 Hi everyone. My name is Nick Roy, and this is OSINT and the Hermit Kingdom, learning more about the world's most secretive nation. So just a quick introduction about myself. I've been in security for a little over eight, nine years now. I've worked for automation companies. I've done some app development, vulnerability management. I'm based out of Boston. I'm online as SuperDuctos, and I always think all good presentations need to start off with a picture of cats. So this is a picture of my cat Frank, and generally the look he gives me whenever I'm working on something. So let's get right into it. What is OSINT? I'm sure everyone here is familiar with this. So just a brief introduction. It's really data collected from any kind of publicly available sources. It's not related to any kind of open source software or collective intelligence. And really there's a lot of paid services out there, but today we're going to be looking at what's free and what can be found from the comfort of sitting on our own couch. So one of the benefits of OSINT is less risky. We're just going out and essentially doing some really creative searches to find some different pieces of information that we might be looking for. It is cost effective. I think the grand total that I've spent on all of this has been about $20 over the last probably two years, two and a half years it took to put all of this together. It is pretty easy to gather. I did all of this from the comfort of my couch while watching the Stanley Cup playoffs. And certainly I am not a lawyer by any means, but everything's already online that we're looking for. Now some of the challenges of OSINT that we might run into, this is something that I'm sure everyone is faced at one point or another. There is a lot of data out there, especially if we're not really sure what we're looking for. A lot of the times when I started this they really didn't have anything in mind for something specific I was looking for. It was really just kind of doing some general searches to get an idea of what was out there and what I could find. And then I could start to narrow it down from there. But I never really started out with any kind of plan or any kind of hypothesis that I wanted to prove. So there is a lot of data out there. Sometimes reliability is something we need to worry about. Again, this isn't data that we're actually going out and creating ourselves. We're gathering this from available sources. And then certainly revealing all this data can be a challenge. I still have tons of data related to this project that I just haven't had a chance to get through yet. It's pretty easy to automatically gather this data. The kind of piecing things together and making sense of it is where we can start to run into some challenges. Now I'm North Korea. This is a question that's come up a couple of times since I've done this talk now. I'd like to make the joke it's fun to tell my mom. But really it started probably about 10 years ago. I saw a video on YouTube, the Vice Gads North Korea. And I thought it was interesting, fairly from the perspective of they went on a tour and you got to see a little bit of just day-to-day lives of everyone there. So this is really not anything related to any kind of APT activity. This isn't related to anything malware or political. This is really just looking to see what can we learn about the internet in North Korea sitting on our own couch. So let's start to gather some information and see what we can find. There's a couple of ways that we can start to gather this data. Today we're going to focus on really the first two items here, passive and semi-passive data. Passive is anything that we can find online. Semi-passive is where maybe I'm going to go out and use a website to go scan a target for me. But I'm still keeping that site between myself and whatever I'm researching. And we really want to avoid active. I don't want to just run an AdMap scan and do all of my discovery that way. I want to rely on what's publicly available. And today what we want to start to identify, we want to see what's on the North Korean IP space. We want to start to define what the North Korean IP base is. What kind of services are running there? What kind of operating systems can we find? And we'll start to branch out from there and see what else we can learn. As we do, start to find more and more pieces of data that we can work with. So to start off, we need to define our scope. And this one's pretty easy. There is four Class C networks that are assigned to North Korea. We can see it here, 17545.176 to 179. This is really what we're going to focus on today. There are a couple of other IP address ranges that we can see. There's never really been anything too interesting on them. And quite honestly, there's always a little bit of a debate about whether or not they're actually used by North Korea. So we're really just going to focus on what we know is actively used and maintained by North Korea. But what do we do if there's not a Wikipedia article? Well, there's a couple of things we can do. We can pick a domain that we know about. In this case, I'm looking at Apple.com as an example. We can use the dig command. That's going to give me the IP addresses for this server that's responding. And then I can do a who is lookup here where I can get the ASN or the Autonomous System number. This is how we essentially register IP addresses to an organization. I can look up ASN 714. I can see that it is owned by Apple and all the IP ranges that they own. And this is something we can easily do for our North Korean ranges. So even if we think that someone might have edited the Wikipedia article, we can still go in and validate this information. And we can confirm that those four Class C networks are where we want to start looking and see what we can find. So how many servers are online? This is what we want to start to answer next. What's actually active out of these 1024 IP addresses? Now, this was something I found from back in 2010. This was the earliest example I could find of anyone actually scanning North Korea's IP space. At the time, it looks like they had about 12 servers online. So we have a little bit of a starting point, but we