BSides Glasgow 2018 - Beginner's Paradise - Andrew Scott

texture Scotland but try and ignore the branding on the slides that's just a slide deck that I have to use I'm actually here more because I care about security testing and security across Scotland I'm because of that I'd really like to help people to get into security testing our security type rules whatever that may turn out to be and with whatever company so this is absolutely not any kind of sales pitch this is about people getting the right kind of training and doing the right kind of things because it's the right thing to do so assumption is that most of the people in the room here would really quite like to be a pen tester why is that oh yeah

pen testing really cool and that's why you know besides everything else that goes on all pretty decent but pen testers are in lots of money and one of the things that makes it really appeal for me it's kind of that it's helps us as society whether that's Scotland whether that's your little group of friends whether that's your company or just get better now Security's not in a great place in the world so there are lots of opportunities at the moment and it's all worthy things to do if it's working for a bank you're protecting people's money you're working even for the government you're protecting I guess our status as a society if you're working for lady

then maybe it's a bit more violent than that there's still fun and that's kind of kind of icky so this is really about how do you go from I'm interested in security up to I actually I really would like to work in security and it really makes three things you got to have a whole bunch of knowledge you've got to have some execution of that knowledge just having it sitting in your brain is not going to actually help and then fitting into the industry here's it's a big old industry out there you know security is it's a bit of a microcosm you may have noticed some of the stands downstairs where lots of people that all

know each other because they've all work together previously are all just circulating around the industry so it's not that big but there are a lot of different choices and knowing how you fit in is a key part of making sure that you're there to do what you need to do three dots as always and then eventually your profit I do have to put in a little note obviously because I'm going to be recommending through a list that you go out and do some hacking pen testing is hacking but with a bit of paper saying that you're allowed to so if you don't have that bit of paper in some shape or form then it's just

hacking and that's illegal and I don't want anyone to end up in jail because of that and we will come back to why yeah you don't want to end up like that guy so part one knowing stuff lots of different ways to get involved in in security and learning the things that you need to learn I tend to break it down into two different sections first know how things are supposed to work because you know you gotta have something to build on and then secondly work out the little gaps between where those those supposes that supposed to works turn into not what point working right in a kind of a way that's going to lead to some kind of breach or a problem

so how do you learn how to how things are made to work main main routes to that official courses I think fair number in this room either have been or are currently engaged in one of our local university courses some really really good content there but you know that's not always the the option that's open to everyone but the plenty of other ways of learning about security or how to build things whether it's so I've always been a bit of a fan of actually building things for yourself find the reason to drive you towards building something for yourself for a either your family or charity that you care about find University Society that you can be involved in bill

their website out run their email server four of them shoot this stuff together so you can see how it's meant to work and what the that kind of helps you later in your career as well in terms of building an understanding of the people that have to fix the problems that you're hopefully going to find now putting the different you need different systems together it's not actually that easy and I think a lot of people in the security industry sometimes lose track of that a little bit when they say just go and patch that thing they're not really fully understanding what that might mean for the people that have to have to do have to actually implement

that on their behalf now if you if you're more on the coding side then build an app to help someone with something get involved in a B sides and say actually you know what I'm going to put your speaker schedule on a tap and build it out for you stick it on Google Play and then you've been there you've built that and you start to understand the processes that you've got to put it together before you start taking it apart and now I have the same you know I one of the ways that I help educate myself is running a home lab part of that is keeping my personal email account and personal a you know kind of

inside my house IT running and alongside that then run a whole bunch of VMs - to help build things so you can put together a whole Windows demeans on a very reasonably SPECT up set of systems these days put yourself out there and help people absolutely but then how do you take that next step and work out started to break things so start with your own stuff the stuff that you've just built you know there's nothing quite so as informative as taking something you've built and kind of destroying it so way back in probably almost 20 years ago now I built a couple of websites for the university societies I was involved with at the time and I

back then I I wasn't in security at all I was just a computer science grad you know tinkering with PHP and ASP and it wasn't until a couple of years later when I joined texting company and starting to learn about these things I realize quite how badly I decoded those websites absolutely littered with cross-site scripting sequel injection local file inclusion and some of the worst offenses that I committed when I was creating those things were the things that I as a coder thought were the neatest bits which was quite embarrassing luckily I didn't last very long on that on the Internet yeah so when you're saying you start putting on things start learning how to take things apart conferences

