>> So, as a speaker, it's very difficult to come to DEF CON and watch really terrific talks and not develop some sense of speaker envy, you know. So this is a very humbling thing to do, and even though this is my 6th  year doing this, it's nothing I take lightly, and it's a great honor to be with you guys doing this, so I'd just like to thank the goons that do speaker opps for make a really great experience as a speaker. Every year at DEF CON, something new happens and I had a new experience this year. I want to thank the people at black hat, as well. I decided to come to the Rio on Thursday to pick up my credentials and went home, I live here in Vegas and I very innocently took out my materials and I sat down my black hat badge on my dining room table and put my DEF CON bag next to it and I looked at it and I go this is really interesting and I did a tweet, you know, the difference between black hat and DEF CON in one picture and I this that was amusing, I didn't think it was bad amusing. Well, between re‑ tweets and favorites and whatnot, this got reposted like 700 times on Twitter, so my phone was doing this for almost the entire Con, it was like warm ‑ ‑ that was a cool experience, a very cool experience. So my name is Michael Schrank, I have a book, I will be doing a book signing, if you have questions, we can book up, I don't tell people I write bot nets and bots any more, I didn't tell people I do that any more because I'm ear met with blank stares or looks of horror, so now I just tell people I do business intelligence, and that seems to have a better story for people. I've been doing DEF CON since 97, DEF CON 5 was my first one and I came out here to cover it for a computer world magazine, it was the first article that I've ever had published and I started thinking this weekend about the effect DEF CON has had on my life, if I hadn't come out here for that, I would have never been published, I would have never got a book deal, all of the things that came after the book, all the foreign travel, the speaking opportunities, the gigs I probably didn't deserve, if DEF CON hadn't made me come out to Vegas once a year for 17 years I probably never would have moved here, you know, so it's an awesome thing, a very awesome thing. So today, what I'm going to talk about, the name of the talk is your leaking trade secrets, but what I'm really talking about is organization of privacy, and it's a little bit different than personal privacy, because individuals tend to leak identity issues whereas organizations tend to leak trade secrets. So the message I want you to have coming out of here is information that you put online, on the web, is not always read by the intended audience and it's not always used the way it's intended to be used now, there's been a lot of awareness about personal privacy but there's been much less awareness about organizational privacy and I think that's largely because of the way the media handles it. The media's been roll good at informing people about things but less good about informing our organizations, and I think a lost that is the types of stories they cover. So in the case of leaked trade secrets, these kinds of stories are always treated as news stories, they're factual, but they don't really teach any lessons. Whereas, you know, there are other reasons I think for the press covering personal privacy issues. For example, the one thing, it creates a lot of customers for a lot of advertisers so it makes good business sense to do that kind of thing. The other thing is it is just really good content. One of my favorite stories about a personal leak, about a year ago, that there was a head master at a Privilege School, I believe it's in Georgia, who was let go. And he felt he was let go for the wrong reason, he felt it was age discrimination, so he filed a suit, they settled out of court, stipulation that he never talked about 9 case about what does his daughter do she gets on Facebook, she lets her know that the case was settled and they were paying for her trip to Europe. The other story like is if you're a soldier and you're stationed someplace where your government says you're not, you can probably removed the GEO codes off your selfie before you upload it to Instagram, I love that one, but these are great because they teach lessons. And the lesson that this should be teaching all of us is that there is not a piece of software, there's not a piece of hardware that can protect against this kind of stuff. It's an awareness thing, and there's really no substitute for awareness. So one of the things I'm going to do is we're talking about trade secret, I've got examples of unintentional data leaks and this is really all about business intelligence, because if it wasn't somebody doing things with these leaks, they really wouldn't matter, right, so we're going to look at little bit about how online intelligence is different than offline intelligence. But then finally, we're going to talk a little bit about what can be done to minimize the effects of all of this kind of stuff. So what is the trade secret? Trade secrets are intellectual property but they're very different than patents and very different than copyrights. The biggest difference is that you don't need to publish a trade secret, and if you did publish one, it would not be a trade secret any more, so that's obvious. Unlike patents and copyrights, they have absolutely no expiration date and they're protected by something called the UTSA, and this came about, I believe '70s or '80s unlike patents or copyrights, there were no laws. All but one or two states have signed off on this, but it used to be an issue because if it were a big company and you had offices across the country, you would subject to the various trade secret laws in those various states, so this simplified things quite a bit. In order to be a trade secret, it must