 Yes, now you can hear me wonderful. I think I shouldn't move that much. No, stay good Hello, everybody. Wow. This is a nice audience and hi to everybody in the internet The billions of people out there that are listening now. This is great This talk is about security theater I'm sure you all have seen that before no matter if you know the term or not and I decided to go to call it a praise of folly and you will see quite some theater references in this talk and It's also about the mostly unknown OZ OSI lever lever layer eight and The layers above so if you expect a technical talk, that's not quite what it's going to be We are going to talk a lot about humans human error and examples for Yeah for things that go wrong. I hope it's funny in some parts and Yes For those who do not know. Oh, yeah I'll have a question section at the end if you want to interrupt me because I'm saying something that's simply wrong feel free to do so and For those who don't know the praise of folly. It was not far from here Erasmus of Rotterdam who in 1909 wrote this lines in his praise of folly that I really like So if you go on a stage and take off the masks from the people who do the Play you would be thrown out of the theater. You would be hit by brickbeds like a drunken disturber And the whole life of mortals is exactly the same he said the various actors come in once they are king the next time they are just a drunken lunatic or whatever on stage and Shakespeare also got this all the world is a stage. So what I'm talking about is the security theater I just start with three four concepts that I want you to know of then I'll tell you what I'll do and Who has heard of cargo cult Great good job. I Don't ask about fine then because everybody knows him I guess so cargo cult is a term That means that that defines practices that make no sense But that except for the fact that people believe in them and they do not follow scientific method I'll have pseudo science Pseudos English pseudo science also in the term in the talk later But there's also cargo cult it or cargo cult programming or cargo cult it security So cargo cult programming according to Wikipedia is a style of computer programming Characterized by the ritual inclusion of code or programs program structures. It's of no real purpose I will tell you about onion code later. Maybe you have heard about that too. There's a lot of Anti-patterns around here also if you want to read about cargo cults Here's the link All slides will be put up there There's a lot of memes and myths around and you may know these pictures. They are they were all in my Google plus stream somewhere and References I can give to you if if you're the owner of the pictures. You don't want me to post them here Then just let me know This is this is for example one thing you are We put gates in places where they really make sense We do pen test pen test not pen testing. We do quality testing qa And we make sure that the little bug doesn't pass Yeah But one thing that we mostly forget is the user because the user will always try Stuff and use the software you code in a way you would not imagine yeah and Security theater itself according to Bruce Schneier who I think coined the term or at least used it first is about feeling You may be totally insecure, but you may feel absolutely safe But you may have exactly the opposite Yeah, and I recommend this talk from Bruce Schneier. He's called the security Mirage. It's a Ted and it's wonderful As I said before this doesn't presentation is meant to be understandable. Please don't Lynch me for when I'm if I'm talking about technical stuff in a very very short way or There's wrongness in it. I want this Understandable also for children and managers and that's a reference to another book. I have later Since three years I am a manager so I've got as you saw I have some hopefully funny openness then a few words about me The openness over have already passed Some definitions of security and security theater followed by a technical explanation of the OSI layers the other ones Yeah, and the main actors plot since of security theater Then the the painful part comes with lots of examples I can go into detail there more or less depending on the time that we have and Then I have some Examples no after the examples. I'll have some short analysis and suggestions that we might that we as open source community should Probably start discussing about I have a video announcement from Julia Rida from the Pirate Party of the European Parliament But unfortunately we did not Get sound to work right now here. I will put it online It's a one-minute statement. I'll put it online with the slides and it's Yeah, it's very helpful. It goes in many ways. It's it's going exactly in the direction that I Want to tell you So who am I some of you may already know me? I Somehow I found out in the last years that I always like dealing with danger This is me with 19 years sleeping on top of the Mount Stromboli an active volcano in in southern Europe Behind the sign that says don't do that That's in Serengeti some years later and you can see I also like traveling and we camped there and that's the sign that you could see on the tree behind me and and This is how my team members some of them are here see me or that's the kind of pictures they Post after we have a meeting. I don't know why they think I'm dangerous. Whatever my History is I