A Victory Lap to the End of the World

everybody thanks for joining us again i'm really excited for the next talk that we have um up next is amy stepovich she's the executive director at silicon flatirons um she's a nationally recognized expert in domestic surveillance cyber security and privacy law in the past she served as u.s policy manager and global policy council for access now and prior to that she was the director of the domestic surveillance project at electronic privacy information center um so as you can tell she has a really long amazing resume anyways we're really looking forward to her talk this year this is the second year she's talked to b-sides um last year was fantastic um this year her talk is a victory lap to the end of

the world about government hacking so amy please uh take it away thanks so much will what a wonderful introduction that was way too kind um i am going to pull up some slides hopefully the right tab yes i got it right the first time um so thank you all for having me and letting me talk and present to you all on government hacking and more specifically um the recent um incident around the microsoft exchange server um this is me i as will said i'm the executive director for the silicon flat iron center i worked previously at epic and at access now and a few years ago i authored a report called the human rights response to government hacking

where i was i felt really lucky that my employer gave me an opportunity to spend some time deep diving into the history of government hacking not only in the u.s but all over the world and looking at what had happened previously what we knew about it what we didn't know about it um and comparing it to human rights standards and how the operations had met or more often than not not met human rights standards and what we ended up doing is setting out a framework with 10 different principles that we thought should govern government hacking operations it was a pretty stringent set of principles admittedly but really government surveillance tends to fall i think quite frequently as somebody who does

human rights on the side of not respecting human rights way too often so we wanted to provide that other side of things and i think throughout my talk you'll you'll start to understand why um so what i'm going to do today is i kind of want to to go backward in time a little bit and um to start at the beginning of of the conversation around um enhanced what i'll call enhanced government surveillance in the u.s um and talk about how we got here so the conversation today is going to start around 1928 um government hacking clearly wasn't in the conversation around 1928 but they were talking about wiretapping um and the conversation revolved around

um a um a person named olmstead he was he was a rum runner he he brought alcohol in from canada into the united states um and was had been wiretapped um and is a it was a very well known case and essentially the supreme court found that the the fourth amendment did not apply in his case um uh it was a fairly controversial decision and the justices of the supreme court along with many many people after this case was decided i don't think it sat well that this new wiretapping technology wasn't going to be protected under the fourth amendment um as you'll see here i have a quote as a means of espionage rights of

assistance and general warrants are but puny instruments of tyranny and oppression when compared with wiretapping there's a quote from justice brandeis um general warrants are the reason the fourth amendment was written um into the constitution to begin with so when you think that calling a general warrant insignificant when compared to the dangers of wiretapping that's a pretty grand statement and as a result largely of this case we get our very first wiretapping laws in the u.s in 1934 the predecessor to what is today known um as the wiretap act um although that came later and it wasn't until 1967 that we had a case known as cats that really overturned or maybe complimented olmstead weird legal questions that have come up

since but we get the fact that the fourth amendment attaches to people not places and this reasonable expectation of privacy test but the wiretap act remains and this idea that new technologies require new enhanced protections still apply and the wiretap act actually goes way beyond the protections in the fourth amendment and requires more than the fourth amendment requires so we're going to jump in time again this time up to 1999 where we have what we know of as the first u.s government hacking operation um it was targeted at nicodemus scarfo who was a mob boss out of philadelphia um and the key it was a key logger that was installed manually on his computer in order to get a password

essentially he was using um end end encrypted email um pgp and they needed to get the password in order to be able to to know what um what he was sending back and forth really important theme coming from government hacking operations right out the door around transparency even though we were able to the public was able to find out that this was a hacking operation that a key logger was involved the fact that it was manually installed the details around that were withheld for quite some time and a lot of journalists and public information open government advocates had to do a lot of digging in order to get the details out around this case which is going to

become a recurrent theme throughout government hacking operations the government never volunteers great great amounts of information about what they're doing in these cases people really do a lot of digging in order to find out what's going on um so we'll call this generation one which leads to of course generation two the rise of the government hacking machines we can we can say we'll get tools like magic lantern and cpav um you know technology um folks and lawyers both love acronyms and so there's a confluence here of just an abundance of acronyms computer and internet protocol address verifier these are remotely re installed tools um that also communicate remotely and are used to collect varying amounts

