
How to Read a Breach Notification

BSides Buffalo · 2023 · 45:21 · 41 views · Published 2023-06
About this talk
Zack Glick examines how to extract meaningful information from public breach notifications by reading between corporate and legal language. Using case studies from Uber, T-Mobile, Azure, and others, he decodes what companies actually reveal about their incident response processes, data exposure scope, and internal practices. The talk covers the coordinated disclosure process, the roles of legal, PR, and security teams in shaping public statements, and concludes with logging strategies developers can adopt to enable clearer future notifications.
Original YouTube description
This talk will be a review of various public postings of security events (Uber, T-Mobile, Azure, etc.). It will teach the audience how to read between the lines of these posts to extract additional information from them to help defend their businesses and persons. Based on the presenter's experience working with security researchers, the talk starts with the coordinated disclosure process, or the disclosure from law enforcement / another third party: what is happening in the incident response process, and what guidance the company is receiving internally. Then it will build on the examples of public breach notifications to show the audience what companies mean when they post about an incident. The talk will end with advice that developers can use when building a logging strategy for their app to allow them to write a better notification. ABOUT THE SPEAKER: Zack Glick. Born in San Francisco, grown in Buffalo, educated in Syracuse, and living back in Buffalo after trips through Rhode Island, Northern Virginia, and Washington state. Work experience includes New Relic, AWS Security, Dell Secureworks, and the Syracuse City School District. Zack works as a Principal Security Engineer in cloud security on the defensive side, with experience in product security, coordinated vulnerability disclosure, incident response, and threat modeling.
Transcript [en]

All right, so thank you all for coming. My name is Zack Glick. I'm a principal security engineer at New Relic focusing on product, and now a little bit of enterprise IT security, and this talk is about how to read between the lines of a breach notification. So, a little bit of background on myself: I've been on the defensive side of the industry for 10 years now. I spent time with Dell SecureWorks and then a chunk of time with Amazon Web Services. I was in incident response for the web services side of the cloud, built out the Hong Kong AWS region, redesigned the security for that, and then was also the lead security

engineer for the coordinated vulnerability disclosure program, so I had a lot of time working with security researchers, both on writing their responses and looking between the lines. I'm also a co-organizer for Buffalo Coffee Club, or Buffalo Startup Coffee, or Buffalo Coffee Club; we have not picked a name in four years. It is every Tuesday morning, 7:30 to 9, at a co-working space, free bagels from The Bagel Jar, so please come on by. It's folks building businesses in Buffalo, whether you're in tech, marketing, legal, we've got all sorts of folks there. I'm also one of the organizers for DevOpsDays Buffalo. It's coming to Seneca One this September and we've got a 15% discount for all BSides Buffalo attendees, so grab your tickets.

[Audience: Shouldn't that be DevSecOps?] That's part of the conversation, you know; the "Sec" is implied. So, a disclaimer for me: I'm not a lawyer, I'm not a compliance specialist, I'm a security engineer that has read a lot of words. I also am speaking on my own behalf, not on behalf of any employers, past, present, or future, and this talk is given in the spirit of HugOps. So this is the principle that anybody can have a bad day, anybody can have a breach. We're not here to make fun of individuals. We can make fun of companies, but not the people behind them. And so we're going to start with

reading between the lines. [Music] That's all I needed to hear; that's all I need to keep going. So why do companies write breach notifications? Understanding motivation: just like with any other form of attacker, or any other action you take in corporate America, you want to understand the motivation. The big thing a company is trying to do is control the narrative. If all you see is the headline that says X company got breached, you're going to have a negative reaction, and so really what they're trying to do is control the narrative and make it seem like it's not as bad as it was, until you find out. We're going to read between the lines. I

will go back to my demo slide. So yeah, and so that's why we have to read between the lines. They're not necessarily going to give us the information that we need as defenders to launch our own investigations, or unfortunately, as consumers, sometimes to protect ourselves. They also might run into some issues where, for any statement they make in America, they are likely to be sued over said data breach, so any statement they make is going to be part of the official record of that loss. So we'll talk about who the players are in the room. You might have the CEO making the final approval of the text. You probably will have PR. You probably

will have a crisis communication shop. You definitely will have a lawyer. You might have outside counsel. You probably will have the team that owns the asset that was compromised. You might have security management, and it's highly unlikely you'll have the actual incident responders. So the technical nature of what comes out is going to be a little more funneled through a public relations and legal aspect rather than a technical one. Also, depending on the jurisdiction of the data as well as where the company's located, there might be some legal and regulatory requirements to make a public statement, or when they make a public statement that might kick off a clock, and that just depends on jurisdiction. So what I want to start with is Okta. So

Okta is an IdP, for folks who aren't familiar with it. The previous talk in the other track was about Active Directory. Okta is a way of having users log in, setting passwords, doing MFA, all those sorts of things. It's also a SaaS vendor, so you don't run it locally; you have to trust Okta. And so, you know, when you're running a SaaS business, having been a security engineer at a number of them, customer trust is the hardest resource to earn and the easiest one to spend. And so because of this, as soon as you notice a security issue at a SaaS vendor, you're starting to go into a trust deficit with customers and you have to

start earning it back. So this came out in March of 2022. There were a few other things that were happening around then: the Russia-Ukraine conflict had just kicked off with Russia's invasion, CISA had launched their Shields Up alert, we were about three months away from Log4j. It had been a pretty rough 2021; incident response teams were pretty burned out. And so what we started seeing on Twitter were screenshots claiming to be from Lapsus$, which was a group that had breached Microsoft the month before, Samsung the week before, as well as Uber later in 2022. And so security teams started seeing these screenshots that said Lapsus$ had super

user access to this SuperUser tool. Unfortunately the only screenshot I have from that era is super blurry and you can't read it. I have an appendix if folks want to see it, but you started seeing this tool, SuperUser, flying around. And so you've got a SaaS company that you have to trust. You can't run your own IR, you can't look at your own logs, you purely have to trust what they say. And so how does this communication start? So this is a tweet that the Okta CEO sent out. It was sent out at 4 AM Eastern Time. Okta is a West Coast-based company, so they were definitely burning some midnight oil to get this out. It's a

two-part tweet, and there are a couple of things that we can learn from this. The other thing is that they also posted a blog post at the exact same time. We have to guess, because this blog post has no timestamp, it has no author, and it does not link to this Twitter feed. So I know from reading this blog post that these two texts are exactly the same. The CEO's tweet does not mention Lapsus$ in any way. The reason we know that is because the title of the blog post contains Lapsus$. A pretty common thing that happens when you're writing security comms is you forget to include the title of the blog post or the

subject line of the email. You'll spend hours writing this language, figuring out the right thing to write, you're about to hit publish and you realize you need a title for it. So in this statement they make no mention of Lapsus$, but in the blog post they then go ahead and confirm it. This post does tell us a few things, right? So it confirms Lapsus$'s involvement in the event. It also gives us a very, very bare-bones timeline. So this is coming out in March and they've talked about January, so we can assume it's the January earlier in this year. So if that's all you as an incident responder have to go

on, you can start looking at every Okta activity for every employee from January until the date this is public, and for a lot of us in the defensive community this is where we kind of had to get going, right, because our leadership, we outsource our employees' identities to Okta, and so that was where we had to start our investigations. It also gives us the indication that Okta doesn't think that it's still ongoing, and we know that the CEO is saying this from his Twitter feed. It's likely not him actually posting it, since it's a copy and paste of the blog post, but it's posted in his name. You would have to attest to that in court:

you made this statement at this time, so we think it's over. So that gives us this rough timeline. What the posts don't tell us, and part of this talk is also helping us as defenders write better communications, so especially if you're in the SaaS business, you want to understand what can your users do today to help themselves. So there's no call to action in the blog post, there's no indication of who wrote the blog post and when it was posted. In a security event you are going to get new information and hopefully you're going to be keeping your customers up to date, your users up to date, and if you don't

timestamp your communications, they're going to be, oh, that blog post from the 22nd said this, no, no, it said this, and they're talking about two blog posts that you both wrote, but no one knows which one is the right one and which one is the more up-to-date one. It also doesn't tell what, in my opinion, is the most important thing in the early moments of an incident response, which is when the next update is coming. So if you put out a security notification that has very limited information, that's fine, as long as you say "and the next update is coming in four hours." And you can use this technique whether you're talking internally to your boss during a

security event or when you're writing publications for customers. It gives them the expectation that more information is coming, and so the fact that they have questions, that's fine, because you promised them an update later. The big thing for incident responders: Okta, if you have hundreds of employees, you're going to have thousands of Okta events in January and March, so the more timeline information that you can provide helps incident responders focus their communication. So later in the day we got a follow-up blog post. Now I know it's later in the day because I went to the Okta blog and saw that chronologically this post came later. You can see this blog post does not have a timestamp.

It also doesn't link to either the original tweet or the original post, and neither one of those two original posts got an update to say, hey, we put more information here. [Audience: It has a timestamp now; they added it.] Yeah, so this is an archive; sorry, a lot of my screenshots are from archive.org. Okay, thank you. And so my opinion, when you're writing these security communications, is one URL that you just update, and you just copy and paste the text above. That adds clarity for me. You will find a lot of communication staff that are unhappy with that, and so that's a discussion you can have when you're

preparing for the event. So let's see what we can learn, what we can read between the lines from this event. So I pulled out some choice quotes. They say the Okta service has not been breached, remains fully operational, there are no corrective actions that need to be taken by our customers. Now we can learn a couple things from here, and there are a couple of the incident response clichés that are starting to come into this talk. So this first sentence is important: the Okta service has not been breached. So what does "the Okta service" mean? Nobody really knows; it doesn't have a definition. Now if the CEO is asked in court, you

said the Okta service wasn't breached, but an employee's laptop was breached; well, technically that's not the Okta service, that's an employee's laptop, not the app. So it doesn't really tell us what happened. Also, there was never a question that this was an availability event, so the fact that they add the "and remains fully operational" [Audience: Battleship, battle station.] that lets them say something nice: hey, we're still running, that's great, right? You're trying to change the perception that comes from "this has been a security breach." [Audience: Plausible deniability.] Exactly. And the last sentence, this gives us another little weird thing. What do you mean there are no corrective actions that need to be... you've used the word "corrective" in

there. Does that mean there are response actions I should be taking? Does that mean there are... like, what does that mean? So this sentence really threw us for a loop as we were starting our investigation, right? Obviously you were breached, and we saw, the only information we have as defenders is what's public, and so we saw a breached laptop with an application called SuperUser, and now you confirmed that there was an event, but don't worry, your service isn't breached. So this is trying to make people feel better, but as a defender it's giving me more and more questions, and if I was on the team that decided, you know, we're not going to

run our own AD, we're going to go with Okta, leadership is going to start asking those questions to us. So now we get to the good parts of this new statement. So they gave us this five-day window between the 16th and the 21st. So as a defender this is great, right? Any time you can put a date range on your query, no matter what system you're using for your investigation, it's going to help you narrow down the timeline. You can do a firmer or a more in-depth dive. And now they give us the information: it wasn't the service that was breached, it was a support engineer's laptop. Now again, this is where this

statement gets great. The ability for Okta to be able to get this through legal, compliance, outside counsel, the CEO, this is like all the people; they had to be incredibly confident in their internal data controls. So I'm not going to read this whole thing, but I'll point out the last sentence, right? Yes, you saw this thing in a screenshot, and it gave them the ability to reset passwords and MFA factors, but they aren't able to obtain those passwords. This is a clear statement of fact that this company is making during a security breach. So if anybody, any lawyer, plaintiff's attorney, class action lawsuit, can prove that that was not the case, this is an open-and-shut

case. They don't need to prove intent, they don't need to prove negligence; they've got an official of a publicly traded company making a fraudulent statement during the security event. Like, lawyer fees, good job. So Okta, the Okta event earlier this year, it started off pretty rocky, right? There were many hours where we were not sure. Okta's support staff and account teams did not have the information, or at least they didn't know this was coming, right? So if you are working a breach and you're a SaaS vendor and you have account teams, make sure that your field staff is briefed, so that when the CISO of your large company comes to you and says we've got a breach, what's going on,

their answer is "I don't know, what are you talking about," because they're not on Twitter and they're not reading the company's official blog, right? Over-communicate, even if the answer is "Yes, I know we had an event, I don't have an update for you now, but I'll have another one in fewer than four hours," or "I'm not running that event, it's being coordinated out of here, here's the email, reach out to it." So if you're working on one of these types of breaches, make sure that you feel comfortable making this type of a statement, because this allows you to really prepare for a breach. So we talk about assumption of breach in security;

you can also talk about how does that assumption of breach translate into writing a breach notification before it happens, because if you can't write a statement like this, if you're not comfortable with it in an internal email, you don't necessarily have the controls. So I want to talk about another event, because we're about halfway through. This is one of T-Mobile's data breaches from 2020, not the one from 2018, not the one from 2019, not the second one from 2020. We're talking about the first one. Thank you. So this one is actually pretty... [Audience: If you want them, like, two months in the library.] No, that is true. I am a T-Mobile

customer; everyone needs to know that. So the interesting one from T-Mobile's perspective, what can we read between the lines here? So T-Mobile said that this breach happened because an email provider was compromised and there was a bunch of information sitting in the email inbox, and so they were able to identify which customers were impacted and they sent out individual text messages to individual customers. They also used two separate URLs. So this CPNI notice, which is Customer Proprietary Network Information, which is from a specific U.S. federal law that defines that term, was sent to any customer that did not have financial information impacted in the breach, whereas this PII notice went to

customers where their Social Security numbers and financial instruments were included in the breach. So this tells us how much access the attackers had, because if T-Mobile was able to make this clear statement and not notify customers who met this very specific definition in federal law, that means the attackers had the exact same information. So this is from the first breach. I'm gonna... yeah, sorry, it sort of got very bright all of a sudden. So this is a cliché you will find in security breach notifications: "sophisticated attacker that we quickly shut down." PR people and lawyers are going to want to put this adjective on your breach

notification, because "sophisticated attacker" does not have a formal definition. It could be anything, right? They used a computer; "it was a computer-facilitated attack" is another one. [Audience: Doesn't it make them look better? Like it wasn't just someone... it was this really... just a small business.]

"Shut down quickly": what does that mean, right? On the galactic time scale, if it takes you six months to find an attacker, the universe has existed for billions of years, so it was quick. So it was pretty quickly that we shut it down, right? You can defend that. And then it also says to you "which may have impacted some of your personal information." Now they sent personalized text messages to their individual customers; well, I know what information was impacted, but again, "some of your personal information," because T-Mobile doesn't have your astrology sign, it doesn't have any number of things that we might consider personal information, so they can add this qualifier here and

they can defend it. Now this was an interesting one. So they say there were government identification numbers, which is great, Social Security numbers, financial assets, as well as phone numbers and billing account information. Now why is this information sitting in an email inbox, right? So we know from reading the data breach notification that they say "a malicious attack against our email vendor that led to unauthorized access of employee email," and then the notification says there were phone numbers, billing and account information. So this tells us something about T-Mobile's internal processes: it tells us that they are in the habit of storing and sending PII and payment information via email. So I'm not a PCI compliance person, I

don't think email is a part of their PCI scope. What do they mean by government identification numbers? Because they call it Social Security numbers; what other government... military IDs? They also have Canadian customers. So this tells us a lot about the internal process of the team, right? It doesn't say they gained access to the system where these were stored; it was they got access to an email box and these were sitting in an email address. So this is the notice that got sent to customers that did not have financial information, and so in this one they go a little wild, because in this one they don't have to talk about financials, and so they can make

statements like this: that "we are not aware of any evidence where the information contained in the affected email accounts has been used to commit fraud or otherwise misused." Yeah, yeah. So they lost your information; they're not aware that it's been used for anything wrong. Beyond silly, right? Just beyond silly, because it could happen anywhere in the world, so it's just such a crappy statement to me. And so the other thing here: when there isn't direct financial information involved in a data breach, you'll see this cliché. This is another cliché you can pull out, and the reason why this gets pulled out is because it's very easy to say this credit card number was stolen, this

transaction was made, right? And I got that credit card in January and then it got leaked here; clearly you're at fault. Because I've been involved in the TJ Maxx breach, so I got a new credit card. Whereas when PII is lost it's much more difficult to tie a specific PII loss to a specific attack. So any OPM friends in here? OPM friends, OPM breach, Home Depot breach, I'm in that one, T-Mobile breaches. [Audience: But yeah, if you lose control of that data, you're still liable.] Absolutely, yeah. So all our data is out there already, because we don't have a federal data privacy standard that holds companies accountable for their poor, poor protection, and so they can make this

statement that even if your email does start circulating through spam, right, well, you made a political donation with that email address, so you can't prove that it came from here; you gave that email to your, you know, cousin's Girl Scout cookie sale, they might have sold it, right? So you can make this statement truthfully, because they don't have global logs of how every single email address in the world is used for everything at all times. So this is a perfectly valid statement to make. So what I want you to think about as you leave is: prepare for your own notification. If you're a defender at a company, know who is in your communications

chain. So does your company use crisis PR? Do they keep it in-house? If they do use crisis PR, you know, how do you invoke that? Know who your legal team is. If you're on the security team and you don't know who your lawyer is, get ready, because you will eventually know them and be friends with them, and they're great people. Some companies might also make use of outside counsel in the event that a security incident is declared; some companies might keep it in-house. If you can find that law firm that your company uses for outside counsel, ask for other data breaches they've been a part of, because you're going to see what type of

statements they make. It's a little odd, but as a security defender it's really helpful to know the voice of your company. So how do blog posts read? Does your company have a blog? Do you use email notifications? What are some of the systems that you're likely to get involved with again? And that's because if you're just going to send emails, make sure you write a subject line. If it's going to go on a blog, make sure you've got a title. If it's going to go on social media, you might not need those things. If it's going to be in all these channels, make sure you know all the channels ahead of time. As security professionals in this

room, we're all going to fight to avoid these clichés, right? "Your privacy and security are important to us": terrible way to open a sentence, or a statement; it's always going to get put in there. See if you can be the advocate for real, useful, actionable technical information. That Okta statement about what a support engineer can do is great; I'm impressed they got it in there. They have a great FAQ; if it would have come out the first day of the breach, they probably would have had a much better time. But include details that can help defenders launch their own investigations, even if it's just that minor timeline. Now if you try to have

this conversation, rather than ahead of time, in the midst of a data breach notification event, you're gonna have a bad time, right? As a security engineer, one of the biggest things we bring to an event is calm, that soothing pilot voice, right? We've all been in a plane, or hopefully you've been in a plane, that's felt a little turbulence, and you hear that fine Midwestern impersonation of Chuck Yeager over the radio: "Folks, a little bumpy there, but air traffic control is fine, we're under some clear air, don't y'all worry." If the pilot is not sure why the plane is bumping, you're gonna have a bad day, right? You as a security engineer, a

security professional, you're bringing calm to this event, so you can do this prep work ahead of time and you can say, look, this is the playbook, we don't use that phrase, or hey, I know we've got to engage the crisis PR firm, I'm gonna be their confidant. Now you can change the setup of who is in that room. [Audience: Do you find that cybersecurity insurance agents are getting more involved in these announcements? Because I've seen that too at some firms.] If the cyber insurance policy that they're going to sell you... they might be involved, but a lot of companies are having trouble maintaining insurance, because insurance companies' whole business

is taking your money and not paying you for things, and so cyber insurance is a bad business to be in. So yeah, I've seen that quite a bit. Yeah, some organizations might engage, instead of... they might have cyber insurance, and that cyber insurance might come with outside counsel and a response firm as well, right? It might be more of a package bundle. So think about how you're going to have a breach ahead of time. [Audience: And sometimes when you sign a policy, I know there's clauses in there that say they will control that as well.] Yeah, yeah. So you also want to think about notifications that you're going to get from your own vendors. So most

modern IT shops are using some form of a SaaS product, whether it's infrastructure, AWS or Azure, whether it's Slack for communications, Okta for identity. Figure out what the communication paths are from those vendors in the event of a data breach. This is the last thing that you want to have happen: your CEO, who is on Mastodon for some random reason, knows about a data breach before you as a security team. When you control the narrative, you can say, yep, we heard about it, this is the chat, we're starting this investigation, thank you, as opposed to your boss getting a Slack message from the CEO and then being like, no, I hadn't heard that the center of all of our

identity has been compromised, I'll get back to you, right? They're going to be at that information deficit. So how are those posts going to come? Are they getting monitored by your SOC or NOC or on-call person? Also, do they have up-to-date contact information for you? So if you are suffering at a new startup, right, where the founder used their personal Gmail account to create the production AWS account, and that's the account with the most spend, any security notification on that account is going to go to your CEO's Gmail account. You're probably not going to have access to that. So at AWS you can set a security contact. Can you update

the communication to be in a way that your SOC or NOC or IR staff are going to know that an event, a notification, came out? Another thing you want to engage with is, do you have contractual language? So some companies have a data breach addendum; other companies will sign different types of clauses when they go with a SaaS vendor, that they will be notified in a certain number of hours, a certain number of days, for these types of events. That'll help you plan as a security team what type of events might show up and where that type of info might come from. Another great contact is, do you have an account manager at a SaaS provider? Now they're

not necessarily going to be in the loop on a security event it might be right if the company is prepared for it but at least it's a person that you and the Security Org know right because when you're when the CEO wants an update from the sizzo about this you're going to want to be able to escalate on the vendor side and at least if you know a single person's name you can at least say that you're you're talking to somebody so I thought this was funny as I was working on this talk uh this is a Google Trends map of the word data breach and if you'll notice the number one is DC followed by DC's I don't know bigger

second smaller because of the DMV area I don't know what Illinois is up to but uh they get Chicago gets breached a lot well is Illinois also does have some pretty strong biometric protection laws yes so they care about on so this number of is a zero to 100 number of how I'm going to read this if the number represents the search interest relative to the highest point on the chart for the given region and time a value of 100 is the peak popularity for the term so when when did you do this uh this is for the 12 months from last Wednesday to 12 months before that so it would have been it was I'll bet

Illinois was the Facebook suit so it's very funny if you extend this for five years through the OPM breach and then bam right when the OPM breach happens and DC is just cool uh so it's it's it's so we're hoping that uh there might be some uh some change coming um I've got some other breaches I can run through I've got some some Uber slides but I want to open up to the room see if anyone has any questions uh yeah um I noticed you said that when the communication is being composed the the security people are no longer in the room um I've put in place I don't know probably close to a dozen response plans

from Ab initio now and one of the things that we do when we constitute a team is we include all those people on the same response system so is it your experience that the like the pr and the lawyer go off in a corner and say get away we're doing this so the fact that you have an incident response plan is why you get to be in the room all right if a breach is if it's the first time that this has happened and there's no plan it's possible that yeah the legal and the pr people are just going to disappear and they might not know who the security people so you're not guaranteed to be in the room

especially because as the security staff you're running the event. So my reflex in those positions, when I show up in a new organization, is to say "well, what's our incident response plan look like?" and they say "our what?" and I say "what, we don't have an incident response plan?" So that's the second thing I do. The first thing I ask is "is anyone using root AWS credentials?" and then I ask about the incident response plan. But yeah, having, right, like, no plan survives contact... (Don't put anything else up funny until I get back from the head.) So no plan survives contact with the enemy, but at least if you have a plan you have something to fall apart from, as

opposed to just starting. So yeah, the question was, you know, have I seen incident responders not be in the room? It happens. They might have, you know, the one tech guy at the company working on things; you just can't know. Hopefully the tech staff get to be involved, but if they don't have that plan in place they just might not be there. And the one thing I saw at one company I was at: not only did they have an incident response plan, but it was in a binder, in a book, because their premise was that if it was a sufficiently large incident we may not

have access to our computers, or we may have to turn stuff off. So by having it on paper, you know, all of the information written out with all of the contact phone numbers and everything in it, it was always 100% available. Do you have your manager's cell phone number in a way that you can get to, so you can get to them on Signal when Slack goes down? This is extending more into general IR plans, right, but yeah, having that call tree, having that phone tree: what's the backup? You know, Slack goes down, we've got Google Chat as part of our, you know, nobody uses it, but

that's the next backup, and then we've got Signal as the... And, like, if your company is all VoIP, do you have a single dedicated hotline someplace on the prem that can be used to contact you if your internet is down? Yes. It's amusing, the overlap, especially for SaaS companies, of communication principles between incident response and general outages: some customers, if you don't know when something will be done, when they'll be updated... Yeah, so the statement was about there's a lot of similarity between an availability event and a security event, right? Providing, "clarity" is not the right word, a lack of clarity for customers about when the next update is going to hurt. Corey

Quinn, who does a lot of work in the AWS space, has a newsletter slash podcast, depending on if you're verbal or a reader, where he talks about the lies of the status page: that if you're having an outage and your status page is green, right, you're losing, regularly, in a trust deficit, and that's not going to help you re-earn it. Cool. Well, thanks everybody for coming, this was great. Happy to chat if anyone has any questions. I am Z1G1 in most places on the internet except for Instagram; there's a Russian weightlifter who got that before me, so I guess hang out with him, he seems... I don't know. You still got 12

minutes? We still got 12 minutes. All right, let's talk Uber then, we've got time to talk Uber. So this is another thing that was attributed to Lapsus$. Now this one is fun. So they put this in there for each notification; this is the first time I've seen a breach notification give a second-factor exhaustion attack as the way that they got in. So for folks who aren't familiar, there are apps that employees put on their phone, and then they get a pop-up notification that says "did you just try to log in?" And so Lapsus$ purchased the account that they used, because they purchased an employee's username and password, and then

they just kept trying to log in, hundreds and hundreds and hundreds and hundreds of times, and the poor employee's phone just kept at it, and eventually they just said "fine," they said yes. And so that's how that got in. And so once they got in they were able to move laterally inside and gained access to Google Apps and to Slack. And we were talking about Slack, I was talking about Slack with somebody, yeah. Slack is great. Slack also is the brain of your entire company, and when someone has access to your brain that you're not used to, all sorts of weird things can happen. So Slack has automation, it's got chat history, it's

got attachment history, it's got channels that you can join, and they may soon have objects, yeah. And so that was in September '22. Then in December of '22 they had to announce a second one, so they made it three months. And so unfortunately for them this was another Lapsus$ event, and they got caught in the crossfire of a downstream breach from this IT vendor, Teqtivity. Teqtivity, thank you, a word I had not said out loud before writing this presentation. This was your classic "we had an S3 bucket full of stuff" type breach. So again, Corey Quinn's S3 Bucket Negligence Award. Corey, if you're watching this, he does have a physical trophy that he claims he

has sent to companies that have earned the S3 Bucket Negligence Award, so, you know, tell your friends about that. So this is the Teqtivity post. They have hired a pen testing firm, so don't worry, they brought in a pen testing firm. So after the breach they have hired a third-party pen testing department to do that. So this is the thing: the words are true, they have done that. It doesn't help in any way, but they have in fact done this thing they said they are going to do. But again, for people that aren't experts in the area, that sounds great, it sounds cool, yeah.
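The second-factor exhaustion attack described above (a purchased password plus hundreds of push prompts until the employee taps "yes") leaves a distinctive trail in identity-provider logs: one user, many prompts in a short window, most of them denied or timed out, and then an approval. The detector below is an added example written for this page; it is not code from the talk, from Uber, or from any vendor. Its log format, event names (`mfa_push_sent`, `mfa_push_denied`, `mfa_push_timeout`, `mfa_push_approved`), the ten-minute window, the threshold of five prompts and the sample log lines are all constructed assumptions.

```python
"""Flag MFA push-fatigue (second-factor exhaustion) in identity-provider logs.

Added example. The log format, event names, thresholds and the sample data
below are assumptions for illustration, not Uber's or any IdP's real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed look-back window per user
THRESHOLD = 5                    # assumed number of prompts in WINDOW that is abnormal

# Constructed sample log (not real data). Fields: ISO-8601 time, username,
# event name, source IP of the login attempt that triggered the push.
SAMPLE_LOG = """\
2022-09-15T21:00:01Z alice mfa_push_sent 203.0.113.7
2022-09-15T21:00:03Z alice mfa_push_denied 203.0.113.7
2022-09-15T21:00:10Z alice mfa_push_sent 203.0.113.7
2022-09-15T21:00:12Z alice mfa_push_denied 203.0.113.7
2022-09-15T21:00:20Z alice mfa_push_sent 203.0.113.7
2022-09-15T21:00:30Z bob mfa_push_sent 198.51.100.4
2022-09-15T21:00:34Z bob mfa_push_approved 198.51.100.4
2022-09-15T21:00:50Z alice mfa_push_timeout 203.0.113.7
2022-09-15T21:01:05Z alice mfa_push_sent 203.0.113.7
2022-09-15T21:01:07Z alice mfa_push_denied 203.0.113.7
2022-09-15T21:02:30Z alice mfa_push_sent 203.0.113.7
2022-09-15T21:02:33Z alice mfa_push_approved 203.0.113.7
2022-09-15T22:30:00Z alice mfa_push_sent 192.0.2.9
2022-09-15T22:30:04Z alice mfa_push_approved 192.0.2.9
"""

REJECTED = ("mfa_push_denied", "mfa_push_timeout")


def parse_log(text):
    """Parse the sample whitespace-delimited format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "event": event,
            "ip": ip,
        })
    events.sort(key=lambda e: e["time"])   # logs are rarely delivered in order
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for users who receive >= threshold push prompts inside one window.

    push_storm       fires once, when the threshold-th prompt arrives, whatever the
                     outcome so far (the user is still saying no, or ignoring it)
    fatigue_approval fires when an approval arrives while the window already holds
                     >= threshold prompts: the "fine, yes" moment the talk describes
    """
    history = defaultdict(deque)   # user -> (time, event) pairs inside the window
    alerts = []
    for e in events:
        if not e["event"].startswith("mfa_push_"):
            continue
        h = history[e["user"]]
        h.append((e["time"], e["event"]))
        while e["time"] - h[0][0] > window:   # evict events older than the window
            h.popleft()
        prompts = sum(1 for _, ev in h if ev == "mfa_push_sent")
        rejected = sum(1 for _, ev in h if ev in REJECTED)
        kind = None
        if e["event"] == "mfa_push_sent" and prompts == threshold:
            kind = "push_storm"
        elif e["event"] == "mfa_push_approved" and prompts >= threshold:
            kind = "fatigue_approval"
        if kind:
            alerts.append({"type": kind, "user": e["user"], "ip": e["ip"],
                           "at": e["time"].isoformat(), "prompts": prompts,
                           "rejected": rejected})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this produces two alerts for `alice`, both from the attacker's IP: a `push_storm` when the fifth prompt arrives and a `fatigue_approval` when she finally approves with four rejections still in the window; her normal login an hour later from a different IP is not flagged, and `bob` never is. The approval alert is the one to page on (the attacker is now inside), the storm alert the one to act on automatically, for example by locking the account or switching that user to number matching. Keeping prompt counts, outcomes and source IPs in the log is also what makes a later notification able to say precisely how the account was taken.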

But they just see that and go "oh, that sounds good." It sounds like if I had a battery fire in my electric car I would then go look it up in Consumer Reports to see if it was one of the better models. So the other one that's interesting is "the incident is ongoing," they've notified some customers, they have taken steps to ensure the situation is... the investigation is... "The incident"? Yeah, the investigation, sorry, you're right. And so, but they do make these nice factual statements, right? Again, when we look at a breach notification, what can we learn from it? And one of the things is they were able to know what their system stores in S3,

which is good. It was stored in an open S3 bucket, which is not good, but they did have this information. I love that they said "we've prevented this type of event from happening again." Should they say, in parentheses, "at least for the next 10 minutes"? I mean, how can they make that claim, you know, "we'll prevent it from happening again"? So if I were asked to read that, so the classic thing, you know, "Mr. Glick, can you read the highlighted passage?" So if the CEO had been given that and said, you know, read this highlighted passage after you got hacked another time, you could say "well, the facts of the case were different this

time, right? That time they used an open S3 bucket, this time they compromised

Uber's IT vendor." Who wrote this? So Teqtivity wrote this? To whom? This is on their blog or on their website. So Teqtivity is an IT asset inventory system, from what I could tell from their marketing material, okay, because I couldn't make sense of the data item. Yeah, so Lapsus$ found this S3 bucket that was full of Teqtivity's customer information, not encrypted with private keys, and they just don't apologize, they sincerely apologize. Attractive, for corporate. How does the work location detail cross over with not revealing the home address, if a bunch of people are probably still working at home from the pandemic, because the work location only contains...

Yes, technically correct. If they are working from home, your work location happens to be your house. Well, but it's only the city, it doesn't give, it wasn't the full address, although depending on the city that could be an issue. Yes, the city of Chautauqua, New York, there's not that many tech workers, versus, you know, Chicago. So that's why we're the best city in the world. You do have a train restaurant, that I do... I want to go to The Junction Cafe at some point, they apparently serve your food on railroad flat cars coming up to your table. Oh my God, yeah, that's in Chicago? Yeah, I live here, I don't know

what's it called, The Junction Cafe. All right, please give this talk five-star reviews, use coupon code "Zach almost six" when you check out the Junction Cafe. Hey, I'll treat you. Yeah, here in town there's one that just opened up that has robot servers. There was a restaurant in Seattle called The Iron Horse, which my mom still is traumatized about the food from, because it was apparently that bad, but she took her four or five-year-old son because he loved going there, and they would serve your food to you on a little train car. So I have, like, very fond memories of this restaurant. It was closed when... You want to get some

food on a train car that's actually good? Yeah, well, you know, we can hope, right? Here it is. "We sincerely hope," I sincerely hope that it's a good restaurant; you take the quality of the food very seriously. "Burgers and wraps get delivered by model trains." You gotta use those adjectives. That actually sounds pretty... Caffeine restaurant, wow. They got it, yeah, 22 votes. Oh, only 22? I guess 22 votes with five stars, at a 22. That's the Junction Cafe. Well over 2001? That's the Fiji Islands. Oh, it's close. Oh, this is the Fiji, yeah. That's not it, it's the Junction Diner. Is there an island of Chicago?

I mean, the Great Lakes are pretty great, though. The Junction Diner, bait and switch. This is why we need to know each other in Chicago. Yeah, awesome. That only happens... They only had a 3.0 out of five, and if you look at Maps it's 4.4. "PBS Kids Express rides the rails along the diner counter to deliver your order. Kids of all ages are entertained by a drink table, light-up dream village, coin-operated engine. The menu has a wide selection of homemade options for diners of all ages." Thanks everybody for coming.

[Applause]