
Nudging Security Awareness Towards Harm Reduction

BSides Belfast | 38:09 | 106 views | Published 2020-01
About this talk
Michelle Stella argues that security awareness training must center harm reduction and risk scenarios for vulnerable populations, including domestic abuse survivors and at-risk groups. Drawing on personal experience and real-world case studies, she examines failures in customer-facing security processes and advocates for tailored, empathy-driven awareness that respects privacy differences rather than assuming all users face uniform risks.
Transcript

So I'm really pleased to have the opportunity to speak to you today. This isn't a talk that I have given anywhere else, and it's a blend, an artisanal blend, of some talks that I have given in the past. So to give, if you don't know who I am, which you probably don't, probably thinking who the hell is she, I don't work for any big tech orgs. I do a lot of work on the consumer privacy side. Volunteer-wise, I work with a lot of at-risk groups, so domestic abuse survivors, sex workers, people who may need some security awareness that takes into consideration their particular risk scenarios, and that isn't something that information security as a

whole is terribly good at dealing with. I'm also a survivor of intimate partner abuse, so I have that perspective, so some of the talk is going to talk about those kind of issues around intimate partner abuse. There won't be anything, any kind of graphic slides or anything like that, or graphic descriptions, but just to let you know if that is something. Also, I'm a woman with fairly strong opinions, so if that upsets any of you, now is the time to leave. I've got a QR code there with a link to my blog trap and that's what we call raccoons in America, where I very sadly had to come back from last year, and I still miss it. So if anybody

happens to go to America or a lot on can bring me some stuff from Target, I would love that. Or if you wanna hire me, just go to America and just do nothing, and I'll just go to Target occasionally, that would be quite nice as well. I can work remote. So yeah, and one of the things as well, I wanted, I kind of wanted a blend this inside I think we talked about security awareness in the right way. I think we need to improve it, and I think we need to move it towards harm reduction. Harm reduction, I mean that by, what I mean by that is, are we looking after people who are at risk? So, you know,

from my perspective of a survivor, when you have to leave and you have to restart again, are these other processes we have, particularly in customer-facing roles, when we deal with secure things such as anti-fraud, customer service. We talk about customer service being the weakest link and all that coating, and people tend to go on about an attack customer service reps, and I'll come for that. I think we need to completely kind of shift our paradigm, if you like, about what we're talking about when we talk about security awareness. So what I hope you'll get from this talk by the end of it is, I've got four to five minutes basically to save the world, I'd like us

to know where I think, in my opinion, security awareness is going wrong and how we can kind of work towards making that better and build in some harm reduction, which is really important for all of us really, also hopefully. And I think the first thing we really need to look at is privacy. We all assume, when we're talking about security awareness and doing all those lovely PowerPoint things you have to click through and he's talking about phish, phish, phish and all this language and malware and all the rest of it, and we assume that people are coming from the same point of view, right? But we're not. The very first thing I ever published on an information security

platform, by the way, I'm not, you know, a technical person, I don't work for a big tech org, so I'm quite an easy target for all those lovely people on the internet, but I published something on an information security platform, which I won't name, and I mentioned about that, I said this basically, and I said the problem with its established practice is that we share passwords and we think that's normal, and so coercive control, stalkers, just fraud generally, is quite easy to get past. Even if you're not a stalker, if you're just a fraudster, if you're phoning in to a company, it's quite easy to get around those because we just don't have the same practices. We think

actually it's fairly normal to share passwords, and I had a load of people come on, they're security professionals, come on and tell me that that was wrong, that they share password with their girlfriends, with their significant others, and they can't tell me that I shouldn't be doing that and that's completely normal. And I'm not saying, my point wasn't that they were wrong for doing that, my point was that it's the reason why we have half these issues, is because we assume that what we want from privacy, what we say is private or secure, is what other people consider to be, you know, private and secure. And, you know, just like, you know, wearing a