obviously here really also please one of the Oregon ahead Adobe sites started putting together a constantly updated list of security things going on in the central belt of Scotland and it very quickly got its a too long a list to realistically mean team there's just so much going on from the security Meetup DEFCON that I think Andy runs got Edinburgh 2600 both all the unis have got societies which are really really awesome places to learn stuff and a lot of them concentrate a lot on CTF vendor challenges you know so we've got the drawing downstairs take a pot it trying to control that no that's about in the yeah so the CTFs fell all the vendor

websites almost all would have some kind of CTF type thing to get involved in a all these societies again you can go out the over the web there's loads of learning resources these days and hack the box we're really quite involved with but there's plenty of other ones the hack lab hack this the site org or wasp will give you images to download and let you let you run them got Muslim their boss here so it's all lots of stuff that you can do pick up that not sure that that's always always enough to teach you exactly how to you know be a pen tester because this is you know the difference between having that knowledge and then taking

that and applying it a way that's going to be really attractive to an employer because that's usually the endgame years to end up employed to hack things because then you get the money and the fun rather than just the fun of it so and satisfying as that can be and that's where you come to actually executing if you know you're taking the knowledge that you've gained through all those courses and it's stuff that you've learnt and actually doing something useful with it but and this is the key thing is being able to evidence that afterwards so take the learnings that you've got you're already employed start getting involved in the security side of that so that when someone wants you to

talk about stories about when did you do a pen test you can say actually I persuaded my boss at my last place where I was just a normal IT guy to let me run some tools on the net where I can find out how the security of the organization was and that's you know that's starting towards being a pen test one of my favorite ones to kind of recommend for people is it's really good in terms of not having any legal implications is install open source stuff yourself use you know make a VM with a mail server web server or something download are what a web mail app that you can host yourself and use that to

access your email potentially but they actually sit in pen tester as well you know these things usually written in PHP or post to yourself our CMS based website all these PHP things dead easy to get up and running loads of vulnerabilities and I'll let you over time you know once you find something interact with the developers of that system get yourself a CV and common vulnerability number and that goes on your CV and really good evidence that you're actively out there doing pen testing involved in community and you know educating yourself Bounty's and responsible disclosures a bit of an odd one especially if you're just starting out I think responsible disclosure it's great because it means

that you've got things you're allowed to test so if you look at some of the banks Facebook Google things that all got responsible disclosure of policies or bug bounties and that basically gives you that bit of paper that says you're a way to do some testing year which is you know that the important step when your dear and that's why working on your own VMs is so powerful because that's all then stuff that you own your testing their code that it's on a network that you're running and that key to not go into jail some certifications I think is interesting so we're recruiting quite heavily just now and we're really finding is that certifications are nice

some are better than others but probably the really good badges that you need to know what it is which ones you're aiming for and what your end goal kind of days before you start working towards them are spending too much money on it like OS CPU it's really well respected crest really well respected ceh probably more to get you past some HR drones there's still you know education process of going through it kind of useful but certainly wouldn't want to wave that bit of paper around and claim that you're you're absolutely definitely a pen test pen tester now and there's just a an example from someone that we've just taken on who's authorized me to put this

up here and it's just the kind of thing that I'm talking about in terms of having that stage of evidence within your CV to get past that first stage of the hiring process just here's a list of things that I've done that actively sure that I really know how to do pen testing so this is this is quite an interesting one so kind of kind of fitting in where do you fit in to the industry again obligatory don't go to jail pretty much no one in the UK is going to employ you once you've been to jail for a pentesting type thing if you got driving offence I don't care but you know if you you broken the computer

misuse Act you're going to have to be something really really special before even consider looking at it and none of our customers are the one to employ you either so yeah avoid going to jail for a computer misuse Act type things but wider than that eh trying to understand where you're aiming for you know because of very different lifestyles available within the security industry you've got examples in the room or people that do secure coding still need to know all about pen testing and what the vulnerabilities are be use it to build things do you want to work in a big multinational company it's a very nice lifestyle and I did it for ten years

largely nine-to-five kind of job but still working to improve that overall security aspect of the world so it's really valuable work there's quite different are you more into consultancy where you know you're working with a different customer every other week different systems really exciting can be a bit high-stress for some people and we also got you know the that's pen testing specialist consultancy or you could even go to like one of the big fives or something and be security specialists within them absolutely space for all those different things so you need to have an idea what you're aiming for because where the things that you need to do to get into those places are very

