>>Two years ago I was sitting in the Paris hotel, the Thursday morning that Def Con was to start and my phone rang. And I was a little nervous to answer it because I kinda knew what the phone call was about. And it was my doctor calling me back to tell me that the biopsy that I had had on a lump in my breast the day before I left for Def Con had come back positive and I had breast cancer. I share this with you because it's what actually ended up starting the research that I did that I'm going to share with you today. For those of who have never been through chemo or don't know anyone who's gone through it, I think most people know that, you know the, you know - the losing your hair; the throwing up. That's uh, pretty much everyone knows about that but there's a lot of other side effects that come with chemotherapy. And one of them is called 'chemo brain' and the regiment that I was on was, uh, ACT which is adriamycin cytoxan and taxol and another name for adriamycin is doxorubicin hydrochloride and that's the one that essentially, pretty much, kind of tries to destroy the mitochondria in your brain - it affects their energy levels. And it results in forgetfulness; memory lapses; difficulty concentrating or focusing on tasks; trouble with recall - remembering words or names. Uh, my team can testify to the fact that there have been many of a time in a conference where I've been like trying to put a sentence together and can not recall normal everyday words that most people know. I, I can't pull them out of my head. I'm better; I'm getting better at it but it still happens. Uhm, and then also struggling to do more than one task at a time. Uhm, as a hacker our mind is our like most valuable tool so, losing my hair; my eyebrows; my eyelashes - even losing both breasts was not as traumatic or devastating to me as starting to lose my mind. So, when the chemo ended, uh, I was kind of hoping that it would just all go back to normal and it, and it didn't. So, I started to try to research how to heal my brain and in the process of that I stumbled upon some research that was being done at Stanford and I believe it was SRI International, they were partnered. And they were talking a lot about using the mind for authentication and I kept like, like kind of putting that to the side - like I really wanna look at that but let's get this fixed first. Once I felt a little better about my own cognitive faculties I went back and started looking at this research because I was very fascinated by this concept and I wanted to know how far along they were with it. How does it actually work? I mean, like, really - how do you implant a password? How do you do this? So, today I'm gonna share kind of what I taught myself and what I've learned and kind of some of the, like, hackability of it or, kind of, uh, the where they're at with it as far as actually being a viable option. Uhm, but next slide. So, a little about myself before I start: I'm a security engineer and researcher with Digital Cloak and my undergrad is in Sociology - which is a psychology of group behavior as opposed to the individual. Uh, my minor was deviancy which has served me well in this environment. [laughter] My grad work and degrees are in security management and cyber security. So, I kind came into the security arena from the cyber a, area kind of late but it can be done. Uhm, and the agenda for this talk is gonna kind of cover some conceptual groundwork. So, you can kinda understand some of the research when I, when I share it. I still can't feel the ends of my fingers either. [chuckle] It's neuropathy. Uhm, so last time I spoke at Def Con I was actually fortunate enough to have one of the researchers I cited that attended my talk - so if any of the researchers I mentioned in my talk actually happen to be sitting here, like, jump up and wave your arms! So we can say high and maybe have you come up and maybe, and, and tell us about your research better than I can maybe. Uh, next slide So, cognitive memory, this is, cognition is the mental action or process of acquiring knowledge and understanding through thought; experience; or your senses Or some combination of them. It's knowledge, attention, memory, judgement, evaluation, reasoning, problem solving - all of that. And it can be conscious or sub- slash unconscious. It can be in Excuse me. It can be intuitive which is the ability to acquire knowledge without understanding - so, if you think of like instinct. Or it can be conceptual, so based on ideas or concepts. Like if you're in a classroom learning something. Consciousness can be defined from two different ways - biologically or philosophically. So, your consciousness from a biological perspective refers to the idea of being like awake and aware of your surroundings and experiences and the people and things in your environment. And philosophically it can refer more to having a soul or a sense of self. We're, uhm, going to be focusing on the biologic consciousness here. Unconsciousness is when your ability to maintain an awareness of your environment or surrounding like stimulus is lost. And there's either a complete or near-complete lack of responsiveness to your environment or stimulus. Uhm, there's a medical concept of being unconscious and a legal concept of being unconscious. So, medically you can be unconscious, uhm, kind of, like from, uh, like, like a brain injury or perhaps like a drug induced unconsciousness that they'll do sometimes. Uhm, but legally you can also be unconscious maybe if you're impaired from drugs or hypnosis or has anyone in here been like so tired that they just 'can't even' anymore? It's you, you're, you're awake and you're standing up and you're like able to function but your mind just, you're just