and vulnerability management, desktop, AV, firewalls. So I'm more on the coder side, and this is my colleague tonight, Lane. Thanks, Jim. I'm actually just here to look bad so that Dave looks good. Yeah, so I've been working in IT and software engineering and security for about 13 years. I got a PhD from Georgia Tech, electrical and computer engineering, and five years dedicated to security working at what used to be nCircle, but now Tripwire. We're doing vulnerability management. So I'm just gonna put some cards here, because if you have questions about anything, internet security, and you don't necessarily want to raise your hand and be part of the discussion, you can just write your question down on the card, and we can get to some of that stuff after the presentation. That way you guys don't have to feel like you need to necessarily be all public about your questions. And if you have a question, you're too embarrassed to ask or whatever. You can also save them until the end of the presentation and just hang out, meet up with me, and we can talk about this stuff there. So one point before I get started, I wanna thank Holly over here in One Spring for the first time in space. I really appreciate it, Holly. You're welcome very much. Hopefully we live up to all your expectations. Dave, we also have handouts and stickers if you're interested on that table on the left. It's one of the right of our stuff, but feel free to take some of these pamphlets on the left side if you're interested. After I finish talking. You're welcome. You can also have handouts if you wanna do that later. Yeah, yeah. I've got handouts here on the table as well. So if anybody wants these, feel free to grab these and pass them out around the room because this is basically my slides and my notes and printed out one sheet form front and back. So you don't have to feel like you're rushing to take notes down on the cell phone covering. 
So that should save you some time and you can bring this home and talk to your friends and neighbors about it. So let's get started. This is supposed to look like a classic arcade system kind of booting up. And today we're gonna be talking about strategies for protecting the things that matter to you. And so first off, why security? Like why have people come here today? What questions do you have in your mind, concerns about security? Do you guys wanna raise your hand and throw something out there? Okay. I was wondering how much is enough? Indeed, indeed. Anything else? I'm always curious with my kids on their iPads, what they're actually installing, what communications are going out where, and what information are they sharing where. What are they doing? Are they spending all my money? Find all the apps? I've got control of the money. It's just the information I don't know. It only verbally beat them so much. Any Hollywood? Medical devices. Tell me more. Just like afraid of them getting hacked. Correct. I have a pacemaker. It can be accessed from it. How do I know the company and it has really awesome, scary kind of thing to do? Yeah, good point. Anyone else want to throw anything out there? I'll throw a couple up myself. So the ones I came up with are protecting your family. Especially like children, never really. So identity theft and reputation. This is a big one these days for a little statistic on this. I think the last statistics I saw were that 7% of the population over age 16 had been involved with some sort of identity theft. And out of those, 7% of those were victims of multiple identity theft. And that all of them suffered some sort of financial damage. So this is definitely something you want to try to prevent. And like the reputation, this can affect your future. Things like your job prospects. Also preventing scams, losing the money. And a lot of these are correlated too. So preventing scams and protecting your family and that they don't get scammed. 
Another one is being a good citizen and avoiding implication in crime. So the good citizen part is just keeping your computer in a state where hackers aren't breaking into it and then using your computer for denial of service attacks against other companies. And also because sourcing of who's involved with certain hacks is so difficult. You don't want to be the person who's called in by law enforcement saying we saw your computer was doing this thing when that's not something that you were involved in. Last but not least, just circumventing targeted ads. I got a lot of questions from my friends about this. Like, how come it seems like I was looking at something on Amazon and now it's following me around the web? So just that kind of creepy factor of why does it feel like the web has been tracking me? And this is a related, all right. So now we'll talk about some goals for tonight's presentation. And we've got four goals in particular. So one is we want you to leave here and all walk away tonight understanding what are some of the limitations of security training. Security training is a very highly moving target. And one key take, one key point here is that security is not just something you do once, it's something you got to continue working on. And learning and sharing that information is one thing you should continuously be doing. We're also gonna talk about threat modeling. And if you have zero security knowledge to whether you have some security knowledge, we wanna let you walk away here tonight understanding how to do some basic risk assessment to help maximize your security and minimize your risk. Thirdly, we want you to leave here tonight and be able to share some of this information with your friends, maybe help spread the word of this new reboot of EFGA and its interest in helping you to be more secure and such. And lastly, we want you to take away understanding that you need to stay current with security topics. 
So that's some of the goals we have here tonight. So I really like this quote I found, it's that there's no such thing as permanent perfect security. Security is something you're always working towards. And it's always changing. And we'll talk about kind of why that's the case in this next slide and our limitations. So first off, even diligent companies who spend a lot of money on IT and security get compromised and software gets compromised. So I can tell you today, go out and use this software package and then in the news tomorrow, that software package is compromised. So this is, and again, software releases change a lot. You add new features, you get some bugs and that's the inevitable way that this sort of thing works. So these things change very rapidly. And that's why tonight, we're not gonna sit down and say install this, install this, install this. We're gonna focus on methods. So this is things like the risk assessment or threat modeling. So you will know how to approach this as a method. And then you can tailor the software to those methods. Makes you a lot more flexible. Hackers discovering new vulnerabilities and techniques. I think that kind of goes without saying is that they're always looking to break stuff. Right, Lane? Don't you guys know over there? He's a researcher, so he's always trying to break stuff. And then the other one is that this course is really for general day-to-day guidelines. So I've got a lot of buddies here from my company and stuff like that. We're not necessarily gonna cover in-depth into a lot of topics. And this course also doesn't cover a lot of things like a lot of physical security. And it's not really for at-risk populations. Like if you're a journalist working overseas and you're worried about your messaging and stuff like that, we're not gonna get into that. If those are things you're interested in, it's possible that there could be follow-up events more centralized to certain concerns. 
And if that's the case, you know, talk to me afterwards, write it on your note cards, whatever, but this is really just general day-to-day guidelines for you. All right, Edward Snowden. Anybody ever heard of him? Yeah, that'd be great. So, arguing, I'm just gonna read it straight out. So arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. Quite an interesting comment. So, nothing to hide. So, oh, we talked to different people. And you kind of get different schools of thought when it comes to privacy and how you might be able to manage your privacy, you know. Oh, one day you might have people like me who just don't really care, just kidding. But then you have others that don't know that they need to care. And when they do find out they need to care, it might seem overwhelming. It's just something that you just can't, a problem you can't solve. But don't give up, you can do this. Keep calm and we're gonna learn how to do a risk assessment later on. So the right to privacy, and this one really resonated with me, the right to privacy is the right to self. You know, I mean, you own you and you own what you win. You can choose to share. So, for example, with myself, I'd like to, let me preface this with, anytime you deal with security, we have this curve, we call it the security usability curve. You'll find that the more security you try to add to your life, the less usable your technology might be. On the other hand, the more usable it might be, the less secure it might need to be. So when it comes to privacy and how you use technology nowadays, you know, you have to personally measure your own, how much risk are you willing to take on if you use a particular piece of technology versus trying to hide yourself from that particular technology. 
But at the end of the day, if you wanna share a photo on Facebook, you should be able to say, I wanna share this photo on Facebook. But when you go to your bank account or your online banking account, you should be able to say no, nobody should be able to see any of this information. So that's the key point I'm trying to make right here. So another question is, you know, when you come to this, you know, idea of privacy, it's a question of something simple like day to day, like do you wanna lock your doors? Do you wanna have curtains on your windows? Or do you sing in the shower? If you do sing in the shower, you might not want anyone in the world to know this. On the other hand, you might. So at the end of the day, it should be your choice. So next, we're gonna talk about risk assessments and really just boil down. This is focusing security on the things that matter to you. And that's gonna be different for each person. So there's really five steps. And here's a, this cat, what matters is money. So it's like, hey, it's among money. Or maybe pause, I don't know. It's another cat trying to get the money. So the first step is just identifying what you need to protect. These are your assets. And these are things you can just make a list of. So what's important to you, you can rank that. Is it your privacy? Is it privacy online? Is it, you know, the items you have in your house? This doesn't have to be limited to just internet sort of things. So I might ask people, are there any things you can just think of off the top of your head that are assets you wanna protect? Emails? So like the content of the emails? How about your information? What I do in the new business? Exactly. Anyone else? Things you wanna protect? Photographs? Oh, what? Photographs. Photographs? Next question you ask yourself is who do I need to protect it from? Those are gonna be your adversaries. So you gotta think kind of who's, who would come after this? And this isn't necessarily just hackers. 
You know, this could be, I don't want my neighbor when I have him over for a barbecue, like kind of walking around my house and picking stuff up. Or this could be, I don't want the government, like reading information I have and transferring it online. Next up, how likely will I need to protect this? Like what's my risk here? And as you can see, covering kind of the next topic too, is how bad are the consequences if they get it? That's the severity. So one way you can kind of decide what you're gonna focus on is how likely is this gonna happen? And also, how bad are the consequences? This is a nice graph for that. You know, if it's very likely this is gonna happen and the consequences are very severe, you're gonna lose a lot of money, then it's something you might wanna put at the top of your list of things to focus on. Last but not least, what lengths will you go to to prevent it? So, you know, what are my trade-offs? Because any of these things are gonna have trade-offs, whether it be your time to install like a security system, whether it's your money, whether it's just your inconvenience, whether it's slowing down your technology. I mean, if you're running a VPN for connecting to particular networks, going through another system is gonna slow your internet connection down a little bit, but that's a trade-off you might be willing to make. So let's just cover one example of this as it pertains to a deal with your house. You wanna do this one? Sure, sure. So as he said, you know, let's just think about this. How would you wanna protect your home? And so, obviously the asset is your home. Or is it? Maybe it's through a read inside the home. Other things. So just to kind of drill in these steps, we're gonna look at the asset being the home. And so, when we think about a home, who could be an adversary? Just generally speaking, you might say criminal. Could be a pesky uncle that you don't want coming around. 
It could be a nosy neighbor sitting next door, peeking in your windows. Hornet's nest, outside the front door. Yeah. Hate those things. Got strength, but hey, whatever. So what is the likelihood for this to happen? Do you live in a neighborhood with a lot of crime? Do you travel a lot? Do you have lots of neighbors or are you secluded? These are the types of things you have to think about in terms of likelihood. And then severity. You have to think about, okay, what if someone breaks in or they peek through the window, take a picture of you while you're taking a shower and put it on Facebook. What's the severity of these types of issues? And then, there's always trade-offs. That's kind of almost to that security, the same kind of analogy, the security versus usability thing. You're gonna have trade-offs. How secure do you want it versus how insecure do you want it? You wanna have just good locks on your door, security system, or do you wanna go off and hire a security guard? And as you can see, this is kind of, depending on what you determine your likelihood of having your house broken into and the severity of what might be stolen, you may have increasing trade-offs to prevent that. So, at the very bottom of the spectrum might be you don't lock your doors and now you wanna lock your doors, right? Going up the list might be you wanna buy better door locks. Going up the list even more is maybe investing in a security system. So, now we're gonna talk about strategies once you know your risk. And Han Solo in carbonite doesn't really have anything in particular to do with contain and harden. It's just the fact that I wanted an image that would make you think about contain and harden and I guess, Han frozen in carbonite might do that. So, some strategies you can approach. Contain, this is just separating outside from inside. And this could be applied to different things. This could be with your accounts, with your Wi-Fi networks. 
I particularly like this image because it's your little Wi-Fi thing that it's separated and divided. So this would be like with your Wi-Fi setting up separate guest accounts from your own internal personal accounts that you've got your devices on. So if you have guests over at your house and you're throwing them on your Wi-Fi network, they don't have access to everything in your house. And also your accounts. So, good idea to separate things like in Facebook if you've got a work account and you do your work there. Maybe you also have a family account which is where you post photos of your family members or talk to your family, have different friends sets. And then also like if you've had a different hobby setting or different accounts for those. So some of the ideas of just separation of what information you share and what friends you have on there. Let's talk about hardening. So this is just what you need for as long as it's necessary. And it helps minimize your attack surface which is how many things you have that can have vulnerabilities that could lead to you having vulnerability and getting hacked. So the fewer things you have, obviously the fewer things you have to maintain, the fewer things you have to worry about. So some examples of that are applications, users on the system, browser plugins, and then even things that are just not things you install but features of these products. So like Wi-Fi, Bluetooth, and even sharing like Dropbox and stuff like this. So I would say a couple examples of this. You know, if you're traveling, maybe you wanna have your airlines app on your phone and use that. You know when you're not traveling? Do you really need it on there? Yeah, but do you wanna worry about it? Do you wanna have to use the bandwidth to keep it updated all the time? You know, maybe you remove it for a certain period of time. With sharing, you know, you're sharing some family photos of a Dropbox, Google Drive, iCloud, whatever service you use. 
