
Patrick Gray
And welcome to another Risky Business Soapbox edition. My name's Patrick Gray. If you're not familiar with Soapbox, it is a paid sponsored slot. And that means that everyone you hear in one of these Soapbox editions of the show paid to be here. But today's soapbox is with Knock Knock. It's sponsored by Knock Knock. And regular listeners would know that this is a company that I'm deeply involved in. I'm actually on the board of directors of this company. I helped this company secure its seed funding from Decibel Partners, where I am a founder advisor. And I also helped to recruit our guest today, Mr. Adam Pointon, to the role of CEO. And that is because the people who developed the original technology of Knock Knock, you know, it's spun out of a services company, right? They developed it to deploy it to their customers. And now that Knock Knock is going to be, you know, its own thing, and it's doing a big push out there all on its own, it needed a new CEO. And that CEO joins me now. Adam, we should probably just set the scene of what Knock Knock actually is. I'm going to have a crack at explaining it. I mean, this is a product that we use at Risky Business Media. We love it. Essentially what it is, is just-in-time network access or network allow listing. Basically we have some systems that we use to run our, you know, web property and they're creaky and we don't have too much confidence in them. So what we've been able to do with Knock Knock is basically firewall them off from the Internet. And the only way you can get access to the ports that you need to access these systems is to authenticate to Knock Knock via SSO. So it's very easy. You just hit one page, hit authenticate with SSO and then bang, that dynamically opens up the ports to your IP, right, so that you can then access those systems. So that is the sort of starter level idea behind Knock Knock, isn't it? Which is this dynamic IP restriction.
But there is more and we'll talk about that soon. But that's the starting point for people to understand this, right?
Adam Pointon
That's right. So just-in-time network access control, done easily. So as you said, single sign-on button and then magically, ports open. What actually happens is in the background, through out-of-band control, we orchestrate existing infrastructure. So as you said, you've got an existing system, you've got firewalls. What Knock Knock does is rather than sitting in the way of those firewalls or that network path, we actually orchestrate the firewalls and say this IP address is allowed access for four hours to these services, and then you go about your business and directly access those services. We don't sit in the way like another zero trust network approach. We actually orchestrate the firewalls that you already have.
Patrick Gray
That said, you can actually ship your own firewall, right? Like we don't have, like, Palos or Fortinets sitting in front of our stuff. So you can actually do it any way you want, really?
Adam Pointon
Absolutely. Like we don't really like the Swiss army knife analogy, but it kind of works. We can do on-host firewall control, we can do Palo upstream, we can do public cloud network security group control. There's a lot of options with it. It can also operate in reverse proxy mode, so actually do layer seven just-in-time application level, like web application level, control, which is really interesting. So we have some customers that are using it so that admin actually requires you to log into Knock Knock separately, and then that is allowed through only to authorized users, whereas other parts of a web application are directly accessible. So it can do low-level firewall control, any port, any protocol, IPv6, etc., or all the way up to layer 7 if you operate it in that mode.
Patrick Gray
Yeah, and it's interesting, right, because every different use case, you might want to use it slightly differently. So I know that there's one Knock Knock customer that is like an IPv6 shop, right, and it's amazing for them. But as you point out too, you've got like an HAProxy part to all of this. So if you want to use this as like an identity-aware proxy, you can do that as well. So you've got the IP restriction, but then you've also got an authenticated browser session as well to make sure that it's the correct user that's able to access, you know, what is presumably a hideously vulnerable web application that you are running.
Adam Pointon
Yeah, we like to call them legacy applications for our customers. But yeah, typically they're a web application that's been built previously, doesn't have MFA, and they wanted to add MFA, take that web application off the Internet, but not force everybody to go through a VPN. So they didn't want another bump in the wire to get to that system. So they're using Knock Knock to protect it. You can't hit it on the IP address, no scan is going to pick it up. It's invisible. But then they also have a layer 7 level control. But yeah, on the IPv6 approach, we love IPv6 because you get individual attribution of the user, obviously. We also support privacy extensions where their IP address sort of rolls, and we have that direct access capability into the service. So we love IPv6 and we love our customers with legacy applications because we let them sleep at night a little bit better knowing that they're not on the Internet all the time, just waiting to get hosed, because Knock Knock's really protecting them and taking them offline.
Patrick Gray
Yeah. Now, for most of the time, right, allow listing a v4 address is actually going to be enough, right? But there are circumstances where it's not. And that's a fun conversation thinking about, well, hey, if you happen to be in Brazil or whatever and you're trying to access some web application on your network and you're coming out of a CGNAT gateway that's dirty, right, that has like a million compromised hosts behind it that are scanning the Internet. You know, you probably don't want to just rely on that control on its own.
Adam Pointon
That's right, yeah. And a lot of the access still, we allow access to the network service, people still need to authenticate in. You know, it might be an SSH bastion, it might be a VPN endpoint. So those hostile IPs do have access to that service for a period of time, for the four hours for that session or whatever it is, but it's still not enough. We still want to be able to say this IP can have access, but also we're going to inject some tokens into HTTP streams so that we can do additional layer 7 filtering. So I can thankfully say we've got a solution to that now if it's HTTP. So we're able to use these additional tokens to provide that assurance that this IP address is allowed and this actual user's browser, this user session, is also validated before it gets passed through to that vulnerable application on the back end.
Patrick Gray
Yeah. And I should mention too that there's something on the roadmap that's pretty cool. It's probably a ways out, but there will eventually be a GreyNoise integration so that you can make a determination on whether or not an IP should be added to an allow list. Like there's just going to be some IPs where it's like, no, we don't want to open up for any duration of time. Right, now we should probably talk about one of the primary use cases here. You mentioned, oh, well, maybe you don't want to provision access to an internal application through a VPN, right? I mean, it's a pain to do that. That's one reason you wouldn't do it. And the second reason is the way that a lot of enterprises are getting owned these days is actually through those sort of border devices, VPNs. So funnily enough, a big use case for Knock Knock is actually protecting firewalls and VPN appliances at the edge of your network. So it's like, you know, yo dawg, I heard you like firewalls, so I put a firewall in your firewall kind of thing. It's a firewall for firewalls. Why don't you walk us through what people are doing there? Because that is a popular use case.
Adam Pointon
Yeah, that's right. So with all these Fortinet and Palo and other firewall issues that have happened over the last 12 months, in conjunction with all the VPN brute forcing and stolen credentials, taking VPNs off the naked Internet and taking those firewall management interfaces off the Internet, which, you know, they shouldn't be on anyway, but it's hard to remotely manage those without IP address allow listing and doing that specifically. So what Knock Knock can do is manage those devices, add the IP address of the authenticated user prior to those VPN endpoints actually being exposed to, you know, the entire Internet, which prevents the brute force, prevents the stolen credentials. In the case of VPNs, obviously it's a big entry point for ransomware into an organization. And then for the firewall management customers, so there's a lot of MSPs, MSSPs that need to remotely manage firewalls for their customers 24/7. And so VPNing in to then access the firewall, or accessing the firewall directly, means it needs to be on the naked Internet. So Knock Knock allows them to take it off. And they're also doing single sign-on. They get attribution. Only those in the firewall group that can edit the firewall then have network level access to the firewall. So they've got multiple layers of user control, attribution and then network level access control before they can even get to those soft and squishy firewall appliances.
Patrick Gray
Yeah, I mean, it's crazy, right, that it's people's security equipment getting them owned these days. But I mean if you're listening to this and your Fortinets or your Palos are keeping you awake at night, I mean this is one way to do that. And indeed you're working on a pretty major trial with a very large company right now that, I mean, that's exactly the use case.
Adam Pointon
Yeah, absolutely. And the good thing about it is it can be implemented really quickly. So there's a number of ways Knock Knock actually can control or orchestrate a firewall. We've got the passive mode, which is External Dynamic List, which is the Palo Alto language, where it essentially polls the Knock Knock environment for a list of allowed IP addresses. And that's a very passive way. We don't actually orchestrate the firewall directly. It's more the firewall connects to us and collects a list of IP addresses that are allowed. That's the easy implementation. You can sort of get that going really quickly. It doesn't break anything, doesn't interact with anything. And then we've got passive plus, where we will actually publish the allow list and then go and tell the firewall, hey, rather than waiting one minute or five minutes in the case of Palo to get the updated list, go and refresh it now. And then we have an active mode where for every single login request, we actually go to the Palo and say, add this IP address for this user, and we're able to add additional information. So along with that IP, we actually give the username. So within the Palo ecosystem, you can see that this user had this IP address at this point in time, which then flows through into their other management, reporting and systems and gives them more than they get today by just having an IP address allowed.
Patrick Gray
So what's funny is, I mean, I've been out there talking to a few CISOs about this product and one of the things that they get really giddy about is that idea that you can start attributing, you know, network connections to users, right? So they're like, the control's great, that's fantastic. But are you telling me that you'll be able to say that this person was using this, you know, to do this? And it's, you know, just SIEM fuel and they love it.
Adam Pointon
Yeah. And when you combine that with MFA. So adding MFA to a service that's either legacy or even SSH, because they've got to go through the identity provider, they've got to go through the login process, hit the IdP, do the MFA challenge, we're adding MFA to those ports and protocols that don't have it, and then we've got attribution for the period that they're using the application. So you can have a 60 minute timer on a certain high security service where the user logs in, they're able to access the network service for 60 minutes and then you see them log out or it times out. And that whole chain is then fed through to the SIEM. So you've got actual attribution of the user, their browser, all in the IdP tied with MFA access to the service, and then when they logged out, linked back to the IP address. So the data we're getting out and helping provide to customers is great.
Patrick Gray
Yeah, I mean I think one of the things that makes this, like, this is kind of a product that shouldn't exist, right? It is actually kind of a product that shouldn't exist, because ideally we wouldn't have vulnerable things reachable from outside. And there's so much to unpack here, right? So you've got this whole class of products that do, like, attack surface management, right, and measurement. So you unleash them, they go and they scan your environment, they come back with a list of, you know, vulnerable stuff. And what's been funny about that is, you know, this is a product category that's existed for a while and they come back and they go, here's a list of 20 things that are going to get you owned tomorrow. But no one has actually built the tool to, like, actually mitigate those findings. Which is kind of crazy when you think about it, right?
Adam Pointon
Yeah, that's right. Well, it's all the traditional approach. Oh, that thing, maybe we shouldn't have it on the Internet. Maybe we should put it behind the VPN. And it's like, well, that sort of added an extra hop for attackers. But does it actually solve the problem? Not really. So yeah, it's kind of the first product that actually says take it off the Internet. That thing should be off the Internet. How do you do that? Maybe you should try Knock Knock.
Patrick Gray
Well, and I think it's also, you know, people recognizing that access control and authentication are not the same thing, right? You can have some, you know, PHP-based payroll systems, like that's another use case, or a file transfer appliance that's sitting out there, and they're riddled with pre-auth bugs. So this idea that, oh well, it's got SSO integration, therefore it's safe to leave on the Internet, like that's just not true.
Adam Pointon
Yeah, I guess the authorization and authentication thing sometimes gets confused by people. What this is really about is, is it on the Internet or not? And then if it's on the Internet but it's patched and you have to log in first, that does not mean it's secure. Yeah, and that's just a common belief, or people still think, I'll put it on the Internet, it requires authentication, it's tied into SAML. But if I hit this path there's pre-auth bugs and it's an appliance and someone's going to be in there forever and you never know and it's a disaster.
Patrick Gray
You never know when dot dot slash is coming to get you basically.
Adam Pointon
That's right. Yeah. It's 2025, right? And that's still there. But you know, that's the old adage of what's the most secure system. It's 100 feet underground, built in concrete. And what Knock Knock does is it allows you to move the concrete out of the way instantly, tied to a login, and only then is it actually exposed to the Internet. So the 100 feet of concrete is moved instantly for a user, for their IP address, for four hours or whatever the time is, and only then is it available or vulnerable and accessible to all those pre-auth bugs, should they exist, but only to that IP address of the logged-in user.
Patrick Gray
So yeah, one thing we should just point out on the proxy thing is this is essentially like an identity-aware proxy. But what makes it different is that most of the identity-aware proxies, they're from like Akamai, Cloudflare, Zscaler, they're like cloud proxies and they're fiddly. And there's kind of problems with that. This is much simpler, right? Like this is a much simpler way to get that, you know, SSO-enabled identity-aware proxy to your applications without having to go through complicated clouds.
Adam Pointon
Yeah. And in terms of the magic cloud, as we like to call it, so Zscaler and others, where it's like, well, install the agent, put all your machines onto our magic cloud and then we'll handle all of the routing there. That sort of solves the single IP address attribution thing because they have a source IP address, they have to be authenticated, essentially a cloud VPN to get that tunnel through, and then the IP address of Zscaler or whoever the magic cloud is then needs to be trusted, or you have a route all the way through to the back end. So you're kind of moving the problem, but you're also connecting all your assets to a magic cloud.
Patrick Gray
Well, and that's the thing, other customers of the magic cloud can then attack you through the magic cloud, basically, is what you're getting at there.
Adam Pointon
That's right. You're plugging all your machines into a magic cloud and saying, that's okay, I'll put all my traffic there. It's better than the broader Internet, which is true, but our approach is we don't actually introduce new technology necessarily. So if you've got an existing reverse proxy environment, nginx, HAProxy, et cetera, we orchestrate those, we tie the login to those systems so that the user logs in and only then can they actually pass through that reverse proxy tier, rather than plugging everything into a magic cloud, which obviously has its downsides.
Patrick Gray
Yeah, I like calling it a magic cloud too. That's a good term for it. But I mean, obviously not everything's all web, right? So I'm imagining that over the next couple of years you will be building probably sort of, you know, protocol-aware proxying, you know, building blocks for this thing. Like there's a lot of people reaching out who are running stuff. I mean, in the case of a web proxy, something like, you know, old school Exchange web access servers, right? Like you could use a web proxy to gate access to those things. There's a bunch of regulated industries where they are still using Exchange because they haven't figured out how to make the cloud stuff all compliant yet in some verticals. So you can actually proxy all of that stuff, keep it safe so that users have to go through this, just hit the Knock Knock page before they get access to that stuff. And that's going to save you a lot of headaches. But then there's stuff that's not necessarily web. You've got your SSH, your RDP, Citrix is a big one. There's people coming in saying, hey, we've got these Citrix environments we can't get rid of. Please put something in front of it to help us. But I'd imagine that there's going to be more proxies involved with this, right?
Adam Pointon
Yeah, definitely. So we're looking at per protocol, how can we get in the way or inject into them without breaking them or without breaking trust. So our philosophy is we don't want to be in line necessarily. We would rather the direct access continue. It comes from our heritage. So we actually built this originally to solve low latency, high volume bandwidth issues where it couldn't go through a VPN, couldn't go through a proxy, it needed direct access. So our approach was to orchestrate that access, allow just-in-time network access control. So that's great.
Patrick Gray
I'll just butt in there and say that it's an interesting use case because it was developed specifically for customers in the broadcast industry who would need to, like, submit video footage, which is often, like, UDP as well. And they would need to do that from remote locations or wi-fi at, like, you know, say it was a broadcaster covering some sporting event. You know, they would need to do this.
Adam Pointon
Precisely. So low latency direct access, they get the video stream, they then need to push their audio stream up to HQ, which also is protected by Knock Knock, and then that would be split together and broadcast out. So that low latency direct access, as opposed to routing through a magic cloud or putting it through a broker service, which obviously adds another hop, another processing. But we always try and extend to additional protocols. So we've got a lot of customers that are using SAP, and you know that's thickware, and they need to extend that to contractors. So a contractor needs access to some thickware or some port or protocol that's non-standard, not web and doesn't have MFA.
Patrick Gray
I mean again, I'm like, this is horrifying, the idea that people are, like, opening up their SAP ports to the Internet, right? Like, and they have to do that. That's horrifying.
Adam Pointon
They have to do that. They've got no control over the machine. So the contractor's got their own non-SOE laptop. There's no MFA, it's on the Internet. You know, there's a lot of, like, just hope is not a strategy. So Knock Knock is opening those ports just in time, and then the horror continues once they've got access through. But at least it's off the Internet and not behind a VPN or not behind some other magic cloud that then adds more latency and more problems.
Patrick Gray
Well, I mean it does give you a pretty high degree of assurance that you're not going to get like mass scanned and exploited.
Adam Pointon
Right, exactly. And it's the old defense in depth, like it shouldn't be on the Internet. You shouldn't have those applications or those systems on the Internet. That's the first point. So taking them offline, they're invisible. They're not going to turn up in a database ready for some zero day or some issue, or somebody to just go after it in more of a targeted attack. It's just not on the Internet until they've knocked.
Patrick Gray
Yeah. So like with SSH we're seeing more people, like, kind of work around how to deliver stuff like SSH and RDP, you know, building sort of SSO-capable SSH and RDP gateways.
Adam Pointon
Yeah, absolutely. And we've got some customers that are using Apache Guacamole to deal with RDP, and we're adding another layer to that before it gets to that point. Gives them MFA.
Patrick Gray
Yeah. So you might want to actually explain to people what Apache Guacamole is, right? Because until we spoke about it a couple of months ago, I didn't know.
Adam Pointon
Yeah. Well, it essentially just gives you RDP, pretty much, in the browser. It's fairly lightweight. It just kind of works. It's Apache Foundation. It's pretty robust. We help before you can get access to that point; obviously, Knock Knock protects the edge of that. And then, and only then, do you get RDP in the browser. So it kind of adds MFA. You get a browser pop-up, you're then on the RDP remote machine. Pretty streamlined. The actual user experience is like web, click, click, click, SAML, and they're through. You've got your RDP.
Patrick Gray
Yeah, it's like one of those. It's one of those things where like, huh, this works actually way better than we thought it would.
Adam Pointon
That's right. And normally when they work way better than they should have and it connects directly through, it's like, wait, what security controls have you turned off here? Why is this working? Where's my authentication? But you've got those additional layers. So it's a good user experience and it's not super costly.
Patrick Gray
Yeah. So also, you keep coming back to the idea that you can use Knock Knock to apply MFA to legacy stuff. People are looking at this internally as well, because they might have some sort of legacy crapware that they have to run that's specific to their vertical. And say they're in financial services. This might be a compliance problem, right? Because they don't have MFA on this thing and they can't tick the box. I mean, you can actually use Knock Knock to apply MFA to basically anything that has an IP connection on it, right? And that's, I mean, that's an easy compliance win for people.
Adam Pointon
Absolutely. And that's internal or external, so you get user attribution. You can apply MFA to whatever that finance application is or whatever that compliance system is, and you get full visibility of it, so that user accessed it at this time. And they don't have to worry about it sitting in the corner, still whirring away, sitting in some security policy exclusion list. You know, we have MFA on everything except for these seven things, and we're just waiting for those seven things to be retired, which we all know is going to be far more years than is appropriate.
Patrick Gray
Well, people forget that one of the reasons that VMware was so successful a million years ago is because it allowed people to, like, extend the life of all of their NT4-based infrastructure, right? Like if people can find a way to kick the can down the road, they're going to just kick the can down the road. Unfortunately.
Adam Pointon
Yeah. Which I guess on the flip side, we're helping them kick the can down the road, but it's kind of better than putting it in, you know, putting it in VMware and then just having IP address restrictions or not, virtualizing it so that if it gets hosed we can just revert to last night's, you know, restored copies, I guess. Less bad. Whereas with Knock Knock, you're actually giving network level access control. So it's prevention rather than just sort of kicking the can down the road by relying on backups or just getting hosed and being able to restore it.
Patrick Gray
It's interesting, right, because you do have some people using it internally already. And you know, one of our other sponsors is Zero Networks, who do, like, full micro-segmentation, right? So they just do the whole network and whatever. But there's this middle ground of customer who just wants to apply it selectively to a few places, right? And that's kind of what Knock Knock's good for.
Adam Pointon
Absolutely, yeah. So one of the early use cases for customers, like, we just want to restrict this environment. We've got a management network and kind of every sysadmin on that environment can sort of access everything, sort of all the time, including these sort of air gap things over here and these other environments over there. And that's not ideal. So that's one place where we usually get put in first, like, let's control ourselves as sysadmins so that we have to go through a process before we get access to the, you know, the broader management network that controls all this OT environment, all these other assets over here. So that's an early access point to just say, let's put the users through MFA before they can SSH across these internal assets. And Knock Knock is good for that because it can be hosted internally. We specifically designed it so that it can be run internally with no network access to the Internet, specifically to protect internal systems.
Patrick Gray
Yeah, I mean, it's funny too, right? Like you look at the people who are using it, it's an interesting mix, right? So you've got some of these critical infrastructure types who are using it to, you know, better restrict access into their OT environments. You've got media, as we spoke about earlier, broadcast media, they love it. Telecommunications, one of Australia's major telcos, uses this to restrict access to all of its SSH. Like you cannot hit SSH without going through Knock Knock first. And it's a lot of SSH, that one. And then you've got, as I said, some of those verticals who are forced to use vulnerable stuff that can't be fixed. And now more general enterprise worried about things like firewalls, VPNs, whatever, and just all of the cruft sitting at the edge of their network. So it seems like it's, yeah, I mean the flexibility here is something, I guess, is what I'm getting at. Like it's such a universal control that everyone can think of a way to use it.
Adam Pointon
That's right, that's right. Everybody can use it in some way. Typically it starts in, you know, controlling access, but then it's like, well, wait a minute, because I can take those systems offline, I can easily apply it over here to protect those. And there's a lot of, like, solving a specific problem they have, and then there's a lot of prevention. So wait a minute, I can take that off the Internet until somebody logs in. Why aren't we doing that in other places? Why do I have an attack surface? Yeah, well, you know, I can geo-restrict to certain countries, but we all know that's not actually a solution because everyone just VPNs and pivots through. So geo restriction, it helps, but it doesn't actually solve the problem. So why do I have an attack surface? Knock Knock actually allows me to take those systems off the Internet until somebody logs in. Why aren't I doing that in more places? And we see that in people as they realize, they have the aha moment, which is, oh, this is different. Okay. It actually orchestrates access. Oh, that's different.
Patrick Gray
Well, it's just extending SSO to, like, network access control, right? Which is exactly, you know, people are sort of underutilizing SSO when you think about it.
Adam Pointon
Yeah, exactly. And we sort of joked about, like, just-in-time network access control, you know, this JIT NAC idea. And it is just-in-time access to systems tied into your existing SAML IdP at the network level, any port, any protocol. And as soon as people have that aha moment, they're like, I can actually apply this in many places.
Patrick Gray
Yeah, yeah. I mean, as I say, we use it and we sleep better, right? And you know, it's definitely good for that. So let's talk a little bit about the history though, because I just alluded to the fact that it's used by a major telco in Australia, for example. It's been around for a while. So Knock Knock as a company is fairly new, but this was actually developed by a Sydney-based networking company called SOL1 specifically for some of their clients, right? And then they realized after a while, huh, okay, probably people who aren't our customers are going to need this one as well. So it's essentially been spun out of that company. Dave and Andy, who are the guys who developed this, you know, they're the founders, co-founders with you. You came in later in the piece and, you know, as I mentioned at the intro, through Decibel, I helped to organize a funding round and brought you in. I should probably mention too that you and I are actually very close friends and have known each other since we were kids. It's actually Adam's fault that I'm in security, everyone. He was the guy who, as a high schooler, got me into all of this. But I mean, that's, you know, it's not a brand new startup. Like this thing has been battle tested, so the guts of it are actually very reliable and have been tested. I guess the interesting thing is, though, there has been dev work to do since you've come on board. One of the things that you've been working on real hard, and I love this, is you hired a front end dev to try to make this thing much easier for people to understand, because that has been a barrier in the past, is, like, the way that you install and configure it has made sense to the people who built it, but made less sense to people who are seeing it for the first time.
Adam Pointon
Yeah, that's right. So user experience is obviously really important. The actual backend is really mature, as you said. It's been used daily for four and a half, five years. Originally it was called Salsa because it went well with Guacamole. It's had a number of rewrites, architecture changes, but it's been used daily for over four, four and a half years. But the front end, all of the management side, it required various degrees of Linux capability, skills, etc., which just, it needed to be more product-friendly, easier to get going. So a lot of the time spent over the last few months, or five months now, is getting the user experience right, the whole out-of-the-box utilization, deployment up and quickly, integration with more devices. And we're in a good spot now where we've got a bit of a workflow happening. It's just easier to get going and get into organizations and make a change quickly, as opposed to it being a bit more effort and needing strong sysadmin skills. We want it to just be simpler.
Patrick Gray
Yeah, yeah. So we should mention too that the new interface is in beta, or beta, as we would say here in Australia. Yeah. All right, Adam, we're going to wrap it up there. Anyone who wants to check it out can go find Knock Knock. And it's spelled funny, which is great. Real helpful there, guy. But it's knoc, knoc dot io. So knocknoc.io, everybody, go check it out. You know, if you've got feedback, you can bring it to me. I work with this company. Right. So we'd love to know your thoughts. We think it's super cool. I think... yeah, I'm really into this one. I love fundamental controls, simple controls that are enduring. I think this is one of them. Adam, great to have you back on the show. You actually were a news guest something like 15 years ago or something, so it's not your first time on Risky Business, but it's great to have you back here after a long absence. Great to talk to you, and I wish you all the best luck with it.
Adam Pointon
Thanks, Patrick.
Risky Business Podcast Summary
Episode: Soap Box: Knockknock Glues Your SSO to Your Firewalls for Just-in-Time Network Access
Host: Patrick Gray
Guest: Adam Pointon, CEO of Knock Knock
Release Date: March 26, 2025
In this episode of Risky Business’s Soapbox edition, host Patrick Gray introduces Knock Knock, a Just-in-Time (JIT) network access solution that integrates Single Sign-On (SSO) with firewall management to enhance security. Patrick highlights his personal connection to Knock Knock, mentioning his role on the company's board and his involvement in securing seed funding and recruiting Adam Pointon as CEO.
Patrick Gray [00:07]:
"Essentially what it is, is just in time network access or network allow listing."
Knock Knock allows organizations to dynamically open firewall ports based on authenticated user sessions, thereby minimizing the exposure of vulnerable systems to the internet.
Adam Pointon delves into the technical underpinnings of Knock Knock, explaining how it orchestrates existing infrastructure without introducing additional layers typical of Zero Trust networks.
Adam Pointon [02:06]:
"We orchestrate the firewalls and say this IP address is allowed access for four hours to these services."
After a successful SSO login, Knock Knock adds the user's source IP address to the firewall's allow list for the requested services, and the entry is removed automatically when the window (four hours in Adam's example) expires. The protected ports are therefore reachable only while an authenticated session is current, which keeps the exposed attack surface to the people who need it, for as long as they need it.
A significant use case discussed is the protection of firewall and VPN appliances, which are common targets for brute force attacks and credential theft.
Adam Pointon [07:33]:
"Knock Knock allows them to take [firewalls and VPNs] off the naked Internet, preventing brute force and stolen credentials from being exploited."
Because the allow list is keyed on the source IP of an authenticated SSO session, the management and VPN ports are simply unreachable from everywhere else on the internet. The device's own login still applies once the port is open, so Knock Knock reduces exposure in front of that authentication rather than replacing it.
Knock Knock is particularly effective for safeguarding legacy applications that lack modern security features like Multi-Factor Authentication (MFA).
Adam Pointon [04:19]:
"They wanted to add MFA, take that web application off the Internet, but not force everybody to go through a VPN."
This capability allows organizations to protect older systems without overhauling their existing infrastructure, providing a pragmatic solution to persistent security challenges.
Various industries, including broadcast media and telecommunications, utilize Knock Knock to secure specialized applications and environments.
Patrick Gray [24:42]:
"For example, one of Australia's major telcos uses this to restrict access to all of its SSH."
These implementations demonstrate Knock Knock's versatility in addressing diverse security needs across different sectors.
Integrating MFA with Knock Knock adds an additional layer of security, ensuring that only verified users gain access to sensitive systems.
Adam Pointon [10:53]:
"When you combine that with MFA... you can have attribution of the user, their browser, all in the IDP tied with MFA access to the service."
Furthermore, Knock Knock provides detailed user attribution, linking network access to specific user sessions and actions, which is invaluable for auditing and compliance.
Patrick contrasts Knock Knock with traditional identity-aware proxies offered by companies like Akamai, Cloudflare, and Zscaler, referring to them as "magic clouds."
Patrick Gray [14:27]:
"This is much simpler... without having to go through complicated clouds."
Unlike those services, Knock Knock does not sit in the data path: once the firewall rule exists, traffic goes straight to the protected service, so there is no proxy to route through and no third-party cloud that every session has to transit.
Adam outlines the different modes Knock Knock can operate in to manage firewall access dynamically:
Passive Mode: Knock Knock publishes the current list of allowed IP addresses and the firewall fetches it on its own schedule; Knock Knock never touches the firewall itself.
Adam Pointon [09:15]:
"It's a passive way. It doesn't break anything, doesn't interact with anything."
Passive Plus: Enhances passive mode by prompting the firewall to refresh its allow list immediately upon changes.
Active Mode: Directly communicates with the firewall to add user-specific IP addresses in real-time during login events.
Adam Pointon [10:30]:
"We actually give the username... which then flows through into their other management, reporting and systems."
These modes offer flexibility in how organizations integrate Knock Knock with their existing security infrastructure.
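The grant-then-expire cycle described earlier and the modes listed above are easy to reason about with a small model. The following is an added illustration written for this summary, not Knocknoc's code or its API. It keeps per-IP grants with an expiry, serves the current list for a polling firewall (passive mode), and calls a push hook carrying the username on every add and remove (active mode; a passive-plus integration would use the same hook only as a nudge to re-poll). The class, method and service names, the callback shape, and the sample users, IPs and timestamps are assumptions made for this example.

```python
"""Illustrative just-in-time allow-list store (added example, not Knocknoc's code).

Models the mechanism the summary describes: after an SSO login the user's
source IP is granted access to a named service for a fixed window (the
episode's example is four hours), the grant lapses on its own, and a firewall
consumes the state either by polling a list (passive mode) or by being told
about each change with the username attached (active mode). Names, callback
shape and sample data are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Optional

FOUR_HOURS = 4 * 60 * 60  # seconds; the window quoted in the episode


@dataclass(frozen=True)
class Grant:
    user: str          # SSO principal, kept so the open port is attributable to a person
    ip: str            # source IP observed at the SSO login
    service: str       # logical service name, e.g. "ssh" (assumed label)
    expires_at: float  # unix time at which the firewall entry must go away


class AllowList:
    """In-memory grant store; a real deployment would persist this."""

    def __init__(
        self,
        ttl: int = FOUR_HOURS,
        now: Callable[[], float] = time.time,
        push: Optional[Callable[[str, Grant], None]] = None,
    ) -> None:
        self._ttl = ttl
        self._now = now    # injectable clock so expiry is testable
        self._push = push  # active-mode hook: push("add" | "remove", grant)
        self._grants: dict[tuple[str, str], Grant] = {}

    def login(self, user: str, ip: str, service: str, ttl: Optional[int] = None) -> Grant:
        """Record a successful SSO login and open the service for that source IP."""
        ip = str(ipaddress.ip_address(ip))  # reject junk before it reaches a firewall rule
        window = self._ttl if ttl is None else ttl
        grant = Grant(user, ip, service, self._now() + window)
        self._grants[(ip, service)] = grant  # a re-login simply refreshes the window
        if self._push:
            self._push("add", grant)
        return grant

    def expire(self) -> list[Grant]:
        """Drop every grant whose window has closed; returns what was removed."""
        now = self._now()
        removed = [g for g in self._grants.values() if g.expires_at <= now]
        for g in removed:
            del self._grants[(g.ip, g.service)]
            if self._push:
                self._push("remove", g)
        return removed

    def feed(self, service: str) -> list[str]:
        """Passive mode: the IP list a firewall would poll for one service."""
        self.expire()
        return sorted(g.ip for g in self._grants.values() if g.service == service)

    def who(self, ip: str, service: str) -> Optional[str]:
        """Attribution: which user's login currently holds this IP open."""
        self.expire()
        g = self._grants.get((ip, service))
        return g.user if g else None


def demo() -> dict:
    """Walk two logins through the four-hour window with a fake clock."""
    clock = [1_700_000_000.0]  # constructed timestamp
    events: list[tuple[str, str, str]] = []  # what an active-mode firewall would see
    al = AllowList(now=lambda: clock[0], push=lambda op, g: events.append((op, g.user, g.ip)))
    al.login("alice", "203.0.113.10", "ssh")  # constructed users, documentation-range IPs
    al.login("bob", "198.51.100.7", "ssh")
    before = al.feed("ssh")
    owner = al.who("203.0.113.10", "ssh")
    clock[0] += FOUR_HOURS + 1  # step past the window
    after = al.feed("ssh")
    return {"before": before, "owner": owner, "after": after, "events": events}


if __name__ == "__main__":
    print(demo())
```

The demo() walkthrough uses an injected clock so the expiry is deterministic. The IP normalisation in login() is the one check worth keeping in any real implementation, since whatever string is accepted there ends up inside a firewall rule.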
Since Adam’s appointment as CEO, Knock Knock has focused on improving user experience by developing a more intuitive front-end interface, making deployment and integration easier for organizations without extensive sysadmin expertise.
Adam Pointon [28:43]:
"A lot of the time was spent... getting the user experience right, the whole out of the box utilization, deployment up and quickly integration with more devices."
This emphasis on usability ensures that Knock Knock remains accessible to a broader range of users, facilitating quicker adoption and implementation.
Patrick Gray wraps up the discussion by highlighting the broad applicability and effectiveness of Knock Knock in enhancing network security through dynamic access control and MFA integration. He emphasizes the product's ability to provide a high degree of assurance against mass scanning and targeted attacks by ensuring systems are only exposed when necessary.
Patrick Gray [30:34]:
"It's one of those things where it's an identity aware proxy but much simpler... Knock Knock is really protecting them and taking them offline until needed."
Adam Pointon echoes this sentiment, emphasizing Knock Knock's role in prevention and the proactive reduction of attack surfaces.
Adam Pointon [27:05]:
"It's about prevention rather than just sort of kicking the can down the road by relying on backups."
Listeners are encouraged to explore Knock Knock further by visiting knocknoc.io (the spelling Patrick gives at the close of the episode) and providing feedback to enhance its capabilities.
Notable Quotes:
Adam Pointon [02:06]:
"We orchestrate the firewalls and say this IP address is allowed access for four hours to these services."
Patrick Gray [14:27]:
"This is much simpler... without having to go through complicated clouds."
Adam Pointon [10:30]:
"We actually give the username... which then flows through into their other management, reporting and systems."
Patrick Gray [30:34]:
"It's one of those things where it's an identity aware proxy but much simpler... Knock Knock is really protecting them and taking them offline until needed."
For More Information: