 I'm going to be doing a talk here on good-by-memory scripting malware. I'll go over the talk here in great detail about some of the software. It's an open source project for proof of concept. I'm not here plugging any kind of software. It's a proof of concept. The source code will be out there. We're doing a DEF CON launch. We had trouble with internet connectivity, as many of you will know. We're going to load everything up there. You'll be able to play around with it. I work for a company, KLJ. It's an engineering company up north. These are not the views of my employer. Who am I? What's this talk about? I spoke at DEF CON 22. I have a lot of computer certifications. I went for computer science in geophysics. I've done pen testing professionally about 11 years. I do a lot of security research in malware, things like that. I spoke at DEF CON 22 last year on a burner phone DDoS. Did anybody check that out? Yeah. That was good times. We do a lot of auditing. I know lots of, I've read so many manuals. It's not even funny. Wrote custom exploits for a lot of obscure ISP gear. It's something that's neglected. A lot of people when they write exploits, they go for a lot of 50,000 units, 500,000 units. It's nice to be able to have some exploits for some of the more obscure gear. Anybody here do pen testing for a living? Yeah. It's really hard to find some of the exploits for some of the more obscure gear. It's nice to have a community going. If anybody has any questions about that, feel free to shoot out information for contact later on. The software I'm going over today, it was myself and a co-writer, Tim Swartz. He works with me. It was a concept that we came up with because we got to hear the breaches in the news. It's something that I think if it was implemented correctly, it could definitely stop a lot of the breaches. Like I said, the source code will be loaded on GitHub later today. Everything in the pen testing goes banks, hospitals, you name it. Off my talk last year, we got a DHS contract over the next three years to attack 911 centers. That is very good times to be had. Here we go. I did a variant on last year's ones. If you guys do pen testing and you like rubber duckies, this is an amazing thing. They are fake phone enclosures. I can teach you guys how to make them. They're amazing for pen tests. I started out with the iPhone 5s and got sick of converting them over to the 5 pins. Now I rock an HTC or any Android handset for that matter. They're little TIN-C 3.0s. It tricks it into a keyboard. You can do drive-by attacks. You can run stuff. It's very cool stuff. Do you have any questions? Want to know how to build one? Let me know. I'm going to get started here just so we can see how it goes as it progresses. So I'll exit out of the slides here for one moment. Do you have to stand up for this? There you go. So is anybody familiar with point-of-sale skimming software? Did any research on it or seen any other demonstrations? Yeah, this basically is a Jack POS. The only reason I used it is it's a black POS variant. So it's a very, very graphically nice to view. And I actually have a command version of, so you'll be able to see all the console injection. So I actually slowed it down and normally injects 500 cards per second into memory. It basically feeds the malware or fake credit card numbers and I'm going to show a little demonstration. The actual, this is not set up like a normal environment. Normally the POS does not have where the malicious data is being sent to on the same system. It's just for demonstration purposes. And I'm sure everybody already knew that, but I had to get that out there from when I was telling somebody else about it. So basically this is the actual place where the fake or the credit card numbers are sent. So all the stolen credit card information will be sent by post requests from the point-of-sale system to a server. But in this instance they're both of them. And it's going to go over the dumps. It looks like we have 3100 track data already. So yeah, the resolution is a little bit bad on that. So these are basically track one and track two data. This is where they are putting credit card dumps on forms. And they find out their validity rates. They'll do tests. Stuff like that. And this is the point where the bad guy will start selling it. And I'm actually going to show, go next into the actual software and what it's doing. So here's the actual installer. This is the console version. It's graphically pretty. It looks like, you know, matrix stuff sliding down. So, and the graphic version, it is a full-blown application you can install. And you can modify it as a source code. But as you can see right now it's injecting track one and track two data along with randomly generated names, randomly generated bins, which are bank identification numbers. I'm North Dakotin. So we have special bins up in, you know, that designate I'm a North Dakotin. So that's basically what it's going to do is generate the bins off of where the point of sale system is. So they look like valid credit card numbers. There are no open source bin lists. So at this time we're basically just injecting, yeah, just injecting randomly generated credit card numbers. So I'll go back to the slide, see? And that desktop is just one of our engagement photos. There's nothing strange going on there. I forgot that you would see that. So here I'll go back over to my slides one second. Okay. And we'll go to the second slide, the other slide here. Well, we all speak it here and it's basically a source will be on GitHub here pretty soon. So it is open source. Once again, I'm not trying to plug into things. This is just proof of concept. I think we're working on building it into some PMS, property management software and POS software. It is something that I