Hack The Planet! What Movies Can Teach Us About InfoSec

How's everyone doing? You all right? >> I was told that you got a good welcome up here. I remember what was that? >> I said, "Is everyone all right?" >> There we go. That's better. That's better. Right. I am normally give this talk in about an hour. So, I'm going to have to blast through it at lightning pace. So, do watch your next cuz it's going to be a little bit of a challenge to get all the material covered, but I'm going to do my best. My name is Simon. Hello. Um, as well as being a developer for about 20 years and having a little bit of expertise in cyber security as well on the side, I'm also a massive

film buff. Um, this started as a project that I did for uh a series of podcast interviews I did with uh Lyanna Jeff. I don't know if you know the compromising positions podcast is most awfully good. Not just because I am on it but also uh and we sort of started digressing into not just about infosc but also about films because I love films and so do they and that's what got us talking and then we started doing special episodes all about films and now we've actually got a podcast coming out soon called tech film noir which will be exclusively on the subject of films which deal with tech. So watch out for that but warning

it does contain me uh and some much nicer people. So let's go on. What can we learn about cyber security from films? Well, first off, can anyone take a guess at which decade, just which decade the first hacker film came out? Go on. >> 1980. >> 1980. Wrong. I'm sorry, sir. >> 60s. >> 60s. Bang. Bang. Bang. There we go. 60s. The first hacker film was made in the 1960s. It was called Hot Millions. It was a British film. For a long time, I actually thought the first hacker film was The Italian Job and that Benny Hill should be our first hacker. But no, there was one made only one year previously. And I don't know how I

missed this one cuz it's a corker. Hot millions. This gentleman is the very first hacker ever to be depicted on screen. This is Peter Houston. Sorry. And he is a guy who's recently released from prison and decides that he has tech skills but not much money. And the big companies have got plenty of money but not much tech. And so somehow an exchange can be worked out whereby he provides some sort of tech assistance which turns into fraud and then in exchange he gets all of their money and runs away to the uh Satu South America. It also features a very young Maggie Smith. Uh she was indeed young and hot and continued to be hot but not so

young. Uh she plays his um his girlfriend in this film who also ends up becoming his assistant and his uh compatriate in crime and wife later in the story. He gets himself a job in a big cyber uh some sort of tech film. It's rather unclear what on earth they do. Some sort of big company. They do big big tech stuff. And the whole idea is that he's going to use his technical expertise to try and commit fraud on a grand scale in order to you know steal all their money. So what we're talking about here is employee fraud. That is an actual thing that does exist of course. So what though are the realities of

employee fraud? What they depict in this film is grand fraud. fraud on a massive scale carried out by some sort of devious genius who came into the company with a plan. Well, the reality is that employee fraud is very common. It is very common, but also mostly unreported. Most companies don't like to talk about the fact that they have a problem with employee fraud, but nevertheless, it is a problem. But the other thing is the main cause is desperation. And that's something I'll touch on again later. Desperation. This guy comes in and just sort of thinks, how am I going to make myself a heap of cash and retire happily to South America? The real cause

is that you are desperately short on money and you need it and somehow it seems the thing to do to to kind of bend morals a little bit in order to support your family, to support yourself in desperate times, whatever. The most common forms of fraud are billing fraud, stealing cash, basically sticking your hand in the in the till and taking a bit. Not grand fraud the way the Hot Millions depicts it, where you're taking billions of billions. does exist, but it is in no way anywhere near as so common as simply a little bit sneaked off the side. 72% of this is committed by men. I'm sorry men, but you suck. And cost around 5% of annual revenue.

That's not small. Yes, it's common. And yes, it's small scale compared to what you see in the Hollywood films cuz it's not very exciting if occasionally someone steals a bit of money from the till. That does not make a good Hollywood film. But nevertheless, 5% of annual revenue, that is not a small amount. That's a lot. Especially once you start scaling this up to big companies, how can we prevent it? Know your employees. Know your people. Know their struggles. If someone is struggling, then maybe it's time to step in and say, "What can we do? How can we help you? What do what are your problems? How can we assist?" Um supervision. I mean, don't sit over

everyone's shoulder watching every little detail I've been through. is not going to pres give you good morale at work, but nevertheless, it will prevent the opportunity from existing. And tamper proof document trail, try and make it impossible if someone did commit fraud that you can't trace back who the heck did that and why it happened. And audits, again, same sort of an idea. Yes, if it happens, we can work out who did it, which will potentially recoup your money, but also um make it less tempting to try it because you know that you will be caught. There is also another form of employee fraud which isn't talked about quite as much but is becoming a thing now and that is fake

