so, hi. I'm David. So just a quick disclaimer. Some people are allergic to cats, im allergic by the lack of cats, so I will talk sporadically throughout this presentation, just a heads up. Cool. this a a very obligatory Biography slide, really boring. Kind of -- presentations. So I'm a developer by trade, but I've been doing more in the design and user experience world, so I've been kind of bringing in, like -- developer perspective. I hope -- I help organize CryptoPartys in New York City, Brooklyn, Manhattan. And kind of the forays into the privacy and hacking technology, something with the thing I called case study, a thing that basically turns Google search and streams into a big mess. theres a version on github that kind of works on chrome, but not really. I don't know why I put -- Ñ Ñ Ñ Ñ Cool, so this kind of a typical story of what happens, uuhhh therse been alot more attention lately on alot of (indiscernible) technology, namely a lot of things that use crypto, so people have been wanting to learn more about it. so people come to CryptoParty, hey, I want to do this stuff. I want to be cool. So, yeah, they go there, exporting (indiscernible) apparently gives you a white background by default instead of the black ones, so this is kind of the history of, like, what we're going to be talking about. since december 2012, first CryptoParty happened in New York, had like 24 of them, and they've been everywhere. So these are all different communities, they all have different skill levels, different areas, not all of them are going to be the holistic fatality of security, cryptography and the math behind it and the operatonal security, so you have hackerspace, these things end up kind of happening first, just enough of a cross over on Twitter between hackers and the CCC and the actual (indiscernible) just ends up happening. So that's kind of the first audience, and we presented to you like a (indiscernible) and Recently had to relaunch, member of. And a lot of people there kind of more or less prime to the idea of security and technology, so what may be less kind of usability, control get into a little bit. Libraries, kind of a different story. We've done a few CryptoPartys, at a broken public library, (indiscernible) is not in the library but I've added in there coz the have a few things that is kind of a requirement. And that brings in kind of a cross -- kind of a cross section of everybody in Brooklyn, not just(indiscernible) just like everybody, like people from Coney Island and stuff, it's great. weve had a lot of internet users, people who have never touched e-mail outside of web browser, outside of app. Whole idea of protocol being whats actually (indiscernible). So it's important to know, remember mental models around, end to end, when it's really not. Art galleries, New York has them. Cal Institute is not an art gallery, but it's a college institute, but inside an art gallery (indiscernible) they have space. Umm, just kind of this weird video game slash / coding / digital art cool space, brings a lot of interesting folks, and they're kind of doing it, because it's just intrinsically compelling thing, to be able to have this technology that, like, takes galaxies of computers, where its like you know, takes this computing power to actually like crash, so coming in from a totally different perspective, not necessarily having a specific case for it, the coolness of having the ability to do that. Co-working spaces, different story. its kind of a mix of like Ò whoa i wanna haveÉ i just want to be more secure the internet is like filthy and dangerous, what do I do? Kind of their perspective. Using technology, conducting business, not necessarily (indiscernible) view of what security means and all of that. Universities are kind of the same kind of general issue, just like (indiscernible) So I'm bringing this in, from some kind of a (indiscernible) perspective, but one of the best avenues for that, kind of the first place to start i think, so the Macintosh interface guidelines are actually really great for more than Macintoshes from OS2 from '90s. not like OS2 like the IBM ost but Like the second OS. The first two chapters or so kind of go into some of the fundamentals of user experience, and use interface, and very valuable lesson, kind of dive into, and particularly some of the ones that, like specifically deal with perhaps dealing with security software. So here's some key lessons. You have this idea back in the day of -- just like having the ability to have to do multiple things without having to switch between different modes, like you have the ability to, like, you know, print while you're doing something else, and you know, multi tasking, et cetera. The idea, with security, you have a mix of modes, including the -- not going to touch the VGA cable. The fact of -- you have the modes between -- secure mode, which a little weird, because that's a very unique case of when not even -- the table, of something to keep in mind and unfortunately, like, this is a place where people can really, really mess up really easily, done extremely well. A lot of the crypto software we have, really popular, built on top of existing systems not inherently not to be secure, e-mail, these things were not designed to be -- encrypted, and because of that, built software piggyback on top of it. Between -- and secure, and like extra secure mode. So, yeah, something to think about and very careful ways of approaching that, which I'll get into that in a little bit. Also -- unfortunately the open source world, we tend to kind of code and kind of add -- later. It's kind of