
2016 - James McKinlay - What can Information Security learn from DevOps

BSides Manchester · 50:47 · 95 views · Published 2016-09
About this talk
Quick look at Gene Kim's take on DevOps (VisualOps and Phoenix Project) Then look at open source automation and orchestration tricks applied to security config management, patch management, security compliance reporting (Puppet, Foreman, Jenkins, Faraday, BDDSecurity etc) And link it in to standards like Top 20 Critical Controls and Top 35 Mitigations
Transcript [en]

So I'm going to shut up, so I hand you over to James. Good morning everyone, and thank you to the organizers for putting me in. This is sort of the management track, and thank you for coming on to see what I have to say about what information security can learn about DevOps. So, with a lot of these presentations there's a ubiquitous "who am I"; I'm going to keep mine very short and move on. I'm just on LinkedIn from a social media point of view, if you want to follow on, connect, or if you want to carry on any conversations for anything that gets parked up, obviously later, very welcome, stay in contact with

people. So, my security: I've always been into pulling things apart and breaking them, but my roots as a career, I was a manager then solutions architect and got a break in security. Whilst driving around, thinking about when it's "Who am I" and you live a completely legit life and the alternative is stay off the grid, they are where the hunting team... and whilst driving around thought of the few little things that we are connected with, who you are, that you can't do anything about really, and so I popped on our side, but that's not going to help me with the tour. So we'll have a quick look at my version of DevOps. It's me,

those words for some people, and it's a cultural movement that's been growing for a long time for other people. So I'll set the scene with where I've come to about DevOps, then I'll throw in, whilst I've been working on some projects to bring DevOps ideas and tools into the information security world, I've come across other people who do something similar, so I'll introduce some of that, and then we'll go on to look at really how I think information security, coming at it from the security operations point of view, could be done better using the ideas behind DevOps. So, just to bring here, yes, disclaimer: these are just my

thoughts and you may not agree with them, but also I'm not in their thoughts and I'm not a DevOps historian. But one of the first things that got me into people discussing how development, IT operations and information security and internal audit often don't work together was this work from Gene Kim, the guy behind the original Tripwire, and so in 2004 (he'd been working on it since 2000) he put out the book Visible Ops. So quickly looking around the audience I can see most of us were born in 2004, not always guaranteed, but that's 12 years ago, so people weren't talking about DevOps 12 years ago, a few were. This was when ITIL was becoming a

very popular term for large companies that needed to get a grip on things going wrong in production through unauthorized changes, and that's very much the focus of Visible Ops, the yellow book. He came back a couple of years later with some more research that looks at how information security fitted in the picture. So at the moment DevOps and DevSecOps is sort of bringing the security element into the current culture and wording, but then in Visible Ops Security he was talking about how security needs to get involved and they need to police some of it, they need to set standards on some of it. It's a really, really good read, and for those

who like to read, I just wanted to read a little bit from the introduction, so then I'll go back to school mostly for this textbook: "development projects may be constantly behind schedule, in part because information security requirements are linked in the project; to preserve the due date and budget, the information security requirements are ignored or marginalized". That's one of the points in the introduction, but it's something that has been discussed for many, many years. It was being discussed a long time before this was looking out in 2008. If we go back a little bit further and we look at culture change, this is an important book in the history as I've

loading now. Back in 2004-2005 I was working as the security and QA elements of projects that were adopting XP and XP methodologies, and as it says here, it's about embracing change and it's about social change, the culture change. It was getting away from the old way of designing something, coding it, building it, long, long periods of time before integrating things together and then spending a lot of effort on patching things up ready for production release, maybe one production release a year. This was about let's have a new culture introduced: continuous integration ideas, pair programming ideas, test-first and test-driven development, TDD. So this dates back to 1999,

so the things that you see flying around LinkedIn in job adverts today in 2016, nothing new; seventeen years ago they were talking about culture change, which is now considered to be DevOps. But we can go a little bit further, I won't keep going back, but the idea of a daily build, and a daily build with some testing, so the precursor to test-driven development, goes back to this piece. This is the piece that discusses it, but it references the work about NT 3 having a daily build. That's enough going backwards. When it comes to the continuous integration side, so DevOps is obviously often described as continuous delivery, continuous integration, continuous deployment,

