 Okay, this is Credit Card Networks 101, what they are and how to secure them. I don't do public talks very often, so if I don't give you guys eye contact, deal with it. This is in the 101 category, so I'm not gonna be getting into crazy stuff like, you know, here's your server, here's exactly how you get the numbers. So all of you that are interested in just getting a quick fix on the stealing credit card numbers, this might not be for you. It's got a very strong focus in the hospitality industry, and that's because of two reasons. One, that's the most unsecure industry as far as credit card networks are concerned, and two, that's the one that I tend to deal with the most and the corporation I work for. So with that said, any of you that didn't read my introduction, I'll start there. Credit card networks have grown into a viable and necessary asset and large transaction-based businesses, are these networks protected? Are there formal security measures to protect these packets from external and internal threats? Most network administrators, controllers, CTOs, and CIOs are not even aware of credit card's flow or existence on their networks, generally speaking. Further, some of these protect their network switches too much and they disable the true functionality of credit card networks causing a lot of problems and opening up a lot of exploits. So we're gonna start off with how credit card data gets to point A, from point A to point B in a credit card network. Okay, so how does the flow of credit cards work? Does your card get swiped and then magically the money is removed from your account? Obviously not, let's take a look into what's involved. In a nutshell, your flow looks like this, and let me give you a quick flow chart here. You have point of sale systems, property management systems that start here, so we'll call them property management systems. And since we're talking about- Brighter color, okay, sorry. Bigger, no, no bigger, sorry, that's the best I got. So you got your property management system and in a credit card network, it's gonna go directly to a central point. Point of sale. Darker. Okay, I can just use hand visuals instead if that would be better, you know. Pretty much, back to blue, how about dark blue? Okay, so these both connect into a master transaction engine. And pretty much what happens is it uses your existing network in most cases where they'll just take the packets of credit card data, swipe data, no, and they'll just swipe them in these systems and they'll go across your existing switches and whatnot to a master server. Master server then has either a dial out or a least line connection directly to the internet or directly to the front end processor. And it gets authorization that way. So that's the very stripped down version of what a credit card network is. The processor, credit cards don't go directly to a bank. All credit cards, they get authorized through a automated clearing house or a front end processor, whatever you wanna call it. And pretty much from the start of time they didn't really organize it too well. It was just diners club and the American Express. It was all in New York. So if you wanted to accept these clients' cards, you know, you just connect it directly to these networks. Well, they wanted to expand it out across the United States and then they added other people like Visa and Mastercard and Traveler's Card, JCB. So what happens is you have all these merchant banks where they have to have the money withdrawn from their account and moved into or credit card issuers banks that has to be moved into a merchant bank. So they created front end processors which is pretty much just somebody that literally gets paid to move money from point A to point B. So they have all the connections to all the issuing banks and all the connections to the merchants' banks. And all they do is just say, move his money from there to there. It also happens in a two-step process. The two-step process is the authorization and settle. For those of you who have debit cards where you have the cute little logo on your credit card, on your check and count and you couldn't get a real credit card to tell, but yeah, I got a real credit card but it's just your check and count. You might notice that, you know, if you don't like balance in your book or whatever and you say, well, where's that money? Or, hey, how did I get overdrawn this money? It's because it first authorizes the money. It doesn't actually remove it. So what happens is if the merchant does not remove the money of your account in time of matter, it just releases the authorization. And all of a sudden you think, hey, they forgot to charge me. I'll just get a free payday. The next thing you know, you're overdrawn 200 bucks. So it has two steps, authorize it first, settle it next. So that's your two stages. So with the credit card network, what we got here is skipping around, trying to catch up from that long speech. So with the credit card network, obviously it goes through there. So you can see some inherent problems when you're just using existing equipment, especially in the hospitality industry. So let's get into the inherent risks of what's all involved there. Getting money using social engineering. If you have the right tools and three letter acronyms and everything you can get what you need from merchants. Calling a hotel and say you're with an issuing bank and that you need a voice merchant account number of this site. Say I'm with your bank, we have a problem, we wanna make sure that this person who was charged was from your site, what's your merchant account number? And they say, oh, sure, no problem, I'll give that to you. And you need this to verify what you need from them, okay. You can even give them the credit card number or fake one or yours, you know, just to tell me up, see, the one that has their credit card, give me that money or give me that merchant account. So what you do with this is you have a merchant account and this is the biggest, most prevalent problem in the credit card industry is actual credit card terminals. You got transfer 80s, variphone, hypercom terminals. These are all very unprotected devices because you can go out on the internet or on eBay and just buy a transfer 80 credit card terminal from anybody. And so with this merchant account number, if you know how to operate these transfer 80s and Omni 395s and hypercoms, you just pretty much take that merchant terminal ID in there, punch it in there, that's not my terminal ID. And you call a front end processor and you say, hey, my terminal broke, I just bought a new one, I'm with X company, can you give me the password to redownload this terminal? So you might talk to X company in California and you live in New York and you just hit the button and you just download all of their data onto there. Now you have a full-fledged working credit card terminal sitting from your favorite phone booth down the street. And yeah, you just swipe a card and say, I want to credit them $300, hit close batch, and boom, you just gave yourself $300 and nobody knows what's going on. And the accounting departments in hospitality networks got to tell you sometimes they reconcile, they don't balance. At the end of the night, they just say that looks good, whatever, and at the end of the month, they reconcile and say, oh, looks like we're short, what do we do? Well, it's too late, everything was already pumped through. We don't know where it came from. Getting money directly from the merchant. Another thing with hospitality networks, auditors get paid $750, $515, $8 an hour. They don't really care about their job. They're working a midnight shift because they have their other daytime job that they're going to support whatever they got going on. So they're pretty much just get this problem fixed, move on to the next one. They don't pay attention whatsoever. So you go to your favorite hotel, you stay there, you actually pay the money and everything, you have no problem with that. She decided, I'm short on money this week, I want to get that money back. So you call them up and say, hey, you double charged me when I was at your hotel. So what they'll do is they'll try and do research using their credit card software and everything. This is beyond terminals, it's actual in front of your software. Well, Faxmere statements proves to me that you got double charged on this because they'll dig through it and they won't be able to find it paperwork or just a big, huge mess but they're not familiar with the software enough. So, Photoshop, you got two credits on your credit card statement and you print it up. And you send it into them and everything like, oh, I can't find it here, but it appears that you have it on your statement. Maybe it was a bug in our system and it double charged you, that's why I can't see it. And then they just go ahead and send you a free credit. Little bit of an issue there. And it does happen and we actually have a story where somebody checked into a hotel from one of my clients, they swiped their card, it was declined. They said, well, okay, it's declined. We'll let you stay right now while you get that fixed. So they stayed for the three nights and it was a really expensive hotel. And then what they did was they're like, well, they just bailed out on the check completely and they didn't pay, they just left. So it was $1,000 that the hotel was out of. Well, they didn't know how to operate their credit card software or their front desk software very well. So instead of just voiding out the transaction, they credited it $1,000. Oops. And then we have our software here that's supposed to audit it, credit card network software. Inherent design is to make things simpler. You have 15 billion credit card terminals in your hotel or in your casino. And you don't wanna have to go from door to door to door getting all these credit card receipts and everything. So it's all electronically stored. You just look at your list, look at what it's supposed to be, you like it, you hit close batch. Well, with these people, they didn't bother doing that. They hit close batch, gave them $1,000. Then they called us up afterwards and said, hey, I just gave them $1,000. And when I tried to recharge them, said the account has been closed. So, yeah, go figure. So somebody out there is really happy with their new $1,000 hooptie. Okay, hacking from, where are we at here? Hacking from inside the network. Using shared networks too often hotels boost. We have internet access in every room and wifi in the lobby. You can see where this is going. And not everyone realizes that they're given their customers access to the same shared media as their credit cards. The latest craze in hotel networks, large install is high speed internet, so they love to boost all this. And the internet hookups in every room. So the general point of attack here is gonna be the lobby. You don't even have to check in. And you just sit there all day long with the port sniffer and you're just grabbing credit card numbers across their network, you know. So, and it is real and it has happened and we have had to reconcile that quite a bit. And of course, you know, they don't put firewalls and it's just like FBI's carnivore for those of you who are familiar with that. And what's inside these packets, that's the important thing that people don't understand. If you manually enter a card, it's no big deal. You just have, you know, 16 digit card number, expiration date and a dollar amount. You know, you can do some damage with that, but if you try and, you know, card a laptop off the internet, you know, they want CVV2 information. They want address information, that kind of stuff. Well, with swipe data, you're literally getting what's off that magnetic strip. So when they swipe it at their front desk system and it goes across, you have magnetic data. And everybody that has any inclination with credit cards I know that that's pretty much the cherry bomb of what you want, you know. So, let's get into the rogue employee. Another thing that we run into with credit card networks is that they're not very, they're very new. Not a lot of people know about them and they're not very secure in a lot of situations. You see a lot of people who are just like, hey, we just have the defenders password, username and password. Everybody in the whole entire hotel, you know, that deals with the credit cards remotely. We'll just log in with these. So you're seeing a lot of remote exploits where ex-employees like, man, I hate that stupid company. It was bad, you know, and, you know, he has this little Uber friend who's like, really? What do you got over there? Well, we were always doing credit cards at night and everything, and we all used the same password. And he's like, really? Tell me more, you know. So, you know, then he's like, well, you know, I'm doing my 60 hour a week, you know, engineering job, but I can squeeze 20 hours out of the week to just get a part-time job over there, you know. It's a pretty unsecured network. Nobody will ever notice. And that one hasn't happened yet, but it can. Also, this stuff is getting pretty cheap, so it ends pretty scalable. So you're gonna have a lot of people who are, you know, five-bedroom motel who has their small credit card network, you know, and they got their hub and their Linksys switch. So they're going across the internet and the traffic's encrypted. It's, you know, 384-bit moving target and all that fun stuff. So when it's across the wire and everything, nobody can really grab it unless they know what they're doing and know what they're looking for. But they're connecting to the internet using a Linksys SOHO router, you know. And the same token, when they use that router, they offer their five-bedrooms internet access, you know, going across the same thing. So that's another exploit that comes into play. What else you got here? Okay, what's involved with them reading the packet information? Let's say one of you guys knows what you're doing and you wanna go out and test this. What are you looking for across your internet or across their network? The most common thing that is a biggest problem why these aren't secure is because they're only supposed to be installed in trusted networks and obviously we're talking about how, even though they're supposed to be, they're not being installed. So how do you read the information out of them? Well, the scary thing is it's all I ask you, you know, going across. So I mean, all you have to do is look date, time, Rx, card number, date, time, Rx, amount to be authorized, date, time, card, Rx, CVV2 code. It's literally all there and ask you because when you're working with a property management solution or a point of sale solution, their engineers are lazy. They don't wanna have to plug this in. They don't wanna use binary. They don't wanna use secure tunnels. They don't wanna take the time to actually make sure it's secure. So what they'll do is just say, well, let's create an API to your interface but let's just make it a clear text API. That way we know we can't screw anything up but there's something wrong. It's all clear text anyways. We can see where it's going wrong. And they'll do that. And there's over 80 point of sales in property management systems that all they do is ASCII right across the line. So that's pretty much all your clear text stuff there. Let's see here. So the main point obviously is that this is a problem and it has to be resolved. So let's get into some ways to protect it from a credit card standpoint. Protecting from social engineering we kind of touch base on that, how to protect yourself against that. It's pretty much, you know, somebody calls in with their Photoshop statement. What you really wanna do is just call your merchant bank. Nobody wants to do that. Just call your merchant bank. Did they take it out twice? Yes, they did. Send the credit. No, they didn't. Okay, let's do some other research, you know. Protecting your networks. Nobody uses, they use ASCII. Nobody's using anything else. VPN solutions are pretty cheap these days. You know, all it would take is just installing a VPN between your two internal computers or help just be smart and get a managed switch. You know, and just, you know, that port only goes to that port. Don't let anybody else talk to that stuff. Easy enough. Social engineering on the card cloning side or the credit card terminal slide, it really can't be avoided too much because, you know, even the best, most secure person who's sure about their network, you know, will give away a terminal ID or it'll just be sitting in a dumpster and you guys can see how dumpster diving works later on today. It's all just still sitting there and you can't get around it. The only thing you can do is move to a credit card network and get off terminals. That's my biggest thing, terminals. Any of you, oh, you all got the CDs. So I left a lot of reference lists in my directory. You have a lot of room to work with, find out which credit card networks are which and the actual white papers and how to program your own transurities. Omni395s, 3300s, HyperComs. It's all freely available on the internet for anybody who wants to be a developer of this stuff so you can see exactly how it works and how to take over a credit card terminal. So that's pretty easy and straightforward. Okay, so what are the credit card companies doing about this? Well, they've knew a lot about it since it went really crazy with the debit cards back in the mid-90s but they didn't care. They just thought that it wasn't big enough problem so it wasn't until, well, 99, 2000 that they started designing these. So you got Visa, who has their card holder information security program. There's is pretty much, it's called the SISP audit, not to be confused with CISSP, it's CISP. It pretty much just gives you pretty lame stuff to digital dozen, like, hey, only one person is supposed to be accessing your credit card network. Make sure that their loans has a password. Hey, make sure you have a business class firewall. Hey, make sure that the physical access to these terminals are limited and everything. And if you really want to try and own somebody's credit card network, just read through this and like the SISP one and just go to Visa.com and read it and then take everything that's there that says good practices, which are pretty much just like we suggest you should do these and just believe that they ignored all of them intentionally because that's exactly what they did. So that's a good start for anybody who wants to find out how to actually get into these. Just read through that thing and it's like, wow, they're not doing this, they're not doing that. And they're not, you know. Also, these people like small hotels, they have a big huge thing with connecting to cable modems and to DSLs. And anybody that knows cable modems, I don't know how good it is in your areas, but over here, you know, you can still see other people's windows, shared directories and everything across your cable modems. That's kind of lame. So, you know, you can still put a port sniffer on there for a packet or a packet sniffer and port sniff everybody out. And if you see like a weird port and you recognize it from one of these credit card companies ports that they use to send out in crypto traffic, you know, you have a live one and then you go through their Linksys router and just get into their network and then migrate across because the vendors themselves, I work for a vendor, so I'm gonna go ahead and spin our wheel for a minute here. We do do a very good job of encrypting the traffic once it leaves our presence. Thing is, is that before it gets to us, it's not very secure, you know. So, I mean, we got moving target to open source protocols, one closed source protocol who knows what it's coming across, you know. That's pretty secure going across the internet. But coming in, taking it over, that's another story. You can't really get around that. Also, MasterCard has their site data protection one, so you can look up on that as well. And American Express has one. It's kind of hard to find, but it's out there. Unavoidable threats, we already went over that. So basically, I'm gonna kind of wrap it up a little bit early here and open up for questions because I can't think of other stuff I should probably have mentioned. Basically, credit card networks during everything, resale, what else, hospitality, all that fun stuff. They're very insecure. Bring your wifi jacks out there and give them all day long. With that said, any questions? Cause I can't really remember anything, yeah. No, they don't. I'm sorry, the question was, when somebody calls in and decides to be a social engineer and say, hey, I need to get this credit on my statement reversed or this charge reversed to a credit, do they take any information down about that caller? And the answer is no, they don't. The only information they take down is what's your credit card number? Honestly, we're recording this. I've worked at call centers and I've worked in our call center has, I'm sorry, what? Oh, the question was, this call is being recorded for quality assurance purposes. Do they actually record that call and do they actually go back to the tapes? In my experience with call centers, working in different vendors besides this, no, they don't, they listen in on them and like once a week, you're evaluated on a call you have taken. But for the most part, most of them are not recorded, they're purged after one week or a month. Yes, sir. Okay, the question was, what's the regulations on swiping cards versus stamping them? Speak up. Okay. The question was, what's the policy on swiping cards and manual entries? Why do they have that? And what's that involve with it? Is that pretty much it? Well, the thing is, is that swiping a card, ideally when a merchant accepts the responsibility of accepting cards, they are supposed to train their staff on a couple basic points, check the ID of the person that is giving you this card. It's a mandatory thing no matter where you go. Even if you see these visa commercials and everything, let's say like, hey, here's our visa logo, now you don't have to give out five forms of ID, that's wrong. Anything that has a visa logo, American Express logo, I understand that it says that, but automated clearinghouses and merchant service providers have a separate one and it is actually kind of a conflict of interest. You know, the merchant share and some policy exactly because they're going through an MSP, which is not the bank, not the clearinghouse, not the card holder, but just some guy who knows it very well and they just give him free money to just move money around somewhere else, you know? They say like, cause they're the ones that have to deal with charge backs. You know, when a charge back comes, it goes to the merchant service provider and not their direct bank. So they say, you know, we want to keep our charge backs lower on these cards. So we require you to check ID on every card regardless. Okay. As far as that's concerned, swipe data, they believe that once you swipe a card, you have checked their ID and you have compared it with them and you've compared the name on the ID to the name on the card. And so since you've compared all these and you swipe the card, which card physically means the card was there. So you got, I checked his ID, the card was physically there. Everything checks out. That gives you the best charge back protection. Now, if you sit there and go back and forth, back and forth, the card just does not want to read. They have to, now the discount rate, we didn't really talk too much about a discount rate. Discount rate is pretty much when you have, what's my time by the way? 14 minutes, okay. The discount rate is pretty much every card, if you ever go anywhere and they say debit or credit, always tell them credit if you have a debit card. Always tell them because debit, you get charged 59 cents to 250 for a transaction. Credit, the merchants themselves gets charged a percentage of that transaction. So if you have a $100 transaction and the average discount rate is 1.5%, that's your discount rate breaking out. So, what happens is, if it's 1.5% for a swiped card, check the ID and you swipe the card, doesn't swipe, you gotta manually enter it. I mean, you have to manually enter it in. That means the terminal does not know that the card was actually there. The discount rate skyrockets to about 2.9 to 3% depending on what your deals are. So how do you bring that discount rate back down? You manually imprint the card to say, yeah, it really was here. It just didn't read in the reader. And then another thing, yes. Okay, another thing that they want is your zip code. Okay, we need some personal information about this person. Get your zip code in there. That also lowers your discount rate for the merchant. So that way it saves them money. Anyway, they look at it, it's gonna get down to maybe 2% if they have everything required. They entered the CVV2 code. They entered the zip code. They entered the last four digits, the credit card and the terminal again. And they took the manual swipe. It'll probably get down to about 2.9, but not before, sorry, 1.9. Yeah. Possession of a swipe here is the same thing as possession of anything else, like what do you call it? Pirate radio. It's, right, the only, it's another one of those freedom of speech spills. I can have this BQ sword that I'm not supposed to have, but as long as it's on the wall, nobody cares in that sense. And also it's like, well, I have a pirate radio device that can propagate signal like 15 million miles, you know? But as long as I don't turn it on and put it on hijack somebody's frequency, I'm allowed to have it for hobby purposes. So it falls under the hobby rules. You're allowed to have it, but if you get caught doing bad things with it, you know, then of course, you know, you're looking at minimum, I believe. Credit card fraud is minimum 15 years, if I'm not mistaken. Correct me if I'm wrong, anybody that knows. Well, that also gets into the, you know, found facts with the search warrant was for that or this bust was for that. And then we came across this, I think the law, you know, a good choice to lawyer will take care of that for you. I'm sorry, what? Exactly, yeah, you know, and it actually works that way sometimes too. Who's next? You say? Because here's the interesting thing about it, you know, merchant service providers, it's a very dirty industry, you know? They see it as, okay, who does all that fraud protection that wasn't swiped, we're talking about, it wasn't swiped, the discount rate skyrockets, who actually gets that money? Well, the merchant service provider gets a little bit extra of that money because if they have, if that card actually does get charged back, they have to spend their time actually going in and researching it and everything and calling the merchant and all that. So they take that little slice out. So, believe it or not, even though you see these echo terminals and translators and they're all owned by banks, they're not 100% compliant with their own regulations. You know, if a hotel, you have to put rooms, room number that was stayed in, the infolio or invoice number of that room. You know, these terminals can't accept that information and that information actually gives you better discount information and they know that. They don't care. They're just like, well, if it's not fully compliant, it just means we're gonna get more money off the top and it's the same philosophy, you know? It's like, well, we can push that but, you know, they make more money on a transtriety than they do on a credit card network solution, you know? Because it's like, well, I'm just gonna bump the price out. Before they were on eBay, you know, they were charging, you know, for this little box you can get on eBay for 50 bucks. You know, the, what is it? The Hypercom one, I believe they have on there. It's 50 bucks, but, you know, three years ago was $400 from your merchant service provider and they're taking a $250 straight off the top, a profit off that. Yes? Yeah, the actual line of it, it can be up to about, I believe, five different people who touch your money before your bank, before the merchant bank will. Because, Yeah, authorization, the way it works is when you swipe the card, it goes to the front end processor. The front end processor then passes it on to the merchant service provider. Merchant service provider then either passes it on to their little sub merchant, they'll have like a merchant service provider and then their master one so they can double dip, you know, kind of like electricity industry and then it goes to the issuing bank. Issuing bank then spits out a six digit off code and it comes back to that line. Then when it gets cleared at the end of the night and they close out their terminal, goes to the front end processor, says hey, close my account. So the front end processor tells the merchant service provider hey, close everything out of their account. So then it actually removes all the money out of them and moves it to the front end processor and the front end processor moves it to another back end processor and the back end merchant service processor puts it into the merchant's account. So it actually goes across that line. Now the people on this end who say, I can give you a really great deal, these are what I was talking about, those shiesty people out in the merchant service business, you know, they're just like, and they're not gonna even give you a good deal, they're gonna take people who have no nothing about it and just screw them right with these. Yeah, in all honesty, 50% of Visa charges that go through don't even talk to Visa, they just have a logo and the bank pays a royalty to Visa for carrying that logo, you know, and they make a lot of, they make a lot of money off that, you know. The only one that actually does have a lot of transactions moving through his MasterCard and I think they have like six MasterBanks that they like Wells Fargo and a couple others that actually carry the MasterCard logo and they actually store a lot of their data there because they give them data mining purposes for it. They actually have the right to give to all of their issuing banks information in groups of like general trends, yeah. Aloha is on ASCII, that's all I'll say on that one. Just go to eBay and type in Omni395. How did he get it? They don't care, they don't, there's no regulation who's allowed to get these terminals. If you're a customer that wants to buy one of these from us, we're gonna sell it to you. You'll sell it to anybody. You don't care who it is. You don't need a little certificate saying I'm an MSP. Yes sir, in the back. I'm sorry, what? I'm not informed on that, so I couldn't tell you. Yes sir, how do charge backs work? Generally speaking, what happens is when somebody sees something on their statement that they don't agree with that they think somebody fraudulently took, what they'll do is they'll call their issuing bank to start it and say, hey, there's a charge on here that's not mine. And then the issuing bank will then in turn initiate a call with the merchant service provider. And they'll say, hey, we have your merchant here. It says that he wasn't charged. So then the merchant service provider will then contact directly the merchant and they'll say, we need your records for this particular client. We need to see a signed receipt. We need to see your close out batch on this and we need to compare this to their general signatures of this client of this issuing bank. And they have to go through this big, huge fiasco. And the thing with credit card networks is they make charge backs simpler in that aspect because it's all stored on computers and whatnot. So all you have to do is type in a credit card number and it pops up. Their signature, you know, you're seeing electronic signature pads now. That gives them a better discount rate because it's easier from the pull it up. They don't have to go through a huge two-year box of receipts to find it. So that's generally how charge backs work. I couldn't tell you the actual little details on it. I'd deal mostly with the merchants and. I couldn't. Yes, sir. PayPal actually has a quasi credit card network. They have their own master merchant and what they do is they have all their clients going through their master merchant and that master merchant then gets authorized. It gets an ID tag from what I understand. Anybody from PayPal, go ahead and shoot me if I'm wrong. It goes through there and then it just goes to front-end processors like anybody else. Some people would say they're front-end processors like PayPal, but they're actually still going through a front-end processor. You know a bank. Well. It started as a bank through a bank. Well, they're a bank, but they still have to, they still, they still, they still have to go through a front-end processor just like any other bank. So if they have their own front-end processor, they have their own, but they still have to go through it and it still has to be a separate entity. So, right. Yeah, an X and all that. Is there any others? I leave, I'm just about out of time. I'll take one last question. I know that people have partnerships with each other like generally speaking like Sears and a couple of their other, because Sears has their own clearing house as well. They would, they work with other businesses as well having similar black lists, but for all intents and purposes, there really isn't. The whole point is that the credit card industry, it seems robust and secure and it's not. It's just plain old not. Nobody knows what the other guy's doing and it's just free rein and people wonder why card terminals are getting cloned and people are stealing credit cards. And not the second one, but the first data place got gipped. I already read about that. Where five or six million credit cards were just taken off the internet. Yeah, it's just not there as far as security. Yes. Okay, I can't answer that one. If you wanna talk to me about it afterwards, I'd love that. Please give me a signal to clear everybody out. Thank you very much to those who stuck around. I really appreciate it. And apparently there's one other guy at the con with his shirt. So if you see me and you have more questions, just come flag me down.