done, right? So that can kind of go into the area or like 'legally unconscious' in a way. But I'm not a lawyer so don't try to use that in court. [chuckle] Next slide So, Sigmund Freud in, uh, 1893 was the first to use the term, uh, 'sub conscious'. And what I thought was interesting was when I was trying to figure out like where they really drew a line between sub conscious and unconscious - it turns out that Sigmund Freud actually used the terms interchangeably. Because in his native German it was kind of almost the same word. And now the argument seems to be more of a, kind of a semantic, grammatical thing than a definitive thing. Uhm, in general unconsciousness typically tends to refer to a state of awareness from a medical perspective. And subconscious tends to refer to an aspect of your psyche when discussing more of like a psycho-analytical environment. Uhm, but if there's any shrinks in the audience who wanna argue about, we can do that later. [laughter] Uh, the best I can tell is, uhm, it's more of a grammatical issue than a definite one, uhm, but I am gonna differentiate in them in this talk. Next slide Okay So, for now just think of subconscious as a part of your consciousness that is not currently in your focal awareness. And there was a psychologist named Edwin Locke who put it really well, I think. He called it 'the alternative storehouse of knowledge and prior experience'. And there's two main types of long-term human memory - we have explicit and implicit memory. [audience noise] Oh, that's my.. you can go back. That was my obligatory cat slide for Def Con. [laughter] Uhm, explicit memory is also known as 'declarative' memory. Uh, it's conscious and there's two kinds - epis, episodic and semantic. So, episodic is more storing a personal experience like a kiss that really meant a lot to you or that you remember distinctly. And then semantic would be more like data about the kiss or a kiss. Implicit memory, uhm, does anyone here ride bike, or ? You ride a bike? SO that's kind of a good example, uh, I do triathlons and we train constantly to get things into our implicit memory so that when you're in the middle of a race it, uh, it's just your instinct it kind of takes over. Uhm, so, uhm, it's basically acquired and used unconsciously and it can affect your thoughts and behaviors. And this is kind of where when we get to implanting - this is where they're putting the password. Uhm, one of the most common forms is procedural which helps people performing certain tasks without awareness of actually performing it. Uh, people use explicit memory through the day like remembering and appointment or recalling an event from, you know, years ago. Uhm, and implicit is more like an unintentional un, sub conscious form. So, if you remember a specific driving lesson you had - that's an example of explicit memory but if your driving skill improves as a result of that lesson - that is more the implicit memory. Okay, memory as tool versus memory as an object. Uhm, there's, they put forth that you can use it kind of both ways. So memory's treated as an object when you're recalling or recognizing like an actual memory. But then when you're talking about using it to serve as an authenticator this is more where you would use it as a tool. And, so, why is this important? Because they're looking at this research as being considered potentially a subclass of behavioral biometric measurement. So, this is where we're gonna start to connect with the idea of implanting passwords as an option - so, we're gonna talk about encoding storage and retrieval. So, with encoding, this is processing information into the memory. And there's several different ways of encoding information. There's structural encoding - which is how something looks. And an example would be if you had a word - is it long? Is it short? Is it all uppercase or lowercase? Is it handwritten? Is it typed? Then mnemonic decoding is how something sounds - so, like, how does a certain word sound? So, then semantic encoding focuses more on the meaning and it requires a deeper level of processing than structural or mnemonic, uhm, and it usually results in a better memory because you're kind of creating an association. Storage is after the information enters your brain it has to be stored or maintained or forgotten. So, there's a three stage model that was proposed by Richard Atkinson and Richard Shiffrin, it's often used to describe this process. This is my attempt to make a, a representation of it. So, essentially you have sensory memory; short term memory and long term memory. Sensory memory stores the incoming sensory information in detail but only for an instant - the capacity is very large but the information in it is unprocessed. Visual sensual memory is iconic memory and auditory sensory memory is called echoic memory. SO, then you get to short term memory and some of the information in sensory memory can transfer into short term memory and that can hold information for about 20 seconds. And rehearsing is a way that you can kind of keep information in your short term memory longer. So, an example is like if someone, like if you're parking your car and you're trying to remember like where did you park your car and you're walking to like wherever and you're like 'P2, P2, P2, P .'