Tom Uran
Hello everyone, this is Tom Uran. I'm here with Grok for another Between Two Nerds discussion. G'day, Grok. How are you?
Grok
G'day, Tom. Fine, and yourself?
Tom Uran
I'm well. This week's episode is brought to you by Sublime Security. Sublime makes an adaptive email platform and you can find them at Sublime Security. So we've been talking about 0day, and one of the phrases that people use is the fetishization of 0day, which basically means that it gets a lot more attention than it needs to.
Grok
It's outsized. Yeah. Just briefly, a 0day is when there's a vulnerability that's known to people other than the vendor, and as a result there's no patch or mitigation or workaround to fix this vulnerability. And it can be used by this other person or other people to exploit that software and gain access or crash the system or do whatever.
Tom Uran
I think part of the reason they get a lot of attention is because when they become known to the vendor, often there's a push to get a lot of publicity so that people do patch. So if it's a particularly bad vulnerability, and bad would be like remotely executed.
Grok
Log4j was a huge one, right?
Tom Uran
Yeah. Everyone talks about it because they want people to know about it in order to patch it. And so that's not something that happens with vulnerabilities that may be very bad but have been around for a long time. Like you don't mention them anymore because if you're going to patch them, you did it five years ago.
Grok
So this has been on my mind because I took part in this offensive cyber workshop, Chatham House rules. So, you know, don't ask me specifics, but we came up with some concepts and things to discuss. And what I found surprising was just how big 0day was within the minds of, like, there were academics and practitioners and all that. And the practitioners that I saw did not list 0day as an interesting thing, but everyone else did.
Tom Uran
Right.
Grok
And so we have things, you know, like non-state actors doing operations and cyber operations. What is cyber? What is operation? And then it would be 0day.
Tom Uran
So I think it's interesting that you said that the practitioners did not rate it as a particular topic of interest. And so it holds a fascination for people who are thinking about these problems but haven't done those jobs.
Grok
Yeah, yeah.
Tom Uran
So I can understand why it is fascinating, because it seems to me a good, I guess it's an exploit, right? It's operating at the limits of human endeavor, like at the limits of human ingenuity. There was an NSO Group one a while ago.
Grok
Right.
Tom Uran
Where I can't remember the exact details, but they were constructing basically a computer inside.
Grok
Yeah.
Tom Uran
Inside the exploit so that they could work the problem after they got a very small foothold. Work the problem so that they could get to the next stage. And, and that kind of stuff is fascinating.
Grok
Yeah, it's amazing. It is. Wow. These people, they had nothing and they turned it into something by.
Tom Uran
They had two bytes.
Grok
Yeah. Like they had two toothpicks and they managed to construct a ship somehow. I don't know, you know, and that's amazing. But I think at the same time, 0day, within the context of operational cyber, like if you're a state cyber agency and you're doing your day-to-day operations, you know, show up at 9, work until 4:30, leave early. That's right. When you're doing that, then 0day is not your go-to for every problem.
Tom Uran
No, no, it just can't be, can it? Because like a few episodes ago we were talking about the size of some of these organizations and if I remember rightly, it was NSA was 30,000 people. And if you've got that many people working on these sorts of problems, there's got to be an everyday reliable bread and butter.
Grok
Like you can't use a super secret thing for absolutely everything. Especially not if it's like you gain a little bit of access and then you use that to create a virtual machine that interprets bytecode that you then send the bytecode to that then creates another exploit that then does this, that then creates a second exploit inside. Like that's amazing. But it's super fragile. That works most of the time. But when you're looking at the scale that these organizations operate, most of the time isn't good enough.
Tom Uran
Right, right, right. Well I mean it's also the chances of discovery go up the more you use it. Right. And when it is kind of the magic, like, you know, we like the magic, we like seeing it, but also the more you use it, the more likely it is to be discovered and patched and then you lose it. Right. So it's a special occasion kind of a thing.
Grok
I mean it is very much like magic in that it would be a magic trick. Right. And if you're at a party and you show everyone like, oh here's a card trick, but then you do it to literally everyone that you meet the entire night, like people will get bored of it and figure out what you're doing because you can't play the trick that many times with that many different people around. It's not going to work forever.