of information depending on the operation at issue once again we have a number of journalists to thank for the information that is publicly available about these tools and about the operations in which they are used in particular a bunch of journalists at wired magazine and i want to offer my personal thanks to the folks at wired they've done some great reporting on u.s government hacking operations and on these tools and if you're really interested about the history here i suggest that you look up wired's reporting um because it's it's pretty stellar one case in particular that i have found really um educational on this specific generation of hacking operations is in rey warrant to search a target computer um

case name really rolls off the tongue right you're really going to remember that i know essentially it was a case out of the southern district of texas in 2013 judge steven smith there were a few holdings but two of them really specifically stand out and we're going to come back to these holdings a few times as i continue through the talk the first one is that the warren application um in this case the government's um request to conduct the the search the hacking operation did not satisfy the territorial limits of the rule governing um the authority of the magistrate's issue that warren and judge steven smith said i have limits on my ability to issue a warrant in this

case um under the rules of the federal rules of criminal procedure and this application does not satisfy those limits keep that in mind um spoilers you're going to be hearing about this rule in great depth and just a couple slides he also said that the application did not satisfy the fourth amendment's particularity requirement so if i go back just real quick um to the text of the fourth amendment what you'll see is right here at the end that it needs to particularly um describe the place to be searched and the person or things to be seized those are the last few words there in the text of the fourth amendment if you are not saying what computer

or who the person is that you're going to conduct the operation against as many of these hiking operations do not um judge smith was essentially saying you're not meeting the standards that the fourth amendment sets out which brings us and as i said hold on to those two holdings don't let go we're coming back to them it brings us to kind of our third generation third type of hacking cases as we move forward into 2014 which is the playpen case so in 2014 the fbi gets a tip about playpen which is a tour hidden service on which child um exploitative material is being um hosted shared distributed and they get a search warrant to seize the website

but instead of taking the website down as you would think they would do they actually start to take over hosting the website and in fact reports say that um while the fbi was hosting the website that the quality of the website actually went up that they were hosting it better than the people who were originally hosting playpen were doing it they applied for a second warrant to send malware to visitors of the site exploiting what we think is a vulnerability in the firefox browser code and as estimates the best estimate i was able to find is that this led um to at least 137 separate cases um so because of this operation they went after 137 different

individuals and in those cases all over the country um potentially all over the world um there were a lot of different holdings that were coming down and in fact professor orrin kerr who spends a lot of time thinking about these issues um has posited that this is the first case that one single warrant has led to circuit splits where um entire circuits have taken different holdings um stemming from the same warrant so as i said we're going to come back to this rule that judge smith had pointed to the rule is rule 41 of the federal rules of criminal procedure and it governs when a magistrate judge can issue a warrant and generally speaking it says a lot of things about

when a warrant can be issued but as a general rule essentially a warrant should authorize a search that occurs within the jurisdiction of the judge who is issuing the warrant and there are exceptions so for example if a judge issues a warrant to track a car and the car which is a mobile object moves outside of that jurisdiction a new warrant doesn't have to issue in order to continue to track that car um and that's baked into the rule itself um but judge smith said i can't the search doesn't occur when you send out the malware it occurs on the computer itself and so unless you know the location of the computer i'm not able to issue this warrant

and courts in the playpen case started thinking about this as well and they started saying that we also have to say that these this warrant wasn't validly issued um it didn't meet the requirements of rule 41 because you didn't issue the warrant in the location where these computers were located and therefore it doesn't meet this um jurisdictional requirement that rule 41 has limiting where you can where the judge could have issued this warrant from and this was triggering the exclusionary rule which basically said that if a warrant is invalid the evidence from that warrant should be excluded as i said these cases were all over the map um judges were handing down all sorts of different

verdicts as evidence and as these warrants were getting this warrant singular warrant was getting challenged um and some of the cases were saying rule 41 made this warrant invalid um and so cases were starting to get thrown out because of it and this worried the fbi department of justice um for clear reasons and decisions were made that they were going to start to pursue amendments to rule 41 to allow this type of operation to happen um in the future so the amendment that they were pursuing essentially allowed for two different new exceptions to that jurisdictional requirement the first was if the location of the computer was being that they were trying to search was being concealed using technical means

and the effects um from the computer were being felt in the jurisdiction then the judge could issue a warrant from anywhere um the second was if damaged computers were located in five or more districts then um a judge could issue a warrant from anywhere and this was a very contentious rule change um they also changed the notice requirements for people impacted and advocates experts technical um technologists all came out and said this is a bad idea you shouldn't put this rule change into effect they had a lot of arguments against it the least of which is you are taking away a procedural limitation without considering whether or not we need substantive rules so whether or not

