
is the sentence the title of my book, which was published in June of this year, and the goal of the talk and the book is to provide you with provocative new ways of addressing the lack of IT security. I'm going to give you a couple of relatively recent examples of data breaches that affected Iceland in one way or another, then I will cover a security awareness experiment that I performed relating to one of those breaches, and then get to the core of my talk, rethinking IT security, where I'll give you a metaphor describing the current state of IT security. I'll explain to you the methods being proposed by most leaders in the IT security industry, and then I'll introduce to you the method that I'm proposing, which I've decided to name the Eyjafjallajökull methodology. Hopefully by the end of my talk I'll have convinced you that the Eyjafjallajökull methodology is the only realistic and practical way of approaching this issue.

So the first data breach that I mentioned has to do with an Icelandic telecommunication company, or rather an Icelandic subsidiary of an international telecommunication company. Before getting started, how many people in here are full-time IT security professionals? The majority of the room, okay, excellent. So before I continue, let's make sure we share the same understanding of what website defacement is. In its simplest form, it's when an attacker replaces your main web page with something else. It could be
malicious, it could be a prank, it could be a political message, or simply "hacked by XYZ group". And there's a common misconception, especially among business people, that it's enough to just recover from backups. But what we know it actually means is that someone was able to break into your web content management system, and the only reason you know about it is because they decided to let you know. Very frequently they will gain access to your server at the operating system level and they will be able to elevate their privileges. So whenever this happens you should always assume the worst and hope for the best. You should assume that all your data has been compromised: if you have a database server and databases, assume those have been compromised; if you have configuration files that contain usernames and passwords or authorization tokens to consume external services, assume those have been compromised. Then there are questions such as: can other users log into it? Say you have a Windows machine, then there are questions like: are there password hashes that can be downloaded and brute-forced offline later? If users have logged in recently, can the passwords be dumped from memory in a simple way? And also, can a pass-the-hash attack be used to access other servers that share the same authorization or authentication information? The same thing goes for Linux or Unix, you just have different questions: has the secure shell client been replaced by a backdoored one which logs usernames and passwords and what is being connected to? But in general you should always assume the worst. And then there's also the question: is this particular server also connected to your internal network, the one that is inaccessible from the internet? Then you have to ask yourself, you know, have the attackers used this server as a proxy to attack your internal network? Because as we know, most companies are very good at installing security updates on external-facing servers, but internal environments will be more relaxed.

Now getting back to this Icelandic telecommunication company, there was a
pretty big data breach at the end of 2013, but the story starts two years earlier for me. Two years earlier their main website got defaced. At the time I called their head of IT security, I introduced myself and the company I was working for, and said we'd love to offer you some consultancy: we'd like to offer you forensic services to try to figure out if the attackers have infiltrated your network any further, and we'd also love to do a security assessment on your custom-made web content management system, look for vulnerabilities and assist you in fixing them. The response was, you know, thank you Slava for calling us, but we're going to take care of it internally. Okay. Now 18 months pass and they get defaced again. I call the head of IT security again and offer the same services. Again: thank you, we'll take care of it internally. Six months after that they get defaced again, and at that point in time the attackers decided to look around. Or technically, I mean, they might have looked around the first time, collected the data, used it for a couple of years and then just decided to dump it at the end of 2013. But the data dump had personal information on a quarter of the Icelandic population, including clear-text passwords.

And so there are so many things that are interesting regarding this issue, at least for me. My password got compromised too; fortunately for me I try to have completely different passwords for all the services that I consume, so I was not really affected. But this really opened my eyes to just normal people, and I'll mention the comments from this morning a little bit later in my talk. I mean, I've lost count of the number of people that have had conversations with me since the data breach, and they've confided in me: family members, friends, coworkers, customers and various people at security conferences. There's a surprising number of people that actually had one master password for all their services, and
this was it, or they shared the same password in multiple locations. And then you have people like this one senior manager who was working with me, who actually sat across from my desk, just to show you the impact. Now, she was a senior manager at the company I worked at, she had worked there for over a decade, which means she had gotten security awareness training every year for ten years, and she'd had to pass a computer-based exam relating to the security awareness training, but she was still using the same password in most locations. What happened is that she had been working through this weekend; the data dump was dumped on a Friday night, and she logs into her Facebook account on Sunday only to find out that someone had logged in as her and posted on her Facebook: "well, maybe it's time to change my password?" And to this day she still doesn't know who did it. Now, just think about a person like that using the same password in many, many locations. It sort of makes you wonder, you know, what about executives, board members, stuff like that? And what makes it even more interesting is that this particular company, only a couple of months earlier, had posted a brochure to every home in the capital area talking about how seriously they take information security. So I mean, you can sort of understand why, if people have a few different passwords, they use one password for sites they trust; you can sort of understand why they believed they could trust that particular company.

Now there's a funny side note: apparently it looks like someone may have been reading the OWASP Top Ten and read that you should always store your passwords hashed, because next to the clear-text column there's a column with the hash of the password. So that was entertaining. Now, the data leak also included SMS text messages. At the time it cost about twenty cents to send a text message from your mobile phone, but if you logged into the web content management system you could send them for free. Now
there were a lot of interesting SMS text messages there. One included a member of parliament sharing confidential information with a news reporter. There was apparently one person cheating on his wife, which had very interesting text messages, so that broke up the marriage; that was a sad story in a way. But let's get to the interesting points as well. Now, the Data Protection Authority in Iceland concluded that this particular telecommunication company had broken Iceland's privacy regulations. That was the conclusion; the ruling is from this year, I think it was published in March of this year. Now, one of the things that they pointed out is that they did not even implement the basic controls, such as protecting the users' passwords. So what do you think the penalty might have been? Well, under the current regulation: nothing. Interesting, right? So this sort of might explain why the company was so reluctant to spend money on securing the environment, if there's no penalty.

How many of you in here have heard about the General Data Protection Regulation that will take effect next year? Okay, so there were a few people who haven't. So the General Data Protection Regulation will take effect in May of next year, and if you would be found, for example, let's say you had a data breach and it would show gross negligence, like I believe they did in this case, then you can be fined either 20 million euros or 4% of your annual turnover. That's not four percent of your profits, it's four percent of the annual turnover, so that can be a lot of money. So I mean, imagine if that would have been in place at that point in time, if you were the CEO, or if you were a board member, or even if you were the IT security manager; I mean, understand the potential effect. This leaves me with questions such as: how could this website have been compromised so frequently and no one take action? And if someone would have done even a simple internal security assessment of the web content management system, maybe they would at least have spotted the clear-text passwords, right? That's one of the first things that you look at when you're doing a white box security assessment. So, you know, I'm pretty sure if I was the CEO or I was a member of the board I would have said, okay guys, I want an external third party to do a security assessment, I want forensics to be done to check whether they infiltrated the network further or not. And I assume most of you in here would do the same; that's because we have a certain amount of security awareness, which, it turns out, is not that common, even though you might believe it's common knowledge. And I'll address this a little bit in the
Eyjafjallajökull methodology. So just out of curiosity, a funny side note, or I think it's interesting at least: everyone in Iceland, I don't know if you know this, is someone's daughter or someone's son. So for example my name is Slava Hermannsson, that means the son of Herman; if I had a sister she would be Hermannsdóttir, the daughter of Herman. So in any formal environment we address each other by first name.

Now, how many of you in here use LinkedIn? So how many of you are aware that in June of 2012 an estimated 6.5 million LinkedIn user emails and passwords were compromised? That was a trick question, because that's what they believed until May of last year, when they found that, whoops, it's 117 million. Quite the difference. And of course it was the Russians, so that's a bit scary. And if you think about it, until May of 2016 only a small group of Russian hackers had access to this information, and after just going through, you know, how frequently people use the same password in many different locations, think about your parents or grandparents, or board members or executives: how many companies do you think the Russians might have compromised, installed backdoors in and just gotten a real good foothold in? I'm guessing a lot. Now, it isn't until the whole dataset gets released in May 2016 that someone starts doing something with it. So apparently it turns out that Mark Zuckerberg used the same password on LinkedIn and at least Twitter and Pinterest; we don't know what other places. So at least this tells us that the original attackers had access to his information for at least four years. And, you know, for me Mark Zuckerberg comes off as really smart; I've seen a photo of him, I believe he had his computer next to him and there was tape over the webcam of the computer. So keeping that in mind, thinking about that and seeing that Mark Zuckerberg has such a simple password and shares it in multiple locations, what about your parents and your grandparents or executives and all those things? So I think that's a strange thing.

