
Mister Beacon Episode #103

Addressing the IoT Security Challenge

March 16, 2020

How do you make the IoT secure? What happens when you don’t? What are some of the most powerful IoT companies doing to address those questions? Full episode here:

The ioXt Alliance believes in building a safer IoT world. They believe this world can be made possible through an alliance built on establishing security standards, shaping public policy, and compliance through testing and certification. This week we talk to Brad Ree, the CTO of The ioXt Alliance. This international standard for IoT security was brought to life by some of the tech giants you might be familiar with: Google, Amazon, Comcast, T-Mobile, to name a few. In this episode, we dive into how the ioXt Alliance defines IoT and the vast differences that consequently create notable variances in security requirements for each. Acknowledging that IoT is scaling and with scale comes increased risk, we continue the discussion about the tradeoffs such as cost, usability, longevity, and more. Tune in this week to learn how The ioXt Alliance is evolving and about how you can become involved in making the ‘Internet of Secure Things’ a priority.

Transcript

  • Narration 0:07

    The Mr. Beacon podcast is sponsored by Wiliot, scaling IoT with battery-free Bluetooth.


    Steve Statler 0:16

    Welcome to another episode of the Mr. Beacon podcast. We're really glad you chose to join us. This week I am talking to Brad Ree, who is the CTO of ioXt. Brad, welcome to the show. So Brad, you are a bit of an industry veteran; ioXt is relatively new on the scene. Why don't we just start off with you explaining what ioXt is doing? I should say that Wiliot is a member. And I don't know whether it's a good thing or a bad thing in terms of my independence, but we're certainly an interested party in what you're doing. What are you doing?


    Brad Ree 1:03

    Sure, so ioXt, we're the international standard for IoT security, and what that really means is we're really trying to address, right, the lack of standards around what is happening, especially in the consumer electronics space. And, you know, trying to address all these security, privacy, interoperability issues that are coming on up as we're trying to combine all this stuff through retail channels, ecosystems and places like that. And sort of as a backdrop of what's going on here is, you know, industry is really, there's been a couple folks that haven't made some of the best products out there. And it really has created a lot of fear and doubt in the consumers' minds. So what ioXt really was founded on was several of our international large tech companies who are like, hey, listen, we make good secure products, you know, how can we separate ourselves out of this noise? How can we help the consumer know what's going on? And at the same time, a bunch of government regulators are starting to wake up and say, listen, something has to change here. And so what we're really trying to do is balance industry-led initiatives, along with helping the regulators set the appropriate amount of regulations around this. So really, what we've done is we've taken, like I said, a whole bunch of large consumer electronics companies, we're defining our core base pledge items, it's really all around security, upgradability and transparency, and then build a certification program around that, that then all these ecosystems and retailers can use when they're putting out bids for projects and everything. And really trying to harmonize all these security requirements, so manufacturers can build one product and go into a whole bunch of markets. That's really what it's about.


    Steve Statler 3:04

    Very good. Well, thanks for that. I think you set the scene very well; you've raised a whole lot of interesting threads that we will pick at and explore. So we can talk about the problem that it's solving and who's impacted by it, how challenging it is. I think for companies like ours, we kind of look at this incredible IoT ecosystem, it's burgeoning. It's growing very rapidly. What could possibly go wrong? And clearly, security is one of those things that could really undermine people's confidence in Internet of Things. So perhaps you can start off by talking about who some of the members are of ioXt, and how long has the organization been in existence?


    Brad Ree 3:58

    We've been around, I guess it's about a year and a half, two years, somewhere in there. And the original founding members who's on the board, everything, is folks like Google and Amazon, Comcast, T-Mobile, Yan. And if you just pause at those guys, right there at the beginning, as I mentioned, right, we're looking at how do you enable these ecosystems and everything? So it's really, right, Google and Amazon run very large consumer ecosystems, T-Mobile and Comcast represent sort of the other side of this equation of managed ecosystems. And as anyone in the IoT industry, right, there's sort of this, you know, there's the do-it-yourself kind of side, there's the managed side, and some of the issues around reliability and security and, most important, anyone who has brand on the line when things go wrong. So those are the top four guys representing that, but then we also have Resideo, who of course, is the Honeywell brand, makes a large amount of products and everything, Legrand, who's a very interesting board member too, because they straddle the consumer yet the light commercial and smart building space, along with a couple of silicon vendors, NXP and Silicon Labs, and then also the Zigbee Alliance, who was one of the original founding folks in this organization.