this type of operation should be happening really is a question for congress but congress hasn't had a chance to speak to that but instead what you're doing is wiping away this procedural safeguard that is in place um without going through congress who typically would be needed to authorize this type of activity kind of seen as an end run most of the debate most of the discussion focused on this first prong um location being concealed using technical means affects being felt within the jurisdiction very little discussion actually focused on prong 2 which becomes really relevant we start talking about the microsoft exchange case which we're going to be getting to very shortly but i want to make sure you

had this background on government operate hacking operations more broadly and on rule 41 very specifically um and why the exchange case um which will tell you why the exchange case is so incredibly important um regardless of all of this opposition the rule change ended up going into effect um largely without any changes whatsoever even though a very narrow suggestion was made that um if location was being concealed then maybe the operation should only try to uncover the location and not go any further to reveal any other information about the computer that change was also rejected the change went into effect as it was proposed in late 2016 obliterated all these procedural hurdles that judge smith had spoken to

did leave in place the constitutional hurdle and we'll talk about that as we end up as i wrap up the conversation there was one last effort the smh act very uh purposefully titled the smh act it was stop mass hacking um but meant to allude to shaking my head the popular internet meme um congress was not did not have to give a blessing to this procedural change but they did have a role where they could veto the rule change essentially and so senator wyden um with some partners in congress introduced legislation to veto the rule change unfortunately it didn't get enough um members of congress in its corner to actually pass and so the rule change

still went into effect regardless of this one last effort to try to stop it from taking place so then where are we we were in a place where we had some procedural limitations on hacking we had some constitutional safeguards all the procedural stuff we think got wiped out where does that leave us well let's stop and talk about this microsoft case um remember it opened i am a i'm a lawyer i'm not a technologist so i'm not going to go into great technical detail about the exchange case um i am happy to refer you to people who can walk you through that but i will give you an overview we're going to call it the dummies guide to

the hafnam case um and i encourage you to either reach out to me and ask if you're looking for more information or i can send you some information to um different materials online if you're looking to just do research and and read more about it so hapnium is basically state-sponsored actors traced back to china um they used four zero-day vulnerabilities to compromise microsoft exchange servers um once compromised they installed shells to allow for further exploitation both of the servers and the downstream computers um following several reports that both the original hafnium actors as well as other actors were using the vulnerabilities to compromise the servers microsoft started to issue patches um the fbi actually got involved sissa

this oh my goodness i'm so looped up in the acronym of cisa i can't even tell you immediately the cyber security information sharing agency and government issued an official um briefing about this because it was seen as being so critical so all of these different government agencies got involved microsoft saw it as a critical situation that required immediate action they issued patches and sent out information to clean up the shells but estimates were saying that there were still regardless of all of these different actions that have been taken a large number of shells that were remaining on different computers and because of that the fbi decided that they needed to step in and so they

sought and received a warrant to search the servers copy um and fourth amendment parlance sees certain shells and then delete them from the servers so they went further than just to copy them for evidentiary purposes they deleted them fully off of these computers i want to identify a few things that they did that went a little bit beyond what they were required to do by law in the warrant application they identified exactly which servers they were going to search they looked up whois data they based the application um specifically on the difficulty of removing the web shells they referenced that they had passwords for the execution of the operation they tested the code in advance

internally and with external experts to limit the impact on other files they requested delayed notice if you remember back i said the rule 41 amendments changed how notice had to happen but they actually engaged in some early notice in addition to the request for them to delay notice so that they could try to do extra outreach to folks who might be impacted in advance even though they didn't have to that notice was eventually pursued through both direct messages publication and going through internet service providers

and eventually they published and they let the public know what they had done and what was the public response it was overwhelmingly incredibly positive um i published i put on this slide a few of the stories that were published the fbi might have fixed your microsoft email server said nbc worked to remediate the compromises continues um you see just security says were the government's actions helpful based on the information available now the answer is yes just security is generally seen to be pretty left-leaning um here's a story that says i believe this involvement by the fbi is seen as appreciated from the private sector when it comes to protecting against against nation state attacks it's a wise