don't see why it wouldn't be in every single system eventually. And the problems of data skimming, it's gotten larger over the last few years. You can literally can't turn on the news without hearing of a breach. So it's gotten a little bit ridiculous over the years. And that's kind of the reason that Tim and myself came up with the software. And yeah, why do people skim data? I think they're very, very low. And how much does it cost? Some of the credit cards like validity rates when they're very, very low, which means, you know, 9 out of 10 will work type situation. The 9 out of 10 cards are about $45 a piece. And off of the bins, you can tell how much you could put on them. This is what nefarious people do when they're people who literally drive around the United States just buying MacBook Pros and selling them or whatever. That's basically where this industry comes. And with some of the card reforms, they're actually able to filter by the bins and things recently, which has made it a lot, lot more dangerous because say for example, somebody's trying to use my card down in Texas or using an orthocode of bin, I'm going to get a call on my cell phone. And they're going to be like, hey, did you try to do this? They'll block it. So that's why it's scary that people are actually able to filter by bins. And that's something that it's nice to be able to actually have more valid looking, generated credit card data. And how much does it cost? As you can see, some of these ones are four and a half dollars up to I think the highest one. I have a script that does analytics for the data and how the validity rates go down and it affects the price. But it actually anywhere from four, I've seen three dollars down up to 40, 150 for some of them for the really big ones. And yeah, it basically goes a little bit into what it costs. And how is it used to defraud? Does anybody in here have an MSR 605 or a two? Amazon, exactly. They are very, very easily obtainable. And that's one of the things like whenever I was telling people about, they'd ask about some software or whatever and I was like, yeah, it's very, very simple. There are tons of people that are going out and doing this stuff. I'm not endorsing that. I'm just letting people know that that's how scary the actual Magstrip data and the environment of Magstrip is. And that's something like literally people will buy these track one and track two days at the right amount of cards. Five minutes later, they're either in an ATM or inside of a store actually doing fraudulent purposes. They're people who order things online. There's tons of things if you're interested in that stuff, you can go into, there's tons of, for a very long time there's been lots of information out about how people do the carding stuff if it's something of interest. So how is it used to defraud? So like I was saying carding or ordering things, there's tons of things that people can see as valid online. So actually ordering things online will order them to dead houses. So these things, they do try to keep them anonymous, duplicating stores. That's one of the biggest retail thefts. The card not present stuff is not as big anymore. ATM cash outruns, people will literally get a bunch of homeless people, feed them for the day and then they'll run them around ATM machines. So it's kind of scary. And then the theft of resources, gas, I've seen where some guy had like a 600 gallon tank attached to his truck and yeah, it's crazy some of the extents that people go to. Theft of online services, such as your 99. I don't know which one is more embarrassing that I went into Kmart to take a picture of that or if it's that still exists. So they have digital movies, digital sales. I know a lot of stuff that's really expensive, like some of the training courses that have been leaked online lately. Yeah, we got watermarks on it. It doesn't matter because it was purchased with a fraudulent card. So that stuff is kind of scary and it's hard to track that down and it defeats a lot of people. Basically people who use cards that you do western union transfers, things like that. That's crazy. If you've never looked at the dark side of the internet, it's definitely interesting to take some looks at it. And how are the batches actually ex-filtrated is something I get a question about all the time. Like for example, this is in the, for four bitcoins, you can get the version two of, I believe that one's Dexter. And Dexter is one of the many POS malform that steals the credit card information. The difference between Dexter and some of the other variants is this one actually has a keystroke catcher because most of that MagCard readers are actually USB devices, USB keyboards. And I do have a portion that will go over with anti-keystroke catching that works in more than just credit card environments. So basically for four bitcoins, people can go and buy this software. That's kind of ridiculous because I guess that's pretty expensive now but for about a half hour hack a system they can have the host and the server portions running pretty quick and they'll be stealing data. So that's actually how it gets loaded on. So people ask how it gets loaded on. It's obvious anyway that a computer is breached in any of the classic ways as I would call them, you know USB devices, people are using spearfish campaigns. So any compromised system, they'll work their way and pivot point into the actual point of sale systems. You know, you can have a great software and things like that. So yeah basically it sends post requests and post requests are basically what are sent to servers. So that's how it's exfiltrating data and some of them actually store it on hand and then exfiltrate the files after they have like a gigs worth or 25 megabytes worth of data. So they do have ones that store