Now I want to talk to you about testing for vulnerabilities in this segment. But let's start by talking about software testing. There's a great computer scientist who lived, he died a few years ago. His name was Edsger Dijkstra, absolutely wonderful computer scientist. And in fact, in my opinion, if computer science science had its Einstein, I think it was Dijkstra. And what he taught us was so much about software, and why software, in some sense, really is rooted in mathematics, and we have to be very careful about it. But one of his major messages was around testing. And how testing, kind of in his words, I'm going to paraphrase. But he said testing is a good way to demonstrate the presence of a problem, but it's terrible way to prove their absence. Does that make sense? When I test, I can show that there's a problem, no question. If I find the problem, I test, it didn't work. I go look, didn't work, I tested, you go, okay. Now what can you conclude from that? You can conclude that there's one problem. If I fix that problem, can I extrapolate that to having fixed all of them? No, and that's a problem in cybersecurity. Look, a lot of you sitting there listening, a lot of our learning community, probably think of penetration testing, meaning doing some probes into systems, as a pretty effective way of determining if there's a security problem. You might be sitting in some town, or city, or country, wherever you are, and maybe you even do some of this. A shop owner, bank, a business, a government agency says, hey, I see you know a little about cybersecurity. Would you help me with my security? And you say, of course, I'd be very happy to help you. And perhaps very innocently and not being aware of the warning that we get from Edsger Dijkstra, you roll in and it becomes your task or your intent to do penetration testing. Or to test for different types of flaws that would occur or be existent in their system, right? You'd roll in, you'd try this, you'd try that. You'd try breaking in to this, you'd fuss around with that. Maybe it's a medical device, you'd wear it, try to break it. You'd connect it to weird stuff. And then you'd have a breakthrough where you'd go, my gosh! If I do this and that, it breaks, and you write it down. And you produce a report, and you go back to your customer and say, I did a bunch of testing. And look, if you do this thing, wiggle the wire connected to this thing, it breaks. Your customer is going to be very pleased. You found a problem, they'll fix that problem, they'll pay you. You go off, and what have you really shown? You've proven that there's one problem, but you've not demonstrated the absence of others. Does that makes sense? It's really important because so much of cybersecurity is rooted in this idea that by penetration testing, by hacking, by being a white-hat hacker, a benevolent hacker, by probing, testing, and so on, that I can demonstrate the absence of security problems. That is just not true, absolutely fundamental that you keep that in mind. Because I think it arguably could be the biggest misconception that exists in cybersecurity today. And I think it plays to the enjoyment that a lot of us have in breaking into stuff. Let's face it, it is fun to break into things. If you're a little mischievous, then you probably find cybersecurity fascinating. That's been experience, I've been at this for 31 years. And I find that the types of people that are attracted to cybersecurity are often the types of people who have that little malicious or mischievous streak. Where they like to break things, and probe, and find problems, and point those problems out. There's nothing wrong with that. I think that's something you should be proud of. That's something that makes you a more intelligent person, a more inquisitive person. So don't lose that, but recognize that there are limitations as we test for penetrations. Now the theory, and we've got a chart that sort of shows that, there's a theory that if there are a number of vulnerabilities between, say, a subject and an object, then by testing, I might find one path through. But if I find 1 path, there might be 50 other paths. And in my report, I would say, hey, here I found these two or three vulnerabilities. I found these paths, you'd be very happy, but I'm missing all the others. You get the idea, but I think it's something that, as a learning community, we need to keep in mind as we go through our material through these sessions, so thanks.
