We shoot the new. New speakers get the option of having a shot, and we're going to do that right now for Thomas Jank. Can we please thank him for giving his first talk at DEF CON? All right. Can we flip it? It's a bit late to be worrying about being drunk doing your talk. Can we flip the slides on? Thank you. So for a long time, bucket. To our fallen brothers, Kaminsky, Grover, Tuna, everybody we've lost, their families, we love you. To them. All right.

So: damned if you do. The risks of pointing out that the emperor is buck naked, other than seeing the emperor's dingus. Legal stuff: opinions expressed are our own. Please don't sue us. We do not represent our employers in any way. Do not pet, eat, or taunt the super happy fun ball. Yeah, you probably know who I am. Every DC since seven, except the plague years. I think I'm at like eight or nine talks. I measure badges by the pound. Black badge holder, three-time Hacker Jeopardy, public church Wi-Fi, hacker of sex toys, heroism, pain in the ass mostly. Yeah, I'm way shorter than others. I'm going to lower this way down here.

But I'm Thomas. I'm mostly here for the politician jokes. I'm a recovering politician, I promise. It's my second DEF CON. I was at 28. That's my first one, post Safe Mode. First time I'm talking, as you saw. I currently work as a security architect for a sub-national government in Canada. I once did a thing with the government, which is mostly what led to this talk. I'm here for the vibes. My goal is to not be so hung over that I sleep through any of the talks. And here's a very serious picture that looks like I belong at Black Hat, not DEF CON. I definitely don't represent my employer here. My views are going to be my own. So yeah, I think my director is in the audience somewhere. So I definitely don't speak on behalf of them.

So why are we here? So there's this whole mentality of, you know, if you see something, say something, you know, after 9/11.
But hackers are going to hack, and generally we do so to try to make things better. Pointing out problems in systems nowadays is extraordinarily perilous, and way more than it needs to be. We've both had run-ins with these issues with our local government and, you know, here's me, you know, a researcher, and an actual elected politician, and we still worry about all of these things. There's a problem here. We are Canadians, so sorry. But this applies to, like, most countries and jurisdictions. So let's look for some mistakes, fix the legislation and policies, and hopefully we can get back to, like, the bigger problems we actually need to be solving.

So why do I care about things like this? So I was employed at a bank called ATB Financial in Alberta, senior security analyst, kind of a dream job. I got to say, you know, I hack banks for a living, and in the evenings I hack sex toys. Like, who gets to say that? September 2018, at our local BSides, I gave a talk basically about why we can't have nice things. The first day of the conference, the CISO for Service Alberta gets up there on a panel and says, oh, yeah, we scan our stuff all the time and are constantly patching. Well, I'm in the audience, I get on Shodan on my phone, and I'm like, no, you don't. So I put some of this into my slides for my talk the next day. I gave him a heads up saying, hey, this is, I've got to do this, are you okay with this? He's like, sure. Threw this stuff into my slides last minute. There were open printers where you could see the logs of what had been printed and emailed. End-of-life servers. Servers ten years behind on patching. Sent them the data immediately afterwards. Thought all was well. Met with them a week later for lunch. They said, oh, yeah, that was cool. You ruffled some feathers, but it's all good. All was well, but ATB Financial is what we call a crown corporation, so it's technically owned by the government.
It's run like a regular corporation, but the government still has some hooks in there. Supposed to be arm's length, but that's apparently a very short arm. Service Alberta, the department, owned the Government of Alberta's IP address space, but they basically handed out addresses like an ISP. They would hand them out to other ministries or agencies. They had absolutely no oversight or control over what they did with them. There were no central policies for security or anything like that. This caused an absolute panic across the chain of command at the Government of Alberta, that I had pointed out, you know, that the emperor had no clothes. Emails were sent, calls were made, meetings were held, and I suddenly found myself without a job. They got me on a code of conduct violation of causing embarrassment to the organization, which I find very humorous considering some of the other crap that I pulled that they didn't fire me over. So yeah, they suddenly gave me a lot of time on my hands, which is never a good idea, as my wife could attest. So I began to dig into the problem on Shodan further, more than I could just do on my phone in the audience. 150 hosts, 3200 vulnerabilities later, just from Shodan data and looking at server headers. F5 admin console login pages, publicly facing debug interfaces, there was a Lansweeper default install with a click-button to log in as administrator, you know, heaps of unpatched servers and end-of-life stuff. It was, like, embarrassing to be from Alberta in this case. Documented as much of this as I could with Shodan links saying, hey, this is all public. Ethically and morally, I still felt I had to report this, because my information is in these systems too, and I'm legally obligated to put some of it in there. But there was no official reporting channel for Government of Alberta systems, because every ministry and everything like that was a silo, and it wasn't apparent who owned what.
The buck stopped nowhere. Knocked on a lot of doors to get attention to the matter, handed over the data to a couple of different departments and agencies, but little or no action. I got the Public Interest Commissioner involved. Those are the ones that look for, like, fraud and graft and waste and stuff like that. They didn't really take me seriously until I pointed out there were 70 vulnerabilities in their secure reporting website for whistleblowers. That got their attention. They leaned on the government to do something. I think it was, like, a case of either we have you stop everything and we do an investigation for six months, or you acknowledge yes, there's a problem, and just work on, you know, solving this. Finally got a paper letter from the Service Alberta CISO's office saying, you know, please report vulnerabilities to this email address and, you know, this is your point of contact. Which I very promptly did in February 2019, and waited. Their publicly available policy said they will fix criticals in 30 days. Now, whether or not that policy was meant to be publicly available on that website, I don't think so. But 21 days later, you know, a couple of weeks away from an election at the time, 21 days, they hadn't done anything. So I'm like, hey guys, just so you know, morally and ethically, I have no problem going public with this after 30 days. Well, they took that as a threat. And I mean, one can debate, you know, my judgment and my phrasing of things, you know, that's a whole other talk. But they called the cops on me. The city police, computer crimes investigators, you know, wanted to have a chat about threats I had been making. Agreed finally to meet in a public coffee shop where there were cameras and, you know, of course, caffeine. I walked them through everything. They learned a bunch of stuff, because most of the stuff they deal with is, you know, my boyfriend hacked my Facebook account. Walked them through everything.
The GOA, the government, never told them that their policy was 30 days to fix this stuff. So they're like, oh, that changes the context dramatically. They were thanking me at the end, because their information is in these computers, too. And they wanted to see it fixed, too. So at the end of this chat, I said, no one from the government has actually, like, talked to me. You know, it's always been, like, these letters or this indirect communication. Just have somebody call me. Like, we can sort this out. And they did, they passed that along. CISO for Service Alberta, a different person than the one I'd been dealing with previously. Had coffee with him. Turns out he was the guy who actually called the cops on me, on their lawyers' advice, because it was a case of, well, if we don't report this possibly as a threat, and something happens, then, like, liabilities and, like, weird stuff. It's a good map. It's a tough position. You know, governments change, priorities change, budgets are thin. Explained to me a lot of the systemic problems they've been seeing in this, the IT infrastructure. The hatchet's buried. You know, fortunately not in anyone's head. But I still want to be part of the solution. So I'm trying to play nice, but I am a strategic pain in the ass. Reminding them that they need to do things like vulnerability disclosure programs and, you know, have, like, a way to report these things, and also to keep up on this stuff. I mean, there were a lot of things here that were problematic besides my choices in phrasing and such. Lack of a vulnerability disclosure program, guidance, policy, or official channels. Like, there was nothing. Whistleblower statutes don't apply to the general public. You know, it's like, if you are employed by that department, you have the potential for whistleblower protections, but the public doesn't.
There's anecdotal evidence and some documentation of ass-covering, where I had basically pointed out, literally, the emperor had no clothes, but instead of slinking back to the palace in their shame, yeah, they basically shot the kid. Some exaggerated and untrue claims of breaching confidentiality, because, like I said, all this was on Shodan and I had the links. I can show you. It's all behind me. Better job, better life now. But, you know, this was a thing that happened, and it's stuck with me.

So let's fast forward to this case in Mississippi. You may have heard of this. October 2021, St. Louis Post-Dispatch journalist Josh Renaud found there was a website for looking up the licensing status for teachers. You know, you put the teacher's name in and it would say, are they licensed, how long they've been, whether they're active, et cetera. Well, if you actually looked at the response in the source for the HTML, their social security number was in there, amongst other information. It was pulling the full record, and the JavaScript was rendering just, you know, the licensing status. Like, this is a brain-dead simple vulnerability that, you know, he confirmed with a computer science professor, saying, you know, is this as big a problem as I think? And it's like, hell yeah. The department, you know, he reported it, held off on, you know, publishing anything until it was fixed. The Department of Education was drafting a press release thanking him for reporting this and getting it fixed and everything. Then the governor stepped in. Yeah, and I think this is a good part to talk about some things about politics, right? The governor claimed that the reporter was a hacker who was acting against the state agency and trying to compromise teachers' information. But I mean, you all know that when you request something from a website, they send it back and it just, like, sits in your cache, and they're sending you things you didn't even ask for, right?
Like, this is very much, I think, showing that, like, the hack was pressing F12, right? It was viewing the source, it was looking at the requests that were already coming back. Things that were probably cached in proxy servers and cached in their web browsers and all those things. That's not a hack in any sense, right? But the case was referred to prosecutors, right? So it was sent to investigation, and five months later, lo and behold, surprise, no charges, no crimes. But the issue was that it's the governor's office that was responsible for this website in question. So it's something that we look at and we say, oh, it's funny on the surface, right? It's funny to think about somebody going after a reporter who hits F12. But five months of basically hell for somebody, to have to have a lawyer and do all these things, is something really problematic.

So let's talk about what happened with me. It's September 2021. It feels like year 345 of the pandemic, even if it's only, like, day 345. But vaccines are rolling out in most areas. We're not out of the woods yet. People are getting their first dose-ish. And in Alberta, the premier, Jason Kenney, declares that it's the best summer ever. And he rolls back all COVID restrictions. Now, we know how that goes with most restrictions. It's no different in Alberta. And by September, things are worse than ever. I'm an elected official at the time, and the premier, Kenney, had stated that there would never be vaccine passports, right? So instead, in the fall, they bring in the Restrictions Exemption Program. So everyone still needs proof of vaccination. But in the REP, if you do that, now you can go to things that you wouldn't be allowed to go to if you didn't have your proof of vaccination. So it's not a vaccine passport. It's just a pass that allows you into places if you have your vaccine.
But everybody needs this proof, and the online health records portal that we have, that already existed to display your health records, was slammed and not working. So they needed to build a portal that could retrieve these vaccinations very, very quickly. And that first release left a bit to be desired. So it basically required three things to verify your information, right? It required your Alberta healthcare number, your date of birth, and the month and year of any of your doses. And most people at that point had only one dose. So the original site, when you put in your information, spat out this unsigned, unlocked PDF. No way to verify, no QR code, nothing. And people were on Twitter basically immediately putting any type of name, any type of vaccine that they received, whatever, all over the PDF, because that's the only thing it was. It was just, anybody can print it out. But looking deeper, there were some other problems. There was room for things like maybe some sort of enumeration attack, because date of birth and dose dates, if you do any OSINT on anybody, those are pretty easy. Most people were posting their doses on social media at the time, right? They do those videos and they're spinning their arm or whatever, right? And there's only one thing that's unique here, and it happens to be a piece of PHI, right? It happens to be your Alberta healthcare number. The Alberta healthcare number is, I think it's nine digits, but it has a check digit as well, so that space is actually quite a bit smaller. And I received some concerns from an Albertan, who I knew had a computer science background, and said, hey, I think this type of attack, this brute force enumeration, might be possible. I decided to take a look. And I wrote a very simple script. I think I described it to the cops as a high school level script. It was a little Python script. It had some, the site had some IP-based rate limiting, but no other controls to speak of.
That's a pretty simple solution, right? You just pipe it through the Tor proxy you've got running anyway. And what I did is, I decided, well, you have to minimize the impact, right? When you go and do this type of investigation, you don't want to actually have any type of PHI that could be dangerous. So I tried to use the premier's date of birth, which was public record on his Wikipedia page, used a vaccination date, which, a month and year, was on Twitter, and many requests later, a couple of days later, got a hit. The script just ran by itself. It wasn't him who got proven. So I reported it to one of our staff members, had them figure out who to report it to officially, and I basically forgot about it. Within about a week or two later, they quietly made the change, put in a CAPTCHA, put in some controls on things like geofencing, and things seemed fine.

Then comes December 20, 2021. I'm away on a ski trip because it's December, and I want to go skiing. My sister's isolating, she's traveling home to visit us, in my house, and the RCMP decided at, like, 6:30 or 5:30 in the morning or something like that, that they've got a search warrant, they're going to raid my home. So, not a very happy sister when they're in your house trying to sleep at 6:30 in the morning and the RCMP flash a badge at the door. But I do have some very nice doorbell footage of police trying to serve a warrant on me. And they were serving an investigation under the Health Information Act, the HIA, which basically says no person shall knowingly gain or attempt to gain access to health information in contravention of the act. Attempt is going to be a key word here. There's no wiggle room or anything, or understanding for good interest or public interest in securing records and things like that. And it becomes a bit of a problem, obviously, hence why I'm here.
But we can note that, of course, the Health Information Act does require custodians and affiliates of custodians of the information to take reasonable steps, in accordance with the regs, to maintain the technical, administrative, and physical safeguards and protect against anticipated threats, right? So this is something that they should have anticipated. A reasonable person would say, like, yeah, this is a normal enumeration. Yeah, there should be types of controls against this. But basically it concludes, after a year or so of investigation, going to court, lots of lawyer fees, no criminal charges, and I paid a $7,500 Canadian fine, so, like, $5,000 American or something, for breach of the Health Information Act, which was that attempt-to-access-records part. I did step out of my caucus, and I didn't seek reelection when the election came around in May of 2023.

So what are the problems that are existing here? You have governments advocating for people to report risks that they see. On one hand, out of an abundance of safety, they'd rather have a bunch of false alarms than potentially miss something. They'll say, if you see something, say something, except for this and this and this and this and this and this, like, but they're not making that very clear. There's no proactive planning for not if, but when, someone comes to them with a report, because many eyes make bugs shallow. People will find things. Lack of vulnerability disclosure pathways, no clear safe harbor, you know, a chilling effect from laws that have no exceptions carved out, in Thomas's case. It's like, if I ever found myself, just purely by random, looking at somebody else's health information, I'm like, nope, nope, nope, nope, like, I'm not going to say a damn thing, because I accessed something that I was not authorized to, therefore I'm in violation of the law. I'm screwed. There are no whistleblower-type protections against the government retaliating against the public. Strangely, that.
You know, in our case, there was no major oversight over IT systems or accountability for the government systems. There were also problems we've seen in parts of some of my behaviors. Lack of researchers understanding the laws and where these landmines are, you know, so somebody could be looking at things for perfectly legitimate reasons but not realize the danger they're putting themselves in. You also run into situations in governments of changes in leadership, you know, your parties change, your leadership changes, and it's like, oh, well, this thing that we had planned to do, we're shelving that and going a different direction, which means we've got to, like, start all over again. So nothing ever gets done. You lose institutional knowledge from those sorts of things, you know, the attrition of employees.

Reporting to companies is equally fraught. And I've done a lot of this. If they have no vulnerability disclosure program, it is such a gray area. It's never clear what's safe. Companies are often described as having more lawyers than brains. I Am The Cavalry has this wonderful graphic of the five motivations of security researchers, you know, the protectors, those who look at it as a puzzle, those who want some, like, sort of pride or prestige. Some people are in it for the money, other people are doing it to make a statement, you know, some sort of protest. Those are not understood by business very well. They don't realize that most of those are actually fairly altruistic and to their benefit. Some, genuinely, you know, in some of my other research, you know, these companies are genuinely naive. They don't understand the security problems, and that's okay. We do need to educate them. So many others really should know better.

So let's talk about some of the problems we have with researchers. Like I said, I'm a recovering politician. I know all about ego and bravado. But it's a problem, right?
It's a real problem, because this lack of transparency on where these lines are going to be, if there's no VDP, vulnerability disclosure program, means that there are going to be times where people are unintentionally crossing lines, right? So we have to understand that there are instances where these researchers aren't going to even understand what they should look at. And the poor choices in things like wording, where, if we look at the Malta case, where four students tried to report an issue, and I think they put in it that they wanted to see if there was a bug bounty available if they reported it, and they also had this disclosure timeline. They used this type of very aggressive wording, were treated as a threat, and received some investigation for that. Like, those are things where we look at researchers and say, like, hey, this is not a cooperative way to work with government, right? It's not a cooperative way that's going to have a positive policy effect. So there's just that desire for publicity, right? It also is a problem when researchers just don't understand the laws, right? They don't understand which types of information might be radioactive, in a way, right? PHI or other types of information. And the other thing with researchers is, sometimes researchers have a lack of empathy, right? Because organizations are oftentimes genuinely either naive or under-resourced, right? You're talking about a security team of only maybe four or five people. I think the Alberta government one is still comparable in size to that. And you're looking at an organization with thousands of employees and thousands of servers across multiple departments, right? Like, it becomes a real problem. So there's this reliance on this sort of deadline and inflexible process that leaves no nuance for how can we work cooperatively with the government on improving these policies, improving these sorts of issues, because the government is going to be forced to take a cookie-cutter response, right?
They're going to be forced to call the lawyer, because now you've emailed them this thing. And the lawyer says, well, we have to report this to the police. And then the police go, well, now we have to search this person's home, right? It becomes a whole issue.

So some government agencies and businesses are getting it. May 2022, DOJ announced a policy not to charge good-faith researchers. They'll still investigate, but prosecutorial discretion says, yeah, if somebody's doing good, and, you know, they're following rules and everything, then, yeah, they may have stepped on the line, but you choose not to prosecute. This is a good thing. I was reminded yesterday, besides that, when Keith Alexander was speaking at DEF CON, he said, you know, what do we need to do to get more people into the service, to help secure everything? And somebody shouted, stop arresting researchers. CISA has been doing some amazing work on this. And I've been talking in the last couple of days, I wish I could have updated the slides till now. But they've got, like, vulnerability disclosure templates for all the federal agencies. It's like, you fill in the blank. And boom, you have, you know, a policy and a template. CERT has a guide to coordinated vulnerability disclosure. Many organizations have vulnerability disclosure programs with safe harbor carve-outs saying, you know, if you report things through this method, and you adhere to these, you know, restrictions, like, you know, don't go public with it until we've fixed it, et cetera, you know, we promise not to prosecute you. I Am The Cavalry has done amazing work in this category. Initiatives like the security.txt RFC. This needs to be a thing, where it's, like, a place where security researchers know they can look for who to report stuff to. So you don't have to have a big, you know, thing on your website.
But it's like, if you know, you know where to look and can get the information to the people who can actually fix this stuff. I mean, I was already, I actually spoke to her yesterday. She's been doing a bunch of work on safe harbor, and apparently she actually knows a bunch of the Canadian counterparts there and is going to be leaning on them fairly extensively to get some of the same stuff put in. So yeah.

But yeah, like, I think this is one of those issues, right? When we talk about things like how do researchers actually work in government, and government needs to also put out that olive branch, right? We talk about things like reporting paths and security.txt, right? When I was an elected official, I had direct access to many politicians and government officials, and I still didn't even know who to report to, right? I had to get the staff person to figure it out. So you need that VDP that spells out things like the rules of engagement, spells out things like who are the people you should be reporting to, what are the channels. You need information on who owns what systems and where those systems should receive the reports. And we need to look at things like legislative changes, right? We need to look at changing some of the laws that are basically saying all or nothing, right? If you do any type of research, any type of accidental access or disclosure, then you're going to be prosecuted, right? The HIA has that attempt-to-access clause, for example, right? Like, those are the types of issues where we need to start looking at what are the opportunities to make revisions that are more fitting with a modern security framework in mind. We need to work with law enforcement, right? Law enforcement needs to understand that they need to work with researchers, recognize what researchers are trying to do, when they have positive intent.
Like, oftentimes researchers, especially if they're trying to help the government with this type of information, they're trying to disclose to the government, they're not asking for money, they're not asking for anything, they're trying to do free research work for you. And we need to have those established procedures in place to prevent the knee-jerk reaction of, well, I got a report and I don't know what to do, so the first call is to the justice lawyer, who is going to call the RCMP, right? Like, that's the relevant policing force, right? And that's going to be one of the most important things. There must be a way for organizations and governments to understand that these types of reports are going to keep coming, and they're going to increase in volume as more and more people are concerned about public data, right? And there are lots of ways you can do that. You can do things like canary records, you can do test systems, like a CTF-style flag that's like, if you find this person's health care record, it's a fake record, but then we know you're actually inside, right?

But if you are going to do this type of research, which I actually don't recommend, I don't think it was that enjoyable to have the RCMP seize all my things, but if you are going to do it, you should probably try to figure out who to call first, right? Who can you give a heads up? Maybe they're in a security.txt. Maybe they're in some sort of, if you look through the staff directory, you're going to find a security person, right? Identify yourself and say, like, hey, I want to look at this thing, or I think this is a problem. They might say don't. They might say, here's a unique header to include in all your requests, whatever, so we can identify the traffic. But those are the types of conversations that are going to need to be coming from government as they work with researchers.
So this is a really fundamental capitalist thing of, if someone is coming to you with a vulnerability report and wants to make your product better, they're doing free work for you. Let them, right? This should not be hard to understand. Expect that reports will come in. Again, many eyes. People will do weird stuff with your products and throw weird stuff, emojis, in various fields or whatever. And if something happens, you want them to tell you. Assume positive intent. Unless they actually say, give me money or your dog dies, assume that they're just trying to make your product better. A vulnerability disclosure program does not equal a bug bounty. You don't have to pay. It's just having a pathway to ingest those reports. You don't have to pay out. That's a whole other thing. It costs next to nothing to do this. You could even just have a kudos page, like, hey, these people have found vulnerabilities. Thank you very much. Hell, Pornhub, for certain levels of vulnerability, sends out really awesome t-shirts to people. Stick figures that say, oh, what are you doing looking for holes? Takes on a whole new meaning there. A vulnerability disclosure program also allows you, if you're a company or government, to establish the legal lines and the rules of engagement. So, you know, you can just say exactly when a line has been crossed. You can say, well, please rate limit to five requests a second or something, so you don't take this down, but somebody doing, like, five million requests is, like, okay, that's pretty obvious. Helps your case too, if you're going to law enforcement and saying, yeah, we're under attack. It's definitely not a researcher. The OpenSSF Vulnerability Disclosure Working Group has some stuff, if you're an open source project, for taking in vulnerability disclosures. Outsource this stuff, if you want. HackerOne, all those kinds of companies. You don't, again, don't have to pay out a bug bounty. It's just a matter of having a way, a pathway, to take these things in.
Just think about the reputation damage from going after a researcher and trying to snuff them out and stop their message and everything, versus actually fixing the problem. Being a dick is way more expensive. So just, this is going to happen. Just make sure it can happen easily.

Researchers are part of the problem too. There are a lot of you in this room, I'm assuming. Choose your targets carefully. There are some radioactive data types, like, as we found, health information, that you just really need to be careful with. Like, you know, minimize your impacts, rate limit, be reasonable, minimal proofs of concept, you know, don't go trying to grab the entire database or anything like that, you know, one record, or at least just, if you can go to them with, like, a preponderance of evidence but never actually pulling the trigger on the exploit, you know, that could be enough at times, saying, like, I'm not going to execute. Maybe get legal counsel on retainer. The phrase, well, talk to my lawyer, will stop a lot of awkward conversations very quickly, because suddenly it's going to cost them money to talk to your lawyer, and hopefully cool heads will prevail in that time. If there's a known exploit, like there's a CVE for it and a proof of concept, maybe don't execute it. You know, just say, hey, your server version, because there's this proof of concept or this exploit, preponderance of evidence. Saves you from, like, accidentally running something and going, like, maybe further than you thought it would. Watch your language. No threats or demands of any type. Like, don't, you know, don't ask for a free t-shirt or something like that. Anything that could be, like, blackmail or extortion. Just no leverage at all. If you choose to give me something, great. But I'm not going to ask for anything. Document the hell out of everything. Expect you'll wind up in court someday and you'll have to show this to a judge or, you know, other lawyers or prosecutors.
You want to have all your ducks in a row on that one. Be very formal in your communication. It may become public. I did a bunch of freedom of information requests for my communications and was like, okay, yeah, I should not have said it that way; that was a bad idea. Keep your ego in check. If somebody just doesn't want to hear from you, it's like, okay, you tried. It's all on them now. Pick your battles. But consider this whole talk sort of a call to arms to advocate at all levels, federal, government, as well as at your own companies. Big or small, a security.txt file costs you nothing to put in place. Because we've got bigger problems to solve. Let's not go arresting the researchers and everything like that. They're actually trying to help. Again, free labor. So I think we're just going to get this one. So, wonderful epilogue. Like we said, all those things eventually got resolved. They added that secure QR code. They added the CAPTCHA, a couple of controls. Alberta now has a cybersecurity community of interest where people can voice concerns, engage with the GOA, and all these things. They have sort of a reporting method now; there's a web portal, anyways. It still needs a bit of work. But we are working with, and we're hoping to continue engaging, as Render was saying, with some law enforcement agencies and all those types of things to bring about more federal changes. So since 2018, I scared them enough to open up their wallets. The threat intel team was massively shaken up and reorganized because apparently they missed a bunch of things. Huge reorganization in the IT department, including providing teams to departments that maybe didn't have the budget or the resources to fix things, and while they couldn't be told that they needed to fix things because they had their own policies, they're like, here's a bunch of people who work for you for free to fix this, because it's all in our best interest.
And I have to say, it took them about a year, but they really got their crap together. It's way better than it was; occasionally I'll throw a report at them, but it's not the embarrassment that it was previously. In that subsequent time I connected with Thomas when things hit the fan for him, and wrote a letter to the editor basically saying, yeah, okay, he violated the letter of the law, but the law is stupid, and if you prosecute him then there's this chilling effect that nobody else is going to want to speak up and point out the emperor has been really weird. It's like, really? A court's going to listen to me and my friends? Do they know me? And while he was an MLA, because he had stepped down from caucus, he was still an elected member; he just wasn't part of any party at that point, but he was still a sitting member of our legislature, and he saw the opportunity for a glorious bit of trolling.

So for those of you not in a Commonwealth country, the Platinum Jubilee was last year, which is 70 years of being the monarch in Canada, so all the provinces and the federal government commissioned these awards for citizens. In Alberta 7,000 were made. A bunch of people got them automatically: MLAs, mayors, those types of egotistical people. But MLAs got this opportunity, as elected members, to nominate somebody. You see where this is going. So why don't we nominate somebody who found and reported a bunch of vulnerabilities to the Alberta government in 2018-19? I will point out Render originally thought the email from my office was spam. Well, it was like, hey, you've been nominated for an award, please give us all this personal information. I only asked for, like, birthday to give out an award. But the same government that didn't need Render's services anymore was going to honour him with this distinguished medal, and you can see how he dressed. Yeah, so that's a Joker-inspired suit, by the way. And we had the opportunity, I had a certain number of guests that I could invite, and Thomas was kind enough to put on letterhead, all official, an invitation to Service Alberta, who had called the cops on me, as one of my invited guests to the ceremony. He was unfortunately in Vancouver giving a speech, so he couldn't attend, but he appreciated, you know, the whole humour in this and everything, the irony. Evilmog, the Church of Wi-Fi's Bishop, a friend of mine, was also given an award in this too. So two of us have this, and it's given out quite generously, so we figure we should continue to do so.

So we have the Church of Wi-Fi DEF CON Medal of Service, awarded to those who are providing service to others in the community. I made these on my CNC at home. They are janky as hell, but I made about 220 of them, and we'll be handing these out through the weekend to those we see doing cool things, or teaching a bunch of people things in the hallway, or if you buy us a lot of drinks or something too, we'll give you one of these. Don't buy the drinks all at the same time; 200 is too much. So the outline ones are new service; the solid ones are going to people who have done me solids in the past, or people who really are the ones that pull off DEF CON, like Nikita, get those. So, wow, five minutes left. I guess questions. Well, I think Thomas, you should get the first one of these, for excellence in trolling and excellence in service to my ego. So, no questions? I think being the troll, sorry, I think being the troll was why Render knew I... yeah.

Oh yeah, he's saying, as a researcher, the thing that will have the least risk to you is to do nothing. Problem is, I'm unfortunately burdened with a conscience, so I see something like that and it's like, I had to try. Yeah, the second least risky thing is to drop it on Pastebin or something like that. Something to think about, though, when you say that: especially when you're talking about government organizations, that's not necessarily the least risky thing, because your information is in that system, right? So that's a real issue for you and your friends and your family. I'm protecting my own ass, and I like my ass. So, yeah, just basically putting out to the government that making it so that we could come to them with a report is better than the other two options.

Yes? Nope, so he's correcting me on which state that was the case of. I mean, you guys have got way too many of them, and some of them begin with M. I'm Canadian, so I'm just going to claim ignorance or something here. I mean, keeping track of batshit insane states is like a full-time job. So one more time for one more here. So do we think there's something in VDPs and things like that? I think that a big piece of it's going to be the legislation piece: talking to them, saying, hey, you need to have these systems in place, you need to have the policies in place that are going to allow this disclosure. Yeah, and if law enforcement, you know, steps in and says, well, if you have a way for people to report this stuff, anybody who doesn't, it's much more obvious their malicious intent. Actually, it might be a barbed-wire-covered bat, you know; just browbeat them into doing it, because it's in their best interest to get free labor. Like, we need thousands of security experts; well, there's people lined up to do work for you for free. Let them. Thank you.
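The speakers' cheapest recommendation is the "security text file": RFC 9116's `security.txt`, served at `https://<host>/.well-known/security.txt`, which gives a researcher a contact route and points at the rules of engagement and the kudos page. The following is an added example written for this page, not code from the talk or from any organization mentioned in it; it generates such a file and then validates one against the RFC's requirements (required `Contact` and `Expires`, single-valued `Expires`, URI-form contacts, an expiry that is neither past nor more than a year out). All `example.gov` URLs and the dates in `BAD_EXAMPLE` are constructed placeholders.

```python
"""Generate and validate an RFC 9116 security.txt file (added example)."""
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116; matching is case-insensitive.
REQUIRED = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
KNOWN = REQUIRED | SINGLE_VALUED | {
    "encryption", "acknowledgments", "canonical", "policy", "hiring", "csaf"}
# RFC 9116 requires Contact values to be URIs; these are the usual schemes.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def render_security_txt(contacts, expires, policy=None, acknowledgments=None):
    """Build the file body. `expires` is a timezone-aware datetime."""
    lines = ["# Vulnerability disclosure contact file (constructed example)"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    if policy:            # rules of engagement: scope, rate limits, legal lines
        lines.append(f"Policy: {policy}")
    if acknowledgments:   # the "kudos page" for researchers
        lines.append(f"Acknowledgments: {acknowledgments}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    counts = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1
    for name in sorted(REQUIRED - set(counts)):
        problems.append(f"missing required field: {name.title()}")
    for name in sorted(SINGLE_VALUED):
        if counts.get(name, 0) > 1:
            problems.append(f"{name.title()} must appear at most once")
    for name in sorted(set(counts) - KNOWN):
        problems.append(f"unknown field: {name}")
    for name, value in fields:
        if name == "contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI: {value}")
        elif name == "expires":
            if value and value[-1] in "Zz":          # accept the RFC's trailing Z
                value = value[:-1] + "+00:00"
            try:
                exp = datetime.fromisoformat(value)
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 date-time: {value}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires must carry a time zone")
            elif exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems


def example_file():
    """A file that passes: two contact routes, a policy, a kudos page, six-month expiry."""
    return render_security_txt(
        ["mailto:security@example.gov", "https://example.gov/report-a-vulnerability"],
        datetime.now(timezone.utc) + timedelta(days=180),
        policy="https://example.gov/vulnerability-disclosure-policy",
        acknowledgments="https://example.gov/security-thanks",
    )


# Constructed file with the mistakes a reviewer most often sees: bare e-mail
# address instead of a URI, duplicate and long-expired Expires, a made-up field.
BAD_EXAMPLE = """\
Contact: security@example.gov
Expires: 2020-01-01T00:00:00Z
Expires: 2020-06-01T00:00:00Z
Bounty: none
"""

if __name__ == "__main__":
    print(example_file())
    for problem in validate_security_txt(BAD_EXAMPLE):
        print("-", problem)
```

The validator is the piece worth running against your own site, since a stale `Expires` is the most common way a published file silently stops being trustworthy; the generator just shows that the whole file is a handful of lines, which is the speakers' point about cost.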