The Hidden Cybersecurity Risks in Our Personal Devices, with Joseph Yap
In this episode, we dive into the world of home automation and the hidden security risks that come with it. Join us as Joseph Yap, a cybersecurity expert, shares his journey from a personal interest in smart homes to uncovering alarming vulnerabilities in everyday devices. Discover how convenience often comes at the cost of security, and learn practical steps to protect your home network from potential threats. Tune in to understand why your smart fridge might be more than just a kitchen appliance and how to safeguard your digital front door.
The discussion covers the importance of maintaining good cyber hygiene, and the differences between corporate and personal cybersecurity practices. Joseph also highlights the need for a structured approach to cybersecurity, advocating for regular audits and updates to ensure the safety of home networks.
- Cybersecurity is integral to everything we do.
- Home automation can introduce significant vulnerabilities.
- Singapore is a major source of DDoS attacks due to compromised devices.
- Many households are unknowingly compromised.
- Establishing an asset register is crucial for security.
- Devices have a shelf life and can become insecure over time.
- Implementing multiple layers of security is essential.
- Regular maintenance of devices is necessary for security.
- Cybersecurity practices should be scalable for home users.
- Taking ownership of personal cybersecurity is vital.
Sound bites
"Someone's hiding in your house."
"Things do expire."
"Be the path of greater resistance."
Chapters
01:30 The Ubiquity of Cybersecurity
04:37 Personal Journey into Cybersecurity
07:19 Understanding Cyber Threats and Vulnerabilities
10:33 The Importance of Home Network Security
13:26 Corporate vs. Personal Cybersecurity Practices
16:32 Establishing Good Cyber Hygiene
19:24 The Role of Technology in Cybersecurity
22:19 Creating a Cybersecurity Workflow
25:18 Scaling Cybersecurity Solutions for Homes
28:35 The Future of Cybersecurity
Joseph Yap (00:00)
Singapore was recently highlighted by Cloudflare. Being such a small country, Singapore is now notorious for being the second largest source of DDoS attacks, so denial of service attacks. When you think about the scale of Singapore in the country and the interconnectivity, being second in the world as the source for attacks is kind of astounding.
Jon Scheele (00:22)
So this is not actually people in Singapore actively trying to attack anyone, it's their devices being hijacked by others and being used in these distributed denial of service attacks.
Joseph Yap (00:37)
Yeah, so Cloudflare basically posted those statistics and Singapore has been climbing up and up there and the problem is not going away. But basically you're absolutely right. What that means is these households have been compromised in one form or another without their knowledge or understanding and hopefully not their active involvement. But effectively this means that someone's hiding in your house because they're using your network to attack someone else. That's the stuff that we can tell, because we've got records of what Cloudflare is picking up. There's a whole bunch of stuff that we can't actually see that's happening under the surface as well. The cybersecurity agencies have actually picked up where hackers are using multiple countries to obscure the traffic of where they're coming from. So it's almost like laundering your signal of where you're attacking from and where you're attacking to.
Jon Scheele (01:28)
Software is in everything we do, so cybersecurity is in everything we do. Now, companies have been grappling with this for quite some time, but we should all be thinking about our own cybersecurity. So I'm really pleased to be able to talk with Joseph Yap.
Joseph runs a boutique cyber security firm. Joseph, why don't you describe how you got into this game and what you really want to achieve with that. Sure.
Joseph Yap (01:56)
Thanks for the intro, Jon. My background in cyber security is a little bit unorthodox. My background really comes from a history of operations in supply chain. So I've done things like the lean methodology at work. I've worked with big data in corporate systems. I am probably one of the few people that is really comfortable with data as well as in a warehouse or logistics and supply chain. Because for me, they're both complementary. So being able to work with large pieces of information and use them to gather insights that then drive action was kind of the thing that I do. And from an operations point of view, physical items and material is just built into everything. We don't live in islands. We work around with supply chains and COVID was probably a really good example of kind of how things came together. Prior to COVID, there was a lot of stability and supply chain got kind of boring. Some people thought the supply chain was kind of boring, but with COVID, when you had a shortage of toilet paper, when you had crazy demand fluctuations, all of a sudden, data and resiliency came back into place.