employees. Fake employees who actually are overseas quite often. I mean the big case is North Korea. And there are actually cases that have been found of laptop farms that exist in places like the UK and the US where all they exist to do is to provide a legitimate UK or US IP address to allow someone in North Korea to bounce all their internet traffic a few steps and make it look like they're sitting somewhere in the UK when in fact they are not. They're in North Korea. That's a thing. That's an actual thing now. So he tries to hack into the system but every attempt he makes to mess with the database or whatever it is I mean this

is this film is vague about how the computer system works he gets illegal procedure it's because there is a security system the security system consists of I joke you not a blue light actually true yes fine okay it's a shorthand for whatever the real security is I'm okay with this it's a handwave in the 1960s knowledge of computer systems was limited So, blue light, but how can we get around our blue light? Well, here in comes the name of the reason for the name of the film, Hot Millios, because he watches the the cleaning ladies one day with their with their bucket of of hot water and he notices them where get their bucket and go to the the blue

light and bang their bucket against it and the light pops open. It turns out there's an undocumented security floor in the system. Bang it in the right spot and the light pops open. The ladies do it because they want to keep their cup of tea warm. And so they pop the pot of tea into the blue lights empty space and warm their tea up and drink their tea and go home. But he thinks, "Aha, the computer security system is offline." And so, of course, he can make use of this. There you go. You bang it exactly there. Again, I'm okay with this. It's a shorthand for something that's actually massively complicated and no one really

needs to know about it and it's kind of funny, you know. So, vulnerability reporting, this is how you get around this sort of a problem. You have to make it easy. If you don't make it easy, there's no point. Um, security.ext, a lot of websites now have security.ex so that you can look at this and see if you find a security flaw with a website, you can report it, contact details. The main important thing though is take it seriously. If people are reporting security flaw laws to you and you're doing nothing about it, everyone's going to stop bothering because it's clearly a waste of time when that same security flaw continues to exist for years

unresolved. But then a reward doesn't have to be money. It can be money. Bug bounties is a thing. Big companies do offer bug bounties for people that find bugs and that's legitimate. But also just give someone prestige. Write them up in the newsletter. Say, "Yay, thanks to this person." You know, I think a lot of people would do a lot of stuff. I would do a great deal of things for a sticker or a pair of socks. you don't have to give me a lot to make me very happy indeed to have reported to you. He then goes on to commit his fraud. He creates uh fraudulent companies and people around the world with names like Claude

Debusi and stuff named after famous composers. If you think that's ridiculous, by the way, have a look at the details of the Enron scandal where there were um companies owned by Michael Mouse and stuff like that. This is actually a thing. And then using all his stolen money, he flies off to uh to to Rio and then lives there with his ill gotten gains until the company track him down and then rehire him as a security consultant. Not totally wrong. That does happen. A lot of security consultants out there are former criminals because who else knows the system better? So I would say first hacking film basically bang on, you know. I mean, yes, this

company could learn a few things and clearly they need this guy to come back and teach them how to avoid these problems, but basics of problems. Yeah. the sort of things exist all over the world. Although there's not a literal blue light and a and a and a hot bottle of bucket of liquid. That's a bit ridiculous. So, from the sublime to the ridiculous, let's talk about Batman and Robin. Has anybody seen Batman and Robin? >> I am so sorry. It's bad. I mean, I watched this and I had to for the purposes of this talk and I had to watch on fast forward. It is bad. I mean, it's really it reputation is deserved. It's

awful. Anyway, so there is a bit where where Alfred is lying ill in bed and he's worried that he might not make it and he has a a hard disc with all the secrets of Batman on the hard disc. It's all the secrets of Batman and he wants his his niece to give it to his cousin so his cousin become can become the new Alfred and and continue the legacy of an English butler who works for Batman. So fine, she like a good and responsible niece jimmies it open with a knife and decides to hack into it because that's exactly what I would have done because she doesn't know what's on this but she wants to know what are all the secrets.

