 So I'd like to introduce Weasel, who's going to bitch about compliance for the next 50 minutes, so. All yours. Morning, guys. Thank you. I don't know why the fuck you guys are here at 10 o'clock in the morning. Did you not drink enough last night? Seriously? I mean, I wanted to sleep in late, but anyway. Okay. Like I said, my name's Weasel. That's about it, so. All right. The semi-secure state of compliance. Basically, we all love compliance. It's this great, great, great thing. It gives everybody jobs. It's wonderful. Nothing could possibly be wrong with it. It's like an amazement in a jar that doesn't open because it's fucking broken. Basically, compliance probably started out with some good concepts and some good ideas and maybe some good intentions, but the problem is, is business got involved. You've got a lot of vendors out there that want to make money, and when money comes in, conflicts of interest come in. So shit screwed up. Benefits of compliance. Those of us who have been around the security industry for a long time, we fought and fought and fought and fought for all kinds of controls that couldn't be put into place because it affected the usability of the systems, whereas for ages we had anywhere from zero to six character passwords back in the day when passwords were actually useful. We never could expand beyond that because it was just too hard to remember your daughter's birth date or whatever people used for passwords back then. So good thing about compliance is it does come along and set down some standards in some places that we never could get put into place before. And then of course standardization of controls comes in handy where across multiple systems we can finally start standardizing on some controls that were extremely different across systems and locations. And of course compliance gives credentials for people who don't want to actually go to school or have experience, and they can go out and get a piece of paper and everybody hires them and pays them lots of money and everything gets worse. Okay, it's not a benefit. I'm going to do a quick overview of some of the compliance standards just to make sure that we're kind of on the same page here. I'm not going to go over all of them. I'm not going to really talk about them in depth. I'm not a compliance expert. I'm just a guy who gets impacted by it and makes me want to hate and kill people every day. COVID probably one of the first big compliances that affected IT was put together by ISACCO, which is the security auditor's organization that's international in the States and I think Europe, maybe a couple of other places. Those of you who have gone through and looked at the security controls and so forth in there, if I remember right there's like maybe two sections in that 5,000 page document that actually cover IT controls. But for those controls that are there, they're okay. I worked for an organization that used to write security checking tools and when COVID-4 came out, we had to go through and map all of the controls that we had to COVID and amended that suck. But you know, vendors wanted to say that they were in the compliance business whether they were or not and so it basically detracted research for a year just so we could say that we were a compliant business and then we got bought and not got fired. PCI, that's probably the biggest one right now. Anyone who has to deal with credit card transactions either moving or storing or copying or whatever credit card data gets covered under the PCI DSS standards. It's probably the shortest standards document of all the compliances out there. I think it's 13 pages or so. It's not very big and it's very practical. I mean it seems like they're getting on the right path at least for writing compliance standards that can be actually be implemented. But the downside is which I'll get into in a bit is it's an organization that feeds on itself. There's possible conflicts of interest there in that the people that write PCI also make money from training for PCI and from the certifications and so forth. So what it looks like on the front may very well be an initiative to secure systems and it's all the great idea. Bottom line is that there really is just a business behind it trying to make money. This is the health care compliance standard that's pretty much implemented in standard state or steady state. There's not a lot of IT controls in that one either. It was a lot of verbiage over health care information. GLBA is a compliance standard that covers financial data. I'm sorry, not financial. What is it? Yeah, I guess it is financial. And then SOX being the knee-jerk standards that came in with the Enron and WorldCom meltdown. One thing about SOX is that you can sit there and say that it was rushed through and all of the really bad controls in it that are oppressive. The organizations are screaming that are oppressive and were hastily put in as we're learning. And then those of you that saw, I don't know when it came out, but Lawrence Lessig's talk recently over the impending I-911 and the soon-to-follow I-Patriot Act. Most of this legislation is written far ahead of time. They're just waiting for the opportunity to implement it. So SOX was, even though SOX is very restrictive to a lot of organizations, they're just controls that someone thought up a long time ago and just waited for the opportunity to put it in. Don't let them discredit the stupid shit that comes out in these as just hastily put together. Somebody specifically wanted those controls. And then, of course, the ISO standards that we've all dealt with as through its many generations. And then, I don't know much about the ITAF. I just ran across it. I think it's just ISOCA trying to get yet another auditing standard out there. All right, the psychological impacts of compliance on the enterprise. Of course, the false sense of security. We've got, and this is kind of the vendor space that's really doing this, but they're really selling compliance as security, and that's a really bad thing. As a friend of mine said the other day, security almost equals