My friend Ben: solid employee, DPRK agent

All right. Good afternoon, everybody. Thank you for coming out. I appreciate you taking the time. >> Oh, you can't hear. How's How's the sound? So, so okay, hang on. How about now? >> Much better. Oh, >> still good. All right, great. Make sure these are off.

So, thank you for coming. My name is Chris Merkel. I'm a senior director in cyber defense at Northwestern Mutual, which is a large insurance and investment firm. Um, and I'm here to talk about North Korean uh, workforce infiltration and uh, I'll be sharing a bit about my story. Um, but uh, this is a little bit about me. So, um, I've done a lot of things over a 20 year career in cyber defense um, and and cyber security in general. I enjoy hunting bad actors. Um, I I genuinely consider cyber to be a societal problem and I'm glad to be part of the solution. I enjoy doing career development with folks. So, here at Bsides, there's a career village. Uh, I

enjoy volunteering uh when I can and and do career village things at at a local level. And if you, you know, understood the the the talk title, I I assure you I am not Iglass. If you and I'm not going to do an Iglass impression. And if you understood that joke, thank you. If you didn't, stick around to the end. I'll explain it. Um, and then and then one last caveat, I I have to give these in in all my talks, which is um the information I'm sharing is any perspectives I have are own my own opinion, not that of my employer. but also that some of the information that I'll be sharing today is drawn from

my experiences, but I'll be talking about things that largely are known in public. So, I'm not here dropping any information that would be confidential or things like that or recording. So, with that means that some uh names, places, and things like that have been changed uh because it represents non-public information. Um but the the overall story that I'm gonna I'm gonna try to tell here um is true. The other is that the topic of um workforce infiltration is massive. Um I'm going to be sharing my set of experiences and what I've found in talking to a lot of other folks in the industry is that it tends to resonate with them too. So I I think I'm talking about the most

common set of experiences, but what you face may not be the same as what I've been dealing with. So with that, our program today, a story in three acts. Act one, we're going to set up the story. We're going to talk about the pandemic, the rise of overemployment schemes. Then we're going to get to talking about my friend Ben and the threat of workforce infiltration. And finally, we're going to end with solutions. I like to always try to end with solutions. Um, so we're going to talk about helping people bring their authentic selves to work. So with that, act one, the pandemic and rise of overemployment schemes. So, our story starts pre- pandemic, things that my organization and frankly

most large enterprises have dealt with and are dealing with, and it's what I call subbing. It's contractors all the way down. So pre- pandemic, your organization very likely has some percentage of your workforce represented by outside contractors. The problem is is that your outsourced labor is outsourcing their labor. What that means is that your contract firm is there to throw bodies at the problem and they're not always good at figuring out how to throw qualified bodies at the problem. So what happens that labor market self-optimizes. What that means is that they're phoning a friend when they need help with something. Oh, I don't know boto development. I was hired to do this. I know my buddy knows this and he doesn't

know that. So, we'll just kind of like collaborate. Sounds like a fantastic idea except that that person is outside your organization. That data is going to people you don't know. That gets real problematic real quick. Um, if you have a large um, contingent labor workforce in your organization and you don't think you have this problem, I regret to inform you you do. The only question is whether you're interested in dealing with it. So, how do we prevent this? You know, what we've seen successful is wellrotoed proficiency testing. If you can work with a firm that is willing to do the testing and share those results, that goes a long way to ensuring that you are

uh uh filling roles with candidates that have the right skills. From a detection perspective, how do we know this is happening? Look for longunning calls. So, Zoom, Teams, Meet, what have you, they have a log stream, you hopefully have a SIM, and uh that gives you the ability to uh run analytics on call statistics. So, if you see a uh 5-hour call between two individuals, one of whom is outside the organization um with screen sharing going on and file transfer activity and things like that, there's a good chance that this is happening. Um and then beyond that, you know, relying on on your typical tools for data excfiltration, DLP, things like that. And I understand that those tools

often have their own challenges. So, we're setting the stage here. So this is subbing. What I call subbing. Then the pandemic starts. What did we do? We learned how to make sourdough. We bought ring lights. How many ring lights are in closets right now? Um we learned that we could work four jobs at the same time. Um, so, so this is what I call job stacking. I don't call it job stacking. Everybody calls it job stacking. Okay? And you first heard it here. Corporate America is bad at measuring employee output and performance. If this is news to you, I'm sorry. You'll you'll find out soon enough. Um so so what we found during the pandemic was there was a massive

