A
Foreign.
B
And welcome to Risky Business. My name's Patrick Gray. We've got a great show for you this week. James Wilson and Adam Boileau will be along momentarily to talk through the week's security news. And then we'll be hearing from this week's sponsor. And in this week's sponsor interview, James Wilson chats with Haroon Meer about how going back to basics with security controls is probably, probably going to be, you know, the best path forward when it comes to dealing with sort of AI enabled threats. Funny. Actually, in an interview I did with Adam Pointon, CEO of Knock Knock, another basic control, he came up with this great line which is people look outside, they see it's raining and they talk about getting their AI controlled laser beams to shoot down the raindrops when probably you're just better off with an umbrella. So that one is coming up with Haroon Meer from Thinkst Canary a little bit later on. But first up, we're gonna get into this week's security. We're going to start this week's news with an hour old GitHub social media post, which is best described, I think, as ominous. James?
C
Yes, this does not bode well. So about night ago GitHub posted that they are investigating unauthorized access to their internal repos, but they'll let us know if there's been any impact and we have seen nothing further yet. So, yes, this will be a good one to keep an eye on.
B
Yes, I, I just wonder like, if there's no impact, why are you tweeting about it? I don't know. This doesn't feel good. But of course, like, this is a breaking item now, so we don't really have much to add there. But we've got another GitHub related story. Again, we're going to start with you on this one, James, but apparently it looks like some sort of contractor who was working for CISA was running a repo on GitHub that was just chock full of secrets. And like the Brian Krebs has this story and this, this story, I mean, Adam, you described this as being better than having an RSS reader because Brian actually texted me a link to this story as soon as he published. He's like, hey, check this one out. Because, yeah, it's a doozy. A contractor apparently was taking all of these, like CISA, like AWS secrets and stuff and stuffing them into a repo. That was what public, James.
C
Yeah, so there's all these, there's a lot of companies out there that basically monitor GitHub repos to look for things like this, right? They see a new repo created. If it's public, they look at their secrets. And in this case, it was a company called GitGuardian and they spotted this repo pop up that was, you know, I mean, innocuously named CISA Private. And when they took a locking look inside of it, it's got credentials files, including cloud keys, tokens, plain text passwords, logs and a whole lot of sensitive stuff. Now, the point here is, this is not about, oh, whoops, the repo should have been private. You never, ever, ever store things like this in a GitHub repo, right? This is the stuff that goes in your password manager, in your secrets vault. Repo's just the wrong place. I mean, you say it best, right, Pat? The CISA's century of humiliation continues, but I don't think anyone could have had this on their bingo card in terms of just the sheer severity of the dysfunction here.
B
Yeah, I mean, my favourite tidbit from this is that one of the exposed files was titled Important AWS Tokens and included the administrative credentials to three Amazon AWS GovCloud servers.
C
And those tokens kept working 48 hours after this repo was taken down.
B
Well, this is the other thing, right? GitGuardian were trying to contact CISA and let them know about this and they didn't get a response until Brian, Brian Krebs got involved. You know, this guy went to Brian Krebs and Brian's like, asking CISA and then, yeah, they pulled like a website that. Where the credentials were used, but the AWS credit. Anyway, it was an absolute bun fight. I wonder, though, given it looks like this was the act of a contractor and not some sort of sanctioned approach that, you know, CISA says is the way they should store their credentials open in an. In an open repo. Like, what could you do to prevent someone from doing something this nuts?
C
Oh, well, the answer There is simple. GitHub will stop you from doing this. And there's actually evidence in the logs here that shows that this contractor went out of their way to turn those safeguards off just so that they could actually commit these credentials into.
B
I understand that this guy's done the bad thing, but what I'm asking is what could CISA have done to stop one of its contractors from doing this? And I'm sort of drawing a blank.
C
Yeah, I guess it does depend on the ownership of the repo, where it was located. Is it part of an organization that CISA could have had Policies on like ideally in an organization, you have your GitHub organization, that's where you set your top down policies that would have prevented things like that. You know, don't check in secrets credentials for being turned off. But in this case, you know, I mean this is just the problem of I guess, repo sprawl combined with credential sprawl, which is anyone can create a GitHub repo, anyone can put anything in there and if they're doing it in their own private repo, then they can turn off the safeguards. So this comes down to like a managing your contractor sort of scenario of surely they know that this is just not what you do with credentials.
B
But evidently James, they do not. And I mean Adam, you see where I'm coming from with this, right? Which is you can't stop someone from just like taking creds they have access to and going, eh, you know, I could put these on a text, in a text file on my desktop or I could just throw them into one of my GitHub repos so I can access them that way. Like you can't really do much to stop that.
A
Ultimately this is a thing you can't solve with a technical control. Like this is a human problem where you've hired someone to do this worker contract to do this work and they have decided of their own volition to just use GitHub to. I think the suggestion seems to be they were synchronizing like content from their work machine to perhaps a home machine or something. So it was like shadow IT sort of thing going on here. But ultimately like this is a human problem, not a technical one. And I don't know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed, outside of anything where they have even visibility because it's all HTTPS on the wire. So short of, I don't know, having what your DLP look for files called like important Amazon creds Txt and saying that sounds like a bad thing. But yeah, this is a human problem, not really a technical one.
B
Yeah, I mean you can't TruffleHog. How are you going to TruffleHog a repo that isn't in your control? Right. So I just sort of think, you
C
know, well it was public in this case, so TruffleHog away.
B
Sure. But then you're just throwing TruffleHog at all repos and then it's an attribution problem and like, I don't know. So as much as this is like, yeah, we get to laugh at CISA. I kind of like mostly what I feel for CISA at this moment talking about this story is sympathy and, you know, feeling sympathetic for CISA is a bit of a theme this year. Let's move on though and talk about the latest research into the fast16 malware. This is the malware that turned up recently when some researchers at SentinelOne actually dug it up. It was Jags and Vitaly Kamluk, I think, who found this. And apparently there was like a link to some of the leaked Shadow Brokers stuff because fast16 had been mentioned in it and whatever. And that was a breadcrumb that led to the discovery of this malware. And this malware, I mean the guts of it is like a kernel driver that messes with scientific simulation software. And we didn't really know in the first round of reporting what that meddling was supposed to do. And now Symantec come out and said, yeah, this is designed to interfere with simulations, simulated nuclear detonations basically, which makes 100% sense and is also extremely badass.