compliance, but compliance does not equal security, and that's extremely true. The vendor space is kind of cleaning up in this area to some extent, at least externally, where they used to get webinars and so forth and invites from various vendors telling you, come see our little webinar, we'll show you how to pass an audit. And anybody with any amount of intelligence knows that's not how you approach any kind of standardization or security. If you're focusing on passing audits, you're fucked. You're really just playing to the management and the decision makers outside of your organization or outside of your small compartment of the organization. You're not doing what your job is, which is to secure systems, not to pass audits, and that's a fight that we'll have forever. It's just something you get to fight every day. Then there's always the misinterpretation of the concepts of compliance. You'll have senior management that will go through and say, well, again, compliance equals security, so we've got one million a year that we spend on security. Why don't we just push that into compliance and we don't have to worry about it? It's the right way to go. We kill two birds with one stone and never mind the fact that there's considerable amounts of areas that are not covered by any kind of compliance or compliance standard that doesn't get any attention. And you're right back to some of the paradoxes that you used to run into 10 years ago where you couldn't implement security controls because of usability or whatever. Let me check my time. Okay. Compliancy is self-diviring serpent, obviously. Misinterpretations and misrepresentations creates a really shitty posture for compliance. There's a considerable amount of conflicts of interest, specifically with auditors who get paid to deliver results. You're never going to go out and hire an auditor and he's going to come in and say, your secure congratulations, give me my paycheck because you're going to want something tangible and return for that, so you're going to find that they find all kinds of auditing problems with your organization, whether they're there or not. It'll either be nitpicky or whatever. And then there's the extreme worse. An auditor is not going to get shot in the foot or shoot himself in the foot by finding so many problems with your organization that you don't want to bring it back in again. Granted, the right state of mind is that you want that kind of audit report, but the problem is management doesn't. Management, they want the executive summary and not only the executive summary, but they want the reduced feature set. First thing they're going to ask is, okay, which one of these do we not have to implement? Well, an auditor is going to say you're going to implement all of them, but the first thing that happens when you go into the mediation meetings is they go, oh, okay, well, maybe this one's not so bad. You don't have to implement it. And then, again, you've got yet another fucking hole in your organization. And, of course, there's the governance hypocrisies that I mentioned earlier where you've got just too many influences coming into these governance organizations that just pull it so many different ways that there's really no focus whatsoever in it. I like to think that I was an optimist when some of these compliances started coming out and that people really were focused on securing systems. But as we see, I mean, those of you who made it over to Black Hat and saw the wonderfully and strategically placed booths that made everything move so smoothly, 80% of those booths had compliance in there, even vendors that have nothing to do with compliance. The industries, and this happens in every industry, this isn't something new, but it just seems that the industry is constantly trying to replace people with product. That's where the money is. Organizations are going to go out and find products that replace people, and that's all part of the CapEx, OpEx, balancing circus show that organizations do to look like they're being productive and effective. But yeah, it's bad. Everybody wants to be on the compliance bandwagon, whether they are or they're not. As I said in my previous organization that I worked on, we tried to sell multiple, multiple times to very large acquiring IT entities. At least one of those attempts was botched because the CEO pissed somebody off, so they went out and hired two consultants, two MBAs, and focused on improving the presence of these organizations to larger organizations to make them more attractive for buyouts. And we went from like January of 04 or 05 being a security tools company to in six months we were a compliance company. Every product we had had a compliance component, whether it was well implemented or not, that wasn't the question. And the really sad part about it was that the buying company that ultimately bought us, they didn't care if the products were there either. They wanted compliance next to their name. There was a gap in that organization, and they needed to be able to maintain their lead in the market by being in the compliance space. So they went out and bought somebody who said, hey, we're a compliance company. I was like, okay, well now look, we're a compliance company. So not fine. What's going on here? Hold on. It's not moving forward. There we go. Okay, the anti-progression trap. Many times, compliances put controls into organizations that sure sounded great when the compliance component was authored. But you've got situations where controls are being demanded to be put in a place where they're not needed. And one, they're crippling progress. Two, they're not really securing the systems. And three, it's a waste of money. But we're secure because we put a firewall in front of a reverse proxy that had firewalling features because it required that a firewall be there. And then, of course, you've got the antivirus is dead argument. I'm not really going to get into it because I don't think that it is, but I think people are getting in on that. But there's just these concepts that come up that we need to embrace and make sure that we're at least looking at them as possible evolutions of the IT industry and just technology in general. We need to at least embrace them and really take a look at them and make sure that they're right before we immediately dismiss them as wrong. The other thing, password technology is a dead technology. It took forever to convince people of that. We still don't have technologies developed or invented that truly replace it, but it's pretty safe to say that password cracking is extremely fast now. And most organizations are eight-character passwords. And what's that take? Half a day at most to crack an entire SAM? I mean, it's just, it's stupid how we continue to have these controls in place because people won't listen and want to fight and not evolve the industry. And then, of course, compliance is not really helping that area because as we put more and more controls in place, there's less breathing room for the innovators. Okay, the risk bandwagon. It's the best name I could come up with this. But basically, we've got a huge amount of concept going around. And I don't know if it's in the CIO magazine. I don't know if they're teaching this in Harvard Law where they're creating the NBA drones who replicate what they learn in their books or what. But risk, if you can mitigate the risk, or I'm sorry, if you can manage the risk for considerably less than actually paying for the mitigation cost, no one's actually looking at the potential damage cost of controls. So let's go out and let's just put in a good process for handling disaster recovery. And that's great. Yes, we'll just dump it in the disaster recovery bucket, but no one ever actually looked at the potential cost of the disaster. So you've got, you know, we saved, you know, like in my example here, we saved, you know, three-quarters of a million dollars by putting or putting adequate or what someone would call an adequate risk management procedure around a particular part of the organization. But if that part of the organization were to go under, the costs could be 100 million or more, and no one's really balancing that. And it's really scary because you've got leaders of organizations that are basically building these IT groups within their organization that follow along with their methodologies and mentality, and it's going to be a really scary thing. This is probably the type of thing that's going to feed into the I-911 that I mentioned earlier that Lawrence Lessig brought up. Organizations are going to have so much risk management going on. There is going to be that big catastrophe that happens and we're all going to be screwed, not only from a financial standpoint, but also from a freedoms standpoint, because I guarantee the I-Patriot Act that will eventually come out is way filthier and scarier than anything that's on the USA Patriot Act. And incidentally, those who aren't aware of this Lessig talk, I can't remember what website I saw it on. I think it might have been on Google News, but I'm not sure. It was basically information passed along directly from Richard Clark, so I think he's a pretty reputable source of what's coming down the pipe. Compliance brings up the Fingerprinting Foundation. Now we're getting into really more of what I wanted to cover today. The great thing about standards, for those of us who do penetration for a living, or those of us who have agendas that involve getting into systems we're not supposed to be in, I think that's about as political I can get on that. Standards do basically create a matrix for attacking an organization or systems. That's great. Now you know exactly what length to set your scope for for brute forcing passwords or for cracking encryption, because odds are you're going to know exactly what encryptions are in place. You're going to know password links. You're going to know data retention stuff. You're going to know exactly what data is supposed to be and what organization and for how long. That's bad. Yes, we need data retention for other reasons, but when everything is so heavily, it's the best way to say this, when everything is so heavily regulated to the point, you basically you're creating a scope for a software solution that pushed a hat, clicked the hat tools because there's no thinking that has to go into the back end of software that breaks into systems anymore. Let me back up just a second. And configuration management, that's the other big thing, is when we're configuring all of our systems exactly the same, this all goes back to Dan Gehr's monoculture paper that got him in trouble at At-Stake several years ago. When everything's configured the same, the systems almost tend to be the same, especially when we start going into VM spaces and stuff like that, that you've got so many systems and so many organizations, again, that we're feeding right into that I-9-11 event that's inevitably going to happen. I think I've already touched on the encryption, basically. That's another thing, is encryption feeds, tells us exactly what the juicy stuff are. When people implement any kind of compliancy, they're only worried about implementing the bare minimum. You only require to have encryption on credit card data? Well, that's all they're going to encrypt. They're not going to encrypt the rest of the traffic. So guess what, if I can't read it in the clear, that's credit card data. I mean, how stupid is that? I mean, yeah, I don't have immediate access to the data, but again, decryption is super easy these days. I mean, there's so many tools that make it so easy. People don't even have to write their own tools to break this stuff anymore. So, yeah, encryption sucks. Okay, using compliance to map penetration. When you look at an organization, those of you who penetrate systems, either for living or for leisure, look at the organization, whether it be an individual or a corporation, nonprofit, government, whatever it is you're working on. You can do a high level look at what the compliancy standards that meet on that organization, and there's your map. You know exactly what controls are going to be in place for that