CHRIS GATFORD (raw transcript)
Darcy Milne 0:05
Hi, welcome to the cyber security cafe podcast. This is where Louisa and bring you the experts, the stories and the research impacting the cyber security profession today.
Beverley Roche 0:17
Louisa. Welcome back to Australia. Lovely to have you back.
Louisa V 0:23
Great to be here.
Beverley Roche 0:25
Where have you been?
Louisa V 0:26
I've been in the states for a couple of weeks. But just in my last week, I was over in New York and I attended a cyber insurance conference, which was a first for me.
Beverley Roche 0:39
How interesting. So what's new? What are they talking about? In relation to cyber insurance?
Louisa V 0:46
There was definitely a lot of talk about business interruption. One thing I did want to share was they put up a slide about why people buy cyber insurance and Specifically what they want their cyber policy to cover. And the top three things were data breach, cyber extortion/ransom, and then cyber related business interruption.
Beverley Roche 1:15
I think that's really interesting, because they're, they're fairly obvious. But it's good to have that validated that they're the things that they really are wrapping. The so the business continuity data breach. That's fantastic. Yeah. And did you have any other insights to share with us, Louisa?
Louisa V 1:36
I think the other one that jumped out at me was a session I went to around privacy and the views of millennials versus baby boomers. Haha.
Unknown Speaker 1:50
Yeah, the things
Louisa V 1:51
that jumped out at me from that one, because there is that perception that millennials don't care about privacy and the and because of their willingness to use and share on social media. But in fact, the panelists had and there were millennials on the panel, they had a really strong view that millennials absolutely do care about privacy. For them, convenience is king. So they are happy to share data. But they expect transparency about how their information is shared. So they still care about the privacy, their information, but they want the truth about what's being done with it. And then they are happy to share that and to get some benefit. That's usually about convenience. And then the other piece was they shared some research and we'll put the link in the show notes that was done in the UK and looking at Digital sappiness of the generations. And no surprise, I think that millennials, I think 63% of them are digitally savvy versus about 24% of baby boomers. And that then for me, uncovered. The question in my mind is if our baby boomers are less digitally savvy, but they are required to understand, I guess, how to drive privacy settings and things like that? How is that going to impact their ability to manage their own privacy?
Beverley Roche 3:22
Absolutely. And we've covered that we talked about some of the work that Professor Louisa calls camps doing with that large, disenfranchised group. And I think you and I know that's something that we all need to help do is to get those baby boomers, understanding what settings they need to change, and how to look after their privacy. It's another podcast, isn't it?
Louisa V 3:52
It definitely is Beverly.
Beverley Roche 3:54
Hey, so Louisa, we're going to be talking to someone today. about social engineering. And I wanted to ask you a true suit question because you love research and you like Trivial Pursuit, who was one of the greatest con men of our time, who posed as an airline pilot or surgeon, a lawyer. And guess what? He now has his own podcast about how not to get scammed.
Louisa V 4:26
Well, I would say one of the greatest comment of our time was definitely Frank epic now Jr. and I just find him so fascinating. The Many of you may know the movie, Catch me if you can, which starred Leonardo DiCaprio as Frank and it just fascinates me that I guess his scamming techniques still in their own way alive and well today. So in a very relevant In a lot of ways, they haven't changed. And and while we're on that subject, I'm just going to share some definitions that I've, I've had a look at just so that we're all I guess thinking the on the same page around social engineering. The definition in the context of information security is actually the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. And I guess in the case of Frank, although we wouldn't maybe look at what he did in the pure Information Security context, but he certainly use the telephone so used a piece of technology to scam a pan em, airline pilots uniform, we can see that I guess in Frank's time technology was being used in in a way to scam people as just as it is today.
Beverley Roche 5:51
He used identity theft. I mean, he used other people's licenses are the people's identities. You know, it's it's absolutely not Different now is it? Except we've got this great use of digital enablement, where you can't necessarily see who's behind. Yes.
Louisa V 6:10
And Frank actually said, because as you know, Beverly, he actually went on to work for the FBI. I guess they were so I wouldn't say impressed, but they certainly realized that he was extremely capable in his field. So he,he went on to work for the FBI. And as he said, He's now got his own podcast, but he is actually quoted as saying in a very recent interview, that technology has made crime 4000 times easier today, compared to when he was committing it in his day. So I found that really fascinating. But I also wanted to circle back just to clarify the other definition of social engineering because we use the term a lot in cyber security, but it also has another meaning, which is the use of centralized planning. In addition attempt to manage social change and regulate the future development and behavior of the society. Just to know that there's that other definition out there. I didn't know about that. So, yeah, I certainly learned something from researching this show.
Beverley Roche 7:13
And I think that really speaks more to the things that we've that things that have evolved around Cambridge analytica at a societal level, getting us to believe that that information, you know, which is fake news, but getting us to subscribe to things to views and opinions. So I think that's the elevated social engineering is Yeah, yeah. So what we see in cyber security, but then there's those bigger issues. And thank goodness, we've got global journalists really targeting those issues for us, so that we don't, you know, so that we're not overwhelmed with every element of social engineering. Louisa, we've got Chris Canford on the podcast today joining us for a chat. He's really a security evangelist. He does some really interesting things goes to rock concerts, probably because he loves, but also uses it as an opportunity to go and talk to young people about how to keep themselves secure. He's going to unfold some really interesting things, a little bit about what you said around what we what we think that millennials think about their privacy. Chris will also share some interesting insights about how he landed in cyber security. And you know, he's bought and sold a few companies. So he comes with quite a lot of experience. So I'm really looking forward to having that chat with Chris.
Louisa V 8:47
Yeah, I can't wait to hear it. So let's go to the chat.
Beverley Roche 8:55
Chris, Gatford. Thanks for joining us today. Hey, We're going to talk to you about social engineering. And But first of all, we'd like to get some background on you and your personal story about how you got into cyber security. Want to share that with us?
Chris Gatford 9:12
So, my personal story into cyber security? Well, yeah, I guess it's not it's not overly exciting, but I was always one of those kids that would take their toys apart, and work out a way to put them back together to do something else too often harass my sister and have and, and in my definition, my definition of a of a hacker is somebody not necessarily who's doing something malicious, but it's somebody who's thinking outside of the box and doing something creative and not sort of resetting or standing for the status quo, you know, not, not not accepting it. So. So I always had that sort of approach of you know, Playing with things making them do things that they weren't supposed to. Always, according to my mother, always trying to scam the system, whether it was a homework or a pocket money kind of reward scheme, I was always trying to find a way to scan the system. And so I guess, you know, I had those early, those early tendencies that we see in people who identify themselves as hackers, which is, you know, understanding how the system worked and the thirst for knowledge, wanting to make it do something different. And so when I found it, and I found it early, because my dad was barely into it. He he was building data centers back in the 70s. When, you know, like, they were a big thing. Like, you know, yeah, yeah. So I as a youngster, I saw the world you know, off the back of my dad traveling around the world. Building data centers for various organizations so and so there was a quite a lot of it at home and those, you know, 70s and 80s years, and then, you know, hopefully gravitated towards it school and stuff, but then I was really sociable. And so I really liked the idea of being a bartender. And so I was going to go with the idea of being a bartender rather than going down this whole it lock and then one day when I was foraging for loose, change my dead sock drawer, I came across his payslip and went, now I'm going to go into it. So, anyhow, I went into it and those sort of natural skills around, you know, thinking outside the square, not accepting the technology for the does and trying to work out how you can get to do other things sort of lend itself well for me going into it security. And then within IT security, I was sort of responsible for defending a lot of systems and designing networks for clients back in the like, you know, in the really early days, like we're talking in the 90s. Even rolling out windows 95, to large pharmaceutical chains in the UK and Europe. And so I was tasked with doing this, but also doing it in a secure fashion, you know, computer security is just sort of really saying get bit more, I guess, more considered. And so I sort of went down the path of the security angle, because it's sort of when, I guess quite well aligned to the way I think. And so I was trying to come up with attacks to be able to fin them and I then came back eventually to New Zealand, Australia. And, you know, I worked with some critical infrastructure where I had to apply the same thing. So once again, as a defender having to understand what the malicious attacker was doing intimately so I could better defend the systems and that's really sort of how I got my stop.
Beverley Roche 12:54
And you know, there's a couple of things in there, isn't it? You can't be what you can't see. And so having a father Not only that, having some little sneak peek at his salary also inspired you as well. And the fact that you just love you very interested in people. I think it's a great attribute as well, but I guess it's, you know, are they born these people that like to hack or they created?
Chris Gatford 13:23
You know, it's a good question. I think there's both, I think there's probably both ends of the spectrum. You know, over the years, I've had the privilege of working with some just amazing information security people, some that I've plucked out of university and in some cases, I've literally taken them almost off the street and given them a role and they've become very successful penetration testers in their own right. So I'd say I'd say you can do you can be both you can, you can be sort of naturally gifted but also you can learn some of those skills. It is a hard skill. To learn thinking out of the box, but it can be taught, it can be a discipline that you sort of engage in and, and create. And if you've got that desire to learn, then then there's certainly a lot. There's a lot of things you can do. And security doesn't just have to be penetration testing, of course,
Beverley Roche 14:15
absolutely. Which is a lovely lady into social engineering. Can you kind of tell us a bit more about the sort of things that you're seeing, and this some of the exciting things you've done?
Chris Gatford 14:29
You know, it's interesting, I think. And I was just as I was listening to that question, I was sort of visualizing some of the things I've done over the years, and some things my team have done over the years. And it doesn't really generally change. So for us, social engineering is more than just phishing emails, social engineering is engaging with the client and First off, obviously understanding what their objectives of the testing are. And then sort of us going back and working out what approach might be to achieve those objectives and gain access to whatever the desired information is. So, over the years, you know, often that requires physical access. And so, we are very adept at sort of gaining physical access to organizations in various methods to be able to sit down plug into the internal network and go after often the information or assets, although these days there are some physical assets that people are concerned about and even physical access to those. So social engineering is, I guess, the methods that you use to persuade and extract information from people and we get to do that both physically and electronically.
Beverley Roche 15:45
And a people starting to understand that this is something that can be used because very high profile people are being targeted. So is there more opportunity I guess is better question. The market around tell us everything you can find out about us. What would be that point of that inflection point of finding out how to really get in.
Chris Gatford 16:15
So I think I think people sort of becoming more aware of it. Unfortunately, there is still a focus on the electronic side, which is a shame because social engineering is just so much more than just phishing emails. It's obviously the physical interaction. It's the phone calls, it's the social media interactions, and then becoming very successful and unfortunately in Australia, we do tend to be security unaware. Generally speaking, for the for the people who work you know that the average Joe inside an organization is generally security unaware. And we have seen more recently the business email compromise stuff starting to really I guess, organizations in Australia, business email compromise. If you're not familiar with it, it's when people send fake invoices to be paid, feigning to be a current supplier and normally targeting accounts payable staff who then go and action that or the CEO asking for an urgent deposit to be made. And once again targeting the accounts payable, people were able to do transactions inside the organization. And you know, we are losing millions of dollars a week out of Australia with this technique, it's very successful. And it's because these people don't understand some fundamental security concepts.
Beverley Roche 17:39
I think, look for some of us, we we understand that you know, we go to the executive assistants in organizations and say, typically will lay it out for them and say, This is what it looks like. They will come to you. It will always have those attributes. It will be a different account number But a company that might sound familiar, and it'll always have a sense of urgency. We we've got a long way to, to work on that one. I guess the other one is the social media one's really becoming quite fascinating, where they're impersonating very, very high profile people. Graham Cluley this morning was talking about it on his podcast where they had a fake Twitter account for the British central place. And it was just fascinating. an outsourced company was managing their Twitter account, and they had got hacked, but there was a really big backstory to it. And do you have any advice that you can share with people about, you know, what are the things because it's much harder now than ever before. They used to be typos. They used to be some obvious things that We needed to look for. And there's some things that you can kind of give us some clues.
Chris Gatford 19:05
Yeah, you know, so those good old classics of, you know, typos and the time it was center sort of really null and void these days quite right. And you know, the attackers have become a lot more sophisticated. They will send legitimate emails first, as outside queries to try and get the footers of emails, they'll start conversations that way. They normally start their, their process for specifically for business email compromise, they start their process by looking at LinkedIn. So looking at LinkedIn and understanding who to target inside the organization, so I know it probably goes against the grain but you know, we also recommend to our customers, you know, review your LinkedIn profile, make sure that business titles are specifically advertising make sure that only connections like like valid connections can see some of those more intimate details about you and training their staff about why it's so successful. The next level down is teaching the end users. And for example teaching an end user that and even people in information security sometimes don't really fully understand this but anyone and I mean anyone can send an email purporting to be from anyone else including the email address and the name
Unknown Speaker 20:23
Unknown Speaker 20:24
it it's not I suppose
Chris Gatford 20:27
you could call it's probably more more technically accurate is just, you know, sending an email but forging it the the email address that is coming from because literally, you can go to an online form and for all this and press Send.
Unknown Speaker 20:40
Chris Gatford 20:43
it's, it's not hard, you can't have a two way conversation. It's a one way conversation. What more modern attackers are doing those putting in the address in the email when they hit the reply. It does a different reply address, so people check the from address first We've been teaching people to look at the from address and then they've got a sense of legitimacy and hit the reply and they don't check that and it's going somewhere else. So that's why the lot of the business email compromise stuff is working so well so we teach people to be put in decent business processes to start you know, challenge the emails never even teaching an end user that anyone can send an email purporting to be from anyone else significantly improves the security posture because now they just don't trust email.
Beverley Roche 21:29
And they get so many of them you know, I find in my line of work I actually I am people because I can bypass the email system which is usually got about 158 miles sitting in it. But you right, you're absolutely right look that they are great points on you know, border the things that we you know, because we really want to help people get, get a good understanding of what's going on around the human side. Now. Speaking of which, you're hanging out at rock concerts, Chris, specifically one, the science tent and splendor on the grass. What do they have to do by attending those with social engineering? And what are you seeing from that age group that are attending those concerts?
Chris Gatford 22:22
Well, that's a that's a very pointed question. You don't work for the ATO (Austrailan Tax Office) do you but just in case you are listening, I got full receipts
Beverley Roche 22:34
for the outfit as well.
Chris Gatford 22:38
God like I really do enjoy, sort of being a security evangelist and and talking to, you know, all sorts of people and luckily, I've been invited for the last couple of years to the science and forum tin. We've talked to cow and Adam Spencer and doing it panel was soo let Dreyfus and a couple of other industry chumps, talking about information security and it's really interesting like, you know, we're really focusing in a very basic level we're showing you know, splinter punters you know how to protect yourself things that you can do basic steps. And, you know, over the years, I think, you know, we've sort of educated hundreds of people on on better cyber security hygiene.
Beverley Roche 23:28
And they really, I think we can make a lot of assumptions about certain age groups about how they don't value their privacy. They starting to understand through, you know, recent release the great heck about Brexit, and because they do care about politics, and they do care about global issues, are they starting to really bite into their own safety online?
Chris Gatford 23:58
You know, they are, there's a varied audience specially at splendour in the grass. I was on a panel two years ago, and on the panel was, you know, three different politicians, including Anthony Albanese. And, you know, the questions from the audience are really interesting. So this panel was sort of like cross, like a couple of different topics. And, you know, like, the audience is very, very thoughtful in their questions. You know, they are very, quite an astute audience, and they are concerned about all sorts of issues.
Unknown Speaker 24:38
Chris Gatford 24:40
I think in relation to splendour, it is it is a useful outreach, you know, I think we should be doing more of it as an industry, getting out there and talking and educating groups about how they can better protect themselves.
Beverley Roche 24:54
I think it's fantastic. I may not want to talk to anybody that's interested in privacy, safety and security. I mean, I think what we've what's really missing is if you look at what the ancc are doing, you know, we're lagging behind, because we've got too many points of entry. And we're not getting out to the masses around how to improve their online hygiene, as you call it. So what are some things that we have you got some messages that you really like to convey about? So we talked about social engineering? You know, what are you saying to your kids? Because I imagine, I know the young and they're online. What do you what sort of messages? are you managing with them?
Chris Gatford 25:47
Geez, I'll tell you. That's one of the funniest topics at the moment is securing the family home and as an info sec professional when you are tasked with that. You think, you know how how could it be achieved? It's hard is very hot,
Beverley Roche 26:01
it does take on a whole level of discipline, because what you tell people they should be doing in the workplace. This emotional level playing at home with no but I really need access to this,
Chris Gatford 26:17
this bed but there's also the technology that they using and I'm just amazed like, you know, I will we locked down YouTube obviously and you know they could use kids youtube and occasionally they will say look, this isn't available on kids youtube. So can I, you know, use use a normal browser and gain access to it. You know, like yeah, okay, all right. And then you know, you to make sure that you know, they were, they were on the up and up. And then one time. One time I was like looking at, came into my son's room. And I noticed he was seeing a video that wasn't inappropriate, but I knew you wouldn't be available through through kids youtube and what he done is at the End of just a harmless normal, you know, game on the iPad, it had a video tutorial. And he was then leapfrogging through the other suggestions to be able to see all the other content.