. It's kind of like a way to keep to kind of keep it in your mind and get it in there a little better. Uh, short term memory has a limited capacity and it can store about seven pieces of information give or take and these pieces of information can be small. Such as like individual numbers or letters or larger like familiar numbers or words. So, like, if you think try and remember the word 'cat' - you're not gonna remember c, a, t - you're gonna remember the word 'cat'. And with the, the visual. [grunt] So, information can be kept in your working memory while you process or exam it and then once you're done with it either is pretty much forgotten or it moves into your long term memory. Uh, long term memory has an almost infinite capacity and the information usually stays there for the duration of a person's life. However the big issue is it's there but you're not always able to retrieve it which is where the chemo kind of affected me was the data was in there - I was just not able to pull it out and that's what I was struggling with. So, with retrieval, that's the process of getting the information out of your memory and they have these retrieval cues and those are stimuli to kind of help you remember. Uhm and they include associations; context and mood. Next slide So, context is, uhm, you can try to remember an event by putting yourself in the same context you were when it happened. Such as if someone lost a paddle from last night and they're trying to remember where it is [laughter] Sorry, that was for my boss Uhm, they could kind of go back to where they remember they had it last and walk through If they can remember where they went next and see if they can find it along Or you can do they same with your car keys if you've ever lost them. Uhm, associations, this is our equal opportunity, gratuitous, sexy photos - I hope I hit most everyone in the audience. Uhm [laughter] If, not, I'm so sorry - I only had so many slides and so much time. Uhm, but the brain stores information as networks of associative concepts so recalling a particular word can be easy if another related word is recalled first. So, here's an example - if you, if I show you guys Like, these sunbathers on the beach, and then I ask you to spell the word 'bear' you may be more likely to spell the word 'b, a, r, e' instead of 'b,e,a,r'. Because the picture kind of primed you and associated you to that particular spelling. And then there's mood, so, uhm, if you're in the same mood you were during a particular event, you could maybe have an easier time recalling the event, like kind of a nostalgia type thing if you think about it. Here's our other cat - they told me I had to put so many cats in and so many sexy photos so I tried to make sure I got them all. Uhm Next slide. Okay, the human brain has about a billion neurons in it and each neuron forms about a thousand connections. And this was about somewhere around a trillion connections , I think. Uhm, the challenge is if each neuron could only store a single memory, running out of space would be a huge problem. So, you might only have maybe a few gigabytes of storage space, like about the same as an iPod or a USB flash drive but because the neurons combined so that each one helps with many memories at a time, it exponentially increases your brain's memory storage capacity to something closer to about 2.5 petabytes and the example, I think it was something like 300 million hours, was it? Was it 300 million? 300 million hours of television shows is about the capacity to store in there because of the ways the neurons can connect. Time check. Doing okay Alright, there are some limitations to memory, uhm, I think everyone's seen that gorilla basketball video? So, that's like inattentional blindness or the illusion of attention - you focus so much on one thing you completely miss other stuff going on. [audience noise] Sorry, there's false memories, there's, uhm, the illusion of confidence which, interestingly enough, apparently that's the opposite of impostor syndrome. THey have one. Uhm, the illusion of cause, there's a tendency to make, uh, causal connections between related facts that maybe are not accurate. Uhm Next one. This is where I wanna get into the research. Uh, one-word concept vocabularies is called 'brain computer interface' so, the initial motivation between brain-computer interfaces was to develop communication devices for the severely disabled. Seeing as that I only have a limited time to speak, I won't go into the deep dive about how an individual can train their mu- and beta brainwaves to control a cursor. And there's some fascinating stuff around visual evoked potentials, uh, but there's a plethora of research if you're super interested in that level of granularity. Uhm, but I did want to point out - there is some research by doctor J.R. Wolpaw , uhm, and his research as a starting and then doctor Niels Birbaumer with the thought translation device - he's with the university of Tubingen in Germany and he has created this device that allows users to compose phrases and sentences electronically just by thinking them. So, he's neat. And you may also want to look at a paper out of Dartmouth College about the neurophone - it's a brain mobile phone interface using wireless EEG headset and in their paper his team shares the details of a brain-controlled address book dialing app they created. So, the point it, this is a super huge area of research but I haven't heard a lot of it on kind of our side of the house as far as the security of these things. Uhm, but I did wanna share the four key pieces of research that I found to be the most interesting with the most potential. Next slide Uhm, first there's this Wait, go back Oh, yea, good. So, first, uhm, I'm gonna murder this man's name, so, I apologize ahead of time. But, Haristo Bohnhoff at Stanford was working with some cognitive scientists at Northwestern University and they designed a game that looks similar to guitar hero and this was called 'SISL' - Serial Interception Sequence Learning. And it's an authentication procedure That they created this testing experiment around it. Add they used mechanical turk through Amazon to do their experiments. So, I'm not sure how well that looks as far as like how you're able to look at your subject pool from an experimental prospective. I'm trying I'm like all up on it, uhm, I do wanna walk you through how it works but, uhm, I wanna make sure I get it right so I'm gonna read it. The process of learning the password involves the use of a specially crafted computer game that resembles guitar here - there are six buttons, 'S, D, F, J, K and L' and the user has to hit the cor, corresponding key or note when the circle reaches the bottom threat. So, during a typical training session of around 45 minutes -, a user will make about four thousand keystrokes. And around 80, 80 percent of these keystrokes are being used to subconsciously teach you a thirty character password. Just leave it. Before running the game creates a random sequence of thirty letters chosen from the S, D, F, J, K, and L with no repeating characters. This equates to around 38 bits of entropy, uhm, and the 30 characters sequence is played back to the user three times in a row and then padded out with 18 random characters for a total of a 108 items. The sequence is repeated five times and then there's a short pause and the entire process is repeated six more times. And by this time the experimental result suggests that a thirty letter password is firmly i'm, implanted in your sub conscious brain. The authentication requires that you play a round of the game gut this time you're 30 letter sequence is interspersed with other random 30 letter sequences. To pass the authentication you have to reliable perform your sequence. The research shows that even after two weeks you're able to recall the sequence. The next one is 'passthoughts' - so, these, this is from Berkley, 2013. This technique combines three factors - something you know, which is a thought; something you are, your brain patterns; and then something you have which is the EEG sensor for measuring the brainwaves. To authenticate with a passthought, you think your secret key while using the sensor. The key can be just about anything - a song, a phrase or a mental image and the thought itself is never transmitted - just a mathematical representation of the electrical signals your brain makes while you think it. Now, if someone else were to figure out what you were thinking they still couldn't impersonate your pass-thought in theory because every person thinks the same thing differently. So, you now, we could all think about the same song but we're not all gonna think about it exactly the same way as far as being registered electronically. Time check. Okay, so, this is how they did this one. The following tasks were repeated five times in each session for each subject. They had a breathing task, so, they had to close their eyes and focus on their breathing for 10 seconds. They had to simulate finger movements, so subjects imagine in their mind that they are moving their right index finger up and down insync with their breathing without actually moving their finger. There was a sports task where they selected a repetitive motion from a sport of their choosing and they imagined moving their body muscles to the motion. Then there was a song passage recitation task an eye-audio tone task; an object counting task and then at the very end they had a pass-thought which they were asked to choose their own pass through like a password but instead of choosing a sequence or numbers they thought of a thought like a vision of their wedding or their child being born or the first time they got drunk or what have you. And that, they had to think about that for 10 seconds and then everything together became their pass through. So, this was some other interesting research that was done that kind of fed into the next one. It was on the feasibility of side channel attacks with brainwave computer interface, uhm, I do have these papers sited at the end of my slide deck, so, if you look them up on the torrent they'll be there. Uhm, but it studied the possibility of side channel attacks using commercial EEG types of headsets to reveal users' personal information like their banks, ATMs or pin digits. Their approach was similar to a guilty knowledge test where items familiar to a user evoked different responses as compared to items that were unfamiliar. And so, for example, when a person was shown images of many banks the brain response to the image of their bank had more of an interaction or, uhm, invoked a higher, like, potential with the waves. The problem with their attacks setup is was it intrusive and it could be easily detected by the user but that brought us to 'Peep'. So, Peep built upon their research and what they try to do is create an actual keylogger slash malware and this actually on, uhm, Fizz dot org in June 29. Uhm, and I'll read from the article, it's a quotes, 'Researchers at the university of Alabama of Birmingham suggests that the brainwave sensing headsets, also known as EEG, need better security after a study reveals hackers could guess a user's passwords by monitoring their brain waves'. So, in contrast to the research I mentioned on the previous slide, the folks at the university of Alabama wanted to test out a more surreptitious, less-obtrusive approach that only required passive monitoring of brain signals as users type pins or passwords. And so they called theirs 'Peat' which is Passively Eavesdropping Private Input via brainwave signals. And this was University of Alabama and I think one gentleman from California, Riverside. Now, they extensively reference the research of the previous group with the side channel attacks. And they named their keylogger 'Peep' and so according to their paper, as the use of these devices, which they're referring to the EEG gaming and entertainment devices headsets for any of you who game. It becomes mainstream, a use may enter passwords or private credentials to the computers or their mobile phones while they're wearing these devices. And so, they were studying the potential of introducing a malicious app to capture those EEG signals and then process the signals to infer the sensitive keystrokes. So, so, uh, the gentlemen and his team used one regular store-bought EEG headset that, like, anyone could buy at Best Buy or what have you and then they also used a clinical-grade headset in their experiment and they were able to demonstrate how easy a malicious software program could passively eavesdrop on your brainwaves. So, while typing, uhm, your inputs it could sense all of this and, I think he was, so I quote from the article 'In a real-world attack a hacker could facilitate the training step required for the malicious program to be the most accurate by requesting that the use enter a predefined set of numbers in order to restart the game after pausing it to take a break. Similar to where a captcha is used to verify certain users logging in. The research show that after a user entered 200 characters algorithms within the malicious software program could make educated guesses about new characters the user entered by monitoring the EEG data recorded. The algorithm they created was able to shorten the odds of a hacker guessing a four digit numerical pin from one in 10 thousand to one in 20. And, increase the chance of guessing a six letter password from about one in 500 thousand to roughly 1 in 500. So Security posture versus a rubber hose type of cryptanalysis - the challenge in testing their hypothesis is that as far as I know, especially at Stanford there are no studies that actually allow you to beat people during an experiment. [laughter] Uhm, so I think in a way they were kind of sexifying their paper title, you know, no shade [laughter] Uhm, but after a long discussion with a psychologist friend my current opinion with SISL which is the guitar hero in passthought Is there seems to be some dependence on the consistency of the entry of the authentication and by introducing an actual rubber hose type attack or some other similarly dramatic level of extraction, this could affect the brainwaves themselves so the ability to perform the action or the entry in a manner consistent with the password was set up, it could affect that thus rendering it, you know, even if you have it, it's not gonna work because it's not matching the brainwaves. Cause if you're relaxed when you're going through the implantation but you're being beaten with a rubber hose, even if they get the string, it's gonna be different. Uhm, so, so starting with the, the SISL or the guitar hero, they were able to test retrieval but not under stress or trauma and they were able to test basic cohersion, uhm, trying to, like, fool the system and that went pretty well. The potential attacks against that one involve the use of remote authentication approach. Whether or not the attacker is allowed multiple extraction attempt, if there's performance gaps, eavesdropping, none of this stuff's been tested. Just the retrievals been tested. Uhm, with passthoughts a hacker might be able to to beat the system by using a phishing scheme that would trick you into thinking your passthought capturing the output maybe later, playing it back. Uhm, and it was pointed out by the Peep research team that the approach being used by them and the side-channel attacks, uhm My brain just went down. Uh The, the stuff is generated to, for implantation with a random generator, so, you could probably just go after it from the source by going after the random generator that, that issues it versus the actual person who has it, if that makes sense. As to SISL and passthoughts, there's in a mostly theoretical state as far as research and experimentation goes. I didn't really see anyone addressing how memory can be affected by such things as drug use or injury or even degradation such as if you have an employee that's going through chemo and suddenly their brain is affected would they even be able to use, use any of this? Would that, uhm, affect the authentication pattern? Uhm, so, if, I don't really see this being viable for use at large right now until some of that questions are answered and, uhm, one, uhm, you know, we're all here at Def Con, so what happens if you have the password implanted while you're sober at work but then you've had a couple of drinks and then you need to finish you proposal - are you gonna be able to authenticate? Or while being drunk or kinda drunk or even just slightly impaired affect that ability? And that was another thing I didn't' see, uhm, addressed. uhm, cost was another big thing - it's all well and good to propose this but what's the exact cost associated with implementing something like this? And, like, would it be realistic it to deploy? With SISL the training or encoding time was noted to be 45 minutes and with passthoughts it was two 40- to 50 minutes sessions. And, so, if you have a small organisation - five, 10 people, that might be okay but unlike trying to picture Locke and Martin or something trying to do this with thousands of people trying to put each one of them through that. Uhm, with SISL there are certain people this probably would work best with but factors such as mental capacity or psychological issues, uh, my sister in law works with special needs adults who do stuff at the airport and have to got through security check points. So, especially with like the guitar hero type of thing - would there be certain people who just wouldn't be able to authenticate this way? Just legitimately, they just from a handicap perspective they can't do it. You know, even some of our wounded warriors like who don't have hands to do this kind of intricate type of authentication and then things like Parkinson's seizures - what if the individual's blind and can't even see? I mean, I, I didn't really see any of this addressed as far as like , using it in the real world on a large scale. Uhm, all in all I think it's fascinating with potential but the research is still in a pretty early stage. Uhm, the sample groups also, if anyone here [audience noise] Grad school, scientific research test groups to the SISL size experiment number one was done with 35 participants. Number two had two groups - 32 and 80 participants for a total of a 147 but they didn't clarify if any of were duplicates from the first to second experiments - so it actually might have been a smaller, a smaller group number. Uhm, based on my own experience, 'm not sure a 147 represents a solid sample other than whether it warrants further study - I do think it warrants further studies but so far it's very theoretical the passthoughts material I read was based on research on a group of a total of 15 subjects. The side channel attack research had 28 subjects and the Peep research had a whopping 12 subjects. So, again, this is still really kind of in a very theoretical stage and a pool of 12 subjects to me is not a huge sample size from a research perspective except for maybe to, to do further research. Uhm, my thoughts around hackability - SISL refers to the rubber hose - I just really don't see that, I don't, I don't see how they're really, like addressed it, i just think they used the word cause it sounded kinda cool. Uhm, the theory that, that the knowledge is not consciously accessible to the individual - I'm still not sure on that. Uhm, I have a psychologist friend and he's in agreement with me, like, if you can put it in, you can take it out. Uhm, and there's to do that. Uh, for SISL, a good potential attack factor might be the, the, again, like I said - the random number generator or the random password generator. And in their paper, the pass through team pointed out they were not vulnerable to shoulder surfing because their system was invisible but they felt they were very vulnerable to most social engineering and dictionary attacks as their system stood. However it was their hope that with advances in signal recording and processing technology it would allow for a much more detailed capture of the thought itself And that would protect better against some of the dictionary attacks,. And they also felt they were fairly vulnerable to phishing attacks where if you could get someone to click on something and record their thoughts while they' were clicking they were kind of vulnerable from that perspective. SISL's not designed to prevent eavesdropping and shoulder surfing attacks, so, I imagine a good video recording of them performing the sequence could allow an attacker to replicate it and considering how many security video cameras are insecure, this is like definitely a distinct possibility and I believe they did say that in some of the experiments the, the error ratio was just enough that if someone knew that person's sequence there were times they were able to impersonate it. Uhm I talked to my sh, my psychologist friend, uh, bout, uhm, using hypnosis to potentially extracted it - that I did a little bit more research into and I'm not sure that's really a viable, like, vector but he and I are actually still discussing that at length, so, maybe I'll have more on that in the future. Another thing, SISL's a flash application. [laughter] So, I'll just put that right there [laughter] Uhm, that was my first big, like, 'Okay' Uhm, and SISL authentication proj, uh, process is potentially vulnerable to attack, uhm, if even an untrained person is able to, like, mimic or degrade their performance of the person they've watched authenticate. Uhm, and then the authentication based on keystroke dynamics is similar to authentication based on tough, passthoughts, uhm, so it looks a their typing rhythm and at what they're thinking at the same time. With the, uh, so I dunno, I think they just, they just still need to do more research. So, in closing, I think much of this is still in the experimental stage and it's going to be really interesting to see if anything actually comes of it especially considering trying to deploy it across a, a large environment or organisation or a very varied depopulation - like a bigger sample size in total. Uhm, check for time. So Some of my research I have the papers - there are links to them but you don't have to click 'em. Uh, but you can just google the name of the paper and google scholar will come right up. And then the last thing I wanted to leave you with is, it was kind of interesting, about halfway through my research someone mentioned to me 'Oh my God, have you read this?' It's a book called 'Hard Boiled Wonderland and the end of the world'. And it was written by Haruki Murakami and it's actually from 1985 - '85. And what, what I thought was very interesting was,it's, it's, and I'm not gonna spoil it, if you wanna read it, but it's a parallel narrative type setup. One of the narrators is called a 'calcu tech' and it's a human data processor encryption system who's been trained to use their sub conscious as an encryption key and the other narrator is a newcomer to a strange, isolated town. And I'll leave it there so I don't spoil it. But if you find this interesting I actually thought it was pretty fascinating that back in 1985 even, like, fantasy authors were thinking about the idea of using the mind to authenticate for encryption. So, that's all I have I can do questions now, if anyone has them? [applause] [cheering]