 How you doing? So I'm Big Easy. I'm part of DC 217 and we're putting together the Ethics Village and when we were doing the CFP it was my privilege to read the CFP of this man, Enore, who happens to be, he has a conference in Germany and I did my first public talk at his conference in Germany over a decade ago. So it's my privilege to introduce Enore from troopers in Germany and the circles now complete Enno because Enno is a first-time DEF CON attendee and this is his first DEF CON talk and we chose him to do the keynote to kick off the village so thank you for coming Enno very much. Thank you for the warm words. Actually it's not only my first DEF CON talk, it's my first talk on ethics at all so I'm a bit so to say nervous but happy to see you so many of you. Just a quick intro who I am. I have been in infosec in different roles since 97. I have a technical background which means I'm from large-scale networking from carrier space. I've given a number of technical talks so that's my domain usually and one thing that could be of relevance for my talk today is that I run a company since many years and within that company we have an ethics committee which I installed and I will later lay out why I did that and this is one part or this part of one of the case studies. The purpose of today's talk is say free-fold that is to make clear that once say ethical questions ethical I use the European plural of dilemma which is Dilemata so once a Dilemata occur how to handle those so to understand there's different ways on a maybe structural level to tackle them then to like provide a I wouldn't say guideline but maybe some questions to us once you face a dilemma which say with steps of reflection to go through and then to make clear all this is not easy it's not just this is not about as Richard already laid out 15 minutes ago taking easy decisions that is so just that is the main the main intent here to educate you a bit but also to make you think in a certain in a critical way about dilemma dilemma you might face so where is ethics relevant for infosec practitioners pretty much everywhere there is spaces which are going to be discussed later on in more detail vulnerability disclosure exploit sales there is some debate already going on but other than that whenever there is an intersection between infosec and humans ethical questions might come into play again I will have a number of case studies later on where this becomes more clear some disclaimers in advance I don't have a formal education and ethics actually I have a formal education and literature which you will see later on in my slides somewhat but and during my studies in the 90s I worked with computers and I worked with networks this is how I got into this but from a formal perspective French and German literature as my background second disclaimer ethics is not something which you should discuss on Twitter I tried that's not the right format actually for the type of questions we are going to discuss today and the last one there is a there is a guy who I'd like to mention here Ben Zevenbergen I owe him a lot of the things I talk about today he said Princeton at the moment so if you want to look up his walk and that would be say going further than what I do here in this talk from a say definition perspective what is ethics or what is actually the part of ethics that I'm going to tackle that is practical ethics this is a formal definition which I took from from the work of Ben which he started at the Oxford Internet Institute the task of practical ethics is to identify more problems so it's about problems about dilemma to clarify and then to clarify say what is what are the values affected what to reflect on how possible actions could look like this closer vulnerability refrain from the clothes disclosing disclosed it via certain channels identify the the causes of action and then choose one which ideally reflects best say the the world use and the decisions you took earlier on so in short it's about doing the right thing based on a certain type of reasoning and again it's about dilemma time if it was about easy situations if the things that we are going to discuss today are which are being discussed in in ethics in general could be solved easily then it we wouldn't all wouldn't need this ethics domain it would be sufficient to have laws or to have stuff like 10 Commandments if that would be sufficient to steer human life and decision-taking then I could stop here but it's about dilemma time dilemma time means it's not easy this is I'm very keen on stressing this many times and in the talk this is not about the easy path and taking easy decisions as you will see later on the case studies from a formal perspective just to give you an idea of how to tackle say certain types of questions I will lay very quickly lay out three principle three approaches of the of the within the ethics world which is a which is a huge one there was many schools of thought there was many approaches there's different frameworks there was different types of terminology I'm going just to tackle very quickly three of those as those might be important for the for the discussion later on at the first one is so-called consequentialism there was one flavor of that which is UT literalism in short it's about say the end justify the means so the approach of a consequentialist would be okay here's some possible actions that I could take parts of action let me identify what has the highest benefit whatever its benefit might be or the spending but how this benefit could be identified and then choose the path that provides the highest benefit that could be one possible approach the problem with conflict consequentialism is in the end of the day you can justify all types of actions with that you can come up with oh I have to like torture people or I have to shoot down the plane because in the end of the day this is better for everybody or taking things into account doing this has overall for society higher benefit than another course of action that is actually the main problem of this one let me already state that in the technical domain which has a high highly represented at DEF CON there is always a temptation for say consequentialist line of reasoning we are used to solve problems to tackle problems and to to write problems by the body by the result and a consequentialist a UT literalist