 Thanks a lot. Thanks for coming out in the morning. I know it's hard, especially if you've been in Black Hat for a while, so you've been drinking for a few days like I have. I'm going to talk about my perspectives on cybersecurity and cyber warfare, and you may wonder who I am and why it matters, and I sometimes wonder that as well, so I'm going to tell you a little bit about me. I am formerly the CSO of Facebook. I actually quit about three weeks ago, but spent five years building up the security organization in Facebook from nothing to what it is today, which is a really great organization. I think some of my old team were in the audience, and one of the things I'm going to talk about is how that worked. Prior to that, I was a fed, never been spotted as a fed at DEF CON. I'm not one now, so you can't spot me. I did a computer forensics examination and ran the UNIX program, did all the tools for UNIX examinations things of that nature. Before that, I was a VP of technology at Ticketmaster. There you go. It was a great time. I was glad to leave. Prior to that, I worked in financial services in Europe and spat around a lot of packets that were worth a lot of money to people, so they really cared about them. I learned a lot at that job. Most importantly, I love the game Deus Ex, and like I am, it's a great game, so go play it. A little bit more. You might wonder how many phones I'm releasing during this talk, and the answer is zero. Does anyone's name Big Zero, by the way? No? You can take that. I'm kind of pissed that I'm making the badge talk, because the badge is really cool this year, and some of the stuff that it does with other badges is also pretty cool. That's a hint. So leave now if you want to learn about that, because I'm not going to talk about that. Here's what I'm going to talk about. I'm going to start off with the topic that I know the least about, which is cyber warfare. I say that I know the least about it, because I think people who talk about it actually don't know that much about it. I've been studying it for a little while, and I'm very interested in how it overlaps with cybersecurity, which is why I made this talk. I'm going to talk then about cybersecurity, and when I talk about cybersecurity there, what I'm really talking about is the way that I viewed security and how we built out the organization at Facebook to support that. It's a little different, I think, from what other people think I have, a slightly different emphasis. I hope you guys get something out of that. And then I'm going to talk about how I think cyber warfare and cybersecurity are the same thing, and how going forward there may be ways to make them overlap. So there we go. And then I'm going to ask you guys to do some stuff for me. You don't have to. When I do a presentation I always like to make up some little rules except I don't want to call them rules because axiom is a much better word, it has an X in the middle of it. And this is one that I think is pretty important, so I made it number one, which is the word cyber is pretty dumb, but we use it a lot because we don't really have any other word that's not as dumb to describe it. I'm going to be saying it a lot during this presentation. You're going to be tired of hearing it, but not as tired as I'm going to be of saying it, but I'm still going to say it. Here's what I've been thinking about with cyber warfare. If you read a lot of things in the press, and especially a recent semi-popular book, you would believe that come to cyber war everything's going to break down. Anything with an IP address is going to burst into flame, probably in your pocket. It's my understanding that IP 6 devices are going to be spewing locusts. So I don't know how we can defend against that. I mean, all this stuff will go away and that also means no cold beer. I know. There you go. Now we're fighting. And of course dogs and cats will be living together. It's just going to be horrible. Here's what I think is actually going to happen. None of those things. Well, maybe the cat and dog thing. And I'll tell you why. If a cyber war, hot cyber war actually breaks out, the network is more valuable for everyone on the field up than it is down. So if anything goes down, it's probably going to be localized and it's going to have a specific objective and it's not going to affect a lot of people. I could be wrong. I don't know. We'll see. Hopefully not. And actually this is a good time where talking about tactical objectives just to make sure that we're all kind of on the same page with some of the terminology. So strategy in war is an overview of what things you want to achieve. Like let's defend computers or let's keep the network up or let's keep IPv6 devices from spewing locusts. And then tactics are specific actions that you take that are further into those strategies. And then there's the concept of doctrine which is in the middle between those two things. You have strategic goals. You have actions that you can take in between them. You have those two things. When are you making tactical decisions taking tactical actions? How do they support your strategic actions? And doctrines are really what says that and what defines that. So I've talked to a lot of people inside and outside of government about what our current US cyber war doctrine is. And I've discovered there isn't one. There's actually a lot of them. And it really depends on who you talk to as to what level it is. Every service I talk to decides to look at a cyber war through stuff that they own, specifically stuff that they have responsibility and budgets for and recast cyber war in that thing. So for instance, you talk to someone from the Air Force, they will talk about it in terms of close air support, strategic bombardment, stuff like that, precision munitions. You talk to someone from the army, they talk about it in terms of logistics and laying wire and moving packets and things like that. You talk about it to someone in FBI or DHS and they look at it as a law enforcement problem and recast it that way. All of these things are actually true and false. Mostly false because I think that they're missing the point that there's actually some other more unifying doctrine out there that has yet to be developed. But they're true in that from the perspective of every agency, from the perspective of every organization, they are matching, cyber is a part of those missions, all of those missions. So when you get people together to talk about it they'll tell you a cyber war doctrine, they'll say it's the U.S. cyber war doctrine, it's really their cyber war doctrine. But these doctrines do share some themes. By and large, all of them say we're going to do things to gather intelligence, we think that our opponents are doing things to gather intelligence and we're going to look at that. Intelligence is, you know, I can see you and I know what you do. By the way, this is a Devo shout out, I don't know if I hope you guys get it. And then there's also network defense which is trying to keep generally these days people from doing the intelligence gathering against you. And then occasionally one or two people will poke up their heads and then stop talking about this part of it, which is, this is military speak right here, deny personnel or assets to your adversary. What that really means is killing someone or blowing something up or also, you know, making the router stop working. These themes are all things that are in all the doctrines that I've heard about to varying degrees. The intelligence gathering is definitely the strongest across the board. Which is actually this is what I just said. But like I said, there isn't a lot of strong emphasis on addiction, on denying assets and keeping personnel out right now. And that's in the U.S. I think that that's probably not necessarily true in other countries. I think other countries are definitely more focused on that and are working on it. And then here's a caveat. I'm a civilian. I'm just a guy and I ask people questions and they tell me things and I kind of put all this together. It could be that I'm completely off because the people who really know about this aren't talking and they probably won't be talking for a while because they're still figuring it out as well. So the military has done some other things besides coming up with a cyber war doctrine. And I posit that the cybersecurity field as a whole originally started in the military because the military made some security standards like TCSEC, the old orange book if you know that and then codified that through purchasing so that if you were going to buy something and they felt it had a security aspect, you had to be orange book certified to be certain places in their organization. So they forced that out into the private sector. And that was, to my believe, probably one of the original founding documents of cybersecurity as a industry. Of course, TCSEC was updated and became the common criteria a few years ago, but it's still kind of the same model of thinking about security in that it's advanced, there's a checklist, you get certified and that's supposed to make you more safe. And all those doctrines are infosec based doctrines, not really information operations doctrines. That's a whole separate thing, which I had actually more in, but I had to take out in there. So some problems with that is at the very core of the military's thinking about computing assets and subsequently at the core of what I think cybersecurity people think about computer assets is we're protecting them still like their buildings. You know, in the late 60's and through the 70's computers were pretty much synonymous with buildings. I mean, there was going to be a big building that your computer was in or there was going to be a core at the center of your battleship that your vaxes were sitting in. These were big boxes and had to be controlled like that. So it was easy and natural to think about them as being buildings. So you make walls like firewalls, you have access controls, you determine who you are and can get into certain compartments and keep track of that and audit those so that you know, hey, these people got to these files, they may have done something with them. But by necessity that philosophy makes you physically segregate your compartments or even virtually segregate your compartments which reduces the information flow between the compartments. And something that I think people forget sometimes is that the whole purpose of these machines, the whole purpose we have computers, is to process information, to move information, to make information flow. So to the extent that the older information security protocols keep that from happening, they're actually reducing the functionality of the machines. So moving forward, these are things that, just part of my thinking I'm going to be doing, but I think everyone can think about it and contribute to it because there is still a unified doctrine out there. I think that the agencies in the government should think more about what a unified cyber warfare doctrine would be. Cybercom's kind of starting, but cybercom is kind of, at its inception, is thinking a lot about intelligence because of the people running it. So they're going to end up with an intelligence based cyber warfare doctrine probably. So I think a good doctrine would be devoid of the service-based bias. It should be applicable across all the services and should be able to encompass things like gathering intelligence, doing the close air support equivalent in the information warfare field, but also being able to go and blow something up if you need to. So those are my thoughts on cyber warfare. I'm still thinking about them as everyone is, but they'll come together at the end of this presentation. So for cyber security, going back to the origins in the military, here's where a lot of us, I think, came from coming into security roles. I mean, like how many people in here started off as an assistant or an editor? Probably a lot. A lot. And the way you started thinking about security was, at least for me, when I came up that way, was why is my disk getting used so much? What's all this bandwidth going to, where the packets going and chasing them down? And I think this was an entry path for a lot of us. The Cliff Stoll's book from 15 years ago is exactly that. So we all as an industry then tend to think about cyber security as a sysadmin or a network problem. I think antivirus software had a huge influence on the industry because suddenly security companies were making lots of money selling antivirus and are still making lots of money actually selling antivirus despite the fact it doesn't work that fabulously. But they're thinking about products, how to monetize them, how to resell them, how to continue selling things like antivirus and that may not be the appropriate path to forward. And then a huge influence on the security field is compliance, obviously. So to me, compliance is you walk around your house at night, go through a checklist saying I've shut all the doors, I've shut all the windows, I've locked everything, I've set the burglar alarm but your house will still get broken into. Here's an axiom about that. I'll let you guys read it. Actually, can you read that all the way back? I don't know if it's big enough. I just looked at it and thought, wow, you can't read that. I'll read it to you. Compliance isn't security. Put it off as long as you can. If you're doing things right and won't be hard to check the boxes later, I forgot to put the word later, but if you're spending time and money on compliance too early in your org's life you're getting owned and not just by the hackers, probably by the people who you're paying money to do compliance for. At Facebook, we didn't actually start a compliance program until a couple years after I was there and then it was kind of because we had to which is the only reason you should start any compliance program. It wasn't that hard when it came time to work through compliance because we were doing all the right things already and so it was just a matter of shoehorning them into which boxes we could check but I think if you make the mistake of starting off your security program and building a security organization around the idea that you're going to go through a compliance regimen later, you're probably not doing the right things and I'm going to describe what I think the right things are with this nifty graphic. This is the only graphic in the whole presentation. I think that there's a triangle of things that you need to act upon and think about in security and the base, the one we all know, the one that vexes us every day is this endless amount of vulnerability. So if I could make this base nearly infinite, I would because of all the things that it would encompass. But really the only vulnerabilities that I care about are ones that if they're exploited are going to actually cause damage to my organization. There may be a ton of vulnerabilities that may be relevant, may not be relevant, but if someone attacks them and exploits them and I have other controls and other things set up, I don't really care about those vulnerabilities so I don't really need to mess with them. And threats are those vulnerabilities, the ones that are going to have damage to your organization. Even if you have threats, if no one's attacking you, you really don't even have to worry about those. And I know that we're all getting attacked all the time, but we're not getting attacked all the time in a targeted and focused manner. We're getting attacked by a bunch of botnets, we're getting attacked by a bunch of random crap floating through the network. But there may only be one or two or ten or 20 people or 50 people who are actually targeting you. And the attacks are, those attacks are the ones you have to worry about. And if you look at those attacks, watch those attacks, you can find out who those 10, 20, 50 people are and go after them. So the bottom, threats and vulnerabilities is really where I think most of the industry focuses on. Definitely on the cataloging of vulnerabilities, figuring out what they're affecting and trying to tell people whether or not they're threatening. But only you and your organization can actually understand what the threats are because a component of the threat is figuring out the risk to your organization. And no external company is going to be able to tell you that. Also no external company is going to necessarily be able to see and act on all your attacks. So at Facebook I really focused on the top two portions of this. Where when we were getting attacked looking at the attacks and figuring out as much information as we could about what was being attacked, who was doing it, why they were doing it, and then going after them any way we could. So this is just kind of a recap of the last thing. So the vulnerabilities are the complete possible ways into your systems. That number approaches infinity as your systems grow especially. The threats are a subset of that that would actually cause harm to your organization. And you're really the only people that can understand that inside your organization. Your boss yelling at you is harm in the organization too. Attacks are people that have figured out those threats and are working them going after them. And that is your number one place to gain information about actors. And the actors are the people who are going after you. I think there's a tendency in the organization because of so many botnet attacks, because of so much stuff in the network that's out there, to just look at its attacks as being like weather. It just happens. And it's not something that you can really do anything about. Except it is something you can do things about. Most attacks that are focused on you are being done by someone. And those people live in the real world. They're real people. They're doing it for a bunch of reasons, generally money. And if you can follow the money, follow the people, you can stop real attacks. So when I've talked about this before, I say ignore vulnerabilities and that always sets people off. So this time I decided to put ignore in quotes. But I still kind of mean ignore. In that don't chase vulnerabilities. It's like chasing the needle if you're flying a plane. Go after the ones that matter. Don't go after all of them because you're just going to be it's never ending work and you're going to end up introducing more vulnerabilities and then you're just going to have to do it all over again. So really identify the ones that are important to you about threats and go after those vulnerabilities that are actually part of the threats. And when thinking about threats, really be realistic about what's going to matter, what's really going to affect your organization and think about it in a way that greater restriction of information flow doesn't necessarily mean greater security, but it definitely means degraded capabilities. And this is a big one for me is I decided early on at Facebook to trust the people inside the network. And a lot of security organizations don't want to trust people. And I thought if you can't trust your people, nothing you do from a technological standpoint is going to matter. And if you don't trust your people, why not? Go figure that out. So spend your time watching attacks. They will tell you everything you need to know about who's attacking you. And if you watch enough of them and you get enough of them, you'll actually start to be able to track tools and see hey, this attack was a person writing a tool, this is the person they sold it to who's testing it out, and then they sold it on to someone else who's actually using it against you. And collecting that data, you can end up really building an association network and figure out how to break the chain, how to break the money, how to make it too much trouble. Target the actors. There are reasons for attacking you. If you figure out what they are and they could be technical, they could not be technical. Like I said, it's often money and go break the money for them, break their reasons and make it too hard. And they'll end up stopping or just going on somewhere else, which is a win for your organization. And this is something that I believe really strongly. It's every time someone interacts with you, and from this standpoint I'm really thinking about it as a website like Facebook, where every time someone interacted with Facebook, be it getting a page, looking at a page, doing a ping, trying to do scripting thing, do something, it was an opportunity for us to collect intelligence on people. And then analyze that to see if they were attacks or not attacks. And every site, every application, I would argue even every OS should have some sort of capability for that. Obviously they don't. Okay, so how do we bring these two things together? How do we bring these ideas around US cyber warfare and ideas on cyber security that have been in use at Facebook, and think about going forward, are these things even connected? Do they need to be connected? Why not? I argue they do. Because talking about some of the influences earlier, cyber security and cyber warfare are not even two sides of the same coin, unless they're maybe on the same side. I mean, they are definitely connected and interrelated, and thinking about them is the same way. Is it even possible or relevant to think about a unified doctrine? Well, let's see. If you think about a large site like Facebook, or even a small site, any site, and you think about government and the nation's information infrastructure, are they going to have the same types of threats against them? Maybe. If they're attacked, are they going to respond in similar ways? I think so. So if you have unified threats, any unified method of responding, you probably have the ground there to build some sort of unified doctrine. So something that I think that I have noticed from talking to government about cyber warfare and the way they think about cyber warfare is they view the front lines as being the edges of the .mil and .gov domains. And, you know, it's easy to view things that way because that's really the extent of their authority. And the government doesn't really like to think about things that are outside of its authority. But in reality, those attacks are going to occur much earlier than that. Attacks are happening at telcos, attacks are happening at ISPs, and attacks are happening at big sites. And so if you're doing security in any of those areas, which is pretty much all of the internet, you are on the front line of the cyber war. And thinking about how to respond to that and responding to it in a way that is as if you're acting that way, instead of doing it in an information security compliance mode may change the way that you react to things. So if someone attacks you as a security person, do you really have any idea when that attack starts or when you first see the attack, whether it's just a hobbyist trying something out, playing with the site, whether it's a criminal that's actually attacking you or whether it's some organized state attack. I would argue that you don't actually know that and that at the time that the attack is going on. And you may never know that depending on how much information you can gather around it. So not knowing that and also as it progresses you may not know that they're progressing from one to another. You may identify something as a hobbyist first. It may end up being a test later on for a military act that doesn't go against you even. So how would you respond? I would argue that it doesn't matter. That the way that you respond to these attacks really doesn't matter based on whether or not they're a script kid or a criminal or a military. You're going to respond in the same way, which is you're going to try and protect your assets, protect the things that you're responsible for, gain information, try and find the people. So whether or not any of those classes really doesn't matter in your response. And how you do the things, how you string together the tactical actions that you have, how you gather the intelligence also doesn't change based upon whether it's military or hobby or criminal. So I think you're going to see the same threats because you're on the front lines. You're going to respond to those threats regardless of whether or not they're coming from someone who's just experimenting or from a state actor in the same way. And they're going to be the same threats and same responses in government as well as outside of government. So there probably is some ground for a unified doctrine between those two things. What does it look like? I'm going to throw out some requirements and things here of what I think it would look like. I think it should absolutely encompass the security idea of identifying the actors behind the attacks and using everything that happens in interacting with your systems as intelligence to do that. And basing your responses on behavior not identity since you don't necessarily know at the beginning in the tactical response who's doing it or why, but you need to respond. I make an assumption that throughout the internet all the hosts are equally suspect. So you can trust people but don't trust machines. That users and machines that are roughly in the same class of activity are going to look alike and they're going to enable you to build a statistical model describing what a good action is versus a bad action. And these things here are actually things that we did on Facebook. So we make decisions at Facebook about when you're interacting with the site whether or not we think you're a script or whether you're a real person. And that's all based upon the behavior that you're exhibiting. And we compare that against a model of all the users and see are you doing like what other users are doing or are you not. And to the extent you fall out of the model we'll start degrading your service based on that. And I think that's a model that you can use on all levels of cybersecurity support. So I'm going to suggest a doctrine here. And I think that this doctrine from my reading and my understanding and talking to people actually, it's an existing military doctrine, actually maps pretty well to something that would work well for cybersecurity and cyber warfare. But it's not something that generally anyone really brings up. It's not one of the metaphors that I've heard a lot. And that's a counterinsurgency. So I'll get into some of the defining points. Because I think it's because I told you I'm really going to say cyber about a million times during this presentation. I decided that the doctrine that I'm going to talk about is going to be called cyber counterinsurgency or C-coin. So under this doctrine, here's some of the things that I think would reflect it. Under a human cyberinsurgency people act in certain ways and you can't really tell the difference between who's a combatant and who's not a combatant until they behave a certain way. And I think that's the same for hosts, IP addresses, packets being flown. All those things reflect human behavior. Be it a person actually behind the keyboard doing something or something that they've written that's running on the machine but everything that happens on the network doesn't happen because machines make it happen. They have them because we make it happen. So given that everything is reflecting some sort of human behavior and I'm going to call these things for the rest of the discussion. I'm going to call that stuff subjects. So subjects are the behavior that's exhibited by technology that's human based. It could be packets. It could be the way that someone's going on a web page. It could be files or in the disc. These things are all subjects. And all the subjects live in this big country called interwebs. I call it that. I don't know what you guys call it. And this country doesn't have any real law enforcement or governance. So there's no intrinsic police telling these subjects what to do. It's all driven on the user's human behavior, the person who wrote the software's human behavior, the things that they wanted to do. And the subjects interact with each other. So people are sending packets to each other. There's interaction between these entities. And depending on how they interact in your philosophy these interactions could be good or bad. You may decide that for you BitTorrent is great stuff and you want more of that so that's good, trusted, other people probably wouldn't think that way. But you get to make your decisions as running your organization and how you interact and what you're able to influence in this country. So in this country much like in other cyber-insurgency countries there's people, the subjects are there, but the subjects act in a particular way based upon what their influences are. And if you read the old Green Beret manuals from the 60s they talk about winning peoples hearts and minds. When you talk about winning subjects hearts and minds I think you're talking about the user behind them, what they're using it for are the machines being used in a way that the user wants them to is the software that's loaded on there in compliance with what the user wants to have happen or not in compliance. And the more software you have that's not in compliance, bots and viruses and other things like that you're really talking about moving it away from moving the heart and mind of the subject away from the user's desire. So, you know, that wasn't that important anyway. I think I've already told you. Oh, here we go. Okay, so the OS has a purpose and most of the purpose is allowing the user to interact with the hardware. So to some extent and how much you like any particular OS that you're working on that's a trusted relationship. Apps allow users to do particular things and to the extent that they're doing what the user wants to do, they're trusted. To the extent that they're not, they can be less trusted. Viruses and bots and other stuff which we all know the vector for that. Those things to a much lesser degree do what the user wants them to do and they're doing what someone else is trying to influence the subject to do. So, existing security software processes at their core are trying to take this idea of restoring the primacy of influence to the user. So when you're running antivirus on your machine what you're really saying is I want to make sure that me as the user, controller of this subject am in charge of what's going on there and by getting rid of viruses and getting rid of bots you're restoring your primacy of influence on that machine. You're essentially winning its heart and mind back from the bot owner or the virus writer. And in a theoretical world if you could do that completely you can't ever do it completely by the way, but if you could any machine that had 100% primacy of influence meaning that you completely control the machine and what it's able to do and you as a person are trusted in the organization, you could trust that machine 100%. You would know that it would not attack anything in your network because the person wouldn't be attacking it and they're in complete control of the machine. That's a theoretical possibility it's not actually going to happen, but to the extent that you're able to get to it you can actually trust the machine more. And to the extent that you can't you can trust the machine less. And figuring out where that line is is a philosophical issue. So in a counterinsurgency area of operations a place where there's a counterinsurgency war going on a method usually for identifying you can't really tell just from looking at them who's fighting and who's not fighting. The way that they do tell and can tell is you look at the behavior like are they fighting? That would probably make them a combatant and also who they associate with. If they're hanging out with a bunch of people who are fighting they may be moving towards fighting if they're not already. I think you could do this equally well in a cyber counterinsurgency in that once you start gathering information about what machines are doing, who's doing them and why, you can understand whether this particular machine subject is more trustworthy or less trustworthy based upon their behavior. So I would say that there's, and I know that there's some work going on in this field and the people who are doing it are doing some pretty interesting stuff, but I think it's definitely an area that's worth more generic tool sets. A lot of them are very specific, like the one we have on Facebook was very specific. So cyber counterinsurgency software and processes should really look at that behavior and make available trust information about whether or not this subject can be trusted or should be trusted and at what level and with what types of things. So what? Based on that doctor and I would say if you're a cyber security person here's some of the things that you can do and think about. And one is trust your users. I heard some laughing okay, but if they're in your organization and let's say even if they're in government they're cleared give them some trust because a little bit of trust goes a long way and actually countering people trying to circumvent measures. What I've seen in a lot of organizations and probably what you're seeing in your organizations are people trying to circumvent measures. The reason they're circumventing them is that the measures are keeping them from doing what they need to do. And the more that you understand what people need to do and the more that you trust people to do the jobs that they're given you probably will see less circumvention measures. And we definitely, the way we built out the network at Facebook we gave a lot of trust to our users and we did not see a lot of circumvention I think as a result. And then think about your organizations as a beach head in this ongoing cyber warfare because you already are. Even if you have nothing of interest to anyone any other state or any other warfare just the fact that you have a machine on the internet means that it's important to someone possibly. So think about yourself as being a place you're defending Omaha Beach from someone and change the focus a little bit. So and then I would argue spend less time worrying about vulnerabilities and do more threat assessment, attack identification and an actor ID and then go after them with everything you can. Obviously not illegally. What we did at Facebook is by and large our issues were with spam and a little bit of unauthorized access both of which have very good laws in the US that have full civil and criminal damages. So we were able to build cases against people pretty large cases and then used the legal avenues of attack against them and you'd be surprised how quickly spam will drop off if you get a couple $800 million judgments against people. So I say go for that. Okay so I'm actually running a little bit ahead. Here's what I would like you guys to do and take away from this. Think about start thinking about the things that you control or the philosophy of how you think about security in terms of the subject base and think about what their trust relationship is with you and where you don't have trust relationships think about why. And instead of trying to make technological measures around that think more about building the trust relationships so that you need less technological measures. And then think about this idea of primacy of influence that if you trust your users the more that you can get them to control the machine control and understand it and behave in a way that you that is in line with your organization the less work you're going to have to do from a security standpoint and the better your users will like you. And then inside your organization inside your application build software or if you have a company that builds software start thinking about building behavior based software because I think that that's actually probably way forward more than cataloging endless volums and endless viruses. And finally hack your badge so you can come to the Ninja party and I can buy you beer and you can harass me more about whatever you want. And I'm especially happy to answer questions about Facebook if you're interested. And then here's the last axiom of the presentation. Sometimes you have to ignore all these rules and all the axioms because the bad guys do it all the time. And knowing when to do it will help you out. Okay, thanks.