You know, share it with just the people you wanna actually share it with. When you're done sharing it, turn it off. You could go as far as trying to install it if you want to, but basically don't just sit there, at least remove the things from the folder or stop sharing them. So that way you don't just have stuff on the network all the time that you have to worry about. And kind of one of the biggest ones here too is with your software, keep it current. You wanna always install your updates and you can enable auto updates for that. Most systems now come with auto update enabled by default. Definitely recommend that. And for things that don't, a lot of software now has like a once a month cadence or somewhere around third or fourth week in a month, they will push upgrades so you can check like one night for upgrades. Did you have a question? Yeah, because you were mentioning sharing things like Dropbox. Even when I delete things from there, they've backed them up. So it still exists out there. Yeah, a lot of times. So, you know, I'm wondering about because I've been examining this myself, I'd like to hear your opinions of actually encrypting the stuff out on Dropbox before you put it out there. Yes. Things like Boxcryptor and other pieces of software. There used to be another one. I can't remember the name, but apparently at a day of vulnerability is they stopped using it. Yeah, I would definitely recommend that you encrypt your backups. You know anything that might contain any sensitive information like your laptop, you might have tax returns on it. If you're creating an off-site backup of that or even an on-site backup. Because you have to again think about adversaries. And if I'm doing an off-site backup, the site might get compromised. For my own personal backup in my house, somebody could break in and just take that drive and then they've got my data too. And we're gonna actually kind of address that as one of our use cases. 
But yeah, I would recommend encryption. And that brings up our next section on tools. So you're like ahead of the game now. I'm sorry. I think we need to jump together. Whatever you need. All right, tools. Encryption makes data unreadable by others, and we were just talking about it. I don't know if you're familiar with encryption or not, but there are really two main types of encryption that we are concerned with nowadays when we're talking about tools. One is the data on your devices. And this can get really tricky when you start defining devices, but at a minimum you might talk about your cell phone, your laptops, your personal computers, et cetera, et cetera. Encrypting the data on those devices. And in particular, your mobile devices. The ones that can be encrypted at least. Because if you lose your phone, encrypting that data is one significant measure you can take to prevent. The other aspect of security is gonna be security in transit. So, for example, the world just runs off of the web slash the hypertext transfer protocol, HTTP. And you wanna be very keen on using HTTPS when you can. Many sites will have dual sites that run on both HTTP and HTTPS. But sometimes they might not necessarily redirect you there. So certain tools, for example, VPN tools and such, they'll try to do that part for you. Now if there's one thing I wanted to mention here, kind of irks me, in the app world, you might not know this, but a significant proportion of the apps you might use on your phone is gonna run over HTTP. You hope they run over HTTPS. So when you're using an app, if you're gonna do banking, I'm just using an example, if you're gonna connect to your bank, they'll ever do it with a third party type tool. I wouldn't even suggest doing it on the browser. You have to assume that the bank itself is gonna, you know, they're concerned about securing or protecting your money just as much as you are. 
So like if I was going to Bank of America, I wouldn't use the Bank of America app on my phone because I know that the bottom end is gonna be using HTTPS. So the point I'm trying to make there is, all of the apps we use today, many of them will use HTTP or HTTPS. So when you're using your apps, you wanna make sure you get an app you can trust that would be using HTTPS on the bottom end. Passwords, passwords. Use them, use them, use passwords. We're gonna talk about this a little bit more in just a minute, but passwords, you wanna make sure you use good passwords. I'm not gonna dig into that because we've got a slide that's coming up, but multi-factor authentication. Anybody know what multi-factor MFA is? DFA, dual factor authentication. It's based on the premise of, the password is one particular token that you have to keep, that lets you get access to your information. When you have multiple of those, it becomes harder to break into that particular system and use it. So nowadays, dual factor authentication, especially on websites, has become very common and it's something you should consider using. It's based on the premise, as I said, of something you know versus something you own. In this case, oftentimes these applications nowadays are residing on your phone, which is something you own. It generates a token that you can couple with your password. So passwords, even I know what that is in the background, by chance? I think it's an A1. An A1? You got it back to, I see it back there. Let's talk about passwords, you go a little bit. There's so much fun to talk about. Using a password manager. So how many of us feel like this when we're on the web and that everything's gotta log in in the password and you gotta remember all of them, you gotta keep them up to date, change them from time to time and make them secure and you really want unique passwords for every site you visit. 
And the reason for that is because sites do get compromised like we discussed, like even ones with great security, they could be compromised from time to time for various reasons and nowadays like log in for every site's, what, like your email address, right? So then they just can go take email addresses, try different sites right down the line. So you got Dropbox, LinkedIn, Facebook, Google, right down the line. So you wanna have unique passwords for each site and that's not easy, right? So one recommendation is using a password manager. The one that Electronic Frontiers recommends is KeePassX and that's one you can find on the web, just search for it. The interesting thing is it's Kee, K-E-E instead of K-E-Y. So just pointing that out, I think there is also a key, K-E-Y pass. But this helps automate some of this process where, well I see taking a picture of how you can also, if you need the information, you can grab a sheet too. So you know, we've got sheets up here that's kind of a recap of the information in case anybody came in, later needs it. But this way you can generate strong unique passwords for every site and store them. The one caveat I do wanna say about that is password managers do introduce their own risk because now you're taking all your passwords and putting them in one place on your computer. So keep that in mind. But the trade-off for most people is usually worth it. This is the risk versus the reward and the trade-off. You know, strong passwords in site. And if you are creating your own passwords, one thing I think people should be familiar with is instead of using a password, it doesn't have to be a password, it can be a phrase. And so by having a longer phrase, you're actually setting yourself up for having a harder password to hack. So some recommendations around this that you sometimes see, think of a line from a movie or a song or something that you'll remember. 
And then you go in and add things like spaces and capitalization, then you do funky things with the letters, like turn the E's into threes and O's into zeros and stuff. And now you have something that's got a lot more complexity than just password and one single word. And then again, talking about enabling multi-factor authentication. Whenever you can, for whatever site you can. And it probably goes without saying, but don't write down or store them in clear text, unencrypted, because then that just kind of defeats the purpose of storing them. So next up, we're gonna talk about app hardening. So this is just some of the principles for hardening applied to apps and where you're installing from. So take away anything. Yeah, as I mentioned earlier, you wanna make sure you're using reputable sources. So I mean, Google, if you're on Android, Google Play, if you're on iPhone, you've got the Apple store, I don't use, what is the name of the Apple? Apple store. Apple store, okay, sorry. So when you start using apps from third party sites, you really are stepping into a minefield. This usually happens if you, okay, I'm sorry, I was stepping ahead of myself. Well, I don't know that I necessarily, you're gonna say jailbreak. Jailbreak. I didn't throw that into the vices, but. Jailbreak, okay. Jailbreaking is one thing that lets you easy, use third party apps easier, but at the end of the day, you know, unless you're just hacking and trying to develop technology, you just really just don't do it, especially if it's your personal devices. You wanna ask yourself, is the app authentic? You know, what's the purpose of this app? What is there really, what's the underlying bottom end? You know, is it free? There's nothing in the world called free. So that's the first thing that you want to think about when you start downloading a free app. What's the underlying motives of these developers? I mean, is it a data collection system at the end of the day, et cetera, et cetera. 
Sometimes it takes a day. Sometimes it takes a day, absolutely. Commitment, how specialized are they? If someone's, you know, if this app provider, if they're doing just all types of apps, or they specialize in one particular type of app, you know, if it's some, you know, jack-of-all-trade shop, then you can automatically assume that the application is probably not gonna be as secure as someone that's, you know, dedicated to building that app with that device as well. You know, another example is, in terms of devices, is, you know, your Wi-Fi router at home. You know, is it coming out of, you know, some low-end shop in China, or is it somebody dedicated to these devices? Because even the guys that are dedicated, as we mentioned earlier, can't get security one. But the ones that don't care and just wanna make a profit, I can assure you that it's zero interest in looking at security. One thing I kinda wanted to add to this is this is app hardening. But these same principles also apply to, like, hardware and things like that. Like if you're buying a new Wi-Fi router, same rules apply, lose the source. As I say, the security priority. One way you can check that is how frequently they update. A lot of them have support sites and you can check out how frequently they put out firmware updates, right? Yes, absolutely. And in terms of automatic updating, you know, this has been a real stickler for a long time. So nowadays with your devices, you know, at one time it was like, oh goodness, they're gonna install an update, what's gonna tear out, what's gonna, what am I gonna have to reconfigure, et cetera, et cetera. End of the day, it's still good to make sure you're getting with auto update stuff. Just turn it on and forget it. In the world, if you start going and looking at your personal computers, your laptops and such, you know, if you have, in the enterprise, we find issues where auto update is just not really a solution. We have to really work with it. 
But it's in our normal day-to-day lives. Auto update, turning on, you know, forget about it, it was really a good model to follow. Not sharing. This is another thing. You know, you download it now, you install it, the first thing it's gonna do is pop up this long list of, okay, I've got to access this, this, and this. You know, you're gonna play some game that it wants access to, I don't know, it's your GPS, okay. Maybe it does need access to your GPS. You're playing, you know, the OSF game pulls out, you know, that Pokemon, Pokemon game now. Don't you catch them all? I don't play Pokemon at all, man. You guys like them all. But then, you know, it might need access to GPS, but it does it need access to your local file system or, you know, your special file system or anything like that. You really gotta take, you know, take a close look at those. Oftentimes, the application developers will want more access than they really need. Yeah, one part actually was just noticing with the phone the other day. Some of them want access to the GPS, but they'll have different levels you can either get access all the time, even when the app isn't running, or only when the app is running. And you can actually go in and, I know, I don't know about my Android phone, I don't play it, I don't know. But on the phone, you can go into the GPS section and see which apps are trying to use, even Google Maps wants to default to using it even when it's off. And I'm like, no, why does Google need to know that? And you can kind of sit here and go, well, you know, maybe they want to advertise, you're looking for coffee and you're in an area with coffee or something in the future, but exactly what you said. Yeah, exactly what I said. And it's still accessing my GPS. Like Google Maps wants access to my photos and my contacts, contacts, maybe it wants to make it easier for me to say, drive to my friend's house, but, you know, is the trade off there that I like better? 
And this actually ties into the types of data you might want to share. If we could just actually just move on that scenario. It could be that Maps is wanting to take one of your pictures and stamp it somewhere so that someone can see your picture. Well, if that is hidden in the, you know, what you're going to let it do, then, you know, you're doing it, even though you didn't really know you wanted to do it. So at this point, I was going to say we've really come to the end of the techniques and tools section. And this is where we're just going to like show how you can apply some of this stuff. So like I said, you know, just getting started with this for everyday use. You don't need a whole lot of tools. You don't need to know a whole lot of things. It's more important that you dive in, make your risk model. Know what's important to you and then start applying some of these techniques. So at this point, what I'm really hoping is that you're all going to get bored and be like just forward through that slide. We already covered that. We already talked about that. Just move on. We already have heard that. So let's talk about security at home. And when you do this, you want to of course work your way from the outside to the inside. So you're going to start with your gateways and wireless setups and secure those and then get to things like TVs and stuff like that that's inside your network. And dealing with that, setting up your Wi-Fi, let's apply, like, contain and harden principles. So we're going to use strong encryption. There's the encryption tool at the moment. That's WPA2. Who knows in the future? Something else, WPA3, whatever they want to call it. So use whatever the strongest encryption you have. Use strong passwords and separate your guests and your internal networks. Again, containing and passwords and uniqueness. Disable features you're not using. That's again, the hardening principle of what you don't need, don't use, turn it off. 
The one we recommend to everybody, just go ahead and disable if you can on your model of router is WPS, horrible, horrible feature for security. Just turn it off. And then if you have unused services like remote management, you're not needing to log in to your Wi-Fi that often. Your remote management, you can turn that off like web interfaces always have a lot of vulnerabilities. It's got a remote web interface, you can disable that, do it. DLNA, UPnP, just other things like file sharing and device setup. If you're not using them, if you don't know, turn it off. See if it changes anything, like your TV still works, your phone still works. You know, leave it off until you need it. And then update it frequently. I got one more bullet on it for you. Change the damn default password of that router, because all you have to do is Google it. You can find the default username and password for any device out there. Yeah, that's a really good one everybody would write down on their sheet. If you need a pen, let me know. I brought a whole piece. Anyone? Is there a question about routers? I've read about how hackers can sit outside their home and if they collect enough of your Wi-Fi signals, they can, are there certain routers that are better at defeating that than others? I think it's more protocol. So like WP, for example, is a specific case but not mistaken about where they can collect another data and try to then break in. Sorry? Yeah, yeah, great. Well, even with WPA2, you can enterprise version of EAP where you can listen to enough traffic and be able to push the keys, bring it up on your computer. Yeah. Incredible. You're outside signal at that point. So literally, no. But you brought up your phone by second, I think, too. Yeah. Yeah, and also the fact that this also falls in your threat model, in your adversaries, like, I'm not that interesting. Like, I don't know anybody who can sit in front of my house and do that. 
Maybe, but a lot of that falls into what are you trying to protect against? It's kind of like with windows on your house. You know, if somebody really wants to get in your house, they're going to get a rock and throw it through the window. They're going to find the most vulnerable spot. So you do kind of have to triage and say, what do I want? What do I want to look at? Did anybody else have any? Well, actually, this gets into the convenience versus other, which is, on some of these routers, you can actually limit the MAC addresses that can even attach to the network. So unless they're doing MAC address spoofing, you can really add limits to that. But then that means anybody that wants to get in your phone, you've got to put that new MAC address in and add it to the list of approved. Yeah, and also, usually on these devices, one of the things that has a lot of vulnerabilities is the built-in web server serving up your configuration. You were going to say this. I was going to say today, you're big. I'm going to tell you, this is Craig Yellam, who was going to be here tonight. I'm standing in for Craig. Did a lot of research on hacking routers. And the router itself out there are very, very vulnerable. You've got more of a chance of someone hacking into your router and just breaking in, just using a web-based vulnerability and then cracking your Wi-Fi encryption. That is where this piece, and what we were saying earlier about when you're looking at your devices, become very important. And this piece right here really irks me in this topic, because when you talk about who updates the router at home. 5%? He's a pentester, by the way. It's OK, you can count. You go to a general audience, and that hand is going to be less than 1%. This piece right here is very, very difficult to bet. They don't have an auto update feature by and large up to date. Maybe they're going to start doing this. But once again, these are low-cost commodity devices and they don't care. 
So it's a sticky, sticky situation. I've found that many of the off-the-shelf routers, they don't do software updates all that often. Then all of a sudden, like a bad habit, they stop. And then if you want to get updates, you're going to go out and find your router, which is why I gave up on it and built a PSN spot on the wall. And while it was access-plot. I keep throwing away $80, $250 all the time buying new routers. I will mention any like, anything like this. They're pretty bad about it, like you get the one firmware and then they never update again. And so factor that into when you buy their equipment for other ones. And there's another piece I want to add here. Very, very key piece. The remote management disabling is very, very key on having that happen. Because the opposite means they have to hack into your, they have to get into your encrypted wireless network and then hack into the router. If most of these by default nowadays do become, I don't know the statistics on it, but the remote management is now often disabled. But that is a key piece to this. If you have remote management on your Wi-Fi, then you are really setting yourself up. Is that what you were talking about earlier with the web browser, Dave? Yeah. Yeah, there's different ones. But a lot of them will be a remote web interface you can disable or some of them as well. Like you big with your routers, they have like a remote web interface that you can enable when you need it and disable it or they have software that you can use. And I'm sorry, I didn't mean to get your question. These things, they're designed, the design of these things that use web interface to actually let you manage it. Yeah, yeah. Yeah, so you basically, you know, go to your web browser 192.168 or some other address that's on your network and that's your gateway address. So it's like hitting a web page. You're configuring it through a web interface like a website to define web-based user. 
Even their face and app, you show a few equity links and others when you're using the app on your phone, it's still getting booked. Now it is HTTPS, but it's getting sold. REST API, that's my friend. All right, security while traveling, Lane. All right, so your local favorite coffee shop is not your friend when it comes to Wi-Fi. You better be careful. So in terms of security, traveling or just moving around basic stuff, you know, this goes without saying, but you can pick up habits and you just don't think about it. So devices, leaving your devices unattended. So Dave came to me today in my office and my phone's sitting there and said, phew, I left your phone unattended. Okay, but when you're traveling, now you lay your phone down on the table, you lose it, you know, it can happen. But that's one of the reasons we've stressed like, doing disk encryption on your devices and stuff. But at the end of the day, try to keep a hand on your phone because these things are full-fledged computers now, your life is on them. So I wanna say one more thing about that. So there's probably a Starbucks within under a mile of here. Actually, I don't know if it's because I work here, but if you walk into pretty much any Starbucks or other coffee shop, you're just gonna see people's laptops sitting there. No password with their phone sitting on it and they're using the restroom or talking to a friend or whatever. And at airports too, I love it. People do the like, charge my phone and then like, sleeping across the airport in the corner somewhere because there's not that many chargers. So I just don't do that. Right, just connected from this, so that's fine. Treat public systems as untrustworthy. I mean, you know, use them at your own risk. 
If you're going to a hotel or something, for example, and you don't have your laptop, I mean, if you've got to use the computer, the public computer they have there, be very careful, but do not log into a site, go into your password or information there. Print your ticket if it's very, very safe, but other than that, don't do it. Avoid Wi-Fi, as I was alluding to when we first started, IE, the coffee shop, your favorite bookstore. Open Wi-Fi is something you just need to really be, you need to understand that your information is a little over-networked that other people can connect to. If you do have to do it, use some type of a VPN, what we call a secure tunnel, so that even if you're on that network, at least your data is encrypted to a better level as it's going through. But refrain from it when you can. As we said, just don't use public computers, mostly because you don't know the reputation of that computer, you don't know who's been on that computer, installed a keystroke logger, logging your keystrokes, sending it to their server or what malware has been installed on there, so you don't know how trustworthy that system is, so it's really best to stay off of it. And if you know you have that situation where you absolutely have to use it, it's really better to try to use your phone if you can, or maybe change your passwords afterwards. I don't have a lot of great strategies for if you end up in a situation where you have to use it. And lastly, I know this sounds, when I first saw this slide, I was like, don't leave items in the printer in fax, but I got to think about it, my wife comes home all the time and I hear the printer start kicking on because she's printed somewhere else and now it's just pointing to my wife's printer at home. And I'm like, what is this? Is what if she's printing some kind of confidential information? My wife's a nurse practitioner, so she did it with medical records. 
So that's actually, I've had to work with her like, really, you've got to be careful where you print, so that's just one implication of the idea of just don't leave the stuff in the printer in the fax. I've seen people in our office print things, I've had social security numbers and things like that on them and then everyone forgets to pick that stuff up because then you get called to a meeting and then I'm in the printer room like, oh, I've got all these nice social security numbers. We went on a good vector track this week, I just scanned the printer. I'm sure you can print that. So again, I hope a lot of that was just review of things you've already seen. Let's talk a little bit now about the my security. You left something down, USB sticks. Yes, evil printing death. I think I recovered that somewhere. There was a section, oh, it's actually the bottom of this one. Yes, I got you, man. Don't worry, I got you. So device security, full disk encryption. This is something you do once, set it and forget it. Protect you if you'd like to leave your cell phone in the cab, enable lock screen and password and something we've said several times now. Hardening, Lane already discussed that don't jailbreak and only install what you need, keep that stuff updated. The jailbreaking thing besides just making the sources you're getting things from, be possibly unreviewable sources. The other principle that kind of breaks is the fact that some things, if you jailbreak them, you can't then install OS updates and you always want to be installing your OS updates. So you're setting yourself back. Containing, this is mostly laptops, but this is separating accounts. So on the laptop, if you don't need admin, don't give it to yourself, have a separate account that's admin and separate your admin and user accounts so your users can't do things like install drivers and do all the admin fun things. Cover your laptop, camera and microphone. 
