Welcome to MCH 2022, the abacus stage. And I'm very happy to introduce Brenno de Winter, talking about OpenKAT: security through cat's eyes. So take it away, Brenno. Yeah, thank you very much. Yeah, you are going to see a lot of cat pictures in this presentation. So be alert and be aware. If you hate cats, bad luck for you. I'm Brenno de Winter. I'm the harbormaster and at the Ministry of Health, Welfare, and Sports, I'm the Chief Security Privacy Operation for the Corona Tech. We talked about it yesterday, just a quick reminder. This is my cat, Brani. Brani Benani is how I cuddle her. And that was the name of a project. So we started the website. Then people said, like, that's kind of stupid. This is Hiro, Brani, and Keiko. In a government system, it looks like this. Then somebody said, like, stop using cat names. Then the minister said, you can use cat names. So this is what we are going to talk about today. And with the Corona Tech, there are a few projects that we have to do. Contact Tracing, Contact Tracing App, the Brani Benani I talked about, the EU DCC, the QR codes. We built an EHR for hospitals in six weeks' time. We have exception routes. We do fraud protection, red teaming. And we're also supporting the other nations in our kingdom, Curacao, Aruba, and St. Martin. So that's a lot to deal with. And then what do we need to do? Of course, the continuous monitoring. And you have all the occasional issues, the shortage of people, the high stress level, especially the political environment that you're in, and then all the tasks you have to do, starting with pentest and code reviews, ending with your risk assessments, and your weekly starting at 7 PM on a Saturday DDoS. It's those standard things you have to deal with all the time. And with a small group of people doing that, that is kind of a hard thing. Now, I've been in security for over 30 years and nearly 40.
And one of the things I've learned from the thousands of incidents I saw is whenever shit hits the fan, a configuration management database is totally different from reality. On the left-hand side, you see Amsterdam in 1538. And that is generally the map when you end up at an incident that they give you. This is Amsterdam in reality. So, yeah, and for my colleague, Cleo, sorry, but this is the harsh reality. So this needs to change. And this is an issue for us as well. And then what we're doing to prevent incidents is basically finding the famous needle in a haystack. And as I've shown you, we've got all sorts of projects going on and different nations to support. So basically, I'm searching in more haystacks than basically would fit on a PowerPoint slide. So far, so good. Then came this day when we had this corona testing facility that was hacked by the Dutch news outlet, RTL News. And basically what they found was a Google Firebase that was in development mode. And yeah, then you can go through all the data. And Parliament said to the minister, you have to investigate all these parties. Yeah, but it's not our job. Yes, you have to. So we started continuous monitoring. And that was for up to 70 companies at the same time. There isn't a single security company that will say like, oh, sure, we'll help you with this one because it's highly politically sensitive. It's all open. So there we were. So we did a lot of manual scanning in a weekend, found hundreds of vulnerabilities at these facilities. And then the next question came, OK, now we've sent the information over. How do we know for sure that it was all fixed? And then you start scanning again. And then this company will go like, no, no, no. There was nothing wrong. It's a false positive, or it wasn't really a problem. And then we found other stuff as well. For instance, one of these facilities basically said, OK, we've got secure mail for health care applications. We let them be part of our system.
