
BG - Introducing the Smartphone Penetration Testing Framework - Georgia Weidman

BSides Las Vegas · 44:18 · Published 2017-03
BG - Introducing the Smartphone Penetration Testing Framework - Georgia Weidman Breaking Ground BSidesLV 2012 - The Artisan Hotel - July 25, 2012

Okay, my mic is taped to the floor, probably for the best. So the first thing: I have things to give away. Let's see, we have an iPhone 4S, and in order to win them I need you to say a prayer. So who's going to say a prayer? We are in a church. Does anyone want a 4S cover? I said it was the whole iPhone, but it's actually for us. Anybody going to say the Lord's Prayer for me? No? Really? You guys suck. Drink? Yeah, I could do that. So I'm going to drink in a church. That makes me feel

sexy. Let's see, what else do we have? We have premium kickstand multifunction folio. Okay, that's definitely worth the Lord's Prayer, right? No? All right, let's hear it. All right, that's a winner. Can you pass that down? We also have an Incipio BlackBerry Bold case. Who wants that? God, black, yeah. Who has a BlackBerry? I do, but that's because of what I do. But surely somebody here has an iPhone. iPhone, anybody? All right, let's hear your

prayer. There we go, there it is. Pass that down, please. All right, so if anybody wants a BlackBerry thing, you guys can just pass it around until somebody who has one admits to it. Yeah. All right, so most of this is going to be demos. This says "Approved for public release, distribution unlimited." DARPA basically needed something that they could approve, so we have slides, but most of this is going to be demos. I'm actually going to show you the framework working; slides are not interesting. Disclaimer: the views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the US government. I have to say that because

this is a DARPA Cyber Fast Track project, so I have to say that. So love to DARPA, yay. So DARPA paid for this project. Um, if you're not familiar with Cyber Fast Track, they give you money so you can do your own research, and you keep all the rights to it. So basically I went from being junior pen tester at some company, and now I am CEO. So love, love, love to DARPA. And if you want to be a researcher, they have just extended it for another year, so you should definitely turn in a project and see if you can get some DARPA funding yourself. They're pretty awesome. So the problem at hand is there's smartphones in the workplace,

pretty scary stuff. Generally when you think of smartphone and pentest in the same sentence, you think, well, we're going to port Nmap or Metasploit or (this microphone is really echoing) onto our smartphone. But what we're actually going to do here is we're going to attack smartphones from the computer, though it also has an app. So instead of just porting something onto... yeah, you can just turn it off entirely, I'm sure it'll be fine. Everyone can hear me way there in the back, right? All right. I gotta record.

Okay, so yeah, Smartphone Pentest Framework. We're actually going to be pentesting smartphones, and the idea is we have smartphones in our workplace. They attach to our servers, they have our emails, they have our company's data. Our companies would theoretically like to know what's happening with that data. The problem is, with smartphones we've basically got an out-of-band communication just by default. That's how smartphones work: they attach to the nice nasty cell tower out there and send out that information. So we would like to know, as a company or as pen testers, what's going on here with the smartphones. They're assets in our environment, and we don't really have any way to test them to see if they're

secure at all. So just think about all the things your smartphones are doing in your workplace. So probably you've got your company email, so you can come out here at Black Hat, BSides, DEF CON and pretend like you're still working and not take time off. You can still talk to your customers, so your customers don't even know what's going on. So they have the emails there, they have your data, you probably use a VPN, and I've even seen them generate one-time passwords. So companies create an app where it generates the one-time passwords for their company right there on the phone. So if the app can do it, I can do it too. So, threats against your smartphone:

one of them is the apps. So we have evil apps. They happen on all the platforms. Apple may say it never happens, but it does. It happens more often on Android, probably because it's easier, but you see malicious apps. They steal your data, they do stuff on your behalf, generally things we don't like company app assets to be doing. Software bugs also happen, as we see with each update. Every time something gets jailbroken, that's a software bug. Every time one of your platforms, there's a jailbreak, that's a software bug that's then being patched. So your apps have their bugs, your kernels have bugs. So your browser, every time it gets popped, that's a bug in the