There are different exploits out there which allow you to control things like flashlights where you can take control of people's cameras. And I think there's also a JavaScript way to do that that I saw recently. So, yeah, right? What's that? Sure is. What do you need to cover up? I've got one of the things from Security Convention where it's like a little flip window where you can open it up closer. We have some of these stickers for that purpose, but here's mine. Do we have some of the EFF stickers? Yeah, they're over there on the left here. I want one. There's some on the left-hand side here and there's like five or six of them. So you can place it. No, torque really good. Cover all of the cameras. Yeah, post-it notes. And here you go. I got you covered. So this is using your own trusted peripherals, accessories. So this is really, this is both USB drives, so you really have to be careful when it comes from taking USB drives from untrusted people. And also, this applies to even like charging accessories. So, you know, you go to the airport and a lot of them will be super handy and they'll have these little USB, you know, chargers. And so you can just go in and take a phone and charge USB. Remember, USB does data and it does power. So you can get both over it. So you could mount a device over USB on one of those or possibly push data over that connection. So I recommend carry your charging accessories with the plug, plug it into power. Actually plug it into power. I know sometimes airlines will just put the USB ones and you don't really have the power option. So in that case, you know, bring like a little backup battery charger that you can use instead. There's also the one way to pass it to the USB. Yes. Which is it? Yeah, if you're not familiar with those, do you want to describe that just a little bit? 
I mean, you can, they gave much about the BSides in Las Vegas actually, with it's like an attachment you put on the end of USB when you plug it in, you only get electricity and no data. So it's like a part of your... I saw a box that also emulated a keyboard and it would be the... I forgot. I'm going to give you that. Uh-huh. Do you remember that? Yeah, I did. Did you have a question? I was going to ask, how do you know if your phone is full disk encrypted? Oh, you can general, so you can check your settings. So a lot of them, I know at least on iOS, when they upgraded to iOS 10, when it was one of the questions they asked when they installed the upgrade is, we recommend you do full disk encryption now. And that was one of the steps, but you can go in both to your laptop. It's just one of those things you have to hunt through settings. I'm sure you can do a web search for it and find it and it'll tell you whether it's on or off. And if it's not, it can take a while. Because the first time you enable encryption it's going to go through and encrypt everything. So it'll take a while, but it really is a set. I don't want to forget a thing. Question here. I was going to add something. Just like something that I see all the time, especially you guys, is that people usually, maybe that rush to go to the bathroom or something. But they'll usually leave the computer on. Whereas like, it's really easy. There's usually shortcuts to lock your computer. So who knows, it's like, the windows like, and then they'll, yeah. Then it'll just automatically put your computer to sleep. And usually you'll have to type a password in a lot of people don't really know what it is. Yeah, yeah, that's a good, that's a good thing. And also on a Mac, they don't make it as easy. What you can do is you can set a hot corner for your screen saver. And then you can have your screen saver enable and set a lock screen. So you, oh, go ahead. On Macs, there's an alt command and then the parallel. 
Okay, that'll do it. Computer to sleep. As long as you have the lock screen or it can go to lock screen as soon as it goes to sleep, that always works. Okay, the other thing too is the time outs on some of these things where like setting your lock screens it's usually recommended you set a pretty low frequency on that or like 30 seconds to a minute, whatever doesn't annoy the heck out of you too much. So that way, even if you do, you know, leave your phone unattended or whatever, it's gonna lock on its own after some small amount of time. Yours did today, I picked it up. Oh no, I never, it's just a habit of mine. I didn't get that power left for you. I did, that's a quick question. Is that what your phone's security? I'm just curious about the preference of having an Apple phone if you're doing a password or doing your biometric. So there's a lot of opinions on that actually. Usually they recommend if you're doing things like going to protests and doing like activism where your phone could be seized by law enforcement, they say you should use not the four digit PIN but you can actually go into your settings and enable longer passwords and use that. And that's mostly a coercement thing that law enforcement is easier to coerce you to have to enter a password than just use your thumb print, get thumb prints off of other things. As far as overall security, I'm not really sure. You have a, yeah, it's a mixed bag. I guess, I don't know if one's better versus the other. I find watching people, I want to use that, use that just like it better. Now I prefer PIN or digit codes. What idea would you have to have a thumb print reader? If it takes five bad reads, then it will force you to use a password. 
So if you're going to travel or you're getting a car or something like that here, if you're in a more compromised situation for whatever reason, you can go ahead and use the wrong finger five times and then it'll still be, your phone will still be on, but it will force you to use a password that way. So that's one, if you like the convenience of the fingerprint reader, but you want to be able to disable it selectively, that's one way to tell it not to do that. And obviously if you shut down the device and restart it, the first time you always have to enter a password in print. I think we're pretty close with that, so if you didn't do that to us. And what doesn't annoy you too much too, like if the thumbprint's convenient, so you'll have it on versus having like a 20 digit password that you're just going to go tag with this and then not have anything, you know, there's a little bit of a trade off there. Do you want to talk about security online? Let's talk about security online. So email, protecting yourself in the email. Nowadays, phishing is a huge, huge issue we have to deal with. And when we set up parents on, you know, avoid phishing, well sometimes it can be harder or not as easy to do. I find that, and most people find that, you know, the low class, so to speak, phishing emails, they're kind of easy to spot. But there can be some very, very sophisticated phishing attacks, especially if you're part of a spear phishing attack and you're a highly targeted individual. For example, if you're the CEO of a company, attackers can go to a lot of lengths to try to, you know, really do view it to actually downloading an attachment. Could be a spreadsheet, some folks supposedly from finance department or such. But the point here is you really want to take and put a close eye on links and attachments and the emails you get. You just get an email and you don't act on it, that's okay. 
But once you click the attachment and download it or hit the link, then you can really set yourself up. Nowadays, you've got to be really, really cautious about this. I want to add just a couple things on this too, is that, you know, a lot of security training will tell you, if you see a link in an email, there's some techniques where you can hover over it and it'll show you what the path is. A lot of those, I see like, no, no, don't do that. Don't do that? Yeah, because the thing is- You can hover over it and it'll still, they do this stuff, they just do that. Yeah, I'm kind of screwed. Right, and you know, a lot of them will show like a little preview while it's loading that page, you know. And also, I mean, if you're really adapted trying to get in this person's system, pentesters will do things like they'll set up a fake site or instead of apple.com, it'll be apple with like a Greek alpha for the A. It looks like apple.com I'm going to. So this whole thing of like checking the links and going, oh, it looks like apple.com, I'm safe. Even with the senders, you know, it looks like it's from support at apple.com. If somebody's actually targeting you, you know, they can fake that sort of stuff. So it looks like a reputable site. So I generally recommend just to be safer, avoid any links coming in an email. If you need to go into the link, like it says, you need to log into your bank account, just go to your bank website. Go to bbt.com on a web browser, sign in, or call their technical support department if you have a question. You can't get to that section. And with attachments, the key here is, you know, be expecting them. If I talked to my wife, it's actually there in the front row. And I say, so you're going to send me those slides for my presentation. I forgot I'm at home. Then I'm expecting that. So I get a zip file, slides from her, something I was expecting. Or if I got it out of the blue, give her a call. 
Hi, I got this attachment from you that says family photos from the beach. What is that? You know, check, check on these things. They'll just download it. I see it's a zip file, let me go ahead and open it. So those are a couple of techniques. But public away messages and reply all. These are actually two things you might not really think about it first. Now in business, you might need to set up, you know, business requirements. You might dictate the need to set an auto reply message when you're away. But if you've got your public, personal accounts, you know, really, really stay away from it. Especially like, you know, depending on how the email system works, you know, you get spam coming in and the spam might automatically go to a spam folder. But it might not necessarily go there before it triggers your reply message. And reply all. You know, this is a really interesting one. You might not think about it, but if you hit the wrong button and you're, you know, you're copying confidential information, the email thread that you've been, you know, back and forth with someone, this could be a mistake. And now you're gonna reply to other people sitting down information that they don't need to get. So nowadays, you know, paying a little attention to these little details can actually go a long way. It's strange, I actually get you the option when you do a, then a wait message of only doing it to your domain. Not taking it to your domain. There's the things that you can do there, for sure. And browsing. Be careful when you're browsing. As we talked several times today, you wanna make sure you use an HTTPS, secure HTTPS so that your data's being encrypted and moving back and forth. You can use plugins in your private browser as we were mentioning earlier. For example, one such plugin is HTTPS everywhere. And that's used and supported by Electronic Frontier Foundation, I believe they're part of the software project that created that. So they're a regular source. 
And it will basically, when you go to a website, it's gonna try and use the encrypted version or tell you specifically you're not gonna get the encrypted version. So it gives you a little bit more visibility there. Browser types. You might think we're starting an OS war here, but in fact, we're not. You know, when it comes to Chrome or Firefox, these are folks that are dedicated to building browsers and keeping up to date with the latest standards and technologies. And they literally remove their enhancements and security features and stuff, usually moving at faster cadence. So that's why we kinda suggest those two. IE and Safari. They kinda come out once a month when you have your security updates as opposed to when needed. So using stored passwords when you're in your browser, I would say never do that. And even if you don't even wanna use, auto-fill the settings. And you want to set prompts for installs and the ability to enable plug-ins. These are the best basics. Security, hygiene, things that you can follow. Let's talk a little bit about data security and privacy. And then we've got one more slide and they're all done. So the website here, you can check haveibeenpwned.com, that's a fun one. Put it in your email address and see if it's anywhere on the internet. See what hacks have happened to different companies and what data's been exposed. So this is one you can check and just see what data viewers is out there. You did not like, did you give me out there? Next up, go through, yes? I've been asked this several times as well. Does it clutch or do you know you have your security mail in there? Someone said to me that it puts in a database and puts it on there, the problem it does. Honestly, it's one of those words. I've been asked this several times and I was like, I don't know. I don't know either, I don't know either. There probably are terms on the site, but for me, it's one of those things where there's cool research. 
It's a good question, I mean, and the trade-off. A lot of these sites, social media sites, whatnot, Facebook, Google, they actually have like privacy checkups and stuff you can go through or it'll say, hey, do you know you, we can see this information if you're not one of your friends. Go through that stuff. There's also a plug-in that EFF creates called Privacy Badger, it's a nice plug-in. It will do things like, will block things like ad trackers and stuff like that. They're annoying, so that's a good one. And also, this one is just, it mostly applies to Google, but this is just the don't sign in when you're searching. So, you know, Chrome, you don't necessarily need to sign into Chrome. You don't necessarily need to go into, when you're on Chrome's website, it says, I mean, Google's search engine says, do you want to sign in? You'll necessarily have to sign in. Like, why do you need to sign in to start the internet? And also, partner sites. So, like YouTube, part of Google, you're over at YouTube, you're searching for stuff, then you go to Google. It's kind of interesting in the way that the two of them know what you see on both sites. You can also use an anonymous search engine, DuckDuckGo, it's one example of that. I haven't audited their website either to see, like, do they collect anything on you and any of your data. They do say, this is our business model, that we don't do it, but it is a research engine. So, you kind of got to wonder, are they just making money on some other ad tracking mode? My question is regarding how I can call them. Yes. Why have you signed on this Google result and Google your images to see them? You could do that too. This is... But which one is, if anyone has done it, they've done it on various bulletins back then. You can always Google yourself and see what's out there, but when you're, it's database that you're pulling from are the big data breaches. 
So, if you were an Ashley Madison victim, like, it would tell you, it tells you what, where your email's popped up in different data dumps. So, if you're using a password that's relevant to any of those data dumps or anything else, people will have their scripts trying them on all their websites. I'll password for that email. I'll try it on your hotmail and I'm gonna try it on your different logins. Yeah, and it will also say like, you know, Dropbox, Compromise 2015, LinkedIn, Compromise 2016. So, it gives you a little bit of context. Mike. In addition to DuckDuckGo, it's gonna throw out startpage.com. Interesting, haven't heard of that one. Yeah, it basically anonymizes a Google search. Right. It's an $6.00 over HTTPS2, which is nice. Right, okay. Did everybody hear that? There's a couple other ones too, that I've heard of, that are in that same vein as it's like Google search, but anonymized. Encrypted messaging. I don't know if you guys have heard of Signal. So, it's an app for sending encrypted messages to anybody, family, friends, whatever. You've probably heard of WhatsApp. That's kind of the more popular system, because that's the one that Facebook bought, and then did whatever they did to it. So, if it were me, and it is, I use Signal, because it's the same system of whisper system, encrypted messaging, but not necessarily with all the same corporate flow, and possibly tracking that you would want, or not want. And last but not least, this is that creating encrypted backups that you talked about. And Lane, actually, when he saw this slide, he's like, yeah, and that's actually a good point for protecting yourself from ransomware as well, because if you've got encrypted backups, and somebody hijacks your computer and says you've got to pay this fine, what are you telling them? Just don't do it. Make sure you've got backups. Data security privacy is kind of an encrypted backup. So, encrypted, okay, I can link that to privacy. 
Would you think a backup is coupled to data security? Nowadays, it actually is. Your data is your life nowadays. And so, if you ensure that your most valuable data, if not all your data, is backed up, and you're kind of securing that data for yourself, encrypted is just something we're preaching about. You don't want to back it up wherever you back it up on encrypted, but in the world of ransomware, when they, however your system might compromise via ransomware, just blow it away, start it over, pull your data back in. That's really the best model to follow nowadays. And social media is kind of tied into a lot of these things, but we put a slide up, just, you know, because social media is a big thing these days. You want to grab this one, Lane? It's always good. You guys all recognize this guy? Yes? Show of hands, who's seen this video before? How long ago was this? Does anybody know? It's like, five years? I don't know, man. Has it been that long? It's always been, yeah. Yeah, I think it first came to my, Yeah, all right. Yeah. So, you know, I did a quick Google for Star Wars kid or whatever to get this video and it popped right up. So, you know, online forever. That four guys, 20s, 30s, 40s now. He's still there. So think before you share. So, you want things, you know, practices you want to follow, removing a sense of information from your various sides. You don't have to give them information, just don't give it. If you gotta give them your birthday, give them a fake birthday, stuff like that. You know, in Facebook, that kind of information you want to make public versus private is really kind of an individual choice, but at the end of the day, if you want to be more secure, you want to limit the amount of information you can provide to any source. 
When you travel, you know, if you're posting and tagging photos when you're away, well, for one, when you start, you know, if there are criminals targeting vacationers, well, they could use that public information to locate where you are and such. Likewise, if there's a criminal scope in your house out and they can access that information, well, then they know you're out of town and boom, home alone. Home alone, yep, absolutely. Remove photo metadata, you know, data, if you've ever looked at an image somewhere and said, how did Google know this? Well, that's the metadata inside your photos when you take them. So if you use a tool to remove that metadata, that's a good technique to follow. And I think some online services now will give you an option when you post you can remove metadata. I think YouTube will do that, but you can also use third party ones. Okay, using acts like Lightroom and you're exporting to Facebook or whatever, it will strip the metadata off. If you just tell it, no metadata. Perfect. Or at mine, just tell it to keep the copyright. And it strips off the metadata and just leaves the copyright down. Well, and I've always shown off your values. Do it on KTV. That was my house. I've got a little story to tell of this. So there's some friend I have or somehow I saw it on Facebook, this lady, or something, I don't know if it's a lady or man, I forget, so good while back, but they bought this little widget, had it on their desk and took a picture of it and posted it on Facebook. And then right behind it, they had the checkbook open. Oh, didn't even realize it took a picture of the checkbook. Now, when you think about social media, I mean, you might say, oh, I'm gonna delete this photo, but does it really get deleted, especially after it starts propagating through the network? So that lady's bank account could be on Facebook forever and else. But watch for a cheer to take a picture of it. It's just a quick comment on that. 
When you're sharing on Facebook, you have the option to privatize what you share. If you wanted to go to just your friends or you wanted to go to friends, friends, you wanted to go public. And if you choose which one you wanted to go, then you have something to deliberate. That's how, for example, as many pictures of some of us we have, we don't show up on Google search because you privatize how far it can go. You knew like third degree of Kevin Bacon? Yeah, I like to, must have said it before. But a friend of a friend could be a thief, so it's true. Maybe a little, maybe a little. All right, lastly, separate accounts. Maybe think about, we mentioned this earlier, maybe think about creating a different persona for your various interests. Is it families at work? Is it your hobbies, whatever? Is this a good idea to keep your account separate? Cool. So we applied the principles. Talk about staying current. You can see how current this cat is because it's looking at a newspaper, like a printed newspaper. So these are just a couple of links. I'm sure you guys only have ones that interest you too. One I like to check is Krebs on Security blog. It's, he'll talk about security issues, different vulnerabilities. It's an entertaining read, even if you're not a security professional and he has a lot of good stuff on there. And also, the Electronic Frontier Foundation has a great site for a lot of the stuff. They actually have a SSD stand for security self-defense. They do some of their own courses. And they also have sections of their security self-defense that focuses on things like, I'm an activist going to a protest. What extra steps should I take? Or I'm a journalist working in a country or something. So you can check that out. A lot of good resources there. See if I also have ones that you guys like that, you know, I'm doing the list. How about Snack? I just described it on Twitter just as security. Oh yeah? Yeah. You get the best updates.
It was like a hundred stories a day. That's true. Reddit. So, moving on. Key takeaways. And then this is just a total recap of stuff. Somewhat in priority order of the things that are maybe most likely to get shipped. Sorry, I went through that one pretty fast. It started with phishing. It's the main one. Like the one I would really recommend you guys be careful about. Those are also all on your sheet. And that were, so, what did you learn? Is there anything in here today you're like, I hadn't heard that before or? I think I didn't even hear that. I think I didn't even hear that. That happens sometimes. Especially after you guys wanted this SOHOpelessly Broken. Oh, you didn't do that one? Greg won a year or two, maybe last year. And I think the team came in third place this year. So this was a hacking competition for routers. DEF CON? No. Because you did that one? I did not? Yeah. You did? You did? Crank did it. I'm just a software developer, man. Nice to meet you. I'm talking about device security. Go to DEF CON, turn the phone off. No, I don't need a burner phone for that. A little bit of that. Probably made it into a computer. Well, you can have to watch out when you like burner phones. Like you share contact lists or somebody calls you on that. There's even. Yeah, there's nothing to say. No. You're at DEF CON, you're at Target. There's a lot of people that you know. Can you get a compromise there? I'm not sure. I saw it on the book about it before. Was this this year? I don't know. It was like a defeat. Well, they do have the wall of shame for people. Yeah, they have the wall of shame. Wall of Sheep. Crank right there. If I understand anything else, they learn. Ain't it cool? Not cool? Don't do that again, Dave. Don't say that again. Anyone? Very far. All right, so last, any questions? So this originally was just a cat raising its hands. And then my wife was like, you are not giving equal treatment to dogs. And we're dog people. So thank you.
Did you guys have any questions? We need to somewhere else. Yes, so a couple of things I guess I can say to close. One is our next event that we're doing the same. Well, not our next event. But our next event that's security self-defense will be in Norcross. And I'm pretty much going through the same slides, plus any feedback I get. So you've already seen it once. If you want to see it again, if you want to send friends, family, neighbors, it's out in the Norcross area at a place, Prototype Prime, on Wednesday, September 13. You can keep up with all of our events. We have a meetup group. You can go to ef-ga.org, which is our site. And our very next event is an event that's going to be in TechSquare Labs near Georgia Tech, where we're going to talk about compromising voting machines and gerrymandering and all sorts of fun voting stuff. Right, Scott? Voter suppression, all sorts of good stuff. So we're trying to come up with topics. And if you guys are in the security community and you have your own interests or want to give your own talks or talk about, teach whatever, let us know. Come up to us and introduce yourselves. And again, there's material over here from EFF, stickers to your laptop, other phone stickers. And probably after this, there's a lot of dining and beer around here. So we can pick a place and all grab some brews. So hang around, come ask me questions. We'll probably hang around here for what, another 15, 20 minutes, and then head out. Holly's like, I don't want to get out of here. I want to go to bed. All right, thank you, everybody. Thank you.