Rob Cairns sits down with Robert Rowley and talks all things WordPress security.
- Why security is important.
- Some best practices for WordPress security.
- General security for your business.
- Php 7.4 is going End of Life.
Hey everybody, Rob Cairns here. And today I’m here doing the podcast with my good friend Robert Rowley, who’s the security advocate at Patch Stack. How are you?
Hi, yeah, I’m doing great today. And how are you?
Doing well at the time of this record. It’s baseball playoff season, so life is good in the city of Toronto, as we say.
So, yeah. So I thought we’d talk a little bit about security, a topic you know, very. Well, I know very well and. I mean, we all know about the easy stuff, you know, use complex passwords, don’t use it. Mean do your backups, do make sure your backups can be restored. But in your opinion, what’s the number one thing that website owners do not? Do security wise.
Umm, that’s a good one. Well, you forgot to mention updates. Yes, but I I would put that I would put that as a second to honestly, passwords just seem to be that problem that just keeps coming back those insecure passwords.
But, you know, then those are individual users choosing bad passwords like pizza 123 or whatever it may be.
I’m with it.
Second to that though, yeah, it’s definitely is the updating and that’s more of a, uh, operations problem.
Yeah, what I would tell you is all I’ve said to many clients over the years, you DIY your website when they get into trouble and they come to me. The first thing I look at is when was the last time you did an update? And I like to tell the story. I was looking at a prospective client who I was doing e-mail stuff for, who I am no longer doing anything for due to a a 96% e-mail bounce rate which we won’t talk. And he he was doing an e-commerce site where he had 2000 names. And what I’ll tell you on his woo site was his plugins, his WordPress version and his updates were all eight months out of date. And I said to him, why didn’t you do this? He said I don’t need to.
Eventually, maybe he’s hoping that somebody will break in and start updating the. Site for him.
And he had a custom data, customer data in it. So, you know, I. I don’t know what to tell people and I did my due diligence and advised him and said you should do this. And he said I choose not to. And I said, OK, you’re on your own. Because, yeah, frankly, I don’t need my reputation guide to that issue.
Yeah, well, that that. Something happens in security industry that happens. You would be surprised at some of the large companies. That accept that exact sort of scenario. They just simply accept the risk of not. Dating there’s a policy in practice, there’s a process for this too, and it’s somebody’s name gets put down on a piece of paper saying they are the ones that accept the risk. And then if something bad happens due to this behavior, right? This failure to update, then they look up that documentation, they see the paper trail, and they say, hey, who’s here is. Who is responsible? Strangely enough, I think this week Uber’s CISO or former CISO is now facing charges for behavior that was similar along these lines. It wasn’t about updating, but it. Was about. Being the person responsible for security.
No, I I wouldn’t be surprised, I mean. I’m sure you read Hacker News on a regular basis, and I know I read Hacker News on a regular basis. And uh, every day there’s some hack somewhere with some. Retail companies? Some ransomware problems, some website problem. You know, I don’t think it’s a case of word press being secure or not secure, as Kevin Mitnick would have said in any of his books, the problems to people.
Oh yeah, absolutely. So the people are the problem for the insecure passwords and the people are the problem for not clicking update when in updates available.
Yeah, and by the. Way before you, before you click those updates, please backup your site ahead of time so that if you have a problem you can do a rollback because. There’s there’s issues with that. Uhm, Oh yeah. We were talking before we went to air about PHP and I kind of want to address this issue because I was in a uh build meeting this morning with a bunch of Gutenberg. Builders doing modern WordPress with Brian Gardner a those who don’t know Brian Gardner when the developer advocates up at WP engine and he has these what he calls FSE Roundtable Fridays where we get together and talk about changes and. Full site editing and one of the things I got into, we were talking about Word press 61 and I said be really careful here. Because WordPress 61 is going to be the first version of WordPress as fully 8 point X PHP compatible, but PHP 7 four goes into life at the end of November. What are your thoughts on that?
