00:00welcome to the a16z podcast I'm Michael
00:02Copeland and I am here with my partner
00:04in crime Sonal Chokshi today and we
00:07are lucky to have Kim Zetter a senior
00:10staff writer at Wired who covers all
00:12things security Kim welcome thank you
00:16very much so Kim you know we wanted to
00:18actually talk to you about what's going
00:20with RSA coming up with what's going on
00:22in the security world and starting with
00:25like all these hacks that have been
00:27happening lately is it is it me is it
00:29like a lot more than what's been
00:30happening before or are we just hearing
00:33about it more I mean I'm talking about
00:34big companies from Target to the Sony
00:37hack I mean there's there's been so many
00:38like you could probably list more of
00:39them than I can yeah I mean all of this
00:42has happened before it's it's the what
00:43is happening here is the big
00:46government's focus on cyber security and
00:48by government I mean the Obama
00:49administration specifically has made
00:52cybersecurity one of its primary focuses
00:55and that has been trickled down and
00:57caused everyone else to focus on this
01:00more because that means money now is
01:01going into cybersecurity so the business
01:03world is focusing on it as well in terms
01:07of the number of hacks you know that's
01:10sort of the result of the media
01:13obviously paying more attention and the
01:15public paying more attention but we've
01:16always had these kinds of hacks and even
01:18you know the hacks against Target and Home
01:20Depot we had a series of hacks back in
01:232008 and 2010 against TJX and Barnes and
01:27Noble and companies like that
01:30so what what changes is in some of these
01:33attacks that we get a little smarter with
01:35security and so hackers have to go back
01:38and retool their techniques but they
01:40do come back again they come back with
01:41new techniques and new methods and new
01:43tools just to achieve the same end are
01:48there any common denominators to what
01:50made all the most recent hacks happen
01:52like were they all phishing through
01:54phishing were they through the entry
01:56point through email what was a common
01:58thread if there was one with all of them
02:00what is one of the primary ways that
02:03attackers get in oddly in that didn't
02:05that wasn't the case with the Target
02:06hack in that case this was a this is an
02:09interesting case study because this
02:11involves a third party company
02:14in this case it was a heating and
02:15air-conditioning vendor and they had
02:18some kind of connection to Target's
02:20network for billing purposes I don't
02:22quite understand the whole reason for
02:24that why there needs to be some kind of
02:26connection there between the two
02:27networks but anytime that there is
02:29connection hackers are going to be smart
02:31and they are going to route their way
02:33through those networks and find the
02:36systems that they want so in this case
02:38they went through the access that this
02:40third party vendor had into Target's
02:42network and use that as a pivoting point
02:46to then get themselves to the the card
02:51network where the debit and credit card
02:54numbers were being processed so that
02:57wasn't that was an interesting case and
02:58that's something that I think we will
03:00see more of we sort of see you know
03:04obviously I'm their systems are insecure
03:06but growing problem are the issues with
03:09third-party vendors contractors other
03:12people that you work with that are going
03:14to become a conduit for hackers to get
03:16to you so even though they might not
03:17come to you directly
03:19that is a vulnerability that not only
03:21businesses has but the government has
03:24with its contractors I have a question
03:26you know you said that you don't think
03:27the frequency has gone up but is is
03:30there more at stake so you described how
03:33there's more third-party vendors for
03:34example who have access to these systems
03:36and systems get bigger and bigger and
03:38more complex and more interconnected is
03:41there just more to go after and
03:43therefore there's more at stake or is it
03:45have you not seen it change that
03:48dramatically I think that obviously you
03:53know more and more stuff is getting put
03:55online so let's take health records for
03:58example huge push from the government to
04:01digitalize all of our health records
04:03well there were always problems in in
04:06some cases where you might have records
04:08or systems medical systems that were
04:11connected to the internet but now we've
04:13just tripled and quadrupled that and so
04:16that creates problems more and more data
04:18more and more systems are becoming
04:21digitalized and then that creates new
04:23vulnerabilities and and different kinds
04:25of data for hackers to go after and so
04:27right so with like the recent hacks that
04:30have happened what what else have they
04:32had shared in common the we describe
04:33phishing is one of the avenues and
04:35you've said that the hackers have just
04:36gotten smarter but like how does that
04:39happen like what I mean don't mean to
04:41say that people are stupid but why are
04:42they why are they if I sent an email to
04:51you you would open it right yeah I hope
04:54so yeah I would yeah we're friends so
04:57hackers have the ability to send you an
05:00email but in a way that it appears to
05:02come from me or appears to come from
05:05your HR department or your manager and
05:07they're not sending you no spam you know
05:11they're sending they're going to send
05:13you an email with an attachment that
05:14appears to be the new budget document
05:17that you were waiting for so HR
05:20talking about benefit so walk us through
05:21the mechanics of that though how can
05:23they actually do that like how do they
05:25know if they're not in the company to be
05:26able to figure that out like if they're
05:28not inside the company like let's okay
05:30between you and me there might be more
05:31points of failure but if you're inside a
05:33company and you have shared language and
05:35you kind of know each other's lingo if I
05:38get an email from Michael I and he sends
05:40me send and random attachment I would
05:42kind of know it's it's it's weird like
05:44how do i pers figure out and wanted I
05:49mean the most simple way and most email
05:52servers will catch this if you've got
05:54good filtering on it the easiest way is
05:56to spoof an email so but it appears to
05:59come and there even websites that will
06:00spoof an email for you so that it
06:02appears to come from one domain if your
06:06system is set up to sort of you know
06:08scour through the track that email has
06:11come through we'll know that it didn't
06:12originate from the email that it
06:14purports to this happens in your Gmail
06:16account where you'll get a message and
06:18Gmail will tell you this doesn't appear
06:21to be coming from the who appears to be
06:23sending it so that's what they're doing
06:25in that case so those are those those
06:27are sort of a low-level
06:28phishing attacks the more sophisticated
06:32ones can come from someone actually
06:35hacking a system in your network so that
06:39it appears to be coming from the same
06:41he address but also let's say they hack
06:43into Michael's computer and they take
06:45over his address book and they start
06:48sending out emails actually through his
06:50account in a way that he doesn't even
06:52see it so that's another that's another
06:54possible method the phishing attacks
06:57don't become sophisticated when they
06:59were when they do what's called spear
07:01phishing so phishing attack can be sort
07:04of you know a cannon effects like spam
07:07where they just send out a lot of random
07:09emails and hope that someone will open
07:11it spear phishing is something that they
07:14put a little more work into this and
07:15Chinese hackers are very good at this
07:17and they will end the Russian hackers
07:20actually I just want to clarify they
07:23both of them are very good at this
07:24depends on who the players are
07:27which how many typos will be in the
07:30phishing attacks anyone here might have
07:32what they will do is they can study you
07:35but if you're if you're a really
07:36valuable target if your system
07:38administrator for instance they can get
07:40into your system so I can get into
07:42everyone else's systems on your from on
07:43your company for example so what they
07:45might do is target a system
07:46administrator and they will do some
07:48reconnaissance on him they look at his
07:50LinkedIn profile don't look at his
07:51social networking they'll see who is
07:53communicating with them they'll see what
07:54he's communicating about and then
07:56they'll send him email that is going to
07:58be in particularly targeted to him let's
08:00say he just come back from a conference
08:02that he tweeted about or he tweets about
08:04presentation that he saw at a conference
08:05and then suddenly get to follow up their
08:07email that appears to come from the
08:09speaker of that presentation or
08:12something else so those are ways that
08:14they really intensify the sophistication
08:16to guarantee you know greater
08:19probability that you'll open it but you
08:21don't actually need that much work you
08:23know you asked if if people are stupid
08:25and they're they're not some cases they
08:29are but you know report came out this
08:32week from Verizon and examining how long
08:36it takes someone to open a phishing
08:38email after it's landed to the company's
08:40network and it takes on average about a
08:42minute and a half someone in that
08:44company is going to open the email and
08:46I'll point you to something that
08:48happened a few years back this was a
08:50security company one of the top security
08:52companies RSA that's having its
08:54conference next week
08:55they got hit in the phishing attack in
08:572010 around the same time that Google
09:00got hit and in that case they sent only
09:03a handful of emails to some specific
09:06employees at the company and the email
09:09filtering system actually caught it and
09:10sent it to the spam folder but one of
09:12these employees went into the spam folder
09:15and solidly you know thought it was
09:17interesting pulled it back out into his
09:18inbox and opened it oh my god that's how
09:20the attackers got it so is the kind of
09:23upshot of that story just never ever
09:25bother checking your spam because I got
09:30useful newsletters and shopping emails
09:33and things that's what you think so you
09:35you mentioned they and yet you talked
09:37about the Chinese and the Russians and
09:38and in these more sophisticated attacks
09:41who are they and what do they look like