seatbelt or smoking a real cigarette or being in a relationship with a conservative Prime Minister, we all know that those are really, really inadvisable things that you should do, and if you do do those then risk's yours, right? But we don't have the same thing with privacy or with security. We just don't empower people, and I don't mean empower in a kind of yoga way, I mean it in a kind of fluffy way, I mean it, and this has been said in other talks already today, we don't let people make those choices, we don't educate them, and then that's what we have the problems. OK, so what I want in privacy is very different to

what my children think I should expect, and again, even with that, if I say, well, I like to go to the bathroom alone, I'll still have other parents say, I love it when they follow me and it's really nice, it's a bonding experience. OK, that's still, we still need, around whatever somebody's saying about privacy, security, we need people to say actually that's not right, that's not normal. OK, if you're choosing to go away from that, to deviate, fine, but you're doing that knowing your risk, and we're not doing that. OK, I actually spoke to, I added this, I kind of just switched this around, this slide was something slightly different earlier, I was talking to Brian Honan

earlier and he said, but basically we should talk about resilience more, and this is something that we don't mean, I know I work in schools quite a bit, and when we're talking about, we talk about threat model a lot, and when you talk about threats, that makes people feel, especially when I work on a consumer side a lot, it makes people feel quite uneasy. So I think if we talk about risk scenarios, and if you talk about making people resilient, have more success. If you talk about security, if you talk about privacy, they're going to switch off potentially. OK, and also there's a lot of other language we use, and I will give you some, an

example of this a little further along, because I worked for a company during a breach, in fact they had the breach my first day, and I was hired to do their security awareness, and that was a really good ride, I can tell you. So, and I work with their customer service team and they just switched off, because they were being told that it was their fault, and, you know, words like pentest, malware, I don't know, all these things, they're just, the vulnerability, they mean nothing when people think they're being attacked and people think that it's their fault, or, you know, I'm never going to get it, it was just these computer people telling me about stuff I need to do, and

it's, so this is something that I think we need to look at as well, and we're looking at security and privacy and harm reduction and particularly, and we look at, when we look at customer service and customer-facing teams, most of us will have got one of these, or when you go online to chat, if it's not a bot, it will be, even if it's a bot, it will have a name, they'll be made up, but quite a lot of customer-facing roles involve giving people's real names. And this particular pass and I've very badly blacks and I was going to put somebody else's face on, like Nicolas Cage or something, but I've anonymized, this is the

best I can, but I went on because I thought maybe it's not real name, cuz I actually find this quite horrible anyway, hate this tracking stuff, because you can track these poor drivers all day, and I can just stop to go for a restroom break and you're still tracking them. You can imagine the hassle they get and the targets that they're working towards, it must be a horrible job. And this was seized for your name, he's got a LinkedIn profile, he, so I went everywhere, did a whole load of research on him, and every time I get something like this, and you can try it too, not for any nefarious reasons but just to

horrify yourself, that then opens them up, doesn't it, to abuse, to harm and things like that. And so how can we, when we, it's fishy, and when I was on this customer service team, we were, we had this breach, and they give us a three-line script we weren't allowed to deviate from when angry customers called in in all these different languages, and they were actually, everybody's very smart and could have learned more about security if they'd been properly trained in awareness, but they were using their real names as well. So you've got an irate customer talking to a customer service rep, and that's opening us up, or them up, to getting loads more abuse,

being followed home, in all these things, as people don't think, they don't make the connection always between their home and their work. Good security awareness should make you do that, it should show you what risks are, what security is, make you think about privacy, and it should show you that the things that you're doing at work to protect yourself and the systems and the data at work and all the rest of it are also things that you can do at home. But if we are allowing this kind of thing to happen at work, then we're basically saying, well, who cares about privacy, who cares about the fact that we're using your real name. I think it should be false names, I honestly think

it should be a fake name. I don't need to know his real name, I could be always number or something, he's still traceable, they could make him be called Jack or something, I don't know, because if there's also here in my country at the moment, in England, that's, you know, a lovely non-racist place as well, so you've got these people who are going to be opened up to all sorts of abuse because they've got a foreign-sounding name. It's possibly my most, one of the most controversial slides of open for up, but like I said, when I put my stuff about intimate partner abuse, about coercive control, up, and I thought long and hard before I published it, and it

