
Hack The Planet! What Movies Can Teach Us About Infosec

BSides Newcastle · 2025 · 34:40 · 12 views · Published 2025-12
About this talk
Using iconic films from Hot Millions to Jurassic Park, this talk extracts practical infosec lessons: employee fraud prevention, social engineering and phishing tactics, DDoS mitigation, and the dangers of single points of failure in development culture. The speaker draws parallels between Hollywood hacker tropes and real-world threats, arguing that security is less about genius attackers and more about closing opportunities and building resilient teams.
Transcript [en]

Yes. Hello. Can everybody hear me? All right. >> Yeah. Put your hand up if you can't hear me at all. No. >> No. We're doing all right. >> I said I'm doing all right. >> There you go. Let's have some fun. Come on. Right. Okay. Just to answer the important questions first. I usually get some questions when I am at conferences. The second most common is "Where are you from?" The first, incidentally, is "Who the heck are you?" I'm from here. I'm from Tel. It's awfully nice. Okay. The third most common question I get asked is "Where is that?" It is there. There you go. That's really it. Also, if anyone is interested and wants to hear me talk about films an awful lot, I am also the host of an upcoming podcast, Tech Film Noir, where each episode we take in a film that has something to do with tech and talk about it. We just... they've got a hand up. >> I am so sorry. Okay, I will now stand in front of the... So, yeah, we just did one on Weird Science. Spoiler: I did not like that film. Corner me afterwards, I have opinions. So, let's move on with this talk. I've got a limited amount of time and I need to get through an awful lot of stuff very quickly.

So, what was the first hacker movie ever made? Can anyone give me a guess on which decade the first hacker movie was made in? Go on. 1980s. No. Anyone else? Sorry. 20... Oh, interesting guess, but no. >> No. No. 60s. Yes. Give that gentleman, that person, a prize. Yay. 60s. The first hacker film was made in the 1960s. It was called Hot Millions. I used to think that it was The Italian Job, which is indeed a hacker movie, and I used to think that the first hacker in the world was Benny Hill, of all people. But no, it was Hot Millions, a rather obscure British film starring our first hacker ever depicted on screen, Peter Ustinov, a classy actor from way back. He is a guy with tech skills who comes out of prison and thinks that there are an awful lot of big tech companies that have money. He has skills but no money. Some sort of amicable exchange can be worked out. He sets himself up as the head of the team of a big company that makes, honestly, it's actually unclear, but something. It also features a very young Maggie Smith, if anyone remembers her from Harry Potter and other things. This is her when she played the female romantic lead back in the 1960s. She was young once. So he gets himself all set up in a big company and of course starts trying to do all sorts of malicious things, because what he wants to do is steal all their money.

So let's talk briefly about employee fraud, because that's basically what this is: employee fraud. This is the idea that we have an employee who works in our company legitimately but has bad intentions. It's really common. This is something they don't talk a lot about. Employee fraud is really common. Ask anyone who works for a high-street shop brand and they'll tell you how common that is. Mostly unreported. Companies don't like you to know just how much employee fraud goes on. But the main cause is desperation. Unlike our guy, who just wants to become incredibly rich, most of the people who go on to do fraud are people who are in poor financial situations and are just desperate, and have, as they say, motive and opportunity. The most common form is billing fraud and stealing cash. This is not the grand fraud you tend to see in Hollywood, where we're stealing millions, the hot millions of that film. It's really just petty theft. That's really what we're talking about. Someone has got their hands in the till and swipes a little bit of change. Not literally that, but that in principle. That's the most common fraud. I'm not saying grand frauds don't happen, but when they do, they're usually carried out by management. It's also 70% likely to be men. Sorry, men, you suck. It costs around 5% of the annual revenues of companies that are subject to this. That's a lot, especially for big companies. This is a big deal. It might be an awful lot of petty frauds, but it still adds up to quite a lot.

How do we prevent this? Know your employees. I told you the main cause is desperation. Get to know your people. What are their problems? What can you do to help? What do you as a company do to help? Maybe you can't literally give them extra money, but maybe you can at least give them support, whether that is emotional or whatever. There are all sorts of things we can do. Supervision. Don't be sitting over their shoulder looking at everything they do, but just make sure that there is an eye on what they're doing. A tamper-proof document trail. If you're going to do it, make it really hard. Remove the opportunity. And audits, same basic idea. So try and prevent it from happening in the first place by knowing your people. But if they are going to do it, then make sure they know that it will all be traceable. The places where this is more likely to happen are where there simply is no way to audit what the heck just happened and the money is just gone. There is also a common problem at the moment, at least in some countries, with literal fake employees. It tends to come out of North Korea. This is the thing. They will set people up as real employees in your country, wherever your country is, whether that be the US or whatever, and where they really are is North Korea. They set up literal laptop farms in the countries hosting this, to give themselves the appearance of an IP address which is legitimate for that company, and pose as a remote worker somewhere in your same country, but they're not, and all of that money is actually just being siphoned off to North Korea. That is an actual thing that is happening.

So our guy in our film finds that every attempt he makes to alter the documents results in "illegal procedure", which means, I don't know, doesn't matter, whatever, computer says no, because there's a security device. This is it. It is a literal blue light. Fine, okay. No one in their right mind is going to understand the real complexity of what the heck this is all about, so fine, the blue light is the security. And he is watching the cleaning ladies one day and one of them realises that her pot of tea is too cold. Did I mention this was a British film? And she wants to warm it up. So she gets her bucket of water, bangs it against the computer, the blue light pops open, and she pops her kettle inside, because it's really warm in there inside the workings of the security device. That's why it's called Hot Millions, you see. Once the lid is popped open on the blue light, the security is offline. He can do whatever the heck he likes. All he has to do is whack the machine in the right spot and the security device comes off. Yeah. Isn't that marvellous?

This is possibly a good time to talk about vulnerability reporting, because that's what that is. That is an unreported vulnerability in the system. Any of those cleaning ladies could have said that there is a vulnerability there. You know, a grateful company could possibly have gone and bought them, say, a kettle or something to heat their tea without ruining security. That's a joke, but it is a legitimate problem. So, make it easy to report security vulnerabilities. Have a security.txt on your website that makes it dead easy for anyone to drop you a message. Put your contact details in it. Take it seriously. If people report vulnerabilities and they're not seeing anything happen, they're going to stop reporting and you're just going to have vulnerabilities that no one can do anything about, because no one cares. Rewards. It doesn't even... And yes, bug bounties are a thing, but it doesn't have to be. An awful lot of people would just love a bit of prestige. Like, you know, get the vulnerability report, fix it, and then a little bit later, once a bit of time has passed, put a thing up saying, "Yay, really grateful to XYZ because they helped us fix this serious vulnerability. We're so grateful. Thank you." That's all it takes for most people. I'd be chuffed with that. Our guy goes about setting up fake accounts all over with the names of companies which are taken from classical composers like Debussy and people like that, and then runs off to Argentina to become a wealthy person, but finds the world boring and actually ends up rejoining his same company, but now as the security expert. Except that actually happens. Maybe not the same company. Okay, that's a little bit of a joke, but an awful lot of

security advisers are former cyber security criminals. That is a thing.

Right, now let's talk about, going from the sublime to the ridiculous, Batman and Robin. Has anybody seen Batman and Robin? I am so sorry. This film is what we call bad. It is a bad film and there is just about nothing good to be said about it. Join me later in the pub if you want me to list at length why this is bad, but let's talk about one scene I find particularly amusing. Alfred there is lying, possibly dying, in bed and he's got his niece here, and he's decided that someone has to take over from him as the English butler to Batman, and he has a cousin who is also an English butler, and he wants his English butler cousin to become the new English butler to Batman. So he has a case here with all of the secrets of Batman. Now his niece doesn't... No, she's being a good girl, apparently, and just says, "I will deliver this absolutely to your cousin and not open it." Spoiler: she lies and shims it open with a screwdriver, and it's got a CD-ROM in there. That looks like a DVD-R to me. Fine. So she pops her glasses on so that she looks brainy, and we have a go trying to crack into this box. It turns out to be an app which I think was developed on Windows 3.1, by the looks of it, and it's called, notice, "Alfred CD". He took the time to change the name on the form. That's lovely. So, what is the password? We've got so many tries. So many tries, you see. So many tries. Well, we can get into our thing. Try one. Alfred. Alfred. No. No. Shush. Is it Wayne? Well, he works for Bruce Wayne, you see, so it could be Wayne. No. Try two gone. Is it England? Now, notice we've zoomed in here. It's almost like the test footage of this was completely unusable after a certain point. Anyway, England. Yeah. Butler from England. Think outside the box. I like it. I like it. No, it's not that. But who's this on the desk next to the computer? It's a picture of Alfred's ex-girlfriend, Margaret. Could it be Margaret? No, that would be too easy. But wait, there's some writing. Look: Peg. She called herself Peg. Is it Peg? It is. It's Peg. So the super secret password to get you all of the secrets of the Batcave and Batman is "peg". Fine. Also, something to notice here. "Love, Peg." See that? "Love, Peg." No "Love". "Love, Peg." No "Love, Peg." Almost like the test audience couldn't understand the scene properly and they had to completely refilm half of it, possibly. Anyway, that's terrible. A three-character password to get you everything. She gets into the cave with this and now is basically equal to Batman, and all she had to guess was a three-character password.

So, let's talk about passwords. User accounts. There's no user account on Alfred CD. Anyone could be doing that. That could be the Joker. The Joker could work out a three-character password. He's probably crazy enough to try every combination, and you would have no way to know that it's the Joker doing it. Now the Joker's gone in, got all the secrets of Batman, and no one knows. Keep it down. There's always one. Entropy: words that aren't words. I mean, yes, I know about the horse battery whatever-it-was trick. They know about that now. It doesn't work. They just use words as characters and they are just as easy to hack as ever. Don't do it. Use a randomised password of some sort that's unpredictable. Common password check. There are lists, literally lists of thousands of common passwords. You could easily have an in-browser check that says if you're on this list, you ain't going. Sorry. Maximum attempts. Alfred CD has a try count, but no actual thing that says you've tried too many times, I'm just going to self-destruct, something out of Mission Impossible, which is what we should be doing. Multi-factor authentication. Okay, that's a whole thing of itself. Password managers. I use a password manager. Every single website I've ever got an account with has got a different password. Look up something called credential stuffing: people hack this password, and then every password, every account you've got. It's dangerous. Storing hashes, a whole technical thing. Talk to me afterwards if you want to understand what that is. But if you are using passwords and saving them, do not store the passwords; store something else that's safer. Salt the hash. Once again, technical. I've only got so much time. But if you are storing passwords, there are things you should be doing to make sure you are not being an absolute... and are storing them safely, in a form that can't be used and reused. Password-free authentication is becoming a thing now. Passwords are becoming something of a thing of the past. It's dead easy for people to know a password and use a password. Biometrics: eyes, fingerprints. There are probably other things, too. I once had a boss that was fairly convinced that you could use a biometric scanner on his nose. I don't know if that was true, but fair play to him. Multi-factor devices. It's becoming pretty common these days. I have just recently finished working for a company that used multi-factor with my phone. Smart cards. I know companies that do this: literal card on your belt. Pop it in, logged in. When you leave the desk, you pull it out. Auto log out. One-time password, OTP. That's becoming a thing now, too. I used to go to India a lot; over there I saw it all the time. Now it's coming here too. That's another thing.

Let's talk about Hackers. Hackers is a great film. Everybody should watch Hackers. Yeah, hack the planet. I love this film, absolutely unapologetically. So, there is a very famous scene where this guy, the baddie, The Plague, his pronouns are The Plague, lists all of the most common passwords. He says, "Love, secret, sex, God." Is this true? I wonder. Let's have a look. So, I got some passwords. Don't ask me where I got them from. These are the most common

passwords available around the world. The most common password is 123456. Now, in fairness, these all look like test accounts, and I kind of have to give some credit here. So I filtered out all the ones that have either utterly predictable passwords or test accounts, I don't know which, and we get this. The most common password is in fact "football". Football. Okay. I mean, most countries have a sport called football. It's not always the same sport, but nevertheless it's a thing. "Dragon". Sure. Dragons. I like dragons. "Flowers". I like flowers. But what puzzles me is the second most common: "monkey". Monkey. Don't... being recorded. Incidentally, does anyone feel a sudden need to change their password? Just wondering. So, yeah, those specific four, no, but plain-text-type stuff, yes.

So, the other thing that happens in our film is that it opens with our lead hacker being taken to court. This is not him. This is his lawyer. This is him. Now, you laugh, but actually this is not wrong. The vast majority of hackers, at least those in court, are kids. Let me introduce you to Lapsus. He was 18 years old when he was arrested for hacking into Rockstar Games and leaking a load of footage early of one of the Grand Theft Auto games. Daniel Kelly: he failed at school, was told he was thick, and it was suggested that he maybe take up a nice manly sport like rugby. I do not approve at all. He performed a DoS attack against his college. Max Whitehouse, I don't have a photo. 70 years old, hacked an online gambling site. They're kids. An awful lot of hackers are taken to court by their mums because they're not old enough to drive. The point is, Hollywood loves this image of the secret genius in their secret lair with their hoodie and their mask and text, because it's always green, for some reason, and like, who are these Joker-style next-level geniuses? The reality is they're kids. They're kids trying the locks on every door in the street to see who left their door unlocked. That's what we're facing. They're doing it because they're bored. That's what we're facing. Not geniuses. You don't have to cover every single security hole. It just has to be good enough. Good enough that the next guy is more tempting than you are.

So, we do see a hack. He phones up the security guy at a TV station that's about to play a recording by a far-right guy and says, "Would you get the stuff off the router there?" And he says, "Sure, okay, here you go," and he hacks it and replaces a far-right broadcast with The Outer Limits. Wonderful. Incidentally, there was actually a hack like this in America in the 1970s. An episode of Doctor Who was interrupted by, whatever this is, it's meant to be Max Headroom or something. You can watch the footage on YouTube. It's terrifying. So if you like sleeping, don't watch it, but otherwise feel free. Social engineering attack. This is an example thereof. That is a social engineering attack. This is trying to contact someone and, you know, trying to pretend you're legitimate. Click this link, open this thing. We're legitimate. Do this thing. This is how an awful lot of hacks are done. I heard a story about a very well-known UK company where they were subject to a ransomware attack purely because somebody somewhere clicked a link they shouldn't have clicked. It's very common and very dangerous. Baiting: leaving a website, something that looks like an online purchasing site, which looks tempting, with lots of nice cheap goods, and just leaving it there for people to find. Baiting, pretexting: pretending to be someone you're not. Whale phishing: this is going after someone big. This is like phishing, but you're going after the CEO or something like that, and actually researching them and trying to seem legitimate to them so that you can do something really quite scary.

So, what can we do about phishing? Phishing itself: there are many times more phishing sites than malware these days. There was a time when I started out in this business when malware was a thing. You had to be careful. You had to put virus checks on your computer. You had to disable JavaScript, all sorts of things, because malware was built into every advert banner. They don't bother these days. It's a waste of their time. Phishing pays more dividends. So this is what they do. I feel sorry, incidentally, for any actual Nigerian princes with some money to ship, because no one's ever going to touch them. There are 2 million phishing sites registered with Google, and I bet that's only the ones they know about. I'll bet you anything there are tons more. There are an estimated 1.8 million in losses. That's in 2020. I couldn't get solid figures more up to date than that, because I'm sure a lot of companies... well, that's not published. Men are 225% more likely to fall for phishing than women. Once again, men, you suck. And 86% of organisations click a dodgy link. I told you it's common. It's easy to do. It's easy to seem legitimate and it's probably not even from the vectors you think. Love, for example, is a vector.

So, let's talk about pretexting. This is Frozen. Prince Hans here pretends to be a nice fairy-tale prince. Spoiler, sorry for anyone who has not yet watched the 2002 film Frozen: he's totally the secret villain. And he's using love as a vector. Isn't

he mean? Because that works. Let me introduce you to AI Brad Pitt, who recently conned a lady out of €830 million. We laugh. But I would like to say that I don't think there are any of us that haven't at some point in our lives fallen low enough emotionally that we might not be vulnerable to this sort of attack. As a species, we want love. We want connection. We want to be connected to others. I mean, yes, this lady possibly could have passed some of these ideas of passing money around through somebody else, but she did not. Fine. But nevertheless, it's a thing.

How can we prevent it? Staff training. Train people. Tell them what to look for. Tell them what to expect. I know a lot of places now do things like generate fake phishing emails, and if you click the link it says, "Look, you just totally fell for phishing. Stop doing this. I'm going to tell your manager." Minimal necessary abilities. Okay, if our staff are a vulnerability, don't give them the ability to do anything more than literally what they need to do as part of their job. Separate admin accounts: have one account which you work on, and then when you need to install some software or something, switch to admin mode, if admin mode is something that you need. Standardised processes. Someone phones up and says, "Hey, I'm from tech support. Will you totally, like, you know, buzz this IP in or something like that?" You say, "No, raise a ticket. I am not touching this." Ta. I know a lot of places that still do that sort of unofficial "we take a phone call, just do what you say" approach. It's dangerous. Also, staff training. I'd like to emphasise that again. It's really the way forward.

So our hacker goes about doing things like setting off the sprinklers to prank people and stuff like that. It's a fun little film and, yeah, that stuff's dead easy to do. IoT devices, all that. Super insecure. That's a huge problem. Look up the Mirai botnet if you want to know more about how dangerous unsecured IoT devices can be. I'm not really going to go into Hackers too much, but someone uses the "god" password, which... the film doesn't know the difference between username and password. They're the same thing in the film. And this guy, the half bad guy, is actually doing something called salami slicing. The idea is that you make rounding errors and you shave off those pennies, and over time that becomes a huge wad of money. Hollywood loves this one. It is also the plot of one of my favourite films, Superman 3, which is also about salami slicing. And I don't believe there's ever been a documented real-world case of this actually happening. Your low-level employee fraud is much more of a thing. It finishes on... so there's a bit where they try and cause problems for the federal agent who's trying to chase them. So they do things like have his bank card registered as no good and cut up in front of him, put him down on record as having traffic violations, and they have him registered dead. Now, of these three, one of them is actually a legitimate problem in the real world: being registered dead. Let me introduce you to Sarad. He is from India and he is a member of the Indian undead community. He is dead in every sense except that he's still alive. That's an actual problem. Technically, death is a one-way process and there isn't usually a facility to restore the dead to life in legal, in document, form. So there is a common thing happening around India, for example, where people are trying to commit property fraud by registering the owner of the property as dead, and there is no way for them to be restored to life in document form. So this man continues to live dead. It's a thing.

But at the end of the film it is time to hack the planet. We do some dumpster diving, going through the rubbish. We go and have a look at sending people in with hats on and clipboards to have a look at the office and pretend, and install devices surreptitiously. Just sending a guy in that's delivering flowers, but while there he's looking at passwords, stuff like this. And you know, this is all legitimate stuff that could work. On-premise security, this is really, really important. Security level of documents: if it's a secure document, important stuff, you don't just put it in the rubbish. Shred that stuff. Secure disposal: have a locked box where you put your secure documents. ID cards, I mean, yes, they're of limited use, but there's something at least. Staff training once again. Tell people that it is okay to challenge people at the door. It's all right. You can do it. Multi-factor authentication, because, you know, the password itself isn't enough. Restrict visitors. Why is the guy delivering flowers being allowed into the actual office? Why can't he drop it at the desk? Sign them in. Who are they? Who are they coming in to see? When are they coming up? Stuff like that.

And it finishes with a massive hack battle which has to be seen to be believed. It's marvellous. I recommend, if nothing else, watching this scene. Basically what they're doing is a form of DDoS attack, which is where you get millions and millions of devices and get them all to attack the same thing all at the same time, and it becomes... yeah, like if you take a little pea and chuck it at a window it's not going to do much, but if millions of you gather and all chuck peas, eventually something's going to give. DDoS attacks are one of those slightly unsolvable problems in today's IT infrastructure. There are record levels of DDoS attacks happening, a lot of them thought to be sponsored by governments. There's a short list of two who are making what appear to be ranging attacks against the US internet infrastructure. Not so long ago, a whole chunk of it was taken offline and sites like Twitter were unavailable. Now, these days, that doesn't bother me as much, but nevertheless, it is a thing. It is dangerous and it is terrifying. We don't even know just how deep that particular pool of DDoS goes. I suspect if there ever were a genuine other world war, the first thing that would happen is everyone would start attacking each other's internet infrastructure. DDoS mitigation: it's really hard to solve this problem. It's not coming from one place. It's not a great big monster that's charging you. It's a billion little ones. Pay up. It's often someone who wants some money. Just pay them and go. I mean, yes, it's not terribly moral, but nevertheless. Distributed web hosting will minimise the problem. It won't solve it, but it will be a few pots at once. It's hard for them to DDoS all of them. Upstream traffic scrubbing. There are plenty of services out there that do that: someone who's going to take the damage here so that you don't get it downstream. IP listing: limited use. There are still a million attackers, and there are hosting services that will provide this for you, so there. But all this is is mitigation. It's not going to solve the problem. IoT laws. I could talk at length about this. There should be laws about securing IoT devices as standard.

Jurassic Park. >> Jurassic Park's quite a good film. Let me introduce you to Dennis Nedry. He is not a very good developer. He says he can debug, was it 3 million lines of code

or... Yeah. So can I. So what? But he has financial troubles and the boss ignores him. That should be a red flag; two red flags. Both an employee with financial trouble and the boss ignoring it. What could possibly go wrong? He gets corrupted and starts selling out to their competitors. So he hacks something into the code of Jurassic Park and, if that object is passed, they're doomed. But also, I don't know if you can see up the top there, it's a little funny: he's named the code base Nedland. He has named the code base after himself. I worked for people like Dennis Nedry. They are dangerous. They are dangerous people. They think they are the smartest person in the room. That might even be true, but they think they're irreplaceable. They think everything revolves around them and they do not see the danger of this. And the company that they work for is often happy to lean on this apparently self-motivated genius individual. And that is a dangerous situation to be in. What if they leave? What if they win the hypothetical lottery? What if they become corrupted by a competitor? All of those mean the end of your business, which indeed it does. He puts a timer in Jurassic Park, shuts the whole thing off and takes off all of the security fences. They do try and put some... he put this thing in. Deuce. Can anyone else, by the way, actually hear this slide at the moment? I can hear this right now. So they switch it off and on again, which weirdly works, except now we've booted back to console, and to get the UI working we have to go all the way to the other side of Jurassic Park and press some buttons which apparently then do that. Unfortunately there are flesh-eating dinosaurs in the park. Who would have predicted, in a site full of flesh-eating dinosaurs, that turning off all the fences was going to end in everyone getting eaten? But nevertheless, this is what happens.

So, let's talk about how we mitigate the problems of dinosaurs attacking and eating our guests. Development culture. Dennis Nedry is a terrible developer. Not because he doesn't have good output, not because he doesn't have good results, but because his culture is bad. He does not collaborate. He does not take criticism. He has financial issues. He is an egotist. Frankly, he's a slob, too. And none of it is... Okay, I'm maybe guilty of that one. But it's not a good mix for companies these days. We can't afford to have these sorts of basement-dwelling geniuses running our IT departments anymore. There are too many of us. There's too much riding on it to put up with this stuff. We shouldn't be doing it. More developers. Spared no expense, hired one developer. If there had been two developers, they could have checked each other's work and maybe somebody could have spotted that. Or the guys have now got two developers and just doubled their outgoings. Disaster planning. They should have actually thought: what if somebody switched off the park and all the dinosaurs came out and started eating everyone? They should have a plan, but they didn't. A fail strategy. They didn't have a fail strategy. Fail open, fail closed. If you are a park full of flesh-eating dinosaurs, fail closed. If you're a shopping centre on fire, fail open. It's fine. There's the right one in the right situation, but choose one. Are we actually out of time now or

Okay, if anyone... I'm going to talk about The Net. Feel free to go if you want, but I love The Net. Has anyone seen The Net? It's a marvellous film. It's so stupid. I love it. I mean, don't get me wrong, I love Sandra Bullock. She's incredible. But, yeah, she's a software tester, right? A software tester, and she's sent Wolfenstein 3D to test. Okay, that's pretty good. That's pretty slick. I'd love that job. She's told that there is a virus in Wolfenstein 3D, which everyone's got. It's a CD-ROM game, by the way. But everyone's got the virus. Oh dear, sounds bad. If someone hits the escape key, it kills the character. That's rough. So what she does is she gets a hex editor and hex edits the virus out of Wolfenstein 3D. Now no one has the virus anymore. Everyone is saved. Thank you, Sandra Bullock. The Net. So much I could talk about. But she gets sent a disc which has got a website on it. So this is a floppy disc with a website on it, incidentally. Now the bad guys don't have the website anymore, because it's on the floppy disc, you see. They sent it to her. And she looks: it's called Mozart's Ghost. She logs in, connecting on her rather charming old-fashioned dial-up router, and it turns out there's a little thing, and if you click it, in the bottom of the screen there's a little pi thing. Yeah. It hacks you into any website in the entire... because the ladies who made this website put the little pi thing there. You have to press it while holding, I think it's Control and Shift, or something like that, and it didn't occur to them. There's a website and no one would ever try that. It just didn't occur to them. And so she ends up having to go on the run because the baddies go and fake all her records to make her a criminal. She has to run away with the floppy disc because she's got the floppy disc. The baddies don't have it anymore. [Music] The Net.

So this is an example of security by obscurity. The baddies thought no one will ever go and see that pi thing and click on it and hold Control and Shift or whatever it was. And they're probably right, but this is the internet, guys. We know what the internet's like. Of course someone will try it. And also, they deal with third-party contractors. They were contracting out to Sandra Bullock for testing, and they sent her the evil build. They should have sent her the good build to test and then deployed the evil build to production. That would have made more sense. Be careful what you give them and be careful with what they give you, because, you know, it's a third-party contractor.

So, quickly, to sum up, that's the end, because we don't have time. Your main vulnerability is your people. Educate them. Educate them. If they're lacking in knowledge then fill that knowledge gap and tell them what to expect. Get to know them. Get to know them. If they have emotional problems, talk to them. If they have financial problems, advise them, even if you can't do anything about it. It removes the motive that can lead to desperation, which can lead to all sorts of infosec problems. And I can't remember what that slide means, but okay, one more minute. And also, a last thought, is that infosec is like a bike lock. If there's a whole load of bikes and one of them is not locked and all the rest are, folks are going to steal that one. If all of them are locked, but most of them have got big locks and one of them's got a little lock, they'll go for that one. Your security doesn't have to be perfect. It just has to be better than the next guy's. It's like if you and a friend are running away from a lion. You don't have to outrun the lion. So, if anyone is interested, this is my website and my blog. Feel free, if anyone wants to read my ramblings, mostly about software development and C, which is my day job. I do occasionally write about films as well, because that's my passion subject, and I will talk about films at length without being prompted, for hours. Sorry in advance, except I'm not. And also, to remind everyone, I am also going to be hosting this film podcast, which is coming out in the near future. We've recorded about half a dozen episodes already. More coming. We're meeting this week to talk about Strange Days, I think it's called. That one looks like a pretty good one. Looking forward to that one. And that's the end. Thank you very much.
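Added example, not from the talk or the speaker: the password section (Alfred CD's "peg", The Plague's list, the "football"/"monkey" leaderboard) names four controls in passing: a minimum amount of entropy, a common-password check that also catches words dressed up as characters, a maximum number of attempts, and salted hashes instead of stored passwords. The code below puts all four in one place. The denylist, the `LoginGuard` class and the `demo()` function are constructed for this example; a real deployment would load a denylist of thousands of entries rather than the handful listed here.

```python
"""Password handling as the talk asks for it: a length floor, a common-password
denylist that sees through "words as characters", a hard lockout after too many
tries, and salted PBKDF2 hashes instead of plain text.  Added example; the
denylist is constructed from passwords the talk mentions plus a few staples."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed denylist (assumption: a real one would be a breach corpus).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "football", "monkey", "dragon",
    "flowers", "love", "secret", "sex", "god", "peg", "alfred", "wayne",
}
MIN_LENGTH = 12
MAX_ATTEMPTS = 5             # the "you've tried too many times" check Alfred CD lacked
PBKDF2_ITERATIONS = 600_000  # current OWASP figure for PBKDF2-HMAC-SHA256

# Undo the usual letter-for-symbol swaps so "P3g!23" normalises to "peg".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case, drop the digits/punctuation people bolt on the end, un-leet."""
    core = password.lower().rstrip("0123456789!?.,_-")
    return core.translate(_LEET)


def policy_violations(password: str) -> list[str]:
    """Every reason the password is unacceptable; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256; the string carries everything needed to verify later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """Per-account attempt counter with a lockout: the Joker does not get to try
    every combination against a prompt that does not even know who he is."""

    def __init__(self) -> None:
        self._hashes: dict[str, str] = {}
        self._failures: dict[str, int] = {}

    def register(self, user: str, password: str) -> None:
        problems = policy_violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        self._hashes[user] = hash_password(password)   # never the password itself
        self._failures[user] = 0

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'no_user'."""
        if user not in self._hashes:
            return "no_user"
        if self._failures[user] >= MAX_ATTEMPTS:
            return "locked"                              # even a correct guess is refused
        if verify_password(self._hashes[user], password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "bad_password"


def demo() -> dict:
    """Replay the film's guessing session against an account with a real password."""
    guard = LoginGuard()
    good = secrets.token_urlsafe(18)   # the kind of thing a password manager generates
    guard.register("alfred", good)
    guesses = [guard.attempt("alfred", g) for g in ["alfred", "wayne", "england", "margaret", "peg"]]
    return {"policy_on_peg": policy_violations("peg"),
            "guesses": guesses,
            "after_lockout": guard.attempt("alfred", good)}


if __name__ == "__main__":
    print(demo())
```

The normalisation step is the part worth copying: a denylist that only matches exact strings lets "Football1!" through, which is exactly the "words as characters" trick the talk says attackers already account for. The lockout deliberately refuses the correct password once the counter is exhausted, which is the fail-closed choice from the Jurassic Park section applied to a login prompt.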
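Added example, not from the talk or the speaker: the Hot Millions section recommends a security.txt with your contact details so that anyone can report a vulnerability. That file has a standard form (RFC 9116: served at /.well-known/security.txt, a `Contact:` line is required, exactly one `Expires:` line is required, `Preferred-Languages:` appears at most once), and a file that is missing a field or has already expired quietly defeats the purpose. The checker below validates a candidate file before it is published. The two sample files and the `DEMO_NOW` timestamp are constructed for this example.

```python
"""Validate a security.txt (RFC 9116) before publishing it.  Added example,
not code from the talk; both sample files below are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments",
                "preferred-languages", "canonical", "policy", "hiring", "csaf"}
REQUIRED_ANY = {"contact"}                       # at least one
AT_MOST_ONCE = {"expires", "preferred-languages"}  # RFC 9116: a single occurrence
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Constructed samples.  The second one looks fine at a glance and is not.
GOOD_EXAMPLE = """\
# Served from https://example.com/.well-known/security.txt (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en
Acknowledgments: https://example.com/security/hall-of-fame
"""
BAD_EXAMPLE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
Hiring https://example.com/jobs
"""
DEMO_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> list[tuple[str, str]]:
    """Return (field-name, value) pairs in file order; names are lower-cased."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name = name.strip()
        # A field name is letters and hyphens only; "Hiring https://..." is not one.
        if not sep or not name.replace("-", "").isalpha():
            fields.append(("<malformed>", line))
        else:
            fields.append((name.lower(), value.strip()))
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> list[str]:
    """Every problem found; an empty list means the file is fit to publish."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    counts: dict[str, int] = {}
    for name, value in parse_security_txt(text):
        counts[name] = counts.get(name, 0) + 1
        if name == "<malformed>":
            problems.append(f"line is not 'Field: value': {value!r}")
        elif name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
        elif name == "contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:/https:/tel: URI, got {value!r}")
        elif name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
                if expires.tzinfo is None:
                    raise ValueError("missing timezone")
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 date-time: {value!r}")
            else:
                if expires <= now:
                    problems.append("Expires is in the past; reporters will treat the file as stale")
                elif expires > now + timedelta(days=365):
                    problems.append("Expires is more than a year away; RFC 9116 recommends under a year")
    for name in REQUIRED_ANY:
        if not counts.get(name):
            problems.append(f"missing required field {name!r}")
    for name in AT_MOST_ONCE:
        if counts.get(name, 0) > 1:
            problems.append(f"{name!r} appears {counts[name]} times; at most one allowed")
    return problems


def demo() -> dict:
    return {"good": validate_security_txt(GOOD_EXAMPLE, now=DEMO_NOW),
            "bad": validate_security_txt(BAD_EXAMPLE, now=DEMO_NOW)}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

The `Expires` check is the one people forget: the talk's point is that reporters stop reporting when nothing happens, and a security.txt whose `Expires` is in the past tells them, before they even write, that nobody is looking after it.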