Become Unphishable

okay uh is not popping up uh yeah unfortunately this is not my normal machine so let's figure out how to so time I I got like a lot ofast 10 minutes you want mirror basically

thanks

fantastic all works got cool you have plenty of time yep that's why I want to find out I don't need more time 10 minutes before I well goodness this morning at the adapter problem so like right after after one single point of failure I was like okay I don't want to like I I had enough time at least to like run home and and grab a fix I don't have time for that now so so your topic is become unfishable yes could you pronounce your last name for me uh Elias el el when

ready okay okay so it's it's a little weird it's I think you'll have to overcome the the uh inclination to talk louder is okay

basic

okay and and roughly like what would you say the split is of people that are on headphones uh like versus I guess headphones it's 99% headphones like I guess how many are physically here I I I'm I'm guessing because of the setup I should put a little more emphasis on like reading like reading or describing all the visuals because not not everyone okay and I have no I have no problem doing that I just adapt to the audience say whatever the

Okay Okay one minute let me grab my I know I I Tred to yeah I cut the first one short 10 so we got 10 minutes offer so now I'm we on the schedule I'm we good yeah I want to make sure

okay got it yeah that makes sense so four minutes great so I'm I'm officially taking over for what Josh Josh yeah okay that's why I was there where's Josh where you from uh University City close you orig from uh California see ACC West Coast Northern California yeah I in college I had a professor who taught literature she had a French accent and I asked her where you from she said CIA in

cwhere ACC most like mostly my area is little Portuguese a lot a lot of Old English but like Old English it's it's a very small kind ofal a lot of people there like generation from that to where you Washington

DCP that's my aspiration I still never been to death like every year I go topic is time off your topic is Place taking my kids there because I just met the girl who going to run the kids oh really yeah I think it be fun like she orend her yeah she's working she has over the village and her name is bianc I would love to bring ROM how old are your kids 11 and 13 that's another that's her this is her boots I say hi to her oh I think I yeah I remember the patch say hi to her my daughter's only

n

we got one minut I can go ahead to do my intro uh good afternoon everyone this is track one I am your track one host my name is Angus Chen I'm very curious about fishing I got fish emails all the time I'm sure you all do uh the next speaker is Brandon elas and his topic is about become unfishable let's welcome brandan

Eliason hi welcome thanks for showing up uh I'm actually not the person you're expecting to see uh depending on when you looked at the uh the program but hopefully you'll find this topic interesting uh my name is Brendan Eliason I do it security audit and penetration testing for a company called Bai security out of Chicago uh but uh have a background in uh Behavioral Science uh kind of psychology and doely teaching and training uh so when I kind of got into security one of the things I found very lacking uh was uh like respecting the degree of quality of training and uh a effess of training uh that I would expect to see for things as

important as fishing so this is ultimately how we can use Behavioral Science and safety science uh to better understand what we're doing wrong right now which is most of it and also get some idea of how we can change so we can actually solve what is probably one of the bigger problems we have uh in our industry um I despite the fact that we fishing anti-fishing training is probably one of the single largest line items on anyone's budget uh certainly Collective in Industry we spend billions of dollars on human-based risk uh like and it hasn't really changed much uh the in fact if it anything the trends have been going up instead of down uh over

the last 10 or 20 years uh and that's really stupid uh we if you spend that much time and that much money on something you would hope to see Trends going the other way but there's some very good reasons for why we're not getting the results that we think we should be getting now first of all this is could be a very short talk uh want to solve fishing always use complex passwords use a password manager always use MFA preferably a hardware token and fully adopt PH2 standards done um but since I've got some more time to speak let's find out like why we haven't done those things and what it is that is lacking in terms of what we are actually

doing um again really old we have just two major problems I what it is we're actually doing and how we go about doing that uh so if we solve those two things we'll be in a much better situation for starters God forbid you look at research uh but this is a a problem that has been actively studied for a long period of time uh sadly little of the research and the results of the research is incorporated into security uh and security awareness training programs uh but the a lot of the research is very good um this is one of the more recent studies very large study out of Switzerland uh studying fishing specifically uh and I know for the

benefit of everyone that is not cannot see the uh the graphics I'll just quote the most uh important takeaway from this which is we find that embedded training during simulated fishing exercises as commonly deployed in the industry today does not make employees more resilient to fishing but instead it can have an unexpected side effect that can make more employees even more susceptible to fishing it's cooperated by an older study uh but one of the better studies with by Angela Sasa and uh me uh Milani vuler and their takeaway from that research is the impact of simulated fishing campaigns on employees self-efficacy and Trust in the organization May negatively affect other organizational goals and that ties into another be