That's my background from a corporate point of view, but personally I kind of got involved in cyber security when I had a personal interest in home automation and smart homes. So I set up my house to be kind of working around my lifestyle and convenience. Key example being I built a server around my, for my garage door to be able to inform me, and this was way over 10 years ago, to email me if the garage door was left open. Long story behind that, basically I started tinkering around with home automation and had very little exposure or experience or understanding of cyber security at that point in time. So I got to a point where I started thinking actually I'm really conscious of my home security but what do I actually do about my own cyber security? So I ended up doing a lot of deep diving, going down rabbit holes and doing a lot of research and I think it struck me that we've been conditioned for giving up security and privacy for convenience. And what that means is it's so easy to onboard or add a new item into your home network. It's so easy to plug in something, set up the wifi because, look at this, my fridge can connect to the wifi. Oh, my washing machine can connect to the wifi.
We kind of forget why, what's the benefit for doing that? Because really, when you're connecting something to your home network, it's a digital equivalent of letting someone into your house.
So it's very different when you're physically looking at your home security compared to, for some reason, we treat it differently for cybersecurity. Whereas if you had someone that lived in your house all the time and stood there watching you, you'd have a very different reaction to plugging in your smart TV or your robot vacuum cleaner.
But it's kind of the same thing when you think about it. So I got into this when I realized that actually one of the key moments was my robot vacuum. I looked up my robot vacuum and how to integrate it into my home network. And then I looked at what the robot vacuum was doing. And I got a bit concerned about why it was scanning all my neighbor's Wi-Fi points and sending it up to this home server. I was thinking, why would you need to be able to do that? So I started exploring into different parts of the home network and automation.
And I got a bit deeper when I basically worked with ethical hackers, penetration testers, to try and understand how someone would be breaking into my home network. It sort of spiraled from there and I started looking around and there's a lot of information out there around how people are actually getting attacked and hacked, but have no clue that this is actually happening. Case in point, in Singapore, Singapore was recently highlighted by Cloudflare, who are basically the cybersecurity police for traffic around the world. Being such a small country, Singapore is now notorious for being the second largest source of DDoS attacks, so denial of service attacks. When you think about the scale of Singapore in the country and the interconnectivity, being second in the world as the source for attacks is kind of astounding.
Jon Scheele (05:59)
So this is not actually people in Singapore actively trying to attack anyone, it's their devices being hijacked by others and being used in these distributed denial of service attacks.
Joseph Yap (06:14)
Yeah, so Cloudflare basically posted those statistics and Singapore has been climbing up and up there and the problem is not going away. But basically you're absolutely right. What that means is these households have been compromised in one form or another without their knowledge or understanding and hopefully not their active involvement. But effectively this means that, back to my original example, someone's hiding in your house because they're using your network to attack someone else. That's the stuff that we can tell, because we've got records of what Cloudflare is picking up. There's a whole bunch of stuff that we can't actually see that's happening under the surface as well. The cybersecurity agencies have actually picked up where hackers are using multiple countries to obscure the traffic of where they're coming from. So it's almost like laundering your signal of where you're attacking from and where you're attacking to.
Jon Scheele (07:06)
This is a tactic that's often used by money launderers to layer. That is, move money from one place to another to another to obscure things. And what you're saying is, well, people who are hacking, they want to hide where they are. So they get into one machine which then gets into another machine somewhere else and another machine. So to detect, to follow the trail, you have to follow...
Joseph Yap (07:27)
Exactly.
Jon Scheele (07:31)
where these people have come from across lots of different servers around the world.
Joseph Yap (07:37)
And what I, my hypothesis is in Asia especially, where there's a high concentration of Wi-Fi, there's another path to follow which isn't just necessarily from network to a network IP address, it's from a Wi-Fi point to a Wi-Fi point, and I'm getting more evidence that this hypothesis is actually being actively exploited or used. Late last year there was something one of the researchers called the nearest neighbor attack and basically what that means is rather than attacking the target outright, what the hackers are doing is they're attacking the next door neighbor and using the Wi-Fi as an entry point to then attack their target 24/7, because who turns off their Wi-Fi? In the local context, I do scans for people in the houses and I'm finding on average in a 24-hour period, I'm getting at any point in time, at any location, over 800 different devices within range of Wi-Fi. So if you think about how interconnected we are from a network point of view in terms of IP addresses and through the wires, we are also doubly interconnected through the proximity and no one's really even looked at that.
Singaporean researchers recently did, and I saw this at Black Hat which is really interesting, they did a study around how they could actually access people's car cameras in the car and they found that I think it was one in five were easily accessible through when you stop to a drive-through, so from the time you place your order to the time that you pick up your food, they've gone into your dash cam, that's what they call, they've downloaded the audio and the video, and they've also then transcribed it and put it up using AI tools to actually give them a brief of what you've been saying in your own car and where you've been going when you're driving around. So that's another example of the level of exposure that we've kind of got used to, but not without realizing it.
Jon Scheele (09:33)
Extrapolating that for a moment, and you gave the example of dash cams, maybe perhaps one in five are insecure and can be... or if you extrapolate that out to most devices, all right, if you have 800 devices in your neighborhood, then the chances are, even if only one or two of them are insecure, yeah, that it's a possibility
Joseph Yap (09:52)
in proximity.
Jon Scheele (10:03)
for somebody to be using that.
Joseph Yap (10:06)
Exactly.
So if you think about going back to the Cloudflare statistic, what they had was just evidence around devices that have really been known to be compromised. There's a lot more that don't want to poke their head up because then if they get found out, then they lose that point of access. The ABC in Australia, late last year, they did a story that I saw in other press, but I thought the ABC's version was pretty good.
They found a top-of-the-line robot vacuum, I'm not going to name the brand, but basically there was a vulnerability found in this vacuum, robot vacuum, that allowed anyone within, and I think they did the experiment whereby the robot vacuum was on the third floor of an apartment building, the journalist was on the ground floor and was remotely talking to a security researcher in Europe who was accessing and controlling the robot vacuum cleaner on the third floor.
So this is someone in a far, far away place that was connecting to a physical robot vacuum remotely through a known vulnerability that had been exposed. Now the reason I bring that up is because after the report and after the vulnerability was published, the manufacturer hadn't yet fixed the vulnerability, but this was a widely known fact. And what was then happening around the world was these models of the robot vacuum were getting hacked.
And this allowed people who understood basically how to follow the instructions that were given to them, how to access remotely all these vacuum cleaners around the world. So kids were doing it. Kids were getting their hands on into these robot vacuum cleaners and they were yelling at their owners. So the robot vacuum would go chase the owner and make some nasty remarks or whatever. But the insidious ones were actually the ones that weren't expressing themselves so they could see everything that was happening, they could control the robot vacuum cleaner, but they wouldn't say a thing because that would then potentially put someone on alert and limit their own access. So going back to the analogy around the Wi-Fi points and connectivity, my view is that it won't be, if no one's doing it yet, it won't be long before we hit a point where you are actually under attack or compromised without knowing about it. And for me, that's a scary thing.
Jon Scheele (12:13)
The Cloudflare report, I guess, is based on examining a distributed denial of service attack. So when something big happens, then they start to trace and see, all this activity came from these different devices in Singapore. But as you say, some of these hackers are trying to stay under the radar at the moment. They're not doing something big. They're just quietly sifting away at information that they've been able to glean.
Joseph Yap (12:40)
And the statistics for the Cloudflare report were roughly about 2 in 1,000 of the attacks came from Singapore. Sorry, there were 2,500 IP addresses that were attacked from Singapore. When I extrapolated that to the Singapore population of how many units there are, that's roughly a 2%, 0.2% mark. And when I go back to that scan I just talked about, if I'm getting about 1,000 Wi-Fi points in one 24-hour period, there's at least two of them that would have had something in there that's already been compromised. So in my perspective, I guess there are really two things. One, internet is everywhere. There's so many things that are connected now that arguably shouldn't be, but we already passed that point. The Pandora's box has been opened. We have everything as much as possible connected on the internet. The problem as well is that with the vulnerabilities that have now come up and are increasing, manufacturers aren't keeping up with trying to keep up with all these things because they're trying to sell you the next new internet connected smart home. They don't want to go back and fix the thing that they had for 10 years ago. So what we're in a position now is we have more and more devices getting out there. We have more and more vulnerabilities because people are finding new ways to break stuff and to break into things. And what we're finding is unfortunately the authorities aren't able to keep up. So the good guys are finding that they're overwhelmed with the amount of things to have to fix or look after. And basically, as end consumers, that's the position I started in, you're kind of left on your own devices to protect yourself.
Jon Scheele (14:06)
Yeah, corporates have had to face this problem. You can argue about how well they're keeping up, but they have devoted a lot of resources to their own technology stack and the devices in there. But when they allocate a team, can you take us through what they would do and then apply that to what we can do ourselves?
Joseph Yap (14:37)
Absolutely, and that's kind of honestly where I started as well because I worked very closely with corporate IT. I've never actually, I've sat with corporate IT teams but I've never actually had a title that's been in the corporate IT team. But basically the process is firstly, and it's very similar to how when you, from the operations and supply chain point of view, when I first enter a facility, the first thing you need to do is understand what do you actually have? What are your assets? So from any respectable hardware manager, the first thing they need to do is do an audit.
So look around your pool of devices, look at all your servers, look at all your laptops, look at all the devices that you have and you are responsible for and take stock. Unfortunately, in this 24-7 news cycle, what do you want to call it, social media, we don't do that. At home, we don't do that at work. We don't.
Jon Scheele (15:23)
create our own asset register.
Joseph Yap (15:25)
Yes, exactly. It's really hard to... and COVID kind of even called it out when everyone started taking stuff to do work remotely and you couldn't blame it because you just had to get the work done through a wrench in the machinery. But basically, the starting point is understand what you have to work with. And borrowing from a Lean methodology, while you're doing that, the first thing that makes sense is to tidy it up, cull stuff that you don't actually need.
There's something in Lean called the 5S methodology and it doesn't translate well to English that well but the first, basically what you need to do is sort out the stuff that you have by getting rid of the things that you don't need. So for example, maybe 10 years ago you bought a media player that you sort of got obsolete because your smart TV now does the same thing. But hey, it's already been there, you didn't really think about it when you plugged the TV in, the media player is still there and connected.
There have been a lot of media players that have been compromised. So the first thing is really from a corporate perspective, take stock of your assets. And I'd say exactly the same thing at home. So the second thing then, once you actually tidy up what you have, is to then start getting into some small good habits of keeping up to date, so maintaining it. So in the 5S methodology, one of them is called Shine, which is really more of a hygiene thing. So in a similar way, when you look at your devices, are your passwords hard enough for someone to try and access? Is the firmware up to date? In some cases, what you find is manufacturers have an end of life. This is a concept that I think as a consumer born in the 70s, it's hard for you to think about something that the manufacturer goes, "Sorry, you're on your own because, well, yes, it might be a really expensive branded thing that you bought 10 years ago, but there is a shelf life on them." So no matter what brand it is, no matter what high technology features that they put in the first instance, they expire after a while. I mean, quite frankly, you can't expect Microsoft to support Windows 3.1 now when they've got 11 and they're already looking at phasing it out.
Jon Scheele (17:27)
And there are a lot of elevators and other commercial devices, ATMs, that are operating on Windows XP or something.
Joseph Yap (17:31)
Operational team.
And cobble.
Like from a, you know, they're having to get some old retired programmers out of the dust of the cobwebs to try and get them to fix some of the operational technology. So, in terms of what we parallels between the work and the home environment, it's really to keep things up to date and be aware that things do expire. One of the scary examples that I had, that we saw last year was basically D-Link who at one point, you know, TP-Link where they were generating massive amounts of devices of all sorts of different variety for the end consumer. Basically, someone found the vulnerability in their modems. And these were, some of these were quite high end as well at that point in time when they were made. They were deemed to be high security. They were deemed to be the fancy new protocols, like, you know, top of the range. Unfortunately, they do come to an end of life.
And what a security researcher found was that they're not secure. So when you think about your modem router, it's your front door to your house from an internet perspective. And for that to be something that can be vulnerable, it's almost like having a... your front door from a metal gate basically became a curtain that someone could walk through. I'm pretty sure the time range is right, but two weeks after they announced it, people did scans, because you can do that across the whole internet. It's kind of a crazy thought. And they found that there were 66,000 of these devices still active in the wild. So what that means is 66,000 locations could be very easily accessible, compromised through now publicly available information. What this tells me is that the hygiene part of keeping your information, your assets, your access up to date hasn't been done in that situation.
Jon Scheele (19:21)
is actually often used in manufacturing. So when you finish a job, clean up your workspace, make sure you have all your tools to hand so you can do the work but then sweep the floor, tidy the machine, and things like that. So when we're using our devices and we've finished with it, we should pack it up and actually think about, well, okay, have we updated everything that we needed to
Joseph Yap (19:46)
Yeah, and a lot of it's really small habits and, I guess, one of the ideas that I like to use in this case is be the path of greater resistance. If you think about... Exactly, so if it... and the cyber security term for this is defense in depth. So basically don't just have one layer of protection, have multiple layers. So getting good strong passwords, getting multi-factor authentication
Jon Scheele (19:59)
be the softest target.
Joseph Yap (20:13)
You can go for the network sanitation, IP whitelisting. There's a whole bunch of things you could do, but there's a balance to be struck between what you have to lose, what you have to protect, versus how much effort you go into protecting it. You don't want to build your house into Fort Knox if you have to spend 15 minutes getting out of the house just to go downstairs to get some milk.
Jon Scheele (20:31)
There is always a concern with security about balancing security with usability or user experience. In the manufacturing environment, the quality movement, were actually trying to tell people quality actually helps you be more efficient too. We need to consider how we can make them secure while they're also usable.
Joseph Yap (20:59)
Yeah, and exactly. So there are new standards that are now being set up for Internet of Things. It's gonna take some time to catch up because basically it's so pervasive and so easy to build something and put it on the Internet now. I mean the chips are like the cost sense. So when you think about the cost of a smart home automation now... You know, in the older days, like let's call it ten years ago, it cost a fortune to be able to make your lights turn on by voice control. Now it's less than 50 bucks maybe, if that at all. It's gonna take time to try and, again, Pandora's box is open, it's gonna take time to try and come up with a new set of standards, with a new set of agreed protocols, and then roll it out to the rest of the world. But in the meantime, what we're seeing now is the amount of vulnerabilities that we're finding is growing exponentially, the amount of devices that we're seeing is growing exponentially. So if you drew a two by two matrix, the axis of impact and probability is going further and further out. Again, if I use the same example that I drew a curve, it was a lot smaller 10 years ago. It was a lot less attention on it and less visibility of it. But now both axes are growing. But also more people are able to access the information. And what that means is, like I said back to the robot vacuum example, little kids can... and I say little kids. Kids can basically go on the internet and go, ah, I know my neighbor's got this device. Is there anything that I can do to mess around with them? Is there a known vulnerability that I can use? I know what their Wi-Fi password is. Or it's so weak that I can crack into it fairly easily.
Jon Scheele (22:39)
Just as corporates have multiple generations of technology in their tech stack, I guess we've developed that ourselves. We look around our houses and then we find, I'm not sure I have a D-Link device anymore, but I certainly have some old DVD players and some newer devices.
What's been your own journey in how you've examined this? Because you started by scanning your own network. You found out that your vacuum cleaner was doing something funny. What's been your journey to securing your own place and then thinking about how you can apply that more broadly?
