Dungeons & Dragons, Siege Warfare, and Fantasy Defense in Depth

you can talk now I can talk yes thank it sorry for the delay yes Dungeons and Dragons Siege Warfare and fantasy defens death that's our talk how do you a b through here so um a little bit about us uh so I'm old and obsolete um yeah am OS d That's my knowledge sort of stops there Evan's the younger and smarter of the two of us um and uh uh he's not a people person and I like to suck on guns so that's yeah okay continue um oh well so here we go this is a little bit about what we're going to be talking about we're going to learn some lessons from the past uh networking security that's kind

of what we're talking about try to we're going to look at what we're doing now and try to forget about it because it's not working um something about a bridge to the future I forget that point but we're going to try to we're going to predict the future and we're not going to use a magic eightball um follow the likey we're actually going to tell you what no Evan's going to talk about the future cuz he knows I have no idea I'm still I'm stuck in the past and we're going to talk about Le to try to secure the future which EV knows okay all right let's talk about the past real quick cuz we're going to sort of talk

about how we got to where we are now and you know everything's a big full circle that repeats and so centralized Computing any old Mainframe users here in uh sweet okay so some of you know okay so there big large shared resources yeah huge yeah information processing number crunching yeah okay dumb terminals who who anyone still use them they're a so Dum terminals they so' 60s '70s big thing really cool uh then we had the smart terminals yeah in the 80s like uh you know the deck BT series 100 for the win bt52 100 BT 200 okay and and so you know these were all Dum terminals I can do some local processing stuff and that's that was

kind of cool that was fun but then we sort of moved to decentralized Compu right so now um we have these these personal computers the computers they they became personal um and so sort of forgetting about the the economics invol let's just talking about the the why they were developed so they were kind of a a reaction to me frames the as my brother once said the individualized pump Rock to their centralized disco and and it they were symbols of power and individuality and freedom because all of a sudden you now had control configuration and all the applications that you could do it all locally you had control and that was really really cool because you could you didn't have to

rely on any kind of external system um super fast computers I mean we had and you know we're talking you know kilobytes of RAM and endless megabytes of storage what else would you need more I don't think so so that was a really cool sort of parad time shift I just like saying partime shift okay um so and with you know decentralized Computing the files are inside the computer the computer so now talk about where we are today which is recentralized Computing which is a term I made up um so we outgrew the traditional PC um you know writing things in basic and saving on the set take drive at least some people did I

still do but so you had the internet Revolution so that the way for all these incredible networking Technologies which increased networking speed I mean now remote sort of uh remote files remote resource everything it it blurred the line between local I mean all of a sudden it was easier to find stuff on the internet at least for me than my local hard drive and it's uh you it's like where did I store that porn or it's like I don't I'll just boom and I can find it faster but that's cuz I'm have disorganized naming system but so then you got well yeah you got um cloud computing and then that's all these as a you fill in the blank as a service and

you had all these platforms that you do all kinds of cool stuff and then you had and I'm done okay we got it what is DND or sieg Warfare do this I I don't know but I was so excited to talk about Dungeons and Dragons and it's not about that so um all right ev's going to talk about some more interesting relevant stuff so go

forward hello hi so um a chronologically incorrect timeline of of stuff which is this process of warfare and and what can we learn from the past and the future and all that good stuff and you know the the big deal is that you know sword beats clubs and you know walls beat whatever and you know by the time you get around you got this you know holy hand grenade and and random men to you with a computer uh but but the whole purpose of this and kind of the goal and in the talk is to kind of look at this aspect of the escalation of warfare and and the advances in armaments and how we

can kind of do a little fantasy prediction into the future based off of all the stuff we learned from the past so if we take Warfare we hear that Warfare get thrown out all the time uh you know if this is war then why are where's our strategy what do we what do we learn so uh you know it's kind of funny because what changed in this process at some point we we learned things that became more important to us like uh you know the other guy has a bigger gun or something like that and so this this shift happened into how do we um you know how do we predict the next piece like what's the next assault going

to happen so if I can predict it I can get ahead of it things like that so intelligence there was the shift into intelligence that became very key and how do we do the operational strategic the Tactical advantages and things like that and then we saw things like the Enigma you know breaking of the Enigma code and things like that that just drastically changed uh how this you know the process of World War II happened and ultimately impacted you know the outcome of war and so we see this importance now so we say we're in cyber War like what's an example of of you know what's really happening this is the perfect example I mean F22

fighter anybody know what that thing is I know it's a plain I have no idea what it does um but but it blows stuff up um which is cool I guess but but this perfect example of Intelligence being Paramount to mitigating threats and the power that it has to um you know help you defeat your enemies and that type of stuff but you know where were the techniques to root out the spies that you know that we saw in this where was we we got got all these perfect examples of flame and R October and this the shift in importance of intelligence and learning ahead of things and so you know then we everybody's still on the same

page we still traic traing all right cool um because we're in the danger Archer Archer fanc here oh yeah yeah so so let's forget the present I guess that was try to forget it anyways like what we're doing now because arguably some of it works some of it doesn't um but but would you agree like there we have no security problems right now at all that's why we're here right simpleton [Music] po you know so so kind of setting the stage for this next little piece because we're going to play a little game called Fantasy Defense in depth and it sucks but it's funny anyways and uh you know but but if you ask your CFO they can

tell you right like as time goes on security is going to stay get better stay the same and that as we increase and automate and buy more products and stuff we just need to either throw money or time or whatever and that cost will go down and all that argument of crap so so admin D we're going to play this game we're going to set some context here and do a little role playing who likes to role play and um all right so so we're moving us along we're going to look at a completely exaggerated and fictional example that has never happened before and you yeah so admin guys we got admin guys in the

room no [Music] Security Guys a participation who's totally ignoring me right now all right cool um I forgot to mention one thing um so while Evan was kind of maybe drinking last night I was the last one with the slide deck and I put in a couple of um new slides that he hasn't seen yet uh okay mess up I didn't my notes don't come up on this screen it's going to get really ugly um so you know we we got this defense in depth you know admin guy comes in or admin guys protecting the network or whatever security dude comes in he's doing an audit or something like that and this never happens right you've

never had that as a security refesh never had that admin guy be like I have kickass Network and you're never going to get in right they they we never get in like bad guys never any time he took off I also noticed he took off like the next slide view so I don't it's kind of like u a little fun of that so all right so down the rabbit hole we go um this is where the DND D comes in right I've got my plus eight firewall he's defending my network and I my arsenal of stuff and I've Got My Wizard Sim Appliance and he gives me plus five powers of divination or something like

that you know and even if security dude does get past all of this stuff you know I'm going to be there None Shall Pass then I've got my evil bunny and he's going to naw your face off and it's going to be unicorns and rainb you rainbows and um so so let's let's we ready to play a game because I talking right so uh so so see AB dude's ready um let's let's go how how do we play um Tower Defense anybody love Tower Defense games know how to play them yep cool so so I'm not even going to talk about the what happens in Tower Defense games like we build our castle and anyways do you

ever win I don't never mind okay maybe you do so let's let's gather our resources here we've got all of our stuff in in the Arsenal that we could choose from but the but the key point in this is we got to choose our weapons carefully right we've got a lot of uh of fun stuff and some of it's really expensive but we have unlimited resources and we never run out of there is no thing as money and you know you know I I use buzzwords all the time to defend my network and it keeps people out I I promise you that um it works um so so we got our resources right we're we're ready to go um how do

we now we prepare for The Siege and okay good he didn't mess that so so we're still playing the defense in death game and uh but now now you got all that stuff and You' never like tied your arm behind your back trying to manage all that have you um you know yeah so I'm so busy configuring and monitoring all my stuff my arm just fell off spontaneously so uh um let's play uh so we've got our stuff we're preparing for The Siege so example number one all right this round number one uh heard of fishing I heard I just became aware of this marvelous new uh attack methodology okay because we because we've learned here that this this works

right it's uh um they're never going to get through all of that stuff with an email like that's just so inconceivable but but but that's a bad example and so we're going to like go on to the next one which is not that but um so so next generation of the fishing example right you know the next generation of the fishing example is like the Thirsty developer and the watering hole attack right so you know so now we have the you know the guy going through and you know you go download a tool and because that tool is completely safe and trusted these guys in these Chinese forums they like they are so helpful and the Indian guys they

love to give me code for free um because anyways all right we got so so EV not the old example it's but it still works right we testers in here contesters does this still work for you guys in organization so so uh Fair um we we lose round one y this one didn't make it in there um this is my fav picture so we're not losing any arms here I'm sorry you want

to did you put the dice in your mouth

okay I'm hogging with Po in here and he likes it all right um so so slide number the next example is you know admin and security D ENT do we have any ENT people in the room do anybody know what the heck that means yeah they've got an awesome presentation on Noah and sky on the black yeah so so we're so thankful that users put all this information for us to to break in but we do not use the cloud organization we have policy we've taught our users not to click on stuff like they they know right and there comes this realization that oh crap our stuff is starting to leave the cloud or going

to the cloud even though we don't use it as an organization and yeah no any anybody seen a customer like finally make this realization in their head oh yeah here I was thinking this stuff was going to kill but Dropbox is so convenient I'm so waiting on that mass suicide now I tell it's just you guys are like Los and there's there's porn on the internet's he's left all right moving on so so does anybody I mean let's just come to the agreement like we've lost control of this stuff we it's there it's being used um like I said we we've got this policy that nobody's going to use cloud nobody's going to use their personal device to check Corporate

email and that we could stop them even if we had to right there's no way they can use their iPhone in a web browser to access ow um because that's you know we give them all blackberries so um uh so game over there the game over um you know it's this all the stuffff that we've done it's like reactionary right we we've put devices in place that try to protect no against known attacks and things that we think might happen and all that good stuff but where where do we change our Focus to get off all right on um protecting devices keeping people out that good stuff like we have to learn to anticipate and expect breaches and

control them he put those dirty dice up on um so I keep having a check like is what's here really up there because I don't know what he did um this this prevention is fuel there's a little organization called Gardener and and even the trites of gner understand that uh that that prevention is feudal and they ex you know this concept of continuous compromise and financially motivated attacks trying to get talk here okay uh so if we if we listen to vendors we we this that's not going to happen we are in control because we bought their product and you know we didn't just Doss ourselves by buying a bunch of stuff and now we're trying to configure

it so so if you're here anybody planning on going seeing a talk on any of these things on this on up here right now like active defense you know defenses those types this is not a talk about that so don't worry I'm not going to bore the life out of you um but uh you know sun says no you're eny blah blah blah um so so all of that stuff is really about like returning fire right we we want to attack them back and uh sweet work so you know philosophically though what we've just been talking about is so we're following this this progression of loosely strung together insanity and and stupidity on our part that philosophically we're fighting

a battle that it's not going to end and there's not really a way to win it it's just about continuing on right so so now we we ready to uh like pull out the magic eightball and predict the future maybe so you oh sorry yeah oh um I forgot talk to okay uh yeah um I do hold on I'm turning my phone off sorry yeah so uh pervasive Computing ubiquitous Computing who's heard of that like two people three people nobody okay oh okay anyone using it no it's not out yet no no I will so no pervasive ubit Compu so that's that's like humans and computers are they're the same ecosystem they're directly interacting and affecting each

