 Welcome to Become a Cyber Security Ninja, a 10-part webinar series. Today's session, the Ninja Toolkit, 80 tools in 30 minutes. By the way, this is session eight of our Become a Ninja series in two weeks. We'll be doing, well, we'll get to that in just a moment. And we are delighted to be joined again by Keith Burner up. Here we go. Our P.J. kitchen is underway. So today is your Ninja Toolkit, a review of our favorite tools and services. Not all of these, by the way, are our favorites, but many of them are, and many of them are ones that we've known. And next week, or two weeks from now, we're gonna have incident response. Now what? Incident response. I, of course, am Joshua Peske, Vice President of Technology Strategy for Roundtable Technology, and Roundtable provides IT services to nonprofits and small businesses all over the world, but predominantly in New York City and around New York and in Maine, where we have most of our personnel and operations. Keith, go ahead and tell us about yourself. Hi, there's a lot to read there, but basically I am your classic accidental techie Become Director of IT. My own background is in international relations, which is where Freedom House is focused. And really what I do is I leverage others' expertise. That is, I am not the expert in anything. And as you're noticing, we are doing Peachakucha. We're not gonna do this for the whole webinar today, but for the first 20 slides, the slides will be auto-advancing every 20 seconds. You'll also see the parenthetical J and K. Those are just for me and Keith to know which slides for which we are responsible. And once this starts going, we are, every 20 seconds, the slides are auto-advancing. We thought this would add a little bit of fun to an otherwise perhaps dry webinar presenting a bunch of tools. So hopefully you'll agree with us. At least it adds stress for us. Exactly, stress for us if nothing else. But we didn't go for the whole thing. Our learning objectives today, we're gonna give you actually quite a bit more than 80 resources. If anyone actually wants to count how many resources, I lost count, I think they're on 85. How to research your tools, the limits of researching your tools. You're gonna experience a Peachakucha style presentation, 20 slides, 20 seconds, and further reading and resources, of course. All right, some cautions. First of all, there are very few good sources that objectively analyze these tools. Also know that there's no guarantee that any tool will give you the security you need. Remember that the very best tool technically may not do you any good if nobody uses it. And finally, use tools properly. So the next set of things we're gonna talk about are ways to browse securely and also to search securely on the web. We've got a couple of different areas coming up here. And this is one of those cases where I'm just talking to fill the 20 seconds until the next slide magically comes up. And there it is. And it's me and I'm gonna talk about Tor, your anonymous browser. So it is a free open source browser for all platforms. And it gives you anonymous browsing again. You need to install it and use it correctly. They provide excellent instructions for doing so. And it will allow you to have a mostly anonymous browsing experience. In my personal life, Google is not my enemy. In my personal life, it is. I use DuckDuckGo or StartPage to do all my internet searching. Neither of these sends any data back to Google. And I have found that the quality of the search results is just as good as Google. So. Privacy Badger. This is another browsing tool from the Electronic Frontier Foundation. You'll see them mentioned an awful lot today. And it blocks spying ads and invisible trackers from your browser, free add-on for Firefox or Chrome. And very, very highly recommend it. Doesn't impact your browsing experience very much at all in my experience. And also from the Electronic Frontier Foundation, HTTPS everywhere. This forces all sites onto encrypted connections. So there's, you know, the best way to do this is to have a free plugin in the web and also a free plugin for Firefox, Chrome and Opera and recommend using that as well. And again, it doesn't impact your browsing experience too much. There is no such thing as a definitive list of which are the best VPNs. The site that we're showing you here is the best that exists out there. But basically, if you want the most secure VPN, roll your own. This site, on the other hand, will have commercial VPN services across a wide range of criteria. Password managers or vaults, you cannot possibly create complex passwords, memorize them, change them on a regular basis, which is where the next set of tools comes in. These are encrypted password vaults that also include random password generators. The one I like the best is LastPass. It's free, except for on an enterprise level. We use it here at Freedom House, and it includes, as I said, both the vault itself and a random password generator. So the only passwords you need to remember in your life is the one for your password vault. By the way, don't lose your master password or you will lose your data. KeyPass is also highly respected. Difference is it stores the data locally, which you could consider safer than storing it in the web. On the other hand, if it's stored on your hard drive, you better be backing up