And then somebody by accident discovered that they turned that off because you have to buy a subscription of a couple of euros per month. That apparently was too expensive. How do you monitor that altogether? So there were a lot of issues. And it's not even that simple because there's one other issue as well. It's not only about security. It's also about what makes us as a team, but also the minister vulnerable. And that might also be security issues that aren't there. So we stopped talking about security. And we started to talk about everything that makes you vulnerable. That really doesn't scale down the problem. So we decided to go for a tool. And since we're talking about vulnerabilities, the Dutch word is kwetsbaarheden. And we want to analyze them. And it's a tool. So we called it the Kwetsbaarheden Analyse Tool. And lo and behold, that's the Dutch word KAT. For the ones that were in my lecture yesterday, this is our team logo. That is perfectly fine for the tool as well. So we learned a couple of lessons. And one of the things that we should do is prove that if we found something, that this is really true. And if something changes, I want to be alerted. And I don't know what can change. But if anything changes, I want to be alerted. And then we found that there were basically no tools that really understood the Dutch context properly, let alone the medical context. So long story short, we needed something that would be able to scan, would be able to do other stuff, but also doesn't violate the Dutch laws. Or one could say, I was looking for an eierlegende Wollmilchsau. So how do I realize this? Help. So I found my friend Jan Klopper and said like, Jan, help. And Jan is a hacker. Oh, I know I have aged a bit. Yes, it's true. So yeah, we had a problem. And Brenno had decided on calling me. I don't know why, but these things happen. Well, I picked you because you were allergic to cats. This is true, yes. But you didn't know that back then.
Yeah, and the first thing you said was, Brenno, stop throwing data away. Yeah. So what we see in the general availability of security tools is that you start scanning, and the end product is always the vulnerability that you find. The end product is always this report saying, you have to fix this, you have to fix that. But to get there, you're probably going to do a lot of queries, collect a lot of information. And all of these tools next to each other do that again and again. Every time they do a DNS query, do a connection to the server, collect some information, parse it in their own way, make their own answers, put the answer in the report, and you get only the answer in the report. And we decided to do it a bit differently and say, OK, each one of these little steps should be a little program by itself, the UNIX philosophy. And every time we do one of these little loops, we're going to collect the information both raw, so we can actually prove that we did it. And we're going to collect whatever comes out of it in the database, in a graph database. How do we prove it? Good question. So we decided on running all the tools in containers. Very fancy. But it's not a means to an end in it. It's actually something that helps us. And we run the container, for example, Nmap, very simple tool. We run it. We collect the information that goes into the container, the IP address. We collect the version, the hash of the image. And we collect whatever comes out of it. And that gives a pretty good, pretty good complete answer of what the tool did. And then we allow someone else, an external party, to sign that package, hash it, sign it, timestamp it, so we can actually prove what we did. So basically the external timestamp service makes sure it's forensically sound. Correct. And then we do that for every step along the way while collecting information to build this graph.
Yeah, and this graph we built in a cross-time database so that we can see the status of an object in all moments in time. So I can compare an object on January 1st around midnight to the status of the object right now. Yeah, so we have the graph. And the graph that we have today might be slightly different than the graph we had yesterday. And that allows us to obviously see the differences. But since we have this database of information, we have all the little nodes of information, we can use that graph to then and only then start looking for patterns, start looking for objects, start looking for things that we don't like in our graph, in our reality, within our set of business rules. So if you put everything in objects, you put needles with needles and hay with hay. So if you say I'm looking for a needle, then basically you can say, hey, here's a batch of needles. Here's your bunch of needles, yes. OK, the question is, how do we get the data and we get data with boefjes? You're going to learn a little bit of Dutch as well. Boefjes is the Dutch word for rascal. And basically, it's a plugin. Yeah, so we have a bunch of different plugins and boefjes is the first one. And it's the one that goes out and gets data. It goes on the internet or it goes, look at the various tools or APIs, or maybe internal or external databases. And it only has a question. It goes and fetches the raw data. It doesn't really matter which format it is in. And it collects it to be stored in our forensic database. And they are just facts. So in a regular tool, for example, if you run Nmap and a lot of tools will immediately say, oh, you got port 22 open. Don't do that. I don't care about port, it's fine. Do whatever you want. I get that a pentester probably has a reason not to do port 22 on the internet, but that's a business rule. And the business rule comes later. Because we made a distinction between facts and conclusions. I have got this guy walking around along Kneterman.