a problem because really the user only sees the, like they have no understanding of what's going on behind the scenes. Understanding what's going on behind the scenes in some cases. They do perceive any, like, that happens in the front end immediately translates to them as something that's broken kind of underneath the hood as well. So this is something that's particularly important in crypto, because if you screw up in your privacy, then it's kind of game over, so if you want to make sure something is working behind the scenes but isn't on the front, you want to make sure that the front matches what's going on in the back as well. Workingness of the back end, not -- assume it's broken. User testing, so there's -- it's a good idea, cyber software, just like -- just like having one -- all right, we're not touching it forever. Kind of go through as add more features, talk to more people, get them to use it. Hope it was a great talk -- only audio up on the website, you should check it out if you want to use how to user test. There's also the idea of metaphors, this ties into -- here's your contact book but it's not a book. It's like a database. But we use these things to kind of explain like what a thing does and what its function is in the way you use it. And unfortunately this is really hard in crypto because we have a lot of things that are really ambiguous, or reuse things. Create the idea of public and private keys. Just because all of the history of humanity, if you wanted to spend a crypto message, you had to share it, or private, like -- so -- so -- so you have -- real world, you can't really do anything with your keys. Colleague from Phoenix, a lock and then that is your, like -- the actual private key, and that makes more sense. So private key -- with your public key. Sorry, you can lock things up with your private key and then public key for anybody that wants to send you something that you can only unlock. Also have issues with the term fingerprint as well, which I'll get into in a minute. So lessons specifically from cryptography software, user testing, side effect user testing CryptoPartys is there's an idea of forgiveness in -- where you have -- the ability to undo something. You know, if you make a mistake, it's cool, undo it, it's fine. You can't, like -- if you screwed up once and -- and some processes within a lot of crypto software, it's done. There is no undoing. So that means that you instead have to, like, make sure that people know they're getting into and kind of have things that communicate what's about to happen to mitigate mistakes. So another thing it's just like having too many tools, like we're looking at, say, like -- that typical setup we usually prescribe, OSN -- like tools, and if you're doing, you know, all these things, as download them, it's a long process. And that's tedious. That's why people actually -- even though they'd rather get the idea what to do, they'll wait until they get to a CryptoParty before they actually attempt it because so many steps involved they don't want to mess any of them up because crypto -- anyway, so that's kind of the idea there, that's a huge -- a lot of things. There's also -- I'm just calling this, totally made up term, false hope, where if there is something that could go wrong, or a feature might not be available, might not be what it used to, warn user ahead of time. To let them know. Digital equivalent, highway sign has cows, or like goats, you might hit a cow if you come here. It's the same idea. You want to, like, kind of communicate what's about to happen, what requisites they need to get to the next step, and I'll get into some examples with that as we go along. In fact, even if you have everything communicated 100% correctly and it's awesome, and there's no confusion, internet will fuck it up. Go home -- XMPP, and -- game, and game -- pigeon, and it's also called in that system. SMMP. One of those things, realities of confusion of everybody else, kind of -- just like explaining what at a fingerprint is and having analogy, like a hash, for example. So actually -- in the back of my mind that I wanted to -- I wanted to actually start a Tumblr blog, all about calling out bad design and applications. And I wanted to do that kind of crypto software originally but looking at how much that blog didn't solve and everybody tweeted really hard, as snarky as they could, to try to fix the security, design, and it didn't work. In the spirit of -- sort of common -- civility and empathy, permeate through the tech industry. Existing tools, and then going to their GitHub and all these examples except for two of them because it's taking a long time for me to come up with a good design for that, basically offering alternatives how they can do things differently, which I'm going to go over right now. So this first example I recommend in any CryptoParty, because, shitty crypto, but I'm going to bring it up for one great feature and one awful feature, specifically when you're dealing with different devices, there's different software. You know, your crypto could be awesome but if the person on the other end can take screenshot, over. One of those things you want to mitigate, telegram kind of does this by letting people know took a screenshot. I'm sorry. And there's also issues with kind of going back to the idea of modes of knowing, like, whether you're in a secure mode or not secure mode. I have no idea why telegram isn't always in a secure mode because they built their own infrastructure, built everything. Maybe crappy crypto doesn't let them do it by default. People make these mistakes, it's