
Made in SA - For the world

BSides Cape Town · 2022 · 52:33 · 138 views · Published 2023-09
Speaker: Haroon Meer
Category: Community
Style: Keynote
About this talk
Haroon Meer reflects on why so few cybersecurity products and research make it from South Africa to the global stage. Drawing on decades of experience in security research and product development, he examines the mindset, discipline, and trade-offs required to produce world-class work—from committing to deep research over surface-level tricks to building and shipping products that create lasting impact.
BSIDES Cape Town 2022 Conference Keynote Track 1 (Keynote) Made in SA - For the world - Haroon Meer
Transcript [en]

Okay, good morning folks. The really worthy title we'll get to in a little bit. For the most part I want to start by saying thanks and sorry. Thanks mainly because it's early in the morning, and normally I try to avoid keynotes because they're not as meaty, and there's an old person either trying to sell you stuff or trying to give you advice that's slightly outdated. So yeah, thanks, thanks a lot for coming. I've seen lots of talks in my time, seen a few keynotes, and most of them pretty routinely were garbage. So I'm setting a low bar; someone before the talk told me the secret to life is to set a low bar.

So most keynotes are generally garbage, and part of the reason is, we're talking about it like it's a quirk: you start getting invited for keynotes when you're old enough that what you do no longer matters as much, so you kind of make sure that the person keynoting just doesn't have the right amount of experience for you. But there's that old sunscreen song that says giving advice is a form of nostalgia, so the person giving it to you thinks more of it, and it's kind of on you to take it. So thanks. And I want to say sorry, because you'd already have noticed I say "um" a lot.

Sometimes I repeat myself, and repeating myself mainly, I mean if you've ever watched one of my other talks or ever heard parts of it, there's some things that I say a lot, some topics that we talk about a lot, and it's not just because we're lazy. In part it's because it's the stuff we believe in, and so that doesn't change too much from day to day, and we end up talking about it a fair bit. The other thing is that I use a lot of quotes in my talk, and mainly that's because I'm lazy, and quoting other people just means that you don't have to actually think for yourself. The last thing I want to say sorry for upfront is that some of it will sting, and mainly some of it will sting because in part that's what the morning talk is for. Other people will give you actual practical stuff that you can verify; I'm gonna give you hand-wavy stuff that you can't hold me to. But almost every time I've gotten useful advice from someone it did sting a little, because you wouldn't have been doing it the wrong way if you didn't think it was right, and when somebody nudges you it stings. And so I guess the first quote that I'll use, or the first URL that I'll refer to, is: if you get one of those things that sting, give it five minutes.

This was actually a blog post that Jason Fried from 37signals had put out a while back, and he's got this really interesting story where he went to a talk that someone gave, someone said something that he felt was egregiously wrong, and after the talk he goes, during Q&A, and he immediately pounces on the guy: "you said this, and this is why you're wrong, and you didn't think about that." And he says the speaker looked at him and said, "man, give it five minutes." Let it settle. He's got this whole post about it that's worth reading, but he says, look, the speaker has spent time thinking about it, he spent time putting this thing together, and what he was doing was instantly reacting to it and instantly figuring out why the guy was wrong. And sometimes it's worth just giving it five minutes, just to think about it. If nothing else, it gives me a chance to leave the room.

I guess one of the things, a perfectly reasonable question, is: why should you bother listening to me? There's no very good answer to that. For the most part I've been really lucky in my career, so I got to play in a bunch of different spaces. Spent a bunch of time with the other two old guys in front hacking on stuff in the early 2000s; we broke into things all over. I spent a small stint CISO-ing, and now we've got a company that builds security software. For the most part the only reason that applies here is because I've been lucky enough to be a part of doing research that played internationally, or building products that sell internationally. And if not just from my experience, I've got to see people I worked with, and so you can tell, or you get to tell: here's the sort of person who does work that becomes first-class research, or here's someone who builds a product that has legs. For the most part that's my early appeal to authority, that says I've worked with some of these people and I can kind of tell the difference, and this is what I've noticed.

So what's the talk about? You should be really afraid, because we're five minutes in and I'm just getting to that now, but that's the point of the keynote, and I'll ramble a little bit. For the most part I'm going to share some links, so even if my talk is complete garbage you get some links that you should take away and read. What I want to talk about is why so few cybersecurity products make it from South Africa into the world. So Intersect is one of them, and that's cool; that

might be a plug for the sponsors, there you go. But there are still shockingly few of them, and if you take security research, some of our stuff has made it to the world stage, but not a lot. And there's lots of us, and cybersecurity is not that new in South Africa; we've got people who've been doing it for decades now, and the numbers are still surprisingly low, and the question is why.

I'll start with why we don't make great software or great software companies. One of the things that should be obvious is, if you're a student graduating from our universities today, you're in the same position as a student graduating from MIT or Caltech. We've got the same internet, the same laptops, we're building on the same AWS, we've got access to the same open courseware. People leave MIT and want to start Google and Facebook, and people leave our universities and want to work at one of the big audit houses. That thing just puts us on a different trajectory, where our best want to work at a company; at best they end up at a bank doing Java web interfaces. So part of the question is why, and the moment you ask this question, again, I think it's just one of those things that's empirically true, right: we don't have that many software companies, and there are other products that need lots of investment, but software doesn't.

Which is interesting, because if this topic ever comes up, one of the first things people go to is that South Africa doesn't have great software companies because we lack a good VC ecosystem. I've got strong thoughts about venture capital and why most of it is pretty terrible for the security industry, but even if you look historically you'll see lots of great companies didn't do huge amounts of VC raises: Apple at 3 million, MailChimp raised nothing, and they're currently worth billions. So venture capital on its own is not the reason why we are or aren't making great software, and the answer is almost tautological: we don't make software because we don't make software. It's just not something we get used to doing.

What you'll see, and I've been ranting about this for many years, is that in South Africa we end up becoming a nation of consumers. By default we think that software is there for us to use; we use these big companies; it's just not something that we put together. What's worse about it is it's not just that we end up thinking that we can't do it, we start to think that all the people around us can't do it. It's interesting: I know Intersect, and we've worked with them from way back, but I can tell you, as a local software company, even at the previous security company that we had, most of our customers by far were international. When we built Thinkst Canary we didn't sell much of it locally at all; we did no local sales, we sold internationally, and then some local customers happened to come along, like the big banks and the large financials. In part it's because locally people judge local software differently to how internationally they judge software.

One of the joys of Silicon Valley is the way they've embraced failure, okay? Walk down any street in Silicon Valley and you'll find a coffee shop is trying out a new access control method, a new way for people to try paying for their coffees, and you'll see lots of terrible, terrible products, right? Like if you remember Twitter and how it sucked in its early days. And the difference is, if something like that comes out from a South African company, lots of us will be the first to tear that product down and talk about how junk it is. And the truth is all software is junk. If you look at reports of software on early Teslas, people were literally SSHing into devices and controlling onboard computers, and when this whole kerfuffle happened a very famous security dude, Mudge, who's even older than the guys in the front here, Mudge stood up and said, look, that's how software happens. It's messy, and that's what happens. In South Africa we kind of lack compassion for our people building that kind of software; we tear down very quickly, and in the end what it means is that nobody here does it. Instead we just use the international stuff. For this you can get all biblical, because that talks about no prophet being accepted in his hometown, but it's a little bit more than that. When it comes to local software there's a genuine feeling that locals can't do it, with all evidence to the contrary.

But the worst part is it creates this horrible loop, right, where our best then leave because they can't build software here, and then what you're left with is people who can't build software, and then when they try building software it's terrible, and you get to say, look, the software is terrible, why should we pay for that? One of the solutions for it is just that we need to build more stuff; we need to get used to people building more stuff. For those of you who remember FTP, you slightly date yourself, but everyone who was using FTP for a while was using wu-ftpd, and the WU was literally Washington University FTP. If you wanted to practice on a memory corruption bug class you could just do it on wu-ftpd, because chances are they made that mistake. But lots and lots of people went to that university and cut their teeth building that software, and learned how to actually ship real software. If I had to ask you what software South African universities have shipped in the last few years, I don't know about you, but I'd be hard-pressed to answer anything. And again, with all of the stuff you see, there's this cycle. The universities and government have a part to play; government needs to give projects like this to fledgling software companies. If you look historically you'll see a young Oracle cut its teeth building databases for the government; that's how that stuff happened. But nobody in this room controls that, and so for the most part I think what the people in this room need to get used to is being less judgmental. Now I'm not saying this so that we can start having sucky software products, I'm saying it so that we can start having software products, and with iteration, software products that suck today will hopefully suck a little less and eventually start getting better. If nothing else you should watch Ratatouille, just for Anton Ego's speech: the new needs friends. Unless you're dealing with cryptocurrencies, in which case they need

no friends and it should all be burnt to the ground.

So that's my bit on building products. Let's talk about security research, and it's probably gonna sting slightly more for everyone in this room. Just for a show of hands, how many of you here identify as security researchers, whether it's part-time or something you want to do? Okay, there's a few. So the question here that I mentioned at the beginning is just why South Africa's security research output is so small. You could say that we're a small country that's isolated, but if you look historically you'll see other small countries. You'll see great stuff from Argentina; the Argentinians have been doing memory corruption exploits that have surprised the world since the early 2000s. If you look at Poland, they had the LSD team, they had Joanna Rutkowska; they're heavily represented in the world. You look at the Australians, you look at the Kiwis: lots of small places have produced lots of great security research on the world stage, but South Africa hasn't. The question that we have to ask is why. Why don't we? And you don't end up with too many answers other than us. For other things you can blame ecosystems and you can blame lots of stuff, but for security research stuff, at this point it's just us. There are no great limitations that stop us; we're not doing it because we're not doing it.

And again, because the topic becomes harsh to read, I'm mostly going to cheat and refer to this paper that I've often quoted. If any of you have not read Richard Hamming's "You and Your Research", it's awesome. I wish I was you, because reading it for the first time is mind-blowing, and it's so good that you should periodically read it again whenever you can. This was actually a talk Richard Hamming gave to a bunch of scientists, and he was talking to them about what makes the difference between scientists who do great work, he calls it first-class work, and scientists who don't. The paper is amazingly good: he goes through a whole bunch of things, motivation, work-life balance, how to succeed after you've become a success. So it's totally worth it. If nothing else comes out of this talk, you should go read this paper and it'll still be totally worth it.

One of the things that Hamming starts with in the paper is, he says, look, you've got to start by admitting to yourself that you want to do great work, that you want to do first-class research. This was already in the 80s, but he talks about how already people kind of shy away from saying they want to do that. People are slightly embarrassed to say, you know, actually I want to present at Black Hat, and there's no reason to be ashamed of it. A few years ago I worked with Dominic from SensePost, and very early on we were talking, and he was slightly embarrassed to say he enjoyed the rush he gets talking at a public conference. That's nothing to be embarrassed by; people like being recognized by their peers, and one of the things is just to admit that that's what you want, and then you work for that thing. There's nothing wrong with wanting really smart people to think that you're smart. Wanting to speak at Black Hat is cool; it's changed the trajectory of lots of people's careers, and as a starting point, just saying "yep, I want to do this stuff" is important.

But then Hamming gets, again in the first few paragraphs, to a really tricky thing, where he turns around and says, how did I do this study? What made me do the study about what makes great scientists? For him, he worked on the Manhattan Project, and he talks about how he's there with Hans Bethe, with Fermi, with Feynman, and he says, "I was there to fix computers, and I saw that I was a stooge." Of course he's being self-deprecating; he's invited to work on the Manhattan Project. But it is interesting, because almost all the goodness that comes out of his paper comes from this sort of self-awareness that says there is great stuff happening, there are people doing this amazing work, but I'm not.

For one of those particularly stinging things, I'll tell you that in my experience South Africans have a super unusual trait. We joke about it sometimes with some of the other researchers that I know, but if you talk to the average South African IT manager, he'll have really good advice for you on how Steve Jobs should have run Apple or how Elon Musk should run Twitter, and deep in his bones, or her bones, he's convinced that that's the way it should go. You see the same for research, where you talk to lots of people who've never published research internationally but are super convinced the only reason is because they just didn't get around to it yet. Instead of taking stock and going, no, actually, I want to do that thing, that thing is really hard to do, I'm going to put in the work to do that thing, instead it lives in this kind of vacuous space that goes, I could do that if I had the time, or I could do that if my organization was different. In a way this lack of self-awareness is almost the opposite of what you see in the Hamming case. It's this question that says, how do you rank your output, or how do you rank your research? That's something that modern culture kind of frowns upon: you're not supposed to be that competitive, you're not supposed to look at yourself that way. But Hamming makes it clear that if you want to do first-class work, what do you have to do? What do they do? What are the trade-offs they're making in their life?

And again it's something that's really easy to fool yourself with. It's one of those things where every part of your mind wants to convince you that actually you are Halvar Flake, you just didn't do maths in matric, and if only you did maths instead of doing what you did, you'd be Halvar too. But anyone who's worked with Halvar knows that he's been totally dedicated to his craft for 20 years, and the reason he's Halvar is because of that, and the reason I'm not is because I'm not. So Hamming starts and goes, okay, you've got to do this, and then he talks about luck. So on this topic of

how much luck plays a part in whether you do great work or not, I'll come back to this in a little bit. But there's this question that says, if you deep down believe that you are a quality researcher, one of the questions you should be asking yourself is just why you haven't published good research yet. And again, you always have really good reasons for it; there's always stuff, and inside you know you're capable of it, but you just haven't. And again it ties in to the earlier topic that says we start getting really comfortable just consuming security research.

A few years ago, more than a few years ago now because we're old, we started ZaCon in Gauteng, and we had this huge fight-slash-discussion on whether we should do badge hacking or any of the other conference entertainment stuff that happens around security conferences. I was totally against it, and I was horribly overruled, and I still think I was right. But for the most part you see even security conferences today very quickly veer down towards entertainment: you go to the conference, you add some LEDs to a badge, you learn how to become a DJ, you do stuff like that. I didn't want it for ZaCon because I felt it was disrespectful to the speakers. Somebody worked months to put a talk together, and instead of listening to the speaker you're now sitting there trying to put LEDs on. I buy the argument that for some people it introduces them to electronics, but you start to see everything push us towards pure consumerism, and even conferences become like that, where it's actually a quick shot of work: people go in, they attend it, they had a nice time, and they go home. It's one of those things that you're just gonna have to change if you want to do quality research.

Whenever you ask people why they haven't done research, you'll start to see people say they didn't have the time, they didn't have org support. And for no time, that's an easy one to kill, right? Halvar doesn't have more hours in his day, Tavis doesn't have more hours in his day; he's just making different trade-offs than we are. Again the simple thing becomes: do you want to do this? If you want to do this you need to understand the trade-offs, and then you make them or you don't, and if you do, you get a shot at it.

No org support is a really interesting one, and I warned you that almost all of this was just bad nostalgia, but when I was at SensePost we met a customer, and it was a few days before we went to Black Hat, and this customer was a CSO at a pretty cushy job in Gauteng, and I remember specifically he said something like, oh, you guys are going to Black Hat, you're so lucky, my company doesn't pay, and he was all insulting, like, my stupid company doesn't pay for me to go. At the time it really bristled, because for us to go to Black Hat nobody was magically paying for it, right? We had our day jobs, which was doing pen tests, and then to do that research we were spending days and nights to be able to do a talk. We submitted a talk, it gets accepted, and that's why we're going to Black Hat. He could have done that; our org didn't give us any more support than his org did, and at the time his Facebook was filled with weekends where he spent four-by-fouring. At the time I felt very strongly a thing that said, yeah, my work didn't allow this to happen, I gave up quality family time to make this happen, you can too.

And then a better example of this came up. Have any of you read the book Skunk Works? That's something else that's cool to take away. There's a book, so, firstly, if you work in an org and they talk about doing skunk works, Skunk Works was originally based on an actual Skunk Works division that Lockheed Martin had, and the second person to run Skunk Works, a guy called Ben Rich, wrote this book about how they invented stealth technology. The book's fascinating for a whole bunch of reasons, but one of the interesting things for this story was: Ben takes over from this legend who made Skunk Works, and the guy before him who made Skunk Works had such a reputation that he'd literally tell the Air Force, I want to build a jet that uses the stars for navigation, give me n million; gets the money, makes the jet, delivers it to the Air Force. He was a legendary pilot, legendary administrator, and he's now going to retire, and so the new guy taking over has to follow in those footsteps, and that's near impossible. So the new guy steps in and he pulls out this old research paper on stealth technology and they start putting together what eventually becomes the Nighthawk and modern-day stealth. But there's a really interesting thing: where they pulled it, they invented it, it's completely impossible at the time, right? With the technology they've shrunk down the radar cross-section of a jet to the size of a golf ball, completely unheard of. They've presented it to the Air Force and they now get the contract to build these things, and there's a snippet of the book, I've actually got that snippet up in that blog post, where the US government is now on top of them when they're making the stuff. And the government's on top of them in the sort of way that you expect a draconian, Kafkaesque bureaucracy: they fine them for their workspaces not being clean enough, they fine them for using the wrong materials. It's really counterintuitive, because you kind of think that these people who are doing Skunk Works, building generations-ahead aircraft, would have this free hand to do cool stuff, but it's actually the complete opposite. Every dime that they get they have to justify, every decision that they make, and you start to realize that if you're working at an org where you think they don't give you the freedom to innovate: they didn't innovate at Skunk Works because they had a free hand, they innovated at Skunk Works despite the fact that they didn't have a free hand. If you're not building your stealth, it's probably not because your org is restricting you, it's probably because you're not Ben Rich.

And I give this example of Tavis. All of you, show of hands, anyone doesn't know Tavis? Okay. So Tavis is a pretty famous researcher who works for Google Project

Zero. If there's anything that's vulnerable, chances are someone in the world has exploited it, and chances are that someone is Tavis. Jokes aside, early on he hacked the PSP; he's a really skillful code auditor, and his hack on the PSP was actually the same hack that was then used by people on the iPhone, so the early iPhone jailbreaks used his hacks. But one of the interesting things, if you look at Tavis's stuff... I'm going to break my slides to do this, but let's see. That totally doesn't work, because who knows how that works. Ah, take it the other way. So this is Tavis's home page, and what you'll see here is just a list of bugs that Tavis had found before joining Google Project Zero, okay? This was all completely in his spare time; this was just Tavis doing what Tavis does. And again what's interesting is, if someone looks at Tavis today you kind of go, well, I could probably find bugs if I was working full-time at Project Zero and working next to natashenka and that sort of stuff. But Tavis was doing it when he was doing it for free, auditing Debian packages for fun, okay?

And actually, if we go back to this page, I'll show you something else that's interesting. If you go to the bottom, I can't really see this, there's a... Now I'm just gonna break everything; that's fine. If you go down here you'll see he lists a whole bunch of crackmes, a whole bunch of hackmes. For those of you who've never done it, crackmes are the way lots of people got into early reversing: somebody puts together an app broken in a certain way, hey, reverse the serial. If you read through Tavis's comments, I included this in one of my previous talks, get to one of them where he walks through his solution, and his solution spends more than a year: it's like, played with this filter VM, did this. And again it's one of those times when you realize that Tavis isn't Tavis because he was born with crazy off-the-charts alien IQ; he's Tavis because in the times when we were out, or I was playing with my kid, he was doing crackmes and auditing Debian packages. And it's totally fine if you choose not to be a Tavis, not everyone can, but the problem comes in when you want to be a Tavis without putting in that level of work, because that's just fooling yourself. See if that comes back on. It does. So Tavis finds his stuff because he's Tavis, not because he works for P0. Ben Rich pulls the stealth not because he works at Skunk Works but because he's Ben Rich, and we've got to ask whether we are that person.

At this point the very logical question is, what about life balance? How does life balance fit into this? It's a tricky one, especially now, and I'll give you a few mixed answers on it. One, again Hamming addresses it directly in his paper. In his paper he says, look, he had to neglect his wife some of the time; doing great work requires this neglect. In the actual talk there's a Q&A that happens. You can read the talk or you can watch it on YouTube; you should actually read it, he's not that good a speaker and it takes away from it slightly. But in the actual video there's a Q&A section where they delve into this question more, and he talks about the fact that, yeah, look, you can choose to have a good life or you can choose to be a Nobel-winning scientist, but you're choosing; that's just how it is.

These questions come up a few times recently, in part because of the insanity around Musk and Twitter right now. So for those of you who don't recognize the meme, one of the Twitter PMs, shortly after their new boss came on, tweeted about how she was sleeping in the office, and this causes a whole bunch of pain. We have a company and we can't promote this sort of lifestyle; if we did this we'd kill everyone working for us and nobody would work for us. And unfortunately, until fairly recently, this used to cause me a bunch of consternation, because in my young days I've written bunches of internal blog posts on how you only get goodness burning the candle at both ends. I used to be hardcore for "you only get goodness by working yourself to death", and at some point, building things, we had to say, look, if you want to build a sustainable company you can't build something like that. So we don't; we have reasonable working times and lots of leave and all of that, or we try to. For me it was still hard to reconcile, because I still believe that this is true: I've never seen great researchers who don't skew heavily towards workaholism when it comes to doing good research. For a while I couldn't figure what that was, but fortunately there's a loophole, because building products for your company is not the same as doing security research that either becomes Nobel-prize-winning work or Black Hat conference work. One of them is something that you do, and hopefully you do it well, and hopefully you find a way that's sustainable; but if you want to do great world-class research, that's not the same thing, and if you're lucky you find an org that sustains both of them. The org will support you, it'll let you do your stuff, but if you ever think it's not going to take mind-bending work you're lying to yourself, and it's probably not gonna work out too well for you.

So really quickly, I'm actually not sure of my time, some quick pointers. One: go read Hamming, totally worth it, it'll change your life. Two, sort of from his paper: you need to periodically ask yourself whether you're working on interesting stuff, whether you're working on stuff that's meaningful. In the paper Hamming takes this to an extreme, where he meets people for lunch and asks them, what are the most interesting

problems in your field and why aren't you working on them and he talks about how he stops getting invited to some tables after those conversations but it is interesting because we do the same thing in infosec there people who who call themselves researchers who want to do research and if you ask them well what what are you working on right now what's the interesting space you're looking into and you find they not um and you can't possibly move forward or make great strides unless you actually choosing areas that matter one of the big things to avoid are the easy dopamine hits um and and you see these all over the show you see them for conference talks

um we try to encourage Young Folks at the company to give talks to start uh building their muscle with doing research and giving talks and and it's really interesting to see how many times Young Folks will will give a talk and just scratch the surface of that talk so so they're looking into a topic and the stuff that they put together on the topic is the stuff that you could learn with an hour of research on the internet like like you could Google you could do it and you see this a lot at local conferences someone says okay there's a hot new topic on distributed apps like I'm gonna do a talk on dapps and the talk will start about why

Bitcoin is good and why Satoshi did this and how it's being used in Ecuador, and all of that stuff doesn't give them a deeper understanding of how the technology works. At the end of the day they get off the stage and they're now happy because they've given a talk, but they haven't fundamentally learned the technology, they've not gotten further with that topic. Instead what happens is you get this mean hit of being a speaker at a conference, and you walk away and now you speak and you've got a speaker badge. This starts to happen so much that I'm starting to kick back against people who say they want to be a speaker, like

being a speaker isn't a thing. If you want to be a researcher, that's something, like, do the research, but wanting to speak is pretty empty. Learn the trade, not the trick. For years we did this: we gave classes at SensePost on how to break into things, and we spent a lot of time telling people that they needed to go deeper on everything they did, and especially if you're interested in doing security research, stopping at the trick gives you such a surface-level understanding of things. And you can spot those people who just constantly go deeper, who take whatever they're looking at down to first principles to say this is how this

thing fundamentally works, because the jump from that to how do I break it or how do I abuse it is much, much smaller. I promise I'm almost done. The internet allows you to hang out with anyone. There's an apocryphal quote about how you're the average of the five people you interact with most, but it's super interesting that you have the internet, which means you can hang out with anyone, and most of us hang out with the same people we always have. This is not me saying you should kick out your friends or kick out your besties, but it is saying: choose the people you spend time with and the people you emulate better,

if you want to be a security researcher. And if you are following Halvar and Dino and Taviso, one of the things that you'll pick up is their discipline as it comes down to research time, project time, work time, and it's really easy to miss that stuff if you're following them and also happen to be following a bunch of comedians. But yeah, the internet allows you to pick your five people; you should use it smartly. Almost the last slide: make more stuff. With a quick show of hands, how many of you here have tweeted in the last month? People are currently nervous. How many of you have posted something on a blog?

There's quite a few bloggers, it's interesting. Any of you built and released software? You don't count, S doesn't count. So part of the reason why it's interesting is because if you put out anything, you start to see the value in building stuff, releasing stuff, getting feedback on it. If you're blogging, for example, and if you think about it, it really shouldn't be that hard, you start to become appreciative of 300 people who read your blog, like a thousand people read your blog and it's like, holy, a thousand people just did this. And the problem is, when you don't produce stuff, those things skew. So you see someone release an app online

and they get 10 000 users, and you know that's not enough, but if you wrote a blog post and got 300 readers you'd celebrate, if you got a thousand readers you'd celebrate. That's part of the thing that comes from just making stuff: it changes the way you think about it. And the thing to note when you're building stuff is that it will suck. So if you haven't seen this, it's really worth it: Ira Glass put out this video on making stuff and why it's hard, and it's super worth it.

And currently you can hear it from my Mac speakers. Let me try again.

Nobody tells people who are beginners, and I really wish somebody had told this to me, is that all of us who do creative work, we get into it, and we get into it because we have good taste. But it's like there's a gap: for the first couple of years that you're making stuff, what you're making isn't so good, okay? It's not that great. It's trying to be good, it has ambition to be good, but it's not that good. But your taste, the thing that got you into the game, your taste is still killer. Your taste is good enough that you can tell what you're making is kind of a disappointment to you. You

know what I mean? A lot of people never get past that phase, a lot of people quit. The thing I would just like to say to you with all my heart is that most everybody I know who does interesting creative work went through a phase of years where they had really good taste, they could tell what they were making wasn't as good as they wanted it to be. They knew it fell short, it didn't have this special thing that we wanted it to have. And the thing I would tell you is everybody goes through that, you can go through it. If you're going through it right now, if you're just getting out of that phase,

you gotta know it's totally normal, and one of the most important possible things you could do is do a lot of work. Do a huge volume of work, put yourself on a deadline so that every week or every month you know you're going to finish one story, because it's only by actually going through a volume of work that you're actually going to catch up and close that gap, and the work you're making will be as good as your ambitions. In my case, like, it took longer to figure out how to do this than anybody I've ever met. It takes a while. It's going to take you a while. It's normal to take a while, and

you just have to fight your way through that. Okay, so now there's two things: it's either Hamming's paper or Ira Glass on creativity. So just to end off: again, it's totally okay if you choose not to do security research, like it's fine, it's totally your call. The main thing I want to avoid is where we identify as researchers, we say we want to do it, and we don't put in the work behind it. I guess just to end off, the question of is it worth it, like if we're saying it affects your life, all of this stuff, I can tell you personally for me it's been amazing, and I can also tell you

that, in some ways, we put out this product called Canary tokens, for some of you who might not know it. One of the interesting things about Canary tokens is that fundamentally version one is crazy simple to do. When we built version one it was a weekend project: create something random, save it in a database, if someone comes along, well, give that random thing to someone, and later on say I gave it to this person. Literally you could build it in a weekend. But we built this version one of Canary tokens, and then smarter people in the company added on to it, and then shortly thereafter you started to

get people saying hey, this stuff saved me, hey, I didn't know that we were under attack, and shortly after that you had people from Cruise Automation doing talks on how they were deploying Canary tokens at scale, or Collin Mulliner, who's done amazing research over the years, talking about how he was using tokens to detect reverse engineering. And tokens are so simple that anyone could have done it, like literally if you learned programming today you could build version one of Canary tokens this weekend. But we did it and we put it out there and people built around it and good stuff happened, and last year in December Canary tokens was used over 4 million times, and for us as

people putting stuff out there it's incredibly helpful. We don't charge for Canary tokens, but if young engineers want to join the company we get to say to them, hey, you can work on X, or you can work on this thing that Collin Mulliner said was cool, or this thing that last year four million people used, and it becomes a no-brainer. And again, just because we did it. And mainly that's my push: you should just do it. And again Hamming talks about it, and he says if you keep doing stuff, sooner or later you'll do good stuff. And like, we built tokens, but it comes after years and years of putting out

stuff that probably nobody else ever looked at. So the question, is it worth it? For us, we've built lifelong friends, we've built careers. Totally worth it. It's hard, but worth it. And so you should build more stuff, you should be kinder to people who are building stuff, you should hold yourself to a harder account. Like, there's no reason we can't beat eversos, there's no reason we can't build great companies, we just need to actually knuckle down into it. haroonmeer on Twitter, so you can tell me there why I suck. I think I've got a few moments for questions? I do. But thank you very much.
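The "version one" Canary tokens design described in the talk (something random, saved in a database, handed out, and matched back to its memo when it comes home), as an added Python example. This is not Thinkst's code; the in-memory store, the memo text, the source address and the hit detail are constructed for illustration.

```python
import secrets
import sqlite3
from datetime import datetime, timezone

# Added example, not Thinkst's code: the "version one" design from the talk.
# Mint something random, remember who it was given to, and when it comes
# back, report the memo so the owner knows which planted token fired.


class CanaryStore:
    def __init__(self):
        # In-memory SQLite stands in for "save it in a database".
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tokens (token TEXT PRIMARY KEY, memo TEXT, created TEXT)")
        self.db.execute("CREATE TABLE hits (token TEXT, seen TEXT, source TEXT, detail TEXT)")

    def mint(self, memo):
        # 24 random bytes (32 URL-safe chars): unguessable, so a trigger
        # means the token was found where it was planted, not brute-forced.
        token = secrets.token_urlsafe(24)
        self.db.execute("INSERT INTO tokens VALUES (?, ?, ?)", (token, memo, _now()))
        return token

    def trigger(self, token, source, detail=""):
        # Called when the planted thing "comes along" (a URL fetched, a file opened).
        row = self.db.execute("SELECT memo FROM tokens WHERE token = ?", (token,)).fetchone()
        if row is None:
            return None  # unknown token: record nothing and reveal nothing to the sender
        self.db.execute("INSERT INTO hits VALUES (?, ?, ?, ?)", (token, _now(), source, detail))
        return {"memo": row[0], "source": source, "detail": detail}

    def hits_for(self, token):
        # Everything the owner learns: when it fired, from where, with what detail.
        return self.db.execute(
            "SELECT seen, source, detail FROM hits WHERE token = ?", (token,)).fetchall()


def _now():
    return datetime.now(timezone.utc).isoformat()


if __name__ == "__main__":
    store = CanaryStore()
    # Constructed scenario: a token planted in a decoy credentials file.
    t = store.mint("constructed: decoy creds.txt on the backup share")
    print("give out:", t)
    # Constructed trigger; 203.0.113.7 is from the documentation address range.
    print("alert:", store.trigger(t, "203.0.113.7", "curl/8.0"))
    print("noise:", store.trigger("not-a-token", "203.0.113.7"))
```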

We have to repeat the question, but it starts with someone having a question. Charles is gonna have a question.

Yeah, so to repeat the question: what do you think of the relative value of security research, given that South Africa has a bunch of problems, why should... and given that doing security research has costs, why spend it on X and not Y? I don't have a good answer to it. I think Ben Horowitz, when asked about how kids should choose their career, says: don't follow your passion, follow the intersection of what you can do, what you can do well, and where there's a need. And so, for example, I think I would make a terrible plumber. I think if the choice was plumbing or solving something computer geekery, I'm better aimed at that, and

so I think it kind of becomes something like that, which is you choose the intersection of your talent and your interests and where there's a need. And it also happens to be a need here, for us in South Africa. I think, aside from security research, building software companies is hugely, potentially valuable. If you look at the outliers, you look at the big US companies, we can build those companies. There's no reason why we can't: we have the same grads coming out, we've got the same skills, there's no reason, and the economy needs it, the country needs it. So I

think you can, yeah, I think there's value in it, but I think it has a cost. How you weigh it against other costs, I don't know a good answer to it. Anyone else? We've got to cut it, or Crystal is going to cut my neck off. I'm not sure what that means. Thank you very much, folks.
