
Why I Love Defensive Work, Why I Don't Love Defensive Work

BSides Oslo · 2022 · 47:32 · Published 2023-01
About this talk
Runa Sandvik reflects on her 12-year relationship with defensive security work, drawing on experience at The Tor Project, Freedom of the Press Foundation, and The New York Times. She explores the technical, economic, and emotional reasons to pursue defensive security, shares stories from journalism security and hardware hacking research, and discusses the challenges of mission-driven work in a landscape where known solutions often go unimplemented.
Original YouTube description
Runa Sandvik works on digital security for journalists and other high-risk people. Her work builds upon experience from her time at The New York Times, Freedom of the Press Foundation, and The Tor Project. She is a board member of the Norwegian Online News Association, runs @journalistandspy on Instagram, and tweets as @runasand. -- A personal talk about my 12-year relationship with defensive security work and other random stories. Come for the tales about journalism security, mission and impact. Stay for the fun nuggets about gun hacking, research, and corporate politics. Bring your best questions and good attitude!
Transcript

So, this talk is all about why I love and why I don't love defensive work, and other random stories. I figured I would probably talk for 40-ish minutes, plus or minus, leave a bunch of time for questions, and I'll stick around for a bit after as well.

So who am I? I'm originally from Oslo, I studied in Trondheim, I moved out first to London in 2010 and then to the U.S. in 2012, and I now live in New York City. I am very passionate about journalism security, and I'll talk a bit later about exactly how I define that space. I previously worked for the Tor Project, Freedom of the Press Foundation and the New York Times, and now for the past two-plus years I've been doing primarily freelance work. I'm an advisor to the Ford Foundation in the U.S., which is a big, big, big funder of NGOs and smaller non-profits both in the U.S. and elsewhere. I am also an advisor on a subcommittee of CISA, the Cybersecurity and Infrastructure Security Agency within the U.S. government. And I also run Journalist and Spy on Instagram, which is this project that in each post profiles a journalist who was also a spy, or a spy who used journalism as a cover, which I think is pretty cool, so check that out. And I have a very cute cat, Pumpkin.

Okay, so why this talk? Well, I agreed to keynote on March 31st, which means I had about two months to come up with a topic, which should be fairly straightforward, right? It's not. It's plenty of time to come up with something, but you know, what do you talk about when you've been just sitting at home for two-plus years? I can tell you that I baked all of two banana breads, I built a bunch of mechanical keyboards, I watched a lot of Netflix. So I'm trying to figure out exactly what to say for 40-plus minutes on stage. I took a lot of inspiration from Halvar's keynote at OffensiveCon 2020, where he talked about why he loves and does not love offensive work. If you're interested in the flip side to this, definitely go and check that out on YouTube. I also figured that my take on defensive work, plus a bunch of random stories, maybe my sort of non-standard path to what I do today, can inspire and help someone else here. So this is me trying to condense basically a bunch of guidance, stories and hot takes into a single talk.

Okay, so I was trying to figure out how I would bucket out reasons to love defensive work. There's the technical reasons, there's the economic reasons, there's the emotional reasons. Within the tech space, defensive work can really be full stack: you can work with hardware, firmware, software, logic, you can work with how humans interact with the technology. There's always a new puzzle, a new creative challenge, which is sort of what I really found initially, way back in the day. So I got a computer first when I was 15 and very quickly found that I really like learning how to do things that I'm not supposed to do, and sort of not crossing that line, but sometimes maybe sort of, but not breaking any rules. And so I always really, really loved that puzzle and that creative challenge, and just the amount of different things that you can learn. Economic, I'll get back to that a bit later, but the bottom line is that everybody needs good security. And for emotional reasons, everybody deserves good security, and I'll talk about the difference later on. And of course it's also a really, really good opportunity to do really good work with good people for good reasons, which I really enjoy.

So way back in the day, 2009, that was before the last year of my bachelor's, I needed a summer job. I had heard about Google Summer of Code, which is effectively Google giving non-profit organizations funding to take on summer interns. It's still around, you should check it out. So I was browsing the Google Summer of Code website thinking surely there is something here that I can apply for. I found this thing called Tor and I just initially thought it was really, really cool that here's a tool that allows you to be anonymous online, and that was it. I didn't really think about... (is that someone's phone? Okay, at least it's not me, maybe it's NSO.) So I found Tor and just thought it was really cool that there's this thing that allows you to be anonymous online. I didn't consider anything beyond those lines of code. I didn't consider the connectedness of this tool and the libraries and how it ties into browsers and the amount of forensic research you can do around it. I didn't consider UI, UX and design, or the documentation. I didn't think about really anything else. I didn't consider how people actually use it or to what extent people can benefit from it.

So I spent that summer working for Tor and then ended up volunteering for about a year. Then Tor offered me a part-time contract and then later on a full-time contract, and I think in total I spent about four years with Tor. And so over those four years I really got to do a lot of different things, and I think that was the benefit of working for either a startup or a small non-profit: it's sort of all hands on deck, you really do get to try out a bunch of different roles. So I got to do development and QA, documentation, training, project management. I got to do a lot of training for reporters as well. I got to do research into online safety and censorship circumvention. During the Arab Spring a lot of people found Tor and figured they'd have to use that tool to get access to censored sites. The governments in the different countries found different ways to then try and block Tor, so we did some research to try and figure out, well, how do we get around this? And it really wasn't until I found Tor that I really got to understand just how important that tool is for people elsewhere, and just what it means to them and what it enables them to do.

And so in, I think it was in 2011, Tor got funding from, if I remember correctly, the U.S. Department of State to train reporters, and I ended up leading that project. The goal was really to teach reporters how to use Tor to be safe online, but we also found very quickly that it doesn't make a whole lot of sense to teach someone how to use Tor if they're not already familiar with passwords, two-factor, software updates, all of that other good stuff. And so we built a curriculum around it, which is sort of how I then shaped that into my definition of journalism security. And so that's how I got onto this track of working specifically within that space, because after Tor I ended up working for Freedom of the Press Foundation for a bit, doing sort of the same work. I then took that to the New York Times and worked there as the Director of Information Security for the newsroom, reporting into the CSO on the business side of the company but physically sitting in the newsroom with the reporters and focusing on the things that they needed. And I'm sure I'll get back to that a bit later on.

So, journalism security. If I were to try and explain exactly what that is, I would say that it's about securing an identity and the business which enables the work. Being a reporter is more than a nine-to-five job, it's more like an identity. You are a reporter if you're sitting on the couch on a Friday evening browsing Twitter on your personal phone, you're a reporter when you're traveling to Berlin or to New York, you're a reporter when you're physically in the office nine to five. And so securing that means that you do need to account for not just the corporate systems and accounts, you do also need to consider their physical safety, their emotional safety, any sort of legal challenges associated with their work, and also their online accounts, and that does extend to personal online accounts as well, like social media for example. And so that is a much, much bigger space than I think what most corporations view, because typically the business will secure the corporate stuff, but then who's responsible for the personal stuff, right? And that's sort of where this space exists.

Within the business that enables the work, I put it into sort of three buckets. So you've got the newsroom, with your reporters and their sources, their communications, whether that's on a work device or a personal one, you've got any sort of notes, drafts, stories, the places that they travel to, all of those pieces, all of those challenges that exist in the newsroom, and someone needs to think about how do you actually go about securing that type of work. Then on the business side of the company you've got your typical finance, legal, HR, M&A, infrastructure, engineering and so on. It's effectively all of the groups that just enable the newsroom to do what it's doing. So you've got the engineering and infrastructure teams that are maybe hosting email, but that's not super common these days, but definitely developing and maintaining the CMS, for example. So that is something that they are doing for the benefit of the newsroom so that they can write and draft and publish stories. And then finally, the third bucket, we've got subscribers, which is really where we're dealing with other people's info and other people's money. That's again something that needs to exist and you also need to secure. That is something that's primarily sitting on the business side of the company; it's the teams on the business side of the company who are responsible for securing the subscribers, but ultimately it is the subscribers' money that is funding the work that the newsroom is doing.

And so when I say that I work on journalism security stuff, a good portion of that exists within the newsroom bucket. I do work a lot directly with reporters: someone is traveling, someone's communicating with a source, someone needs help digging into something else. There's a bit more interaction over the years now with the business side as well. So these days when I give a training to reporters on how to be safe online, I do also ask that at least one person from the business side, like from IT, attend the training, so that for any advice that I give to the reporters they do have an IT person there who knows what I said, who understands all of it and who can then actually follow up and support the people when I am no longer there. And I think that that is one way to sort of scale it up a bit. And subscribers, I'll get back to that a bit later on, because not a whole lot is done down there these days.

So here are some other fun examples of the type of work that would exist in this space. Newsrooms are also very fast-paced and deadline-driven, and reporters are notoriously impatient, I will say. So I've had more than one case of a reporter that just walks into, back when I had an office, or stops by my desk and says, "Oh, by the way, I forgot to tell you, I'm going to North Korea next week, what do I do?" So you have a week and a half to try to figure out: what are they doing there, who are they going with, how long for, where are they staying? They probably do need a travel laptop, but can they get away with a Chromebook or do they need something different? What exactly is the purpose of the trip? What about physical security? Are they entering the country on a journalist visa or not? Trying to ask all of those questions on top of your regular nine-to-five job.

Then there's the question of how do you secure an office in pick-a-country. So the New York Times has, or at least had, bureaus in Moscow, Beijing, Shanghai and a lot of really, really interesting places. And so then the question is how do you, for one, safely get people in and out of those places, but how do you also support a physical office with computers and infrastructure and connection back to HQ when they're in these locations? Which again is primarily a business-side challenge, because that's where you have your IT and support and all of those teams. And then we sort of touch on the personal side, like how do you recover a compromised Twitter account?

Now, of the types of security issues that I saw a lot of in the newsroom, it was primarily "my social media whatever got hacked." And what is interesting at that point is that if the Twitter account for a well-known reporter at the New York Times is hacked, not only does the actor then have the ability to tweet and delete and follow and unfollow and retweet, but also read DMs, and a lot of reporters will use DMs to interact with sources or any sort of interview subject. So there's a lot of sensitive data in there that would have a reputational impact not just on the reporter but also on their employer. But Twitter then considers this a personal account, so if I reach out to Twitter on behalf of the reporter and say, "Hey, so-and-so's account got hacked, what do we do?", the answer, at least a few years ago, would just be, "Oh well, you just have to have them file a support ticket, then we'll get back to you." So interacting with the social media companies over the years... it's improved a lot. Now I think that Facebook and Twitter and also Google do have a process for security teams at media orgs to try and escalate and get the assistance that they need, so that they do see that a personal Twitter account, if it belongs to a reporter, is both a personal and a corporate type of account. But that's another fun corporate-political type of challenge.

Then there were also some questions around, well, do we worry about using G Suite? So the New York Times got hacked by China back in 2012, and I think the actor was in the system for about four months; there's a really, really good long article about it from Nicole Perlroth. And back then the New York Times ran its own email system. A couple of years after that it switched to G Suite. But if you're a big media organization doing investigative reporting, and you're reporting on Google, should you be using Google for email? Should you be using Google for your notes, for your drafts, for your photos, for all of your future plans? Same with Slack. So those are sort of other questions that came up, and we tried to figure out to what extent this is actually a concern for us and how paranoid we should be.

And then that final question is how do you protect subscribers from credential stuffing, which I know a few media orgs in Norway have struggled with over the years, where someone's just found password dumps online and decided to try out all the usernames and passwords of Norwegian-sounding names on various sites in Norway. And that then goes into this big question of who's responsible for securing subscribers. I don't know how many media orgs today offer two-factor for subscribers, but that should definitely be a thing.

The bottom line is you can only do so much, right, within a nine-to-five day. And before I went into the Times I definitely had this view of "securing a reporter should look like this, if they're traveling to North Korea it should look like this," but then you get there and it's just incredibly fast-paced, you don't necessarily have all the resources you thought you would have, the reporter is certainly not going to be patient enough to use whatever setup you had concocted in your mind, they may not even want to use a Chromebook. So you sort of cobble together the best possible thing that you can, and you just figure it out and you make it work. Which is part of what I really, really love about this type of work: there are so many curveballs and challenges and ad hoc solutions that to some extent you just sort of wing it.

Okay, gun hacking, which was pretty fun, because why not. So I've always been really interested in stereotypical American things. So back in 2014 my husband told me, and we lived in DC at the time, he's like, "Well, you've never been to a gun show in the U.S.," and so he decided that we should go. So we did, and while there I ran into a booth from a company called TrackingPoint, and for one they had this video demo, they had the rifle there, they had a brochure telling us all about it, talking about how it has Wi-Fi and mobile apps and USB ports and it does software updates, and it was like, well, that sounds interesting. So in the car on the way home I just casually asked my husband, "Hey, we should buy one and hack it and present at Black Hat and DEF CON next year." That was always a bucket list item of mine, and he's like, "Sure, why not." So, I'll say that the rifle was $13,000, and we bought two, because we had to take one apart and then we weren't sure if it was going to actually work after. So we bought two. We took out a loan, we bought two.

And it was really a combination of hardware and software, where my husband had more experience with the hardware side of things, I do more of the software side, and then a good amount of it was "I don't know what this thing does, but let's push the button and see." And so I also did reach out to some folks at the Electronic Frontier Foundation just to get some legal advice around what it is that we were doing, making sure that no one was going to sue us at the end of it. But I think I have a photo on the next slide. So here's what it looks like. It's a standard Remington rifle, and then TrackingPoint had added the scope with the computer, and also the red button by the trigger. So the red button allows you to tag your target, meaning once you've tagged the target, the trigger is not going to release unless that little computer has figured out that if the trigger is released at this point in time you are going to hit your target. So it's like sniping for dummies. This was the first time I actually fired any weapon, and I hit my target 100% of the time. What could possibly go wrong? So we had this sitting on our kitchen counter for about eight months with cables coming out of it and computers and batteries and stuff like that. Let's see if I have something on the next slide. Nope, okay.

So what we were able to find: I'll say first, we cannot fire remotely. That was the one good thing about this project. What we could do is we can lock the trigger so you cannot fire at all. We found a way to create custom software updates, because the company had not properly done signature checking on their GPG-encrypted software update, so once you had access to the file system on this device you could effectively just reconstruct a software update for any other TrackingPoint rifle. So we just made our own. We also found that one of the mobile apps allowed you to plug in values for wind and temperature and the type of bullet that you were using, and so we could then, by bypassing the app, tell that computer that the bullet was heavier than it really was, which means that when it tries to calculate when to release the trigger it has the wrong numbers to start off with, and we can cause you to misfire two and a half feet to the left or to the right, so you will just miss your target every single time. And the company, on the day that we presented at Black Hat, yeah, Black Hat in 2015, the company issued this official statement on their website that read: it is safe to continue using the Wi-Fi on your rifle as long as you're sure there are no hackers within 100 feet. And I think that they've since gone out of business.

So, economic reasons to love this work. Well, everybody needs good security, and bad people continue to do bad things, which leads to fancy headlines, bigger budgets. I'm sure there's a pie chart or stats for this, but I didn't bother finding any. Which also means that we will never, ever, ever be out of a job, which is pretty cool. There's a lot of opportunity in the space, there's a lot of opportunity to create something new. I mean, the type of work that I do, it's not like there's a company that does it, and it's not like there's a predefined role for it, but I do somehow make it work. So it's entirely possible to go out and create a role for yourself that isn't the standard nine-to-five typical IT security related job. So if there's something that you're really, really passionate about, it's entirely possible to do it.

And last point: you should be paid for your work, even presentations. I'll just say that I'm not getting paid for this one; I did get paid for the one I gave yesterday. I included that bullet item because a few years ago, when was this, eight years ago maybe, I was at a conference in Stockholm and I realized that I was the only speaker not getting paid and not flying business, simply because I did not ask for it. And I talked to a friend of mine a couple of weeks ago about the talks that I'm giving in the next few months, and he's like, "Oh wait, you're getting paid?" I'm like, yeah. You should be paid for your work, even if that is giving a talk. So remember this for the future.

Emotional reasons to love what I do. Well, everybody deserves good security. There's a big difference there between "everybody needs it," in the corporate sense, in the "what is it that we are legally required to do," and the emotional "everybody deserves it," which goes beyond what is legally required: what is the right thing to do? And that discussion is always a fun one to have with legal teams at companies. Of course, bad people continue to do bad things. I have a very personal desire to have impact; I get a lot of value out of having impact with the work that I do. The high after success, I mean, I have to say it, it does feel really good to walk home after a long day at the New York Times knowing that I got to help with this article that's going to be on the front page of the paper the next day. So no one else really knows about it yet, but I know that I had an impact there, and so personally I draw a lot of value from that. I think that there will be a point in time when I am looking to do more than what I am doing today, because I know that there's so many people that need the type of support that I can provide, and so I'm always chasing ways that I can have impact and do good work. And I also love meeting a lot of different people. There's a lot of cool people in this space, there's a growing community of people, there's more diversity now than before, all of which I think is pretty amazing.

Okay, why I don't love defensive work. I'll try not to be too sad and salty about it, but okay. So, technical: as we talked about, there's a lot of stuff to play with, there's a lot of stuff to secure. It's basically securing all the things all the time, which is a lot. Everybody needs good security, but not everybody will invest in it. Everybody deserves good security, but corporate politics gets in the way. And you get to do good work with good people for good reasons, until you burn out. That may or may not sound familiar to some of you.

So back in the day, before I started full time with Tor, I did pen testing for a small company in London, and initially I thought that was really cool. Got to learn a lot, got to see some interesting clients. Banks in London have really amazing food. But I did find that the work was very, very repetitive over time. I would go to the same clients to test the same type of app, written by the same development team, with the same issues, giving the same reports, and going back for a re-test a few months later and still finding the same issues. So over time, for me, I just didn't find any joy in that. I didn't find that I was actually making a difference, I didn't feel like the work I was doing had any impact.

There's also a huge attack surface out there. So working with a reporter who comes to you and asks, "What do I do about NSO? How do I make sure that my phone is not hacked? How do I make sure that I can safely travel to China and no one is going to come after me or detain me or take my laptop?" You have no guarantees; you can just do the best that you can. There's also an insane amount of technical debt. It's this thing that we all have that costs money and time and people and resources to do something about; no one wants to do it, but it does present a security challenge as well. Security at scale is really, really, really hard. I think one of the examples I can give is, if your option is between asking 1,200 people to turn on two-factor for their email versus turning it on for them by default, turning it on by default is certainly the better option, and at that point it's just enforced, it is at scale, you don't have to chase 1,200 people for the next 2,000 years. But doing that across this gigantic attack surface is really hard, and there aren't any perfect solutions. I'll also say that within this industry we're not necessarily incentivized to solve security, because security products don't necessarily work well with each other. You'll have one that gives you A, you'll have another one that gives you B, maybe they sort of play well together, but they probably won't. There's threat intelligence sharing, but only among people who are really good friends and other special people. You get some of the information that you need but not all of it. So companies are here to make money, because security is a big problem, because there is this huge attack surface, but we're not really incentivized to actually solve the problem for real.

On the economic side, everybody needs good security, but not everyone will invest in it. Your team, unless you're in sales, probably does not make money. I can tell you that me advising reporters at the New York Times on how to be safe online, no one was really paying for that. It's not like subscribers were sending in money specifically so that the newsroom could be secure, right? So in many ways we are a cost center. We're not the team that makes the business a whole lot of money, which means that requests from product and marketing and legal will typically come first, and security concerns are sort of added to the list at some point in time, unless it becomes critically important, and then someone in leadership gets to decide, well, what is critically important. And having that debate again and again and again can be pretty exhausting. And then there's that question of what is right for people, what is right for your staff, for your users, for your subscribers, for your readers, for the people around you, and what are you as a company legally required to do, whether you're talking about securing subscribers at a media org or even in the context of GDPR. That again is this pretty interesting debate, and I think a lot of people will have a lot of different opinions about how far you go and how much focus you put on doing the best that you can versus doing the bare minimum.

And then on the emotional side, everybody deserves good security, but corporate politics gets in the way, which I just mentioned. We operate with probabilities and not guarantees. I can tell you that there are tools out there that allow you to check your phone to see if you currently have Pegasus on it, but that is Pegasus the way that it looked probably a year ago, not necessarily Pegasus the way that it looks today. I cannot guarantee that your device is not compromised; I can do the best that I can to help you check to see if that is the case. And that can sometimes be really, really frustrating, because I like helping people feel like they're actually safe in doing what they're doing. I don't want security to be something that they have to worry about, but knowing that we are sort of in that state all the time can sometimes be pretty sad. And there's no end state, which I think can be both a plus and a minus. On one end, there's no end state, which means that we constantly learn and improve and we get to do better and we come up with new solutions and new mitigations. At the same time it does mean that we have this constant arms race with people who do offense and other attackers, and again, there's no guarantee. So any sort of mission-focused work is also hard. There's a lot of people that deeply care about what they do, there's a lot of people that have sometimes very different opinions on what is right, and how far you go to make sure that you implement that, and what is good enough in that specific case.

So here's my final slide from my talk yesterday, actually, just to highlight the example of some of the challenges in this space. In looking at how media orgs get hacked, I looked at the New York Times in 2018, Tribune had ransomware in 2018, Schibsted media had some issues in 2019 and in 2021. And if you look at how reporters are hacked, we're talking usually a compromise of a social media account or a compromise of a device, and then sometimes a zero-day like Pegasus. But if you look at how media organizations get compromised, we're looking at phishing, phishing and/or an outdated system, leaked passwords, most likely lack of two-factor authentication; again Schibsted, leaked passwords, likely a lack of two-factor authentication; and then Amedia with ransomware last year, phishing and/or an outdated system. Like, we know how to address phishing, we know how to address outdated systems, we know how to protect against ransomware. These are not unsolvable, really hard problems; we know how to address them. But then we get back to this challenge of, well, what is the right thing, what are we legally required to do, do we have time, do we have money, do we really have to do this right now? And so even if we know what needs to be done, there will be other people somewhere higher up in the corporate stack who decide that just now is not the time to spend the people and the money and what have you to do these types of things, which can be really frustrating.

So where am I going with this? Like, a very uplifting coming-up-to-the-end of my talk: do something different. Also, no one asks how to avoid burnout. Over the years I've decided to try something new once a year, just to challenge myself a bit. So about four and a half years ago I decided to try pole dancing, which I absolutely love and I still do. I tried improv, which I absolutely hated, but I went; I bought this pack of four classes and I went, and it sort of feels like when you go to the dentist: you go because you said you would go, but you're not really enjoying it. Scuba diving is still on my list for this year. Did the gun hacking. Got my motorcycle license a couple of weeks ago, which I will tell you in the U.S. is absolutely terrifying. Built far too many mechanical keyboards. Do a bunch of foil work, reverse engineering, malware analysis, just to learn something different. And then at least this year there's been a whole lot of spy stories and true crime and Journalist and Spy and all sorts of fun stuff. And so I will say that finding something else to do is really, really important, and it can certainly be related to your work, it doesn't have to be.

So in short, defensive work is both great and terrible. It is mission critical to have diversity, and we can definitely do better in that space. We have done very well over the years, I would say; we can definitely do better. Security is hard and there are no guarantees to what we do. I found what I love through my work with Tor. It's okay if you haven't found your thing yet. I would say figure out what it is that you love doing and go and try that out, see if you can find a way to make that work. And with that, I hope you have a great conference. Thank you for coming, and if you have questions, let me know.

Thanks so much, Runa, for sharing your experience in infosec. I think a lot of us can relate to the journey that you took; wanting to have an impact is a common thread for a lot of people in this community, and I think we've been there. So I'm guessing that you found a way to keep the positives outweighing the negatives in the end, and that's why you're still here with us today. And we're not getting paid either, which I assume you knew, but I wanted to make that clear to everybody out here, if it wasn't clear: BSides is run by non-profits, an amazing group of volunteers.

Yeah, thank you so much.

Thank you. We do have time for questions. I'm going to ask one question just to grease the wheels here. You said that you went to your first gun show; I'm wondering if they still let you in, or are you on some list now? Have you been to any since?

I have not been to any since. I am not a big fan. And Remington actually went bankrupt; they got parted out to some buyers in 2020. Coincidence, probably. It wasn't me.

Okay. Anybody have any questions? If not, I'll be around later, so if you want to chat in private... We've got one in the back. Oh okay, coming down. Keep your hands up.

One question that you probably have been asked a couple of times: did you ever get Doom running on the rifle?

I did not try to get Doom running on the rifle. The software update screen, though, shows Duck Hunt.

You talked a little bit about spies and journalists. Is spying still as common now as it was back in, for example, the Cold War days?

It's a good question. I think I would say yes, but it probably looks a bit different than it did back then. I think more of it is now online; like, you don't need to place people in different countries and different bureaus under different covers, a lot of it can just be done online.

Yeah, online and anonymous, I guess.

Yeah, yeah. Okay, thank you.

Mr. Brown. Thanks, Runa. Very briefly: when you're talking about your security work towards journalists, was it normally aimed at the digital side of things, so how to secure their devices, how to secure the accounts on that, or, with some of your work in advising journalists traveling to North Korea, Moscow, et cetera, would you give them advice on how to secure their person as well? How did you balance that?

Sure. So I've always just focused on the digital side of things. Before, let's see, back in early 2016, I took a hostile environment training course focusing on physical security training, just to have some sense of what it is that the reporters would go through. But I've always then either worked closely with, or found, someone who does physical security work, so that I can just tag on to what they are doing and we can together find a solution that actually works for the reporters who are going out. So that's what I still try to do: I can figure out who to talk to, but I don't want to give much advice about what to do from a physical safety standpoint.

Questions?

Similar question, but not quite. Since you're securing now, or giving advice on how to secure when people are traveling to other regions: do you use the same advice for when they actually are in their native country? And I'm thinking specifically, if you're in the US and you have to worry about, say, the police are going to do an investigation, or the FBI; or if you're in the UK and things happening; or even you're in Norway, so access requests for information and investigations. Do you use the same advice, or do you change it because of local legal concerns?

I do change it. Like, if you're traveling to, say, Moscow, having a travel laptop and travel phone is an easy piece of advice to give, but if you're living there, or if you're going to be there for like four, five, six months, that's not going to be super helpful, it's not going to be sustainable, right? And so at that point it's more about figuring out how you secure the devices that you do have with you. So we can talk full disk encryption, parade off, we can talk about having a safe. And then also, to your point about different jurisdictions: yeah, there's a different discussion among people who cover protests in North Africa versus New York City versus in Oslo, for example. It just really depends on where you are, what you're trying to achieve, and also how technical you are. Like, there's a bunch of super neat technical tools that are out there to do stuff in a safe way, but not all of them are usable, not all of them are cheap, not all of them are scalable. So it really sort of comes down to that specific context. I do think that today we have the tools and the technology for people to be safe online, so then it just comes down to process and workflow and budgets and resources and all of that fun stuff.

Any other questions? Last question.

Where would you draw the line in securing end users that consume your product, for example subscribers? You talked about MFA; would you even go as far as to enforce strong password policies, and what other recommendations, I guess, do you have to secure end users?

So in the subscriber context specifically, and I know that this is something like the big tech in the US are doing already: so there's strong passwords required for some of them at least; there's two-factor authentication in some form, if not required then at least available. Both Google and Facebook now have... Facebook calls it, I don't know, Facebook Graph, I forget the name; Google has the Advanced Protection Program, which enforces YubiKey auth on your Google account and provides a stronger level of security on your account, and Facebook has the equivalent for people who want to opt in. And in addition, these companies also download and share public password dumps to see if your password is in there, and if it is, force a password reset. And so I think that all of this is doable; just not a lot of companies actually do it, because it goes beyond what they're legally required to do to protect their users.

All right. Are you going to be with us for...?

I'll be around until after lunch at least.

Fantastic. So if you want to chat with Runa, please take the opportunity. And thank you so much for joining us.

Thank you.
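The last answer mentions one concrete subscriber-protection control: checking users' passwords against public breach dumps and forcing a reset on a match. The block below is an added example, not code from the talk or from any of the companies named in it. It models the check the way Have I Been Pwned's Pwned Passwords range lookup works (the client reveals only the first 5 characters of the password's SHA-1 and matches the remaining 35 locally), but replaces the network call with a locally built index over a small constructed dump, so it runs offline. The sample passwords, their counts and the function names are all made up for the illustration.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a public password dump: plaintext -> times seen.
# Real deployments ingest breach corpora; these entries are made up for the example.
SAMPLE_DUMP: Dict[str, int] = {
    "password": 3_000_000,
    "letmein": 120_000,
    "Summer2022!!": 40,
}

# 5-char SHA-1 prefix -> {35-char suffix: count}
RangeIndex = Dict[str, Dict[str, int]]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form k-anonymity range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump: Dict[str, int]) -> RangeIndex:
    """Index a dump the way a range service serves it. Only hashes are kept,
    so the plaintext corpus never has to live next to the login system."""
    index: RangeIndex = {}
    for plaintext, count in dump.items():
        digest = sha1_hex(plaintext)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + count
    return index


def fetch_range(index: RangeIndex, prefix: str) -> Dict[str, int]:
    """Stand-in for the network call: the client sends a 5-char prefix and
    receives every suffix in that range (possibly none)."""
    return dict(index.get(prefix, {}))


def breach_count(password: str, index: RangeIndex) -> int:
    """How many times the password appears in the dump (0 = not seen).
    The suffix comparison happens on the client side, so the full hash never leaves."""
    digest = sha1_hex(password)
    return fetch_range(index, digest[:5]).get(digest[5:], 0)


def password_policy(password: str, index: RangeIndex, min_len: int = 12) -> Tuple[bool, str]:
    """Registration / password-change gate: reject short or breached passwords."""
    if len(password) < min_len:
        return False, "too_short"
    seen = breach_count(password, index)
    if seen > 0:
        return False, f"breached:{seen}"
    return True, "ok"


def login_decision(password: str, index: RangeIndex) -> str:
    """At login the password is already in use, so a hit means the account is
    exposed right now: force a reset rather than merely refusing the login."""
    return "force_reset" if breach_count(password, index) > 0 else "ok"


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_DUMP)
    for pw in ("password", "Summer2022!!", "correct horse battery staple"):
        print(pw, password_policy(pw, idx), login_decision(pw, idx))
```

The two entry points reflect the two moments where the check matters: `password_policy` stops a known-bad password from being chosen, and `login_decision` catches accounts whose existing password has since shown up in a dump, which is the "force a password reset" behaviour the answer describes. In production the index lookup would be a rate-limited call to the range service or a local mirror, and the count threshold is a policy choice rather than the hard `> 0` used here.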
