Hashing It Out

Episode 55 · 2 years ago

Hashing It Out #55: ConsenSys Diligence - Steve Marx

ABOUT THIS EPISODE

Today's episode brings on Steve Marx from ConsenSys Diligence. Steve only talks with Corey this episode, as Collin has to move across the states. Together, they chat about what the "Diligence" section of ConsenSys is, how it got started, and where it's going. From there, Corey and Steve discuss the very concept of security and how it pertains to Ethereum. Don't miss this episode, as you'll surely walk away with a new, useful view of how to stay safe in the blockchain world!

Links:

Donate:

  • https://donate.hashingitout.stream

Now entering Kindwork. Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen to learn from the best in the business, so you can join their ranks.

Everybody, welcome back to the show. As always, I am your host, Dr. Corey Petty. Collin is out this week. He is moving, so you can't do very good podcasts from the car, and I don't want to listen to it with the background noise, so he'll be joining us when he gets back and is done. Today we have Steve Marx, security engineer at ConsenSys Diligence. Why don't we get started the normal way: introduce yourself, kind of tell us where you come from, how you got into the space, and then we'll start talking about ConsenSys Diligence from there.

Sure. Hi, I'm Steve Marx. I got into Ethereum about a year ago, or two years ago now, I guess. I've been at ConsenSys for about a year. My background's actually developer platforms. Maybe my claim to fame is that I gave the Hello World demo of Microsoft Azure back in 2008. I got to be on stage and sort of show people how that worked. I did a bunch of roles at Microsoft back in the day around different sorts of API developer platforms. I spent a lot of my time teaching people how to build on new platforms. Then I did a little startup in between, went to Dropbox and did developer platform there, kind of drove the developer advocacy team there and did the API and platform launch stuff there. So I've kind of always been into building on new platforms, and so Ethereum kind of snuck up on me. I didn't pay a lot of attention to blockchain stuff back then, and then, when I left Dropbox and was kind of just looking around for what to do next, I just got kind of into it. I was like, oh, you could build these smart contracts. As always, I'm interested in new developer platforms and figuring out what you can do with them that you couldn't do before. So I started writing a blog with a friend of mine, called it Program the Blockchain, and after about a year of that ConsenSys was reaching out and asking about doing security stuff. So it's actually my first professional job doing security work and doing auditing, but I've really taken to it and kind of love it. It kind of combines the best of both worlds: a new platform where we're really just exploring and it's still pretty nascent, but also getting to do this kind of deep security work is really fun.

Yeah, I kind of have a similar introduction in this space. I did data science and computational physics, and then that bled into breaking things, or understanding the core concepts of how stuff works, and that then led into security work, which is just a natural fit, especially in this space. So, ConsenSys Diligence. You hear the word a lot, you hear it happening. I feel like they do a lot of things. Can you talk about kind of what ConsenSys Diligence is and how they kind of formed as, I would say, one of the core parts of ConsenSys?

Yeah. So I don't have a ton of the history, because I joined a year ago, so there's a bit of the history that I'm kind of missing, but Diligence is kind of interesting and perhaps really poorly branded. I think we don't do a great job of letting people know what the team is and what we do. The part I work on is probably the most straightforward part of the team, and it's how the team formed, which was that the team formed after the DAO hack and was just kind of like, oh shoot, security auditing is going to be a really important thing if we want Ethereum to actually work, if we want these things to be safe and for users to actually be able to use it and not just lose all their money. It's going to be critical that we have security expertise and that we do that. So that's how ConsenSys kind of formed Diligence: there were a few people at ConsenSys, sort of the early founders of the team, who said we're going to have to read code and verify that it's doing what it says it does, and build some best practices around that. So that's how the team formed, and that's the part of the team that I'm on. It's mostly auditing, but I guess in general kind of security consulting, because we love to work with clients earlier in the process. We often don't hear from them until they're ready for a final audit, but we do sort of cover the whole thing. Then there are two other pieces of Diligence that are now sort of just building their own brands, and that's MythX and Panvala, and I know that you've had the leaders of those teams on this show already. Bernhard does MythX and Niran does Panvala. They've both done episodes, which I've listened to and are great, so if people want to get deep on those, go there. I'll give you kind of the one or two sentence overview for both of those. So MythX is building tooling around security analysis of smart contracts. They do static analysis, they do fuzzing, they do symbolic analysis, and basically try to find all these antipatterns automatically. Examples of things that work really well are things like reentrancy bugs; that's something the tools are pretty good at identifying. The hard part is actually cutting down on false positives and noise with those. So they do that, and they've built a service out of that, and it's coming out of beta soon. So for now I think you can still use it for free, but pretty soon you're going to have to pay to submit code to that service and get results back.

I've used the main interface for a smart contract; it comes back with a report for you. It's pretty nice. I've used it before.

Yes, and now they've baked it in: there's a Remix plugin, so you can just hit a button while you're typing your code there, and they have GitHub integration or whatever. So the CLI is awesome, but also you can just bake it into your continuous integration system or into your editor and things like that. They're going pretty heavily after, can we bake this tool into all the right places, so that wherever people are building things you want it to say, hey, you can't deploy this because of this problem. Yeah, and we actually get clients asking about this all the time. Part of the way this service developed was because of customer demand. One is they wanted a way to find some of this stuff before they came to us for an audit, because we would run all these tools, but they weren't super easy to run and they weren't easy for clients to use directly, and they wanted to run those first, because they wanted to just get rid of all that stuff before they bothered us with the audit. And then a lot of people ask, hey, after this audit, we're going to do a version two, and what help can you give us to maintain the security that we've achieved as we go forward? So lots of people were asking for ways to just bake it into the process, and I think that's what the MythX service does.

Yeah. Panvala, actually, Hashing It Out has a Panvala grant, and so when we start to get those disbursements we'll be paying more, I guess being more part of that community, as well as talking about it more on the show, just because, in my opinion, they're somewhat of a sponsor at this point, right.

Yeah, yeah.

Panvala is doing that: how do we distribute funds throughout the space to things that make the place better, while also having somewhat of a token lifecycle, because with grants there's something missing in the loop, and I know Panvala is trying to fix that part of it, which I definitely want to happen and want to participate in. Right, so what do you all mostly do now? What is your day-to-day?

My day is almost exclusively now just reading code and filing issues. It's really auditing. We've gotten a pretty good pipeline. For a long time the team didn't have dedicated people on kind of sales, business development, that sort of stuff. The team was kind of small and, frankly, we just got so much work coming in from being attached to ConsenSys. First of all, we got a bunch of things just related to other parts of the ConsenSys business, and then we just sort of get referrals from other parts of the company all the time, and so we just kind of had a ton of work that we would just work through. We've now actually streamlined all of that, and so the actual auditors on the team spend less of our time trying to hammer out contracts and things and, instead, are working on code. So these days I spend most of my time really taking some client's contract system and manually reading through it and just sort of trying to identify issues. It's a lot of kind of manual review these days, especially because tooling has gotten so good that it's no longer the case that security auditors can just run some tools and find stuff, because most of that has already been found. Because clients are learning to run those on their own, we get to do the actual work we should be getting paid to do, which is apply our brains to really understanding what's unique about a contract system and finding issues. So yeah, that's most of my day-to-day, and then I spend the time that I have free on sort of tooling stuff for the team, because we're always trying to get better at how we run audits, which I don't know how super interesting that is for everybody to hear about, but just kind of, how do we streamline the process? You have a team of people looking at some code trying to find bugs; how do you streamline the process of putting all those results together and turning those into a report that you can give to a client, and just kind of coordinating all that stuff? So I spend some of my time on kind of team efficiency stuff, but mostly it's really just reading code.

I actually find that quite interesting. I spend most of my time at Status trying to prepare code for audits, right, so we're trying to streamline the process of making sure that when we ask for an audit for something we can deliver the set of everything an auditor would want, the dream set of what you would want to receive, so that they get up to date and start working on the actual core, the things you need an auditor for, like you just said, and not all the minutiae that the tooling now takes care of. And I'm curious, then, because people get audits, unfortunately, for various reasons. Some of it is for pure marketing purposes, to say, hey, trust us, we've had other people look at it, and now we have a blog post that says we've got other people to look at it, things like that. So the things that you give back are a part of that, hey, we're maintaining a security health narrative for projects. What is the process of putting together an amount of information that a project, who doesn't have security experts, can then take and use and do things with?

Yeah. Sorry, wait, are you asking about sort of what should go into that, sort of getting ready for an audit, or the other way round?

No, the other way round. I spend most of my time on the other side, getting ready. I'm kind of curious as to what the difficulties are of doing the audit, preparing things, the efficiency of creating an audit report, so on and so forth.

Sorry, I lost you for a second there; my connection cut out. Say that again.

What is the process like on the other side of the audit? I spend all my time getting ready, trying to prepare things so that you can do an efficient audit. What is the audit team, I guess from the ConsenSys standpoint, doing to try and give an efficient audit and create efficient reports that a myriad of different clients can actually use and do something with?

Yeah, I'm glad you asked that, because that's actually something I think about a lot. I spend a lot of my time sort of wondering about this, because you also have to pin down, kind of implicit in the way you ask the question, and implicit in the way I think a lot of people think about audits, is that the recipient of the audit report, the audience for the report, is the developer. And I've actually started to try to shift our viewpoint on that a little bit. The developer is who's paying us, typically, right; the audit is usually, not always, we've occasionally had people come in and say, hey, can you audit this other code we're thinking of using, but it's usually the person who wrote the code, and they're basically looking to get out of it, hey, what are all the issues I have? At the base level, just give me a list of bugs and I'll fix them, but at a higher level it's, where did I architect things in a weird way, or where are there opportunities for me to simplify things or reduce the surface area, whatever. But I'm trying to expand our view to also be, what would someone who wants to use that system want to see in an audit report? Because another use of this is that not everyone who uses Ethereum smart contracts is capable of evaluating the quality of the code. In fact, hopefully most people aren't: the more we move to the mainstream, the more the end users have no idea what this contract is doing and if it's safe, and an audit report might be the kind of artifact they could use to do that evaluation, or maybe that other security experts or other engineers could use. So I've started to think about, how can the audit report also explain the security properties of the system? Like, if you put money in here, it can't be removed unless one of these conditions is reached. So you start to get a specification of the system from a security perspective, and we've tried to include more of that in what we do, because that helps, one, if this sort of curious bystander looks and wants to learn about the thing from the audit report. But it also does help the development team, because one of two things can happen: either they look at that and they go, oh wait, that's wrong. We have found bugs where we read the smart contract and we're like, oh, obviously they're trying to do X, and then we verified and we went, yep, they're doing X, but when we explained that they said, no, no, no, we wanted to do Y; X shouldn't happen. And so it's interesting, because part of the work of doing this, of doing security work in general, is knowing what is the expected behavior of the system and does the actual behavior match that? Sometimes it's obvious from reading code or reading documentation; it's like, well, obviously we don't want anyone to be able to take anybody's money. There are some things that are just clearly not how the contract's supposed to work, and some things, though, are a lot subtler.

I'm glad to hear that when you guys are approaching an audit you're looking at how do we document this stuff, but sometimes we don't get very complete specifications. My almost rhetorical question is, in your experience, how often are you actually getting that, because in my opinion smart contracts are created by first understanding what the problem is, creating a very detailed specification around solving that problem in terms of user stories and so on and so forth, saying this thing does this and only this, and then creating code that satisfies those conditions, and then you deliver all of that stuff together, so that you can read a specification, then look at the code to make sure the implementation matches the specification. How often is that actually happening when people are coming to you for an audit?

Yeah, I love how you phrased that. That's exactly, I love to hear that. That's how people should be approaching it. I would say it's always sort of eighty percent of that or something. Nobody ever really comes with everything. We actually tweaked our process a little while ago to add kind of a week before we start an audit. We have one person, because the audit is usually two or three people or whatever, we now have kind of a role I've been calling a scout, at least that's what I named it; I don't know if anybody else on the team likes that name, but I call it a scout, who kind of looks ahead, just tries to run the tests, makes sure the documentation's actually there, reads through stuff, tries to get an overview, so that we have a chance to ask the client for that extra information, or for where we think something's missing, before we get deep into the audit. Because once that clock starts ticking, these audits aren't cheap; they're always timeboxed, and so you're paying a lot for a small period of time, and you're going to get whatever fits into that amount of time. Now, we do often end up having to adjust that as we get into the code and see it's more complex than we thought or whatever; we try not to just sort of cut off at a time if that's the worst sort of outcome, but I mean there's some reality to that: you're going to get out of it kind of what is possible to do in that time frame. So if my team has to spend three days just kind of figuring out what the code's supposed to do, that's just time that could have been spent really verifying it and getting deeper and thinking up new kinds of threat models. There's all this higher level stuff we'd like to do, and we're most successful if the clients are really prepared. I guess I should plug: we have a webinar coming up called something like How to Prepare for an Audit. I would tell you the date, but I honestly don't know what it is.

No, whenever we get something in. Yeah, that'll be great; I appreciate that.

Yeah, and people should check that out if they're wondering sort of what, from our perspective, you should be ready for before an audit. Part of that preparation is for sure getting that stuff in order. I think what happens is a lot of teams did do that sort of specification: as you said, described the problem we're going to solve, wrote sort of a detailed specification of how we're going to solve it, and then wrote some code. I think what happens is a lot of teams do that, but not in a way that they can really share that stuff with somebody else. So it's like, well, yes, we did think this the whole way through, and we had a specification, but we don't have it in some way that we can just, you know, we can't send you something consumable. Yeah, and it's full of our team's jargon and it's spread out through our wiki or something; it just hasn't been compiled and ready to go. I think that's one of the biggest bang for your buck things you can do when getting ready for an audit: put that stuff together in a nice, easily consumable package. We usually schedule a meeting with the client a day or two into the audit, where it's like, we've had enough time to look at everything, and now we have a bunch of questions. So we usually also just start grilling them at about that time to really get them to walk us through anything that's confusing. There's a fine line, by the way. One of my colleagues on the team, Jean Pierce, called this institutional capture. It's actually a slightly different concept, but that concept, institutional capture, is kind of where you keep working with the same security firm and eventually they just believe all the false things that you believe; they've adopted all your assumptions. So one reason why we tend to do that meeting a day or two into the audit is that we don't want to get all those biases and assumptions in our heads too early. It's this interesting fine line where we want to get as much information from the development team as we can, because they're the experts in the code, but we also don't want them to convince us of something that's not true. Like, oh, everywhere we do this, we do this kind of check, so that's fine. That gets in your head. A good, experienced auditor hears that and puts up their own mental blocks, writes down, verify that, but it's hard. There's plenty of research showing that if you give people false facts, and then you tell them afterwards that that's false, they still kind of believe it. When you hear something, it doesn't always get captured by that filter. Usually this is in the field of politics, that people are doing this a lot, like, hey, can I tell you something that's not true and get you to believe it? And the answer is, to some extent, yes. If you hear something, you assign it a little bit of truth no matter what the source was. So we try to insulate ourselves from that a little bit by having the scouting and then everybody kind of looking at the code a little bit before we get the development team, who obviously by now think that they've built a secure system and so may kind of mislead us, unintentionally, into adopting their assumptions.

It's like when you read your own code and you can't spot that bug that's been there forever. It's because you just kind of skim over it.

Yeah, you think you know what that does; you think you have a perfect mental model of it. It's hard to break that out, and that's one of the reasons you go to a third party to get some help. You go for their expertise, some kind of particular orientation around security, but also it's a new pair of eyes, a fresh mindset, someone who doesn't have any of those assumptions, doesn't know the history of the code, how it used to look, whatever, and can kind of come in fresh. So it's something we pay a lot of attention to, how we approach that with the client.

I find this area of kind of focus pretty fascinating, especially with the way it's developed over the past couple of years. I could just say it's only been a few years that Diligence has existed, because it's been like, oh wow, this is going to be an issue, it's going to continue to get you, and it's also been a short amount of time where we've had kind of institutional security firms come into the space and start contributing. So the relative abundance of security professionals is low compared to the amount of people that are trying to create smart contracts and develop here, because the way that we set up Ethereum has basically been a very low barrier of entry. So it's easy to get started building things, but building something to being production ready is a very wide gap, and we have a very small amount of people who can evaluate the production ready stuff and say, yeah, you're probably good to go, or, we didn't find anything. What I like about a lot of this stuff is that the tooling and the availability of the tooling is getting better and better and better, very, very fast, so that the tools we use to do development are catching a lot of the low hanging fruit that you don't want to spend your time doing, so that when someone actually comes to do security on it, you get to do all of that fun stuff you just said: asking high level questions, making sure that the architecture that they set out to do does what they think it's supposed to do, and the edge cases and things like that. I get really excited about this, because at the end of the day not everyone's going to be able to afford an audit, and associating risk, or evaluating the risk of something and then figuring out, is it worth actually going for an audit, I don't think exists yet. Have you had any insight as to how someone figures out when it's time to go get an audit? How do you evaluate risk for these types of things, and then figure out, is it auditable, or do you just deploy it and then see what happens and hope for an upgrade or get an audit later?

Yeah, that's a great question, and I'm not sure I have a great answer to it. I will say, the fundamental point you make is absolutely right, which is that tools are going to push these things together. Tools are gradually building up to find a bunch of the issues and kind of push the quality higher at the origin point, right. It just means that auditors get to do even more valuable work; it frees up the auditors to really go, well, I don't have to look for this kind of bug, because I know it's not going to be there; I get to spend my time thinking about these higher level things. So I definitely see the same motion, and, as you said, it's moved really far really fast over just the past year or two, maybe, from almost nothing to some really robust tools. And then the question of sort of, when do you need an audit? How do you know that? I think tools will help. I think one thing is tools tend to point out complexity in the code in interesting ways, and it depends how you design the tool. I actually have a Microsoft anecdote about this that I'll get to in a second. Let me sort of make the point and then back it up a little bit, which is that, if you build the tool, there are kind of two modes an analysis tool can run in. I think this is an oversimplification, but one is, I think my code's already perfect, I want to catch anything I introduce, so crank up the false positives. Basically, I don't mind; I'm going to fix everything, I'm not going to whine. Another mode is, well, I wrote a ton of code and now I want to find issues, and I don't want a huge list of things to check. I want you to find the real things that are bugs, right, so there you're cranking the false positives down. This is always like a dial that sort of goes back and forth, and you want kind of different settings in different phases. I think eventually you want to crank the false positives way up, and here is my point about tools kind of telling you about complexity: if you crank that dial the whole way to, well, give me all the false positives, you get false positives in the code that the tool can't understand, and so you start to see where code is not brain dead simple, because if it were, the tool would understand it and would see that you don't have a bug here. So I'll give a more concrete example of this, which is some work I did at Microsoft back, I guess now, like fifteen years ago or so. We were working on Windows and we were trying to get rid of all the buffer overruns in Windows. There were a lot. There probably still are, with millions and millions of lines of code and whatever. So what we did is we built a static analysis tool. This was all C code, or C++ code, mostly C, and we wrote some analysis tools where you could decorate things and you could say, well, this parameter, you know, in C what you have is a pointer to something, and then somewhere else you keep track of how much data you're allowed to read there or write, and buffer overruns happen when those don't match up. So we designed a language, basically, to say, this parameter is a buffer and its length is given by this other parameter, and that length might be in bytes or it might be in characters, because at some point Windows moved from single byte characters to Unicode, right, and so you get kind of gaps there in what those mean. Then we're going to run these analysis tools that just check every time you access a buffer and make sure it's in bounds. So, great idea. We ran all that code, and we did get a lot of false positives. We'd get developers coming back and saying, hey, your tool told me this is broken, but I know it's not. You can only call this with this kind of thing; it's only called by one caller, and that caller actually allocates extra space specifically for this reason; or, this loop is a little weird, but it actually does make sure that it's always in bounds. And, to a really impressive level, especially for Microsoft at that time, which I think was only just turning the corner on taking security really seriously, we actually set a policy in Windows that said, tough. If the tool doesn't understand your code, you have to fix your code. I don't care that you're right that there isn't a buffer overrun; you have to make the code simple enough that the tool can understand it, which isn't that hard. You just have to put bounds checks in there, make sure your loop is actually bound by the right variable or something. But in a code base the size of Windows this was a huge undertaking, and it worked. I think the results are amazing; we killed a bunch of buffer overruns, probably most. I don't want to make it sound like Windows was riddled with them, but probably most of them were changed. It increased code quality a lot, in terms of exactly understanding what a function does, and we just didn't have to worry about it. We kind of just knocked out that class of bugs, as long as the annotations were correct, which you could kind of check in a different way, and where the tools actually said, no, this code isn't going to overrun this buffer. That's impressive. It's a hard bug to get rid of, and we really kind of did, once all the code was there. I mean, it was years and years to actually have all the code updated so that the tools could understand it. But the reason for that anecdote is we were talking about, how do you know, how do you assess the code quality or whatever, and one way is you look at this kind of complexity. Can tools understand it? Raise the bar on the tool to, I'm going to prove that your code's correct, and then if it can't, you go, well, now I have a problem: either I should simplify my code, or I'm going to need some expertise. That might be the point where you say, look, the tools are telling me they can't verify this; they don't really know if I'm doing this right; it's time to go to the experts. And I would say the other angle on this is when the specification is complicated, when the behavior you want is not very straightforward. The tools aren't going to particularly help you verify that the behavior's right. They're going to look for some specific kinds of patterns, like reentrancy, or authorization on things, or something. They're going to say, well, you're not checking the thing you're supposed to be checking here, or you're doing these things in the wrong order, or you can have an overflow. They're not going to say, oh, you wanted to make it so people could only purchase based on a signature once, but they can actually do it multiple times, because that's not in the code. That's some sort of specification of how the thing's supposed to work, and so when you find that that specification is getting kind of big or unwieldy or hard to keep in your head at once, or whatever, that's a really good sign that you want to go to somebody with a lot of expertise who, in particular, can help go through that with you, identify what are the right threats to be worried about, what's the surface area they might try to attack, how do we match up what they can do with what the behavior you expect is. Tools won't help very much with that; even formal verification tools, which sort of try to do it, require you to write a spec that's really, really good, and that is something that most people aren't going to be able to do. It's at least as hard as writing the code correctly in the first place, and we know we can't write the code correctly in the first place.

Actually, I would add to that and say that blockchain adds a few things that are unique to this concept of risk assessment, and there are two things, and I don't want to make a false dichotomy or whatever, but one: it's immutable code. Once you deploy it, it stays that way. So you have to spend a lot more time up front making sure you get it right, and so the risk of it breaking has to be taken into account, and the consequences of how to fix that, mitigate, or triage that breakage. The next one is that, because it's inherently money, or value flow, you have to then assess what is the potential risk of losing the value associated with whatever this functionality is or something going wrong with it. I guess I work for Status as a security engineer, but we also have a swarm called token economics, where products, or potential features, have to go through basically an economics audit of what does this thing do, and what is the potential blowup of value that this thing could have relative to the other things that Status does, and that helps us figure out whether or not
this feature, if it breaks, okay, there's not a large impact on users or value, on Status or the token or anything like that, which I think really needs to be taken into account, because you can have something that's awfully complicated but doesn't have a lot of impact on the thing you care about most in some circumstances, and so really you might not need to get an audit, because you can just fix it and bring it up in a minute and not have a big effect.

Right. Yeah, that's a great point. That was completely missing from everything I said, but it's absolutely true. I mean, to give a trivial example, if you have a contract that holds like five hundred dollars worth of value, and if somebody breaks it, you lose five hundred dollars, and so you just deploy a new contract and put five hundred dollars in it, you're out five hundred bucks. No audit is going to cost less than that, and so to some extent there's just never any reason to do an audit on something that controls that little value. And then yeah, as you said, you've got to really do the full economic evaluation of not just how many ether are sitting in this contract, but also just what can go wrong, like what is the worst case scenario, what is the kind of liability, including perhaps: does it hurt our reputation in some way? There are things that aren't as quantitative that you've got to take into account.

And bringing back the immutability part, we need to think about the lifetime of this contract and what can happen in terms of, say for instance, we at Status only have a few thousand users right now or so, active users, and so a contract might not blow up to a huge amount of money, but eventually we may have millions of users, and that same contract, which we may have forgotten about and assumed works really well, may blow up and then be completely unusable or broken as it's trying to scale to that many users. We have to think about that. People have to think about that type of stuff too, because redeploying contracts or upgrading contracts to then move state from one to the next is incredibly complicated.

Right, right, right, and yeah, exactly. You have to predict the future impact of a bug. Not just: today we're deploying in sort of beta or whatever, but you have to worry about that future thing. I'm kind of glad you bring up immutability and upgradeability, 'cause this is like a passion topic of mine, which is I wrote a blog post a while ago called "Upgradeability Is a Bug".

I saw that. I didn't read it.

It's probably the most read and controversial thing I've written in quite a while, but basically, and I can tell from the way that you're talking about the ability to upgrade, talking about deploying a new contract, migrating state, whatever, that you think about it much the same way that I do. So the title's inflammatory; before anybody gets super mad at me, I just want to say it is a little bit of clickbait. I don't mean that it's bad to be able to upgrade things. What I mean is there's been this push somewhat recently for just carte blanche upgradeability: I want to just be able to change the code at any moment in my smart contract. And so this proxy pattern, where you sort of stand up a proxy that just points to another address, and then you can just swap out that address and it's suddenly doing something new, this is the thing I really wanted to rail against, and my main point in there is that if somebody is going to trust a smart contract, they need to know what it's going to do, and there are two big things that I've been arguing against, two things that harm that. One is if it's mutable, then I don't know what it's going to do, because that might change by the time my transaction actually runs or whatever, or I might put some funds in there and then the behavior of the thing changes, and now I can't get them back out or something like that. So mutability kind of harms that, and then the other one... I discovered it rhymes, so: contracts that are mutable or inscrutable. That's my clever rhyme there.

I know, it's great.

Inscrutable being I just can't tell what it does, like obfuscated code, or bytecode where I didn't share the Solidity source or whatever, that sort of stuff, so nobody's going to really be able to tell what it does. And so either I can't read the code,
I can't tell what it does, or I can see the code and I know what it does right now, but it might change at any time. Both of those mean that it can't be trusted, that code can't be trusted. So that was the only point I was trying to make there, but I think it's a really good one as people think about security risk. It's really tough, because you want to be able to fix bugs. We know bugs are going to happen, they're not all going to get caught. The audit process helps, but bugs are going to get through, we know that, and there's a question of how you can respond to those bugs, but the answer is not to turn your immutable contract into a mutable one. You need to think of what is the trust model you have. There are various people who are using this contract; the developer is sometimes not even one of them, but there are various parties kind of using this thing. What do they need to know is guaranteed? Then you can't make that part mutable. So there might be parts that are like: well, this is kind of fuzzy and it actually doesn't matter how this part works. Great, then that's fine to kind of swap out logic on, but often the core functionality of the thing just really can't be mutable, and so instead you have to look at: how do you migrate to a new contract, and how do you let people opt into a change you want to make? I see this a lot, actually, and it's a pretty good governance property, where we're sort of going to use that proxy pattern, we're going to be able to point you to the latest code, but if you were using the old contract you get to keep using it till you decide that you want to switch. And that way you don't have to worry about someone changing it out from under you, but a benevolent developer who has made a security fix can make that easily available to you once you choose to move over. And other people are doing sort of these timelock things, which I think is sort of in between, which is: we can change this code, but we have to give everybody one month notice before we do it. And that gives them plenty of time to move their funds out, or, you know, you have to think through what will people be able to do during that time period if you're making some evil change that they don't like, what will they do. But that can increase trust too.

Then it's like: well, I don't have to worry about you front-running me and changing the code behavior before my transaction.

Yeah, exactly. And so I have that month to hopefully remove any funds I've stored there, or cancel whatever the functionality is. And so people should think about what are they going to do when a bug happens. I think that's a really, really good thing to think about before you deploy something: what are the different kinds of bugs we can think of that might happen, what will we do in case any of those crop up. The answer shouldn't be: let's just build in this generic upgradeability, and then we can change whatever we want whenever we want. That'll help you fix bugs, but it means no one can trust your contract.

Yeah, yeah. Actually, I think part of this problem is a bit inherent to the way we created things in the first place, and that is the language and what it's modeled after is not conducive to the mindset you should have when building smart contracts correctly. Solidity, we modeled it after JavaScript in a lot of ways, and most people who learn JavaScript are doing things that don't enforce those programming practices. It's not critical code, it's web frameworks that can fail in a lot of ways, and then you just handle the failure appropriately. Whereas, if the prospective people who are creating smart contracts come in, because there's a low barrier to entry, with that mindset, that's not the way you should be thinking about creating smart contracts appropriately. So you end up creating contracts with a programming mindset that is antithetical to how you should do it.

Yeah, yeah. I agree with that.
A hundred percent. I actually was recently auditing some Bitcoin script, as part of an audit that had sort of an Ethereum component and a Bitcoin component, branching out of my comfort zone a little bit, but I was auditing Bitcoin script and I kind of wish that every smart contract developer started with Bitcoin script, because it is extremely constrained. It is not a Turing complete language, it doesn't have loops, it doesn't have state, and so in a lot of ways it's kind of ideal for the kind of thing you should build with smart contracts, except that it's just terribly limited. Actually, adding state is great, having loops is great. Turing complete, I'm not totally sold on that being necessary, but frankly Ethereum smart contracts aren't Turing complete anyway, because they have limited gas. But anyway, so Solidity went really far on the extreme of: it's just a generic programming language and you can write whatever you want. Bitcoin script went the other way, which is: well, we started without that notion, but we need some limited ability to check signatures, and do multisig and stuff like that. And so it came from some specific scenarios and was an extremely constrained language that's hard to make really bad mistakes in. Just code review can really do a lot with Bitcoin script, I think. And then yeah, on the Solidity side we kind of went crazy, and I was hoping that Vyper would be the answer, the in-between. Vyper sort of constrains you a lot; it's an alternative to writing Solidity. It looks a lot more like Python than JavaScript, but that's only the superficial difference. Some of the main differences are they got rid of inheritance and modifiers, and they gave actually stronger types around things, like you can't get confused between your loop variable and an amount of ether you're going to send. You know, in Solidity they're both just numbers, they're integers, and it doesn't matter; in Vyper they... so they beefed up kind of the type system, they got rid of some of the more confusing ways to write code that are in Solidity, and so it remains to be seen how successful Vyper will be, but I'm kind of rooting for it, or for something like that, to be a better language that's more oriented around the types of things that people can and should do with smart contracts, which are mostly sort of financial manipulation sort of things. And if we can get that stuff just more obviously correct... We should be constrained a lot, I guess is the point. You really shouldn't be able to write anything you want in these smart contracts. You should have to follow some rules, even if there's an escape hatch for the occasional place where: oh no, I have to do something really weird here, fine, I have to break out of the sandbox. Most of your code should be in this really safe way, and perhaps Rust is a good analogy to that. Rust as a programming language says: look, we don't want people to have race conditions with data, and so we're going to build into the language things around borrowing and references, who can actually write to this when, and how do we pass these things off between threads. And then if you want to, you can put unsafe on something and you can write something else. That's an option, but you should feel bad when you do it, and you aren't getting the guarantees, you're not getting the help you want. That's how I think we should be approaching languages in Ethereum: if you stay on this path, we're going to take care of a bunch of problems for you, where the compiler is going to make sure you don't have these certain kinds of bugs and whatever, and if you have to stray, caveat emptor. I think you can do that, but now you're taking on a much higher burden. You better know exactly what you're doing. You may need to get
professional support from a security auditor on that stuff in particular. That's what I'd love to see, and Solidity doesn't yet have that. There is no happy path of: oh, if you keep yourself to these few functions or these few constructs, you're okay. It really doesn't have that, and so I hope that we get there, although I don't have many specific answers for how to do that.

Speaking of hopes and dreams, what are you excited about? What's coming up, or what do you see maybe trending, or somewhat of a paradigm shift in the space, that gets you excited to keep going?

Man, that's a great question. I should have a ready answer to that.

I don't like asking questions that people already have answers for.

Yeah, all right. Well, fair enough, then: success. I don't know, I mean, I'm excited about a lot of stuff in the space. I'll say that one thing that I don't get super excited about is sort of new... a lot of people are sort of like, hey, these people launched this new way to do this kind of new finance thing that didn't exist before, and whatever. I'm actually much less interested in those specific applications that launch on Ethereum than I am in the "we've opened a new door". Like I said, from my background, what I'm really excited about is a brand new platform, and oh, now we can do things we couldn't do before. And what I like seeing on Ethereum is stuff like... I'm trying to think of a good example. I don't know, maybe meta transactions is kind of... The idea of a meta transaction, for people who don't know, is: instead of sending a transaction yourself and paying gas for that, you could just sign a message saying what you meant to do and let somebody else send that to the blockchain and pay gas, and perhaps then you reward them in a token or something like that. So basically, it's a meta transaction because it's a transaction, but you don't actually have to send a transaction to do it; you sort of sign that thing. That's opening a door. Now, I don't know of a good use case off hand for why I need that, but I can definitely see that there's potential, if you have that mechanism, to build some new kinds of things. In particular, meta transactions I think help people around this sort of onboarding process: I don't have ether, how do I get in there? And so I'm excited about that kind of stuff, and I'm excited about actual Ethereum sort of core protocol stuff, Ethereum 2.0 stuff. There's a lot that's a moving target, like what exactly that means, but a lot of work around sharding and then how we can do a bunch of stuff in parallel and how those cross-shard things work. I think that's really exciting, because I think opening up scale will open up a lot of other kinds of applications. And so all the things I'm excited about are of the flavor... I'm not doing a great job with examples, but the flavor of them is: for Ethereum to get to the next level, it has to have sort of an explosion of different applications and things you can do with it, and I like things that are enabling technologies for that. So I like to see the sort of technical innovation that opens those possibilities up much more than I'm excited about a particular app. Like, somebody built some new dapp and it's cool and people like it, great. It almost never gets me that excited, but if they're building some new technology, if they've advanced how state channels can work, or they've done some sidechain thing that actually has some unique properties, that gets me excited, because even if I can't figure out exactly how that's going to make a big difference, I can tell, I can feel that that's an enabling technology that's going to do things. And that's how I feel about Ethereum in general. When I first saw smart contracts,
I struggled to think of even just a handful of ideas of what I would do with a smart contract, but I could kind of intuitively tell: oh, this is the kind of platform that enables these new sort of trustless interactions. Somebody's going to come up with good use cases. That's not my strong suit, but I can contribute to the technology part of it.

Yeah. Someone mentioned this to me and I never quite got why I can maybe comprehend or understand the value of a lot of this stuff. I came from the high performance computing field, doing a lot of scientific research on massive clusters, and the concept of buying time or buying computation time was okay to me, 'cause there's only a few of these machines around the world. They are capable of doing these really large calculations, and in order to use them you have to buy time on them, so you have to really think about how you're going to use that time efficiently or you can't get any research done. That concept is foreign to a lot of people, and I didn't make that click until someone explained to me that's not normal. And Ethereum is that concept, but on a massively distributed, open scale, right? And so most people, when they think about using Ethereum, they think of it in the context of everyday computation. It's like: why do I need to pay for something when I have it on my phone? It's because you're thinking about the concepts of using a machine like that incorrectly, and the value of that is only applicable to certain types of things, and not everything is supposed to be used there. And so expanding that use case, and then understanding what type of use cases those things are really good for, as the scalability and maybe efficiency gets better, is where I'm at, which I think is in line with what you just said. You're talking more about the specific technologies; I'm thinking about the broad things those technologies enable us as humanity to do, in terms of communication and finance and stuff.

Right, right, yeah. I like when people describe Ethereum as the world's slowest and most expensive computer, because, exactly, that's actually a really good place to start. I mean, that sounds stupid, then it's like: well, why do we want Ethereum? But that's perfect. A really good mindset to go into this stuff is: oh, that sounds stupid, I wouldn't want to run anything there, why would you want to do that? And then I go: well hey, what if we wanted to flip a coin long distance and the winner gets a dollar? How would you do that without something like Ethereum? Will you send me the money first and I'll flip the coin? You don't think so, right?

That's how I usually explain it. I do it with a gambling thing, 'cause I think it's very straightforward. It's like: oh yeah, I don't trust the person I'm betting against, that's obvious, right? And then you get to: well, what could you trust? So you get a third party. Well, now you both have to trust that, and it's like: well, here's where the world's most expensive and slowest computer comes in. It's one where we can both trust that the computation's going to be done fairly and exactly how we thought it would, and we're going to have to pay for that. That does come at an expense, but there are use cases where that's totally worth it.

And so I think it's a good place to start, actually thinking that Ethereum is really stupid, and then move to: okay, but what are people actually doing, and why would they do that? And once you see one or two compelling use cases, then you realize: oh, it's an enabling technology. It's letting people do things that otherwise I don't know how we would do, and that to me is what drew me in and got me really excited in the first place, and yeah, it's what still gets me excited, is seeing that, mostly seeing other people explore that. Like again, my strength is really seeing that technology and helping people to understand how to use it, and in the case of doing security work, it's how to use it safely, in a way that isn't going to blow up in your face, and then just watching them build all sorts of cool, innovative stuff on it.
Like, that's really where I live, so you'll never see me out there building a brand new kind of thing, but you will see me exploring the technology and helping other people to realize what's possible.

Actually, I call myself a professional hole puncher, and I try and build the skillset around that. I'm not doing a lot of the things myself, I'm just evaluating what other people are doing, like: that's going to have a problem right there, and that should be fixed first before anything. And building a skillset around making sure I can do that really well, I think that allows me to kind of get a broad scope of what's happening and get excited about just use cases and then seeing people implement those things, like: okay, this is novel, or this is interesting, or: okay, you have a problem here, this is how you're going to fix it, go do that, 'cause I don't want to do it.

I might steal that. That sounds like a perfect description of security work in general: a professional hole puncher. There's a hole there, I'm gonna blow it wide open and you're gonna have to go fix that now.

Right. All right, that's a nice way to wrap this up. Are there any questions that you wish I would have asked that I didn't?