Just a month away. Yeah, I’m I’m going to start with how PHP developers in the team behind PHP communicated their their end of life and end of support and end of security support. Now they’ve got a page on their website, net, it’s supported versions, they’ve got a big list and they can tell you every branch of PHP 7. All the way back to 7.0, which was end of life back in like 2019. They have 7172737480 and eight one and they can clearly say that. Yeah, we know. In the past when they ended, support was we also can tell you in the future we know we can tell you that 80. I have it up right now. It was released November 2020. It is actively supported, which just means you know, active updates to it until November 2022, and security support, which means security patches only until November 2023. This has been community and this is the same thing for 8.1 which is actively supported until November 2023 and security support is planned until November 2024. So this is, I think this is like the greatest way for operations people to know when to expect the updates to come, right? They know that. They’ve got to get off of 6 point or sorry 7.4 and onto 8.0. So technically in November like next month but. Yeah, and this is the it’s, it seems like a short period of time, but reality is this has been known for over a year. We already know that 8.0. You’re going to have to get off of 8.0 and onto 8.1 because security support ends in November. 2023 so you’ve got a whole year to revamp both your backends, right? The hosting infrastructure as well as? Code to accommodate for this. Now there’s also the extended support right, which we we could go into as well, but those are third parties who continue to provide security support for older PHP packages.
Yeah and the one, the one thing I would say and we were talking about is the issue with most WordPress devs and designers is. Have the there plug in. Uh, manufacturers or coders? Have they got those plugins up to date? So I’m in the middle right now I run just over about 350 sites that I’m responsible for updating, and I’m already in the middle of doing testing to see what sites I’m going to have problems with and which ones I can move. Now to save myself issues. And I’m about a halfway through that process and I’m think I’m running about a 5050 split right now. You know what you can do, and the way and the way to check is to check your server logs and find out what’s going on when you when you flip a site ’cause.
The error messages will tell you.
Yep, yeah, I’m just remembering too many times I’ve seen site owners not check their error messages in the error logs. So it’s very common that when I when I worked at hosting providers, I go through the error. Logs and it’s. Just like well, here’s the exact problem you’re dealing with today, and here are ten additional problems that you’ve not dealt with yet. Like they’re all warning messages ’cause a modern language. I do not know for sure if PHP does this, but I know I dealt with this when I was developing in Ruby DW. Warnings for depreciated function calls. I’m pretty sure PHP does the same. If you know that your if your code is running a function and the name of the function is something that’s going to be depreciated in the next release, where will that show up? How can the code tell the developer, hey you need to change this from this function to that? Well, they tell you right there in the error logs, but somebody has to be checking them. Has to look.
Yeah, and even on a shared server there are error logs that you can look at and people don’t realize that. So I think people need to learn to use the tools that are available to them. Am along the same lines in PHP. WordPress has made an announcement lately they will no longer support some older versions. I actually think that’s a really good idea. Because the codebase is so old, the security issues are so old. Do you have thoughts on that or?
Yeah, I mean, I I like it. I do not know what. What’s the version that they’re going back to?
I think anything 3X or 4X they they will not support.
Oh, that’s Oh my goodness. Yes, they need to drop support for those. If that’s Oh no, you’re talking about the WordPress version or the PHP version.
The WordPress core version.
Oh my, OK, I thought you were talking about word the PHP 3IN PHP 4. Which is why I’m like, Oh my, yes, those are decades old. No, the WordPress versions. Yeah, the that. That’s a great thing to you know. Mostly because, yeah, those are the old versions that were still, I don’t think they could run on modern PHP infrastructure, right? They they would be running old outdated versions of PHP and. I think it’s common that I see a lot of code that supports PHP 5.6, so there’s a big difference between PHP 5 and PHP 7, and there’s security implications within those differences. I’m aware of vulnerabilities that are no longer being addressed and they have a lot to deal with object injection methodologies of. Back and those are just simply not patched in. 5.0 or five point XI should say. And the seven point X versions is really where PHP changed how they handled objects when they’re being instantiated within the codebase to make it more secure. So like era circa like 2018, the whole PHP ecosystem. Got a lot more. Sure. And how it handles objects that are being, you know, created within the code base. However, if you have a user ecosystem that’s still supporting these five point X, there’s 5.6 and these older versions of PHP, all those new security updates don’t help. And this is the same or similar for WordPress. All of this 43 point. I think it’s 3.94 point oh through 4 point like one and two. Dropping support for those. Officially dropping support for those. Well, shoot, how do I explain this officially dropping the unofficial support for those ’cause that’s really what it that’s like the truest way to explain that. Uh, is the best, best thing to do? Because those site owners, they really need to get moved up. And if they refuse to, it needs to not be. I’m sorry. Like the WordPress community and those developers need to stop holding their hand and simply say, you know, I’m sorry, but you know, we can’t continue put in time backporting security fixes for you. And if you give me a second, I would love to explain why that complex chain of clarifications why we like dropping support for the officially unofficial supported versions of WordPress is the true statement. That’s mostly because the official version of Word Press that’s supported is only the most recent release, right? So that’s six. One now, right? Or six? Oh, it’s almost six. One, it’s 60.
6.0 point two at the time that this record 61 comes out on November the 1st.
Yeah, yeah, 602 is the only official current release, and the moment 61 comes out, that’s the only six. One will be the only officially supported release, however. Practically speaking, like an actual like how the real world works and how the ecosystem really what the support they do provide. They’re providing something called security releases. The security releases go all the way back to well, it was 3.9 and I commented on this a few times during the Patch Stacks weekly saying this is actually quite surprising and. It is something great this community does. They have security backports for over 10 years of software version. However, the official word from wordpress.org is only the most recent version is supported. So it’s really kind of confusing and that’s why I have to make this really weird phrase of the only officially supported, unofficially supported like version of WordPress.
So it’s so true and it’s, and it’s worth mentioning that and uh. I don’t know. Like I’ve I’ve played around with debate is for six one and I’m not sure at this point how much of it is going to be a feature release and how many security patches so they’ll throw in there. Probably not many. It’ll probably be A6, typically it’ll be a six one point. One which will come a week later or two weeks later with all the security stuff. Typically and you.
Yeah, you’re right on it there. Yeah, that’s how they do it. They, they do the major releases with features and they don’t sneak in security releases and the major ones. But of course, you know, a couple weeks later a security of the lease. Will be well, tends to pop up.
Yeah, and you were? We were talking about 0 days. It’s interesting, out of the WordPress community, one of the biggest zero days running around right now is a Microsoft Exchange. Zero day that. Uh, it has keeps rolling its ugly head all of a sudden. And yeah, and I don’t know why, knowing Microsoft. What embach? This one, to be honest with you, it seems to be keep going and going and going.
Yeah, well, some researchers found a lot of stuff I remember about two or three years ago in exchange, and I think this is kind of connected to those. I believe the original research was, funny enough, object injection related, but because object injection attacks are not PHP specific, they’re in Java, they’re in C hash or whatever. Exchange is developed in and. And yeah, it’s it’s it’s just a weird little different way of of accidentally writing a security bug.
So true I am saying in my business and that is your web hosting company has to be your partner and I stress the word partner in security, not a vendor you employ. What do you think about that? I think some hosts do security layers better than other hosts. Do you have any feeling?
Oh, I like that quote, you know. Yeah, because they’ve got a being a partner with it is like, yeah, like they’re willing to help you out. And when I worked at hosting providers, I’ve I don’t think I’ve ever tyed the Security Service site services I developed for those hosting providers to a product, so it was never charged for security. And it was always just security is just what’s given, mostly because it’s beneficial for everyone. You can’t leave a hacked site there and try to hold it hostage with the customers saying you need to pay us an additional 5 hundred $600 to clean up your ACT site. Right. You just like fix it, right ’cause that’s the right thing to do, but just fix the hack site. Tell the customer what they need to do. Tell that you can even probably inform them there’s more they need to do, right? Like you need to change your passwords, make sure you do updates, make sure you have backups. Double check everything you know. Make sure everything is still clean because this was a free, you know this was a Security Service provided for free. Feel free to hire a third party auditor but the hosting provider saying, oh you know, you gotta try pay extra for security. It’s a big deal in security industry. In fact, there’s a list as an ongoing list. Somebody does where they call. All out services, online services who only offer two factor authentication on premium plans, right? Like you literally have to pay them extra to do 2 factor auth which is super easy and it can be implemented for free. They just have to take the time to update their off form. And yet they’re like, no, if you want to factor all together, you want if you want to secure your account, pay us more money. It’s just it’s where it misses the mark and that’s when security marketing kind of can clearly conflict.
Yeah, and uh. And as somebody in this space, personally, I suggest that people turn on 2 factor authentication. The the new Authenticator apps like the Google Authenticator app is really easy to use. I use it and the Microsoft one. I got a I was sharing with you. I just got a new phone recently and they transferred those authenticator apps to the new phone. Was easy peasy, wasn’t hard base with the right credentials.
Yeah, it’s a process, so you should share with everybody what that process is, ’cause they’ve got to remember to. You can’t just go out and buy a new phone and trade in your old phone and before you do the Authenticator app swap.
Yeah, what I what I did actually was I wanted to make sure when I started working with the. New phone. I had everything in one place, so I actually grabbed my Android tablet. And people say, why would you do that? Because I decided I wanted my authenticator apps and then other places a backup in case something happened. So I grabbed my Android tablet. I loaded both the Microsoft and Google Authenticator on the Android tablet, so that gets the apps on there. Then I went back to my phone, which at the time was a Pixel 48. And Google is really easy. You bring it lets you bring up a barcode internally in the app, and then all you do is take the new location. And scan it. And once you scan that barcode, it imports all your authentication stuff. In my case it’s like over 150. It’s unreal. Now I only use the Microsoft Authenticator for Microsoft Apps ’cause it works a little bit. Uhm, what you do in the Microsoft side is you make a backup to your Microsoft account of what’s in your Authenticator app, and then when you’re running up the first time when they do the device it says do you want to restore from a backup with this account? You say yes, and it imports it all in the process really. If you do it right, it takes a couple minutes per app. So when I got my Pixel 68, I just repeated the process. I wiped the four eight, so I’ve totally wiped that phone. I’ve actually sent it to my brother Outlast, so I had to. Wipe it. And I’ve now got my authenticator apps on my Android tablet and on my 6A so that if something goes wrong. I’ve gotten in another location as well. Perfect. You know, along that I also use a password manager. So, uhm, I’m a big believer that passwords should be strong and complex. We talked about that. Not in a dictionary. So my my password manager choice for about the last couple of years has been bitwarden, which is open source. I pay for it. ’cause I want to support what they’re doing. And what I do with Bitwarden is every couple months I export a password list. Yes, I know. But that password list goes into an envelope which goes into my safe that says if you need something and I’m not in a position to help you, i.e I’m sick in the hospital and so on. Here is my entire password list. Open this envelope.
And it’s something I think that business owners and even personal users don’t think about. What happens to my passwords if I died anymore or if I get incapacitated. Yeah, and all my family knows that password list is right next to my. Will and they know how to get at it, so that’s really important.
Yeah, that that’s an important thing. Definitely securing it, having a good home safe and like, you know, actually get to use your home safe for something good besides just, you know, copies of your birth certificate and Social Security cards and stuff.
And passports. Passports. Yeah, yeah.
At this point.
And so I think that’s really important. I I also think. And we were. Talking a little bit, I’m about to start working remotely and I’m in the process. I’m going to be building out a new laptop. Uh, which will be a Windows laptop high end? And then I’m going to remote to a Linux box that’s, uhm located in my home residence. So when I’m out, I’m instead VPN ING from my windows box to where I need to go. I’m actually going to VPN home to my Linux box and then go out. Back that way. And one of the reasons I’m going that way. Is for security. The other reason I’m going that way is if I’m in the middle of a large file transfer and I’m on a Wi-Fi connection that doesn’t want to behave, I don’t lose that transfer in the middle. Uhm, do you have any thoughts on me doing that in my over killing or my under killing?
Yeah, I think you have a good use case that’s the best. That’s the biggest thing you’re you’re only over killing if your use case doesn’t match what your tech stack is capable of and your use case is the biggest one there was, yeah, what if you’re on? Laptop and you’ve got to download a backup, right? Maybe your clients right need a. A site update and the right thing to do first is do a backup first, but they’ve got 50 gigs of data. Or, you know, even 20 gigs could be a little bit much. 10 gigs can be too much on some hotel Wi-Fi networks. And what if you’ve got to go get dinner or something? You’re going to leave your your laptop sitting there and hope that the Wi-Fi doesn’t drop during the middle of the transfer. And then you get to start it. So using a, you know, a server that’s back at home that you’re just VNC type connecting to is a great way to do it. Now I know you know security, network security stack, but perhaps the other listeners don’t. You gotta be really conscious and aware of not just opening the port with your firewall. That’s not a, that’s not a VPN. Right, I’m sure that you’re doing an actual proper VPN where you’ve got authentication to before you can start VNC ING to that local server. Another way? Uh, there’s a there’s a few apps that do this now. And one that I’m familiar with, that I’ve set up myself as Cloudflare has something called Argo Tunnels, and those Argo tunnels can open up an intern like a a port on an internal box that’s not accessible to the Internet and you have to traverse through Cloudflare’s authentic not authentication. But basically, yeah, they’ll have an authentication layer. Before they allow you to connect to that server. That’s inside of a network, which is quite funny. This is the same thing attackers do to get persistence and connections right like they’ll they open up a port internally and they do an auth protocol between the two where where the process running on the local server that’s hidden behind the network is the one that like gets authenticated and then allows connections in. And this is all done without having to open up. Network port and you don’t even have to have a VPN VPN portal open. It’s all kind of handled in the. So doing something, as long as you’re doing something to secure that, that sensitive box that’s behind the VPN for your case, or behind an Argo tunnel, or basically it’s not publicly accessible, you’ve got an authentication layer before somebody accesses it, then it’s perfect because you’ll be able to log in, get past authentication layer, get past the VNC layer. Have a log in as well. And then you can start the process and that process will run on that local system.
No, no, I do that. And uh, the other thing I do. And you know, I’ve talked about before many times. Uh, because this is a business? For high end stuff I actually have a custom script that runs so all my backups go to the cloud. It takes the backups and copies them to a local Synology Nas server and then I which is RAID 5. And then I have another Nas server in another location and Synology has this cool software that lets you just say. Sync my two dads servers in the middle.
So it just goes about and syncs my two data servers so. Backups are key that people need to realize. Having the original one other copy is not sufficient. You need multiple copies in multiple places, preferably offsite. And I gotta stress that, because there’s been people who’ve had fun house fires or thefts. And what it is? Thieves do they steal the backup drive that’s next to the computer.
So yeah, those things are not cheap either, right? They don’t even. They won’t even care about the data on that drive. They’ll just plug it into a factory reset and boom, everything is gone.
So that that is so, that is so key.
So, so we talked a little bit about that. One of the things I’d like to put out to the listeners is what they should do. If you want a quick security synopsis every week is make sure you listen to the patch stack weekly, give Roberts. Weekly round up a little plug. It’s usually 10 or 15 minutes of great security info. It’s a podcast available on most platforms, certainly on pocket casts. Uhm, that’s where I listen to it. And and you try and talk about whatever is on your mind. And what’s happened? During the week, yeah, I think it’s really important.
Yeah, every week is a little weekly knowledge share, so there’s something for everyone to learn. And if that week knowledge share isn’t quite in your arena name, maybe next week will be a bit different. You know, I’ve gone all over the all over the spectrum of security topics.
And I think come and you also identify like two or three plugins that have major security issues. And yeah, that is one of my sources for staying up to date. I always say to people. Find people smarter than you.
Yeah, yeah, yeah.
And and there’s then there’s you. There’s certainly a ithemes does a really good job on their Wednesday roundups. Yeah, security generally does a good job now they cover more than just a WordPress space. I think their their last e-mail was all about Joomla updates and and certainly the folks over at WP Scan which is an automatic company do a pretty good job at covering so. I think you got. Yeah, if you’re gonna want to stay up to date with security, there’s a couple really good sources out there.
So yeah, yeah, especially the good ones that are nice and brief. And I also love whenever I can kind of talk about how a vulnerability is not really severe, severe or critical issue, even though like some of the communications has gone. Those have been the topics of prior weeklies and I think even this week weekly I get to talk about oh, like this one sounds bad, it’s UN authenticated, but there’s these extra things that you like aren’t being clearly communicated, like you need this extra thing, which means it’s not actually a huge risk.
No, it’s true. And you gotta realize that just because of vulnerabilities out there, is it a one on a 1 to 10 or is it a 10 on their tender? 10I. Yeah, there is a difference in complexity. And people hear the word security vulnerability and they jump. And I sometimes get really upset at mainstream tech journalists. They’ll right on. An article and they’ll say, oh, here’s another security problem. We have word press. No, no, no. Microsoft patches their operating system on Patch Tuesday every month. Without failure, and they’re not doing that. To Microsoft so. I think the key is insecurity, and you and I have had this conversation is who do you trust?
All about that trust, yeah, but and how you build that trust too is by wording it different. The communication needs to be different. When these journalists say security bug or they say vulnerability in WordPress, really it’s a security bug that was. Patched in a. Big difference in those two phrases.
Yeah, I I would agree. What’s going on? Up a patch that you guys have a wonderful dashboard that you can eels. I am a patch stack user farm and burn. You start off with a free plan so if somebody got a couple sites and they want to give it a spin they can go there. And do that. Uhm, you’ve got really good communication. I know every Monday or Tuesday and e-mail goes out about the weekly. I’ve I’ve probably. Knowing me, I’ve listened to it by then. It’s kind of one of those things. When it pops up in my podcast catcher, it hits the playlist pretty quick. Uhm, what else are you doing? Up to.
Yeah, I mean you, you, you mentioned the big one, right? We’ve got this plugin which connects to our App Dashboard, which gives site owners, even at the free level, a nice little, what I call Security operations center. You can put in all your websites and you’re going to get a dashboard where you can see the health of security of those components that are installed on every one of those. WordPress sites.
Aside from that though, we take this and all of this is powered by the intelligence which is part of our patch check database. Which you can view ashtak.com database and that that’s really just a firehose of. Every new vulnerability or security bug that’s being patched. And what’s really cool about those, if you look closely, there’s some little red flags and little green flags that identifies if there’s a. A patch available for that or not. So there’s a little red flag next to a security bug that we’re reporting. That means that we’ve reported it to the developer and we’ve gotten no response back. Typically you’ll also go to thewordpress.org plugins repository and you’ll notice that those plugins are $10 be marked closed due to either no reason or no official reason, or after about a month they finally clarify. Yeah, there was a security bug that was not patched, so they no longer want to distribute those plugins. So those little red flags are great little key bits of insight. Another thing that we started adding is if you look closely, sometimes there’s a little, I think it’s a radar or basically little flashing note notice, and we’re starting to communicate when we’re seeing active attacks against these security bugs in popular plugins. I think that’s a wealth of information. And we take all this intelligence that we have, which is more than just a list of which plugins are vulnerable. It has that information about if there’s a patch available, it has that information about if it’s being actively exploited and we’re partnering with hosting providers. One big one this week was one.com and all of their their subsequent brains underneath them. They’re now going to start integrating our patch tech intelligence into their service, is another big announcement, which was last month just before Wordcamp US was host. And they’re a EU based host, but they’re starting to use our intelligence as well. Again, we’re working with the hosts so that the hosts can notify their customers. We’re also working directly with site owners and we’re working with agencies like like yourself, right? When somebody site owner doesn’t have a hosting provider that’s helping them out with security or even if the site owner can’t do the security, they updates and. All that works themselves. Then they can they should be hopefully working with an agency that can use. A tool like patch. Text uh, to to let them know hey, this is a critical security vulnerability on this on this website. You should probably. Be, you know, putting some some of your time aside today to work on this right away. Or, you know, there’s a security bug. It’s medium, but so it takes some time this week to do it.
Yeah, and the other place I’ve seen it recently is you have a partnership with the WordPress toolkit in C panel. I’ve I’ve certainly seen the links in there when vulnerabilities come up on. On certain sites and. You know you and me and it points back to a patch stack. And then the last place worth mentioning is follow the patch stack Twitter ID because you, your team tweets out the vulnerabilities on Twitter on a regular basis.
Yes, Patch Tag app on Twitter. Also haku. I think there’s an under score at the end of Haku on Twitter as well. Haku is the one that always talks about the vulnerabilities and the security bugs.
Yeah, I see. I actually, I actually have those two apps right in their own Twitter list, so I don’t miss. Some believe it or not. So yeah. So there’s some, there’s all kinds of good sources, and. And you know, if people are having problems, come Roberts pretty approachable. You can reach out and and say to him, hey, what do you think I should do? Can you can you guide me? If somebody wants to do that, how’s the best way to reach? Out to Robert.
You can reach out to me on. If you’re on post status, I’m easily there. I’m Robert R on post status. On Twitter you can reach out to either @patchstackapp Stack app or try to hit up Haku. Or you can just reach out to me is my Twitter handles. I am @iamlei. So it’s I am Lee on Twitter and you just, yeah, message me and see what’s up. And I’m always, basically, I always love to help. So if you got a problem and it’s a discussion or a short one, I can always help. But I’m not going to build you a whole security infrastructure.
Robert, it’s been great. Thanks for sharing your knowledge as always. And you have a wonderful day and a great weekend.
Thank you very much for the time. Thank you. Bye.