have some kind of economic value. The interesting thing that I think about trade secrets is that you can use anybody's trade secret if you happen to discover it on your own. So if you find it on a piece of paper on a sidewalk, you can use it. If you find it in wiki leaks, you can use it. If you discover it through reverse engineering, you can use it. If you discover it. So what is the value of a trade secret? Well, basically  ‑ ‑ oh one other thing I think I forgot to mention is you have to make some effort to protect it, that's the other thing, you can't just come back retro actively and say that's a strayed secret, that doesn't work. The reason you established trade secrets is so you can sue people and recovery losses and damages and attorneys fees and that kind of stuff. But only if somebody misappropriates the trade secret. If you lose it through your own stupidity, it's our own fault. So when people think about trade secrets they automatically think about things like the recipe for Coca‑ Cola or the formula for a fragrance like Chanel number 5. The interesting things about fragrances is you can't copyright or patent a fragrance but you can have a trade secret over the formula, so if you go in Walgreens and find a knock off, they're perfectly legal because you can't copyright or patent a fragrance, but you can trade secret the process or the recipe. A lot of times, trade secrets are used in conjunction with patents, so you might have some patent, but the way you implement those patents is some kind of a process that's protected by trade secrets. But today, more often, trade secrets take the form of data, and I just listed a few of these here, you know, things like your list of your employee, your list of your suppliers, customer lists, funding sources, expansion plan, marketing plans, new product planning, pricing strategy, labor issues, how quickly things move in and out of your inventory, how fast thing sell, IT infrastructure change, security information, this is all data and these are all straight secrets and in your organization, you should treat these as secrets. And every try is going to have a different one. There's no  ‑ ‑ I mean, depending on what you're doing you're going to have different things that you're going to call trade secrets. For example, in the European Union, they have much more progressive privacy laws than we have here in the states, and in the EU, if somebody is collecting personal data, you have a right to go to that organization and say what is the data that you're collecting on me? And they have to show it to you. Well, somebody in I believe Ireland approached Facebook and says I want all my data, I want to know what you're collecting on me, Facebook used a little exemption in the law that said if through the disclosure you're going to show trade secret, you're exempt from the law and Facebook said hey, that's us, that's us. And these are all the trade secrets that Facebook wanted to protect. And I'm not putting these up here for you to read them, I'm just showing you there were 22 of them, a lot of them and they included things like, you know, if you delete an image, we just erase the pointer, it's still really there. If you poke somebody, we record that. You know, all that kind of stuff. And they were saying if you have your data, you're essentially learning about what we do with that data, since we buy the nature of that data, so data has become a trade secret. So we've got all of these potential trade secrets now and they're all floating around on the Internet and this has really changed the way business intelligence is collected. For example, before 1995, and I use 1995, because for me, that's kind of when the Internet [indiscernible] a little bit, before 1995, all the web pages looked like [indiscernible] web pages and things have just matured a little bit there, so before 95, you had to do things like this guy, this is Mitch Modell, the CEO of Modell sporting goods and he was accused of the following: He dressed up as a disguise, misrepresented himself at dick's sporting goods, told the receptionist that he was an executive for Dick's and he was waiting for a meetings with the CEO and she preceded to show him room where there was a lot of files and he started particular pictures and he was just helping himself to information. What makes this story really weird is that the same guy was also on undercover boss on CBS where he basically did the same thing except for his own employees so he was really into this. But this is the way intelligence was often gathered prior to the Internet. So before 1995, there were limited number of sources, you know, where are you going to go? You can go look at the patent files, you looked at newspaper, maybe subscribed clipping service, it was manual, it made it a really expensive process, so it's not something that you could do over and over again. Basically, you would take a no shot of what was happening at a certain time. It often required physical contact, you know, maybe would go to a conference and get your competitor drunk and talk to him and not tell him who you were, you know. Probably we've all done that. So it required physical contact and it often required people to identify themselves or if not identify themselves, occasionally get caught. So you're anonymity would be blown. Now after '95  there's almost an unlimited number, I would sigh there is an unlimited number of sources because they keep coming in and out to automate data collection, we can repeat it, do it day after day, you start looking at data collected over time, and you start to analyze trends and do all kinds of cool stuff. It can be done remotely. And you can usually  ‑ ‑ it can usually be done anonymously, so this looks a lot like hacking, right? You can do it remotely, automate it, you can do it anonymously, so basically, business intelligence has now become as far as I'm concerned, the other thing about business intelligence collected online is that it is immediately actionable. And this evident in my talk last year where I talked about a bot net that wrote about $20  million worth of cars over a period of 9 months, 20  million retail, I did it totally by self. And this data that we have basically, the inside information we had some inside information on servers that allowed the client to basically buy things at will, and we were able to act on that intelligence immediately. So through the eyes of a hacker, anything you put online is potential business intelligence. And that's a really important point. Again, every industry has its own cases, I picked out a few that I think we can all relate to. All right. So imagine the plight of an online retailer, this is what they're thinking, I need to keep my online store up to date and I need to keep up with what's happening with competitors as far as pricing, so I need to respond to my market basically. So a hacker looks at that and says hey, I can watch the store remotely, I can do it anonymously and I can automate the information gathering. So if I monitor a retail site and you do it over time it's possible to leak pricing strategies, you start to figure things out, you can Figure out inventory strategies, you have items coming and going, I can't is that? Why is this no longer offered? Sometimes they can show supplier issues, right, if it's something you know that they always have but they don't have it now and they really should have it, they're having a supplier issue. If they come off and they are always having a lower price than you, they are buying it from somebody different or they have a better deal than you have. The problem is much greater when you are a retailer and selling specific item, oh, so we're not talking Sears now that has an infinite number of T shirts we're talking about a real estate website that has one house on the corner of 3rd  and main, we're talking about  ‑ ‑ SE is a huge business, in excess of a billed a year. Emerchants tend to sell one item  at a time, you can learn what is a good thing to sell on eBay and watching what sells and for what price. Used bookstores tend to sell single copies of things, car dealerships, any kind of seller of collectibles, and this group includes anyone selling any kind of uniquely identifiable goods. So if you watch one of these stores over time, they basically disclose their entire service record, right? You monitor this long enough, you pretty much have enough information where you can do their accounting. And this is something that people don't think about. Okay. Let's look at  ‑ ‑ I love picking on HR because I think they're probably the biggest source of leaks within an organization. So let's think about a HR manager, put yourself in their position. They're thinking this year it's going to be a busy year for us, we have a lot of stuff going on, I need to post 250 job postings. So that's what they're think, that's what their task is. The hacker on the other hand thinks, I can watch these job postings remotely, and they can be anonymous while I'm doing it, I can even look like somebody else, I could look like an actual job seeker if I wanted to and I can automate the information gathering. So what does this do? Let's just look at a simple job listing here, this is natural listing, I won't tell you the company  ‑ ‑ this is an actual listing, I won't tell you the company it came from, this is a decent job listing, I will show you one that's not sos did but this one is fine, there doesn't seem to be anything wrong with it, we have a new location here, we haven't seen this before, and we have a new skill, that's something they haven't seen before. If you look at this over time, you're watching this remotely, anonymous, doing the information gather, you can start to grasp things, you can check out when new postings come out and new skills are mentioned, you can look at when new locations are mentioned, it's like oh, yeah, here's did they've never hired a HR contact representative before, I wonder what's going on there, Portuguese? They haven't needed that before, and an office in Puerto Rico, what's going on here? And if you look at stuff and how the listings come and go, it starts to paint a narrative where you can start figuring out a company's strategic plans, okay? I've been in a lot of HR meetings and I've never heard anybody say are we leaking our strategic plans by listing these job I've never heard anybody say that. Let's look at another one. I love this example. I'm going to advertise a vacancy we have for an IT help desk professional, that sounds like a you nice thing to do, a hacker comes along and says can I read between the lines to learn how to compromise your network? Let's take a look. This is a recreation of an actual ad, and this was an actual ad from a law firm that I used to deal with, and I saw this published than I got on the phone, talked to one of my friends who was a partner and said you need to take this ad down now! And so you look at it and it looks fine, you know, it's a law firm, and the company overview, looked at the description, they have an immediate opening for an IT help professional, with remote access tools like PC anywhere and phone dial, this was a few years ago. Talks about the responsibilities, so yeah, I mean, it looks like a nice little opportunity for somebody. And you're like whoa, what is this? They are announcing they have secret, they're a law firm. Do they have to announce they're a law firm? No, no. The IT people you hire for law firms are essentially the same IT people you would hire for any kind of manufacture plant or whatever you. It's like oh, they have secrets, we know they have secret because their a law firm, we know what kind of secret these have, they do acquisitions. So if you deal in stocks at all, this