Even my son's finding ways to get aruond my security controls
Beverley Roche 27:17
well. Yes, you might have another
Chris Gatford 27:20
chip of the old block you think? Yeah,
Beverley Roche 27:21
absolutely. I think there's a following in the footsteps. So where do you see because your kids are quite young, where do you see that generation going in terms of digital literacy, when they really do seem to understand how to use the technology, getting them to understand, you know, just the level of appropriateness and how long they should be using it for and all that sort of stuffs more challenging is,
Chris Gatford 27:48
yeah, so one of one of my industry colleagues, who speaks at Splenda with me. You know, he takes his daughter along. In fact, they all do a lot of panel took along the kids this year. And they're very cybersecurity aware. You know, it's it's, it's really interesting. So I think, you know, coming back to securing the family home a, it's hard, it's much harder than you might imagine. Obviously encouraging to factor off good complex passwords, introducing password management, the early days. You know, those are the sorts of things we should be thinking about. And then at the boundary level on the network layer, you know, putting appropriate filtering controls in place. And if you're a little bit stuck about where to start, go check out the open DNS solution. That's things pretty much free these days. But that just stops your any systems inside your house going to anything nasty. So let's do the usual BBQ conversation I have.
Beverley Roche 28:51
There are some bigger questions I think about so is hacking going to be outsourced? You know, is it really something When I say really change as a profession? So is the nature of how people hack their applications. Is that model going to change?
Chris Gatford 29:14
It depends on the organization itself. Like whilst we see various services coming and morphing within the industry, I don't think so. And organizations with a really high security model, maturity can can take different choices but traditional security consulting and knowing who is testing your environment, and being able to reach out and touch them, I don't think that will ever go away in a hurry.
Beverley Roche 29:44
It you really, it's highly confidential staff and the trust, it's probably a 10 plus for trust is not you know, what you find out what you ascertain, you know, you know everything about them. So that's going to be I agree with you. I think that trust models still got to exist. So, Chris, thanks so much for joining us today. How do people get ahold of you?
Chris Gatford 30:15
Yeah, so my team and I, these days, we're at a company called hacktive.io. That's active with a K All the cool kids, by the way, have.io domain names now. And we form a range of services from security testing to managed security services to consulting around different frameworks, so feel free to reach out to me or hit me up on Twitter at Chris Gatling.
Louisa V 30:48
Beverly, I love that chat with Chris What an amazing security evangelist he is, and so knowledgeable about his domain. I really really enjoyed that conversation. And I think I've got some really pointed questions for you. But before I go to those, I'm starting to see a pattern emerge from all of our podcast chats with our guests, when we ask them that question, how did you land in cyber? And it seems Chris was also sharing what many of our guests have shared is that that curiosity that you need to be in cyber security, and whether that's a curiosity about how a piece of technology works, and that one wanting to unpack it, or a curiosity about humans, and about how they behave. It's definitely that key ingredient for a career in cyber security. But I think for Chris, you can see he's combined a curiosity for technology and people and I think that's probably one of the reasons he's been so successful in building and selling several businesses in our industry as well.
Beverley Roche 31:59
What do you think? I don't think he would have been satisfied as barman. I know, that was one of us. You know, he's clearly found our profession really enriching and he does a lot of things outside, you know, going to rock concert. Even if you love a rock concert, you've got to assimilate into that environment. He has a lot of fun with it, a sort of photo of him splendour in the grass. And you know, they they're just doing great things to get our messages across about how to stay safe online. Not doing such a good job with his children. None of us are, we're just hopeless, it folds folding when they say this app and I want it now and I felt him cringe as we were talking about that and I could so relate to when they ask you for something and you think, you know, in your heart, you should be reading the terms and conditions. You know, you should be looking at what settings but they wanted and they want it now. So yes, the That's a challenging, that's a challenging space for for everybody. Isn't it also love some of the things that he talked about in terms of saying that, you know, the millennials are really asking very thoughtful questions about their privacy and security, which is just, it's great to hear, it's reassuring to hear that these messages are amplifying out, especially all the good work that the a safety offer stars, you know, it seems to me and said, it's all starting to amplify out, isn't it?