    Steve Statler 5:23

    So I think people looking at that list, hearing about that list, have to take you seriously; you have some very heavy hitters. We said this is about IoT. IoT can mean lots of things to lots of different people. Can you give us some examples of some of the security issues that you're dealing with? And bring this kind of down to nuts and bolts of: what is it that is causing the concern? And what kind of devices are involved?


    Brad Ree 5:58

    Yeah, so actually, I'll take that question and modify it slightly for you, as always, make up your own questions, right? But now, so one of the interesting things as you look at what is IoT, right, and IoT is such a wide swath of stuff. And even in the consumer space, what's interesting is even inside of Google, there's, of course, the Google Nest team doing all the, you know, traditional home automation products. But then also, one of our board members is overseeing security for the Android platform. And so just listening inside of Google what IoT means, right? You got one side of it, talking about home security systems and cameras and everything, which of course, are very near and dear to consumers' hearts, right? Anytime you talk about a camera breach, or do they, the you're looking at a baby camera, or something like that, you know, really draws a lot of emotion from the consumer. But on the flip side, what's interesting is listening to the Android platform where you are, they've got over 3 billion devices deployed around the world, right, all the Android handsets. And some of the security issues that they face are really interesting, where, of course, you always want to make security better and everything. And typically, security adds cost. But then when you talk to the Android guys, and they talk about, well, you do realize that you know, for every dollar you add to the phone, you're going to trim so many people in third world nations that can no longer afford this digital lifeline. So it really is, it's a really fascinating mixture of security yet, you know, having people able to connect and grow economies, and then you add in the personal privacy and all of these things. So, so in our alliance meetings, as we're working on some of these standards, and everything, what we're really doing, and we're defining a set of requirements that have multiple levels.
So you know, think about a consumer light bulb may have one set of security requirements, while maybe a set top box, or heavy industry may have another set. But as you define each of these, you know, it becomes very crystal clear every time you add another layer, yes, you're making it more secure, but you're adding potentially cost somewhere, either the manufacturing, the design time where there's import time. And then you overlay the business impacts with that just make for some extremely fascinating discussions as we're just once again, just trying to make things secure for the consumer. So, you know, that's the kind of things that really we end up talking about, and it really is that a light bulb to set top box to the consumer to commercial, and how do you balance all of those needs, so that's the kind of stuff that we've been spending the last year and a half working through.


    Steve Statler 8:49

    So a lot of different kinds of devices. Again, you've raised some interesting themes there. Door Locks, I guess, is another example of an IoT device that many of us including myself, love the idea of an app that can be used to open your door, but the idea of someone who's not authorized, being able to open your door is going over is kind of a scary thing. And I was really struck by you know, some of the the issues that that have been highlighted about door locks being some of them not being necessarily as secure and, and not for the one to have technology in the bill of materials. The I think there's another cost that that actually you bought to my attention, which is okay, there's the cost of the I don't know a Secure Enclave running in the in the hardware, but there's also the cost in terms of ease of use, isn't there you can make something that's super secure, but completely unusable. You can make something that's super secure and much too expensive. But then there's kind of a balance here. Is that Is it really that stark a trade off that we're on one on one side, we have a choice of super expensive unusable, but secure and low cost easy to use and insecure? Is there a happy medium?


    Brad Ree 10:24

    No, there absolutely is a happy medium. And one of the ones that I'm actually fairly happy with is some of these combinations of like Bluetooth and Wi Fi, right? So using Bluetooth from your phone to transfer over the credentials to get these Wi Fi devices on your network. Those are way more secure way easier than you know, the old take my phone connect to this access point transfer and type in all this, I forget I'm walking away, right? So technology is absolutely coming in. And even just a lot of these best practices, and a lot of the companies have started to pave the way, you know, things like two factor authentication, you know, that's been in the news fairly often about should that be turned on? Or shouldn't it Yellin And some companies who may not have had it on, you know, now you have, you have the issues around that, where, you know, just the consumer really is used to getting the PIN code on the phone entering it. So I don't think that it is as stark as insecure or secure, you really do have somewhere in the middle. And honestly, most of this is just around, you know, the the manufacturers being aware and just, you know, basically being aware of the solutions and not in just such a race to get to market right away. Right. That's, that's really some of that effort there.


