This is Xavier D. Johnson here at Launchpad Incubation from Detroit, Michigan, organizer of the DC 313, local DEF CON group for Detroit, Michigan. I'm representing Detroit Cyber Security and I'm here at the ISSA Monthly Meetup. I'm sitting here with Chris Roberts, the great. Thank you, sir. Appreciate it. Chris Roberts, Chief Security Strategist over at Attivo, and absolutely pleasure to be here with you as well. Thank you, sir. Thank you for coming. Appreciate it.

So getting started in the industry as a beginner. Yeah. What are some of your go-to best practices for learning how cybersecurity works in general and more so on the red teaming side?

So I think the in general stuff, the in general stuff is that level of inquisitiveness that we have as humans. Or if you're coming into this industry, that inquisitiveness or even that structure, it was interesting. I was thinking about it as you were talking. Part of it is how do I do the inquisitive stuff, but part of it, especially what we need these days, is almost the structure that goes with that as well. The methodology, the structure, the risk side of it. But for me, it's finding what makes you tick. What am I interested in? Is it programming? Is it coding? Is it reverse engineering taking things to pieces physically or in the electronic world? Is it forensics? There was a couple of folks down there that were talking about forensics. Or is it human engineering? Is it social engineering? Some of the crazy stuff I'm working on with like trains and shipping and brains. So there's so many different facets that security is involved in. You almost have, if you care about John Deere tractors, there's an entire section of farming security and there's a damn farming conference that talks about it. So there's no real excuse to not find a niche that gets you sparked. And so it's taking that spark and going, okay, I've got a day job that pays the bills.
I want to get into the industry or I'm studying, but I want to get into the industry. It's like, look, I will carve out two hours, three hours, four hours a day. I'm not going to play on my Xbox 360 or PS or whatever. I'm going to take that time and I'm going to spend it actually learning something in this industry. And it's building that up almost in your own time. And it's going, okay, let me take a step back. How does the computer work? Fundamentally, how does something work? Fundamentally, if I have to look at code, how does it move? How does memory work? How does the drive work? How do things move between each one of those? The further down that rabbit hole you go, the better chance you have from the red teaming's perspective especially. And purple and blue to some degree from the counter, the counter side of it is understanding where you can and can't influence something in the stack. That's a huge start for me.

And then to some degree documenting that, be it documenting on a blog or LinkedIn or a post or the forums. I mean, you've got, you've obviously got the DC stuff going, which is huge. Getting people involved in the community is probably one of the biggest things. And that's both virtual online on the blogs, but also physical. You know, obviously we have the ISSA stuff here. You've got the stuff going up into Detroit. We've got GrrCON going on. There's BERC on there. There was BSides Cleveland. I mean, BSides Columbus. I mean, there's so, there isn't, and most of the stuff is free. And I think that's the other thing I love about it is you don't have to go to RSA and spend a small fortune. You don't have to, as much as summer camp in Vegas is nice, you don't have to go there and spend a small fortune. You've got so many local groups now that you can get in all makerspaces. I mean, those are, man, so many amazing conversations at makerspaces. I mean, you just get people together and just geek out and you get to share.
And it's the collaboration and sharing of ideas. I think that's a huge part of it because, you know, if you look at the industry, so many companies are like, oh, I need one to three years experience. I need all of this. Well, you can't get the experience without having it unless you come into that company and go, look, I don't have the formal stuff. Here's what I did at school. But also, by the way, here's the projects I've done. Here's maybe where I spoke at BSides. Here's where I talked to this. Here's a couple of papers I have online. Here's my blog for the last one or two years. And I mean, that counts way more for so many different people.

And then I think the other part of it is getting into the right people. So if all you do is go through the front door with a chart, the chances are you're probably not going to go too far. But if you get onto like the LinkedIns or the peer lists or the conferences, you go to the conferences and you start talking to people, you start as much as a lot of us are introverts and we don't like dealing with humans all the time. This is one of those times when you have to get out of your own comfort zone and go, okay, I will do this. Because you start building those networks and those connections and people start to realize, oh, okay, yeah, they know what they're talking about on here. Hey, you know, we've got an opening over here. Do you want to have a conversation? At which point that barrier that HR can be sometimes, they're not always, but HR can be sometimes, goes away because you're being walked in the front door by basically an advocate. Exactly. I was talking with somebody, I think it was BSides NoVA. We were having a conversation about the difference between like an advocate and a mentor. And so somebody who's there to ask questions and guide and help versus somebody who's actually going to stand up for you and go, you know, I stake my reputation on this person.
And so I think that it's getting either and or both of those together is huge as well. The only way you do that is interaction. Yeah, I totally agree.

