Sunday, February 12, 2017

10 March - Rethinking Defense In-Depth - Hugh Thompson




##########################################
Hopefully it's fine. Thanks so much, everyone, for the time and the opportunity. I got a little bit of an understanding of this group: a very, very interesting, very eclectic background, so I appreciate the time to be able to spend with you this afternoon.

So I've been in security for a very long time, as I'm sure many of you have as well. Just out of curiosity, did anybody go to the RSA Conference last week? Any attendees here? Nobody? So I've been chairman of that conference for, I think, ten years now, and we just had over 40,000 people show up in San Francisco for it, which is I think an incredible testament to our industry right now. We've grown to this place where we can launch a denial of service attack on a city like San Francisco, successfully: all the hotel rooms are gone. So I'll talk a little bit about some of the trends that came from that event, but also I really just want to spend some time on this concept that I think probably everyone in here is fairly familiar with. It's the first one you learn on day one in security, right, this idea of defense in depth. But I think that our notion of what defense in depth is, is changing. It's changing because people are more mobile than they have been; you heard from the previous presentation about the move to cloud and of workloads into the cloud, so there's starting to be a very different view, not destroying our concept of defense in depth but augmenting it in a world where things are truly mobile. So I would love to spend a little while on that, but before I get there I just want to share a personal security story with you to set the scene for what I think some of the biggest problems are.

I travel
pretty often. I think last year, and the year before that, I flew 500,000 miles, which I do not recommend, by the way; nobody wins in that. But when you fly that much you just see, statistically, very strange things on planes. So I take these long-haul trips very often, and four years ago I was on a flight from San Francisco to London, which I take many, many times; it's about a 10-hour flight. And I have a very sad pattern: I have my iPad, it's loaded with episodes of The Big Bang Theory, and if you haven't seen that, you have to see it, it's an amazing, amazing show. So I've got my episodes ready to go.

The plane takes off, we're maybe 10 minutes into the flight, so we're in the air, probably five minutes into my episode, and then I hear screaming from the left side of the plane, which, for those of you who don't fly very often, is very unsettling. And then I see an object pass by the left side of my head, hit this lady who's two rows in front of me in the back of her head, drop to the ground and take back off, and everybody's panicked, nobody knows what's going on. And the captain comes on very calmly over the loudspeaker and says, "Oh, folks, hope you're having a good trip. You may have noticed, but we have an extra passenger on board today. There is a bird trapped in the cabin of the plane. But not to worry, we have a zoologist on staff." Now think about that; that is actually very worrying, that this happens and there's a plan for it. So, not to worry, we have been in contact with the zoologist, he's formulating a plan, please stand by.

So meanwhile the bird is terrorizing this plane, and I won't get into a lot of details, but they'd just served snacks, and apparently the bird also had a full meal before the flight; I'll leave it at that, which made it a little more unpleasant than normal. And in those kinds of panic situations you always get the wisdom of the crowd, people that have suggestions of what to do. Someone yells out, "We should have the Air Marshal shoot it right now!" and that was popular for a few seconds, and then the implications kind of sank in and that went away. Then someone else suggested we should roll the window down and the bird will fly out, also not popular on consideration. And then finally the pilot comes back and says, okay, we've got a plan, and the plan is: we are going to close all the shades inside the aircraft so it's dark in the cabin, we're going to open the bathrooms, the lavatories, the bird will be attracted to the light, and then we're going to trap the bird. That sounded much better than the other plans proposed, so everybody did it, right, we complied very quickly, and amazingly it worked. Five minutes later the bird flies into the bathroom in business class, which is when it really hits home personally, because it launches a denial of bathroom attack for the rest of the trip. They tape it up and we continue on to London.