C
James yeah, like it is wild to see the level of, I guess, evidence that they've been able to find here around exactly when this triggered and what it, what it sought to modify. You know, there's the SentinelOne report basically linked it to two potential applications and those had a history of being used in nuclear and other CAD things and all. So it was a bit weak. But then this research really goes into the in depth of actually the exact type of calculation that was being adjusted here is specifically related to supercritical nuclear reactions, which is, you know, the point in time when a nuclear reaction becomes self sustaining. And they were also able to identify that the, the actual intention here, it was that it makes the tests seem less effective than they actually were. And so you could imagine the, you know, it gets a researcher in a mode of, well, this is not working. Keep working on it and keep trying to refine the methodologies, but just wow, for something so old to be doing such just incredible work. It's fascinating. But to your point about the breadcrumb, the really sort of thing that I find fascinating is it was Shadow Brokers that had an opaque reference to fast16. And it was just that the tooling said, oh, if you see this, nothing to see here, move along. But no one knew what it was. Then there's a dormant VirusTotal sample that sat there for two years before Jags and Co picked it up and realized that was fast16. Like we lucked into discovering this. What else is out there?
B
Yeah, we sure did. And look, you know, to make it clear, I mean, this thing is like 20 years old. Right. And if they're doing this 20 years old, 20 years ago, it makes you wonder what they're up to now is one thing that I, that I really wonder about. I also think it's quite funny that Iran consistently denies that its nuclear program is anything other than peaceful. Right. And yet, for some reason, presumably the NSA and their colleagues or their counterparts in Israel are spending a lot of time developing software to subvert, developing malware to subvert software that, you know, models nuclear explosions. Gee, I wonder why they're spending all of that time to do that when Iran does not have a nuclear program. Adam, I imagine you've been really enjoying all of the coverage on this as well.
A
Yeah, I mean, seeing like another artifact of Five Eyes tooling from the Stuxnet era. And this is, you know, like in some cases, kind of predates some components of Stuxnet. The timeline is really interesting there. It's just amazing what they were doing back then and how sophisticated both the thinking about like, how to do it. Some of the bits of specific tradecraft and then, yeah, like the action on objective of this, like actually modifying, you know, simulation of nuclear weapons, you know, kind of implosion, testing or whatever. It was like just wild. One of the things I really liked about the story was in Jags's write up, he talks about like, early on in this research, the thing that got him thinking was there's a bunch of examples of malware that came out of the Five Eyes that used Lua virtual machines to kind of deliver their runtime behavior. So you have basically as little malware as you need to get code running and to propagate and then all the logic you can do in a higher level language. And the use of Lua in that context is pretty unusual. And they found these samples by pivoting on the bytecode headers of Lua, bits of Lua code to be executed by a VM. And that's just a really smart thinking. Like JAGS is clearly a smart guy to start with. But like, that's just a really cool insight and going hunting that on VirusTotal and then it leading to this and leading to, you know, this story being uncovered. Like it's just a wild ride. And then of course, you know, we had seen some talk about fast16 and then no one really knew what it did until, you know, Symantec started digging in a bit of AI to help with understanding it, like, seeing all those bits of the puzzle come back together and it. Rewriting our history of, like, what Stuxnet meant, what. How advanced Stuxnet was, what they were doing back then. Now we've got this whole other piece, and as you say, like, that was 20 years ago. What, like, witchcraft are they up to over at Fort Meade these days? Like, now I want to know that, too, so.
B
Well, we always want to know, right? And, I mean, it's kind of sad because the stuff we get to hear about is, like, fake ransomware attacks against Venezuelan state oil companies, and it's like. Yeah, okay. Not exactly imaginative, are you? You know, it's not like this stuff, which is. Which is very, very cool, I'm sure. This stuff. This cool out there, but, you know, it's just a shame that we tend to hear about it 20 years later. So maybe when we've, you know, kicking around, eaten applesauce, couple of teeth left in our head, Adam, we get to. We get to find out, you know. Now, meanwhile, you know, it's not only the United States and its allies that can do this sort of very sophisticated cyber war. The Iranians could do it as well, as per this story in CNN. James, walk us through it.
C
My goodness, they really have levelled up what they're doing, Pat. They have gone after automatic gas tank readers at gas stations in the US with default passwords that had been left on the Internet to just maybe make it look like you've got a little bit less gas.
B
In fact, I believe, in fact, it wasn't even default passwords. It was no passwords.
C
No password is default password. Yeah.
B
Null as a default. Yeah, I guess. I guess you could make that argument. But, I mean, this is pathetic, isn't it? I mean, you know, I'm embarrassed for the Iranians that, you know, what are you going to do, like. And there's this stretch in here. Where is it? I posted this into Slack with you guys earlier. Yeah, so you can mess with, like, gas tank level readings. Right. So the cyber intrusions are not known to have caused any physical damage or harm, but the breaches have raised safety concerns because gaining access to an ATG could, in theory, allow a hacker to make a gas leak go undetected, according to private experts and US officials. That's a stretch, I'm sure you would agree, Mr. Adam Boileau.
A
Yeah, I mean, the juxtaposition of this and fast16 is just. It's so disrespectful to Iran. Hacking technique. Yeah. Like, that's just it's a real stretch and trying to make these things like, I think CNN have the like exclusive headline scoop of this. So they're trying to make it as jazzed up as possible. And yeah, that's, it's just a real stretch.
B
Yeah. Now look, we're going to move on to a piece here that is not strictly cyber, but all three of us agree that it's really interesting. So I guess, you know, cyber people are interested, are going to be interested in this and 404 Media has a good write up on it. And that is fiber optic cable is like the prices are skyrocketing because there's essentially a shortage. And this is happening for two reasons. First of all, the build out of AI, AI data center infrastructure in the United States is just, you know, the demand is just insane, absolutely insane for fiber optics. And I think with certain build outs there are like local content requirements for fiber as well, you know, building American and all of that sort of thing. So like, you know, you have to get your fibers from Corning or whatever. And the other thing driving up the prices globally is the war in Ukraine where both the Russian and Ukrainian side are just using so much fibre that yeah, the price has got to the point where the Ukrainians are starting to use Starlink dishes on certain one way drones because it's cheaper than using the fiber. I mean this is a great write up, Adam. I mean it's just like what, you know, as you would like to say, you know, this is the cyberpunk dystopian future right here, right?
A
Yeah. I mean some of the pictures of like Ukrainian wheat fields covered in glistening glass fiber because of all of the drones flying back and forth. Like it really just is dystopic future stuff, but it kind of makes sense that it would have an impact. I mean you can't put 50 km of fibre on every drone you're sending one way and not have it have some kind of impact on the market. And you know, we've seen some numbers where like the prices have gone up like 2, 3, 4, 5 fold over the, you know, over the course of that conflict. We're also seeing fiber drones being used, you know, by Iran and that kind of fight going on as well. So it's definitely, you know, the state of electronic warfare against radio controlled drones is such that using fiber is a great alternative to dealing with more sophisticated, you know, kind of EW adversaries. So you know, it kind of makes sense that the cost will go up. But yeah, it's, it's just like the fact that it got to the point where a Starlink terminal is worth throwing away instead of a bucket of fibre, that's pretty crazy stuff. And then some of the defense mechanisms against this, like we saw 404 has a little video of, of a Ukrainian defensive technique which is like a fence made of spinning razor wire. And so then when the fibre drapes over it, it gets tangled up and cut.
