so they don't do their work twice. And I also believe that it's a good idea. I mean, when I started out being a malware analyst, I was already surprised that A.V. companies work so closely together. They share samples. Yes, they do that with samples, but they don't really do that with anything else. Yeah, but I still was surprised about that, though. I thought that, well, they would be like any other company just doing their thing without ever sharing anything. But, yeah. And I think it's beneficial for everyone if they work more closely together. So I agree to that. All right. Another security related question, and that's the last one for today by Corey. If someone has no idea where to start on protecting their computer, what steps should they take? Sarah. Well, I say, first of all, making sure you have all updates installed. That's really important. Unless, for example, your work requires you to have an outdated version of Java. There's no reason to have an outdated version of Java. Or if you don't use Java and install it. So that's probably the first step. And then I know some people would disagree, but installing an antivirus, if you have no idea where to start on protecting your computer, chances are you might not be the most technical person. So having an antivirus just kind of, they're not perfect and sometimes they will fail. That's just the nature of the work. But usually they'll protect against a lot of different threats, especially pups, which sometimes even people in the industry can get distracted and accidentally install them. So it's quite useful to have that. And then three, I guess, would just be keep an eye on security news because you'll find out about new techniques. For example, recently there was a Chrome font technique where they would kind of hijack a website and make it look the text called gibberish and then be like, you need to install this font pack, which was like an EXE, and then you ended up getting ransomware. To be honest, just don't read any technical advice online. Just keep the defaults, which are pretty secure on Windows 10. Also use Windows 10 even if you don't like it. Just use it. It's a lot better than all the Windows versions that came before. It's a lot more secure. And yes, you may be annoyed that Microsoft may want to install updates for you and it may come at an inopportune time. But just do it anyway. I mean, it will be a much bigger much bigger hassle and much bigger inconvenience for you to have all your files encrypted. So, yeah, just do that. What's all on that note? Make a backup and check your backup. Make multiple backups. Make sure, well, it's great that you do backups, but also make sure that you know how to restore your backups and make sure that you can actually restore them. Yeah, make sure you can actually restore them because in some cases they may have got uncorrupted and I know that's happened to a couple of companies. And that really sucks because at least you made the effort to backup, but you didn't check them. That's almost just as bad. Yeah, this is also important not only in regards to ransomware because even years ago when I had no idea about malware, when there was a problem with the computer and what I do, I just reinstall the operating system and got everything back from backups. And what also happened to me what was the reason that I did backups was my hard disk drive just died from one hour to another without any indication that it would die. So it just happened like that and since then I had no trust anymore in my hard drive. I backed up things twice to two different devices so I had it three times. Also just this one more thing since it's going through the press at the moment again and I'm pretty sure it will go through the press again and again because it's just cool and tipped to do it. Nobody will blow a zero day exploit to get your vacation pictures people. I mean it's not anything to happen. I mean if you do have material on your system that is so critical that maybe the NSA or the CIA or whoever would be interested in getting their hands on it it's just so much easier to just grab you on the street and break a couple of your fingers to get the password instead of just doing some kind of zero day on you. People don't really realize that the zero days are just extremely expensive like we are talking hundreds of thousands of dollars here and they simply won't do it for large-scale attack on home users to get some vacation pictures or to install some ransomware to maybe get a couple of bitcoins it's just not going to happen. I fully agree to that. A lot of people who talk about zero days don't know what it actually is. Yeah, it's kind of interesting. Yeah. So that's it. You want to add anything? Yeah, I guess just like a lot of the people who talk about zero days tend to be browser vendors they don't necessarily have a perspective on what the average user is like so fair enough if you're in a company and you have really sensitive data I mean you probably shouldn't be running Windows and I would have really good security and obviously that would be thing but for the average home user you don't have to like worry about that because it's not it's probably not going to happen. It makes great news and it's good conversation on that kind of thing but it's not the most realistic. Yeah, it's a bit like securing your door while you have a hole in the wall. Just fix first things first. Personally I would also be interested since Mozilla and I think Chrome as well said that antiviruses so greatly interfere with their security efforts. I would be interested if there's any research into that like concrete evidence which of the vulnerabilities that were found in their products and that was abused by malware was made possible by antivirus software. I mean they just say we kind of stand in their way of securing their products so they must have some evidence that points to this vulnerability could have been fixed if we didn't have to accommodate for certain antivirus software. I'm just interested in that because at the moment it's just like a whole bunch of finger pointing and I do agree that the antivirus industry has to catch up in some aspects when it comes to exploit mitigation techniques but I don't necessarily think that someone I mean I know that people on Twitter can be kind of hyperbolic sometimes but if someone tells you oh I'm not going to tell you what to do better because you don't even do that it just sounds childish to me. Do you even lift kind of thinking so yeah that's an interesting topic in itself with those you could probably make a whole podcast about talking about that indeed and also invite some browser winners for that would be interesting I think it would be interesting to have an actual conversation between some industry experts in both fields and to actually come together and have a conversation about it I think that would be interesting okay it was quite long and interesting and thank you for joining this FAQ so yeah I wish you a nice day and see you again I hope so yeah hopefully thanks for having us yes definitely thanks for having us as Sarah just said great and thanks as well bye bye bye