The Imposter Syndrome Network Podcast

Per Thorsheim

October 18, 2022 Chris & Zoë Season 1 Episode 12
The Imposter Syndrome Network Podcast
Per Thorsheim
Show Notes Transcript

Hello and welcome to the Imposter Syndrome Network Podcast, where everyone belongs, especially if you think you don't.

Today's guest is Per Thorsheim, founder of PasswordCon and CISO at BankID BankAxept AS.

Today, we'll discover what a CISO does, and learn about Per’s journey, beginning with his first employment as a service hacker and the critical lesson he learned on his first day at work.

He explains to us why he feels so passionate about passwords and why we’ll never see them go away.

We talk about what to do when hacking into a Fortune 500 company, the importance of being wrong, and the best way to tell your parents that you tore their computer apart.


“Please disagree with me because I like to disagree with other people as well. 

And I don't disagree with people, because they're wrong, but because I want to understand if you just came up with your answer or if you have actually thought it through.

I just want to learn, what's your reasoning behind the statement”


If you want to keep the talk going, join our LinkedIn Group.

Send us a message, we would love to hear from you.

 Chris Grundemann

 Zoe Rose


●    LinkedIn

●    Twitter





Thanks for being an imposter - a part of the Imposter Syndrome Network (ISN)!

We'd love it if you connected with us at the links below:

Make it a great day.

Transcript is automatically generated and may contain errors.

[00:00:00] Chris: Hello and welcome to the Imposter Syndrome Network Podcast where everyone belongs, especially if you think you don't. My name is Chris Grundemann and as always, I'm joined by my extraordinary co-host, Zoe Rose. 
[00:00:22] Zoe: Hey! 
[00:00:24] Chris: This is the Per Thorsheim episode, and I just know you're going to enjoy it. Per is a password proponent, a founder, a CISO, uh, and a Norwegian
[00:00:32] Chris: Hey Per, would you like to introduce yourself to the Imposter Syndrome Network? 
[00:00:40] Per: Hi, I'm, uh, Per Thorsheim. I'm, uh, gonna be 51 years old very soon. Uh, I work and live in Norway. Daytime job. I'm a CSO at a company named BankID BankAxept. And, uh, most of my spare time I research into my obsession, which is passwords, pins, and all things digital authentication.
[00:01:02] Chris: Fabulous. I'd like to start right at the top, I guess with cybersecurity being, um, basically as hot as it ever has been. Right now, I'm pretty sure that even our listeners who aren't very much interested in info sec have heard of the title, cso, C I S O, Chief Information Security Officer. As a role, but I'm actually less sure that any of us know what that really is.
[00:01:26] Chris: So would you kick us off by breaking down what it is that you really do as a ciso ? 
[00:01:34] Per: Well, uh, you know, I'm gonna throw this out right now. That's basically being the scapegoat at the company. That's, that's the short version. If something goes wrong, uh, especially security wise, the CISO may be blamed, or at least the CISO would be called in to try to fix whatever went wrong. And the chief Information Security Officer, you know, to be just a little bit more serious about this, the role of the CISO can be many, many things, uh, but basically taking care of security within the business.
[00:02:03] Per: And to make sure that the business runs successfully with whatever they do, uh, sort of operations into anything. And at least to me, security is not just security. Security is helping the company organization achieve its goals, be it to make a ton of money or to help the world in some way, or just in general, be nice.
[00:02:28] Per: In most cases of course it's about making money and try to do something for the world. 
[00:02:34] Chris: So that's why there're companies and, and not non-profit organizations I guess. Huh? 
[00:02:37] Per: The, there there's most definitely a difference there. Yes. . 
[00:02:41] Chris: And, you know, I think it's interesting you bring that up as, as a key point there.
[00:02:45] Chris: It's something I heard other folks say when they have that kind of top security spot, especially. Is, you know, maybe describing it as a bridge between the business world and the security world. Right? Because I think obviously the most secure system is one that is not connected to anything. Maybe you take your computer, you pour it, and you block a concrete, drop it in the ocean, no one's gonna hack it, Right?
[00:03:05] Chris: But yeah, but not useful for business . 
[00:03:08] Per: And that's, that's totally. I have a technical background. I've been sitting in front of a computer screen since I was like 11 years old or something. So, you know, 40 years plus now. And even though without technical background, back in 1998, I started working for pwc back then Pricewaterhouse Cooper as a consultant, and I got hired by them to set up penetration testing, you know, hacking as a service.
[00:03:35] Per: And to do IT security audits. And my manager back then, a partner with the company, he had a financial background. He didn't understand, I mean, he thought that the, uh, you know, back then he had a desktop computer at his desk. Uh, he had a keyboard and a mouse and, and a PC and a monitor. And he, you know, he wasn't really sure which box was actually the computer.
[00:03:57] Per: There was a large, very large power supply that made a lot of noise that you could put CD into and then had a keyboard in the mouse and then the screen and it's uh, Yeah, it's power supply. Oh, that's the computer. Okay. So one of the things I learned back then, because before I started working for pwc, security to me was like, security is the most important thing we can have in any kind of business organization.
[00:04:20] Per: I mean, without security, while there's. No security. There's insecurity and everything will go wrong, and people will die. kittens will die. But at pwc, one of the first engagements I had was to try to hack into a bank in Norway. And I succeeded. It was incredibly easy back then. I set up sort of one of my personal best.
[00:04:42] Per: I achieved domain administrator access and route access in 15 minutes after connecting to the network internally in the bank. Uh, quite a bit of pure luck on that. But when returning back to the office to to my manager, you know, at the end of the day and I was trying to be working for this bank for quite some.
[00:05:01] Per: He asked me if I got access to the bank and I said, yes. I obtained the domain administrator and root access, and he just looked at me like he didn't understand at all what I was talking about, and he said, Did you get access to any kind of sensitive information that if I was bad person could utilize to make a ton of money, like sensitive information about clients of the bank.