So to change the topic a bit here, the communication channels between offensive security and kind of the blue team, right? People who are breakers and fixers. People who are like me but that are more focused on the red team but love doing purple team because in my heart, I'm an engineer. I've been in software for quite the time. So what are some of the things that you've seen in the industry that you would like to address as far as correcting the way that we communicate within IT organizations around security?

Oh, I think I hope, famous last words. I hope the days of remote red teaming and throwing the report over the fence and taking the paycheck and leaving are going away. I really do. I'm much more an advocate of if you're going to do a red team. Okay, let's actually take a step back. Sure. Let's actually address the difference between a scan and assessment, a pen test and a working red team. Oh, yeah. Let's go puppy mail time. So I think this is where it gets really interesting because as an industry, we've kind of mixed it up and society as a whole definitely hasn't got a flipping clue. So they're like, oh, we want a red team. Okay, great. We're just going to get to the target. No, no, no, no, no. We want you to scan everything. You don't actually want a red team then. You want a red team. Yeah. And I think that's it. It's, I was actually going to put a couple of blog posts out and I just, I haven't gotten around to them, but I was actually going to do pretty much so the non-techie guide to those four. So, you know, the difference between a scan and an assessment, you know, am I just doing a cursory glance or everything?
Am I actually going to poke at it to make it hurt between a penetration where I'm really going to make it hurt because I'm going to get out the toolbox and I'm going to throw everything including the kitchen sink at it to a red team. And I think, you know, which is the red team, we're carrying feeders. If we can just walk in the front door and plant a flag, that's all we care about. Finished. Yeah. Game over. We have achieved what we needed to. We got to the target. You told us to get to it. And the problem is companies like, well, you didn't go in through the web app. Well, why the hell would we? We left the front door open. Oh, well, we wanted you. Well, actually, what you wanted is an assessment then. And I think we have to get our own terminology sorted out. And we have to do a better job of communicating that with people and helping the one. Oh yeah, that we need to simplify the hell out of it. Probably a little bit of both, to be honest. I would agree. Yeah, definitely.

But I think the days I hope touch wood, the days of just the report over the fence and it sits on the sits on. I hope they're going away because I'm kind of like you. I don't get me wrong. I love the idea of just breaking into places and having fun. But I also want to have somebody from the company sitting over my shoulder while I'm doing it. Because that way you help them to understand. You help them to learn. Because you know as well as I do, we're always going to get in. There's no chance of us ever not getting into something. So the biggest learning experience is when you have that tame red teamer that can help an entire team learn from our experiences or the tame assessor or pentester. Because if I'm doing an assessment, then look at the tools. Look at my techniques. Look at my framework I'm using. Look at the code I'm writing to bypass your code. Look at the exploits. Here is the intelligence packet that I come in with before I've even started.
And I think that helps the company understand as well. So all of this to try to help a company understand better our tactics so they have a better chance of obviously defending or a better chance of going well. Okay, we're not going to buy the 2020 firewall. We're actually going to look at something that's preventative. We're actually going to look at something that's active. And you know whether we look at deception technology, whether we look at some advanced architectures or whatever else like that. There's three or four different layers we can look at but at least help a company understand where they are and how they actually get there. It's going to be huge.

And so with the growth of Agile and DevSecOps as an actual role, it seems that we're moving closer to this to this altruistic future where you'll have a red teamer implanted on a team as a DevSecOps engineer and he's introducing things into the pipeline so that when things are committed, they may automatically be rejected and not accepted into a pull request at all because they may be using a vulnerable package of sort. So we're definitely moving closer to that. And in that environment where people may be maturing because I can't say that anyone's maturing this journey. Let's say you're maturing. You're a big two or three letter company. In that communication, put your engineer's hat on for a second. As an engineer, what ways would you want a red teamer or a purple teamer to be able to communicate, right? You don't want it just to be a JIRA ticket. That's just as good as a report.