move this is very positive responses both from government and technical experts the private sector people in the media and these are just a few of the examples really if you and if you are on social media during this time overwhelmingly it was just a positive response that we got um everybody thought that what the fbi had done in this case because of the severity of this case in particular and the potential for really negative impacts that this was something that they should have done and they did a good job doing it um and because this specific case was receiving praise going backward people started to say these rule 41 changes that everybody like was really critical about those

were a really good idea we're really glad that we did those um and all of a sudden everything that had happened leading up to this although it seemed like a really great idea and the fbi got a lot of pats on the back which is how we get to this talk and the title of my talk about it being a victory lap and all of these good things that had happened and why i think we should take that victory lap but also i think the victory lap is probably ultimately leading us to a pretty bad place now i do want to note before the before this case before the microsoft exchange incident we really don't have much indication

of the use of these new powers in rule 41. now remember i said it is a theme in microsoft hacking operations that there's very little transparency about what is happening and it's up to journalists and open government advocates to track things down it's really hard to figure out what's going on and where it's going on and so while we have not much indication that they have been used it doesn't necessarily mean they haven't been used but it doesn't mean they have is this the first maybe it will not be the last though um these new authorities especially now that um this positive reaction has come because of this case um it's going to be seen as a blessing for

future operations not only in the us but countries around the world are going to be and have already been standing up and taking notice um we're not directly working with the us and partner operations we know the uk australia several countries often often partner with the u.s particularly on operations like government hacking operations they will presume that this is a green light to presume government hacking operations and they're not going to look to any safeguards that the u.s put into place before they do so they're not going to try to emulate um what the us did in this instant instance just that they did this hacking stuff went into private servers did some things and now it's okay for them to do

it as well this is generally speaking what happens when other countries look to the u.s as an example unfortunately in the meantime hacking operations are full steam ahead we still have no substantive law on government hacking in the u.s i talked about and right at the beginning how we ended up with the wiretap act or the wiretap x predecessor really because wiretapping was seen as such a significant deviation so much more intrusive than previous means of conducting service searches do you really think that hacking is not as significantly different from what we have done up until now in conducting searches and wiretapping was back in its time and as you answer that i do want you all and

you're on a computer so i understand that this is cheating a little bit or some sort of device but to take a look around you and figure out how many devices are around you right now that have some sort of computer in them and how many are going to be around you in a year or in five years as we start um seeing the expansion of the internet of things and what hacking is going to mean for the government as they can enter more in different parts of your life and get different types of information through these operations that still are not governed by their own special and unique and necessary type of safeguards there's another quote from justice

brandes brandeis in the same opinion looking through to say you know someday there may be developed a way by which the government without removing papers from secret drawers can reproduce them in court and by which it will be enabled to expose to a jury the most intimate occurrences of the home he says advances in psychic and related sciences maybe not psychic but um may bring means of exploring unexpressed beliefs thoughts and emotions can it be that the constitution of foreign protection against such invasions of individual security just the idea that as technology continues to evolve we have these thoughts that it's getting so far beyond even what was thought of back in the days of

olmstead and we're so far leagues ahead and we need to be putting new safeguards for what technology is allowing the government to do today one final reminder and then i'm going to open up for um questions that this is not happening in a vacuum this is in fact a two-front were um hacking provides incentives for the government to undermine digital security you don't necessarily want all of the holes to be patched if a whole is going to allow you to take advantage for an operation that you're going to be pursuing in the next week or the next month at the same time the fbi doj and their global partners are working diligently or out in the

press all the time trying to limit the digital security that private sector entities companies etc can implement including what types of encryption they can put into their products and significant amount of resources time effort are being spent into countering the narratives that they are putting out which have tried which have significantly taken away from the resources that are necessary in order to engage in these conversations around government hacking unfortunately and have meant that this conversation has really suffered from the lack of attention and between the limits on encryption and the spread of government hacking operations i really don't know where that's going to lead us so it's going to end with a apocalyptic scene of the future and i thought that

was really dark and so i decided to end with this 1990s high school middle school picture backdrop and ask me ask if anybody has any questions um thanks a lot amy um yeah so if if any of you have any questions please ask them in the general channel um while we're waiting for questions to come in i guess i'll last one that's been on my mind so um certainly there are many privacy engineers and security engineers and hackers who are taking all kinds of um actions um some legal and some less legal to limit the government's ability to um you know perform hacking operations and get insight into what people are doing so um like a good recent case