Joseph Yap (23:19)
Yeah, so I think I initially was, I was shocked to be honest. I was shocked because I started with expecting if I paid 300 bucks for this device from a decent brand, it was going to be fine. It would be all taken care of. It's like if I, I guess it's almost a fallacy that you had from a consumer point of view that you're being looked after, realities to a degree, right? There's a mind shift change that has to happen.
So when I first found out that my home network wasn't as secure as I expected it to be, it was a bit of a shock. It was a bit of, wait, why? How did I get into this situation? And how did I end up here? I then ended up creating a workflow for understanding how to do the same exercise for myself, improve my own habits moving forward by automating some of this stuff and record keeping.
I created then the workflow to then start doing it for other people. So basically, while in the process of fixing up for myself, I then worked out how to do it for other people and other people and replicate it and scale it up. So the first time I remember going through the exercise, I had two massive IKEA bags of gear going to a friend's house, plugging everything in, trying to go looking around. I was really encouraged when I found out. And this is kind of sad to say, but... their Wi-Fi password was pretty terrible. It took about three seconds to crack. They had a smart TV that was kind of old and could run remote code execution, which from a vulnerability point of view is just up there. And they had an irrigation controller, because they live in a fairly massive plot of land, that had an open permanent back door to the internet. At the point in time when they had set all these things up, each of these things were either secure or made sense to be insecure because irrigation control is pretty old. The manufacturer wanted to make it easy for them to go in and fix stuff if they had to. The smart TV was at the point in time top of the line. It could run streaming services when no other TVs could. But again, with time, these things lapse. The security lapses. The rationale for having it this way changes and loses relevance.
Jon Scheele (25:29)
that I'm considered important. Yes. Become important. Exactly.
Joseph Yap (25:34)
Because they're a gaping hole in your home network. When kind of the penny dropped for me and it occurred to me that, hang on, I need to be doing this on a more regular basis. I've never done it before. I've then gone from, wait, do I even need to do this? To, I need to do this too. Actually, I don't just need to do this once. I need to do this on a semi-regular basis, which is really where the 5S part comes in as well. So it's not just about keeping it up to date the one time and then going set and forget, I'm fine now. It's about having that rhythm and the habits. So my advice is typically don't try and get to a perfect state, just start moving. Basically, right, even if you... I use Obsidian for my notes, that's kind of where I started with recording what do I have, what's the last time I updated it, and then setting a reminder for myself to have a look every six months. I've upgraded that now to... I've got a much more robust system of keeping records because now I do that for other people as well. But basically, the rhythm and the hygiene is critical to keeping it clean. So again, it's very similar to the whole 5S methodology. But so my journey basically started from, do I really need to do this? To, oh my god, I have to pay attention to this. To, oh, I can actually help other people and help them... help more people pay attention to it by scaling up my process as well. So now I'm at a point where I can actually run scans for multiple people at the same time, capture all the data at the same time. But what I'm also then trying to do, go further with it is what I call offline monitoring.
Jon Scheele (27:04)
So you touched on how you started cleaning up your own act and then helping other people. You also mentioned using Lean which I guess you really decided you came up with a minimum viable product. It was in a big box. Can you tell us about the process of how you're refining that so that you can make it more repeatable?
Joseph Yap (27:26)
Yeah,
I think that's the key advice that I got from a ⁓ friend of mine when I suggested that I go into his house and have a look at his home network. He's a long time friend of mine and basically said no, because he wants me to think about how to make it replicable. So I did start with not just one backpack, I started with two massive IKEA bags. Not the small ones, the really large ones full of stuff. I had a massive monitor because I
That was what I had at home, so I had to use that as my starting point. Over every iteration of going to someone's house and understanding how best to replicate that process, I basically condensed the process into now a case with a device that fits into a backpack. And what I've done is I've set it up to be able to be sent via the post to basically anyone.
