 the end of day one our final talk something that I've been super excited to hear about but before we get to that again if you haven't gotten a t-shirt head out to the apsach village website you can pick up a shirt there and let's give a big thumbs up to everybody who helped to put this on this year this is fantastic definitely want to thank everyone the next speaker Mario is going to talk about threat modeling the death star which what a better model that can we use right Mario is a software developer with ten years of experience in four different countries his expertise involves security dev ops and agile practices Mario helps teams to deliver value quickly while keeping applications infrastructure and data safe with that let's welcome Mario to the stage hello everyone welcome to my talk try the modeling the death star my name is Mario I have been a software developer for over ten years and recently I have moved to be a full-time secure engineer two or three years ago and today nowadays I'm a software engineer again today I want to talk about threat modeling and try them all is a subject that feels very important and it's very dear to my heart for many different reasons but the main reason is a reason that was shown on the state of the box report from last year so the state of the box report is a report done by puppet and different companies where they look to survive different companies and they try to get information about how efficient they are in the DevOps world and one of the things they look at is security and they have like looking at all different companies on all different sizes is the most effective way to improve a secure posture is to do security collaborative trend models with the security team and the development teams that's really really important to improve a secure posture and that's what I have seen my experience as well as a secure engineer every time introduce trend modeling to a company or to a team I could see the benefits of it very quickly like the improve of the secure posture but before we're going to jump in about and go more advanced details about trend modeling I want to talk a little bit what the definition is right and if you look if you try to Google it you're going to see like many different definitions but this one I like the best is that trend modeling is a process to identify enumerate trends that's what trend modeling that's what trend modeling is at the end of the day right and that makes a lot of sense for security people but then when you try to go not secure people or not try modeling arts they don't get very impressed right it's a very dry concept it's a very abstract concept and it's really hard to engage people who are not from security to actually understand and get involved with trend modeling and that's a hard situation isn't it like where you have trend modeling brings so much benefits to the organization but in the other hand it's really hard to gather people to do it and it was my position a few years ago and try to introduce trend modeling in a company and I really knew that like trend modeling is quite important but I also knew that's not very engaging at all I was trying to find a balance where I could reap the benefits of trend modeling while make sure people were motivated enough to engage and participate in the process it's not only more of one checkbox that you need to do at the end of the day right anyway then I come up with a list of requirements and what the requirements are the requirements are something like I felt if there wasn't there for the trend modeling process they wouldn't be very successful I wouldn't think that actually something that's available to the company and I come up with three different requirements right one is it needs to be engaging trend modeling definitely needs to be engaging it shouldn't be one another boring meeting people need to attend should be something like more fun and more engaging so people can go have a good time at least in the trend modeling session it needs to be highly collaborative again like the magic of the trend modeling happens when you get the security doing it and the development seems doing as well together and like collaborating against process done it's not like a process for me it was like a known goal my process where the security in the day that behind the scenes and it just return a report to the development team it's definitely like wasn't something I wanted to do it and finally it needs to be valuable for everyone and sounds like a bit silly but it's very easy for people to think like I'm doing this right modeling just like to make sure the security is happy and then it could do my stuff on that's not the idea that I want to do for the trend modeling when it's something that if people are participating collaborating they could get something out of it they could like understand the process and see the value of it and then do it again and again not only because security wants to have the software more secure because they also see value and they also want to get their software more secure and then I look at very different methodologies I look at stride I look at pasta I look at many others but the software methodology that I like the most is a touch race I think that resonates well with me my experience and resonates very well with the company teams and companies I have worked for where I introduced that I really like the way to see because it's very simple and it's very easy to do it that doesn't mean is the best methodology for everyone like how different people have different styles different companies have different cultures we might find just something different for yourself but for me that was very like when I saw that actually they really understood the concept they really could see that being rolled out to the company but before I actually try to do the role for the company I did a pilot first I chose like a few selected teams they were doing some interesting work and they were trying to all in what a great value at that phase of the work and with that I talked to then I did some pilots I did a few training models and then I did this via the end of it to see what people think about the process and I really asked them to be very honest because if it wasn't working for them chances are wouldn't work for other people in the company so wouldn't be successful and we should just like start from scratching and rather than try to roll out that process and the numbers I got were very positive let's say this 80% of developers found like a useful they found valuable and they would participate again and for me the parts of it again was the like ultimate metric if they would participate again is because I I hit the three requirements they saw value in it it was collaborative and was engaging right and they see value they actually saw value for them and they wanted to do it again so that makes me like made me feel confident and then I did roll out that to the rest of the company and I'm gonna want to talk about that how what's the process I did roll out but I want to use Star Wars for that because again try the modeling is very dry the various abstract concept so I always try to get different ways to make try them only a bit more engaging and Star Wars one of the funnest way that I have seen so far so let's start with Star Wars and that story starts with yourself in the audience watching this and at this point where you are the new CSO of the Galactic Empire Chief Security Officer well done you start as a low-level strong trooper fighting the trenches against the rebellion and you made all your way to the top now you are a Chief Security Officer well well done but not every team likes perfect isn't it that guy now he's our new boss yeah and how can I say this he's a very different style of leadership this whole thing you know you learn about today blameless culture or servant leadership definitely not something he believes in he's more like an old-school kind of guy he really thinks like high accountability is the way what before but that's okay right like everybody had like some problematic boss at some point in their careers and pretty sure you can like work around the guy and you was being like a CSO you start to look at the crowd use of the Empire right what's the most important assets and what you need to protect first before everything else and the answer was very easy and very big as well the answer was the Death Star is the most expensive project in the whole Galactic Empire is costing around like two trillion credits it's been 20 years in the making is the biggest weapon of the galaxy and like a major strategic asset for the Galactic Empire so definitely that's the way you need to that's the asset we need to focus on however it's a project that's been like as any waterfall project they had like over budget and overdue and the business not happy with it and the business would like to release that as quickly as they can to productions being like delayed delay and delay or over too many years so your boss and the Emperor they're not very happy but that's fine you can work with that your professional right okay so you've got this fire ready what you need to protect that's a Death Star it's a good first step but you need to have some sort of understanding what kind of a different star is going to happen like what kind of attackers you're going to have it and you use a simple exercise called like evil personas so the Galactic Empire has been attacked for too many years already so you kind of know exactly what kind of attackers the Empire can have so let's talk about it because we need to protect the Death Star against them and the first one is very is very interesting it's Charger Bix right like Charger Bix just represents a class of attackers where they don't know very well what they are doing they don't have too many resources they also very competitive so they keeping like trying to show their colleagues how good they are sometimes it can be annoying for the Empire but honestly when it comes to the Death Star they are not very important personas so although it's good to listen then to list them but it's not very good like for them for your trend modeling for the Death Star so just move to the next persona now we're gonna talk about Han Solo right and Han Solo is a very interesting persona because Han Solo is a lot more expertise Han Solo knows what they are doing like any other world hunters they know what they're doing they have more resources as well they have more in their own ship they might have like different weapons but then again they are there for the money and they don't organize themselves very well both hunters are very competitive as well they keep trying to go to the easy prey and get some easy money but they don't try anything too big or anything like that for coming comes to the Death Star it can be annoying but the other hand like they're probably not a big threat as well but these people these people can be problematic right Jedi's first their expertise it's huge well not only because they have been training for like many many years but because like they have magic in their favor right like they use how can you defend against magic if you have a guard and they do is like you didn't see me or whatever it's really really hard to defend against them like you it seems your boss managed to kill most of them like years and years ago and the ones they're like out there they're probably like hidden and they are not much of a threat anyway so although you least them as a threat because they're very likely to show up and it's very hard to protect against these people you also don't focus them very much you trust like your boss is a very good job and eliminated and then I thought about like more interesting personas and comes to the Death Star and here we talk about like insider threat but honestly I said the threats should be many different personas because the Empire has many different levels ranking levels right I start trooper that's inside the threat is not as dangerous are a sea level is active like yourself becoming inside the threat right regardless of the position though they have been training training by the Galactic Empire right so they have a strong training training and they know what they need to do they are very good what they do they might have like again resources a bit of an interesting thing if you're a strong trooper you don't have much money but it was a sea lab is active like yourself they have lots of money lots of resources for regardless again of their position they're gonna ask the South Korea well I'll like the Galactic Empire is a military organization so they're gonna is holding side the threats they can like join terrorist groups they can form their own terrorist groups so they can't come problem because organized themselves very well even if you had a low level some trooper but the most important persona for the Death Star is Princess Lia right Princess Lia is the represents the rebellion rebellion as well know is terrorist organization trying like bring trouble to the Galactic Empire where the Empire is just trying to like make the galaxy stable you know a bit of order here that but although the terrorist organization they have lots of expertise they have pilots they have diplomats they have spies and they are very good they can sometimes go toe-to-toe with the Galactic Empire so they do have a lot of expertise even for like a terrorist organization they have lots of resources you know you're not by sure what they get the money from but they do get so they have lots of money they have like a small army they have ships they have bases across the galaxy so they have like lots of resources and for a terrorist organization they got organized themselves pretty well they have become like a major pain pain for the Galactic Empire in the last few years sometimes shut down like um Empire operations or shut down entire armies so definitely Princess Lia is your like most important persona and the one you need to craft up cool so that's the summary of your personas right from skip kitty going through Bota Hanta inside the threat Jedi's even like Princess Lia the rebellion now going back a little bit to the real world personas if you like want to do that in your own organization if a large organization it shouldn't be very hard for you because have your organization probably has been attacking before so you just talk to the security me on you know our company the ones who look more incident response they might have like an idea of kind of of attackers you have if you know the hand likes working for a smaller company you might try to look at other websites and find like places where they define generic attackers you start with them and then as you grow as you scale and then have like real attacks you can like tweak your personas as you go but it's important to have like a kind of understanding of the attackers are and not keep only on the abstract level of an immeasurable attacker cool so now you have the asset that's a death star you have the personas so now it's time to build the attack 3 and the first thing you need to do is get the right people in the room and remember when my first flight was talking about like I'll try to only should be collaborative exercise and everybody should participate together so that's what you try to do you try to get everybody's at the room so you could run the exercise you got the death star designers and architects you got your own team you took so much trouble to go through that because imagine it's really hard already to go into the time zones and book everybody out in the same time when you're across the galaxy where time zones are not even the thing but somehow you manage you put everyone in the room you even go like a Darth Vader to do an introduction for you for for the meeting to give some motivation for people you know like the kind of sea level introduction and then you start to run the factory session and the factory session starts like um if the root node is kind of the attacker go right what the attacker wants to do against your asset and you could look at very different kind of attacks for example if you look and Han Solo and a bounty hunter when he looks at that star he's probably like trying to make some money out of it you might steal some weapons I might steal food I don't know they may have like still lots of stuff but then you need to look and focus on what's most damaging for the galaxy empire even if Han Solo manages to steal a bunch of weapons or a bunch of food there really doesn't impact very much the galaxy empire it's annoying for sure but it's not much of a big problem so in you come up if two different like attacker goals they are very if the attacker managed to accomplish this it can be really damaging for the galaxy empire so you're gonna focus on that one and if and there are two kind of goals they need to to look at is um take control of the death star or take death star out of action and take control of the death star it will be really really bad imagine like going to 20 years of project release that production just for some kind of attacker get that weapon from you and use against the empire it'll be terrible but as well and be very unlikely for the kind of attackers you have because none of them have the resources to actually managing a ship like the death star you need to have like one million crew inside the death star so to me to manage the whole thing you need to have like a very specific expertise and there's lots of proprietary technology so even precisely I wouldn't be able to take death star out of the galaxy empire and use against the empire but they definitely definitely can look at it take this death star out of action that's probably what would be the first goal is as soon as they know about the death star you try to take out of action and take disadvantage that the galaxy empire is beauty out of the game right so we're gonna focus on that and also we're gonna focus Princess Leah as a persona but she's probably she's probably the one who can actually accomplish this so we chose that take death star out of action now we need to think about how would you try to do this right how we do accomplish take death star out of action so that's where the collaboration and the magic happens the security for some ideas the developers throw other ideas and then you try to figure out like which one of these nodes are more likely to happen and together when you got everybody in the room there are two kind of nodes that show up they're really important and then they are more likely to happen one is disabled at that start I'm gonna talk about like a 15 minutes disablement or maybe turn off the power for 15 minutes or something like that I'm talking about like some sort of disablement that is so dangerous is so problematic that probably the death start is not usable anymore you need to rebuild the death star for it's correct so you can disable so you can re-enable again so it's kind of disablement where it's probably better to spread another one rather than fix it it's like same like you break your iPhone screen for example it's so expensive they're most likely just buy a new one and the other one is destroy the death start literally destroy the the whole thing explode the pieces or whatever so that the two main ways you can take that start out of action so let's focus a little bit on disable the death start to disable the death start you'd have two kind of nodes as well two different ways to do this one is what we call like a system failure and the other one's mechanical failure and a system failure is mostly like for example you disable the navigation system you disable the heating system you disable the engine system is able to set away discord critical systems that they might cause like a chain reaction and the other systems and like shut down the death start or you can call some sort of mechanical failure and then you can call some problem on the hardware itself and the hardware can cause again another kind of chain reaction that's going to cause the whole death start to shut down right cool so how would you accomplish these things and then for the persistent failure you need to compromise a critical AT system and for the mechanical failure you need to overload the critical infrastructure let's elaborate that a little bit so there are many systems run inside the death start right and they manage like some sort of critical infrastructure so if you have access if an attacker has access to this kind of systems they can do some damage but usually the system protects against like a problematic parameter the problematic variables or any dangerous kind of action so what you want to do is when an attacker needs to do it not only have access to the systems they need to compromise so they can bypass these kind of protections to cause a system failure when it comes like to mechanical failure you might overload some critical infrastructure so you might overload the heating system somehow and to overload the heating system you need you might cause all the hardware to have problems right or you can cause like the death start to be very uncomfortable to stay with if people need to leave the ship so there are different ways you can do that but the interesting thing is regardless if you're trying to compromise the critical AT system or overload the critical infrastructure you need to have access to the internal network that's no other way so either to like have access to sensitive areas of the death start you have this kind of action and you need to have this kind of privilege or to compromise the critical AT system you need to be inside the network so you can interact with the system right and it is internal network because if you think about it death start is just a weapon right it's not like they make their system public so people can access they're not a service right they're a weapon and as a weapon they hide everything as much as they can so in order to get like privilege access you need to be inside the internal network anything that's public is probably like not very important and segregated from the other internal network and in order to get access to the internal network you need to be inside the death start there is no other way and then again death start is a weapon and they don't expose my systems to the outside world and they segregated that stuff very well so you need to be inside the death start so maybe you can go to a server room or still some kind of like an employee badge or biometrics or whatever so in order to get your privilege access the interesting thing is we could go in more detail and like how would you get physical access to the death start but as i said before the death start has one million crew right like it's very likely that an attacker like princess liya is going to be able to do that even if that's not true another attacker that we have is an internal attacker so might be a person who actually has rights to be inside the death star and then inside the death start to try to do some invalations so we're going to stop this part of the attack tree here and go to the next step so that's all we have so far so you have like take the death start all the action you have disable the death star and then you have system failure and mechanical failure and so on so forth but this is only one part of the death of the attack trees right we have the other one where you want to destroy the death start so how would you do that how would you destroy the death start and there are basically two ways to do this one is big military attack the death start is a big weapon it's a huge weapon it can cause lots of damage but also it's still vulnerable to kind of military attacks so yeah that's a way to do it and there is another way that you figure out on the train mall and you are like so proud that you actually got that there is a reactor inside the death start in the very core of the death start there's a reactor which controls everything and provides energy for the whole ship but the reactor is very very hot so it needs to like send this this heat to the space and the way to do that they build like ventilation tunnels that go from the core straight to the ship to the top of the ship so then the heat can dissipate right but this is also a vulnerability because now we have a straight path to the core and the core is very unstable so anything that goes there any kind of explosion can cause a chain reaction that's going to pull the whole death start right it's a really big problem in case an attacker can exploit this but there are some sort of protection let's say this the first one is obscurity right the this kind of port is not very like you need to know where the port is for one death start is huge and there is no easy way for an attacker from outside to know where they should hit and second the port is very small it's only two meters wide so it's really hard for any kind of pilot to send a shoot send a bomb over there so it's not like it's very likely that to happen but still not really great so in order to destroy the reactor you need to shoot the thermal port and to shoot the thermal port you need to know where the port is right so you need to obtain the death start plans you need somehow know what the port is so you can go there and shoot it right and that's the second piece of the attack trees so together with the first part of the attack tree and the second part of the attack tree that's what we found out about the the main problems the death start design or the procedures we have in the moment and these are the main goals the attacker can try to accomplish so if you get access to privilege privilege access to network that's going to be a problem they have like different ways where they can accomplish the disablement of the death start a military attack really huge but something that a rebellion can pull it out like so if you do not prepare the a rebellion can try to destroy the death start by a huge military attack and finally the thermal port if somehow an attacker can shoot the thermal port they cause a chain reaction and then can destroy the reactor and the death start all together that's good so that was part of of the try them all in and then you figure out some threats um and the way i like it why i like the attack trees is because it's a problem solving exercise and everyone in 90 has this kind of mindset of problem solving we have a problem and try to solve it that's how we do right that's how we operate but rather than like use this to build stuff now we have to change the mindset and say like now rather than use your problem solve to build you're gonna use your problem solving skills to attack and that's really really powerful to get this kind of people usually don't think about attackers or attacks at all thinking about these things and it's interesting to see how they can find vulnerabilities on their own design and it's very interesting as well because they are collaborating on the session when you need to go back to then and say hey remember that vulnerability we found we need to fix it they are at the contest they were dead maybe they were the ones who found out anyway and they are the ones who are not fixed easily as well so it's a really interesting exercise and it's really really powerful the way we can get people who never think like about attackers try to think like this it makes them think the look at their system in a very different way and they only can cause good things because they don't fix the problems and make the system more secure cool now we have identified the risks and the threats so now we need to mitigate those and the first risk we need to mitigate is privileged access to the internal network and the impact impact for that is high if an attacker actually manages to do this it can be really problematic for the empire the likelihood we put as a medium because it's not very easy you need to be inside the death star but the death star and the network of the death star is not very secure the rebellion has been have been hacking the galactic empire for many years but you are a good security professional aren't you so you come up with some measures that you can implement in the network some quick wins some testing and then you like to harden the network and make a lot harder for the attacker to get like a privileged access to this so after this work has been done you actually manage to improve like the likelihood from medium to low the impact is too high though like it's really hard to make sure the impact is going to go down but at least make it very unlikely that's gonna happen next one the next one is a military attack right and then again the impact is really high if a rebellion can pull out an attack then can destroy the death star that's really really high impact but the likelihood is also high why is that because if you are princes liya and you get to know that your biggest adversary has such a big weapon you probably want to go and try to attack them first right but there is a few things we can do to mitigate their risk the first thing is you need to come up with ways for the crew to respond to attacks very easily very efficiently right so you define the run books you make sure people they keep them on the on the call and keep on training and keep like make sure this exercise has been running so when the actual thing real thing comes the response works very well but not only that the death star is going to need some support right so that's why you get like a start destroyers start destroyers are like very big other big ships of the galactic empire and if they are close by when the death star is being attacked they can provide really helpful and strong support and probably make like less likely of the um rebellion to attack the death star when they have like a strong support as the start destroyers and finally you do not try to monitor the rebellion activities right if they try to pull out that kind of attack is a huge movementation and they need to talk so many different people and a lot of coordination so if you get some sort of signal out of them and then you interpret that you can prepare before they actually pull out the attack so it would be a lot more prepare when they come so for this you manage to get the impact from high to medium because even if the rebellion tries to attack with a strong military attack you'll be a lot well prepared and maybe you can either defeat them or at least have buy enough time to get the death star out of that so that's a good outcome and the likelihood is also medium because if the rebellion cannot actually destroy the death star they are most likely not trying to attack they only go for the victory right so if the victory is not certain they'll probably not be able to do it but regardless you need to be prepared prepare and then that's where you get very well done and finally shoot at the thermal port and the impact again is high as the other risks if somebody managed to shoot at the thermal port you destroy the reactor you destroy the death star and the likelihood was low and you didn't like how this outcome was low and why is that people are saying likelihood is low because you need to know where the port is and even if you do is a really difficult and hard shot right so you wanted to do a little bit more we want to do some sort of protections uh and maybe cause like if an attacker is coming just close down the door or open different ones or have different levels of protection you try to argue for that but remember i was talking in the beginning the project was being delayed for so many years already the budget is being like over for for many years as well so the business didn't want to like go back to the design redesign that kind of port to make sure it's more secure and then implemented that delayed the project for a few more years and so the business decided to accept the risk so but yet you you're not trying to do something right so at least you're going to try to hide the death star claims so if the one of the things they need to do in order to shoot at the thermal port they need to know where the port is so if at least you try to hide that and make it harder for the an attacker finds out about the death star plane uh about sorry about the death star port then it wouldn't be a problem anymore right oh at least you would mitigate to a certain level that's the only thing you could have done so you did and then you went your own with your life right uh you did the best you could then you fix you look at different other areas of the security of the galactic empire and you hope for the best and then eventually the death star has been released and the death star has been like a cause of a joy for the empire they caused lots of trouble for the galactic empire and that happened the death star was destroyed which is not good outcome for anyone in the galactic empire but you are professional right so what you do in that situation forensic analysis so you try to figure out what went wrong how the rebellion managed to destroy such important weapon and the answer is this guy Luke Skywalker he was the one who managed to shoot the thermal port but there's some interesting things about Luke Skywalker the first thing is he's a Jedi which is interesting because they were supposed to be hiding not actually attacking the empire hmm and like before he actually managed to shoot at the thermal port he was being he was about to be shut down but the person who actually helped Luke Skywalker was a bounty hunter he came up at the last minute and said look from from destroy and then Luke managed to shoot at the thermal port which is interesting because bounty hunters only help they only work for money right they don't realize themselves very well so why am I not hunters helping a Jedi there's another thing that's quite interesting is Luke Skywalker is actually Princess Leia's brother which makes him like a high-level ranking rebellion official too so he's not only a Jedi he's a a rebellion official yes interesting and the worst part of it all the worst part Luke Skywalker is the son of your boss right which makes this whole lot more complicated because Luke Skywalker is considering eternal attacker no you don't know but definitely like not your problem and you don't have a good feeling about it right that's problem for your boss to take care of his family and his own boss but yeah Luke Skywalker is definitely a problem and he was the one who managed to pull the shot but how Luke Skywalker actually managed to find out about the port right and the answer is these two people here they managed to hack the Galactic Empire and get the plans and you did a good job you put your like behind that the Death Star plans in a very secure location at least the most secure head in the Galactic Empire so these two people managed to go to this location hacking to the other centers install the hard drive and then send the copy of it to the rebellion you know what's the worst the worst thing about that is there was no encryption arrest so they only got a copy of the hard drive and sent to the rebellion that's not really good but that's how they did it so they stole the plans they sent the plans to the rebellion the rebellion quickly attacked the Death Star and for a miracle they managed to shoot the terminal port and everything was destroyed right well i wish good luck for you because now you need to deliver your report for the foreign scandalizes to your boss um good luck now let's talk a little bit about lessons learned right lessons learned of this story and the interesting thing is i use this knowledge where you found out about the problem of the terminal port at the very end of the design at the very end of the building of the software at the very end like before going to production and then there's a problem that happens like in all companies you find a secure problem at the very end and then you need to fix it but nobody wants to fix it before release to production so treadmilling is something that if you have to do early and often so in the case of the death star if you have done like the treadmilling at the design level when people are bought like design is death star and come up with this design of the terminal port you could have seen it or someone bought it from your team seen the problem and then you fix the design right there it's a lot cheaper to fix at the design level or the beginning of the construction or in the case of software beginning of the coding then actually at the very end right and there's a problem that happens all the time so if you want to do treadmilling do early and do often because things change right especially for software change change all the time we pivot we try to implement new features we scope certain features so we need to look at that a certain like amount of time there are always unknowns right um in this case like Luke Skywalker was a very unknown you are like at least three different personas right um so even though you have treadmilling and you have covered some of the risks you always need to think about it that you might have not seen something or there's some sort of information that you don't have it or that you're connecting a very different way so it's not because you haven't done treadmilling it means you're secure it means you cover some of the the worst threats but that doesn't mean you are very secure so you still need to do some work on top of it treadmilling is just beginning and finally treadmilling must be engaging and then again if people go to a meeting that's very boring and they don't like it and it's complicated or it's on a check box they don't engage if they don't engage they don't collaborate if they don't collaborate you don't have the magic of the treadmilling but the morning doesn't work as well as good as they would if people are engaging so in this case I have been using attack trees I think it's been very successful um where I have been done it but it doesn't need doesn't need to be attack trees regardless what you do for treadmilling you need to make sure that people involved they are engaging they're engaged they they have a good time they see value on it so they can keep coming back and keep doing the exercises over and over again cool that's all what I had to talk about today thank you very much maybe the first be with you