organization. Like I said with the PCI stuff, if you know that they deal with credit card data, you know that they have to adhere to PCI, at least on the systems that do handle credit card data. So you don't spend a lot of time or effort trying to break into something or break something that you know it's not going to break in those scenarios. And then of course, what was the other? Yeah, and then what was my thought? Sorry guys, it's early, still drunk. It was a late night. You're with me, thank you. God damn, I can't remember. I had a good point that I was going to make on the slide and for some reason my notes are gibberish, probably because I typed them when I was drunk last night. Okay, we'll move on. Here's an example of basically an attack. The concept, this is not something that's even remotely beneficial to anybody right now, but basically look at your attack avenues on an organization, then overlap what standards apply to that, and then you basically, you eventually start building that roadmap into that organization or into that system to circumvent and reduce your effort. The other benefit of mapping out an organization ahead of time through compliancy is that you reduce risk of detection as well. If you're sitting there hammering away at a system with something that's not going to get in because of a compliancy implementation, you're improving or increasing chances of detection. All right, two developers out there. I've got a tool request. This would be a really, really cool thing. If someone could come out and make an attack matrix tool based on compliancy standards, you basically put in all of the things that you know about the target. It goes through and determines exactly what compliancy standards apply to it and creates your attack matrix minimums and then feeds out into a common format for feeding into those tools. I'm kind of a big fan of the whole metasploit ease of use concept of attacks. It's just a really, really cool thing. It would be great if somebody could do this. If somebody wants to contact me to work on this or something or get my notes on this, I'll be happy to disseminate that. I may actually put all my notes. I've got quite a few notes on the tool features on this that I may put them in the slides because I'll publish these slides on the NMRC website this weekend and I'll put those notes in there. It's not quite the conclusion, but it's kind of the end of this section of the talk. Really, you know, go out there and fight, really, really, really fight the compliancy stuff out there. Get involved in the organizations that actually develop these. Join ISACA and see if you can't feed into the decision makers in these groups and help them realize that, yes, we need controls in place, but let's try and do theoretical controls that don't create standards that are so restrictive that they're creating these roadmaps for attack. Do some real quick Q&A and I'll move on to the next part. Did anybody have any questions? Okay, so basically the question is, have I ever run into an organization that does the risk assessment and actually really looked at the actual costs of an incident versus the costs of mitigation versus risk management? Is that right? No. Well, I can't say that. There was one organization that I worked with that was one of these companies that had been around literally for 100 years and is very process-driven. They've made it through all of the growing pains of major organizations so they could spend a little bit more time on things like this. And it was a critical infrastructure so there was heavy regulation during the Clinton administration to protect critical infrastructure. So we kind of had a benefit there, but I think that was a diamond in the rough. But we did pretty extensive research on everything. We assumed what it would cost, total cost of replacement of equipment, basically go and take your total cost of ownership, subtract that for every system that could be impacted. It's not really that hard to do. I don't believe. I don't know who's... I haven't been in the disaster recovery or the business continuity domain for many years, but I can only assume that people have now applied all the psychological costs and all the other ancillary costs that go along with a major disaster or a major loss. It shouldn't be too hard to do that. I'm sure there's 1,000 consulting firms that had a booth at Black Hat that could probably take care of that. Anything else? What are my thoughts on GLBA and SOCS and to what specific component? Right? Well, as I said, I'm not a compliance expert and I was luckily... When SOCS and GLBA were both being implemented, I didn't work for financial organizations to really have to dig deep into them. The only components that I really looked at on those was when we were trying to map out controls at the organization that I worked at during that time, looking at the technical controls, trying to map them over to the functionalities of our products. So I'm probably not the best person to ask that question because I don't know it well enough at a broad enough scope to be able to give you a solid answer on that. But if you want to get into a more detailed question in the Q&A afterwards, I'd like to talk to you and maybe help a little bit better there. I'm sorry, that's kind of a gap in my compliance experiences. Any other questions? Oh, I'm sorry, I didn't see you because of the light. Right? Is the audit valid? That's really the question. Obviously, the organizations behind... I'm sorry, what was the... Is the validity of an audit on a new technology where the audit standards were not in place prior to that technology... I'm sorry, the audit requirements were in place prior to that technology being invented. So basically, when someone comes out with a new technology, an auditor does a, say, a PCI audit on it or a SOX audit on that system. Is the audit valid? Now, are you saying is the audit valid specifically the total audit or just the audit of that system? Right. Well, I would say from a legal standpoint, it's probably very valid because from a legal angle, we tend to back up the establishments and not necessarily question everything every time. Is it valid from a security standpoint? It really depends on the system, of course, or the technology. But, yeah, bottom line is it's really up to the interpretation of the person being audited. That's the thing that you've got to do when you guys are getting audits in the IT field is make sure that the education goes into management as to what exactly these audits are. So many times, you know, there's that fear monger that goes on with auditing. It's like, oh, no, we're getting auditing. My job's on the line. Your job should be on the line as to whether or not you actually implemented the mitigation components for the audit. And that's so often missed. Again, that goes back to the marketing campaigns from a lot of the vendors, is, you know, past your audit webinars and training and so forth. It's bad. It just seems like we keep missing this point, is that, you know, yeah, if you have two audits in a row and you said that something was mitigated or something was, you know, you actually implemented controls to fix an audit item and you still fail it, that's when people's jobs should be on the line. That's when the audit actually, one, has benefit for what it's really doing and two, really grades the effectiveness of the implementations. But other than that, from a legal standpoint, I'm sure it's backed up. If you question it, the only thing you can do is go to the governance board. I haven't really dealt with any of the governance boards directly, other than I saw, I'm sorry, ISC2. Is that how they say that? I guess it's ISC2. Is it? ISC2. Oh, that's even geekier, that's awesome. Yeah, I've dealt with them and there really was deaf ears. I had issues with quite a few things. Another example is I know somebody that works for Juniper who was, there's a new CERT and it might be ISC2 as well that's doing a CERT on software assurance, is that correct? Someone's developing a software assurance basically, you know, secure coding and so forth and he submitted extremely basic questions for the test pool for this new CERT and some of them were basically very simple basic memory management and the response he got back from that board was that the question was too technical and I mean, if you're a software assurance professional shouldn't you know very, very well how important memory management is? It baffles me. That goes back to feed with the hypocrisies of the governance boards is that they really are out to make a buck. I would love to say, no, no, no, that's not what's going on, but it really does give the impression that they're just trying to create yet another credential that people want to run out and get so that they can get high paying jobs without experience or education. But hopefully, hopefully it's changing, I know it's not, but hopefully it's changing. I won't go into my certification rant here, but okay, I will for a second. Certifications are stupid. They've got some really, really good benefits in that, thank you. One of the benefits of certification, which is this is if you use certifications for anything in your organization, this is exactly why you use a certification, and it's a common body of knowledge that you can hold your people responsible to. Anything outside of that it's extremely stupid. It's not a drop-in replacement for 20 years experience analyzing systems. It's not a drop-in replacement for a Dartmouth PhD. Sorry, it's just not that. I mean, I'm not a big education person. I've got, I tend to work with a lot of educated people, maybe that's why, because they think on a different level. It's crazy stuff. I'm more of a practical person, so as opposed of a theological person, even though most of the talks I do are really theory more than anything, that's just kind of sharing of a mindset. Certes aren't going away. Compliance is not going away. Get used to it. Get involved with the governance boards and see if you can really change their mind a little bit. I would love anybody from a governance board if you're here. Please come talk to me. It's just crazy how it is. And I know I recently saw a movie. I was a little late watching it called The Smartest Men in the Room, the Enron documentary or Drama Humanity or whatever you say. They referenced a study from the 60s over accountability. And it really comes into play here and I think this is why these governance boards get so screwed up because it's someone else's responsibility. It's someone else's fault. I'm just doing my job making a paycheck. It just happens over in this crazy loop. The premise of this study was that they had an actor and then they had a subject in these tests and the actor was in one room, the subject was in another and the subject would systemically go through and I don't remember if he was asking questions and every time he got the question wrong he threw a trigger and the trigger was supposedly shocking and the actor would act like he's actually being shocked and they would have the subject actually systemically go through each question. Every time a question was wrong it would be a greater shock and if I remember right they had a section of the panel as you went up the panels. I mean this is the 60s, this is the old spaceship big tall giant box with flashing lights and a bunch of switches. So it really created a great illusion that this was a massive apparatus and you're really hurting this man in the other room and he would be screaming and everything but there was actually a section towards the end where it said fatal or dangerous or warning do not go past this point and everybody would get to that point and the guy would scream extremely loud when he got close to that and people would not push past that section. Sorry I'm talking to God damn much for one slide apparently. There we go. Anyway the thing was the interesting thing about the study was that as soon as they would get to that area they would stop and turn to the tester and say I'm going to kill this guy I can't move forward and half of them would ask a very important question are you talking to the tester saying will you take responsibility for this and when the tester would take the responsibility for the shock treatment they would just go right at the switch because it was no longer their responsibility it wasn't their fault if they killed the man in the other room. So that's a great human study and I think that's really what feeds into why large organizations with too much management you have so many people responsible that not one person is really responsible so they're able to really push into these crazy loops of obfuscity obfuscity obfuscity thank you sorry it's still early and it just seems like it's never any spiral but it makes money so it will keep going so again, you know, get out there and really talk to these organizations those of you that really get pissed off by this join the little local ISACA groups and bring it up every meaning be a thorn in their side in these meetings and say hey guys again, compliance is stupid why aren't we doing it any other questions yes I don't know anything about the federal standards that's probably the main reason I left them out the question was why I left out the federal standards I haven't been involved with them enough to really be able to talk on it I wasn't specifically trying to do a broad scope list of compliance standards I was just trying to use them as examples and those are the ones that I've had somewhat some amount of experience with so that's the only reason that I didn't cover the federal standards I can only assume that they're worse and they're more obfuscated than anything else just like, you know, it's the military what do you expect okay anyone else alright, let's take a quick break and have some fun so some observations that I had at Black Hat the first one is room security illusion we've all got these great safes in our rooms at Caesars my malfunction it wasn't the fact that I was drunk and punched the wrong number in when I locked it I promise I called them up, they showed up underneath the handle is an RJ11 connector plugged a fob in, opened the door that's not secure, I'm sorry so if it's on a fob it's on eBay, if it's on eBay anybody who gets into your room has one anybody that's going to do that, it happens I really don't think that there's really any kind of illusion of security, the other great thing and it kind of goes into this next point that I have was what booth had that stupid spin the wheel thing that was so annoying who was that does anybody remember, was that like core impact or next to core impact oh, it's Fortify is anybody from Fortify here, you want to come up? please yeah, that was stupid you have this tart up there with a big feather whatever that was spinning, the only person having any fun of this thing is the guy that went in and turned in to get his free spin on the wheel, that's the only person having fun but we decided to give this woman a microphone and tell everyone else how much fun he's having while he's doing it and while we're standing there in line because we left to talk because we thought that break meant we could go get a drink and not go stand in this crazy fucking cluster fuck of a gauntlet in this very tiny hallway I wasn't there last year, was it the same way and didn't someone say last year that they were fixing that is there too many MBAs at the new company that they can't come to a decision I mean yeah yeah, obfuscuity at its best I did bring up the company's name god damn me yeah I just I'm starting to hear a Bill Hicks bit here now fuck you, I'm not talking about that yeah, so yeah, that was stupid, a thing that went along with that is they were going around I guess apparently everyone that was flagged as a black hat attendant at Caesar's got a little wheel or something in there, an invite down to the booth is this the same thing I was walking back to my room and there's a there's a hotel individual walking through opening doors putting this little flyer in people's rooms and closing the door I'm sorry I rented that room the only reason you're coming into my fucking room is to clean it and to change out the dead hooker every time I'll stay the fuck out I mean what kind of what kind of security vendor is this you're talking about a vendor that's supposed to be focused on fucking security and they're putting flyers in people's rooms yeah, yeah, it's trust yeah, whatever okay, one other point booth babes, wow there was a lot of them, huh I actually made this statement about two weeks before black hat I said as soon as my trade industry starts having booth babes I need to get the fuck out because it's over I think that pretty much the concept is if you, those of you who are just starting an IT are starting in more specifically in security and like maybe this is your first or second trip leave seriously there's no there's no chance of breaking in once there's booth babes at your trade at your trade show you're screwed you're not you're not getting into that industry that means there's too many fucking people in there but there's a caveat a couple of them look like tore up hookers so maybe there's still chance I mean really really $20 an hour guys can you spend a little bit more so maybe there's a chance maybe there's one more year to break in maybe next year we'll have some E3 quality booth babes and those old cynics can have more stuff to bitch about that's a great thing about being in an industry a long time you can be extremely bitter about it so you new guys come on over the water's warm we'll welcome you in okay I'm actually running a little short but I do have time for more questions if anybody has any okay well you guys have a good oh I'm sorry yes right okay so NIST went out and did they do just a sampling or did they do a broad test of all tools it was a broad test of all tools they went out and tested all the security tools to see that they actually did what they say that they're doing so definitely go out there and check your tools before you go shopping for tools they should be able to tell you at least give you an idea of the quality of the tool and alright well thanks guys I appreciate you coming and have a good con