might be interesting information, right? I wonder who's secrets they have, oh, they've got their client list. So we though they've got secrets, we know what kind of secrets they have, we know who's secrets they are. Okay. Let's look a little bit further here. Never say you have an immediate opening for an IT position like this, because that means there's nobody there now. [ Laughter ] >> No one is watching the store. What kind of social engineering could happen with nobody watching the store, you know? Oh, they're telling us how to break into their network, they're using PC anywhere and phone dial‑ in system, so you guys remember how that works back in the day, you just started at the bottom of a block of numbers and starting dialing until you get something that sounds like a fax machine and then there's nobody watching the store, get your things ready, because we can automate attacks, right? The other thing is that they're liking the fact they have problems with remote access. Okay, so social engineering‑ wise, I mean, yeah. And the other thing is this was the only IT ad they had advertised and this guy's got way too many responsibilities. Helping attorneys, you know, working remotely, responsible for network security, software install, license management, policy development, problem has to see do some training along the way, right, this guy is overwhelmed so what can possibly go wrong? What kind of social engineering things can you think of? What I would do is call them up and ask them, they will tell me if this job has been filled, oh, yeah, we filled that, great. You wait for the great to get settled a little bit, you pose as one of these attorneys emote, you're having problems dialing in, it's 2:00  in the afternoon, you've got a surprise hearing at 2:15, want to settle things out of court, you need a paper from the home office so bad, this guy's new, he's going to do everything possible to help you out. You're in. So be careful what you put in ad, especially IT ads. All right. >> [Off mic]. >> Do you ever go fishing, take a hook out after a fishes mouth that's kind of the response, it's like what? Really? Yeah. Oh, I see. Okay. They did take the ad down. Okay. Sometimes  ‑ ‑ so basically what we talked about so far is walking websites and building a database over time, changes and whatnot. Sometimes databases are left in plain sight, and that was what hand here. This  ‑ ‑ if you Foley elections at all, this was one to watch, because it was so bizarre, it was the senatorial election of 2006 in the state of Minnesota, it was an extraordinarily close election. It was decided by a few votes after a long period in the court systems. There was a lot of shenanigans going to ban back and forth, a lost accusations of hacking, a lost servers going down, a lot of things happening but probably the strangest part about this election was the cast of characteristics involved we started out from Frank, probably known from his days in Saturday night live where he was a writer and a cast member for I think 10 years a long time. Norm Coleman has a really interesting political background, he started off  ‑ ‑ well, his first elected office he was elected mayor of St.  Paul Minnesota, he changed party affiliations and we reelected. He ran for governor where he was defeated by Jesse Ventura, he was the incumbents in this race and he became the incumbent because his opponent died in a plane crash before the election. And then there was a third‑ party candidate who did pretty well, he got a half million votes, Dean Barkley and he was most well‑ known for being the political advisor for this guy Jesse Ventura, so it was a very likely election, I believe Ventura was actually the governor during this period. Of what happened is after the election, after the Norm Coleman had the most votes not enough to keep the recount from happening, after the recount, Al Franken was ahead by three notes, since month later they decided whether or not they were going to count all of the absentee ballots and Al ended up winning by 312 votes. But like I said, there were all kinds of charges of misappropriation of trade secrets, and in such a close election, any little dirt you have on your opponent or anything is gold. Well, along the way, somebody came up with a database of Norm Coleman's political correcter, their names, what they did for a living, Social Security numbers, their credit card numbers, and the first thing is we've been hacked, somebody took our database, no, they didn't, they actually put it  ‑ ‑ [ Laughter ] >> [Off mic]. >> They compressed it and put it in a directory that was unprotected on their website. If you want to hear the story behind this, Richards how a lot of stuff on YouTube about this but basically they just left it there and there's a lot of this going on. I don't know if you  ‑ ‑ there's a tons of this, one of the things that I do in addition to business intelligence, I do a lot of work with data journalists, primarily in the UK and the Netherlands and I love working with an investigative journalist because they've got a hacker's mind, they think like hackers. You give them a tool, they run with it, they take all of their background and experience and do all kinds of wonderful things. I have been doing all kinds of stuff like this. They were finding like stockbroker's list of clients and how much their funds were and where they had their stuff distributed and they were basically just doing Google hacking is although were doing, just looking for files. So one other back story to this one that I think is kind of interesting, so I somehow came across this database, and it was just an Excel spread sheet, first thing I did was I imported it into an actual database, where I could do queries on it and I was doing queries on it for a couple of days trying to find out interesting combinations of data, and I had done this before, I