Oh man, that's good. Maybe, well, all right. I don't know what question you would have asked to lead me to talk about this, but I will give sort of one final thought that has been on my mind a lot lately, which we touched on, which is how to get involved earlier. I hate when we get handed some code and we go: oh, if you'd just written it this way instead, everything would have been better, and it's too late. By the time we give that advice, they've already written it, they've buttoned everything up, they haven't just done an experiment, there's a lot of... right. So we're always looking to figure out how do we get in earlier in the process and kind of give architectural advice, or give sort of early code reviews even, and just go like: hey, here's a thing you might want to... We've done this a couple of times, but it's nice when we get to get in there and go: hey, you know what, you're doing this thing and you really should be doing it this way. Or let me have one of our guys give your team a thirty minute presentation about this one kind of best practice or this sort of thing. Or: oh, you're building a payment channel, guess what, we kind of have a checklist of things you want to think about for a payment channel and we'd like to give that to you now, before you write all the code. And by the way, when you get to your audit, it's going to be cheaper, because it's not going to take as much work, because the code's going to be better, it's going to be simpler, there's going to be less attack surface. And so we've been struggling with how to do this, and I don't have any answers except sort of a plea to anybody who's listening who's thinking about hiring us later for an audit: hire us now, or at least get in touch with us and just think about how we can start the process considerably earlier. And again, I don't think this necessarily has to be more expensive. I think that an audit at the end is a really big, heavy kind of expense, and you can actually smooth it out a little bit by heading some of these things off early on. And so that's something I've been thinking about a lot: how we truly get involved, how we're not just being auditors at the end, but we're really being kind of security partners throughout. And we're doing this with some clients where basically we did an audit, and then they were doing more work and they wanted us to kind of get involved earlier, and as I said, that's part of how I think this is going to get going, is people wanting that. But we don't get to do it much, so open question for people: please tweet me or whatever if you have ideas for a good way to get in there.

Something I think about a lot, actually, and there's a few things that you can do to help with that. One, as always, is education, and that's similar to the type of things
I mentioned earlier, and making standards and then discussing with people, like having someone like me in a company that tries to corral all this stuff and then make sure that they're doing the right thing so that you get to an audit appropriately. Yeah, that can really, really help. Some people can't afford that; what do they do? When the tooling's getting better, the way the tooling is created and the types of things that it outputs help people; it should guide you toward the way in which you should be doing things and the types of things you should be looking for before a formal audit. And then I think the main driving force, or the creation force, of the Ethereum security community was creating all of these guides and standards and checklists and things like that. It's just funding and time, basically, that is the bane of everyone in the space's existence. Yeah, and the next thing that I think would be interesting or useful is retainers. Have a security firm that you like, or maybe multiple, and put them on retainer, so that when you have questions, you're starting a project, you say: okay, check, this is our idea, these are the implementation ideas we have, this is the rough sketch. Can you look at this and give us a checklist, and maybe help us figure out the risk associated with what it could be, and then we'll start the building and we'll come to you more down the line on it.

Yeah, yes. That's what we've found, and I think we've pretty much only been successful in having this kind of relationship with people after their first audit. I think what's usually happened for us is we've done an audit and then, as the company started planning v2 or adding some functionality, then they're like: hey, can we run this past you? And we're like: yes! Thank you. I mean, we love that. It is the best time for us to really... We can make a huge difference in half an hour of time, if it's at the right time, and the audit is too late for some of that. Every critical bug we find is obviously tremendous impact or whatever, but if we could have, up front, just headed that off by giving a little architectural advice, or just: here's a thing to watch out for as you implement this, or something, it's amazing. When you get a hold of an expert, sometimes a really little bit of their time can go a long way, and so I wish we got more of that before the first audit. What we tend to do is, after we've... people love the audit work we did, and then they're like: hey, how else can we work together? And I love those relationships; those are kind of the clients I feel like we're helping the most. So I've been on a crusade to try to... well, all I've really done is sit around and think about it a lot; other people in the team have been trying to really get this out there with clients. And so anyway, when you said: hey, what else, what did we miss? That's been on my mind, and any time I have a chance to put that in front of other people and have them think about it and maybe give us some feedback on how we can do that better, I love to bring that up.

I'm really glad you said that. Continuing with the hole punch analogy: if you have the ability to look for holes in an early project that's small, and identify them, you can fix them before they... As you continue a project, you've built something, holes exacerbate and grow drastically. And so I tend to see in an audit that a small hole you would have found early, just by saying "you know, you would have a problem here, you should fix that," for a small amount of time, turns into something like: you have a serious issue that needs complete rearchitecture. And in a lot of circumstances it's like: this is going to have this major drawback in what you're trying to do because of the way you've built everything around it. And so as you build things on top of stuff, the stacks below get ossified. You can't change them very well, 'cause you have consequential effects on things above them. And I think that's something people can visualize: I have this small idea, this project, let's run it by an expert for a small amount of time, or over a retainer, or just pass it through something, and then they can say:
okay, here's an issue, you fix that; the rest seems solid, you should go start building and we'll look at it later.

Yeah.

People having that mindset, I think that's just a rare quality, I might say, but once again, there's only a few of you in the space that are capable of doing that, and if you already have enough... and if it got to the point where that's all you do, the prices of that are going to rise, so standards and education around doing that have to grow.

Yeah, yeah, yeah, yeah, a good point. Yep.

I think we're both quite passionate about that subject; we could talk about it forever, but that's all the time we have. Thanks for coming on, I really appreciate it. I've really enjoyed this conversation. How can people reach you and learn more?

Yeah, thanks so much for having me on; it was a blast. People can always find us at diligence.consensys.net; that's the way to get to our whole team. That's the easiest. We have web forms you can fill out, but just email us. And I'm online everywhere as smarx, so smarx on GitHub and twitter.com/smarx, all that stuff. So if people want to get me, they can do that, or steve.marx@consensys.net; that one's harder to remember, so yeah. Get in touch if you have any feedback on any of this stuff, or obviously if you're interested in hiring us for something. We get booked fast, so be as early as you can. If you know you need an audit coming up, it's also a great way to secure an audit later on down the line, to kind of introduce your project early. So that's an even better way to potentially, one, get your foot in the door to get the audit you want later, as well as maybe help you a lot on pricing it.

Yeah, yeah, definitely. That's a good sales pitch; you made the sales pitch for me. My whole goal as a security engineer at Status is to minimize the cost of audits while also getting it right. Yeah, yeah, all right. Well,
Thank you very much.
