How does data security impact open-source projects?

Bart Farrell
0:00
In this episode of the Data Defenders Forum, Silvana and I got to speak to four different people about the challenges and considerations related to security, data protection, privacy, and compliance in the context of open source projects. We spoke to Sal Kimmich, who was a technical community architect at the Confidential Computing Consortium, Ollie Cuffley-Hur, who is the Senior Consultant at Control Plane cybersecurity consultancy, Horticultural Rado, who is an SRE at SCRM, Legal CN, CF Ambassador, Kedah Project maintainer. And last but not least Leo Nunez Garcia, who was a lawyer at Auden’s, and also an adviser to the Spanish Data Protection Agency. The participants discussed topics such as the difficulties and consensus, common language around these issues, the importance of discovery and data classification, the need for flexible and adaptable data protection processes, and the role of open source maintainers in ensuring secure communication. Let’s take a look at the episode and see what our panelists had to say about these topics. Just want to go around for everyone to sort of, you know, give a little bit of background on some of the things that they’re seeing in their day-to-day regarding these issues. And then Silvana and I have some other questions that we can put out there. So if each of you can just give a bit of a summary, a couple of minutes about some of the things that have been catching your attention around these issues. And that way, we can sort of establish a framework to continue the conversation after that. Um, so that being said, we can start with we’ll just go in the same order. What okay, if you want to chime in about the things you’ve noticed, being a maintainer in the Kedah project, and then also perhaps in your, in your, in your, when you’re not spending thousands of hours responding to Slack messages, things that you see in your day job in, in little, yeah, of course, or I guess that everybody knows, or half pair that all together, but in the case of not heard about it, basically we do an auto scaler or we create a metric server, which school weary 16 year of 60 different upstreams Yeah, for extending the Kubernetes say auto scaling features. And obviously the means are this means that we have to deal with a lot of different authentication ways, depending on the stream depending on the provider depending on the customer’s requirements. So we decided some time ago, to protect every communication, the internal every internal communication was protected over TLS are sore, because it’s required and validation Kubernetes.

Jorge Turrado Ferrero
2:31
Apart from that we are introducing a mechanism probably today will be released in the Americans for a self-managed certificate in a better way than just generating a certificate for five years. And about let’s continue with this party enough. We are introducing also mechanisms for using cert manager or or providing your own certificates and those kinds of things because we think that is a first-class thing that we need to support. In this scenario where we deal with a lot of different information. Another thing that we do is we never store any user data wherever we need them to store data because storing data means that you need to protect the data. So we totally rely on Kubernetes API. And if we need a secret, our users can provide us the secret reference. Okay, the secret is potato and the key inside the secret is tomato, and Kara instead of storing our own secrets, we totally rely on Kubernetes API yet for requesting so we don’t distort any secret. Apart from memory obviously, we need to store the secrets in the process memory but that is not I mean, storing for me. And apart from that, all their other things that we have faced. So with my already with them, biggest cloud providers is that they have a super nice feature from security different from security point of view, that is the like I delegated identities, several trials trust, Rona Shan Shan world identity, however, the specific cloud provider wants to call it but at the end of the day is the same technology and basically, they allows to federate to your own Kubernetes or the oId C server, your own Kubernetes, a identity provider with their provider. And based on that trusted relationship, you can access to the infrastructure. That’s another feature that we that we found and that we trust or on eat and we try to, to improve and to push to our users to go there. Because for me is the most safe, the safest option in cloud providers. So So, basically, our our Threat Protection model is we don’t distort any data. So if we transfer the responsibility to our to them users, they are they’re responsible for storing and managing their secret, we

don’t have access to any other secret. We are, we are really strict in that way, we only query or we only get the minimum needed information. I mean, if you are scaling based on Prometheus, or based on AWS, CloudWatch, whatever, we only do it, we don’t manage anything, we don’t do anything related with management, because that opens the door to having to do weird things and to escalate the regulates, we’re in some places and, and it’s risky. And obviously, it’s totally outside our, our 30 years and are our goal as as project. So that’s the second point. And the third one is, we try when when it’s possible, we try to introduce every every standard, in the in the in the in the tech area, for adding security, like a feather aiding or supporting federate authentications. using TLS, we have recently we have the brigade TLS below 1.2. So for us, the meaning acceptable TLS, for instance, is 1.2 1.2. Because a 1.1, and 1.0 are broken, you guys, you could use them, but they are not safe. So we try to build our security policy, on top of those three things, therefore, not having problems because even if if even even so it’s not our problem, because we are not a company we are an open source project, if they produce are really, really bad publicity, if any user has a leak due to our project.