tackles things from a result perspective to illustrate a program of consequentialism nutshell say if in 15th century South America it hasn't rained for a number of weeks a possible cause of action was well we should come up with a sacrifice because that's good for everybody when it rains okay maybe one or two young persons might not agree with that statement but well this is a very consequentialist line of reasoning then there is a completely different line of thought school of thought that is called a deontology deontology usually works on the basis of very strict rules like do not torture period that would be a deautonomist approach to a specific question the problem here is this might actually lead to situations which can can have very bad consequences say you followed had a deautonomist approach of do not lie and in World War Germany you hit some people in your in your in your house and Gestapo turns up and ask you okay is there anybody hidden in your house and you follow that do not lie approach that could have very bad consequences so there is some the problems with this one as well but those two are in say from a certain perspective the main antagonists and then there is one which has gained quite some ground in the in the last say decade especially in the information technology domain which is called principlism which tries to identify okay what are the common values to for society or for groups of people and then walk along those values and say there is a well-known flavor of principlism works around okay there was a well your autonomy then we should take into account when discussing ethical questions what's the actual benefit for of causes for actions let's talk about do not cause harm do not be evil would would be a typical of a principlist approach and justice like when be fair in weighing options there is a say in the information I have to use a thing that I'm not used to use some but okay I'm working with this in the information in the IT domain there is a well-known say document the so-called mental report guiding principles for information communication research in the information and communication domain authored by Dave Dietrich and another guy and looking at the table of content you already get an idea what this say ethical framework is about so respect persons to get their informed consent try to identify who benefits from a from an action balance this with possible risks and in the end of today try to be fair when looking at the options this is an IT flavor of principlism so now once we want to do this a bit more in real life in general it's a good approach and this is one that I want to to lay out to you to once you face a dilemma very simple said okay try to understand the dilemma try to write it down try to identify what what actual once you have a feeling well this doesn't feel right and I should maybe shouldn't do this or your sweatshirt had okay we are in general I well maybe I should perform a well ability disclosure but in this case well maybe it might not be the right cause of auction try to write it down get effects again this will be I have some case studies this will be very important later on try to identify who's involved and what are the stakeholders of a decision and what are the values affected and then evaluate and this is often overlooked evaluate alternative options evaluate okay what if I didn't do this or whether any other approaches to get the same to gain the same insight say in the once you perform research projects involving stuff like pot scanning or so is there any other ways to find out a specific thing you're interested in many people don't do that actually and the last one I will skip this for a second oh no I will not skip the last one this one of those from my perspective my experience very good approach to when you go through options like I could act like this so I could do another thing is to ask yourself if I did the following would it reflect me as as a person I would like to be I mean you could say can I still look into the mirror but this is a bit a bit more formal approach my personal value system is an action which I perform aligned with my personal value system obviously you have a feeling for that already when you come up with well this doesn't feel right but still in the end of the day ask yourself is this consistent to what degree is this consistent with how I want to be and I want to act and maybe even act as a sample as a leader and of course evaluate in hindsight again this very often doesn't happen so this is a bit the very generic thing how to tackle an ethical dilemma facts stakeholders the values the causes of action choose one and reiterate at some point of time there were some additional things before we get into the actual case studies I would like to to provide as an advice be aware there in that in many questions and many say situations there might be a power imbalance or a knowledge imbalance especially when people like from a technical domain decide on well I should do the following because that's good for everybody how do you know it's good for everybody how do you know that everybody else is sharing your perspective that you maybe as a person from the Silicon Valley has so you might know more or you might be in a more privileged position than others you perceivingly speak for try to keep this in mind try to ask yourself in a specific situation is there a knowledge of power in the lens the sex one over this the next one keep in mind that the internet is a say social technical system which was designed by a specific or many parts of the internet very signed by a specific group of people and so things happening in the internet might reflect certain understandings and certain well your systems try to keep this one in mind maybe try to avoid always keep in mind your cause of action might act as a sample for the better or for the worse for others there was a common there was a very well-known ethical say the lemma thought of the so-called Kana botnet some of you might notice some where I think it's in the terms like eight years ago a botnet was created to map the internet and the guys who did this were actually arguing like oh this is good for everybody you have an in a map of the internet and they well they compromised systems for that which maybe you can come up with in an ethical reasoning perspective is the proper cause of action