that file or you could lose all your passwords. One password is one that I've been using in my personal life for quite a long time. Frankly, after having used LastPass and OnePassword, I don't see any reason to pay the money for OnePassword because LastPass is really just as good. But this is generally, these three that we just did are generally listed among the best password vaults by most observers. Some key success for password managers. Make sure, of course, you have a strong master password. If it supports two-factor authentication, that's even better. And I would definitely recommend using that. If you're implementing this to your organization, provide lots of support and change management to your staff, allow time for effective adoption. Two-factor authentication. Here's the thing, if somebody hacks your password, but there's a second factor required for somebody to get into your account, they can't do it unless they have that second factor. This is an essential security tool for organizations and for individuals. Aussie. Aussie is a nice two-factor authentication that you can use to add two-factor authentication to multiple applications. It's one of the leaders in this space. A lot of different options for use of Aussie, very inexpensive to implement for your organization. Duo is the one we use here at Freedom House. It has come recommended by a number of security experts. Note that it can be used across a variety of applications. In our pricing comparisons, it has shown itself to be more inexpensive or less expensive than some other tools and it includes a phishing testing module. And Ubiqui is a different form of two-factor authentication that uses a physical key that plugs in your USB slot or uses wireless encryption to authenticate you to a device. And that is an incredibly secure mode of two-factor authentication. Next, for folks who need to have private phone calls, we're gonna talk about a couple of options for having to use voice cover systems. Note, of course, the other person has to have the same tool you do for that voice conversation to be encrypted. First one we're gonna talk about, I would say is the gold standard among both voice and messaging encryption. We'll talk about it later as messaging is signal by open whisper systems. This is a free service. Again, you, as Keith mentioned, the other person has to have it as well. You have to have the other person's signal number, which will not be the same as their regular phone number. And then you can have an encrypted conversation. Silent phone by Silent Circle is also well-respected. One thing to note about it is that there is an optional feature that allows communication with any mobile or landline. Note also that the full burn functionality means you can set expiration timing for messages sent and received. Keith, we did it. We did it. I am now, you know, I'm ready to pop open a beverage right now. That was, you know, I actually really enjoyed that quite a bit. I would highly recommend doing that more. I did too. And I just hope that our audience didn't have their eyes glazed over by too much information at once. It was very fast. So we decided, we did a run-through yesterday just for the audience. And we decided that it would not be in the best interest of everybody here to do the Pechakucha style for the entire presentation. So hopefully everybody is now seeing a blue slide called Messaging. Keith or Ben, if you can verify that. I've switched over to the other screen. We're gonna advance this manually, kind of the old fashioned way from here on out. We're gonna continue to move at a pretty brisk pace, but we now can sort of stop for questions. We're not, we can stay less for 20 seconds on a slide, more for 20 seconds on a slide, but we're gonna continue moving in a brisk pace because we wanna get through all these tools. All right, so messaging, we just talked about signal. So signal also works for private encrypted messaging. Still free. Again, you'll have a private signal number. Someone else also needs to be on signal for that to be encrypted. And it's an extraordinarily secure thing. Another point that we, while we're on the Pechakucha, and I'm just gonna say it applies to all of these things and security in general, none of these things are gonna be secure if you don't use them correctly. And so the ultimate caution I have for all of these tools is if you're not going to use them in a proper way on a system itself that is secure, then there's obviously no guarantee of security with these systems. But that said, signal very, very highly regarded as an encrypted private messaging system. Now, I'll note just kind of still talking about signal. If it were up to me, there wouldn't be any other messaging app that I would use. But here's a problem. If the people you're communicating with are used to a different app, that's the one you've gotta use to communicate with them. So even though I can highly recommend signal, if you're dealing with a bunch of activists on the ground and that whole activist community is using WhatsApp, well, that's what you're gonna have to use. WhatsApp has been highly respected. But Facebook bought it recently. One thing is you have to set your Facebook, I guess, preferences so that you are not automatically sharing the data back with Facebook. The other thing is that very recently it came