mean, I had worked with a lot of European newspapers and stuff, on doing this kind of stuff, mostly from freedom of information act kind of stuff and in had enough information I thought that probably would have been good for probably 3 to 5 stories so I contacted the major news newspaper Minnesota, told them what I had done and the kind of stories they could generate from this and the response I got was we have our own IT department, we really don't need what you have. All right. Cool. Okay. VNF can be a major source of leaks, and especially when it comes to marketing. You know, some of you are probably aware of this, but I've got a couple of examples I think that are pretty cool. So you're a marketing person, you go I need to register so domain names for new products we have. Well, the hacker comes along and says I have been watching these registrations remotely, I can do it anonymously and I can automate the process. Or if I have $750, I can just buy this information, a little bit cheaper, and it's true. You can see that Apple has registered about 4500 domain names and for not a lot of money, you can go and see what they are all. Do you think Samsung does this? I'm sure they've got a copy of it, you know. The thing that I found interesting for this is this particular screen shot I took during an organizational privacy talk in Dublin Ireland for the security forum, so this snapshot was done in March, they had 4,000  ‑ ‑ 4544 domains on March  17th. I did this again earlier on just like last week and they had almost another thousand domains they had checked out. Do you think there's any intelligence you can gather from those thousand domains? I'll bet there is. I'll bet Samsung has that list. >> [Off mic]. >> They could be doing that, they could be diversions, but there's probably intelligence you could gather from that, as well. The question was, you know, maybe they're not real domain names but yeah, I think you can probably read between the lines there, too. So here's another example, this was an example from a data journalism class I taught through the center for investigative journalism in London. Keep in mind, this is a group of primarily journalist from the UK, they were not Americans, and I asked them, you know, knowing what you know, can you tell me when Sarah Palin gave first real thoughts, first documented thoughts about running for president? So they were all busy and again, investigative journalists, they're like hackers, and they started looking at DNS records, I didn't tell them to go to DNS records, they just went there and they found this listing by Jay Griffith who after a quick Google search you can find out was her political advisor and he took out the domains Palin for president, Palin 2012, right, that gives you a little bit of an idea of what they were planning, Sarah Palin 2012 a and they were all registered on August  24th  of 2007, that was pretty much a year before she was interviewed and before this ever became  ‑ ‑ before she was ever even a candidate for vice president. So there were some talk in the past. So DNS records are like a snapshot of the past like little time capsules. Employees leak trade secrets all the time, and they'll do it on a personal level, just like that by the number of employees that you have, that's the kind of problems that organizations have. So if you're a HR director, again, we're taking on HR, they will say the company is only as great as their employees and to succeed I need to train, hire and retain the very best ones, I need to invest some money in them and because of that, trade  ‑ ‑ your list of employees is really a trade secret. So what does a hacker think? Oh, I hacker thinks linked in and Twitter is what they think. Because you can go on to linked in and within a matter of minutes I could probably tell you every  ‑ ‑ for example every new business development person in your company. And if I triangulate that information with their endorsements, and what they're doing on Twitter, I could tell you who your client list is. Okay. That's not information you want to have out. Sometimes you know, you can't keep people from using media but you can keep them from doing really stupid things. This is a case where this was actually pretty common, people leaking the code names of top secret NSA projects on their LinkedIn profile. You know, yeah, this is my experience, I worked on this project. You know, it's a lot easier to find out things about projects if you know what they're called, right? And I actually, this is not just snapshot in, this is still going on, you can't keep  ‑ ‑ excuse me, you can't keep people from doing stupid things but you can monitor and keep an eye on things, so what I recommend people doing is use corporate social media accounts for any kind of marketing kind of things that you've got going, in fact, social media accounts are now actually being considered as intellectual property, just the account itself. There was a case about a year ago where there was a salesperson who was Twitter account very effectively, their followers were their customer base and the name of the Twitter account was something like bob@ABC company, well, Bob@ABC company jumped ship took a job with XYZ company, what does he do, he renames his Twitter handle Bob@XYZ company, takes all of his contacts with him, his former employer sues him and they won and they determined no, that is not yours this belongs to your company. So to avoid anything like that, use official accounts that you have control over, if you're going to go use social media for marketing. Now, a lot of leaks you really can't avoid, a lost them are done transparency for regulatory purpose, it's worth watching these things, court record, people pulling building permits, there is a lot of information you can glean by looking all the things like, you know, licensing and you know, FCC filing, that kind of stuff, SEC filings, but you have to make sure your competition [indiscernible] degree that these are problems for yourself it's more about learning about your competitors and what I ask everybody to do is think about what happens if your website is monitored and if all the changes end up in a database some place, would that change what you put on your website? I think it probably would. I strongly suggest, especially if you're doing new product stuff, you are picking out new domains for new products, use a proxy, don't do what Apple appears to be doing. Don't host your own website on your own network. There was a case if you're in Las  Vegas within the last year, where I believe it was a group associated with anonymous got into the Sans corporation, Sans if you don't live here in Vegas, they own the Venetian and in addition to breaking into their website, they discovered that their website was on their corporate record so that gave them access to HR records which they published and strangely enough, it also gave them access to the network where all the slot machines were. [ Laughter ] >> So there is no reason to host your own website on your network. In fact, I don't think you should host your own website anywhere, you should have an agency do that for you. There's no reason to do it. And the most important thing to do, I think, is to get everybody's buy‑ in, the organizational privacy  ‑ ‑ that organizational privacy is important to everybody in the organization. You know, any one leak basically pulls everybody down, so you need to get everybody's buy‑ in and again, this is a training issue is what it really is. You need enforceable policy. How many times have you seen security policies that aren't enforceable? You know, there's as good as not having did they're worn not having policies because they give you a good feeling. And when I say enforceable, they should be enforceable through tools, there should be tools enforcing those, you shouldn't need people to do it, you know. You should be doing your own business intelligence on your own system. Audit everything that you publish. Anything that goes out in your website should be audited through some group hopefully that group isn't marketing, because they're empty going to get it, okay? Because the real important thing here is that security and privacy are not IT functions, they're everybody's responsibility. IT can't protect you from the nonsense that you showed you here. Don't disclose a lot of organizational information on every job posting. It's not even important and in most cases it may you don't even needed to put the name of your company, there's no reason to have job listings on your own corporate website. There isn't. I encourage people to use cookies to track their competitors when they're coming to their website and it's good to do cookies and you start to associate cookies of known gateways of your competitors, so that way if you have their cookies, if they're using a laptop or mobile device, if they go somewhere else or go home and go to your website, sometimes people will go to your corporate website and look at different things at home than they might at the job. So you can really screw with people, too, when you do this. And I suggested this to a number of clients I've never had one do it but if you're tracking your competitors and you've got their cookies, you can show them whatever you want, you can show them different prices, you can turn it into a recruiting website to recruit from your competitors. I would love to see somebody do that sometime. Okay. To the that's my talk, thanks for coming. If you have questions, we've got a little bit of time now. We've 5 minutes, otherwise, rhyme doing a book signing at the no starch booth. Thank you all for coming. I appreciate it. [Applause] >> [Off mic]. >> I don't know. >> [Off mic]. >> We're ready for questions here at the mic or are we going to jump right to the desk? >> [Off mic]. >> Sure. Your comment about the hacking with the  ‑ ‑ >> I'm sorry, what? >> The casino in Las  Vegas, your comment, your comment and presentation about the casino being hacked. >> There's a lot of noise. >> Come on up. >> I understand that  ‑ ‑ you said that you published donor lists. >> Not in every case, only certain donors that's my understanding. >> [Off mic]. >> Okay. Okay. >> [Off mic]. oh, yeah. >> [Off mic]. Well, a lot of it is  ‑ ‑ it was also a political thing. >> Yeah. >> [Off mic]. >> Okay. >> [Off mic]. >> Great advice. >> Thank you. >> [Off mic]. >> No, but that's a great identify and this is something that I'm going to publish. Like I they'd, there's a lot of awareness about this. >> [Off mic]. >> Most of the things don't really [indiscernible] I mean  ‑ ‑ >> [Off mic]. >> She was saying in 2007 about running in 2012. Oh, I see. >> Right. [Voices overlapping] >> Oh, thank you. >> [Off mic]. Washington D.C.VIP. >> Okay. >> I'm going a book signing at noon. Is this still on? I was asked where the book signing was going to be. >> I have most idea what I'm supposed to do. Sort of. >> Is this on? Okay. probably, no. Sometimes I think I do thing better drunk. I'm not typically good at [indiscernible] I'm good at [indiscernible]. So yeah, I'm not good at single pin picking, I was submitted for DEF CON was for a lock pick game, I've been doing a lot of that recently. After I leave here, I'm going to go by me some new toys in the vendor room. We've got about 6 minutes before we talk again. How many people here understand the basis of how tour functions? Mostly. Okay. I'm going to do a real quick rehash, I'm going to try to limit it to 10 minutes, I have 45 minutes and in want to get to the main dirt. >> Okay, hi, Scout with speaker opps and it's my pleasure to introduce Adrian. [Applause] "This text is being provided in a rough draft format.  Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings."