Read a Transcript of Our Virtual Event with Trail of Bits
Science of Security: Virtual Networking with the Women Tech Leaders at Trail of Bits
*** This transcript provides a meaning-for-meaning summary to facilitate communication access and may not be a fully verbatim record of the proceedings. ***
Deveshe Dutt: Hello everybody! Good afternoon and good evening! Thank you for joining tonight's event. I'm Deveshe and I'm based in India. I've had the pleasure to work with Trail of Bits in the last several weeks.
Power to Fly is a women led company for highlighting women's roles in certain sectors. Power to Fly is proud to host virtual events to have the opportunity to learn. Over the past few years we've hosted in person and virtual events, with startups, online and in person.
We strive to foster honest conversations that foster conversation with women and allies. For the seminar today we brought together leaders who are in high end security research to reduce risk.
They take on difficult challenging, building new technology, reviewing the security of new tech products. I'm looking forward to learning more about this tech company.
With that, let's get started. We have a great line up of speakers today. Our panelists will introduce themselves shortly. We'll also ask panelists some questions. Today, we'll dedicate the second half of the webinar to your questions. Before I kick off with the formal agenda I'll go over housekeeping agenda to give us the best experience.
It's likely many of us are familiar with most of these tips since working virtually has become the new norm. I'll go over these points.
In case you have a bad connection, don't worry, you can call in from a landline. You can find the dial in in the audio panel. We ask you please mute when you aren't speaking. If you're comfortable have your video on, we'd love to see you. You can ask a question during the Q&A section. You can also visit Power to Fly to see daily virtual events, with career coaching, and other events.
This event is being recorded. Don't worry about taking notes. Last but not least we love feedback. We'll send over a 2 minute survey once this concludes and we love to hear from you.
Know this is a safe place. Type your question to the chat box or ask it live during Q&A. If you asked us something beforehand, we'll also touch on it.
We'll end by talking a bit about Trail of Bits. Now our panel introductions. Johanna, why don't you kick off our introductions by telling us a little about yourself and your role at Trail of Bits.
Johanna Ratliff: I'm a security engineer at Trail of Bits based out of Colorado. That entails me auditing various pieces of software for security vulnerabilities and delivering that to customers.
Deveshe Dutt: Thank you Johanna. I'd love to introduce Skylar.
Skylar Rampersaud: Hi. I'm working out of Washington, DC. I just started with Trail of Bits but I've been in security for 19 years. My job description is similar to Johanna's. I'm looking forward to answering your questions.
Deveshe Dutt: Thank you!
Claudia Richoux: Hi I'm Claudia. I'm new to Trail of Bits and new to the security industry. I'm still in college. I'm security engineer in cryptology team. I look at software and cryptocology protocols. Many things.
Deveshe Dutt: Thanks, Claudia. Let's wrap you up introductions by looking at CEO and cofounder Dan Guido.
Dan Guido: I'm CEO and cofounder, founded with 2 friends of mine, built it to the 50-60 folks working with us today. Excited to share our projects with you today.
Deveshe Dutt: Awesome Dan. We'd love to get into the keynote address. And hear about the projects you're working on.
Deveshe Dutt: Sure. You can bump it to the next slide.
We are a software and research company. We address computer problems to address everyone's use of technology. We're predominantly in tech and finance space. We are a small team of 67 people but on the other hand not many companies have that many engineers in one roof. We tackle really complicated problems. We're a hybrid remote company. Our headquarters are in New York. But since day 1 we employ people not in New York.
As we suffer in this pandemic, our transition is quite easy as we're used to working with people not here.
There's 19M in revenue, there are challenges to get to that size with the 2013 government shutdown. But our services are in demand for challenging projects. We never took money to get to that size. There are a lot of downsides to taking any form of investment that prevent you from working on projects you want.
We turn down a lot of work. There are projects I'm not interested in and I don't feel we need to answer to anyone. We are bootstrapped, we play with our own money.
The company is split into three teams. Security research, for long term research. Various branches of United States military, science foundations, research agencies. We use the work to give us sometimes a 4-year runway to make progress on difficult problems. We write academic papers, apply new research techniques, for the problems. We open source for the vast majority, if you're interested in that. A lot is on our blob or github. I'm not content leaving that in the DC beltleg. We bring that to the public as best we can.
Alongside that, we build software to prove the research techniques. We have competency for security engineering. Mostly that's security software, endpoint security tools. They need code written requiring specialized expertise. We're nothing but specialized experts. A lot of open source software is adopted to make it usable. We've also ghostwritten venture funded startup products. Or high insurance projects like embedded systems.