    Steve Statler 11:47

    Right. So let's look at that in more detail. Because I think a lot of people have the attitude to privacy, not privacy of security that, you know, these guys know what they're doing there. Is there really a problem here? Maybe I can just use the same password everywhere because he's got time to mess with with me. You know, is that really a problem that we need to solve? Or why not just continue with the status quo? Brad,


    Brad Ree 12:25

    You know, the interesting thing, I go back to the Mirai botnet attack that happened a couple of years ago, that really was the shot across the bow that woke up the government. And just sort of to remind you, and those who may not have seen it, right, so that was one of the first large-scale IoT botnet attacks. And what it really was, was it was basically an attack on known passwords. So, you know, the attackers went out, they actually grabbed a whole bunch of known passwords for equipment, scanned the Internet, and were actually able to use all these devices to go and shut down some rather large services, Twitter and a whole bunch of these other things. Well, the interesting part of that, how bad was it, it was actually only 20 different devices that were part of that attack. And so that's the problem, is back in the old days, these IoT devices, you know, the connected devices weren't very popular. Now, if we got scale on this kind of stuff, you know, you're talking hundreds of thousands, you know, you read about a million of these devices. So now, when you have scale, simple attacks can be greatly magnified. So it really, in one essence, it actually isn't too bad, right? We arrived with only 20 Never devices. The downside was those 20 different devices represented, you know, millions of nodes going out and attacking things. So there has to be a baseline that we secure against at least the simple, you know, password attacks, you know, a lot of them. This is where ioXt is really trying to get the core baseline, what is it that, you know, the good hygiene that we can set as these, you know, international standards that work for both Europe and North America, and then can go into these other markets to prevent the simple things. Now clearly things like, you know, people, you know, hacking your Wi-Fi, and that kind of stuff is scary and needs to be fixed. But that isn't scalable, right?
There's not too many folks hiding in your bushes outside your house, getting on your Wi-Fi, but that scalable automated attack, those are the things that actually have a lot of people concerned.


    Steve Statler 14:33

    So people are concerned about their devices being used to stage a denial of service attack, but I mean, it's also about cameras being turned on you and your privacy being invaded. It's about door locks being accessed relatively easily by third parties. I don't know how much you want to go into that. But some of the things that you demonstrated back at the last meeting just completely opened my eyes to how vulnerable we are, and actually how relatively simple some of the solutions were. So tell us, what can be done with door locks?


    Brad Ree 15:21

    Yeah, so the door lock, one that you're talking about is a pretty interesting attack. And in most of these attacks, without going into the fine, fine detail on the protocol, and everything, that door lock attack shows, so there was an attack that was put out on how to basically get the door lock to leave a network, join an attackers network and be able to send commands to open it, what the root of that door lock attack really is around is a twofold thing. It's a backward compatibility problem. And it's an ease of use problem, right? So what what was going on in that door lock was the hub allowed for devices to rejoin if it fell off the network, which as a consumer, right, you want your equipment to be resilient, you don't want to have to deal with these kinds of things, right, you change a battery, something gets lost along the way. And then also, how much of the old gear right so as a consumer, you have an expectation that when I buy this door, lock this camera, that when they upgrade my Wi Fi router, I don't all of a sudden lose connectivity to all these things. So that is exactly that struggle that you're talking about as as a hub manufacturer, you gotta you know, most of the time, these guys are really about how many devices are in my ecosystem? How wide is this? Right? The more you narrow it, the less competitive you look to the consumer. But on the flip side, some of that old stuff you may not actually want in your ecosystem. So yeah, that door lock has just as you talked about, it wraps it all together. Backward compatibility, at what point do you turn off devices that are no longer secure? Right, and I hear that discussion being talked about quite a bit in the different regulations of if a software company is no longer supporting the security, is that device now a risk to the overall ecosystem? Right? What do you do with that, but you know, consumers, when they buy a car, they expect to be able to drive that car to the wheels fall off now? 
Hey, my manufacturer stop issuing software patches, I guess I better put that out to the field. So it really is sort of fascinating that the challenges there. And so yeah, it's about usability, it's about longevity. The other thing that you've brought up multiple times, is privacy and security. So that's another really interesting thing as a as I mentioned, right? If we're working on defining international standards, what we're really you know, I'm based here in the United States, but we're doing a whole lot with folks over in Europe. And it's interesting to see the differences in Europeans view of data privacy and Americans view who should own data privacy is that, you know, America tend to be a little bit more on the industry friendly. And in Europe, it's a little bit more on the consumer friendly, but as a device manufacturer, and you're building products to go around the world, how do you navigate these, you know, potentially conflicting security and privacy requirements? So yeah, it's leads to a lot more questions and straight up answers on everything.