insecurity. No, you didn't turn on OCR. And so can you spot like where -- like what indicator, what tells you -- communicates to you in the -- one is encrypted or not. There is the tiniest, like, block icon at the very top of -- next to the name, and the only thing that is, like, telling you, by the way, end to end encrypted, encrypted -- so there's a lot that could be done, and some examples of how to do it better. Chrome does a pretty good job of this. The -- it's more obvious. You have this kind of, like, you know, sort of the way kind of look at stuff top to bottom, left to right. Not necessarily. In this case, go both. The first thing we'll see the top of things, in this case, a window, and you're seeing different color than other windows, a weird creepy sign in the background. In the forefront, though, you see something that will only -- be read once, and typically that kind of lets you know it's about to happen. [ Applause ] >> SPEAKER: Hi, DEFCON. Who is out -- who out there is their first DEFCON? Wow, that's a lot of hands. I'm guessing you guys have already seen this once today? For those of you who don't know what's going on, we have this tradition for first time speakers. They get to do a shout on stage with the goons. [ Laughter ] He has to. Everyone. Should he join in? [ Laughter ] DEFCON. [ Applause ] >> SPEAKER: I know I look 17. Eighty-four, yeah. Cool, yeah, yeah, awesome. So yeah, so we have the -- so we have -- I think it's something about the conductivity of -- it made the screen -- this is good. Might be just something about the metal cable. I'm totally guessing. Ha. >> SPEAKER: Management. >> SPEAKER: So, yeah, so Chrome in this case has a little message in the front that you saw earlier. So it kind of tells you just like what's going on and what specifically this covers. It's not -- it doesn't tell you you're about to enter onion router land or anything. Specifically, you know, cookies, except for this session. This doesn't protect you from your employer, et cetera, or anybody that has access to the network. It's something you had to read once, kind of in the background, out of the way. Useful first time but still there for anybody that needs it. It's a good thing to have. It's a good design, I think. It's out of the way, it's there, but -- okay. Cool. [ Applause ] Thanks. Another good example is -- the TOR browser happens completely distinct window inside of it you're in anonymity, crypto utopia. Outside, back end, surveillance land. Kind of the idea there. The -- and I think that's a good design to have totally separate window and not screw around with anything outside of that. In, like, military, here's the computer, that's like the red computer, the hot computer. Here's one that's safe to use. Two different devices and that makes it so that it's less easy to make a mistake. Whoops, I did this on the wrong totally different machine, versus, oh, no, I did this in the wrong window, I didn't have my proxy set up, whatever. This is one way to do mode really well. This also tells you kind of how it works, kind of -- and it's great. It's good, on the opposite end of not explaining things, this is an old version, all been fixed. Back in January, like kind of ran into some problems with people where it was, like, there's a mystery group, people afraid to touch it. Like label things, it's one of those things where I know, sort of -- sort of -- design, tends to favor things that have, like, you know, very minimal text, very minimal everything, sort of copy Apple on for industrial design. When it comes to things like this, you want to mitigate mistakes, and because of that, you want people to know what they're getting into specifically, and also kind of -- another thing that you see in the design world, it's just like let's take each number of steps and turn them into two steps or three, as many steps as possible, so that it made it so you can have a contact, two steps. And then tap. Unfortunately though it doesn't give you the option of about asking whether you want to call them, so, like, pretty much three out of the four people tried this the first time accidentally called somebody without realizing it was going to go through. This was also fixed. It does -- the other thing is also -- going back to the theme of false hope, signal runs their own, like -- it's not using telephone system, traditional voice telephone system, so doesn't necessarily need an iPhone, installing iPod touch, said I couldn't, kind of didn't have a thing to say no. It does now, and actually just works on the iPhone, so great. But it is one of those things where you want to deal with these kind of cases and, like, make sure people understand right away, like, what they can or can't do before you, like, say go -- these steps, by the way, you can't do anything. This is going to be recurring, few other software packages. Currently, in GitHub, being looked at. There's the idea of call button, having a -- phone, I'm old enough I remember using a noncellular phone and what those were shaped like, including a rotary phone. Like I said, I'm 30. It's one of those things might be a far future concern, post millennials, people stop watching '80s movies, people might not understand this weird, like, half C shaped thing as a phone. Something to think about. The other thing too, just, like, huh, it's a good idea to explain what different features are, incognito did this of course, and mobile device can too, so there's security. This actually specifically is, if you Google exposé thing, applications, that takes say screenshot of what you're doing, and then saves it in memory. But in this case, it didn't say that's what this protects from, so it -- when you do the exposé thing -- great, so the screenshot is like this blue screen with the logo in the middle. So yeah, great, really not hard to do, I think, I'm not an IOS developer and also this -- here's the deal with fingerprint. Alluded to the idea me not liking -- like using fingerprint, especially with mobile apps only because in the context of where a lot of people are using these in New York, people have been arrested protests, had fingerprint taken and the back of their mind they have this idea that, yes, there is a way to make this thing that was -- into a digital thing and is that what that is? IPhones have a fingerprint reader built into them, so the context of where this is happening is a little bit different so something has literally been shaking people up as far as what that means. Also no explanation of just, like, what it's derived from or why it's useful, so if you're going to use that, I would recommend saying -- seeing how it's useful and like, how, it's a mathematical hash, whatever other kind of protocol. So, yeah, so fingerprint, I don't like that analogy, especially with mobile. So going back to the theme of kind of systems have own infrastructure, this is -- this is great. This is awesome because, like, if you have that ability to just have only a secure mode, and just have it run in the background and not have to think about it, it makes it so you can't make the mistakes, oops, sent in plain text. Ran into, next slide. One of which is, like, you have to add a contact, message to them, not necessarily communicated well and looks so much like e-mail, assumes works like e-mail. Twitter, whatever, this is my -- username, all right, I'm going to go send somebody a message. The other thing too is, the idea of -- so another thing that is -- that is fantastic is it makes what I would consider better passwords in terms of using -- really long instead of weird things that are hard to remember. This is great, but there's also short thing, if you're on specifically -- that will only work on that device, let you enter a short pin. Kind of like a muscle, I guess. If you don't exercise that long phrase, people forgetting them over the course of a week or so. So there's ways of testing for that. I did a really weird project where I tried to use images, or a pin that only worked on a local -- at the last place I worked at. User test, before wrote single line of code, giant piece of cardboard and placed a series of 12 baseball cards -- zoo cards from Netherlands, pick your favorite one and we'll write it down and then a few days later, we'll be, like, which one did you pick? And then a week later, which one did you pick? And then like a month later, three months later, they all remembered, it was awesome. The only reason we went forward with it. I think phrases could be done the same way, but I think there is a sweet spot of when people start forgetting. Similar user, doing things that way, will, I think, be great in helping figure that sweet spot out, I think. Kind of an average that can come in and weigh on that. This is kind of what I was alluding -- and this is on their radar, something looking into. So this is just what I did, what I think one -- hey, I have username, let's write a message. Oh, no. Recipients. I have one. What do you mean it doesn't? It's one of those things, you kind of want to let them know. Prerequisite step. Give them false hope of continuing -- especially when you quit working to it. So here's down side of a lot of these kind of systems that have their own, like, infrastructure that doesn't piggyback on insecure legacy systems, is every investor wants their -- as far as the new messenger app, want to go after what's out, whatever and almost none of them are inoperable. Nobody is going -- apps on phone and remember what -- so everybody just counting on network effects, can you use, you know, sure spot, or whatever? And there are standards. I would encourage any developers out there to use standards. Of course, signal has -- thing, but can be used by other things. Used -- P is also used. Let's talk about OTR. So here's the thing that just always the thing that comes up, in every CryptoParty, despite having kind of a lot of other secure messaging optioning. OR plug in, the things -- the way this is communicated a little weird. People are, hey, let's go download a TR. Go to their phone and look for OTR. So -- but that really means, oh, you have to use something like chat secure a different client and you have -- it's different if you know what platform you're on. And it's called the actual protocol behind scenes, different thing, already have to have -- create one but sometimes there's not an easy way to do that. And so yeah, huh, and then you need XMPP account, sometimes providers doesn't have signed certificate, ends up looking weird. End up sketching people out. So this is what the pigeon interface looks like. We kind of have people use, and so Thunderbird has this. They have on boarding process. Thunderbird first time, you can set up a new e-mail account, whatever. Pigeon unfortunately lacks this. I would like to see built in, working on designs, how to do that. And you have to kind of have an account or if you know the server you want to connect to, there, using this, but it's also weird because it's, like, it's the same interface, it's one of probably really efficient where it's the same display, screen also the same further create screen but you have this, like, persistent check box at the bottom. If you're tweaking microphone, still