
Thank you know. So first of all, thank you for being here. No no already presented the name of our talk: it's going to be mostly about man-in-the-browser attacks. We'll demo our own Trojan and discuss the damage that one can do with it, then we'll move on to defense scenarios and we'll present a new approach to defend against this type of threat. So, for the ones that are not familiar with man-in-the-browser attacks, we chose to quote the OWASP definition, but basically it all starts when a user's device gets infected, usually through some sort of email phishing campaign (I told you not to click that attached Excel file), and then the Trojan just
quietly sits for the user to access one of the infected websites, and when it does, it's able to freely modify the HTTP requests and responses, and they are able to inject arbitrary code into the web page and to exfiltrate sensitive information. So this all happens: the Trojan accesses the network stream after decryption but before the browser renders the web page, hence the name man-in-the-browser. So it's useful for you to use SSL in your websites, you should totally do it, but it does nothing to prevent these attacks from happening. But man-in-the-browser is not new, they have been around for some time. Let's do a quick incursion into time. So the first man-in-the-browser
Trojan was used in 2007, and this was ten years ago. Wow, ten years old; soon enough it will not require an ID to violate. Its source code was released in 2011, which actually opened the doors to many other man-in-the-browser Trojans. So below you can see a picture that illustrates what we call a web inject. You can see that it has a target URL, which in this case is intentionally redacted, and it has some sections to specify the injection and where to inject. So in this case it's adding one field to the form asking for the user's ATM PIN, and as you know, it doesn't matter how dumb these things are and all,
there are always lots of people that will fall for this. The second one I would like to highlight is Tinba. It was first seen in 2012 and it's special because it was the very first one to tamper with HTTP headers. It actually only removed one header, a very specific header, the X-Frame-Options, which allows the attacker to load the web site inside the iframe, for instance, and then they can pursue and do a clickjacking attack against the website. But we don't have time to cover all the man-in-the-browser Trojans, so this table summarizes or includes some of the most well-known man-in-the-browser Trojans and their capabilities. So from left to right you
can see that they are able to do form grabbing, they can collect data in any form, and they can do web injects, that I already mentioned, and these two are almost mandatory for any man-in-the-browser Trojan, so they probably include these two for sure. But there are other capabilities like keylogging, the ability to do data harvesting and exfiltration, remote access, also known as RAT Trojans, and some of them, a few, are capable of spreading out like worms. They also can use web fakes, or copies of websites that the users will actually navigate, but they are accessing a different web server. And finally the HTTP headers tampering that Tinba is
capable of. So here you can see the most prevalent Trojans in the first quarter of 2002, a study by IBM, and it's interesting because the top three is Zeus, which was the first, if you remember, and is still in the first position, and the second and third, Neverquest and Gozi, are actual variants of Zeus. So in many ways they haven't changed for quite a while and they are still effective and still in the world doing damage. Also they keep changing their web injects, and so it becomes hard to detect when they are actually modifying the web page, because they change the scripts, they change the message, and they do it to spread out to other regions, other
countries and other verticals. Man-in-the-browser Trojans, they are responsible for millions in losses, they spread out through different industries, and they have infected literally millions of different devices across the globe. But the thing is, no one knows the real size of this problem. I mean, we don't know how many man-in-the-browser Trojan attacks go unnoticed. But to give you a couple of examples: in 2007 go Z was able to compromise 160 devices from NASA (I guess the attacker was anxious to know if we really landed on the moon or not), and in 2010 Citadel was able to capture half a billion dollars. But this problem is really important
and I think that we all should pay more attention to it. If you think about it, it doesn't matter if we are able to fix all the vulnerabilities in our web applications, because even if we could do it, it doesn't matter for a man-in-the-browser attack, because they don't need vulnerabilities in order to do web injects; they can freely modify the application.

Let's take a look now at some of the standards that you can use to defend web applications on the client side, starting with CSP, Content Security Policy. So it's meant to prevent script injections into pages, so you can set a bunch of policies to specify which scripts can be loaded and from
where, and you can do that with a special header or with the meta tags. It has some limitations: it requires a lot of configuration and maintenance, and I'd like to emphasize one of the limitations, which is it does not apply to browser extensions. So this is major, actually. The authors of the standard, they simply think that this is out of scope for CSP, to protect against any code injection from browser extensions. Here you can see an example. So basically on the top, in blue, you can see a policy which basically allows same-origin scripts but also scripts loaded from www.example.com, the hash in that rule. If they don't, the scripts will be blocked and it
will be sent a notification to that endpoint that is specified. There's also a version where blocking does not occur, just the reporting, and you can see the basic structure; it's a different header. Next, HPKP. So HPKP is intended to pin a certificate to a certain web server into the browser, so this is meant to reduce the possibility of man-in-the-middle attacks with forged certificates. It's kind of not really supported by many browsers, for instance IE, Edge and Safari. So it has received a lot of support in Chrome, but Chrome just announced that they are moving away from this standard because it really caused a lot of problems with websites being
locked out if their certificate for some reason doesn't match the certificate in the user's browser. Here you can see an example, and again I'd like to emphasize one thing, which is it has the capability of reporting to an endpoint if the certificate is not matched. Lastly, HSTS, which is meant to enforce the use of SSL in your website. It protects web sites against protocol downgrades and cookie hijacking, and, well, there's nothing really particular about HSTS, but it doesn't do anything against man-in-the-browser attacks. So do you see the trend? A lot of this browser security is being done using headers, but there's a huge caveat: if you remove the headers you
will completely bypass these defenses. So this is what has been developed in the scope of the W3C, and also, if we were able to somehow prevent those headers from being stripped, no standard, no current standard is able to prevent the script injection; as I said, CSP doesn't do anything to block any script injection from browser extensions. As a side note, it's interesting to see that some of these standards, they have report-back capabilities, which is interesting because security professionals, they want to know when their policies are being offended, right? So then we thought: man, this is bad, and want to make it worse. That's when we decided to do our own Trojan, and here is
where I pass the token to Paulo, who will demo and talk about our Trojan, followed by a demo.

OK, so let me first say that this is my first BSides. Is it on? OK, awesome. Let me first maybe ask you: how many of you access your online banking system using a browser? OK, cool. How many of you have a different browser profile to access your e-banking and to surf Facebook or other? You have two, three, four, five, six. OK, cool, not bad. As a security company, and maybe as most of you, we want to break things, and our main goal was to break HTTP header-based security standards like CSP.
Of course we want to do this but also pass unnoticed, so behave like a real Trojan. And recently we did a big effort reverse engineering some man-in-the-browser Trojans to understand how they actually work, and we thought that those would be a nice starting point. We are talking about C++ code, and it is not bad, you can get it online, it's available. But then the development process, you can imagine: it was change the source code, compile the source code, get the binary, which is a builder, then run the builder to get a dropper, then move the dropper to the victim's computer, infect the victim's computer, and then see if anything has changed on the victim's
environment. So it was not quite easy to move forward fast to prove our point. So there's another issue: all of them, they are binary, Windows binary Trojans, so the audience is Windows only. So we thought that make it even bigger, and what we can run broadly, and browser extensions: you use the browser to access web, so let's run inside the browser, in browser extensions. Looks really interesting: we master web technologies, JavaScript, HTML, CSS, so the development process, nice and friendly. They also run on Windows, Linux, Mac; doesn't matter, if there's a browser we can run there. So cool, even bigger audience, and we have also some extra points: CSP does not apply to Chrome extensions, browser
extensions, sorry, which is cool, but we want to defeat them anyway. And also browser extensions, they are developed by anyone and they are known to have all sort of security vulnerabilities. PDF.js have cross-site scripting the early stage, and we can get these also from a dog extension, so it's an interesting point. And if there's something interesting about browser extensions, and let me choose my words: they can read and change all your data on the websites that you visit. This is cool: even if you just want to know the weather, the extension will read and change all your data on all websites you visit. Browser extensions, they are developed on top of a broken permission
model, like mobile applications are, and this is cool because we want to install the mobile application or the browser extension and we just say yes, we want it, we accept it, we know it, no problems. And in fact they can change completely how your application looks like, any application, OK, all applications, all websites. They can inject JavaScript, so they can tamper with data, change data, steal data, do whatever the attacker wants, and even they can pass unnoticed, which is really cool. So then, OK, let's choose which browser we want to target, and Chrome right now is the most used, the Chrome extensions documentation is really good, so easy to go. Then of course we have to
think about architecture. We are developing and we want to do a great job, and we started about modular approach using implants. Implants are something interesting: you don't have to put there the feature inside the extension or the malware, you can just pull it remotely, so you can offer a nice extension and then pull the malware when it's done, it's installed. So of course our goals were to tamper with headers, because we want to break the standards, but we also want to implement all the major features we saw on the man-in-the-browser Trojans. And so I would say that our biggest requirement would be to have a stealthy extension, in this case Chrome extension, and by stealthy we
mean that we want users to download our extension and use it. We want to solve users a problem they have, so they will download our extension. Of course we want to maximize our audience, so let's see what users are looking for on the store. And pass unnoticed, of course: we don't want them to notice that we are doing dangerous stuff, and also bypass antivirus and firewalls. So searching on the Chrome store, what we get: AdBlock, and ad blockers in general are the most downloaded extensions. Anyone has an ad blocker? Oh, cool. So AdBlock claims 40 million users, which is cool, and they will read and change all your data on the websites you visit. Cool again. So we took
from our imagination to create the Ad Block Plus extension. I would say that we can get also 40 million users, and we even, they asked also to display the notifications, but we kept it simple and we will just, we haven't changed all your data on the websites you visit. So every man-in-the-browser Trojan has a command and control server. This means that you have the client part, which you install, drive-by download, you need an ad blocker and this is the best one, and we have the server from where implants will be taken, the malicious part, and also the configuration. So this was not our main focus, so we kept it simple, but we made
something distributed, so we have plenty of servers spread all over the world, and they can send the stolen data and pull configurations and implants from everywhere. They send the reports and then everything gets pushed to an Elasticsearch instance, because we were expecting much data, so let's keep it simple and get the right tool to get the job done. Just to give you a brief introduction to Chrome extensions, because then comes the best part: this is the lifecycle they offer developers. So as we want to break headers, we have onBeforeSendHeaders and we have also onHeadersReceived. If you're familiar with JavaScript on and on our events, they are triggered allowing
asynchronous programming, so the performance impact on page loads and runtime is really low. So it's cool, we will pass unnoticed. So our first question and our starting point was: can we modify headers? If the developer tools can read them and show them, so should we. And in fact, with just a few lines of code, we did it, and as lazy as we should be, we went to developer tools and checked whether the headers were removed, but they were there, unchanged. But this, and better this way, they were there unchanged, but in fact they were dropped. But because this works on a chain of responsibility, the first one to read will see the original
message, then the next one will change, but it doesn't go back to the starting point, so you will see the header on the developer tools but it is taken out. So man-in-the-browser Trojans, they do not change the DOM, but they tamper with markup. This means that they inject, like we saw before, the PIN field on the HTML on the wire, and then when it gets rendered on the browser the field is already there. Chrome extensions, they do not allow it. OK, cool, maybe we can think that this is a security strategy, but there's a feature request to allow it, and the guys are just taking longer because they are concerned about performance, so soon we
will be able also to change the response body. In fact we were digging and we could do it, and instead of using the webRequest API we could have used debugger and we would have been able to change also the response body, but then every time we try to do it this will break our stealthy requirements. So we gave up about changing the response body, because we can change the DOM, and we will do it even better because no one will notice; this is how extensions work. So this is the overall architecture we have right now. OK, so we have the client, we have our implants, which get pulled from our command and control server, then we
collect stuff in here and listen to their command and control server, which then push it to the Elasticsearch database, and hopefully we'll make profit from it. So I'd say that everyone wants to attack not only to be found, and what we have next is we will craft the attack. Oh, I came together, let me have, just let me show you. So we said that we would offer users a feature that they want, and
this is something that we don't want to see on our pages when we are reading the news, so let's enable our extension and go to the same website and get the webpage free of advertisement. OK, so I think that we have epic customers right now, so it's time to pull implants and start playing around with users. And let's choose, I'm sorry, because I'm not so familiar with Mac OS shortcuts, it's F, how, sorry, OK, cool. So let's choose our, OK, in this is OK, control, cool. Let's choose our targets. Let's think a world where there's only a single e-banking solution and all of us, we are customers of Virtual Banking. OK, this should look like a banking, OK, this is the e
banking website we will attack. OK, cool. So what I will do next, or we will do together next, so how can we move this to half screen again? OK.
Let's start from the beginning. Let's try to make our attack even bigger, and instead of focusing only on the web strategy of this bank, let's also offer the customers of Virtual Bank a fake mobile application. Probably some of the users, they have their mobile device rooted or jailbroken, and you'll get your fake mobile application downloaded and installed. So let's use the homepage to communicate users, or tell the users, that there's a new mobile application. OK, so what we need is to tamper with the Virtual Bank homepage and show them some announcement of the new application. What is in here is just a pop-up. Let me just, OK, I'm not on the right side. Let's visit Virtual Bank again, the full
screen app. OK, gosh. So this is now how a Virtual Bank user will see the website. OK, so what looks a legit advertisement, OK, and even you can go to what we call a web fake, a web site where you can download the mobile application. OK, there's nothing here which can trigger the user that he is being tricked. OK, and there's something interesting here regarding these advertisements. Now can I do it? OK, pop up the debugger, as we said before, and let me show you the network. This website takes security seriously and they use the latest standards available, so they only accept images from their own domain, OK, and data, which should be built in the
markup itself. But if we have a look on where images are coming from, they are coming from a secure website called play google.com. OK, so the standard is not working, but we said before that it does not apply to browser extensions. So let's just move this again, OK, and let's see how Virtual Bank works so that we can craft our own attack. So a user comes to Virtual Bank, then he has to sign in. This is F, OK, and doing much better right now. They should log in, and maybe it would be cool to gather all Virtual Bank users' credentials, so let's update our configuration file. The tamper is done; let's grab all user authentication
tokens, OK, and let's move on; then we will behave and do the rest. So let's sign in. So when the user gets in his account, we'll land on a page with our details, all the details about our credit cards, account balance. OK, so let's place a transaction order. OK, it would be cool to also collect credit card data, balances and other stuff, so to do it at a glance, let's take a screenshot from that page. All right, OK, we are taking a screenshot from this page also. OK, screenshot is done also. But what about the transaction? OK, let's pay our rent, but let's take all the money to our own accounts. OK, and this just requires a few lines of
code. Let's make it easy. What this means is that instead of sending to the destination account the user fills, let's send it to our own account. So a few lines of JavaScript will hijack the submit event of the form, prevent user data to reach the server, and we will put there our own. OK, I have here what looks like a shorter version but is exactly the same. Let's take this configuration with us to our configuration file. OK, but let's pay our rent and see how it works. OK, it requires a second authentication factor. Cool, this is something standard right now, but we can see that the user will have access to the transaction details. So to do a professional job, let's do it
right, and let's change also in, because if we place there our destination account, the user will see that the money is being transferred to a different account. So let's do the right thing and also tamper with the details so that the user won't notice that we are just redirecting the funds. And so we should be done with a full attack. If we confirm the authentication code, this is the resume of the transaction. So we have a complete workflow for a funds transfer. What we should do now is see this in action. So what I will do next, I will show you the attacker side by side: on the right side we will see the attacker perspective, where we will
collect data. I'm not doing, OK. And I told you before that we were lazy, so we will use Kibana to get live data on our side. Let me make it live updating now, totally fresh every five seconds. So let me just clean the database. Where is, no PC here, well, besides videos, OK. And right now the database is clean, so let's start on the left side, where we have the victim's browser. So let's visit the Virtual Bank, where we will be shown the advertisement, OK, which we will close, and just in a while we get on the right side a report saying that the user, let me think, def F, just to make it bigger. Right now
we know that the user who visited the homepage (we have also IP and other stuff here), he saw the banner, OK, just showing the advertisement to the mobile application. So let's, no, no, OK, let's just close this, we don't want to go there, but let's make our identification, OK, and let's see what we get on the attacker's website. So again we have a report, and you can see my ID and password. OK, so as lazy as we were before, let's see what screenshot we got from the client side. OK, OK, this is not the whole page but it's the account details, so we can get everything at a glance. So let's move on with our
transaction. OK, it's again on the side. Cool, I have to put this bigger.
OK, where other than Ella, OK, better this way then. So, a new transaction, and now it's time to see, we have the other window, yes.
OK, what we have now: another report saying that the form was hijacked. And what happens when the form is hijacked?
Let's again pay our landlord the rent. OK, and this is what we expect to see here, and when we confirm the transaction we have also the destination account there, but in fact the funds were transferred to a different account number, as we saw in our hijack source code. So I have something else to show you, because our main goal was to defeat Content Security Policy, so I need to show you how it looks when you have a policy enabled. So this is how we test the browser; this is the official web page standards. So if you have your Content Security Policy enabled, as you can see here, everything is green, and let's just have a look on this test. So
this image won't be loaded because it's coming from a third-party domain, which is not allowed. So let's break it and drop the policy, what may allow resources to get downloaded from anywhere or everywhere, and this should be enough to load the image from wherever you want, OK, and break all the other stuff. This means that right now we can run JavaScript from anywhere, what kind of JavaScript we want, load resources from everywhere. So if you're relying on Content Security Policy to hide, or at least feel safer, due to cross-site scripting or any other security vulnerability, you're not sure that the browser is applying the Content Security Policy, because something can drop the
policy. So you should be sure that you're not cross-site scripting vulnerable, or any other kind of vulnerability. And then you can also leverage this if you want to have fun: you can maybe keep your competitors from the game, and let's make the world better again and take Google out of our Google Beauty, and let's use really search engine who respects our privacy. So how can we move back to the presentation? OK. We had also the goal to pass unnoticed. So we have a tool, we can make money, you saw the numbers of the market, but we had also the goal to pass unnoticed to all the security tools we have on the client side or also server side, so
WAFs, firewalls in general, and antivirus. Most of them, they work with signatures: they know something, they take a picture, they know what to look like to identify what is going on. So taking advantage from polymorphic JavaScript we can bypass them. And how does this work? We just write our source code, we pass them through some tool, and we get different versions doing the same but looking differently, which makes that even if they have a signature, then five seconds later our payloads or our implants, they will look different; they will pass easily these kind of validations. So what does this all mean? That you're not safe, or you're not safer, even if you're applying the latest
header-based standards for security. So you should be sure that your applications are not vulnerable, and you have companies here which can help you finding your security vulnerabilities and fixing them. You should also, if you're offering services over the Internet, if you have applications, you should care about your users, because if something happens with user data, user profiles, user money, your brand has a problem, your company has a problem. So we should think our applications not only keeping the server and the assets safe, but also all the flow should be safe; we should deliver something safe, and safely. And you should think about extensions; they will become a standard. Yesterday Mozilla was in a roadshow in
East their. Next November 14th Mozilla will release its Quantum browser, and Mozilla dropped Firefox extensions and they will implement the same API, which they are pushing to be a standard, than Chrome. OK, I had the chance to ask them about these questions, and they kind of don't know. They are implementing the same API; probably they are not expecting the same issues, but I think that they did not think about them. So we should think about this as a global problem: if we want to deliver rich browsers allowing users to do whatever they want, they can compromise our applications. So we truly believe that we don't need to develop any more binary malware to offer only to Windows users,
mostly to you Windows users, because we can get a better budget if we deliver Trojans to browser extensions, because most of the time we are using the browser, not specifically the operating system. But we are not here today only to show you problems; we want to make this something more interesting. So what can we do to take security a step further?

Thank you. So we thought: what else is there to defend against this? Taking a look to solutions that are not standards but commercial solutions in the market, there are a few solutions that we thought about how they could potentially avoid these type of problems. OK, what about now,
better? I'll try to speak up. OK, so one of the solutions is device fingerprinting and geolocation. They don't work against man-in-the-browser type of attacks, because the user is using his device and is probably accessing the web page from his usual location, so there's nothing that you can gather from using this type of techniques. Fraud monitoring might work in some cases, but remember that man-in-the-browser, they can be very subtle on the way that they change the page and the way they change the transactions. The example that you just saw from Paulo: they were only modifying the destination account number. So consider that it was a one-off transaction to someone: how can
the bank potentially know that this isn't a good transaction, that it is a fraudulent transaction? They can't know. So there are lots of ways for fraud monitoring to fail. And then you have bot detection and behavior-based detection, which won't work either, because the user is in command: they are controlling the website, they are navigating through the websites, so the man-in-the-browser is just passively waiting for the user to take the actions, and to modify as few things as they can, and as stealthy as they can be, to modify the user experience and commit fraud. And we propose a new approach, which is called application real-time monitoring, in which basically
we are continuously monitoring the webpage DOM for any modification, any non-expected modification, and for script injections that might be modifying the native APIs and hijacking events. So it just needs to continuously monitor the page. We recommend the whitelisting approach, because we learned from antiviruses that you cannot possibly recognize everything that is malicious now and in the future, but you have to use something like machine learning to deal with the false positives, because some of the changes, they will be benign. And as soon as you detect something, you just send out notifications, real-time notifications, to the backend of the application, to webhooks, to any API, and that can
potentially trigger reactions from the web application back-end side. So if they know that something is happening, they can stop the user from logging in, they can cancel transactions, they can do a lot of things, they can call the user, and this is a very powerful effect if this is transmitted in real time. So it allows the page also to self-heal, because if we know that the DOM, for instance, is being modified, we can revert that, or try to do it. But in order for this approach to even work, it needs code protection, because otherwise the man-in-the-browser Trojan might just tamper with the defense code like it does with the normal code from the
webpage, and for that we recommend code protection that has runtime application self-protection capabilities, because it needs to be resilient against code tampering and other types of JavaScript-based attacks. OK, now let's do a short demo of this approach, and just sit
OK, so what you are seeing is the dashboard, so this is basically operated by the security team of the web application; it is not available for the end user. And in this page I will load the virtual banking application that you just saw. OK, so the solution is not enabled yet, so you are seeing the tampering, and I would like to show you as well a non-infected version, a profile that's clean and with no extensions, and to load the same website. So as you can see, no banner in this version. OK, so let's just quickly enable the solution, and for that I just need to add the script, which is commented out right now; let me
uncomment it and just start the script again. OK, and now let me load the same web page again, virtual banking. So as you could see, for a split second you saw the banner there, but it was automatically removed, and here you can see in the dashboard that we are receiving alerts, real-time notifications of the tampering that just happened in the code page. So we can see the IP of the end user, the user agent being used, the URL, and you can see in full detail what was the injection, so it's highlighted in red, and you can see details like the links for play google.com. And as a researcher you can use this type of
approach to have in full detail what the attack looks like, and just pursue this information and follow it to discover the command-and-control and to try to take the bots down and protect your websites. OK, so let's continue, enter the online bank. And I haven't even logged in yet, I'm already seeing new threats coming in, so let's see what's happening here. And I see code poisoning happening in the page, and let's see the full details of this. And what happened here was that the form, the authentication form, the onsubmit event was changed to this code, so you can actually see the code, and it's just exfiltrating the credentials to the C -
let me log in and here I am in the account let's initiate the new transaction as before and new threats are coming in so I haven't submitted the transaction form yet so potentially because the backend already received the notification they could actually prevent the transaction from being accepted and also they could return like something is off and even blacklist the user from doing fraud from doing transactions and while they sort this out and call the user and we think that your device might be in fact infected and for that reason you cannot do transfers and this is for your own good to protect you from money being stolen from your account so in
this case we have a new code poisoning the code is very easy to read in this case in a real scenario it wouldn't be probably the code might be obfuscated and hard to read so in this case they are collecting the original name original destination account number and just storing this in session storage and at the last minute because this JavaScript will only execute when you submit the form they are just creating a new form element with a different destination account number and confirm the transaction and like Paulo has shown you before even the information that's being shown in so you can see landlord even the information that is being shown in
the confirm transaction page is being tampered because the bank received a different destination account number but you want the user to see the name and destination account number he was expecting in order for him not to suspect that something off is happening and this is basically it so wrapping sorry about that so wrapping this up we saw that modern man in the browser Trojans are capable of completely compromising web applications by doing DOM tampering and hijacking events and doing API poisoning just injecting arbitrary code into the web page and they can exfiltrate sensitive information trick the user into doing other things like downloading fake mobile applications and compromising the user's mobile device they can just
steal money for instance in this website and it was easy enough to completely defeat most application security standards like CSP and other types of standards that are based in headers and other techniques we saw that they cannot do anything against this type of attacks we also established that you can use extensions for doing this I think I believe that using extensions can replace the traditional binary man in the browser Trojans and they are very easy to deploy very easy to develop very easy to test and you can leverage social engineering attacks like we developed the Adblock Plus and it's very easy to get thousands and thousands of users to deploy your extensions
we haven't done it because we don't want to go to jail so don't worry so the code we haven't released the code and we will not but we are open for questions not offers for questions and we propose a new approach which is basically if we cannot stop injections from occurring let's try to detect it and do real-time monitoring of injections we think that the reporting the real-time monitoring is really aligned with some of these standards so we saw that CSP is able to report back HPKP as well and this is very interesting because applications should report back to the backend and if that happens automatically even better because developers usually
they are not that good at knowing what to detect and what to report so we shouldn't rely on developers to do that and as application security specialists it's best that the technology is installed transparently and reports back to the backend and then have developers leverage the notifications to do further reactions in line with the business logic and that's it that's all we had so thank you and we are open to your questions if you have
[Applause]
hi I actually have two questions but one of them is the first one is dealing with your method of avoiding the issue just have you tried to use the technique in a fat web app like Gmail that has a
gazillion events happening and money changing the web application in real time and what's the side effect of that I will curation with your solution and the second one is have you considered using web workers as a way to avoid the detection or the sluggishness of the end user's browser interface since web workers work in the background it's easier to hide your stuff okay so if I understood correctly you are worried about the scale right the number of events and how it so basically I can translate your question to does this scale right okay yes cueing uh-huh yeah I think that's definitely a challenge we defend that the real-time monitoring must be intelligent in order to scale so
you cannot possibly check for everything all the time so you need to have some things getting whitelisted and so that you won't do like follow-up processing on that so you need to have both machine learning and some heuristics just to see if some modification is malicious is potentially malicious and if it's not you just don't analyze it further and just focus on the ones that are potentially malicious and your second question was web workers in fact the web worker our attack is even because when you deliver the extension there's nothing there and yesterday we saw a presentation about fileless attacks and in fact we are not
storing anything on files you are pulling the malicious code from the command and control server so we just have to bypass what's on the network and today the implant will start with AAA and tomorrow can start or five seconds later you can start with BBB it's completely different if you whitelist or blacklist the first one the second one will pass so we don't have to even use web workers or what else to hide the malicious part of the extension because it's anywhere it's all already persistent I mean any more questions one over there if you're using if you're using machine learning and especially you know my affection for sorry I'm not hearing you well okay if
you're using machine learning and anomaly detection for your solution how are you establishing the baseline using a training period okay so it's and it's for each application use real users but not live data okay okay thanks yes machine weather is it right or wrong so even if you have you can you don't have an environment where you can do the training period if you allow the application to run in production and you have someone supervising the machine learning you can do exactly the same and probably even better if you have a lot of traffic you can do it faster one last question no okay so we're gonna have a coffee break now there's per station at
downstairs and I guess you have to run because they're running out [Applause]