want to start to understand what's changed over the years, what's online now, and there's a couple of places we can turn to. One of my favorite places to search because you can find a lot of interesting information there. Is searching GitHub. So this is where I found actually a number of people who are scanning North Korea. And they're publishing all their results online. So they're running Nmap scans. They have nice repo set up where you can easily search through these. So there's a lot of different projects out there that are actually just scanning the Internet and interesting targets and making it available on GitHub. And we'll talk about GitHub again. There's a couple of other fun things that I found on there as well related to North Korea. But you can find all sorts of things on GitHub that maybe people aren't actually putting that on purpose. I found company API keys. I've reported them. I've seen entire dev repos just deleted because of things that were left there accidentally. There's a lot of good information that you can find on GitHub. Now there's a couple of other places that you can check. Shodan, the Internet-wide scanning project is a great place to check. If you do have your Black Friday key or if you haven't purchased that yet, it's the best $5 I've ever spent. I think I've bought it a few times now. But this is a way where we can start to just see what Shodan knows about these various devices. We can find if there's a number of them reporting here. And again, we want to try to just validate our data as much as possible. We have some end map scans. We have Shodan data. Census is another Internet-wide scanning project that we can look at. So between all of these different services, there's information that we can find online. We can generally get a good idea of what's available online anytime and the North Korean IP space. So this is my very crude drawing that I did. But we can see that there's really three subnets that are in use. 176 subnet is where most of the activity is happening, where most of these servers are deployed. 77 and 78, there's a couple of things here and there. Sometimes these numbers fluctuate a little bit. 79 really don't see anything happening there too much ever. If you do ever see traffic connecting to there, usually it's not a good thing. There's been a couple of reports for various pieces of malware that are connecting back to that 179 space. But this at least starts to narrow down what we're looking at. And now we have a pretty decent idea of where we're starting. So now that we know what's alive, we've narrowed down our 1,024 IP addresses to just 20 to 30 different hosts depending on what's online and what's resolving that day. So the next thing we want to do is we want to start to get a better understanding of what's actually running on these devices. And this is one of the only times we'll actually go ahead and do any kind of active probing. We're just going to put that IP address into our browser. And we can see some interesting information here. We see that it's running Apache 480. But we can see that the operating system is RedStar 4.0. Now if you're not familiar with the RedStar operating system, this is a state-sponsored operating system developed in North Korea. There's two different versions of it. There's a desktop and a server version. There's a couple guys in Germany that did some great work really digging into the desktop version. They found all sorts of nasty things in there. One that deletes files if there are certain strings of text in there. Those get deleted automatically. Another one that actually watermarks files in the background. The watermarks actually stack so you can see who made changes and who had ownership of a file at any time as it's being changed and shared. So they have a great GitHub repo. If you do want to take a look at some of their research, some of the tools that they've published for disabling a lot of these malicious components, you can find that online. They have a great talk about it as well. But if you haven't seen what RedStar looks like, version one had the nice Windows XP theme to it. Version two changed it up a little bit. A little more of the traditional Linux flavor to the desktop. Version three was an interesting change because around this time, we started seeing pictures come out from North Korea where they actually had Apple computers in the country. So naturally the operating system needed to change to reflect that. Now we know that version four is available inside of North Korea. If you do want to try versions two or three, you can find them online. You can find them on archive.org. It's pretty easy to download them and get them going. We know version four is available. One because, well, we saw it reported when we browsed to that IP address. But again, even if we don't want to trust that, maybe we don't trust the banner that we're looking at. This is from a magazine called Foreign Trade of the DPRK. They published this magazine online on one of their commerce websites. And if you're looking for some really interesting things that you might be interested in buying, a lot of interesting things in here. But there was an article in there a couple of months ago about how Red Star 4.0 was developed and released in the country. How great it is, how many people love it in the country. So we do know that it is generally in use. It's being put to use inside the country. It hasn't made its way outside yet. But we do know that it exists. And typically development does seem to be something that's in development and worked on pretty frequently. I did mention that there's two different versions of Red Star. There's the desktop version, then there's the server version. I haven't seen a lot of people really look at the server version too closely. So I started digging into it a little bit. I haven't had a lot of time yet. As far as I can tell, there really isn't the same kind of monitoring or surveillance tools available on here. But there are some interesting things that you can find on here. Beam and RSS mom, which we'll talk about in a minute. SE tools, which is a nice graphical interface for managing SE Linux. And then probably the most curious thing is you run as the root user, but you're still lacking certain privileges. And this was something that really caused me some headaches for a while. I knew that I was the root user. But when I started trying to dig through the file system, I was still getting permission denied errors. I was still getting these messages popping up asking for a password. What I learned was it's actually using the Bell Lepageval model for enforcing access control. If you're not familiar with this, essentially the concept is you have various classification for different files and directories on your system so you can have secret, top secret. And that's similar styles enforcing who has access to things. And essentially this is applied here. So even though I was the root user, I still didn't have enough permissions to access certain things on the operating system. So this is where we need to find a way that we can essentially escalate our privileges from here. How do we elevate this? I wasn't too familiar with Bell Lepageval. But what I found here was I started Googling, this is actually Red Star in Russian. Sometimes if you Google another languages, you get some cool things that you can find. So this was from a Russian forum. I found people were sharing pictures and DVDs that they were buying on vacation in North Korea and putting them online. I actually found all of the OS manuals for Red Star on there. Now everything is in Korean. I do not speak Korean. Google translate is very great though. But what I found was the actual steps for how to modify my permissions for my root user. Everything was nicely documented in there. It's about three manuals long actually. And it does have some guides in there similar to the CIS benchmarks if you want to harden your Red Star server. Still working my way through these to see what else I can find in here. But at this point I did have full access to everything. So I started digging through a lot of the files on here. Starts to talk about the differences between DevRandom and DevUrandom for generating random numbers on the system. They wrote their own method for blocking users. So instead of using something like fail2ban, there's actually some code in there that will actually just block you if you fail the password a certain amount of times. And really all of this code as I started digging through it, I was able to start getting some of these applications running as well. This is from the program called BEAM. Once I was able to get this set up now, essentially it's just a graphical interface for managing your Red Star deployment. So this is where you can start to configure all of your services. You can create and modify your users on here. It's actually a really nice kind of setup interface to use. It's pretty easy to configure your server from here. And it really made it nice and easy to get things going once I had access to this. But the other thing I found, I did find a vulnerability in here where you can actually steal session information from other users. So this was just my site where I was trying to post my request to, webhook.site. And my session ID from another user that I created there that I was able to post off to the site. And I do have a website where I keep track of a lot of this, try to update it a number of times a year. I get one comment maybe every five years on here. I posted that screenshot and I got a comment about 30 minutes later that they were interested in the issue. They wanted more details. They even sent me an email with one of the most suspicious email addresses I've ever seen. And I still haven't actually replied to this one. But I thought it was a little curious to see this come in when I posted that image. So that's a little bit of a sidetrack about what the Red Star operating system is. But now what we want to do is we want to start to see how many domains we can find that are in use by North Korea. So now that we know there's however many servers online at any given time, again roughly 20 to 30, depending on what's accessible at the time. But now we want to start to enumerate some of these North Korean domains. Maybe we can find something outside of that IP space. And really we just want to see what we can find. Now a couple of years ago we learned that there were just 28 websites registered to North Korea. Their top level domain is .kp. There was a misconfiguration on one of their DNS servers that allowed global zone transfers. And so this is where someone found this and published the entire list of all the North Korean websites. So since that day, I've tried to keep a list up to date. We now know that there are 32 websites that are publicly accessible. There's 34 different domains. Two of them are essentially duplicates. But again we want to start to enumerate all of these domains because we want to see what else can we learn? What else can we find about this infrastructure? Can we find anything outside of this IP space? And this is another great way where we can use some of these various sources of open source intelligence. This screenshot here is from Air Corio, which is the national airline of North Korea. And if you look on there, the flight status on any given day, everything is always on time or ahead of schedule. But if you look at something like a flight radar, for example, a lot of times it's a little bit different. Some of these flights aren't exactly always on time or even running that day. But what do we do if we don't have something, a nice article where we know all of the domains? Well, there's a couple of sources of data we can turn to. We can take the who is data and start to search off of that. We can do reverse DNS lookups based off of IP addresses. Again, if I look at something like apple.com where I can use domains at apple.com, using that to look up my who is data and doing some reverse DNS lookups, we can find all sorts of interesting domains that are owned by Apple. My favorite in there is animoji.datf. A lot of these last I checked didn't really seem to be in use. But again, it gives us a good way now where we can start to maybe find some different sites, maybe some dev instances that maybe shouldn't be accessible anymore or things that have been long forgotten. So we can really use this data to start to further map out our target we're looking at. We can also look at things like passive DNS data. There's a number of services out there that provide this for free for limited searching. And again, this is where now we can start to search different IP addresses and just see what kind of domains that are known to resolve to them as well based off of all these DNS requests that are being made by users around the globe. And then we can also start to look at things like the certificates for our websites. Census is a great tool that we can use. You can take the fingerprint of a certificate and you can search it there to see if it was reused anywhere. You can also just actually read the certificates in the case of North Korea. We can see down the bottom here they actually list out where the certificate is being used under the alt names. So I found some of the domains listed in there. I haven't found anything new this way in a long time. But it still is a nice way to make sure that we are aware of what's there and maybe what's not being used anymore. And then one of my favorite things that was published, this was published about maybe two and a half, three years ago. This is the website dprkportal.kp. I'm always convinced that this was published in response to just trying to stay on top of all the active domains. This was published by North Korea where they actually publish a list of all of their websites. And any time there is something new published, the last new site published with the top level North Korean domain was in December 2020. So this was the first time I've ever actually seen it updated with a new site. So it seems like they are keeping it up to date here. For the most part, for anything that they want to be publicly accessible and known about. So we have a list of these domains now. We know what's actually active inside of this IP space. We know what kind of operating systems are running on these various devices. The last thing we want to understand is what's actually running on these devices. So in our case, again, there's a number of different ways that we can gather this data. This is one of the Internet-wide scanning sites. This is one that actually scans from China. But we can see there, the banner from their DNS servers reporting that it is running on Red Hat. We can find some other fun things on there as well. I've seen things like VMware pop-up from time to time. I've seen media streaming servers pop-up on there. There is a Cisco device that always seems to be present in the North Korean IP space. And again, if there is something that maybe just doesn't make sense to us or maybe it's something we think this is maybe wrong, we want to try to validate this data as much as possible. So yes, they can reference this through a couple of different sites. People who are scanning the Internet can verify that everyone is reporting this as a Cisco iOS device. So I feel pretty confident that this is correct. We can mark this off as something that maybe isn't as suspicious as we thought it was originally. So to recap a little bit of what we found, what's actually running on all of these hosts, we're not going to go through everything. But there's a couple of different web servers out there. Your standard DNS, NTP, SMTP servers, VMware server, there's an FTP server. And then a mix of Red Hat and Red Star devices. A couple of Windows servers. We have our one Cisco device. And then I left it at the very bottom on the left-hand side. There's 20 services running on port 8080. They actually have no idea what this is. Within the last couple of weeks, most of these actually seem to have gone away. They were always open for a couple of years, but for whatever reason, they're not in use anymore. I will talk about those in a minute about trying to see if we can find some more information. But really, why do we want to identify this information? Again, just looking at some of this banner information, maybe it's not the most reliable information. But it still gives us really good starting point for understanding what's on these targets and what's inside this environment. So like I mentioned, most of what we're going to do is all passive gathering. A couple of things. We do want to gather semi-passive. This is where we're going to use some different websites to actually go out and maybe gather a bit of information for us. This is something that someone sent me last year. One of these websites used for actually testing your mail server to find any misconfigurations. They ran this against a North Korean mail server, and they found out that it was actually operating as an open SMTP relay. Apparently, you could only send emails to any of the other top-level.kp domains, but this was something that was publicly accessible for a while. Another website we can use, Proxy Checker. It seemed like a good way to see maybe 48080 on some of these systems was functioning as a proxy in some way. In this case, it didn't seem like that was the case. I still don't have any idea of what it is. Looking through the manuals, they do talk about Tom Catalog and using 48080 for management. So my new guess is it's something to do with that. Unfortunately, those services don't seem to be online anymore. So it's kind of hard to tell exactly what they were. And then we can start to turn some other unusual tools as well. We can use things like SEO tools to go out and gather information about our site. This will tell us what the site was built with. It'll follow links, tell us what's broken, what's valid. One of the things that it found that I thought was pretty interesting on one of the North Korean websites, we can see it here down in the developer view. There was a broken link that was pointing to a 172.200 address. A couple of slides will talk about why that's kind of exciting to see. But there's a lot of different tools we can use. We don't have to think about our traditional security tools. We can get a little creative and use some other things to find out some of this information that we might be looking for. So we spent some time talking about what's running on this North Korean public IP space. I kind of wanted to flip this around though as I was working on this, and I wanted to know can we find any activity of North Korea online anywhere? And if you're not familiar with the internet in North Korea, it started in 2001. It was really just an email relay between North Korea and China. But inside of North Korea there are essentially two different networks. There's the intranet, which is what most people have access to. And then there's the official kind of internet for high-ranking party members. College students do have access to it inside of North Korea. And this is access to the full internet. This picture here on the right is taken from an internet cafe in North Korea where we can see screenshots of some of the internal only North Korean websites. Looking through Flickr for tour groups to North Korea is a hobby of mine. This is actually where I found this on a Flickr page where someone had taken this picture. I cropped it a little bit to make it a little bit easier to see. But there's, again, a lot of different places we can turn to to find some of this information that maybe we don't always have access to. Now, some of the domains, they do actually come up from time to time if you are researching North Korea domains. A couple of them here are on the left-hand side. None of them are publicly accessible. But I've talked to a few people where they seem to think that they are used internally for email. One of them is the portal used inside the hotel for accessing the internet. And then the other third one seems to be a social network of some kind inside of North Korea as well. And really, one of the other things that kind of prompted this idea of can we find North Korea online or any kind of activity? This is a map steam published a number of years ago showing where all of their users were connecting from. If you look really closely there in the circle, you'll see one dot inside of North Korea. So I was really curious to see can we find any North Korean activity online. So one of the first things they did was just using some of these different Google Dorks to search for different things. This one's actually pretty simple. We're just searching for any of the log files that Google might have indexed. Just searching for different IP addresses. So this was on a Russian oil website. I found some North Korean IP addresses that were browsing this site. I'm sure everyone knows about public paste. Paste in any of these sites where we can search information. This was, it looked like it's from a Minecraft server, but there was a user that was connecting from an IP address inside of North Korea. You can also search Wikipedia, especially since I've talked about it a lot. If you don't have an account, it'll record your IP address. So we can see where there were some changes made to different books. Some of them were for content management system. There's actually a lot of changes coming out of North Korea. They seem to have stopped about four years ago, maybe five years ago at this point. But we can see some activity there from North Korean IP addresses making some changes to these different Wikipedia articles. And again, we want to get creative with our searching. This is a website called IKnowwhatyoudownload.com where they're essentially just monitoring all of these torrent trackers and all of the IP addresses that are connecting. They have a nice interface that you can use to kind of search this data. So these were some of the top movies in North Korea. Modern family is actually really popular there. But one of the things they did was they wrote a script to just query IKnowwhatyoudownload to find any North Korean IP addresses that were active in torrenting. And then I went in and started searching based off of these. Again, what's interesting is we see a lot of it coming out of the 177 and 178 networks. But what I thought was even more interesting was looking into not just the movies and TV shows being downloaded, but things like device drivers. We can see different graphics cards in there, devices for cameras, and different types of laptops. So it's a good way where we can maybe get an idea of some of the other devices inside the country that maybe we don't have first-hand access to see from different pictures or things like that being published. And then since I had a list of all of the North Korean domains, I got the idea of what happens if, since most of them are .com.kp or .org.kp, what happens if I bought just the .com version. So I found two North Korean domains that were available. I bought those. I found one that was in the OS manual that was listed in there that was available. And then one of them kept popping up in different thread intel feeds from a couple of years ago, and it actually just became available. So I bought that as well. I don't want to say what I bought, but just threw some Google Analytics on it just to see if I would get anyone connecting to it. And I did get some traffic over the last year, year and a half. No traffic from North Korea. And these domains aren't something that you can accidentally just type in. I'm assuming you would have to really go here on purpose. So it was interesting to see some of the connections that were coming in to these domains that I bought. And then lastly, as we are trying to understand, can we find North Korea online? This was an article I saw last year about LinkedIn becoming a social media of choice for North Korea's elite. I haven't gotten any friend requests on there as far as I know. But we can find a lot of things on social media that maybe we shouldn't be posting. I've found things like People's Badge and their schedule and information that they post. Hashtag New Job is a great way to find information about different companies. Hashtag Visitor Badge is another fun one. I guess people are really excited about that. They post their visitor badges from different companies when they go to visit. So what can we find about North Korea? Well, there was a brewery inside of North Korea. Apparently they're working on mini kegs. This was a manual inside of the North Korean hotel that I always just giggled when I read the title. I found things like visas, long-term stay cards for people going to visit on tours. And then one of my favorite ones, the Palace of the Sun, if you go on a tour of North Korea, this is somewhere that they'll take you and they stress that you're not allowed to take pictures or that you have to take your shoes off. You go through the machines that kind of blow all the dust particles off of you. But it's actually geotagged on Instagram. Someone's taken some sneaky pictures in there. So again, even in a country like North Korea where cameras aren't allowed in certain places, we can still find some information and get an idea of what's there. But we can also look at things like what's running on their computers. If you look in the background, you see that Windows XP is still very popular inside of North Korea. And again, we want to verify our information as much as possible. This comes from the official North Korean media website. And other pictures look just a little too perfect in the background. So we can use a website like Photoforensics, which we'll try to highlight. Anything that's essentially any kind of errors in the picture. So it seems like a lot of times pictures are just posted onto that generic background to make it look a little more bright and blue skies and sunshine for a lot of these outdoor pictures. And we can also start to turn to some different places as well. Strava is a fitness tracker similar to Fitbit. They actually publish all of their data online. So if you want to find new places to run or hike is the idea. When I found out about this, I immediately started browsing through North Korea. We can actually see some of the actual lines on here where assuming people are going on tours in the country. And if you really zoom in, you can start to see individual buildings that they're going into. The next thing I want to do is start to overlay this with something like Google Maps to see if we can get an idea but one of the things I also noticed was in the north there's two very faint lines in these mountains and I was really curious to know what these were. So I switched over to Google using these coordinates. Looks like it's some kind of ski lodge here but the interesting thing is it's not the one that's shown in most of the official North Korean media which is this. Looks like it's a different one. So you haven't found too much information about that but again, just differently it's where we can find some of these new things that we can investigate further. And then as we start to wrap this up, Silly Vaccine is another one that's interesting. This is a North Korean anti-virus program. Checkpoint did a great paper on this. But one of the things that I found was we looked back to GitHub, the Shadow Brokers League, the CIA tools, a lot of people married these tools to GitHub and the source for them but as they started searching some of the Silly Vaccine strings I found that they are actually in use in the Shadow Brokers League as well. So some of these tools are actually scanning the endpoint to see what kind of protections running on there. So it appears that whoever is building these tools is aware of Silly Vaccine inside of North Korea and actually checking for that to see if it's present before executing the next step of their programs. I've also found some other fun things. This is on the North Korean website looking at the source. We can start to find just different fonts being used. When I googled those I found out they are North Korean fonts developed inside the country. But I've also found different sandboxes where those fonts are available and I really just always love this comment, no idea what it is. I found it on my laptop. I haven't looked into it more personally of no idea if it is anything related to North Korea or if they are just using that font. But again, different ways where we can start to maybe find some new things to investigate. And as we are looking at this different pieces of software a lot of times sandboxes, different things like that a lot of people aren't aware that this information is publicly searchable. So this is how I found a lot of North Korean software online so I'm just searching the name then I have a hash and more information about it gives me all sorts of new rabbit holes to go down to try to find a lot of this software. But just starting with some basic information we can really start to get a lot more information about what this software is. So I want to start to wrap this up here a little bit. A lot of people ask what I use for tools. Ocentframework.com is a nice tree that we can use to really search all this data. I have a website nknternet.wordpress.com I try to keep it sort of up to date as I find new things. And one last thing I want to end on here this is a website that I found a couple of years ago. I found it early in the Sunday morning I was looking at this it seems pretty interesting signature of this detection system in the top command and control server and as I was looking at this I got a phone call the number was 000 I picked up said hello and nobody was there. Granted it was six in the morning at the time when I was looking at this. So I put my phone down phone rings again a few minutes later same number no one's on the end of the line I start thinking that I need to pack up my house I need to wake up my wife we need to move outside the country as I'm pacing the room a little bit trying to figure out if these phone calls and if this website is related I get a third phone call from the same number 000 I pick up they say hello hello someone says Mr. Roy Yes I said Mr. Roy this is Steve from Enterprise sorry our phone system isn't working they've been trying to call you and tell you that your ransom car is ready Thanks Steve for the heart attack Again always interesting things that you can find it did actually reach out because there was a certificate to see if they had any information they told me that they're not a software company could be a whole conspiracy theory still not too sure on that but again always keeps me up at night wondering what this was it's not online anymore but thank you everyone for listening had a great time presenting certainly any questions feel free to reach out or always happy to talk more about this and share any other kind of data or information that I have so thank you very much