very different you know you get a big bank recruitment process looks like there's a day-long potential especially if you're a graduate day long day of frankly having been on the other side of the table doing the interviews absolute hell and people deliberately trying to trip you up and making you do presentations of five minutes learn the subject matter and things like that other end of the scale say you know joining a Pentax company practical pen test example bit like doing a CTF quite a good bit of fun get to know other people do do well but all the way through that you know as you're thinking through that a couple years ago I was doing I also sail and

the last section the book about do really high-performance sailing was a thing on performance management and this was really really stuck with me which is probably used that rather than a rather pentesting example here you know it's like how do you build up to being awesome at something and the answer is you break it down into steps and work out how to improve it each of those steps and so this is using software called the gold scape goal scape excuse me something so works for me as a way of thinking about it but you can do this however you want I actually just use a bit of paper but I do use the same kind of format you know

you want to be you know top level pentester how do I go about getting out that well I'm gonna have to be really good at infrastructure pen testing I've been really good at web app testing they have to cover mobile apps gonna have to do web a Web API type testing might need to get a bit more involved in radiofrequency hacking if I want to get a bit more fancy and so on and so forth you stick that all down saying right that's what I want to end up in ten years and you say right how good am I at each of these sections I've just on my OS CP so I'm pretty happy with

infrastructure testing to some extent I'm gonna fill that up and I really see I'm at maybe 50 60 % on there got bit to go but I'm not I'm not completely clueless we're about testing I've not done that so much because I've kind of concentrate on that where CPU which is very infrastructure based so I'm gonna see I know a little bit I can do the top 10 type stuff but I need to need to concentrate on that a bit more someone leave 25% and you fill out what you're good at and what you're not so good at and if you go into an interview or something with that knowledge you you can present a much more honest view

of yourself and understand I might complying for a lead consultant just after I graduated because that's not going to work actually I know I've only done you know four years in a uni learning both how the database works and they know how to hack it and therefore maybe my sequel injection is not so awesome you know I've only done four practicals I've not used this day in day out for three years now so you you know get an understanding of where you are and you start applying for the right jobs which it kind of really helps and you can break that down into actually right so taking the sequel injection how do I get better at that okay I'll go and

lock hack in the box and I'm going to download all the sequel injection tasks and I'm going to sit and I'm hammering my way through them until until I'm actually really good at this write sequel injection that I'm good at right horizontal privilege escalation in web apps yeah not so good at that not practiced right next thing tick it all off and as you fill in those levels you bulk out your ability to hit the higher level jobs get paid more do more exciting stuff move on to the the weirder and wonderful or or you know either Taric type testing start moving into research and things like that and that's kind of party planning how to

get better and I'm going to stick in a big placeholder here saying work at the soft skills okay and I said there's lots of different types of testing to be done be involved in it's so on so forth sorry different types of companies to do this in and only some of them would be labeled consultant consultancy but realistically every single pen test you ever do has to be explained to someone that's better fix the problems and the better you are interacting that them and you know helping get setup of the tests done properly the more successful you're going to be bearing in mind the aim here is to fix as much of the problems in the

world as possible that's really dangerous good thing the next take those things and stick them all together so you know how to build things you know how to put together and you knew I'd take them back par again you've got a fairly good understanding of where you are in your career trajectory as a pen tester to make sure that you're kind of applying for the right jobs you know you're not not a graduate applying for lead equally you're not a lead applying for a low-level job and being grumpy that you're only getting offered half the amount of money that you'd expect put some evidence that you know how to demonstrate skills that you've got whether that's a you know a good long

history of doing pen tests got your CRT qualifications or you've got a long list of CDs or you've been doing bug bounties and you've got you know evidence on those platforms to say hang on up I've been pays 100,000 pounds in bug bounties last year I must know something about what I'm doing and you've been practicing explaining your findings to people so that people can take your knowledge that you've fought hard for and use it to improve their systems and I guess unless you want to sit and do that for yourself but I wouldn't recommend it so the next step is kind of get out there find out how you you know start getting a jobs finding the right

things and obviously the right way to do that connect with its many LinkedIn recruiters as possible no don't don't do that it's a really annoying thing so it kind of comes back a little bit to that have a think about what kind of style work you're looking to do do you want to be part of the big five world big four stories there's a big four world where everything's continually striving to go upward so you prefer to work for a more boutique consultancy where you do a lot more pen testing it's a lot more personal and you kind of more of a relationship with a customer that you're working with you want to work inside one

