CLUB CISO |2| Renaud Deraison "Una mirada integral a la Ciberseguridad del Futuro"

t and and basically his role was to say no to everything and that was it and now the ceso is basically as a very strategic role right he has to report to the board of directors he has to explain he has to talk about the risk and not just missing patches etc etc so the role has changed a lot and has become extremely strategic because as all the companies are kind of changing transforming evolving moving to the cloud adapting new technologies to kind of keep running well the ceo has to oversee all that he is the one on the hook if something goes wrong so a lot of changes and at turnable the way we’ve been what we see needs to to happen is that is many things the first one is our mission is to answer one question which is very simple and yet it’s very difficult to always get an answer the question is are we secure are we deploying things securely is our environment in a healthy uh state from a a secret point of view right and that’s something we’re working on with lumen we do it with uh which is one of our offering we do it with uh technology such as benchmarking so we can look at your infrastructure we can compare to others and we don’t just look at the result of you know missing patches here versus others right we look into many dimensions we look at how how often you scan the syst your environment we look at how quickly um patches are being deployed or systems are being remediated versus others and and we can help customers really understand where they stand right because the truth with security is that nothing will ever be perfect and if they are might be perfect for like five minutes right uh because then somebody publishes a new patch and you have to do it over again um but offering a way for customers to compare where they stand is really critical and and and we we continue to invest a lot of resources to help them further uh uh to help them further there the second the second thing that we’re working on is we help our customers make sense of the data right if you just look at von data uh when i started my my carrier with nasus people would just cancel tmz really so they would scan five servers you know the web server dns one dns two which was nearly the same as the first one but not exactly the same uh mel1 and ml2 and that was it right that was your external surface at the time and and that would be it and so at the time managing the data was easy because a typical nasa scan would show up maybe three problems and you would fix them and go home and and then you know you would have a sense of accomplishment well now our customers rightfully are scanning the entire infrastructure so the exposed attack surface the internal servers the internal workstation etc and so now we’re not talking about three or four findings we’re talking about millions of findings right now the problem is that not all of them are equal right some of them are critical flaws some of them are like nice to fix if you have time so we we actually are spending a lot of resources to help customers make sense of it the first thing we did there is that we did something called vpr that we released uh nearly two years ago and the idea with vpr is that it’s a way to score the severity of of fibonacci but not based on what would happen in a lab with against an attacker with an infinite budget who can try the uh an attack a million times it basically we call it pragmatic security right it’s basically it’s okay in real life what’s happening for this problem right let’s for instance if you look at an oracle variability like an oracle database or maybe on paper it’s critical because you can expose because you can execute code but in practice nobody’s talking about it there’s no public exploit about it um there is no uh last time there was a similar flow in that database nothing happened so maybe that shouldn’t be the first thing you fix right but that uh printer phone in windows that everybody is doing patches for well maybe that one that one really matters so vpr kind of helps our customers kind of see varieties in two buckets if you will like things that need to be fixed right now versus things that should be fixed as part of proper cyber hygiene and and we’re continuing to work a lot on prioritization to really help uh um our customers beyond just scoring but looking at the criticality of the servers where they’re exposed as their gaps are not etc etc so so you you’ll start to see more and more uh this thing there and the last thing that we’re working on is that with the cloud in particular you’ve got a completely different workflow and and you need the security team to talk the same language as your devops or srs whatever you call them people right it’s just enumerating a list of missing patches is not helpful right you have to think in terms of configuration of devices and and and sending patches whatever to kind of tell them to redeploy a server you have to map deployed instances to a gold image and say well you need to just fix that gold image and redeploy it instead of saying you’ve got to deploy this hundreds of servers you’ve got to fix this under the server et cetera so we’re working on that to really breach that gap because we see increasingly an infosec team who thinks in terms of servers assets and whatnot and an sra team which is thinking in terms of resources and and which get deployed in a fast way so a lot of things to work on and uh um and uh a lot of things to breed to to to continue to equip our customers to really speak the language of the enterprise and not just the language of security all right that’s kind of our vision in a nutshell um that was infomercial any