So now it's 10 hours later, we've landed, and it sounds funny now but it was actually incredibly traumatic at the time. As soon as we landed I called my wife in the US, woke her up in the middle of the night, and I told her the full story, the bird, the Air Marshal, the whole thing. And her immediate first reaction when I told her this story was, "Is the bird okay? Did the bird survive?" And I said, I don't know; at a minimum it's very unhappy, but I don't know if it made it. So about two hours after that I met with a security professional, someone like us who has been in the industry for a long time; he worked for me. I was still traumatized by this bird incident, and I told him the same story, same detail, same cadence as I told my wife, and his immediate first reaction, without even thinking about it, was, "I bet I could build a small mechanical drone bird that has an explosive charge, have it fly into the plane while they're loading food, and if they couldn't find a wild animal, how would they ever find my exploding drone bird?" Right. I looked at the guy, and at first it was very concerning to me that you would think that, but then I confessed to him that's the first thing I thought about too. As soon as I saw that bird, the first thought that ran through my mind was: there is a vulnerability in this system, there is a weakness that exists here that allowed this bird to enter that plane. That's the first thing I thought about and the only thing I could think about for the rest of that trip.

And it's very interesting: I've told this story now, as part of my therapy for it, probably several hundred times, and it's amazing, everybody that I've told it to always falls into one of those two groups. Either it's "was the bird okay, did it make it, was it safe, what are the domestic import policies for birds for the United Kingdom", stuff like that, or it's folks that see it for what it is, which is the exposition of a risk. Two sets of people with the same set of facts have those very different reactions. And so you have to start to wonder how those two types of people look at something like this: a pop-up shows up on the window and asks you a question. If my wife looked at this, her immediate thought would be, what do I need to click to make it go away? Right, that's her algorithm, it's repeatable, and it works; it'll get her to whatever web page she needs to get to. If one of us who has lived and breathed this stuff for a long time looks at this, they'd get really worried. You ask, what site did I just go to, what network am I connected to, what DNS is that thing using? You run through a series of questions in your mind about risk.

But what we have done, I think, in the technology space is set people up to fail from a security perspective. We are asking people to make security choices that they are in no way equipped to make. A great example of this: anybody here that has an Android phone, when you download an application, it asks you, do you want this thing to have access to your location, do you want this thing to have access to your camera, do you want it to have access to the security log? My mom is not in a position to answer that question, right. All she can think about is, I really want to shoot this bird towards these pigs, and whatever this thing is going to ask me for, I'm going to accept. So we have set people up in a way that we know they will fail from a risky-choice perspective. It's very similar to putting the Parmesan cheese next to the industrial-strength cleaner at the dinner table: everything might be fine right now, but at some point somebody's going to the hospital, because it's very easy to make a mistake. And I bring this up because I think that many of the problems we're struggling with right now in security come down to this exact issue, the issue of individuals who are employees inside of the company making choices every day, little choices, not big choices, that are putting companies at risk. And I don't think it's a problem that will ever go away. So it's interesting, when you start to get your head around accepting that, because you start to think about security in a very different way, I think, and you start to think about the interaction between the user and a place that the user may be visiting. So for a long time we've tried to protect information and users by protecting something like the device, for example, that they're on; maybe we install antivirus on the device and
that's our strategy for protecting the user against that threat. Maybe we put something in the network, and that network thing is protecting the user against it. But we live in a period where more and more of those choices are being made by people every single day, especially as we move more technology off to the cloud, because in the cloud a user often has the ability to take something, even a document that's very sensitive, and share it with others in a way that we may not even have visibility into. I know you had a discussion earlier on CASB and some of the challenges in that space, but I think what it's going to boil down to again and again is user choice.

Now, the interesting thing about this, though, is there is a concept that exists that predates technology; it goes back probably thousands of years now. It's this idea of a proxy, not a network proxy, so don't think about the way that we typically think about proxies. Think about this idea of a proxy being someone who acts on your behalf and has some set of expertise. So think about proxies in our normal life: usually we appoint a lawyer as a proxy for us; they make decisions on our behalf and they in a way enrich our decisions with a set of expertise, right, they are experts at making a choice on our behalf. Doctors are often proxies for us: when you go under anesthesia in a bed to have surgery, that doctor is proxying a set of choices on your behalf, and typically you sign a document saying that he is going to make his best judgment during that period of time.