continuous integration. This is an excellent start on the advantages of continuous integration, and this was around the time that I was working in a shop that did daily builds, test on check-in. So then the idea of bringing the words dev and ops together to be DevOps really started to get some traction following this presentation in 2009, so this is seven years ago. So these ideas are not new, even though recruitment seem to be just jumping on, or learning. Continuous Delivery, the book, if you're into going back and reading books, this is one of the go-to books for looking at bringing continuous delivery in, bringing development and operations closer together, and

moving forward to 2012, or four years ago, this is when information security was not liking what was going to be thrown over the fence by dev and ops, and also DevOps is about speed and scale and how fast can we get the new feature in, which rubbed up badly against the old way of looking at information security: stop at this gate and run all these tests. If you're doing 10, 20, 30 deploys a day then the old things that worked when you were doing two or three releases a year with information security no longer worked. So there's a lot of discussion then about how we bring security into the blender. Now, it's not everyone's style, but the

parable, the going on a fictional journey, I mean it works very well, a religious concept, it's powerful, but in business writing it's powerful. These two large images here are two quite famous parables of DevOps and they both bring an information security manager into the story, and it's a bumpy journey where they start from a place, they end up at a better place, and it's all down to a DevOps culture. The reason for the two little books in the corner: this is a parable for teaching business leaders, and that comes from things that work really well, the One Minute Manager, that one in particular is about not doing other people's work, and The Goal, which is about efficiencies and flows,

are making things happen. The storyline behind these, which are really relevant to improving quality and security, what we're pushing to production, follows the story of The Goal very closely, and they credited it as being their inspiration. Just in case you can't get the slides and you want to go back and have a look at what I think has been driving the history of DevOps and where it touches on security, these are some really useful things: proper use of Git, learning about Vagrant, and all of those, there are lots, I'll come to some of the tools, and lots of others who do these: Jenkins, you collect, your Chef, your Puppet, results, you've got Ansible, works in the various

page, but the scripting of VMs and so on, and the DevOps toolkit is very much about containers: Docker is very much Linux containers and all the extra services that go around it, and so it was really stretching those all. Get a good community, that's all people. So I'm very happy to share these slides and so that's why I made clear kind of reference to take you on this DevOps meets security journey, and then 2016, and you may have heard the people who are talking about doing things at scale Google style, and this is a fantastic coverage of using cloud computing and the different ways that you would need different advantages in different ways

you can use the different offerings. X and reach bottom, as it says, they are my favorites at the moment, but they've only been out for a few months. You can pre-order the DevOps version of this, it's out later this year; they've got it down to over the seven, so it's been hyped up on the web in the DevOps forums quite a while because it follows on from the Phoenix story, the parable I was talking about, but the next version of that, eight years later, is due out in October. And there are new things being discussed in these groups; the next one is likely to be serverless architecture, which takes a bit of getting used to when we're used

to, whether it's virtual or physical things living, you choose, nice, you harden the OS, you keep it up to date, you pen test the application sitting on OSes, but the next step for cloud, please, front-end as I said, no filters, serverless back-end as a service, not from paying attention back. And I throw in these two reminders that security and operations don't always tackle the same things but they will use the same tools, the same words. So monitoring for operations, it's about uptime, about availability, it's about scale, and the monitoring of security, it's about forensics, it's about alerting on things that are unusual behavior, and these are two classic books on those topics. There are other things like ITIL have

incident management, but you wouldn't consider ITIL incident management to cover the DFIR-type incident management. So a security manager in companies, or security consultants and testers that are hired for the audit of our systems, we won't necessarily think of incident management, problem management the same way operations do, and this is the "same words, different meanings" problem that creates the division between dev and ops and security. Just a quick summary now, and any questions on my quick tour of what I think DevOps has grown out of? And no is a valid answer and we can keep going. So I did say I'd drop in a bit like I've seen recently, so I've been focusing on

this sort of about 12, 13 months in my research and I've come across some things I'd like to share with you. So there's work going on in Adobe, work going on with a guy from Puppet, and the other ones, I think they meet DevOps and security really well, and so you may have come across them, maybe you're using something, but you may be going down to DevSecCon. I thought it was worth getting it out there, see if it's something that other people do. Just now, Puppet have been chosen as the config management tool by the NSA to provide, the NSA having helped people get to security