B
Yeah. So it's like a single strand. Just to describe it to people, it's a single strand of razor wire that rotates. So the idea is, you know, as a drone flies overhead, you know, it, yeah, it just gets severed. I mean, it's completely sound. The logic in this. You just think, what a great low tech solution to this. I wonder, I wonder how well it'll work.
A
Yeah, but it's exactly the sort of thing we've come to expect from Ukraine. Like super pragmatic, real world solutions to very real problems. And there's going to be like, when someone writes the book about all the things we've learned about modern warfare from this conflict, this is the sort of thing that's going to be in it because there's just so much interesting insight in there.
B
Yeah. And I will say too, it really does look like at the moment Ukraine has the initiative in the war. They were, you know, hitting Moscow the other day with drones. Like, it looks like, you know, Russia's air defenses have been attrited to the point where that's possible. Yeah, it's a very interesting time in that conflict now. I mean, it's been over four years and Ukraine has just not given up. Ukraine has, has fought very hard and innovated and, you know, things are turning around at the moment. Whether that is lasting, it's difficult to know. But we obviously wish them all the best in their struggle. Now, moving on to back to some more bread and butter. Cyber. And we've got a whole bunch of stories here talking about the, you know, what has been termed the vulnpocalypse or the bugpocalypse. You know, the first one we got here is from Alexander Martin over at the Record, which notes that Microsoft is on pace to break its annual vulnerability record. They've just dropped a patch Tuesday with 130 patches in it, so no surprises there. I've had conversations with people in Microsoft and look, I think it's worth noting that they're going through what everyone's going through when it comes to AI, which is the volume of AI generated code within Microsoft at the moment is insane. Trying to do manual review on all of that, Just forget it. The number of bugs they're finding, also insane, you know, trying to also figure out how to deal with everybody wanting to run agents on Windows. That's another insane problem. So they're all very busy. They've also come up with a multi model agentic security system for bug hunting, which is very interesting because it supports the, the what we've been saying and what people we've been speaking to have been saying, which is James, that the model is necessarily the important bit when it comes to bug hunting. The more critical part is actually having a good harness. And that's, that's been Microsoft's approach here. 
And indeed we've got other coverage from like Cloudflare, where it turns out that's been their approach as well. The funniest part though, I guess is that Microsoft has actually named its harness M Dash, which is the best dis against LLMs, which just love inserting em dashes into any copy they generate. But James, walk us through Microsoft's thinking here. It does really seem like they're onto a similar train of thought as Niels Provos outlined in his interview with you recently.
C
Yeah, 100%. It directly ties back to that in two ways. One, they talk about different models are better at different tasks and so they're very diligent about giving model specific tasks and also quite narrow tasks as well. Right. I think there was not in the Microsoft one, but in the Cloudflare one they particularly called out that if you just use a typical coding agent, even with the best model out there, you're just not going to get the results because coding is a much different approach to security research. So that was the first thing that was interesting. The second is, yeah, as you said, the harness is what matters and in particular it matters because a model really wants to get to done. And this was again what I learned from talking to Niels. Model is trained to finish, to complete, to give you the answer. And so what the harness adds is things like finite state machines where it essentially governs the model and says you can't just go straight to done. We're going to go through an audit phase, we're going to go through a hypothesis phase, we're going to go through a testing phase, we're going to go through a proving phase. And when you can add that structure in those finite states in, it's almost like you've caged the model more restrictively, which causes it to strive for a different kind of level of what done means, which I think is yielding the difference in terms of the actual quality of the output here that Microsoft and Cloudflare have spoken to.
B
Yeah, and it's not just, you know, it's not just Microsoft and Cloudflare. We've had some comments, some grumpy comments from Linus Torvalds. Fancy that. He seems a bit shirty. How unlike him. But he is complaining that the Linux security mailing list is almost entirely unmanageable because there's all these duplicate AI bugs and it's all just, you know, crashing crap. Very, very Torvaldsy Linnasing there, basically. But look, dude makes a good point. I think one of the interesting things is though, is one of the things he's complaining about is duplicate entries. Right. Which has led some people to say again, something that we've said on this show previously when it comes to like, well, you know, are these models going to be useful to the intelligence community? And they're not. Largely because these bugs that the models find, anyone can find them. Right. So they essentially become public at the point that that new model is released. But what do you make of the impact here, Adam, on like open source projects? Because I imagine it's going to be, in some ways it's going to be harder for open source projects to try to get a grip on the bug deluge than it is for, you know, profitable companies that are going to be able to spin up resources and assign resources to dealing with this.
A
Yeah, I mean, it's hard for everybody to deal with the volume of output. And I think the challenge for open source people is they have the added complexity of the social dynamics of open source communities. Like at Microsoft, if they produce hundreds and hundreds of bugs and they have to distribute those to hundreds of teams, there's a real cost involved with that. And everyone understands that if they produce bad reports, it's going to have downstream financial impacts on other units and there's some centralized control there that can direct the discovery process to be more selective or to produce better quality input or whatever. In the open source world, that all comes down to historically just kind of social dynamic and people acting in the interest of the community. And that's quite a hard thing to manage to start with and especially when those communities are rewarded through kind of kudos and kind of recognition. So it's a different, like it's not just a financial metric, I guess. And so open source communities have problems already with that and then AI just kind of. But the economics of that are a bit weird for them. So I think they've got some very real challenges and the Linux kernel I guess is a bit more controlled than the average open source environment because Linus is his grumpy self. So yeah, it's going to be interesting to see how that unfurls. And I'm thinking, I was just mentally comparing it to say how the Curl project is dealing with bagder being very. Also quite opinionated about how and where AI is useful for them. And similarly with Firefox and Mozilla and Firefox. So yeah, we're going to see different responses from different open source communities.
C
Well actually this was evident in the copy fail bug. I caught up with the folks from Theory that were behind that bug this week and they called this exact problem out when they're disclosing a bug to Microsoft and Google. They knew how to do that safely. And in this case, as you'll hear in the episode that I'll drop in this week, they did actually disclose it to the Linux security and the kernel mailing list and there was patches. But they by their own admission dropped the ball because they didn't understand the social dynamic of then who's contacting the distros, who's managing that process, all of which has a very well managed process in a corporate company. So that was a big part of the reason why that was such a quite a clunky, shall we say, disclosure of that bug.