So we are in a place where I think more and more we need some intermediate point that goes in between the user and the thing they are interacting with, that is truly extensible, that we can add new types of expertise to when that expertise is needed. Sometimes in our own lives we need medical expertise, sometimes you need legal expertise, sometimes we need technical expertise. I think there is an influx of new ideas that are coming into the security space, but we need a gate in between the user and the thing the user is interacting with to bring that technology to bear. And this gets me back to how we classically think about defense in depth. So when we think about defense in depth in technology, we usually think about this classic model of an IT setup, and it is: there is some kind of
headquarters office that has some data center, maybe there are several of them, and then we have some sort of branch office that usually has an MPLS connection to the main office, and then all internet traffic branches off from that headquarters office, and there's some sort of security stack in between those users and the rest of the internet. And in that environment there's defense in depth, and these are the properties of defense in depth that exist whether you're trying to secure a network, you're trying to secure a castle, you're trying to secure anything. So I was a professor at Columbia University for many years, and of course, again, one of the first things that you teach is defense in depth, and whenever you see it, usually people show a picture of a castle. I'm so sick of seeing castles that I did not put a castle inside of this presentation. But the way it's typically described is: look, I'm going to put a moat around the building, and I'm going to put a high wall, and it's unlikely that the super swimmer that can get through the moat, and the dragon that might be in the moat or whatever else is in the moat, has that same skill set to be able to scale the wall. Right, it's two different sets of skills that an attacker would have to use to get past, and so it's defense in depth, which means there are two layers, or in some cases many, many layers, and those layers have to be diverse. Those are two critical properties of defense in depth: multiple layers and diversity in layers. And then the third one, which is the one in the middle here, is that it has to be applied around the entire castle, as opposed to just in the front of the castle, where you can just go around the back and there's no moat, there's no dragon, there's no wall. So we have to have consistency of application. Those properties were true a thousand years ago, they're true today, they're going to be true a thousand years from now; they are invariant.

But I think that now we are adding and augmenting a set of things in addition to these properties for defense in depth. And why is this changing? Why? I think we're going through this period very, very quickly, more quickly than any of us would have anticipated even four or five years ago, where applications that used to sit inside the data center are now being liberated off into the cloud, and it's happening at a pace that none of us can control. It's got to be an incredibly frustrating time if you're a CIO at a company, because you used to have a huge amount of power. You could choose: we're going to buy SharePoint, and we're going to install SharePoint, and everybody's going to use SharePoint, and yeah, I'm a little worried about security, so I'm going to make people authenticate three times and give a blood sample before they can get into the SharePoint server. Today he can still require the blood sample, right, that's his right. But what will happen quickly is a bunch of people, probably five or six people around a table in an office in a meeting, will say, hey, you guys all have Dropbox accounts, right? Everybody's got a Dropbox. And then one person will download the file, do the blood sample, and get it from SharePoint once, and then the rest of that group will just micro-standardize on Dropbox. And why? Because it's convenient. People can always tell an increase in inconvenience, but it's almost impossible for people to tell an increase in risk, and I think for that reason we're moving to a time where the true innovation in security comes at the nexus of usability and security. If we can't increase, or at least leave neutral, the usability of a system when augmenting it with security, the security will be nullified. That's a personal belief.