    Steve Statler 18:32

    Yeah. But we, I mean, the demonstration that I saw you give was, in the space of a few seconds, someone running a script, able to open a door lock on someone's door, gain access, then leave, close the lock, and then execute that in a way that it wouldn't even show up on the audit trail of what had happened with a lock. And that's not to say that this is a vulnerability that every door lock has, but this was a fairly well known mainstream door lock. And it was because of essentially compromises made to ensure ease of configurability and not having to reassociate locks when things change. So I feel like I've wallowed for long enough in the problem. Let's talk a bit about what the solution may be. What's the approach that ioXt is taking to help to fix some of these issues? Oh, absolutely.


    Brad Ree 19:45

    And that's where, you know, we got our eight different security principles, but I really wrap it into the three, which is security, upgradability and transparency. The transparency is sort of two faceted there: transparency is about telling consumers what it is they're getting, how long it's going to be supported, and also providing a means for researchers to report issues. That circles right back into, of course, the upgradability and security. So you're right, that door lock, what was actually rather interesting was it was a combination of problems, it was the hub and the door lock, the hub had security, have always afraid it was security disabled. So one of our pledge items is security by default, right. So you should never, if you have a product that has security as off, leave it on, let the consumer make the decision, inform them what they're getting, and everything. Beyond that, you know, there shouldn't be techniques that when vulnerabilities are found companies should listen, provide reasonable updates and reasonably timed updates that can then be deployed, and then you sort of cycle through again, because it really is unreasonable to think that a product shipped will be totally secure for the next 20 plus years, right? So you need to make sure that you have techniques to actually upgrade that and everything. So what the ioXt Alliance is really based on: build that core foundation defined based on the best learnings from the Googles, the Amazons, right, these guys, Comcast, who deploy large, large scale, take that, help educate the rest of the folks in the ecosystem what security should look like. And then like I say, the counterbalance to all this is, you know, government regulators are now starting to really pay attention here, help guide them to creating the right regulations.
And what I mean to that, part of the other interesting challenge right now is you got, especially in the United States, you have many, many different states. California started out with one law saying no fixed password. The challenge is the next state said, hey, that's a great idea, but we're going to add this; the next state added another thing. So you even got now Virginia with one potential version of that bill that defines what the equation for the password, how many MCs characters and everything, right? I ask you, if you got 50 different, you know, laws out there saying what passwords would look like, how can you ever make a device that can abide by all those? So that's sort of where ioXt is trying to, one, help the manufacturers, but two, sort of help the regulators understand how important it is for IoT to be able to scale across global market. So those are the two things that we're really trying to work through and solve.


    Steve Statler 22:45

    Yeah, it seems like a win-win to do that. And this definitely makes sense for any vendor that wants to be a long term player to align with this. And you touched on it already, but there was this pledge and you distilled it down to three things. But where are you with this? It seems like a pledge is a good way to start people. It's a statement of good faith, a statement of intent; people join ioXt, and they make a pledge. Is that it? Or did you see it evolving from a statement of good faith and intent to something more?


    Brad Ree 23:31

    No, you absolutely hit on it. And actually, you hit on the original premise of that. So it's a, one of these large companies got together as, hey, let's go make a pledge. Let's go tell consumers that we make great products. The interesting challenge with a pledge is where's the teeth? Where can you prove this? How do you scale this and everything else? So yeah, we're absolutely working on right now as we're looking at launching in Q1 of this year 20. So right now, we're going to be launching a third party set of test labs that will actually test against this pledge. So the core concept really is, anyone who wants to purchase a product to go through their channel, white label thing, you know, they have Comcast is looking for a camera. What Comcast can do is they can say we're looking for cameras that meet the ioXt security pledge level two; from that the manufacturers can build to that. But most important to this is third party test labs can actually test and verify that the devices meet this. So that's really how we're converting the pledge to actually putting your rubber to the road with testable third party verification of the stuff. The other really interesting piece that we're doing is, as part of our pledge, we require a vulnerability disclosure program, right? So researchers have to have a way to say, hey, we found this problem, you should really go address this. The sort of the top of a vulnerability disclosure program is, well, you really want to motivate these researchers to tell you about stuff. So typically, there's bug bounties and stuff like that. What we've actually done with our compliance program is we're actually offering one technique, of course, is third party verification of products from normal test labs. So a very traditional approach. The challenge is, how do you scale to tens of thousands of different SKUs and need to get certified. So what we're actually doing is we're doing a bonded manufacturer certification.
So what that really is that allows companies who can say, Listen, I do these things, I stand behind my product. But unlike other self attestation programs, where all it takes is one bad apple, and all of a sudden, the whole program gets called into question. Here, what we're doing is we're doing a bonded bug bounty style approach where a company can say, I attest that I do this. And by the way, here's a reward to any researcher who can prove that I haven't done this. So it's really taken a lot of those same security principles of listening to the community and applying it to our certification programs. So that's one way that we're really seeing once again, how do you get out of just third party testing where large companies traditionally they already do this kind of, you know, pen test and everything else? How do you scale it to the connected dog dish, right? How do you get the rest of the community to come along, and at least raise their level? Right? So those are the two approaches that we're really doing, which are very, very far from the very initial, hey, let's all make a press release and say, we're good guys. So now this is, we're good guys. We're testing to this. And by the way, we're being held accountable, because we're motivating researchers to prove our statements are valid or not. So. So that's the journey we've done over the last couple years.