B
We dropped a patch into the mainline tracker. We're done, we're done, everything's fine. Now look, speaking of other bugs, we've got an interesting Mythos one here. Apparently some researchers in conjunction with Mythos managed to find a memory corruption exploit targeting macOS on Apple M5. And the reason that's interesting is because that means they bypassed Apple's memory integrity enforcement. Now look, I would be more impressed by this if people I know in XDev hadn't kind of intimated to me that memory explained memory integrity enforcement like wasn't perhaps as good as Apple thought it was. You know, it's the sort of thing where you ask oh man, is this thing causing you trouble? And they would just sort of smirk a little bit. So I don't think, you know, it's taken an advanced frontier model to figure this out. But I guess James, you know, you being an ex appler who understands the guts of these operating systems, I'm guessing you would have found this more interesting than most.
C
Yeah, I'm so keen to read the write up from these guys once they can actually publish it because all they've done at the moment is just said, haha, we got past this on an M5 Mac, but we're not going to tell you how we did it until it's patched. Which, you know, again, see earlier comments about disclosure. That sounds a good way to do things. There is. You know, my intrigue is also piqued by the fact that this, whatever they've found is constrained to first of all, the M5 chip, and only on Macs now, is that hardware difference that makes this more exploitable on some platforms or is it at the more closed nature of iOS? That means maybe the bug is there but they haven't been able to find it. So look, there's just, there's going to be lots of really interesting details. I hope this comes out soon.
B
Who couldn't afford Corellium, I think is what. But anyway, moving on and well, actually not quite moving on. This is still very much in the same topic. Last thing on the same topic is OpenAI has now launched its Daybreak initiative to quote, combat cyber threats. According to Paige Gross at Cybersecurity Dive, I find that framing really funny, which is like you got a model that can crap out 0day and that is combating cyber threats. I don't really see it that that's how you combat cyber threats. But James, you actually looked at what Daybreak is and the best you can tell, it's a web form at the moment.
C
Yeah, yeah. Like, gosh, it's another poor example of OpenAI being like, look at us, we do this too. We really do.
B
And if you're also scary, we're also just as scary as Mythos. We're just as dangerous.
C
We're so dangerous. You have to fill out this form if you want to use us. But this, look, it's really hard to work out what this is. The best I can tell is it's their 5.5 model, maybe with some guardrails removed, but they don't give you access to the model. It seems you sign up and they do a security vulnerability analysis for you as a service. So suffice to say, Pat, I don't get it.
B
I mean, look, that's. Maybe that's a good way to do it, right? You could just give your software. Why would you need to have access to the model if you're just going to send a bunch of one shot prompts saying find bug in this. You know what I mean? Like they can do that for you. Like unless you're giving it to some sort of real expert. Like unless you're giving it to Niels Provos, who's plugging it into a harness and like, you know, actually doing some active research on it. Why not? I don't know.
C
This could work, could work. But again, if that's what they're doing, they could have made more noise and been more explicit about it because then we would be, you know, really actually excited about that being a service. But it's, I'm really just trying to read the tea leaves here on what little data they've given us beyond. Fill out this form, please.
B
Now we're going to get Adam to talk about this one and hope that his head doesn't explode as he's describing this bug in BitLocker, which I've got to be honest, I had to read this a few times to be like, wait, what? Really? So it turns out like during a default installation of BitLocker on a standard like Corp laptop up getting around that is comically easy. I could not believe this. But Adam, you walk us through it, please.
A
So in many corporate environments, the like the way that they deploy Windows BitLocker crypto is TPM backed. So the key material lives in the TPM chip on your machine. And at boot time the TPM checks to see whether the machine meets some kind of like trustness, you know, hasn't been tampered with, you know, isn't booting off a weird device, et cetera, et cetera. And if it passes those tests, then it just kind of pulls the key material out of itself and passes that onto Windows to decrypt the drive. Now this is a thing that most corporates prefer because the other option, which is adding some kind of pin or extra like credential step pre boot just has a whole bunch of support overheads. Now there's been a lot of bypasses in TPM, pure TPM pass BitLocker over the years because once the machine has booted, there is a bunch of attack surface to try and get that key material out. So for example, we've seen some research that just pulls it straight off the bus, like off the physical wires on the motherboard between the TPM chip and the rest of the computer. Use that, steal key material and off you go. This particular researcher who seems to have real beef with Microsoft, it's like an anonymous researcher of the. But honestly, it sounds like he's having, I'm assuming he is having a really rough lifetime. Like it does not seem to be in a good place mentally anyway, he
B
has, there's the real sandbox escaper vibes with this particular person and the knowledge of Windows seems crazy. It's like did you like. Either you are just a screw loose person who just immediately understands everything Windows or you worked there or something and it's like the whole thing is weird.
A
Yeah, I mean they seem pretty unhinged but on the other hand are absolutely delivering the goods with the bugs. So what they've got is basically a trick where you can boot a Windows machine into recovery mode with an extra like USB storage device plugged in. And on that USB storage device you have like NTFS has an option for like doing transactional file system as support for transactional file system kind of bits where there is a file system kind of like can replay changes that were previously written that didn't complete such that it's more. It handles like power loss and other bad situations better. So you put a transaction log on this USB storage device that can then replay changes back onto the main, well onto other drives in the system which in the context of a Windows recovery boot is the RAM disk that contains the Windows recovery image. So then they can overwrite config files and basically make that RAM disk spawn a command prompt pre auth. So at that point the machine boots up, it's in a trusted state, the TPM has released the key materials the Windows recovery RAM disk is running. But instead of running the like Windows Hello login process or whatever else, it just drops you into a command shell and at that point you can extract key material, edit the disk, do whatever you like. So the net result is physical access to a TPM backed BitLocker machine gives you full control of the device, which is kind of one of the things that you're relying on Windows BitLocker to prevent. Of course the security community is like well this is kind of like what you should be using PIN based BitLocker for to prevent this kind of thing. Because there's been other attacks and indeed after this particular one came out somebody else published another technique that does a like similar kind of trick manipulating Windows recovery images. But the reality is the support overheads of PIN based BitLocker are just so
B
high that this is how everybody does
A
it and this is how everyone does it. And the protections you are getting from your BitLocker probably don't match your expectations because of this kind of weird weakness. And it's just ultimately there is so much attack surface pre boot in Windows like pre full system startup that kind of can break that trust. Chaining from the TPM through the BitLocker into trusted kernel as running and machines in a hardened state. So it's not great. And I imagine plenty of people need to kind of rethink about what this means for their, you know, the amount of trust they can put in their BitLocker systems.
B
I think also we have to remember why it is that organizations apply BitLocker to laptops in particular. And it's because of compliance regimes where previously if a staff member went out for a few beers after work, had a few too many, and then left a laptop in the back of a taxi that was going to be recorded as a data breach. So this is why BitLocker is everywhere, is it's a compliance thing. It's a way to stop data breaches that aren't really data breaches. It's just like stuff left in the back of taxis. Right. So I think for most organizations, not much changes here, but for organizations that are really concerned about BitLocker being a functioning control, they're going to have to deal with this. But my guess is if you were dealing, if you were thinking that BitLocker was a functioning control in the first place, you were probably one of the few organizations that was using pin control. So, like, I look at the way that this works and I think, oh my God, like, that shouldn't be the case. Like it shouldn't be possible to do this. But at the same time, I think we got to keep a lid on, you know, we've got to control ourselves when talking about the impression impact of this, I think in the real world. Right. Because yeah, I think it's, I think it's actually quite limited. Look, let's move on to this next story now. And Catalin got this one based on a series of press releases from the Polish government. We, we wrote about this in. Well, he wrote about this in the Risky Bulletin newsletter. So go to Risky Biz and subscribe to that one if you're not already. The Polish government is advising officials to replace Signal with its national messaging app, which is called mcypher. But it's like Ms. Zyfr, which reminds me of the immortal Onion headline from many, many years ago, which is Clinton to deploy vowels to Bosnia. But yes, it's pronounced mcypher. And I think this is really interesting.
So our colleague Tom Uren, I know he's working on this one for his Seriously Risky Business newsletter, which will go out tomorrow because you kind of worry. I worry. I understand why people are moving away from Signal because it's being phished by the Russians right at the moment. It's causing a lot of problems because they're doing this like, linking, phishing, where you wind up. They wind up tricking people into like QR code, authorizing an attacker's computer to be linked with their Signal account so they can spy on their communications. That's bad. That's a really bad thing. Especially when you consider that Signal is like the default de facto method through which politicians communicate, and not just within a country, but globally as well. It is the communications infrastructure of the world's leaders. So now we're seeing, we're seeing possibly some sort of Balkanization here towards homegrown stuff. I don't know, man. I don't know if that. I don't know if that makes me feel good, but, James, walk us through M Cipher here. I believe you, you know a little bit about what they've thrown together.
C
Yeah, it's basically a fork of the Matrix open source protocol, which is a Signal-like thing. But I think the thing when I looked at this was you've got to realize that, yes, Signal has its problems with being phished and whatever else. And you and I have talked about how sometimes it's between their use of mobile phone numbers for some identifiers and other handles for other things, it's a bit of a complicated process.
B
I never know who I'm talking to anymore since they introduced this, like, oh, you're a Signal connection with someone called D. Yeah. Okay, who's that? I got no way to tell, right? It is, it is. And you've got disappearing messages, so you try to open up the conversation. There's no history there. So it's like, I think they've actually made it quite confusing to use in its default configuration and quite easy to phish in its default configuration. And I think as much as they can put out statements saying, well, this is the way it's got to be. And you know, we put a lot of thought into this and education is key. The fact is, when your most important users are getting owned by Russian intelligence services and other users like me, and I would not call myself like the most technical person in the world, but I host a cyber security podcast, for God's sakes, and I have done for 20 years. And if I'm finding it difficult to use, then I guarantee you a lot of your other users are finding it difficult to use. And here we are with the Polish government launching their own forks of Matrix, which are not going to have the same QA as mainline Signal, which really worries me. It worries me.
A
I worry.
B
This is like crime phones, but for the world's leadership. Adam, what do you think here?
A
Yeah, I mean, splintering it up. And one of the great things about Signal is it's had so many eyes over it, right, because it's so important, because it's, you know, used in all sorts of relatively high trust situations. And the moment anyone tries to make it do something else, I'm reminded of the like weird TM Signal fork that got, you know, messages leaked out of it because it kind of changed the trust model and bad code quality and so on and so on. Like anytime you move off mainline Signal, you're into kind of into the, you know, dangerous bits of weeds and Matrix, at least by virtue of being open sourced and used in other places, is, you know, going to be better than something completely homegrown.
B
But yeah, like, but that's the protocol, that's not the app. Right. And the problems with Signal, again, they're not in the protocol, they're in the app. You know, they're in all of the weird little features and doohickey stickies that, you know, that get stuck on top of the protocol, you know, I don't know. I mean, look, if people wanted to fork Signal, they could as well. Right? But we've seen, yeah, we saw, as you said, with that, that Signal fork in the. Well, it was an Israeli company that did it and then sold it to the current government there to do log. That was crazy. But, yeah, I just don't know. I just, I don't know. I find this, this is a worrying sign, actually.
A
Yeah, I mean, I think you're right that Signal, one of its advantages was that it was relatively simple and single purpose and as they've added more and more stuff to it over the years, then we start to get, you know, things get a bit more complicated. The UX gets a little bit more difficult to explain.
B
Old phone, who dis.
A
Yeah, exactly. Right. And identity is a hard problem. I give them that. Like, this is a difficult thing to solve. But yeah, I'm not convinced that forking Matrix and letting people use it is the solution either. So. Yeah, yeah, I don't know. Signal Foundation, I think it's on them to kind of come up with some things to smooth out some of these rough edges.
B
Yeah, I mean, maybe a version. I mean, look, the whole point is you can't trust phone numbers as an identifier. And what Signal did was it applied PKI on top of that. And that was good. That was the right balance, I think, between being, you know, and then you have a pin. So people can't SIM swap and then reset the account. And I think, you know, that was a really good sort of status quo that combined the sort of availability of phone numbers with the PKI on top of that as an extra layer of sort of identity verification. Now it's just got a bit, it's just got a bit silly. And then the linking, I've never liked linking it as well and you know, I think, I don't know if it's an Electron app anymore but that was the thing that kept me away from it for a long time and now I just find the whole idea weird. I think also there are better ways if you want to use Signal, I think using iPhone mirroring, if you're a macOS user that's going to be a better way to bring Signal to the desktop. But instead of, you know, QR code based linking with like weird Electron like frameworks. Anyway, it's just disappointing that they've, they've, I think they've made it too complicated for its own good. Anyway, moving on. And God, there's these bugs in like a Cisco SD-WAN product. There was a round of these bugs earlier this year that were being exploited in the wild and now there's been a second round of very similar bugs I believe also being exploited in the wild. That CISA is telling everyone to patch. Rapid7, I think, found this second set of bugs but it looks like it is also in the wild but just, you know, absolute clown show at Cisco. And also Adam, there's apparently, according to some original reporting out of The Record by Alexander Martin, there's some sort of 0day in Huawei gear, like DoS 0day, that was apparently responsible for bringing down Luxembourg's entire telecommunications network last year.
And then on top of that we may as well combine these all into one is there is a patch bypass for a flaw in SonicWall's SSL VPNs. So like you add this up and it's just like, I mean in our run sheet there the tabs of fail between Cisco, Huawei and SonicWall. Very depressing reading. What's your take?
A
Yeah, there are some fun bugs here actually. The SD-WAN, Cisco SD-WAN one. There's like a UDP protocol used for coordinating between the components of the SD-WAN solution and you can auth and kind of say that you're one particular type of device and they didn't really think through the auth flow for that type of device and you end up in an authenticated state without having to have a valid certificate or anything else. And then from there you can call a function that lets you add a SSH private key to the controller. So then you can just like SSH in and reconfigure it. And what were you thinking, Cisco? So this one, it was just like, good bug. And I mean, it's probably some product they.