see it, create account server but it doesn't belong in that context anyway so why is it there? I would recommend moving that out. I'll give an example in a second and, yeah, there's this, like, issues with, like, the fact that it's just a very alien way for a lot of people to do things that they would normally do, reset password. And then just things that are kind of a throw back to what -- used to do, but don't really make sense in this context right now, notifications. There's also just a mix of different things that are related, security privacy being thrown out in kind of similar context which you'll see as well. Yeah, there's just not too much -- very distinct way to distinguish transit security versus -- which I think something that really is a new thing that -- I don't know how to communicate that visually well but something I'm interested in tackling. OTR settings, different place because plug in, so works in a different way. And the install process a little different. Install pigeon, and you have to install O2R plug in, et cetera. Tools. Different in other places, install, have a signed copy of that available. Other things, check box install, cross your fingers. And then people are, like, hey, why don't we have this built? Yay, awesome, 2013, let's do it. Afterwards people are just going to, yeah, thumbs up. It's 55% there, as of May, and also July. We'll see how far that goes, but it looks like that will be available in pigeon 3.0 release which I'm looking forward to in five years. Chat secure, really great example how to do this. So this has a very distinct thing to be able to say, do you have an account? Let's create one. Have that be available right away. It's very easy to just kind of jump in immediately and start using it, which is good. So this is basically what it could be, like you don't have to memory rise URL for different things are, oh, CCC.com. You see everything right there. You can add your own. Freedom to do that, awful. Defaults, encryption. A few other things. Very good user experience. This is basically user experience, other OTR enabled apps. So let's take it up a notch. Let's talk about -- which -- it's basically if -- you know what this is like. Usability has been talked about for a while. Recommendation is, crypt, my colleague recommended, which is great. So this talks about 19 -- issues from 1999 regarding PPG. Some actually still run into. Some of them have been solved quite well, but, yeah, they actually did user testing with specific audience of, like, maybe 12 to 24 people, and like two of them were able to successfully do everything properly as far as sending encrypted e-mails to other person, which I'll let you look into by downloading that sometime. Okay. So the thing, you already have too many movie parts. Too many tools, alluded to earlier. Whatever reason, a huge crossover, security privacy and group, any CryptoParty in New York, more people that know how to install this, than you do on Windows. And because those interfaces are different, it's hard, like, open PPG tools, it's like this. In here, it's like this. Nobody really knows for sure. People are afraid to do things. If they make a mistake -- and the order of things, you have to explain. People aren't used to the e-mails of protocol. You have to set up your e-mail account first, and install. Even though part of Thunderbird, talk to you, PPG install, so you have to do that. And internet users never looked at e-mail outside of a website or app. It's something that has to be considered to play. You're not just introducing an encryption to them and PPG, you're also introducing the idea of e-mail as a protocol to them, which is we're, and also people that have been having -- have had Gmail account now for ten years, you know, default, so trying to download everything. Set up -- internet connection slow, and you can't do things while it's happening. Chokes up CPU. Take advantage of threading for different processes and have things in the background run well. Wasn't the way e-mail always was. Made so wouldn't have it so you're not downloading entire e-mail -- one e-mail landing in one place that you checked and a different e-mail landing in another place that you checked and having those not sync across devices. In modern age, after '90s, people are terrified by. And the other thing too, just like the stack we're counting on as far as Thunderbird, the cross platform thing tell everybody to use in Windows, Linux, or Mac, a -- they're doing bug fixes, not changes happening any time soon. Little things, like people don't think about, sizes, resolution, displays, things like that, and how small that gets, so it's important to accommodate really big screens because even if you don't think your e-mail app is going to show in Times Square, resolutions of your screens are only going to get stronger, that's something that's going to have to be thought about. There's also -- subject line, nonencrypted. 