So how do we get into all the secrets of Batman? Well, there is a password prompt. Alfred CD. Fantastic. I can absolutely imagine an elderly British butler having a mess around with VB4, which is probably what this was written in, and then making it called Alfred CD and thinking he's done a great job. I can believe that. So, we want to try a password. Is it Alfred? No. No. Is it Wayne? He works for Bruce Wayne. No. No. Is it England? We see his English. You see, they're thinking outside the box a little there. And you notice it's zoomed in. I suspect that this scene got monkeyed with in post-production. I think the original version of this

scene, no one really understood it in the test audience and so there are some weird editing problems around it and I think it's because of that. But is it England? No. Oh, what could it be? There's a picture over there. Who is that? Well, that is Alfred's ex-girlfriend from years ago. Her name was Margaret. Is it Margaret? No. But let's have a closer look. Love Peg. Is it Peg? It is. threeletter password and all the secrets of Batman are revealed to us, including access to the bats cave. Also, by the way, notice here, love peg. See that love peg? No love peg. Love peg. No love peg. It's It's almost as if this scene didn't make any sense and the test

audience said, "What's going on?" and they had to add in a load of close-ups, which is indeed what I suspect happened. Anyway, a three-letter password with no account got you into the Batcave and all secrets of Batman. This is not good security, Mr. Wayne or whoever came up with this. So, let's talk a bit about password security. User accounts. There are no user accounts on Alfred CD. You have no way to know who got in there. Is it Alfred or is it the Joker? There is no way to know. And if the joke if if if if Alfred's knees can hack into a three character password, the Joker sure as heck can too. High entropy. Make it

something no one could predict. The password was literally in the room. That's that's that's about as bad as it gets. Common password check. How it's not difficult to get yourself a list of all the most common passwords in the world. Takes me about 30 seconds and I've got myself as long a list as you want. Just literally have that in browser and say if you're on this list, no. Sorry. No. maximum attempts. I mean otherwise like the Joker can have about however I don't know how many attempts that is. It's a few hundred but still I can imagine the Joker being crazy enough to try that or threaten someone enough to do that and that would work. But if

we have maximum attempts then bang doesn't work. Multiffac something you have something you are something you know something like that dead easy. Password managers don't even know the password. Just get into a password manager get from there. Store only the hashes. I'm not going to go into what that is. That's complicated but this is a good idea. I've only got half an hour, folks. Salt for hash, once again, good idea. If you don't know what that is, look it up. It's a very good idea. It stops someone from hacking your database out of it. Don't have time right now. Password reauthentication is becoming a thing now. Things like biometrics, that's an option. My laptop opens if I

use my fingerprint. Probably shouldn't have told you that, but it nevertheless is. Multiffac devices, you smart cards. There are companies now where you have a card about your person which is tied to your belt. Pop it in. We're logged in. Take it out to go to the L. the pass the the machine locks. That's the sort of thing. Secure onetime passwords. That's an option. Lot of lot of places around the world now use OTPs on everything. It's becoming more becoming more and more common. Even in the UK now, I pretty much can't log into my bank anymore often without an OTP. So, that was Batman. How about the film Hackers? Hack the planet. I I absolutely legitimately adore this

film. Not my favorite hacking film. I'll get on to that one in a minute. But Hackers is a great one. If anyone has not seen this film, you should. It is so 90s. It's wonderful. So this is our baddie. There is a very famous scene where someone has guessed the password, the admin password, and spoiler, it is God. Threeletter password. What is it '90s with threeletter passwords? But fine. And he gives a list. Then he rattles off in the scene the most common passwords, which he says, I love secret, sex, and dot. Is this the truth? Well, don't ask me how I got this data, but I did. And I have a list of all of the

most common passwords in use anywhere in the world. Turns out the most common password in the world is 1 2 3 4 5 6. Now I might be wrong, but a lot of these feel like the passwords test accounts and throwaway accounts and things you don't care about. That's possibly true. So I filtered it based on this is clearly a load of rubbish. And if you are using any of these passwords, do change your password. I mean really. These are actually the most common passwords. Football. Well, it's probably not the same game in every country, but it is still a game in most countries. So football. Monkey. Monkey puzzles me. Monkey. Okay. monkey. I mean, who

doesn't like monkeys? I like monkeys. Do you like monkeys? Uh, let me in. Okay. Dragon, baseball. Yeah, fine. But they're still single plain text English language words. These are clearly things that we need to avoid. And it's not difficult to put a filter in there to stop this sort of thing from happening. And yeah, there is the what is it? The horse battery whatever thing, the three words thing. That's not as good an idea as everyone says it is because basically the hackers know about that one now and they just try lots of words and use each word as a letter and they can still hack those high randomized nonsense words is the way forward. Anyway, later in the