Bart Farrell
7:11
Alright, very good. A couple of things there that we can discuss further. But I think the understanding of almost nowadays, anyone everyone has is in some way a security stakeholder whether they like it or not. And so from your perspective of you know, there are things we have to guarantee other things we’re not going to get involved in because of limitations of perhaps not having, you know, there could be a knowledge gap there, particularly around the the notion of not storing data. And you know that that’s the responsibility of the end user, once again, that this has to be a part of it, even though at face value, it might not seem that Kedah is a security based project, but that still has a very strong component there. And obviously, we could extrapolate that to to other open source projects. In terms of questions, if you got questions, just hang on to them right now. And we’ll get to them afterwards at the end, just to want to get everyone a chance to share their thoughts. That being said, all the your turn, things that have caught your attention lately, things that that you’d like to comment on.

Ollie Cuffley-Hur
8:06
I think for us, because the data we the data we handle is so diverse qubits clients in lots of different highly regulated industries. Our comprehensive security function, obviously, the reports they’re generating and the findings there, their documents income pretty substantive. We, we found that discovery was one of the biggest things, one of the most important things and also keeping our data classification, that protection processes and get our schema for flexible so that we can change it. As always we have we bring in more capabilities or start handling different kinds of data. So we get cleared to do government work in a different country, we need to handle that data according to the regulations and to cut the sensitivities there. So avoiding temptation to over engineer things, is is important because if you go too far in one way kind of making it the most resilient and perfect thing possible. It’s not going to be more difficult to unpick that and and make it work when you actually go online to change it. I guess the the second thing which I touched on must agree with that as well as just as a as a startup as a company that doesn’t have like an internal security team are kind of odd security consulting function, consult with the business itself and kind of act as our own security, but in terms of team making the most of native tools in in waneta capabilities in whatever tool we use it. So G Suite will JIRA or, or, or whatever it is. Having some kind of best practices or patterns documented so that we can just pick those up, tweak them to meet our needs and run with them is is great rather than having to kind of bring in loads of vendors or design New data protection justification approaches from the ground up.

Bart Farrell
10:04
Fantastic. It’s great. And I think another thing that just comes to mind, still, I’ve never thought about this, every single tool that we use has some kind of vulnerability or a security risk that goes along with it and as well as the data that’s been given there. So I think that’s a great insight. We just think about the sheer number of tools that you said, whether it’s Jira, whether it’s trial

, whether it’s, you know, G Suite, which I know you mentioned the previous conversation. Another thing that we can talk about further later on, I’m sure Lael will have plenty to say is that if you’re going to be working with a company, or a government in another country, how much you have to start learning about the individual regulations that you might be completely unaware of. And like you said, avoiding that temptation to over engineer things. Because if you walk into another country where things are going to be totally different, all that work feels like it’s, it’s going to waste. Great stuff. Let’s keep going. Sal.

Sal Kimmich
10:50
So I think there’s there’s two points on that, that I think, really getting an understanding of how to be security compliant across different sovereign nations and different sovereign nations definition of that. That’s something that’s actively coming into play right now. I think it’s gotten much more interesting, since there’s been sort of the push for s bombs and the definitions of what is valid for an S bomb for different governments. I think that’s a really great example of something that we’re going to see an expansion and maybe a differentiation of how regulation is dealing with what ultimately is just a, from a developer’s perspective, a template output, right? So we can standardize that whatever way makes sense. But that convergence has really yet to happen. But I think is coming into play less than two years. But I think on the other side of that, I think there’s something that I’m watching more broadly, I think it’s really interesting in the Kubernetes language, but is, you know, something to pay attention across them. There are certain things about AI particularly pay attention to cloud computing, right Kubernetes go Lang. And in those languages, for Kubernetes, particularly the there’s certain security concerns, some security permissions that just aren’t excellent, but are engineered into the language itself, and cannot be engineered out. And so I’d love to see projects really focus on if we can’t make those more secure, how do we get more honest and better about templating those because particularly from both open source maintainers that I work with, so I’ll work with 1215 Open Source maintainer is to try to get their project secure, both that maintainer and the head of an Aasbo right now, both those personalities are dealing with the problem of not being able to identify and Kubernetes exactly how secure they are, on any given day because of the ingest stream and knowing how secure their ingests are from other packages. So my concerns really are at that broader level, what are we doing to work across, particularly that maintainer level to make sure that the that security standard can be ingested in a way that doesn’t burden you all so severely? I’m not saying that this is now your new job. Let’s solve that systematically.