    Steve Statler 27:01

    And there was one nuance that you touched on, I just want to drill into this level concept, the idea of having different levels. Because obviously, the intelligence and the vulnerabilities you're going to have in a light bulb are probably going to be different to a set top box, which is got huge amount of processing power and flexible connectivity. And what what's the approach with these levels? Yeah, so


    Brad Ree 27:27

    what we did at the very beginning, and it was sort of interesting, in our very first meeting, I set aside 30 minutes and talk about levels. After two hours, I finally had to stop and like, you know, trying to distill security to one number just didn't work. So what we ended up doing though, is we said each of our eight principles, so like one of them, no fixed password, or another one, which no fixed password is actually codename for, you know, no fixed credentials, that rolls all the way into certificates and everything else at the top of


    Steve Statler 27:58

    the level. And then just to be clear, the fixed password might be the login is admin, and the password is admin.


    Brad Ree 28:06

    Exactly. So be at our base, you can't do admin admin, that's bottom right. But then as you move on up through the different levels, ultimately, you're using things like certificates with revocation and these kinds of things. You can see each one of these levels does add cost and complexity. And maybe for your market that might be something that you need. Another interesting thing is take the vulnerability disclosure program. So in our level for this is the very bottom you have an email [email protected] That's the bottom you're listening, listening to researchers, as you go on up here informing impacted parties, alright, if you're selling into an ecosystem, or a managed on carrier, you'll tell them at the very, very top of this would be bug bounties. Well, now if you think about what a carrier might want, they probably want the highest for no fixed password, but because it's maybe a white labeled product with their brand, they're already running their own vulnerability disclosure, so they can have a lower level. But if it's a white goods for consumer, then maybe no fixed password might be a hair lower, but you need to listen to your consumers. So what we did is we took all eight of those principles, and then we came up with a scoring of one to one to four for each of these. And then that way, once again, the first customer this is the guys who are running the channel, the product managers and things like that. So, you know, set aside the consumer for a second our top line goal was think about the retailer that wants to go get a branded, connected thermostat, we contend that we can teach these guys what eight numbers mean for their channel, and they can put out a quote for that. Now for the consumer. So pulling it back to what is the end goal. What does security look like for the consumer So what we do is we create these certifications. 
So based on that channel requirement, think consumer light bulb versus medical equipment, they would have different levels, that ultimately, you can only certify an X-ray machine under the medical and consumer light bulb under the consumer light bulb. If you meet those requirements for that market, you get the stamp. So the consumer always can see the stamp. And what the stamp means is, it's secure for my use, right? The light bulb's secure, my X-ray is secure. We clearly know that the X-ray and the light bulb would have different security levels because they're being used for different things. So that's sort of a long journey through the eight. We have levels for each of these, we don't just have a bronze, silver, gold; what we have is we have an ioXt certification. So light bulbs will get a certification, they may have a different level, but to the consumer, it's always one stamp. We tried to distill the complexities. Took some time to get through all that.


    Steve Statler 31:07

    Yeah, no, this is I think it's a great work that you're doing, it's to everyone's benefit for these things to improve. If IoT is really going to spread. People have to trust it. They can't be afraid of the technology that they're starting to bring into their homes and, and businesses. So Brad, anything else that we should wrap up with? Well, maybe just web? Where do people go to learn more about this?


    Brad Ree 31:36

    Yeah, so absolutely. ioxtalliance.org is where our website is, that you can come join. What we have is, we have multiple levels of membership; the easiest one is just to join as a public member. The public member, you can attend our monthly conference calls along with our conferences that we have. The interesting reason that I highly recommend joining in some of those calls: what we typically do is we balance between industry and the regulators. So very often in these meetings, what we do is we'll bring in some of the regulators from, you know, in the US, we've got NIST and NTIA, in the EU, we've got some of the work coming out of the UK Government. And we bring those folks in to really talk about what it is that they're concerned about. And then we create sort of this open forum for people just got, you know, the concerns about what certain regulations would mean to industry and everything. So you always say I keep putting the regulations out there, because that is one of the more interesting areas that could greatly impact us. On the flip side, the real important thing is for the companies that are getting into some of this connected space, getting into some of these workgroups and hearing the concerns, as I said, you know, when the Android phone guy starts talking about 3 billion devices, that's a different scale than some of us have had to solve. And it's interesting to hear the journey that they've gone through, some of the problems that they had to solve along the way. So absolutely. Come join us and join in the conversation.


    Steve Statler 33:14

    Wonderful. Brad Ree, CTO of ioXt. Thanks so much for your time. All right, thank


    Brad Ree 33:20

    you


    Steve Statler 33:27

    So were you able to think of three songs that you would take on a trip to Mars?


    Brad Ree 33:31

    I did. That was sort of an interesting when you have to nail it down to okay, what three songs, what three songs are meaningful and all that. So? Absolutely, I did. So. Yeah, the three songs that really come to me are "Going to Memphis" by Johnny Cash.


    Steve Statler 33:52

    Why did you choose that one?


    Brad Ree 33:54

    Yeah, so that was sort of interesting. I honestly, it was I got into Johnny Cash back in the Napster days when you can sort of try a lot of different music and my firstborn was just a baby. And surprisingly, there's sort of a chain gang part of that song. And for whatever reason, he would be in the middle of crying and as soon as they start doing the chain gang and the Johnny Cash voice comes on, my son would just stop crying. So we would take long, long trips when I lived in Atlanta going up to Michigan, eight hour trips, having to listen to "Going to Memphis" on repeat over and over and over until my son would fall asleep. We got a couple minutes of any other music he wake up and we'd have to put it right back on and so that sort of is going into a special warm smile whenever I hear that I think and how he would fall asleep to it.


    Steve Statler 34:47

    And that was the only song that's


    Brad Ree 34:51

    what it was. Yeah, so it actually was sort of bad because it was we bought a box and it was "Love, God, Murder" the "Going to Memphis" was on or Why'd we had to stop listening to uh when my son got old enough and the very next one was like "Cocaine Blues" my son goes down what's cocaine? Some kids music


    Steve Statler 35:14

    class and all that stuff is probably not quite such good listening but let's challenging questions. Okay, Johnny Cash number one. Number two?


    Brad Ree 35:23

    So number two is "Beth" by Kiss. So you know that song is always sort of an interesting thing of radio, the artist who's, you know, so engaged in what he's doing creating things yet still trying to struggle, you know, the work life balance and so crazy that there's an actual song that really captures that whole work life of anyone who's engaged in what they're doing. Right? You're in the middle of creating something new and you know, though, it's your work, but it's your baby that you're trying to get launch and all this kind of stuff and yet, on the flip side, right, there's a struggle of wanting to go home and spend time with the family and I just sort of find it amazing that someone like Kiss can actually sing about such a deep meaningful thing that we struggle with so often, right?


    Steve Statler 36:08

    Yeah, I think it's almost universal in this business, isn't it? It's not a nine to five job and yet, you have to stay sane. And I don't know about you, but I've found that a lot of my college mates have just burned out the slide, about 50% of us are just out of work and because it's just tough to keep up the pace and so that work life balance is tricky. It's tricky.


    Brad Ree 36:38

    Which leads me to my third song is "Tonight We Ride" from Tom Russell. So it's basically sort of a cowboy-ish kind of song and everything but I lived in Austin for a couple years and got a motorcycle there and just I would start playing that song and then my wife makes fun of me because in my mind, I'm this cowboy, I'm going out riding my motorcycle and there's a freedom of it, it's sort of, you know, leaving in and going out on the range and she says I'm foolish and everything for it but so that's my made up song. I put on the music, hop on the motorcycle and for at least a short while I get to be a cowboy.


    Steve Statler 37:18

    Really excellent. Three great choices, three great stories or ideas behind them. Thanks. Thanks very much, Brad.

    Transcribed by https://otter.ai