Keynote: Dan Geer CISO In-Q-Tel

Channel: The Security of Things Forum Published: 2016-05-21 7,478 words Source: auto_caption
Intelligence Operations & Secrecy

Transcript

Mic test. Okay, back. Thank you, I appreciate the introduction. I do indeed work for In-Q-Tel. That's not why I'm here; I'm speaking for myself. I'm obligated to say that every time. Of course, those of you who are entrepreneurs and potential entrepreneurs, we do want to talk to you, just for the record, and we're a particularly good class of investor. I'll sort of let it go at that. But the intelligence community, which is where our funding comes from, expects us to find things, and indeed 60% of companies we invest in, we found them rather than the other way around. It is not quite like your ordinary VC situation, where someone is behind the desk and there's a line of people out there holding their hat. We're hunter-gatherers, so help us, help us to help you.

And also, I appreciate the, how should I say this in the most diplomatic way, I appreciate the introduction, but in this field, perhaps like no other, the question is "what have you done for me lately?" and I encourage you to think that way. Heckling I don't mind; go right at it. But what I am trying to get at here is that I can't think of a field that has a greater intellectual challenge than this one. What was true yesterday is not true tomorrow, and vice versa, and furthermore we have sentient opponents. We don't have stray alpha particles or bad luck. It's a different game. I just read a long article about Boyd, who invented the so-called OODA loop. That's the idea that we are in: this is more like being a fighter pilot and less like being an industrial planner. I just encourage you, on days when it seems impossible, to remember that that is, in a sense, what makes it good. There's the scene in, what was it, A League of Their Own, where Geena Davis says "it's too hard" and the coach says "that's why it's great." That applies here, I think, as well.

I've found it most fascinating, and in particular, and I suspect that's true in this audience, the fact that people come to it from many other disciplines. I can think of nothing more
Renaissance-like than information security. It sort of doesn't matter what your background is, as long as it involved decision making under uncertainty with strong outcomes, and I don't care whether that's being a civil engineer (why do buildings fall down?), whether it's being an attorney (I need to differentiate policy from enforceability), whether it involves biology (if I combine these two genes, does it eat me before I get out the door?). I mean, there's any number of fields that are good preparation for this, and I think that we're lucky to have such a mix of people in it.

Now I'll do what I really came to do, and by the way, I'll make these comments available (there, this button) to the organizers. But I've gotten to where, how should I put this, I was trained in public speaking by Reid Buckley. You may not recognize his name, but William F. Buckley was his brother, and you may well recognize that name. One of the things he said was that if you respect your audience enough, if your audience respects you enough to listen, you should respect them enough to write it out, and so that's indeed what I have done. Reid sadly died about a month ago, and I'm here to honor him in that regard.

So, in some sense, in this field each of us is one of the twelve blind men circled around the elephant, and if that doesn't ring a bell, let it go, but that's exactly where we are, and the elephant is like a rope, it is like a tree, it is like a rock. We are at the knee of the curve, I believe, for deployment of a different model of computation, and any time you're in the knee of a curve it's hard to tell you're there exactly. It's easy in retrospect, but it's hard at the time, so I'm guessing in that regard.

We've had two decades where, in round numbers, laboratories gave us twice the computing for constant dollars every 18 months, twice the disk drive storage capacity for constant dollars every 12, and twice the network speed for constant dollars every nine. If that is in the laboratory,
that is two orders of magnitude for compute per decade, three for storage, and four for bandwidth. In constant dollar terms, that has resulted in our massively enlarging the stored data available per compute cycle, yet that data is more mobile in the aggregate than it was when there was less of it. It is thus no wonder that crime, that cybercrime, is data crime. It is no wonder that the advanced persistent threat is the targeted effort to obtain, change, or deny information by means that are difficult to discover, difficult to remove, and difficult to attribute.

Yet, as we all know, laboratory results filter out into the commercial off-the-shelf products at rates that are controlled by the market power of existing players. Just because it can be done in a laboratory does not mean that you can buy it today at retail. So it's been with that triad of computation, storage, and transmission capacity. Martin Hilbert, you might want to look up his work, he described how in 1986 you could fill the world's total storage capacity using the world's total bandwidth in about two days. Today it takes a hundred and fifty days to fill the world's total storage with the world's total bandwidth, and the measured curve between 1986 and today is all but perfectly exponential.

Meanwhile, Moore's law has begun to slow. There are two reasons for that. Reason number one is physics: we're finding it harder and harder to cool chips at clock rates much beyond what we have now. Reason number two is economics: the cost of new fabrication facilities doubles every two years, which is Moore's much lesser known second law. Intel canceled Fab 42 in January because the capital cost per gate has begun to climb, and that's important. By 2018, under current trends, one new fab will be just as expensive in inflation-adjusted terms as was the entirety of the Manhattan Project. Hence the big players either have to get bigger, or Moore's first law is over because of Moore's second law, and hardware replacement cycles are
no longer driven by consumer upgrade lust, by which I mean the need to buy new hardware just because you need new hardware to run new software. "Good enough for everything I need to do" pretty much dominates computing, except perhaps in mobile, but that too is a curve that will flatten. Only graphic cards are not yet "good enough for everything I need to do," but every curve has its asymptote. In sum, the commercial off-the-shelf market is not going to keep allowing us to dream big without regard to underlying performance costs. We are not going to grow ourselves out of performance troubles of our own making. We were able to do that for a good long run, but that party, I believe, is over.

We can see that today in cryptography. In the commercial world, cryptographic performance is now a front and center topic of discussion, both in individual firms, amongst expert discussion groups, and within standards bodies. The commercial world has evidently decided that the time really has come to add cryptographic protections to an expanded range of products and services. The question now being unevenly debated is whether, on the one hand, to achieve cryptographic performance with ever more adroit algorithm design, especially design that can make full use of parallelization, or to tend towards more hardware implementations. As you well know, going to hardware yields really substantial gains in performance that are not otherwise possible, but at the cost of zero post-installation flexibility.

This is not hypothetical. AES performance improvements have of late been because software has been put aside in favor of hardware. At least in the views of some of us, hardware embodiments make the very idea of so-called algorithm agility operationally irrelevant, because recapitalizing one's data center just so as to get new hardware-based crypto algorithms spliced in is just not going to happen, nor is turning off some optimized, not to mention amortized, hardware just to be able to use some new software that is
consequently ten times slower. I'm reminded of Donald Knuth's comment: premature optimization is the root of all evil.

This brings us to the hardware question in general terms. The embedded system space, already bigger than what is normally thought of as a computer, makes the attack surface of the non-embedded space trivial by comparison. Perhaps I overstate that. Perhaps that is not true today, but by tomorrow it will be true. Quoting an authoritative colleague, that's Peter Gutmann: "In the embedded world, which makes the PC and phone and whatnot market seem trivial by comparison, performance stays constant while cost goes down. Ten years ago your code had to run on a Cortex-M. Ten years from now your code will still need to run on more or less the same Cortex-M, only it'll be far cheaper and have many more integrated peripherals." So let me ask a teaser question: if those embedded devices are immortal, are they angelic?

Let me first talk, though, about the wider world. Beginning with Stephanie Forrest, actually here in Cambridge, in 1997, regular attention has been paid, as was said in the introduction, to the questions of monoculture in the networked environment. There is no point in belaboring the fundamental observation, but let me state it clearly for the record: cascade failure is very much easier to detonate in a monoculture, so very much easier when an attacker has only to weaponize one bit of malware, not ten million. That idea is obvious. Believing in it is easy. Acting on it and its implications is evidently rather hard.