09:44and and and also like Kim exactly and
09:49also what are they the different players
09:52now because I feel like this more
09:53organized approach seems to be something
09:56new and different like I see me getting
09:57here every more segregated they are
10:00getting more so you know in the early
10:02days what you were getting were random
10:04hackers on the Internet sometimes they
10:06would gather in gangs to do identity
10:10theft and and get passwords and go after
10:13credit cards and things like that
10:14and there was some organization then but
10:17what we really saw the change in was in
10:20the late 90s actually I'm sorry
10:23mid 2000s where we started to see the
10:26cyber espionage emerged and that's where
10:28working nation-state attacks like
10:30nations like China and Russia so cyber
10:33espionage then became you know a trade
10:36tool for you know traditional economic
10:39espionage has been supplanted in in some
10:42so now nation-states like China China
10:46has been accused of this of hacking into
10:48companies networks to steal trade
10:50secrets and give Chinese companies a
10:52competitive advantage that's the in
10:54addition to already the national
10:56security stuff that they're stealing you
10:58know for a military weapons and things
10:59like that those range and sophistication
11:01I mean the Chinese don't necessarily try
11:03to hide their their tactics because they
11:06are supported by their government so
11:08we have anything to worry about there in
11:10the case of the Russians really really
11:13sophisticated hackers are in East Europe
11:15and why is that by the way is it just
11:18that they're really code literate and I
11:20don't know I think the I think the
11:22technical training it's really superb
11:24there I think that you know because of
11:28the economic conditions a lot of people
11:30have you know who weren't able to get a
11:33job during certain periods after the
11:36fall of the Soviet Union looked to
11:39develop these kinds of skills you know
11:42in the hacking underground and so it
11:45really paid off for them and it is very
11:48lucrative and again there's the issue of
11:50being untouchable in Russia so it's hard
11:53to go after Russians a little
11:55cooperation with the government and so
11:57your stories have to wait for someone to
11:59leave Russia and go you know on vacation
12:02to Thailand or someplace have not been
12:03there so they're pretty protected there
12:05and in some cases they may be supported
12:08by the Russian government as well but
12:10they're very sophisticated they're also
12:12doing national security stuff but
12:14they're also doing you know economic
12:17espionage to sell it so economic
12:19espionage is based as justice so you're
12:21saying to sell the product that they're
12:22hacking or to extract rents because I've
12:24been hearing stories about ransomware
12:25coming from Russia as well yeah that's a
12:28different kind that would be more on the
12:30criminal ground rather than the
12:31espionage ground so ransomware is
12:33another interesting thing that's growing
12:36right now and that started out very not
12:39sophisticated hackers would put malware
12:42on your system that could then it
12:45basically encrypts your whole hard drive
12:46and then they send you a message saying
12:49give us you know this amount of money in
12:51order for us to let let you have access
12:54back to your data and sorry not very
12:57unsophisticated they become more
12:58sophisticated you got smarter about
12:59their encryption it's harder to continue
13:01get around the encryption now and also
13:04you know we're seeing different kind of
13:08ransom such as the case of Sony where
13:11they did ask for money or they appeared
13:14to be asking for money in the Sony's
13:15case but they weren't looking at
13:17preventing Sony from accessing its data
13:19there the threat was if you don't
13:21comply with our demands we'll release
13:24the data and I think that's what we're
13:25going to see more MORE I think that's a
13:28new trend we're going together
13:29and so you question in the case of the
13:32Sony hack whether was North Korea or do
13:34we still not have a clear picture on who
13:35it might have been well the government
13:38is clear the government has been very
13:40adamant that North Korea is behind it
13:42and that they claim they have evidence
13:43of it and they implied although they
13:45don't tell us directly that they know
13:48because of some kinds of perhaps signals
13:50intelligence that the NSA has collected
13:52but they don't say that so we're left to
13:55Krista to connect dots that we're not
13:57sure can be connected my issue with the
14:00the attribution is and attribution is
14:03always difficult no matter whether it's
14:04a Sony hack a really loud hack like that
14:07or a quiet hack whether it's a
14:09sophisticated hack or an unskilled hack
14:12the way we get hackers the way we
14:15prosecute hackers because they've done
14:17something stupid and expose themselves
14:19they've used their real IP address
14:21instead of going through a proxy or they
14:24bragged about their activity to someone
14:26who's an undercover fed online something
14:28like that you know attribution in
14:31nation-state obviously is going to be a
14:33lot more difficult because there are a
14:35lot more resources and skills so the
14:37idea that the government would say