Now, looking at the data once it was released, I saw that there were over 12,000 Icelandic email addresses, and when I say Icelandic email addresses I'm talking about .is domain names, that is, the national domain of Iceland. You know, there was some media coverage in the US, but in Iceland there was none. So after two months, I had some summer vacation saved up, I started travelling around Europe and I decided to do an experiment. So what I did is I put together an email
and I basically tried to keep it as much in layman's terms as possible. Actually, if you go to the link you can use Google Translate; it's in Icelandic, and I think it translates pretty well to English. I explained to them, basically, I gave them the history, what LinkedIn is, why am I sending this email, and then explained that the password that you used on LinkedIn in 2012 has been compromised. I explained to them: if you believe you're using the same password somewhere else, consider changing it; also, if you believe you are using the same password with your employer, please notify your head of IT or your head of IT security, because you might have been compromised. Then I also went further into explaining two-factor authentication. I explained how to activate it, and I also explained the risks: you know, if you use an application on your mobile device with which you have to confirm when you're logging in, and you forget your device at home, then obviously you're not going to be able to log into the service that you're trying to log into. I tried to make it as simple as possible. I even referenced a page that I said I would maintain with questions and answers if I got any, which I did, and then at the end I also included a short survey. I'll cover the results from that a little later. But I did this, and I even got non-technical people to read over it, so it should have been relatively well understood. And the way I did this is I created a new email address using a private domain name and a reasonably long email address, so it would have been hard to guess.

But, you know, there are a few interesting points. Apparently not everyone was happy with my security awareness experiment. So apparently what happened is that as I started sending these emails out, I think it was on the fourth or fifth day, apparently someone calls the security officer of my employer. This is my private domain, this is my private time
and everything. He called my employer and apparently he was like, "what the hell is he doing, sending my employees emails, he's scaring them". And apparently, from what I can understand, one of the ladies that worked there had received my email, and since she was scared, I assume she might have been using the same password in the environment, and she goes to the head of IT, meaning yes, she did what she was supposed to do. But then I had mixed feelings, because the security officer was apparently not happy with the results, and I was thinking, well, this was two months after this data was made public. So in my opinion that particular security officer should have sent out an email; you have services such as Have I Been Pwned, so they should have been able to notify the employees that had been compromised, so that person should not have been surprised to see my email, or he could have been happy. But anyway, after consulting with the head of IT security at my company, I decided not to send emails to the 120 other employees that had not received the email. So their loss, in my opinion.

Then there was someone who wanted to sue me for breaking the privacy regulation. Sorry, like, no offense, but yeah. So apparently this was the owner of a one-person internet service provider, and apparently one of his clients had received my email and she thought it was a mailing list, didn't quite understand it. And he sent me an email; we're just going to assume he tried calling me. So I called him back, I was in Europe at the time, and I tried to explain to him: no, no, this is a one-time email only, and explained to him why it was. So then the conversation went: "okay, so you're going to remove it from your email list?" I'm like, dude, there is no mailing list, and you know she's not going to get another email from me. "Okay, I don't want any of my other clients to get one." I said, okay, any of your clients that have already received one, they won't get another one from me. But if some of your other clients have been compromised and they haven't received an email, they're going to receive one right away from the same email address. And that was okay.

So, other interesting things: now, I believe within 24 hours of sending out the first batch of emails, for the first time I got visits to my private website from Russia. Interesting. So I mean, obviously that's an implication that they may still have access to some of those email accounts that I was sending emails to. And also after that, this newly created email address started getting a few phishing emails, nothing too ridiculous, but I
would copy-paste the attachments that I got into VirusTotal, and for the ones that I got, four antivirus engines were able to identify this malware and the others were not, and that's a bit insane. Another interesting thing: apparently a more sophisticated social engineering attack was performed, and this was probably about two weeks after I sent out the initial email, where they used my private email address, not the one I'd created, and they sent it to the CEO of the National Registry of Iceland. And fortunately enough, since it's a small country, everybody more or less knows each other, so he called me up and said, like, "Slava, I just got this email from you telling us about some link to change our passwords, have you lost your mind?" "What email?" So he sends me a copy, and it was actually surprisingly sophisticated. So that was interesting.