studied geography. I studied English and a lot of other things and 20 years ago. I founded my own IT company. I had students interns and then I was a consultant for a self-claimed leading edge Linux company also some former colleagues of that time Milan Oaks are here and After that I worked for eight years for more than eight years as a Linux journalist I still write and still do journalism I worked as deputy editor in chief of the Linux magazine Germany and in this way I learned how to Get sort of the most of people Over whom I do not have any power. I cannot force them. I cannot force writers To do something I have to persuade or I have to Find the common goals and that is something that in the last years also as a people manager has become more and more in The focus of my life Because you know in open source. It's the same and you can't lead an open source team with pure force You know the job situation the people will leave they get a job everywhere So 2015 I started at Susie with first job as a people manager I said before I love traveling and I do crazy things just ask my team that's around I've done Yeah, I'm a diplomat priest Jedi Knight. I'm a chimera and Stuff why do I do my stuff? I do it just for fun. This picture is Some of you may know it. It's in Finland. It's a small island where Linus Torbolts spent his summer holidays as a kid and I visited his father here on the boat on the left and to for us for an article with Linux magazine and Linus once wrote into his book just for fun. Why do we do things we do them just for fun and That is something that has defined my life. So that's that's basically all Yeah, almost all for me. I had my own company and thereby I learned important things. This is the 90s first office first project management first server room and Fan as a consultant I learned there's always different chairs you have to sit on at the same time and you end up in between You have users customers you have Management you have management at a customer you have manage your management and they have all different views and you have the technical view You know what's best? Technically you might know what the customer will be happy in also two or three years but you have your boss and you have the customer so we end up in between the chairs and That was very important for me because there I learned there's always a variety of truths I've been writing lots of stuff and I learned how to deal with Fragile things like IT security and humans and bring them together somehow Do you feel safe with me? Yes, great For the internet they cheered Would you feel safe in such a place? I? Felt like Simpsons there. This is in Utah south of Provo where Susie has one of its offices and This is little Sahara one of the lesser known national parks in the US and or nature parks reserves And it's very nice lots of dunes and sand and people go there with their sandbuggies and they dig holes obviously and When you get you come there and you see the sign like okay, thanks and You see security is like Shania said is it's it's about feelings and it's feelings versus reality Shania also brings in the model that we make of reality. So he says it's a triangle feelings model reality Shwata when Shwata some of you may know this old old book defines security as Time-based. Yeah We will have that later. For example when you have passwords Why it doesn't make sense to change up to to enforce a regular password change Because the time that you need to iterate through all the passwords if you are a brute force hacker is much more important than the Time-span in which you on you change your passport password and similar things. It's a great book. It's an I Think it's from the 80s still a good read then security in open source It's the term control is something we open source people don't like that much But only transparency gives you really the opportunity to control if if reality has Security is not but it doesn't tell you anything about the feeling the the opposing model is security versus trust That means security by obscurity or the proprietary software model So you may feel security with Apple Microsoft, whatever But I would say this is not security you trust them and therefore you feel secure and There is one thing that comes in here Schneier also talks about it others talk about it we humans We have huge problems when assessing dangers We have great fears from dangers that won't happen every every other minute We have we are more afraid of the big things that just happen one in a million years That's because of our human nature Oxford dictionary design says security has also these two components of security in its definition the state of being free from danger So reality and 1.3 the state of feeling safe stable and free So this the you see the feeling and reality is two components of security and they don't match 2003 in a book I wrote Security is a good feeling and admin has when he goes home in the evening and he thinks he has done everything possible So security theater, however is Also, I think this is also from Wikipedia the simplest possible definition The practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it Yeah Especially the security repercussions after September 11. You may remember that You know the TSA locks on on your luggage Yeah, and some of you may remember when the keys were published and you could print them or have them created