No, I mean exactly. That's no good to me either. I want somebody to sit down and show me, not just show me how they did it, but help me understand why. There it is. Yeah, I think that's the big one. It's, because I mean, you've heard this probably as often as I have, which is, well, why would anybody come after us? We're not a target. Right. Yeah.
And I'm like, well, actually in my mind you are and how do I take this and lay it out in such a way that you understand our thoughts? And that I think is probably being the toughest one is trying, yeah.

That's interesting. That's interesting because you talk about threat modeling and you talk about some of those other practices where, as red teamers, you may come in and say, well, this is how someone would do this. Now we're talking about post that and we've already done it and we're explaining to them this is how I've done this. Yeah, exactly. That's very powerful. And this is why.

And you know, I mean, it's the jigsaw puzzle. You know, it's, we've done it so many times. We've gone out to like GitHub or JetBrain or somewhere else and you start taking a look at the company and you're like, oh, there's four or five developers which are very active and very vocal. Well, let me do some research and let me take a look at their public profiles and their private profiles. Now let's take a look at their interests and you start building up this intelligence packet. You know the code they use and the type they're using and you know, you go out to, you know, Have I Been Pwned? We go out to our private databases that we run and so you're pulling all this intel in. And so you already have three, four, five, ten different attack vectors before you even start any kind of scanning or probing. Exactly. Because you've, and that's without even looking at the HR database for all the jobs that they're offering in IT that tell you exactly what the damn systems they're running. As we need a developer with A, B and C that's running this code and this. I'm like, thank you very much. That's the database. That's the system. And yeah, and you know, and so.

And this goes back to the communication within the organization, right? Yeah. As a red teamer, maybe you're not even only discussing these things with engineers. Yeah.
Maybe you're having a conversation with HR or recruiting so that they don't give so much of that information that can be used against them and even identifying that information, right? It does become pretty difficult to take what's in your mind and lay it out and train someone to think like a bad guy.

Oh, it totally does. And the challenge we've had is up till now, arguably our industry's not done a very good job of explaining in a way that other people can understand it. Exactly. We've come in, we've talked in acronyms, we've talked in, we've talked in tongue basically. And companies, you know, they're either like, the heck get this guy out of me or, you know, or they, you know, 30 seconds later you've lost them. So I think one of the, one of the missing hearts that we really need more and more people to come in with are way better. Back to the psychology, back to the human, back to the communication skills. And I think that it all comes down to that one. It's so much more of it is, you know, we're telling stories. At the end of the day, we are the modern storytellers. So how do we weave this in such a way that people will understand it, grasp it and get it so that that light bulb goes off and they go, oh, I see what you mean. Right.

Perfect example. I was deception technology. It's some of the stuff that we're dealing with. And the struggle is how do you get people to understand what deception is? Well, you can go back to Shakespeare and talk about all of the deception in Shakespeare. You can go back to ancient Roman times or you can go, you know what, around the world, you always have the shell game. Somewhere on some bit of the planet there's somebody in a street corner with a table laid out with three shells or three cups and a ball that should be under one of them. That's deception in a nutshell. I mean, so if you can explain a complex subject or a firewall, how do you explain a firewall with like a row of doors or something like that?
If you put it in an abstract way that people can grasp, all of a sudden they go, got it. And that point, you're like, great, now let me help foster that a little bit. But you also do it, you also turn the tables and go, great, I'm glad you got that. Do me a favor, engineer, help me understand your perspective. Help me understand what's driving you because I mean, we've had that a number of times. Like with engineers, all I do is I build stuff, got it, beautiful, love what you build, but if what you're building is gonna kill people, let me help you understand maybe how to build it safer. Are you willing to learn that? Brilliant. Let's see if we together can do a better job of that.

Okay, that's a really interesting answer. That's definitely, I would say within the industry, that's the way that it's moving. That's the direction that it's moving towards. And it would hopefully, yeah. Yeah. So you talked about psychology and that kind of took me off in my mind somewhere. I don't know if you guys will be able to connect the dots but from my perspective right now, we're putting more and more kids on the internet. Children are starting to get iPads put in front of them at the point that they can touch the screen with the increase of things like MOMO and other things that are trying to manipulate not only our nation at a higher level with regard to elections and whatnot, but also just our children and how to protect them. What are some of the things that we should be looking at as security professionals to help convey the understanding of cybersecurity to maybe parents and people who are novice and not interested in cybersecurity outside of protecting their children?

And I think that's a good one because I think that comes down to like it's, at that point it becomes not a security conversation, it becomes a safety conversation. Safety.
Yeah, and that's, you know, we talked about it earlier is as humans, you know, 50, 60,000 years ago, we stuck our head outside of the cave and if we were lucky, we made it to the end of the day without getting eaten, bitten, torn to pieces, whatever the heck it was or bonked on the head by the next door neighbor. Fast forward to today, there's still elements of that. You know, certain countries, certain areas, certain race, religion, creed, color, orientation have to be more careful depending upon who, what, when, why, where. And that careful is in the form of safety standpoint. So in a situational awareness standpoint, I know I have to be safer about certain things. So if we take that, we understand safety. So now let's take those, that understanding and that being and relate to our kids with technology. And so I think we take a much more safety first type of approach rather than security approach and there's a ton, there's a ton of really, really good information out there. And the argument is, you know, everybody that's building the iPads and the connectors, I mean, some of them are doing a really good job of putting parental controls on and everything else. But you've still got to educate the parents as to what that actually means and why and how.

Our industry has done a really nice job of getting kids involved with like the Hak4Kidz, the r00tz down, DEF CON Kids. I mean, all of this stuff and I mean, even some of the BSides chapters and stuff have done an amazing job and the makerspaces. Getting the kids into those is brilliant because it helps them understand the industry and kind of demystifies it. But we also need to bring the parents in and go, hey, little Johnny or little Jemima are out there building all this stuff and they're coding. Here's how to help steer them in the right direction. Give them constructive, give them productive things to do. The safety is a huge one. I mean, there's some fantastic resources.
I put some stuff out on LinkedIn fairly recently about it as well, about, look, you know, you're a kid at this age. These are the things to think about. How do you restrict? How do you manage? How do you educate? Unfortunately, I mean, one of my daughters is 15 and, you know, she knows what I do for a living. And so we've always communicated. We've always had a very good communication relationship where we can talk about why not to do certain things on the internet, why not to post certain pictures on the internet, when she's on Snapchat, why, what to do and what not to do. Just some simple basic stuff and giving her some logic as to why. So I think that's part of it is that we almost need to give the parents literally talking points, bullet points as to, you know, discuss this, discuss this, talk about this, have the conversations.

I think one of the important things is, and it hit me the other day, and again, I threw another post out about it, is we also need to restrict it a little bit more as well. It's, I started working out again about three or four weeks ago, and it's been really, really nice. For the last few years, I've just been heads down doing geek stuff and I hadn't, I mean, I did the Olympic trials for hammer throwing, I did Highland Games and did pretty well at them and then dropped it for about four years and just focused back on the computer stuff and it's been starting to annoy the hell out of me. So I literally took a step back about three weeks ago and I'm like, no, I'm gonna get selfish. So I literally put the computer aside. Saturdays, don't even go anywhere near it. Well, nowhere near it. The phone just for emergencies, nothing. And then when I hit the gym, my phone stays in the car. I actually have one of the old iPod shuffles. No screen. No screen, no flipping Bluetooth. You're trying to find non-decent, non-Bluetooth headphones these days, in ear ones.
No, impossible, everyone's giving, I'm like, I've got an iPod shuffle and they're like, okay, grandpa, screw you. You know, so it's, yeah, it's interesting because I've almost taken a step back in technology to actually focus more on, you know, kind of be a little bit selfish. And I think as families, we need to do that. Yeah, I was talking to a couple of good friends. I've got some really good comments online that there's some people that, you know, dinnertime, the phones get left in a different room. After eight o'clock at night, the phones get left in a different room. You know, and stuff like that, I think is nice because it means you take a break. Everybody takes a break and you actually communicate more effectively.

And these are non-technical solutions. These are things that every mom and dad can handle. You don't have to have a firewall from Ubiquiti that, you know, is dropping traffic after eight.

Totally. I mean, that's, you know, I look at what I've got at the house. I mean, I've got pfSense running. I've got Graylog running. I've got the open source AlienVault. I've got all sorts of stuff running at the house, but that's me. My house has got more VLANs than probably a lot of corporations. I mean, I've got separation and segmentation between like my Apple TVs, my home network, my corporate network, all the security around the house is on its own network. I've got a guest network. I've got, I mean, I've got eight or nine networks in the house. And that's just the regular house. That's not the lab, which is its own entire beast unto itself. Right, right. Yeah. And then so it's, so I've, you know, that's me and you can't expect, I mean, you know, my mother, I can't expect my mother to do that. So how do I, how do I help her understand not to click on something? How do I help her understand? Well, maybe when you want to download an application, maybe do some checking on where it came from before you click accept or get.
And the same thing with kids, you know, the implications, actions, reactions, implications and all those other good things. I think those are just simple conversations. And can you back it up with technology? Absolutely. Of course. Put restrictions in, better web browsers, protection totally. But first and foremost, it's got to come down to communications. Policy is largely different from enforcement. Oh, so true. So, so true.

Or like, what is the landscape of life? What is the war of life?

Well, I mean, so the war is pretty nasty. I mean, let's just, I mean, let's be very, very blunt. The war is nasty and we're not winning. We are vastly underprepared. We are vastly under, undertrained, understaffed. And I think the focuses are, are not where they need to be either. You know, yes, do we have a standing force of, you know, digital warriors? Absolutely. Are they effective against other military targets? Absolutely. But I think the differences with this, you know, you look at a war, the differences with this war, it's not military targets. In fact, arguably, it's almost everything but military targets. Right. You know, if I want to inflict damage on, on his country, I'm not going to go kick in the front door. I'm going to take out the banks. I'm going to take out the infrastructure. I'm going to stop the traffic lights from working. I'm going to take out that. Hey, this doesn't, this sound like Ukraine. Yep. Early detection goes away. Every bit of anything that's on the network, I'm, I'm trying to get rid of. Right. And almost everything is on the network now. Yeah. And by the way, if I take out a hospital, I don't care. Maybe aiming at a hospital. Exactly. And so I think that's, that's the thing is I, and I think most normal regular human beings don't feel the impact of it because they get a new credit card in the post or when they file their taxes, they get a PIN number that goes with it or because their identity has been stolen or maybe they get a new identity.
Yes, maybe the, the impact is inconvenience. The impact is they have to call the bank to maybe get the credit card or a new number or the impact is more in the inconvenience standpoint for most people. And I think this is the challenge that we have with humans is until there is unfortunately loss of life, mass loss of life, I don't know if we will pay attention or until we turn the power off and keep the power off in half the country. Right. Or do something unfortunately nefarious. It's, yeah, a perfect example. I mean, we might as well, might as well roast Boeing while we're here for a second. Get out of it. You know, perfect example. You know, Boeing lost an airplane. They realized there was an issue and it took another airplane to go down and lose another 150 lives before they went, before them and the FAA went, hey, maybe we should actually do this now rather than arguing over it for the next couple of months. Right. You know, and that was, that's a software glitch. That's our field. That's IT failing and humans lost lives en masse. I mean, arguably, IT has already had implications from a human aspect and human standpoint, but this was en masse. This was 150 plus people going down because we had an IT software problem. Right. Nothing else more than that.

You're looking at the guy who has been uncovering airplane bugs and vulnerabilities at least since when? 2006? Yeah, 2006 and we really started in 2010. So we're 10 plus years into this and there's still a lot of issues let alone the stuff in shipping and all the other transportation stuff. Right.

Quick question for you while we're on airplanes. Yeah. That was my first time hearing of you, by the way, the whole airplane situation. So one of the things that happened was your equipment at some point because you had multiple run-ins with airplanes. At some point they grounded a plane because of a tweet even. Yeah, I did it well. And they took your equipment and they didn't give you a receipt.
Did you ever get that equipment back?

I did. There you go. What ended up happening was the FBI seized my equipment off the plane and I went after them. I went after them hot and heavy. EFF got involved and Department of Justice got involved. Wow. Department of Justice basically said to me stop annoying the FBI and they told the FBI give them his equipment back. And the deal was FBI leaves me alone and I don't do too much nasty stuff against the FBI. I'll get my gear back. There you go. So I got all my gear back and my laptop went on Craigslist and my iPad I gave to my daughter. There you go. And I think I'm trying to think what else they took. They took other stuff as well which I think I thought, oh, hard drives. I thermited the hard drives. Oh, nice. Yeah, those got thermited. Yeah, I didn't trust that equipment again knowing some of the stuff that's gone into that. I'm like, yeah, thanks guys. I love you, but no.

Yeah, that was, and again, the challenge on that one, that's where it gets really interesting because I took a lot of shit in the industry but also took a lot of people that were like, okay, yeah, now we see why. Especially you fast forward to now because DHS took a lot of the stuff we'd done and did a lot of their own research. Precisely. And they made a cherry on top. Yeah, exactly. And you had been knocking on their doors for quite the year. I know. It's frustrating that it had to take that because I mean, you're right. We were knocking on the doors going, hey, you've got a problem. You've got a problem. Let's try to do responsible disclosure. You've got a problem. And in the end, you just, you hit the button, you go, this is more than just about me. Right. This is fundamentally the system is flawed. Trying to do the same thing in a couple of other industries at the moment now and locomotives, they're not listening. AAR and NTS, AAR especially are being, so DHS has been really good. I have to give credit to DHS and NCCIC, NCCIC. Yep.
I've actually got a lot of a huge shout out to Falcor and a couple of the guys out there who actually care. Yep. So I will give them a lot of credit that they're actually listening and so that's been a very, very positive experience.

NCCIC is working really hard, especially because we have those advanced persistent threats that have been actively penetrating our infrastructure. Yeah. And I got the chance to see a webinar and be involved with a webinar that was a deep dive into that incident. So I guess I want to ask you, as someone who works with those types of organizations, people from the outside like me who haven't had the pleasure of working with those organizations firsthand, what are some of the things that we can do to possibly be more involved as civilians, but still, you know, frontline on the cyber?

I think NCCIC is probably a good one. Like U.S., all the various different CERTs that are out there, like FS-ISAC on the financial side, there's the healthcare one, there's obviously NCCIC, US-CERT, NCCIC stuff. I think it is more involved with those, a lot more. And also, you know, back to the Bugcrowd and also back to the HackerOne, because those guys will also tie back in as well when necessary. And you know, when Hack the Pentagon comes up, there's some stuff that Air Force is working on. Air Force had a hackathon with the Air Force stuff. They're now working on a deeper dive in their stuff. So anytime these come up, it's worthwhile going, hey, it's not perfect, but kudos to them for doing it. And yes, we want to help. And I think that's the big thing. It's rather than lambasting them for being 10 years behind the curve and not wanting to do it. You go, okay, I get it. You've got 10 years worth of red tape to go through. I'm glad you're doing it. Now let's actually do it. That'd be the lovely thing if, you know, if, you know, if one of the rail companies or GE or somebody like that said, hey, there's a locomotive.
You've got 72 hours, have at it. And we'll take all the results and you can publish some or whatever ends up happening. There you go. You know, that was always my comeback on the aviation stuff was like, you know what, if you believe in your stuff, fly a plane into Las Vegas, pop open the door and go, fair game. Oh boy, that'd be exciting. I'd be there. Tell me you and I both had to remake a few cables and stuff, but I would definitely be there.

Yeah, but I think that's, you know, and that's, you know, to that point, you look at Tesla and actually to some degree GM as well. I've got to give both of those a fair amount of credit because they at least took a stand and went, hey, we want to learn and we want to understand this more effectively. Whereas you flip the coin and go, you know, the Fiat Chrysler group were, were awful. Right. We went in two years before Charlie Miller went in. Oh wow. And we said, we tried because we were working with GM at the time. We went in with, before Charlie went in and we tried to explain to them the problems they had, they wouldn't listen. Charlie went in and tried helping them and they wouldn't listen. And in the end, he just hit the sod it button and obviously, you know, the infamy of that video as well. Because you get to a stage where it's like, look, this is more than just about you and I. This is a human, a safety, a life and issue problem. Right.

And so the intersection of security and safety is ever so present. Yeah. And I think it's going to become even more so. I mean, you've only got to look at where, you know, you look at the healthcare space and biotech and nanotech embedded technology, human intelligence, augmented technology, intelligent augmentation and all the stuff that's coming down the line, 5, 10, 15. I mean, I'm working on projects now that probably won't see the light of day for 10, 15 years where we're basically synthesizing human intelligence and you've got AI in one direction for all it's worth.
And then you've literally simply got, I'm going to do a facsimile of a human onto a microchip. That's what I'm working on. And so at that point in time, it's awesome. I mean, you think of the, the possibilities just exploded at that point in time, but we still can't solve passwords. And so you've got, on one hand you're like, we're screwed. On the other hand, you're like, there's not even, there's no boundaries, but if I can get to a point where I can synthesize an actual human in the next 10 to 15, 20 years and you can literally, at that point, I can digitize it and I could put it on a waveform. There's no limits at that point, none. And yet we can't solve passwords. Yeah, it's a little bit mind-boggling at times. So I mean, at the, at the risk of sounding salesy, I want to talk to you more about deception. Yeah. Because, you know, I'm one of those guys that runs a honeypot. You know, deception and honeypots aren't the same thing. And I think this is the perfect opportunity and forum to possibly have that conversation. Yeah. What are some of the distinct differences between deception and honeypots and why are you so into deception right now? So I think a couple of different things. Let's start with the easy one. To me, a honeypot is very much more, I love them. They're amazing. They're great for research, but their ability to be dynamic and much more, no one say enterprise grade because I mean, you can make some good honey architectures that are enterprise-ish grade, but for me, the honeypot is much more of like a singular type of entity type of thing that works as a single focus. Whereas you look at deception, the concept of deception is it should literally be camouflage. Not only should it be camouflage, but use a virus term, it should almost be a polymorph. It should blend into the environment no matter how much the environment changes. And not only that, it should be able to alert. It should also be able to put breadcrumbs and lures. 
It shouldn't just sit there and go, it shouldn't sit there and wait. It should be active. It literally should actually be out there actively talking to each other, actively adding little things into the files and printers and shares so that it's part of an environment. And I think that's the big difference is the honeypot is very much more, it's almost a simplified version. It doesn't have that level of interaction. It doesn't have that level of interest. Yeah, it's much more static. Whereas the whole concept of deception is you shouldn't be able to tell the difference. You know, if I'm looking, you know, the analogy I typically use is either the shells or doors. If you have an entire wall of doors as an attacker, that's your network. I can look at 10 different doors and go, I can take each one out. But if I've built my deceptive technology properly behind half of those doors is a booby trap. Behind the other half, I'm going to open the door and there'll be a welcome mat. And I'll be like, yeah, and I'll step on it and I'll get nailed or I'll pick up the file which will follow me out and I'll get tracked or I'll grab the credentials which look perfectly legitimate and I'll use them at which point I'm found out or any one of 10, 15, 20 different ways of actually building deception properly. And I think that's the big difference. You know, you have the difference between like a standard virus and a polymorphic. One's very, very single-minded focus and the other one's just going to do really nasty things in your environment. And so that's the biggest one. And for me, I think deception is there is because again, like you and I have talked about, you're never going to stop us from getting it. And no matter how much, and human training is huge, totally huge, but you will always be able to circumvent something. That the application, the system, the supply chain, whatever it is. 
So once I'm in your environment, once we're in your environment, how the heck are you going to know and what are you going to do about it? Which I think is where deception really, really comes into its own. And so me and my company, we've been practicing this model of assumed breach. And this is the very best tool that will, this is the very best practice that I found with regard to deception because I can say, okay, let's say someone isn't. Well, I know me, how you get in, you escalate privileges and you move laterally. I want to pivot through. If I'm lucky, they pivot, they go from one door. Even if they don't touch the welcome mat, they just want to open up a bunch of doors. Eventually they blow up. One's going to blow up in their face. And I think that's, again, that's one of the nice things about it is, you have the ability to influence files, printers, shares, domains, credentials, systems, registry, all these other things. And by the way, they also talk to each other. So if I'm sitting there watching the wire, then I can, I still see interaction. So all of these together, and especially, you know, as well as you know, if I get in and I can fire up a VM or I can do something, another IP or another MAC address, all of this stuff gets noticed. So any of that extraneous activity is also reported out as well on a deception-based platform. Yeah, it definitely is. It's for me, and I think the other big thing is for me on deception as well, is it's one of those things you can just drop in right at the beginning of a security practice. You know, you suddenly walk in, brand new CISO, brand new whatever. You don't have to go, oh, I've got to get everything ready for deception. Yeah, I can drop it in. When it goes off, you know you've got to pay attention. And then you have that safety net where you can then get on and get everything else fixed. There you go. All right. 
And I mean, with that, I don't think I have any, you have any more questions like anything that you want to touch on? No, this was, I think we hit, this was fantastic. It was awesome for me. This was well, Chris, it has been a pleasure. Oh, same thing. Thank you very much for taking the time. Yeah, you kidding me. Thank you so much. No worries.