14:38definitively this is North Korea already
14:41is a little shaky and what they provided
14:45as evidence is an IP address that they
14:47say is which they haven't even disclosed
14:49the IP address all they've said is that
14:51an IP address was used that to conduct
14:54the Sony hack that North Korea is known
14:57to have used or North Koreans are known
14:59to have used and that's a pretty big
15:01statement because they're not actually
15:03saying this is an IP address assigned to
15:05North Korea this is an IP address that
15:08North Korea used to hack Sony they said
15:10this is an IP address that North Korean
15:13is known to have used to have used in
15:15the past meaning so that's that's pretty
15:18flimsy and also just if you can trace it
15:21if you can trace activity back to an IP
15:23address and that's difficult in itself
15:25to find me the real originating IP
15:27address you also have to know whether or
15:30not that machine was hacked as well so
15:33just because we traced
15:35to your machine Michael doesn't mean that
15:37you were the one sitting at that
15:38computer conducting the attack
15:39hypothetically let's be clear about that
15:44someone else could have subverted your
15:46machine hijacked it and conducted the
15:48attack through it right so that's
15:50another problem with IP addresses and
15:52until the government can provide you
15:53know some more extensive proof it raises
15:57questions and why does it raise
15:58questions because if you look at the
16:01communication from the attackers to Sony
16:03the first communication was about
16:05extortion and it was about the movie
16:08that everyone in the end thought it was
16:11about they appeared to be asking in the
16:14first communication for payment and they
16:16were demanding payment and if they
16:18didn't get it they would release emails
16:20and other documents from Sony and
16:22subsequently they did start releasing
16:24that but it was only after media reports
16:27started surfacing quoting anonymous
16:29government officials about the Sony
16:31movie that everyone then jumped on this
16:35bandwagon and said this was about 20 but
16:37hackers himself who never mentioned the
16:39movie and by the way the hacker is you
16:41know they made that threat that's posed
16:43a threat what we would have termed a
16:45terrorism threat but if the movie came
16:48out on Christmas Day they somehow and
16:50they kind of implied that there might be
16:52some harm that movie theaters but the
16:57and they also made some threats that if
17:00Sony released movie they would release
17:01more of Sony's data but the movie came
17:04out and we never heard from the hackers
17:05again no more data so it's also
17:10interesting to me that the data that
17:11they released a lot of it pertained to
17:14Sony's efforts against piracy and that's
17:18that's an issue that I can't really see
17:21North Korea being all that concerned
17:23about but it is an issue that the
17:25hacking community the underground
17:27community of anonymous and groups like
17:29that have had and you know a gripe with
17:33Sony for years over over the anti-piracy
17:36efforts and so it makes much more sense
17:39given if you look at the communication
17:41from the hackers if you look at the data
17:43that they released and if you look at
17:44the fact that they never brought the
17:45movie up it really comes across
17:49sort of a traditional kind of hack that
17:51we've seen before against Sony so the
17:53only difference here is that they took
17:55it to another level in destroying data
17:57and releasing data and they used some of
18:01them some malware that have been used in
18:04attacks against South Korea so those are
18:06the only things that give everyone that
18:07gave everyone pause right so Kim you're
18:11touching another interesting theme they
18:12think we should talk about for a brief
18:13moment which is how people are
18:15communicating about the hacks I mean
18:16you're interesting than the other side
18:17of this which is your job is to kind of
18:19investigate the communication trails and
18:21source from different sources and talk
18:23to different you know get different
18:25facts to put together what's actually
18:27happening but there is this problem that
18:29companies face which is they're in a
18:31world where they actually don't know how
18:32to communicate about these things
18:33because they're facing them for the
18:35first time like what are you kind of
18:36observing from that perspective
18:38companies have been forced to be a
18:40little more transparent I mean so we see
18:43you know Target obviously wasn't going
18:45to willingly disclose a hack what they
18:47what they do in in the case of credit
18:49cards it's because it can become a
18:50little more obvious because they're
18:53required under breach laws to disclose
18:55to customers when certain signs of data
18:57gets released so that's I'm often the
19:00way we first learned about a breach but
19:01company isn't going to necessarily
19:03announce it or at least they haven't in
19:06now we're actually seeing blog post
19:08things like that where they are coming
19:10out and formally announcing their hack
19:11and sometimes even before they notify
19:14the customers so that's a growing trend
19:17and I think that companies are realizing
19:19that they have to get out in front of it
19:21they don't want it someone else to
