Sometimes those of us in technology think that the solution to every

problem is a new piece of gear or a great piece of software.

I've been guilty of this a lot lately when I've been thinking about

how to prevent data exfiltration.

If we could just get the right AI tool in there, we could spot it as

it's happening and shut it down.

This week's guest is a cyber expert who reminded me that I T has three sides.

He thinks the focus should be on process.

Then people then technology.

Hi, I'm w Curtis press an AKA Mr.

Backup.

I've been specializing in backup and Dr for over 30 years.

And I've written four O'Reilly books on the topic like me.

This podcast is dedicated to those of you who are tasked with

the difficult job of backup Dr.

And data protection.

This is backup, centrals, restore it all.

W. Curtis Preston: Hi, and welcome to Backup Central's Restore It All podcast.

I'm your host, W.

Curtis Preston, aka Mr.

Backup, and today I have with me a guy who gave me some really good advice.

It was really good advice up until it wasn't.

Prasanna Malaiyandi How's it going, Prasanna

I'm good, Curtis.

I'm curious what this good advice is that was good at the time

W. Curtis Preston: this silver bullet that you gave me called the FCC complaint

Yeah, I'm surprised not a lot of people know about this.

if you have an issue with your cell phone provider or your cable company, right?

Or internet provider.

you call them in, you complain to them, they give you the runaround,

and then you spend weeks and weeks, and nothing ever happens.

W. Curtis Preston: and you're not anywhere.

exactly.

And then you have this magic thing called the FCC, where you can actually file

a complaint, and say, hey, my billing is off, or my service isn't right, and

the provider literally has to respond to you within, I think it's 72 hours.

W. Curtis Preston: I had never heard of such a thing.

And, and being a person who...

Having, worked for the government at a point, I definitely understand

the inefficiency of government.

So the idea that something could be so efficient was definitely.

a surprise.

the last time I did this ironically enough, now, as this story comes full

circle, I was having problems with Cox as my internet, service provider.

I put in an FCC complaint.

And in the end, we did figure out the problem.

And then I changed to Verizon 5G internet.

And everything was fine until it wasn't.

And then I decided to use this magic bullet again.

I got the call within 72 hours.

During the time that they were working on it, it went from being an intermittent

problem to being all the time.

The official response from Verizon is I will obviously be, Paraphrasing

slightly., yeah, you're right.

We suck.

You should probably get a different ISP.

By the way, I'm not just complaining about like low speeds.

My internet would just drop.

Sometimes in the middle of recording one of these episodes, my internet would just

but basically they said the reason your internet is just dropping, it's congestion

and you should probably get another ISP.

That was their official response.

I was.

dumbfounded, right?

So again, story come full circle, Cox will be back, in six days, they

will be installing the fiber version, because I don't have a lot of choices.

Our guest today is the host of the cyber pros podcast, a short form

podcast, which by the way, it makes it very different from this podcast.

A short form podcast that has five questions and nine minutes.

He's our second former special forces member and we're excited

to have him on the podcast.

Welcome to the show, Rick Mischka.

Hello, gents.

W. Curtis Preston: So what do you cover in nine minutes on that podcast

Yeah, you know, in 2020 I got bored and I wanted to build a

cybersecurity network and I want to do it fast and So we had the idea

of doing a short form kind of video podcast that that would be be quick.

We actually thought six minutes could fit in in six questions could fit in nine

minutes, but we were way wrong on that.

So, so we pivoted down to five.

And, and honestly, the first and last question are more, you know, who are you?

What do you do?

And then.

You know, tell us a fun story or typically we ask, you know, what's your

favorite piece of retro technology?

The three middle questions are really the ones that we get kind

of the, the meat of conversation.

And it's, it's, you know, why do you love being a cybersecurity professional?

Why do you think cybersecurity should, or is, or isn't a top concern?

And then just what insights do you want to share?

Whatever they share with us in those five questions, we then

actually do something interesting.

We, we.

We record bonus content afterwards, and we focus that bonus content

on one, education, two, a little bit of marketing, and then three,

we focus on knowledge, right?

Just, just what knowledge do they want to share even more of?

And we typically do that in 30 seconds to three minutes.

And so now...

Our podcast guests get a full week of exposure.

They get the full podcast release.

They get a bunch of bonus contests released around it.