That was actually an accident because some journalists Published a high-resolution picture of those keys. This is a blurred version of it but so from this high-resolution picture the public could derive a Template to really create them but in the end the criminal objects probably had those keys anyhow So this was perfect example for security theater. How do we? Never done this people feel comfortable with locking their luggage. They don't think about the rest. That's just that's just reality and Again the feeling secure to many people is more important than the reality And if someone Would come in like that's why I called it a praise of folly because that's what erasim of Rotherdam already said if someone Comes in and uncovers the theater Like me sometimes the feeling secure is totally gone It's the Cassandra effect. Yeah, it's and then it's like quantum entanglement. Yeah, the moment you pointed it It's gone instantaneously in corporate IT I A term comes to the rescue that I coined some almost 10 years ago blame where Is software that is there is being bought to Take the blame So usually it's software that is also not open source it is software that comes from the outside and Where the admins and the IT managers don't have the blame when something goes wrong so that the old saying if you buy from Siemens IBM Microsoft whatever big corporation You're fine if anything goes wrong because it was there it was their fault and every other customer will have the same problem It does not matter if it is realistic to get anything out of a court case any any any rick any kind of compensation Doesn't matter Just get the blame out of the house. I coined that in a in a blog post to the story in 2011 on the German Agents the agency in Germany that Coordinates the the embassies all over the world, which is closely related to the Secretary of State or foreign ministry Auswertige Amt that was a very good example for blame where So blame where how does that even even work because and that's it's pretty easy because we have Is another technical Decision it is a human decision. It is an organizational decision People want to keep their job. They want to stay in place Who doesn't want to stay in place? It's you mostly management upper management or politicians Yeah, and this trickles down and so I if you look in This is also from Wikipedia. You'll find it there We have a we find some layers above the ones that we know as the technological layers that go from One to seven the OSI model on top of that we find the user layer or as we would say the problem sitting in front of the screen and This is as technical as I'm going to get OZ layers one. Oh one to eight. It's wrong one to seven is technical hardware applications and incoming data travels from incoming data travels this way outgoing data travels this way Level eight is the user level nine are all organizations Like your company the company awake we're working for the management the company itself the corporations and Level ten is politics We can discuss this in some places corporations are so big and so powerful that they will be on level ten and Politics is just level nine But as Julia would have said in her video She said the great misconception that we have as open source or one of the mis understandings that that IT Geeks may have is that they think politicians don't know anything about open source and concepts and stuff She says no, that's not really the case in far more situations those those The politicians know about it, but they have different mindsets or concepts So they follow far more often. They think the market will fix it So if open source is superior or whatever then the market will fix it and it will Replace the old model software that we have Well, let's see I did I I know that it is true when it comes to politicians, but I don't believe in that model so Two questions for for you to think about or ponder that I think is very interesting But I have not made up my mind fully to that an article by Jeremy Lent suggests that corporations are analogue artificial intelligence While an article from Tim O'Reilly says a system like Wall Street dominated Financial market capitalism is an analog the first analog super intelligence that we created Just some food for thought. Yeah Okay, what are now we have to we have seen let me go back We saw the stage and the players in the game and now we see the intentions of the actors Politicians want to be re-elected. These are what I think and based on my experience the most important Intentions of the players Correct me if I'm wrong Politicians want to be re-elected Corporations want to make money or have or more money and you can always rely on that Managers Managers want you us to do what they need to make More money to make a career or to satisfy their boss up the ladder up the food chain and the user Yeah, that's sometimes Not no, not sometimes very often we find people who say oh, I don't want to change I just want to do my job I'm fine if I can go home in the evening and just let me do my job in a very in a comfortable way And I'm fine and everything is good. So they don't want to change They don't want to stress. They don't want to learn. They want simple solutions that integrate with my habits And you will lose me after the third sentence of an explanation. I need simple and understandable solutions Like Apple offers think different So I know this