film we see our our hacker when he was first involved in hacking being taken to court. This is not our hacker. This is our hacker. He's a kid now. Is this likely? It is. It is actually likely that this could happen. I'm not sure if you necessarily take it to criminal court. I'm not sure how the law in your v in various countries uh works but here let me introduce you to some actual hackers. This is Laxus Arian Kai I'm not guessing 18 years old. He hacked GTA 6 and leaked footage from it. This guy Daniel Kelly did a DDoS attack against his college at 16 years old. This guy I don't have a photo of him. There is no

photo of him anywhere. Uh he was 17 years old. He hacked an online gambling site. The reality is that most hackers are taken to court by their parents because they are not old enough to drive. So yes, but also a thing to take away from this know your enemy. Your enemy is not a devious super hacker sitting somewhere on a secret volcano layer. They're kids. They're bored kids trying it because why not? It's not hard to defend and you can set your expectations appropriately. So, the guy goes and does a simple um a simple hack by phoning up the guy that's the security guy and telling, "Hey, I'm tech support. Can you help me out? Can

you do me a favor, chat?" Like, "I I need to I need some details off the router." And he he goes say, "Sure, sure. I'll help you out." And uh this is a TV station and using this details, a hacker hacks into the TV station and replaces a chat show run by a farright person of some description with an episode of The Outer Limits because who doesn't love the Outer Limits? I love the Outer Limits. This actually does happen or had happened. There are genuine documented cases of this. This gentleman hacked uh a TV station in the US in the I think it was the early ' 80s, late '7s and replaced episode of Doctor Who briefly with I'm not sure

whatever this is. To date, no one knows who this person was or what they were attempting to achieve or almost anything. The footage is frankly quite scary. I'm not sure if it was meant to be or not. It's unclear anything about this, but it did happen. You can find the footage on YouTube if you're interested. Just think, social engineering, forms of social engineering, fishing, emails, and stuff like that attempting to get someone to click a dodgy link. Baiting, that's not an email sent to you. That's just a a site left around on the internet for people to find. Here's our wonderful discount site, which is full of amazing discounts where you can get cheap goods.

Click our link, put in your card themselves, get our goods. And of course, the goods never come. pretexting, pretending to be somebody you are not. Whale fishing. This is where you actually go about finding out all the details of someone in authority and making a personalized fishing attempt which targets them specifically and seems like something they should legitimately feel like they should respond to. This is a thing. Let's talk about fishing. There are 75 times more fishing sites than malware these days. Who can remember the days when that was a thing where you had to be careful where you browse because you're picking up viruses after all the time. The reality is they don't need to bother anymore. They don't

need to bother because fishing yields more dividends. There are 2 million fishing sites known by Google. That's just known by Google. I bet you anything that's a fraction fraction of the total number of sites that exist. 1.8 million losses in 2020. That was 2020. That was 5 years ago. I bet it's gone up a lot since then. I don't think this problem's gone away anywhere. I think it's only getting worse. Men are 225% more likely. Men, you suck. I'm sorry, but you do. >> 856 sorry 86% of organizations click a dodgy link. So 86% of organizations could have just given people staff training that said if the link looks dodgy don't click it. It seems obvious

but nevertheless it's not. Let's talk about pretexting a little bit. So I'm going to diverge a little from cyber security films and talk a little about Frozen. My children are in the room. They're over there. Everyone say hello to them. Uh, so let's talk a little about the the the Disney epic Frozen, which probably is a good film, but I've seen it more times than any sane human being should. Uh, cuz I have two daughters. Um, so in the film, Princess Anna is courted by by Prince Hans, who appears to be the first man possibly in forever to take an interest in her romantically. She falls for him instantly, as all Disney princesses tend to do. And spoiler, he's

the baddie. He wants to take her kingdom. Sorry if I'm spoiling the the Disney epic Frozen here. But nevertheless, he is the baddie. He just wants to steal her kingdom and her money and possibly kill her family too while he's at it. He's not a very nice man. And this, let me introduce you now to AI Brad Pitt. This happened not long ago. This was, I think, late last year. And a lady was apparently in a relationship with Brad Pitt and even saw videos generated by AI of Brad Pitt. And Brad Pit was in a bad way. It turns out he was in hospital. Poor man. And he needed her help. and only she could help him.