other on this continuous basis and and they're we're surrounded by all this telecommunication technology and it's there's a seamless integration of everything data services and it's it's going to be awesome or not there yet but um two kind of principles there's uh context awareness where the computers will actually understand sort of the the situation in which the user like you know is requesting information or services for the the content and will provide it accordingly just magically um natural interaction so supplying Services what did I just do I'm messed up sorry um so concept of natural interaction supplying services or resources information without the user having to like worry about how the computer is doing it so it's not like

okay uh you know I I'm going to open up a Google image search and uh to you know search for J jamus and no you just say I want porn and just that's it comes so it's just like that seamless interaction with what yes learn about your preferences though isn't it over time I mean it yes great system yes no iron for you would be I want amputate one yes and so so it depends on Alo Nazi [ __ ] Eskimos that yes that's uh you call that's theas 2.0 so that's that's the idea behind you sort of this pervasive ubiquitous Computing which is coming to a store soon um well now developing security forward so we have this this um

inevitable pervasive Computing platform and and it's it's going to happen it's because we no longer sort of think of going to it's a place a work is not a place you go to it's a thing you do yes I didn't but no really think about it it's not so this whole sort of idea of you know sort of boundaries of you know it's the the network perimeter this you know it's not it's now dynamically going to be changing it's going to be eroding it's it's undefined so um trying to come up with the security architecture for a system like that is it's a that's a very difficult task to actually design and Implement effectively and of course you

know as all products we built Security in from the beginning it's not like an extra layer that we put on top right right it's always never an afterthought it's always so we need to sort of think about how to do this now before um you know the uh it's actually released to the public this uh I think you can I think you can be touring Computing platforms but it's I would I wouldn't recommend it think about like uh actually sort of the in terms of uh PC to user ratios like okay uh old school would be like one PC one person like kind right or maybe now what is it everyone has how many how many computers

like or connected devices like what you know cell phone computer laptop iPad right Apple Newton I mean they're all you have many so it's like one to n where n is like a single digit then with you vious Computing you're going to have like one to n where n is in the double digit so with this kind of like this scaling now this you know it's exponential growth or a really you know steep linear growth trying to scale the security architecture to fit that traditional security methods aren't going to work we have to find a way to buildt it in at a fun core fundamental layer which is something that Evan has done or figured out and going to talk

about right now go all right

um so I guess here's the thing that just that kind of irks me a little bit as a security professional is this whole concept

of um this idea that you know like right now it's all about like data loss prevention how many organizations you have that actually use this a couple and it sucks it's all about keeping people from burning the CDs and things like that so pretty pretty dumb in my opinion but it's we're losing this battle so so why aren't we focusing on data protection and and the concept of ubiquitous Computing and your data being everywhere and available all the time from whatever you're on and all that good stuff like it's you can't always enforce protection of the device or protection of the network or whatever it is and so as Noah said we we start to

lose control of this uh aspect of of where data is and how we protect it and do we even care about devices anymore is the information more important like in the shift of information Warfare of warfare from traditional defenses into information based Warfare and all this type of stuff is that progression are we are we trying to scale in that in that mindset so uh we take this concept of the uh there's this the information security is a three-dimensional thing that it's based on multiple facets and so if we as the lines get blurred between devices and services and all that good stuff yeah anybody's mind like getting just completely warped trying to figure that

thing out because it's very confusing um than you got Nam McCumber for that one um the McCumber Cube and so I yeah but anyways uh if if we stop thinking about it in the context of where our information is that type of stuff so like a lot of cloud storage a lot of uous computing principles and things like that we're using now they kind of look like this like we have protection in transmission and maybe it's confidential in the transmission of it it's we can keep Integrity kind of around uh this this aspect of you know but Integrity is is more important in a lot of services now than than security of transmission or processing and then

availability starts to be limited because if we Implement encryption on everything then we lose functionality for search or something like that so how do we how do we it's this battle for resources not just in an aspect of the Computing piece of but from a information security aspect of how do we wrap our heads as Security Professionals around a threedimensional issue which you know humans and Technology maybe the technology can completely protect us but then that takes away or limits Us in what we can do as far as availability or something like that so honestly I think this is the best we could ever probably hope to get to would be something like this because people are stupid and uh if

you're not if you didn't figure that out yet um okay um so so how can we get as close to this as possible is kind of so we're going to talk about an idea that I had and went all beautiful L all over mirror in a hotel room a few weeks ago so surprise um cut [Music] a so this is probably cut off but here's a concept so the idea you B is Computing and stuff like that is that we have this store any we mentioned earlier this store anywhere available everywhere regard what OS or what device you're on and that's not advancing uh this that we want to use any algorithm that we can

use we don't want to lock ourselves into a particular encryption framework or algorithm and that we want to we shouldn't have to build entirely new methods of of communications we shouldn't have to wait for ip10 to make this work or something and that's uh what that says is support for multiple Access Control methodologies because the the framework can be shifting especially as we talk about like uh got payback attribute based control and all these different things that are coming out all the time that M and all those wonderful people come up with these great ways for us to like wreck our networks and can we incorporate something that's really big right now is incorporating trust into

how we into that context of how we interact with data and devices do I have a like you see the CVSs scores and all that kind of stuff that's about trust right how how much security how can I trust that that device isn't going to get compromised and some of the other things that uh come into this or how do we protect the data and put it in the cloud without anybody without disclosing what's inside of it so we don't want to give our data to Google because they might do something with it like sell it to everybody else or um no really that I'm predicting the future here guys all right they may want to do

that oh that's yeah prism so then this so like the next version of OSX Maverick is going to have data tagging and all that good stuff so that you have these new contexts that you can group files in regardless of where they are in their operating system and things like that so so obviously we're going to drink this magic potion and we're going to have plus 10,000 to the power of my DMD security points experience

points so so uh we we're searching for the holy grill right so we're going to keep going um so so here's my idea and and this is probably going to take as much time until they hook me off the stage because it's a very complicated topic and uh but this what if we had scalable profile pki encryption designed for aous computing so we're talking about the cloud here the cloud it's in the computer um active access control so the methodology for how Access Control to devices and services and things can change over time or can change in context to policy or whatever it may be because we have we recognize that we're not hacked now that we might be hacked

in 5 minutes and how do we we we anticipate a breach so how can we respond accordingly and then what if we had these aspects of file management because file management systems work so well now and and possibly allow us to do Data Destruction through with pki if we're doing this like all we got to do is destroy the private key right and then it's like useless the data is gone and you do this through certificate archiving rication maybe we give data like an automatic kill switch which is that if you're not a it's only got six weeks or whatever to be used and then it dies or something like that this this this concept any any takers here you

smoking the weed at this point um I got some Co um so I have no idea so this is where the the complexity comes into this all right so so we take it in context we have we have an app and uh and so we're going to go around this little slide here and this is going to take me a minute to get through so um hopefully there will be no mass suicide it's very boring um and okay I get so so we have some of the protection mechanisms that we have for apps and devices currently um involve certificate pinning you know aslr seop all these great things so we're we're relying on those things to help us protect our

applications we have all these other ects of devices and things like that that are that are being protected um at at different layers so if we think about it from an OSI model encryption supposed to happen in the presentation layer but the reality is that it's all over the place it just depends on how the application developer decided to implement it and all that good stuff so but we we sign our app with some type of a private key that identifies the individual that's running it and if we create a a security context for you know users accessing the application have some type of identity that they're logging in with and and right now we

have the capability to give them public and private keys and all that kind stuff so that's not we're there at that point and uh so so if we move forward like the user interacts with the app in context to some identity that they've received either from Google or the cloud provider maybe it's from their domain or whatever it is and they create a file everybody with me you you suck at them um so what if they so we take this we've got like right now we pretty much much just describe like pgp right um we interact with it we encrypt this app or encrypt this file with our um you know with our keys and stuff but what if instead of

just encrypting the file if we want Security in transmission we want those those that magic holy Grill stuff how do we send data across networks without disclosing content how do we protect our data so that I can be sure that the people that are get that the person on the other end is the only one that can receive it because SSL and all those other ones they have never been attacked they are perfect um so what if we stopped thinking about private public private Keys just for in the context of users and extended that out to like we talked about applications whatever we extended out to servers or services and servers and services and all these types of

things they all get their own public private Keys as well now we're not going to get into how IP management and all that yes that as fast as you can um or actually drink it very slowly so that I can can't bother me anymore um so this concept of like when we get into these more advanced active control active Access Control mechanisms they introduce this concept of a policy decision point server which is what's making the decision on how your context or your interaction with files or Os whatever no don't leave no we suck all right um so so then we we send our five through what if we encryp the file with the public

key of our domain and the only person that can open that file is the domain so maybe it's Google or whatever maybe we've encrypted parts of the content of that file Etc but we send it down to a server and a policy decision Point interacts with the data identifies content and maybe it's Social Security numbers maybe it's something that we want to protect and the decision point server can interact with it and create contexts for how that data gets protected maybe it's only allowing certain users to interact with um Social Security members and so they have you have a role-based Access Control metric that or role based access piece that does that so your identity server then

has you know attributes use role based Access Control mechanisms you have attributes that you're monitoring or or preventing access to things like that and just different policy settings and what that little Cod for what if we give each of those their own set of public private keys and then they take that and they create they add to the file so now we have journaling we have the context that we can you know that data can be segmented and and partitioned away from others and that if you do not reverse resolve those keys if you're not a part of those groups and everything else like perhaps that that journal file and we can do mandatory access control and all

that good stuff I'm probably like like we how do you get to this from the stuff we were doing earlier I honestly don't know um yeah so we uh we create this this file in context and then we we want to make sure that security encrypted all the way up to the and the only other person that can open it is maybe our cloud provider so then we again take that file and the policy decision Point can forward it out to the Dropbox or whoever else and they're the only one that can open it because we've signed it with a public key infrastructure so now it's in dropbox's hands and so now I can turn around and the cycle can continue

that a user can uh interact with their data through the app again and all that good stuff so how does this scale all those good things um and I'm just glad that I got through that most you look like you're still alive so um I was worried for a bit um so so what is this the content of this file look like exactly honestly I have no idea because our testing is it's been interesting so if I can still have because this is a journal file I can still have portions of the document that are encrypted only for me under my identity and I'm the only one that can open so I've now got an aspect you know here that I can send

that through to all these other servers and services but the data that's import to me I can keep private from them so it's not limiting your availability of that file it just restricts access to you and then we Journal other pieces of it maybe I have data that I want to share with another member of the organization so they can collaborate with me on the document again those get signed and encrypted by maybe it's the you know attribute public private key set that encrypts that so then as I reverse resolve uh that key Cipher if I'm if I'm part of the organization I have an identity that resoles that then I can then open the file so and it

allows us do journaling to add and add and add and add and all that good stuff and so the Integrity of the file can be maintained regardless of who touches it I can build trust based off of who's touched the file and what they've added and what they may or may not have been able to see based on time and context any gets kind of big after that and U oh man I don't know I I don't know it just T that all right uh sir gryc he hates encryption by the way um um I think we're doing okay on time here but uh it's a much bigger the concept of this is is much bigger

and we've actually outlined and diagram and done and and started doing uh some proof of concept of this and and the the reason that we're coming and presenting something like this here is the is the aspect of that it's not going to work unless we create something standard that everybody would use it's a framework it's not meant to be a um it's not meant to be in the next release of Microsoft OS whatever um everybody has to use it so our focus is focusing on data protection not loss prevention which is like the next cycle of products that you're going to have to buy um because somebody told you tattoo um so we're working on this we're calling it