is a little bit negative and I know there's many users out there that are different, but and This this is us. I mean most of you know the plonk hashtag, right? That's when the head hits the table and It's we need more that's why I'm giving this talk and I found myself in into more and more the the API between techies and and other people we need more Understanding and talking and explaining to Normal people also about the concepts Because we find ourselves in the triangles We're only in a try and a triangle where only two corners We're only one of our possible. So we can have software or systems or Anything that can be secure fast or usable But you can't have all three of them. You can have two Yeah You can have secure software that secure fast and cheaply developed No, kind of two of the three and there's many triangles like that around So what are the plots and mechanisms in the security theater game again? Someone will try to sell you some strange kind of sausage Those who know Pratchett know what I'm talking about It also comes as we can help you this snake oil is perfect for you Then there's give us all your data and you won't have to worry Just recently again Just recently again And the Bavarian National State Party now wants to go for free data free your data everybody day Everybody's data belong to everybody. We call that that's and right to them. They really took that word into that program The same one of the plots is we need more control because everybody wants job security Then we have the trust me. I know what I'm doing thing If you stick with us, you are safe I told you already that if security theater is uncovered then the trust is destroyed But the customers will need new products So best thing is shoot the messenger before he tells anybody Also one of the wonderful management anti-patterns and I don't have a clock here. Just keep me good I'm almost good halfway through The masks disguises or costumes that come in is also very interesting field and you will have to do some research Because I have not don't have the time to tell you all about it, but it's especially management anti-patterns wonderful you know one fee or one with a T at the end One fee or yam fee is yet another meeting will fix it And the conference bingo spreadsheet is around in the internet for a long time where you can the first one who has all the fields Yells bingo and the fields are like, can you hear me? Are you there? You just dropped out. I'm sorry. Whatever, you know these things, yeah Then we have consultants It's the anthropomorphic personification of blame where sometimes I've done that job We have coders. Do you know on young code? You get a blob like a binary blob or whatever and it throws out error messages Yeah, and you don't know the hell what these error messages are from so what do you do this thing one run you've get the error message You write a wrapper around it that just just just works on and push ignores their error message This is not yet on young code. This is just a wrapper but once the next developer comes and Has another error message he will make another shell and this is how the blob grows with lots and lots of shells Around it and that's how the onion grows We often or many of us have been telling users. Well, you can't protect against the NSA so why worry at all? That's completely wrong Or the ignorant have you tried turning it off and on again? Or like, you know the red button this chain is the internet. Obviously, you know it crowd On the other hand, we have a I call this is not I'm not calling all the users fools here I have to be precise, but the fool is Also in the classical theater is a role here and the art of complaining My computer is a mess the software never works. Why is the network software login always so slow the anti patterns to that is it works on my machine or I'll put it in a container. I Learned in the last years that we Europeans tend to socialize through complaining This is an art that the people in Franconia and over false where I come from have Really augmented to a high degree and I know that it is not that way in America. I learned that but This is this is some there's some cultural differences also. Okay So now the painful part comes Our problem is we have cognitive bias. This is a wonderful sheet with the link here and All of that is bias that we have in our head cognitive bias. That means this is Opinions attitudes that we are sure of I am very sure that all of you share my opinion. Of course. Why not? No, don't tell me it is like that and It is that I want to believe and that comes from evolution and because we are tribal so we we try to see the world around us in small groups of the same opinion and we just Classify that there's a lot of them and in this image we have on one side too much information What should we remember? We need to act fast not enough meaning have a look at it. There's a lot of them and that makes Memes More prone to be accepted by us and I have some real-life memes that I don't want to discuss just You know the discussions from the internet one things bicycle helmets With the argumentation that bicycle helmets help every housewife every houseman should wear a helmet and every pedestrian because they are much more prone To deadly injuries and there's statistical proofs about it, but a huge discussion Another one great discussion that I don't want to start here, but