takes a lot, when you're not, you know, a technical person, when you're not working for a tech company, it takes a lot to post stuff, and, you know, you get these people who are working in technical roles, and I think you probably all know them, just because you have learnt to code doesn't mean you're interested in security. We had our breach, OK, any won't worse over our breach it was anything to do with me, I joined the company, wasn't my fault, but I'd already flagged up a few issues with them. I started there on Monday, on the Monday we have this breach, it took them six hours to mention it to me or anybody else in the

team, and then, you know, when I went through it with them and I said, well, you know, how did this happen, because we had to notify the entire client database, obviously, under GDPR, that there had been an incident, as we were calling it, not a breach, but it was a breach, and we had people over the subsequent two, three weeks saying, I deleted my account, why am I getting this notification? And when I went inside, because I said, well, how come that's happening, and I said, oh yeah, we didn't, our delete account button, it went nowhere, it didn't do anything, it's just, you just pressed it, it just looked like it did something. So that was

for a platform that was very recently created. These are, you know, these are senior front-end engineers on their LinkedIn profile, or on, you know, on the company Slack, basically they were kicking me off Slack chats every five minutes because I was saying, you know, do you not think that we should have had a delete your account button a year ago when GDPR was about to be launched, or just generally, ethically, as a thing, when you're designing a platform, a service, a platform, should people not have the right to be forgotten and the right to delete their accounts when you're designing that? No, we just made the decision not to. So, and that happens

everywhere, it's not, every time I tell this story, and I won't say where it was or anything else on that, but every time I tell this story somebody says, yeah, that happens at my place, yeah, gosh, and everybody's got a similar story. Just because you are in these roles, security for a lot of people, it's just a paycheck, it's just something they can make money out of, and we see this a lot with awareness. I worked in security awareness with some vendors for a while and it's horrifying, there's just so much noise around it and everybody wants to use the latest buzzwords, and quite a lot of them don't know anything about security at all, and you'll know that if

you've ever had to sit through a security awareness thing, that's been training that's been made by an outside vendor, quite often it's just been googled and then pasted in, and it doesn't really teach you anything apart from the fact you might learn that there's some new term for some type of phishing, but that's about it. And I think when we're designing all these things and we're talking about security, when we're talking about privacy, when we're talking about security awareness, we have to make sure that, I think we have to make sure we're training people to understand, like I said, to understand that their home and their work is, those practices work the

same basically. You can still secure your home printer the way that you would, not use admin admin if you've got the, you know, the credentials for anything, the access to anything, right? And, you know, we're looking up to people like Mark Zuckerberg as icons because they happen to run a platform. That doesn't mean he's a good person, that doesn't mean he has security and privacy top of his agenda every morning, just means he happens to create something. So that's what we have to start, and I think the people who I was working with on that tech team, they weren't a security team, we didn't have anybody in security, we had the chief privacy officer who

left and who was complicit with that entire thing about their delete your account button not going anywhere, but nobody had ever really told them about, you know, I don't think had ever really trained them. They'd learned how to code but they've never really thought about ethics, about harm, and if we don't learn about ethics, and that's not just right and wrong, it's what's historically caused people to have to be harmed, which groups have historically been harmed, because they're still being harmed, they're still being hurt, how can I stop this, am I complicit within something, within a system or a machine that's cause it's going to cause more, and being able to stand up to that and also to say I don't

know. And I don't think much security training really involves people saying I don't know, and I think that filters down to security awareness. OK, so really everything to think on that one. So I think that, and I'll come back to this in a second, but I think the communication gap is massive. We have people who, if you want to design a security training, or if I, you know, if I'm working with schools or consumers or sex workers or anybody, and I mean if you were doing that or if you do do that, I mean where are the easy ways, where are the easy places you can get good security awareness advice for consumers, where can

people go to in your organization? It's very difficult. But if I want to know, you know, is smoking bad for me, what's the speed limit on this particular type of road, or how does a car engine work, I can go to really, really, I know there's so much information out there, and I'm supposed to know this, I'm not shamed if I go to the doc, I mean there are bad garages and bad doctors, but, you know, I'm expected to go and ask for help if I don't know. But even on security trainings, I noticed there's just, you know, I mean I have friends who go on these massive SANS courses, and not having a pop at SANS here, but I'm

just saying, you know, they get nearly their heights in booklets, and then they have to go away after the end of testing, they have to study again to take an exam. And I mean I teach a lot of the time in schools and I can't do that, I can't teach that, because I have to have measurable outcomes all the time now, I have to say what did they learn at the end of that hour, whereas, and I have to ask them questions, and if they don't know, that's OK, I'm supposed to be saying you will fail, which I think Brian said and rough couple of the talks that I have said this, you know, you have to

fail at things to learn, and we're not encouraging people to fail, and because ourselves in information security as professional people who understand all that, we're not allowed to fail, we're not allowed to ask questions, you're stupid or whatever else, you don't get that kind of spirit of learning, which we need, we desperately need that, desperately need standards as well. So the security customer when at the customer service side of things, I'm really tired of information security people, big accounts, you'll know who I'm talking about, the kind of ones who call me apathy on their personal blogs, they often go for the experience of problem and even though the lethea sleety macaca they still can't seem to find

security@ or the CISO's email to advise them of a problem, and they want to go for these security awareness reps. But I say to people every time when they say, and I've got in the reference section, I've written some stuff on why guilt and shame doesn't work, and if you want to read about that you can't, I'm not going to go into it now, but I'll say to them, well, there's no, it works, shame works, it works if I, you know, shame the Virgin Media, where it works if I, you know, go for this company, you know, wherever it was, T-Mobile a year or so ago that had the issue. Every company will have one or has had one, it happens,

that's security, right? We learn, and the attackers are getting more and more of us, we know that, we know it's just a matter of time, or we just haven't noticed yet. And so I say to them, if you think shame works, fine, what about the later but do you know your social media team? You work for this organisation, this big tech company, do you follow your social media team, do you know, so would you even know, you know, you're posting all this stuff on this company's website you and I switch your account, I mean information security, a lot of people seem to think the world revolves around Twitter, and it doesn't, but do you know

them, do you even know who they are, have you done the awareness training with them, do they get the training, or they're just like the team I was working with, three lines, end of conversation, which doesn't do your company reputation any good, it doesn't do their customer service team any good either. And you follow your organization, so if there was an issue would you know, while you're yelling about how nobody has any response time, you can't find the security@, would you even know yourself if there was something that happened at your company? And who has the admin passwords for the social media accounts at your company? I mean Twitter itself had Jack's account got hacked, didn't it,

something happened to it, we know, something to do with a SIM card I think, I don't know, Discord had to help them shut that down, and I think another platform, it took them 30 something, 31 minutes to shut their own CEO's account down, closed it down, because nobody noticed or nobody could do anything. But, you know, everybody all scream and shout about some poor customer service rep who's paid has no 20,000, 15,000 pounds a year and who has those big screens flashing, yeah, this is amount of calls you've got waiting, some at waiting time you've got. If you don't believe me, go down and have a look at those teams and see the pressure

they're under, and then try and talk to them about breaches and things like that and blame them and all that kind of thing. It's worth, you have to have these levels of communication, because like when the Apple FaceTime bug got phoned in, I think it got emailed or phoned in originated way into a customer service kind of silo, and they didn't know what to do with it. That's a grapple laughs well they're actually pretty good washed up don't say so so a fella great, but they still didn't have that communication link between incident response for security and customer service. And so when you have, like, you know, when you have a, like, they still have to press a button maybe on an

email, I think this is a phishing, I think it's suspicious, again it goes to somebody in IR or somewhere else, yeah, at least somebody has the chance, even if they boot it, I mean probably that would be kicked out anyway because you'll they'll be automated in your lil check it, but it at least should go somewhere so they have the chance to kind of catch that. But it didn't, it's out there for weeks, because nobody even at Apple had the link between customer service and any kind of incident response security team. So that's it, are you training those teams, are you empowering those people? OK, and so you, and they can't ask because they don't know what to ask for.