[00:05:26] Per: And I looked at him and didn't really understand what he was talking about. So I said, I got domain administrator access and root access, so I have access to everything. And he looked at me back again. I'm like, Did you or did you not get access to any sensitive information? I said, Well, I didn't get access to any sensitive information, but I hacked into the system so that I could obtain sensitive information, I think. 
[00:05:51] Per: And then he said, Well, then you didn't succeed on day one. Because yeah, I mean, if you can hack into a bunch of systems, okay, great, so you're a good hacker, but you haven't damaged anything. You haven't made anything. And crime is usually about making money.
[00:06:09] Per: Hacking into systems doesn't by itself, make you money. So he said, From now on I want you to focus on whether you can obtain sensitive information from the clients that you're going to do penetration testing against, because that is the real goal that we are looking for. That's when senior management of our clients will listen to you.
[00:06:33] Per: If you can't get access to any sensitive information, they would just say, Okay. Whatever you got. Root access. Don't know all this. 
[00:06:40] Zoe: No, that's really good point is the context setting the right context. 
[00:06:44] Per: It really is. 
[00:06:45] Zoe: Yeah. And, and that's how I get a budget is, uh, I've gotta set the context properly so that they give my money
[00:06:53] Zoe: So I also know that businesses are, you know, they're motivated for making money, but they're also motivated for losing money. 
[00:07:00] Per: Yep. 
[00:07:01] Zoe: So, uh, setting the context is. So I, I think the question that I have for you is, I think this is a question you get a lot, and I'm pretty sure we've already chatted on this, but I always find it an interesting question, is why passwords, Why authentication?
[00:07:17] Zoe: Why is that what makes you tick? Why is that so exciting?
[00:07:23] Per: What is so exciting about. Well, it started when I was working for pwc. I was there for three years, so started there in 1998, and I had this one pen test engagement for a Fortune 500 company somewhere in the world. And this again, is on day one of the technical part of the engagement. So, you know, we had lots of meetings and paperwork and explanation of some methodology and you know, what can we do?
[00:07:48] Per: What can't we do? And so on. But on day one of the technical testing, there were a couple of us showing up at. An office somewhere in the world of this company and you know, we, we came to the door there to the reception in, dressed up in suits and nice black shoes and white shirts and tie and like, uh, hi.
[00:08:07] Per: We auditors and we are here to, uh, audit obviously. And you know, receptionists usually don't argue with auditors. So we were just let into the building without, without actually showing id. So we found ourselves some meeting room that was, uh, you know, not taking by anyone. We got in there and plugged into the network, and by the end of the day, we had obtained domain administrator access off a Fortune 500 company.
[00:08:31] Per: Now, domain administrator access basically means you have access to everything, including the mail of the email of the ceo, you know, to explain this to anyone. And the way we did that is we obtained list of usernames in the Windows active directory of this organization. We pulled out tens of thousands of user names, and then we made a very simple script saying, for each username, try to log in with the company name as the password.
[00:09:02] Per: And if that doesn't work, try the word password. As the password, and if that fails, move on to the next account. So we made two attempts per account, which is at least back then our assumption was that by doing that there's a very low risk of us locking up any accounts. And there's also a very low risk of setting off any alarms when doing this.
[00:09:25] Per: And we just lean back and it's like, this is, this is an incredibly easy way of doing well paid consulting. You know, just do the simple script. Click start, and just lean back and, and see what happens. And we did find some accounts that were using the company name as their password. I mean, tens of thousands of employees.
[00:09:46] Per: You can just, you can safely assume somebody will be using the company name or some variant of the company name, as their password. And as we discover them, I don't know, 2, 3, 4, 5, 6, I mean, it doesn't matter, you still get access. We looked them up and they were, you know, they were just normal employees if I can, you know, put in those terms.
[00:10:07] Per: But suddenly there was one account that just plain on screen, like this account is using the word password. And we look up the account, and again, Blind Luck. That account was a member of the domain administrators group, meaning this account has access to basically everything. And this was a Fortune 500 company, so we were three guys present in the room as at the time.