Behavioral Science Viewpoint uh research paper that says you know when studied the research found that we found that fewer years of employment at an organization and lower employee satisfaction and loyalty predicted increasingly unsafe behavior in the simulation this suggests that newer and unsatisfied employees are the most vulnerable to fishing attempts the takeaway from this is Al way not only is what we're doing like not helping but in many cases the way we are going about fishing training now actually structurally harms the really Foundation of what we should be having as a security security infrastructure and security culture uh at our companies this all boils down as a great example to the weakest link one of the

most common metaphors that we use in our industry one that is horribly flawed uh one that is not accurate uh but one that also scapegoats the people with the actual responsibility for security training these are all exact quotes uh from specifically the Uber hack that happened a couple years ago and all of it is humans are the weakest link humans are the weakest link humans are the weakest link and pointing to a single point of failure as a single person just a quick anatomy of the Uber hack shows that seven months before the attack Uber ignored a vul vulnerability disclosure um then like attackers used prompt bombing and MFA fatigue to socially engineer uh one of their

employees they used his existing VPN to access the internet but the internet was overprivileged and not subdivided by group uh which allowed the attackers to do lateral movement which set off no alarms whatsoever the attackers were then able to find an open file with Powershell scripts and these scripts had admin credentials uh they were all stored in plain text and these credentials were then uh enable the attacker uh to compromise Uber's Duo One login a AWS and G Suite environment this was not a weakest link this is not a single person like one person did something wrong and if if a single social engineering attack can take down your entire organization it is not that

one person's fault it is ultimately our fault as security people the a lot of the rhetoric and the way we think about this in security comes from Bruce Schneider's book uh secrets and lies where he says that people often represent the weakest link in the security chain and are chronically responsible for the failures of security systems uh to the best of my knowledge Bruce no longer believes this uh but it sounded good 23 years ago in the same book a couple Pages later is a part that most people ignore which is Bruce says the security of a system may be no better than its weakest link but that generally refers to the individual Technologies in a smart

system these Technologies can be layered in depth and the overall security is the sum of the links this is a much more rational way to view what we what our goals are in terms of security Now this gets us to to an idea of like how do people actually learn and how do people like what can we look at in terms of other science that tells us that can tell us how to better train our employees and how to better structure our entire organizations to get the goals we want which is simply a safer organization right now I will take one shiny American Dollar and give it to anyone that can go into the parking lot and pick up my car

it's black toy to pickup I think it's three spots over I can give you a map um I'll wait if anyone wants to volunteer don't see any volunteers problem with that like problem is like maybe you don't know how to pick up a car so let me give you a and I will educate you lift to your knees not your back you maybe you need motivation uh maybe I can make a funny video for you showing you how to pick up my car would that help you and would that help anyone in this room it would not why because it's biologically impossible you know what else is biologically impossible trying to beat a computer at passwords I'm trying to

actually remember complex passwords in a way that would enable us to somehow like beat the ever increasing speed and complexity that computers forget even Quantum are able to do um all way we have not human beings have the same capacity kind mental capacity that we have had for hundreds thousands tens of thousands of years uh computers on the other hand are increasing exponentially like there is never going to be a point where we are going to be able to compete with a computer yet this is what we ask our employees to do every day this is what we have built as a foundation in our industry for decades that we simply need to add more complexity we need to

somehow beat the computer at a computer's game that is not going to happen and ully when you're putting forward these these as our structural goals like and you're telling your people and security awareness training like and giving them these rules they need to to to live by and to do their job effectively and they cannot be done like they are things that are impossible for your employees to do and a they just bypass them like B they lose respect for you as a professional because you're asking them to do stupid impossible things and ultimately it gives you a false sense of confidence in that you think you're doing something when in reality as the stats show and as I think

our everyday experiences show like we are not getting better we are not solving the problem so what can we do uh brief history of research uh canaman tersi uh to Jewish researchers uh this recently won the Nobel Prize uh in case you're uh interested in uh following the the the prizes here are the um unfortunately um and then uh fortunately derski had passed away but uh the this is the foundational study for a the study of Behavioral economics um which is why it won the Nobel uh prize it showed in a very simplistic sense that human beings have a much greater value for loss than they do for gain uh one of the the key