1999 paper, there are ways kind of highlighting things within like those text boxes. You do that for -- does -- to let people know. Should also be for subject line, in my opinion. Kind of like what it does here, where you have -- red, because I don't have signatures, trust levels not high enough, whatever. Subject line but nothing is indicating that's not encrypted at all. We have to tell everybody -- we could -- highlight in red, have a thing that pops up, hey -- sorry that's the way 1970s designed e-mail. We also have this idea of multiple -- multiple types of encryption happening and a little bit of confusion, I'm going to explain what each of those are. Future is not looking so good for that. But there's also the idea of PPG in browser, has security issues, but that's why it's been an extension, not browser, but browsers get hacked, so do operating systems, so securitywise, I don't know, I'll leave that to all of you to figure out whether that's an awful idea or not. Yahoo -- kind of the same thing. Haven't had a chance to use Yahoo or Google -- sorry, white out, I couldn't use because froze and I couldn't -- maybe didn't generate key successfully, and I didn't know -- so what people do when they tell me, use -- they start writing a message, and a little thing that pops up kind of in the very corner of that composed window, no text on it, like a little thing that has a little icon with a pencil, piece of paper on it, and as soon as start typing, disappears, and doesn't come back, then you're, like, ready to encrypt. Wait, I can't. And you open up the tab and it's saying -- you open up the button and it's saying, what does that mean? Ability to -- different web service providers, useful feature but it's not in the place people expected. Advanced settings or different thing. The other thing too, well -- you've already typed -- want to say whatever and already done. There's no undo on that. Age of Google, data retention. So that's the thing. It should literally stop you. It should have a different -- composing window that should ask you immediately, is this going to be a secure message? Do not start typing yet and then go for it. This is a complex design, web-based context. Already -- but there -- everybody has web browser, familiar with -- whatever. Chromebooks, all over the place. Even like the speaker room had Chromebooks, just everywhere. Not going away. There's also just the idea of P -- fundamental architecture doesn't always work so well with browser extension context, storage, caches, private key. Suddenly you don't have a private key anymore. And these -- back in the day. I don't want to diss, 1991, back then you had a computer, you only had one computer. You didn't have to worry about you have mooing files around because always on one machine and it was in a locked house. You didn't have to worry about key security. Didn't have to worry about iCloud, private key, giving to Apple. It just wasn't a thing back then. Key servers back then kind of made sense, because you have secure, like, a real strong way to say, hey, here's how -- public key without secure -- HTPS and -- uses HTPS, outlets, can put public keys in not only different websites but different jurisdictions those websites. Public key on or -- IM, whatever, and you know, Twitter, and then you have to deal with three giant governments hate each other, public key. So try to change all those basically. So it limits -- model a lot that way and kind of approaches. Also -- slow to begin with, with prime factoring, and even I think GitHub issue, one of the GitHub issues I saw on Googles -- encryption involved, find out -- looking at Chinese mathematicians, days, how they did stuff. Actually -- Sun Zhu. So one of those things, do we need private keys to be filed? Can we just have them determined or derived like deterministically, public key with a long -- does. That gets around the idea of, like, having to worry about file security, which people are not good at. People lit -- literally have people go into classrooms and not understand what a file looks like, iPad apps, so it's -- it's scary but also we need to deal with. Umm, and like I said, social media kind of helps with -- the function basically used at one point, the way key base is doing I think is extremely compelling. Encryption. ECC -- not so much. Yeah, and that's basically my talk. My twitters, website. Don't forget to add me as a contact person, I have to approve it, and that's when we can talk. Public key ID, fingerprint, and also for any of you are working on these tools, open source, check out simplysecure.org. A lot of people running behind the scenes. Really great. Have taught me. They're good people to talk to. And like I said, check out that. Yeah, that's it. Any questions, comments, ideas, concerns, rants? No idea where the microphones are for Q and A. So the question was, do you think it makes sense to keep working on PGP or kind of, like, send it to the glute factory? I think a lot of people are using it. I think -- it will continue to exist whether we like it or not so might as well come up with ways to have -- use in a way that makes sense. Some of the things I was thinking about specifically, well, what if you treated file security the way you would with a key like for door, and it's just a thing you carried with you? Do you really need your private key on the computer that you want to use it with? We have, like, armed based computers that can live on USB drive and I wonder whether that could be a super lock down PGP, computer you carry with you and plug into the USB to the laptop that you want to use PGP on or -- just like to be able to say, crypt this message. Not do the encryption on the machine. On your user device. But the actual PGP computer. Send in plain text, give me back cyber text and do the delivery from there and that would solve a lot of userability problems. File security, think about backup software, all of these other things. One approach I think works. The other is better desktop software, malpile, seems like promising. Again as long as private keys are made as files. Either going to have to have that file in, like, one place really secure or going to have to learn to become a security expert. So, yeah. Any other questions? [ Applause ] >> SPEAKER: Thank you.