 Let's give it up for Def Con, another good year. First, I want to thank Dead Addict for being kind enough to switch slots with me. I wouldn't be up here if it wasn't for him, so let's give him a round of applause, too. Okay, I have an hour's presentation, 178 slides. I've got 45 minutes to do it, and I'm three minutes late, so hold on to your butts. But I do have quality swag. I'm not going to describe all the swag, but I have DVDs. Got two of them, quite possibly the worst hacking DVDs ever. What's that? This is brand new stuff, man. Zero-day B-footage hacking stuff. We got Game Over and we got Virtual Assassin. Smells wonderful. We have the Hacker Tracker Board Game. A strategic manhunt where hot clues and hacker profiles help you capture a cyber criminal. We got two copies of Security Warrior. You can get that signed by one of the co-authors, Seth Fogies, in the audience, helping me out. We have a Starbucks wireless cardboard bus. And we have lots of t-shirts, but you guys got to answer questions to get it right. I need to show my hands as soon as I ask a question. The first hand I see gets a chance to answer it. You answer it right, you get the swag. Fair enough. No calling out. That wasn't the question. Let's go. First of all, who am I? Short on time, so let's make it short and sweet. Okay, we got to rephrase this, you guys. I'll tell you what the swag is, and then I'll ask the question, okay? Who's Johnny? Let's ask Google. Google says, do the query. Google Space Hacker, second hit. That's me. That's all I got to tell you for today, because it's a Google talk. Next. That's what we're going to be talking about. We're going to be talking about how you can use Google to find sensitive information. Those of you that saw this last year sort of know the drill. We're going to go thin on technique and heavy on example this year. This is not new. 2001 slash dot, the problem of search engines and secret data. I'm not showing you zero-day stuff here. We got zero-day examples, though. Is that the same thing? All right. Those of you that haven't used advanced operators, this is the magic. This is what makes this stuff happen. Advanced operators are more than the keywords that you type into Google. Advanced operators help you narrow down your search. An advanced operator takes the form of operator colon search term. No spaces. Give you an example. Here's the site advanced operator. Johnny.iHackstuff.com colon 80. All of that is site. Use the site variable to find sites. In URL, it includes the site and everything after it, the entire URL. If you just want to search URLs, use in URL. File type. Anything after that dot. This is the file extension. Parameters don't matter. You have question marks after the PHP. None of that stuff matters. The file type in this case is PHP. That's the only thing that file type finds. And in title. Title of the web page. Up top in your browser. Let's talk about some slightly more advanced stuff. This would be file type colon PHP. This is index dot PHP. So it found a PHP page. In title colon iHackstuff.com also finds this page because iHackstuff.com. I'm sorry, iHackstuff is in the title. Numb range. I'm not going to talk a whole lot about numb range. I have a good job and I like my job. And if I tell you too much about numb range, you're going to do really bad stuff with it. I guarantee it. If you have questions about slides later on and you're like, what query was that? Chances are it has something to do with numb range. I didn't tell you that. Just use your imagination. Numb range. Find me a number in this range on a web page. Some of you are already thinking about it. I can see it. Find me the words Google masters in the text of the page. In text looks at all the stuff that's on the web page as it's rendered. This does not look for stuff in the source. Very important. Let's move on to what has been termed as Google hacking. Very basic stuff. Find me the word admin in the URL of a web page. Combine that with find me the word orders in the URL of a web page. Combine that with find me file type PHP. The boxes that you see on the screen are your complete query. Type this query into Google. Get amazing results. Here's order pages from e-commerce software. Shows you customer information, customer data, credit card information, how they bought it, whole nine yards. This is a benign one. All right. Search characters, pretty straightforward stuff. I'm going to fly through this stuff. You guys know how search engines work. This is just the stuff that's specific to Google. Very straightforward. Info gathering. I'm going to fly through this stuff too. Crawling a site is very easy with the site operator. If you want to find every single page, Google knows about a particular site. Every single page that they've crawled, use site. Site colon microsoft.com. Google has called 583,000 web pages from Microsoft alone. Server calling. Once you lock on to a server, you can start narrowing down the subdomains on that particular server. For example, site microsoft.com minus site www.microsoft.com. Starts giving you subdomains other than www. Easy stuff. Directory listings. We've all seen them. Pretty boring. Unless you're