Any other questions before we move on? Sounds good. When I write it up to the plugin authors I include a proof of concept, which takes me a little bit more time to write. But effectively, on many of these things, what we've seen is you've got to dig into the code. I'm going to figure out how to get to that section of code, to that line of code. So typically you would target it via an API, like I kind of pointed out earlier: it looks like they have this API call, and then you basically hit that API with the request and it puts you right in the piece of code you want, and then it looks at the request data which was sent in, and the request data is whatever object I want. A proof of concept can be as simple as looking at a URL, if it's a GET request. Most of the time it's cookie data or POST data, so in those cases I use curl or wget, if you're familiar with those programs. Those are super weak hacker tools, right? I'm sorry, I'm not going to be like, here's this whole Burp Suite thing; I'm not doing the whole Burp Intruder bit. Like you said, it'd be scanning software and all that stuff. That's not this audience, is it?

Yes? Oh, Trustwave. It's a good question: would a pen test identify and find this? The answer is roughly no. It's not something that's so easily exploitable over the web. I wrote software at Trustwave, that was vulnerability assessment software; I wrote vulnerabilities for Forward pressing as well, I have credits in that and in Metasploit, if you've heard of those tools, and my name is in the source code because I wrote the exploits. But the problem is that with an object injection I wouldn't be able to get the response back from the browser to see that the object was created, so I wouldn't really know, and it's hard for me to know that it's really a thing. That's black box testing, which is testing from the outside without looking at source code.

It's not very effective at finding it. You have to pay more for white box testing, or code auditing, which is what we're doing right now, and you don't have to pay for it because I just showed you how to do it: correcting the lines of code and hoping for the best. All right. Yes? You want me to look for you? I can put it up on the big screen. Yeah, I'll double check for you, say he's not there, and we'll give your plugin a plug. How do you spell it? Oh, speed car. Is there a dash? Oh, it's not in the fucking repo, is it? Well, it's not on mine. Sorry, I can't do that. Well, I can download it; I'll download it in the next example, but that was just for unserialize.

There are many other vulnerabilities in the world. Cross-site scripting: this is every security person's first vulnerability. I think everybody here has heard of this, right? Yeah, this is probably the stuff you've heard of before, unlike unserialize. This is the super popular one. You guys don't know how it works? Right. What I want to say, what you all stated with me now, is: I don't trust user input. The data comes in from a browser, you just output it onto your HTML response, and suddenly it's whatever the browser said it was going to be, and there are many other different ways for that to interfere. The lucky thing is WordPress does a really good job at preventing these naturally, and there's a lot of fixes for it. So again, there's my mantra: I never trust user input. You sanitize on input and you escape on output.

What that means is, when you're accepting data back from the browser, before you store it in the database, before you output it again, or before you make use of it in any way, make sure it was the data you expected it to be. Objects are a very similar problem, right, with the object and serialize injections: you expected an object, you expected a certain type of object. Now in PHP 7 and higher you can validate that that's the object class that you want it to be, but again, that breaks backwards compatibility. Same with cross-site scripting: if you expected somebody's name... it gets complicated and there's a big rabbit hole you can get lost in, but you expect somebody's name. Their name isn't going to be Bobby... no, that's a SQL joke, sorry. It's not going to be "<script type="text/javascript">", right? Nobody's named JavaScript. That's really the problem, and then of course you have to escape on output. Why? It's really because it's better to be safe, sorry. And WordPress has a fantastic suite of functions that help you escape on output. This is all the sanitize... oh, this is starting: sanitizing and escaping. sanitize_email. So this is for output.

It will validate that... I think it's for output. The return is a string which looks like a filtered email address, because an email address has an RFC, which is an official way that an email address always looks. You just send it to sanitize_email and that validates that the email actually looks like an email address: not HTML, not JavaScript, none of that. And then, if we have to, we can output it. Fantastic. And there's a whole bunch of these; you can do it based on your MIME type: make sure it looks like a file, make sure it looks like text or a user. So this is a fantastic series of functions that really help out on sanitization, and on escaping as well. So you can escape HTML or JavaScript, which would be something that maybe you wanted to be output but you wanted it to look nice, as opposed to actually running JavaScript in the browser. Same deal, it's a big suite of them. And this is what the example shows you: esc_html on output gives that nice, human-readable format, but you all know what this is, right? These escaped characters, ampersand-l-t (&lt;) right there is a less-than, so the browser can output it correctly and nicely.

UK Cookie Consent. Let's talk about privacy. Everybody knows this cookie consent law came up, and unfortunately this was a great plugin that added the features that were needed, but it also added a feature that's not wanted: a vulnerability, a cross-site scripting attack. So here we go, let's do some sessions. What do you guys see here? Where's the vulnerability? Yep, right there. I don't actually know what the answer is on these either, but that looks right. It's actually the page ID. There you go, you were right, and all they need to do is escape.

Yeah, that's it. And this gave you HTML right here: the post title print. That was probably the big one, actually, the post title on the same line. And ID is probably an ID, a number, but hopefully it was sanitized on input, or validated on input as being only a number, not an ID of <script>alert(1)</script>. Yes, sure, I don't know what it is; they just exist on my laptop right now. Yeah, like I explained, all I did was I looked at... by the way, this is from the WordPress vulnerability database, WPVulnDB. Good people, nice guy. And he's great to just email; if you have more vulnerabilities, give them to him and you get your name up on their website. That's all you get; you don't get paid money, you just get fame and glory. And this is where you can go to the site, find the vulnerabilities yourself, and then from that site you can look in to see where the disclosure was, which is what this is, and you'll be able to see what it is and how it works.

But here's one. Actually, I don't even know where this vulnerability is. I think I see what it is though. Yeah, the problem here is... this is an odd one, because they're trying to get environment variables. The trick here is at the server. They're probably somewhere else in code (it's a bad example, I apologize) calling it and then outputting that to the browser. But in this case they're using $_SERVER['REMOTE_ADDR']. I probably used this example because I wanted to point out that server variables are also not to be trusted, because that can come from a proxy, and it can also sometimes come from request headers, which are just the extra HTTP data that's being sent along. And here you go.

This is what they did as their fix. Oh, they had the filter; the problem was they had to have a whole section where they filter the variable to make sure it's a valid IP address, and this is filtering. This is because, again, REMOTE_ADDR probably could have been a hostname, which doesn't look like an IP address and might look a little bit like, you know, HTML. So you want to make sure it looks like an IP address, and this is good sanitization on input. All right, let's see this one: bbPress Attachments. This one's... well, it's probably a better example. Who's found it? I think I see it. It's not so obvious. Probably the filename? Yeah, that's what I think it is too. Yeah, so let's see. It's right there: escape the HTML output for the error, the filename, that value, this array right here. I apologize that these aren't complete vulnerabilities, because that's confusing; I'm even confused, like I don't really know what that's getting called with. That was another bad initial example, but the solution here is esc_html. That's the solution, because he expected HTML and we need to escape it when you output it back. So again, you're looking for things. We're doing a quick workshop; I think we're going a little bit slow, so I'll be a little quicker in the workshop. We're looking for prints and echos, and the input includes things like a POST or GET value. And I'll just try to do a live one. Actually, I'm going to download your plugin and see what's going on. Sorry, I'm not online. What was it... fucking Speedy, speedy-dash-guard? Okay. Well, I don't have internet, so... almost. No, it's okay. My phone needs to be very slow. I'm not going to be able to download it, it looks like, but I'm just going to look through random ones. I don't think I'm going to be able to get it up. And my password, I don't know, my wife's password... let's see if this finds anything. Oh, that's not good.
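The "sanitize on input, escape on output" pattern from the talk, applied to the three cases above (a page-ID link, an email address, and REMOTE_ADDR). This is an added example, not code from the UK Cookie Consent or bbPress Attachments plugins; it assumes it runs inside WordPress so that absint(), esc_attr(), esc_html(), sanitize_email(), is_email(), wp_unslash() and update_option() exist. The cc_ function names are made up for the example.

```php
<?php
// Added example (not code from the plugins discussed in the talk).
// Assumes WordPress is loaded; the cc_* names are hypothetical.

// --- Vulnerable pattern: request data echoed straight into HTML. ---
function cc_render_link_vulnerable() {
    $page_id = $_GET['page_id'];                       // attacker-controlled
    $post    = get_post( $page_id );
    $title   = $post ? $post->post_title : '';
    echo '<a href="?page_id=' . $page_id . '">' . $title . '</a>';
}

// --- Fixed pattern: validate on input, escape on output. ---
function cc_render_link_fixed() {
    // Sanitize on input: a page ID can only be a non-negative integer.
    $page_id = isset( $_GET['page_id'] ) ? absint( $_GET['page_id'] ) : 0;
    if ( 0 === $page_id ) {
        return; // nothing sensible to render; stop rather than echo garbage
    }
    $post  = get_post( $page_id );
    $title = $post ? $post->post_title : '';
    // Escape on output with the escaper that matches the context:
    // esc_attr() inside an attribute, esc_html() between tags.
    echo '<a href="?page_id=' . esc_attr( (string) $page_id ) . '">'
        . esc_html( $title ) . '</a>';
}

// --- Email: sanitize on input, reject what does not look like an address. ---
function cc_store_contact_email() {
    $raw   = isset( $_POST['contact_email'] ) ? wp_unslash( $_POST['contact_email'] ) : '';
    $email = sanitize_email( $raw );        // strips characters an address cannot contain
    if ( ! is_email( $email ) ) {
        return false;                       // not RFC-shaped, do not store it
    }
    update_option( 'cc_contact_email', $email );
    return true;
}

// --- Server variables are input too: REMOTE_ADDR must look like an IP. ---
function cc_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // filter_var() is plain PHP; it returns false for hostnames or HTML-looking junk.
    $ip = filter_var( $ip, FILTER_VALIDATE_IP );
    return ( false === $ip ) ? '0.0.0.0' : $ip;
}

// Validated on input, and still escaped when it is rendered.
function cc_render_client_ip() {
    echo '<p>Your address: ' . esc_html( cc_client_ip() ) . '</p>';
}
```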
A lot of people output... it looks like they just echo directly. What's funny about this... I'll click this story and then I'll move on to the next one. So a lot of people obviously use echo and then use a value that really looks like a POST or GET. You do the dollar sign, it's going to be a special character, so I might just be breaking my shell. You think that's just going to work out? There we go. Oh yeah, there we go, much better. Yeah, that's not good, right there. Right, who sees the problem with that? That's probably going to be a problem.

Now there's a story with this. What time is it? I've got like half an hour left? Yeah. The story: who here has heard of DEF CON, the information security conference that happens once a year? Me being interested in security and WordPress, I see this talk that they're going to give, and the talk was Hacking All The WordPress Plugins. So I'm like, all right, what do you got? The guy was looking for cross-site scripting specifically, and he saw what is scrolling across the screen right now: a lot of apparent cross-site scripting. Luckily, WordPress core does some basic sanitization on inputs. So actually most of this cross-site scripting, which in any other code base would be a huge problem, because this would be cross-site scripting everywhere: WordPress core does proper sanitization automatically for you, and it actually will escape things correctly, just a little bit. But it's just enough that this guy, who basically said he found hundreds of thousands of vulnerabilities and was super happy, found zero in the end.

Any other questions about cross-site scripting? It's the idea that, again, never trust user input. The browser will output that, and if it's HTML it looks bad, and we can start executing JavaScript, we can start inputting whatever data we want on it.
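The grep for echo and $_GET shown above, turned into a small token-based scan over a plugin directory. This is an added example, not the speaker's script: it flags output statements whose argument contains a superglobal with no esc_* or sanitize_* call in the same statement, and the plugin source it scans when run without arguments is a constructed sample. Pure PHP, no WordPress needed.

```php
<?php
// Added example: a static scan in the spirit of the live grep in the talk.
// Run: php scan.php /path/to/plugin   (or with no argument to scan the sample)

const SUPERGLOBALS = '/\$_(GET|POST|REQUEST|COOKIE|SERVER)\b/';
const SAFE_CALLS   = '/\b(esc_(html|attr|url|js|textarea)|sanitize_\w+|absint|intval|wp_kses\w*)\s*\(/';

/**
 * Scan one PHP source string. Returns a list of findings:
 * ['line' => int, 'code' => string].
 */
function scan_source( string $php ): array {
    $findings = [];
    $tokens   = token_get_all( $php );
    $n        = count( $tokens );
    for ( $i = 0; $i < $n; $i++ ) {
        $tok = $tokens[ $i ];
        if ( ! is_array( $tok ) ) {
            continue;
        }
        // Output sinks: echo, print, printf(), and the <?= short echo tag.
        $is_sink = in_array( $tok[0], [ T_ECHO, T_PRINT, T_OPEN_TAG_WITH_ECHO ], true )
            || ( T_STRING === $tok[0] && 'printf' === strtolower( $tok[1] ) );
        if ( ! $is_sink ) {
            continue;
        }
        // Collect the statement: everything up to the next ';' or closing tag.
        $stmt = '';
        for ( $j = $i + 1; $j < $n; $j++ ) {
            $t = $tokens[ $j ];
            if ( ';' === $t || ( is_array( $t ) && T_CLOSE_TAG === $t[0] ) ) {
                break;
            }
            $stmt .= is_array( $t ) ? $t[1] : $t;
        }
        // Flag when raw request data reaches the sink with no sanitizer/escaper.
        if ( preg_match( SUPERGLOBALS, $stmt ) && ! preg_match( SAFE_CALLS, $stmt ) ) {
            $findings[] = [ 'line' => $tok[2], 'code' => trim( $stmt ) ];
        }
        $i = $j;
    }
    return $findings;
}

/** Walk a directory and scan every .php file in it. */
function scan_dir( string $dir ): array {
    $out = [];
    $it  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir ) );
    foreach ( $it as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) ) {
            continue;
        }
        foreach ( scan_source( file_get_contents( $file->getPathname() ) ) as $f ) {
            $out[] = [ 'file' => $file->getPathname() ] + $f;
        }
    }
    return $out;
}

// Constructed sample plugin source, so the script runs stand-alone.
$sample = <<<'PHP'
<?php
echo '<h1>' . $_GET['title'] . '</h1>';               // flagged
echo '<h1>' . esc_html( $_GET['title'] ) . '</h1>';   // not flagged
print $_SERVER['REMOTE_ADDR'];                         // flagged
printf( '%d items', absint( $_POST['n'] ) );           // not flagged
$x = $_REQUEST['id'];                                  // not a sink, not flagged
?>
PHP;

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    $findings = scan_dir( $argv[1] );
} else {
    $findings = scan_source( $sample );
}
foreach ( $findings as $f ) {
    echo ( $f['file'] ?? 'sample' ) . ':' . $f['line'] . ': ' . $f['code'] . "\n";
}
```

A hit only means "look here": as the DEF CON story above shows, a flagged line is not a confirmed vulnerability until you have traced where the value is sanitized upstream.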
I found a vulnerability once in a Cisco product, like their web page, and it was very fun because I put up an animated GIF on their website. So my proof of concept was a little cat GIF: like, you're vulnerable, now your site will have cats on it. Well, it can be yours as long as it's your site. Don't test things on other people's sites like I do. I tested that on Cisco's actual website, but that was because that's the only code base. WordPress is open source; you can do it on it. Cross-site scripting is not very dangerous. It's probably not going to break a website. I can do some interesting things if it's stored in the database, because then any time you visit the page you'll keep popping up JavaScript. But yeah, do it on your own site, a VM, do it on a test server.

Unserialize is a bit more dangerous, and SQL injection is definitely more dangerous. Do not try it, don't test SQL injection. It can drop your database, the whole thing. That's the joke: it's Bobby Tables. Who here knows the Bobby Tables joke from xkcd? It's a good comic. The joke is the parents named their kid Bobby Drop Tables, and they put a little escaped SQL statement in, an SQL injection, so when they send him to school and they put their son's name in the database, it dropped the whole school. Yeah, because remember what I said: never trust user input.

So the correction for SQL injection is basically what I just explained, very similar to cross-site scripting, but instead of outputting into the browser, it's your SQL query that gets a little end added to it. So your query starts like SELECT * FROM table WHERE, then the conditional, and that's the data you have from the browser: user_id, right, user_id = blah, and that was the GET request, the ID value from GET, and you expected it to be a number. But it doesn't have to be a number, because it came from the browser. So you can change that statement to SELECT * FROM table WHERE user_id = 0 and also drop all the tables afterwards, or update all the tables, or change... you can just extend the SQL query to do something very malicious on top of what it tried to do.

WordPress, luckily again... this is the second most popular vulnerability out there in the world, and WordPress has great functionality to prevent this, and it's $wpdb->prepare, prepared statements, which are a way to basically validate that an ID looks like an ID. I'll go a little faster because this doesn't have the example. This is the term ID. It's funny, I guess that's how a prepared statement works, right: it changes from this to this. This is the problem: SELECT COUNT of all the blog... WHERE term_id is ID, and the ID is pulled from the browser. Oh, ID is set from $_REQUEST there. All right, I got you. That's the problem. So the browser sets this value here and they just set it there, and if it's going to be an attack, a malicious one, the value of ID... they only thought it would be a number, but really I can just keep adding to that whatever SQL query I want and then do something malicious. The fix is using $wpdb->prepare. A prepared statement works a lot like sprintf, if you guys are C coders or C++ coders, same thing: you set the type right here.

We're doing this little placeholder, saying that's a digit, I'm expecting this to be a digit, and then passing the argument of what you want to put in the place of that placeholder. But yeah, basically it says: here's an ID, and if it's not a digit it makes it a digit, or makes it safe at least, and the SQL query won't work, but at least it won't start executing extra commands directed at the database server in place of that number. You can also use escape; in this case they tried to use escape SQL, and unfortunately that's not what you want to do. It escapes it, but it doesn't validate what it is. So the fix here on this piece of code was to do an intval, which literally just forces it, much like what that prepared statement does: it forces whatever it is to be an integer. It doesn't allow it to be a string or any other unexpected data. So who here sees the problem? Yep, it's probably exactly where it is, and they also could use a prepared statement.

So, oh, this is my word of warning. This is what happens to your plugins when you don't patch your code. Well, it's great that the plugin security team, or the plugin team, will do this, but it also means that many plugins have been abandoned or lost to time and atrophy. Maybe you've moved on. If the plugin team gets a report of a vulnerability and you're not responsive or reporting back on it, they just shut it down, so the plugin is now gone. Yes? Yeah, you can put... yes, the adopt-me tag. If you have an old plugin and you're not updating it anymore, put it up for adoption so somebody else can take control. The plugin team will help you out if you just want to take over the plugin. I'm going to talk about that. And I don't work with the plugin team, so I'm just on my own.
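The term-count query discussed above, written three ways: concatenated from $_REQUEST, escaped with esc_sql() only (which the talk says is not enough), and as a $wpdb->prepare() statement with a typed placeholder. This is an added example and not the plugin's own code; it assumes WordPress is loaded so $wpdb, esc_sql(), absint() and sanitize_title() exist, and the tc_ function names are made up.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded;
// the tc_* names are hypothetical.

// Vulnerable: the ID is concatenated straight from $_REQUEST into the SQL.
// Anything after the number (another condition, a UNION, a comment) rides along.
function tc_count_vulnerable() {
    global $wpdb;
    $id = $_REQUEST['id'];
    return $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->term_relationships} WHERE term_taxonomy_id = $id"
    );
}

// Still wrong: esc_sql() only escapes quotes. The value above is never quoted,
// so a value like "1 OR 1=1" passes through untouched and still changes the query.
function tc_count_escaped_only() {
    global $wpdb;
    $id = esc_sql( $_REQUEST['id'] );
    return $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->term_relationships} WHERE term_taxonomy_id = $id"
    );
}

// Fixed: validate on input (absint) and use a prepared statement.
// %d forces an integer; the raw request value never touches the query text.
function tc_count_prepared() {
    global $wpdb;
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        return 0;   // not a usable ID; stop here instead of querying
    }
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->term_relationships} WHERE term_taxonomy_id = %d",
        $id
    );
    return (int) $wpdb->get_var( $sql );
}

// Same idea for a string column: %s makes prepare() quote and escape it.
function tc_find_term_by_slug( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT term_id FROM {$wpdb->terms} WHERE slug = %s LIMIT 1",
        sanitize_title( $slug )
    );
    return $wpdb->get_var( $sql );
}
```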
I get along better on my own. I know what you're... I know. So basically the concern is, what if the plugins I'm working on... everything like that. Really the answer, I think what their answer is going to be from the plugin team, and I'm not speaking for them, is basically: why don't you write your own plugin that does that? You should be able to; all of the plugins should be open-sourced, so you can branch off of it and say, well, I'm doing this because the other guy was not. And if the plugin team doesn't want duplicate plugins, I think they don't, that's not a nice thing to do, but you can ask. You can also talk to them and say, this person's not communicating, this plugin author, and I want to fix this thing in it, and you can probably work with the plugin team to get access to that plugin. I'm going to get into why that's kind of a problem, but I'm short on time.

So, securing the endpoints. By endpoint I mean the REST API and the Ajax API. You need to always remember to call current_user_can. That validates the permissions, or I think WordPress has a different word for it, capabilities; the talk for that is happening right now. It basically validates that the user who's logged in can actually do the action that's happening. So let's say you made a REST API endpoint... I'm making up examples. Yeah, all you do is make sure you call current_user_can. You can also use nonces, and there's a great resource for that, which is the plugin security team's... my tab got suspended and I don't have internet now. Anyway, this plugin handbook, and I believe in the last slide I have the URL for it. This is super valuable for plugin authors. You can look to see how it works, and they talk about exactly how you can secure input, secure output, do data validation.

I could have basically just read those slides and it would be very good for everybody, but I wanted to show people actual vulnerabilities. But anyway, the REST API endpoint: let's say you have a callback function here. The first thing you need to do, always, is say current_user_can: can this user do this, can this user edit other posts? For Ajax you have nopriv and priv actions, where priv validates the person is logged in, but it only validates that they're logged in, not that they have a permission. So you still need to validate by saying current_user_can, and that's one function call, and then it will secure your endpoint. Because imagine you had an endpoint that you wanted to be able to update blog posts real quick. Sorry, you put up a REST API endpoint that you can ping and then it can update the blog post with, I don't know, maybe a timestamp or some trivial thing you thought was trivial. But the problem could come in where now, if you forgot to run current_user_can, your endpoint lets anybody do that thing. This is also how the POCs start. This is the section where I can actually get into writing POCs, because that's how I can get into pieces of code, a certain section of code, to have it execute the unserialize or the HTML outputs.

And don't secure your endpoints the TimThumb way. Who remembers TimThumb? TimThumb was a theme, actually a library for themes, where they conveniently created their own section, a little bit of code, because they needed a way to independently handle file uploads. They didn't use the WordPress version; they wrote their own and they added this PHP file to handle all their uploads. They created an endpoint for a purpose, but there's no security in it at all. What this resulted in was a vulnerability where anybody in the world could upload files to any WordPress site that had TimThumb on it. So who sees the problem with that?

And this was horrible because, on top of it, it was a portion of a theme, it was a premium theme, so there's no way for them to push updates. On top of that, people who had paid for the themes had this insecure library, TimThumb, and they were able to just upload whatever they wanted to people's sites everywhere. It was a very bad day. That was when I was at DreamHost.

Here's an example here: current_user_can. That literally is all you need to do. Same thing: if not current_user_can('edit_posts'), return false, which makes sense: if they can't edit the post, just exit the code. And it's the most important thing to remember: exit your code when you encounter the negative thing. This was a fix as well for an endpoint. They forgot to return false; it would have been here, die, which kills the PHP process entirely. But the problem here was, obviously they did all this checking, but if you could not verify your nonce... they were using nonces for validation here, but if they couldn't verify the nonce, it just echoed the error but never stopped the code that you're running. So that doesn't work right, because then I can just keep running whatever code. When you print an error, make sure you exit the code: return, or die, or end it. I don't really have a lot of time for a securing-endpoints workshop here, but hopefully you get the idea. It's really basic ideas. It's a harder one to do because I can't say what to look for; you have to be familiar with your plugin and understand what endpoints, what API and Ajax calls you created, and then make sure you're doing it clean.

So if there's an error, make sure you escape or end or close the code, and that there's validation for the user, that the user can actually take that action if it's a privileged action. And you guys, I mean, we can continue to ask some questions. I've got some more stuff. Okay, I'm talking about plugin pieces. This is the time... you guys want to keep looking at it? I think I've got 15 minutes left though, is that right? 15 minutes or so? Yeah, all right. I mean, do you guys want to keep looking at the code base? I'm going to talk about plugin author ownership, because that's an important one.

Also, when you include third-party libraries in your code, you are responsible for the third-party libraries too. A lot of people will forget this. It's kind of what happened with TimThumb. TimThumb wasn't the theme name; it was a library they included in a bunch of themes, a bunch of random things, and the library never got updated and just aged and got arcane. And then there's a vulnerability in the library and nobody ever updated it. The vulnerability was the unauthenticated upload, and there was no maintenance on a section of code, which you think, if you include the library, is not your responsibility, right? Somebody else takes care of that code. But you need to include the updates in your code too. And especially JavaScript libraries: don't think that JavaScript libraries are immune to vulnerabilities. There are tons.

Talking about plugin abuses real quick, for every plugin author here. Like I said, we're the trusted source of code for sites that are installing you. That's actually a really awesome thing people do: they write code for free, put it in the WordPress.org repo and give it to everybody else who uses WordPress, and it extends the usage of WordPress, right?
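The endpoint rules from the section above (current_user_can() on both REST and Ajax handlers, a nonce check on the Ajax one, and stopping on the negative path instead of echoing an error and carrying on), as an added example that is not code from any plugin in the talk. It assumes WordPress is loaded; the acme_ names, the 'acme/v1' route and the 'acme_touch' nonce action are made up for the example.

```php
<?php
// Added example (not code from the talk's plugins). Assumes WordPress is loaded;
// the acme_* names, route and nonce action are hypothetical.

// --- REST API: permission_callback is where current_user_can() belongs. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/touch/(?P<id>\d+)', [
        'methods'             => 'POST',
        'callback'            => 'acme_touch_post',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Capability is checked for this specific post, not just "is logged in".
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => [
            'id' => [ 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ],
        ],
    ] );
} );

function acme_touch_post( WP_REST_Request $request ) {
    $id = absint( $request['id'] );
    // The "trivial" update from the talk: stamp the post with a timestamp.
    if ( false === update_post_meta( $id, 'acme_touched', time() ) ) {
        return new WP_Error( 'acme_touch_failed', 'could not update post', [ 'status' => 500 ] );
    }
    return rest_ensure_response( [ 'updated' => $id ] );
}

// --- Ajax: wp_ajax_ only proves "logged in"; capability and nonce are on you. ---
add_action( 'wp_ajax_acme_touch', 'acme_ajax_touch' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous users have no business here.

function acme_ajax_touch() {
    // With the third argument true, check_ajax_referer() calls wp_die() itself on a
    // bad nonce, so execution cannot continue past a failed check.
    check_ajax_referer( 'acme_touch', 'nonce', true );

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( [ 'message' => 'not allowed' ], 403 ); // sends and exits
    }
    if ( false === update_post_meta( $id, 'acme_touched', time() ) ) {
        wp_send_json_error( [ 'message' => 'could not update post' ], 500 );
    }
    wp_send_json_success( [ 'updated' => $id ] );
}

// --- The pattern to avoid: error printed, code keeps running. ---
function acme_ajax_touch_broken() {
    if ( ! wp_verify_nonce( $_POST['nonce'] ?? '', 'acme_touch' ) ) {
        echo 'bad nonce';                  // nothing stops execution here...
    }
    update_post_meta( absint( $_POST['id'] ?? 0 ), 'acme_touched', time() ); // ...so this still runs
    wp_die();
}
```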
Wordpress core is not that awesome when you compare it to all the hundreds of thousands of plugins I don't know how many are in there, but it's a lot of plug-ins in there. It could be a full-featured system US plug-in authors have a huge responsibility to maintain your code be trusted and to accept the trust that the wordpress community has in you to give good code and It's just me saying it's really important what you're doing. It's good There's been a problem in the last year. This is a thing where somebody who wrote free code Submitted it to the plug-in repo might have a few thousand installs five thousand twenty thousand installs It's really nice, right? But maybe they moved on in their life Maybe there's something they wrote in college and they don't care about it anymore and they get this email out of the blue saying hey I'd love to take over your plug-in Here's like an offer of a thousand dollars us and that seems nice, right? Who would who would take up that offer? Somebody offered you money for some plug-in that you stopped developing like five years ago Free money, right? This has been a problem though. This is a scam They offer few hundred us maybe thousand plus us and they take over your plug-in and they push out an update and that update is a backdoor Yeah, everybody did who has a plug-in installed now gets an auto update which includes a backdoor to the easiest way Expensive the easiest way to have to infect a bunch of sites It's definitely been a thing So you as plug-in authors please request that when you get that weird random email for somebody to buy your plug-in Don't think it's just a free ride and it's not free lunch. It's a bit of a problem And so that's what coming back to the point of what do you do? How do you how do you deal with taking over a plug-in or how do you deal with that? The plug-ins team can help change off who the author is for a plug-in, but always Be mindful that they're also worried about this. 
They're super worried about this Because it's that's horrible thing and they have to protect against it and it's hard for them to protect against it So the things you want to do if you did Have have to transfer ownership of plug-ins don't definitely don't just take over the author's account That's really it's really bad. That's the worst That's what they do in this scam is they try to take over your whole count So it's the same plug-in author just updating it as by what the plug-in team can allow you to do It's a bit of work for them, and they're not paid to do this So don't don't like go there all the time But they can change authors and you can you can get somebody else to take over the thing The way in this case if you had an old plug-in like you mentioned the adopt you can adopt plug-ins So if you want to take over a plug-in if it has a little dot me tag That means it's open for somebody to take it open be good and the same thing in reverse if you're not using the plug-in You don't want to date anymore, and maybe you want to see somebody's interested in it You can add that tag to the plug-in page and people will know that they can take over work on it from there But again, it's a trusted Physician you are in because you are able to push out two sites all over the world now You're the code you write can be on any site in the world that runs WordPress so to begin be respectful that's trust handling security reports In it's a lot of trust you're the steward for your code You're the person who should be doing the verse the best thing possible You've done all the work as a plug-in author to write good code but some Getting a security work report can be kind of scary and some people take offense when I've written them about security vulnerabilities as tone Doesn't doesn't work over email and it really they assume the worst tone when I say hey I found this vulnerability in your plug-in to me. I'm very happy. It's all love Check out how it works. Here's here. 
I'm doing uploads now And and I've got responses of like who you why are you telling this because they think they think what I said was hey I'm vulnerability of plug-in. This is how it works. Here's all the problems in your code They think that's what I'm saying the reality is I'm a happy guy and I'm like everything is fine It just here's the patch and some people argue with me what the best patch is and I don't care But that's just weird you're doing it that way and like you're gonna like what is your code you've done all the work Treat a reported a security vulnerability report as in free work treat it just like a pull request But I also as a security vulnerability Researcher I can't I can't do pull requests that includes a vulnerability in it because that also looks really bad because maybe you won't see the Pull request. I'm like I fixed this terrible vulnerability in your code Here's the example which also shows the anybody who wanted to be malicious exactly able to attack It's exactly what I showed here. It shows you the diff to say this is the problem So I don't like to have to come in over email So make sure you have a contact address if you're a plug-in author have some sort of way to contact you You can contact the other support forums, but that's public. So that's also weird again It's not good for me to point out our security person to point out of vulnerability publicly So we try to keep it nice under under wraps and just discuss it and say is what I found here's how to fix it and Again, what is my mantra? What is the mantra of security? Yeah, yeah, perfect all you need to take away from this and that's all I've been saying for the last hour and a half Sanitize escape validate permissions Be mindful that your you are the person responsible for code and this code can be anything your code your plug You might end up on I don't know some major website. I think the US president uses wordpress, right? I know what I did right The White House. 
Yes, they use where your code might end up on the White House. So be Be mindful of that respect that you get This is my recommended means and we're pretty much wrapping up I think I did decent on the time he's got five minutes and I'll just hang out Chad and you guys can look at code the one I highly recommend is the These are just nice reading This is the building secure software is the book that I read when I was 16 years old and it is all about writing exploit role preventing exploits and in C and socket layers stuff and And guess what the guess what the where I got my mantra from This book the entire thing I write when I was 16 years old I read this whole thing I'm gonna like figure out how those vulnerabilities work and then in the end I'm like, oh, it's just user inputs Don't trust user inputs never trust user inputs and that's that's the whole book I just wasted their their money because nobody's gonna buy the book. That's all I need to do is table web is a great source and no search press makes a lot of great how-to books for stuff Taylor, but there's a great one that is a Web app, it's not really web app But he's a vulnerability of security researcher and he just did a great list about how he finds vulnerabilities is interactions with companies like Microsoft and stuff It's kind of a more about auto biography, but right here the plug and developer handbook is a great resource. That is what I have up right here Read this as well Understand nonces and secure inputs and outputs of validation and user capabilities That is gonna make your plug in a thousand times more secure if there was a and the WASP is a great thing There's WP bone DB is where I got all these vulnerabilities So you guys can take you do if you had fun a little bit of fun or wanted to see to find your own vulnerabilities These WP bone DB you'll see how the all the vulnerabilities work. 
Well, all the vulnerabilities that get reported. And now I also have to ask: did anybody actually find any vulnerabilities? We found some close ones to me, so I have to find the DC, right? The unserialize vulnerability I found right off the bat. Yeah, it was Savvy; it would be migrating. So we have to go find those guys and show them in person that I'm only full of love when I point out this line of code.

Any other questions from anybody? Yes. Yeah. Yes, so that is PHP CodeSniffer; another utility would be... Is that paid or is it free? It's free. It audits for you. Yeah, there's another product out; it's called RIPS. RIPS Tech makes it. That's the one I knew of. Unfortunately, I didn't want to recommend it because it's paid, so I didn't want to be like, "Hey guys, buy this product." I'm not here for that. RIPS, I don't know, I think it's something. And there's a big problem. So what that is, that is dynamic code analysis, so they're able to load WordPress and have introspection on all the objects and how PHP is breaking itself out, and then they can start hitting those objects with the most common attacks to see if the output from PHP includes the expected string. So if you are able to work at that level, that's what dynamic code analysis does: you load it, you can inject what looks like SQL, you see a bit of code that looks like an SQL query, and then you see if the input to that, if you can make it so the output completes as a SQL injection, or things like that. What we did here was static code analysis.
It's very slow, and hit and miss sometimes. But yeah, using PHP CodeSniffer... I'm just gonna put that up big: PHP CodeSniffer. And then, yeah, you said the other one, RIPS, or it might be RIPS Tech; I think RIPS Tech is the company. The biggest thing that's important on those is that they need to adhere to and understand WordPress, which is something that RIPS didn't used to do, and it was basically useless, because WordPress is a very complex background. That's kind of what the guy did when I mentioned DEF CON: he thought he found thousands of vulnerabilities, and in reality he didn't understand WordPress. WordPress had its own built-in checks and clean-ups for it. So that's basically a thing. So both of these are dynamic analysis tools; also good. But I will be checking out CodeSniffer because I want a free one myself. I don't get paid enough to pay for these; they're pricey, a little bit pricey. It's because the intended audience for this is somebody who's a pen tester, who you can pay, and then you pay them thousands of dollars, so they can pay thousands of dollars for the code auditing tool once and then charge people as they audit code constantly.

I think I'm done; two minutes. So, final questions. I'll also be at probably the bar of the Crown. No, no, no, that's in a real bar. If you find me around and see me around and you want to yell at me or make me look at your code, this city guard... I hope I don't have to email you next week. I'll check it out for you. Also, I brought stickers and shirts. Unfortunately, the shirts are only small, but stickers if anybody wants. And as long as I got my USB things back. Can I have my USB things? Thank you.