We're able to bring in a lot of people through a number of different doors.

And man, it's, it's just been a lot of fun.

I've been able to connect a lot of people to, to really

just kind of grow the network.

You know, a couple of the podcast guests got together and wrote a book.

A couple of the podcast guests got together and started a company.

So.

Awesome, right?

So been fun.

Yeah.

W. Curtis Preston: I like it I'd like to hear the five questions

So they're the same five questions for everybody

typically, unless we get somebody who's a specialist

in something, so it's who are you and what do you do, right?

That's We'll call that one question.

And then why do you love being a cybersecurity professional?

That question will change if they're a professional in cloud, if data backup, you

know, so if you were on, we would ask you that question a little bit differently.

And then the third question we ask, you know, cybersecurity is a top concern.

Do you believe that's true?

And in, in the industry you're in, how does that, how does that interact?

And then the fourth question is just.

What insight do you want to share?

Here's your, you know, if you've done your job, you have five minutes to talk

and, and about anything you want to talk

and then.

If you're a first time guest, we always ask if, what's your favorite

piece of retro technology is.

Usually I get some, you know, usually I get all sorts of things.

Usually it's, you know, Apple computers, Commodores, things like that.

I had somebody come back and say the, the semi automatic pistol.

And I was like, that's technology.

So here we go.

We're going down to completely different conversation.

And I have to laugh.

I actually useless trivia.

I actually just bought one of my favorite pieces of retro

technology in its new form.

The Motorola Razr.

So I have newest, the newest flip phone version, and it's so cool

because you can actually set it to, show you as if you were using

the original Motorola Razr, it's

that is awesome.

Yeah,

W. Curtis Preston: I

had the original Motorola Razr

as did I.

And so it's fun.

I get to be the butt of my own question.

What is probably one of the most interesting

insights from cybersecurity answers that you've received?

Yeah.

You know, actually I'll start with the one I get the most of.

The most insights I get are the idea that cybersecurity has

to focus on the people, right?

Dozens of different ways that conversation plays out, but that's the most talked

about is, is the people, cybersecurity, burnout, talent acquisition, security

gap, whatever that looks like, and it's, it's quite interesting, but the

most interesting one that I've ever had was actually the use of artificial

intelligence and machine learning as it pertains to cybersecurity.

And biometrics and the insights that they shared were fascinating because their

company had just gotten acquired, was, was putting a bunch of venture capital dollars

into this solution that were actually selling some of the, the solution to.

Tesla, the way you walk up to your car will unlock the car for you

because it knows your gate, along with facial rec and other biometrics.

And it's fascinating.

It was, it was mind blowing what can do.

So

it's interesting you bring that up, Rick.

So recently my wife and I, we binge watched all the Mission Impossible movies.

And there's, I don't know if you remember, but there's a one Mission Impossible

where it's like, they have to imitate to be the guy and walk through a secure

area where it does a gait analysis.

And I was just thinking, I was like, wow, technology it's come.

It's like real now.

or the other day I was watching Minority Report.

It's like all this stuff they're doing.

It's that's now become like reality.

You should add the Mission Impossible theme to the start of, of this

podcast

W. Curtis Preston: Yeah I just rewatched that one again to Prasanna and of course

that technology was defeated by uploading a different gate analysis The first time

I saw a computer used to do something that that literally I went wow actually

okay The very first thing I remember seeing a computer do something that made

me do wow was when I was in my teens you could go to a police station in Kissimmee

Florida That's where I was from And you could give them an address and they

could print out turn by turn directions of how to get to there And I remember

going That's the most amazing I've ever seen but the second thing was I was a

consultant at a communications company that was using simulation modeling in

a computer to test their device like to harden their device by like in a

computer hitting it with a softball in a computer dropping that device on the

ground Do you know what that device was

The Nokia phone from back in the day?

W. Curtis Preston: It was the Motorola Razr my friend

Fair, there's the full circle.

W. Curtis Preston: Yeah Yeah I was working at Motorola in Schaumburg Illinois

Crazy.