B
They acquired through some acquisition years ago. You know, like, that's always how this, A lot of this happens.
C
2017 acquisition of Viptela. I looked this up because I've worked at Cisco in the days when Cisco was good, and I'm like, I bet this is an acquisition and.
A
Yep, always is.
C
Always is.
B
There were days when Cisco was good. Yeah, man.
C
1999, 2000, 2001. Those were good days.
A
Once upon a time. Yeah, that time was a long, long time ago. The Huawei bugs in Luxembourg. Now this is interesting. So there was an outage of Luxembourg Post, which also operates mobile and landline networks in Luxembourg. And what they seem to be saying is that a whole bunch of their core Huawei router gear crashed and went into a reboot loop. And this bug appears to have been triggered by packet forwarding from the user plane. So this is not people connecting to the Huawei devices management interface and then causing them to go into some DOS thing. It's them forwarding bad packets across them, their interfaces, and that resulting in a
B
reboot loop that should not happen.
A
Which clearly should not happen. That's not the sort of thing we
B
want, like just getting a bad packet to transit a bit of Huawei gear, crashing it, like, that's. I mean, that's cool, you know, I
A
mean, we've seen bugs like that in the past and they feel really good. Like, we, back in the Insomnia, old, old Insomnia times, we had a, like, single packet UDP Wireshark bug. And you could. It was a beautiful and wonderful thing. And anything.
B
This is ping of death. But for Huawei, I mean, you got to love it. Yes.
A
Yeah, but like, in the user plane, you don't have to ping the Huawei, you just ping across it. Anyway, this was like, what, 10 months ago or something? And we still see no details. Huawei doesn't want to talk about it. No one else seems to know anything about it. So it's just an interesting bug. And like, like I am talking to you across a network that almost certainly is Huawei in the middle, and I would like to know about this magic task.
B
Kiwis are slow learners. But anyway.
A
Well, well, well. Yeah, it's embarrassing for everybody concerned. Anyway, I just thought that was really interesting. And if you have Huawei in your network, then maybe time to go hit your Huawei account manager up and apply some pressure. The third one you mentioned, the SonicWall, it's like, like it's been written up as a patch bypass and it's kind of not really a patch bypass. It's that when SonicWall patched this particular bug in their older model of their devices, it wasn't enough to apply the patch. You had to also then make a bunch of configuration changes and no one did. And so everyone who was running version 6 of the like SonicWall things, who just applied the patch and didn't read the rest of the patch notes is now getting owned. And fortunately for SonicWall in that time period, that particular model of their software has reached the end of life and now they don't have to care about it. So they nailed that particular thing. They managed to thread the needle there, unfortunately. A whole bunch of people getting a lot of owned. But you know, if you run SonicWalls on the edge of the network, you're probably used to that.
B
Now we're onto the home stretch here and a bit of good news before we go. John Greig reports at the Record. And we had this one in the risky bulletin as well that Microsoft disrupted a malware signing as a service platform tied to ransomware gangs. The service was called Fox Tempest. I found this interesting because really they were doing like simple administrative crime as a service, right? When they were basically spinning up what fraudulent companies obtaining valid signing certificates and then you could submit your malware samples to them and whatever. I mean this is just like, you know, they're simplifying administration. This is, this is a productivity enhancer for the malware scene. I mean this is, you know, I hate to admire a malicious business, but this is fulfilling a market need. What did you think, Joe?
C
Yeah, exactly, right. It was also interesting just the scale that this is operating because when I was looking through it, I had that same sort of reaction of oh yeah, I could see how this would be useful, but really, how many people really need this? How often do they use it? Turns out, a lot and at scale. So yeah, they were creating hundreds of seemingly valid Azure tenants with made up businesses, et cetera, so that they could create these short lived signing certificates that would make their malware seem legit. But it was all crafted around this as a service concept where you'd have your malware parked on their service ready to go, and then you'd sort of go and log in and say quick, I need a signed version right now, please. It'd go find the right tenant to give you that and create the cert. But this must have been incurring a cost of tens of thousands, maybe hundreds of thousands of dollars in terms of Azure and all the rest. But then in this article it says Microsoft went to the length of tracing the cryptocurrency payments that have been made to Fox Tempest and it was ordering in the millions of dollars that ransomware affiliates had been funneling into this company to do their job. So yeah, like you said, admin as a service helping folks out and quite profitable at the same time.
B
Well, it's B2B SaaS for cybercriminals and I just find it really funny because it is the type of drudge work that nobody wants to do. So it's actually a really good SaaS play. Adam, you wanted to add something there.
A
Yeah. The thing that I thought was really interesting about this is that they are using Microsoft service called Adaptation Artifact signing where they will sign this code for you. And I was a bit confused because like normally code signing involves code signing certificates and blah blah, blah. But this is a Microsoft service where they sign your binaries for you as a service. And this is kind of part of Azure or I think you can run it standalone as well. But the interesting thing is it's kind of pivoted. What you meant by code signing from this code has been, you know, like Verisign's given a company certificate and they've attested to it themselves and like this kind of idea of a long lived trust signature thing to very, very short time frames. But it's being tied by Microsoft to an Azure identity. So it's kind of changing code signing's meaning from company authentication to Microsoft identity authentication. Now we would look at a code signing cert normally and go, well, you know, Verisign says that this company is fine, so therefore the binary is probably fine. Now we're saying, you know, Microsoft has just said this particular account is in good standing in Azure and has paid their bill. The meaning of that is kind of the same. But also like the way you think about code signing I guess is a little bit different than that. I just thought it was an interesting kind of change for how I thought about it as a result of this like very rapid, like now it's just about identity and tying it together at a point in time and that's all. And in a way that's good. Like that's kind of what it always
B
was. I was just thinking as you were talking, like next week's sponsor interview is with the Airlock guys and it's a funny one because they're talking about a couple of things like how DigiCert got owned with a malicious SCR screensaver file and then someone was able to sign like malicious files or obtain hardware certificates for like YubiKeys that were signing certificates. One of them was for like Tencent by actually completing orders that they paid for and whatever and going through that process. But the funny thing and the reason Airlock we're talking about it is like, like shortly after this happened, Microsoft Defender started flagging DigiCert's root certificate as malware and removing it from people's machines. I think it hit like 4% or something of Defender users. And like, thankfully it didn't affect Airlock customers because. And not because they're geniuses, it's because they cache certs, right? So by the time it was like Microsoft detected it quickly and sorted out, but you know, just the whole thing, the whole story, like the CA getting owned, malware being signed, Microsoft's, you know, like, they haven't admitted that that was what they were trying to deal with was like revoking some certs and accidentally nuking the trust cert. But like, the point is that whole system is kind of broken, right? So if we're moving to something a little bit fancier a la what you described, I mean, probably some people who are smarter than us have put some thought into that and it's going to be a step forward, but that is it. Oh no, that is not it for this week's news because we do have one more thing I wanted to add. There's a story here in 404 Media and we'll just add it as a reading list item because we are out of time. There is. It just talks about more of this software that does real time deep fakes. This one's targeted at streamers.