software. Secure software is hard on smartphones too. Social engineering, one people don't think about. I actually recently got this text message from Target, as if it wasn't from Target, and it was on my test phone, so I don't know why they think it's a good idea to send it there. It says, "Congratulations, your entry in last month's drawing won you a free $11,000 Target gift card. Enter this number at target.com pdf. Biz". So, so right, if I'm not a clued-in user who realizes that the actual URL there is not target.com, it's pdf. Biz... but you know, your average user: oh cool, let's log in with our Target credentials so we can claim our gift card. And you know, we all use the

same password everywhere, always. So can our users be tricked into clicking on things? Can our users be tricked into downloading applications? That is a question we naturally want to know. People want me to do phishing attacks during my assessments all the time, but I send them emails. What if I do it to their phone too? Jailbreaking: our users are often jailbreaking their phones. We generally don't want them to do this in our environment. Can we actually tell if they're jailbroken? I actually did a talk a couple months ago, and someone raised their hand and said all I have to do is change the superuser app to superuser one and then my MDM system does not see

it, so I'm able to have a jailbroken phone. So we can't really assess whether they're actually jailbreaking their phones, and what risk that gives us, if the MDM solution, which is really our only solution at this point, can't detect it. So my question: my client wants to know if their environment is secure. Their environment includes smartphones. If I don't assess those smartphones, can I really give them any indication whether it's secure or not? But there's really nothing in place right now that allows us to assess the security of the smartphones from a network pentest perspective. We just saw some stuff about apps out there. There's actually been a lot of work done: is your third-party

app secure? And that's awesome, but that's not the whole question. That's a part of the question, that's definitely useful, but we need to look at the other side here as well, which is what I focused on: kind of thinking of the smartphones as part of the network pentest. So what's out there now? You can pentest from the smartphone. Generally when people hear of my project, the Smartphone Pentest Framework, they're like, okay, so you ported Nmap to your smartphone, oh my God, you're so awesome. Not really. Um, there's lots of people who have done that, example of Onie anti. There's even smartphone live CDs that actually put all the tools for smartphones into one distribution, kind

of like BackTrack; moback is an example of that. We can pentest smartphone apps from, like, Mercury, and then the one that you just talked about out there, right, that's pentesting the app. So there's been a lot of good work in that area, which is definitely useful to the future of smartphone security. But pentesting the actual devices eles I leave with a question question, there's not really anything for that. So the structure of my framework is: I basically have a big server, or it could be a small server, like that small, and, uh, it's going to, uh, run our pentest framework. We have our, uh, smartphones here. I have to be on the mic,

I can't get that far. So we have our client computers, so we can work together, a bunch of us, on a pentest. We can actually control this from the smartphones themselves, and what we're after is these guys, our clients' smartphones that we hope to take over. So this has a framework console, so we can run this in just a menu-based console. This is all just Perl, so if you have Perl on your computer, it'll run. You can run this in BackTrack right now; like, it says BackTrack 5 on the background, that's where I built it. We also have a framework GUI, which my mom wrote because she's a better GUI programmer than me, so she put a nice

front end onto this. So your web server needs to have Perl, which BackTrack 5 currently does not, so this will not run in BackTrack by default, but if you just download XAMPP or any other little thing... My mom wrote that, yeah. My mom has a PhD in computer science; she got it when I was two. The idea that women couldn't be in computer science never really made any sense to me, because she was. So yeah, my mom wrote that. We'll look at it, but again, you have to have Perl on your web server, so that won't work on BackTrack by default right now, but you just download something like XAMPP. We're going to look at just an Ubuntu VM running it

all. So again, really easy to install. There's more of the GUI, but we're going to look at it. DARPA made me write slides; you know, they have to approve something. There's also an app, so we can actually control it from the app as well. But the main point of what this does is it actually allows us to use the smartphone we already have to send, like, SMS-based attacks. Most of the stuff you see, it uses, like, a paid thing out in the cloud that you pay it 10 cents and it sends an SMS for you through a gateway. But you're already paying for SMS service, so why not just use the SMS