out that a backdoor allows Facebook to see the data in any case. The danger there is not that Facebook is actually mining your WhatsApp communication, but that in a hostile environment, if a government issues a subpoena to them, if they can access the data, they will have to turn it over. That, by the way, that flaw is not in signal. This one does not have anywhere sign to it. Keith, you wanna take this one? I will, I'll take this one away. Telegram is very, very popular. Here's the hazard. In normal mode, it is not encrypted. You have to manually turn on its secret messaging add-on, and the other person has to respond to it for your communication to be encrypted. Also, that secret message functionality doesn't exist in every platform. So I recommend against using Telegram because of the likelihood that you will forget or you won't be able to set the encryption. Pigeon is really a very simple chat tool for the desktop. The other apps that we were talking about were primarily intended for mobile, though some of them and some of the ones we're going to talk about also have components that will work from the desktop. Hey, I'm still on. How about that? Perio has a little more functionality than the other messaging tools in that it also includes file storage and sharing. This is, well, not as widely reviewed and respected as signal, it also has been peer reviewed and is indeed respected. So it's worth giving a try. I'm still on. Yeah, there's no escape. Oh, man, I'm glad we're not still on the 22nd auto advance. So Wicker, frankly, I cannot find any peer reviews of it. People who use it like it a lot. It's got some very nice functionality. And again, worth a try, though I'm not sure if I were dealing with the most dangerous environments, whether it would be my first choice if I could use signal. I will say that email key sharing, though, is a useful feature in terms of verifying who you're talking to. Still use it. That's right, yep. Wire, I would put in the same category as Wicker. It's got some great functionality and note that he doesn't store conversations at all. That's something that is not true of all the other ones. And I do want to ask the audience, by the way, if you have any tools or services that are in the category that we're talking about and you want to throw those in here, or if you've used one of the tools that we're talking about and have something to say about it, file me and throw that into the question box. And now we're going to talk about email encryption. First thing we're going to talk about is the GNU Privacy Guard. I was deeply confused by this, by the way, because I'm familiar, much more familiar with PGP, which is pretty good privacy. And I assume this is a typo. I actually hadn't heard of the GPG suite, but it is a GNU Privacy Guard that actually uses public private key encryption, just like PGP, and provides a whole suite of tools for Macs and for OSX and for Windows that you can use to encrypt email. So very, very good platform and free and a bit complex to implement. I would say would be the big guy down side of that one. I actually want to add to that if I can real quick. And that is if you know the tools to install, it's not hard to install them. The hard thing is training end users, including perhaps activists on the ground whom you've never met, to use the sharing of public keys with a private key in the background. This is not something that is highly intuitive to people who are not technical. And that's the biggest hurdle for using this approach. The other thing I would just say real quickly, the better known PGP is a semantic tool and is many thousands of dollars. Yeah, this GPG is the free open source millennial version with lots of use, but not a lot of walkthroughs and guides. It's an Edward Snowden tool, as opposed to a, you know, Josh Robins gay tool. Yeah. Corporeal. Yes. Mailvalope. I'm going to go ahead and say I resent that much. I'm going to go ahead and say. Mailvalope is really the same principle as GPG, except that it works in web-based mode as opposed to working in a desktop client. But there again, your users are going to have to know how to be comfortable with creating and sharing keys. Virtru is I think the best tool for the money out there. I'll let the others here disagree with me if they care to when their slides come up. Virtru is what we're using at Freedom House, except in our most highly sensitive cases that really need the GPG level of encryption. Virtru includes functionality for expiring the messages you send for preventing forwarding of the messages and also allows you to revoke permissions once you've given them. They have discounted pricing for nonprofits and they work both for commercial web mail. They also work in Outlook for Mac and PC and they are just now developing, it's in beta, a client that works in your web browser with Outlook web access. Note that they have no plans ever to make this work with Mac mail because Mac doesn't play nice in the mailbox, sorry. And for users, it is brain dead simple to use, which means they will use it. And you'll get no arguments for me about it being, I would say the most user friendly and still secure option of all of these. And again, it being used correctly by people is something that, Virtru, even if it's not as rock solid secure as let's say a new privacy guard, if it's used correctly versus being used, GPG being used incorrectly, it's going to be more secure. And that sounds like just plain semantics, but that's really important when you're thinking about the real world. And crypto is what I use. Crypto, because that works with my Gmail client. Yeah, I do have to set up a PGP public-private key pair, but once you've got that, you can use crypto and that works very well. You can also with crypto use a one-time passkey, so I can create a password for encrypted methods and I can call the person and give them that password over the phone or by some other methods so you can communicate by encryption with people who don't have this as well. Office 365 includes an encryption feature. It's included in the E3 level and above. A lot of nonprofits are on E1, Office 365 because it's free. If you want to add the encryption feature, it's $2 a month, which also then includes some other Azure security features. Note that unlike a tool like Virtru, you can encrypt the message, but you can't do things like set an expiration, prevent forwarding or revoke privileges. It is also extremely simple to use. In our case, I set it up to basically read a tag in the subject line. If you type bracket, encrypted, close bracket, your message is encrypted. You can configure it so that it would encrypt based on who's sending it, who's receiving it, contents of the subject line or a variety of other features. And just to be clear, that's $2 per month per account that you have. So if you had 10 accounts, it would actually be $20 a month. That's right. And you don't, so for example, we have 180 users. I haven't purchased it for all of them. I've purchased it for the 20 who want to use it. Exactly. Hushmail, it is sort of hazardous to use. If you're writing to other people who have Hushmail, it's automatically encrypted. But if you're sending to somebody who doesn't have Hushmail, the way you encrypt it is by creating a secret question and answer. Now, if the answer that you've created is too simple, then it's like using a simple password for anything else. So if the answer to whatever question I posed is 1973, well, that's only four characters and they're all numbers, right? Also note that the free account, you must use the Hushmail domain. And if you don't use it frequently, your account expires. You cannot resurrect it with the same email address. If you want to use it again for free, you'd have to create a new Hushmail username to continue using it. And we have one that's unassigned. I actually don't know a ton about proton mail keys. Do you want to take this one on? I have not used it myself. I do know other people who use it and like it. I think it's particularly for nonprofits. I think you can get a better rate from Virtru. Why bother with using this unless you're happy using the proton mail domain? Yeah. And I think where I've seen this as a use case is people who just don't want to be on Microsoft or Google at all. So this is different from the other folks it's not encrypting the messages that you're using from some of their providers. This actually will host your mail. So proton mail is a, you know, can host your web mail and then you're doing it through proton mail and you're not on Google or Microsoft platform. And if that's a real good position, that's something you might want to look at. Keith, do you want to take this one? Yeah, to the note of it's really, it's similar in functionality and purpose to the previous one. I do know people who use it like it. By the way, I will say for that one, the one euro a month cost for using your own domain is cheaper than for proton mail. And just be aware, especially as we get through these REST slides, some of these we're just going to show very, very quickly because we assume that you're familiar with a lot of this but we just wanted to make sure that you knew that some of them were encrypted. You might not have realized that. First, we're going to talk about file volition and wiping. So if you want to clean a computer and make sure that the files that you've deleted off that machine are not recoverable through a forensic tool or something like that, CC Cleaner and Eraser are both tools that you can use to make it harder for forensic people or basic IT folks to use on delete programs to recover things through computer. Veracrypt is kind of the follow-on to TrueCrypt, which stopped being supported, I guess, a year and a half ago. By the way, TrueCrypt still does work, but I'd rather use Veracrypt because it's continuing to be developed. It can be used for whole disk encryption or to create encrypted containers that you store any number of files in. I will note that the whole disk encryption is a little problematic in that there's about a 20 to 30 second delay between entering your password and the whole disk actually unencrypting. Anybody here who uses Mac and isn't aware of the built-in whole disk encryption should go back and relearn how to use Mac. Since Windows 7 Enterprise and Windows 10 BitLocker is included, which is really the best tool for whole disk encryption on Windows. And on both Macs and Windows, these are really just toggle switches that you'll find to just turn on encryption for the disk and that's pretty much all you have to do. Vaultive is like Virtru for Gmail and Office 365. It allows you to take files, store them in the cloud, in