them locally but a majority of them actually send them out in encrypted HTML post requests. So it's not 600 times the traffic if you're doing the post request method. So that is something, you can't see if they are stolen credit card data but a point of sale system starts doing 25 megabytes of data when it was doing about a half a meg a bit ago. You definitely got something and it's something that it's very very useful for intrusion detection also and getting your intrusion detection to work better. So it's amazing like the amount of data I couldn't believe how actually it's a GPU utilization. So for running and that's injecting a thousand credit cards a second. And that's into memory, there's stability with it. You can inject it into any 32 or 64 bit process. So when it goes around and steals and looks for credit card data, it's going to come across a lot of cards. So and it's, I will go here and yeah like the two year old target or it's probably three year old now but it still has a validity rate of 0.004 after you run some of these batches. And that's something that's being compiled into bins. That's the thing that really scares me and it actually has shot theft through the roof. So the initial terminal is breached, it's loaded with malware, it's a bad person, loads it onto the actual point of sale server. And then it basically sends it off to the server using the post requests or they pull the data through the FTP. I've seen incremental backups that they're finding very, very tricky ways to actually exfiltrate the credit or store the credit card data and other data. So basically after it's stole on the POS, it's sent off to the server and in this, I just wanted to stress again, in this demonstration, it is all running on the same box. So it is basically sending to 127, it's sending to its home address. So yep and it's basically catching it. Yeah that's for the most part. So that's it's very good for this demonstration because internet connectivity is very shoddy. I've had demos blow up in the past. So especially when you involve virtual machines and unplugged laptops, it usually shuts one of the CPUs off. So that's why I've gone with the video version of the demo. And how does it tell credit card data from other data, just random numbers in there. And there's usually, a lot of them have custom algorithms, some of them go off of the basic LUN algorithm. With the check digit, it actually is mathematically able to detect what is a credit card data. The first few numbers are the actual, first six are the bank identification number. That will tell you if it's a Houston bank or Dickinson North Dakota, Bismarck, Minneapolis number, you'll be able to tell those. And that's actually a way to protect your data. If you're scared of, if you've had a breach four times in a year, go up to Ketchikan, Alaska and get yourself a bank account and it'll never happen again. So or to Bismarck in North Dakota, there's like 600,000 of us. So is it. Oh awesome. Yeah. There's two of us. Here we go. And this is a little bit blown up. This is the actual malware that we tested them against. Chewbacca, JackPOS, Dexter, BlackPOS, back off. There's a couple other ones that are definitely of Russian variants. Vskimmer, BrutePOS. We tested it against all of them. And the actual only ones that we didn't were the some of the versions of Dexter, we had some keystroke catching. That was a little bit harder to catch, but I have a tensi that actually does injections in, there's a black hole on the actual software where you can inject keystrokes into. So it's pretty decent for blocking just in general. Anything like that. And then here, yeah, if anybody do malware research, yeah, you can definitely, this is another reason. If you're doing reverse engineering of point of sale skimming with it, it's a very, very good way to actually get that malware alive and feed it. And I've seen where the actual ones where they dump, like Dexter, I actually locked up a computer because I think it was making 500 megabytes a day of data. And we're just running it to make sure it wouldn't crash or anything. And it's amazing how big some of those files get and how quick they get. So the approach to stopping the breaches, this is an open source software that I made, or myself and Tim made, and we just wanted to release it and see if people could use it and implement it into their own APIs for some of their other software. And that's what I'm saying. There's no reason at all that it's got an MIT license so anybody can improve on it and put it into pretty much anything. So that's something that's nice to be able to, I don't see any reason why people wouldn't want to put it in. I know we're going in chip and pin, but I'm actually working on methods and proof of concepts to make them actually implement chip and pin properly at the most fullest extent. And what currently exists, there are some, for skimming there's the classical firewalls that can manage packets. You can scan out, you can put snort rules. There's lots of actual tools out there, firewalls, there's tons of IDS's and things like that that will look for specific things or look for signatures. But that's not enough with some of the stuff. Especially when you get into some of the honey potting features of it, it's nice to be able to know when you get into it. There's some high availability of bins that you can actually paste in where they'll be almost guaranteed. They look like a $15,000 Amex or something. They're definitely going to get grabbed first and you can actually seed those into your batches and those will get sold off first and you'll actually know a lot better when the breach happened and there are other ways where people can buy for the credit cards and then they can run them through processors and things like that to run into many tools and if you guys do know of any tools that are made specifically for point of sale skimming or stopping said point of sale skimming, definitely fill me in. I love hearing about them. How would this concept make batches usable? It's basically you have valid credit card data that is being swiped in there. It's being sent to the credit processor but where it's being stolen is actually in memory. For the most part, simple concept and I'm surprised that not a lot of people use just 500 fake credit cards for a valid credit card number in memory. So when people steal them, they're actually exfiltrating tons of fake data. I tried scrubbing these. Somebody gave me a batch of 500, tried running them through a credit processor. After 50 cards were run, had to do manual authorization on them. So there's no way that a person would be able to scrub these batches. They look valid. They have real names. They're generated off of 25,000 most common names in the United States. If you go off of the bins lists, you can actually generate traffic. If you're in a touristy area, you can leave it open so there's credit cards from everywhere. Just statistically speaking, you're going to generate tons of where it won't matter and that's what I'm saying. When people try to scrub these batches and sell them online, they're going to lose their reputation and that's one of the biggest things. The validity rate is 98%. People will gladly buy those all day long. 0.004, that's actually stopping people from doing the breaches because there won't be any money to be had on it. Yeah, hardly generated. Like I said, it's off of basically a long algorithm and then we have a lit bins list and it's not fully implemented because the bins list is sold. I was planning on making an open source bin list but I thought it would be used for nefarious things more than actually implemented in skimbad. It's open source so I would have had to leave the bins list. I couldn't have separate things compiled. It's not affordable for projects such as this one. That's something where it's the bank identification number, the first six numbers. The first one tells if it's a Visa, a MasterCard, American Express and the rest of them are the actual bank and financial institutions. However, the random cards made basically generates them from scratch and then attaches a name to them and track one and two data. They look like valid credit card numbers. I even throw a gift card in there once in a while so it's actually a very, very good system of way of blocking it. Like I was saying, I pulled a list off the social security web page for the United States for first and last names and basically generated it from scratch and they have a pretty good list of names to input and like I was saying you can modify names and I was watching and my dad's name came across and it's a good list. There are some names that I was like that is an awesome name. Some of them are awesome. This basically explains the Honeypot services. These credit card numbers do not occur naturally so it's something when a credit processor comes across them, they were not ever issued. There's not actually a physical card. That card will come through the credit processor and they'll be able to tell that one was leased to so and so company. I will notify them of the breach because like I was saying, some of those bins, they'll look like some of the lucrative $154 cards or it'll have information with it. That's what I'm saying when it's randomly generated, they'll also be padded around that. That's why I made those actual Honeypot cards. They look a lot better. When you input them, there is a way to reverse the batches depending how you input yours so I have ways to actually fully remove once you seed your Honeypot cards. It's a little bit of a lengthier process and it's not fully loaded. It is something that it is possible. It's very easy to reverse. It's the only problem. But for the kind of people that are stealing credit card information, I think it would be coverage in most 70% of the situations. Anti-3 keystroke catching, that's something that's kind of fun. It's actually plugged in with a little tinsy and it'll inject what looks like valid credit card numbers. It repetitiously puts some of them in and generates them from scratch. I will fill up whatever the ones that have actually capturing data and pulling them locally are also the ones that happen to have functionality with keystroke catching for the most part. So that's something where it can inject from scratch some of the keystrokes. It will fill those logs up very, very quick. Most IDSs will detect a log that's growing 500 megabytes with what looks like null input on it. How will malware evolve on top of this? Obviously people are going to try to attack skim bad if it would get out in the wild, getting used, things like that. We did build some watch dogs and very simple ones to start everybody out with. Let's just only read the memory of the point of sale system. If 32 or 64 bit, you can just directly inject it to the POS of the point of sale software and it doesn't affect how it goes to the credit processor either. That's another big question they're going to get smarter about it they're going to have to take a little step forward. I know most of the malware that I've been coming across when they always bust some 17-year-old Eastern European guy. It's like you think that they would have had somebody more behind it and they would make it sound like it's a dangerous persistent threat but it's simple to stop it. There are a lot of very, very good development tools and things like that but it's something that if we stay on one step ahead we'll be able to do it. That's why a lot of the stuff when it installs it actually randomizes it. That's pretty much the... I'm sure a lot of people have things coming to mind also of how people would try to stop this type of stuff. I love to hear that kind of stuff because that only makes the product that much better or you can even implement it yourself. It detects bins from certain areas. Say for example North Dakota, if there's a bunch of Florida bins they'll try to scrub new bins that are North Dakota bins and it wouldn't work that way because of just your amount of them. Not to mention when I did the credit processing after 10 failed attempts it does to make you manually authorize them and that would be a lot of work to actually skim through those. I had the watchdog portion so I protected it from malware basically so when it stops the process unless if they have something specifically made to attack, skimmed out it would be pretty hard to stop it. In itself it's not necessarily a rootkit but it does have some protection. It does restart itself when it stops. It's very, very simple. That's the last thing I want is to have a virus signature on the actual anti-software. That's something where I did a skim around on it and it's something that people can implement and if it's implemented in another product it would be very simple. There's a lot of 80 companies that have very, very hard to kill watchdogs. How does the batch look real? They are all valid or for the most part they're valid bins and there are tons of invalid bins because like I was saying I didn't want to load the bins lists and I don't want people to have to pay even a dime for it. That's something where it literally as you can see there it fills just with random data. Not random data but they are credit card passing data. So it's just the sheer mass and volume of it is what makes it inherently protected. So I'm using the fake ones right along with the real ones. I've tried ways to cross check it and if anybody can come up with ways I would love to improve it. How to reverse the batch is like I was saying it was blocked after I tried two different authentication companies and they were blocked after 10 attempts. Otherwise people would just randomly generate credit cards and they would be able to use it that way. That is a mechanism that is working in some of the other ways. People keep signing up for stuff using stolen credit card information to get authentication stuff. It would just make it ridiculously hard. There would be several hundreds of hours, thousands of hours it would literally make it not worth it. So basically when is Chip and Pin going to stop it? For the most part if it's set up correctly there are some replay attacks that I'm sure people have seen out in the wild. I know that there are some with the chip and signature that's the exact same as it's pretty much been in the past. That's all about getting people to properly implement them and getting it to roll forward. I honestly don't think it will stop it until people properly implement it. It is a software that is open source it's free. People can help make it better it does have all the source code out there. If it's something you work through it it's definitely something that I would like to get a community behind it and help people build it up. I'm going to open it up to questions here in a little bit. I'm going to get the demo running in the background. I did transcode it at 480 accidentally so it is a little pixelated but you guys will get the just of it and it's amazing. I did slow the demo down as you can see when it goes through the actual names list and stuff. I will run that through you. Also my contact information if you have any questions or if you want to follow me on twitter I do appreciate that. If you ever want to build one of those 10C devices those are really, really fun and I definitely recommend them for people who do pen testing for a living. It's one step up from the USBs. Can we open up to questions? Yeah. They have the mic too. Sorry about that. That is my real name. That's not my handle. That is German for hacker. You guys go? Yeah. To modify the track data. I've seen where people can actually make them look like manual authorizations when they aren't. I know there are some people that ran stuff through in Brazil. She was asking if you can modify the track data to make it look like chip and pin. Is that correct what you're asking? There are a couple of attacks that are like that if it is improperly set up or the authentication is improperly set up that is something that can be done. Thank you. There are a couple of attacks out there that haven't released the details on them. Does anybody else have any other questions? Yeah. Yes. Yeah. Yes. That's the feedback I want. Not only will people, myself and other people in the community report things over to other operating systems like this one I made it for Windows. It should work with a lot of the older libraries. It is something that is not resource intensive. It literally utilizes less than 1% of a CPU and that's a 4 gigabyte VM with one core. It was a negligible amount. Does that answer your question for that one? Exactly. Okay. That's what I'm saying. Some of the things you can tune in and at 10, even 10 credit cards I think it would be very, very simple for the resources. Some of the logging, that's the next generation. That's the kind of stuff that I want the feedback on. This is literally just a proof of concept. I don't understand. It covers most of those malware. It's literally slapping them on 50 computers at a time. If they're targeted, yes. If they know they're running XPOS, they're going to be able to look at the source code. They're going to be able to look at certain other things or malware to it. I'm not saying that this is literally just a cover. If this would have been running on some of the POS's and the larger breaches, it definitely would have helped with it. The validity rates, some of the people, the class section lawsuits would have been cut down because they wouldn't have to cancel people's cards when they're in Belize on vacation. That's some of the things that people ended up suing for. Does that answer your question? Okay. Awesome. Because anything more than that, I'm going to start covering in memory, especially on smaller POS systems. You're going to cover them in memory before they're actually pulled by the scraping malware. You can do up to 60,000. That's the highest I went. It would just be counterintuitive. It wouldn't have any purpose to it. That's why I stayed with 500 credit card numbers because it'll start copying over itself. Does that answer your question? Excuse me? Oh, yeah. You can pretty much fine tune it. Like I said, does anybody in your program in C++? You'd be able to easily modify it. I do have some a little bit of DLL errors and stuff that are getting worked out, but I'm going to release it here soon. Yes. Offer some of the post requests and stuff like that? Yeah, a lot of them. A lot of the IDSs already do block post requests, stuff like that. That's why the malware dump them locally or they have other ways of exfiltrating. I was just going over a lot of the main ones. Yep. Tell that to the last Fortune 50 companies that got breached and it's like, I thought the same thing too. I was like, there's no way that, you know, but yeah, it happens every day and a lot of people, they do. It's one of the things of the original IDSs, too many emails, too many red flags on some of the stuff where it's just like, how do you tell what's real at the end of the day? Does that answer your question? Yeah, it's kind of been ignored by a lot of the industry and stuff like that. There's a place that do work, most work. Some of them, they have to actually, you know, there are other steps that people have to take to actually breach their point of sale systems. Some of the point of sale implementations that I've seen in the last two years are ridiculous and they are doing a very good job at it. But once again, it's, you know, the mom and pop shops can't afford it or some of the smaller point of sale ones. So, is there any other questions? Yes. Well, one of the main systems, I did go into some embedded systems. The point of sale systems, so Windows 7, Windows XP, some of the older ones, some of the embedded ones. And what was the question again? Yeah, it doesn't interfere with all the ones. I can't go into detail. I don't program the point of sale systems, but it just injects it into memory so it's after the fact of where it would have gotten dumped. So when it's taken, that's the point it's taken is before it's some of the end-to-end encryption stuff, like that's where it would lose it at. So it's, yeah. Okay, yeah, not a problem at all. So what was your question? Every single one of them on that list, which was the big breaches, they have gone, I've literally tested. And so, yeah, it's something that a lot of those, they do, literally just go through memory. And even, yeah, you select the process ID that you put it into. So like you can actually put the process ID for your actual point of sale system. So that's what I'm saying, you can inject it directly into the memory of the point of sale systems, embedded stuff. That's where the malware looks for it. At this time, they literally scrape all the memory. The point of sales, if you guys have ever reverse engineered an actual point of sales malware, it is very, very, very, very simple in most cases. And very, very, not resource intensive. So does that answer your question? So, and I would love to talk to you guys afterwards. I love constructive criticism. So, yes. Yeah, none of the near field stuff. I haven't tested any of that. I don't have the money to actually buy some of that stuff. Because some of those systems, to do a proper implementation, you do the back end server stuff. And you need time servers. There's lots of setup for it. And it's just something I didn't take the time to learn. And it's something that I have not had the privilege of testing an environment like that. But I see no reason at all, if it's being ripped to credit card data that would pass one of the algorithms or the search algorithms for the malware. There's no reason at all that you couldn't inject that data with it. So, does that answer your question? Okay. Yes. And that's something that's why I talked about the evolution. I know this is very simple, but the malware skimmers that are out there are very simple right now. And that's why that next step isn't injecting that data. I know some of them obfuscate the code into another valid looking credit card number. There's tons of other methods. But this is literally just to cover the last, you know, five years where people are still using some of the first generation Dexter, the Jack POS I've actually seen. And now ours should be able to creep through memory and still still credit card data. And that's kind of what I was trying to stop is the brunt force of it and get that concept out there because it's open source. I'm not trying to make money. I'm not trying to pitch any software. It's something where I want the vendors to actually implement that. So does that answer your question? Okay. I think I've got time for one more question. Okay. Yes. And there are ways, though. There are a couple of point of sale systems where they don't memory at certain times and things like that. I did come across some of that, but nothing to the level. Yeah. You guys are coming up with the exact same reasons. I was like, why don't people do this or that? That's kind of why I did this talk this year because I wanted people to get that proof of concept out there. Any other questions? Well, thanks. I really do appreciate your time.