code of conduct I totally understand that with American law and American freedom of speech their code of conducts are absolutely necessary in the US But in Europe we have a completely different law I have not seen a code of conduct that would not specify anything that is not covered by German law But not the problem the problem is do we reach the ones we want to address? The guys would misbehave do they really start misbehaving because there's a code of conduct. I have sincere doubts, but Same thing the war on drugs Anybody from Portugal here? Yeah, they got this their country got a different approach to Drug abuse and it's it's successful talk to them asking. It's not like we need to fight it to the end Anybody here from London Correct me, I have heard yesterday that the London CCTV system is on sale Because it doesn't work Yes, true. This is crazy, but it doesn't it doesn't work So the countries that have the biggest video surveillance in Europe have the most terrorist attacks in the last year Well, it doesn't work the same in here. We have the pseudoscience Why did they take those polygraphs? Have been proved that they don't work And you That's all not these are not my jokes. I know you got it These are not my jokes. These are jokes from from the Internet but We are thinking about so many different things in terms of security that we forget the obvious often I wrote an article in 2012 about with a renounce Swiss hacker gonna put other and He and we were at a conference from banks and they really told everybody I use mobile time use your smartphone That's fine. We know it's not secure, but it's not being exploited. We'll tell you when it's being exploited Then we'll bring in the safe systems One more this is from the German secretary of state of finances Mr. Schäuble the fingerprint He said the famous sentence my fingerprint is available for everybody and the chaos computer club Germany said yes It is here. Well, we publish it At Linux magazine we printed it on cups, but this is genius You just need the right oil so you can stamp his fingerprint on every it's a product And that's also genius the internet in things. What could happen? It's brilliant and for those who Haven't seen the first episode of the last South Park season watch it and turn off your Alexa Google whatever devices because they will go mad. They even created a loop where where The devices talk to each other infinitely until you switch them off There is a Simon says Function in Google in the Google's device. I think Somehow just watch it. It's great and you got 15 orders on your Amazon shopping list after the program Very politically incorrect. I can't repeat it You may have seen the Hawaii missile alert last week or two weeks ago but what you did probably haven't didn't realize that The poor guy couldn't deactivate the alarm because he had lost his Twitter password. So the login details so Perfect security theater if it depends on one password, it's wrong but as long as we have governments the top level interfering and Which we just heard if it if the if encryption is not enough for the bad guys is not enough for the good guys Wonderful wonderful. So what what as long as we have governments who try to mess with our our encryption or our devices? Well Thank God. They also do stupid things You may know that good This is master a Sharif a military base in Afghanistan and it's Secret the exact layout of the base is secret. Thank God. There's Fitbit and so just like to train So the Fitbit devices showed they're running Showdown, I think some of you may know showdown He found out that ships use satellite link routers that are Configured with a standard password like our DSL routers were some years ago And so he got hold of So and then he found out correctly if I'm wrong the satellite network is pretty easy You see the other partners in in the network. It's like a network segment and then he did a pearl script And this is the number of ships he controlled when I took the screen shot hundred and eight thousand commercial ships Yeah, and then he took a Defconn map a Defconn map and you can zoom into the map and find the ships I also found a gas station and the gas station has Sensors for the for the gas tanks For the temperature So if you can fake that the heating will go on or the cooling system so that's all just Horrible, but if you think that's antivirus software may protect us You might be wrong too even if you think that it's not the Russians but Even in 2016 we could see That antivirus software itself was a threat and had lots lots of exploits possible and lots of vulnerabilities and In the wake of the my research is for the for the hacking of the German parliament for the article I found documents that where the BSI boss that is like the German NIST Said to the politicians that don't worry antivirus software can only catch 40% of the possible attacks so Cyber cyber right and this is pretty recent November it is By definition a very good way of getting into somebody else's computer There's people out there who don't have a PDF engine on their computer for good reason But the antivirus software brings it in You know this is one of my favorite sentences from KS computer club The Germans will know the two terms PR and the email so years ago The German government tried to install a secure email system. They failed with it and It took years to get it to make it secure and in