W. Curtis Preston: yeah it was amazing to me what they do One of the things I'm

very concerned about is data exfiltration cause as a backup and recovery person

I can stop a lot of things I can stop a pure ransomware attack by just restoring

the data but what I can't stop if the data is exfiltrated there's nothing I

can do So the question is so I think that AI and ML are the next thing for

basically doing the equivalent of gate analysis on the outgoing traffic for a

typical company and then noticing when something is very different and calling

it out and stopping it automatically So far I'm not hearing A lot of

agreement on that when I talk to folks

are you talking mainly Curtis about

anomaly detection based on

W. Curtis Preston: Yes

looking for data exfiltration?

Okay.

W. Curtis Preston: Yes

Yeah, I mean, I will say, I think people got a little out over their

skis looking at, you know, unsupervised machine learning and trying to train

it to baseline and then anomaly detect.

And you end up with either a lot of false positives or you end up with...

Just a lot of data that the machine learning model is still working on.

And I think the world is seeing kind of, I don't want to call it a

reversion, but an add in to a lot of that unsupervised machine learning

with supervised machine learning.

That's trained on data models of both benign and malicious data

that allows those supervised models to say, okay, here's the 14 or 40

or whatever number you want of.

Threat vectors that we know, right?

EXE files, documents, things like that.

When you have as much data as we have now, you can train these supervised

machine learning models to say, Oh, 98, 99 percent of the time we can catch

something and we don't need anomaly.

And so I think that was the miss for, for me, that's what I'm seeing is people

jump right to unsupervised thinking that anomaly detection was the only way.

And we went from signature known crap to let's figure out what the user is doing

and hope their behavior doesn't change.

And they missed the step.

And I think, you know, good companies, EDR endpoint detection response

vendors, a lot of the new managed detection response solutions that

are bringing in XDR solutions.

have realized that and they can make that model better by adding

in a supervised model as well.

I, I think that's the path we need to get to, to actually

see it be extremely useful, but

I think one of the challenges also with anomaly detection

is, especially with these unsupervised models, you get so many sort of false

positives, where it's hey, the user just did something different, but it's normal.

And the model has never seen it before.

And of course, it's going to flag something.

And as a, as a security engineer trying to go through those logs and figure

out, okay, what's a real threat, what is a false positive, that kills so much

of your time that what I've heard is a lot of people are like, screw it, it's

not worth it, let me just turn it off.

It's true.

And, and, and, you know, I think the other thing that, that people forgot was

They jumped towards the technology and they forgot that there's a whole lot of

process and people that need to be in place for the, for the technology to work.

you know, I know everybody knows the PBT framework.

It's, it's used in almost every technology model ever.

it was actually created in the sixties by a guy by the name of

Harold Levitt as the diamond model.

There was four points to it, but when we do.

An analysis of somebody's cybersecurity posture doesn't matter what machine

learning models doesn't matter what technology they have for us.

The technology is only about 10 percent of the solution that we

present that they should be looking at.

And we talk about, okay.

30 percent is, is, is the people.

Can you provide those?

Do you need people to be outsourced or managed from, you

know, managed service provider?

And then 60 percent of it is, here's your process.

If you have a good process, the technology will work, but most people

just, like you said, turn it on.

All of a sudden they have triple the, the, the alerts and they

don't know how to handle it.

W. Curtis Preston: Yeah it's interesting I think that was a good point about that

people think that technology is just going to solve the problem when in reality Even

if the it was able to detect an anomaly there's still a human being That is going

to have to read that information view that information and respond to that

information because you're not at least I wouldn't think the average person is

not going to automatically start shutting off outgoing communications based on an

anomaly especially if there's so many false positives So there's got to be

that person involved Rick I'd like to ask you about that 30 60 percent that's

it's interesting that you put so much focus on the process like it felt I don't

know if anything I if I was guessing I'd be like 50 50 between the people

and the process thoughts about that

you know, I think, I think we all agree that the technology

is, is just a component, right?

It's, it's supposed to make us better, faster, easier,

whatever they want to look at.

And some would argue that the people side of the house should be, you know, higher

rated, higher percentage of what you do.

In today's world where we automate a lot of things, you can remove a human

for, you know, X number of automations that you do, but I'm going to take it

even further as to why we place such an emphasis on the process side, and

that's everything a company focuses on their business objectives, their

continuity, their resilience, right?

None of those are cyber security based, but all of those have to have

a process in place for people to know.

Hey, that's what my job is.

That's what I'm supposed to be doing to progress this company,

to make more revenue, to drive bottom bottom line goals.

And so.

If you can create great process, you create great culture and you don't

need as many humans because the humans you have are able to just do more.

You're being more efficient with what you have rather

than trying to add a whole bunch of more people to make up for the lack of process

said it so much better in 12 seconds.

W. Curtis Preston: You should have them on your nine minute podcast Sure

Perfect.

W. Curtis Preston: Rick based on all the people that you've talked to what

do you think are one of the things that we like to ask people is if you were if

you had carte blanche at an environment What are the the top five things that you

think people maybe aren't doing that they should be doing right So we can throw

out the for me the three obvious ones right Good password management MFA And

patch management right So assuming that we're doing those three things what else

do you think companies should be doing

For me, the first one I always tell companies is, is create

an incident response plan that allows you to grow cybersecurity culture.

But that cybersecurity isn't thing that's controlling your business.

I think too many times they're like, well, I'm, I'm beholden to this regulation

or I have this type of data that I have to secure and they, they stop doing

good business to do good cybersecurity.

And I think you you can flip that around.

Quite a bit.

And I think, you know, that that's one of the top ones for me.

The second one, it really focuses on the human side, the people side.

everyone makes the joke, we need cybersecurity

professionals and we want to.

You know, we want somebody who's new to the business, but we need them to have a

CISSP and 14 years of experience, right?

So, entry level position and, and I just, whenever I talk to, you know,

small to mid sized businesses or mid market folks, I explain to them, go find

somebody who's hungry to do the job.

And train them how you want the job done or, or, or paid for their training to

get the job to where they need to be.

And you don't need somebody who has a CISSP.

You don't even need somebody who has a degree.

If you have somebody who's hungry, who's done the certification bootcamps, they're

willing to step in and learn, likely stay with you longer for those reasons.

And I think, you know, even the big enterprise companies are starting

to finally have this moment.

If I go get the college grad.

And I trained him and get him a bunch of certifications in that first year.

He or she is going to stay far longer.

The third thing I would say is you need to understand your

cybersecurity edges, right?

Are you a fully cloud edge?

And do you know what that means, right?

You're using AWS or Azure, but you're also using software as a service applications.

Do you understand the differences?

Do you understand that there's an endpoint edge?

Every user is on an endpoint, so how can you protect your users from

themselves by finding a solution that matches your needs on those endpoints?

And then your network.

Some people don't have a network, and that's okay, right?

They've gone straight, you know, VPN to the internet, call it good.

But understand what those three are, understand how you, how you can cover

those, and that will lead you down a really good cybersecurity journey.

And lastly, Here's my brown nose moment for you guys.

I recommend that everybody understands what actual data backup needs to mean to

them

So if they have an incident, they can recover and not rely on their insurance

company to provide them with investigators and forensics and responders, and

then not pay them anyways, so.

Those are my four.

Those are the four I tend to talk about the most.

W. Curtis Preston: Go

That my

that's

my world cup moment there what do you

Oh I like those four ideas or things that people should be

considering Rick for the first one when you're talking about the incident response

do you find that a lot of companies are woefully prepared they're ostrich with

head buried in the sand It's not going to happen to me I don't need to worry

about this sort of thing Or do you think that's started to change given all the

recent activity around ransomware and data exfiltration and other things like that

I think it's changing.

I don't think, I don't think we're anywhere near where it needs to be.

I believe people are starting to have those moments where, well,

do I have a continuity plan?

Right?

A lot of companies I talked to, they're like, well, we have, we

have a disaster recovery plan.

And I'm like, okay, that's great.

Right?

If, if a hurricane hits you, you know how to fix the problem.

But An incident response plan can encompass your business continuity, your

disaster recovery, and all of your, your security systems planning in one document.

And if it's done correctly, I think what most people say

is, well, we have the plan.

Have you tested it?

Have you played the tabletop?

All right, let's nerd out.

And, and even though you might have never played Dungeons and Dragons, let's go play

the tabletop game with, you know, whatever you want to play, get your entire group

in, and let's see what it looks like.

Usually the point that it fails on is not on the catching of it,

not on the data backing up, right?

Not on, on recovery.

It's, it's on, Communication.

don't follow or have a good communication path, which leads to their cyber

insurance company telling them, Oh, you didn't meet our requirements.

We're not paying you for what you had to do to go recover.

And they also forget about the legal aspect.

You know, they're, they think, Oh, I need an attorney after the

fact to help me understand what my Requirements are to my customers.

If I've given up my customer data or my employees, if I've given

up their data, they don't realize

what was that

That's too late though right

it's too late.

And, and what they don't realize is you can actually protect.

and get under that, that, that lawyer umbrella, that cone of

silence, you know, as it were, you can get on that early as you're

creating the incident response plan.

You can have somebody that looks at that plan and says, okay, you now have a,

you know, an attorney client privilege.

You don't have to share some of this information with your insurance company.

You don't have to share this with the general public and here's why.

And so moving the legal and the communication stuff up earlier

in the plan and really hammering it home, the rest of the plan is.

process and technology, right?

Let's be real.

It's, Oh, we found the problem.

We fixed the problem.

So, you know, those are, I think that's the interesting part that people are

starting to finally get this, Hey, wait, there are, there are attorneys,

there are insurance companies out there who are just, you know, available,

but not available at the end.

Let's, let's see how we can move this forward.

W. Curtis Preston: Yeah that would be my I've been pretty consistent with that as

well that basically probably the biggest point of having these discussions up front

with creating that incident response plan and doing those tabletop exercises and by

the way for the record I never played D D But but I like the idea of a tabletop

exercise but I'm just not I'm just not that big of a nerd but I love all the D

nerds but they wouldn't let me play anyway sorry I'm a sad childhood That you're even

excluded from nerdhood but I digress The thing that we talk about this a lot is

this idea of creating those relationships up front Don't have an incident and

then Oh we need to find a cyber security firm We need to find a lawyer We need to

find whatever you need to create those relationships up front because it's like

having a large company in the United States and not having a legal department

I don't know how it is in other parts of the world but we live in such a litigious

society You're going to be sued for something And so you have to have a lawyer

right and of course you have to have a lawyer hopefully so that you have the

right paperwork so that you don't get sued But then you have a lawyer in case you

do get sued You need a cybersecurity team and you need cybersecurity professionals

on your side so that when you get a cyber attack because it is a when not an

if You have those people in your corner right Does that match what you're saying

Spot on.

Yeah.

And it goes back to what we talked about, about that 60 percent process.

If you have an incident response plan, there's your process.

And all you do is go and say, yep, we know this works.

Just follow the process.

So,

I like that I also wanted to touch just given our area

that we always like to talk about I'm glad that you talked about backup Rick

because I feel that a lot of times people forget about it when it comes to sort

of incident responses Or even like you said try doing like the tabletop exercise

try out the thing right Even for backup It's like how often do people go verify

Do their backups work Are they able to recover their data or are they able to

test out their disaster recovery plans I think that becomes really important as

part of the process Piece and spelling out Yes periodically you do want to test

these things to make sure that things are still working because the last

thing you want is hey you got attacked Now you need to recover Oops I forgot

to do this or oops I forgot to do that And so now your environment's kind of

in shambles and you're all scrambling trying to get things back up and running

or they just haven't hardened their backups because

they haven't checked them in, in, you know, three months and

now your backups are just as bad.

what just

X filled.

So hopefully that doesn't happen, but it can.

So

W. Curtis Preston: Yeah The backups are increasingly both a target in terms of

to take them out so that the cyber attack will be more successful and also to use

them as a source for data exfiltration I'm trying to raise the awareness of that

within the cybersecurity world And so if the cyber folks hear anything from me it

should be that somewhere in the corner you talk about that hiring a college

kid and then training them right That's there's also normally a college kid

Maybe not even a college kid That's the person in the corner doing the backups

because it was the only job he could get and he didn't necessarily he's not

that person you were when you said when you were talking about find the person

who has the desire to do this job that's hungry often with the backup the person

was just hungry for a job they weren't hungry necessarily for the site for the

Doing the backups No one is no one's in college going man I really hoped that

somebody hires me as a backup admin

Prasanna Malaiyandi: Except you Mr Backup Except

W. Curtis Preston: no not even I know no this is yeah it's how I got my

job I wanted to be in computers I did want to be in computers and I took

the job as backup person Because that was the job I could get and it got

me into the big bank and and then I just Accidentally never got out of it

So that's how I ended up specializing

in

as I say.

W. Curtis Preston: Yeah the rest is history yeah I like

that I really like this idea, of figuring out where your edges are.