uh any uh let’s open it up to questions maybe it’s more fun yes um let me check here the no we only have please everybody you can ask questions now i’ll start with one while we wait for the other people to come with their questions um how did you get started in cyber security so it’s a good question you know i got started in cyber security really nearly by accident frankly you know i i i like to say that i started i i discovered computers in reverse because i started with uh when i was younger i started with with a macintosh system right and at the time it was single user it was graphical so easy to use but single user and then i discovered unix and when i discovered unix i discovered the notion of permissions and users being able to do things and whatnot extra and then i discovered the internet and the fact that you could talk to another computer remotely and i always found fascinating the idea that somebody in in in south america i could talk to a server in europe and kind of like make it do things right and so that’s kind of how i got there um i was also very interested in network programming so the two kind of like the two interests kind of merged together and that’s how nessus was born really it was a project that was that was looking uh looking to work on that was actually my second question that how was nessus born so it was born like so i mean i can give you the long version because it’s actually smaller than that right it’s nessus was born so so after i discovered linux um and that whole notion of security i installed something called satan on my computer and satan was like it’s a granddaddy of vulnerability assessment tool right it was the very first scanner uh which was released in like the 90s and i was running a very esoteric version of linux so satan was extremely difficult it took me like three days to install on my system right it’s i had to install binary swatch binaries which are not part of this i experience the details to remember it so that was that bad and and you know the uh when i installed it and i got it running i was like oh it doesn’t do much it’s not that interesting after all and i figured you know that’s just sydney’s then maintained maybe maybe i could do something similar but i learned a lot from it right i learned to be self-contained to not use a billion uh dependencies and things like that so there was a lot of uh um of design decisions which were made just just by using it and and as i said because i was interested in programming i was interested in networking and i was interested in interested in security i felt it was a great project to to to start and to compound all that it’s a world of security in the late night i mean for those of you joining and not familiar with nasus it was released in 1998 so a billion years ago and at the time the um at the time the security community was not that organized you didn’t have something like a von database for instance nobody was keeping track of all the very styles there right so to keep yourself informed as they uh as a defender if you will as a system main or whatnot you had to subscribe to a mailing list called bucktrack which was like a volunteer run and people would just post advisories every now and then something it was an advisory something it was sometimes it was zero day and the only way to keep track of it was to read that mailing list every day and then they would say hey there is a flaw in apache one point whatever it is because it’s a 90s and then you would have to like run around and say oh do we have this installed and so when i did nessus one of the thing is that i figured hey we could automate that pump right eventually end users should not spend their time on that mailing list and trying to figure if something affects them we should have some software telling them you’ve got something and so as part of that design it was not only to kind of make it easier to install than satan and make it more modern but more importantly the idea was to um to keep it self updating so that you would install nessus once and then it would fetch new plugins of his internet and regularly tell you that well something in one moment you would come up and it would the software would tell you that it would be a good idea to fix your send mail server because it’s it’s uh it has issues so so that’s how it it got started and now the funny thing is that so it’s one thing to read software but it’s another to make it live and and what was fascinating to me is that i worked roughly one year on nessus um at home after school and i published it on that track so i sent like a new email an announcement if you do some google search you could find it uh i saw released it in 1998 and then i basically ate 2 cup for a school trip because that’s what i would do and then i came back and my mailbox was full of feature requests and questions about futures report and things like that and really the community kind of like the uh adoption if you will really kept me going right the very first version of nessus was only a ui there was a new uis there was no command line tool so that was the first command the first feature request like make it make it able to run through the command line and not just not just in you know graphical interface and and uh and then you took off from there and it was amazing and and then you know i really thought that i would publish it and be done with it maybe like a month after and here we are we’re still talking about it well that’s good but um so what do you think is the great challenge of cyber security today you know i think so there are many right um i think the biggest one is so for a large enterprise or large companies the biggest one is because