Tom Uran
I mean, I think the difference between magic tricks and a party is that if you're doing this in the real world, there's very well resourced organizations that are trying to discover and unpick your magic trick. It's not like you've got a bunch of rooms at the average party.
Grok
Yeah, well, there you go. It's like it's a magic trick where mixed in among the crowd are other magicians trying to steal your stuff.
Tom Uran
Yeah.
Grok
When you do use it, you want to be sort of cautious and limited, and 0day is a sometimes food.
Tom Uran
Yep, yep, yep.
Grok
It's not the leafy greens. It's not the sort of base layer of, like, here's your grains. You need to have, you know, five servings of 0day a day. It's not that. That's password reuse and token theft.
Tom Uran
Yes.
Grok
That's how you're doing most of your stuff.
Tom Uran
That's the base of the access pyramid.
Grok
Exactly. There you go. So you've got your password reuse, then you've got your misconfigurations, then you've got your public exploits, and then somewhere at the very tippy top you've got your 0day, which you bring out for birthdays or your dirt day treat of the week sort of thing.
Tom Uran
Yeah. Okay, so I'll approach this from a different angle and say the 0day is worth all the focus because it's what gets people the very super top priority access. Right? So even though it's a small proportion of what goes on, because almost by the nature of what it is, you save it for the most important targets that you can't get to any other way. And so therefore it has an outsized impact.
Grok
And so this focus on generals when there are so many privates, you know, we should be looking at the, the lance corporals and the enlisted men who make up the bulk of the army, not the, not the guy making the decisions, which is just that, you know, there's a very few of them. So I don't know why they're the focus of these histories about these battles when you. Because the majority of the work being done is not by them. If you look at it from a quantity point of view. Yeah, I think that's the counter argument is still, I think that they get used less than people think. Even for those special occasions.
Tom Uran
Well, I mean it depends what you're talking about. If you're talking about what's most important from a public policy point of view.
Grok
Right.
Tom Uran
I kind of think that the people who are likely to be targeted by those best-of-the-best 0days are Greek journalists. Well, I guess the problem is that there is this huge diversity. Right? It is, on one extreme, individuals who are doing things that powerful people don't like. And at the other extreme, it's the president of the US, who, at least in theory, has an entire apparatus that's designed to make sure that they're not using vulnerable smartphones. Like I said, in theory, in theory.
Grok
This is true up until, say, 2025 or so. There's few exceptions.
Tom Uran
I mean, there were stories from the first Trump presidency where he was.
Grok
Yeah, yeah. So I guess one of the things that sort of comes up is that when people think of 0day, they are either, like, infosec technical people who want to be like, well, you know, if they hacked a TV by finding a specific vulnerability for that particular brand of smart TV in that hotel room so that they could access the remote that had a microphone in it so that they could listen to what's going on, you know, like, that's a 0day. It's an unpatched vulnerability, but it's not. Like, unless you happen to be someone with that smart TV that a state wants.
Tom Uran
To surveil, the planets have to align.
Grok
Yeah. Like, you don't need to worry about it. So you can sort of argue that that's 0day, but then at the other end, it's like an iPhone gets hacked by 0day, and that feels like that's a lot of people who are vulnerable, in theory. So I think that there's a sense that, like, when these organizations have 0day and they're using 0day, it's all about iPhones and Windows and macOS. It's all about the things that I use. And I'm exposed because these people have developed weapons that they're keeping private rather than fixing it. And so I think people have this sort of misplaced sense of vulnerability that comes from believing that that's what's happening all the time.
Tom Uran
Right. There was that Kaspersky report on, I think they called it Triangulation.
Grok
Yeah, yeah, yeah.
Tom Uran
And it was a series, I think, of iOS exploits, and it was very, very clever. And I was surprised at how widely it had been deployed against Russian targets, in that it seemed like it was thousands of them.
Grok
I think we spoke about it at the time as, like, they felt like something that was about to be lost. So you may as well just like spank it.
Tom Uran
Yeah, yeah. And like thousands sounds like a lot, but when you consider that there's a billion iPhones or iOS devices.
Grok
Right, right.
Tom Uran
And you know, maybe it was a thousand in Russia, I don't know, 10,000 in the whole world or something like that, that's still an infinitesimally small number of people compared to the world.
Grok
Right, right. And I think the other thing is we could take the EternalBlue exploit for an example. Again, where it was found used for years. It got patched because when they found out it had been exposed, they worked with Microsoft to get it fixed. But it was only after the exploit became available that it was abused by every threat actor out there. Beforehand, as a 0day, you know, it was magic. And it was also not abused against regular schlubs like the rest of us.
Tom Uran
Well, I guess I would say its use was prioritized abuse. I think it depends whether you're a target or not. Right.
Grok
Well, I would say it's abuse when it's used for. And this is again, subjective. Like I'd say it's abuse when it's used for criminal reasons.
Tom Uran
Right. Yeah.
Grok
Right. So if it's.
Tom Uran
That's probably something we should all agree on.
Grok
Yeah. But then people are going to be like, well, the NSA does crime. There are criminal organizations. Right. Which is, you know, like ignoring, ignoring that insanity for a minute. I think we can agree that like, yeah, if there's someone who has a checklist that they have to go through before they can use an exploit and they have to get legal sign off, it's probably not being abused. If there's lawyers involved in the decision chain, it's unlikely that it's being abused.
Tom Uran
Yeah. Mostly I think the incentives, if you've got a piece of magic, you want to hold onto it and one of the ways you hold onto it is by using it carefully. And so I think that's a universal dynamic for any like half sophisticated cyber actor they're going to think about.
Grok
Right.
Tom Uran
Like managing that risk.
Grok
Well, I'd argue that for a while China was not in that group. Yes.
Tom Uran
And I guess that's why I put the caveat of half sophisticated.
Grok
Right, right. But it created this interesting dynamic. So for a while, because China was perfectly happy using public exploits. Right? Like, they didn't really care what got them in, they just wanted to get in. Whereas that's not true for the Five Eyes, who are very careful about using things that can't be traced to them or things that won't be detected easily. And so for the Chinese, it was actually smart for them to publish as many exploits and bugs as they could find, because they were denying them to the Five Eyes and making them available and creating cover traffic for their own use. So from their perspective, reporting bugs was actually increasing their arsenal while potentially decreasing the capabilities of their adversaries.
Tom Uran
Right, Yeah. I think that makes sense if you think of it from the point of view of who's in front. And like, if you're behind, it kind of makes sense that you want to just patch everything that you can, and that's your first priority, to mitigate your own weakness. And then if you can still get some mileage out of it afterwards, well, happy days. I think if you feel like you're ahead, you probably want to keep everything secret and try and hold.
Grok
You want to preserve your.
Tom Uran
Your advantage, preserve your lead.
Grok
Yeah, yeah, yeah.
Tom Uran
Does that make sense? I think it does.
Grok
I think so.
Tom Uran
I don't know that the Chinese state as a whole has a really sophisticated view of whether it's ahead or behind. It's just got a lot of pieces, like moving pieces.
Grok
It's much more federal than people give it credit for. I think, like, there's this very strong leadership, but then the implementation is sort of parceled out to individual states and. Or what do they call them?
Tom Uran
Yeah, yeah. And I think that's why I think there wouldn't be a single decision maker who could weigh up the different equities across the whole, like, cyber security. And especially, like, since they contract a lot of cyber espionage, so.
Grok
Right.
Tom Uran
And they would own that decision and make that.
Grok
And they have freelancers who will compromise things first and then try and sell it later as well.
Tom Uran
Yeah.
Grok
The thing about this workshop, that, again, it's just. I found it surprising how excited everyone was to talk about 0day and capabilities. And there was a very minority group of people who, when you talk about the capabilities. For us, we were thinking about things like weapon contrivance, which is sort of once you have access to something, or when you're going to gain access to something, you need to develop the tool that's going to have the effect that you want. That's the interesting thing. It's not how do we get in there? Because that's an implementation detail that we'll figure out. But once we're there, with Stuxnet, for example, the interesting thing is not how do we gain access, because we can figure that out by whatever means. But once we have access, there's only a limited number of things that we can do given the environment that we're operating in. So how do we exploit that? You know, that becomes interesting. Not the actual vulnerability that gets exploited. That's the key. It's what you do once you're inside that's interesting.
Tom Uran
Right? Okay.
Grok
I think so.
Tom Uran
I mean, Stuxnet seems like maybe not the best example, because I thought the way they got in was interesting, in that I think it was a human source. Right? Who was. Right.
Grok
So I don't find that interesting, because I think that that's obvious. Right. To me, that's just like, when you have a difficult problem, here's one of the solution sets that you can pick from. And it's interesting because it's not a cyber thing, but it's not interesting.
Tom Uran
I mean, I guess what you're saying is that there's multiple ways a human could get software onto a system, but getting a person to do something for you, that's a solved problem.
Grok
Exactly.
Tom Uran
You're saying that there's one way to get Stuxnet to have the effect that you want, and it's a very narrow path, and you want to make damn sure that it works once you've, you sort of attach it to the human, and therefore you need it to work perfectly.
Grok
So, like, I think that that's the more interesting thing. It's the hypothetically, we have access to this thing. What is a thing that we could do that would achieve our goal? All right, how do we make that happen? That strikes me as more interesting than how do we get software installed onto the secret network? Because you can figure that out. Like, that's not a. That's not insurmountable.
Tom Uran
Right.
Grok
Like, as an example, here's the thing that many years ago, someone was telling me about how this particular enterprise got hit by, this was pre-ransomware, that's how long ago it was, but they got hit by banking trojans. And the way that it was installed was there was a Word document with this macro infection thing. And the Word document said, enable macros for a chance to win a $20 gift certificate. And so this one guy at the office had taken this Word document and had run it on all of the PCs he could find. Like, he wanted to maximize his chances of getting that $20 gift certificate. Just taking it around after hours. Like, click, run. Next one. Click, run. Yeah, so I think that's a solved issue. That's done, right?
Tom Uran
Yeah. Yeah. I mean, going back to our food pyramid, I guess what you're saying is that there's this smorgasbord of options to get access, and that if an organization is large enough, you will get access somehow. There are very, very few organizations where it's impossible to get access. And those maybe are the ones that sit at the top of the access pyramid, or where the solution sits at the top of the access pyramid, maybe.
Grok
Right.
Tom Uran
And so then when you say, well, access is fundamentally, like, that's a problem that you have to deal with because it's inevitable. It's like, what do you do next is the thing that you've got to tackle. And so therefore, zero day doesn't really make sense to talk about, because it makes sense to talk about if you're that organization that will be. Or, like you say, a Greek journalist. And therefore. But the question is really not how do I protect myself from zero day, but what do I do next? And so for a Greek journalist, it might be like lockdown mode or whatever you can do with an answer.
Grok
Not keeping things on your phone, so that even if you are compromised, there's no access. There are ways of doing impact containment such that 0day is not a problem, or it's not as big of a problem, because your exposure just isn't there. 0days are magic if you don't know how they work. So, yeah, 0day has this sort of outsized importance in the minds of people who are not experienced in cyber operations. But I guess we sort of need to be careful to not downplay it too much either, because it is important. It's important because you use it for the things that are most important as opposed to the majority of stuff. Like, the majority of your operations, you're reusing passwords, you're using misconfigurations and so on. You're not using the crown jewels on everything. And I think people get super excited because they believe that the crown jewels impact them in some way.
Tom Uran
Well, maybe it's their crown jewels, right? So everyone. We don't all have the same crown jewels. Countries have different crown jewels, for example.
Grok
It's like, literally, I think for people outside, they can understand that vulnerabilities in software are bad and they should be patched, and that 0days are about vulnerabilities. And so not patching them is bad. Yeah, it's a sort of transitive property of, like, we know that vulnerabilities are bad. 0days are unpatched vulnerabilities. 0days are bad. Therefore, any 0day that exists means that the vulnerabilities are out there everywhere and we're all more at risk from them.
Tom Uran
It's a bit like supply chain attacks, where it's clear once you know that there's a vulnerability, there's an answer, which is patch or mitigate it somehow. Once you know it's there, you can do something about it. But both with supply chain and 0days, there's at least this feeling of there's an unmitigated vulnerability that we don't know about or could appear out of nowhere.
Grok
Yeah.
Tom Uran
And so I think they both get attention because it feels like an unresolved problem, an insoluble problem to some degree. So, I mean, I don't think that's quite as strong with supply chain because there are a lot of things you can do. But to me, it's the same dynamic at play, or the same logic. They get a lot of attention because they feel like they're either insoluble or not yet solved.