Because back in the day, right?

The edges were the edge of the building, right?

Nobody had computers outside the building.

All the computers were inside the building.

We had a data center.

It was the center of the data, right?

That was the way that things were, but now your edges are everywhere, right?

there, all this work from home that's going on, and the SaaS and the, the

cloud data centers, the PaaS services.

You're, you are, I wonder if you don't have a handle on that today,

how does one go about, figuring out where their IT department has scrawled

to, I can't imagine how you could start doing something like that.

know, I've, I've seen an interesting trend

of companies who have gone.

The way of not having any location, my wife's company actually has done that.

They have no buildings that they pay rent for.

They provide a stipend for every one of their employees to go find a coworking

space, which is, which really cool for them, but now you're on public wifi for

the most part, and they don't have any.

Firewalls, they have no network security.

Everything they, they do is, is, in the cloud, right?

Access is through a SaaS application and they made the intelligent

decision that they didn't need all of this network security they needed

to make sure that their employees were protected on the end points.

Right?

Typically a laptop provided to them or a mobile device.

And then they took it one step further and said, all of our data is in the cloud.

They're accessing everything that's somewhere in the cloud.

We need a security broker.

We need a workload protection solution.

And that's how we're covering our edges.

But there's still people hanging on to, well, I need all three edges.

Do you?

I don't, I don't know, but understand why you think you need that.

The most important edge today is, is wherever your users are accessing

the data, find a way to secure that.

And you've secured a majority of, of.

Now, that doesn't mean you can't still have your users click on something stupid.

you can't train stupidity.

So, it's gonna happen.

But at least if you have protection where they're clicking on it,

hopefully you'll catch it a lot sooner.

or worst case...

You fall back to your data backups who are far more protected from someone like you

or the, or the kid that just wanted a job.

Yeah.

or, and the other thing is hopefully you can also reduce the blast radius, right?

W. Curtis Preston: Yeah.

And you've got to do both.

You've got to train the users.

And then you've got to.

Prepare to respond when the users don't do what you trained them to do.

I mentioned this a lot on the podcast, but at that bank where I worked, we

constantly trained new employees that one of the things that we always told

them over and over again is no one in the IT department will ever call

you and ask you for your password.

And then the next day after their new employee training, we would call

them and ask them for their password.

And they would give it to us a sadly high percentage of the time.

And, people will, and sometimes you'll just access sometimes

you'll, it takes a moment Of just not paying attention, right?

A little bit too much muscle memory, clicking on something.

so even smart people that are trained and normally do the right thing

can also click on the wrong thing.

I know, I remember doing that once when I thought I was talking to

LifeLock because my employer at the time had subscribed us all to LifeLock.

it was a spear phishing attack because, it was like they knew

that I was using LifeLock.

And so they went right after me, or maybe it was just, I don't know if it was just

a random phishing attack, but, but I logged into what I thought was my LifeLock

account and, it very much was not, and I immediately did all the I needed to do.

yeah.

I also remember the other story, Curtis, you told, just going

back to muscle memory, right?

It's, I remember you had a story where, You got an MFA request and

you're like, but I don't remember making that MFA request, remember?

And were like, yeah, but you actually did do that, right?

And it's I think it can go both ways, right?

The muscle

W. Curtis Preston: yeah, absolutely.

I remember that where I got an MFA request and via muscle memory, I was like, yeah.

Boom.

Boom.

And then I was like, wait.

what did I just do?

What did I just approve?

And what it was because I had opened up, Chrome and it had 37 tabs and one

of those tabs was authentication via that, the system that was doing an MFA.

So I breathe the sigh of relief.

I appreciate those four things.

see Rick, we probably could have done this podcast in nine minutes,

and done just those four things.

we should all be like you.

I appreciate brevity where I find it.

but no one ever finds it on this podcast.

so thanks.

Thanks a lot, Rick, for coming on and talking about, one

of our favorite subjects.

thank you guys for having me.

This was so much fun.

W. Curtis Preston: And, thanks Prasanna for reminding me of that sad

moment in, in my personal history.

Anytime, Curtis.

I always try to bring you down.

And Rick, it was as well

W. Curtis Preston: All right.

Thanks again to our listeners.

we'd be nothing without you.

Be sure to subscribe on, wherever you listen to the podcast so

that you can restore it all.