depending on who you are if you were like you have different challenges but so the biggest one i think is communication right it’s very difficult for a cso or for somebody reporting to see so to talk in non-technical terms about security and make the rest of the company understand how um how are the states of things without talking about cvs and overflows and things like that and and i think we as an industry have done a a not so great job at producing report that people can read i i think we it’s very technical and then and users need to do that so that’s the number one and the second big problem as i mentioned earlier is that with the shift of technologies adapting the workflows a way of thinking of security people to really what’s happening um with the adoption of new technology and and talking again in the same same terms as usari devops etc so communication is really a big problem yes do you think that the pandemic has helped users to be more away in other ways or all way around uh yes and no i think we’ve seen we’ve seen we’ve seen something i think from an end user point of view so non-technical non-security uh i think there’s been a rise of awareness a bit because we started to see a rise of phishing attacks and things like that and turns out not that many companies got wiped out right before because of like an end user clicking on an email um so yeah i think there is more awareness i think everything happening in the news right now is raising awareness a lot right so so i think as a civilization if you will we’ve never been so cyber security aware which which is a good thing uh i think the flip side of that is that with a pandemic we’ve seen a lot of technologies adopted in a fairly quick way sometimes recklessly sometime in a more controlled way but like you know suddenly you have a large workforce and they suddenly need a workstation thing like remote access and we’ll see longer term if if we discover uh uh side effects there yes i think that’s what we’re all a bit aware of now everything going on and everybody being at home and the children connected all day and it’s a whole new world for everybody especially people who are not specialists in cyber security exactly right and and and of course yeah and to your point like if you compound it to the fact that you’ve got work from home you’ve got kids you’ve got kids on zoom like is anybody here attending use their work computer to join a zoom class for the kids have they let the kids in front of the computer by himself for some time and what did he click on what so yeah i think it will be interesting to see uh um in retrospect like what our stories have happened or have been avoided very narrowly i’m gonna ask them the people are attending here too if they want to ask questions i would just say it in spanish in case so i have another one what do you think of 5g and cyber security um you know it’s so we’ll see i think so when we talk about 5g in cyber security you’ve got multiple layers right you’ve got what i find interesting with 5d is that technically with 5g each uh cell tower may be able to support many more devices than today as a result we could see a future where you know today when you buy like iot devices for your home you have to spend some time a fairly a big amount of time to configure them especially if you’re not technical you have to like spend a long long amount of time to configure them so that they connect to your wi-fi network and all that right and with 5g we could see a future where a lot of these devices just come with their own like sim card and it’s you just turn them on and they just work and then you go to the cloud to configure them and whatnot and if that’s the case then it becomes even more difficult to control which device is out there right because not that it’s easy today but at least you kind of use your infrastructure and you know if you change up your wi-fi password at least you disconnect a few of them um but yeah it it you would have your cd camera you would have your thermostat all that being able to see or sense what’s happening in your house and some of them tend to do that in a not so secure way and be able to connect directly to the internet so what happens then right and so so that’s what i find the most fascinating which of possible futures and security implications because really it means a lack of it means we would give up our ability to control what’s in our environment right and it’s bad at home it’s even worse at the enterprise level because a lot of companies have a lot of iot devices here and there and so now you’ve got devices listening um listening to what’s happening in the room like if you think smart tv if you think cameras you’ve got a lot of devices um which can physically impact the company if you think in terms of ot devices or um or even your thermostat really and cutting the wire won’t be an option if something goes bad so um it will be interesting and then you’ve got the other layer of 5g which is well do we believe the suppliers of the you know the whole huawei kind of like thing from two years ago and there was a ban and whatnot so i guess it’s semi-resolved uh but it does begs the question of well if you know if a lot of the infrastructure is directly on the cell phone operator network like how much do we believe to trust them so we cannot form there okay but and um just my personal question how far is the installation of 5g in front uh it’s you know it’s it’s going to be in two phases right because the first so you’ve got 5g replacing your typical lte uh antenna and here in the us it’s pretty much done it’s um i mean i live in new york city so it does show 5g but like in in all the populated areas of the u.

s it’s pretty much done in europe it’s kind of making good progress but the second wave will be what’s called the millimeter wave 5g which really that’s the one that people want that’s the one which gives you like gigabyte uh traffic and that is extremely costly to deploy because you have to deploy many more antennas that’s the one which really would be used by a lot of iot devices and i think it’s still behind and and i think the operators themselves are kind of scratching their heads on whether do they do that for free do they is it part of a different subscription model um it’s uh we’ll see so personally i would tell you it’s been disappointing in a big non-event at least where i live well one reads so many things so it’s nice too so you know secure it from somebody who knows um i also have another question what do you think about products being open source or being licensed what what do you think is best or what would you recommend perhaps um i i think it’s not necessary either or i mean everything has a purpose right so nasa started as an open source project the reason we close sourced it after many years is that frankly we were the only one as a company we were the only one contributing to it right so we didn’t have the we had a lot of users which was great uh and users would tell us about bugs and whatnot but nobody or very few people would contribute i mean nobody would contribute to the engine and we got very few contributions to the plug-ins so you end up doing a product for free and you let because competitors use it and it was a strategies still today a very strategic differentiator so open source was not the right fit for us i think that technology is uh when it comes to managing infrastructure where open source does make sense so it really depends on the brick if you will that that you’re talking about right so so we and and look we at the level we still release a lot of open source software we’ve got a github repository we publish a few things it’s you know if it’s not a strategic different share or if it’s something that you know like look if if tomorrow we invent a uh a better way to allocate memory right to make it faster in our software it’s nobody is buying our product because memory is allocated more efficiently so it would be silly to not open source it right it’s it’s a break that we spend time on it’s it’s a sensitive layer in our architecture so yeah let’s let’s open solve that and hopefully some other users will use it and send bug fixes if i need and so in that case is it but if if your whole business is to take your open source products and then maybe you make it five percent better by like adding something on top of it you know you have to look at the amount of resources you put in in the open source versus nanopencils and whether that makes sense yes i think we have some questions here do you think that that in latin america as being a special culture it could influence in certain kinds of of threats that behave in a different manner than in countries with more more developed countries did that make sense yeah i think so if i understand the question right you know a lot of countries have different levels of maturity in security and different levels of concerns right so you probably can’t tell from my accent but i’m from france originally and i uh um and so i kind of watch what’s going there what’s going on there and it’s interesting right because in many ways for instance france is behind in terms of maturity and and it’s if you look at why usually it’s because the whole budget process for security is under i.

t so it’s still like it’s not the same as the us and and so and and ultimately budget is everything right and so in in latin america yeah i mean there are some things which are behind and and which which might make on one hand you could argue it makes the uh uh uh the companies maybe more exposed the flip side is also if you adopt new technologies a bit later they’re more mature and you’re not building on something which is brand new and that’s like flows left and right right it’s people have mythologies developed and whatnot so we’ll see yes it’s a non-answer but every conclusion here in the chat um what is the lesson learned from the colonial pipeline security breach yeah it’s it’s a good one you know it’s so you look at uh i mean the lesson learned is uh the ot environments are not air-gapped and so you know other personal technology so that’s basically the computers running your pump and whatnot in in your pipeline in your weather uh uh weather cleaning systems et cetera uh factories and and you know it’s it’s an interesting world and we do have some you know infomercial we’ve got some offering there but the the uh so we’re very familiar with the technology what’s interesting with ot is that a lot of these protocols were designed you know if you look at the history of these protocols basically initially you had no computers and you had like gauges and like big things like you seen movies and like each of them had wires the copper wires going to the reactor or whatever it was and and then somebody said hey you know what it might be more cost efficient if instead of having like a set of wires for every gauge we kind of like collapsed everything together on a single single uh cable which could be ethernet and so these things could communicate with the net and instead of instead of reinventing the wheel let’s use the iep protocol to transmit packets right but it will never be connected to the internet it’s just the same protocol but it will be our gaps right it’s just to replace those copper wires and so a lot of these protocols have been designed not for security they’ve been designed for real time right so you want to know the pressure in that you want to lose the pressure right now you don’t want to wait five million seconds you don’t want to wait for a key exchange for password to be rotated if you need to know if that thing is going to blow you want to know it now right so so that’s a constraint a lot of these environments are working under right um but eventually what happened is that things were not gapped anymore and things were connected and by the way this little like plcs and whatnot and not that user friendly so what you do is that you put like a windows computer in front of it to kind of have a little ui and you can reconfigure it more easily and whatnot and same thing you don’t take care of that windows computer because it’s supposed to be air-gapped so now you’ve got a bunch of windows xps kind of managing your pump and whatnot and it’s okay because it’s not connected to the internet and then one day somebody comes in and says well you know it’s kind of like sometimes i have to reboot that old windows box and by the way a lot of these factories and there’s no real i.

t team on site you’ve got the engineers are like is a real engineer like physical engineer and so and some of them know how to use a computer so that’s a de facto at it staff and so what happened in in in colonial in particular is that basically they’ve got remote access so that this engineer if this if a windows xp box needs to be rebooted at 2 am that guy doesn’t have to drive 45 minutes to kind of push a button all right so they basically do the remote access and then once they got access it was easy to spread malware because it’s a bunch of windows xp box i mean i say windows xp i don’t know what it was on colonial but it’s a bunch of unmaintained system and the lesson learned is that you know ot in particular so in that particular industry the the the way of thinking has always been well there’s no need to patch if it’s working i don’t need to patch my windows system i don’t need to upgrade my windows system i don’t need to upgrade the plc and and look i’m not criticizing like we when you talk about upgrading your factory just the software of the firmware you’re literally talking about like sending people home for that day or not being able to kind of push the vr right because that’s the way it’s being built but we need to rethink it right and we we need to rethink it because in absolute i mean these things are critical for the for for the nation for the economy and so sometimes they have like you know some of our customers they deal with explosives and things like that and so so as part of the risk matrix they have like evacuation plans for the whole city next to the factory um and we can’t continue to live hoping that these systems are gaps they’re not right and and whether it’s remote access whether it’s somebody with a usb key which shouldn’t be plugged it’s a bunch of unmanaged systems running with protocol which are not meant for security and and we can just hope nothing bad will happen to to them no that’s a bad strategy to just hope um so i haven’t i actually so yeah don’t worry before you move on but so we two days ago we actually published on the turnable blog we published a um we found a security problem in uh in one of the plc’s produced by siemens electric where basically you can you can bypass the authentication right you can just send commands and whatnot and and we published a blog basically not not bashing uh uh no sorry it’s with schneider schneider um we didn’t like blame them but we published a blog basically saying well look it really is time to rethink it look is it normal that like i have like a demo stat went like here here right is it normal that this thermostat can self update without me noticing without like missing a beep uh a beat but a a a a factory which is uh uh critical like is being left and maintained and that’s not normal if you think about it and so i think it’s time to meet the lesson learned from the whole colonial pipeline act is the whole ot industry needs to address these problems and and start thinking about identifying devices keeping them up to date find a way to keep them up to date automatically the vendor should be uh um should be involved in that and find ways to update them without missing a beat so yes well i have one more here um how can we print protect ourselves from the apt the advanced persistent threat oh well that’s well that’s a complex one uh well if you look at the post-mortem on many of them so so let’s leave aside for one minute the solar winds hack for one minute and i’ll address it right um but if you look at most intrusions most apt intrusions nothing fancy is being used right they don’t the attacker is not sending a very complex zero their attacks they don’t this is they don’t uh uh use flaws which were undisclosed they basically go in with the assumption that just bound to be an unpatched system somewhere and they go from there and and so the very first way to protect yourself against apt attacks is to make sure your environment is up to date and not just the base operating system but all the third party applications are acrobat and all these things kind of running on this system so that’s the number one number two if you look at what happened with solarwinds so solarwinds is a different story because now one of your vendors is supplying you with software which contains malware really right and and that’s really unheard of uh in a way and in that case if you look at what that malware did it basically escalated privileges so what it did is that it’s kind of like logging into the network and then it inserts your identity and then from there somebody else identity and whatnot then it becomes domain admin and when it’s domain admin it can push commands to basically anybody and and then for this one you know you need to have a good grasp on your active directory security because that’s what this network do right that’s why we acquired we acquired a company last year called alcid they focus on active directory misconfiguration and security because that is what is that’s the number one target that both the high-end apt attacks are targeting as well as a very low-end ransomware uh software right they both have that thing in common they go after your active directory server because the ultimate goal is to be be able to push a new policy and spread this way right because then then you win and it’s fairly easy to escalate privileges uh unless you’re really good at managing active directory so so um if you do these two things you raise the bar so high that it’s it’s unlikely somebody’s going to break in great i must i don’t have anymore in the chat everybody is very shy today yes maybe don’t be shy see if there’s any more so why everybody is thinking about a question uh i’ll talk a little bit about something which i really like that we do at the level so we have a group within the research group called the zero-day research group and so we’ve got a bunch of engineers whose job is to dissect some software or some hardware and find vulnerabilities in it right uh undisclosed memorities we do this actually if you look at so so the reason why we we we started doing this is that we started as a company to find a lot of zero days by accident right basically when a vendor we release a patch for the software you know and as part of our job we would kind of like look at what the patch does to try to find if there’s a way to remotely um detect the problem and and we would often follow that often but this is every now and then we would find that the vendor did not properly fix organity right so there was another way to access it and whatnot and you know we’re disclosing the vaughn to the vendor and all that stuff it’s it quickly becomes a full-time job and so we decided to have a team to dedicate it to to do this report to the vendors of the flaws we find by accident and also find new flaws and they’ve been focusing a lot on iot devices and you know and mostly like the home iot so we don’t do that to kind of like create a new nesus plugin and whatnot it’s really we’ve been spending a lot of time to raise awareness on all the iot devices that you guys have at home right because the security of these things still in 2021 is disastrous it’s really speaking of like avoiding apt the first thing you want to control because these devices we actually give them too much credit right they can watch us they can listen to us they can control our locks they can do a lot of things and and they make it really easy to to uh uh to steal your data out to spy on you and and the reason why by pure uh chance it be that research became important is that with the whole working from home paradigm paradigm shift it it opens a whole kind of forms right because now you work from home and you’ve got some [ __ ] iot device kind of listening to what you’re saying and you’re talking about something confidential in the course of your work and so should that device listen to you who is responsible for it right so it’s a lot of questions there and um and and i think we’ll see what happens in the future but it’s it these things are fairly scary so make sure you buy devices from reputable vendors and and it’s okay to kind of turn them off every now and then yeah i think that’s a very good message as a as a in a family setting at least um what have you ever been to chile have you been down here or not yet not yet no uh in south america i’ve been to the other side i’ve been to brazil a bit um but not chile i look forward to it i mean with the world reopening who knows yes yes yes once it’s safe again so and i have one last funny question but what’s your hobby now that what’s my hobby um you know i i enjoy i enjoyed traveling so that was my hobby um and now it’s kind of coming back no i i like uh um i one of my hobbies is i read a lot about japanese culture and and all that so i’m very much into that so so um reading books about the history of japan and things like that so so that was that’s one of them and the other hobby i’m just thinking right now is that i started to develop uh to develop again in uh on ios so using the modern the very modern way to develop for for the iphone which i used i did one app for the iphone the nexus app uh maybe 10 years ago so shortly after the iphone came out and so it’s interesting and and i never had any reason to really do any new application myself because i’ve got people doing it um but um it was very interesting to kind of like get up to date and realize how much progress has been made and and how easy it is these days so i really encourage everybody here if you want to code actually it’s a very good platform to learn coding etc so that’s good okay i have one last question here what do you know about the technologies used in the mining industry and the management the remote management of industrial trucks and their threats threats um well i i know cursory right i mean what i know is that it’s a very fragmented set of devices and we’ve got we’ve got a team dedicated to kind of work on that and they’re much smaller than me on on this whole topic so usually you’ve got some plc’s involved for mining because basically they’re just some actuators it’s just do things but what’s interesting is that no matter what the industry is it’s it’s a very fragmented set of vendors it tends to be outdated devices or like way past their end of life by the vendors so vendors does not support them anymore uh etcetera so that’s situational or you’ve got the opposite it’s like the brand new factories brand new mining so i’ll be happy to put you in touch with our team if uh if that’s your concern and and uh and they’ll have a much better understanding and of of uh of of this and the nato okay well thank you so much it’s been really really interesting well thank you so much for having me if anybody else has one last question otherwise i think we we’re gonna wrap up something said beep i’m not sure because somebody has a meeting next next meeting yes i hope the day i don’t know are we on the same time as where you’re living is it also seven o’clock at where you are yes yeah yeah it’s seven o’clock right now okay well thank you everybody for attending until the end and uh bearing with uh my rambling i’m available if you have any follow-up question you can reach me on linkedin you can reach the thumbnail team by email and um we look forward to hearing from you okay well thank you so so much for your time thank you and thank you tenable for for arranging this for us as well and um yes i think i’m gonna switch to spanish now not to leave you outside but just to give a few messages if that’s all right of course but thank you so much um yeah it’s been just a pleasure for us to have you here with us today so very interesting everything um the the the impressive uh um is um but thank you very much all the people are saying thank you very much to you renault for your time thank you i have one more in the chat oh okay sorry we didn’t get that last question anna says industrial internet of things has been a trend in the last two or three years what are the main challenges for organization let’s take this before we wrap up all right it will be the closing words um i i as i mentioned i think so so so there is a big push to automate everything some some people talk about lights out factories and all that like really fully automated factories and the main which is an interesting trend i think the big challenges will be to find a system to keep the factory up to date it’s one thing to build it but maintaining it up to up to code etc and and up to date is going to be a much much more difficult thing for the record there is a company i know off and work with um and and which work in the heavy industry and they have a whole line which is still running under windows 3.

11 and so at this point because they never thought about the maintenance the upgrade of the system right it’s like well it works so so why would we do it and um and so yeah maintaining it keeping track of all the keeping track of all the uh devices out there and not just the computers maintaining them having a team on site to maintain all that is necessary thank you so much you.