19:22expose it before they can and also we
19:27see you know the push now from the
19:29government for more information sharing
19:31from companies do you do you get a sense
19:33though that in terms of that disclosure
19:34that that it's only like disclosure
19:37happens when it kind of gets out there
19:39already or you know if nobody knows that
19:42this hack occurred do we still sort of
19:44keep it quiet well that's what they
19:47would love I mean that's been
19:48traditionally what was occurred is that
19:50we never learned about hacks until
19:52either that data started leaking online
19:55or you know credit card numbers were
19:58stolen and they were used for fraudulent
20:01so I think that companies also are
20:05becoming maybe less hesitant about
20:09discussing because they see that
20:11everyone is getting hacked they're no
20:12longer that individual standing out
20:15there alone who's going to get a finger
20:17pointed at you for your bad security now
20:20we know that you know pretty much every
20:24level of security can be subverted by a
20:26really determined attacker so I think
20:29that there's a little less shame in
20:31getting hacked maybe oh yeah well that's
20:35also because of what actually came out
20:37but right exactly so actually Kim one
20:39interesting theme here you know we've
20:41been talking on the background here
20:42about like what's really changed in the
20:45security landscape Kim you've been
20:46saying a lot of these things been around
20:47for years but the same time the players
20:49have gotten ever more sophisticated the
20:51hacks have gotten much more complicated
20:52but one thing that's kind of interesting
20:55that you nice to talk about wired is
20:57this trend that sometimes companies are
21:00actually it's completely turning around
21:01the paradigm where before the model for
21:03security would you just defend to
21:04protect so are we seeing people go on
21:06the offensive basically so we are to
21:10suit within limits you know there were
21:13there was a lot of talk a couple of
21:15years ago a company called CrowdStrike
21:17actually when they launched they had
21:20made this announcement that they were
21:22going to be talking about you know what
21:24they called active defense which was
21:25attacking back to certain extent and
21:28then I think they realized that some of
21:30the stuff that they might be advocating
21:32was illegal and there are companies that
21:35I think are just now learning that some
21:37of the things they're doing could get
21:38them into hot water so so there are some
21:42things in limitations I mean one of the
21:44things that you can do is you know you
21:46could you can sort of trace back the
21:49source of the attack and find the IP
21:51address and things like that but you
21:52cannot start rooting around in the
21:55computer at the other end because that's
21:58unauthorized access you can't pull your
22:00back there's a question about whether or
22:02not you can actually pull back your data
22:03or delete your data on that server and I
22:06think that that would also be a
22:07violation of the Computer Fraud and
22:08Abuse Act because it wouldn't because
22:10you don't know it's performing an
22:12unauthorized action on a computer
22:15and you don't know what the consequences
22:16of deleting something on a computer
22:18might be and also I want to point out
22:20that you know as I said it hackers route
22:23their way through other computers to
22:25conduct their attacks so they could be
22:27on your computer and if your computer is
22:29used to attack me and I go into your
22:32computer to erase data
22:33you weren't the you weren't the
22:35perpetrator and I could cause damage to
22:37your system not to the original attacker
22:40system so there are a lot of legal and
22:42ethical issues around this but one way
22:44that companies are sort of I guess not
22:49attacking back but responding in a more
22:52active way certainly not defensive is
22:54going through the courts and getting
22:57systems taken offline and we've seen
22:59this with Microsoft where they've gone
23:02to they filed a civil action course in
23:05order to get certain IP addresses or
23:08hosting company taken down in order to
23:11control on botnets and other malicious
23:13activities that sort of congregating in
23:16certain IP addresses but what can
23:18companies do because the fact is that
23:20like you know ten years ago or even as
23:22recently as five years ago the security
23:24model was to defend and protect like the
23:25McAfee antivirus firewall you know sort
23:28of thing but we're talking about very
23:30different types of hacks these days that
23:31are going through your various systems
23:33internally like we talked about the
23:35intimacy of coming from your colleague
23:36or your next-door neighbor so what can
23:39companies do then to sort of better
23:41arm themselves I mean it seems like
23:43this is a whole brave new world of
23:44security yeah I think I think the shift
23:48is less from keeping attackers out
23:51although I mean you know you still need
23:53to do that you need to do everything you
23:54can to keep them out but I think that a
23:57company should become more realistic and
23:59realizing that they need to put a lot
24:00more resources into discovering
24:02intruders that may already be in the
24:05system and so that means improving their
24:09monitoring and logging capabilities and
24:11making sure that if when they have
24:13monitoring and logging capabilities that
24:15they're actually reading those logs
24:17and they have them configured in such a
24:18way that they can actually distinguish
24:21between something that is concerning and
24:24something's not but that's the problems
24:25as well Target discovered that
24:28Target installed a multi-million dollar
24:30security system not long before it got
24:33hacked and that system was designed to
24:36detect anomalous behavior in the network
24:38and it did it sent alerts it sent alerts
24:41to some people who were paid to
24:44monitor Target's networks I forget what
24:46they were I think in maybe India or
24:48Singapore and they forwarded those
24:51alerts to the system administrators in
24:54the US and those administrators ignored
24:56them and they ignore them because you
24:58can have a system like that and get so
24:59many alerts that you know you get this
25:02battle fatigue from them and you stop
25:04looking or you don't have the resources
25:05to look at everything what also raises
25:08the fact that at the end of the day the
25:09whole model of security always comes
25:11down to the human error aspect as well
25:15and speaking of human error you know
25:17flip it to the consumer are you noticing
25:19or is there hope for us to do a better
25:23job are there behaviors we can embark
25:25upon finally you know two-factor
25:27authentication for everything I mean is
25:29there anything on the horizon there that
25:31seems to help yes I think I think the
25:33move towards two-factor authentication
25:35that seems long overdue and I guess we
25:38have to thank we have Edward Snowden to
25:40thank for that an encryption but if an
25:43attacker is already on your system
25:45encryption won't necessarily help you
25:47because they're going to see your data
25:49before it gets encrypted if you are you
25:54know changing passwords strong passwords
25:56things like that you know where we see a
25:59movement towards people demanding the
26:01passwords be eliminated and then we come
26:03up with new systems more biometric
26:05systems things like that I mean there
26:06obviously are a lot of people trying to
26:09look at this issue now and figure out
26:10new ways but I mean for the consumer now
26:13you know two-factor authentication for
26:15any site that offers it that can you
26:20talk to us about what we can do in
26:21two-factor authentication sounds like a
26:23path that we all need to go down quickly
26:26and even three-factor authentication API
26:28by adding the biometric component yeah
26:30and but are there so what are some other
26:32things that you know maybe company
26:34should think about and and also do you
26:36have a any sense of like kind of who's
26:38winning or is that 90
26:40a question that can be asked but hackers
26:43are winning okay reality right so that's
26:46exactly the world where you have advice
26:47then Kim for companies that are and Bend
26:50consumers that are in this world like
26:51what do we do then I mean if you put
26:53your data on the cloud which it could be
26:54a lot more secure because you have a you
26:56know people a lot more administrators
26:58who are dedicated to watching that what
27:00I don't I don't do online banking okay
27:03so I don't have a lot of trust in in
27:07those kinds of systems I don't have a
27:10lot of I'd be very little I don't put my
27:12health records online that kind of thing
27:14so I keep it as you know as much to
27:17minimum as I can and I know that people
27:19don't like that because they like if you
27:21should see him in like convenience but
27:23they have to understand that there is
27:24that trade-off and you are making a
27:26security trade off every time you do
27:28that so so if you do make that trade-off
27:30then what would your parting words of
27:32advice be for people like to be able to
27:34audit like the companies are working
27:36with whether they're a person or a
27:38company I don't know that the average
27:40person can do that because the average
27:42person isn't going to know even if if
27:44you know if you want to put your data in
27:46the cloud do you know you know how
27:51adequate that audit was so if you know
27:54it's kind of a circular problem but I
27:56think minimally if you are a company
27:58that's considering putting you know
28:00using a cloud company cloud storage that
28:04there are something that you can do you
28:05can even see even find out if the
28:08company had been independently audited
28:09and that their security is to a level
28:13that you're feeling comfortable with and
28:15another thing that you might do is seed
28:17some of your data so that if it's stolen
28:19the seeding is sort of planting a little
28:21flags like a water or water meter
28:23yeah yeah so that if the data is stolen
28:25you can see that it's the source of you
28:29and then you can come back to the cloud
28:31company and you know you may be able to
28:34tell them hey you've been hacked but
28:36that's some way one way that you're not
28:38just completely ceding your control to
28:39someone else then that's right well Kim
28:42on that somewhat somber note I promise
28:45if you get an email from me with an
28:46attachment don't open it don't actually
28:49open any email from him
28:50thank you so much the scale that scare
28:54thank you thanks a lot okay