OK, and I think really, I think security awareness should be like CPA, we should get CPA for it, people should, everybody should, well, you know, security teams also need, you know, security awareness training as well, everybody should, but it should be tailored for those needs. That security awareness person, whoever they are, they're in-house, other vendors, should go to this manager of that team, who should have consulted with the team on their various needs, and it should be personalized. It shouldn't just be, you know, click through and then do your quiz, what's a phish, you know, what's a whale, what's, how does malware spread. Is really, it should be something that's certified, that's used by, that's created by people

who understand security, who are interested in it and who are motivated to make that individualized, differentiated, accessible and all the rest, and it should start with how it all works, which is what quite a lot of people even in security are afraid to ask. I'm sure you're not, there are people who have gaps in their knowledge, and I think because it obviously, it changes all the time, security changes, I mean I'm constantly learning stuff and I'm not anywhere near in a MOS like a super engineering tech role. So again, we need to be able to understand, when we're doing security awareness, and the stuff that I do, very basic level, is kind of, I say, well, these are the CIA principles,

and this is, this is how a network kind of, if I go any further, sometimes ago this is how networking works, and I often have to look all that up, you know, I check what's DNS, like, I think, because these are the kind of terms that you thought, I mean this is a deeper level, but people want to learn. And if you want to talk about making people interested in, even bringing people into security, because, oh my goodness, we need people and there's a skills gap and all the rest of it, but how are we going to get people switched on for this if we just kind of go, well, it's a computer, don't

touch it until, you know, just cooks I'm just call me, don't touch it, you know, and an iPad or a computer is significantly less complicated than your body or your car, you know, you can force restart it, you can't force, well, you can't force restart your heart, but, you know, you need some help, right? But we think of not where people are scared, the public is scared of touching tech things because we've made them think that they're stupid, and we go online and we allow some of our biggest accounts to, you know, to basically flame customer service reps or members of the public who make simple mistakes, even the mistakes that we ourselves would make, and it's really

unfair. So this is the kind of thing, I've used this in trainings that I've done, and this is a zine, you can pay Julia, you can buy her stuff, and she does provide some stuff for free for students, and there's links that you can use our own honor system, but it's worth it, something like twelve dollars for a book, and she sells a lot of the stuff, she's got a deal with No Starch. I mean, I'm in no way affiliated, I just think that, it's nice to recognize good work. This is exactly the kind of thing that I think security awareness needs to include, and I think quite a lot of people in security, every time, every time I show

you people this, and they're a lot more technical than me, they've got all their OSCP and all the rest, hello, wow, they say, oh wow, this is amazing, it's really good, I wish I'd had this. But it's lovely, isn't it, beautifully presented, then it's nice. I mean, you can go and look at that first, she's done so much stuff, she explains all these different things, and I just think we need to make things more accessible. Google, I haven't got the link but me and you don't need it, Google do a Coursera course, and I think they offer it on their own, you can google it anyway, they do a really nice course for

aspiring cybersecurity professionals, or I think it's like an IT Help Desk course as well, if you want to prepare yourself, it's aimed at people who want to prepare themselves for that course by taking a lot of material from that, or I send people to it because it's really lovely and explains so much. So yeah, moving on. Harm reduction really, really matters, and it matters in the sense of, because we're not talking to people who work in customer-facing roles about security and privacy, and because we don't design things with that in mind, people get hurt. I have, oh yeah, this comes from an app by Security First, I've got the link at the end of the

presentation, and Rory Byrne, he's there based, I think actually have got an office out of Dublin, but they've made this, so this is an app, it's called the Umbrella app, you can go on Security First and it'll download it for years in the App Store as well, and it's really nice if you want to use that to train people around harm reduction, OK, when we're thinking about how, because it looks at their own personal risk first, and you go for all these different things to each of those little folders and it goes down, there's more than that, has lessons and things to consider for, you know, your security and safety, how you manage it, are you traveling, what your risks, it's

aimed at journalists and activists, but it is so useful that I've used it in an area quite a few other people are using it as well for just general security awareness, because it's so beautifully done, all the materials there, and they don't mind if you use that, I mean credit them, but they don't mind, they just want it used. OK, so yeah, so my account was compromised because anti-fraud didn't, they have these procedures which are around protecting the business, not particular consumer. So I had a credit card which, and that was part of how I escaped my ex, and I put quite a lot of stuff on there, and when I, within the, I

went paperless, and I said to them when I set it up in person, I set it up as well, and I said I really want no paper, nothing, no trace of this, nothing must ever be seen of my home address about this card or this account. OK, fine. I got one letter, about a year before I left the States I got one letter, and I was straight on the phone, absolutely, you've sent me paper, I never want anything else coming, I'm closing my account, this is really vital, this is part of my plan to escape, and I said absolutely no ma'am, you know, we've, because I said I don't care, I don't care

what legal things you've got, you know that you mustn't send me anything to my home address, it could put me in really big danger, and this account, I'm, you know, I'm booking flights on it and other things like that. And I managed, that was fine, but about three months after I'd left and I was back in the UK, you can't, by the way, you can't forward mail from the US to Europe, which I didn't realize, but I wasn't worried about forwarding mail anyway because everything was paid for less and everything was fine and I shut everything down, but they still sent a piece of paper, a letter, statement, to my old address, which then got forwarded to

my ex and his stalker mates who'd really enjoyed stalking me all the way through and made my life absolutely hell, and so they open the mail, which is a federal offense, then they took a screen, they took a photo of it, which is second federal offense, and sent it to him, we're compiling our offenses here, and I could have taken them to court or in them, but I just waited to be done, and I phoned my bank and said, look, this has happened, I really want everything shut down, this is the what a few whales have you said, and they said they wanted to take me through some more security questions, which I could pass for, then

there was a subsequent security question which was about the account number, as I passed all the security questions and I'm flagging up, this is my account, I've got a stalker, I've had to leave, you know, in a visa situation, and they said we just need one more question, we need to know the entire account number of the account that you were paying that statement from, and I didn't have that with me because I kind of had to leave quite quickly, and because of that I got completely logged out, and then to phone customer service as well, I then complained, I was almost kind of free toll-free number, and I got, they transferred me when I said I want to

speak to supervisor, I see white women do that really well, to a manager, and they transferred me to a number in the USA, which then meant my mobile number got cut off because I was now on my UK-based mobile calling a US number, and then I had two hundred pounds worth of charges, and then, like, you know, my mobile provider cut me off. Can you imagine? I mean all of this, it kind of assumes that you will have a fail-safe, no, they assumed that I had money, that I had somebody who I could stay with. You know, I'm talking to them about a credit card and they just said, we've frozen it, so they locked

me out of it, then I had certain all of that, then I had to get it shut down, so I want it closed, you can't close it virtually, you have to, I don't know, you can't even go and pet is really difficult, really convoluted. So they promised me are they to shut that account down, and about three weeks ago I got loads of messages saying, hey, we've extended your credit limit on this account, still active, still live. So it's just, everything that we do is a no it's this assumes that people are living within the boundaries of what we expect or what we see is normal. Even there, even their security questions were rubbish. If

you're in a situation where you have somebody who has coercive control or who knows you, most of the people you live with will have access to your documents wherever you keep them, could probably get through the basic security questions if you've set them up in a normal way. If you need your, you know, Social Security or National Insurance number, your passport number, your mother's maiden name and I've made dogs birthday, they would know all of that. And for this particular credit card they were asking for such really rubbish questions, you know, that SSN and stuff, a lot of things that you couldn't lie about, it required more than just a ridiculous answer that only you would remember, you know, what's

your mother's maiden name Mars or something you couldn't put that in because it required an SSN or National Insurance number whatever so it's really important that we think about this and because we're not designing around that because we think everybody lives like us and has the same risks as us so we don't have to care so yeah you can't to reduce harm to understand risk scenarios to understand security and work towards privacy and securing things we have to make sure that we are you know respecting that aware of that starting it from the ground up and that we're also you know like I've said we're not using you know the real drivers' real names or the

customer service reps' real names when we're doing things because that affects their privacy is when it since our big message even if it's not over if they really have to think about it and if you're doing really good security awareness right from the base if you write down what is privacy you know if I teach the kids I teach a photo a bit of citizenship with them or whatever else whatever I'm asked to teach I have to say well what is this what does this mean to you what does voting mean to you what does you know consent mean to you and you have to write it down and then we have a discussion if you say Steve

what does privacy mean to you if you're saying to this bunch of van drivers for DPD what does privacy mean to you they might not have even considered the fact that their real names are out there and the harm and the risk might be there to them or they might have but you won't know until you ask and it won't get solved until you ask it until you start thinking about that and if you do start thinking about that then maybe you should stop it and also marketing I've kind of lost the will to live a little bit with the amount of security awareness things that just people just hire event planners who just run old because you know they can run a

CTF right because CTF is security awareness it's not okay and we have to demand that the people who are training us who are doing the awareness who are you know securing the systems that we all use that they are trained right they are qualified and they're interested in security and privacy that that is their main motivation they're constantly learning everybody in this room is here because they want to learn I hope you're learning something in this but like we're all here because we're interested in moving forward and getting new ideas and talking to each other and the conversations that you have in the corridors and things they're so valuable and I don't see that reflected in the

security awareness noise I just don't I've sat in some incredibly powerful rooms with people who are paid more than I will ever be paid in my entire life and I've had to explain to them even though they're in a cybersecurity heart or that you know they've got cyber in their title I've had to explain to them what a YubiKey was I've had to explain to them how to use email yeah and I expect to do that in a public sector role where I am sometimes but I mean wow if you're the VP of security or something you should really know what a YubiKey is you should really know what MFA is and I'm afraid a

lot of people don't see nudges and not just the things like this now the things that make you behave in a way that is kind of file a new like oh I'll do that and you don't think about doing it yeah I would totally run up those stairs and I'm a lazy fat moose okay so insecurities don't we try I'm trying to get people away from using just the red line box because we know we shout after that you accept the risk yes do you want to see the risky content absolutely okay if we make it kind of fun oh no I don't want to be too fun because there is a serious side to it

but you know we've had pop-up boxes come up for people we've had charts on the wall we've had things where people come into offices and just in the footsteps they're taking there's a little thing that's saying you know are you thinking about there so you're thinking about the privacy people are you thinking about you know why they're asking this question if somebody's ringing up and saying hey my my wife can't come to the phone because she's or my husband can't come to the phone because you know they're just outside milking the cows and can you just give me the access to their account it should be these things of it is the person there can you speak to

them yeah and other things like that if the anti-fraud had had better questions they might have helped me because I was saying to them I am a victim of abuse I really need some help you know this is really important and somewhere somehow lots of things went wrong so yeah the nudges will remind us of what we want to do because we forget what we want to do a healthy me goes to the shop and buys loads of healthy snacks and then hungry me at eight pm really hates healthy me but yeah in the end I'm kind of pleased okay so these are what the nudges are for yeah it's making sure that we put

things within our systems to our scale Custer the people who are dealing with customers or anybody you know if they're answering the phone if they're dealing with anything outside or even if they're not actually you need those people are going to get calls they're going to get you know I don't want to talk about phishing and all the rest of it but if they're going to have that kind of interaction where they might be able to access something and give somebody data or information or manipulate accounts or whatever else they need to have nudges pop up are you sure this is the right person you're speaking to could they provide another form of identification have they done this have you

checked this does this feel right and they won't know if it feels right unless we've made them think about security and privacy okay see how the good questions and the good reflexes and the good light and the good training do save lives and they save money because ultimately we're not just talking about you know people their lives like me you know if I'm an abuse survivor I got out I'm fine so far okay but even if I die suppose it doesn't cost anybody any money but if you talk to companies about they save how they can save money how they can protect themselves but how they're not because if that DPD driver he'd be great

you could probably phish him or you could probably you know go after him you know it's not just about harming him it would be also about you know trying to get information and there's easy ways to do it because people don't realize they really don't all the time yeah thank you for listening and these are some resources that I have and there's also more on the blog if you're interested but thank you very much for listening [Applause]