
PLUS: The FBI agent who arrested Ross Ulbricht joins the show...
Patrick Gray
Hey, everyone, and welcome to another edition of Risky Business. My name's Patrick Gray. We've got a great show for you this week. I'll be chatting with Adam Boileau about all of the week's security news. We're also going to take a look at some of the things that President-elect Donald Trump has promised to do. And we're also going to hear from Chris Tarbell, who is a former FBI agent and the man who actually put handcuffs on Ross Ulbricht in that library over a decade ago. And he's joining us to fill us in on some of the details about the Ross Ulbricht Silk Road case that people seem to have forgotten. This week's sponsor interview is with Feross Aboukhadijeh of Socket. You can find them at socket.dev and what Socket does is to basically ensure that you're not including dangerous packages in your software projects. Right. So it's like a supply chain security product. I'm about to publish a demo of that one to our YouTube channel in a couple of days. You'll be able to check that out. And this week Feross is talking to us, he's joining us to make the case that we should look at Trojan packages. We should look at tracking them in the same way that we track CVEs. So someone like NIST needs to actually track these things, have timelines, have an index, much the same way we track CVEs. It's actually a pretty compelling case. That interview is coming up later. But Adam, we're going to start off this week by talking about the news that iOS 18.1 has a new feature. And that new feature is that if you don't unlock your phone in a 72-hour period, it reboots. And what that means is it winds up in a state which is called BFU or before first unlock, which makes it much more difficult to crack. So this is something that law enforcement has discovered recently and they are not happy about it, at least according to reporting from Joe Cox over at 404 Media.
Adam Boileau
Yeah, when the police seize people's iPhones, if they don't immediately have access to unlock them, they will typically plug them in, stick them in a Faraday bag and put them on a shelf. That's a. So like the process can kind of work through. They might get access to the passphrases through, you know, some other means from the, from the people who originally own the phones. But they've been discovering that, yes, those devices have been rebooting themselves, which makes it a whole bunch more complicated. And you know, Apple's relationship with law enforcement has been pretty complicated. You know, over the, over the last few years, you know, they've been unwilling to provide unlock assistance for phones and law enforcement has kind of settled into a, you know, a middle ground where they can use exploit techniques, hacker techniques to bypass them, or they can kind of wait for, you know, over time as unlocks become available with, you know, older versions of the software, you know, to be able to unlock them later on. And that Apple has, I mean, that relationship has been complicated, I think. And you and I have talked several times about kind of like where that game ends for Apple and law enforcement because it's, you know, it's a difficult situation for both sides.
Patrick Gray
It is. I mean, I think that the interesting thing here is that there was a bit of a status quo when it came to unlocking seized devices which, you know, as you say, stick them in a locker somewhere, wait for an unlock against that version of the software to become available down the line, and then use that unlock capability against those phones. That was the status quo. This changes that. And I can see Apple's point of view, which is that they are a privacy-first company. They also have customers who might be located in places that aren't really down with due process. Right. So protecting users against authoritarian states and whatnot seems like a pretty good idea. Although I think this disproportionately impacts places that do have due process, because in the places that don't have due process, when they discover that they can't unlock these devices, they're just more likely to pull someone out of a cell and beat the crap out of them until they get the passphrases. Whereas, you know, the FBI, at least at the moment, can't do that. So I do feel that perhaps this is going to disproportionately impact, you know, law enforcement in democratic countries. And I don't think that's great.
Adam Boileau
Yeah. And this sort of resolving this tension between privacy and security and law enforcement oversight and the ability of the government to try and make communities safe. Right. This is a tension we've seen played out in so many parts of the tech industry as we've got to the point where it is legitimately difficult to intercept communications, to unlock devices. And the traditional tools of wiretaps and pen registers and whatever else have been gradually chipped away. And we haven't really figured out how to resolve that tension. I mean, the traditional sort of cypherpunk approach of if there's an intercept mechanism or an observation mechanism that can be abused by third parties is a risk that means we should have end-to-end crypto or whatever else. Like you know, we've seen intrusions into lawful intercept systems in telcos, you know, that we're talking about in the news at the moment. So you know that that tension is playing up in a bunch of places and this is just kind of one. And Apple's maneuvering to kind of position themselves as a privacy-first company, as a, you know, is it because their competitors in the marketplace are more advertising centric, don't make quite so much money out of devices. Right. You know, it's in their interests to be seen that way and also to kind of follow through, not just talk, they have to deliver code and devices that live up to that. So it's a tough set of trade-offs for them and for law enforcement.
Patrick Gray
Yeah, well I think this is really going to annoy law enforcement, particularly in the United States given that's where Apple's from. Right. So I think that's going to really drive them a bit nuts. But you're right, we are talking about intrusions into surveillance systems. And we've got an interesting story here from the Wall where a US agency, it's the Consumer Financial Protection Bureau, has warned its staff not to use cell phones. Don't use cell phones, like plain old cell phone calls and text messages to conduct agency business. You got to do that stuff on Microsoft Teams. And I think this is a really interesting development. Now obviously they say this is because telcos are a little bit secure, insecure, upstream. You know, they don't, I don't think they explicitly say it's because of this campaign, but that's, you know, kind of implied in the advice they're giving to staff here. What I find interesting about this though is that Teams, as best I know, is not end-to-end encrypted, that material can be obtained. You know, an intruder into Microsoft would be able to get that material. So I think what's interesting here is they're saying don't use, don't trust the telcos, but you can trust Microsoft. Right. Which kind of shows us that telcos do have a problem when it comes to being able to secure their networks. You know, it really does. They really do.
Adam Boileau
Yeah, yeah. I mean, you know, I've long said that telcos are the natural enemy of my people. My people being, being hackers. Like it's where we all learned our trade, was breaking into the telco, stealing phone company manuals and lineman handsets, like that's just what hackers did in the old days. And so, you know, they are huge complicated environments and they're very, very difficult to secure. But you know, in some respects, like you look at Teams, if anything, Teams is more friendly to be able to, you know, steal content. I mean like it will automatically transcribe, you know, to text, meetings and calls that you have and then store them, and store video recordings of meetings and all those sorts of things like this. There is a lot in Teams to help yourself to which is, you know, better, like less well protected than, you know, lawful intercept in a telco in many cases, despite the fact that the telcos are also trash. So I mean it's definitely, it's a, it's a bold move to say use Teams instead of the phone. But you're right, telcos have a long and rather poor security history. And you know, Microsoft also not doing super great, but hopefully better, hopefully better than the average telco.
Patrick Gray
There's also the rumor going around about the Salt Typhoon intrusion, and hopefully we find out from the CSRB investigation. But there's also a rumor floating around that most of that activity took place on networking equipment. Right, which is why maybe they didn't see it via the EDR. I can't wait to get into that CSRB report.
Adam Boileau
It's going to be a good one. I know, I'm super looking forward to that because I do love telco gubbins. So yeah, I'm very much here for that. Good luck. CSRB board, we are ready with bated breath for your report.
Patrick Gray
Now let's talk about some data that's come out of CISA which has resulted in a Five Eyes alliance kind of warning about it. There's been an interesting move in stats around the types of vulnerabilities that are popping up being used in the wild in previous years. Up to last year it was quite often like N-day bugs that were being most commonly used to attack targets and pop shells and whatever. That changed last year. 2/3 or 10 out of the 15 most frequently exploited vulnerabilities last year were 0-day. So this is new and it was all enterprise software tech and it also represented a huge swing towards edge devices. And this is stuff that we've talked about so much over the last couple of years, which is like VPNs and you know, file transfer appliances, things like that at the edge of your network. It's good to see some hard data here that is pretty difficult to refute, you know what I mean? Like, you look at this and you're just like, okay, well this is definitely a thing. Now what's your take on all of this?
Adam Boileau
Yeah, I agree. It's nice to have data that lines up with our experience. You know, what we've been reporting on over the last little while, you know, is that that pivot was happening and it's nice to see data that supports that. And you know, the, you know, it's long past time for the vendors of edge equipment to take that stuff kind of seriously. And it's an interesting, like the landscape for network edge devices compared to, you know, like how many years ago, ten years ago now, when we pivoted from server side exploitation to client side, you know, ActiveX control bugs and Acrobat PDF reader bugs and Flash bugs, you know, that set of software that always had those problems, Acrobat and Flash seemed kind of more fixable in a way that fixing Fortinet and Cisco and Citrix do now. Although I guess it didn't feel that way at the time. So maybe I'm, you know, I mean.
Patrick Gray
That's why Adobe couldn't wait to kill Flash. You know, they didn't really, they really.
Adam Boileau
Did want to kill it.
Patrick Gray
Security leadership at Adobe did not sign up for having the most, you know, widely used, complicated client software on the planet. You know, that's not really what they wanted out of the Macromedia acquisition. But that's just sort of, that's just sort of how it turned out. But you're right, I mean, that's the case of one vendor having to fix something versus in this case, a whole bunch of others with, you know, all of their own approaches to development, whatever. But I will say too that you were having a good old chuckle about Fortinet, you know, committing to secure code, the secure code initiative in our Slack the other day. And I'm like, what? You're laughing at them for trying? That seems a little bit uncharitable.
Adam Boileau
I mean, you know, if it was a good faith effort. But I just kind of feel like Fortinet as you know, and this is modulo us both knowing plenty of good people that work at Fortinet, like the time for a good faith effort was, you know, not now, it was several years ago when they saw this coming. And you know, I'm, I'm a little salty about, you know, how much marketing dollar they spend versus how much they should probably spend on product QA. But yeah, I mean, they should have.
Patrick Gray
Seen this coming, I think is the point, right? Like they should have seen this coming many, many years ago.
Adam Boileau
Yeah, agreed. And I mean, and when you see the inside some of those products, right, they had plenty of opportunity to do some of this stuff, right? Because some of these bugs are, you know, really brain dead, you know, stuff that even a, you know, even a basic code review, basic pen test of the product before you ship, that would have picked up, you know.
Patrick Gray
Yeah.
Adam Boileau
So yeah, I've been burned by many Fortinet products, so I have feelings.
Patrick Gray
You do. Now let's talk about some incident response research out of Russia. And we are looking at Goblin RAT, which is what looks to be a pretty sweet bit of Linux malware that is popping up in all sorts of interesting places in Russia. Your money is on this being Western SIGINT. Walk us through the research here. The teardown of this, of this backdoor and also the, you know, build the case for us as to why you think this is, you know, probably some friends for us.
Adam Boileau
So yeah, this is some malware that was discovered inside some Linux boxes in critical infrastructure services. We don't know exactly where. A Russian company's written it up and actually I think done some conference presentations about it as well. We are going off machine translation so there's always some room for error there. But this is a piece of Linux malware that provides the usual sorts of things like remote access, file copying up and down, shells, network pivoting, that kind of thing. But it has a number of relatively stealthy, relatively sophisticated features. So one is obviously process hiding stuff. Two is command and control is done with port knocking, configurable port knocking. It's written in Go so it's nice and portable and it has a whole bunch of stealth mechanisms that just feel like things that SIGINTers would do. So for example, it'll drop binaries into /dev/shm, which is like a RAM disk, so you don't leave traces on disk. It will overwrite when it gets told to delete itself off disk. It will overwrite with data from the random device to defeat disk forensics and a whole bunch of long term persistent stealthiness. The bits that do the initial persistence hide themselves as a typo of a system process, like one letter different from a system process, and that's different on every box. And then the C2 endpoints are also different in every box using domains that are only used for that purpose. There's strong crypto everywhere like cert auth on all the bits and you know, it just feels well engineered. And then the people who did forensics on this actually pulled memory images from a bunch of systems to try and you know, identify infections of this stuff and found a few fragments in like unallocated memory that kind of showed some of the usage patterns. And it feels human driven. Right.
There is someone hands on keyboard, making choices, choosing what to do on a particular box that you know there's a degree of skill involved in that and that's a thing that you know to do at scale you have to be a SIGINT agency. You have to be someone that's got the people who are sufficiently skilled to do this. Not just off a playbook.
Patrick Gray
Yeah, so this is less Volt Typhoon and more maybe Eagle Tornado if we have to guess. Or perhaps Tea Fog. I'm just trying to come up with these names on the spot so you can catch my drift. But it does kind of feel like that, doesn't it?
Adam Boileau
I think Pink Apple may well be what it's called because one of the domain names used that particular name in a few bits when they went back and looked at some passive DNS history and so on. Anyway, it feels like the Russians in question who stumbled across this thing when they were investigating something for a client, I feel, have probably stumbled across them.
Patrick Gray
I fear I was too subtle because what is more American than an Eagle Tornado and what is more British than tea and fog, you know.
Adam Boileau
Anyway, they may well be friends of ours so good work if it was because like yeah, it looks like pretty reasonable code.
Patrick Gray
Yeah we've linked through to the original write up which is in Russian but Translate actually worked pretty well on it. So people can check that out if they are interested in it. Now we're going to talk about some, you know, two bits of really interesting research here. Talk us, talk to us about this Microsoft Bookings one where like email aliases get created. Like this whole thing is a bit of a head scratcher. So yeah, we'll start with this. Cyberis research into a Microsoft bug, a cloud services bug. Talk us through it.
Adam Boileau
So in Microsoft Azure land you can like arrange bookings for meetings and things and you can invite other people to meetings and so on and so forth. One of the features is when you create a booking for a meeting, it will create a mailbox to receive messages. So you can kind of create repositories to collect attendance information or whatever else. And so these email accounts will get created kind of programmatically based on the name of the meeting and they get like allocated a non-billed, like, secret Microsoft 365 mailbox that still functions as a real mailbox but doesn't charge your license. So that's nice if you want to get some free Microsoft mailboxes, but you can use this as a low-privileged attacker to create mailboxes on a domain. And there's a number of places where that might be useful. You could create mailboxes that impersonate other people. So there's some limits as to what characters you can have. But you could make mailboxes that look like legitimate people. You could make mailboxes to bypass things that do domain control authentication via emails, like by certificates, for example, or you can reactivate old employee accounts if the accounts that it makes are in the kind of the style of the normal email format for that organization. So it's a really interesting tool to go from low-priv to I can create new email accounts and then I can use that for social engineering or technical attacks or whatever else. And this is probably a surprise to many organizations because hey, the cloud future, we have no idea what crazy stuff Microsoft is doing. And this seems a little on the crazy side. So yeah, very useful for research.
Chris Tarbell
Yeah.
Patrick Gray
But it's also one of those weird edge case kind of bugs that you wouldn't necessarily think to look for in a standard audit. That's why I find it interesting. Right, because some of these like business logic bugs are always the best because they are subtle and they are hard to find. And you know, they give some examples of the types of email mailboxes you could sort of register here. And it's like administrator@domain, hostmaster, postmaster, webmaster, admin, root, you know, those are going to come in handy. Right. So I just thought that was a, you know, really interesting bit of research. We've also got some research out of TrustedSec from Justin Bollinger here, which is amazing actually, involving dodgy like certificate signing requests. Talk to us about this one.
Adam Boileau
Yeah, so this is some research that built on like the classic AD Certificate Services attacks that came out of like SpecterOps, the SpecterOps crew a few years back. And this is a variant of one of those where essentially you can land on a box as a, as a user and then get a certificate issued where you control some of the contents and using like the normal kind of templates for certificate requests that Windows has. And this was a, like a trick, I guess, where you could change the purpose of the certificate that was being issued. In this case, you could change the subject of the certificate that was being issued in ways that are surprising. And the guts of this is that it turns out there's two ways to specify the specifics of the certificate that you're getting issued. There's a Microsoft way and there's a standard way. And it turns out that if you specify both, it prefers the Microsoft way and then will issue you a certificate where you can, you know, get a certificate, a user certificate for administrator and then onwards for domain admins to great victory. And yeah, this, you know, was a. It's the sort of nuance that lurks in AD CS that traps all sorts of people. And the researchers at TrustedSec who found this ended up looking at a number of their customers and found that this was applicable there. Microsoft were a little confused about the bug report, about whether it was kind of like intended behavior or not, but it clearly is not good. And given there's already what, 15 ways or something like that to get privileged access, to escalate your access through AD Certificate Services, yet another one is not good because these are real workhorse bugs for people escalating access in Windows environments.
Patrick Gray
Yep, they are, right. And it's a fun write up. And we've linked through to that one in the show notes. Moving on. And Daryna Antoniuk over at the Record has a report on Russia doing something that China already did, I think a year or two ago, which is to block Cloudflare Encrypted Client Hello. So essentially ECH, what did it used to be called?
Adam Boileau
It used to be called ESNI was.
Patrick Gray
The server name indication, right? Yeah. So it used to be ESNI and now in TLS 1.3 it is ECH. And what that essentially is is like domain fronting by design. I mean it gives you what domain fronting would give you in that you could just connect to a CDN and then in your Client Hello, specify where you want to go and then. And then you connect there. Right. But that's all encrypted and it's not observable. So this ECH can really be used to bypass censorship, which is one thing that's very useful about it and why China and Russia are blocking it. Now the reason I've been banging on about ESNI and ECH for years is that it's also a really, really cool way to do C2 in a way that is very, very difficult to detect because you're just going to see packets going out to Cloudflare. So that's something that I think people need to think about when they're architecting like network detection. This is also a solid argument for doing more instrumentation of browsers so that you can actually know where the browsers are going. And then, like, if that data doesn't match with other data, that is going off to Cloudflare CDN with a, you know, domain name that you have no idea about because it's encrypted in the Client Hello. Yeah, it's interesting. So Russia and China have blocked it for censorship reasons, but this stuff is going to be a problem eventually. I think the one mitigation here is that when you are pushing your C2 through a CDN, you are vulnerable at that point to the CDN squashing your campaign. But if you, you know, if you're writing decent enough malware, you can build a bit of redundancy in there. Frankly, I'm surprised we don't see this sort of C2 being widespread. But everyone I ask about that just says, well, people don't need to do that yet, because it's not like they can't get functioning C2 just with basic techniques. But I guess my.
The long story short is I think Encrypted Client Hello is the future of malware C2, and I'm not surprised to see Russia join China and ban this when they're starting to get more restrictive about what people can see on the Internet.
Adam Boileau
Yeah, absolutely. And I think Cloudflare has done quite a bit of the engineering work and also deployed this by default in their environment, which I think has probably pushed Russia's hand a little bit. You know, I think China was kind of slightly ahead of the game, but Russia is now seeing it being a practical problem for them, which I think was the point. Right. That's why Cloudflare did it. But, yeah, I agree with you that, you know, like, domain fronting was so useful back in, you know, before we had to worry so much about how we were going to get detected. And this, as you say, does the same things that domain fronting kind of delivered for us in a way that's even harder to observe without being in the browser, without being in the network stack.
Patrick Gray
Well, yeah, and without having some sort of logic to like, compare different data sources. Like, it's a pain in the. It's a pain in the, you know, what to try to get around, like, to try to detect this.
Adam Boileau
Yeah, yeah, exactly. And with, like, the main challenge with ESNI was it relied heavily on DNS to get the keys to send the encrypted SNI. And if you just blocked the DNS, that particular part of the DNS request, it would kind of fall back so you could see it. Whereas ECH is kind of designed so that in the. Even in, with an attacker observing the DNS and able to control it, you've got kind of more options for getting the right key material out to the client. Like it can send key material, new key material, like midway through the TLS handshake, so that the client can then send the encrypted client hello encrypted correctly without having to trust the DNS, which that combined with DNS over HTTPS, which again, Cloudflare did a lot of the work on, like all these pieces kind of joined together to make it pretty technically difficult to do anything other than just straight up block this.
Patrick Gray
Yeah, yeah. So just one to keep an eye on, I reckon, is just how that all progresses. Right. Because I think eventually, yeah, enterprises, maybe other networks are just going to say, you know, we're seeing so much abuse with some of this, you know, via ECH, through some of these CDNs, we might need to block them. I doubt they're going to block Cloudflare. That's Cloudflare's thing though. They're so big that you can't block them and it's just going to cause headaches. But Cloudflare is certainly used to doing that. It looks like Tor has published a write up on how they've managed to mitigate the IP spoofing attack that was targeting their relays. So I think we spoke about this on the show. I can't remember if we actually spoke about this on the show or if it was just in Risky Business News, our other podcast, but the idea here was people were spoofing SSH scanning activity from Tor relay IPs, right. So they'd find the. The IPs for Tor relays, they would spoof SSH connections, which would result in abuse complaints being directed to the ISPs where those relays were located. So this is like what we used to call a Joe job when it came to, you know, email, like spamming from an address that you didn't like to get that address sort of black holed. Similar sort of thing here, but with SSH scanning. And it looks like, though, that Tor has been able to sort this out. How did they go about sorting out something like this? Because I would have thought that would be pretty difficult.
Adam Boileau
I think there's kind of two aspects to it. There's one like whoever was spoofing the traffic, I guess they figured out where it was coming from and managed to shut that down. And the specifics of how they did that is a little vague. They did say that it was done in cooperation with old man Andrew from GreyNoise. So that might give you some idea of kind of what was involved. The other half was there was an organization that was sending abuse complaints kind of, you know, in automated willy nilly kind of fashion that was amplifying the effectiveness of the spoofed packets. So I think they managed to get a bunch of people to ignore that particular organization that was just generating, I mean the organization said like billions of abuse complaints or something. So I don't know what the hell they were doing. But so I think that was the two pronged approach that they took. But they have been a little bit cagey about the specifics of, you know, what they did with the spoofing origin.
Patrick Gray
Yeah. Now speaking of bad stuff being kicked off the Internet, talk to us about this operation that Dan Goodin has reported on that has resulted in something like 22,000 malicious IPs being taken down. How does one take down an IP, Adam?
Adam Boileau
Well, that bit's a little bit unclear. This report's been quite interesting. It's an operation I think led by Interpol called Synergia II. And it took down, you know, a whole bunch of malicious servers associated with address space and some other bits and pieces. But most of the targets of this operation appear to actually be in China. The reporting says that there are like a thousand servers taken down in Hong Kong, another couple of hundred, three hundred in Macau, and then a few other bits and pieces in Mongolia and Madagascar and Estonia. So a worldwide, you know, police operation, law enforcement operation, but you know, the bulk of it inside China. And I haven't seen any specifics about exactly, kind of like, what sorts of cybercrime they were doing. And the number of like 30,000 potentially malicious IP addresses has been bandied about in the press release and I'm not quite clear, you know, what they were doing with them, but, but either way, wrapping up a thousand boxes. I think in Madagascar they seized like what, like they arrested, I think 11 people. So like it's a pretty reasonable sized operation. 93 in Mongolia, 93 people. So like quite a big police thing, but not a whole bunch of details about what the cyber crimes in question actually were.
Patrick Gray
Yeah, and interestingly enough, the three private organizations that participated in this were Group-IB, which are based in Singapore these days, but were originally, certainly, Russian, Kaspersky and Team Cymru. So an interesting little mix there.
Adam Boileau
Yeah, interesting get together there.
Patrick Gray
Exactly. It is time for us to have a little bit of a chat about last week's election. Donald Trump has been returned to the White House and he will be inaugurated next year. I do recall some months ago saying on the show when we were talking about the possibility of Trump coming back, you expressed some skepticism. And having traveled to the US a couple of times in the last year, I think I said, well, you know, I wouldn't rule it out because voters were really waiting for Joe Biden with baseball bats. So I'm not terribly shocked that Trump has been returned to the White House. But this will have implications for the intelligence community, for tech policy, for cybersecurity. The TikTok ban that was going to kick in in a couple of months, I don't think that's happening anymore. Trump has. It was his idea and then he changed his mind. So it looks like TikTok will remain a going concern in the United States. The forced divestiture, I don't think that's going to happen. There's one other thing that Trump promised to do in the lead up to the election, which is very controversial, which is he's agreed. Well, he has pledged to release Ross Ulbricht from prison. So Ross Ulbricht was the, was the founder and administrator for the Silk Road, which was the first really big illicit online marketplace. You could buy heroin there, you could buy body parts, you could buy euthanasia drugs. And Ulbricht was also alleged to have organized something like six murders for hire. And somehow over the last decade, people seem to have forgotten a lot of the particulars of the case. I interviewed this morning. I interviewed the guy who actually put the handcuffs on Ross Ulbricht, who is a now former FBI agent named Chris Tarbell. And we're going to play that interview in just a moment. But before we do, Adam, what do you make of this political support that Ross Ulbricht has received over the last few years?
Because I agree that his sentence actually might, you could argue that his sentence is excessive, but I don't see why there's so much political pressure to get him out after spending only a decade in prison, given he was a kingpin who, you know, a convicted drug kingpin who put out hits on people, you know. But what's your, what's your take on this?
Adam Boileau
Yeah, I guess the comparison with, say, Assange is the one that is the most obvious. Right. Where there has been a long undercurrent of support for Assange that you can kind of understand why. Right. You can see the lines for that. Whereas with DPR, Dread Pirate Roberts, slash Ross Ulbricht, it was never quite so clear. People would have made the argument that Silk Road was in some respects a safer place to buy drugs than your local streets. But as in the interview that you're going to play in a second, you make the point that it made it a lot easier to get drugs full stop, which overall increased the harm because more people had access to harder drugs. And I think that there's sort of a, you know, the long war on drugs that America has, you know, has fought. I think there's a degree of sort of, I was going to say like this now, just not the right word. There's a degree of sympathy for the extent to which anti drug policies have not helped and that maybe legalizing or reducing penalties or whatever else might actually be a better option. And well, we've seen that.
Patrick Gray
I mean you walk through the streets of Washington D.C. now and it reeks of weed. You know, like we've seen decriminalization in a bunch of states. Right. I just, I'm not, look, I agree that a war on drug users is ridiculous, or on people who are selling small quantities of drugs to support their own habits. Those people don't belong in prison. Right. Like I 100% agree with that. And I think we've got to differentiate between people like that getting into trouble and drug kingpins who order murders at the drop of a hat to protect their multimillion dollar profits, which is what Ross Ulbricht was, you know, so this is the thing where I start to get a little bit.
Adam Boileau
Yeah, but I think those two things do get kind of smushed together in people's heads. Right. Because it's easy for some people to look at someone like Ulbricht and say this guy is, you know, progressive and, you know, is kind of on our side if you're into harm minimization overall. And as you say, he is not, right. He, you know, people will hear the list in the interview in a second, but you know, he really isn't. And I think it is good to remind people of some of the specifics of that case, because it does seem kind of hard to support letting him out, even if, you know, two lifetimes seems like quite a long sentence for someone. But yeah, I think it's timely.
Patrick Gray
I mean I think the guy has reasonable prospects at rehabilitation. Right. I don't think he should die in prison, but I also think 11 years for what he did. And you know, just on the drugs accessibility thing, I know that if you take a heroin user and drop them onto the surface of Mars, they will be able to find heroin. Okay.
Adam Boileau
It's a hell of a motivator, right?
Patrick Gray
It is. They will find it. Right. So I'm not arguing that there's this huge accessibility problem with drugs for drug users, but I think in the case of Silk Road, there were documented instances of people who did not otherwise have access to drugs accessing, you know, very dangerous substances via Silk Road simply because they could. Because they'd drop into a chat and people were talking about these drugs. I'll just add to cart. Right. And that's dangerous. That's really dangerous. So I think, you know, they definitely needed to send a message. But the idea that a pro law and order candidate, or president, is going to commute the sentence of someone who committed these crimes just seems absolutely insane to me. So, Adam, let's you and I wrap it up and then I'll play that interview. But thank you, as always, for this week's news discussion. Always great. And I'll chat to you next week.
Adam Boileau
Yeah, thanks very much, Pat. I will talk to you then.
Patrick Gray
So that was Adam Boileau there with a wrap of the week's news. And here, as promised, is my interview with Chris Tarbell. Now, Chris was the FBI agent who led one of the investigations into Silk Road. He was actually the agent who put the cuffs on Ross Ulbricht in that library back in, I think, 2013. And he joined me for this conversation about the proposed release of Dread Pirate Roberts, AKA Ross Ulbricht. Now, it's important to note that Chris is not advocating that Ross Ulbricht should stay in prison, but he does want to make sure people remember the facts of the case as he remembers them. So here's Chris Tarbell.
Chris Tarbell
My big problem is that there are a lot of misstatements or misunderstandings exactly of what's going on in this case. And you use the word allegations, and that's correct. There are some allegations. Ross was found guilty of numerous crimes, including, you know, kingpin status. And that's really what carried the heavy weight, two counts of it. And that's selling a large number of drugs, profiting over a certain amount, and having a certain number of employees under your employment. Was that one. But there were also, we. There's allegations. And again, he was never found guilty or charged with these crimes. There were six murders for hire, six people where he paid, ordered and paid to have them killed because they had stolen money from him. There were numerous deaths on the site that he took no responsibility for. And in fact, he, you know, sort of let the operation continue on even though he knew people were dying from the drugs taken from his site. So I just want to make sure the facts are out there and the people making the right decisions are in the facts. The people that are advocating for his release or stay in prison know the facts of what's really happening in this case.
Patrick Gray
All right, so let's start off with the overdoses, right, because there were. DOJ were able to pin down or attribute six fatal overdoses to the site. And I'm guessing there were a lot more. Advocates for what Ross Ulbricht was doing with Silk Road said that this was a safer way for drug users to acquire drugs. And therefore, you know, if you believe in harm minimization, that, you know, Silk Road was a net positive. The counterargument to that, though, is that it made hard drugs accessible to people who otherwise would not be able to obtain them. And indeed, in some of these overdose cases where we saw letters from the parents, it certainly looks like these people were getting access to drugs that they otherwise probably wouldn't have. I'm wondering what your feeling is on that part of this discussion.
Chris Tarbell
Yeah, it certainly wasn't just weed and mushrooms and what people would call lighter drugs. It was high grade Afghan heroin. You could get really quality stuff that wasn't stepped on. And when I say quality stuff, I mean from a drug user's perspective it's very high potency. But kids died from it because they didn't realize what was in it. You know, the advocates will say it was safer because the kids didn't have to go into the streets and deal with someone where they could be shot or, you know, in a dangerous part of town. I don't buy that argument. That seemed to hold water with me. You know, we were given access to drugs that were used for euthanasia, for people ending their lives at the end of their life if they wanted to. In some countries that's legal, but kids underage, there were no ID checks. There was nothing to what these drugs were being used for. So the site just gave access to people to drugs that they wouldn't be able to get access to normally. So I don't say it's safer. They had much more access to much more powerful drugs.
Patrick Gray
Yeah, yeah. I mean, I think the argument there though is that, yeah, it would be a change to the criminal ecosystem which would make the process of buying drugs safer. But yeah, I think some of these people who are buying hard drugs on Silk Road perhaps wouldn't be as motivated to go into, you know, a dangerous neighborhood where there are corner dealers. Right. To go and buy heroin otherwise. I mean, that's. That's my opinion on that.
Chris Tarbell
Sure. But I mean, what about the postage handlers, the people handling the drugs, or the package breaks? You know, let's. We can play the what if game all day. They're putting those people at risk. Those people didn't decide to handle hard narcotics or some sort of fentanyl that got on their skin and have an attack. You know, you're putting those people at risk because you didn't want to, you know, go get your drug somewhere. You know, we could do the counter argument to each one of these.
Patrick Gray
I understand where you're coming from, but there are no documented cases, as far as I'm aware, of that having happened. Not that I'm at all defending Silk Road or Ross Ulbricht. Now, let's talk about the murders for hire. Right? Because you said there were six murders for hire. Now, what we do know about these murders for hire is that in all cases, I believe Ross Ulbricht was actually getting scammed by people who were claiming to be assassins. So he paid the money, and in some cases, murders were staged so that there were death photos sent back to him. And he's like, ah, good, you know, this person is dead. I paid for it. You know, here is your money. But no one actually died, did they, in these murder for hire plots?
Chris Tarbell
Correct. The six we discovered. And again, the evidence of these crimes, these murders for hire, came directly either from the logs that Ross Ulbricht kept on his computer systems or his diary that he kept on his computer system. That was the evidence of these. So once we investigated them, yes, we figured out that it most likely was a scam based on time frames and locations. We never found, you know, reported bodies or found bodies. You know, these were all in foreign countries except for the two in the United States. That was done through law enforcement, through the Baltimore task force. Yes, you are correct. No bodies were found. But again, he ordered them, he paid for them, and then he bragged about them afterwards.
Patrick Gray
Yeah. Now, a couple of these, was it one or two, were actually stage managed by law enforcement. So the, you know, the apparent assassin was actually law enforcement saying, yeah, I'll take the job, and then staging the photos and whatnot. Was that one or two of them or was that all of them or.
Chris Tarbell
That was just one. That was a former admin on the site, someone who helped run the site before, and Ross believed he had stolen cryptocurrency from him. And so in a ploy to try to get that money back, law enforcement staged the murder.
Patrick Gray
So that was just one out of the six, Right? Because I think there's a perception out there that all of these murders for hire, there was, like, law enforcement were somehow involved in these. And that's not the case.
Chris Tarbell
No, the other five were not. He was just being tricked by someone kind of egging him on to do this. And they'd try to get into his bona fides, try to, you know, lift him up and say, hey, we should do this and get this done. Again, it turned out to be a scam. But at one point, you know, the murderer, the murder for hire, told Ross, you know, hey, I can't get to this guy. He's got three other roommates. You know, we were not able to get to him without, you know, doing other things. And Ross just said, kill them all. So he was willing to kill everyone in the house. And again, this comes from the logs that he collected of his own conversations that we were able to get a copy of.
Patrick Gray
Now, why were these crimes. They were mentioned in charging documents, I believe, initially, not the final criminal complaint, but they were mentioned at some point along by DOJ. Why were these crimes never charged? Because that is one of the things that Ross Ulbricht supporters say, which is, oh, they talk about these murders for hire, but if it was real, they would have charged it. You know, is it the case that, you know, DOJ just had such a solid case on the drug stuff that they didn't want to complicate proceedings? Like, can you explain to the listeners why it is that Ross Ulbricht was never charged with murder for hire?
Chris Tarbell
Sure. So the decision was made at a much higher level than me. Very high in the DOJ was that. But, you know, he was sentenced to, again, two life sentences plus 40 years. In the federal system in the United States, life means life. The only way you can get out is if the Supreme Court, you know, rules, and all those options have gone against Ross, or if a president lets you out, commutes your sentence. Again, it would have been just piling on top to keep going. That, and the law enforcement murder for hire with the agents that were involved was out of Baltimore. That case sort of fell apart because those agents were later arrested for committing crimes in this case. And so again, that muddies the water. Why have a case against someone who's already serving two life sentences plus 40 years in a case where, you know, there were bad agents involved.
Patrick Gray
Yeah. So for those who are unfamiliar, those agents were actually caught stealing Bitcoin as part of this operation. Right.
Chris Tarbell
They stole the bitcoin that Ross wanted back for the first murder, for the admin that was killed, supposedly killed. They ended up taking the cryptocurrency.
Patrick Gray
So I mean, that would have been the obvious one to charge. Right. Because you had law enforcement observing blow by blow this murder plot. But as you say, this was complicated by the fact that those agents committed crimes during the course of this investigation.
Chris Tarbell
Correct. And again, I'm not totally intimate with all the details, but I am remembering that their crimes were committed after Ross had ordered the murder. So. But it's still, again, all the facts would have come out in trial that, you know, and it just would have made the case much more difficult.
Patrick Gray
Yeah, yeah, that makes sense. And what about the other murders for hire? Is it the case that just trying to prosecute those crimes based on chat logs would have been a heavy lift? Because I'm guessing that would have been a big part of it for prosecutors.
Chris Tarbell
So yeah, again, I'm not a lawyer, so I wouldn't want to argue that. So I presented my facts to the Southern District and they decided what we were charging, and I guess, you know, it would have been. The case we had was solid. And you see the results, from the three hour jury verdict to the judge's sentencing. It would have further complicated the case to add more charges to it that obviously were attempts for murder for hire.
Patrick Gray
So why is it that you think, given that we know this is a person who, you know, allegedly committed, there is evidence that they committed murders for hire or at least solicited murders, cold blooded murders. In one case involving an entire household full of people who had sold hard drugs to people who overdosed on them, was selling, I think human body parts at one point was selling euthanasia drugs. And you mentioned that euthanasia is legal in some countries. It's very heavily regulated where it is legal. Right. You can't just go to a pharmacy and buy a suicide pill. So why is it that you think Ross Ulbricht has found political support among people like libertarians?
Chris Tarbell
I mean, he has a very strong following. I know his mother Lyn is a big advocate for him and has kept the Free Ross movement alive. But I think some of the policymakers and decision makers may not know the full facts of the case. So I appreciate you getting the word out there of some of the facts of the case that have just sort of been perverted over time or sort of lost over the last 10 years.
Patrick Gray
Because there does seem to be this perception out there that, oh, he just ran a website, you know, and how can he be held responsible for what happened on this website? But I guess you're arguing it was a little bit more than that and that he was a, you know, he had knowingly constructed an illicit marketplace and was profiting from it to the tune of millions of dollars.
Chris Tarbell
Well, I don't have to argue that. He was found guilty of that. So, you know, those facts have already been decided by a jury.
Patrick Gray
Now, look, you seem reticent to express an opinion one way or another about whether or not he should be released. Like, I got to be honest, like these. And I've spoken with journalists, too, who covered this. Like, people who were in the court all the time, people who know the family, and they say the whole thing's really weird because, you know, IRL, like, in real life, Ross Ulbricht seems like a perfectly reasonable, nice person who was just a monster when given anonymity and a keyboard and this sort of virtual empire. So I don't know what an appropriate sentence for him is. It does strike me, though, that 11 years is a little bit light. You know, you can't tell me you have absolutely no feelings about the way this will go. I mean, that's what you said when we started this conversation. I don't believe you, Chris. I mean, what do you think about the idea that he could be out in a couple of months? It must. I mean, isn't it crazy making for you?
Chris Tarbell
Well, you are correct that I do have feelings. I don't publicly put those feelings out there. But you're also right. Ross is a nice guy. I mean, I was with him for, you know, a couple days. I arrested him one afternoon. We spent that afternoon together through the booking process and that sort of thing. And he, you know, he asked for a lawyer, so I couldn't question him, but we could still talk as human beings. And I bought him breakfast the next morning as I took him out of jail and took him over to court. So, you know, he did seem like a nice person. But remember, when I was trying to hunt for him and find him, I spent nine months learning who DPR was. And DPR doesn't necessarily mean that's Ross. People flex what I call their e-muscles online. We see it every day. People have a voice on X or Twitter that they would never use in a public setting. They would never say the same things to someone's face. I arrested a guy named Hector Monsegur, who was Sabu in Anonymous. Hector and Sabu, two different people. The online persona is not the person you meet. And so you are right, Ross is a good person and a nice person. But DPR, Ross's persona online, did a lot of horrible things.
Patrick Gray
So do you think that that is, do you think that that actually mitigates their culpability a little bit? I mean, that's the, that's the core question in all of this. Right. And that's the thing that I find really funny is like, do we cut people a little bit of slack for the crimes they commit when they think they're shielded by Internet anonymity? And I mean, that doesn't seem right.
Chris Tarbell
I don't believe so. I don't. I don't believe just because your crimes are online versus inside a bank or inside a store, it's no less of a crime.
Patrick Gray
All right, well, Chris Tarbell, thank you so much for joining us to talk about all of this. A fascinating interview. Great to meet you and we'll talk again, I hope.
Chris Tarbell
Thanks, Pat. Yeah, it was great. Anytime.
Patrick Gray
That was Chris Tarbell, a former FBI agent there, with a discussion about Ross Ulbricht, or the Dread Pirate Roberts as he is known. It is time for this week's sponsor interview, now with Feroz Abukadize from Socket. Socket is a software supply chain security company which can basically flag bad packages that you might be bringing into your projects. So someone's hijacked a package and put a bunch of malware in there. It'll let you know if a package is trying to do stuff like send, you know, environment information off to some random server in Russia. If it's trying to download and run executables, it'll let you know that. Right, so just a good idea in this age where we're constructing software out of so many pre-built packages. But Feroz has made a good point and he's here to make the case that we need to start tracking bad packages the same way that we track CVEs, and that there needs to be some sort of central repository for this information. So here's Feroz Abukadize to make that case.
Feroz Abukadize
We're detecting about 100 supply chain attacks per week in npm, RubyGems, Maven, and some of the other popular ecosystems. And the big problem is that when we find these threats, our options are very limited. We can obviously protect our customers, we can give them that data. We have a lot of ways to do that and we have a lot of folks already using that. But to protect the broader community, our options are contact the registry and let them know that this package is malicious. We get various levels of responsiveness from the different registries. We see that a lot of these are volunteer run, right? Like PyPI is volunteer run, for instance. And so they're under a lot of load, the folks maintaining these registries. And so there's usually a pretty long period where these packages remain live before they're taken down, if at all. I mean, we're tracking some stuff that's been up for years and is still not taken down and just got lost in the mess. And then the problem is, like, once it is taken down, there's no way for a company to figure out whether or not they ever installed that package in the past. You don't get a CVE issued. NVD and that whole system, they very rarely issue a CVE for one of these types of findings. They just consider it out of scope. Not to mention the other problems they have around just the backlog and inability to do what their current purpose is today. Right. So it's not a good situation. Right. So then the only way for people to find out whether they might have installed one of these packages is to come to a vendor like us, and we can help them look through their Artifactory or whatever they might be using internally to mirror packages, and to see if they're in some cases still mirroring packages that have already been removed for being malicious in the public registry, but are still being served to developers inside the company, for instance. So yeah, it's a huge problem.
Patrick Gray
But do you currently publish this information to your website though? Right? Like stuff that you find not just for customers. But I guess what you're arguing is it shouldn't just be up to a private vendor to catalog this stuff?
Feroz Abukadize
I think so, yeah. It feels like something, this data feels like it's analogous to what the National Vulnerability Database does. Right? The NVD's cataloging vulnerabilities. And we need something analogous for malicious packages. If they don't want to do it, someone needs to do it. We put them on our website today for folks to access, and we're not today publishing them in a consumable format, but if folks go and search for a package, they can get all the information that we have.
Patrick Gray
Yeah. So you're not publishing standardized data like some sort of XML feed that people can ingest and then throw around. I guess that makes sense because that's kind of valuable IP at that point, right?
Feroz Abukadize
That's right. Especially because of the time delay. Right. I mean, we find stuff within a second or two of it being published, since we're replicating the feed in real time and we have basically every package and every new version of every package. And so that is kind of part of the value add of what we can do for folks is give them that coverage while they're waiting for the takedown to happen. But we do take it down. Right. We do want to make sure that the community is protected and they don't have that. We're, you know, we're, we're sharing our information with the registries right away when we find stuff. It's just that they're the ones who are taking time to, to actually get it removed.
Patrick Gray
Yeah. I mean, I think it's probably worth pointing out at this point that NVD is having trouble. Like you alluded to that earlier, they're having trouble even doing their current workload. There's been new contracts issued and whatever. But I mean, at some point they just stopped enriching vulnerability data earlier this year. Right. Like, do you know, have you been tracking that much?
Feroz Abukadize
I've been following it somewhat, yeah. I know that at one point there was more than 50% of vulns on the KEV list, the known exploited vulnerability list, that were missing that enrichment data. So all the valuable details and context that that would provide. And so that's just that backlog, and that whole, especially not having stuff even on the KEV, which isn't even that many vulnerabilities in the grand scheme of things. So I just think it really undermines the reliability of CVEs as the kind of primary means of assessing software security. And that's something that's always, frankly, bothered me, is that when folks throw a package into a vuln scanner and say, oh yeah, there's no CVE or it doesn't match, they think it's safe to run that package. But it's always been a bigger problem than that. Right?
Patrick Gray
Yeah. Now, just speaking of the problem, you said earlier that you track something like 100 malicious packages every week. Are there any places where they're popping up more than others? Are there particular types of malicious packages that are more likely to do the rounds at the moment? What's a rough breakdown of what that threat environment looks like.
Feroz Abukadize
Yeah, there's a bunch of campaigns that we've posted about recently. There was recently a massive malware campaign that was using Ethereum smart contracts to evade detection. They were using that as the command and control, and it was a huge spam campaign. It went and posted a bunch of packages and squatted a bunch of names. There was a recent thing we found, too, that's quite interesting, something we're kind of calling an author typosquatting attack, where the attackers were able to impersonate a popular maintainer on npm by faking important metadata in the package that ended up kind of showing up on the official package website. So it's always evolving. There's always new stuff. A lot of it, obviously, just in terms of volume, is going to be pretty silly and not the most eye popping things. You get a lot of people just stealing all the environment variables as soon as the package is installed. That type of thing we catch all the time. What mystifies us is just how little effort is put into even attempting to obfuscate what they're doing. It's like they know no one's looking. You know what I mean?
Patrick Gray
Well, I mean, you're the one who's looking.
Feroz Abukadize
Right?
Patrick Gray
Which is why it's mystifying to you, because you could see it. But as you point out, most people don't look. Right. So they're not going to see it. You just mentioned, well, most of it's pretty dumb. Most of it's not eye popping. There's no obfuscation. What's some of the more advanced stuff that you've seen? Can you talk a little about that?
Feroz Abukadize
Yeah, I mean, we've seen stuff that's just heavily, heavily obfuscated. Stuff that targets a single organization through checking different facts about the environment and only activating in those scenarios.
Patrick Gray
And what sort of organizations are they targeting there? Is that like, I'm guessing, crypto exchanges are going to feature pretty heavily there.
Feroz Abukadize
They often target crypto wallets so that they can get built into one of those wallets. And a lot of those tend to be built with Electron. So you got a lot of JavaScript dependencies in those wallets. It's such a target, right? You get into the wallet and you can just wreak havoc and steal the keys. Yeah, it's such an incentive to go after. Right. When you have just all that juicy, juicy crypto sitting right there.
Patrick Gray
Can you think of examples where that's been successful?
Feroz Abukadize
Yeah, yeah, for sure. There was an incident not too long ago in a package called, let's see, which story do I want to tell? Because there's actually been multiple of these. I mean, my favorite one, this is the one that actually caused me to start the company, to be honest with you. Right. So there was a package called event-stream. It got about 6 million weekly downloads. A very popular package made by a maintainer who is very prolific. He has published over 500 packages. One of these mega maintainers. Some of the packages not very well maintained, as you can imagine, one person trying to manage that many projects. But one of his projects was very widely depended upon by the ecosystem, was used in almost all of the dependency trees of a lot of Node JS users. And so someone approached him and said, hey, you're not really maintaining this package. There hasn't been an update in two years. Could I have commit rights to be able to help maintain this? Because we use it at my company. And this maintainer was like, yeah, sure, of course, whatever. I'm not even using this anymore. I've already moved on and made a replacement for this library that I like better. So he gave the access to the person and even removed himself and fully was like, I'm done, you have the package. And that person proceeded to make good publishes for about a month, and then they took the permission they had and used that to put an obfuscated backdoor into the package. If this is sounding familiar, this is something that happened this year with xz. The xz-utils compromise. It's almost the exact same pattern. This happened back in 2017. So you can see how little we've improved as a security community when it comes to these things. The best part of all is the way that the backdoor triggered: it looked at the context in which it was executing, and if it was running inside the particular Electron app, it would decrypt the code successfully and then execute it. Otherwise the decryption would fail. But the way the community caught it, it's going to sound a lot like what happened with xz. You got a nerdy programmer just kind of looking at things. So what happened was the Node JS runtime deprecated a function used by the attacker in their attack code.
Patrick Gray
And it broke.
Feroz Abukadize
No, it didn't break. Just a warning was printed. But the deprecation happened a couple days after the backdoor was added. And so they didn't know that this deprecation was going to happen. And so folks that were running the bleeding edge version of the Node runtime were getting this deprecation warning and traced it back to this chunk of obfuscated code and were like, what the heck is this? It looks super out of place, right?
Patrick Gray
Yeah, yeah, yeah.
Feroz Abukadize
Doesn't that sound so similar to xz? Like, you got this total accidental discovery. It makes you realize, like, if we keep finding these things accidentally so often, how much more work is there to do as an industry to improve this?
Patrick Gray
Now, I just want to go back to the idea of an NVD-like body doing some tracking here. As much as we do this for CVEs, we've never really done it for malware. Right? We've never really had one central repository for malware, signatures, hashes, whatever. So, I mean, aren't these supply chain infiltrations a little bit more akin to malware than to CVEs? I mean, I guess it's complicated, isn't it? Because you are talking about a building block of software, and that's often what CVEs are used for. You want to track those issues as you're importing stuff into your code. So it seems like this sort of straddles the line a bit between being more like a CVE or more like a malware sig.
Feroz Abukadize
Yeah, I mean, it's certainly not a vulnerability that we're talking about here. It is different. But the thing about the CVE system is it's actually one area that we've actually done pretty well as an industry. We've widely deployed CVE scanners. And CVE scanners are oftentimes, they're in the compliance requirements and things that we have to cover as, you know, as security practitioners. So given that we have this system and given that it's already widely deployed, you know, it. It might be just. It might be the case that we should just use it for more things, you know, because everyone's already, you know, hooked in in some way to the system. So that's the argument for using it for more than just vulnerabilities.
Patrick Gray
Yeah, yeah, I think it's a pretty good one. All right, Feroz Abukadize, thank you so much for joining us this week to talk through all things software supply chain security. A pleasure to chat to you, as always.
Chris Tarbell
Cool.
Feroz Abukadize
Yeah, thanks, Pat.
Patrick Gray
That was Feroz Abukadize there from Socket, and you can find them at socket.dev, and that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more Risky Business for you all. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business #770 Summary: A Russian IR Guy Discovers Extremely Cool Spookware
Release Date: November 13, 2024
Host: Patrick Gray
Guest: Adam Boileau
Featured Interview: Chris Tarbell, Former FBI Agent
In the latest episode of Risky Business, host Patrick Gray engages in a comprehensive conversation with Adam Boileau covering a spectrum of pressing information security topics. The episode also includes an in-depth interview with Chris Tarbell, the former FBI agent responsible for apprehending Ross Ulbricht, the notorious founder of Silk Road. Additionally, the episode features insights from Feroz Abukadize of Socket on software supply chain security.
Patrick and Adam kick off the discussion with Apple's latest update: iOS 18.1 introduces a feature where an iPhone will reboot if not unlocked within a 72-hour window, entering a state known as BFU (Before First Unlock). This change complicates efforts by law enforcement to access seized devices.
Adam Boileau [02:03]: "Apple's relationship with law enforcement has been pretty complicated... it's a tough set of trade-offs for them and for law enforcement."
Patrick Gray [03:23] elaborates on the shift from the previous status quo, where devices were stored and unlocked when possible, to the new challenge posed by BFU, highlighting concerns about its disproportionate impact on democratic law enforcement processes.
The conversation transitions to a CISA report indicating a significant rise in zero-day vulnerabilities being exploited in enterprise software and edge devices. Adam acknowledges the alignment of these findings with industry observations.
Adam Boileau [10:14]: "It's long past time for the vendors of edge equipment to take that stuff kind of seriously."
Patrick Gray [09:07] remarks on similar trends, mentioning Adobe's move to discontinue Flash as a response to such vulnerabilities.
Adam introduces the topic of GoblinRAT, a sophisticated Linux malware discovered in Russian critical infrastructure. He attributes its advanced features, such as process hiding, configurable port knocking, and strong encryption, to its likely origin as a state-sponsored espionage tool.
Adam Boileau [13:33]: "The bits that do the initial persistence hide themselves as various a typo of a system process."
Patrick draws parallels with hypothetical espionage groups, emphasizing the human-driven sophistication behind such malware.
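Port knocking is worth a concrete look from the defender's side, because an implant that only opens its listener after a pre-arranged sequence of hits on closed ports leaves a recognisable shape in firewall logs: a handful of DROPs on distinct ports from one source, tightly clustered in time, followed by an ACCEPT on a different port from the same source. The detector below is an added example written for this summary; it is not GoblinRAT code, not anything from the show, and the log format and all IP addresses and ports are constructed for illustration. The window and knock-count thresholds are assumptions to tune against real traffic.

```python
"""Flag port-knock sequences in firewall connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src dst dport action" (assumed format).
# 203.0.113.7 knocks 7000, 8000, 9000 and then gets an ACCEPT on 22.
# 198.51.100.9 is ordinary web traffic; 192.0.2.44 hits the same three
# ports an hour apart, which should not trigger.
SAMPLE_LOG = """\
2024-11-10T03:14:01 203.0.113.7 10.0.0.5 7000 DROP
2024-11-10T03:14:02 203.0.113.7 10.0.0.5 8000 DROP
2024-11-10T03:14:03 203.0.113.7 10.0.0.5 9000 DROP
2024-11-10T03:14:05 203.0.113.7 10.0.0.5 22 ACCEPT
2024-11-10T03:20:00 198.51.100.9 10.0.0.5 443 ACCEPT
2024-11-10T03:21:00 198.51.100.9 10.0.0.5 80 ACCEPT
2024-11-10T03:30:00 192.0.2.44 10.0.0.5 7000 DROP
2024-11-10T04:30:00 192.0.2.44 10.0.0.5 8000 DROP
2024-11-10T05:30:00 192.0.2.44 10.0.0.5 9000 DROP
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action,
        })
    return events


def detect_knocks(events, window=timedelta(seconds=30), min_knocks=3, max_knocks=8):
    """Return findings for (src, dst) pairs that show a knock pattern.

    A knock pattern here means min_knocks..max_knocks distinct DROPped
    ports within `window`, followed by an ACCEPT on a port that was not
    part of the knocks. The upper bound separates knocking from a plain
    port scan, which hits many more ports.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        recent_drops = []  # (ts, dport) still inside the window
        for ev in evs:
            recent_drops = [d for d in recent_drops if ev["ts"] - d[0] <= window]
            if ev["action"] == "DROP":
                recent_drops.append((ev["ts"], ev["dport"]))
                continue
            # Distinct knocked ports, in the order they were hit.
            ports = []
            for _, p in recent_drops:
                if p not in ports:
                    ports.append(p)
            if min_knocks <= len(ports) <= max_knocks and ev["dport"] not in ports:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "knocks": ports,
                    "opened": ev["dport"],
                    "at": ev["ts"].isoformat(),
                })
                recent_drops = []  # do not double-report the same sequence
    return findings


if __name__ == "__main__":
    for f in detect_knocks(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']} knocked {f['knocks']} then reached {f['opened']} at {f['at']}")
```

The ordering of the knocked ports is kept on purpose: once a sequence has been seen at one host, the same ordered tuple can be searched for across the whole estate, which is a cheaper hunt than looking for the hidden process itself.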
The discussion moves to vulnerabilities in Microsoft Azure's Bookings feature, where attackers can programmatically create mailboxes that mimic legitimate users, potentially facilitating social engineering or technical attacks.
Adam Boileau [17:20]: "You could create mailboxes that impersonate other people... it's a really interesting tool to go from low priv to I can create new email accounts."
Adam further explores vulnerabilities in Active Directory Certificate Services (ADCS) uncovered by TrustedSec, where attackers could manipulate certificate purposes, enabling privileged access escalation within Windows environments.
Adam Boileau [19:53]: "They preferring the Microsoft way and then will issue you a certificate... it's not good."
Patrick and Adam delve into the blocking of Encrypted Client Hello (ECH) by Russia and China, discussing its utility in Command and Control (C2) operations while evading censorship. They analyze the technical intricacies and future challenges this poses for network detection.
Patrick Gray [22:05]: "ECH can really be used to bypass censorship... it's going to be a problem eventually."
Adam underscores the complexity of mitigating such sophisticated C2 channels, noting the technical hurdles involved.
Adam Boileau [24:08]: "It does the same things that domain fronting kind of delivered... it's even harder to observe."
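What a network censor or a detection engineer can actually see with ECH comes down to the bytes of the ClientHello: the real server name moves into the encrypted inner hello, and the outer hello carries only a public "fronting" name plus an extension of type 0xfe0d. The code below is an added example, not part of the show or of any real client, and it builds its own minimal TLS 1.3 ClientHello records (constructed, with dummy random bytes and a dummy ECH payload) so the parser can be exercised offline. Extension type values are the standard ones; everything else about the sample records is an assumption for illustration.

```python
"""Build and parse minimal ClientHello records to show what ECH exposes (added example)."""
import struct

SNI_EXT = 0x0000                # server_name
SUPPORTED_VERSIONS_EXT = 0x002B
ECH_EXT = 0xFE0D                # encrypted_client_hello (draft codepoint)


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(outer_sni, ech_payload=None):
    """Return a TLS record holding a ClientHello with the given outer SNI.

    If ech_payload is given, an encrypted_client_hello extension is added
    (ECHClientHello outer form: type, kdf, aead, config_id, enc, payload).
    The enc and payload bytes are constructed dummies, not real HPKE output.
    """
    name = outer_sni.encode()
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = _ext(SNI_EXT, sni_data)
    exts += _ext(SUPPORTED_VERSIONS_EXT, b"\x02\x03\x04")  # TLS 1.3 only
    if ech_payload is not None:
        enc = b"\x11" * 32  # dummy HPKE encapsulated key
        ech = (b"\x00"                                   # ECHClientHelloType outer
               + struct.pack("!HHB", 0x0001, 0x0001, 7)  # kdf, aead, config_id
               + struct.pack("!H", len(enc)) + enc
               + struct.pack("!H", len(ech_payload)) + ech_payload)
        exts += _ext(ECH_EXT, ech)
    body = (b"\x03\x03" + bytes(32)          # legacy_version, random
            + b"\x00"                         # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                     # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Walk a handshake record and return {extension_type: raw_data}."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    exts = {}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + length]
        pos += length
    return exts


def outer_sni(exts):
    data = exts.get(SNI_EXT)
    if not data:
        return None
    _, name_type, name_len = struct.unpack("!HBH", data[:5])
    return data[5:5 + name_len].decode() if name_type == 0 else None


def classify(record):
    """What an on-path observer learns: the outer name and whether ECH is present."""
    exts = parse_client_hello_extensions(record)
    return {"sni": outer_sni(exts), "ech": ECH_EXT in exts}


if __name__ == "__main__":
    print(classify(build_client_hello("example.com")))
    print(classify(build_client_hello("public.example", ech_payload=b"\xaa" * 48)))
```

Run it and the two results tell the story: without ECH the observer gets the real hostname; with ECH it gets only the public name and the fact that 0xfe0d is present. That is why a network that wants to keep seeing hostnames is left with the blunt option of dropping every ClientHello carrying that extension, and why, from the C2 side, ECH inherits the properties domain fronting used to provide.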
The episode touches on Tor's recent success in mitigating abuse stemming from SSH scanning activities originating from Tor Relay IPs. Adam explains the dual approach of shutting down spoofing origins and addressing the abusive reporting mechanisms that amplified the issue.
Adam Boileau [27:23]: "They managed to get a bunch of people to ignore that particular organization... but they have been a little bit cagey about the specifics."
Patrick highlights an operation reported by Dan Goodin that resulted in the removal of approximately 22,000 malicious IPs, predominantly located in China. The collaboration involved notable cybersecurity firms like Group-IB, Kaspersky, and Team Cymru.
Adam Boileau [28:36]: "Most of the targets of this operation appear to actually be in China."
The specifics of the cybercrimes associated with these IPs remain undisclosed, but the scale signifies a significant law enforcement effort.
In a pivotal segment, Patrick discusses Donald Trump's re-election, anticipating its impact on intelligence, tech policy, and cybersecurity. A particularly controversial topic is Trump's pledge to release Ross Ulbricht from prison, despite Ulbricht's involvement in serious crimes through the Silk Road marketplace.
Adam expresses skepticism regarding the political support for Ulbricht's release, comparing it to the support seen for figures like Julian Assange.
Adam Boileau [32:37]: "The comparison with, say, Assange is the one that is the most obvious... Whereas with DPR Ross Roberts, it was never quite so clear."
Patrick and Adam debate the nuances of Ulbricht's case, weighing his role in facilitating drug transactions against his involvement in more egregious activities like murder-for-hire.
Chris Tarbell, the former FBI agent who apprehended Ross Ulbricht, joins the show to clarify misconceptions and shed light on the severity of Ulbricht's crimes beyond drug trafficking.
Key Points from the Interview:
Murder-for-Hire Allegations: Ulbricht was implicated in six murder-for-hire plots, although no actual murders occurred.
Chris Tarbell [39:26]: "Ross ordered them, he paid for them, and then he bragged about them afterwards."
Overdoses Connected to Silk Road: The platform facilitated access to high-grade Afghan heroin, contributing to fatal overdoses among youth.
Chris Tarbell [38:59]: "Kids died from it because they didn't realize what was in it."
Legal Proceedings and Charges: Despite the heinous allegations, prosecutions focused on drug-related offenses, partly due to complications from law enforcement misconduct during the case.
Chris Tarbell [44:02]: "The case we had was solid... but it just would have made the case much more difficult."
Personal Reflections: Tarbell acknowledges Ulbricht's personable nature during his arrest but emphasizes the dichotomy between Ulbricht's online persona and his documented criminal orchestrations.
Chris Tarbell [50:10]: "I don't believe so. I don't believe just because your crimes are online versus inside a bank or inside a store, it's no less of a crime."
The episode features Feroz Abukadize from Socket, discussing the critical need for robust software supply chain security. Socket's platform, socket.dev, identifies and flags malicious packages in software projects, advocating for a centralized repository akin to the National Vulnerability Database (NVD) for tracking malicious packages.
Feroz Abukadize [53:32]: "We need something analogous to the NVD for malicious packages."
Feroz emphasizes the limitations of current systems in addressing supply chain threats and the necessity for industry-wide collaboration to enhance security measures.
Patrick Gray wraps up the episode by synthesizing the multifaceted discussions, underscoring the intricate balance between technological advancements, security challenges, and political influences shaping the information security landscape.