Finally, people give us code to help them understand where risks are. We don't look at people's firewalls and Gsuites and other configuration things that can go wrong with running a company, but the technology products they build. That requires mystery of computer languages and computer architecture and generally how computers work. We have a lot of folks we work with.
For a small company like ours, we need to specialize. We can't solve every problem under the sun. There are a lot of projects we turn down. We focus exclusively on product security. We only do low level engineering. Our research teach specializes in binary analysis. We have a cryptography team.
There are other things on the edges and fringes of these 5 bullet points but it's hard to justify doing anything else. We want to be the best in the world at what we are doing. These are things we're best at.
A lot of people recognize we're best in the world at what we do. It's been in the news a lot lately that we were hired by Zoom to work on a lot of the clients they have. The software you're using is something we are currently reviewing to address security issues. There are a ton of other firms we're proud to work with that gave us difficult problems to solve.
A key value of the company is we share our knowledge. We try to do that through many avenues. I mentioned our blog. You may have seen our twitter. The Power to Fly team tweeted beforehand.
We have resources and publications we made available. To help you understand things. We're specialized experts but you can fall in the trap of keeping it away from people who aren't experts. There's a wide gulf between experts and non-experts. You know everything or don't know much. We're doing our best for people to gain expertise.
Empire Hacking was the largest meetup in New York City which we can't have now. Maybe people on this call can join us again later. That's for others to share knowledge gain with a wider audience.
Instead of a real technical demo because all our projects are different we have some reusable tools and techniques we have developed and refined. But it makes more sense to think about it holistically and look at the project end to end and look at what people come to us with and how we help them.
Keeping up with the current moment and time, the big question is how will we vote in November? There's not a lot of certainty that people will be able to go to their local gymnasiums and pull all those levers and not get sick. So online voting is a discussion we are having around the country and we are at the center of that.
Our voting solutions are very important. We are at the center of this. There could be as little as 500 votes cast in an area. Just a single vote being wrong could determine the election. And the risks are higher.
If you were around in 2000 and we get down to a point in time where there's just 40 people in Florida deciding who is President, you want to make sure that the technology being used is accurate within those 40 votes. The vote is very high stakes. So we worked with Voatz. They were the market leader in voting. We did their security and used cryptography and mobile security and offered a combined package to look at the whole thing end to end.
This was revealing to them and to the public. Unfortunately, depending on where you stand, this has identified lots of security issues that people didn't know were present. It changed the national conversation around if these technologies are safe to use in November and if we need to use different methods that don't get everyone sick then.
This is a unique project. You can see the results public. Go to our blog and you can search and bring up the whole report. So if you want to know what it looks like, you can see it.
We thought that was very important. The public is as much a party to this conversation as the vendor is. We wouldn't even work on this project unless we could work on it publicly. So now I will stop speaking! You can go to the web and look at what I'm talking about.
Johanna Ratliff: We also did a Kubernetes Review for the Linux foundation. They are a massive code based project. They hired us as their first really holistic assessment from a security perspective. They chose us because we had applicable expertise in all sub groups that could apply. If you don't know Kubernetes they are in workload management software developed by google. And it's open source owned by the Linux Foundation. It's used everywhere right now in terms of workload management.
Doing this huge assessment of go projects like this, we did a in depth architectural review and threat model that surfaced the issues around the architectural vulnerability when things grow too organically and are that massive. You run into issues around maintaining the security of a project as a whole.
We focus on that architectural review and did kernel fault protection and manual review and assessed the default state of this, even the standing at Kubernetes can be difficult, so showing these limitations in scaling and default config, how secure or insecure it is by default and to make sure everyone running the software has this good security.
Speaker: It taught us lots about go. The problems we work on stress the limits of what we thought we already understood. We found new bug collapses in Go and we built tools to work in Go that we work in other projects.
Johanna Ratliff: Kubernetes is still open source so we still find bugs there and they request the report from Trail of Bits and look deeper into the issue. It has built up a whole lot of investigation into the software which is really cool.
Dan Guido: I think this was Claudia.
Claudia Richoux: Yes. ZCash is cryptographically difficult for people to learn about your transactions. Until recently I was on this project but they needed lots of people to dig into the crypto. There were iterations in this over 100 page documentation. It's not very accessible to casual users.
But we used our experience to check out the protocol and other protocols to make a more digestible white paper to help our users understand it better.
So that's ZCash. Then the other tool, OSQUERY is more the engineering team. It's a psych-ops that lets you turn your database into queries.
It's so cool. But it's under development. It was started by facebook and it works on everything. It scales well to larger organizations. It's so good.
But yeah, some things we have done include adding real time integrity monitoring to find malware. So if you can monitor that and know instantly you know there's malware on the fleet you can do something with it.
Monitoring the MTFS journal, you have to hack around that. In Linux it monitors Sis calls and for file rights and editing.
We did AWS that you can integrate with the data querying. I talked to a coworker about his tools in container introspection so you can use osquery there. But we make cool tools and do cool audits.
Dan Guido: I would like to explain that. I have been in this for many years and it's a real area of investment. When facebook developed this first, these companies just throw them out on the internet and then people use them and they don't work. Because you don't have the same problems that facebook has. So when they developed this they had to make it more useful and to make sure that others could use it. So they asked us to do that.
If they want to make this a successful end point security system it has to be accessible with Windows. So they called us!
Now the project is so big and enough parties of interested that it outgrew it's container at facebook. Trail of Bits was successful in moving this project from ownership by facebook to the owners in the Linux Foundation and so we determined the product direction. It's not a product, it's an open source repository so there's no infrastructure around it to determine where it can go. But we stepped in and offered that structure so people are confident in this project.
Sorry, but I had to make that point! Tell us about SIEVE.
Speaker: This is on the crypto team so I'm a little involved in this. It's a Darpa contract. We are working with Darpa --
Dan Guido: It's a program.
Speaker: So it allows these bug bounty hunters and then expect companies to pay them. But sometimes the companies are bad about that and they lie and not pay you. That stinks and makes the bug bounty hunters economy broken.
So I won't hand you how I broke this, but I will say I did and I will tell you know with zero knowledge proofs. These are protocols that were up to know used in things like ZCash. So you can prove that you have an exploit that runs on a computer without showing it. That's so so cool. But that involves representing the underlying logic of the code that's relevant to the export as a boolean circuit.
This gets us more equitable bug bounty programs and then publications that push that forward. We are working with Johns Hopkins. So that's one of our research projects.
Deveshe Dutt: Thanks all! That was fascinating. I know we will talk a lot more about some of these projects that you mentioned in the question and answer session. But I will ask some questions and then open it up to the audience. I see a few questions coming in. We will get to those.
Johanna Ratliff, I know you joined the Trail of Bits team a few months ago. What motivated your decision to join the company?
Johanna Ratliff: I have actually passed as a software engineer and did distributive systems building and was interested in security for a long time, learning on my own kind of thing.
I thought it would be fun to get paid for it! [Laughing.]
So I had an old coworker who introduced me to Dan after I had a couple of times throughout the years expressed interest in security. He was like, I know a guy! So that's what started the process of me joining the Trail of Bits team. I just liked to write software and play with it but from a security perspective.
Deveshe: That's awesome. I hope to hear more stories especially from our audience about how they joined their jobs they're really passionate about. Skylar, you're next. Security is a hot topic with everything we're doing online. What is one of the largest misconceptions about security today?
Skylar Rampersaud: In my experience, one the largest misconceptions is that there are no people like me doing security, that I won't get a mentor, that I won't do well because it's not for me. I got into computer science because there were scholarships for people majoring in that.
What I really found is that if you put yourself in a position where you're always learning as you work, and find organizations that really support their people in that continuous learning, then you can kind of build your career into what you want it to be. And then people will come to you and you don't necessarily have to wait for someone to recognize you. You are the one building your skills.
I think security as a field is good for that. You can really build yourself.
Deveshe: Wow. That was really insightful, Skylar. I'm sure the audience found that really helpful. Let's hear from Claudia next. How has security changed since you first entered the field? Where do you see it moving in the future?
Claudia Richoux: I'm 22, haven't finished college, mostly through. I started messing with cryptography at 16 when my friend asked. I started with hacker culture, it's become a lot less a free for all in some ways. And more so in others, with people hacking and people having to defend it. There is cybersecurity and it's not like a 16-year-old can just steal money from a bank. There's also so much more stuff on the internet. It's more integrated.
There's the internet of things or the reaper bot net. There's a lot more crappy code running around. That's interesting for someone interested in breaking into software. People are a lot more interested in security. There's also the cryptoanarchist movement, doing blockchain stuff. There's so much interest in privacy now that google makes money off our data. People are more interested in privacy. It's gotten more interesting. Even if you can't do it as you would 10 years ago.
Deveshe: You know what they say about fact being crazier than fiction. That's the case with what you described. Thanks for that, Claudia. There are a lot of questions coming in. First one, from Jan. Who wanted to it, have you been working with self-sovereign identity?
Dan Guido: I'll take that one. Not specifically. Trail of Bits is a services provider for security. If you are using weird blockchain you might find yourself at my doorstep because you don't know if the technology you made was safe. We've worked with the largest in the world, with weird lending protocols and people doing everything under the sun with blockchain. Can't point to one specifically. But if someone doesn't know if they can trust it and asks how much they should, we have expertise to help them.
It's just a matter of what other folks are doing. Whatever is hot and new, where people are pushing novel technology and the limits of what's possible.
Jan: You mentioned a research arm. Besides self sovereign identity or IOT, are you researching these areas? Or areas where you are already getting jobs? Is it led by what the marketplace asks for?
Dan Guido: Research team is different, they put out things they need solved. The United States government wants a way to disclose vulnerabilities without information on the vulnerabilities. We have a code translating into circuits. There's automated program analysis and stuff allowing us to understand what a binary system is doing. Sometimes by emanating electronic signals. We've looked at automated vulnerability research. Pairing a machine with a human brain to be faster than a human with their own two hands.
We are looking at automated patching. Given a description of a patch or information on an automated bug hunting system can we use information to correct the defect without interacting with a human. A lot is at the intersection of analysis and cryptography. A lot of the topics you dropped, spatial web and others, are outside.
We are trying to stay focused on software security. There are a lot of problems. I choose the ones I can solve. That's what I choose to focus efforts on.
Jan: You are choosing interesting projects. It makes me think of other ones in the world.
Deveshe: Thank you Dan. And Jan.
A little pivot to talk about the culture at Trail of Bits. There are questions submitted by the audience. Can you talk about the culture and how it approaches inclusion and equitable practices? Who'd like to take that?
Dan Guido: I don't know if people are waiting for me to take it.
Deveshe: Looks like it.
Dan Guido: I probably should have prepared but I'll do it off the top of my head. There are a lot of things. A lot comes from the cultural perspective of how we have always done remote work. You're judged on what you can achieve at the office. There are people I only see through a screen like this.
What am I trying to get at here?
Well I don't really know what I'm trying to say. I think from a cultural perspective, we really count on each other as a team. We try to be transparent and engage openly. We have a guide on how to be a project maintainer to help you see the perspective of someone using the product. So you have empathy for what they are going through. That courses through a lot of it.
There are company procedures in place. We've taken a step at looking at the employee handbook. Making sure there are systems for when issues arise. Sexual harassment doesn't take a back seat. We've made sure we're prepared. We want it to be a safe workplace.
Also how we engage with the public. When we list job recs we make sure there's not biased language so everyone has a fair shot and they can visualize themself in the role.
We look at the way we work with Empire Hacking. When we give talks we want to make sure it's representative of the community out there. We had a good run of 50-50 men and women. I was hoping to keep it up. But I don't think we can have the meetup this year.
We also offer family leave early. For a small company like ours that's not a google, we always offer parental leave. We are lax about how you can get your job done. I think that was what I was trying to get to at the beginning. If you have to leave for your personal life for a couple hours, it's no consequence to ours. You can get the job done however you have to.
I think that covers a lot of it.
Johanna Ratliff: I can add a couple things from what I noticed. It was a good interview experience. It was a remote interview around a holiday when I couldn't fly to New York. It was easy to manage a remote interview. Everyone spent the interview nerding out around cool things like Go. We spent the interview nerding out about the same kinds of edge cases and bugs that drive us up the wall. You get a feel from how it will be to work at the company.
For hours, it's very flexible. To be honest, when you have everyone around the globe-- there are people from Argentina to Poland. When you have everyone around the globe, time frame is based more on when you work best. Depending on pandemic, I might not be productive at 3pm. 2am might be my sweet spot! That's appropriate.
Dan Guido: A core value of the company is sharing knowledge. That invites people to the community who don't know they could be part of it. Doing engagements like this. "This field exists, you should participate." That's a big part of what we do. I target that to diverse audiences. This event is great, we've also participated in SummerCon. We gave them money to diversify speakers a few years ago. They provided it as grants to people for research before their talk. We reviewed those people to make them confident.
We have done lots of work with Women in Cybersecurity and other organizations. I'm not getting invited to too many Meet Ups these days, but I try to book extra when it comes to talking to young people or women or other diverse groups of people around what you can do in this field.
What might be engaging to you?
Deveshe Dutt: Thanks Dan, we are looking forward to you speaking at the summit, June 14th-17th with that diverse audience.
I wanted to go back to something that Johanna Ratliff brought up around this crazy time we are in, and a question around that.
Especially in the age of COVID-19 how do you maintain a strong work life integration and how does Trail of Bits support you in this?
Claudia Richoux: I can answer that. My manager is so chill. As long as you make the client meetings and get your work done, no one cares when you get it done. The pandemic is crazy and I flipped to nocturnal a few weeks ago. I get my code written up at night now.
It's chill. Lots of 9 to 5 jobs though, it's like when can I go to the doctor? I have to take the afternoon off and things are not open Saturday, so how do I do That?!
But at Trail of Bits it's so chill. Lots of people work from home 1-2 days of the week, or more. My manager is so flexible and my teammates are also on flexible schedules. We get Facetime together. But if you have a different work schedule we are flexible to that.
Dan Guido: I gets back to what someone else said where we already work with people in Poland. Not everyone can work synchronously. So our adjustment in the company happened many years ago.
We already record all our meetings so if you are not present, you can watch and we have meeting notes for those who weren't present can understand what happened. And opportunities for spontaneous connections. We set up random video chats with people.
When you work remote sometimes the only conversations you have with people are about work! So we force other conversations to happen because they are beneficial.
And from a transparency perspective, everything I do happens in a public channel and it's easy to keep up with even though I'm the CEO. You can keep up with all the projects. That helps people stay motivated and engaged and see everyone kicking butt. It's a nice common mindset that we are all here, doing what we have to do, even though there's crazy stuff going on outside.
Speaker: I'll say in addition, in terms of how we are handling COVID-19 and everybody's different reactions to that, we were already remote so we are rampage up the amount of Dan called them "forced Interactions" -- [Laughing.] -- between people so you can talk to your coworkers and feel like you are regularly seeing each other. Things like that.
One of the cool things is that we are open, depending on who you are, about mental health at this company. It's a small enough company still where you can say, "hey, I'm having a weird day." Then you hop on the coffee time call and Dan has brought alpacas!
That did really happen last week! So it comes from having that small company.
Dan Guido: I'll direct you to a Tweet that I made of pictures of the llamas. We have proof that I did that!
Deveshe Dutt: So it's not in your imagination! [Laughing.]
Dan Guido: But you got to keep things interesting. And I thought that might be fun.
Deveshe Dutt: Absolutely. Skylar I will call on you.
How does Trail of Bits compare to other jobs you have had in your security career?
Skylar Rampersaud: It's the best job.
Touching back on the remote from the start, in previous jobs I had to be the office, and develop a rapport and trust before I could work from home, or choose the areas that I wanted to research.
Coming into Trail of Bits it was, "what are your interests?" That's great. It aligns with what we want to do. So do it!
The work from home, work when you need to. It's done. It's not an issue.
I don't know if Jan or anyone else was interested in more technical aspects? Doing security assessments has gotten harder over the past 10-15 years. It used to be something you could do in an afternoon but now it's like multi-week projects. But that's not an issue for me personally. That's just an overall change that companies must shift to.
Dan Guido: And some people got good at securing our software! We have to work harder!
Deveshe Dutt: It's more challenging and that's more exciting. A question from Mercedes to all the panelists.
Bug bounty programs and how do these compare to [don't understand.]
Dan Guido: Bug bounties. I think lots of people lot at that and think it's easy. They think they can just throw up a website and say please, show me all the bugs and then the software will improve in quality over time.
People don't realize the problem at first. They reach out with open arms with a pile of bugs and someone walks up and punches them in the nose. They don't know all the insecurities and then they get this avalanche of issues. Then they handle it poorly and the communications are not well received and then it causes an issue.
Or the opposite happened what someone can't look at your software and then no one checks. Then you have this false sense of security. But was someone motivated enough to even look?
And this is tactical. When you do bug bounties the way you do it is drive bys. You try to find just a few bugs and you try to find these on every website on the internet. But that's not good architectural guidance or assessing risks or helping people improve. I like bug bounties are the last thing, and the final stage of the software maturity but lots do them first.
We have reviewed public research around bug bounties and put it on the blog On Bounties and Boffins. This was a journal article from data on facebook and Hacker 1s bounty program over 2 years and drew conclusions on who does the bug bounties and what their motivations are.
