 Good afternoon. It's nice to be here. How's it going in Defcon so far? You guys enjoying it? Awesome! So yeah, so when we're thinking about the RECON, I used to do a lot of open source intelligence. So I thought, okay, let's take another approach. Of course we will go to social networks and all that stuff, but let's try to get information from source code. And that's the idea of this talk to give you some tips. So that will be the talk, so we will see. So my name is Samo Rosis. I'm founder of Bullnex. Bullnex is a startup back in Spain. I used to work in Microsoft in the security team, but now I'm doing my own thing. I also won a U.S. DARPA, so I went here. I was invited here to the Pentagon, so it was quite an interesting experience for me being a 4-inch. I usually go to many conferences and talk, so that's pretty much everything. So the objective of the talk, can you guys hear me fine? Okay, if I cover anything, sorry about that because I'm a bit cold. So today I'm feeling better, but yesterday and Thursday I was miserable. But now hopefully I'm fine. So I will talk a little bit about some basic source code analysis. It will be quite basic. We will not go into too much detail how to do that. And then it will be more open source intelligence tactics, stuff we are looking for, so I'm sure most of you are familiar with those. So how we can apply those to source code. So the agenda will be an interaction. We will cover what we're going to achieve and why. We will start doing some open source intelligence on some developers on the source code, and then we will do some conclusions. Yeah, this is something I've been working on. So this is working in progress, and I thought, okay, let's go to the right village in Defcon and show some ideas I'm working on. Hopefully people can have a nice discussion after some years, that always helps. And how we can improve this. I think it's quite a new field. I haven't seen much people talking how to do open source intelligence and source code and also how to do developer profiling and all that stuff in source code. There's some research on that, but still it's an interesting field to get into. So I will show you what I'm working on, but I'm sure there's much more things we can do. So hopefully people can come up with some nice ideas and we can improve those. So interaction. I guess most of you are familiar with that, right? One of the famous Steven Balmer when he was in Microsoft, not anymore, but when he was there he gave him a speech there and I haven't seen him in person and he's always like energy, quite insane actually, but funny. And he's one of the famous talk he was giving and he was saying developers, developers, developers, right? Of course in Microsoft he's one of the most important things, right? In the company, the NSS software company, so for many companies it's the same, right? So yeah, in this case we will target developers. We're going to get information through the developers. Why developers? I mean I'm a developer myself. So I think it's quite interesting, right? Of course this is only a price of companies who develop software, right? If the company doesn't have any developers, this is not going to help, but there are more and more companies having their own developer staff, right? So most of the time developers are really technical people but not security savvy. That's true. I know a lot of, well, they are really good developers, they are not too much security. So that's perfect for us when we're doing open source intelligence. We can take some benefit there. And also developers, from my point of view, of course I'm a developer and I do a few things so I guess I'm biased for that, I guess. But in most companies, okay, there are no decision makers most of the time, but quite often they are infuers. So they help high management where we should go, so those guys are influencers, so that's good. They have some certain power in the company, perfect. And also they usually have access to information and systems, so that's perfect. They can go to, they have maybe access to information or systems that other people in the company don't have. Sometimes they have too much information because they have developing and they, okay, I need full access to the system when you don't need that, but most companies, okay, you get everything, so that's perfect. So okay, that's quite convenient for us. And of course, there are habits there, right? I mean, you guys are developers, you know, we love science fiction, who doesn't, right? If you don't, you are in the wrong room, I guess. Anime, a lot of people go for anime, porn, I mean, of course, right? Not only developers, I guess, but that's something we can exploit and of course we are, right? That's something that developers love and we can benefit. I mean, we can exploit that, right? And we are getting information and then we are going to do more like social engineering attacks. I'm not going to talk about social engineering attacks here because that's not what I want. But after I pull out all the information I need, I can, I know information about the developers and I can focus on those areas that chances are I will be able to attack his attention through these habits and that's quite common to see that. So methodology, I like to follow. Instead of just going, for example, I have to target a company, right? We usually start with the domains, the IPs, maybe hopefully I can do some Google searches, try to find some emails and stuff like that. That's usually the most of us start, right? Okay, so the way I went is, okay, I have to target a company. At this point, I don't know anyone there, but hopefully I can go and check if they have any GitHub reports or something like that. Okay, so let's go to the reports and start downloading those. So I will start downloading the reports, the code reports, and now, the GitHub is a huge thing these days, right? So that's the place I will go to start there. And then I will start looking for open source patterns in code. So I will do some of the things I usually do in Google searches and stuff like that, but I'm going to source code. And after that, I have a bunch of information there. Of course, I will go more traditional way with such a nervous and different tools and stuff, right? So that's the way I'm going with this. Of course, with things we can look at, we can search in departments, we can start searching in the code, right? We have some of the classic things, usually we do in Google searches or with different tools, right? We look for APIs, domain names, URLs, emails, well, credit cards, maybe in source codes sometimes, phone numbers, we can also find phone numbers. So there's a bunch of different information there we can start pulling out in source code. Usually, and more and more, I've been testing from, I've been doing code reviews for a long time. So actually now these days, people are starting to put in more comments and nicer in the source code, and that's quite nice for us. If you start looking old code, pretty much there's no comments or anything, but for us right now, most modern code is quite perfect. And actually things we can start looking into in source code as well is Twitter alias. There's no notes so common, actually when you go to the GitHub report, people usually put the alias there, so it's perfect, now I have that information, I can start doing more things. But usually in the source code, I haven't seen so often, people usually they put their name but not so often the Twitter alias. But at least that's something we should start looking at. And of course the comments, it depends how well people write their comments and in detail and stuff like that, but sometimes we can also find some interesting piece of information in the comments. So that's the thing I will start looking in into source codes. Right, give me source code, right? So usually we don't have any documentation I don't care about that, in this case usually when you ask, when I do code reviews I usually have no documentation but usually they don't give me any. So I'm used to read code, so in this case it's perfect, in this case we download the repos and now we have to focus on the source code. So yeah, we will start reading the source code. I mean it doesn't mean, actually we don't need to really read the source code, we will do some search there so we don't have to go through the code, up to you. It depends what you're looking for. And here we can start some examples, right? Here we have, we start doing some, for example, I have here a target, it can be a person, a company, but now for example looking this, this is the header, I'm opening this program, this is the American Fusilab, it's a fuzzer, a very popular fuzzer. Okay, so just looking by the header that's quite common that people write headers into the source code, you can see program, as you can see at the end, flanalyse.c, it's a C program. But now for example here, for example I'm supposed to target this company, whatever, but now I have like three pieces of information, I can start work. So I downloaded this, the repo and now I know, for example I have a name, I have an email address and I have a company. So from this, I just got three pieces of information, now I can start, okay, I can start getting that information, I can start working going and get more info. So if I just look at the header, now I have three things. But just downloaded this code, I can start, I can start applying more techniques. Same here, now I have downloaded the Erkac Erkac source code and again I have actually and now it's the same, I have several pieces of information that are quite interesting. We can see that somebody Christopher started in 2004, 2005, how he started the project, but now Thomas has taken over. So we can see there's a relationship, those two guys have been working on the same project and one of them took the over. Okay, that's, we're starting creating relationships. So that's interesting as you guys know, in social networks on Soledad we do a lot of relationship analysis. So now we're starting making relationships there and right now I'm doing this in my mind, but we can start writing that down and as we can see there's more people there that I mentioned. So I have more names. So I can start looking, okay, there's people relationship, then maybe I can go to different social networks and start seeing they are following each other or what they say, they are friends and so on. So I'm here starting relationships. They're going to move other type like social engineering attacks or whatever. Probably with these guys it's not going to work, but that's just an example, right? So that's the way I will start. So okay, so now we have starting names and relationships. So that's good. So now we have some information I can start work with. So I guess some tools, right? At the end it's all about the tools, right? So in this case I'm going to cover some different tools we can start using. There are many more but I just, some of the most I use and I sure in time I will add more, that's for sure. And some of the tools I'm using have to improve a lot as well. But there are some tools we can start using right away. So I think they are nice. Okay, one of the first tools I like is githubarank.com and it's quite a nice tool to give you a ranking of the different reports in GitHub. So we can, for example this is, I told, I gave me the rank of the top, top github in related to C language. Of course the first one is Linux source code with TorWalts there, right? So that's quite interesting. And this side can tell me to start getting, if I'm looking for particular repos, I can see how popular they are and people are downloading or stuff like that. So, okay, that's a good start to get a feeling of the popularity of this repo. It doesn't make sense. I'm targeting a company to look for open source intelligence and I start looking for repos that doesn't have any value. I'm just wasting my time. So yeah, that's a good way to start to get some feeling of the popularity of the repo. Okay, cool. So you can see there's a lot of interesting stuff there. Another tool I like is githubrap. That was released a couple of years ago. Actually the tool, the idea of the tool is to recognize github repos for private keys and credentials and stuff like that. But it gives you more information we can use for a more open source intelligence approach. So the tool looks for cadential and private keys and different stuff. So it's quite nice to use for our purpose to start. And this is the tool. It will go to a repo and start downloading those repos and the users and some information that's quite interesting for me. So this is the UI of the tool. It's a web application. So it's quite nice. So let me show you. Okay, let's go there. I have it running here, locally. Okay. Because I don't have any connection, it's time to connect outside. Well, actually hopefully when it's time out, it will give me the images. The tool, what it does, it will start showing this is different repos. Usually the way it works, you will give the tool here. You go to a new assessment and it will ask you for an organization name or a repo. And it will go there and pull out the information there. Okay. So now it's time to connect. It's not connecting. Okay. So actually here by the name I start putting some repos. Usually when it has connection here it will show you the images. Now it's time to connect. It's time now and I have it there with a turn off. I don't know why, but so now it's not showing the image. But anyways, I pretty much know that. So first one is the repo for Raspberry. ID Software. PLC. It has some popular repos. I started getting mab, metasploit just to give me an idea of the people. If we go for example for the first one let's go there. Here the tool as I say is looking for credential credential so you guys have your company did have reports. It's a nice tool just to make sure you have not published any credential or anything like that. But I'm not using the tool right now in that sense. What I'm looking for is the user app. That's something I'm interested. I don't know if we're going to show me the pictures. Let's see. It's not showing me the pictures because it's a connection. It's time to connect there. Okay. I didn't check that, but I can't prepare just in case. Okay. So I put the video because it's time to connect all the time and not show me the pictures. I did a small video because you never know. When you have the reports it shows you the pictures and the interesting thing is it starts showing me the users and what pieces of code they have been working. So that's nice. Now I have information. I start seeing relationships there. This is one of the reports I did software with the Doom game who doesn't love the Doom right from the old days. We will take a look in a little bit as well at the Doom. We have some reports and map Metasploit and stuff. I don't think it does the original Metasploit but anyways it's nice to take a look. So yeah, we can see the different pictures and pictures can tell us a lot of information there. Okay. If you go to the Raspberry repo we can see all the files here. But as some say I'm not really interesting in that at the moment. Well, when I look in formalities of course I am. But right now I'm more interesting in the users. What information I can get from those users and that tool give me is quite convenient. For example, this is one of the developers Damian I can click and now he's giving me some info there. Move there. Okay. And now I have a name where I place his working location in my Twitter account. So now I have a bunch of information I can keep going and start targeting more and more of this user, right? So that's quite convenient for me. And of course the nice of the tool is that all information is put into PostgreSQL server. So everything you see here is storing as SQL server. So you can also make your own queries and search for info. I can do more things. We will do in a little bit. Okay, I can look the pictures and give me an idea of the this should be a fun guy, I guess. Okay, I have a mail address. Yeah, of course I can I can go to Google and do some searches and stuff like that. But right now I want to avoid that for a reason. Actually there are more counter-intelligence companies creating fake information on social networks and all that stuff. And they monitor those sites. But right now the repos are not that monitored. So now I'm getting a lot of info without going for social networks at the moment. So trying to avoid those counter-intelligence companies. So that's one of the things I'm trying with this research. So yeah, I have location there and I can start putting this info and use other well-known tools as we use with this, right? So it's quite convenient. Okay, so that was the GitHub repo. I found this tool quite nice. It's not showing me the pictures. No. Well, there were a few more pictures I wanted to show but I cannot do that. So I didn't have a connection. I was all the time connected so I didn't realize I needed a connection for that. But anyway, just go and it's very easy to set up. So that was good because usually open source tools are pain in the ass. But that one is quite easy to install and use. So give it a try. It's a nice tool. Okay, so the only thing is in Ruby but that's the only thing I can complete off. So now, okay, so that was a good job. It's a nice tool to start getting some information of the users and the report and connections. Of course, there's a lot of counters and there are many more. Some of the counters I have seen and writing your own code is as easy. It's not that hard, I mean. So if you don't want to use good wrap, you can just, for example, go this. The first two are Python based and the other one I think is in JavaScript. So there are many more. I think there are some Ruby counters. So there is a lot of people who have been releasing GitHub counters we can use. And we don't want to use the GitHub wrap tool that we've seen before. We can use those callers and pull the, or we're going to do a Chrome that works too. But that allows us to do a lot of repos at the same time, right? So some of the tools we can start using especially if we want to automatize things. Okay. So another thing I've been working lately and that's the thing for, I mean when DevCon, so everything, I guess everything is allowed, but anyways, I just to make sure. But anyway, hopefully you guys don't get offenses. What's not me is the source code. So don't get offense or anything like that but you will surprise what you can see in source code. And the idea for this is to look for bad words in the source code because this is some basic developer profiling. I want to get a feeling how this guy feel. I want to be this guy angry or not. And source code, so I've been working and usually it's quite common to do that, the sentiment analysis, we will talk about a little bit. And apparently the same thing needs to do in source code. That's a bit tricky that we have to still need more work for sure. So I will show you a few things, right? So if you look into the Linux source code, this is for real. This is what you can find in the Linux source code. So you can see, I guess at some point I can move with this. I'm not sure. So you can see between versions there, 2, 6, 9, and 3, something happened. I don't know what happened there. I guess it was I don't know what happened there but there was a lot of shit and crap and everything pretty much. So I guess they were working on something new, I guess. But you can see that there. So there was a lot of angrieness there going on and I think it's just going up. So I guess it's not something, but that's funny. That gave me an idea what's going on with those people, right? So yeah, but everything is not that bad. I mean, it's not only bad words. You can also find good words. Okay, so that's fine, right? So we have some love, we have some good nights and sweet and kids, right? But looking both things, we can see more happiness than happiness. So we should be concerned about that, I don't know. But yeah, no, so now everything is bad, so that's good. Did you go to that URL? You will find more funny metrics like this one with just related to the Linux kernel. So it's quite funny. Okay. So let's do the same for the repos we are working on. One other thing I've been, when I've been doing this, is you guys into more data science with information. There is the process we have to do data cleaning, right? You get information but not all the information you need is what you don't need all the information you collect. You have to do some cleaning. And it's also going to happen big time. Because for example, in the case of the comments, you get so much crap. You don't need that and it doesn't have any value for us. Like for example, in comments you can also find code. We don't want that. We don't get pretty much any results for that. If we're going to do more like sentiment analysis or anything like that, or it's not going to help. Some code statements, nothing I can use. We also there's a lot of back characters like dollar sign, equal and all that stuff. We should remove that. The same way we do Twitter analysis, usually remove the hashtag and all that stuff. The same thing. And also when I look around, there's just a lot of useless text. Especially with license. People pull out the license in the source code and doesn't give me anything because that is not from the developers. So I don't need that. And we can see a lot of that into source code. So that's things. So right now I'm something we have to improve a lot because I've been writing some tools and stuff but this is a much more to be done because there's so much stuff in the comments I don't need. So right now it's something we have to improve how to get comments that I can really use. So for example, and here for the comment, for example, we have here, I don't know, let's see. For example we can do, this is one of the tools I use. Tools and projects. Let's do, I don't know, which one? M-map I guess. See. And now this excuse me because I didn't do the slash B. Okay, now what the tool did, it created a something around there. Okay, my bad. Okay, there. So what I did is I used a small tool I wrote, and that tool I have to improve a lot. But now it's going to the repo, I downloaded and I'm telling, look for C files and pull out all the comments. So yeah, so as you can see there's so much stuff there. It's not like tutors. Like if you go to tweet, you can start downloading all the tweets and do some and take those tweets and analyze them. Here we have to do a lot of cleaning. And that's a thing I'm working but this much more work to do because you can see so much stuff that doesn't mean anything. For example, we have a license here, so we have to remove that. So there's a lot of data cleaning we have to perform to really get some information I can use or get a feeling of the developers. So yeah, so that's a work in progress. But just to give you an idea of what things we have to do, right? As you can see this numbers here probably doesn't mean it doesn't have anybody for me. Yeah, so sometimes you can see comments that are really interesting but I don't know if I can find any of those right now. But yeah, just looking around so that takes time. Right now it's a bit manual process. We have to start, usually what I do is I put all these to a CVS and then I can open with different tools and start removing some things. But it's a quite time consuming at the moment, right? If anyone has a good idea to manage this, perfect. Just let me know. I'm working on different things to speed up this process but right now it's a bit time consuming. Well, data cleaning is what we see. Even in data science and everyone familiar with that it's a hard hard process, right? Not everything can be optimized. It's hard sometimes. Okay. As you can see we can get so much comments and stuff. The only thing we have to find information we want there. There's chances that we can find something that can be used. But we have to find it first. At least we start narrow things, right? I used source code. Now from the source code I'm getting comments. Now I can start narrowing the information I want. Okay. You can see there's a lot of comments here and stuff. Just being there and taking some time to see what's going on. We can find some interesting things in the comments. Let's move on and hopefully it will be more interesting. Another tool I developed this tool is a source code intelligence tool. I use this tool to compile projects. What I do is an analyzer there. It's a tool that runs inside GCC. When you're building projects it will pull out intelligence from the source code. It only works in GCC and for C code. But at the same time I'm starting putting... I'm adding more tools into the framework called profanitor and osinter there. So profanity will look for bad words in the code. And osinter will look for open source intelligence patterns in the source code. Those two are completely language-agnostic. It will go for the files. An analyzer has to be running inside GCC for C code. So profanity is completely agnostic. So those are the tools we can start using to get some information. So I'm not going to run them because profanity is more or less fast depending on the size of the code or the code base. But osinter takes quite a long to run. So I will skip that. I have already run them in several reports to get some results. So for example let's do the DOM. There's a profanitor. So what I did is I run a profanitor tool and create a JSON file with all the bad words and now I use another tool inside the framework to generate a report. And this is the DOM source code from the game. And we can start seeing some words there. So don't get offence. You see something there. So yeah, we can see there is hello there, Sack. Fack, shit. Buster. Sack as well, I don't know. You go there to the... And sometimes you go there and check the file. Maybe you can find a comment there that sometimes they talk about somebody else in the company. Or this code is Sack because it's hard or they have a back or whatever. So that's a convenient for us. Now right now I'm using two dictionaries. I was just looking for English and Spanish. But in the Tintoreira there's dictionaries for I think 15 language from Chinese. I don't know. The only thing is for speed in Spanish I remove all of them but you download the tool you have all the dictionaries. The only thing is it takes a bit longer to run because you're looking at all the words. But pretty much, yeah, I mean this was a U.S. company in Texas. So yeah, there were pretty much all the bad words in English that make sense. So there is a bunch of there. And the funny thing is I guess when things are moving forward things are getting nastier and the code for the doom for the doom you can see they are not that much. So okay, that's that's okay actually in terms of bad words. If you go to, for example, Quake Stream from the same people and that's a so you can see actually there are, yeah, there's a lot of X there but there looks there are more there. So there's a bunch of words. So this is a newer game but the newer game is seven years old but they use more bad words in the game than before, right? So I guess there are more stress, I don't know. Hardcore, I don't know. When you start looking at those files it's very funny to see where that war is and what they're saying what are they saying there. So that started giving me a feeling about these guys. Yeah, that was funny. Actually you go to there, to the caster fact that one I looked it up because I said actually it's a function there and they say this function is a caster fact. It has to be fixed. So when I look in formalities that's a piece I will go that's for sure. Okay, so that was a profanity to write. So that's quite nice to start looking and get a feeling, right? So now we can do actually there was another thing I did before. Let me actually so what I did is I started taking some other developers of this reports so I was looking of these reports I didn't show you, for example TensorFlow, you guys familiar with Google framework and actually there's pretty much no bad words in TensorFlow and the codebase is huge. So I don't know if the people in Google are nice or there's some kind of bad word policy. I don't know but I was surprised about that. It's a huge codebase and pretty much there's no bad words. So I don't know if there's some policy or not. But for example looking at those, what I did here is I downloaded those are the tweets from several developers and I did, I downloaded the tweets and I submitted to a sentiment analysis API to give me a feeling of this guy's of the angriness. Can you guys guess who is the most angry person here? Or guess there? Excuse me, who? Who? Carmack, actually that's right, that's your own Carmack that's the developer of Doom and Quake. You got answers so those are the tweets and that's very easy to do with Python script and take the tweets and submit it to an API for analysis and it's free actually so that's I always do that. So here you go to, so now I have