service you already have on your smartphone? Or if you're a pentest company, get your boss to buy you a lot of new smartphones to play with so you can use them in the pentest. So we actually attach the framework to your actual phone to send the attacks, and we will look at that as well. So another nice screenshot of that, and another. So what we can test for with this right now: remote vulnerabilities, so remote attacks against your smartphone. Client-side vulnerabilities, so is your browser vulnerable? If we can get somebody to click on a link, can we pop their browser? If we can get them to open a PDF? Same sort of things we're testing

for on our actual PC platforms. Social engineering: can I get somebody to just download an app that I send them in a text message? You might be surprised. Local vulnerabilities: so after I've actually exploited their phone, can I do privilege escalation? Can I gather data from their phone? Is it just sitting there unencrypted for me to steal? So there's a lot of examples about this, but I don't really want to go through them. I'd rather just show you this, right? So going to actually attack my iPhone. So remote vulnerability example: we're going to look for the default password on the iPhone, and if you had heard about what I did at HOPE, this is where

somebody wiped my iPhone. So I'm going to show you the IP address of the vulnerable phone, so naturally you're all just going to log in and wipe it for me, but I would appreciate it if you waited until after the demo, and then, your free-for-all: whoever can do the best exploit on my iPhone, you win. So you're going to know the default password is there. So let's actually get started looking at this thing. I'd much rather show you it working than talk about slides. So I have my little Ubuntu VM, so it just has XAMPP on it, so it had Perl for the web server, and my password is password, just in case you're

wondering. So the first thing we have is we just have a little config file, so it's just text-based. This is really small and I should make it bigger so you can see it. That's not much bigger, is it? Zoom in. How's that? Can we see it now? Yeah, that looks much better. And I said nano, don't shoot me. So it just has a little text-based config file, so you just give it: where's your SQL server, what's my IP address, what's my password. Again, my password for my MySQL server is password, so please God don't take down my MySQL server. Um, and just other default stuff in here, so stuff the framework needs to

know. So we just change the options here and we never have to worry about them again. Actually, let me make sure my IP addresses came out right when I restarted everything. I have to give you a little caveat here: I did run this at the Arsenal at Black Hat twice today. I ran everything and every demo worked, so I think I've run out of karma with the demo gods. So if this thing falls on its face, don't blame it. I just... the demo gods can only favor me so long. Yes, that's the right IP address, and my IP address of my SQL server, great. I'm going to make it even easier for you: here's the SQL server you

can take down. [Music] 1.2, yes, that is in there correctly. All right, so I'm just going to fire this thing up and start showing you how it works. So I just ran framework work. Perl and it made up a nice little menu thing for us. Again, all we need here is Perl, so most of your Linux distributions are just going to be able to run this by default. So the first thing I wanted to show you was that remote attack. So it's actually going to try the default SSH password, so all I'm going to need to know from my client is: what are your IP addresses? A lot of our other attacks are going to go, like, over the mobile modem,

but this one in particular is not. Let's find my IP address.

10.0.1 do3, and like I said, please wait. You can take it out afterwards, I don't care. The people at HOPE did not wait; they were not kind. They took out my iPhone and I had to show the video, and we don't like to have to show videos. All right, so I just want to test for the default SSH password. That's currently the only remote attack in here. So I just, kind of, a subset of each section for the DARPA project, with hope that we'll add in more CVEs in each section as we go. Users will say, I want this function, and we will put it in. For instance, I did the ISD podcast last week

and they said, I want PostgreSQL support. This currently only runs MySQL, so that's going to be the next feature. So we will add more things as they come. So I want to test for that default SSH password. I give it the IP I want to attack. It asks me, is that correct? I say yes, and now it tries to log in, and it should work here unless one of you is taking out my [Music] phone. And it's just running Perl Expect, so it actually will take a second. If this demo fails, I mean, we'll really know the demo gods hate me. How much easier can you get than a default password? And it looks like that's

exactly what's happening. It does... oh, I just lost connection. Oh, nice. Yeah, I tried to put but it's not in there. Oh, there it goes, it made it. Awesome. All right, so we did manage to log in, and then what it actually does is, if it's successful, it logs in over SFTP and actually installs a post-exploitation agent in there. So it... okay, that came out very wrong. Like I said, the demo gods will not favor me anymore today. It says it is not vulnerable, but it did install an agent. That makes zero sense, zero sense whatsoever. Okay, we're going to make that run again and see if it fixes itself. I have never seen anything so

strange. Yes, that is correct. Now work properly, thank you.

Should we say a prayer to the demo gods? Please, demo gods, please favor me with your love just one more time. These people came out here to hear me talk at BSides Las Vegas, which we all know is way cooler than Black Hat. Come on. All right, so it went, but is it going to say it was vulnerable? Well, it's at least installing it, at the very least. So what it's doing is it's logging in... yes, there we go, vulnerable, yes. So it does indeed have the default SSH password, and it does have an agent, and I believe we just saw a bug. All right, so let's see what else this thing can [Music] do. Slides,

slides. Client-side vulnerabilities. So remote attacks are awesome, but think about Windows, and your Windows 2008 and such: there's not as many remote attacks anywhere. MS08-067 was a sad thing of the past; you can't do that on your most modern platforms anymore. So we're going to see a lot more client-side attacks. That's what we see in our pentests against PCs as well. We are popping people's browsers, we're getting them to download PDFs for us, things like that, giving up their passwords to a phishing attack. So a lot of this will probably, as it progresses, turn out to be the same. So right now we just have a client-side attack in here where it will try and

exploit your browser. So I just imported some exploit code for a browser exploit into it, and it also gives you the option to directly download an app. So I say, oh, this is an awesome Angry Birds add-on, and nobody would ever download that. Better than that, though, I got this text message from T-Mobile, who runs my Android, and it said, as a premium handset subscriber you have the right to download this awesome security app. I click on it, naturally, because I'm a curious user who doesn't care about, you know, browser exploits, and it sends me to a third-party app store that, you know, has a nice T-Mobile logo up at the top, but

you know, I can go to the internet and grab that. And then it wants me to download this app. So users are actually seeing this, so this is something we wonder as a corporation: are my users falling for this? So we can actually test it with this. So let's look at a couple examples of that. You guys can take out the iPhone if you want [Music] to. All right, so the first thing I actually want to do is, since I'm going to send SMS messages to try and get people to answer and download my apps and whatnot, I actually need to first attach a mobile modem. So I'm going to attach it to one of my

emulators, so it will actually use that modem for its attacks. So I have the framework Android app here, and I'm going to attach that to my server. Let's look at the server first. So option number four, attach framework to a mobile modem. Search for an attached modem is currently in the works; you can just put in a USB modem with a SIM card in it and it will actually use that. But I like the attach to smartphone app better; could just use a phone you've got, and it's still functional, it just runs in the background. I just have to give it the phone number of the phone I want to attach to. I have to give it a control key. This is

any seven-digit key that's just used for communication between the app and the server, so it just has to be the same between the two. My default is always to use this key, key key one, which is not a particularly good key, but it's easy to type. And then I give it a URL path to check in; again, that just needs to be the same between the two of them. So, uh, this is BSides demo, so I'll call it that, BSides demo. Is that correct? I say yes, and then it just waits for my app to show up. I just need to tell it the IP I want it to attach to, so where my server is. I just give it the same path, BSides

demo, and give it the key,

and again that just needs to be the same. Click set up, and these two basically just do a TCP handshake together and they're now connected. And now, by sending commands from this control console, we can now tell our modem inside of that smartphone to do things on our behalf. For instance, let's look at running a social engineering or client-side attack. So number six. I have two options: I can tell them to directly download an agent, or I can put up a malicious web page and get a shell, hopefully, if their browser is vulnerable. So let's look at the direct download first. It wants to know what sort of smartphone I'd like to attack, so which

agent it needs to put up, so an Android agent, iPhone or BlackBerry. Let's say Android, since we're using Android emulators here. Hosting path, so again where I want to put it, just on that web server; BSides demo one works for me. And the file name is what I want to call it, so I'll just call it BSides demo 1.apk. I could be a lot more stealthy about this; it's like, what is that? I could call it Angry Birds. Phone number to attack, so where I actually want to send this text message; I'll just attack another one of my simulators. I didn't clear the database, so it gives me an option of two mobile modems, both of which have the same

number, but the one I just attached was number two, so let's use that one. The first thing you generally want to do is clear the database, but it should work anyway. And there we go. So from 5554 we got a text message; that's our guy with the framework app. From 5554 we got a text message that says, hey, this is a cool app, you should download it. And we, as the user in your environment, we'd be like, oh awesome, Angry Birds, I like Angry Birds add-ons. I don't know. So then they would download it and install it, and it'll call back to us and say, yep, that worked. So we can also do the same

thing: number six, run a social engineering or client-side attack, and do a client-side shell. So in this case we're just going to put up a malicious web page, and currently the attack that it has in it is the WebKit vulnerability for Android. Again, we're just going to port more of them in. The initial public release for this, it is going to be open source under BSD license, and it's coming out on Sunday when I do my Skytalks talk at DEF CON. So this will all be available to you, and then I'll add more stuff and fix bugs that you guys find as well. Can you... um, you can't at this point spoof the sending phone number, but if

you just put a prepaid SIM into your phone, then it'll use whatever that is. So that's generally what people would do to use it if they didn't want to give their clients their phone numbers: just put a SIM card in it that's either your work-based or a prepaid one. So it just uses the SIM card that's in there. So again, I just need to tell it where to put it, so I can put that as whatever I want; it'll just create that on the web server, and the file

name, and it's going to create a nice malicious web page that, if it works correctly, will send a shell back to our server, which will be listening for it. Again, I'll just attack that same emulator, and again it says you have these two modems attached, which oddly enough have the same phone number, but we'll just do the one we just did. And now it sits and waits for that shell to show up, which would require the text message to show up first, but it could take, like, up to, I think, 30 seconds. We had one demo work; the demo gods are listening again.

It's just sitting in the downloads waiting for you to run it; they'd actually have to install it. And now it doesn't want to actually send me the message, which is

unfortunate. So now it's just going to sit there and wait infinitely. Actually, if I go back to my text messages, I should actually be able to finagle it into working, like, that should still be sitting there. So like the last time it did work, that malicious page is still sitting there. So that, they actually got the text message like they're supposed to, then they open up the page and it's trying to exploit their browser. And again, I didn't write the exploit myself, so that's just exploit code for the WebKit vulnerability that's sending a shell back to me once it

crashes. Right, or you can have it be on the same server, or you can use a web server somewhere else, as long as you have rights to write to it. And there we go, so it popped their browser. So that page crashed, typical browser exploit. Again, I didn't write any new browser exploit, it's just a CVE that I ported in. And currently what it does for the demo is it just runs one command: it basically says who am I and then closes it, and calls to the database and says yes, this was vulnerable. So they clicked on it and they were indeed vulnerable, and stores that in the database for you to put in

your report. In future releases I'll have this so it'll throw the shell back to you so you can do things like post-exploitation to try and get root, but right now it just shuts it and takes you back to our menu. And usually I let people do things like waterboard me when the demos don't work, but I get tired of being put on the waterboard, so you have to come up with something else for this one. And buy me a drink, maybe, except they're free. So, speaking of which, so that was one and a half demos working. Come see it at the Arsenal tomorrow; I'm sure it'll work again. I'll pray really hard

tonight. All right, so back to the slides.

So also our social engineering kind of falls in with the client-side stuff. So I think SMS is the new email in terms of spam. Spam filters work; SMS doesn't really have a filter unless you block the number. So I think that's where spammers are going, like that Target email, or Target SMS. So I think that's the future of spam. So will our users download random apps like that T-Mobile app? Will they click on links that exploit their browser? Will they answer phishing attacks? Questions we want to know, questions we've wanted to know for a long time, but now we're just making it possible to find out on the smartphones as well. We also have things like local

vulnerabilities. So you know, smartphones have local kernel vulnerabilities just like everything else, so are they vulnerable to this? How do we really know? If we can get them to download our agent, we can then run privilege escalation as well as other things against them. So it has Rage Against the Cage in it right now for the Android, so it'll just try and see if it can get those root privileges. Right now it just drops them; in the future it'll give you those privileges so you can do more things with it, but for right now it just says yes, it worked, and then drops them. So other things with post-exploitation: we just saw the command

shell, so it gives you a command shell, or we get an app-based agent that has loads in it. So we can send it via HTTP or via SMS; we can send it commands to tell it to do things like send an SMS, or tell me all your contacts, or what SMSes have you received, or do a local privilege escalation. So let's look at controlling an app, or an agent rather. So I've got an agent deployed on this one already. It should already be, since I didn't clear the database, actually already hooked up. No, there are no available agents, so I need to actually attach to one. So the first thing I want to do is actually

attach to an agent. So I just need to give it some information for the database. I just give it the phone number, the main control number, though it will ask you, as we've seen it asking since it has two modems in it, which modem we want to use for an SMS-based attack. Give it the URL path. All the code again for this is going to be released, so you can change things in the source code if you want to make this meet your specific needs before you deploy it. So mine in my code is Android agent

one, and again I give it a seven-digit control key. It doesn't have to be the same one; again, it just has to be the same one that's in the code, so in my case it is KY

key1. And it wants to know what platform this is. To the user of the framework it'll seem really streamless, streamlined; you won't see any difference whether it's Android, iPhone or BlackBerry, but it will make a difference from the computing standpoint, so it just wants to know so it can make decisions. Is all this information correct? Correct? No, it is not at all correct. But why is it coming in backwards? But that works. I'm finding all sorts of bugs talking to you guys. All right, so now let's send commands to an agent. So now we have that agent in there we can send commands to. The current post-exploitation functionality is: we can make it send an

SMS for us; we can make it take a picture, if it has a functionality and doesn't have some sort of BL lock on it. It'll just say it failed if it can't, but it will try and take a picture, and it will actually upload that picture to you if it is successful. It can pull their contacts database, which does not work on an emulator, oddly enough. That's an emulator problem, but it will work; just the functionality to tell it to pull contacts doesn't work on an emulator, but if you do this on your actual phone it'll return all your contacts and upload them to the server. You can also get your SMS database. For

size I just limited it to the last ten you got, so it'll say who sent it to you and what it said. And it'll also do a privilege escalation attack, so here on the Android it will try and root you with Rage Against the Cage, and we could easily port in additional ones. So anything that's ever been used to root one of these devices, or in a jailbreak, we can just port the code into here and it'll try them. For instance, let's take a picture. It gives me the option: do I want to deliver this via SMS or HTTP? We've looked at a couple things with SMS already; let's do HTTP. So our agent is periodically going to check in.

I say periodically because if we had it check in constantly that would run down our battery; we don't like that. And I know you can do, like, push things with Google, but then you have to register with Google, and somehow I don't think Google or anybody else would like me using it for this. So it does use the old check-in method. So that's going to be running in the background, and again the agent checks in periodically, so it should upload that picture to the database. But while that's going, let's see what else my slides say, and I want to show you the GUI and the app as

well. So the question is, if I used SMS, would it show up in SMS history? And it does not. The agent actually swallows SMS. If you're familiar with some of my previous work with the Android botnet that used SMS, it's really the same concept: it just swallows the SMSes so you never see them, which Android makes particularly easy. Demos, we've been doing that the whole time, so we'll talk about that after I show you the rest of the [Music] demos. Let's see if it's come back yet. View information. No, it did not come back yet. Hopefully it will, or that will be another failed demo, and we don't like those. Let's look at the

app. Where'd my app go? Did it crash? Looks like it. That shouldn't actually make it stop working, though, since we used HTTP. Actually, let me show you the GUI and then attach it to there. Let's just kill this guy off. She wrote it all in, like, just Perl and HTML, so it's all Perl. I didn't know you could do, like, GUI stuff with Perl, but apparently you can. It was her idea to use Perl, actually; I had never used Perl before, as when you read my code you might notice there were some things I really should have known before I did this. Kill off my children. It does not clean itself

up nicely

yet. Okay, all right, so let's look at the GUI and then have it reattached. So let's restart this guy. So we've started up menu. Perl, and this is my mother's lovely handiwork. It does all of the same stuff, just within a nice menu-based way. Let's just clear our database, which we should have done. So this actually will just destroy all of the information that's in there, so any of our attacks we've run, any information we've gathered from an agent, we're going to delete it and start again. So it just recreates the database new for us. So the first thing, I want to attach to that mobile modem. So again, it's just nicely menu-based for us here.

Oh, and it remembers what I've said. How

nice. And then it again is just going to wait for

us, and they do their TCP handshake. And so here from the actual app we can run a subset of functionality; like, we can't destroy the database, because that would detach the app, so that would be counterproductive, but we can run things like attacks. So we see the same things: our remote attacks, client-side attacks, sending commands to an agent. There's currently no agents attached, since I killed the database. But for instance, if we hit remote attack: which platform do we want to attack? So if I choose iPhone, it gives me the option of that default SSH, and then we give it the IP and it'll actually run that attack right here. In this case, since it's going to be network

based it's just going to call back to the server and tell it to do it same thing here with our client sides we can run them here as well and like do a browser exploit against Android and it gives us that CVE we fill in that same information and it will just send it right here from this modem it doesn't give us the choice in this case since we're actually sitting on that modem it will run it from this modem directly and call back to the server and tell it what to

do let's actually attach it to an agent again so we can look at

that so nice how it remembers everything for me so I've attached it to that agent again and then from here this may not work right off the bat because it needs to update oh y there it goes so we it pulls our agents from the database and will actually let us do our sending commands to our agents right here from the app 10 minutes all right so like I can send an SMS like right from here who do I want to send an SMS to let's go after my third emulator again helps if you write the correct number like I want to say hi and then we see I just sent it twice I'm not sure why I did

that um see I've demoed a lot today um but we see that it uh it came from the number 5556 which if you notice we use the same emulator to do our client side attacks and those all came from 5554 which is the one that has the app whereas 5556 is the one that just looks normal here and this is all running in the background so actually from that agent and we just told it send an SMS to somebody else so whether that's useful or not in the pentest I don't know that's just functionality I knew how to do really well because of the botnet thing so I just included it so yeah that's pretty much all in there for

the functionality right now so let's talk briefly about the future of the project so I want to add more modules in each category obviously right now we've kind of just got this demoing subset of things we can do there's been a lot more client side CVEs against smartphones than just that one I showed you I want to put in more post exploitation options so let you keep the shell let you keep your privilege escalation if you run a like a root keep those privileges and like install system level stuff want to put in more things like right now it just takes a picture and does SMS for remote control it'll only take your contacts

and take your SMS for gathering information so I want to add more things here pulling your email and whatnot I want to continue like with integration with other tools like Social-Engineer Toolkit and Metasploit and what I'm really interested in is community-driven features I want to see people use this when it releases on Sunday and say I really want this functionality for instance the ISD podcast guys hadn't even seen it yet and they're like you know PostgreSQL would be really nice so that's what we're adding next so and I also want more reporting capabilities right now it really just spits out the database and says here's who we attacked were they vulnerable did we get an agent

these are the information we have about the agent I want to have it write a nice pretty report for you because I hate reporting I know we all do so and this is me I'm Georgia and again this is going to be released on Sunday during my Skytalk so it'll be open source BSD license you can pretty much do whatever you want with it so if you're interested I do have business cards but that's all I have for now and I have a few minutes for questions if anybody has any

more you mean the stuff running on the app like on the smartphones yeah yeah everything that runs on the server is all Perl so if you have Perl on your system then all of that will run so the stuff for the agents them anything that runs on the smartphone is going to be in that smartphone's language so Java for your Android and some really messed up version of C for the iPhone and whatnot I mean really they just took C and beat it over the head yes all of that including the agents like all of the source code you know you just open it up in Eclipse and change anything you want so yeah

everything you see here is going to be included in the open source along with a nice little PDF that tells you how to install everything and how to run everything with lots of nice screenshots that I originally wrote for DARPA so yeah everything you see here will be included in the open source release anything else well thank you all for coming out it's like the last talk of the day so I really appreciate it [Applause] [Music] [Applause]

great J thank you