Louisa V 33:36
And Beverley, I've actually got a question for you. And this is an area of your expertise because I know you have been hands on in the penetration testing space and running programs in that space and I'd love to get your take on that question you asked Chris about are we going to see the pen testing outsourced and that that feedback that came back from both of you really about the fact that is such a trust based exercise in a business because of the information that comes out of it. And one thing I, I guess I would love to have heard both of your views on was about bug bounty programs. And when are they appropriate to you?
Beverley Roche 34:22
Thanks for asking it. There was probably just, you know, we were limited from a time perspective, but that you're absolutely right. That as much as we want to look at other models can pen testing can be really expensive as a program. And I'm certainly saying that currently, but I'm not saying it's not worth it. It absolutely is. And you do look to explore, where can you use bug bounties? Where can you use other models to get the results that you're looking for because we all know that having pen testing on Staff, it can have its challenges in relation to they need new and exciting things to work on. And and if you just giving them the same old stuff, they're not growing and prospering their careers as well. Look, I think it really comes down to, I think if you've got something that's not in production that you're happy to do, you know, there's tools, obviously for code reviews, but if you need some testing, I think that's a great opportunity for those bug style bounty solutions. But I think for anything that is legacy or holds data, that is really key to your competitive advantage in business, then I think its traditional pen testing. I was surprised to to get that area Sir, but it did validate for me that trust beyond everything else is probably the most important thing. And, you know, you and I've talked about so the future state of cyber security, which we'll talk about in more detail in another podcast, but I think it it will be interesting to ask those questions over each of the domain, domain holders or domain expertise about where do you see this going. So it was great to get that feedback from greed. Yeah,
Louisa V 36:35
that was Yeah. Because I think we've, we've heard the feedback from multiple people at multiple levels, that there isn't a skill shortage in cyber security, that the challenge lies in our recruitment process. And then the other question, as you said, is then what does the future workforce look like? What do we need to plan for As leaders in the cyber security industry, how do we plan for the next 10 years as technology changes the shape of our roles, both from a, the criminal element that we're dealing with, but also then from a day to day job perspective, as we see AI, other technologies automate some of our work just like the other industries are experiencing. So I think there's some really big questions we need to answeron a future podcast
Beverley Roche 37:31
I think thats too big for the end of this one. Because I can see that you know, we got to pull set people up through this industry. We're not doing that we're tightly holding some of those key roles. We're not future planning and succession planning in the way that we should be doing. And of course, we're going to have a massive intake, add of all ways, university courses and certificate courses that Everybody's throwing good money at, we need to be able to work out where to put those people. I think the other point was the conversations changing, isn't it? The conversation around the sort of things that you can impart with people? I know that when you're in a taxi, what conversation do you have with the taxi driver Louisa?
Louisa V 38:23
Well, actually from doing the podcast, it's probably changed. And now I take the Graham Cluley approach, which is to tell people to get a password keeper, and to not reuse passwords across different sites. So that that I've taken with me and that's now the message that I'm sharing for now. And of course, we must always be ready to change our message. As the criminals evolve. There's never going to be that silver bullet. This is the same advice every time every month. Yeah, I guess that's certainly the the line that I'm using today until things are
Beverley Roche 39:00
And Chris said during our chat that the BBQ conversation has really changed. People actually really talk to him about not what he's doing. But what advice he should give in of course, he's saying, securing the family home two factor authentication filtering, especially if you've got little kids making sure then they're not seeing things on YouTube that are going to scare the living daylights out of them. And also using the advice that the as a Safety Office produces and you know, how to have, you know, basically how to have fun and safe digital experience. I think that's a wrap Louisa.
Louisa V 39:45
Yeah, I think that's pretty much all we've got time for today. We really look forward to you joining us soon.
Darcy Milne 39:53
Thanks for listening to the cyber security cafe podcast. Be sure to subscribe for future episodes. And for more more information, visit cyber security cafe calm and find us on Twitter at cyber ACC cafe.