maybe not the thing just is this might set a precedent and keep this in mind I have been just to give a very quick example here it's as I mentioned I've given a number of talks in many conferences so I attend conferences as well not just until today because my daughter's birthday is in early August this is one of the reasons but at CCC I was once in in in a talk where a guy discussed how to compromise like the airport the airline codes like and he wasn't making fun of people well those guys are so dumb to put their tickets on Instagram and once you get the you get a code you could lock in or you could use their minds whatever I'm not a big fan of say this type of making fun of people anyway but there was different styles of speakers and you might find mine dry for example but the thing is in that talk my my at the time 13 year old son was sitting next to me and the first thing he did when getting back to the hotel room was like going to Instagram looking at airport tickets and hey the guy on stage did this so I'm I can do this too well you get the idea think about if a cause of action that you jump into it could be a precedent in one way or another for somebody else and this was mentioned during the ask your friend session as well I suggest to be very careful with analogies between the physical and the digital world like well if we do this this is like breaking into somebody's house I did my experience is very often analogies as do not really help or apply be careful with that one last thing be honest with your agenda obviously we are all humans and it's perfectly valid to have an agenda but well put it into the equation once it's about gaining you say famous speaker or getting money that's all these might be legitimate reasons and objectives of human action but be honest and put it on the table very often say in the in the academic internet research world for many years has been very popular to write papers based on numbers like we scan the internet forum IPv6 or open ports on that specific protocol and then we perform some some action to find out to find out which version of a protocol is used and this is a good contribution to scientific research if you look closer it turns out I mean the academic world they have their own incentives and their own ways like publications and being cited and quotations and all this that's a specific ecosystem when you look closer many of the things that have been have been done there might not have been necessary there might have been other ways of gaining the same type of information it was just well it's in many years it was a bit on walk to write papers of that specific type so everybody did it oh I scan the internet and I was entitled to do so as I'm a scientific researcher and obviously it helps to once you face a dilemma to discuss it with somebody who's not of you domain it's not of the technical domain actually in my case I'm not an overly say religious passion but I live in a small town and there was a that's a preacher I think a guy from the church who has an official position in the church he's a he's 80 I very much respect him and it already happened several times when I had a dilemma I just went to visit him and discusses with him as he has a very different and experienced perspective on the wall so that's it from the theoretical part now let's get a bit into the meat the case studies with one last warning before ethical dilemma to get through those is not an easy task if you have an answer like you you face a problem and you have an answer after five minutes you might have been doing it wrong you might have not have all the facts you might have not considered say the values in the stakeholders affected or you might not have say being self aware of your agenda case studies all the case studies I'm going to discuss have mostly they have happened in real life in our organization so I've been facing those and at some point in life let's start with the first one the organization which I which I founded and which I well then to some that we obviously represent here we do a lot of vulnerability research both in customer engagements and like as part of our company DNA and there was a situation where we have identified vulnerabilities in an alarm system in a type of alarm system which was sold in Germany in electronic shops like in the US that would be a best buy or a radio shake doesn't exist any longer isn't it but in these types of stores you can get an alarm system for your house or for your property and we found out for a commonly sold model it wasn't it wasn't exactly rocket science with software defined radio to actually correct the codes of communication which at the first glance doesn't seem so problematic from an ethical perspective but if you think closer about this would you disclose this we have at E&W in general we follow a mostly very conservative and since 10 years what at the time was called responsible disclosure I'm happy to see the time the time back there was a whole debate if the term responsible is appropriate or not but I'm not going to stick into this the idea is like have a defined time frame in form a window and after a specific time frame you disclose the things and you hope for that the window has some fix the problem in the interim the patches available in this patch can can be rolled out the thing is this disclosure approach might not work in this specific case very well getting the facts laid out at the first step that's not too difficult in this case we know the model we could identify okay with who are the stakeholders affected well anybody using this who else is involved well that's okay there's a users perspective there was a vendors perspective it wasn't really possible to identify the window as this was kind of OEM stuff sold again in popular electronic stores but the facts that were easy the values like okay is the harm versus benefit equation and who is affected this one becomes very interesting very quickly as looking from a traditional disclosure perspective there are some assumptions in this disclosure process which are vulnerabilities as close to the window when the producers a patch the patch can be rolled out and actually the people affected by the patch you know that the patches available and they can actually apply the patch that's the basic idea behind this like since 15 years when rainforest puppy wrote down