It's a purito [sp?] distribution. Some people find all the issues, but then there's a long tail of others that find one or no issues. So there's misinformation out there. Yes, there's the wisdom of crowds and many eyes looking at your code, but the reality is it's just 50 people! And that's it! But it shows in the data.
So how do you get one of those 50 people to look at your code? You need to structure the communication and plan how to engage with a high performer. So at Trail of Bits we take the opposite approach. It's not indeterministic if you will get information from us but we work with you to understand the end to end product and look at the structure and help you build a secure product. Then we can help you run a good bug bounty program.
I'll post the article in the chat, but I hope that provides some perspective on the bounties. Claudia, or Skylar, or Johanna Ratliff, other perspectives?
Claudia Richoux: Coming from my background and doing CTFs, there's a guarantee for a solution and I thought, oh bug bounties the same, but you don't know where to look towards in bug bounties. In CTFs it's directed and you get points. You know there's a prize. But with bug bounties it's not that fun. You don't know if you will find anything and you don't know where to look. You don't get the source code and if you find something, the company might just be rude to you and not pay you!
So as someone who breaks into things, I won't say that bug bounties is a waste of time, but if you are interested in breaking into things, do CTFs or white box reviews. You don't want to just poke around in the dark and not hit anything.
But I think bug bounties are a bit silly.
Dan Guido: In a CTF you know there's an issue. Once the competition is over, you have a solution. You can complete your learner cycle with a CTF, but with a bug bounty you look and look, And not find anything. No one reveals the answer to you.
If you are just starting, then CTF is the place to go. Hey, bug bounty is nice, and if you want to get a couple thousand bucks in a weekend, but it's more helpful to do the CTF.
Speaker: With knowledge ramp-up as well, the difference in what we do we don't always have source code. But the benefit of having it and mentally traverse a potential intended path and come at it from the security perspective and figure out, "okay, if I mess with it here, what's the entry point from outside the box?" But with bug bounties when you have that veil shading what's happening and you can't see the logic path they coded in, lots of it in my opinion is scatter shotting tools at the software to see what falls out. To me that's not as fun.
Deveshe Dutt: Skylar, this is the last question. I hope you can close us out. We want to hear what you have to say on this topic?
Skylar Rampersaud: I'm a little older, the web stuff is not what I'm interested in. If you want to learn about security of other things that's not web-based, you're really not going to get that in a bug bounty program.
That's where doing capture the flag exercises or finding some other training exercise to build up your skills is a lot more valuable than throwing a bunch of tools at a website hoping some bug will shake out.
Deveshe Dutt: Thank you for that Skylar. Claudia, we love that your dog just came to say hi!
Thank you so much, panelists. This has been really insightful and interesting. If we didn't get to your question, we'll do our best to follow up with you, you'll hear from us.
I want to tell you more about Trail of Bits. [Reading Trail of Bits description on screen]
This has been made evidently clear today. Trail of Bits is hiring. Even before this 50% of employees worked remotely. Many chose to work from home. It's in the best work from home companies 2020. Especially when you hear additional benefits include 3-4 months parental leave, charitable donation matching, and PTO. You can find out more by typing in Trail of Bits in your search.
Dan Guido: There's discrepancy on whether or not we're hiring. I'll throw roles online then we can close it down. The current business capacity is uncertain but we encourage folks to join, we're in a different spot than in march. After the call we'll open up a few positions, and take it one step at a time. Just like everyone else.
But I'm lucky that the kind of situation we've got ourselves into is, we've lost a couple clients. There were people paying us who suffered a lot from the pandemic and they can't pay us. But we also picked up remote work from technology companies who need us. We've had minuses and pluses. We are on a steady foundation for the rest of 2020. We'll carefully start growing the team again. I'd like to start with the folks here first.
Deveshe Dutt: Thank you Dan for your transparency at a time like this, nothing is more appreciated. As we wrap up today's chat, check out our many daily virtual events. Dan will speak at our virtual summit, the 14th to 17th of June. We'll be chatting about security. You can go to www.powertofly/summit to continue the conversation. You can follow Power to Fly on social media. Or visit the blog updated daily.
Thank you for being part of our discussion today and asking great questions.
The summit link is posted in the chat, feel free to join in. We'll send a short survey. We'd love to hear your opinions so we can continue to make these events. I hope you enjoyed the event. Thank you so much for joining us, have a wonderful rest of your evening. Stay safe. Bye bye.
[End of event]
*** This transcript provides a meaning-for-meaning summary to facilitate communication access and may not be a fully verbatim record of the proceedings. ***