of the big companies or inside a small company you've got got guys downstairs booked to work that are basically a third of the security department for our Arnold Clark you know big retailer still needs security guys kind of work out who you want to work for and what style of work that is I have a preference and this is a message I was kind of asked to give by our recruiters is please come directly to the companies you know so work a if I want to go to pen test company right I need to submit CV to context NCC sir karma pen test partners downstairs who round their websites and find the right email address and send it to them don't

upload your web your CV to some recruitment person one of the problems with that from an industry from inside the industry is that if that recruiter submits your CV on behalf of you they then own the relationship with that company so a that they're also incentivized to get you as high a salary as possible it just seems like a nice thing to have an incentive for but if they kind of go in too high and they're saying Bob wants 40,000 pounds and I'm sitting there saying hang on I'm pretty sure you just graduated last year and his practicals that I did and kind of put more in a trainee you know chunk below that then you can potentially be

caught in that crossfire of them trying to maximize their they they are a cut of that for 8,000 pounds and because they own the relationship you can't then come around them direct to me and say hang on I think maybe I got that wrong what what do you think what would you be willing to pay us because they wonder about the relationship now and that's quite restraining for our recruitment team quite often apparently so definitely find and go direct when you can and that's when linkedin does come in so I know a lot of the big companies these days are starting to increasingly use LinkedIn and just cut out that recruitment layer completely and have an

idea of the process that you're about to go through so this is kind of what ours looks like I'm showing you this because effectively it can be hacked like not in our pentester kind of way but if you understand it then you're in a better position to understand what you're trying to do at each stage so we always have what we call a paper excerpts last year Seavey's anything that you put on the CV so I'll link out to your LinkedIn profile any research or blogs that you've done those CDs maybe and then we're gonna go and read all that and we'll say this person seems decent this person doesn't that kind of gait is what your CV is all about it

doesn't have to do anything else about interviews or anything it's literally about getting to the first stage of a four inch screen and that's when someone's gonna burn up one of our you know myself or one of the other leaders sheron's team or phone you up and just do what we call a porn screen some couple of really simple techie questions interact with you for half an hour to check your human that's that's really what we're looking for you know us which end of a keyboard to operate on he knows point ' does if you put it in the wrong place on the Internet and that's that's kind of it we're just just really quite a little

little Bowl for passing that and it's just to get the to filter out to make sure that we're not wasting time at the next stages on people that really can't do the practical side so for us the next stage is a technical interview and it's really CTF style pers worth practicing on those connecting over a VPN user or it can be in person within one of the officers okay and do some pen testing with one of our senior guys looking over your shoulder a bit different if you're in are looking one of the big companies might be do an Aldi interview process and but there's still be a practical element you know so the bigger companies

tend to do the next stage the on-site interview which we because most people would call competency-based interview you know very much tell me about a time when you have dot dot dot dot they've had trouble completing a pen test and that's all about the consultancy skills so the the bigger companies tend to put that first and we'll pull on some technical questions afterwards we tend to do the techie first and then and then that but that's the different stages that you're going through sometimes we have we do in the second stage of on-site if that's appropriate but there's much for repeat possibly with a more senior person live here depending on various things but I kind

of gives you an idea of the the process that that we go through in our end that it really helps if you're aware of so I had a guy near well be here because my examples are mostly from Scotland they were at the telephone interview script stage he was it was really really good techy guy but he would not not could not but would not answer my basic questions even though I was saying this is just to make sure that you're a human be technically vaguely competent I'm not trying to work out if you're at uber elite tester at the moment or whether you are just you know trainee level person I just want to know what that you

can explain to me the basics of how a browser works how the internet works what sequel injection is that he felt he was being insulted by that and therefore failed that are you a human being I want to work with tests so he didn't get taken for so I did say I think in the in the talker names or summary I did say I was gonna do some exposing no names but I will talk about some this stuff and so yeah it was kind of kind of in the the dot-dot-dot bit before you get to profit good time cool thank you one of the things that comes up quite often is Seavey's how do you