Now, as I mentioned, I offered people the opportunity to send me questions, and, you know, when you've been in the industry for a couple of decades, for some reason you just assume that everyone has the security awareness that you've developed. But here are some of the questions that I got: "Thank you for the information. I have an anti-virus product which protects my password, isn't that enough?" "No, I don't understand this. My brother invited me to join this but I never did anything with it and I don't understand what it is. Shouldn't I be able to own a computer?" "Okay, I'm not using this link, so I would like to ask you to terminate it for me. You are of course financially responsible in case of damages from this." "After not talking about this break-in for four years, how do I know I can trust this email?" So basically these are just a few of the questions that I got, and this is very eye-opening. You know, I think about the original data breach in Iceland with the Icelandic telecommunication company, and I'm going to try really hard not to name them because I don't like public shaming, and then with the LinkedIn data; when people's security awareness is at this stage, you know, it's very frightening.

So I did include a survey where I asked people, please, I'd appreciate it if you'd participate in the survey and give me your opinion whether you liked it or not. So 97% of the people that responded to my survey liked it, 2% claimed they didn't understand it, half a percent really didn't like it, and half a percent were neutral on the issue. But, you know, again we have sort of similar questions: how could this happen to LinkedIn? Okay, at least they didn't have clear-text passwords, but they weren't salting them, right? And again, how can people not understand a simple email describing the breach and potential impact and two-factor authentication? I didn't use any hard-to-understand terms, in my opinion. And again, the really scary thought: how many companies have been infiltrated since 2012 by the Russians?

So now I'm going to get to the Eyjafjallajökull methodology, but before that I'm just going to go through a few recent headlines. So we talked about 117 million password hashes that were leaked from LinkedIn; add to that Ashley Madison and some others from Troy Hunt's password list, like really 320 million password hashes, and they've been cracked. Hackers gain switch-flipping access to US power grids. 750,000 pacemakers have been confirmed as having suffered
security issues that could let them be hacked. Russian agents hacked US voting system manufacturers before the US election. Again, LinkedIn? Maybe, I don't know, maybe not. Hackers breached defenses of US voting machines in less than 90 minutes. Older news: the FBI warns car owners that car hacking is a real risk. And Prime Minister resigns after the Panama leaks. And almost last: is anyone here surprised? Exactly, no one is surprised. We know what the state of information security is, or rather the lack thereof.

So I'm going to use a bridge-building metaphor for describing the current state of IT security. Imagine that we have four thousand bridge builders. Out of those, three thousand get sort of hands-on training and 1,000 go to university to learn bridge building. Out of those 1,000, four take an elective class in bridge-building security. Okay, so let's take the three thousand nine hundred and ninety-six bridge builders and split them up into five hundred groups, and let's take the remaining four that did the elective class and just let them work in teams of one. Okay, and the reasoning behind the numbers in that particular metaphor is that in Iceland we have over 70,000 companies registered, over 1,000 of them are registered as IT companies, we have a Facebook group for programmers in Iceland with over 4,000 members, and there are three registered CISSPs. Okay, so let's imagine we have these 500 groups that are now starting to build bridges all at the same time, right? And then we have four security assessors doing security assessments at the same time. Now, whenever they find a security vulnerability they'll notify the original team, and the original team will either fix it or they'll say, you know, it's such an old bridge, you're going to have to buy a new one to get it fixed. And imagine that the security assessors are always finding the same kinds of vulnerabilities.

Now, if we listen to a lot of the leaders in the IT security industry, and the talk this morning was a great example, they say the cyber security workforce shortage is projected at 1.8 million by 2022. In my opinion, whenever people are talking about potential solutions for IT security, it's about, you know, four security assessors is nowhere near enough, we need 20, right? Yes, it sort of makes sense: four is not that many and 20 is far better. And then you have other IT security leaders that are saying, you know, you have to look at it from a micro perspective, let's say, and you have to look at it from the company: you have to create in your company a security culture, security awareness, and, you know, that could be good. But again, let's think about the five hundred groups. So let's say that 20 or 30 groups adopt this; they'll, you know, increase the security of the bridges that they build. Let's say seventy or a hundred, let's say 100; you still have four hundred other groups that are still building insecure bridges. So the Eyjafjallajökull methodology, the basic concept is: the only realistic way to address this is to teach every bridge builder the basics of bridge-building security. Seems obvious to me; apparently not to everyone. It's not that I'm not okay with having 20 or 40 security assessors, but I mean if you only have them, you're fighting an uphill battle. This is the only way to get realistic results. Now, before I continue, I did say I was going to explain the Eyjafjallajökull methodology, so how many of you have heard about it? I
heard "a little"? Yes? Eyjafjallajökull? No? Okay, I was hoping for more people to recognize it; it stopped air traffic a while ago. Now, seeing security vulnerabilities being discussed in the media, you see that, you know, Heartbleed or WannaCry get all the media attention because they're cool names, right? I thought I'd try my luck with this one. No luck so far. But yes, the only realistic way to address this is you have to do it asynchronously, and every single education level will need to be addressed. So we're talking about management, business, software development, system and network administration, board members of registered companies, auditors, legislators and others.