And he's basically always doing a finding and then saying, OK, you have to decide if it's important for you or not. So he says, OK, Brenno, I'm looking at your house. I see smoke coming out of the roof. And flames, if this is important to you, the logic step would be to dial 112 and ask for the fire brigade. Optionally. Optionally. Optionally. I don't know what your context is. By the way, I call him my chief conspiracy officer. We have a whole bunch of plugins already. We need a lot more. So I'll do the shout out now. Come to our OpenKAT tent and join the scene. But then I've got data. And data is still something that is unstructured. Yeah. So by now, we've run all these boefjes and we collected all this raw information, probably just command line outputs or JSON blobs from somewhere. And in that data is a lot of extra information. We need to process that to actually make sense of make needles. And what we do is we have a separate set of plugins, normalizers, or whiskers, as we call them. And we couple each whisker either to a boefje or to a mime type and say, oh, let's see. We have text HTML forensic proof. What can we do with that? We have Nmap output. What can we do with that? And we scan that data from the store, check it. And if we find something that we understand, then we add it to the database. But Jan, today I understand only so much. And then all these people are going to help. And then I understand a little more. Yes, I know. That's very interesting. So imagine having this vault of data that you collected over many, many years over systems that you have in production. And you had done this, as you would, because Brenno asked you to. And it's a good morning. You wake up and you notice there's something wrong with your website. CPUs are spiking. Every time a browser visits it. And you find a bit of JavaScript code in there. And it's Bitcoin mining. So it's essentially destroying the planet. You find that bit of Bitcoin code, the crypto miner.
And you notice that you obviously missed it, because you didn't know it was there. What you can do from that point on is collect that information. You write a normalizer that looks for this specific bit of JavaScript, add it to KAT, to OpenKAT. And it will probably find another few of these injected bits of HTML or JavaScript in your various sites, because we had already downloaded all the HTML. We had already collected the proof. So you can immediately start fixing these things. But you also have all the historic information in your forensic store. So now the normalizer can start working backwards, over all that collected data, and pinpoint the moment in time, because we have a cross-time database where we saw that bit of JavaScript for the first time. And this obviously helps with pinpointing when you were attacked. And by having that specific moment, you can probably also dumb it down and look at other log files to see how the hell they came in. Because seeing a bit of JavaScript in your website is one thing. Knowing how they got in is probably very expensive research. A bit of expensive research, yeah. Yeah, and then we store all the data in Bytes. Is that one of my cats? Definitely not. It's Simon's. Simon is here. But we store it forensically in our data store. And then basically we go for the business rules. Yeah, so business rules. Very enterprising name, I know. Business rules are more or less like complex CSS queries. And you have a set of data. You have a tree of information. And what a business rule actually does, we have one on screen here that says, okay, every time an IP address is added to the graph, I'd like to be run. So it's more or less a state machine. And it does collect some other additional IP information. So an IP port and a website might be related to this IP address. And then we do some Python magic, run over some queries on websites. We collect some ports.
And if we have all the ports at this IP address, and we can do this bit of logic saying, okay, if port 80 is open, or port 443 is open, or not, then there's probably something wrong. If so, we'll add a finding, we'll yield a finding to the database. And what this does is it creates a new object in the graph. So if A exists, B must also exist. But A or B or C, this might be more complex queries. We try to keep them simple. And that opens up, for instance, one possibility is that you say like, okay, yesterday you had five ports open. Today it's 12, maybe your firewall configuration is no longer good. Yep, but there's more. If I see that you're running a bit of software, for example WordPress, I can do a query over all software instances. I can see that you're running WordPress. If this is WordPress, then there must also exist these other 1,568 dependencies. It's deduction. It's very simple. It's a simple business rule, and the business rule feeds on external information, and it handles every bit of WordPress in your site, or whatever you want. Yeah, there was this nice example of this Corona test street. They were using WordPress, and a new Common Vulnerabilities and Exposures entry came out. And that basically gave a CVSS score of 9.8, which is kind of serious. So after we downloaded it, I phoned the director of that testing street, and within 10 minutes of getting the alert, the website was fixed. I can't prove that we prevented the hack, but likely we did. Yeah, so the business rule was triggered again when we renewed the list of CVEs, and this thing that happened, we added all the extra facts to the database. Yeah, there's only one thing. The boefjes just get the data. The Bytes feed them to their whiskers. The Octopoes is what we call the system that basically does all the handling of the data, and then ultimately it ends up with bits, and bits is basically... Sorry, we rerun the bits, and then basically you can do your reporting, et cetera.
We've obviously got the interface for that. One of the interesting... Yeah, no, I'm not happy. Oh, yeah, go ahead. One of the interesting things about these bits is that, like I said, they add data and objects back into the graph. They don't have to be findings, but they could be. And once you alter the graph, you can then have another set of bits looking at that data again, and say, oh, wait a minute, if you have that little technical issue, then you're not compliant with, for example, internet.nl. And if you're not compliant with internet.nl, we've added a finding for this thing, oh, you're not compliant with this. Then we can add another business rule saying, oh, if you're not compliant with internet.nl, you're not compliant with NTA7516. 7516, which is safe email for the healthcare, yeah. So you build these really big compliancy questions and strip them down into smaller technical questions, simple queries. Yeah, there's only one thing that I'm totally not happy about. And that is, so far I have to do everything myself. Start it, click it. So we've got a scheduler. Yeah, Mula, another cat of one of the developers. Mula is our scheduler and we're now kind of in the volume of search engines. So we have lots of objects and every object that we add to the graph either triggers a bit or business rule, but they can also be input for another set of boefjes. If we find a host name, it doesn't matter where we collected it from, then we can probably do a bunch of things like DNS queries. We can try and see if there's any subdomains. We can look for certificates via transparency records. So deciding on which boefjes to run and in what order is something that the scheduler does. Also deciding on when to rescan. Some things don't need to be rescanned every day. Some do. So if we're rescanning, then I can also see that if somebody fixed something, it is fixed. Correct, yeah.
So if we see something broken today, we collect proof of that and by the time we rescan either manually or through the scheduler, we also collect evidence on when you fixed it, which is obviously very useful. Yeah, but now we need to use the real life practices and we need some help for that because I don't know how to do that. So I would like to invite Oscar Koeroo. If he still dares. Well, actually the actual joke is that this is a government approved picture in an actual interview that I gave. But let's face it, with respect to what my day job is because my night job is, well, having fun and doing stuff, but on the day job side, my responsibility is for an entire ministry. It consists out of, depending on how you count, either 11 or 25 or even more organizations. So I know what kind of things are coming to me with respect to how to prove that you're compliant, how to prove that you have your security in control, that you prove that your privacy controls are, if you can test them with technical means, that they are okay. Yeah, but before we do that, now that we are the three of us, we need to get the OpenKAT out. Yeah, and that needs to be published. So when did we do that? We did that on July 1st, at 2200 hours. And in the next morning, we got a call from DIVD, the nice guys who were before us and good going. And we had the information disclosure. So I dare to say open source seems to work. Yeah, so thanks to the work of them that they actually looked at the code so quickly, so fast and found something that we've missed. That's the thing that I think it's what open source should be. Well, it's not just us. I think it speaks to why we do OpenKAT. Yeah. Many people have been looking at OpenKAT, including some companies, and we all missed it. And I think this is also one of the examples again because we've seen all kinds of other improvements that we've had in the talk that we've had with Brenno and Ron in other days.
That open source can work if you actually put your mind to it and do the right steps. And then this can work again. So it's really appreciative. Okay, but your mission is really to make cat holistic, MCH. Make cat holistic. I'll slide, you know, I'll let it slide that this one is not what it came. So one of the goals is that we can scan all the resources that we can actually get from the infrastructure. And if we can't then use the agent services, which is gonna be a lot because the amount of organizations that you had to deal with with the pandemic, that's fine, that's a lot, but the ministry itself has at least three... It's a bit bigger. It's a bit bigger and I've got more suppliers even to deal with and each of them need to be compliant and the compliance rules and regulations will improve because of all the... Yeah, this thing only works if the objects are being filled. So if you've got sufficient assets to add. Discover assets. Well, this is one of the things that I had to do myself in the weekends because that's the night job, is try to scan the infrastructure itself and then discover, oh my gosh, we have more APIs, we have more things to do, more things to control and everything is getting more and more. So we need to have scale in what we do. And this is why I think this is a cool thing that we have now is that we have the opportunity for scaling. Yeah, and the cool thing is if you really understand this, think of Log4j. What did most organizations do? They started scanning the moment the house is on fire. Collecting where Log4j was even included. We didn't know, I didn't know what it was. I mean, I know Java, but that's about it. But we already knew where it was. Yeah, so one of the... Yeah, Fridays, if I'm not mistaken. I looked at the code. Kudos to the Northwave guys because I thought that was the most readable Python implementation of scanning Log4j.
Then extending that and then, well, telling to the guys, hey, look, I've scanned the entire ministry, at least from what I could get. Please help me. I need to make it into the service. Yeah, and sharing is caring. Sharing is caring, so... So yeah, what we also do is we also have to be open to Parliament and state, look, this is what we do. And one of the important things is that we don't just keep it to ourselves, but also make it available for all the other ministries who have the same challenges. Well, not just ministries, I mean... And then we can go big, you know, bigger. And why limit ourselves to that? Yeah, we've got our friends at Z-CERT who are going to scan hospitals with it. So that's kind of cool. There are so many opportunities. Yeah, well, this is basically the overview if you want to know more. There is time for questions. We deliberately left some time for questions. We can think, we can understand if it's hard for you to think about questions. So we thought of a couple of questions for you. I still have questions, so you should have questions as well. Exactly, and if you don't dare to ask questions now, come to the OpenKAT tent and ask questions then. Any questions? Hi, I was wondering if there are plans for an API. Yeah, so the question was if we have any plans for APIs, and I'm guessing you mean to extract data from KAT and use it somewhere else, right? Yeah, also to configure it. Yeah, sure, sure. So KAT, OpenKAT, is built out of various containers. As you saw, we have Bytes, the forensic store you can use and interact with that. If you skip the boefjes part and inject data right into Bytes, the normal system will pick them up. You can also query Bytes as well and get data out of it. Octopoes, same story, you could add objects there. You can query Octopoes for objects at any time. Yeah, just as with Brani Benani, what we did is make a big problem. That's actually what I learned from MendoMobar.
If you have a big puzzle, make it a bunch of small puzzles. So what we did is that's why we have all these little projects so that you make it a little bit smaller. Yep. Hello, congratulations on building and releasing such an excellent tool. I have a question regarding the forensics collection and the keeping data of why discard it. Do you keep the pcaps of all your scans? And if not, why not? Very good question. Thank you. Yes, it's on the roadmap. And yes, we have promised this. And no, we don't do it yet. So since we're running all the containers with the boefjes in there, it's a very logical question, a very logical thing to also collect all the network traffic that is being generated. Because Nmap might just output something, but it might have seen something else. It might have been collecting data. And once we have that data, we could easily make normalizers to scan through that data as well, to scan through the pcap files, and pick them apart, and collect even more data points from there. Because we might not know what we're looking for until we discover this in the future. And also have to prove what kind of data we've actually sent out over the network per scan, or in this case, per container. So one of the reasons we do this, there's actually two main reasons why we do this. We want to make sure that if we scan, that we have a proof of that we actually scanned. This is something that's missing from lots and lots of pentesting reports. Did you actually scan this? I don't know. So if, for example, you do an Nmap on an IP address, and if it doesn't return any IP addresses or ports, does it show up in your pentest? I'm guessing not. How do you prove that you've actually scanned it? By showing that you have the input, you have the output, you probably have the pcap file somewhere, then you have actually a proof that you've done your work and that you didn't find anything.
But if, for some other reason, Nmap is broken in that version, and it skips port 22, I want to make sure that I have proof of running that specific version and doing my job. I have run Nmap. There was a very good reason for that. There was this one case where I was involved in this incident with a city in the east of the Netherlands and they got fully ransomwared. And then I stumbled across this pentest and it didn't say that RDP was open. But the funny thing was when you went to Shodan, I could see that all the days of the pentest, except one or two, this port actually was open. So how can that be? And this is why you want to have that proof. Excellent answer, thank you. Also, if you're negotiating secure connections like TLS, keep a copy of all the keys that you've negotiated. We do, yes, thank you. Thank you. So my question was about your CMDB. You said it was not complete enough. Is OpenKAT more complete than your CMDB? Or is it more than the CMDB? No, I would not say that at this moment, definitely not. But this is why we are focusing on the asset management. Because this is what you really want and of course we'll draw all your inferences from that. Modern CMDBs have extra modules to scan the network and have from actual collections of whatever agents or whatever data input you can then state, oh, look, the CMDB is not complete in these kinds of elements. But today, yeah, and today we got actually an offer of somebody who is looking in making a boefje that connects to a CMDB. So yeah, this is what we want to trigger as well. Yeah, there's two routes there actually. So you can use your existing CMDB or admin panel or whatever to feed into OpenKAT saying, hey, I have these assets, please scan them. You could go the other way as well and say, let's scan everything that we can find and then have a business rule saying, if there's something in OpenKAT, in Octopoes, in the database which is not present in my CMDB, there's a finding, right?
Something's missing in your CMDB. So you can use both ways as whatever you wanna do with it. You said you scanned log files and is that from outwards, inwards? The reason for the question is like, if you have normal users using the system, you log IP addresses and then maybe the GDPR comes into play. If you say you have them hashed, subscribe that this wasn't changed, how do you handle that? We're just looking at it, we're not just figuring out the answer. Yes, yes. So a bunch of questions in there actually. So yes, we are currently scanning from the outside in and that means that we're not collecting information on clients, for example, but we are working on having more runtimes, so internal runtimes like in your network, in your VLANs, possibly even agents that are on your server and collect raw files, collect forensic information and then we can normalize that and build the graph. Once you start doing that, obviously, you might get personal information in there and then you obviously have to deal with that. The way you do that is defined in the model and we don't have it yet, but we can probably add something like encrypted models saying this has a key roll over after so many months and it gets destroyed through that means. At the moment, we don't have any objects that actually collect private information because we as the ministry don't want to do that. Nothing's stopping you though from creating these models and adding these boefjes yourself. And also, of course, we already have the namespacing that makes it possible to do internal scanning as well and we've already got a project name for that and that is kitten cat on a pie. Small cat, kitten. Okay, thank you. Hello and congratulations on this beautiful product. And my question is really since this does look like a bunch of awesomeness, this is bound to take off.
It's that more people want an OpenKAT and one day a different ministry or hospital is going to come along and says we would like to get an OpenKAT instance, but we would like to get help with that. Is there a company that can do that for me? And the question is, have you given any thought about a hybrid commercial ecosystem around this because the question is going to come. Yeah. Jan and I had a lot of Thursday evenings. So one of the bullet points missing on my slide is serial entrepreneur, because it's so cheesy. My mic is canceling sometimes, but yeah, have been thinking about this, but obviously we just want to do this within the industry first. Someone else is bound to take the source and take it, build some cloud platform out of this. We do have the name for it though. It's KaaS. KAT as a service. So, you know, we have in fact done half the work already. But Brenno, how much introductions and stories do you tell? How much presentations do you give about KAT to how many people? We have, don't like dozens and dozens of presentations. Per which timeframe? I think dozens, per. No, I think we've done about 150 demonstrations in the last six months. So that means you are lighting a fire of enthusiasm. Oh yeah. Very much, and I speak from experience, I would very much urge you to get the thinking done early. Bert, it's open, so hey, here's your commercial option. But I must say, look, open, yeah, but it's not open. Look, it's on GitHub. Download, clone, do what you want. No, no, it's the thing that I like about this is that it's being told. There's a story being told. There's a story behind it. Why? A philosophy. And this is also being told at each of the presentations, not just to, look, how cool this tool is. No, why did we do it? And how do we do it? And this is also one of the first, well, let's face it, tries from a ministry perspective to share something that we've built for ourselves to a wider community, way beyond the scope of what we have.
This is not quite the place to hash this out, but let me, I want to tell you I'm super enthusiastic and I'm more worried that it will be, that it will get too hot. So I have a theory about this. If you're in this kind of space and you're innovating, what happens is as soon as a commercial company stumbles upon something that makes money, the sales drones come in. And that could become terrible. But let us, I'm available for further discussions because I did it once and it nearly failed. But I've got the feeling that we are going to have some Grappa at the Italian Embassy later. I'm looking forward to it. But, yeah, thank you. This is my view because we have a Grappa emergency. There is a Grappa emergency going on on MCH. There is no more Grappa at the Italian Embassy. What? So tonight at 10, we will be having fun at the OpenKAT Village. Yes. And because Jan was so kind to present the original design of her. This is the original, original, original, original one. My sister is the designer of this. She made this and we'd like to auction it off for the good cause. It's the only one in existence, so. And Niels is doing kick-ass stuff, going back and forth, delivering ambulances to the Ukraine, delivering all sorts of shit that they really, really need. Can I start bidding now? I have already made a 250 euro bid. So 250 from this gentleman here? Yeah. Who is offering more? I'm offering 300. OpenKAT Village. We can do that later. But tonight at 10, OpenKAT Village, guys, come over, we'll have a blast together. And stealing your mic to auction it off. I have a very serious question. And that is, what is FreeKAT? And how does it work? FreeKAT is stupid, because it's the KAT website made by Anayon. And I don't like it. The funny thing is, Anayon presented FreeKAT to us after we launched the OpenKAT website. And I couldn't resist and put FreeKAT in OpenKAT, the software. And then I asked Anayon, where are these? And he's like, oh, is that still online shit? Yeah, exactly.
Older than the poster. So in that case, is the relation between FreeKAT and OpenKAT comparable to the relation between FreeBSD and OpenBSD? No. At this moment, it's complicated. It's politically charged. I think it's complicated. That'll be the status. Okay, I have one statement and one silly question. The first statement is, I have some experience in open source stuff and government. Please listen to Bert. Please. We will. So, why the Comic Sans? I'll give you the question. Okay. Well, I was one slide because to be honest, I actually find the content of the Comic Slide kind of interesting. Yeah, the Comic Sans was basically made because I wanted to annoy Anayon because I can. And there we have him. Hey, Anayon, that's so good to see you. I still have one more question. That is, why was FreeKAT released five minutes before OpenKAT? I'm guessing four sites. It's complicated. Thank you. I guess there are no more questions. I've got a question, actually. So, if we want to implement KAT ourselves, is there a KitKAT to help us do that? The name? I don't know if we get that one, but hopefully, I'll try. Yeah. No, that's been really interesting. Thank you very much. So, any ask, comments, and the auction, just to repeat. I was just wondering, I expected really somebody to ask the question, is MCH 2022 in control, but nobody did. Tell us, we've got a few minutes. Okay. No, we don't think so, because those are all the findings. But there we go. I think that's the false positives, unlikely. Thank you very much indeed for a very interesting talk. Thank you.