We spoke last week about some Chinese software more suited for criminals who are trying to do fraud stuff with the real time reskinning of people. Real time deep fakes. The point of including this this week is this stuff is popping up now and very soon it is going to be absolutely everywhere and available to absolutely everyone. You need to adjust your understanding of risk accordingly and BEC procedures and things like that because. Because it ain't too long before you're going to get FaceTimed by someone who looks exactly like your boss and sounds exactly like your boss, who is not in fact your boss. But we are going to wrap it up there, guys. Great discussion as always this week. James Wilson, Adam Boileau, thanks so much for joining me.
C
No worries, Pat. Thank you very much.
A
Yeah, thanks, Pat. I'll see you next week.
B
That was Adam Boileau and James Wilson there with a look at the week's security news. Big thanks to them for that. It is time for this week's sponsor interview now. And you know, as regular listeners would know, I've been a bit under the weather lately. So James Wilson actually stepped up to do this week's sponsor interview with Mr. Haroon Mir, the founder of Thinkst Canary. Now Thinkst, for those who don't know, it makes canaries, hardware canaries that you can plug in at various points in your network. So, and you can, you know, you can set them up to look like anything you want, like a SAP system, file share, you know, network device, whatever. The idea being if someone is on your network and they're starting to see something that looks like an interesting target, they're going to start interacting with it and you get an alert. They also do a lot with Canary tokens and whatnot. And you know, this stuff has been around a while now and is, I think you could probably lump it in with one of these sort of, it's a, it's not a control, it's a detection, but it is one of the simpler ones. Right. And we're hearing a lot of talk lately now that we're entering this and of AI attacker age about how the simple things are really going to be what's, what's most valuable to our defenses in the future. It's a sentiment I happen to agree with. So here is Haroon Mir reflecting on that, about whether or not the simple things are what's best.
D
The back to basics thing is an interesting take. A little while back I gave, I think it is a talk at Black Hat where I said one of the problems with back to basics is that it's almost over determined. Like post a breach people say well, they should have covered these basics, but there's 50 bajillion basics. And, and so it becomes a catch-all that makes sense in hindsight, but which of those basics should the CISO have focused on? And, and so a company gets popped because of password reuse and you go like oh, they should have had those basics or they get popped because of like flat architecture and you go oh, why didn't they do the basics? And, and so it's a little bit unfair that way. But, but what's interesting and, and obviously I'm a vendor and you, you take it with a pinch of salt. But, but we shaped Canary very specifically like, like against other deception players. Almost. One of our defining characteristics has been for crazy ease of deployment. And the main reason we did it, like, there's lots of features that we'd like to build. Like, we'd like the end product, but we think they're too implementation heavy. And we think for deception, that's not good enough. Because like, our, our product belief is that deception should install easily and get out of the way. And our pitch for that is if companies have to focus on deception and build like fancy deception stories and deep integrations, then they. That's time they should be spending on solidifying their base and fixing their problems. So we believe canaries work best if the implementation cost is so low that you literally deploy it in an afternoon and forget about it. And so we're looking for that really low cost. And then what we spend time on trying to get right is those sweet spots where you get an asymmetric payoff. Like, the implementation is really cheap, but the payoff is really high.
C
So I think the key takeaway from what you just said is as people go back and revisit that long list of stuff they could have, would have, should have done. Canary is actually pretty low on that list and should be like the next thing to pop out because it's fast, it's broad spectrum, and you just get it done fast. Right.
D
I think you. You end up mentioning there the. The perfect takeaway for me from Matas model vulnpocalypse is like, probably one of the most enduring security quotes that I don't think gets enough airtime was Brian Snow, way back had this great quote that said your networks only survive due to like, the sufferance of your opponents. Like, like, the only reason you're not popped is because opponents haven't popped you yet. Like, it's not what your team are doing. And, and you and Brad were, were saying during the week or during the previous podcast, we've gone through a few iterations of is this a world changer? And, and like, like to put a thing on it. Like, when patch diffing became a thing, everyone was like, oh my God, we're done. Yeah, we're going to reverse patches. We're going to have n days we can't patch so fast. We did. When Metasploit came out, it was like, oh my God, everyone's going to have access to shells and good shell code. And all of them were game changers. Like, they did accelerate timelines. But more than anything, what, what every one of those did was chip away at this thought that said our network's untouchable. Like all of them said, you're touchable now. Yeah, yeah, you better do something about it. Like, like you're gonna get. You're already naked. Like, like the tide's going out. So the famous quote is like, when the tide goes out, you see who wasn't wearing their swimming trunks. And all of these are basically like, yep, the tide's moving out. You'd better, you'd better put on some shorts.
C
There was a point in time when a canary was super useful because you would know when someone was rifling through your stuff. And that was back in the days when dwell time was long. And if you got that heads up, you could probably evict them. You could minimize your damage. But man, what we're seeing emerge now is just this indiscriminate. Soon as you've got access, smash and grab, do the damage and go. I mean, tell me why a canary is still useful in this day and age when frankly, by the time the canary pops off, we're all gone anyway.
D
Yeah, so. So I think, I think as those attacks become a thing, like again, if I talk about original sin stuff, one of the problems we always have is when a new attack pops up, it doesn't mean the older attacks stop and stop being useful. So, so we've got to worry about these new speed of wire attacks. And look, some people like Dave Aitel has been even pre LLMs making this claim and insisting nowadays attacks are going to happen so fast, detection doesn't matter because we're going to be out of there before anything, anything really trips a wire. And I think that's true, but I think you've still got state agencies taking their time and rifling through stuff and finding things and you still need to detect that stuff.
C
And so if I, if I understand what you're saying there just. I think it's a good point, right? I think what you're saying is this is, it's almost like this is a cumulative game, right? The surface area and the defenses are cumulative. And you don't just stop doing one thing because the speed's increasing. Because if you do well, maybe they'll turn around and say, actually that smash and grab was not what we want to do. That was means to an end. And if you've all given up on canaries awesome days, we just take our
D
sweet time now and I think that happens pretty consistently. There's a defocus on this and that becomes the path of least resistance again and attacks. And I don't think those attacks have gone away. I don't think people are massively retiring their teams of attackers because people are still going to be doing the troll through networks. I think we can see signs like with the recent published Mexican government attacks, you're seeing signs of people abdicating to agents so that agents can move really quickly. And I think those are going to happen. And again I'd argue even in those cases like the thing that we largely got lucky with with canaries was attack on like objectives of the attacker are still such high quality signal that says you can absolutely react to this attack thing. So, so when someone's done this stuff you can now say very few things give you the certainty to say yep, kill that IP. Yep, absolutely kill this, drop this whole segment because this attack is so clearly bad.