Dropbox, in box.org, in OneDrive, in Google Drive, and have those files encrypted, both in transit and at rest. So meaning when you're transferring the file from Google Drive to open on your computer, that whole session is encrypted. And when it's sitting on Google Drive or on Box, it's encrypted. So if someone were able to get to it, they would only get the encrypted data. We'll add on to it. And do I recall you're seeing, Joshua, that the pricing is reasonable there? I don't remember checking. The pricing is reasonable there. And the main use case there would be for what's called blind subpoenas, which we've talked about in previous webinars. We'll talk about that a little bit now. All the major platforms. So Box, Dropbox, Google Drive, and OneDrive, which are just all of these actually do encrypt the files. Most of us, I think, are probably not aware of that, but the files are encrypted. But they're encrypted via those companies. And a blind subpoena where the government says, I'd like to take a look at the data that Joshua has in Google Drive. And I'd like you, Google, to hand it over and not tell Josh about it. If it's encrypted just in the Google Drive encryption, then Google can decrypt it and hand it over. If I use something like Vaultive or a different third party tool to encrypt it, then Google Drive can hand it over. But they're handing over encrypted data that government would then say, hey, we need this decrypted. And they'd say, you're going to have to talk to Joshua because we don't have the key. And that's the big difference there. But the data is, for the most part, encrypted from non-government entities who would try to steal that data from you. Vera is another sort of add-on tool that you can use to, like Vaultive, essentially add different encryptions to those cloud platforms. So that's another tool you can use. Yeah, that's duplicated. And we're going to talk a little bit about fish testing. Keith, I don't know if you want, well, we'll just jump right into it. So, Wombat, oh, go ahead. I was going to say, actually, that I would have... Joshua and I are having a little marital squabble here. I would have named this section security training. Fish testing is one component of it. Oh, we can do that really quickly. Ah, you want to rename it right now? Yeah, sure, why not? Watch this, audience. You're watching things happen as we speak. Yeah, why not? There you go. Ask and you should receive. There's no need for us to fight, Keith. Not in front of the kids. All right. Wombat security, security awareness training programs, what these do is they send fishing emails to your staff. And if your staff are false, they send emails, if they click on the link or open the attachment or respond to the email with the requested information, then they will be notified that, hey, this is, you were compromised by this fish. They'll route you usually to a short, like five minute video or some training resource that'll explain here's what you fell for. Here's how to recognize that sort of thing in the future. And then you will get lots of good data about which, you know, how many of your staff are falling for these things. Keith? No before is what we use at Freedom House. No before features a pretty wide set of training videos. Depending on what level of the service you subscribe to, you get more or fewer of those videos available for your end users. By the way, we make those required for all incoming staff. No before also includes a fishing testing module with a number of, I mean, a large number of preset up templates, also the ability to create your own templates. By the way, the way I use this tool is that when I get the report back about who's clicking on those fishing emails, there's never punishment. What they get back from me is a marked up copy of the email that they fell for, along with guidance about the clues they should have looked for. And so what we're doing is increasing everybody's awareness over time and never making them feel punished for making a mistake. Super important point to make. And I wish to let everybody know now in the spirit of full disclosure, we are not going to make 80 tools in 30 minutes, probably 80 tools in 35 to 40 minutes. We're almost at 230. We got about, I think 10 or 15 slides to go. We're going to keep it brisk though, keep it moving. Another of these is SAM Secure the Human. There's three that we basically said which we consider as three leaders in space which are no before, Wombat security, SAM Secure the Human. I would say that my experience is consistent with keys. I find no before very easy to use. It's also significantly less expensive than the other two, especially at the lower end of the spectrum. So that's just our little impact on that. Orders of magnitude cheaper, I would say. I just got quotes from all three of them. If you actually want a secure device, secure mobile phone, then we have the black phone, black silent phone, these are a bit on the pricey side, but these are essentially encrypted phones or crypto phones that you can use for secure communications and you distribute these among the people that need to communicate securely. Oona OS, I don't know much about this one. Do you want to tell me about some keys? Yeah, I've had some conversations with the folks who are developing it. First of all, it's in crowdfunding stage. It's not