done better. So the NSA now has tools they release, as you may know, and one of them is SIMP, and fully open source, GitHub open source, its own project page. If you're used to using Puppet for config management then they will give you hardening templates and reporting templates that probably map back into the DoD STIGs, which are checklists for turning on security features of OSes and applications and generally good security. So if you didn't know about it, let's have a look around, and if you didn't know about it, mmm. So BDD-Security, I don't imagine, I think I've got the roots in Spain, would be anyone in here... no, but

what they produce is a testing tool that you can talk to using Gherkin-style natural language. Now it probably doesn't show too well on the back wall, but you can set up tests that you describe in "we're going to test for this, and it must have this, it must have that" in a fairly natural language, and it's taking the idea of test-driven design, test-driven development, feeding into behavior-driven development, to security testing. Now you don't have to embed this in your build pipeline, it's not that kind of security test, it is sort of like a hacking tool, but it connects remotely, it'll use a mixture of

Selenium and Nmap and things under the covers, and scans and tests an application, but against a natural-language list of tests, and I think this, getting people to describe a test and getting a pass or fail in natural language, is going to come up more and more in tools and in security automation for whatever kind of reporting you do. So that's from Continuum Security in Spain. Now I mentioned Adobe. Adobe, people probably hate or don't support Flash, but they might like what their security teams and their internal teams might have to do; they might appreciate just how hard they have to work on their internal, and their security team have added a security config audit report

layer to one of the config management tools, SaltStack, and called it Hubble, and they can test Red Hat servers against missing Red Hat patches, that kind of thing, automatically using these tools against massive, massive estates. They can get reports back on 40,000 servers for "have you seen this problem before, have you seen that problem, do you meet this security template?" So really very powerful; only released it to the public in July this year. It's sort of a powerful tool on top of SaltStack with its feeding of CVE checks and vendor checks and OpenSCAP now as well. Very, very powerful tool where dev and ops and security are working together. And now this is more

it's scary at all, it's responsible, but because it's fast, it scales, it uses new languages, I thought it fitted in quite well with this thought about dev and ops and security working together, and it's worth looking at if again you need to do security audits of thousands and thousands of servers. And this one will, like many incident response, might close... this one will do your hash hitting, your files and Linux kernel stuff. Has anyone played around with Mozilla's MIG? No? Anyone, BDD-Security tool? That's why I put MIG in. Right, DevSecCon, if I give up the security ops, the guy who launched this last year,

they were so successful he's been able to give up his job, start an events company to create this icon as a going concern, and I think the next one is, yeah, 20th of October in London, and the speakers and the speaker content for this is fascinating; if I was in the country I'd be there.

So these are the people involved with those last few slides, and the last one, Gareth. Gareth didn't start out at Puppet, he ended up at Puppet, and has that huge amount of experience in using Puppet as a security auditing tool, so really embedding security in the DevOps process, so different places you can test and fail a build based on the test. He has demonstrated his ideas for using a popular config management tool that's embedded in the build workflow to do security checks for you based on standards and guidelines that are specific to your company, so you describe things like you'd like to throw them in, BDD. Any questions on that section? Oh, bonus section, right. When it comes to

large-scale security operations and checks, there are commercial offerings that have been around a long time, so they are not DevOps. If you've got long relationships with big companies they will try to sell you these things, and with the exception of this new one, why I threw that one in, I'm saying there are tools that would help the security operations automatically with those authorizations for you, but I think we as a community can be better with the DevOps approach and the open source software. Now those are all big brands, have been around with their price for a long time; these are a couple of new players that are trying to blend the ideas together,

making commercial. Now transom got a lot of press, what with having happy come as a new way of using, and this is a workflow, web-based workflow for DFIR, tying into the alerts, tying into the alerts your security advisors are generating, and the other one is saying that a problem you probably have when you get into vulnerability scanning is you've got masses of results that you need help with remediation, so that's the space they're now working in, the remediation help, but in tooling so that there's no service, rather there's no humans checking, but they've seen this opportunity and I just thought it'd draw people's attention, and in order for marketing to say "we do

continuous remediation", to use that, or v8 later Reda, that they are teaming up with well milligrams and Jira, which is a well-known bug tracker in the DevOps space. And I'm always skeptical when it says continuous remediation or automatic remediation; I'm sorry if people collecting with this, it's responsive and it's a fantastic product, but the marketing, you've got to, anyone in my security plans, you have to be very careful. Nice. So now we move into the true DevOps space, and a lot of it is based on after something is checked into source control; the idea for continuous integration is that you test, check in, and then it's deployment, which is where people

that this new thing people are excited about, straight into production. You've got to check out, you build, does it pass the early build, services in part here, actually test, can you push, can you deploy, can it, on the automated automation and orchestration. This is what this DevOps side demo is all about, and that image was taken from the Jenkins site. I throw up here some of the different areas of the tools that you need to work on a pipeline and different things that are coming up as new ways of doing things. So the ones I've highlighted, Foreman, Rundeck, ELK, these are ones I think that security teams, security ops can get real advantage from.

The Foreman is a GUI that will sit on top of most of these config management tools, and I love the granular logins; sometimes you see important touching without huge changes. And Rundeck is a workflow tool that works with the same stuff under the covers, so with a workflow and a GUI, and the GUI that can read what Puppet management knows about everything that's going on, give that to security instead of giving it to operations, to know the state that they are stated in, and what we can do if it can embed regular checks and regular activities so that everything is automated, everything's standard, anyone with the right credentials can carry them out. I work function... and then ELK,

okay, collect, log everything, that's all the logs, and draw your own dashboards, also really powerful. There was a workshop at Black Hat or DEF CON, I'm not sure which one it was, which was focusing on using the ELK stack for security operations and monitoring. Now a little bit on security, because I'm going to put in a bonus level. Anyone in the room know what I meant by map 31? Doesn't matter, it's very, very obscure, it was the hidden level in Duke Nukem. So I wanted it just again for takeaways, to introduce a few things, and Crafting the InfoSec Playbook is a fascinating pure SecOps look at using a workflow based on a bug tracker to collect events,

classify and collect reports and have a way of tracking them through the bug tracker of how they were dealt with, do we need to refine our responses, and it is a really good read. And this one is a free, free to the world, "get my ideas down in a book" type book rather than going to a big publisher, and I've started this quote here. This is someone who's saying everyone hangs on to Windows XP, doesn't update it, if a Windows 10... but you can actually make, if you know what you're doing, an XP machine very difficult to compromise: at least no, not that he turned on at operative, now you use a sandboxed browser, that's that one that

launches in a virtual box to do your browsing. You install EMET, you might also install six-month, you RDP, every one of that would be very careful about which one. Quick, there you, very capable, log in as guest and a user account, they can do something, and you keep updating the hosts file with wrong addresses. So these are things that, XP that everyone's so scared of, would make it really, really difficult for someone to compromise; if they still could, would it make it difficult. And the reason why this is very secure... I feel Ruby on Rails from Florida, I've got their vision is looking for that, it's the third, fourth edition, a fascinating look at using

online services. The tutorial, you use Bitbucket to move things to Heroku, if you... and this is cloud, Git, web publishing, and it's just a really good resource, people love playing with things. Couple more things on the security ops side: anyone using Faraday? And are you using fair fix? Someone down in, physics of holiday favorite... these are a couple of those, community versions, paid version, and they are a way of manipulating your output from lots and lots of tools you might like, so the big ones you know, that's go, that one's that, the skittish. So they will take all the different outputs, normalize them, spit them out in reports and dashboards. And the Faraday one in particular is

more for teams, so you set up a server and your team logs into it. So if you've got a complicated pen test where you're splitting up your team to go into different areas of the company, you can use this as a place to consolidate everyone's work; it will be able to map the output from any of those tools into reporting. So it's all about automation, standardization, workflow, for bringing it to the pentester. If you run a team, Manchester, it'd be interesting to look into that, and yes, there are community versions and paid versions. Right, and now I'm checking time. What can we learn from DevOps? I just wanted to say the next bit I've yet to see tried.

So have a look at the basic idea behind it: somebody does the work, checks in, then everything gets automated, the build tool checks it out, does it build, this is fan fest, is an automatic deployment, and that. So that's just what type of their two reminders, what a great way of automating things. Now what about the security policy? So for an information security manager in a company, a company that might be bound by standards such as Richardson around here, I wish I didn't have mentions of these things, but it will help for this case: you need to do an annual review of your policies, and the team that make up the head of your ISMS,

what about if you have a source control server that you kept your policies in, and what about if you had a branch for author and reviewer, so author, QA or authorize to publish, and then publish them, and you have some simple tests: must have an author in this field, must have a reviewer in this field, date, some versions must have moved on, and must be some changes in the document, even if it's just to add those details in the front of the document. So here are some simple tests, and then it gets deployed to your intranet, and then all the logs from your intranet get fed into ELK and there is a

dashboard to see, and a message goes out to your population of users that says go to see the new policy, and then you can review the dashboard to say you've got, and clicked on the new document. All these things fit very well in the DevOps learning, but I've never seen it tried using those sort of tools with security policies. And then if we look, I've steered clear of any more references to ty said about the warm or PCI 3.2. How many of you are aware of the NSA's top 10 from their Information Assurance? There are links to talks by the NSA head of the hacking team about how to keep us off your

networks, obviously they want on your network or beyond, and so that's just a bit of marketing, but they do produce this top 10 of things to make it harder to hide, and whether you're attackers or defenders in the room we can all see these would make things harder: application whitelisting, control admin privileges, I'm not going to read them all now, you can consume it. The ones I've highlighted in yellow are ones I think this idea of checking your changes, so the automatic system checks out changes when it sees there's been a change made, runs some tests, runs the build with some tests, once they're deployed, sends you a report, I think

that would work very well with both the training and the turning on in production of application whitelisting and removal of local admin privs, turning on things like EMET and extra things in applications; most applications, if you get the STIG rules, allow you to really harden. Turning on sato, so, has anyone come up against OSSEC? It's been around a long time, it's a host-based detector, log shipper, license is, it's another one to look at, and it would really tie in with this tool set. Baseline configs, there, for years people have been saying that these are the secure options, the STIGs and the guides from vendors, and the config management tools will roll them out, and

if you run into problems you can back off the ones that are giving you problems and mark the change down as an exception. And again I think it's ideal for this DevOps mentality of moving to speed and automation. Once a purple, I think that's where appliances or tooling would call out to, say, VirusTotal or the URL side; there are so many different IOC feeds out there, there's so many people that argue whether there's still value in IOCs when you have threat hunting, but when it comes to helping users with their web proxies and their email filters then we tapped into lists got to help, although the acceptable usage of virus scan won't change to prevent, and

then software improvements from the NSA paper is about patching, it's about patching and patching applications; now I think we can all see that they would benefit from this methodology. [Music] Or skip through to another panel. How many of you have seen the Consensus Audit Guidelines develop into the Top 20 Critical Controls, and then now it's ended up with CIS? Come across the top 20? Actually I've gone to about version 2, 3, so it's been a long time and some of the people on the UK talking circuit have worked on it since the beginning. The CPNI, anyone? Anyone, no, I'm not saying will not know because it's still too long to put the

handle. The CPNI, Centre for the Protection of National Infrastructure, anyone work with the CPNI? If you work in oil and gas, transport, so now at the airport for a few years. It's a really good organization if you're in user land rather than vendor space and you need to learn; you have regular meetings behind closed doors to talk about security concerns. You imagine with ports and airports there's a physical, cyber, cyber-like... the website is healthy, it is all over, use their resources, it's important, and they adopted the Critical Controls. And so if you're not mandated to have ISO for whatever and you're not taking card details, there's not being chased to figure

out, this is an excellent set of security controls. You know there are some controls of the 20 that come on them, and it is a really, really good place to go to invest in. Item 36 is good to see, and it will come up again in a moment; there's the 20 headlines, but I keep coming back to the NSA. I do not work for the NSA, no, interested in what they do, but they do provide some great guidance, and the Manageable Network Plan, that's the project plan to deliver the Critical Controls, and many of those could benefit from a source code repository, builds, automatic build tool, DevOps pipeline, tests, test-driven development, trying these ideas or updating

them could all be embedded with that, and then you have evidence that you did what you said you were going to do and it was in the large monitors. Another great set of mitigation strategies, ASD, so they start and there's 10 in 2012, 10 in 2014, the NSA top of them, 20, 35, so you can see there's lots of overlap, and application whitelisting, it punches observation because it's from a much bigger list, they can split out operating system versus application, excellent from a defense point of view, and the site that promotes this standard has a chart of how easy or difficult a business will adopt changes to do things like application

whitelisting, removal of local admin. Just though, giving some red flags on some of it, there's a lot of overlap there with the other of the top 10, but because they split theirs out there's some others that could work very well with an automatic deployment and monitoring for changes. In there it's also a review: a host-based firewall, USB control, all these things that companies are often scared to try, but if you did try a lot of, you'd probably for going, and so by using, we have a test environment, we have tests that you can see in the testing tool, you can add confidence to management: this is well thought out, well managed, repeatable, it can be done in a hurry

rice of only just as the right lawyers. All these things would really help the adoption of these standards, that would really help the defenders keep the crap off the networks. So to summarize that last section: I think many of the practical security controls that should be deployed in the organization, whether it's someone developing a web app or whether it's touching the hosts in a large office, would benefit from the person making the decision checking in at the start of a DevOps pipeline, so security templates, however it's done, Active Directory, Puppet, Chef, there is all the information you need to build secure configs; you might want to try them in different rounds, this DevOps pipeline will allow you to

do that: HIDS and firewall tuning, AppLocker and SRP, you could put them in later versions of Windows, you put them in learning mode, ship the logs off somewhere and find out you're not going to break anything by turning on, and then turning on all the events will be captured in your ELK by one touchy-touchy module. These are all things that you get a lot of resistance in the business room, no matter what the hosts are; developers might be on Macs, everyone else in your office might be on... in some places you get a lot of resistance from the business about patches break things, I was a block of ratings, but this won't

give you the evidence that you had tested it, it wasn't going to break anything, and then you could make tweaks and it will be automatically deployed everywhere without regular

the quick-fire ponle, that's overly, so hopefully the title of Julian, thank you very much. At stake some people couldn't, and it's a culture about speed and scale and automation and working together to deliver business goals, which is very different from the old silos and ITIL that we didn't really know old, and the check-in, check-out, test, deploy, back out, log, report, all of that from a DevOps pipeline I think is ideally suited for doing security better. The automation side of it has been maturing for over 10 years, so we need to put together evidence that it works more than it doesn't work to beat down the business side that say they don't want to

try some of you. And there is a growing DevSecOps community where developers interested in security are coming together, and that's why this deficit conlou is growing out of. And if you do nothing else, I would just have a look at that Vee through I want garrison said about bringing security policy, security standards, security updates into a config management system. Very smart guy, moved to Puppet based on his lover puffing.

Time is precious, I am the slot before lunch. Thank you very much for coming along, listening, not heckling, and we didn't before, but I imagine customers if anyone's going to crush you. If it's not about questions, I'll be hanging around a bit if you want to have a chat. There is a question here, here, we'll get to those. I will share the slides; if that is our enemies I'll give them to the organizers and I'll put a lot much like. So two hands went up, I'll start with the ball in the middle and then we will try to get those votes. So in my personal p ok do you wanna put me in solingen devil syndrome which is

speeding, so delicious are forced regalo functionality as speed aspect. In this is all about speed going into production, automation alert, so do hiring solution like another person feel like a city of functioning or six recording or implement is it. So you days of Majorca mention pipeline, there are lots of people discussing, a lot of people experimenting with the different sort of test phases, tests to check in and the test your evil to include security checks. Now what I'm seeing is nothing about test design or blindly security is better for passing proper; there are many other testing doors or windows up for continuous integration, a difficult night customer, but I said security uncommon security function either. So I'll give an

example that all of us asked to eliminate authentication login mechanism. So he doesn't know there is a brute force attack, so he needs to implement a functionality like it, okay, love McKenna, so maybe he needs to blow up my cancer. So he knows how to code but he doesn't know if he's made the agreement, so this kind of sound just like it. Now offers men always think like a misuse case, so they always think use cases and they don't base it on the use cases, so like misuse case or whatever, that's good for now. What is some question in that I can answer? Because I do know that lots of herbs and the security consultancy to build source

fertilizers will offer training to developers, she stopped making sense dates over again. I also know that there are people who have productized that knowledge, embedded it into a knowledge base in the tool, and so people have seen commercial opportunities in that problem of developing those how-tos, bringing loves that doesn't know how to trigger on a report of time; you can teach them about it, I'm sure, and people have seen it as an opportunity and adding context and we're training. I think two companies, but I'm not here to promote them, so they're going to do the training of, but there is also a, it's a vendor who is hopefully this kind of solution, like this is kind of automatic. So for example,

sentiment, you just give the functionality working needed to download or something, it will generate with a security requirements acute from time bc making women and mosque. You do that when you already mentioned, and then security, they have a product called IriusRisk, so Stephen, yeah, we have a dissolution. Yeah, I've come across it, environment research as well, or people tackling lap. Now some other hands went up, unloaded back. So what's the time on in your fine, you've got a few minutes? Oh, if all the way, thank you for lunch, every, the food is starting to appear, brighter. Throw two more hands on this one, won't look first, very very attention that they do you

think that almost which is there in essence excitingly aged in each piece about how to treat corporation, see what lucky. What I have seen, and one of the tools I put up on page, it'll names that has a community version or is mathematics and free, is so not cute, so latin composition some of the vendors order amongst, and I've seen people embed that in Jira, which is a popular bug tracker, lies come and dance you development in tests removal and work opportunism. So I've seen people bringing Jira and we saw you together and make it a mandatory set to pass, and pass security templates is so love you see nothing. And also in the middle of

the first section, my version is your denims, I think when I got to about twenty twelve of the side tables and YouTubes where they were talking about DevOps and safe, there's an awesome, those guys were discussing how to get security training both to developers and tooling into the chain to help you, especially like that being leader he's good into talking a natural language. So although that is next own custom, if you have any that in that you could write your own security tests in that, and the word from kara the Potters, you look at some of his on the speaker day, he has tackled this problem of getting security requirements into tests because probably out there do

you mean require section to it. So those things like, is there only 25 / mon and internal mail, these kind of questions, they'll test anymore and fail if there's anything else, that kind of thing, prevented simple stuff. So if you get a copy of the slides and go get up the names of people, the inspired resolution, you'll find there's a lot of research. They won't be able to, but first of all just quickly in response to that, I'm an exorcist, that mean I still got some interesting came up, so I can see it from that side of the fence, and one of the things about the ops is that it is very much cultural,

it's not just technological, yeah. And certainly one of the ways that some organizations are approaching it is that they are creating dedicated product-based teams and they're including all of the disciplines in the teams related to a product, rather than departmentalizing the organization and then trying to cross-feed the information between departments. That's one approach, and that does seem to be working for some people, so it brings people in at the early eight, brings security in at the earliest design stages, which is the important thing, which is always the problem with having development anyway. My vehicle, I use that move up from two other day, yeah, well he won't fall out. The other thing I just wanted to

mention is that, I don't know if you know that BCS is in the process of constituting a sea full DevSecOps at the moment. I didn't. BCS do a lot of fantastic work, so if it was actually convened a group to say let's put something out to help, some of the leading lights in the British DevOps world are pushing this, probably in the BCS, but obviously the BCS ping BCS they required, but security will be brought on board as well. So there is actually going to be a DevSecOps group, but register, and there wasn't, no, I'm over there. Yeah, just to say, following on the toolbox he printed to us,

in terms of inventing stuff organizationally and keeping track of those tools and mixing it with other people and attack. Far be it from me to throw a lot of the standards in the mix, as obvious, added any way through the king or the Trustworthy Software Framework, which have a number of das 75, all the jungle contributed a lot of obstacle. A very very good point, people often look with the eyes, oh I know the probable one, and overcome to maybe 12 tackles ammonia is causing this, but AAS as well, great one. As up reading on the ground fresh mushrooms, if not we can show the victory will be left photo shoot.