some statistics so let me move that there so yeah we can see actually this guy is more negative than positive. So that's quite interesting to give me an idea of when I profiled this developer. No wonder there's so much wild boogers in the games, in the source code. So that's quite interesting to do, right? We have also the BLC because you know guys BLC there's also some different type of vulnerabilities there so I want to, when I'm looking for vulnerabilities in software it's always nice to get a feeling of how these guys are feeling. Yeah, okay more or less need to go, okay. So yeah you can do those type of things to just to give me an idea of the developer. So I think it's quite nice. And then we have also the open source patterns. At the end there's one of the tools in the Tintorera framework the center that Prima do this but also you can do it by your own. So at the end we will look for IP links, emails and different stuff in the source code. I don't want to go to the Google or anything to start doing searches at the moment I'm looking on the source code and you will find a lot of information there quite interesting doing the same thing. So for example here there is a TensorFlow the repo in TensorFlow so just a regular question there I'm looking for email address so now I have a bunch of address of course I have to do some cleaning there that's easy to do and now I can take all those email address and use all the different other tools other tools open source intelligence and put those emails and start getting about the source quite nice. And the good thing is many times people in source code they forget stuff, they put more links internal IPs so that's quite convenient. So now I have information about more sensitive information that chances of doing Google searches I might not find them. Okay, well some of the queries I mean that's not too excited there but that's for example I can post those online but also some of the queries I use and you can also find them in the tutorial tool. That one is for look for email address IPs and after like that. So no worry, I can post those. Those are my simple regular expressions to search for information, right? Okay, and now for example, so now I can have links, IPs, domain names names of the developers so a bunch of information now okay after some doing some cleaning I can start using my regular open source tool that we open source intelligence tools we all have, right? I can start putting those information into Maltego, ReconNG data storage and of course some custom scripting tools right? I have a bunch of custom tools that I've used all this information I get from the source code pass it to those scripts and now we can just go our regular approach in the open source intelligence ascent. So yeah, so for the point of view I think a source code is goal because many times it's people don't pay too much attention, they just submit to the repos so in source code we can find open source intelligence, we can find email links, IPs and stuff like that we can sometimes find sensitive information people forget tokens, credentials and stuff like that so that's nice we can also do comments and sentiment analysis, we have to do a lot of cleaning on the comments but we can still do some getting a feeling of the developers and of course we can also find one of these so yeah, so in my opinion source code is really nice, it's a gold mine the only thing is we have to harvest that and of course from talking with people yeah, there's a lot of, I was mentioned before, there's a lot of there are several companies doing content intelligence and stuff like that, they put that in social networks and stuff to make open source intelligence harder but code repos are at this time for man standing people that don't pay so much attention, so we can go to the repos and start getting info without going to the social network or don't making any attention to go to the social network for example and pretty much we can get a lot of information as well, so yeah so source code is gold so next steps there's a lot of work to be done so yeah, we have to for sure we have to do some actually, when we're talking I don't know, we'll see, I don't know I was talking with Datasploit and actually they were saying that they want to also add some stuff like this into Datasploit, I think that's quite nice, right? so yeah, so we have to improve this feel I guess, so we need more improvement tools, that's for sure more optimization, that's for sure for the comments, there's a lot of with the CreenApp analysis and classification of the comments so that's quite nice and I didn't go too much into detailing to the developer profiling by also working on that and the idea is you take source code and look in different type of parameters I can give you an idea of profiling the developer looking for how he writes, what's his style of coding and we can find similar coding of the developer in other places so that's the developer profiling and that's interesting feel, but it's more or less related but it's another thing, so yeah, so these are the things we have to improve in this thing and of course we should start adding or Datasploit or ReconNG or other tools start adding these source code analysis and get information into those tools so yeah, that's a thing that's pretty much the talk I don't know how I'm in time I'm good or not, or what time is it I don't know, okay so you guys have any questions, comments yes please yes, yeah that's the point yeah, that's called that's open source ops no, that's yeah, I know, I have to fix that yeah you guys have any more questions if you guys want to talk about open source I will probably be in the bar in the afternoon so come and grab me for a beer and we can talk so you guys have any more questions thanks a lot, there's been a pressure being here and thanks