One of my highlights was, because I was based in Melbourne, sending it to Sydney and scanning someone's house because she said that her TV was acting really strange and looked like someone had control of it and she was really concerned. But basically, I got to a point where rather than if I was going to try and help more people all at once, I needed a process that was going to be easier, less intrusive, almost allowing someone to act on their own time.
And basically that's what I've set up now. So I've got a small device that you receive in the mail, you plug it in, you scan the QR code, and you go around taking photos of your own network asset, which then gets uploaded to my server. And what that does is the scan happens automatically. So again, it used to run, I used to have to do it manually and try and do all sorts of coding in Linux, but now the scan runs automatically. It generates an asset register.
It runs a deep scan of basically the vulnerabilities that may be available or accessible within your home network. What the user then has to do is basically take photos of the network devices. I've also provided some ways to obscure any sensitive information because I don't want responsibility of sensitive data either. And what that means is it's a fairly easy process that takes about two days from the time you receive it to the time you pack it up and ship it back.
And what that gives us is a view into your network, into your network assets, and a detailed report around the things that you have to fix. So to give you an example, like I said, with the TV, actually, if I step back a bit, one of the challenges with the home network, and different from a corporate environment, is in a corporate environment, you typically have a smaller range of devices. You have a...
standard operating system where it's the same across all of them. Every household that I've scanned so far or I've looked into has a whole different setup. And what that means is the requirements or recommendations for a household vary as much as every household. So I found robot vacuums with issues, found TVs, home network servers, routers, printers. The list is pretty long. We don't have that much time. But basically,
The recommendations will be based on the actual home setup as well as the level of risk that you're willing to take. So what I'm finding is not everyone needs to, again, have a Fort Knox in their house, but there are people that do want to protect themselves better. I've come across a situation recently where a fairly high value individual had their bank transactions, their travel records, their home family photos all packaged up and put on sale for...
extortion on the dark web. Not sure yet how this person or this actor managed to get all this different information, but the actions that he needs to be taking are going to be a lot more severe and a lot more responsive to the threat. Not everyone needs to be able to do that, right? So depending on what the actual situation is. So my process is do the asset register, do a deep scan to help you understand where you are at risk.
Help you deal with those risks as well. So some things might be as easy as changing a password. It might be as simple as putting something on guest Wi-Fi rather than putting on your main network. So those recommendations change and vary, but really what I'm trying to do is give more people access to the methodology that you would have from a corporate level, but geared towards what makes sense for home environment. So if I do a of a bell curve
I've been seeing that corporates are really big targets because you can get a lot of them. The end consumer that has three smart devices, they don't really care about it. I'm looking for the people that do want to be protected, don't really know how to go about doing it. Also, quite frankly, find the administration and the effort involved quite tedious. I can help. That's where I package up my workflow to really hit that spot. And I'm looking at trying to get better with that further.
by adding other extra value adds along the way as well. So things around understanding what's a better option to try and increase your cyber security posture. What else can you do to try and go further up the scale and make it, like I said, create a better path of resistance and not make it so easy for yourself to be to
Jon Scheele (32:22)
I guess regardless of what tools or service you take on, it's up to all of us to take ownership of, we have to take ownership of our own finances, have to take ownership of our own security.
Joseph Yap (32:36)
That's right.
Jon Scheele (32:40)
Appreciate you enlightening us about the vulnerabilities that there are and the sort of steps that we can take. For people who want to know more about you, what's the best way to find you?
Joseph Yap (32:52)
My website, so my cybersecurity company is called Otonata, which is O-T-O-N-A-T-A. It's a play on Otonata, which is dragonfly. For me, the metaphor of a dragonfly being really silent, sneaking up on a prey and picking it up. So bugs, you know, it's another kind of play on the word. But basically, that's the name of the business. And it's really boutique. Like I'm not looking at servicing the big corporates because, you know, there's a lot of people that are looking at them.
I'm looking at the homes that don't really have other options or nowhere to turn that I want to be able to help with.
Jon Scheele (33:26)
Okay, well thanks very much Joseph for sharing that with us.
Joseph Yap (33:30)
Thanks Jon, thanks for having me.