get past that first stage and again the skills that you're learning as a pen tester about reverse engineering what a developer has done or the sysadmin that built the network comes comes in really useful here so what is it that the potentially HR people potentially the testers that you'll be working with want to see in my CV enough to get me to that phone screen interview now this is not about Warren piece it's not about explaining the a renewal of what you think about how to chain X or the latest neat thing that you find with either probe this is literally show you that you can do show me that you can do the job in as concisely as possible

back when I worked at a bank we went through a reorg as you pretty much expect to every two to three years and as part of that we had to reapply for our own job some of us but we had to do it with a one-page CV and that really concentrates the mind and in some ways were think of our aiming for certainly no more than two pages and one of the keys that I really want to bring out here is separate out your skills and achievements from what your responsibilities are so if you're at uni your responsibility is to turn up to the courses and pass your achievement are everything that you do above and beyond

that so if you're running a society you're involved in doing talks about how to do particular kinds of tent hacking tests or you've got involved in a charity to help them be secure or something like that's the kind of thing that I'm looking for to make you stand out that's that as an achievement not a responsibility that that you've signed up or seen for if you you know had a history of employment I don't want your job description maybe a little bit you know further down the page I want a a really you know three three liner about what your job was I want to know what you achieved what what do you do in that

role that wouldn't have happened if it hadn't been you that was there I also was on there that we should point yeah please so first section key skills and achievements take those skills and achievements and ideally match them to the job a job really simple if I've written a job advert saying I want someone for infrastructure testing with experience of using this tool that to them the next thing then stick that in at the top of the page you know really simple makes it simple for me to filter out to see who do I at least want to talk to because that is we're about year the CV stage is just who I'm going to pick to pick up the

phone to and sit and spend half an hour talking to chatting to next section down please reverse order date do not start with when I was five oh into primary school and then workup start with my last job or I've just finished my masters and tell me a bit about that and then work back and the further you get on in your career you know that that needs to tail off I care about the last five maybe six years if you're going back further than that and still writing ten lines about what it was I don't care sorry guys I want to know what you are like no not what you're like ten years ago and so on and so forth

again professional qualifications definitely want them on there although even if it is a CH I've got CH on my my CV and I thought about dropping it off sometimes but I do still have the bit paper so I keep it and the sort of schooling and uni stuff once once you're a bit older you just drop it yeah I went to uni I got a degree I don't care what hires you got maybe if you're coming as a as a trainee just graduated I probably do you want to maybe see your hires but standard grades and stuff don't care I assume that the hires are the things you're interested in now the fun bit some real examples from

the last six months of so six months or so of things not to do so this was a covering letter that I got for the CV hopefully not from someone in the room you start to recognize the any of these bits no one knows who you are just sit and try not to sweat too much first don't put your picture on a CV I don't want to see pictures causes all kinds of HR type problems down the line like it doesn't it has that possibility so it tends to put me off I don't I don't really want to see your picture so they started off really well for theoretical ethical hacking student attending somewhere in Scotland and I'd like to

apply fear and your position in Edinburgh bit of reasoning about why I'm really interested in stuff and and that's that's all pretty good and it finishes off attached to the copy of my CV I look forward to getting back to you that is quite a good covering letter there's stuff in between I wasn't so convinced by that section was all about is pirated games collection back to the don't do anything illegal or at least don't tell me about it that section all about is dad that bit was just over an emotional and kind of digging it is old school class didn't like that and that bits all about his favorite teacher just know you know

covering letters I had someone else asked after a meeting a couple of weeks ago about you know what should go in a covering letter I want to work for you here's my CV here's the two things I think are particularly worth drawing out over my CV that's it you know you're not aiming for maybe this person set themselves a word target or something and had to fill it with something but you don't want the less you say the less can go wrong is again remember this is just about getting to that form screen stage keep it short keep it sweet keep it truthful and not illegal right second one have a quick read of that I think

you'll all be able to see hi I've cleared my OS CP but frankly I had to get help with two out of the four machines okay my reply that's that's not great and watch what your plans is contact hearing no not not for you obviously just again fairly obvious I would have thought a don't cheat at your exams and be don't tell me about it you know I'm not even sure which of those is the more heinous crime technically the cheating just in case you're unclear another one going going back there much farther back actually so this is my first experience of doing an interview from the other side at the table so my first time actually interviewing someone