the the first policy laying out your responsible disclosure idea there were some assumptions in that when that can be identified when the producer will produce a patch affected users get to hold of that and can apply it and many of those assumptions if not all which I mentioned do not apply here we couldn't really identify the window some well in Southeast Asia and in some country stuff was produced and it was sold with different labels on it throughout Europe so how to identify the vendor we didn't even couldn't really find out if it still existed well the stuff was sold so it was manufactured somewhere but that was already difficult but even if there was a patch how would the users know the patch was available and even if they knew like there was a public broadcasting all the following type of systems has a problem please show up in your electronics store if you are affected they will provide you an upgrade how would that upgrade be beyond the system so was traditional disclosure would have not worked here and what made the thing very interesting was the like harm and benefit equation as this affects well people's property so even if we had say perform and we happen as you will see in a second but if we had performed traditional disclosure and after like 90 or maybe prolonged that a bit make it 180 days publish the thing what if say some people would have known that not that have applied a patch and into their property was was broken into there would be harm caused real harm in a real world and that is one thing and maybe they would have showed up in the before in front of our company building with the fox like since you guys published this you have helped the bad guys to break into my house so the stakeholders and the well use affected this makes this a very interesting and kind of complicated case I will skip this so you might ask what did we do the thing is we try to identify by some channels in some ways the window this didn't easily work out we refrain from publishing the thing we had a free series blog post on like okay how to how to analyze wireless protocols with SDR and then here is say a case study but it was planned to have a third one on like okay the case study revealed the following and we never published that one it remained the draft in the in the block for for a while and then it was removed in a nutshell we did nothing which from a hindsight perspective that's highly unsatisfactory what we should have done but this is like five years ago we should have gone through a through a start nowadays that would be that the best possible action from from my perspective but at the time and at some point we like lost interest and we didn't follow up on this it was like it's still in our I think that there's the thing is still sold but we if we went public with this we would have to re-evaluate as the problem still exists and we were not willing to put time into this but there was an outcome which from today's perspective I'm not happy with that one second case study let's imagine you and this is a very typical type of engagements we have that large organizations bring us in like okay we plan to procure the following devices whatever those might be in this case a network security device can you have a closer look on this before we deploy this so there was a device and we stumbled across something which well you could consider this a backdoor a backdoor which looking closer you might get an idea like okay there is a specific actors behind this backdoor so how to handle this one this closest one funny enough the question was brought up in the similar question was brought up in the in the earlier session let's take a structured approach which I propose at a fast glance okay this might look like a vulnerability disclosure which looking closer it is not or maybe it is that's already an interesting question is a vulnerability is a backdoor vulnerability from the it depends on your perspective actually from the one who puts it in there it's it's not a vulnerability as it's a plant feature kind of from the ones not being aware of that are from the non-five-ice countries well it might be considered a vulnerability probably yes the friend of mine who leads a threat intelligence unit in a German highly specialized shop he uses to say one country's white list is another country's blacklist and there is a much truth in that what does this mean for handling this case I mean Germany is not a five-ice country so we are it's from the customer engagement the organization who made us look at the thing it's probably not what they want so this brings up some interesting questions and there is what made that the case or this type of cases much more complicated than they might already be then there is a thing a whole different alien in that moment type of value system is brought in as say confronting the entities responsible for the backdoor that would be immediately well we need this for national security this is needed to be to get hold of the bad guys in Syria or wherever which might be what might be a proof or not it might also just be used for industrial espionage whatever the thing is there is a whole different value system brought into the discussion which by the way applies as well once there is there's a lot of especially in the UK a lot of reasoning of measures surveillance measures which from probably a perspective many people in the room we would consider unethical but as always like oh this is this is meant to prevent a specific type of crimes against children and with that argument you kill everything which I mean I have three children myself I'm not against fighting crimes against children I just want to make you aware that this brings a whole universe of say questions to a technical or technology ethics debate and one has to be very very clear and aware of what is in the mingling of these when your systems actually produces again let's take the structured approach who are the effective stakeholders then again this is an interesting question as from a very simple equation we have a customer brought us in there is say probably a stakeholders here the entity who put the backdoor in it there might be thinking about it there might be other countries which are not five eyes which is again another group of stakeholders this raises some and you might come up with the line of reasoning well this is about internet security if those devices are deployed in the internet and the bad guys can whoever the bad guys are could compromise those this is bad for everybody's security in the internet but and this is why I asked that the question earlier when there was this oh would you report them if say a nation state actor compromised and an NGO the immediate answer of most of us would probably yes assuming and I'm not judging anything here I just want to make you aware of things assuming that the majority of people here in the room are US citizens what if well this is about a matter of national security for the US would you answer be the same so we have a conflict and this is a kind of classical conflict and I call this a conflict of scope where scope means okay what is good for the or bad for the internet maybe might be different once you look at it from a more narrow perspective something that could be good for my country and be bad for the internet as a whole whoever that is and these types of scoping and conflicts based on scoping we will face we will see there's this of course often there is no easy solution to this as to many questions the thing just is you have to be aware of this you must sit down and as part of your reasoning and your decision-taking process it's just to make this clear I'm not judging any type of outcome of your decision-taking process I just want to help you to have a structure decision-taking process if at that if the end of that one comes out well I'm a US citizen or I'm a citizen might be a German citizen I'm a family father whoever and that's that's why I decide or I think the proper cause of action is the following one that's perfectly legitimate you just have to be aware well maybe when I take this decision it's different it's another broader scope of stakeholders is affected in a detrimental way maybe so and then there is this thing what I mentioned values talk about from the principalism approach talk about autonomy talk about being beneficial talk about justice the the autonomy angle that's an interesting one for the back door how does say having a back door or not disclosing it affect the autonomy of all the organizations which might be affected if if like by keeping your mouth closed you you foster the practice that systems can be compromised by a nation-state actor which is maybe not in the interest of I don't know how many exactly how many countries are there in the world that say 212 or so minus five 207 countries might be affected in a way that is different from those from from five countries and 207 countries might be affected in a way that violates their auto autonomic decision-taking like informed consent think about a main law report there is the state there's this thing informed consent what about informed consent for the for the people who use this device which has a back door built into it so this was a was a quite interesting one and it serves as a nice example not so nice example as a very telling example why this principalism thing do not harm be good to everybody treat everybody fairly and in an equal way and respect the autonomy of human beings all this is nice I'm pretty much everybody in the room is probably willing to well check yes that's good but well the world is more complex you will see conflicts and you will see the amateur which principalism alone can can can solve and this is that the main weak point of principalism it's abroad usually it's good to say reflect on things but for actual decision-taking in actual situations might not be too helpful this is my experience so you might ask obviously what we did well this was a speculative case study it didn't really happen and I can neither confirm nor deny that this thing ever happened so I kind of skip that one I'm in I'm in in favor of disclosing the thing but if you do well think about countries affected and well get a good lawyer that's what I would in that case suggest but again this was wholly speculative next one domain controller case study customer shows up ask us like okay we have we have a team which is specialized in AD and Windows security and they got a request from customer can you help us with analyzing the logs of a domain controller for specific say behavior and we are like sure we could do this there's this well we have the expertise to do so could you please describe it in a bit more detail what what you need from our side well you know we have that guy Frank and Frank he's the leader of the local activist movement and Frank we think that Frank is leaking information well okay and so what and you need to you need to find out that Frank is leading leaking information and we were like wait a second this is not only a technical question can you tell us a bit more yeah hey you guys must help us getting Frank sued I mean it was not that drastic but thinking about it the more questions that we asked them what was like it became dubious what you want what is your what is your objective of the activity you want us to bring us in for this was brought to the ethics committee and again as a line of the structure the approach was kind of followed get effects well that's not easy in that case as well it's okay that's that's lots lots to look at the customer couldn't really specify which type of activity to look for but this could have been solved in a technical way or another but it there was some some elements remained unclear which didn't really help like well informed or ethical decision-taking the next one is some well look at a well use affected that's out of the first one is always autonomy you could ask a well what about Frank's autonomy when we perform this activity but the thing is Frank is has a has a contract with the organization which by the nature of the contract and this is fully legitimate there's laws and there's laws of contracts and there's laws of laws of walk restrict his autonomy and in some way and so there is a there's a frame which restricts that and you can easily like surpass this based on ethical reasoning well you could there is there might be situations where law and ethics conflict but when those situations occur be very clear about your own agenda and you should accept that laws are there for a reason and in most countries laws are based on common reasoning in some sense I'm not against like civil obedience or anything of that it's just life some at times more complex than your personal perspective or Frank's personal perspective in that case beneficials that again is an interesting one as say there's types of actions you could do the job or we can refrain from doing the job who's affected by this I say if the activity is performed oh I only have three minutes left then I will speed up a bit that is that is unfortunate can I get an extra five then I can manage thank you thank thank you oh I was I apologize then given I am giving this the first time apparently I spent too much time with the with the first part the thing is there is like human person was this organization which again is when it comes to who benefits was us who gets harmed it's a very common conflict like things that are good for an individual for one human might not be good for the broader scope or vice versa and in general humans tend to favor humans which is the whole theme some of you know might notice Casa de Papel there's a group of humans which you have some favor for and they in some way in a specific a kind of fight against or exploit a broader system and this serves as a perfect example of make clear who's affected like individual humans as opposed to an organization and in general humans tend to favor humans which is human but one has to be aware of this it might not lead to the right outcomes in or to the to the best possible from an ethical line of reasoning outcomes in specific situations not in this one I can I can already tell you what we did the ethics committee declined suggested declining the job and the ethics committee it's called recommendations but those are expected to be followed by everyone in the company including management so we didn't do the job but very quickly on this say things that might be good for smaller group might not be good for larger group there is a whole thing on on on internet scanning and I can tell you on this one it's a kind of the same dilemma there was people who are you like well we scan the internet forum IOT devices and vulnerabilities and that's good for everybody so there is a group of people technically skilled from a specific user often very often make okay the invite what and and they decide on what's good for everybody out there you can probably already get the inherent problems I'm two people show me five minutes I got that I see you I'm losing I'm losing time when I react on this I won't father yeah I know I will quickly go through this thank you this internet scanning usually violates the the principle of autonomy have those people whose devices you scan and you might turn out light bulbs or whatever with that giving you informed consent from the manual report probably have not you can already spot I'm not a fan of this at all at E&W you have to you have to cross very high say boundaries to get a project approved which does internet scanning in some way and when I was in the in the technically very sound subcontract yesterday a black hat and they were like oh we did the scanning and we found devices which at the time of the scanning there are 30 a thousand feet high vx walks shells I was scratching my head away wait a second did you have informed consent of the people in the plane at the time that you may be crushed a 20-year-old wash no vx walks by scanning it from the ground probably not these guys were these slides will be published but just to give you a quick idea the scoping thing is important the scoping might be problematic very quickly I already mentioned this we declined the project very quickly two more case studies this one was interesting as well that actually it's the first one on the time scale as this led to the creation of the ethics committee we got a request can you perform a training on telco technologies and we have expertise on this we were like yes and then exit and while we is doing the setup phase it was like well can you do it in a way with a Russian how do you call it translation in real time Russian translation and we were like well that's maybe people will learn a bit less but well if you pay us for this we can do this and then it turned out all we only want to look a whole week at interception capabilities and and surveillance some interfaces and that was why okay why why do they want this again this brings up many interesting questions who are the effective stakeholders what is the scope what and what a value what is about autonomy and form consent again we have this country was this other countries or was this the own population thing and we don't even know it might be perfectly legitimate but it sounded that's also a legitimate the thing is we did a job as we had committed but this led to the to the creation of the ethics committee to relieve individuals the guy who did it he wasn't happy about this at all we told him maybe I've all committed so do it but in the future we will have a committee which decides on this I have another one I can't tackle this one it's an interesting one as well you can probably get the main points from the slides which really published conclusions there's a thing I would like to to make clear here this one conclusions understand that ethics affect a lot of things you do and understand there is like these formal approaches and go through those get effects get a values get a stakeholders identify what could be done one way or another this is not an easy task and with this I will conclude I already told you I'm I have a literature background there is a whole genre of medieval literature with the court of artists and so and they're usually the put that the hero which in that case is pretty much always male which is I'm going to use he the hero sets out to perform a quest at some point the hero has to decide right or left and the first stage usually pretty much always a hero chooses right as this is the easier way the hero arise at court he might even win the turn at the first tournament he might even get the the the King promises you can you can marry my daughter concept of autonomy is violated but didn't so much exist at the time but then chaos kicks in and he loses everything he starts again at the same point right or left takes a left path that's more tedious that's more takes more time more reflection more walk but that's the one that leads you to to the to the Grail and this is the message I want to give you when it comes to ethics it takes time takes effort but it's worth it thank you