the end they defined it as secure by politics They said this system now is secure and that's where Linus Neumann from KS computer club came with a sentence on one of the CCC conferences for every technical problem. There is a political solution Incomes that's beyond the anwaltz post for so a special email Service for German lawyers Yeah, and they they picked it up and they they Yes, such a long list of mistakes starting with making a starting a web server on the client to set to to to be reachable from the server but to do this They had to copy the private key on the client of the CA And that's only the beginning they had old Java libraries So the web server was also running. I think Java and they had Java old Java Java libraries with lots and lots of Vulnerabilities and they they had to turn it off again and it's this is a Satire on on their advertisement. It's it's German. It says simple digital broken The company in this case we have a company behind it that is well known and big and if you have been dealing with With administrations politician political stuff, then you will have run into them if you're from Britain You know them because they were their IT was Yeah involved in the NHS scandal and It's a toss in this case. They've been doing lots of stuff in Germany, but they are it's just It's just one example. There's many companies out there who make money like this and that's because the politics allows them and gives them the possibility to do that and One of the inside has told me then this company is just to be to not fail It's just an example the problem is and I have this book here This is wonderful scarter and me and it says a book for children and management. Yeah, and this is Robert Emily And this is wonderful. This is uh, what is the time? Can you tell me? Oh Okay This was written by a university and US Air Force cyberspace operations officer and the children's book animator Scala some of you may know is a architecture for controlling machines in in production and This is some from inside the book So this guy explains it to the child the child is asking question Can these people protect scarter for me? No, they are confused. You must protect it yourself the author quotes are wonderful problem is a lot of effort is focused on Big attention grabbing attacks. It's rare for a state to launch such a big attack Yeah, and the basic security measures are not in place at the same time and Such the most probable attacks are very simple and it is very simple to protect against them But many people are focusing on the big ones and that's just wrong and that is because a lot of people who go on about cyber war it just wants a job security and Big contracts Okay, I'm jumping over my recent articles about passwords because I only have ten minutes left. I was told Told that's an article in IX German magazine When you use passwords, you should never just one thing never reuse a password Yeah, ask yourself if you trust the service and I don't know if you trust the password manager. I Know I will get bitched for that But usually your apartment in this world today and a sheet of paper in your apartment at home It's a much safer place than any computer you might have for your password. It's not usable. Okay, I know that it's not very user-friendly Your safe is even better, but and the only two things that matter when you come to a password is length and entropy Don't reuse it Same applies to the dark net if you're in the dark net my article You'll be safe for a few minutes if you use the right setup But after that at least the advertisement industry Google whatever will know who you are Because you human error and social hacking are your enemies and that is you I gave a radio interview just a few days ago about that That's that's all from the internet. That's not my creation. I'm a disclaimer and a book from 1850 Meltdown Spectre. Yeah, I Came into responsible or irresponsible disclosure topics with Meltdown Spectre as a journalist And I found a quote from a book from 1850 that says It is to the interest of honest persons to know about insecurities because the dishonest are tolerably Tolerably certain to be the first to apply the knowledge practically 1850 one of the foundation books of Lock making This is a study from 1995 paid for by the NSA or under the auspices of the NSA that said the x8 x86 architecture Where is it? Yeah Undesirable for secure systems because of potential security and reliability problems guess what's in there. It's 1995 but nobody cares so Those were the painful examples What can we do to better the situation today the internet is controlled by four big companies and That is in my opinion and as others say a direct outcome of the invisible hand is directing the market meaning We're doing nothing. We haven't done anything and so we are stuck with Google Facebook Apple Amazon. I think We need somehow liability for software mistakes and such embedded in hardware I know it's a controversy topic But I I'm from Germany will Fox walk and get away with it. Will Intel get away with it? Yes, you say yes, I don't know And of course I this is all just for discussion. I am open for ideas and anything to change my mind This is just what I think about at the moment Lawmakers have to define rules of the sauce software has of course to play a bigger role It is no guarantee for security, but you all know there's no security without it. I Want to stress the the campaign from the FSFE public money public code You think about if we introduce software liability as a society we could decide to exempt open source from it So telling a company if you publish your code You will not be liable because then we know what we get and That is a good argument against the standard argument about software liability the politicians or whoever says you will kill all the small Software companies if you make them liable we can say okay, they should let them do open source there's business models it works and Make open source mandatory for certified secure infrastructure and environments and Another thing I suggest is certify user hardware and software that's also very debatable I think but Many German conservative politics Politicians talk about the data highway Because they hear that there's packets and parcels going around and there is a lot of traffic And then they think of a highway and so I try to get the traffic Meme or concept in here So let's let's think about how we handle traffic on roads. Yeah, we have the cars We have the software in the cars in the meantime We have liability to the owner and the driver So if the dry in Germany at least it is like that if you have an accident the driver cannot be found the owner is Liable to a certain degree So we have the cars are checked every two years in Germany The drivers have a driving license The software is there any checks for software being used in cars in Germany or wherever? I don't know. I haven't I haven't heard of that Obviously, it's not open source and that's therefore not really checked and off the grid Where all of that is you have racetracks or amusement parks or off-grid tracks or private ground communities where You're not tied to these kinds of certifications It driving your car is sort of guaranteed anonymous except for the number plate But again CCTV or in Germany toll collect the system Is severely attacking that and conservative powers are attacking that so the fear is there if this is prone to control and If we think about any system like that for the internet that might make the internet less anonymous I understand that I just want to give I just want to start a discussion on that and The image that mean works as you can see Just a few days ago a cyclist Slowed down car traffic outside the FCC building to demonstrate against network neutrality if a car driver gives him $5 He would let him pass We have one more problem in security politics. That is the wretched Wretched is this Stelrad, you know, or I like to it's a one-way street Or I like to this is a cut through through a zip tie At the moment our security politics takes always Titans Titans Titans Titans, it never goes back. We never reverse. We never release. Yeah So that's why I want sunset causes in any security related laws sunset clause means this law will be in power for a year or two or whatever and There is checks and a goal that we want to reach if you don't reach that goal after a year The law will be gone because we we are humans. We are making stupid mistakes. We are making stupid laws and whatever so I Think we need something like that and on top of that They should be mandatory if anything is security related I'm not a lawmaker nor am I a politician, but I think this is something we should really start to think about Because otherwise we'll just end up in in getting closer to 1984 or any other dystopian state And I think this is my last slide until then I Like to say that to nerds common sense is not witchcraft And if against who do you want to protect your people your company, whatever? Always remember you will need a secret service if you want to protect against the secret service full stop and If you ever heard of the Pareto rule Pareto is a management rule. It says 80 percent is enough You want the last 20 percent of the closer you get to 100 percent to achieve of any kind of solution the more Expensive and the more yeah expensive in any way it gets so common sense and Realization this must be enough. This is enough now Well to the managers and politicians do your homework create the goals reviews and checks and enforce them To the users, this is our task also to make it clear that they have to be ready to learn again and again This is against human nature because we all want to settle down as all the older We get the more we just want to settle down and on and not nothing new again And we have to install a culture of errors and mistake This is something that I love about Susie. I have to say because we have We have a culture of errors and mistake It is good if somebody does a mistake because we learn out of that if the mistake happens for the same mistake happens for three or four times then we have a discussion but Try things do a mistake. That's how we learn and install a culture of that Open source is mandatory for security. There's no security without and That would have been the video from Julia Not all politicians are stupid or ignorant of open source some really know but they just don't care and they have different business models That was a point landing I guess, huh? Questions possible Okay Very sorry, but we ran out of time you run out of time. So there are no questions I didn't have a clock here in this in this auditorium, but perhaps You have time to answer any question or start any discussion outside. Thank you very much. Thank you