So let's look at what's changed in that classical picture. First, the user's been liberated from the office. We know this; this has happened for many years now, people are bringing their own devices, they're working from Starbucks, outside of the classic protections.
The second thing that's happened is the applications are moving out, one by one. They've been moving out for the last several years; there are only a few left for some of us, in some companies. But I think one of the most significant moves has been the move to Office 365. So for those of you in the audience that have had your organization move from an on-premise Exchange server, for example, up to Office 365, it can be slightly painful while that process is happening, but then it's really cool, because now you don't have limits anymore. Before, maybe you only had a 25-meg limit on the file that you could send to somebody, and now you can send somebody a 200-meg PowerPoint file just for fun. But if you look at the life of that file and where it is traveling: instead of traveling to somebody sitting right next to you inside of an office, instead of traveling inside the network to the Exchange server and then to that person, it's actually going out through the internet egress to a server in the cloud, and then it's coming right back down again. So now you've just passed 200 megs through the internet pipe just to move something from one person to another. That has some very strange implications when it comes to both the size of the pipe that a company needs and then the things that are needed to protect that pipe.
The other thing that's interesting is the infrastructure has moved out very, very quickly. Yeah, okay, Google Docs, if they keep it in the cloud and work on it in PowerPoint in the cloud, that's true. For me personally I can't get my head around it; I have to have that file on my desktop, downloaded from that thing, or else I freak out, and maybe it's still PTSD from the bird incident that makes me do those kinds of things. But if you do keep it in the cloud, and I agree with you, you've got that file; still, somebody uploads it one time and then it's out there in the cloud, and you're basically having a browser window that just looks at that file and messes with it. So I completely agree with you, in some cases, and in the case of Google Docs predominantly, that's exactly what happens, but fundamentally the file has left the building, right. So the file is now not sitting on an on-premise site, it's now sitting in a place external from where you are, and that can be good or bad. The good thing about it is Microsoft, Google, all of these places have huge security teams, right, so it's not like they don't have any security people and this is very dangerous. But it is very different when you start to think about defense in depth.

The other thing that's happened very quickly, again faster than I think anybody would have anticipated, is the massive rise in SSL as a default. It's almost becoming the transport layer for the web, and it's happened quickly. If you went back two years ago, or maybe two and a half years ago, pre-Edward Snowden, and you looked at the top 10 sites that people visit around the world, two of those 10 were SSL by default, so they would switch to HTTPS as soon as you visited the site. Today it's eight out of those 10, which is unbelievable. Now, for the average user this is an incredible plus, because my mom has not had to do anything extra, there's nothing that she's been asked to do, but her connection has become more secure, which is pretty amazing, and it's a really great benefit for an individual that's at a coffee shop that now has a secure tunnel to a bank, to Google, to wherever they happen to be going. So there's a massive privacy benefit for the individual. But think about this from a corporate infrastructure and governance perspective: all of those security tools that you paid a bunch of money for, that are sitting on the network looking for malware, scanning through AV, doing all kinds of interesting IDS and IPS work, they're blind to the traffic that sits within those SSL tunnels now. Obviously there are things and strategies to kind of crack that thing open, but that is a massive, massive shift that's happened very quickly, faster than I think anybody could have anticipated. I really do think it was accelerated pretty heavily by Snowden.

And then the other thing that's happening is that the regional office is going rogue. People are figuring out that it's expensive to hold that MPLS connection between the two, and the regional office is breaking off directly to the net. And then the last piece is that we're seeing a massive adoption of the Internet of Things. We're not even doing it consciously, it's just happening, from the watch that's connected directly to Salesforce so that you can see that somebody from a prospect is nearby and so I should talk to them, to the pencil that will be connected at some point; I'm not sure why, but somebody will connect it. And that poses a great risk. So I'll give you an example: at the RSA Conference this year we get about 3,000 speaker submissions that come in every year, and then we whittle those down to, you know, maybe two hundred and fifty or so sessions that get presented at the conference.
This year, 30% of the submitted sessions had IoT in the abstract. Unbelievable, it's crazy. That doesn't necessarily mean that 30% of the world's security problems are IoT, but it does mean that there is a massive interest in IoT, and we're very early in the security maturity cycle of IoT, because most of those submissions are around hacking into stuff. And you wouldn't believe the stuff that we got this year. I mean, of course there's the token, like, 20 car-hacking ones that come in now, and that's old news, but we had three refrigerators, two washing machines, a shirt, which was really strange; for some reason the shirt had electronics. And then there were two police drone ones, which is always entertaining, probably highly illegal. So we're in this era of IoT where people are demonstrating weakness, but we're not yet in a place where they're demonstrating some kind of cohesive solution to the problem. So I bring up all of these changes because what we're seeing is almost a coalescing sense that we are going to have to have some intermediate point that is consistent in between those devices. Now, what is that likely to be?

So first I want to share with you the word cloud, and there's the hacked police drone now as we speak, so something I want to bring to your attention. The word cloud: we build this every year from submissions that come in to RSA Conference, and the words on here, I doubt, would be surprising to anybody in this audience, right, it's what you'd expect if you had to just write it from scratch. Words like data are big, cloud is big, mobile is big, cyber is big. We took "security" as a word out because then it dominates all the other ones. So none of these things are surprising, at least I don't think so, but what is kind of surprising is, if you go back five years ago and look at the word cloud from five years ago, it looks totally different from this. And it's interesting to live in an industry where that happens. So my PhD is in statistics, and I can tell you the statistics conferences do not have the cool parties like the RSA Conference, but also if you did a word cloud of the cool stuff that's going on in statistics today and you compared it with the one from 10 years ago, it ain't changed very much. There is not a lot of change and churn in that industry that we see right now.

So what does that mean in terms of the changing of this idea of defense in depth? The three properties we talked about at the beginning will never change; those are invariant, those still exist and will exist far into the future. But I think some additional ones are going to be very interesting. First, the pluggability of the security architecture. How many people here lived through the deprecation of DES as an encryption standard? I'm just curious, how many people lost sleep over that? Not too many, good, well, you are very, very lucky, because when it was announced that several key government agencies were no longer going to use DES, which was the Data Encryption Standard that many things were based on, and were going to move to this new thing called Triple DES, which I guess is three times better than the normal DES, it meant that many systems had to be completely rewritten, because they never assumed that this unbelievable algorithm would at some point expire or not be as useful as it was in the past. And then two years after that they got the word that, hang on, that Triple DES thing, probably get rid of that, move to this thing called AES, the Advanced Encryption Standard, and several years from now there's going to be another one. And we're in the same problem with hashes, right: MD5 started to really break at some point in time, and then SHA-1 looked pretty good, SHA-256 is looking okay right now, but it's not going to make it too long. We're actually in a hash crisis right now, we really are, and if anybody is a math hobbyist I would be happy to discuss this hash crisis with you afterwards. But I bring all of those things up to say that we have to anticipate a certain amount of change that's going to happen in the way we defend, and I think we're going to have to anticipate a certain amount of change that happens in the technologies that we bring in to defend. I think there are going to be very interesting companies, start-ups, ones that none of us have ever heard of, that are going to come up with innovative solutions that are good, that we want to be able to deploy, but if we don't have an architecture to deploy those things quickly, we are going to be behind the curve.

So I'll share with you another story, and this one is from RSA last year. So no one here was at RSA this year, so this may not be as interesting, but last year we only had 33,000 people, right; this year 40,000-plus, but still a lot of people. It is a very stressful week for me personally, because all kinds of crazy emergencies occur during that week when you get that many people in one spot.
And many of them have a tendency to hack into stuff, right, which is not a good idea, just in general. And so I had an incredibly stressful Monday and Tuesday. I don't know if you remember, but right around the time of RSA there was a guy who hacked into a Boeing aircraft, probably five days before the conference, and tweeted about it while he was in the air, and then had all of his stuff confiscated. And so he called me that weekend and said, hey, I'm sure you've read about this in the news; my RSA presentation was on that stuff that got confiscated. I mean, just crazy stuff. We had three different vendors that had gone with a sumo wrestler motif that year and brought in actual sumo wrestlers from Japan to be in the booth; one of them was smashing through some fake firewall and talking about, you know, firewalls are dead and all that stuff. Those three sumo wrestlers apparently, unfortunately, ended up at the same bar on Monday night and there was an altercation, and nobody wins in that situation; just totally bizarre. I only give that background because it's a very stressful week.

So now it's Wednesday of that week, so two days of the conference have passed. It's Wednesday morning, I wake up, I have a breakfast meeting at seven o'clock in the morning, and I walk outside of the hotel and immediately get a massive nosebleed. Now, many of you get nosebleeds regularly, so this doesn't sound like a big deal, but it's the first one I've ever had in my entire life, and if you've never had one, it is very traumatic to start hemorrhaging from your nose, right, I mean, just the concept is bad. So I grab my nose and go into the hotel lobby, go back up to the room, and I call the people I was about to have breakfast with. This lady answers the phone who I know very well; she worked for me, and I told her what was going on, that I wasn't going to be able to come, and then immediately she starts offering advice on what I should do for the nosebleed. She said the first thing you need to do is pinch your nose right now; obviously I'm already pinching my nose. And then she says, no, pinch harder than you've ever pinched anything in your life, pinch until you lose feeling in your fingers. Wow, this doesn't sound like a good idea. And then hold your head back for 10 minutes and the nosebleed will stop. And then I hear almost like a fight breaking out at the table, and suddenly I'm on speakerphone in the middle of this crowded restaurant, and the other guy that was at that meeting says, don't do that, immediately you need to go to the bathroom, stuff your nostrils with tissue and hold your head forward for 10 minutes and the bleeding will stop. Right, so, thanks.
Really appreciated. And as soon as I got off the phone I realized these are two completely contradictory pieces of advice, and something like this is a medical issue, this is serious. So I immediately opened up my browser and went to Wikipedia, which as you know is the ultimate source of truth. If you've never read the Wikipedia nosebleed article, it's very long, but the summary is: you're probably okay, but you might be dying. That's the summary; it's very long, but in essence that's what it says. And so my plan was, I'd better contact a doctor. So I pulled out my phone and I realized that I had access to this service called Teladoc. Has anybody ever heard of this thing? It's unbelievable. It is a remote medicine service where within 15 minutes you'll have a live video chat with a doctor. Wow, this is great. So I fire it up, I press the button, and they're like, the doctor will FaceTime you in 15 minutes. I'm like, wow, that's great. So as I'm waiting I'm cruising around the Yahoo help forums, which is never a good idea if you're not doing well, and I saw something in there that blood pressure is a key piece of this. And so I find an app on the Apple App Store that measures blood pressure. Has anybody ever seen or played around with this? Obviously I've tried it, but regardless, just the concept of that being possible is pretty amazing. So I spent the $4.99, and the way that it works, if you're really bored this weekend and want to try it: you put your finger in front of the camera, it shines a light through it, looks at the pulsation that comes back, and then you hold it up to your heart, the microphone, and it gives you a blood pressure reading, which, who knows how accurate it is. And so it came back and it was, like, extremely high, which probably made it actually much higher. And so then the doctor calls on the video chat. I hold the phone at odd angles so he can look at the nostrils and all that stuff, and he says, based on what I see, you're probably not dying, you're probably fine.

Now, the interesting thing about that to me is that I had no idea when I woke up that morning that my phone would turn into a medical diagnostic piece of equipment. I had no idea it could even do that, and it's amazing; I'm sure it's happened to many of you, your phone turns into whatever you need it to be. Sometimes I need it to be a GPS system, sometimes I need it to actually be a phone, sometimes I need it to go and email someone. But the reason it can turn into all of those things is not because of the innovation of Apple, or the innovation of Google in the case of Android; it's the innovation of the millions of people that build apps on top of what is actually just an incredibly rich sensor, right. So when you bet on any of those phones you're betting on an amazing ecosystem of creativity. I bring this up because that is the time we are in right now in security. Many people in security are jaded; they think that there are no new ideas that happen anymore in our industry. I can tell you, having been running a startup competition for the last 11 years, innovation is alive and well in our industry; there's some really cool stuff from completely unknown vendors you've never heard of that is coming down the pike. I bring that up to say that we have to prepare that there will be new innovative solutions to come. We don't know which vendor they'll come from, we don't know what size of company they will be, but we have to set up an architecture that can onboard that technology.

I'll skip this story: the closing keynote this year, I interviewed this actor named Sean Penn, a man whom the Mexican drug mafia is after, so in the interest of time I won't share my drill with the FBI on what to do if someone pulls out a gun in a crowd of 10,000 people, but we can talk about it over drinks if you want to. But the central point is that we do need to be able to set up an infrastructure to rapidly onboard tech, and that tech is going to come from who knows where; I don't think it's going to come from the biggest vendors in the space today, I think it's going to come from innovative start-ups. The second piece is we need to be able to deploy anywhere the user is, and that might be on premise, it might be in the cloud, it might be in AWS or Azure, but when we're thinking about making security investments I think we have to think about the portability of where those things are going to be deployed. The third one is we have to develop a competency in failure. We have to be competent in the act of failing and what we do, because we will fail. I don't care if you buy something from every security vendor that exists; if somebody really wants to get into your organization and they're highly skilled and highly funded, they will get in, no matter what. If that's the case, if we accept that, then why don't we spend the money on training, people, processes and the ability to recover from bad situations? We just don't invest that kind of money into that, and that seems very reasonable at this time. And then the last piece is we need to be able to take action when threat intelligence is noisy. You'll hear a lot in security about threat intelligence; this year I think we had 1,900 vendors on the show floor at RSA, and every single one of them had the words "threat" and "intelligence" next to each other in their marketing material. What does threat intelligence even really mean in terms of an everyday action that you're going to take? We are going to need to be able to make decisions on threat indicators even when we don't know the fidelity of the information. So I'll leave you with the last
on and I'm painfully painfully at a time and i know you've been here for quite a while and I do not want to launch a denial of drinks attack on you found it very dangerous very dangerous for all parties involved but I do believe that we're in a weird time and security where we have to relearn things that at one point were facts and I personally as I'm sure many of you are are are culprits in the current state of affairs so I written for security books that first one was back in 2003 and at that point the world look very similar to how it looked on that first slide where branch offices connect to corporate office in a corporate office branches off if I had to rewrite the book today it would look really different and I think if we had to revisit some of the core tenants of security not just network security but software security the way that we build systems that way that we couple systems it would be different today because the environment around us has changed and the closest analogy that that I can think of to end is the way we all learned how to drive so when you learn how to drive and you you took the exam and you know felt that the pieces of paper we were all told to hold the steering wheel in the tend to position right this is and you do it for the task in and you never ever do it again but but this is how how you were taught talk to drive and and it wasn't a random choice by some guy that wrote up a manual the first time.
Time it is to statistically calculated optimal hold of a steering wheel to give you the maximum agility and an unexpected situation so if there's a cat that was me Anders into the street if you're holding two-wheeled this way this gives you and the cash the most likely survival kind of conditions because it will allow you to pivot not go hand over hand which apparently very dangerous ten to twenty years ago this was the mathematically correct answer on how to hold the steering wheel today you should never hold the steering wheel like this never hold the steering wheel like this incredibly dangerous the way to hold the steering wheel now and the way that you'll see if you've got kids or nieces and nephews earn grandkids that are learning how to drive I'll tell you the way you hold the wheel is like this and the 93 position so what's changed is the popularization of air bags if you hold the wheel in a tent to position and the airbag deploys you're gonna burn and alarm break an arm or punch yourself in the face right now all of which are not preferable outcomes but if you hold the wheel in this position it's a compromise between the change in environment that's occurred the compensating controls in that environment and agility it's a compromise between those two thanks.
Try telling someone who was taught to hold that the top way that that's wrong and they need to hold it a different way try telling my mom that I will give you her cell phone number I will even pay the long distance charges if you can convince her to change the way she thinks about that so my point there is it is incredibly difficult to learn a fact it is very difficult to unlearn something that was once true and convince someone that it is.
Is no longer true and now there's a new truth but that's where we find ourselves in security and many of the things that we do so if there's anything to take away from this talk aside from you know avoid birds on planes and now you know to use the bathroom and all that kind of stuff it would be that we need to sit back and really challenge convention and what what is considered conventional wisdom in the space so I really appreciate you give me the time and opportunity to be here I hope many of you will come next year to RSA Conference is not not to shamelessly advertising but we did have Sheryl Crow this year at the party and Tony Hawk so you know not trying to influence you but I am but hopefully hopefully you'll be there next year and thanks very much appreciate.


##########################################
