Ido Safruti

Oh, there are a lot of extremely sophisticated attackers there. It’s always fun to find them where the glitches where they’re putting something where you can trace who is doing that. There is a criminal part. So one one cases Magecart is a big and attack tool that or attack method that has been utilized in the last few years where what people figured out what attackers figure is instead of hacking into your database to steal data, if I can get some JavaScript code in your website, which potentially I don’t need to penetrate your entire system, I may find a way to modify a script, the script is running on the client side browser, and then we’ll send information to some third party without decided to knowing it, because it goes directly from the browser waits for you to type in your, for instance, credit card information and billing. Yeah, it’s

Jeremy Weisz

not groundside. It’s not like inside their database. But if I’m on there buying something, I’m typing it in there on that site, like actually see,

Ido Safruti

it runs on your browser and sending information directly to the attacker, that home server where they can collect the information quietly, not interfering with the transaction. So completely, the channel of the user using the browser going to the site is completely seems completely legitimate. And usually, and, and one of the things that we’re doing is we’re analyzing that. And because we’re analyzing how the application behaves, we’re analyzing all kinds of anomalies with an application. And we’re seeing these kind of things happening. And one of the attack tax, we found, we found some very specific fingerprints in it, the way they hide their code, the way they encrypt the code, so that if you look at it, it won’t look suspicious to begin with, it will find a specific engine that we were running a search. One cool thing to do is the HTTP Archive and web archive, there are a lot of places where you can search in an efficient way that target or like the few million largest sites, if you want to look okay, who is using this library? Or who is where can I find it. And we found a specific the specific signature of that returned in where we found a site using the exact same library that is selling credit cards. So we found that attack being spread on several commerce site where they were suddenly stealing all the information. 

Jeremy Weisz

As your as your work, you know, led to an arrest or someone I just picture like you You tell the law enforcement, they bust down the door and like take the person away, has it led to actually criminal arrest? Because you’re I mean, obviously, what you do is you’re just you’re trying to like cut it off at the knees before even starts, like not even allow it in. But you may go I’m sure there’s companies that call you after they’ve been I mean, most people probably get a burglar alarm after they’ve been burglarized. Right? So you get those calls all the time, I’m sure.

Ido Safruti

Yeah, we did ask. And part of the things that for compliance reason, and for many other reasons, we’re trying to not collect any personal information. So there is a limit to how much can we help the authorities in in tracing that because we don’t want to log the data, we don’t want to be liable for anything, any breach of data or something like this. We were called a couple of times to help the authorities investigating crime when on sites were protected in attacks that were protected, being related to what we’re doing or being unrelated just because we log a lot of data. And if it led to in a restaurant, I’m not aware. Okay. We do report things. But we’re not necessarily tracking and we’re not being updated. What is done.

Jeremy Weisz

Yeah, no. So what are the type of attacks? Is there something that consumers can do to protect themselves or just at that point, it just the site needs to be protected? Yeah, so So there are different

Ido Safruti

types of attacks. I mean, there are attacks that are targeting the resources of this site. So you as a consumer are not necessarily impacted. If it can’t take over, for instance, when I’m trying to just go use a dictionary of users and passwords that leaked in previous attacks, and going and hitting them and figuring out if I can take over accounts. Nothing is impacting directly your browser or your server. But this is definitely something that is then may affect your identity, because your identity may be stolen on this site, and they may do transaction in your behalf. So just being aware of that. The basic thing is use a password manager. And don’t reuse passwords on different sites, because you need to assume because it’s a fact that a site will be breached. And users name and passwords and other personal identifiable information will be breached. And attackers are using that because the fact is that most users are using the same user and password with the same email password across the entire internet. So if one of them is breached, even if that site will then force you to change the password, you won’t change it on all other sites, using a password manager that automatically stores in and create a random password for Any different site definitely will help you

Jeremy Weisz

take me, Ido inside the mind of a hacker for a second. So like they get that data, then do they go to Amazon and banks to see if they can log in with the same information like what is seen happen. So.

Ido Safruti

So they’re they’re much more creative and much more efficient than that. And what we’re seeing also is in the dark web and all other firms, you’re seeing special specialization, or I use many cases, in many cases are referred to that as crime as a service. So just like, in the old days, you had to, if you wanted to build a website, you had to run your own servers, you had to have a networking expert, you had to build your software, you had to build every module. And now everything is like Lego blocks with cloud, you can spin up servers from Amazon, you have load balancers, you can use open source libraries, if you want to run a commerce platform you their commerce platforms already, you just need to build your code. The same thing is what is happening in, in crime. So there are this groups or someone specializing in in getting compute power in that sense. So I distribute malware to millions of machines. And now I can rent hours, by the hour access or by my access point to run payloads from machines, which are residential, so are easier to hide. So if I have access to your computer, I can rent access for someone who wants to run things from your computer to do other things, then you have groups that will build specific payloads. So again, if with the example of magecarts, we’ve seen payloads that would the same people that was using by different organizations, from organizations because they bought this engine. So now the criminal it’s almost like a project manager, you need to come with an idea of how can I monetize something, and then you can buy compute From here, you can buy a library, you can commission

Jeremy Weisz

somewhere, and then they’re like, Oh, we are going to sell it to other criminals who can’t do whatever they want to

Ido Safruti

Yeah, and 111 is examples. If I haven’t a username and password of validated, let’s say, Amazon user, I can try and figure out a way, how do they monetize it, because it’s not not necessarily trivial? Well, Amazon stores that credit card on the site, I cannot just go and buy things with it, because they will allow it shipping only to the specific location that is already on record. And without any need to credit card information. So maybe I didn’t find a way, but maybe someone else found a creative way on how to monetize an account not so. So you find those users who are going and running campaigns buying for, let’s say $1,000 and list of a million breached account, at least from one thing, and then build an engine that will test it across 1000s of different sites. Because you have a botnet, you can go and test this dictionary across many 1000s of sites, and then come back with a list of these are the validated accounts that I managed to break into, then you can go online and sell them and maybe an Amazon account will be sold for $5 an account and another another account will be sold for $1. Because and this will be that then there are marketplaces for that. And the value there changes based on how much people know how to do that. And, and this is where you find many creative, fraudulent way. So one might call ways is, and this was done a few years ago already. The first case was when the first popular case was with Fitbit. And this is warranty fraud. So while I cannot access your payment information to send me a new device, if I saw, I have an account, and I saw that you bought a device, I can actually do social engineering for the support. And this is what was done for Fitbit, where people logged into this account, say hey, the device that you send me is not working. Can you please send me a new one. But please send it to this address. And then sure, we’ll do that you should ship back the old not functioning one and then we’ll credit you will hold the charge on the car that you have on file. Obviously the decriminalise did not send anything back. The users were charged and then they complained. So there is a cost of supporting and then getting them in to manage the money back and Fitbit lost a bunch of money on that. So so they will find a way to be creative and how to monetize. They’re very different ways.

Jeremy Weisz

That’s amazing. It’s his whole underworld. So you know, for people that don’t know, the dark web. What is it What’s on there? Okay.

Ido Safruti

So the dark web, you know, I live on I’ll simplify that and and probably will be then mocked for all the inaccuracy when you go through and try to simplify, but

Jeremy Weisz

I’m not, you know, consider someone who’s very technical, we’ll probably get a case I am.

Ido Safruti

Yeah, the idea is, if I want to hide the identity of the server, that our network and there are a few good books about it, the Silk Road on the Silk Road and others were, and these are, how do you leverage that, but it’s originated from the Tor Network, which is the Tor stands for the Onion Routing, which is actually a cryptographic method to anonymize. If I want to anonymize my identity on the internet, there is an IP address. So you know, as a, you can identify and pinpoint an IP address for I’m from Comcast in San Francisco, and maybe even in that neighborhood, and you want unlimited. So what they invented is a crypto engine where you go through at least three or four different nodes and each one, and it’s encapsulating like an onion layer. So I have their message, original message in it and encrypting it in four different tiers, which are going over the network, so that each node knows only who talked to it and who, who it is sending it to, but it does know who originated and where it is destined, what is the destination, so I can then browse access servers, I can use Tor to access their regular network. But then I can also the flip side is I can also now Buddhists connect the server to that and publish a server in a hidden way, in some way affair. And if I so you don’t use the police cannot come and find where the server is, because it’s anonymized.

Jeremy Weisz

The people there. It’s like, there’s crime going on there. Right? I mean, what Yeah,

Ido Safruti

so it started again by purists, not everyone was there is criminal, there are all there are many people who just carry it for their privacy. And they want to do that. But obviously, when you put an anonymize Mark market like this, it is heavily fueled by criminals, I mean, or things that are not necessarily illegal. It could be just for, to avoid taxes. But it also could be to, you can buy, order a murder, you can buy weapons, you can buy drugs you can. And the same way you can then hire someone to build a code that will hack into a site or collaborate with people who are trying to do them or figure out okay, I’m trying to hack to site x.com does anyone have a vulnerability or access to it? I’m willing to pay it out. Again. This is where the marriage of something like the dark web with Bitcoin and other places which anonymizes the source of money created a lot of opportunities for criminals. Not saying that this is the use of that, but this anonymity this this is

Jeremy Weisz

it can lead that type of activity, you know what I mean? It’s a breed it could be a breeding ground, right? Yeah. Before Bitcoin, how are people paying for stuff like that? Because obviously, I could see the dark webs making people anonymous. Yeah. Which makes them so they aren’t hot is easy, but they had to pay the people I imagine.

Ido Safruti

So before that, again, before that dark woman and he’s kind of forums were mostly used by hackers to collaborate and unnecessarily directly to pay. So they would coordinate things they would share, hacks and, and vulnerabilities or do things like this anonymous way. And some of them again, also, what is called White Hat hackers that wanted to share and collaborate but do it anonymously for the sake of improving on obviously, criminals.

Jeremy Weisz

What Why did you start this company? What was the idea behind the company in 2014?

Ido Safruti

So both Omri who is the CEO and I came from Akamai through an acquisition of kendo and we both share a somewhat similar background in both major part of our foundation was security, but then also building a lot of large web infrastructure. Akamai being a CDN are the company, the author, my core if tendo that were part of the leadership team that built a CDN and modern CDN. So the The where security meets web infrastructure and especially web scale was something that was very interesting for us and and something that we’re dealing with most of our career and we saw it in need and opportunity in the way that we felt like the way security is being done on web scale was wrong, that it was sort of forcing almost as an afterthought, enterprise security, on web, which is a very different architecture, instead of rethinking on how should security be their traditional security is usually let’s put a gateway at the entrance to the data center or to my office. And let’s force everything to go through that. And that gateway can monitor any request and decide what goes in what goes out and apply policies on it. When you look at the web, there is no one data center, you’re especially with the the legal, the Lego blocks, or the the many modules on how you build a modern application, I can use Platform as a Service, I can use serverless, I can use a payment vendor, like Stripe for my payment. So in a modern web application is built from sometimes 10s of different sources. And you don’t have one choke point where you can say, Okay, I’ll put a gateway here, or I’ll force everything through that. And most of the security, web security models, were saying, Okay, let’s route everything through one node, let’s put it in the cloud, but it’s still let’s force this architecture. And we felt it’s wrong. And we wanted to see, can we do something different?

Jeremy Weisz

And people are using all these tools on their site? And if there’s a breach, there’s a breach, right? So if they’re using stripe or this plugin, or this, or something else, it’s like there’s all these entry points. Right?

Ido Safruti

Exactly. Exactly. And, and even your own application, you may have a database cert from here and a storage and you may run the user authentication in one place, and and the inventory of your items in another place. So how do you secure all that? And how do you manage all that? That’s how you can how do you go back without adding a little? Yeah? And how do you not force and limit the innovation of engineers? Because the reason the things are built this way is because engineers want to move fast. I don’t want to rewrite something. So if there is a component that someone provides somewhere in there, I’ll try to use it. And what we came is with an architecture that is different, that instead of forcing proxies proxy, or am I like this, we said, What if we can put open source or modules components over to enhance the existing infrastructure of the customer, from things that are running on the client side to collect information from the end user, on their behavior and application, through integrations to CDN load balancers, web application and application code, and put a lightweight shim there, that then delivers all the information to our cloud infrastructure, which is out of band where we’re doing all that analysis. And then we’re both collecting information, and then can instruct the infrastructure and make the infrastructure smarter by also being able to intervene. And we came up with this concept. We didn’t think of bots, we didn’t think of clients. These were examples. And then we started interviewing probably 50 different prospects, different customers from different verticals, who say, Hey, we have this crazy idea. What do you think about it? Is it something that interests that you’re interested in? What problems would you want to solve with this kind of things? Here are a few problems that we thought are interesting. Are there are these problems that you’re seeing are these problems, you already figured out the way and we got very, very strong validation to the concept of it is a beautiful thing that again, its founder, you learn is when you come with question, and you’re not trying to sell anything, because again, at that point, we didn’t have a product to sell. We had an idea. People are specially here in the valley. And and same thing I know with companies in Israel, and I guess this is true across the world, people are very happy to share and to listen, because here’s a smart person, potentially with an interesting idea. I’m happy to share I’m not committing to anything. So we got really great feedback and interest and some of them became customers and design partners down the road. And after we’ve seen this 50 different use cases we narrowed in narrowed in on two things. One is the model is solid and we got convinced that we as three founders can want to invest a big portion of our life in buildings And the other thing is that the first use case for that would be the first use case for that would be bot mitigation. Because this was a problem that we kept hearing customers that, yeah, there are a few vendors that are trying to do that now, but they’re not doing it right, they are forcing us to deploy a box in our data center. And that will work or they are forcing us to route all the traffic through some through their cloud or, and they’re just not accurate enough. So we started with that. So we build the infrastructure and the concept of a platform that can do web security, you know, on and the first few years were called bot defender, which is around detecting bots and preventing all these kind of malicious.

Jeremy Weisz

Yeah, I love this. You know, thanks for sharing that. It’s like you went into this is instructive for anyone, right? You have 50 potential part, you have a hypothesis like this is the good idea. But you only knows a good idea until you have someone who’s willing to pay you and get value out of it. So you interviewed 50 people, you ask them the questions to see if it’s a big enough what the problems were and getting validation. And you found there was a big problem that wasn’t being solved. And then you guys went out to solve that problem. What do you do from there? Do you train bootstrap? with the team do go and raise money? How does? What’s the next step?

Ido Safruti

Yep. So once we got convinced that this is something we want to build, we build some, I wouldn’t call it bootstrap, we build a proof of concept mostly to prove to ourselves that also, not only that, there is validation from for the need, but also that the concept and the technology that we’re the way we’re thinking of building it is viable, because it required integrating into. Currently, we have more than 40 different integrations into all kinds of infrastructure. And so we want you to see that this is viable. And once we had that we we went to raise money, we yet we decided to go and raise money, we did a seed a seed round. Funny enough, the first call, the first person we wanted to pray was was a friend who was an advisor in a pre, he was an advisory board of contendo. And I knew him from previous roles he had, he was the VP of technical operations at Facebook, who helped scale them at that. So really knew that and it was more of, we have an idea, we built an initial deck, we want your feedback on it. His name is Jonathan Heiliger, he ended up being the first investor. But what we didn’t know Is he was in a VC he was trying to build his own VC and, and one of the first feedback was Okay, that looks really interesting. I’m working on something, so I would want to invest. But I’m building my fund as we’re speaking. So I don’t want to slow you down, I’ll make some interest to other VCs that I think may be interesting. And let’s see if I managed to get in and at what capacity. And so it was great with him to make a bunch of intros. And that helped get the first investors but also, he ended up unintentionally being the inventor, the investor, instead of just advising, it wasn’t as easy as as it can sound. It’s not that within a week from starting, we close the door. So it took us some probably a couple of months overall. And with Eliza Poppins ups and downs, but

Jeremy Weisz

this is our early on, Ido, when raising money, how do you know how much that you need to raise at a time?

Ido Safruti

It’s a tricky question. I mean, you, you basically raise as much as you can, at the right direction. So I guess you don’t want to give too much of your company at that point. You don’t want to give probably 20 to 30% not more than that in early stage. And it really also depends on what is the trend in the market is the right some for a seed round now 5 million 10 million or 2 million and it changes over the year. So I would love to say that there is a whole discipline about this is the budget and this is what I need to get to the next milestone and it’s more it’s there is a bit of that. What do we need in order to get to the next milestone which is product market fit and having a few reference customers. But also it’s about what is the market how much can you raise which helps you also build a budget. So, Fiona,

Jeremy Weisz

I guess, then at the time when you I don’t know, when you raise if you had customers at the time, but early on, it’s hard to come up with a valuation, I imagine. So how do you come up with a valuation of the time when it’s early on, you don’t have as many customers or clients

Ido Safruti

yet. So obviously, in the seed round, you don’t have zero customers, you have some reference people who validate that they like the idea. So it’s really basically the team, the experience of the team, what is the risk on? Have we’ve done things like this in the past? how likely are we to succeed? And is the idea in the overall right direction? Because it may pivot and change to month after you start?

Jeremy Weisz

high risk? high reward? I guess, for those people? Yeah.

Ido Safruti

Right. Yeah. And in that case, is like evaluation 10 million, or 20, or 50. Just Right, exactly. Whatever pot, however convincing you are, I mean, the problem might be a huge problem, or a small problem, it’s more about the team and your ability to execute. I think later on, it becomes more of an art. And probably, I know, you’re interviewing also VCs and all that. So I guess they have their own method of how to estimate or how to evaluate a company. But that updates, also a supply and demand thing. If you manage to get a few VCs interested, you can open bidding war, if you don’t, then you’re stuck to what you’re

Jeremy Weisz

talking about early on, Ido, some of the lessons you learned, and maybe any interesting stories from Israeli Defense Forces and Prime Minister’s Office those days.

Ido Safruti

So lessons I’ve learned. I think it’s about again, even though I love technology, and the CTO owning product and engineering in our company, I mean, technology is rarely the driver, I mean, technology is an enabler to solve a problem, the main focus should be always on, what problem are you solving, who is the customer, and explain that because once you know that, using technology to solve it is sort of the easy part. So focusing a lot of that’s focusing on what not to do, were things that even again, as part of my military service, you need to focus on what it is that you do what will get you the most reward, what will get you the highest value for the customer. So this is an extremely valuable lesson. The other thing is, and this is one of the best advice by God is to hire early and to hire for where you want to go. One of the biggest mistakes that people are hiring for the needs they have now especially in a startup that you plan to grow fast. So today, I have an engineering team of five engineers, I need just a team leader that will manage five engineering stuff hired now I need the VP of engineering that will help make lead these five people and build a 50 engineer team, because I don’t want to swap heads every year, don’t want to hire people, and I want to help those skills. So if you think you may need marketing at a certain point hire them. And, and again, it’s a great lesson I took and it’s a great, I can say that I’m practicing it as as well as I am to and one of the feedbacks, and one of the comments we got and this is true 14 We’re extremely frugal, and we’re trying to be very efficient, which was very good. It helped us get to where we are, but in some cases, and I think this is the main regrets I had on almost the actions I did is there are many things that I could have done earlier, I could have hired specific people earlier, I could have hired a person for a later stage where it sounds weird wasteful, or what will this person do? I mean, he used to manage 100 people and now I have a team of 10. But if the challenge is big enough, and if the division and all that and you have such a person then then you will get there.

Jeremy Weisz

What some of the advice you got from a mentor or some of your investors that has proved to help in addition to that, because I’m sure you get a lot of feedback from them as well,

Ido Safruti

yeah, so this one was definitely one. Fire fast, huh? again more about people. If something feels, especially in a small organization, when you’re into growth, if you’re thinking if someone is, is good usually means that is not if you’re thinking about should this person should I fire this person or not? Probably you should. I had only two cases, I think in my career when I thought I should have hired a person. And eventually, I learned that I was mistaken. And in both cases, it was after going through a process of a hearing or going and, and talking to the person and being very straight and being very direct. So I think aiming with clear goals, clear feedback, even if it’s harsh, then it’s less pleasant because of the environment because you don’t only recognize that. But this is definitely something that is extremely important. And the third thing, which is again, all around people, hire early fire fast if it’s wrong. And then also, don’t be just strict. I mean, recognize. And this is something that I’m continuously learning to do better is how do I reward people? How do I recognize the good things? Because it’s very easy when you build something to constantly look at what’s not working? Well, what can I do better? Instead of looking back and say, Okay, what we did is quite significant for both for ourselves, but also for our team members. And they appreciate the criticism and they appreciate it, they strive for perfection, and how can we do things better. But it’s not going to shoulder every once in a while and recognizing that what you did is great is for someone is extremely valuable, and you can never do.

Jeremy Weisz

Yeah, Ido, what has been a hard decision you have to make when you were in the military.

Ido Safruti

So one of the hardest decision was to leave the military. Because you’re doing it and you’re doing it for a long period of time and I’ve served for nine years. It’s you’re doing it because you believe that you’re doing something that is serving a greater greater purpose. It’s not just for the money or it’s not just for the drill. So I think that was one of the hardest decision

Jeremy Weisz

there ultimately, why did you those nine years it’s a long time

Ido Safruti

Yeah, um that might be one of the criticism I had in my period on the military organization. But they don’t they the militaries around by military men and fighters at the head that at the head of the army, or the defend the organization, usually you don’t have commodities, or businessmen at the top, it’s someone who started in the Marines or the Navy, or, or infantry or something like this in special units. So there is sort of a glass ceiling for technologies or for people who can if in fact, were in tech, it’s the opposite. So when you grow and when you start becoming, getting more senior roles, and then in the military, intelligence and all that, you get more responsibilities, but also politics becomes heavier like in any large organization, and this is where At what point do you stop enjoying your day to day job even though you see the greatest greater cause? And this is where I felt okay. It was really enjoyed I want to leave in a good point, and not when it’s sour.

Jeremy Weisz

You know, first of all, thank you I’ve one last question but I really appreciate you sharing your journey, your expertise. And everyone should check out PerimeterX.com If you know of any of these type of companies or brands that you know are taking a lot of transactions online or have a lot of web traffic, tell them the check out PerimeterX.com and You know, now more important than ever, with COVID like everyone, like, there’s so many people just on the internet, maybe you see early on, Ido, like, the issues zoom was having because of the explosive growth.

Ido Safruti

Yeah.

Jeremy Weisz

I mean, you just see security measures after security like patching on on zoom, and this is happening across all the all the business, that’s just one that we probably use, and we see like, I log in, and like, all of a sudden I have to, like, allow people in because they’re putting in these security measures. And some of the stuff we see some of we don’t so check out PerimeterX.com. Um, you know, my last question, Ido, is, you know, you were in Israel for a long time now, you’ve been in the US for a long time. What are some of the differences? You see? Either it’s conducting business or culturally, Israel compared to the US, and then we’re talking to you as you are in San Francisco. So it’s like, obviously, you’re that lens. But what are some of the differences you see, between life in Israel and life in the US? Yeah.

Ido Safruti

I think one of the the main reason I moved to the US is to be close to the market, Israelis a very small market. Most of the startups and companies that are built in Israel are selling to other markets not built to serve the local market. So the main difference when I moved was feeling okay. Now I understand so many things in a different way. It’s it’s more so in consumer web, then in in b2b, which is the business I’m at. But feeling okay, this is where the market is targeting. This is like having Amazon delivery, having Netflix working, having a bunch of, of thing where the target markets are, and understanding the consumer and understanding that businesses are done differently. People are much more direct and rough in Israel, and much more a record. And I must say that in the stop startup rules, specifically in Silicon Valley, it’s closer to that then, I guess, in the Midwest, where people are a little more tame. But it’s very different. I think people are much one. One obvious thing is personal life and the barriers in workplace. The difference between in Israel, the work is where you get most of your close friends, were here, there is a much clearer separation of your private life and your work life. And that benefit now when running a large us office and large Israeli office, how do you make sure that there is one culture overall, while you don’t expect people to really have one culture? I mean, you you want to acknowledge and identify these differences? Yeah, there are actually a bunch of books and recommendations on how different the culture is. But I think these are some, some obvious ones get one simple example on personal life is the first answer when I was shocked after living for six years in the US when I started interviewing for employees in Israel, because well, we live in the us our first hires, we decided to hire and build our engineering, an excellent century interview. So interviewing candidates, and the first thing they’re saying, I’m 28, married with two kids. And these are all things that no one will say in the US interview, especially not starting with that when you’re asking, tell me about yourself. And for me, it was like, why are you telling all that information to me because I was already spoiled, and by living for six years in the US, and I think this is tell us about

Jeremy Weisz

Why do they start with that in Israel?

Ido Safruti

This is how you start because this is what you put on your CV and people are very open about that before telling their age marital situation where they live, what the US

Jeremy Weisz

is more of a divide that just shows the divide between the personal and the business in Israel get all kind of one thing I got. Yeah. First of all, Ido, thank you, everyone, check out PerimeterX.com check out more episodes of the podcast and Rise25 and thank you so much.

Ido Safruti

Thank you