um would be probably like signal and like moxie marlin spikes hack of the celebrate device i'm sure like many people in the audience have heard of um signal of course has been under fire from law enforcement for a long time and moxie got a little bit of flack for um you know potentially so so for so so there was like one um interesting blog post from rihanna um peppercorn um i might be mispronouncing her name but um that that said something along the lines of you know actions like moxies which are you know hacking devices used by the government rights um you know provide like ammunition essentially to lawmakers and law enforcement to kind of increase their

capabilities and um increase their leeway and so um you know on the one hand we have um you know people like people saying that you know these these actions that you know privacy engineers and security engineers are taking it's kind of giving lawmakers more ammunition to um you know past legislation that we don't really want them to on the other hand it seems like lawmakers have been very happy to try and push the limits of what they're able to to do to begin with so um i guess i guess why i'm getting to with this very long-winded questions first of all do you believe that like you know things that you know security engineers and privacy

engineers are doing um to limits like government hacking operations are um and i guess this goes a little bit into what your last besides thought was right but um do you think they're like um meaningfully you know causing lawmakers to increase the likelihood that they're going to pass legislation that outright bans intend encryption or you know make you know increases the legality of government hacking operations and um second thing is you know um whether or not you believe that's like gonna meaningfully move the needle there um is that something that like privacy and security engineers have to be i'm concerned about in your opinion like do do they have to cannot limit um you know the

the actions they're taking the technologies they're developing so that they're like keeping the government sufficiently happy um you know with their capabilities without you know like kind of overstepping their boundaries so i think there are a few things there there are technologists who i've spoken to who very much don't want to think that policy is a thing and don't want to like engage in the legal pieces of it um and they'll they've taken the position that they can protect themselves and that's good enough and i understand that like i know how to protect my communications i know how to you know secure my devices and that's great coming from a human rights background i think there's an element

of working to secure the broadest number of people that you can and how to make sure that many people are able to keep themselves free from unwarranted government intrusion um so there's there's two the encryption conversation the government hacking conversation are two very difficult to very different conversations that are happening and that's one of the reasons i want to like it's a two-front war because you can't really engage on both sides at the same time because for example encryption we need almost a pro-encryption law um because the fbi is going to continue to try to undermine it until we get something good on the books and every time we every time something happens in the

news that's like for instance celebrities like we can hack into apple devices and then apple's like we've stopped them from being able to do that and celebrates we've gone around like all of those back and forth that you've seen over and over and over again every time apple announces a new way that they stop them from doing it it gives the fbi more ammunition to go into congress and say we need a way to do this um and until we get something positive that's just the way it is that doesn't mean apple should stop doing what it's doing i would never ever say that but to phrase like you don't also go out and frame it as like

we're here to like help criminals or we're here to like make it so that you can do bad things um you have to like think about your framing and all of this on the government hacking side we need we absolutely need a lot like these operations are happening all the time um and there are people there are very hard-line people who are like no government hacking should happen at all and i don't think that's realistic if i'm going to be totally honest and i understand where those folks are coming from i think getting looking at the constitution and realizing like when that particularity piece comes in and knowing we have to abide by the limits of the

constitution but then having the extra protections written into law is going to be really important um and there's a lot that can be done by non-government hackers to show what's possible um that is really great to have those offer that stuff out there within the confines of the law do not break the law this is not legal advice i'm not telling anybody to go out and break the law that's not a good thing but going out and doing things that show the potential of what the government can be doing and publishing and and talking about what's possible um can really start to pull the the curtain back on what the government could be doing for people who

might not understand otherwise like congress yeah that makes sense all right we have had a few questions um let's see here i'm going to scroll through here um all right yowza asked the question that was um along the lines of how does it work with the location based things like gps on devices such as phones fitbits garmins and cars certainly people would enter more than five jurisdictions so the more than five jurisdictions element is specifically to get out things like the microsoft exchange where it's computers or what was brought up during the the debate around the rule was botnets where a botnet has bots in five or more jurisdictions and so so the fbi doesn't have to go to every single

separate jurisdiction where a bot exists they can go to a single jurisdiction and get a warrant for the whole thing and it was really downplayed which is why why it wasn't part of the conversation it was like this is just a like a policy like we're just making it easier like so they don't have to go to all of these different places and they made it seem like a minimal change not like they were going to start going into computers and deleting programs off of computers this is like not something that was necessarily anticipated when the rule change was being discussed location was actually already anticipated by the rule i tried to mention this so if your car is being tracked like i

said and you get a warrant in one's one jurisdiction and then in and the tracker is installed in that jurisdiction if anybody remembers the usb jones case the reason that warrant was invalid is because they installed the tracker outside of the jurisdiction where the warrant was issued and actually after the warrant was no longer valid um but if you install while the warrant is valid in the jurisdiction and then that car drives into as many different places as possible you don't have to go to all of those different places same with any location tracking people move all right we have um another question from scrim to win um considering that rule 41 defines location of the

endpoints as the location where the crime is committed for jurisdiction purposes does that mean that in the example you gave if the tor exit node is in state a and the consumer's computer is in state b there's interstate trafficking of exploitative media um yes start start with that there's a little bit more to that question after that but so it's about the difference between the is it the difference between the tour exit node and the computer itself yeah it looks like the questions about um and and if you want to clarify our by the way in general feel feel free to do so um it's about um whether you know if four exit notes in one state

and you know like my computer and in other states um whether that's um i guess that that constitutes interstate trafficking of deployative media and like whatever laws are um kind of there surrounding surrounding that

i mean if you're using tor to be then you're engaging in obfuscating your location using technical my slides are still showing right yes yes you are concealing your location using technical means so it wouldn't matter necessarily where you were versus where the different where any of the tour nodes were including the exit node um at that point you are concealing your location because you are sending your traffic through the tor network um actually same with any vpn potentially um so that is what this is meant to do rule 41 doesn't go toward to the crime itself so child exploitation material is a absolute crime mentoring it doesn't like doesn't matter what your state of mind is

if you have it it's a crime um federal state whatever it is like it what this just goes to whether or not they need where they can get a warrant to search your computer for not necessarily if it's a crime or not like i said this is a procedural limit not substantive it's not speaking to the substance of the crime this only goes to where they can go to get the warrant for it all right i think we have enough time for two more questions the first one from urban is um what current um work is going on in congress to like address the issues that you've discussed um in your presentation senator wyden has still been very active

on these issues has been out in front discussing them he actually i don't know if anybody knows chris de goyan used to be the chief technologist at the american civil liberties union works with senator wyden's office incredibly smart actually testified against rule 41 when he was at the aclu so he leads a lot of the work that senator wyden does definitely pay attention to that office in particular and then i know what else is happening up there right now with the transition in the new congress i don't know if there are actively pending bills that i'm aware of um but there are several different offices that get involved in this issue um on and off um and that is the

widens is really the key office i think to key and on because normally he'll be if he isn't sponsoring the legislation he's promoting it all right all right um last question from brandon um going off the first question regarding government having and not disposing of vulnerability can you speak at all um to how eternal blue has been a prime example of this and how that um impacted things uh so there's a great the government has a process for this it's called the vulnerabilities equities process um it got re-god what is the term re invited reinvigorated under president obama um and then we didn't hear about it for a while and every now and then you'll

hear again about the vulnerabilities equities process um it's supposed to take all of the different perspectives into a room and talk about when they tell you um when they release a vulnerability and when they don't but clearly with eternal blue we've seen that not only are there equities at stake about when they might want to use a vulnerability versus disclose it but if they can even guarantee that they're protecting what they're keeping one of the things that i worked very hard at for a while was this idea that the nsa the national security agency has two separate missions um that actually under admiral rogers when he was the head of the nsa stopped being two separate missions and

he just like decided to make them a mission of signals intelligence and information assurance so they're both the code breakers and people who tried to make the code better and under their information assurance mission they're responsible for consulting with nist to the national institute for standards and technologies about encryption standards and it came out under snowden that they were basically like working to undermine encryption standards to preserve their own hacking capabilities um and nist came out with like we're not gonna let you do that anymore and standards around it i think we need more of those like flat out you can't do this these are the limits of what we're going to allow you to do and the name of preserving your

ability to break into systems because we've seen the consequences and it's getting worse and worse and worse for people not any better and again with eternal blue and the fact that they're not protecting even their systems like nsa used to be untouchable nobody thought that anybody would ever be able to break into that big dark black building in maryland and again and again and again we've seen that that's not true anymore and we need to rethink i think a lot of things around that great well thanks a lot amy um and thanks everybody for your great questions um next up we have kurt von gardner talking about threat attribution so i hope to see our next talk

at three o'clock