So what's really missing to me is, like, if you look at the MBA programs of the Ivy League schools in the US, there is no mandatory IT and operational security class being taught, and considering the importance of IT and operational security, I mean, companies are going bankrupt, there are, you know, a lot of fines; imagine if the CEOs actually understood the potential implications, then they could actually do something. So I'm not talking about them having to understand, sorry, complex things such as what a buffer overflow is, or another such vulnerability, or SQL injection; they just need to know how to ask the right questions and understand the potential impact on the business. So for example: has a vulnerability assessment been performed on our internal and external network? Were any critical or high-risk vulnerabilities discovered? What is the status of the remediation? I also have process-related questions; in the book I have a list of processes, I don't have time to cover it now. And also ask for IT security reports with summaries for executives. Again, if you have someone doing a vulnerability assessment or pen test, ask them for an executive summary, for something that the executives could understand. But of course, in order for them to be able to understand, they have to have gotten this education. Like, even thinking back to that particular Icelandic telecommunication company, the head of IT security there didn't have any technical IT security certifications, so maybe he was, you know, really good at doing policies, processes, procedures, but just didn't understand the technical part. And don't get me wrong, policies and procedures are one of the cornerstones of highly effective information security, but again you really have to understand the technical potential impact as well. And in Iceland, for example, if you want to be a board member of a highly regulated company, you need to go to the Financial Supervisory Authority and you have to pass an exam. So why not add IT security and operational security questions to that exam that you have to pass? And of course
we have to support this; you have to have the training in place to offer to them prior to introducing this. I think that's probably the only realistic way of addressing that particular place.

Now, if we look at computer science and software engineering, here's what we need to do; I'll get to it a little bit later, but for some reason, at the education level and in the industry, we have IT on one hand and IT security on the other. So, you know, some universities are now offering information security classes, but they don't really necessarily introduce it into the traditional software engineering classes. Now what I propose is that we teach all the professors basic IT and operational security and then make them point out potential vulnerabilities in the lectures, and also the schoolbooks should not be allowed to have insecure source code. Or, you know, if you really want to save space, you want to emphasize a particular idea, okay, you can have insecure source code, but it has to be marked with big letters: INSECURE SOURCE CODE. And when students have to hand in their home assignments, then if it contains a security vulnerability they should be failed, or at least get their grade lowered. Because if you think about it, if you take someone, let's assume they go to university for five years, and, you know, doing five years day in, day out, they've adopted some habits, right? And then they go to work for a big company, and let's say there's one hour of training per year on how to do secure software development. Let's say they show up, right; then, you know, there's a little bit of whispering, the latest office gossip, and then they have to leave a bit early to pick up the kids. You know, I'm trying to paint the worst picture here, but imagine: what do you think they're going to do? Do you think they're going to continue doing what they've been doing day in and day out for the last five years, or did this one hour just change their life completely? I'm going to assume they're going to continue doing what they've been doing day in, day out.

Now, all the stuff that I'm talking about so far, I mean, I know it's big, it's revolutionary, and this needs to be on a policy level and a government level. There's a lot of resources that are required, at least a lot of cooperation, so I mean it's a lot of work, and we have to do it asynchronously as well. Now, there are a few low-hanging fruits, though, that we could start applying right now, today. I was actually hoping someone from Cisco would be here. So how many of you are familiar with the Cisco
certifications and Microsoft certifications? Okay, some of you. So now, Cisco and Microsoft have these certifications so you can show how good you are, at least, you know, the basic skill sets. For the Cisco Certified Network Associate there are nine different types of certifications. Now you have one particular one which is CCNA Security. I would say, if I want to hire someone to run my routers and switches, I would want them to have a certificate; if I have Cisco equipment I would want them to have a certification from Cisco, I would want them to be a CCNA in Routing and Switching, right? That makes sense to me. Now, if you look at the requirements for that, you have to pass the ICND1 and the ICND2, or technically there's an exam that combines the two, but that's basically what you have to pass. Now, technically they cover a tiny, tiny bit relating to IT security, but for my purposes it's non-existent. However, if you look at the CCNA Security exam, that is impressive, that's really impressive. So what I'm proposing is: why not make that mandatory for any CCNA? So instead of having nine Cisco Certified Network Associate certifications, drop it down to eight, but make it a requirement, whenever you want to pass a CCNA, that you pass the CCNA Security exam, at least within two years. Imagine a world where, if you wanted to get someone to run your routers and switches, the only person you could get to do that also had a deep knowledge of how to secure it and maintain it, as opposed to the way it is today. For me that's a pretty beautiful picture.

Now, if you look at the Microsoft certifications as well, they now have the Microsoft Certified Solutions Associate, and let's take a look at Windows Server 2016: there are three exams that you have to pass, and again they more or less do not really touch on IT security. If you want to become a Microsoft Certified Solutions Expert, then they do offer, so basically you have to pass one out of ten optional exams, and one of them is Securing Windows Server 2016. And again, looking at the material they have there, again it's relatively impressive. And what I'm proposing is basically the same thing: why not make it a requirement for the Microsoft Certified Solutions Associate? Why do we want to distinguish the two? Why can't you just, if you want someone to run your operating system or run your servers or whatever, why not make it a requirement that they have the basic skill set for information security? So, in my book I do also cover, I mean, I do emphasize that legislation can be very helpful, especially now with the GDPR;
at least in Iceland, this is going to increase security awareness. Another idea I throw out, one of my dearest, is also maybe relatively unrealistic, but I wonder whether you should maybe require some sort of an exam. Think about it: if you live in Iceland and you want to have a gun license, you have to have someone recommend you, you have to take an exam, you have to get some training. If you want to become a pilot, you have to pass an examination. There are always all sorts of things that you have to pass, but apparently not for software development. Why not make a similar certification program there? So, you know, if you want to, it's just:
when you use a computer you still have to show the basic skill set, like your driving license. And then if you want to develop software, but just internally, maybe you have to live up to more requirements; if you want to develop software that's being consumed externally in a commercial sense, higher requirements; if you work in the health industry, you know, like pacemakers, or when you program software for a car, then there are even higher requirements. So I'm throwing out a lot of ideas that I consider relatively interesting, and I do have the book with me, and if someone gives me an interesting question I will probably give you a copy; otherwise I can
give you a fair price for a signed copy. I do have a few books with me, but I'm shameless, I know. So yeah, who was the first question? Yeah.
[Audience question, partly inaudible] ...do you think it's possible to first have a control for all insecure code samples online? So that's the more interesting question. Did everybody hear the question? Okay, so I mean, you almost have to prioritize, and if people are not security aware... I know it's definitely something you should do and you would want to do, there could be sort of a community project, and I mean, I've heard of a lot of cases where people have copy-pasted code that actually had security vulnerabilities in them, and there are stories that I have heard that some actually intentionally posted that code because it contained a security vulnerability. It's definitely something
that could be done, or could be tried. I'm not sure where in the prioritization it should go, but yeah, that's a good question. Yep.
[Audience question, partly inaudible] Is there some way...
Yeah, I mean, so technically, I mean, by law they are accountable for the operational security of the company; I mean, they have to do the taxes, they have to do all that, they're responsible for the financials towards the owner, so by law they are definitely responsible. The problem, at least until today, is still that they just don't understand IT security. And the question is, why should they understand security? You know, why do you know something? It's because someone taught it to you or you decided to learn it by yourself, and if it hasn't been taught to them, then you can't really expect them to know it. So I know there are a lot of workshops relating to
the GDPR, or the consultancies are trying to really sell consultancy hours, so they're doing a lot of work for us, but not...
Yeah, so basically the way it works is that the legal system has changed a little bit now, and you have to be compliant and you can be audited, and some companies will definitely be audited. But obviously, like in Iceland, when you have 70,000 companies and the people working at the Data Protection Authority are not that many, then, you know, obviously they're going to prioritize or do some risk-based assessments. If someone sends them pointers, I would assume that would show up on their notice. I don't know exactly how it is, but I would assume that's the way, and I wouldn't be surprised if there was some sort of auditing body that could certify you up
to a point, similar to, you know, the ISO 27000 certification.
Yes, I think it's going to be mixed, but I think the big question is sort of, you know, are you ready to risk it? Because you need to be compliant whether you've been audited or not. So if you demonstrate gross negligence and there was a huge data breach, I mean, like this particular Icelandic telecommunication company, I'm pretty certain they would have been fined four percent of their annual turnover, and especially for the big companies that can be a lot of money, and even for small companies. So once you hear those numbers, then hopefully you will react. Let's hope so. Yep. Yeah. Sorry. I definitely, I think that would be a great idea, and
you know, if you look at the GDPR or PSD2 or ISO 27001 or even PCI DSS, there are all these sorts of standards, or the NIS thing, yeah. They are always pushing you in the same direction: that you should have an IT security policy and ideally a statement, that you should have processes in place, and it should ideally be a risk-based approach. And so if you were compromised and you showed that you had a privacy program in place, you were working on implementing the controls, but you just didn't get lucky, I'm pretty sure, I wouldn't be surprised if they forgive that or give you the lower
fine, which might be 2 percent. Yeah, for some companies that's pocket change, but it's...
[inaudible]
Yeah, but this is a very good question, and if you think about it, I mean, I can promise you that the CEO of the Icelandic telecommunication company, or the CEO of any company that has been compromised, did not say "I knew it could happen and I was just ready to risk it." It's because they didn't understand. And just from the emails and the questions that I received from the people that I was trying to explain to, you know, how important it is to have different passwords, two-factor authentication, all those sorts of things, and the strength of the passwords, they don't understand it. So you're correct, it's the consumer, but at the same time I think the only realistic way to
address this is basically by the government forcing it into the educational system. And I'm talking about university level now, but ideally I would always want to introduce it in high school, maybe even lower. And again, there are always different perspectives: like if you go for the younger children, for example, it's more about, okay, install security updates, and privacy issues, being aware that whoever you're talking to, it could be someone else, and just creating the awareness. I think the only realistic way is if we get governments on board. If you take one university and they introduce this, or, you know, one or a few companies, if it's too small a unit, then yes, they'll be more secure, but if you also look at, people are claiming
like there was hacking related to the US election; you look at the government, what about hacking in other countries, is it important for them that the election is not hacked? If it is, then this is sort of the only realistic way to start fighting it. So, well, yeah, I think the only realistic way is to get government to force it. Yes, pass. Yeah, definitely. I mean, it depends, like, on how aggressive you can be, how aggressive you believe you can be, because ideally I would be interested, you know: from this day on, like one year from now, you have to have your computer license to operate a computer, and then you'd have, like, again,
how realistic it is... probably unrealistic, but you sort of need to force people. Yeah, well, sorry, you were first, I think. Yep, yes.
[Audience question, partly inaudible] ...people whose...
So yes, there was a lawsuit, and it was covered in the media when a group got together to sue this particular company, but then it was never talked about again, so it never reached the media again, at least. So maybe they were able to reach some sort of agreement or something, and they kept it out of the media. That's again the question: in Iceland the law is very interesting; unlike in the US, where you can make a lot of money, in Iceland the amounts you get for the craziest things are very low, so it can be very difficult, and
if they get something, it might not even cover the cost of the legal prosecution. Just, yeah.
[Audience question, partly inaudible] ...what about when people use static analysis tools? Yep.
Everybody... it's a good question. I completely agree, you should be using static analysis tools, you should be using every possible tool you can, but you should not rely on that alone, because, I mean, even with static analysis tools, you find the low-hanging fruit: the SQL injections, the buffer overflows, potentially, at least the obvious ones, but you're not going to find logic vulnerabilities. And again, it's not going to make people use secure passwords, it's not going to make people enable two-factor authentication. There's, yeah, exactly, yeah. So I'm going to think the only realistic way to address this is we have to force everybody, like using the
bridge-building metaphor: I think every bridge builder needs to be trained in the art of bridge-building security.
Yeah, why so much? Well, here's the thing though: if you haven't taken a class on IT security, you don't know this tool exists, you don't realize why you need it, right? Why should you spend, like, oh, the... it's like Veracode, it's not cheap, you know, you can use that for static analysis, it's pretty cool, and the company I work for, they use that.