And of course, she she duped over a whole load of money. Now, it's easy to laugh. It's easy to laugh. But the most successful vector into convincing people to do something they shouldn't is love. That's that's who we are. We're human beings. We want connection. We want to feel love. I would like to bet that nearly any of this or possibly all of us here if we were at the right point of our lives at the right low moment could fall victim potentially to stuff like this. Maybe not handing 830,000 euros. I don't have that much money but nevertheless we could and love is a vector that works. How can we prevent social engineering attacks like this staff training? I mean

fundamentally just teach people to recognize it and not click on the dodgy link or ask someone is this a dodgy link and then find out before they click is simple but nevertheless 86% of companies are still getting this clearly this message is not getting through so therefore staff training minimum necessary ability don't give people abilities more than they need to have if someone has the ability to transfer vast amounts of money but it's not part of their day job why give them that ability give them no more than they actually need to do their day job and the problem largely reduces separate admin accounts. If you need admin abilities, have a separate account. So, you literally need to

specifically switch over to admins to access your admin abilities like installing software or whatever. Standardized processes. I have worked plenty of places where the business have phoned me up directly and sort of said like, you know, I'm in a bit of a bind. This data fixing. Wouldn't you mind fixing this data? I just can't be bothered to, you know, like it's very easy to sort of think, sure, I like that person. That person's a good person. I'll do them a good favor. But that's not good. go through a standardized process. It records it. It is recorded. It is there. We have a log and it means that uh it has to be approved potentially, but make it make it uh

stress free, make it easy, make it frictionful so that it's easy because otherwise what you get is what's called elephant tracks. An elephant track is where you're supposed to go like this, but frankly no one can be bothered and they go like this. So if the process is simple and easy, then they will follow it. If it's complicated, they're going to find shortcuts. And once you've got a shortcut, you have yourself a security vulnerability. Staff train. I'm going to emphasize that again. Staff train, right? This is going back to our our our hackers guy. Now, this, by the way, is the server room, which the guy skateboards in and out of. I did say it

was '90s. Uh, the film also had no idea of the difference between a user account and a password. Guard is both the possibly the account and possibly the password. It's unclear, but fine. The actual plot here is what's called salami slicing, which is where you take advantage of rounding errors in banking transactions and pocket pennies at a time, but done on mass, you end up with huge amounts of money. There's no real evidence that this has ever really happened much, if at all, in the real world, but Hollywood loved this one. Hollywood loved this one. Also seen, by the way, in the fantastic film Superman 3, in which uh this gentleman here is our hacker, and Superman appears to be

trying to steal him or something. I'm not sure. But Superman 3 is a great film. Ironically, mostly it's not a very crude film at all. Superman 1 is a much better film. Uh, so our guys decide they're going to u mess around with an FBI guy that's trying to cause them trouble. So they do things like destroy have his cards destroyed by by hacking the bank and telling the bank that he's gone over limit. Um, they they change his details so that he now has a traffic violation and gets arrested by traffic police and they have him registered dead. Now, of these of these, which of these would you think is the one that actually is a legitimate problem in the

real world? It is probably not the one that you would think it's actually being registered dead. If I really wanted to call someone a real problem, I wouldn't kill them. I'd have the records say they were dead, and then they're going to have a problem for the rest of their lives. Let me introduce you to Pasad. I hope I'm saying that right. Am I saying that right? Near enough, apparently. Um, he's dead. He's dead in every way that matters except that he's not dead. He's alive. He is a member of the Indian undead community, which does not mean he goes around sucking blood at night. At least not to my knowledge. Oh god, 5 minutes left. Oh, we got really going to

bust. Um, but he he has been registered dead. It's actually property fraud that's going on. Property fraud. It happens. And that will follow through these people forever because it's very easy to get registered dead. Death tends to be a one-way passage. there is not really much of a computer process called the bursting death. Therefore, this is a problem. So, the guys um go in, they do some hacking, they have to gather some data. So, what do they do? They uh dumpster die. So, this is why you should shred all your important data when you're done with it. They send in people posing as workmen because apparently no one in this company actually vets anyone that comes into their building. And they

plant uh tracking devices in the network. They have a guy delivering flowers who goes into the office and watches people pay enter passwords. All of these legitimate actual problems because on premise security is a thing. You have to watch on premise security because once the guys are in your building basically all bets are off and they have what they want. That is the way it is. So mark security level on documents. Have a disposal process. Make sure that anything sensitive does not end up in the rubbish or if it is then destroy it. Destroy it thoroughly. Secure disposal. ID cards. No one has an ID card. Why are they in the building? Staff training. Tell them it's okay.

It's okay. As human beings, at least especially as British people, we like to be polite. We like to be polite and help people out. Do you want to know what one of the easiest ways to get into a secure building is? Get yourself a big pile of boxes and sort of struggle like this towards the door and people will potentially help you in through the secure door because they want to be nice because that's the sort of people we are. Train them that it's okay to be a little bit rude in this limited and specific manner. Multiffac authentication restricts visitors. Why is the guy allowed to deliver the flowers straight to the desk? Why not leave it at the door and

have the door bring someone down? That would make more sense to me. Sign visitors in that. Who was in our building? Who when did they leave? When did they come out? Which results in a massive dodo attack. All of this involves a massive epic hacker battle at the end of the film where they dodo the company using all sorts of extraordinary means which you have to see the film in order to believe. And frankly, I still don't. DOS is where you have hundreds of of machines scattered all over the world for sending packets. Uh it's it's like um get a peashooter and shoot a P at someone. Doesn't hurt very much. Get 5,000 peashooters with 5,000 P's. You're

going to notice that that's how it works. The biggest DOS attack I've been able to track down was 3.15 billion packets. This is weapon grade stuff. It is known that there are there is a short list of states in the world that is countries in the world who are doing ranging attacks against the US uh IT in internet infrastructure. There's a short list of two countries thought to be behind it. You can all guess which de los mitication. There isn't one really. Wait, you could pay up, make them go away. Distribute web hosting. I mean, that will limit your problem. It won't make you go away. Upstream packet scrubbing that will again reduce it. But

fundamentally, an IP blacklisting. All of this will reduce and mitigate your problem, but it's only going to mitigate. There is two days no real defense against this sort of a problem. I'm hoping we've got time to quickly blast through Jurassic Park. Let's see how quickly I can get through this. Jurassic Park, Dennis Nedri, absolutely terrible developer. Probably everyone remembers this. I had a VHS of this when I was a kid, which I watched religiously from that u Christmas in 1997 and onwards. Dennis Nedry has financial problems. He tells the boss he has financial problems. The boss says, "I don't care. Your problem, Dennis." And this is supposed to be cuddly uh um Dicky Atinburgh that we're all supposed

to love. And so, it turns out having both the opportunity and motive, he gets corrupted by piles of money to take down Jurassic Park. This is the source code of Jurassic Park. If you notice at the top, it is called Nedriand because Nedri thinks he is the sole person responsible for the whole of Jurassic Park, which he is. There's only one developer working on Jurassic Park. And this is written in object Pascal. They are all doomed. and he sets off a um a timed system whereby having talked to his guy over on the phone. Um sends a a a timed mechanism which is coded in to shut down all of the security in the whole of the

park and then it won't go back unless you say the magic word. And can anyone else hear this screen capture right now? Oh, one minute. So, we have to My god, Jurassic Park is off. What do we do? Switch it off and turn it back on again. And the whole of Jurassic Park is off. It comes back, but it's not booted yet. Oh my god. What do we do? We have to trap all the way across the compound. Switch it off and on again once again. And dinosaurs are trying to eat us. This does not sound like good disaster recovery to me. So design dinosaur attack mitigation developer culture. Dennis Nedry is a terrible developer. He brags that he can

write millions of lines of code. Sure, I can do that. We could, a lot of us could probably do that. So what? Dennis Nedry doesn't work well with other people. Dennis Nedry thinks he is irreplaceable. He thinks he is Jurassic Park. It all revolves around him. He is a horrible human being and a terrible developer. And we should not allow that sort of culture. It's dangerous. Dinosaurs can attack you. More developers. Have more than one developer. Have two developers. Have them check each other. Would have made it a lot harder. Now the guys are going to come in and bribe two developers. Twice as hard. half as likely that you'll get your dinosaur attacks. Disaster planning. Jurassic

Park fails open. Upon failure, all the cage doors open and the dinosaurs eat everyone. That's a terrible design. It should be um it should be on fail closed. Unless you are a shopping center on fire, which on fail open either way, have a plan. Plan it at all. Wait. >> Yeah, we're I'm going to have to skip through the net, which is one of my absolute favorites. And I'm so sorry to everybody. Can I just have two seconds to wrap up and then >> Right. Okay. Quick quick summary. Be nice to your people. Be nice to your people. They're your best asset and your biggest risk. Be nice to them. Understand them. Do what they help them.

Staff training. And your security is only as good or rather your only as good as the next person's is not. There we go. There's my website. Feel free. I'll I'll sign off with that. Thank you.