C
And the different intent you're talking about there is like there's probably a very different response to hey, the canary that's pretending to be our SAP instance is just gone versus you know, hey, that, that you know, AWS credential that we left lying around. Right. Because it's just if I'm understanding right, those are fundamentally two different mindsets of an attacker. If it's the thing that looks like the SAP instance that they're going after, then you've probably got someone that's very interested in your data. If it's the AWS credentials could be totally different motivation. Right?
D
Exactly. Right. And so like a long time ago Ryan from Slack said any sufficiently advanced attacker is indistinguishable from your lead developer.
C
And, and I think it's vice versa now with agents as well.
D
Exactly. It's, it's gonna be impossible to tell. And, and interestingly for, for agents internally, I think there's a whole new problem that's going to come up where like it's a whole separate thread that, that we can go down that, that says with agents and, and we've started to see it with OpenClaw. We had these problems with over provisioning users with credentials and we largely, despite what people with scars would tell you, we've largely gotten away with over provisioning users because Sally from accounting didn't know what to do with domain admin even though she had it.
C
But her plus there's a couple of other checks and balances that make sure that Sally's not going to go and wreck the domain.
D
So, so what's interesting is lots of Sallys and Bobs were running around with more creds than they needed. But actually they didn't know what to do with it. Their agents will. And, and so we're gonna bump into this next level of the problem where the agents go well I've got the credentials and I've got PowerShell and now I can go do stuff and I think we're still going to figure out what happens there. But, but, but to close that off I, I think yeah. Because canaries so accurately are able to say this is badness, you're able to do stuff at reaction speed that, that doesn't easily happen with other stuff.
C
So there's no second guessing. Right. It's like exactly. It's like step one detect, step two, close it out as you said. Right. There's, there's no like I wonder what they could be doing. What does that log message mean? This is abnormal activity.
D
Yeah, exactly right. In fact in again in our product and this was a product decision early on, lots of the people who evaluated deception stuff wanted deep forensic traces like post a Canary getting hit. Until today we don't do that. Like, like we literally make our pitch on actually if I told you this IP did this thing like in our
C
case, that's all you need to know.
D
Yeah, it's, it's this guy did something really bad, go do something to it. And we've gotten better around it, like better info for security teams but for the most part we think it's sufficient because that's what we're going for. This is really high quality signal. This is badness. Go do something.
C
Well, it's a slippery slope that you're avoiding as well, right? Those product requests mount up. Haroon, listen, it has been so great to chat with you. Thank you for putting up with my, my cranky challenges and I appreciate the answers. You know it's going to make me really rethink the way I've been viewing this problem and what we need to do. But man, like I said, great to meet you. Thanks for dropping by.
D
It's been super fun. Nice to meet you.
B
That was Haroon Mir from Thinkst Canary there. Big thanks to him for that. And you can find them at Canary Tools. And that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis but until then I've been Patrick Gray. Thanks for listening.
Podcast: Risky Business
Date: May 20, 2026
Host: Patrick Gray
Co-hosts: James Wilson, Adam Boileau
Feature Interview: Haroon Mir (Thinkst Canary)
This episode dives into an alleged security incident at GitHub and explores a wide range of vulnerabilities, incidents, and research from across the infosec landscape. Topics include critical lapses with GitHub repositories, evolving APT malware targeting nuclear simulations, AI's impact on bug discovery and open source communities, a range of enterprise software vulnerabilities, and a deeper look at “back-to-basics” cyber defense in an AI world.
[24:12] Apple M5/macOS memory integrity enforcement bypass: Researchers have achieved it but are holding details pending patching.
[25:54] OpenAI “Daybreak” Initiative: Ostensibly to “combat cyber threats,” but currently appears to be just a webform.
[27:42] BitLocker Lapse: Default BitLocker TPM deployments can be trivially bypassed by manipulating Windows Recovery, exposing disk encryption keys.
"People look outside, they see it’s raining and they talk about getting their AI controlled laser beams to shoot down the raindrops when probably you’re just better off with an umbrella." (Pre-interview, ~00:40)
“This is not about, oh, whoops, the repo should have been private. You never, ever, ever store things like this in a GitHub repo, right? This is the stuff that goes in your password manager, in your secrets vault.” (02:16)
“What they were doing back then and how sophisticated both the thinking about like, how to do it...[now] we’ve got this whole other piece, and as you say, like, that was 20 years ago. What, like, witchcraft are they up to over at Fort Meade these days?” (09:57)
“…the challenge for open source people is they have the added complexity of the social dynamics...(AI) economics are a bit weird for them.” (21:57)
| Segment | Topic | Time |
|---------|------------------------------------------------------------|---------------|
| 00:58 | GitHub's ominous security incident post | 00:58–01:10 |
| 01:10 | CISA credentials leak, GitGuardian, credential sprawl | 01:10–06:20 |
| 06:33 | Fast 16 malware, targeting nuclear simulation | 06:33–11:55 |
| 12:35 | Iranians hacking US gas tank sensors (uninspired attack) | 12:35–13:57 |
| 15:09 | Fiber-optic price surge from AI buildout & Ukraine war | 15:09–17:01 |
| 17:01 | AI-driven bug finding, vulnpocalypse, open source impact | 17:01–23:31 |
| 24:12 | Apple M5 exploit, memory integrity enforcement | 24:12–25:54 |
| 25:54 | OpenAI’s ‘Daybreak’ and skepticism | 25:54–27:26 |
| 27:42 | BitLocker physical bypass | 27:42–32:20 |
| 34:48 | Signal alternatives, Polish ‘mCipher’ fork, Balkanization | 34:48–38:43 |
| 40:49 | Major bugs in Cisco, Huawei, SonicWall | 40:49–44:26 |
| 44:26 | Fox Tempest: Malware signing as a service takedown | 44:26–47:56 |
| 49:13 | Real-time deepfakes for crime and risk management | 49:13–50:10 |
| 51:33 | Sponsor Interview: Back to Basics (Haroon Mir) | 51:33–62:18 |
Risky Business #838 delivers a fast-paced rundown on headline vulnerabilities, vendor failures, and the evolution of attacker and defender tools. The episode ties together urgent caution around human error (“you can’t solve this with a technical control”), the maturity and creativity of APT tooling, and the challenge of explosive AI-fueled bug discovery. Philosophical threads running throughout include the limits of core tech (Signal, BitLocker, Cisco), the fracturing of secure communications, and the enduring need for simple yet strategic security measures—“umbrella, not laser beams.” The interview with Haroon Mir lands the episode’s theme: building on straightforward, high-payoff controls (like canaries) is still essential, even as AI bends the curve.
*For busy pros: