ERP001 - Cyber Security w/ Arkinfosec

Welcome to Evolve Radio where we explore the evolution of business and technology. My guest today is Lochland Turner with Arc Infosec. Lochland is a cyber security expert who has worked for Australia Defense Signals Directorate and now runs his own consulting practice focusing on common criteria certification. We chat about the evolution of cyber security, how's it come to be such a common thing in our day-to-day lives. What are the threats and how can people and businesses protect themselves? I apologize in advance as I had a small issue with echo in my audio. I've tried to minimize it as best I can, so it doesn't distract from the conversation. Appreciate your interest today and I hope you enjoy this discussion. So here we go. Welcome Lochland, you're with Arc Infosec. And you founded a security company. We want to tell us a bit about the background, your history and how you started Infosec, Arc Infosec. Absolutely. Yeah, well, thanks for having me. Hopefully I can shed some insights into cyber security. But um, yeah, Arc Infosec, I started Arc Infosec really to service a fairly niche market. Um, which is IT security evaluation and certification. Um, so we essentially make sure that security products do what they're supposed to do. Uh, and we and we do that within an internationally agreed framework, which is called common criteria. Uh, so we service a very niche market, but um, even that being the case, we have to, we have to keep abreast of the latest cyber security developments. So our typical clients are uh, uh, the IT security product vendors themselves. Uh, you know, the Oracles and the MacAfees and and Intels of the world. And also other cyber security labs we provide services too. I've been in the field for about 14 years. Okay, great. Uh, common criteria is pretty specific, very high level, uh, cyber security work. And how did you move to such a high level of uh, of interaction in that business? Is what was the the path that sort of led you down the security path and the route in in business? Yeah. Um, straight out of university, I, I, uh, I went to uh, work for the Australian Department of Defense. Uh, in what was then called the Defense Signals Directorate, which is now the Australian Signals Directorate, and that's um, essentially Australia's NSA. Um, and through that, I, I was introduced into the common criteria world. Uh, and I, I, uh, actually became the uh, one of the principal certifiers there for for ASD. And so I, I kind of got an inside track on the certification, on how it works. And uh, so from there, I, uh, I, I went and worked for a startup called Stratsec, uh, in Australia. Which serviced common criteria clients, but also uh, federal government clients in the in um, cyber security areas. So I kind of got a a consulting experience and background there with Stratsec in the startup scene. And then coming moving out to Canada in uh, 2008, and I started working for a common criteria labs. And and then from there, I, I became an independent uh, consultant. Very cool. Yeah. So cyber security is obviously a hot topic for a lot of people. It gets a lot of pop culture awareness with uh, the revelations from WikiLeaks and Snowden and definitely brought a lot more of a a public awareness around security. Obviously, it's uh, security around uh, computers and cyber systems and the internet have always been present. Why do you think it is such a hot topic lately? Why is there there an interest now in the the public mind that wasn't there before? Yeah, um, yeah, definitely the media attention, um, you know, and the high profile hacks that are starting to come out now. You know, the the targets target hacks and Sony, Home Depot. But really, it's all um, it's all I think uh, because our our lives are now more increasingly online, um, and business is online. We're so interconnected, interconnected, sorry, um, it's just a reflection of of our lives and how business has evolved. Um, and the criminal element has basically followed the trend. Um, you know, it's it's bigger rewards, less risk for those guys to to go about hacking. You know, organized crime are they love it. And um, because of that, you know, we we see these high profile things. People are becoming more aware that, hey, yeah, so much of my life is online, if if if this information was compromised, if my Facebook gets hacked, if my Gmail gets hacked, it's a big deal. So, so yeah, I think it's it's just part and parcel of of life as we know it now. Yeah, you mentioned um, the the mafia connection. That's something that I often hear as a a driver for that business. Is there a lot of truth to that, that a lot of the hacks come out of uh, a lot of uh, former Soviet mafia connections and they're just seeing this as a business opportunity? Uh, yeah, like I'm not sure of the specific, you know, whether it's mafia in Russia or whatever. But definitely organized crime. Um, you know, if you you look at the material coming out, Verizon uh, put out a breach report every year and if if you go through that, um, yeah, definitely you see organized crime is is uh, a large uh, factor in in in hacking because it's it's big business. They make a lot of money out of it. Um, and uh, followed also by state actors. You know, so cyber intelligence type activities, which Edward Snowden kind of lifted the lid on that one as well. Yeah. I've heard uh, estimates that the uh, uh, the hacking industry and cyber security breaches and the the revenue generated from that is estimated to approach $20 billion. Is that uh, similar to what you've heard? Uh, yeah, I'd have to check the my latest reading of the report, but yeah, I mean, I wouldn't be surprised if it's up in that in that realm. Um, and a lot of times too, it's hard to quantify, so that that kind of can muddy the water a little bit in terms of um, you know, people don't we don't really have a good handle on how serious problem it is. Cuz a lot of it's um, yeah, you kind of hear numbers thrown, but um, some of the some of the research indicates that um, we haven't really quantified it very well. But we know it's it's a big issue. Yeah. And is that I would imagine that's because businesses are often shy to suggest that they have been victim of a hack attack or that they've lost data because they don't want the public attention that that would then draw. Is that often the case? Yeah, that's right. And and um, not only that, but often times businesses don't know they've been hacked. Um, and uh, you know, the generally the way they find out is is um, a customer or some a partner or uh, a uh, policing agency, you know, FBI or RCMP gets in touch with them and says, hey, um, we've noticed we've noticed some of our data has been leaked online or this and that. And that's that's how they find out generally. It's not it's not through their own um, security kind of awareness, it's it's them being notified by others. Yeah, I definitely saw that of uh, uh, managed the security practice in the past and one of the groups focused on uh, CM and uh, traffic monitoring and we were often uh, very shocked to be able to show uh, the level of activity that happened in data packets being sent overseas to uh, places that they really shouldn't have been. And the the how long that that those infections or, you know, those those uh, that malware had been there was kind of anyone's guess. It was often very eye opening for people to realize that, you know, this is not something that they're defending against, it's that they they're completely oblivious to the fact that it's already there. Yeah, exactly. Exactly. And that's a good question for for a business to ask is, how how would I know? Right. Yeah. Until the RCMP or the FBI shows up, I guess you probably wouldn't unless uh, you're you're uh, consulting with some folks that might be able to to uh, expose the under the covers for you and that, I guess. Exactly. Yeah. So the is this somehow more important than it was before? Is it that, you know, the attacks are are becoming more sophisticated? That they're more prevalent? Is there because there's a market draw for this? Is that uh, is that increasing the number of of attacks? Or is this just something that we've all of a sudden become more aware of? Um, yeah, I think it's a combination of both of those things. Um, the risks have grown because uh, because of our move towards the cloud and and online and interconnectedness, the stakes are higher. Um, you know, businesses rely on their online presence, um, for pretty much every aspect of business, you know, finance, HR management, um, operations, you name it, um, yeah, the the stakes are higher. Awareness is now higher because because you have this high profile media, this high profile media attention. Uh, you know, executives are losing their jobs, like you look at Target, you know, the the CEO resigned after a basically a, I think it was the point of a point of sale hack. Which uh, the attackers were able to uh, infiltrate via a um, a service provider for their, I think it was their Hback, you know, heating and air conditioning service provider, and uh, CEO lost his job. So, yeah, it's it's more important because the stakes are higher, I think. And uh, but absolutely, it's I mean, it's always been ever since there was there was been um, computers, there's been hackers, but now it's become big business. It's it's more than just worrying about our defaced website. It's there's some serious impacts. And that that's sort of what I found uh, in my travels as well as what I suggest to to to people as I chat with them about security. Is that in the old days it was about notoriety and, you know, they, you know, your icons would start dancing and letters appear on the screen with the person that hacked you and it it was about sort of getting that visibility and and almost uh, like a haha. Whereas now we touched on is those infections, you never know they're there and and it's better that they lie dormant and quiet so that they can do their thing. And that that that sort of obviously increases the risk because if it is in your face and you got, you got the the dancing hack message on your website, you know that it's happened, but to the previous point, if you don't, then it's doing all kinds of stuff that you wouldn't know about. Yeah. Yeah, we've moved well beyond the uh, yeah, the old days. Yeah. For sure. So you you touched on uh, some of the the high uh, high visibility uh, um, attacks like Sony and Target. Um, you know, that that's generally the place that people think that are going to be the the victims of hack attacks, the the the big mega corporations. Uh, but I don't think a lot of people know that most uh, cyber security risk and uh, attacks actually are leveled at small to medium business. Is that the case? Yeah, right. Yeah, essentially if if you have an online presence, uh, if you connect to the internet, you can be a target. It's not uh, you know, it's yeah, it's not restricted to to big business. It's um, it's individuals, it's small business, medium business. Uh, you know, the these guys are opportunists, um, and they'll they'll take whatever they can get. Whether it's um, you know, whether they get a foothold in your system to to launch attacks on others or um, or to perform some exfiltration of your information, um, if if you're a target of opportunity, then then you will be targeted most likely. Yeah. So um, yeah. So that that touches on a great point, um, what a lot of people don't often realize is that uh, uh, information exfiltration, so, you know, grabbing credit card data or grabbing intellectual property, that that's uh, sort of the stuff that is usually reserved for for the concerns of the big corporations, financial risk and uh, intellectual property risk. But a lot of people don't realize, you know, that the the the hackers need to create what what are, you know, zombie armies of these machines. And small to medium businesses are are great attack services for creating uh, these machines that will do their bidding, right? That's that's uh, is that sort of why the the small to medium business, you know, most of these operators would think, I don't really have a lot. Why would these guys focus on me? Is that more that they're they're uh, using the the the those places as uh, you know, the the resources for them to conduct attacks on larger entities? Is that is that the uh, the interest on the small to medium business? Uh, well, I think it's more just targets of opportunity, um, uh, so wherever they can find vulnerable systems, then they'll um, they'll try to get a foothold and own those systems. Uh, if they find something interesting, uh, and if they can um, you know, extract some value out of that, you know, they're they're in it for the money. They're they're business business guys, they just deal in in illegal business. Um, so yeah, one thing to note too is um, if if a small or medium business is impacted by by a hack, it can often the repercussions for a small or medium business are often larger than they would be for a large enterprise. Um, just because smaller medium businesses aren't so resilient to uh, say for example, a cash flow shock because uh, because of a a bank account, you know, drain or something along those lines. Whereas big businesses like Target, um, you know, the they'd lost millions of dollars from from the from the hack, executive, you know, the CEO resigned, um, but at the end of the day, uh, their bottom line, it was like uh, an accounting rounding error. Like they, you know, it didn't really impact them financially all that much. Same with Sony. Um, so these big corporations, you know, they can take the hits. Um, but it's the smaller businesses where where I think um, you know, a hack has a potential to to really disrupt business more so than a a large enterprise. That's a great point. Yeah. Um, you know, the ones that that I've seen a lot of and growing in in frequency uh, is uh, crypto wall and where, you know, the the virus gets in and encrypts a ton of data. And, you know, if the sort of a sub portion of a large uh, mega corp, if they get their data encrypted in, you know, a branch office, it's a lot less of a impact to the larger entity. Versus, you know, a one-man shop or, you know, a 10-person organization that their their drive gets encrypted and they lose absolutely everything unless they're willing to pay that ransom. Yeah. And and a lot of times that that's what ends up happening, you just pay the ransom. Um, uh, hopefully you have a a good backup strategy and um, you know, that mitigates that. But yeah, I mean, and also too, small and medium businesses, they hold a lot of um, what we call PII or personally identified information. Like you think about lawyers or