Despite what you might think, I am truly and entirely sympathetic to the actual reason we continue to deploy computing monocultures: making everything almost entirely alike is, and remains, our only hope for being able to centrally manage at all in a consistent manner. Put differently, when you deploy a computing monoculture you're making a fundamental risk management decision: the downside risk of a Black Swan event is more tolerable than the downside risk of perpetual inconsistency.
That is actually a hard question, as all risk management is about changing the future, not explaining the past. So let me repeat: would you rather have the inordinately unlikely event of an inordinately severe impact, or the day-to-day burden of everything being different all the time? When we opt for monocultures by choice, we had better opt for tight central control. This of course supposes that we are willing to face the risks that come with tight central control, including the paramount risk of any and all auto-update schemes, namely the hostile control of the auto-update mechanism itself, irrespective of whether that hostile control is the result of external takeover of a good controller or the result of a previously good controller going over to the dark side.

But amongst deployed monocultures, computer desktops are not the point. Embedded systems are the trend line, and the count of critical monocultures seems to be rising, and most of these are embedded systems both without a remote management interface and long-lived. That combination, long-lived and not reachable, is the trend that must be dealt with and possibly even reversed. Whether to insist that embedded devices self-destruct by some predictable age, or that remote management of them be a condition of deployment, is the question, dare I say the national policy question, that is on the table. In either case, the Internet of Things, which is to say the appearance of network-connected microcontrollers in seemingly every device that has a power cord or a fuel tank, should raise hackles on every neck, given our current posture.

If you want to look at something, I suggest you look at Dan Farmer's work on the so-called Intelligent Platform Management Interface, or IPMI. The last sentence before the conclusion of his paper on that topic, and the reference is in these notes that I'll share: "IPMI was designed for full-control remote management and monitoring, and it's pretty damn good at it." Farmer tells you in several ways that that very fact is why you are hosed, and that is one of my key points for today: that an advanced persistent threat, one that is difficult to discover, difficult to remove, and difficult to attribute, is easier in a low-end monoculture, easier in an environment where much of the computing is done by devices that are deaf and mute once installed, or where those devices operate at the very bottom of the software stack with nothing underneath them, where those devices bring no relevant societal risk by their onesies and twosies but do bring relevant societal risk at today's extant scales, much less the scales coming soon.

Some of you might know Dave Aitel of Immunity, Inc. As Dave Aitel has put it many, many times, for the exploit writer the hardest part by far is test, not coding. Put differently, over the years I've modified my own thinking on monoculture so that I now view monoculture not as an initiator of attack but as a potentiator, not as an oncogene but as angiogenesis.

15 years ago László Barabási argued why it is not possible to design a network that is at once proof against both random faults and targeted faults. Assuming that his conception of a scale-free network is good enough for our planning purposes, we see today that we have a network that is pretty well immune from failure from random faults but which is hardly immune to targeted faults. 10 years ago Sean Gorman at GMU did simulations, and they showed a sharp increase in network-wide susceptibility to cascade failure when a single exploitable flaw reached 43 percent prevalence. We are way above the 43 percent threshold in many, many areas, most of them built-in, unseen, and silent. Five years ago Kelly Ziegler of NERC calculated that patching a fully deployed smart grid would take an entire year to complete, largely because of the size of the per-node firmware relative to the
available powerline bandwidth.

How about we extrapolate from these various researchers' findings? The root source of risk is dependence, especially dependence on the expectation of stable system state. Dependence is not only individual but mutual; not only "am I dependent or not" but rather a continuous scale asking whether we are dependent or not. We are, and it is called interdependence. Interdependence is transitive, hence the risk that flows from interdependence is itself transitive, i.e., if you depend on the digital world and I depend on you, then I too am at risk from failures in the digital world. If individual dependencies were only static, they would be evaluable, but we regularly and quickly expand our dependence on new things, and that added dependence matters, because we each and severally add risk to our portfolio by way of dependence on things for which their very newness makes risk estimation, and thus risk management, neither predictable nor perhaps even estimable.

Interdependence within society is today absolutely centered on the Internet beyond all other dependencies except climate, and the Internet has a time constant five orders of magnitude smaller. The Gordian knot of these trade-offs, our trade-offs, is this: as society becomes more technologic, even the mundane comes to depend on distant digital perfection. Our food pipeline contains less than a week's supply, just to take an example, and that pipeline depends on digital services for everything from GPS-driven tractors to drone surveilled to robot vegetable sorting machinery to coast-to-coast logistics to RFID-tagged livestock. Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile? Does it matter that expansion of dependence is where legacy comes from? Is it essential to retain manual means for doing things so that we don't have to reinvent them under time pressure?

Mitja Kolsek from Croatia suggests that the way to think about the execution space on the web today is that
the client has become the server's server. You are expected to intake what amount to remote procedure calls from everywhere and everyone. You are supposed to believe that trust is transitive but risk is not. That is what JavaScript does, that is what Flash does, that is what HTML5 does, that is what every embedded browser helper object does. How do you think that embedded devices work? Or, as someone who refuses JavaScript, I can tell you that the World Wide Web is rapidly shrinking, because I choose not to be the server's server, because I choose not to accept remote procedure calls.

As they say on Marketplace, let's do the numbers. The HTTP Archive says that the average web page today makes out references to 16 different domains, as well as making 17 JavaScript requests per page, and the JavaScript byte count is five times the HTML byte count. A lot of that JavaScript is about analytics, which is to say data collection in the form of surveillance of the user experience, and we're not even talking about getting your visitors to unknowingly mine Bitcoin for you, about adding that jobs from JavaScript to your website. Look it up. If I was going to run... never mind. Huh.

To return to the question of whether immortal embedded systems are angelic or demonic, I ask you the most fundamental design question: should or should not an embedded system have a remote management interface? If it does not, then a late-discovered flaw cannot be fixed without visiting all the embedded systems, which is likely to be infeasible, because some will be where you cannot go, some you'll be unable to find, and there'll be rather a lot of them in any case. If it does have a remote management interface, the opponent of skill will focus on that, and once a break is achieved will use those selfsame management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there. Stuxnet is just an example. Perhaps what is needed is for embedded
systems to be more like humans, and I most assuredly do not mean artificially intelligent. By "more like humans" I mean this: embedded systems, if having no remote management interface and thus out of reach, are a life form, and as the purpose of life is to end, an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time. Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command. Inevitable death and purposive resistance are two aspects of the human condition that I think we need to replicate, not somehow to imagine that overcoming them improves our future.

That is perhaps the core of my thesis: that when sentience is available, automation will increase risk, whereas when sentience is not available, automation can decrease risk. Note the parsing: that replacing sentience with something that is not sentient will increase risk, but that substituting automation for whatever you have absent sentience can make things better. It won't do so necessarily, but it can. This devolves to a question of what do I actually mean when I say sentience is available, and that devolves to some combination of finance and public policy, which is to say the art of the possible, both economically and politically. The future, obviously enough, will not be so simple, nor am I making it out to be.

Lest some of you think this is all so much picayune, tendentious, academic, perfectionist posturing, here's how to deny the Internet to a large fraction of its users. There are better methods, there are more insidious methods, there are darker paths. My apologies to those of you who are aware of what I'm about to describe, but this one example of many is known to several of us, known in the here and now. Home routers have drivers and operating systems that are binary blobs amounting to snapshots of the state of Linux plus the lowest-end commodity chips that were
extant at the time of the router's design. Linux has moved on, device drivers have moved on, Samba has moved on, chipsets have moved on, but what is sold at Best Buy or the like is remarkably cheap and remarkably old. At the chip level there are only three major manufacturers, so Gorman's 43% threshold is surpassed. With certainty born of long engineering experience, I assert that those manufacturers can no longer build their deployed software blobs from source. If, as my colleague Jim Gettys has laboriously measured, the average age of the codebase on those ubiquitous low-end routers is four to five years, then you can be assured that the CVE catalog lists numerous methods of attacking them, both the operating systems and the device drivers, and to do so remotely.

If I can commandeer them remotely, then I can build a botnet that is on the outside of the home network. It need not ever put a single packet through the firewall. It need never be detectable by any means whatsoever from the interior of the network it serves. But it is most assuredly a latent weapon, one that can be staged to whatever level of prevalence I desire before I ask it to do more. All I need is to include in my exploit a way to signal that device to do three things: stop processing anything it henceforth receives, start flooding the network with a broadcast signal that causes other peers to do the same, and zero the onboard firmware, thus preventing reboot for all time. Now the only way to recover is to unplug all the devices, throw them in the dumpster, and install new ones. But aren't the new ones likely to have the same kind of vulnerability spectrum and CVE that made this possible in the first place? Of course they do. So this is not a quick trip to the big-box store but rather flushing the entire design space and pipeline inventory of every maker of home routers.

Now, about now you will probably ask if it isn't a contradiction to imagine embedded devices that have no management interface for you but are somehow
something that can be managed by various clowns somewhere else. The answer is no, it is not a contradiction. As everyone here knows, the essential part of software analysis is fuzzing, piping unusual input to the program for the purpose of testing. But that is only testing. I refer you instead to the very important work now appearing under the title "language-theoretic security," or LangSec. Let me quote just two paragraphs, after I have a drink of water:

"The language-theoretic approach regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LangSec posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language. The recognition must be feasible, and the recognizer must match the language in required computing power.

When input handling is done in an ad hoc way, the de facto recognizer, that is to say the input recognition and validation code, ends up scattered throughout the program, does not match the programmers' assumptions about safety and validity of data, and thus provides ample opportunities for exploitation. Moreover, for complex input languages the problem of full recognition of valid and expected inputs may be, in the formal sense, undecidable, in which case no amount of input checking or testing will suffice to secure the program. Many popular protocols and formats fell into this trap, the empirical fact with which security practitioners are all too familiar."

That's the end of the quotation, and that is really and truly the point. The so-called weird machines that result from maliciously well-chosen input are the machines where, regardless of whether there is a management interface as such, they allow the target to be controlled by an attacker. The Dartmouth group has shown numerous examples of such weird machines in practice,
including a 2013 USENIX paper which begins, quotation: "We demonstrate a Turing-complete execution environment driven solely by the IA32 architecture's interrupt handling and memory translation tables, in which the processor is trapped in a series of page faults and double faults without ever successfully dispatching any instructions. The hardwired logic of handling those faults is used to perform arithmetic and logic primitives, as well as memory reads and writes. This mechanism can also perform branches and loops." No distribution. No way in which that isn't a weird machine. No way in which that doesn't tell you what the limit of what can be done is: a Turing-complete execution environment based on interrupt handling.

Therefore we now see that devices that have no management interface cannot be repaired by their makers, but they can be commandeered by others if enough skill is brought to bear. Devices that do have a management interface are better off, but only if they protect that interface at all costs. Because the near entirety of Internet usage other than HTML 4 relies upon Turing-complete languages, the security of these services cannot, cannot, and never will be proven, because to do so is to solve the halting problem.

When weird-machine-style attacks begin to involve devices that do not have a human user who might be coherent enough to notice that something is amiss, they will proceed in stealth. There's not even a guarantee that their maker knows with precision what went into any one of them after the model year is over. The longer lived these devices really are, the surer it will be that they will be hijacked within their lifetime. Their manufacturers may die before they do, a kind of unwanted legacy much akin to Superfund sites and space junk. BBC science reporting has already had an article on this very topic.

As Daniel Bilar, who was largely with Siege Technologies, showed in his analysis of Conficker, quote, "attackers and defenders each present moving targets to the other."
That is his way of saying that oscillating advantage is to be expected, just as in nature's predator-prey dynamics or in game theory. Why is that? Because a sentient opponent does whatever he can to exploit your code by way of exploiting the assumptions on which your code is built. Sandy Clark at UPenn showed that if software security is your goal, then, quote, "software reuse is more harmful to software security than beneficial." Why? Because a sentient opponent first has to learn how your code works, and you help him by reusing components.

In short, is it time to give up on software security, or to double down the way the LangSec group shows us? Do we need more evidence than LangSec, than Bilar and Clark give us with their collaborators? Is it time finally to accept Ken Thompson's similar observation that you can only trust a program you wrote, and you wrote entirely, and to act accordingly? Is it time to say that software per device has to be as unique as possible?

To be brusquely clear: contemporaneously with writing this talk about the future, I read a scientific paper for a journal that talked exactly about that, about distributing software to endpoint devices based on diversity, compiling on a onesies basis. At the same time, while I was writing, I also, I guess I have to say that the future may have appeared. We don't know, but the worm called TheMoon that is now working its way through the world's Linksys routers may be precisely what I described before. It may be that; it may not be. The forest might burn. It may be that it is already afire. It may be that we are one event away from being unable to disambiguate hostile action from an industrial accident, and that matters a lot, at least in Washington.

I don't expect any of my analysis to change the course of the world, the market, or for that matter to be heard on Capitol Hill. Therefore let me give you my core prediction of advanced persistent threat in a world of rising interdependence: advanced persistent threat will not
be about the big-ass machines; it will be about the little. It will not go against devices that have a hostname and a console; it will go against the ones you didn't even know about. It will not be something that you can fix in any of the usual senses of the English word "fix." It will be avoidable only by dampening dependence. It cannot and will not be damped by some laying on of supply chain regulations. You are Gulliver; they are the Lilliputians.

My personal definition of a state of security is the absence of unmitigatable surprise. My personal choice for the pinnacle goal of security engineering is no silent failure. You, for all values of "you," need not adopt those, but I rather imagine you will find that in an Internet of Things, more things than you can imagine, an ounce of prevention will be worth way more than a pound of cure. That does in fact impact everything. We have very little time left. A low of Malawian machines of four years from now are being deployed today. We have to get a handle on this, particularly if, as I said at the outset, we are at the knee of a curve that we can barely discern but will appear obvious in retrospect.

Omar Khayyam said this a thousand years ago, and you'll recognize it: "The Moving Finger writes; and, having writ, moves on: nor all thy Piety nor Wit shall lure it back to cancel half a Line, nor all thy Tears wash out a Word of it." You know, there's never enough time. Thank you for yours.

Yeah, and thank Dan. Was like, "I'm gonna die," and Dan was like, "I'm gonna go big," and he definitely won big. Do we have, do you have, like, a couple minutes? I would guess there are probably some questions in the audience. For whatever, whatever, you're the MC, whatever you want to do. Okay, are there questions?

Okay, I run OpenWrt. It's an important one. Any other questions for Dan? Of course, at the same time, I have one of the $10 tender ones where we run a business, and people who say "don't you have any wireless I can use?", they get to use that one. That makes me mean. You heard
it here. Anyway, yes. And is the pipeline full of things that are similar? Yeah. Okay, I did not plant this, I will say that; there's no change in money here. No, no, exactly.

Um, and what would be your, and somewhere in many words, assumption here is that, is it a failure of execution, or is it worse, is it intentional? In other words, you know that a little bit about never ascribe to treachery what soon... Okay.

I know SANS, I think, did a little sandbox test or a little honeypot test over the weekend with a home router, or last week, or the home router, that kind of hung it out there and see how long it took. You know, when I mentioned TheMoon, which is a worm that's moving, there is also the possibility that malware against that has appeared, because, as everybody here knows, when somebody figures out how to do something, somebody else says "thank you for doing that for me, I will follow you." Number one. Number two, there appears to be a banking fraud underway in Brazil that might be related.

Yes and yes, this is all true. I was saying to a couple of my colleagues here at the break, there's a lovely little paper, look it up, it's called PlaceRaider, like it sounds, PlaceRaider, and the idea is that if I walk in with a smartphone camera, put it in my pocket, I now have a 3D image of everything in the room, because with enough math that's possible. And so the argument is, if there's any camera, it doesn't have to be me being obvious and waving, you know, a smartphone around; if there's any camera, with enough math you can reconstruct space, and you can do that with numerous cameras. I mean, I'm trying to think of the name of the company; there's a company that is selling LED replacements for lighting systems in large venues. I believe they actually did the Moscone in San Francisco, which is only amusing because that's where RSA was held, right? But along with the lighting devices comes, as options, cameras, microphones, sensors of various sorts, IPv4, v6, with or without
permanent address, you know, and so forth. You can do a lot of things with that. And in fact, EF, as I said, just this one little, I just, was an academic paper, I like little academic papers, but with one little camera, just waving it around, you can reconstruct. If you have a dozen of them, I mean, let's pick on this room, there's at least, how many top hats in here, what do they, like 25 top hat lights? You don't need anything else. I mean, and how you find that? I used to be on a mailing list for people who, quote, debugged, and by that I mean swept a conference room for listening devices. I don't know, that mailing list has gone silent, and I wonder if that's because it just can't be done.

Well, yes, he got silent, that might be it. On the other hand, if you haven't been in a SCIF lately, they still enforce the, you know, no electronic devices whatsoever, a secure communication facility. I don't know where that goes, but it's embedded now in everything, and it's cheap, it's drastically cheap. In my day job I've seen camera lenses that can be focused electrostatically. There's no moving parts; you put a little voltage across it and it changes the zoom, and they're tiny, and they would be in your camera today except that the people who make the cell phones are so cheap that the three cent upgrade cost is one that they're not prepared to pay yet. But it'll come, it'll come. You know, when you start making movies you do want to zoom, right?

You know, that the miniaturization thing, as you suggest, this is everywhere. I mean, how many exploits are there against printers? You know, just as a trivial example: sure, print every document, I'd like a copy, thank you. You know, who would notice? Who would notice? I would guess that we can sense a lot of things, you know, that included, as you probably know, DNA analysis is down to under 24 hours, under a thousand dollars, so that's forensics. But I'm saying that sensors generally speaking, I was using DNA as perhaps the hard problem, you know, that end of the
scale. But so the question is, can you believe the sensor? And that's the hard problem. I mean, Stuxnet was all about that: sensor said spinning just fine when it's like, whatever it is, 30 percent over limit. And of course the really skilled person doesn't make it blow up right away, they make it do something, it looks like failure. Looks like failure.

There's a great talk, a great talk given by, I can't remember his name, I'm sorry, he's the head of the Boston Water Sewer Commission and in turn he is the head of the Water ISAC, I-S-A-C, if that means anything to y'all. But he talks about how water systems are completely unprotectable. It's 100% analog. Anybody can go to Home Depot, buy a power washer, hook it up in reverse, and put anything in the system they want, and there's nothing to prevent it, nothing whatsoever, and there's no way to tell that it's going on. And there's enough abandoned houses, you don't even need to do it at home. And he gives a wonderful talk about this. In so many words, there's no hope of this. So what do they do instead? And the answer is they do, and I didn't mention this today, one of the arguments that you can make, it's sorta like the availability calculus: you can either say mean time between failures is infinite and you work toward that, or you can say mean time to repair is zero and work toward that. And as far as I know the water people are trying to figure out, whenever they discover something, how quickly can they contain it. And that might be where we have to go.

It, you know, one could argue, I think pretty effectively, that either we take a break right now and redesign a lot of things, or we say that the nature of liability has got to change and let in some sense the market take care of that, although it will take a while and now you're relying on the trial lawyers, I will not go there. Or you say that fast recovery is the issue, and fast recovery might well be the issue. And either no, in a hospital operating room, electric power is on the fast recovery
model. We do everything we can not to have the lights go out, but if they go out and this be a flicker and nothing really happens, maybe that's what we need. Maybe we need the fast recovery. But I'm suspecting that for small devices it is quite likely that we will be heavy-tailed, that the distribution will be heavy in the tails, for either it just doesn't fail or it recovers quickly. And the key to that is, can you believe the sensors? And I suspect that as a design problem, as a perhaps even a research problem, although I hope not: how to have sensor proof, how to have sensors that cannot be made to lie, or you can tell when they are. Back to my real point, is no silent failure. I will assume that it will fail; can I tell that it has? I don't know, I'm making this up as I go talking to you, but that's how, if, that's what comes to mind.

Yes? Yes. I mean, you know, nonstop computing sort of solved that a long time ago. You know, you do your calculations in quadruplicate and they're compared in pairs, and if any pair doesn't match, you know that. And you know, you don't go to the moon with a salt one computer, you go with, you know, several, and so forth and so forth. It may well be that the Internet of Things ought to be thinking in terms of high levels of, quote, unnecessary, unquote, replication, so that single points of failure are obviated by deployment strategies rather than by design strategies. It might be they're based on quorum, right? And for what it's worth, split key crypto or threshold crypto is perfectly capable of doing quorum type calculations, such that it says three of these have to agree, it doesn't matter which three. And that's something that, you know, if you want to talk sometime I can talk about that; that's actually something I know something about.

This will have to be the last question.

Good. Did you say boiling the ocean? Okay, yeah, boiling the ocean is fine, go ahead. I'd rather be doing, I'd rather be doing that as the NSF, rather than, as National Science Foundation, than as an investor. Of
course, part of the investor problem is, we're a little different, but your ordinary investor says, what's the chance of $1.00 in gets me 10 out within the lifetime of the fund from which I'm withdrawing the dollar. You know, I've said it makes no sense, but you know, you have a return requirement. In our case, I'll just be honest with you, what In-Q-Tel is measured in is the rate at which intelligence agencies adopt the products of companies we have invested in. So we're measured on adoptions. Now for me that means the intelligence community has to be interested in the problem I brought them away.

You know, folks, I know some of you work for the press and so forth; I'd really rather you didn't put this in the newspaper, so I'll be a little vague, but I'd be very, very vague unless you want it in the newspaper. Well, there are no, you can't, I know that, I know. No offense, Boston College just showed that, and I know the head librarian. Yeah.

Well, let me put it this way. Suppose I could prevent modification of chip masks when I send them to Taiwan. I get them all the way I want them, and I send them, and I'm worried that something might happen. You know, people who know what they're talking about tell me that you can have a kill switch in a network capable device for maybe 3,000 gates, surely 3,000 gates, maybe as few as 1,000. You're talking about 20 million gates on the chip; how you gonna find it? They're not. I mean, even if you have the patience of Job and an electron microscope, you're not going to find it. Suppose I had a technology that prevented the insertion of extra functionality after the chip mask was frozen. What would that happen, what would you do with that? And the question is, that would be mighty useful, wouldn't it? But who's going to invest in that? And I can only invest when I have a customer, and I will, as you can guess, I have not invested. Why? Because nobody wanted to attack the supply chain problem at that level. Or, and it's a good argument, it comes back, which is: no, what I want is a
supply chain where the components I have leverage over at some other level, like they're big enough to sue, or we have treaties, or you know, something that's of a different sort, not that I can obviate it per se by a little technology from a company that was much smaller than a number of people in this room. Now why did I bring that up? Because there was this wonderful line, ice, which came back to me, was "we don't do chips," and I said, "well, chips do you," and I got stony silence. Who's the market is the question. You want to man, does it have to be a mandated market, or can you make it attractive enough that it's not a mandated market? This goes back to the question of, you throw liability in the mix or not. I don't know, I don't know. I'd like to say that you have to throw a liability in there, but on the other hand that has an awful lot of side effects, an awful lot of side effects. It's the chemotherapy, if you will, of, you know, solving the problem.

Dan, thank you so much. Let's give it well