out yet. Their main comparison to the previous one is that they're not using Google apps. They're installing their own apps on it, even though the code is Android-based. So the previous one does send data to Google. This one doesn't. Also, their prospective price point for it is $200 lower than the previous one. Great. And we did this in one, I think, two webinars ago. But the Faraday bag is something you can carry around. You can put your phone in it, and then your phone won't communicate with anything if you just want to be secure for that moment. You're out of protest or somewhere where you'd rather your phone not be communicating, but you have it with you. You can, of course, turn it off. But if even that doesn't make you totally secure a Faraday bag, then you can add podcasts. I'll talk about these, because I think Keith, you said you weren't. These are the ones. Yeah, these are the ones. I've been over the last year running through all the top 10, top 20 lists of security podcasts. These are the two that I listen to pretty much every week when they come out. Risky Biz, I really enjoy it. The guys are funny. They're entertaining. It's much more for enterprise-level cyber security. So a lot of stuff will probably go over most of our heads. Certainly a lot of it goes over mine. But a lot of it is super accessible. And like I said, they're pretty fun and interesting. And Unsupervised Learning by Daniel Meisler, he also releases the newsletter. In terms of the content, there is nothing that even comes close to what he does every week. He gives you a kind of rundown of a bunch of cyber security stuff every week, along with some other interesting things. He does that in about 45 minutes. He also releases the newsletter. It's a repeat of the same thing. His delivery is very dry. So bear with it. But the content is unbelievable. And if you want more podcasts to look at, we have these two links here for some other podcasts you can look at. Resource List, so the Electronic Frontier Foundation. That would be the gold standard for security tools, security news, what are the best practices if you need to communicate privately with other people and keep your communications. They really are, I would say, the gold standard. I'll add just one other thing there. They also advocate for things like net neutrality and privacy. And so if you're looking for a great place to contribute a little of your annual money that you give away, EFF really deserves it. Digital offenders, do you want to say anything about them? Digital defenders has a variety of tools online, including that first aid kit. And I'm going to leave it at that. All right, Tactical Technology Collective. They have a ton of great resources that you can do. And they provide a lot of good security trainings, a lot of good security handouts and things like that. Another very good resource. Not quite at the level of EFF, but a lot of great stuff that they put out. Passcode, so sadly, I love passcode. And it went under. It was a production of Christian Science Monitor. They ran it like a three-year thing. This was my favorite thing that they ever did, which was 15 under 15, 15 stories of 15 kids under the age of 15 doing cyber security work. And I highly recommend checking out. All their historical stuff is still online. They just stopped producing new stuff. But that 15 under 15 was just great and everything passcode did was great. And I'm so sad that they're not here anymore. Keith, you want to talk about that one? Yeah, Do Not Track is a series of webinars or web broadcasts that are high quality and cover really the whole gamut of security issues. Krebsome Security, probably the most well-known. I don't know, the Security Now podcast would probably be the number one thing, certainly, in the podcast store. But Krebsome Security, he was a Washington Post reporter. He started a security blog. And he does regularly have the newsletter, his website has current affairs and lots of great stuff there, also good resource. ZDNet, if you're a little more in the commercial space, they have a blog essentially called Zero Day where they keep, I think, that's a screenshot of their post today. But it's pretty good stuff there, actually. Not bad stuff. Yet more, here we go. Something that we produced that Access Now created this digital persona, digital security persona. And we have a link to that at the bottom of this persona template here. This is a tool that we've been using in our cybersecurity projects. We found it incredibly helpful. Also find this helpful is like a policy tool instead of having like an eight page policy that no one will read. This can be like your, you know, bring your own device policy. You can actually make a template to that to your staff. And we include a blank one here so you can make your own. So go have fun with that. All these additional resources here, we have all the specifics from electronic frontier foundations for self-defense who has your back, digital security processors, the digital security how-to from Access Now, that's where that persona guide came from. Personal security course from Community Red and just a bunch of other things. Getting a note from Keith that he can't hear me. Did my audio cut out? Hello, hello. Let me check my audio. I can hear you. I can hear you. Okay, so Keith, I think maybe you're out. Everyone out. And a bunch of other stuff there. I'm not gonna run through all of these, but I think we're okay. And then of course, ninja.rt.nyc, all of the webinars we have done as part of this series are resources. And what's next? So we finished only five minutes long. That's not too bad. And we are going to be doing now what incident response planning in two weeks. And then after that, all you have is on May 30th, your quiz to see if you can get your ninja certificate. I'm very much looking forward to that. The whole session will be your cybersecurity quiz and studying. We'll just be reviewing the previous webinars if you wanna study. And there'll be prizes and there'll be all that good stuff. And we've lost Keith. So I think Keith is gonna try and reconnect. But fortunately, he made it through almost the whole session. And maybe he'll be back in, but we are open for Q and A. And thank you everybody for staying in. That was your 80 tools plus in 35 minutes. And plus a little peachy-coochish. You get a feel for what that was like. And I think we're all set. So if anyone has any questions, go ahead and throw them in. Otherwise, I think we will wrap. I'll give it just a minute or so and see if anyone has anything. Ben, do you have any tools or any comments or anything you wanna share about any of that? No, I mean, I just wanted to make sure that you mentioned security now, but you got to it right at the end there. Kinda backed your way in mentioning it. Not one that I've listened to. Do you actually listen to security now? I do, yeah. Yeah, so it's been on for almost 12 years. So there's plenty of back catalog. And it's Leonard not Locate. What's his name? Leonard, who's the guy who does? Leo LaPorte, that's right. Yes, Leo LaPorte hosts. I am back and can hear you guys now. Great, great. Would Steve Gibson as the co-host? All right, I think actually it's probably reversed. Steve does most of the talking. He's the security expert. Okay. The guy who asks the most questions. It's like that, gotcha, okay. Are you still like that one? Okay. I do, yep. They do alternating Q and A's every other week. So if you have questions or whatever, you can always. And how long is the security now podcast? It can take some time. And I think the Q and A episodes are usually about two hours. And the other episodes are usually quite a bit longer or can be quite a bit longer because he's talking about different topics and things like that. But he usually picks a topic that's in the current news cycle. So it has relevance in the short term but also in the long term. So I find it very useful. We do have a really good question here from Michael who asked a question about signal which has had signals been compromised. And I do want to respond to this question because this comes up a lot. And this is a real problem with the media and they're trying to support on cyber security things generally. So the WikiLeaks dump the shadow brokers leaks about all the NSA and CIA tools that they used and the methodology that they used. A lot of the media reported that signal wasn't one of the things that were compromised that the NSA or the CIA had been able to crack so to speak. And I just want to clarify exactly what was meant there and also clarify that signal itself was not breached or cracked in any way. And there's no indication that it has been. However, and again, this was the point we made at the beginning of the webinar. The way that these tools are implemented ultimately is going to determine the security of them. If I am running a signal on my mobile phone and my mobile phone is compromised, is in hacker parlance owned by the CIA because the CIA has been able to get malicious code on it and they can see and record everything that's going on on my phone, then everything I'm doing in signal is being revealed. It doesn't mean that signal's been compromised. It means that my phone has been compromised. So I have to ensure that the device that I am using, signal on is, Akith, we got really loud breathing on your side again, sorry, that the device on which I am using these encryption tools, that the device itself is secure and the person with whom I'm communicating, that their device is secure. And this is why security is in effect really hard. But signal itself was not compromised, but they had tools that could allow them to own somebody's phone. And then if that phone had signal on it and the person was using signal, then of course they'd be able to see what that person was doing in signal. But that's the answer there. And great question. And hopefully I was able to clarify that. And that makes it interesting. I typed in a couple of answers there as well. Oh, thank you. And I think that is it. Thank you so much for joining us. It was so great having you back. Thanks for all the tools and everything. By the way, I want to give Keith credit a lot of the tools in there were from his great resource which I listed on the second class resource page. So if we go back to slides here, just so everyone knows the last of these tools, second to last comprehensive list of security tools and resources, there is the entire list from Keith Burner. So there's a link there. And that's where a lot of these things came from today. So Keith, thank you so much for that. And thank you all for joining us and we'll see you back here in two weeks. Bye all.