presentation six and a half presentation layer six and a half for encrypting all the things you won't hear that again for the rest of the week at all all the things so pest.com uh we break stuff and do stupid things and Noah sexually harasses me um happened like twice so are we good all right questions questions uh lady yes yes ma'am yeah so two-part questions how are you planning to monetize this and how are you planning to merchandise so does the Box have lights on it no I mean that's the whole point right talking get off sorry yeah no the the aspect is exactly that if we monetize this we do something then nobody else is going to get to take

advantage of it so it's all about it being available to everybody it plugging in having this presentation six and a half type of thing plugging into because it has to be pervasive right how do we make it pervasive how do we that's the challenge that we're facing right now so there is no money involved in the development of this it's all just me and a few buddies that uh I I'll back up real quick special shout out to John Collins who's coding a lot of this stuff I had some slides in here on like on what we were doing but we knew we weren't going to have time to talk about every little bit of you know the web

ontology Frameworks and things like that that we've actually use to build this stuff or stuff we stole from it that sucked but we're going to use it anyways um um we don't want to write something new we want to use existing stuff and stuff that's out there already because that's how we get Mass adoption that's how we can get critical mass and so we we've we don't have the code published up but right now it's written Java boo Java um or unicorn Boo as I like to call it um but that's just what we know and we're hoping to open up the audience and open up the developer contributions so if you got skill set encryption and and

developing framework technologies that can be written and whatever language your iPhone wants to use next type of stuff um then please hit us up and join in terms of monetization notice Micosoft Microsoft yeah no we don't we don't

work I can make you that's that's a they have a great business model and uh we're hoping to follow what they've done in the past so secure software at a reasonable price other question yes

I well the idea is that if like so we talk about trust and that kind of stuff so all I have to do is revoke the certificate of that file so it won't resolve anymore so when it comes back it like I said I know it's a really complex thing but the idea is that the data that's that's encrypted with that key is can no longer be unrendered the theoretically right because the certificate is no longer valid so it's just like certificate rication ocsp that you have now you go to a site and it says this this is you know no good but those private keys for contexts or users belong to them so they're withheld it's

it's not like you can say well I choose to resolve it anyways it's to unencrypted you have to have the private key and your policy decision server holds it and they can say I'm not going to allow you use it anymore so that data effectively becomes unusable um does that make

sense the only thing that with yes you have more of an attack surface but the only thing that it would do for you I mean you'd have to get if you got all the private keys to everything that would be what you what you'd attack but it's no less complex than what we have now I mean it's we're talking about it's just like active directory think about pgp plus active directory Plus pgp in the most simplistic of terms there are devices and and beasts that you have to have out there already anyways Nei those are build it doesn't have to be I mean it's the idea too is that the only thing that I care about trusting anymore I don't

care about devices at this point because I can build context based of devices based on attributes and I can say I don't trust that device therefore the data won't I won't even allow that file to be released so I don't care I'm going to have to rely at some point on that's why it's we calling it 6 and A2 because it kind of it has to sit at layer 6 and A2 or layer six for presentation layer security so I'm going to rely on application Level protections like seop and memory allocation you know stuff and all that good stuff I'm going to rely on sandboxing and all that stuff because I can't fix that stuff and I can't keep

developers from from using it and I've got to rely on Lower label lower level stuff like at later five for session control and the security mechanisms that they that get applied there the the reality is that there's this misconception I think by a lot of developers that layer six has to be yeah I'm getting the hook so we can talk about this off line but um thank you very much and they'll be releasing with prism API that'll be helpful as well um and the other thing is U this is no substitute for homomorphic encryption which um anyone have any solutions for that talking said hph homomorphic that's not gayc no it's homomorph no you encrypt stuff and it stays encrypted and

you perform Funk it never gets decrypted so that's which is sort of the hoing cryp but that's anyway okay someone buy you a beer question thank you for listening to the rambling and if you are interested