[00:10:33] Per: And I, you know, maybe I'm overdoing this. We essentially, you know, stood up, took three steps back and like, Okay guys, so this is the moment where we decide whether we go into criminal activity for the rest of our lives and, you know, we'll be off to Bermuda or some other place, uh, you know, Mongolia tomorrow morning, first plane out of this country.
[00:10:55] Per: Or if we actually do as we are supposed to do, act as professional consultants report this as, you know, you gotta change this as soon as possible. Which is what we ended up doing, obviously, and I was, I was so amazed by this. Again, blind luck, but there was one person, and it was a male maybe, to no surprise, Zoe, a male using a very simple password as password.
[00:11:21] Per: But I, I was so amazed about this because this was a fortune 500 company. I have to say, honestly, before this pen test, I, I never thought that such a big company could be completely hacked just because a single individual, an employee with administrative privileges is using password as his password. And since then, passwords and pins and everything has been my, you know, obsession in, in life.
[00:11:52] Per: I, you know, I have no interest in sports or racing cars or, you know, I rarely even drink beer, but I do passwords and pins. So that's, that's the explanation of my obsession. I, this story, uh, is a story I've told trillion times now. And as also a part of your question, uh, on, on, you know, why passwords and so on.
[00:12:13] Per: There's also a realization to me at least that I'm also telling people that passwords are never going away. Pin codes are never going away. And I say there are two reasons for that. Number one, there is no business scenario that justifies the removal of passwords and pins everywhere. They are cheap to implement.
[00:12:32] Per: Everybody knows how they work and in a lot of cases, cases, Passwords or even a single simple four digit pin is more than enough given the risk you're facing or the lack of a risk to, to face actually for your systems. The second reason for passwords and pins will never go away is also the risk analysis.
[00:12:53] Per: There is no risk analysis justifying the remove lock passwords. The risk is minimal to none. So why replace passwords with something more secure? You don't need it. It's gonna cost you more money, uh, to implement and to maintain. And in most cases, you will also need to do some kind of user education for people to understand this new solution, this password replacement, that's also gonna cost you.
[00:13:20] Per: And there are new use users being born every day that are initially learning passwords and pins. And then at some point you also need to learn them this more. You know, maybe it's more complex or easier, but they need to learn something new. And a lot of people, they don't want to learn new stuff because they prefer what they're already using, which is passwords, and pins. 
[00:13:41] Zoe: I will say that that scenario that you ran into in, what was it, 98? Um, I had the same scenario, not the same, not the same, similar, uh, where I did password cracking and uh, also had somebody with an admin account with password as their password. So things. Um, oh, not necessarily changing, but, uh, 
[00:14:03] Chris: Progress!
[00:14:03] Zoe: Hopefully. Yeah, hopefully they'll, um, I suppose the next thing I, I guess I would look at would be, you know, obviously passwords are absolutely brilliant. Actually, that's how we met is, uh, passwords con, but, um, what about. Your favorite kind of job you've ever had. What, what's the, I suppose, since working at PWC with that awesome story, what's something that you've kind of done and been like, Wow, this is really, really exciting, and kind of reinvigorates me, uh, over my whole career, I suppose?
[00:14:37] Zoe: Or is that a big question? , 
[00:14:39] Per: That's, you know, one of the big life questions, you know, what have you achieved in your life that you're sort of proud of? Again, turning 51 in a few days, uh, there are several things that I'm sort of proud of having done. The very apparent thing that I need to mention first, of course, I've created life.
[00:14:58] Per: I have a daughter. I am also proud of, uh, saying that I have saved a life. Uh, I was, uh, in a forest when, uh, a relative, uh, had, um, suddenly experienced heart problems and I rescued that person. And there was no doubt from the doctors that, you know, if I didn't. Do what I did, what I had learned previously, you know, that person would've died.
[00:15:20] Per: So those are the two things that I'm most proud of having done in my life. But back to the work stuff and so on. Back in 2015, I think, '14/'15, I did a bit of work into trying to promote an RFC standard 3207, which is start TLS encryption for email. Sounds very boring because who knows today what email actually is more or less at least my daughter doesn't know what it is.
[00:15:48] Per: But start TLS for the, for SMTP for email is an old standard. I actually started implementing TLS for email back in 2004. So 10, 11 years later. I had a friend of mine help me set up a web page, uh, doesn't exist anymore, And we used that to, you know, it was a publicly available, uh, free service where you could type in a domain name, Uh, type in I don't know;
[00:16:20] Per: And we would analyze the mail server for Facebook for the domain and tell you whether they supported start TLS encryption for email or not. And if they did support it, how well working is the configuration? Like are they using, you know, topnotch state of the art encryption or is it a really shitty configuration in there?
[00:16:40] Per: And back in 2014, back, yeah, 2014, 2015, we knew that. 20, 22% of the email service around the world were using start tls. Everybody else was sending your email in plain text. So that's like re writing that secret love letter on a postcard and sending it by normal posts. And everybody who gets in sort of, you know, contact with with the card, they can read your text.
[00:17:06] Per: Now, this is a secret love letter, so you would prefer it to be inside an envelope, with a secret stamp on, on the outside. So if somebody opens it up to read the contents, at least there will be some marks saying, Hey, this had been opened and may have been read by somebody who weren't supposed to do so.
[00:17:24] Per: With this service, starttls.Info, the American Civil Liberties Union picked up on it. They found a service. They thought us, Whoa, this is, This is really nice. And there was, um, tech lawyer at ACLU back then who used starttls.Info to check on. Well, Facebook and Google and Microsoft and Apple and a few other really big services.
[00:17:46] Per: Yahoo. And. He basically called them and said, Hi, this is the ACLU calling and, uh, we've checked your email servers and you are not supporting an email standard that will provide better security, better privacy for all your use users. And this is an internet standard that has been around for more than 10 years, and it's dead easy to implement.
[00:18:06] Per: I mean, a person who knows how to do this can fix this in like an hour or so for a single mail server. So why are you not doing it? And in six months, approximately. The internet went from approximately 20% of all email being encrypted to like 90-95% of all mail being sent on the internet to be encrypted while in transit.
[00:18:33] Per: And that was due to our little starttls.Info website, which was up and running for, I don't know, less than a year. I think. And two large tech companies. They also decided to, uh, send me a little bit of money just as an appreciation for the work that we done. We were two of us. There was me and a friend of mine who's now the CISO of, of a large newspaper here in Norway.
[00:18:56] Per: And, uh, yeah, I'm sort of proud, uh, to, uh, assist in making the world use encryption for email worldwide. And we turned that around in six months, back in 2014. That was, uh, that was pretty cool. 
[00:19:13] Chris: That is very cool. Yeah. Yeah. Uh, highly cool. I would say really great work there. I've done a little bit of kind of tech evangelism myself.
[00:19:21] Chris: Nothing quite as impactful or, or hands on as is what you've done. So I know the, the feeling that comes with it and the effort that goes into it. So definitely kudos. On that. That's huge. And, and that's something that's been kind of a part of your career, I think it seems like over time is kind of taking initiative, going out there.
[00:19:36] Chris: I know you, you founded a couple companies and ran them for a time, you know, this was something that was, you know, I don't believe this was part of a job. This was just something you did for the good of the internet that the start tls 
[00:19:45] Per: Yeah, I, I mean, I was, I was working for a large telecom company back in, in 2004, the largest telecom and ISP in Norway. So, yes, I started looking into this for, you know, improving the email security of the company I was working for, but seeing that, hey, the internet is not doing this and if we implement it, that doesn't help anyone. I have to convince the entire world to do this as well. And then suddenly it became more like an obsession that, you know, what can I do to convince the world to implement starttls support?
[00:20:20] Per: And, uh, you know, I wasn't, you know, this was an idea by myself, but the internet standard already existed there. It was a lot of other people who did the main part of the work. I was just, you know, having a blabber mouth about, you know, either you do starttls for SMTP or you suck. I mean, it's, it's easy to do.
[00:20:39] Per: Other others did the, the hard work on this. So, uh, there's a lot of people that I need to say how big thank you to as well for this. 
[00:20:47] Chris: Awesome. That's, that's really, really cool. 
[00:20:49] Chris: So it seems like that's been a theme of your career is kind of taking on more work than, than was necessary for the specific role. And I don't know, is that, is that giving back, Is it just something that is just natural energy or where does that come from, that kind of, you know, willingness or passion to go above and beyond? 
[00:21:06] Per: Well, I, I, you know, one of the jokes that I make to colleagues, younger colleagues, and even to my girlfriend as well, is, you know, Oh look, there's a brick wall , step aside, and let me, you know, get up to running speed and bend my head forward and see if I can smash through it.
[00:21:21] Per: And if I can do it on the first attempt, I just have to go back and try again. Call me stupid. But I see something that I don't think is good enough, or at least it can be better. And then sometimes it just becomes an obsession that, you know, I, I have to fix this. I'm not a rich guy. I've, I've never tried to make money out of any of this stuff, but the feeling that of doing good for society or, you know, if when I, I go to conferences, all travel anywhere, and I meet peers in the security industry, uh, younger or older than me, and they, they tell me that.
[00:21:58] Per: You did a good job. And this coming from people that are heroes to me is like, that's the best feeling that I know of. More or less. That's pretty cool. 
[00:22:09] Zoe: That's awesome. From my perspective, when we met, we met randomly here. I was calling you from, uh, the city I lived in and I was lost, if you remember, , Um, . But I remember calling you and we were talking about passwords con.
[00:22:23] Zoe: Yep. And, um, from my perspective, you were this. Really impressive security expert about passwords. I think when I was chatting with you, it wasn't like, uh, it was somebody that was really, you know, far in their career. They were really impressive. But one question I had, which might be a bit of a silly one, is, you know, you've had so many big parts of your career, so many impressive things that you've done.
[00:22:48] Zoe: Has there ever been a really, really, I suppose, embarrassing thing or embarrassing mistake that you've made that was a very strong lessons learned. . 
[00:22:59] Per: Yeah, . There've been, there've been many of them, Zoe, And also I, you know, I don't even have a bachelor's degree from university. I, I haven't been to university. I've learned stuff the hard way, uh, in my own way.
[00:23:14] Per: You know, even today, I, I don't see myself as, an expert, if people refer to me as an expert, I, you know, I, I get nervous because I just know that the next question that I'm getting now is gonna be a question that I am clueless about how to answer at all. But I, I, I take a lot of joy in doing in what I do. And I've also learned, you know, back when I was 11, 12 years old, and then I got access to my first computer.
[00:23:40] Per: I've learned the hard way, which includes, Fucking up things, breaking things and just not being able to put a computer back together again and having to go to your parents and say, Uh, can I get money for a new computer? Or some new spare parts because I've torn this thing apart and I shouldn't have done that.
[00:24:00] Per: And , it's not that I recommend everyone to, to, to break apart stuff and try to build it together again. But even now, you know, when I get a new computer. I don't buy myself a new computer. I buy computer parts and I put them together. By myself at home. I buy the, the cabinet, the hard drives, the memory, the motherboard, the cpu, the water cooling, all the fans.
[00:24:24] Per: I put everything together myself, and I still find a lot of joy in doing that because I've done that since. And now I get to put it together and it actually works. , I don't break the computer parts. I actually make it work. And breaking things is sort of, I guess, a part of the hacking culture as well. And it's not breaking things in a bad way.
[00:24:45] Per: It's breaking things to learn how stuff works and to put it back together again. That's hacking to me and that's a lot of fun.
[00:24:53] Chris: It is. Right, And I like that. It's almost as if, you know, creating opportunities for yourself to learn is tantemount to creating opportunities for yourself to fail. Right. I mean, they're really kind one of the same, it sounds like.
[00:25:05] Per: Yep. I also think it's, it's important also to sort of, you know, you need to be able to admit that you did wrong, uh, that you were wrong. And I also like to tell people that I sort of like to see you prove me wrong, because if I'm right, it means something is wrong. and things should be working, should be... Security should be fine.
[00:25:31] Per: And if I say: I don't think security is the way it's supposed to be here. If I'm right, then something is wrong, and if I'm wrong, then security is good and it is the way it should be, so you know, please prove me wrong because that probably means security is better than I thought initially. 
[00:25:51] Zoe: No, that's a really good point.
[00:25:52] Zoe: And actually that kind of similar, different, I guess context, but similar in the sense of when I'm talking to like coworkers that are maybe more junior and they have an idea that I didn't think of, and sometimes they feel unsafe to bring it up. I always say, actually, your insight is really valuable because you might not have the blinders that I have, you know? 
[00:26:14] Zoe: Cause I've worked in industry for a while, but there's new things happening and there's new considerations, new aspects that I haven't thought of. So one, prove me wrong to make sure things are secure, but two, bring up your ideas because it very well could be that I simply just didn't think of it.
[00:26:30] Per: Yeah. Tell your coworkers to disagree with you. Tell your employees to disagree with. And tell 'em to do that? Well, not always. Uh, sometimes the boss needs to, you know, make some decisions as well. But please disagree with me because I like to disagree with other people as well. And I don't disagree with people because they're wrong, because they, they might be correct.
[00:26:56] Per: But I will say I disagree with you initially because I want to understand if you just came up with your answer, just like right now. Or if you have actually thought it through, I mean, have you used more than two minutes to think about this idea and try to look into cases where your idea might not work, and in cases where your idea might work really, really well?
[00:27:20] Per: Because way too many times, and this is I guess, completely natural for all of us to do, way too often we make decisions that we haven't thought through at all. We just make rush decisions right there and then. In some cases you might be uh, correct. In other cases you might be wrong. And I like to just test that.
[00:27:39] Per: So give me a statement and I will say, I disagree Zoe. And it's not like I really disagree with you, I just want to learn, you know, what's your reasoning behind the statement you just made as an example. And I do that just to make conversation maybe sometimes. 
[00:27:55] Chris: Yeah, I like that a lot. Um, my wife doesn't always love it, , but I think
[00:28:00] Per: Yeah, I, I sort of recognize that from software. Hmm. I'm divorced. Uh, yeah, I've heard that one before. Yeah. 
[00:28:09] Chris: But there is a quote, I forget who said it, I'm terrible at attribution, but someone said something along the lines of, it's, it's better to debate an issue and not settle it then to settle it without having debated it.
[00:28:18] Chris: And, and that's what I hear coming from you a little bit, right. Is, you know, get in there, talk about these things, poke holes, play the devils advocate. And that way we can all kinda move forward together. We're all growing and learning that way. Yeah. Cause to your point, right, if I think I'm right and no one proves me wrong, then I just go on being wrong if I happen to be.
[00:28:34] Chris: Yep. But if you can prove me wrong, then now I've learned something which is actually more valuable than, than thinking that I'm right. 
[00:28:39] Per: Yep. Absolutely. Yeah. So please disagree with me. 
[00:28:43] Chris: Yeah, I love it. That's just about all the time we have for today. So first off, uh, Per thank you so much for joining us and sharing your story with the Imposter Syndrome Network.
[00:28:54] Chris: And of course, thank you to all of our listeners for your time, your attention, and your support. If you haven't already, please feel free to join us on LinkedIn. We have a group for conversations between the episodes, but more than that, uh, for this community, this imposter syndrome network to give and get advice from each other about our careers and our work, uh, and technology and so on.
[00:29:14] Chris: But, uh, before we shut off the lights, totally here, Per, I'm curious, what is the most valuable lesson you've learned in your career so far? 
[00:29:25] Per: Oh, the biggest one. At the end, the biggest lesson I've learned is most definitely to challenge my coworkers to disagree with me because that way I will, you know, spend more time to think about my own suggestions and also realize that in quite a few cases, maybe way too many, I'm actually wrong when I thought I was right.
[00:29:48] Per: So again, please disagree with me. 
[00:29:51] Chris: Awesome. I I love that. I think that is great advice. Are there any projects you're working on currently or involved in that the network should be aware of? And also how can folks connect with you if they wanna chat? 
[00:30:02] Per: Well, you can find me on LinkedIn. You can find me on Twitter as my, you know, my Twitter handler.
[00:30:07] Per: Well, there's only one guy in, in the world with my name, . Same. So it's 
[00:30:11] Chris: and we'll link to it in the show notes as well. 
[00:30:12] Per: I, I, I can't really hide anywhere, online, but yeah, I, I always have some projects going on on the side. I, uh, was just recently in Las Vegas to do my passwords con track at B-Sides. I also did a talk at the, um, crypto privacy Village at DefCon and that was about ID theft insurance, and based on, uh, examples from Norway and I'm really curious about ID theft insurance in Norway, in Scandinavia, in Europe, and also in other countries.
[00:30:43] Per: I've heard some of how this is being done in the us. I really would like to look more into this because the short version of ID theft insurance in Norway is that it doesn't cover your financial losses and it doesn't cover anything if the ID theft is being committed by any close relatives and it doesn't cover anything if it has to do with your work or your profession. So it basically doesn't cover shit more or less. 
[00:31:11] Chris: Yeah. Wow. 
[00:31:12] Per: That's one of the projects I'm doing right now. 
[00:31:14] Chris: Sounds good. Well, yeah, hopefully folks that are interested in that will reach out, as I said, we'll drop some links to your profiles and the show notes and folks can find you if they wanna talk about that.
[00:31:23] Chris: But yeah, that's it. We'll see everyone next week.