interested in getting information that you're not necessarily supposed to find. For example, server tags. Server tags at the bottom of an Apache index. This particular one. Entitle index.of. So we're looking for index listings. Find the words Apache server at. That's the tagline that's at the bottom of the index page. Using that technique and these other techniques, you can start looking for web pages of a certain web software type. You can even narrow this down to specific versions. So, for example, if you've got this ScriptKittyZeroDay exploit against Apache 2.0 something, you can use Google to find targets very easily. You can use that server tag at the bottom of the index, or you can use default server pages. Stuff that gets installed with your web server software. Like this Apache It Worked page. You put this query into Google. Entitle test page for Apache, and it worked in quotes. You're going to find default installs of Apache, or they didn't even have the presence of mind to change the default page. You know what that means. Alright, going to fly through these. Just some quick examples. Some of you in the background are going to have trouble seeing these. I apologize, I'll have the slides up Monday, I promise. But basically, just a real quick run through of some of the other software that you can find. Netscape FastTrack. Netscape Enterprise. IAS, running on Windows 2000. This is a two for one. You know they're running IAS? You know they're running Windows 2000? You never sent the packet to the target, Google told you. Easy stuff. IAS, running on Windows XP. Take a look at the query. All in title. That means find every single one of these words in the title. Welcome to Windows XP server internet services. Kid stuff. Easy. IAS 4.0. Yes, it's true. 66 pages on the internet at the time of this screenshot, running not only IAS 4.0, but running IAS 4.0 with the default web page. If there's anybody in here that feels like can't hack a server that's set up like this, let me know. It would take you a couple seconds, like hook you up. Another interesting IAS search. Basic stuff. Another way you can go after servers to actually find them by their version numbers is to look at the documentation that comes with that specific web server version. This goes after Apache HTTP server, version 1.3. Again, just do a Google search that looks for the docs that come with that web server. Here's just a quick list. I know absolutely no one can read this. Sorry. But this is just a quick snapshot of some other queries that work. Notice the bright orange color. You will see this again later. Some guy on the internet is collecting this stuff and paying attention. For a t-shirt, anybody know whose web page this is? Right there. There it is. Johnny.iacstuff.com. So I'm Johnny Guy. Good job. Really quickly, this is other easy stuff. So I'm going to fly through this, get to the juicy stuff. Error messages. You can harvest error messages to get juicy data out of those pages. For example, hyper news. This hyper news error message gives you not only the server software version, the server OS version, the web software version goes on to give you all sorts of other environmental details about the server. Good stuff. Let's skip this stuff. All right. People give me a hard time about error messages. Okay, this is Google stuff, so we're talking super easy stuff. Error messages are the bottom of the barrel as far as cool stuff, looking for things in Google. The point is, error messages can pop up anywhere. This is my hotmail account. Oh, I edited that, didn't I? Yep, okay. All right. This is my hotmail account. And notice the ad server bombing out on the right-hand side, so I didn't get any advertisements that day. I didn't do that on purpose. Really. All right. Login portals. The front door, the absolute front door of a website. The only reason I'm listing these is because this is another way to profile a server. How about a search for please log in? Pretty easy. How about a search for inurladminlogin.asp? Very straightforward. This is a page where an attacker's going to log in, or anybody's going to log into the server. Most attackers are going to avoid that particular page, like the plague, unless there's an overflow associated with that or something unseemly. That stuff never happens. For an ice-cold red bowl, can somebody tell me the query to find this particular page? Oh, I saw, I saw a hand. Yep, that's pretty close. I'll give it, I'll give that to you. File type CFM will find you cold fusion pages. Okay? Anybody think they actually have it for no swag? Right there, Richard. Beautiful, beautiful. Entitled cold fusion administrator login. There you go. Cold fusion front doors. Windows remote desktop. I don't know why you guys are laughing. This is some solid software right here. Let's give it up for remote desktop. Entitled remote desktop web connection. It's child's play. For a t-shirt, give me the query. This side. Back row. Excellent, you have wonderful eyes and you got the query. That's one way. Here's the other way. Yeah. Don't steal it from the person that got it right. Here's another way to get it. You do it with the in URL, okay? How about this one? Microsoft Outlook web access login. You guys are laughing like this is bad software or something. It's Microsoft Outlook web access. All right. Web access. Big deal. You found the front door. Well, what about exchange? You find some exchange public folders this way? My eyes are pretty bad, but that looks like 813 Microsoft Outlook web access pages and public folders with open directory searches as well. Sometimes the login portal is just not the best way in. All right. I get beat up a lot for using Google for hacking. Let's use it for password cracking. Google as a password cracker. John the Ripper, watch out. Because this says when you enter the members only section of this, you'll be asked for your user ID and password. If you can't find it when you're trying to log in, figuring it out is no problem. Your user ID to get in is the same as your digit membership ID number. And your password is the first four letters of your last name and the first two digits of your first name. Password cracking 101 with Google. How about PBX hacking with Google? Anybody want to be a PBX hacker? What about this page? Your password is just the pound sign. All right. This particular really interesting query finds web pages that allow for a very interesting option. It's bad stuff. Can't very watch. How about these pages that let you set up your own email account on a domain that you're interested in? Point, click, spam. Easy stuff. Or how about this one? The username and the password clear text in the title of the page. It doesn't get any easier than this. If you can't break into these sites, you shouldn't be at this conference. Guess the query for a DVD. No. There you go. Inurlpassword.log. Let him take his pick. Inurlpassword.log spilling water and dancing. I haven't even been drinking. This is bad news. All right. Moving right along. How about this one that finds PHP shell installations? I gave this at Black Hat, and nobody really seemed to know what this was. So I have some slides in here that describe really what PHP shell is. It's a PHP shell. So I hope that clears it up. And with a PHP shell, you can type commands like this innocuous one, cat etsy password. Well, it gives you the password. So I decided to make this scenario just like the kids that are out there that basically hack this way. And I'm just going to keep going on this server. Poke around a little bit. Find a WAP directory. W-A-P. We got some wireless here. We go into this directory, and there's Christina and Audrey, and whoa, hey, this is not wireless. This is even better. This script kitty's on a roll. Brittany Spears. This particular script kitty was done. That was the end of that hack. Vulnerability trolling. I'm not going to talk to you guys about this because you guys probably all know how to do this. An advisory comes out. You find vulnerable targets using Google very easily. ConFix contents available. Go to the ConFix site. Go to their demo page. Look at the title. For a shirt, give me the query. Right there. There you go. In title, ConFix Professional. Keep playing around with it. They've got default documentation. So here's our documentation search that we talked about. Poke around a little more. Here's ConFix Professional in the title with login and password in the text. And you can see that we've got active hits. Very easy. This one's pretty tough. For a book, let me see the hand first, and then I'll give you the question. What's a book? Everybody wants a book? Oh, you're brave. Okay, front row. The question is, give me the query to find sites vulnerable to, and on the bottom if you can't read it, Jelsoff v. Bulletin 3.0.0 Can4. If it was this easy, I wouldn't have made it for a book. Close. Right here. Black shirt glasses. Can4? No. All right. We'll change it up. For the book, give me the two words that can, or the three words that can4 should be replaced with. To make it more specific. No. Two words. Can is short for what? Right there. White shirt. Release Candidate 4. There you go. Give the man a book. Powered by V. Bulletin 3.0.0 Release Candidate 4. The reason that's for a book is because you control through the PHP source code and eventually find the little banner that's at the bottom to get to the same point. But if you can get it with a little prodding in a couple of seconds, that's worth a book in my opinion. All right. CGI scanning. Let's talk about traditional techniques. Take a CGI list. Roll it into some Google queries. You got a CGI scanner with Google. Turn them into in URLs or in title index subs. All right. Port scanning. Port scanning is pretty easy if you do it the right way. And as long as you understand that Google doesn't find every listening port on a machine, it finds the ones that were pointed to. In URLs, a bad way to go. Combine it with a search for a known listening software product on a port like VNC desktop listening on port 5800. Look for 5800 in the URL with VNC desktop. Or Webmin running on port 10,000. Combine the Webmin search with in URL 10,000. Combine in URL with minus in text to get the number out of the text of the document. So you don't get a double hit on that. Here's servers listening on 8080. Servers listening on 8,000. Or you hijack tools like this, the NQT network query tool that allows you to look at a site to see if a port is open or not. Basically lets you do a port scanning. Roll a Google search up that actually finds NQT.PHP in the URL. Now you've got sites that you can point to that'll do a port scan for you that you could proxy through. Jokes on them because it takes remote posts. So you can pretty much do this at your leisure. Just a quick word about Athena. If you're interested in automating this process I highly recommend Athena. It's a nice screenshot. Check out the URL or do a search for Athena and Google because it's gone now. Or check out this whole goo scan by some guy, Johnny who didn't recommend the tool because you're not supposed to do bad things with it. It's proof of concept. Also there's the site digger tool. I would have put up a screenshot but I have a formula that I followed. If unanswered emails is greater than two, screenshot equals null. Next slide. Anyway, now they did reference me in their documentation and I gotta give them credit. But no screenshot. Alright. Poking, prodding and pummeling SQL. Alright, we're gonna start light. Gathering user names with SQL. Warning, access denied for user using password. There's user names. This query locates SQL schemas on the web. Entire database dumps. Dumping data for table. Very easy stuff. You get the entire dump of a database. You just saved an SQL injector about, what, three days? Alright. Poking around SQL some more. Here's username and password in that SQL dump. Here is username or user or users or password in that SQL dump. And yes, there's 389 of them. About this one. SQL command not properly ended. If I asked you the definition of SQL injection, it would probably have something to do with this. Unterminating SQL commands, that's one good way to go. Unclose quotation before the character string discover platinum card. But they apologized. It's in the title. How about this one? Mrs. Prizby's second grade class. Please don't hack them. Have some decency. Alright. We're looking for errors. Alright. We're gonna fly through some of this stuff. Pumbling SQL. How about a front door in the PHP MyAdmin with unauthenticated access? No username, no password. You're in PHP MyAdmin. Do whatever you want to this database. One query. Main.php. Welcome to PHP MyAdmin. This query also looks for cold fusion pages. It looks for select or insert. Lots of interesting stuff. Here's the MySQL Connect function. Username and password and clear text. Alright. Alright. Let's go big on this one. For a DVD. You gotta listen to the question first. What's the SQL syntax that can be used to set a password? Two words. Wait, sure. Two words. Nope. Nope. Ah, ooh. Yeah, I gotta give him that one. Yeah. That's not what I was looking for, but that'll work. That's worth a DVD. How about identified by? That's the example I've got. File type SQL identified by. Lines of SQL code that actually show you the clear text password. Also grant on or create user. Same deal. Let's all beat up on some security people. Private certificates. Private keys. RSA private keys, AOL keyword, private. Nessus scans. Nessus scans are messy because people put them up for demos. But every now and then, it's worth sifting through the dumpster, isn't it? This corporate scan was found on some of guy's personal webpage. You ran it from home. Locating ISS scans. ISS scans aren't supposed to have 1500 users in the report that actually match the user list on the mail server now, are they? How about snort IDS data delivered graphically and served up fresh? Alright, putting an IDS log on a webpage is sort of like putting the monitor for the security camera out by the front door so they can see where it's pointing. Isn't it? No, these aren't all samples. Who can guess the Google query here? For a t-shirt. Over there, black shirt. SSH host keys, you got it. Give it to them. SSH host keys on the web, these are not samples. PGP private keys. Come on, security people are supposed to know better than this. How about hacking hackers? You know those IRC users? IRC bounce points. Find CGI colon IRC EF net. This will find you websites. Find your web-based client to bounce into EF net. Or if you do the query right, let you bounce into any server. Or if you do the query right, let you bounce into any port. Yeah, think about that one. How about side BNC config files? All the elite hackers use bouncers, right? Do all the elite hackers out there actually put the config file on the web so you can see the passwords that they need to get into their channels? Do all the IRC logs online with their nixer passwords? Uh-huh, yeah. You all know about the caching feature. Sometimes they block you. Sometimes the cache picks it up. For those of you that can't see, blue says visa. Yellow is a visa credit card number. How does this happen? Court documents. Public source court documents. Fraud cases. Platinum account number. Account number. Statement account number. Bank number. This is no small report. This fraud case lists every bank account number and every credit card number that was used in that particular fraud case. Okay, but they're closed. No big deal. Some people just don't get it. Corn snakes for sale. I'd like to buy a corn snake. Here's my visa card expiration date. Please send to this address. Yep. expiration date 2005. How about this person applying for a shell account? Here's the easy way to get shell. Apply for a shell account. Put the username and password you want on the public message board, as well as your visa number and expiration date. People put this stuff online, folks. How about this particular guy that put his expense accounts online? Funny how he blurred out, or I did the blurring, but he put Xs through the last three digits of all his accounts. Just the last three digits. All 100 accounts. I'm going to read this. This is a translation of actual text. Good day. I have no small problem. I entered my serial number into the software. The message said the serial number is wrong. How can I fix the license? I purchased on the 23rd by means of visa account number expiration date. Let's sit right there. For a t-shirt, our police crime reports public information. Can't do you again. White shirt. Yes. For a t-shirt, are they online? Man, it's too many. That's it. Yes, they are. And here they are. They are online. They're not supposed to take every card in the person's wallet that got stolen and put them online with the account numbers and expiration dates. It's a bad idea. One through 28 of 28 hits for this site with the word visa or mastercard about expense reports for this county. They list every bank account number that they use for the entire county's purchases. It is no small report. It's a long distance visa cards and dog food. In a video series, each one of which was $300. The county's paying for wicked stuff these days. All right. The credit card thing, most people say, yeah, this is an isolated thing. I'm here to tell you that it absolutely is not. It's boring as all get out for me and my fingers about to get tired because we got credit cards, we got credit cards, expiration dates, expiration, credit, credit, credit, credit, credit, credit, credit, credit, credit, credit, credit, credit, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards, credit cards. I can get an extension here, goons, right? Credit cards. We proudly accept Visa, MasterCard, Discover, American Express. Yes, folks, Google takes them all. All right, for an ice-cold Red Bull. What keeps somebody from using pilfered credit card numbers online, even if they have an expiration date? Green shirt, right here. Yeah, CVCs. Some people call them CVVs. Sometimes you need them to make online purchases. Here we go. How about credit cards with CVV codes? How about more CVV codes, CVCs, CVV twos? How about bank routing numbers, checking accounts, PayPal passwords, eBay IDs, bank account numbers, routing numbers. You name it, it's all there. For a Red Bull, what's the one nine-digit number you should never give to anyone? Back row gray shirt. Social. Didn't I already give you a prize? Oh, man. Give it to the guy in the purple shirt. Purple shirt, right there in the corner that ratted him out. Bonus question, what can you do with somebody's soesh? Right here, black shirt. Yes. Absolutely. You can own the man. Steal their identity. Let's take a look at how this happens. Some people put them into their source code, hard code them into their source code for their financial transactions. Certain health care corporations actually did this. Remember those police reports? Well, I'm sure they canceled all those credit card numbers, thinking they probably didn't cancel the social security numbers of the victims when they posted them online. Visas, you never know. Social security, social security, social security. How about resumes? This is a fancy word for resume, I think. Somebody posted a resume online. What's their soesh in the resume? Yeah, it happens. This guy used the fancy word for resume and the unfancy word passport and gave his passport number. How about schools? How many of you have had that number used by your school? Student ID numbers? Student ID numbers. There's a ton of them. Once you get a lock on a grade list, you fan it out through the whole school. Find more of them and more of them and more of them. Okay, sometimes these sites get blocked. You guys know where this is going, right? Google's cash. Sometimes the cash picks them right up. The yellow header is social security number. The column right next to it is the student's name. Social security number, student name, socials, names, grades, socials, names, grades. This particular report is the report of a city whose residents owed back sewage payments. They posted their soesh, their names, how much they owed, and their address online. Okay? I mean, but come on, it's a pretty small report. Or maybe it's just not. Hundreds of residents of this particular city are going to be really pissed off in the next couple of days, I guarantee. All right. That's about it for time. Prevention. Don't put this stuff on the web. I mean, I don't need to talk to you guys about prevention. I'm going to do questions in a second. Keep an eye on my site, johnny.ihackstuff.com. I have a Google hacking forum, search engine hacking forum, and a database keeping track of some of this stuff. I do not post the credit card stuff online. I'm going to give out swag for best question in a second. Are we okay? Five. Ten. Oh, we're going to have a power question and answer session. All right. Here's found Stone's screenshot because I'm not a jerk. Okay. There's my web page. Let me give the thanks out. Thanks to God for the gift of life. Thanks to my wife for the gift of love. My children for the gift of laughter and my friends for filling in the blanks. Let me give a shout out to Singress, who's going to be publishing Google for Penetration Testers. It's going to be a Google hacking book. I'm looking at doing primary author on it. It should be out in December, so I appreciate your support when that time comes around. My company and the guys that I work with, let me give a shout to the strike force and all the guys on the forum that actually make this happen. We call them the Google masters. These guys do a bang up job. Quality question and answer time. Questions. Yes, over here. Yeah, absolutely. You can use robots.txt. The word is still out as to whether or not that actually works. I can't tell you. I've seen lots of examples of sites whose data was posted online that had a valid robots.txt file. Yes. Actually, I got a trial membership sent to me sort of out of the blue. I don't know how this service works, but I keep track of my web page. The Google Alert service is excellent. When somebody posts a reference to my site, I get an email saying, you know, somebody's pointing to you, that sort of deal. I got what, three prizes left here? We almost out. And then there's going to be a push for the rest of the Red Bulls. But we're going to do a vote on best questions, so keep the questions in mind. Yeah. You're trying to get me in trouble, aren't you? Question is, do you think Google has any responsibility to fix this crap? Google's responsibility is to serve it up fresh. It's the way I look at it. That's the way they've done it in the past and they've folded to no one except major countries. Yes. Yes, that's a good question. Work for a company that's got a huge web presence. The answer to the question is, yeah, you can go through every single reference that Google has in your company. Just use the site variable, page through all the pages. Optionally, you can use tools like Athena to automate it. But the real way to do it is to just check yourself. Yes. What are risks that require authentication? Oh, the old authentication question. What about authenticated pages? Google does not do any sort of magic to bypass authentication, first of all. That's a rumor. What they do is they pound sites mercilessly. So if they come after your site and your authentication is broken, they cache the page. If your authentication comes back up, the cache still has it. So the short answer is no, by default, they don't bypass authentication. The other answer is they have, in the past, appeared to have used credentials to access members-only areas. So it appears that in some cases they do have cached images, but that's up to the site to give that to Google. I don't know how they do it behind the scenes. How long does it take to go away? I don't know the answer to that. I don't know what the answer is. I know you can speed up the process. Google's Webmaster section has all the information you need to actually pull something out of the cache and make it go away. So you can go in and fill out a form. Don't try that unless you actually own that site, please. A lot of questions run out of time. We're down to four minutes. Is there a way to get a list of all these variables? Yeah, go to Google's API page. Yes, quite sure. Have I worked with Unicode, Japanese characters, stuff like that? Or does Google work with it? The answer is no, and yes. I haven't, and yes, Google will handle it fine. Right, sure. Yes, that's a quality question. I think that's in the running. What about date range? Yes. Yes, date range I did not cover, and yes, it is Julian. It is the date that Google actually picked up that page. It's a good question, and yes, it is in Julian. There's no way around it. Trending. It's really good for trending, looking for spikes. It's really good for intelligence. The talk that Mudge was going to give, it's perfectly suited for intelligence to see when spikes on certain sites go up around certain media events. It's a good question. Last thought. Let's do two more questions. BlueShirt right here. What about searching? Yeah, you can search for your own source, but I'm not going to answer that question in any more detail because it will get abused. Just use your imagination. Let me do that. BlueShirt, I've abused you guys. I make it a policy to try to alert everyone. Unfortunately, I cannot. My site has made several attempts through the forum to let people know, and as far as I know, we've got no responses from anyone except one guy who mentioned in an email to another guy, not even to us. Hey, they're cool. They let me know I had a problem. Your question about the police department, I found that three days ago. Haven't had a chance to. That's it. I think we're out of time. We've got to keep it on track here. Thank you guys.