accountants or doctors, um, you know, that's especially lawyers and accountants, that's a treasure trove of personal information that is valuable to criminals because it allows um, identity theft. Um, which is, you know, which is big business, it enables it enables uh, the establishment of false identities to, you know, take out loans and get credit cards and all sorts of things. So, right. Um, yeah, if you if you take a look at your business and you ask yourself what, you know, uh, what information am I am I holding? And is would this be valuable to to a criminal then, uh, that helps you understand maybe sort of the level of risk that you face. Right. Yeah. Uh, so you touches on an interesting point, you said that, you know, they're opportunists and largely, you know, they're business operators. Cyber security is just their business. Kind of lends itself to a story that I heard that uh, some of the the groups that are operating the receiving end for the crypto wall attacks actually have help desks so that people can connect with with the hackers that have hacked them in order to walk them through the instructions of how to go get Bitcoins and pay the ransom. It's kind of really a counter-intuitive thing to happen that, you know, the they're they're providing a a level of service that you would think of as a customer, not as, you know, the victim of of crime. Yeah. Yeah, I mean, that, you know, they're sophisticated operations, absolutely. Yeah. Um, yeah, they're a business just like just like any other. Uh, and one thing that that really complicates um, you know, any kind of legal ramifications for them is is because it's all cross-border, it's all cross-jurisdictional. Um, it's very hard to to prosecute cyber criminals. Um, and uh, yeah, it's law enforcement is only really starting to catch up in terms of legislation and those sorts of things, uh, you know, and how to deal with with these issues, cross-border issues. Uh, that's interesting. Um, I hadn't considered that as well, the do you think that that will sort of lend itself to some type of uh, coordination or cooperation amongst uh, the the global police forces? For for cyber crime that that it would be more of a global approach and a more integrated approach amongst those parties? Yeah, absolutely. And that's happening now. There's um, uh, you know, there's definitely efforts to to share much more information. Because yeah, otherwise these these actors can operate with impunity. So, Yeah, I mean, I'm not I'm not uh, too close to law enforcement industry. But um, from what I've what I read in the in the um, in the industry, um, materials and and and news articles, you'll often see cooperation between different agencies and and uh, different countries in order to apprehend uh, you know, high profile, um, actors. But, you know, the they're really only it's a drop in the ocean, um, compared to what's actually happening. So, yeah. So let's talk about kind of what some of these attacks look like. There's there's obviously the more sophisticated examples, uh, take a lot of planning, a lot of high-level execution. What are what are some some uh, accessible examples of those more sophisticated attacks? Yep. So, um, each attack, whether it's simple or complex, follows a fairly set uh, number of phases. Um, and those are uh, reconnaissance, so that's um, you know, reconnaissance can be uh, as complicated or as simple as um, you know, sending out mass emails, uh, which we'll talk about fishing, uh, or or, you know, focused, dedicated reconnaissance on a business to find out individuals and systems in place. And those, you know, it can be really targeted or it can be um, spread, but once once the recon phase is over, then there's some kind of um, delivery of what you would call like a cyber weapon or an exploit, um, or or leveraging a vulnerability. But there's some kind of delivery mechanism to get um, the exploit, if you like, to the target. So whether that's sending an email, uh, dropping a USB in a conference pack or in a car park or something like that, uh, whether it's from visiting a website. There's some kind of delivery mechanism to to drop um, an exploit onto the target system. Once the exploit then uh, executes, um, usually there's like a phone home or, you know, they'll in the industry you call it command and control. Basically, you back door the system and you provide some kind of mechanism to phone home, um, and then at that point, you'll it'll either just do what it's going to do. You know, um, start sending information back or that will then lead to more exploits being being loaded to the system. And and so the attackers can gain deeper deeper access into the organization or the system. Um, so, but the simple, like an example of a simple attack would be would be fishing emails. Which we've probably all all seen examples of. I I got one in my junk mail today, you know, click here uh, to buy watches. Um, so clicking on that link uh, would likely take me to a place that that sold watches, but in the background, it may also uh, take me to a malicious website that would download some malicious code. Which would be the exploit part and from that point on, you know, it it follows the follows the standard progression. Um, so fishing is is very common. Another one you'll see is um, C scanned image attached. So PDF files, Word documents, they can all contain malicious code. So, so the message there is is don't open attachments, unsolicited attachments, unsolicited email attachments or links because they're likely poisoned. To get to the complicated side of things, fishing can be used at the highest levels, like to infiltrate, I think, the the um, Iranian nuclear facility, the exploit was actually delivered by USB, but other instances has been have been basically an email will come. Looks like it's from a co-worker, looks completely legitimate. The attackers know the industry, they know know the, sorry, the um, organization. They know people's emails, um, and they'll they'll craft an email that that looks completely legitimate, but has a a little secret payload in there. Uh, and once you open, you know, that that spreadsheet or whatever that may look legitimate. Um, you know, that's when the the uh, code gets embedded in into and so that's, you know, very sophisticated uh, attack. But using the same kind of that that fishing mechanism. Yeah, ultimately it's a bit of an arms race between uh, the good guys and the bad guys. The bad guys just keep on up in the ante on that with the level of sophistication even on the low end, right? Exactly. And generally it it attacks that are most uh, most successful usually rely on the human element. You know, the trust factor, where where naturally trusting generally and um, and if if the attacker can convince, uh, you know, the user at the end of of the computer to click something, to open something, then then that's that's where they get the foothold. And that circumvents a lot of controls that are in place to to prevent that. Is is if you convince a convince a user to um, you know, hand over their password. Type in a password somewhere or something like that. Yeah, so that's the the social engineering piece that you hear a lot about. It's often the weakest link. You can build all the secure systems that you want, but if you, you know, call someone and convince them that you're somebody that, you know, needs their password. In order to to do something for them, like even to protect them against an attack. Saying, you know, we've detected something wrong with your system. I need your password to log into your machine and check something. They'll, you know, a lot of people will willingly give that. That's and that's common, that's very common. It's just to target target the user. Yeah. So um, so yeah, there's a lot of effort in in mature security focused organizations. A lot of effort is is put on to awareness and and securing the user. Yeah. As opposed to just technical controls. Great. So that's a great segue as well. I wanted to talk a bit about uh, this is an issue and everyone is sees it and is aware of it. Uh, what are the best practices that people can use to protect themselves? Obviously, education of the user community is one. What are what are some of the other pieces that, you know, the average person should have in place to keep themselves safe? Yeah, yeah, so I guess um, there's the basic basics that probably everyone is familiar with. You know, you have your firewall and your antivirus. Those things um, you know, like we've moved moved way beyond that in terms of security controls, but um, to have those enabled is like a baseline thing, you know, you should still have that. So and there's there's generally free good free. So for Mac, you could download uh, Sophos antivirus and that's a great free antivirus solution. Uh, Microsoft users, there's uh, Microsoft security essentials, um, and all you have to do is enable those things that are generally already present on your system. We talked a little bit about ransomware or crypto wall. So uh, it's a good idea to have backups. You know, good just good IT practices are also good security practices. So have a backup solution, you know, even if you're a home user, um, stick a USB drive on and and set time machine or Windows backup and, you know, if you're going to get hit with one of these things. Another one is um, is enabling two-factor authentication whenever possible. So two-factor authentication is is where you don't just rely on a password, but um, you rely on some other factor. So whether it be an SMS code that's sent to your phone, uh, an app that's on your phone that gives you a number or a, you know, a separate dongle. Um, so for for Google, um, you know, they have an app and you can just enable that uh, for your Google apps, Gmail. Um, Facebook, I believe has a has a two-factor uh, capability. So, yeah, whenever possible, move to two-factor because uh, passwords are essentially dead. Um, we have a good understanding of um, what passwords people select. We have dictionaries that we can run brute force attacks against uh, people's passwords and crack them fairly easily. So, yeah. Yeah, people are generally terrible with passwords anyway. You know, it's you see those lists that come out every year, the top hack hacked passwords. And it's usually, you know, 1, 2, 3, 4, 4, 3, 2, 1. You know, their their birthday, their last name, whatever it is, right? Yeah, and you know, we're creatures of habit. And it's hard because, you know, how many how many websites and accounts do you have that need a password? Like, for some people it'd be, you know, up to hundreds. So, uh, it's understandable and that's why moving to two-factor kind of alleviates to some degree, um, even if your password gets discovered, that second factor is going to protect you. So, yeah. That's always a good. So system like is uh, last pass. So you remember a single password for your vault. And it creates the rest of the passwords for you and that you don't have to remember them in in a lot of systems it in line places those passwords in for you. So you don't have to remember them, which is the best password is the one you don't know. Exactly. So yeah, last pass, I use last pass, absolutely. And it creates very strong passwords. Right. And it remembers them for you. So, uh, and one other thing that um, people should always be doing is applying uh, those updates and patches. Yeah. To their systems, to their phone. You know, yeah, a lot of times, you know, these high profile hacks and that, generally the the attackers are leveraging a known vulnerability where there's a patch available, but the patches weren't applied. So, um, you know, if you're a big business, you should be looking at deploying automated measures. Patch management solutions, um, and if you're just a small shop, then, you know, when it prompts you to apply a patch, just click install straight away because the attacks come out pretty quickly. Yeah, people get uh, quite frustrated with the sort of the number of times they need to install patches and reboot. And they often just keep saying, you know, next time, next time, next time. It is really important. You need to say install and go grab a coffee. It's it's important enough that you need to let it take the time to do that. Yeah, exactly. Um, some more advanced, but for for businesses, um, uh, where I used to work ASD, the Defense Signals Directorate. Um, they recommend um, and basically their top mitigation strategy to and advice to their federal agencies. The number one control they think would have stopped um, most attacks that occurred against uh, federal agencies was um, application white listing. So that's where um, essentially you you have uh, a solution that only allows you to to run applications that you've uh, indicated are safe to run. Um, you know, and big corporations, there's solutions to allow users to, you know, request an exception and things like that. There's there's good automated solutions, um, to deploy basically just to prevent malicious code from ever running. Um, and that's application white listing. And then follow closely behind that is limiting um, limiting admin privileges. You know, it's not such a big deal if you're a single user. Uh, one thing you can do, Mac does this automatically, but if you're a Windows user, you can create one account for your for your admin and one account that's that doesn't have admin privileges. Um, and just use your non-admin account. And um, it'll automatically ask you to enter a password if you're going to do something that's that requires admin privileges. Mac does that, it's been doing that for years. And that's and that's a good practice for big business, effort there is reducing admin privileges um, to the the the minimal set of people who need them. And and those that have them. Minimizing their privileges to only the systems they really need access to and the privileges that they really need access. Right. Very good. So, what do you know, what does uh, what does the future look like for cyber security? There's uh, you know, the the pace has not stopped about everything being connected. Uh, there's a lot of uh, chatter in the industry around, you know, what it means for the internet of things, once your your refrigerator and certainly, you know, we've seen this with Nest, you know, your your thermostat and your furnace and your water pipes and your watch. And all these things are now connected to the internet. So there's a much greater attack surface and what is that a is that going to be sort of this ever present and growing threat that, you know, everything that that we own that is connected to the internet is somehow an attack vector? Um, yeah, well, it's certainly a present threat. Um, whether we'll get to a point where we uh, where there's solutions to, you know, fundamental solutions to to some of the security questions remains open. But, um, for now and for the immediate future, things uh, not to be a doomsday say, but but things will get worse before they get better. Um, you'll see more high profile hacks. You'll see, you'll probably start to see compromises or hacks that result in physical consequences. Power outages, uh, maybe environmental disasters based on, you know, a chemical plant hacks or gas line control. Which I think has already happened, um, uh, there's there's been uh, a hack on on gas line, which resulted in an explosion. Um, that was in Ukraine, right? Yeah, that's right. Exactly. Um, yeah, cars are connected now. So, I think what you'll see is is physical consequences, possibly even deaths. Related to some kind of cyber attack. Um, or uh, you know, hack. And um, as that starts to happen and the consequences really start to become apparent. I think what we'll see is is we'll start to see more regulation and and more standardization, uh, and more effort into into security. Um, you know, much like um, say for example, the building industry now, we know how to build a house pretty well. Um, or we know how to build a bridge, um, but when they first started building bridges, they didn't um, you know, they didn't have all the engineering know-how that they do now. So at the moment, you know, software development and and IT product development's pretty wild west, you know, you just go out there and you just start slapping slapping it together and if it starts working, then it's good. Um, as far as security, what we we need to be doing is is baking it in from the start and and we need and there's work being done like we need to um, have some better solutions for developers to to develop secure. Um, and I think that's where the industry will head is is more it'll become more stabilized and and and we'll we'll understand more about how to build secure systems. Uh, but it'll be a long time before we um, can replace all the current infrastructure and and uh, and uh, yeah. So the internet of things as as it is now, big attack vector for sure. Yep. Uh, another one that that's uh, getting a lot of awareness right now is around cryptography. And, you know, uh, whether or not governments should have access and back doors for encryption for uh, investigation and enforcement purposes. And there's obviously a lot of nuance to this that, you know, people that are not aware of the technical issues seem to be able to choose sides very quickly. And I saw an interesting argument from when a government official said, you know, there's not a lock anywhere in the in North America that people wouldn't be able to open for us under under a warrant. And that somehow doesn't seem to apply to electronic devices yet and that's a a pretty huge concern for for governments and for law enforcement. But, you know, the the implications of creating those back doors are massive. And you want to give give your thoughts on, you know, the the current fight between the FBI and Apple and and, you know, the the growing tension between law enforcement and technology. Yeah, that's uh, that's a great question. Um, and uh, you know, one that probably thinkers who uh, have thought about it more than I have better answers. Um, but yeah, I mean, as with anything, it's it's um, yeah, how do you balance that that need for privacy, uh, with um, with this desire for security. Uh, and and in terms of um, uh, you know, security for for nations, for for people against um, uh, certain threat vectors. So, uh, you know, I really don't I really don't know what the answer is. It's it's I know it is hard to have a back door that that only uh, you know, once you have a back door, it's hard to stop others uh, getting in. Um, and so I think, yeah, there needs to be um, some some more research done into um, into technical solutions that could work. Um, and I think ultimately it will come down to people's like now that people are understanding and becoming more aware of exactly how much access the government can have over their personal information. Uh, you know, with Edward Snowden lifting the lid on on um, NSA's activities to a large degree, um, it'll come down to people's appetite of whether they want um, their privacy to remain intact. Or whether they are happy for security services to um, have the ability to get access to their devices and systems, um, and uh, only time will tell which, you know, which side of the line um, the uh, you know, the politics, which way the politics goes on that one. Yeah, it's uh, certainly not a black and white issue, that's for sure. Yeah, not at all. Okay. Uh, that's uh, I think uh, a good good capture for now. Appreciate your time, Lochland. Thanks for joining us. And uh, stay safe out there on the world of the internet. Thanks, Todd. Okay, take care.