and it was looking okay this is 15 years ago back when before SecureWorks was SecureWorks when it was still company called dns we were interviewing for intern for the summer and guy was really nervous we couldn't really work out why we're just asking questions and give you know so competency-based tell me about a time where you had some responsibility for something like I'm talking to school leaver guys who weren't looking for you know someone did save the world or anything just tell us about a time where you had to you had some responsibility you had to deliver and you know what you did to make sure that that worked out and the guys at home I don't think I've

ever had any responsibility okay says on your CV you were head boy that must have involved something no we were expecting there to be a really decent story for that level of person based in that and the we brought in they said you know and said here had a boy here on your CV ah yeah that our careers person said I should put that on I was I was covering for the actual head boy while he was away in holiday for two weeks so ah well that's thanks thanks for coming in we'll call you so yeah so the you know just be honest don't meet thumbs up because you'll get caught unless you make things up deliberately

to be funny I have a friend that used to always be that he was a Boland dancer his outside of work interests just to see me go asked about he was not a Napoleon dancer but that stage it was okay because it was actually really good technically and it was deliberately done as a joke but don't claim responsibilities or achievements that you've not actually got because it'll get spotted now the people doing the hiring are experienced at doing this and can support when you're having trouble so and then the next bit is welcome to the industry well done at this point I've been slowly sort of tapping people on the shoulder for the past couple of days here just to try and

get a bit help at this stage so in the room today we've got people from KPMG I don't think Lori's here but so really all soft at running b-sides downstairs works for HSBC as a head of something to do with security I'm not even sure if he knows anymore Irene's here from RBS head of their security testing department got Pro check up in the room and ISA karma and literally depend old congratulations in the market change but he also literally wrote the book on this stuff and obviously I'm I'm kicking around downstairs sure Sean are seen Sean thank you I was asked to that last time we spoke down secure work secure cording so if

anyone has any questions I'm not saying these people have jobs but they have said that they're willing to talk about people about how to get into the security industries above and beyond you know pen testing but also above and beyond you know as I say that start I am context but my salespeople hate me because I don't I'm not that close to the brands or anything I'd much rather people got into the industry did well find vulnerabilities and help people fix them so I think that's more important than us are arguing amongst ourselves as a security industry to to pay and sort of cut cutting each other I much more important that we improve the internet in general

and so on and then worrying too much of our each other so there you have it knowledge execution where you fit in any question I think we've got a couple of minutes three minutes apparently and actually the people I just called out so zippy at the back KPMG Eileen at the front RBS Sheena from Pro checker Shan been here and the and Rory's downstairs will you'll be trying to stop the conference from crashing but yeah like look don't bug them just know that and they said hey if you want to have a chat then feel free to but for the moment questions to the front Oh Cheers thank you the this industry is really welcoming once you get into it and it's

just a matter of finding the right people to grab and say I'm thinking about submitting my CV can you have a quick read or I'm stuck in this place am I in my career what do I need to do is my next step what would make me more attractive to your business and people will very happily answer that question almost anytime that one that was blanked out that we went through it by far the worst covering note or the CV was of a similar kind of quality to be honest a in terms of people so it was one and I brought up the chronological order thing in a CV because I did have some one

movie ended up employing and wrote their CV backwards like to be fair you know they were not not British so different traditions so the series change depending where you are in the world you are the same as the meaning of what red eye red team is does the you know having to work through three pages of starting at Burger King whilst looking for a job working down towards oh actually you've done five years as a full-time pen tester right okay that's where we are that was pretty annoying I don't think so because you talking largely about the same suspect and in terms of who your employers are and what they are trying to sell to their clients is consistency

so if you have a pen tester from context coming to do coming to do a job it doesn't matter which office they come from and other than accent it comes with

yeah just wanted we don't label it racist that it's the same yeah Italy prefers coach person to come French fine German fine Syrian fine yeah I think that the industry is driving towards consistency you're seeing that as the all the pen test convicts get brought up you know that the number of genuinely independent pen test companies left is really small or at least the ones that are worth talking to and so I've spent a long time measuring the quality of pen test companies and it's not a big brand name then the Toyo reason for that you know the big big drive towards consolidation in the industry just now the people that are worth buying or get

involved were reasonably lucky that me got bought and it didn't destroy the company we're still very much independently run still at same CEO CTO CEO CTO structures and everything all the same even the world when you buy are almost fifty one hundred company didn't see the same thing happen with pork college though they got bought by Cisco and none of those people here but it didn't go that well I would argue and kind of just disappearing everyone's going off to the wind and joining the other companies okay thank you okay