examples of This research is they give people a coffee mug and they ask you know how much do you value is the coffee mug and but then when you ask them all how much will it take for me to take away the coffee mug and they typically value the coffee mug at like if I'm taking the coffee mug from you I maybe think the coffee Mug's worth five bucks that seems fair but if you're taking the coffee mug from me I think that's a $10 coffee mug that you should be giving me $10 for so in a very in a very simple sense this provides you with the fact which should be no surpris to anybody that

human beings are not logical uh we are not computers we have never been computers we're never going to be computers that is not what we do but it also gives us a window into trying to understand how we do think how we do behave and the sorts of things we can do to actually use that knowledge to better educate and train our staff they we put forward a model called bounded rationality which better reflects the reality of how we think how we work uh and how human beings work uh instead of just a linear you learn something it happens kind of model they found that three um there are three inputs limited knowledge cognitive capacity and time

limit that all go into a thing they call bounded rationality which is we're not stupid uh you know we're not and we're generally highly intelligent people but as those three inputs will tell you we are limited by how much educ we have which is one part we're also like limited by how many other things are going on at any given time and also on time limits and for anyone that's done a lot of fishing training you will recognize a lot of those as the keys to effectively like getting people to compromise people fishing training and that it's much better if they're trying to multitask if they're not focusing on something if they're have only if

they're zipping through 100 emails and you're just email number 87 these are all things that all we go into why fishing is currently successful as often as it is but also tells us how we can better communicate to our employees and also to our like SE suite and everyone else about how to ultimately make better decisions so people aren't logical again should be a no surprise to anybody here but if they're not logical how do you get them to do the things you want them to do I how do you actually change behavior and how do you how do we actually solve the problem uh because fishing is probably the biggest security problem that we ultimately have or F

fishing and social engineering in general now some of you may have seen BJ fog I definitely one of the more prominent uh researchers he's out of the University of Stanford um he speaks a lot and has kind of what is kind of one of the the better kind of better models for understanding Behavior change um he is called called bmap and ully it's a there's two axes one is motivation one is ability and then fog throws in a prompt the theory here is that along this line anything to the right of the curve between the axes will be most likely successful uh anything below the Curve will not be successful and so the the the standards you have to

play with are either to highly motivate people or make things very easy uh ideally both if you've done that structurally then all you need is a prompt uh you need something to kind of nudge them to to take an action but that action will not succeed and will not be sustainable if you don't have the conditions met for motivation and ability the problem is motivation wise they don't care and they don't care because like they're ambivalent about safety and because they want bad things to happen but most of the people working in your company don't care care because that's not their job that's our job and if there is a like a weakest link if

there is a single point of failure it's us as Security Professionals because we are the only people in the company whose job it is to protect the to protect the company and to keep everyone secure everyone else has jobs to do um I I don't know how to run a depreciation table um I don't know how to there's a hundred things in my company that I don't know how to do and it doesn't matter because that's not my job um you're be trying to get like trying to get a little bit of attention span from your employees to focus on something that honestly in the long run makes their job harder like to some degree and they need to not only

understand that it's something you want them to do they need to be able to internalize why they're doing it and be a be a partner with you in solving this problem and not just someone you're you know you pull every you know 3 to six months you pull aside give them a 30 30 minute hour a 30 minute session of training and then send them off into the world again and then four months later when they get a fishing test and they they fail it they get punished for it I that is not an effective way and it's also it's not an effective way of actually solving the fishing problem but it's also not an effective way of

building culture and without culture and without trust as the research papers I first pointed out it's the employees that have the greatest level of of dissatisfaction that are UL the weakest because you have not equipped them with a way of actually solving their problem they don't trust you they might not even like you uh because a lot of what you're doing seem to be very much like just provoking them or setting them up for failure uh so on that level the use of motivation here and it's one thing fog points out in his research is that all of the axes here all the points are not equal points um a ability and motivation are not actually equal when you're

looking to to put together training for people to change Behavior again motivation really isn't like is the weakest of all of those points ability is absolutely the strongest Point uh and so and that come back to our job of putting together a system and putting together a structure that is easy for people that makes them like makes them successful at doing it not giving them things like passwords that are all biologically impossible so fog clarifies if you want to take the reality of human nature and human psychology into account it means that you can't rely on high levels of motivation there are only two ways to change your behavior in the long run it's small steps uh small steps approach

and it's redesigning your environment and again weakest link like that's us because it's the redefining the environment like that is the most important part of this equation is putting together a system putting together training putting together a culture that allows people to be successful also uh a another set of research on nudges that perhaps a lot of you have heard of uh it's like often very prominent in the news very similar sets of uh Behavioral Science research uh Allway comes to a lot of the very same conclusions but I with some slightly different points but at the end of the day for nudges you can't nudge anybody to do anything they don't want to do that is not how nudges work that

is not what the research says nudges are for people that have already bought in that the thing they're doing is important now now they just want to do it they want the most effective way to do it they're looking at you to guide them in terms of what is going to be successful in getting that done but if you missed the first part if you miss the culture part if you miss miss the part where you guys are partners and not aers Aries in the situation then you have completely missed the exercise and you will never be successful uh in the system we have right now so Taylor puts forward there be seven stages to to to

nudges I I'm going to read this quickly while I read them think to yourself within your own organizations how many of these steps do you actually incorporate and even if it's not this exact pattern and the exact numbers how many of them are actually in any way even part of how you're designing your security awareness training programs how you're designing your Outreach to your employees first of all defining your changes clearly secondly consider the change from the perspective of your employees not simply what we want them to do but what they need to do in context of what their work is what is their workflow what is their position what is their role and then designing from that point

of view third use evidence to show the best the uh the uh the best chance of success treating them again like equals don't dictate to them what needs to be done but actually work with them like for kind of shared success next present change as an option again if people do not accept the need for the change if they do not buy in then none of the rest of it will be uh will be effective you need to give them the option and let them come to the conclusion that this is something that they want to do next uh listen to feedback all a lot of times you can do the first couple steps uh and all in good faith you can try and

listen to people like but again once you actually Institute a lot of these policies you need to have a feedback loop that tells you as people actually implement the stuff in their job roles like what is successful what is not successful and be able to iterate and fix uh and make make your program better the next one is restrict obstacles and this goes back again making it easy motivation will never be successful like by itself like you will never be able to motivate your employees like to be so motivated be as motivated as you are or more motivated than you are to get these things done if you have not made it easy if you have not taken

away all the obstacles if you have not made it the the right thing to be the easy thing to do and then you want to need to maintain momentum with short-term wins I this is all part of a feedback with loop with them as well like as you go forward and this I think this fits into the listening to the feedback as well as you go forward again your team when things are good everyone needs high fives like they need to understand what is working what is not working and when they do good things you need to have a system in place where you can reward their good behavior like so that they appreciate like what it is like that everyone

collectively is doing okay so now we have a little bit of foundation for and what is kind of what what is successful foundationally for putting together a program where you can work with your employees and set together A system that will build your culture and ultimately lead to better protection uh for your your employees and your company now in terms of kind of more nuts and bolts of how you communicate with your employees this is one of my favorite uh favorite bits of psychology uh from from teaching and this is called the uh eing eing eing hos uh forgetting curve uh it's also my beard inspiration so uh one one one day maybe uh a couple years from

now I I'll be able to compete with the uh the good doctor this ultimately highlights and I think you could take away all the uh the text and just rephrase this as this is modern fishing training this is what we're doing right now like once a year we bring people into a room and we sit them down for half an hour an hour maybe we don't sit them in a room at all anymore maybe they just sit in front of their screen and download whatever module you've assigned to them uh they finish it they do a you know check the box uh assessment and then you say see you again next year you know maybe it's next quarter you know if if

you're if you're a really crazy company that does every three months but this tells you psychologically that you know within an hour of going through this training people have lost uh a majority of the details of what you have just told them uh you know he uh the research only says that you should be doing after a presentation an hour later do a recap then a day later do another recap then a week later doing another recap if you do that if you have repetition built into your training uh then you have the ability to ultimately reinforce what you're trying to get people to understand if you don't don't do that and I can probably say I've almost never

seen this in the industry uh in terms of this sort of reinforcement of repetition of D then you get exactly what the curve says which is people will remember stuff for just barely long enough to answer the multiple choice question and then they move on to other things because they've got other stuff to do um so combating this and understanding that a lot of it is it's not a bulk of information all at once it's ully small pieces in repetition and with uh uh kind of in a system that will get people to actually retain the things you're trying to teach them also people are not all the same uh again not a big surprise uh there's

What's called the VAR model it uh ultimately highlights how different people learn uh so in addition to having some sort of redundancy and uh repetition to the content you're you're teaching your your employees you also need to understand that you need to have it in different formats some people are auditory Learners some people are visual Learners some people like reading and writing is what better reinforces the ideas um I personally I'm a very kinesthetic learner I like to do things and I like to dive in get a bunch of stuff wrong fix it all that helps me understand like complex learning but everyone is different and if you're the one who's in charge of Designing the programs for

your company you should also be making sure that all the content you want your employees to understand is available in multiple formats ideally inter interlocking with each other because often times like people won't have a single mode that is like that's the only way they learn it's an interaction of all of them but again this is something that if you are in almost any other industry and certainly if you're in the education industry if you're in Psychology or Behavioral Science like you would not ever consider building an education program that didn't incorporate multiple modes of learning but it's something in our industry we never even think about uh I I've seen a small handful of programs that actually

take this to account but ultimately very few and a lot of is because we're not Educators I most people in this room don't have degrees in education or psychology or Behavioral Science or everything like that you have very wonderful degrees in engineering and other things uh it's also one of the reasons as an aside why we should be very welcoming of people from outside the industry coming into security because a lot of times they're adding skill sets like this that are not naturally present in our industry also a big point and this goes back to BJ fog's idea of a prompt um it also goes back to the idea of context and I I was a lifeguard in high

school um got to carry around one of these life preservers uh all day long uh if you were drowning and I threw this to you it was amazingly helpful you were really appreciative of like me having this tool for you at that moment if I had one of these right now and I just threw it at your head in the audience not so happy like context matters and relevance matters like going back to what we do in the industry right now again once a year we sit down and go through a list of things that sometime in the next year you know these 10 things may happen to you in your work you know here like here's what we want

you to do about them and then we let people go uh none of those things are actually relevant to them at the time and then 6 months later when it maybe is relevant at the time they've already forgotten it so Building Systems and this one's actually much harder to do because you don't know exactly when those prompts are going to be you don't know when those fishing emails are going to come in you don't know when they're going to get people are going to try and social engineer them you don't know when a lot of the other like security issues are going to happen but it means that you also have to have consistent relevant contact with your employees uh

to make sure that relevance is part of this because simply telling them something at a time where they don't care about it and they don't need the information is a waste of resources and ultimately doesn't uh get you anything it doesn't get you any level of

success so one of the um fun or frustrating things about moving to to the industry when I did um is that I had had a chance to actually see what some other Industries have done and still do to this day uh to train employees for risk and uh train them for safety and things that are very intuitive uh and like very successful nether Industries are things that are completely ignored in security um the one of the easiest Industries to point to is Airlines uh and air safety uh I'll read relatively long quote but I think it's worth the uh review this is the former chairman for flybe airlines in uh the UK says the focus on Aviation

risk management is is not on blaming people it's on developing processes that deliver safe performance and a culture where people understand what the risks are and if there are issues are prepared to investigate look at them and have a just culture Aviation says something to go wrong says for something to go wrong maybe a dozen other things must have failed because we we make sure that there are barriers to risks becoming events I this should be again totally different industry very obvious relevance to where we are right now like this is not this is the opposite of what the weakest link mentality is this is saying that there can't be that that we have built in so

many layers of protection that even if we're looking at that very last step in the chain that maybe like was the last causal event so many things had to fail before then that our job is to fix the system to fix the redundancy and to fix the right to fix the entire chain not just scapegoat a single person at the end of that chain it also points out that as a culture this is one is a culture of non-lame and a culture where like people are not called out for like small mistakes uh because ultimately it's the culture that needs to be successful for the uh for your training to be successful now I don't actually fully

expect you to see all the numbers here they're very small um but the uh charts on the left are the airline industry charts on the right are us um so over the last 40 years um fatal accidents per million flights and uh fatalities per trillion uh I think it's roundtrip passengers carried or something close to that um you can see a very clear like very strong downward projection in the airline industry for safety they have gotten consistently way more and more safe and even as you can see on the other uh axes as the number of flights have gone up and as the number of people in the air have gone up the actual deaths and the actual

uh safety issues have actually gone down like that is what you should see with an appropriate safety culture and that is what you should see where you have a system built in place that actually prioritizes like structural structural safety and not simply like yearly one-off training on the other hand you see our industry where we spend more and more time and more and more money uh on uh cyber security training on security awareness training and our numbers have gone nothing but up uh and this is and these numbers actually only end at 2019 so that doesn't even take into account uh the more recent challenges we've had with covid and with work from home and

and and other things uh but you clearly see that like what we're doing is not working and again it is the frustrating part of doing training in the industry that it has not really ever worked I it has been decades since anything I since a lot of the things we're doing now have tried and failed and we did them again and they failed and we did them again as they failed and they keep on failing greater and we're still doing the same things it's another example there's a Human Resources company called pin uh out of Australia it's a a com it's a a partnership between the former uh manager of people at atlassian and the

former manager of HR for a company called signal amp um that did HR uh they we saw a lot of the similar failings in in HR and formed this company like one of the Hallmarks of this company is and this is kind of their mission statement that every employes journey is different said we believe that every single message that is sent to an employee speaks to the personal circumstances and context of that individual the takeaway for this is ultimately the Rel an going back to the life preserver they have built a system in HR where instead of having HR training once a year where they would set people down and just give them a big

catalog and say Here's all the stuff you need need to know about HR they have built up a system where like you're working at your job you get promoted to manager that's a trigger moment now they know great you need to you now need to know processes for being a manager you need to know how to deal with people promotions vacation time whatever it is in your organization uh but they have built in a system within their um within the HR Management Systems to find all those triggers to find whenever it is like when do you need that information and giving you that information at that point and not not before not after but actually at the point where you need it

and they've had enormous success with relevancy uh because ultimately six months before you were a manager you didn't need any of that information but now you do and if they can build a system like that based on on human resources and based on management like that is something we can easily do given the technology and the um I think the uh uh the capability and and resources we have in our country in our industry uh and then I recently found one other uh example with you within our industry which I I don't have a final slide for I trying to keep this relatively vendor neutral especially as far as Securities uh goes but uh there's

a a company in the UK called uh think cyber uh that actually I I will say I've never used the product so like I can't claim what the uh uh I don't have much knowledge of that but they are built on a foundation of the principles we're talking about like today and they they are have read all the research we've talked about as well as a lot of other research and they have actually built a specific security product based on that and so they have a product where things are communicated to people in ways they understand and they also communicate like security risk as it like as it happens in real time so they have a

system that's integrated like as an example into your email system where you get an email from someone that you've never seen before that isn't your email list and there's a link in that email like that like that you don't know the the uh the safety of when you go to hover over that link with your mouse their system pops up and says hey do you know this person do you want to click that link you know and just double check doesn't really stop them from doing anything but it gives them an actual real time check that causes them to stop and think about what they're doing as opposed to again what they're most likely doing otherwise which we all do

is reading a 100 emails at the same time and trying to uh multitask with a bunch of other tasks so there there are real world ways that we can be integrating a lot of these lessons into our actual Security Programs so to to wrap up like how do you become unfishable first of all like stop doing it badly I the like and also stop using it as a metric for Success the like if there is a single point of failure in all of this it's all way us as security teams I we are the one group in any organization that has the power to fix things has the knowledge to fix things has the motivation to fix things if things

aren't running well or aren't don't get fixed it's our fault so internalizing that and then looking at our relationship with our employees as Partnerships and both way looking building a system where we can better understand how people actually work don't require to do them to do things that are biologically impossible communicate them in in a peer-to-peer fashion in a way that gives them relevant information when they need it uh and then reinforces that over a period of time I those are UL the steps that we can do right now to have a fundamental like change in our security awareness training and the capability of our employees to like make better safety decisions more consistently are there any

questions are we doing

questions great I'm yeah otherwise uh yeah thank you very much for for for coming well Brendan is really the first uh speaker that I've seen bridging econ e economy uh psychology and cyber security by the way the book he mentioned is thinking fast and slow you should check it out yeah thank

you little under I only only got sign I know that's I was asking was

itos do of my teaching was actually in the wine industry wine I was a wine maker uh for many many years before I and then got very very bored

doing

educ

ass

think

for

e

e

what looks like the next speaker

be

you

TR

you yep angles change pleas to meet you you're