increase in remote hiring because you kind of had to and many organizations uh who had who had CEOs who you know wanted to be liked and loved said that's it we're going full remote for the end of time and you know about 10% of those actually you know still do that but whatever. Um so with that came the understanding that the uh the issue in corporate America around managers not being able to uh deal with uh employees underperforming um you know results in people being able to do multiple jobs. Now it's not just the manager's fault. It's not just a training issue with them. It's not just HR's fault. Okay. Um there is an aspect

of bureaucratic enablement and that is to say firing people is a lot of work. Now I'm going to pause there for a moment and interject a personal opinion which is that's a good thing. I believe in strong labor and workforce protections. However, this creates a system in which it is difficult to deal with somebody who is underperforming because as a manager your first question is is this a performance issue? Are they failing to ramp up? What's going on here? Is it is it just that I've I've got a candidate who's not suited to the role or the case that um you know they just need to be educated better. So what most managers do is they just try harder. Good

well-meaning managers put in time and effort to help that employee improve. Then they realize this isn't going to work. um you know so so again you're you're at like several months of of coaching and development at this point. So now we have to go into the multi-step performance improvement plan the good old PIP. Well that takes time because now you have to go and document all the conversations you had and and go through that whole PIP process and that's no fun. The net result is it takes a minimum of six months if you if you haven't caught somebody in the probationary phase. If your organization has such a thing, it's going to take an average of six months

to that get that person back out of your organization. And then uhoh, now we have a downturn in tech. There's a hiring freeze in place. No managers, you're not going to get that back, Phil, because we want that money back. So if you lose an employee, the finance department and our shareholders thank you for your contribution. So what is the unintended consequence of doing this? Tolerating low performance. Because again with these folks that are doing the job stacking, it's not the case that they're intentionally trying to do a bad job. They're just trying to do eight jobs when, you know, realistically they can only really do two well at the same time in corporate America.

Um, so the question is, what does this have to do with a cash hungry mi military dictatorship constantly on the lookout for money-making schemes? Well, that leads us to act two, my friend Ben. First of all, Ben is the name of a stolen identity. Um, I'm using this name and I'm not providing a last name. Uh, because there are actually a lot of Benz. Uh, I read one article where they had let go so many people associated with this scheme and realized that three out of four of them were all named Ben. I don't know why, but they got to calling them the Benz. Um, which I I thought was was kind of funny. Um, so the thing is is Ben is the name

of a stolen identity. So, so, so the person the Ben's refer to is indeed a real person, generally alive, uh, somewhere in the United States. Now, that stolen identity, they may or may not know that this is happening. Um, I did read a comment on a blog post about this topic where some commenter said, "Oh, yeah. I don't work in technology. This happened to me. I'm getting all kinds of paperwork and sometimes paychecks for jobs that I don't have." Um, which I found to be very funny. But let's talk about Ben. What do we know about Ben? Well, Ben's a bit of a prodigy. Ben was hired right out of college as a lead engineer in Silicon

Valley companies. That's impressive. Um, so, so he spent his time cutting his teeth in the the the places that middle America corporate IT looks at and says, "Boy, would I love to have one of those engineers on staff." He leaves SoCal and has since held several principal engineer roles conveniently at companies in my vertical. This is great. What a great candidate. Now, for reasons that I don't completely understand, he leaves that tenure of direct employment behind and signs up to be a contractor instead at the second largest contract firm in the tri-state area. Okay? Which is to say, it's a bit of a headscratcher. Why? When you have access to the salary, the stability, the

benefits, options, and equity, all those things. Why? Why are they doing this? Strangely enough, the contract firms don't seem interested in knowing the answer to that question. They're just super excited that they've got somebody of this caliber that can help them prove their value to their clients. So, let's get to know Ben a little bit better. First of all, Ben moves a lot. And the time he moves is generally between the time he gets assigned to a company and when he needs to get started because something inevitably happens. Uh his significant other takes a job in a different state. Uh a bunch of his friends go here and they want a room together. The excuses for the movement

are endless and varied, but they all have one thing in common. Ben always moves before his laptop arrives. Okay? Now, if you haven't figured out why yet, it's because it's a stolen identity. If you shipped it to the actual address on that resume, the wrong person is receiving the laptop. So, that laptop has to get shipped somewhere else. But that's okay. Ben gets plugged in. His laptop's working good, you know, gets up to speed. Uh, might join your your your Zoom calls, your team calls maybe. Um, but he doesn't talk much about his personal life, which that's okay. You know, I'm I'm standing in a room full of cyber security professionals. Some percentage of you

are people who are really really introverted and never ever ever talk about your personal lives. And you are fantastic professionals and I thank you. So you don't stand out on teams like this. his camera's always off. But of course, when you work on a highly demoralized team, that's what everybody does, you know, because, you know, then nobody is seen making faces and rude gestures toward the camera, as may happen on these calls. Ben's not particularly responsive despite the fact that he is on shore, as we would say in uh North America. Um, typically he gets back to you within about four hours. Now, his his manager is not like real happy about that, but you know, Ben generally kind of sort of

eventually gets the work done and the work is fine. Now, I've heard in some cases managers saying, "Oh my gosh, no, we can't let this person go. They're amazing." Right? That happens, too. and and other times. So there's a there's a there's a spectrum of um performance as you find in any labor pool. Ben does frequently miss meetings. His cat, God bless his poor little cats, always coming down with some sort of an illness. And when it's not his cat, it's his girlfriend's cat. Um, and I am using his and him because to my knowledge we have not seen somebody who identifies as female in these types of schemes. It's always been uh men. Now the the other problem is Ben's

manager is really busy. Uh if you look at an org chart, uh he has uh bunch of staff engineers uh who probably take up most of his time. uh and then a huge amount of contractors. So the ability for his manager to provide meaningful oversight simply isn't there. And in the case of contractors, if you're a manager, again, you you make rational decisions as a manager, where do you spend your time investing in people? And the reality is you don't spend your time investing in contractors, you know, personal growth and development and team cohesion and things like that, right? um you know in in in many cases I've seen managers who do a fantastic job

working with and managing contractors and I see others who who treat them as as as a as a jura machine where tickets go in and work comes out the other end and we generally just don't talk to them as long as that continues to happen. I think that's a bit dehumanizing and unfortunate but it certainly does happen. So Ven is settled in. He's doing his work mostly. He's showing up here and there. Um but something's going around going on in the background here. So you you remember what I said earlier about the problem of job stacking and subbing. Now uh uh subbing in most organizational contexts is something you really don't want to happen. It is bad bad bad. Your

data is now at some other firm in the hands of somebody you don't know and and that's that's a bad thing. Uh job stacking like I don't know like that that to me feels like more of an HR and performance issue, right? I don't I wouldn't uh decry anybody who decides to go drive for Uber in their off hours uh despite having a full-time job, right? Uh I don't know if you can swing two jobs. Uh who am I to say that that that's bad? Obviously, there's concern about data spillage, data leakage, and and things like that. But most of these um you know the YouTubers, the guides and things like that um they do a pretty

good job of explaining why you want to keep all of that separated which for me as a security professional I really appreciate. Like thank you. Thank you for not taking the Zoom call from the other corporation's computer. Okay, good on you. So if you're doing that, just do a good job of keeping that separated. Okay, that's all I'm saying. Um, but I've got a team of people who are on the lookout for these kinds of things because like I said, they pose a bit of a risk. So, I've got an insider team who's hunting for these subs and these stackers and we're doing so primarily through technical means. Okay. Um, like I said, we're looking for things like

new accounts downloading VPN and uh remote management tools. um that's usually a sign of two things. One, the the person is is doing this type of job chicainery or they fancy themselves kind of a techie and want to have ProtonVPN and remote in their system with Team Viewer and Any Desk and all this kind of nonsense. They're uh uh uh they are they are IT people that at least in an organiz if you're in an organization that's very uh heavily regulated uh you you don't get to stand out that way. You don't get special tools. Sorry. Like that's that's not allowed, right? So we're looking for things like that because um we want to root out certain

types of of behaviors that kind of run the gamut. We're looking again for those longunning web conferencing sessions. Um, we've been hunting for KVM over IP USB device identifiers. There's a couple of really popular ones on the market. Uh, Tiny Pilot being one of them. Um, there's there's like an endless longtail of uh uh cheap uh overseas manufactured ones. Um, but if you kind of go on Amazon and and pick out some of those top ones, you can find people using uh KVM over IP devices. Um you and if you have uh system management tools or uh EDR tools uh that can do device querying and discovery and things like that, you can find these things.

Um obviously looking for your your typical anomalous um outofcountry login. Um so everything from you know geo IP discrepancies to impossible travel things like that. Um, and then one of the other things that we were looking at was things that look like corporate network peers. Okay, so if you think about your home network, and I, and I know all of you have really cool home network setups that you, you know, you're going to brag to me about. Um, because because everybody's got them. Um, realistically you might have two, three, four corporateisssued devices on your LAN. Maybe you, maybe your spouse, maybe another person, maybe maybe you're rooming with a few people, but like that that total count of

corporate managed systems is fairly small. The rest of what is seen in terms of like broadcast announcements, DNS names and things like that on your local LAN are things like Chris Merkel's MacBook Pro and you know tablets and all this consumer grade stuff. If it's a Windows laptop or a Windows desktop, it's called laptop dash string of letters and characters, right? You know, most people when they have a personally owned device don't go and use what looks like a corporate naming convention to call your computer workstation 38721, right? Um so if you're kind of good at data analysis, you can start to look at network peers to understand um how many corporate devices all kind

of show up in the same place. Now why would you look for such a thing? Well, for those people that are job stacking, you would expect to see a higher quantity of uh corporate assets on on somebody's local land. Now, uh I I do want to state that you can't um uh you have to understand the legal boundaries, right? Um if you're carrying out an end mapap scan or a vulnerability scan from the the standpoint of a local machine, your lawyers may have a problem with you. However, there is a ton of broadcast traffic that occurs on a typical LAN that hits the Ethernet interface of your corporate managed asset that you may be able to take

advantage of. I'm being non-specific because there's not like a good playbook for do doing this. You have to understand your tools, their capabilities, and things like that and determine whether you're capable of doing something like that. So, generally my subs, my stackers, they're usually tripping one or two of these detections. Ben caught them all. Um, and that was wild. Now, at at this point, I don't know that I've got a DPRK person. I've just got somebody who just lit up like a Christmas tree. Um, and in case you're wondering, the AI slop images that I'm using, um, I have used Google Translate on all of the Korean and most of it is actual Korean words. If you speak Korean and you're

reading that and going, "What on earth does that mean?" I don't know. But most of it is syntactically correct. So, having found somebody who, like I said, really lit us up, um, this is where our friendship begins. Or, I should say it's more of a parasocial relationship. So, we start to dig in. We look at Ben's resume. His years of service don't add up. either um he's not telling the truth or he is much older than he appears to be and I want to know his skincare routine. Um it just it doesn't make sense. Uh criminal background check generally clean. Good. Now in some organizations you can get uh workforce history reports like uh Equifax work number um and things like

that. um that history report does not match the resume. Now again, that's not the most damning bit of evidence because people lie on their resumes all the time. Okay. What's interesting is LinkedIn profiles less than a year old have despite having worked in tech since what I think is the age of eight if I do the numbers. Um most of his pictures look like stock photos. So there's a lot of shots from far away that show engagement and like fun and interesting activities but like they're far enough away that you don't get a whole lot of facial detail. Um you know reverse image search great for that kind of stuff. Um, we find out much more about Ben than

Ben's generally willing to disclose to his team on calls, which which is neat. It's fun to really get to know people. Ben likes to ski. Uh, interesting. Interestingly enough, despite being inside the United States his whole life, he owns a ski jacket that's only available for sale in Australia and Singapore. That's kind of neat. Good for him. Like eBay hunting, I don't know. Um, but then that picture from his ski trip to Colorado, which is a a closer, you know, face, very visible pick. Uh, who's played Geogesser before by by show of hands? Awesome. Awesome. I have a son who's really good at Geogesser. Um, so I love that y'all do this. Um, Geogesser, you can play it

at work. It's a real job skill if you're in threat intelligence. You heard it from me. You tell your manager. Okay. Um, the ski trip in Colorado we geoged to be a mountain in China. So that's interesting. Um, and then of course more reverse image searching finds more GitHub profiles, LinkedIn profiles, uh, personal websites, portfolio style websites, and things like that that all share the same picture and name. So now we're left wondering, who am I dealing with here? Right? We're we're starting to zero in on a hypothesis that I might just have a DRPK actor in my environment. So where is Ben? So the the laptop does indeed geollocate to the new city, the city he moved to,

uh three to four states away. Um and this is where where Osent matters. Um the shipping address yields different names associated with the house obtained by publicly accessible property records. Again, maybe you're renting and that is completely normal. Okay. Um but doing some more oent on the actual property owner, you see uh criminal records, civil judgments, um all kinds of stuff like like the person who who actually like owns this house. Um little bit sketchy um at a certain and and then the other thing is we don't see them as looking like an investment property owner. We don't see in the large metropolitan area um you know multiple active ownership of property. We only see one person owning

one property at a time. But the laptop actually uh moves across town. Um and and now if if if this was a rental situation, you would expect that the uh the destination address would have a different owner than where they came from. But they don't. they have the same owner. So that lends additional credence to the idea that this person um this laptop is uh at in in the possession of the person who owns the property. Um another thing you can get from your laptops in your environment is snapshots of uh all the Wi-Fi networks around you. So you can get the BSSIDs, the MAC addresses, signal strength, all those kinds of things. And I have found that

most thread intel organizations that are, you know, really worth their salt still are kind of sometimes sleeping on the Google location services API because if you have an Android phone, uh, and you have nothing but Wi-Fi available to you, uh, you can still be geollocated. So there's a publicly available geoloccation services API. you can feed it the the list of uh SSIDs, signal strengths, things like that and get a fairly accurate uh uh location. And in our case, that location uh services uh based on the the surrounding networks um you know located him in the general vicinity of that property address. So, I had a pretty good handle on saying because because I'll tell you like

generally from a privacy perspective as a corporation, systematic collection of location data on laptops um generally frowned upon. I don't advocate doing that as a wholesale regular routine kind of a thing. Okay. Um I think it results in a lot of uh ethical and privacy concerns. Um but we we say to ourselves, okay, I think we have a laptop farm now. Um, this this next picture here is is one of the few that is not AI generated. This is a picture of an actual laptop farm. Um, I actually kind of cropped the image. It's twice as large as this. Uh, this comes by way of the DOJ. [snorts] Um, and and what happens is in this scheme,

you you can't take a laptop and ship it overseas. It'll get noticed. It'll get caught. It'll, you know, it'll be found out at at some point or another. hopefully in organizations, right? So, so people are recruited uh often by a telegram to operate laptop farms. It is not clear to me in reviewing some of these uh solicitations whether the person knows at the beginning that they are involved in a criminal scheme with the most sanctioned c country on the planet. Okay. Um, obviously most people aren't going to respond to an ad that says, "Do you want to support the weapons program of our dear leader?" Okay, they did the AB testing. It just doesn't work. Okay. Um,

instead it's vague language about uh offshore contracting and facilitating and uh some of them even get into data tenency, you know, and things like that. They've got all kinds of like kind of flimsy excuses. So, if you are a person who is in need of of additional income and and who isn't, um, uh, you're going to get roped into something like this. Um, uh, generally speaking, you have, uh, about up to 50 laptops maintained by that local farmer, and they've got a distinct set of job responsibilities. Uh, they're monitoring all these laptops, what's going on on them. They're ensuring that uh uh VPNs stay connected back to the corporation. They make sure that the mouse jigglers are

there. Um they're installing remote management tools. Uh those are generally preferred first because they can be configured for unattended access. Obviously, if you set up a a a Teams call or a Zoom call or something like that, that takes a little more like care and feeding to like keep up and running and make sure the screen sharing is working and things like that. Um but they're there really to just facilitate the remote access into those machines um and and uh you know make sure that they're up and running. Um laptop farmers uh you know generally take a cut of the take-home pay for each worker. Um in this case uh this is from a person

who was recently sentenced to eight years and a significant monetary judgment uh for operating this laptop farm. This person uh kind of clueless. They're they went on TikTok to complain about their boss one day um and tell them how good the uh the acai bowl was from the place down the street while like the laptop farm was in the background on Tik Tok. >> Um now if you ask me whether somebody of that caliber should be sentenced to eight years, I think that's a good open question. So you found a Ben. What do you do about it? Well, you got to make some decisions. Do you need to collect forensic evidence or are you willing to

just cut that laptop off and walk away? Uh you're you as an organization, you have to decide what's more valuable to you, what your regulatory and risk drivers are. It is a business and risk management decision, not a technical decision. So, you got to bring the right people in. Um you're going to want to do an internal access review. uh you're going to need to work with uh uh HR, law, privacy, and things like that. You're going to need to know how, you know, how and whether you're going to engage with law enforcement and things like that. Um if you decide to go the intel route, um have a plan for quarantining and bricking. Prepare for

when they call the help desk. Otherwise, the help desk will just try to help them. That's not good. Um getting them to join from a personal phone is going to be tricky. They're not going to want to give that up if you've quarantined the laptop. Um, however, they are often willing to ship laptops back. And I was just talking to somebody uh yesterday who who said that sometimes when they know the jig is up, they'll ask for the last paycheck in exchange for the laptop, which I think, yeah, you got to hand it to them. So, that's what ends up happening. And and the thing is is like they're not in there rampaging when they know the jig

is up. Like, they're just in there to do work. They're there to collect a paycheck. They are not the part of the North Korean uh cyber folks who are there to cause havoc and steal and and do all those kinds of things. This is simply a money-making opportunity just like all the other hairbrained ones the Kim regime is engaged in. So on to solutions here. So that takes us act three. Act three, trust issues. helping people bring their authentic selves to work. The gold standard here is in-person stuff. Now, the second I say that, everybody thinks to themselves, "Oh, no. Our corporate overlords are absolutely not going to be okay with that because the second I have to pay money to fly

somebody in for interviews, I'm adding, you know, a minimum of $1,000 uh, you know, per interview, right? Okay. Well, then don't do that. Do it after you've hired somebody. Well, yeah, but that still costs money. Okay, I get that. So, but I'll tell you what I I stated earlier that this is not a problem that is best solved through technology. It is a problem best solved through process. And that process is do strong in-person identity validation. If you do that, the likelihood of you having this problem goes down drastically. Okay. Now, some bright engineer might say, "Oh, I know. We have all these new document verification services." Yes, we do. And we also have a telegram channel

where I can pay $10 to generate an ID that passes all of those. Okay, those uh know your customer document verification things, if you rely on them, I am sorry. Um maybe they work for your threat scenarios. They don't work for this one. the address change. You need to have visibility into your business process. And oh my gosh, I am so happy right now. As a quick aside, everybody in the audience for being here, you all get North Korean flags. As a speaker, I am given the opportunity to make one outrageous request, and that is to have North Korean flags handed out to all of you. So, uh, let's give it up for the people at BSIS for being super

awesome. Thank you. So, en enjoy your handout. Dear Damon, would like to thank you for participating in the glorious economic activity of our fully American conference. There is no association with the Democratic People's Republic of Korea or any other. We are all happy and productive workers here. Thank you. >> All our volunteers are well fed. [laughter] >> Um, so that address change is a red flag, but that means you have to get in the middle of the hiring processes of your contractors. That means you have to get your contractors on board to stop what they're doing when that happens. But if you can't do that document verification, stopping that laptop shipment is huge. It's critical. Okay.

increase that due diligence of your your contracting partners. Most of this hiring is happening through contract firms and cutouts. It's not usually happening in the uh happening through direct employment, although they try. Um do not necessarily rely on um your contract firms to do these background checks, uh review resumes, and things like that. At least if you have high-risisk positions, identify what those are that have contract staff in them and do those reviews yourself. Make sure they make sense because so many of these résumés have are just littered with with contextual red flags. Um, and then finally, if you have people in high sensitivity positions, um, maybe consider the use of a hardware security token like a phto key. Because if you're

a laptop farmer, having to go around and and like constantly tap that phto key whenever you need to carry out a high-risk interaction with a technology system in your environment, that's a huge huge mess, right? That's going to suck. Okay, if you can do that, I strong first of all, if you can do that in general for high-risisk transactions in your environment, please do so. But uh if you have to like scope it, at least do it for those offshore contractors. Uh and then finally, there are some technical indicators. We talked about those longunning calls, the the installation and use of remote access tools in particular within the first 14 days of hiring. Um, watch out for uh

browser and IDE plugins if you can. A lot of them, just like everybody else, like to use AI. Um, and then of course for for like the subs and stackers, go to r/over employed. Understand what they're doing and and you know, maybe you can work on that, too. So, like I said, focus on business process, not technology solutions. I know you are all technologists, but I'm asking you to to work internally across your organization to solve this problem because that's where it happens is in that partnership with HR and law and those other partners. Okay, if you have the opportunity, educate and manage your environment what those red flags look like. Form that collaboration. So with

that, the last thing I want to say here is that I did this in the style of the show This American Life, uh, which is found on National Public Radio. Um, we have seen a significant devaluation of public media in this country. So um, you know, I will ask you to wave your flags, but more importantly, what I ask you to do is support public media. How many of you listen to darknet diaries? If there was not this American life, there would not be the darknet diaries you're listening to today. Public media um fuels innovation and knowledge and I strongly recommend uh that that you give it the support that it's due. So, with that, I'm at time and um I I'm not going

to be able to take questions because I can't give off-the- cuff responses uh to to some of these things, but even better, we can have some some uh uh out there conversation. So, I'm going to head out there and anybody who wants to to to talk certainly can. And there are a lot of flags available, so please take one. In true democratic people's republic rep public fashion, you are all now part of the economic output of this conference and you must assemble your own flags if you want to go to happy hour later. Thank you so much. >> [applause]