Thank you very much. Right, good afternoon. Oh, look at them sitting there. Good afternoon. Hey, thank you. I thought I'd start this afternoon with three really dumb questions for you. The first two come off a thing called an I-94. Now most of you won't have to fill these in; it's an immigration form for the United States. The first one says: have you ever been, or are you now, involved in espionage or sabotage, or in terrorist activities or genocide, or between 1933 and 1945 were you involved in any way in persecution associated with Nazi Germany or its allies? Answer yes or no. The second question they ask you when entering the United States, and this is a current United States immigration form: have you ever been arrested or convicted for an offense or crime involving moral turpitude? Anyone know what moral turpitude is? Please tell me afterwards. Or a violation related to controlled substances, or been arrested or convicted for two or more offenses for which the aggregate sentence to confinement was five years, etc., etc. Answer again yes or no. Would anyone be daft enough to answer yes to any of those questions, especially with the humor that the United States Border Patrol are renowned for? The third question is: how many of you out there believe that your corporate firewalls, your business firewalls, are actually stopping the hackers out there? Anyone care to answer? Oh, some very brave people out there. If you look at the Gartner report, and it was reported yesterday in another talk at Black Hat, 70% currently, say Gartner, if you believe Gartner, 70% of all attacks are application attacks. In other words, they walk straight through your firewalls. Think about it. Phishing, all the attacks that we get, all the blended threats; again, they're sending you emails with the intent of trying to get you to click on a poisoned web link. Again, it walks straight through your firewalls. Your firewalls do no good whatsoever. So, where does the Jericho Forum fit into this?
Well, basically the Jericho Forum is a group of the Global 2000 corporates out there, and vendors, looking at just that: how we are going to operate our businesses, our corporations, our users, our home users in the future without a firewall. The reason is it's not doing you any good at the moment. All it's actually doing is inhibiting business. Now, don't get me wrong. It is stopping the script kiddies. It is stopping the lumps on the Internet. It's stopping the denial of service attacks. But actually, more than that, effectively, it's not a security boundary anymore. All it's doing is keeping the noise level down off your network. It's a quality of service boundary. If you think about it, it is not a security boundary. Don't get confused by the two. So, the Jericho Forum, very quickly before we get on to the panel session, exists as a group of corporate companies, mainly. It doesn't stop individuals joining in, to demonstrate the fact that corporates want to operate in this new paradigm. Want to operate so that they can deliver better services, more secure services, from the premise that you can't trust your intranet, let alone the Internet. And as it says there, it aims to demonstrate how deperimeterized solutions can work in the corporate space. What the Jericho Forum is not, just to be upfront: the Jericho Forum is not about defining standards. It is not a standards body. It's certainly not a cartel, because this isn't about buying a single solution. And it's not here to compete with or even dismantle existing good security. Jericho and a deperimeterized solution are reliant on good security. Don't get that wrong. But all we're doing is saying you actually need to look at it from a particular point of view. In other words, don't trust your intranet any more than you trust the Internet. So, for the day job, I'm actually the CISO at ICI, which is one of the largest chemical companies in the world. And that's the principle we've been working on for a number of years.
My enterprise, my WAN, my corporate WAN, spreads to 335 sites in 55 countries and has 36,000 IP addresses on it. Can I secure that? Absolutely not. And we're not going to waste time trying. Yes, we're going to do good security. Yes, we're going to cut down on the really obvious stuff. Do we still have firewalls? Absolutely we still have firewalls, because it acts as that quality of service boundary. But we don't believe our intranet is secure. And we certainly don't build systems based on that premise. So, what is deperimeterization? Well, first of all, it's a hell of a long word. Don't try using it after some of the parties tonight, okay? Very difficult. Fundamentally, it's an acceptance that all your decent exploits are going to transit your perimeter security anyway. That's email, web. If you haven't been asked by your corporation to do it, you're going to be asked in the next year or two to let through voice over IP as a business imperative. It's coming. It'll come to you if you're a security professional very soon, sooner than you think. We let through lots of encrypted traffic: SSL, SMTP TLS, all the VPN tunnels we make. And of course, if you want to wind up a Check Point salesman who tells you, you know, I can do deep packet inspection, you say, yeah, but what happens when I use an SSL link? Oh, I can't look at that. Well, there's a problem, isn't it? We have multiple partner connections as well as all my connections. I have 3,000 connections to my network from stuff that we don't own: joint ventures, third parties, business partners, connections with people who maintain our networks, people who maintain just one server on our network. Being a chemical company, we have some very strange applications on our network doing very bespoke things. And so we literally have a company who wrote the software who have the ability to come into our network so they can do the admin on it, because they're the guys who wrote the software.
If you look, I suspect you'll be exactly the same. What we're seeing is that the border is an untenable solution going forwards. So, as we've said, your border is effectively a quality of service boundary. Protection has little or no benefit at the perimeter. And ultimately, and we've seen this before, haven't we? We all know this. I mean, you only have to talk to the Secret Service who look after President Bush. They don't try to use the border guards with a nice I-94 to actually keep the bad guys away from the president, do they? They do a thing called close protection. Why? Because it's easier to protect something the closer we get to it. It is as simple as that. It works just the same in the computer world as it does in the physical world. Ultimately, from a business point of view, business does not want another DMZ. Because you know the old story, don't you? The business comes to you and says, we've got this nice new application. We've just bought this company, or we're just going to start doing business with these people, and we need it next week. And you say, well, hang on a second. We're going to have to do a study. We're going to have to look at it. We're going to have to put it into the DMZ. We're going to have to put some special kind of proxy server in there. That's going to need some custom code in there. We're going to have to buy some bits and pieces; probably about two months. And you wonder why senior management regards security people as the guys who like to say no. So what is deperimeterization actually? It's not a solution. I'm not going to stand up here today and offer you a solution. Because what it is, it's a concept. It's the concept that when you're designing any system for any enterprise, no matter whether it's internet, intranet, corporate, user, or whatever, you have to design it on the principle that the transport layer, the network over which it is transiting, is not secure. It is quite as simple as that.
Anyone care to tell me what the default protocol for managing a Cisco router is? Absolutely. Telnet: username, password, and all data sent in clear. Yet Cisco would proudly tell us that they manage the entire internet and the backbone and the fabric of everything we do. If you want to update a Cisco router, I'm picking on Cisco because I can, but if you want to update a Cisco router, what do we use? TFTP. TFTP, absolutely. Even worse: no username, no password, all data sent in clear. Crazy, isn't it? And we don't seem to learn. So, deperimeterization: a set of solutions within a framework we can pick and mix from. It is defense in depth. It is a business-driven solution. And it's not a single solution. It is a way of thinking. We have as an industry to change our way of thinking. Like all good vendors, and I'm not a vendor, thankfully, but like all good vendors, they say, here are some of our customers. Well, here are some of our members. And hopefully you'll recognize an awful lot of them up there. We've got a few people up here today, some who are Jericho members, some who aren't. And I can get at Cisco because they're Jericho members. Okay, what we're going to talk about very quickly before we get on to the Jericho challenge is some of the fundamental work that's come out of Jericho. Jericho is aligned to the Open Group. Everyone heard of the Open Group? Some people might not have. The Open Group are based out of California. They own such intellectual property, open source intellectual property, as Kerberos on behalf of the internet community. And they are pledged that everything they produce will be open source and will be freely available to the community. So Jericho is part of the Open Group. It's a management trick, more than anything else, to make sure that we don't have to do the day-to-day management of Jericho, and we can get on with our day jobs. But they manage it for us.
But the key thing is that the intellectual property that we produce is owned, therefore, by the Open Group. What it means is you can go download all this stuff I'm going to talk about from the Jericho Forum website for free. Use it, take it, adapt it, change it, whatever you need to do within your businesses to actually raise the profile. Use the documentation that we're producing to go out and do requests for quote with vendors in terms of what they need to provide for features; a whole load of stuff. It's there, it's free, take it and use it. So the Jericho Forum in a nutshell: your security perimeters are disappearing. What are you going to do about it? We need to express it in high-level terms. We need to draw a distinction between good security, and there's some very good security around out there, and deperimeterized security, which is good security working on the principle that the media that you're transiting over is not secure. Think of the Jericho Forum commandments. We couldn't quite get it down to 10 commandments. We only made it to 11. But there we are; again, freely available. The 11 Jericho Forum commandments are sitting on the website. We haven't got time to go through them today. If you were at DEF CON yesterday, we actually went through them. But I hope you'll agree with the rationale behind them, and go get them. As I said, you'll get used to this: freely available, www.jerichoforum.org. On top of that, we've been doing a whole load of what we call position papers. The position papers are a look in detail at various aspects around deperimeterization. And the aim behind this is to pick a subject, either because it's currently media friendly or sexy, or because it just needs addressing, and actually look at it. What we produce aims to be a two-page document, that is it. So, in other words, your CIO might actually read it. So we aim to have them as two pages. I think the worst we've ever got to is four.
But the idea is they are short, they are CIO friendly, so they can understand them. This is part of one that we produced. And like any good Gartner analyst, if I was a Gartner analyst, you have to have a four-box model. So here's the Jericho Forum four-box model. And this is about good and bad protocols. And we've said already, what's bad about the internet? Well, we're still using too much Telnet, we're still using FTP, we're still using TFTP, we're still using all these insecure protocols that are out there. So here's the model, and basically it works like this: currently where we work today is sort of this space here. We work generally insecure-closed, with a little bit of open and insecure and a couple of point-solution things up the top. We're moving as an industry into sort of this kind of space, and where we need to move ourselves is here. We need to get up into this top box. We need as an industry to start using inherently secure protocols for everything we do. And that means everything. And yeah, okay, we use HTTPS on a reasonably regular basis. But as someone was saying, SMTP: there is a secure version out there. SMTP TLS exists in every single modern version of SMTP server that is out there; even Notes has it. There is no reason why you can't go to your SMTP server today and switch on TLS. It is literally a config line change for most systems. You can self-certify with TLS; you do not need, I mean, if you want to put a public cert in, you can, that's fine, but you can self-certify with TLS, there is nothing to stop you doing that. Okay, no one is going to trust that it is you, but at least it means it is encrypted in transit. So yeah, basically, if you are a public company, you should be using a public cert on TLS. But that is just an example. It is available today. How many people in this room have got SMTP TLS enabled on their servers? Probably around about 20, 30%.
So if you take anything away from this conference, go back to your organizations and just switch it on. It costs you nothing to do, because it is backward compatible. It defaults and falls back. So it costs you nothing: nothing to change, nothing to configure other than generally one configuration line and perhaps putting a cert in. Not hard at all; we can all do it tomorrow. So anyway, position paper on secure protocols. I said you were going to get fed up with this. Go and get it, it is free, jerichoforum.org. We are there for you to go and use with your businesses. Wi-Fi. Sexy subject; we are all using it at DEF CON at the moment. The Jericho Forum position, again, is that you shouldn't trust what goes over the air. We have had a whole load of fuss, haven't we, with Wi-Fi, with people trying to secure the air interface. Why? If you actually used a deperimeterized solution, you wouldn't care about the air interface, because the principle behind deperimeterization is you don't trust the wired interface, the transport, or anything else that goes with it. Again, paper available, jerichoforum.org. Voice over IP. Of course, we all know there's, you know, anyone using the secure version of voice over IP? Absolutely. Why? Because there isn't one. It doesn't exist. So, okay, you might go and argue with me that I'm using Skype, but that isn't really corporate-ready. Actually, if you want an interesting trick, take your corporate name and go and put it into the search in the Skype name and address book. It's really, really interesting what you find. We put ICI into the Skype corporate address book and found ICI Indonesia reception. Yeah. We soon put a stop to that one. Anyway, it's really, you know, Skype, forget it, it's not corporate-ready, it's not corporate-friendly. Do you really want to expose all your corporate users onto a public address book? I don't think so. Anyway, secure VoIP doesn't exist. Secure VoIP needs to exist at the end of the day.
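The SMTP TLS point made a moment ago ("how many of you have it enabled?") is the one concrete how-to in this talk, so here is an added example of how a practitioner would actually check it. This is editor-supplied code, not from the talk or from the Jericho Forum: it parses an EHLO reply for the STARTTLS extension and, for a live server, negotiates STARTTLS and reports the protocol and cipher. The host names, the EHLO replies and the `check_mail_server` helper are constructed for illustration; nothing here is captured traffic.

```python
"""Check whether an SMTP server advertises, and will complete, STARTTLS.

Added example (not from the talk). The pure helpers work offline on an EHLO
reply; check_mail_server() does the live check against a real host.
"""
import smtplib
import ssl
from typing import Dict, List


def parse_ehlo_extensions(ehlo_reply: bytes) -> Dict[str, List[str]]:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [params]}.

    RFC 5321: every line but the last reads "250-KEYWORD params", the last
    reads "250 KEYWORD params". The first line is the server greeting, not
    an extension, so it is skipped.
    """
    exts: Dict[str, List[str]] = {}
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:            # skip the greeting line
        if not line.startswith("250"):
            continue                  # not a success line; ignore it
        body = line[4:].strip()       # drop "250-" or "250 "
        if not body:
            continue
        keyword, *params = body.split()
        exts[keyword.upper()] = params
    return exts


def supports_starttls(ehlo_reply: bytes) -> bool:
    """True if the server offered STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_reply)


def check_mail_server(host: str, port: int = 25, timeout: float = 10.0,
                      verify: bool = False) -> dict:
    """Live check (needs network; not run here).

    verify=False accepts a self-signed certificate, the "encrypted in transit
    but nobody trusts it is you" case from the talk. Use verify=True when the
    server is expected to present a publicly trusted certificate.
    """
    result = {"host": host, "starttls_offered": False, "tls": None}
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result             # server still speaks cleartext only
        result["starttls_offered"] = True
        smtp.starttls(context=ctx)
        smtp.ehlo()                   # RFC 3207: re-issue EHLO after the handshake
        sock = smtp.sock              # now an ssl.SSLSocket
        result["tls"] = {"version": sock.version(), "cipher": sock.cipher()[0]}
    return result


# Constructed EHLO replies for offline demonstration (not captured traffic).
EHLO_WITH_STARTTLS = (b"250-mail.example.test Hello client.example.test\r\n"
                      b"250-SIZE 52428800\r\n"
                      b"250-8BITMIME\r\n"
                      b"250-STARTTLS\r\n"
                      b"250 HELP\r\n")
EHLO_WITHOUT_STARTTLS = (b"250-mail.example.test Hello client.example.test\r\n"
                         b"250-SIZE 52428800\r\n"
                         b"250 8BITMIME\r\n")

if __name__ == "__main__":
    for name, reply in (("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS)):
        print(name, supports_starttls(reply), sorted(parse_ehlo_extensions(reply)))
```

`check_mail_server("mail.example.test")` needs a reachable host and is not exercised here. On the server side, the "one configuration line" the talk refers to is, for Postfix, `smtpd_tls_security_level = may` (inbound) and `smtp_tls_security_level = may` (outbound), plus `smtpd_tls_cert_file` and `smtpd_tls_key_file` for the certificate. `may` is opportunistic TLS, which is exactly the backward compatibility the talk relies on, and also the caveat: a peer that does not offer STARTTLS, or an attacker on the path who strips it from the EHLO reply, gets cleartext with no error, so the check above tells you TLS is offered, not that it is enforced.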
If teams from DEF CON want to go away and work on a problem that's actually going to benefit mankind at the moment, go and work on secure voice over IP. Yes, sir? The question was, have I heard of Zfone? And the answer is yes, I know Phil Zimmermann very well and I have heard of Zfone. I've yet to see, I mean, again, he's only in beta 3 at the moment. I wouldn't call it corporate-scalable as yet. So, I think it's a very neat technology. Is it corporate-ready? Absolutely not. So, if you think about it, what are the parameters you need from secure voice over IP? It's got to be secure at the box, got to withstand attack. Who went to the voice over IP hacking demo at Black Hat? Few people. I don't know if they're repeating it here, but I hope they are, because it was very impressive. They basically spent the entire hour crashing telephones all over the place and doing nasty things with them. It was really funny. Very good presentation. You've got to have phones that are remotely and securely maintained, especially in a corporate environment. It's up there. Again, go get the paper. It's all in there. Tell your vendors what you actually need rather than the nonsense they're going to give you. Web access. Web access is great, isn't it? Who here uses either, well, you know, the popular ones, SurfControl, Websense or one of the others at their corporate boundaries? Yeah, absolutely. Why? Because, you know, that's the right thing to do, isn't it? But it's funny. If you think about it, you know, my CFO travels around the world, you know, at corporate results time. The most valuable thing for any corporation, and we dual-list on both the London and New York stock exchanges, the most valuable piece of information a corporation ever holds is its annual financial results. And at one minute to midnight before they're released, in my organization, they are known by five people and five people only in the world. And at one minute to midnight, they become public information.
So while my CFO is travelling around the world, in hotels, connecting his laptop, a standard, you know, standard Dell laptop just like this one, he's got the corporate financial results sitting on his laptop. And how are we protecting him? Well, you know, personal firewall, all the standard stuff. Meanwhile, back in the office, his secretary is doing email and all the routine office stuff. And what are we doing to protect her? Well, we've got a nice intranet, and we've got some IDS floating around, and we've got some firewalls at the border, and we've got SurfControl doing all the proxy stuff out to the web. We're spending an awfully disproportionate amount of money protecting his secretary doing email compared to protecting him when he's actually out in the big bad internet. You know, what is wrong with this picture? The Jericho principle, the Jericho Forum deperimeterization principle, says we shouldn't differentiate. We should apply the same level of protection to all the devices we're trying to protect, irrespective of where they connect. It's a fundamental principle, isn't it? It's obvious when you think about it. But we don't do it, because it's hard, isn't it? So web access: we need to have a single corporate access policy regardless of location, regardless of connection methods, and we need to protect all our users, especially our web users. And again, you're getting fed up with this, aren't you? Position paper available from the jerichoforum.org website. If you go and get this one, just as a reminder, currently version 1.0 is up there. 1.1 was released last Friday. I don't think it has quite made it to the website. So if what you pull down is 1.0, wait a couple of days and go and pull the new version. It's just got some pretty pictures in it more than anything else. Nothing major. I think it's fine anyway. Digital rights management. Well, you know, we all know this one's been usurped by the media industry, hasn't it?
But if you think about enterprise DRM, we talked earlier about, you know, it's easier to protect the data the closer you get to it. Again, easy to say, hard to do. Ultimately, this is what DRM is about. Enterprise DRM needs to go out and protect your data at the data level, such that we don't have the crazy situation we have with Windows at the moment, where if I've got a secure server and it's got some data in a file area, I can go out and read that data. If I have rights to read the data, it then resides on my machine. Now if I hit the Save button and save it somewhere else, it's mine. I own it. I'm now the creator owner, in Windows terms. I can now say who has rights and privileges to it, and I can totally change it. And obviously as that document gets passed around, we all know what happens, and we wonder why there are information leakages out of companies. The answer obviously is that as the original owner of that document, I should be able to specify who has the ability to read it, who has the ability to print it, who has the ability to copy it, who can even do a screen print and screen capture it. And I should be able to define those parameters with that document, such that I can then mail that document to every single one of you in this room, but the only people who can read it, change it, modify it are the people I have authorized, irrespective of how many people you then send it to. Again, easy to say, hard to do, not impossible, but the problem is, like everything else, there are some nice point solutions around for this at the moment, but a complete absence of standards. This stuff is only going to work if we have open standards. Again, spotting the trend here, go get the paper. Not quite available; it is in draft, it's probably about two weeks away, this one, possibly slightly more, but certainly within a month you should be able to pull this off the Jericho Forum website. Oh, look, fine, yeah. NAC, we forgot about NAC.
Anyone got NAC installed completely across their entire organization? Oh, no. This is a problem. Some brave person. How many computers have you got, sir? 10? NAC is a marketing idea more than anything else. I totally agree with you, sir. Absolutely, yeah, NAC is a great idea as long as you're only trying to secure 20 or 30 computers, but by the time it gets beyond there, it's a nightmare. You know, I said earlier, I've got 335 sites. Am I really going to go and pull all of my old routers out of those sites and replace them with nice brand spanking new Cisco kit? Well, I'm sure Cisco would like me to do that. Good for my salesman's bonus, but not really good for anything else. It's a nightmare. There's also, it doesn't work in the real world. It works really nicely in confined situations. So if you're going to build it into your brand new wireless system, absolutely. But it doesn't work on an existing system particularly well, because of all that legacy kit, if nothing else. And yes, there are stopgap solutions, and the vendors will tell you they can make it work, but trust me. The other problem, obviously, with endpoint security is it's all about trust. That's what you're doing. You're raising the trust level. Trust is temporal. Trust has user integrity and integrity strength. There's a whole bunch of issues around this. Again, draft paper available probably in about a month's time. Endpoint security: go get it when it's available. Finally, and this is finally, the picture here is for anyone who believes in the old principle of city walls. You know, people come up to me and say, yes, but security is well tried and tested throughout the ages. You know, the idea of your castle keep and then your layers of defense with the moat and the castle walls. This is a castle wall. This is what happened to the European castles of old. They now sit on roundabouts and traffic islands, and they're there for the tourists. They don't have any practical purpose whatsoever.
So, architectural security drivers; you can see some of them here. There is available an architecture paper on deperimeterization. Again, freely available, go get it. Future position papers coming, stuff that's being worked on by Jericho. You can see them up there. I'm not going to read them out. A whole load of stuff. Go back and visit often. That brings us on to this thing called the Jericho Forum Challenge. Basically, the concept behind the Jericho Forum Challenge is that we feel the time is right to actually challenge the industry to start building some decent systems. And to do that, we are proposing the Jericho Forum Challenge to actually go out and design them, build demonstrator systems. Here's the format and timeline. Basically, we launched it yesterday afternoon at DEF CON, at Black Hat. And the concept behind it is very simple. Build us a demonstrator system. We'll talk about the whys, the wherefores, and the rules in a second. But it might be great. It might be fantastic. It might do all the things. But then, of course, it's easily broken in two minutes. So, of course, there is this other little conference going on which happens after Black Hat. So our thinking was that you bring it to Black Hat and we judge it from a corporate and architectural point of view. And then we give it to you guys to play with, and see if you can break it. And we award prizes. Monetary prizes. So, format and timeline. We're announcing, obviously, the other part of the Jericho Forum Challenge now. August 2006 to May 2007: registering interest, pre-Black Hat, obviously, submitting, and we're going to finalize a shortlist. Black Hat 2007: we're going to get people to come and give their entries. DEF CON: the aim is that they will be connecting their systems for you to have a go at. Simple as that. DEF CON participants will be invited to test the security claims of all those various systems, with prizes for those who breach the most systems.
And the result: basically, we're going to score them from a corporate point of view. And then we're going to add a multiplier based on the results of DEF CON. So, if it lasts for two days and no one gets into it, it gets a one. That's the multiplier. If it lasts for 10 minutes, it gets a zero. And at the end of the day, at the end of DEF CON, we will know the winner, and not before then. Main sponsorship. What we're looking at, the kind of figures, we're in discussion at the moment. Currently, we're looking for the main demonstration systems. Currently sitting at about $50,000. We are looking and talking to people at the moment about getting sponsorship up to a quarter of a million or half a million dollars. This is a serious competition. Current thinking for DEF CON is the first prize for actually breaking these systems is going to be $10,000. That's not bad for a weekend at DEF CON, is it? So, watch this space. And that brings us nicely on to the panel. We're down one: Pam sends her apologies, I'm afraid. She got rung up by work and asked to do some real work. Today they had a slight panic of some description, and so she sends her apologies. She can't be with us. But we have a very distinguished panel. On my left, David Mortman, former CISO for Siebel Systems. Henry Tang, Enterprise Security Compliance Officer from Philips in the Netherlands. And finally, Steve Whitlock, Chief Security Architect for the Boeing Corporation. Now, we want to try and make this, in the... What have we got? 10, 15 minutes that we've got left, slightly interactive. What we're doing is, if you haven't noticed it, there's a little pair of microphones here. And I'm sitting recording this. We recorded yesterday's session when we looked at the other side of this question. And what you're going to see next is some of the work that came out of that. So this is real hot off the press. This was 5 a.m. this morning when I got up, putting this slide together. But what we're doing is recording this.
So if you do have a question, we're either going to have... You're going to have to shout it out so we can hear it and repeat it. Or there is a microphone up here for anyone who's in this vicinity to come and sort of talk into. And what we want to understand, what we want to try and do, is gauge from people what they think a fair test is going to be for next year's DEF CON. So here's what we came up with out of yesterday's meeting, looking at the other side: what we would like to see from a corporate point of view as a demonstration system. So the first one was to define it as the business problem. Deliberately vague, because we didn't want to stifle original thinking. The solution has to be recognized by the business. You know, it has to be said, yeah, I could see that working in my business. So there's the draft specification. I'll go back to that one in a second. So the question initially for the panel, and quickly for the audience if people want to chip in, or afterwards, feel free to grab me. I'm here till Sunday afternoon. So if people want to grab hold of me and say, hey Paul, I thought about it, what about doing this? Or wouldn't this be a good idea, or anything else? Please feel free, grab me and give me your suggestions. So what we want to know is what you think would be, the panel thinks initially, then you think, would be fair testing criteria. Panel, who would like to start? They're not normally that shy.

I suppose capturing a file or something is fairly typical, but I think forging a sequence of transactions might be a little more interesting.

Yes, this is Henry. Well, I have a compliance job to do, so some of my test criteria probably will come from that perspective. We work with auditors quite a bit, and as part of the test criteria, I would say I'd like to see a QA based on some of the audit ways of working.
And in this particular case, Jericho, well, the principles and details obviously are posing quite some challenges to the audit community, because of the increase of the gap versus what they already have in mind of what is a total control environment. And when Jericho brings in these new principles, or basically challenges, certainly the control framework is being challenged as well. So from this perspective, at least from my perspective, I think it's important that part of the test is to make sure that what we have understood as a control framework is either meeting that challenge or we may have to actually up the framework. So it's more of a challenge on both ends.

Okay. David.

That's an excellent question. One of the things I'd like to see is how the system can be gamed in a broader sense, especially given the requirement for mutual authentication. I'd like to see how that can be used and abused to, say, actually pretend to be one of the authentication servers or one of the actual main servers in a malicious way, to get access to data you're not even supposed to ever see.

Sir, there's a mic up there if you want to stand up. It'll probably be easier for all of us. It saves me having to repeat it anyway.

Are you taking into account how you're going to be putting in compartmentalization and the assets that are going to be protected? Because really what you're dealing with is scoping, and you're also dealing with the trust that you're trying to assign to each individual that has information that is trying to be protected. By that, whenever you were giving the example of having the secretary and the CFO, okay, the CFO has very sensitive information, as opposed to the secretary maybe having access to it but not garnering it directly.
And with anything that you're doing, am I looking at using something like DAC as a standard access control, or can I go into MAC? But that's still going back to the person having control over what's being shared, as opposed to, if I pull in something with TPM, all of a sudden I've taken out control of who has what, and brought it into a more process-driven thing: the computer is taking care of it as opposed to the person themselves.

Okay, so basically what we're talking about is subverting either the access control method or the trust method.

Well, no, I'm bringing it out to: you've got scoping issues that are there. In other words, I can build one system that I can guarantee you will have a severe problem getting any information out of unless you're authorized.

Yes.

But that won't necessarily translate to 30,000 systems.

Correct.

I cannot do MAC accurately across that many systems, because I start losing the granularity that I need.

Yes, one of the acid tests for the CSOs to do at Black Hat will be: does this scale to a corporate environment?

Well, but that's what I'm talking about: for what you're trying to bring out, tell us what the scope is that you're going after. Are you going after the compartmentalization of financial information, which is very sensitive, or are we trying to stop mail going across an entire network? Those are hugely different problems.

Yes. Essentially the idea at the moment, certainly with this specification up here, is to try and give us as broad an attack surface, and as realistic an attack surface, as possible.

Yeah, I just want to make a comment.
I think the question is excellent, because part of the thinking here is, when it comes to classification of information, basically what we're trying to understand is the risk. Because if you have different types of information that you need to protect, and you have different ways of partitioning or segmenting that information, the risk analysis comes out different, and therefore actually the test criteria may change. So, giving an example: on a system, if the system actually is broken, it is not completely saying that that system is 100% gone. Because if the system actually has a certain partition, and certain, what we call sensitive or maybe confidential or even personal information is protected, then from a risk perspective I can still, or put it this way, the business can still live with that break-in situation, that maybe just sacrifices some email. And in this case I assume that the email is properly protected but not, or in this case, confidential information is protected to some degree. So breaking into the system is part of the story, but the second part is how much are you actually getting access to, and then determining the value that you were able to obtain, I would say, is part of the test criteria as well.

Good point. Sir, I'm being told we've got to wind this up, so you get the final question.

Okay, I wanted to make a couple of points.

Certainly.
Your metrics should be everyday usage metrics for any organization. So the system needs to be available, you need to maintain integrity, data integrity and system integrity, at the same time making it available to local and remote users, and users that use the system in a variety of environments, from filthy computing environments like DEF CON to sitting in your office and, you know, just using it very generically. So, you know, it needs to adhere, in my opinion it needs to adhere to the same set of issues: compromise of data regardless of what that data is, compromise of data, the integrity of data, the privacy of data, the availability of the systems in terms of denial of service, and those types of metrics. So, you know, I think I'm taking a step back, and rather than dealing with, you know, what happens to email versus your confidential data files, what if that email contains confidential data files? So, you know, it needs to adhere to all of those. One other point I wanted to make, stepping back: you made two disparate points. One is, privacy is not security and security is not privacy. So a lot of the points you put up on the board in the, you know, right upper quadrant were privacy driven and not necessarily security driven. So if you take HTTPS into consideration, or if you take TLS into consideration, someone can use HTTPS or TLS and get a private connection into your environment and then have a field day in your systems.

You're actually right. Yes, I wouldn't disagree with you at all. I mean, don't... I've got to wind up. All I can say is: watch this space. There's going to be a lot happening with the Jericho Forum Challenge in the next few months. So watch the Jericho website, I suspect; watch the DEF CON and Black Hat websites; watch the press. And thank you very much for your attention and your input.