Bart Farrell
13:05
I think it’s a great point. And also, once again, is, as Jorge kind of explained, is like, look, you’re already signing up for a lot, as as a maintainer. How do you establish, you know, best practices and standards that can be met in a reasonable way without breaking the bank, so to speak, in terms of, of time and know-how, and making it making those conversations easier, rather than? And now you got to become a security expert? That’s,

that’s a great point.

Awesome. Let’s keep going late. Oh, so we’ve had, you know, different mentions of you know, the difficulties in different countries, you got a pretty solid background on that if you want to explain a little bit about, you know, things that you’ve worked on. And then of course, touch on the on the trends that are catching your attention.

José Leandro Núñez García
13:43
Of course, thank you very much well, well, in the in the past, I have been working for a while. And then in international relations, we’re dealing with it by chain, primarily. And one of the trade and sacred area was dealing with was creating a sort of international standards on the region that could be applied all around the world, and could simplify all this mess jurisdictions that we are suffering right now. But of course, this is really, really difficult, because you don’t even approach is that in many countries, they have to previously, it’s absolutely different than the one we have here. For example, in China, this culture does not exist. So you can imagine if the gods the concept of is not not existing, how can you explain to it I will just leave it there that you are trying to protect it, you know, about all the time in the States. I’m sure that most of the other people working from the middle from the human rights on the law point of view on dealing with privacy and all these things

focus just in the protection of the data. And you will look at the at the GDPR there’s been at the regulation we have a Europe. Well, it is important to notice that in data idle these dear. It’s it talks about the protection of personal data, of course, but it also talks about the free movement of such such data, you know, and people do forget about this. And I think that is what is leading to many problems on interpretation, all of the laws work, you know, in my opinion, what companies should do is to create internally common level of protection, which is high enough to comply with the different legislation in which they are trying to work out, and, you know, set this this high level of protection as the standard for the company. So, you can do it from the legal point of view point of view by using a tool, which is very Europe, which is what we just call binding corporate rules, which is a sort of code of conduct that companies can apply internally set or use under some previous era and so on. So, but, you know, this is a lot of work proceed takes a lot of time. And I think that lawyers, Southern technicians working together and trying to set this asana, this common standard in, in companies could be much more effective than than just loss, you know, because I think that this is a way in which we can bolster that data, and at the same time, allow the data to fall to move freely, which is absolutely critical. In this in this era. That’s, that’s our, without my phone.

Bart Farrell
16:39
Or, Hey, since you were first and you’ve been listening to anybody else in whether it’s as a maintainer, or in your regular job, you know, how often is it that you find an intersection and conversations going on between folks that are for more in the legal background and the legal domain also, because you work in a multinational, and people that are on the technical side? Okay.

Jorge Turrado Ferrero
16:59
Well, luckily for me, because I hate those conversations lacking for me. I don’t have to I don’t need to have those conversations from legal part. Because the best part is that we don’t provide any commercial support. Neither in my own coin, my own God. I mean, we are killer users in this virus and Swatch Group we use together, but if there is any leak, or any problem or any legal compliance is not with me, is very wrong problem and they need to talk with a guy who instal Qaeda in that specific place. So for me, is luckily for me is not a common conversation. But I know that forms like a dunker called me, maybe you you know about him awards for Microsoft. And he needs to have these conversations with users. And I think that they are complicated because usually users require legal part requires a super in deep standard actions, which are not totally doable in open source project, or maybe just for covering one Super Eight case. We need to refactor or redo a lot of places. I don’t remember there is a security standard, a lie that requires to call on a specific endpoint sorry, but I don’t remember the name and AWS SDK, for instance, or ESA is the gates support both through board that feeder, but maybe Prometheus is the SDK doesn’t support that feeder and this kind of pillar or those kinds of things, something is are complicated to achieve or to address because you need to balance adding value with being safe we pro with protecting data with no one being that not being attaching your design to those things and sometimes are complicated. The best part about from Dido about that is that in our specific case, I think that control plane folk have the same situation but in general the CN CF umbrella cover as as cn CF project in security terms not the not legally because obviously when you enter in a legal in legal terms, it’s complicated. But for instance, we are we are it’s not a secret we are trying to graduate to be on to be graduate project in cn, CF. And cn CF requires a security LD. So it’s a good bar because at the end of the day, we have a legal or not illegal an official document on official auditory that okay, I’m not going to defend that LD during in front of any legal department, or any firm or anyone I’m not going to defend it, but It’s barley. So if anyone needs to know, okay, it’s Kara secure. Is this project secure? Can we use it how we deal with our data? At the end of the day, the CN CF umbrella covers those kinds of things. And it’s easy for us and specific days. I don’t deal with none of

Bart Farrell
20:18
it. But I think it’s a great example. Because yeah, yeah, that it’s an insurance policy, and

it’s kind

of out of sight out of mind. Well, yes, I’ll I am,

Sal Kimmich
20:27
Ben, because I think this is I mean, really, my kind of my point here is kind of for Leo, because I mean, Oregon is talking to exactly the situation that I run into all the time, were consuming. Open Source organisations assume that open source packages are vendors, and they are not. And sometimes depending on what ecosystem you’re in, the majority of them are not vendors, right. And so security, in every other sector to this point has been put in place with the language in the understanding that there’s a supply chain, because that supply chain was physicalized, where your organisation right, if Bobo’s supply chain is better than another car company, I can see that. In this case, all of those supply chains now are inside of this big cloud thing called Kubernetes. And I do think there hasn’t been a well enough centralised source of support, we’ve got verification, we’ve got monitoring and the best cn CF will do for you right now is helping you to monitor your security and sometimes help you get that into place. But even you know, we’re at this level of graduating from cn CF, when you get to the audit stage, and you get to that threat model. Sometimes they’ll dump you off with a threat model and not give you next steps or support. Now, my question there is that, is that sustainable as a strategy for security for an ecosystem? Absolutely not, you need something that closes that gap. So I can go to, you know, I want your like standard, like LDAP compliant Kubernetes, Prometheus, Grafana, super standard, I want to be able to go to that and know that that’s 100% secure when I pull that down for my release, and we can’t do that right now. So I’m actually really interested on sort of that legal and compliance side, even though those aren’t the same thing. What do you think that’s going to look like moving forward? Because these are fundamental critical infrastructure problems?

Jorge Turrado Ferrero
22:15
I have, I would like

Bart Farrell
22:17
to order the only thing I asked is asked for a quick Anglo Saxon answer.

Jorge Turrado Ferrero
22:21
Yeah, they I don’t have any answer for leads. But I do like to not to remark that. So they’re really often users think that open source projects are vendors, as we are not vendors majority of the time. So you are you are downloading probably a project or code that is public that you could outlive, and you could modify it. But we are not rendered. You shouldn’t think that we are benders, and you shouldn’t despair, you shouldn’t expect a commercial support or any kind of support in your in your very big problem when your infrastructure is burning, though way don’t don’t expect any kind of Ardian support from an open source organisation because we are not vendors. And that’s a really good observation that ASR has them.

Bart Farrell
23:11
That’s great. And once again, as well, it’s like you got the you know, you’ve got the security audit for the CN CF. It’s like, look, you know,

this is we get up until here. And then after that you’re in charge, you know, you’re right. Like you said, it’s

not it’s not a product and that sense, really quickly. Well, I want to hear from Ali and then also from from Lael, just for the sake of time to respect Oh, and cylindrica, Schuberth, dynamic, Ali, all yours.

Ollie Cuffley-Hur
23:36
I think one of the interesting things about like the CNC F and the graduation process is it’s it’s a snapshot, it’s a point in time. And and I don’t have the answers. This is a raise the question in my mind, like how do you do continuous compliance with regulation for open source projects through an organisation like cn CF? Do you? Do you have it on a colour calendars basis? Or do you do or major releases? I don’t know. But I think that’s something that needs to be needs to be thought about. Because these projects change so fast. Like especially in the cloud, native space, open source projects are changing so fast. They do slow down, that release speed does slow down as they mature. But the compliance can change quite a lot between releases or between, even like yearly audits, gap. Data

Bart Farrell
24:31
has a wonderful point. And I think now we can turn it over to Leo as well. When you know, people are working on technology, by the very nature of it, there are

going to be changes. And when those changes come about, how can it be guaranteed that once again, the security data protection compliance is being brought into the picture in a way that doesn’t delay the releases that are going on and so that it’s not forgotten and not seen as being part of the problem, but rather part of the solution. What’s been your experience regarding that in terms of Yeah, we get this established now according to the regulations that we see today, but it’s in sometimes six months or a year or two years down the road, how is that going to look? And how can this be done in a way that doesn’t stall or cause heavy delays on the project progress?

José Leandro Núñez García
25:17
That’s a good point. Okay, and the problem we have on the by the view of legislation is that it tends to be very rigid. And, of course, you know, when lawyers arrive, technology is already implemented. So although you’re always arriving late, that’s, that’s what’s usually happened. So I think that the solution is regulating taking into account in technology neutrality, I mean, setting setting goals, and not specific obligations that allow companies and the law projects that are open source want to help to address these objectives that will address these goals. And to work forward. By taking into account that, of course, there is law in place, but that it is not possible to comply with every single law in every single jurisdiction, because nobody knows them. And many times there are even contradictory between them. And I’m focusing on on the big on the big goals, you know, of course, what we suggest to programmers and to, and to people will, which is coming to us, in order to ask if they broaden projects comply with, for example, data protection laws, and things like the me we usually say, say that, you know, when you are developing a tool, and it’s not compulsory that the tool is fully compliant with the laws, but just that it allows people to comply with law, which is slightly recurrent, for example, you can buy a car that can run up to 150 kilometres of power, and speed. And this is illegal in practically all jurisdictions, but companies are producing these cars. Why what why are they doing so? Well, because the car can go at 50 and go was 70 can go was 120, and can go and any speed that the driver wants. And I think that with analogy, I mean, the approach should be similar, okay, you can develop a tool, which allows us to do lots, lots of things, amazing, maybe some of them are not legal in some jurisdictions. But in insofar as this tool is flexible enough to be adapted to all these specific cases, and allow the user to, well to modify the tool, in the case of open source, or even to set up the such tool in a way that is usable, under the jurisdiction, this, it would be enough. When When drafting the GDPR, I was involved in the drafting project up to GDPR, representing Spain, at the very beginning of the DOS project. Afterwards, politicians enter into into the drafting of the laws and you know how this works. But in the legal first approach, I went there, and they were, are we in that would be very good to well to, to force developers to obtain some kind of certification on compliance with GDPR. And things like this. From our part, we were absolutely against this, this, this set of initiatives. But because we think that this is not not useful, what is useful is that you can convince, or you can show your clients that it is possible to comply with the law with your tools. And afterwards, we’ll use usually the tool who is setting up the tool and who is deciding what to do with the tool is the user is the end user. So the responsibility is in the you’re in the end user. Of course, if you your to your your software is good enough to allow the user to take decisions on this, and it’s not forcing to something which isn’t legal. And this is our approach when dealing with with software, you know, with software, and you know, and what I mean, I think that is not so rigid. And this is why loss shouldn’t be very explicit on setting requirements or software and things like this, you principles such as privacy by design are really good, because what they try to do is to well, to force you to reproduce privacy in the requirements of your software and that’s developing something which is capable to comply with law.

Bart Farrell
29:44
And I think that this has been fantastic insights. And and I think once again, the the issue of, of ownership of control of responsibility, where does that lie? Since we’re already a bit over time and thanks to everybody for staying on, just want to be thinking about what are things that we can

be can Siri for future conversations. I’ve been taking notes Sylvia has been taking notes. But if there’s anything you would like us to keep in mind questions, Sally, thank you for sharing that link. These are the things that are going to be helpful so that we know that we’re focusing on the topics where there were, there’s a lot of ground to be covered. It’s a face that with a lot of things we’re talking about today, it’s a reminder of why these conversations are important. Because there was uncertainty, there’s doubts, there’s a feeling of being overwhelmed that I feel like I have to learn all these things that can get in a lot of trouble, Leo, in your case, as well, working with a lot of startups that, you know, are trained to do things correctly, they’re thinking about scaling internationally. And in order to be you know, getting their go to market strategy Ready, and, and things like that feeling oh, I have no idea even where to start on this. But I know it’s very important. I think there’s been a lot of stuff shared. So that’s, that’s been very positive in that regard. In order case case, as well, seeing, you know, when an open source project gets started, what are the legal considerations that have to be? Mind it? It’s one thing if it’s a project in the CNCF, we’ll look at other open source foundations, it’s going to be different, slightly different flavours that might be encountered there. As Lael mentioned, as well, how explicit there’s a lot need to be or is more there as a guiding force and reminding folks, you know, who stands on which side? Lots of lots of great insights being shared today. So if there’s anything that we haven’t talked about so far, just really quickly, you can either turn on your mic and share it or leave it in the chat on because we want to know, what are the topics that that would be best to keep in mind? So we’ll go for it.

Sal Kimmich
31:28
Yeah, I’m gonna jump them right on that. Because I think we’re like right at the cusp of what my like, my biggest issue right now is that on the legislation slide, like, intent, absolutely observable. But oftentimes, the, you know, the acts, these new resilience Act, a lot of it’s getting closer and closer to actually being technically empathetic to what can be done with the state of the internet as it exists. So what I’m really interested in is where are the conversations being had? And if they’re not being had, because I can’t find them? Where are we going to have a conversation about what metadata? Is it appropriate to hold and tracked for a digital object on the internet? How much of that do we want to track? And when and why does it make sense to track that? Because for there’s examples now, where we’re seeing, man, when GDPR came in, when you tried to retro factor that on to a system, absolutely not possible, the best thing we got out of that was the ability to like tick a box to, you know, state our own rights. And I think that’s a great practice. But we’re in a different situation now with this total supply chain, and asks like s bomb would actually be radically over engineered for most conditions that they’re set up to support. So I’m interested Yeah, where are we going to go to get to a point where my regulation document is paired to a readme document, so that I can save myself years of translating the gap between as an organisation?

Bart Farrell
32:59
Excellent, and once again, plenty of plenty of things to go further on there.

Any other thoughts before we wrap it up?

Ollie Cuffley-Hur
33:05
So one of the goals that came up, I guess, sure, engineering perspective, is there a standard suburb API’s for metrics and telemetry and that sort of thing. And I just wonder how possible it would be to develop some kind of standard for just creating an API endpoint is exposed on a on a piece of open source software or Briatore software, that just gives you like a snapshot of compliance with various different various different standards and regulations that’s kind of stored in code that’s kept up to date with the configuration of that particular instance of the software. So in a sort of move from a dev sec, Ops II, or continuous monitoring approach, you can tell if someone’s gone in napkins go and change a setting that has certainly made data public, you don’t need to wait till the next audit, that will appear at this slash compliance endpoint. And that format is standardised across across different tools. Just a bit of blue sky thinking to use the consultant of No,

Bart Farrell
34:16
but still well, this is where

the casual conversation on a Thursday turned into a billion dollar startup. So thank you all for giving that information for free. We appreciate that. We are transparent here. This is being recorded, so we don’t have to worry about remembering her. That’s, that’s brilliant. That’s lovely. I like and that’s the thing is that how much you know, we

talk a lot about automation. How can this be done? So it doesn’t have to be every six months when there’s an audit of these things can just be detected and there’s more transparency if there are changes made, who made them and when they happen, so I think that’s great, good. Leah, you

want to say something as well?

José Leandro Núñez García
34:50
It was a little joke just just to say you are good at talking with lawyers not as terrible.

Bart Farrell
34:59
Here we go. input anything today we got here today in the same room as a lawyer. And that’s, that’s wonderful. But I think I think that’s I think it’s really, really good to hear what a guy’s perspective also being so honest and authentic and transparent and say, I really happy that I don’t have to deal with this stuff. And that’s once again, the pain points for stakeholders when they feel they’re being dragged into conversations, like, Look, I’m

a programmer, maintainer. This should be out of sight out of mind, at the same time is that it is 2023. And, you know, how much do we really trust a lot of the a lot of different agencies and companies that are out there with with the data that’s being shared? How much are we aware of when we, you know, classic things that when we agree to Terms and Conditions, what’s going to be done, as was brought up earlier to all the tools that we’re using, all right,

whereas, you know, we’re willingly signing up, we’re

paying on a subscription basis, we’re giving away lots of information, what has been done with that, and what has been done to protect it, uh, where does it become our responsibility, whereas there’s lots of big questions there. And then also things that are more on the technical side, I think Jorge is ready to go have for those of you that aren’t in Spain, it’s a tradition on on on Thursdays to go have a social time and have a well we call it in the in the Basque Country pinchable day. What are you going to do that today?

Jorge Turrado Ferrero
36:15
You smell Corbin, who’s Corbin tool?

Bart Farrell
36:19
Yeah, we also say coordinates which is a combination of Thursday and Friday. So anyway, this is this is really good. And thank you very, very much.