Grok
So I think that's part of it, is that there's the sense of vulnerability, this unsolved problem that's just out there menacing us. But I think part of it is also that it's sort of, like, sexy and mysterious. It's unknown, and because it's unknown, it's attractive and, like, it's cool. Right? And I think that that makes it.
Tom Uran
It's like Rumsfeld's unknown unknowns, except it's a dangerous unknown.
Grok
Yeah. Right. It's like.
Tom Uran
So it's a known unknown. You know that they're out there.
Grok
It's a known unknown. Right. But to quote myself, worrying about 0days is like worrying about ninjas instead of cardiovascular disease. Right? Like, it's really sexy to be like, ninjas could be out there after me. You don't know. Like, it's. I don't know, it could be.
Tom Uran
It sounds like a lot better film, being chased by ninjas rather than.
Grok
Yeah, it's. It's, you know, safety and security through doing the boring basics versus, you know, train hard and get revenge. I guess it's.
Tom Uran
It's the Karate Kid, not the patching kid.
Grok
Thanks a lot, Tom.
Tom Uran
Thanks, Grok.
Risky Bulletin Podcast Summary
Title: Between Two Nerds: The 0day Fetish
Host/Author: Risky.biz
Release Date: March 24, 2025
In the March 24, 2025 episode of Risky Bulletin titled "Between Two Nerds: The 0day Fetish," hosts Tom Uran and Grok delve deep into the world of 0day (zero-day) vulnerabilities. They explore the fascination surrounding these elusive exploits, their operational significance, and the broader implications for cybersecurity. This episode offers a comprehensive examination of why 0days receive disproportionate attention and how they fit into the larger cybersecurity landscape.
Definition and Basics
Grok opens the discussion by defining the fundamental concept of a 0day. He explains that a 0day is a vulnerability in software that is known to people other than the vendor, leaving no patch, mitigation or workaround available. "A 0day is when there's a vulnerability that's known to people other than the vendor and as a result, there's no patch or mitigation or workaround to fix this vulnerability," states Grok at [00:38].
Operational Mechanics
They further discuss how these vulnerabilities can be weaponized to exploit software, gain unauthorized access, or crash systems. Tom Uran highlights the technical prowess involved in top-tier exploits, citing an NSO Group exploit that effectively constructed a computer inside the exploit itself to work the problem from a minimal foothold (two bytes, as Tom recalls) to broader system access. Grok adds that such constructions are amazing but fragile, and that "most of the time" reliability is not good enough at the scale state agencies operate.
Oversized Attention
Tom Uran introduces the concept of the "fetishization" of 0days, meaning that these exploits receive "a lot more attention than [they need] to."
Publicity and Patching
Tom Uran explains that when a vendor becomes aware of a particularly severe vulnerability, there is often a push for publicity to ensure timely patching. Grok cites the widely publicized Log4j vulnerability as an example of this dynamic [01:21]. In contrast, older yet still severe vulnerabilities fade from public discourse because anyone who was going to patch them did so years ago.
Academic vs. Practitioner Views
Grok shares insights from an offensive cyber workshop, highlighting a divergence between academic interest and practitioner priorities. While academics and theorists are captivated by 0days, practitioners in the field view them as less central to everyday operations [02:14]. "The practitioners that I saw did not list ODE as an interesting thing, but like everyone else did," Grok notes.
Bread and Butter Tools
Tom Uran concurs, noting that an organization the size of the NSA (which the hosts previously put at roughly 30,000 people) must run on reliable, everyday "bread and butter" techniques, with 0days reserved for special occasions [04:33]. Grok compares using a 0day to performing a magic trick: impressive, but fragile, and the more often it is performed, the more likely the audience (which includes well-resourced rival magicians) is to work out how it is done, after which it is patched and lost [05:34].
Diverse Strategies
The conversation shifts to how different nations approach 0days. Grok points out that while Five Eyes agencies are careful to use capabilities that cannot easily be traced or detected, China for a time was content to use whatever public exploits got it in. Under that model, reporting bugs to vendors was a rational move for China: it denied those bugs to adversaries while the resulting public exploits created cover traffic for China's own use [13:36]. Tom adds that this makes sense for an actor that sees itself as behind, whose first priority is to mitigate its own weaknesses, whereas an actor that sees itself as ahead wants to keep everything secret to preserve its lead.
Organizational Complexity
Tom Uran questions whether the Chinese state as a whole has a coherent view of whether it is ahead or behind; Grok describes its implementation of cyber operations as more federal than it is usually given credit for. With much espionage contracted out, and freelancers who compromise targets first and sell access later, there is no single decision maker weighing equities across the whole system [15:35]. This decentralization makes unified decisions about the use of 0days unlikely.
Comparison with Supply Chain Attacks
Tom Uran draws parallels between the attention received by 0days and supply chain attacks. Both are perceived as unresolved, possibly insoluble problems that evoke a sense of ongoing vulnerability, even though there is much that can be done about supply chain risk [22:27]. Grok argues that 0days carry an additional allure because they are "sexy and mysterious," which makes them more captivating in public discourse [23:14].
Access vs. Exploitation
A key distinction made is between gaining access and what happens post-access. Grok argues that acquiring access is essentially a solved problem with many methods available (he cites an enterprise infected by banking trojans after an employee ran a macro-laden Word document on every PC he could find for a chance at a $20 gift certificate), and that the real challenge and interest lie in what can be done with that access to achieve a specific objective, as with Stuxnet [17:02]. Tom notes that Stuxnet's initial access was reportedly via a human source; Grok's view is that this is an obvious solution set, not the interesting part.
Public and Policy Implications
The hosts discuss how the existence of 0days shapes public perception and policy. Grok highlights a common misconception: the belief that because agencies hold 0days for iPhones, Windows and macOS, everyone who uses those products is exposed all the time. "0day has this sort of outsized importance in the minds of people who are not experienced in cyber operations," Grok explains [21:13]. Tom adds that for those who really are targets, such as Greek journalists, the useful question is less how to prevent a 0day than what to do next, for example using lockdown mode; Grok suggests impact containment, such as not keeping sensitive material on the phone at all.
Real-world Examples
Tom references the Kaspersky report on a chain of iOS exploits called "Triangulation," which was deployed against what seemed like thousands of Russian targets, a number that is still vanishingly small against a base of roughly a billion iOS devices [10:52]. Similarly, they discuss the EternalBlue exploit, which was used quietly as a 0day for years and was only abused by every threat actor once it became public, illustrating that the widespread harm came from the exploit's release rather than its secret use [11:48]. Grok draws the line between use and abuse at criminal purpose: if lawyers and a sign-off checklist sit in the decision chain, the exploit is unlikely to be being abused.
Balancing Significance
In wrapping up, the hosts agree that while 0days are sensational and hold strategic value, they are not the main way access is obtained. Grok describes an "access pyramid" whose base layer is password reuse and token theft, followed by misconfigurations and public exploits, with 0days at the very top [06:31].
Strategic Use and Risk Management
Tom Uran offers the counterargument that 0days deserve their outsized focus precisely because they are saved for the most important targets that cannot be reached any other way, giving them an impact out of proportion to their frequency. He also notes the universal incentive for any half-sophisticated actor to hold on to such a capability by using it carefully, since every use raises the chance of discovery, patching and loss [07:13].
Final Thoughts
Grok encapsulates the episode's essence by contrasting the glamorous perception of 0days with the often mundane reality of cybersecurity operations. He likens worrying about 0days to "worrying about ninjas instead of cardiovascular disease"—highlighting the disproportionate focus on an exciting yet less probable threat compared to everyday security practices [23:21].
Notable Quotes:
Grok [00:38]: "It's outsized. Yeah. Just briefly, a 0day is when there's a vulnerability that's known to people other than the vendor and as a result there's no patch or mitigation or workaround to fix this vulnerability."
Grok [05:34]: "It's super fragile. That works most of the time. But when you're looking at the scale that these organizations operate, most of the time isn't good enough."
Grok [21:13]: "0day has this sort of outsized importance in the minds of people who are not experienced in cyber operations."
Grok [23:21]: "Worrying about 0days is like worrying about ninjas instead of cardiovascular disease."
This episode offers a nuanced exploration of 0day vulnerabilities, balancing technical insights with strategic considerations. Tom Uran and Grok demystify the allure of 0days, advocating a grounded approach to cybersecurity that prioritizes the boring basics over rare exploits: in Tom's closing words, "the Karate Kid, not the patching kid."