Good afternoon. Good evening. Welcome to Track 2. My name is Michael Schearer, theprez98. And I have to tell you that when the schedule came out and I found out that my talk was 5 o'clock on Sunday, I was a little worried. And I'm not worried at all. Thank you so much for more or less packing the room here. And I hope that your commitment of the next 45 to 50 minutes with me will be worth it. So thank you.

I'm going to talk today about a tool, a search engine called Shodan, and some applications that it has for penetration testing. This is what we're going to talk about today. I'm going to talk about what is Shodan. It's a search engine, but it's a little bit different than other search engines. So I want to explain how it's different. Talk about some basic operations, a little bit about the applications of the search engine to penetration testing. And then I work through a number of case studies and I want to present them to you. That's kind of the bulk of the presentation and how that really applies to what you can do as a penetration tester.

So when I use penetration testing in the title, I could use all these things in the title. And I'm not suggesting that all these things mean the same thing because they're all different. However, if you do any of these things, then what I'm going to talk to you today applies to you. So I could say I could put all of these things in the title, but then the title would be just unwieldy. So when I say penetration testing, this is what I mean, all of this stuff. How many of you do one of these things? Probably most of you. Okay, good.

So what is Shodan? Shodan is a search engine. It's a computer search engine. It's designed by a web developer named John Matherly, who's with us here today. I actually will talk to him a little bit later. But it's not a search engine. It's not the same as a search engine like Google or Bing or Yahoo. Those search engines crawl web pages for data and then index that data and make it searchable for you.
Shodan, on the other hand, interrogates ports. So interrogates port 80 of a particular server. And it grabs the banner. So we're not talking about the data on the web page. We're talking about the banner. So whatever HTTP status code you get, and then the banner. So IIS 5.0 or 6.0, whatever software is running, version number, et cetera. And then indexes the banners rather than the web content for searching. So we have a search engine of banners and not of content. So instead of looking for specific content on a page, we're looking for specific information about the page. Is it a desktop? Is it a server, a router, a switch, or a printer, or some other sort of device? We can find that out by looking at the content in the banner. Typically these are on port 80, but they could be banners on port 21 or 22 or 23 or some others that we'll talk about. Optimizing search results for Shodan requires us, or at least is helpful for us, to have some knowledge of what a banner looks like. So we'll talk a little bit about that as well.

Basic operations of Shodan. This is just a nice little screenshot of Shodan. The URL, by the way, is www.shodanhq.com. And you'll come to this nice page here, and it's got a search box on the top just like every other search engine. And again, like I talked about, it's going to be a little bit different in terms of what you're searching for. There are also two Firefox add-ons that I'll just briefly mention. One is a search provider add-on, which adds, if you're using Firefox, adds Shodan to the little box in the top right corner of the browser. And then there's a Shodan helper add-on that is a sidebar extension for you. I'm not going to talk about these other than to just mention that they're available.

So basic operations. What's the difference between searching Google or searching Yahoo or searching Shodan? Well, the syntax is kind of the same. We can use Boolean operations plus, minus, that sort of thing.
We can use quotation marks to narrow down a search, and you just enter them into the box. So the syntax, of course, of what you put into Shodan is the same as any other search engine. However, the actual content of your search term is going to be a little bit different. And we'll talk a little bit about searching later.

Login. There's a couple of options. You can use Shodan without logging in at all, although there are some limitations to the results that you can get and some of the filters that you can use. You can also create a Shodan account, kind of an account specifically for that page. Or if you have any other one of these accounts, Google, Twitter, Yahoo, AOL, Facebook, OpenID, if you have those accounts, you can actually log in with those accounts as well. And again, like I said, login is not required to use Shodan, but there's a couple of filters, for example, a country and a net filter, which I'll talk about a little bit later. And those will not work for you if you don't log in. There's also an export feature that allows you to export results into an XML format, and that will not work unless you log in. So just the login page. You can just create a Shodan account, or you can just log in with one of those other accounts. Most people have something of one of those accounts, if that's what you want to do.

So let me talk a little bit about the filters. Filters are ways that you can take the amount of data that you get from Shodan and kind of narrow it down to a manageable level. As we look at later, if you type in the word Cisco into Shodan, there's 350,000 or something like that devices in Shodan that have Cisco in their banner. Well, that's not really useful for us if we're looking for a specific device. So the filters will help narrow us down. The first is an after. So in the case of the slide here, the filter is actually the word in bold. So followed by a colon, and then followed by whatever the syntax is.
So for example, if we put after colon and then a date in the format of day, month, year, we can limit our results to information that's been added to the search engine since that date. So we can look for frequency of data. Or look for data, we can exclude older data if we want. Or before, we can do that as well. The country filter filters by two-letter country code. So if you know the two-letter country code, whatever the IP address country that's registered to, so for example, obviously country colon US will limit it to US registered IP addresses. Hostname filters by text in the hostname or domain. So if we want to limit our results to the .edu domain, or if we want to limit our results to Google.com, or whatever words you want to use in a domain or a hostname, you can limit your results to that. Net filter, specific IP range or subnet, obviously if you're looking for a specific target, say your company owns a class B or something like that, and you just want to filter on that, obviously you can do that. The OS filter will search by specific operating systems, so Linux, Windows, whatever you want to put in there. Port will narrow by specific services. I'll talk a little bit about the services that are in Shodan now. And then there's also a number of SSL filters that are available with an SSL add-on to Shodan.

This slide just kind of shows you where you can enter the data. All the data you can enter directly into the search box if you want, the filters. The other ways that you can filter is if you look at the, there's a drop-down map, and as you can see on the map, the color of the country is kind of color-coded based on how many IP addresses in that country have been searched, so you can see obviously that US has the most on here, as well as China, Japan, and Germany, et cetera. And then you can filter by port by clicking on the box there, but it's easy enough just to put it in the search box if you want.
On the country filter, if you mouse over a country, the country will turn yellow and it'll tell you how many hosts have been scanned in that country. So, for example, here on the United States, some ridiculously large number.

So a couple search examples using the filters. I know you probably can't see it from here, but I'll read it to you. The search here is Apache country colon CH, CH being the country code for Switzerland. So what this will do is it will find all the results in Shodan that are registered to a Swiss IP address that have the word Apache in the banner. And the results that you'll see here, over here on the left, you'll have an IP address with a hyperlink to the actual result. Below that, you'll have an operating system if it's been identified. Below that, there's a date that that result was added to the search engine, and then there's a nice little country flag here as well. This here is the actual banner that you get back from that result, and any search terms that you enter will be highlighted in red. So you can see here that this was an Apache 2.2.13 running on FreeBSD, et cetera.

So this is where I talk about knowing what the banner shows you is helpful for searching for certain sorts of results. Here the search term is Apache 2.2.3. So this will find any servers that have Apache 2.2.3 in the banner. Here we didn't use the country code and Shodan is helpful for us and actually will display the top four countries by results. So United States, Germany, France, Canada. If we're logged in so that we can use the country filter, we can just click on that and that will filter that down further for us.

Basic operations, a hostname filter. Okay, so we want to filter by hostname. So the search here is Apache hostname colon dot nist dot gov. So now we can limit our searches to devices in the dot nist dot gov domain that have Apache in the filter, or that have Apache in the web banner. Or IIS 5.0 hostname EDU.
So now we're looking at just IIS 5.0 or Microsoft 2000 servers that are in the EDU domain. And obviously if you wanted to put a specific university or something like that, you could certainly do that as well. And then I talked about the net and the net filter. So if you want to filter by an IP or CIDR notation, you can certainly do that as well. Definitely useful if you really want to limit down to one specific area that you're looking for, and then the OS filter, if you want to just look for a specific operating system.

Finally, you can filter by port. Current collection is FTP on 21, SSH on 22, Telnet on 23, HTTP on 80, SNMP on 161. And recently added is HTTPS data on 443. I should note, and I'll talk a little bit later, that this data is only available through an add-on, which requires some credits. So the SSL filters, these are the SSL filters that are available with the SSL add-on. So you can search for all, I won't go through them specifically, but they're self-explanatory as to what you can search for if you're looking for specific information in the certificate or the cipher that's being used. So the version of SSL or whatever certificate information you're looking for.

Search history for Shodan. If you create an account, just using Shodan, the search history in essence is disabled. In other words, your searches aren't being saved for you. If you do create an account and you can enable search history and then you can save your own searches so that if you find searches that are useful to you or searches that are finding useful data to you, you can kind of save them in a way. And again, if you go ahead and disable that once you've already enabled it, then your searches won't be indexed by the search engine.

Shodan allows you to export data and this goes into XML format. So there's a sample data file there that you can download if you want to look at the format that it comes out in. And this is one of those add-on features that's available for Shodan.
And the second add-on or the second other add-ons are the HTTPS data and the extended search. So typically, even if you're logged into Shodan, you're going to be limited in the number of results you can see. With the extended search add-on, you can view up to 10,000 results. So one of the first questions that I, when I talked to John about this, is like, well, what kind of feedback have you gotten about, you know, charging for add-ons or extra results and something like that? And he said, and he could probably talk about this later if he wants, but he hasn't, I mean, it's, he's done a lot of work. So I mean, he thinks his time is valuable and the work that he's done is valuable. So if you want extra results beyond what the initial search engine is giving you then, you know, it feels like it's reasonable to ask for, you know, something for that. And we could talk about that later if you want. I will say that all the stuff that I've done, it was on the, not having, you know, using none of the add-ons.

Shodan also has a newly added section called Network Radar. And this is just a nice little picture of the world and it will show you recently added data to Shodan. So what it'll do is it'll show you a nice little symbol over an area or city or, and then it'll show you the banner. So this is kind of a nice kind of view of things that have been recently added.

Let's talk about applications of Shodan for penetration testing. So John originally developed this as a, as a marketing and research tool and it was not really specifically geared towards penetration testers or the hacking community. But you can see, I'm sure that most of you can see that there's certainly opportunities here to look through the data that's been collected in Shodan for opportunities for penetration testing. So that's what I want to talk about. Before I go there, I want to talk a little bit about ethics and, yeah, ethics.
And just kind of go through a couple, you know, hypothetical scenarios and kind of just go through some questions that may come to mind. And I will say that when I did this test, all the things that I've done for the examples here were just done on my own. It was not authorized to do anything. So these are kind of rhetorical questions for you. Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view? So if we click on one of these links and it takes us to some sort of device and it logs us right in because there's no, there's no authentication, is that okay to view that? What about viewing the configuration of the device if we used a default username and password to get into it? Or what about viewing the device if we used a unique username or password? What about changing the configuration of a device that we don't own or that we don't have authorization to use?

So this is kind of a black-to-white spectrum and this is where I put these questions on there. You may disagree with it, but I think most of you would generally agree with the general placement. So viewing the configuration of a device that requires no authentication, I think that's pretty clear. I think you could view that. You're not changing anything, you're just looking. There was no authentication required. You just clicked on a result and went right in there. Using a default username and password, well, I think you're getting into a darker shade of gray here because despite the fact that they're using a default username and password, there's still some authentication mechanism that's trying to keep you out. That's just as far as I went, by the way. I'll show you an example of that one later. Using a unique username and password somehow that you've captured, I think that's fairly black. And then also changing configuration of the device that you don't have permission to do, it's fairly black as well.
Like I said, I went to about the middle, so I wouldn't go any further than that. But that's up to you.

I think that using Shodan for penetration testing requires some basic knowledge of banners, like I talked about. And also it's very useful to you to know HTTP status codes, and you all know these, so we're going to review them because we can use them to actually filter out results. We know that banners typically talk about the services that they're running and the versions that they're running. I've talked to very few people who have ever spoofed banners. Some people do, but most people don't. So we're assuming here that the banners aren't being spoofed.

Just a quick overview of some HTTP status codes that we will see and how they can be useful to us. 200 OK, request succeeded. This is typically our best result because this means we're going to be able to view the page without any authentication at all. 301 and 302 are moved or found, and we'll see that those are not terribly useful to us. 401 Unauthorized requires authentication, and then 403 is a Forbidden. In other words, we can't go there.

So how does that apply to us? OK is really what we're looking for, because that's going to allow us to view a page without seeing anything else. It's not going to ask us for a password, at least not to view that page. 301 and 302, typically first, in the case of Shodan, it doesn't really provide us with a lot of data. Yes, you could follow the result where it's moved to, but typically it's kind of just running into the dark without really knowing where you're going. So we can use the filters, the Boolean logic to filter these out. 401 Unauthorized is typically saying, no, you don't have permission to view this page. However, it doesn't necessarily mean that we can't get there. And a 401 Unauthorized on a web banner will typically have a WWW-Authenticate line, and that will typically indicate to us the presence of a pop-up box.
So if we go to one of these, we're going to get a pop-up box asking for a username and password. 403 Forbidden, typically there's some reason that we can't view the page. And it's also important to note that some banners advertise defaults. We'll see banners that say the password is 1234. It doesn't mean that they're using that, but they're at least telling us what it is, so that's useful data for us.

So the first of my four case studies is the Cisco devices. And this is the first Cisco banner I found, and I just wanted to show it as an example. The two boxes squared in red, the first one is the status code, so it's HTTP 401 Unauthorized. And then we see a WWW-Authenticate basic realm level 15 or view access. I can tell you that when you see this, when you click on the result for this, you're going to get a pop-up box, and it's going to ask you for a username and password. And if we don't have it, obviously we can't get to that page.

Here's an example of a Cisco banner that is a 200 OK. Notice that it does not have a WWW-Authenticate box, and it also has the Last-Modified box. When we put these side by side, we find that the two lines, WWW-Authenticate and Last-Modified, are almost 99.9% mutually exclusive. So what does that mean for us? Well, let's look at the results here. So this is as of last night. If I search Shodan for Cisco, I get 306,000 some devices. The WWW-Authenticate, 253,000, Last-Modified, 5800, and then only 31 that have both of those lines. So what that means is if we can get a 200 OK with a Cisco, chances are that device is not going to require any authentication at all. In fact, we really have about 5900 devices as of last night. Cisco devices on the internet publicly facing that require no authentication at all to view, change configurations, do whatever you want. You've already owned them.

So let's take a look at one. Many of you will recognize this is the Cisco switch and this is the HTML interface.
And if we wanted to administer this interface or administer this device at a certain level, we could click on one of these numbers right here. And whatever number of the level we want is what it will take us to. So surely if we click on level 15, which is like administrator access, it's going to then ask us for a pop-up, right? And it's going to, that's when we're going to be stopped right there. No, it doesn't. So I don't have my CCNA. I don't know what the command is. Well, they're all right there for you. And they're hyperlinked for you. So if you want to do anything to this device and you don't even know the Cisco commands, you can just click on them. And there's a whole page here. You can see that the scroll bar is pretty small. So I mean, you could pretty much run anything. And I ran a few commands, but I just did some show commands because I didn't want to actually, I told you I was not going to change the configuration of a device.

So this is the configure commands menu. We were able to get in there with no authentication at all. Here's the execute command menu. We can get in there without any configuration at all. I ran show running config and I got the running config. I ran show CDP neighbors. Let's see what else is around it. And I got some other devices. I won't go into too many specific details, but people will generally say, well, I know this guy. He's doing a CCNA and he set up a router. So it's probably just one of those things, right? Well, some of them might be, and some of these are infrastructure devices belonging to ISPs. And we'll talk about that a little bit later.

So what else is out there, Cisco devices? Well, this is a Cisco Aironet access point. This is just the home page though. If we went to one of the setup pages or the security page, it probably would ask us for a username and password. Or it doesn't. So what do you want to do? Change it? Turn it off? Change the IP address? Yeah. Security page? No, nothing there either.
They really should enable WEP encryption or maybe we should enable it for them. Network interfaces, security services. You want to turn on some services? Turn off some services? Okay, let's keep going.

This is a Catalyst 2960 switch. This is the dashboard view. If we went to the configuration view, it's going to ask us for a password, right? No, it's not going to. Some people are really good about labeling their ports. They'll tell you everything you want to know. Where they go to... I actually had one example that's not on here. That was a... It was a real estate company in New York. And they owned several buildings. And they had a switch that administered internet access to various businesses. And each one of their ports was like to XYZ company or to this company or to. So I mean... What about turning them off or just let's go half duplex for a day and see how their internet... And again, let me be clear. I didn't change anything on these devices, but you could if you wanted to. You could. I mean, it's right there. Setup page... Yeah, I mean, whatever you want.

Cisco Security Device Manager Express. Configuration. Change the password. Change the IP address. Change the routing. Security. It's pretty much whatever you want. Like I said, there are probably five, six thousand of these devices out there on the internet. And that's just what Shodan has indexed. Shodan has not indexed the entire internet. Large portions, but not the entire internet. So that's just what's already been indexed. It's kind of scary.

So second case study on default passwords. And this was the easiest search I did and I just searched for the words default password because I wanted to see what banners have the word default password in them. And again, let me caveat. This doesn't mean that that device is using that default password, but at least they're telling us what it is. And how many people change them? Some people don't change them.
So chances are some of these devices will be using them. So I'm not going to be looking for an attack, but of course, you know, let's try it. So this is the absolute first one I found. It's a 401. It has a WWW-Authenticate basic realm default password 1234 printer web port. It's a web interface for a printer. So we're probably going to get a pop-up box, right? So yes, it's not using it. It doesn't mean it's using default password. It's a possibility. The default password is 1234. What about the username? Well, there's none listed. So what are our options? Well, a null username, right? Or admin or root probably. So what do we get? Pop-up box. So what do I try first? I'm going to try a null username because they didn't list anything, and I'm going to try 1234. But the chances that it's working the first time, or it does. This device is, I mean, this is nothing big. It's the setup for a printer. But, you know, what do you want to do? By the way, all these menus, everything here is accessible now because even though it's the default password, we've effectively logged in. So we authenticate it.

Occasionally, if your browser or your computer is not set up to display foreign language stuff, sometimes you get these codes and things. I've found that if you don't know the language, and even if they do display the language, like it's Chinese or Japanese or whatever, typically the underlying HTML is still in English. So if you mouse over the links that you don't understand and look at the status bar, it will typically tell you what those things are. I mean, some of them are pretty obvious there.

Well, I went after Cisco, so let's go after Huawei. I mean, they're, you know, I searched for Cisco before, but I want to search for Huawei. And this is where I use those exclusions of I don't want 400 codes, I don't want 300 codes. So I just did minus, I minused all those. And the result is that I get all 200 OKs, which is exactly what I want.
And it turns out that there's 283 or so Huawei results on the internet, and almost all of them, or at least a good portion of them, all within the same subnet. And I was like, that's kind of interesting. And if you look at, I know you probably can't tell, but it's 150.186, whatever, and the flag is the Venezuela flag. So I thought this was kind of interesting. And the result is it's Huawei ET523. Well, I want to figure out what that is. Well, it's the EchoLife IP phone. OK. And it adds a whole bunch of these phones public-facing to the internet. So let's check out what they have. Oh! See, this is a good example where we had a 200 OK, so it says, yes, you can view the page, but it's asking for a password. And I couldn't, so I, you know, what's the default password for a Huawei ET523? I don't know, but I found that the default for most Huawei devices is, I don't know, password or something. Again, these things never work on the first time, or they do.

I'll scroll through these just to show you the whole screen, but yeah, this is the entire configuration for the phone. A couple of interesting things here. One would be the URL for the firmware upgrades. So if you want to change that and upload some rogue firmware to them, you can certainly do that if you wanted to. You could do stupid things like change the ringtones and other things like that. It turns out that this is some technology corporation in Venezuela and if you go to their homepage, there's smiling Hugo Chavez all over the page. So if you want to mess with them, you know, go for it. And one notice, I didn't block out any of the IP addresses. I mean, they're right there for you. I'm not encouraging you to break the law. I'm just showing you something.

OK, this is my favorite one and so I saved it for last. But the title was kind of boring. Infrastructure exploitation. That sounds kind of boring. So I changed the title.
Some of you may, I did a talk up in the sky boxes on Friday and the talk was just about this section. So and I think those people would agree that I didn't really oversell the title for this section because you'll see what happens. So I was running across a number of Cisco devices and I was doing a random search. And I found one of these, again, it's another Cisco web interface. And so, well, let's just go right for level 15. Yeah. And I did white out some of the things on here because this was a, at the time, this was an open problem with this, you know, company. Show IP route. And there's a long page of this and I ran a show some other commands. The running config. And so I'm running through these commands and when I get to show CDP neighbors and I know I blanked out the device IDs but the URL was very interesting and because it said it was a telephone, it was an ISP. And so you can see here that there's a number of 3750 switches and then there's a Cisco 6.06 which is the core router for the ISP. And they were all open. Yeah.

So I looked up the IP address and it turns out that this was an ISP in Florida. I'll say that. So all these devices were wide open. Contained in the configurations were VLAN IDs for their internal ISP network, hotels, condominiums, departments, convention center, public backbone, all this stuff.

So I'll talk very briefly about disclosure because I don't do disclosure. I don't search for bugs and vulnerabilities and things like that. But I thought when I came across this one I thought this is kind of important. So I wrote a one line, I looked up the security contact for the ISP and I wrote more or less a one line email to the security contact and it was something like, how do you tell them what you did without implicating yourself? So I said something like, the following IP addresses appear to allow unauthenticated access to devices on your network.
I get an email the next day, very gracious, pretty much saying thank you, you saved their shit, and offering me money. I didn't ask for money. I didn't say hey I'm going to hack your shit unless you pay me. I didn't say that. They offered me money and I thought that was kind of cool. So he said can we call you? And again this is where your Admiral Ackbar alarm is going off. Right? It's a trap. Right? I don't do disclosure so I'm just kind of like I don't really know what I'm doing so I call them. And very nice. He was a younger guy. This is not a big ISP. This is a small regional ISP. And they were very gracious about what had happened. He just kind of wanted to know how I found these devices. And I didn't go into Shodan but I did say that I do research on web banners, which I do, and I was just doing research on specific information on web banners, which is what I was doing, and I just came across their devices. They were specifically looking for their ISP. And I don't think he really understood what I was telling him but and he explained that they recently added these devices to their network and that the guys who installed them obviously didn't disable the web interface or something like that. Excuse me. And asked for my address. So again the alarm is going off. So I talked to him on the phone and now he wants my address because he wants to send me the check. So I gave him my address. I will say that I haven't gotten anything in the mail. Not only not the check but I haven't gotten like anything you know legal or whatever. And they did close off the problem. They did shut off their web interfaces so their devices aren't exposed anymore.

But what I will tell you is that with the information I had and with the access that I had could I have routed any or all of their traffic to a third party destination and then right back to them and then just sniffed all their traffic and totally owned all their customers. Absolutely. I could have. So I don't think it's unfair to say that.
I mean really could have owned this ISP. So there. I mean yeah.

A few other small examples and just and then we'll general observations. So I did some searches on Shodan and this is just for interesting data. I search for IIS 5.0. We know that it's Windows 2000. There's a lot of them out there. So you know, this is a couple months old but 362,000. IIS 4.5. Now we're getting older. Now we're going back into the 90s. Still almost 10,000. 3.0. You see where this is going right? No. 42. Does anybody know, does anybody know what IIS 1.0 maps to? It's like Windows NT 3.51 maybe or something like that. It's like 1995, 94ish. Wow! If you go to these web pages I mean they look like they were made in 95 and never touched since. So I mean they may not be used. What's that? Thanks. Thank you.

Let me show you one more example before I go into the conclusions. This is another fun example. You've all seen the Google Hacking viewing webcams and stuff like that. Every six months the news media rediscovers the story and plays it on your local news and thinks it's something new. And it isn't... This is just one small side note. Pan and tilt features work on this one. These ladies were diligently working at their computers and I was trying to get their attention and they wouldn't bite. They wouldn't bite.

So here's a good example of what I mentioned. If you don't understand the characters, I think this is Japanese. If you don't know what this means you can typically the taskbar will tell you what it is in English. In this case it does. So this comes out to snapshot so if you wanted to take a snapshot of the whatever screen is on there right now and then a client which isn't terribly useful to you. The second point about this slide is that I'm viewing this web page in Firefox and while many people still use Internet Explorer, I don't know why you would but you might want to. I do use something called IE View, Internet Explorer in Firefox.
So let's take a look at this and see that there's actually something different here. We actually have a third option. So we actually have snapshot, client and setup config which was not actually viewable in Firefox. Very interesting. So what happens if we go to setup config? Well we can pretty much do anything we want. So again another example if you don't understand the language mouse over and it will tell you these are all the things you can do. Security, system, network, wireless, I mean whatever, wide open.

Okay just some general conclusions about Shodan. We've got about 10 minutes left. Shodan aggregates a significant amount of information that's not already widely available. Could you go home and do something like this? Absolutely, you could do it. But it's going to take a lot of time and we've done it for you. It does allow for some passive vulnerability analysis. If we're looking for a certain version of software we can say hey, we can search for that and actually know with some degree of confidence that that IP address is running that software without ever even touching it. Is this going to totally take over the world? No, it's not going to. But this is something new for penetration testers. It's something that you can do to add to explore, to see what other data is out there. And I think it's going to help shape the path for future vulnerability assessments.

John Matherly is the creator of Shodan and I'll have him come up here if he's willing to answer a few questions. If you have them for him, these are the guys who wrote the add-ons. People always ask about slides, so here you go. They're not there yet, but they will be really soon. There's a site called Scribd.com. I put all my slides from all my presentations on there. I'm going to flash theprez98. There's some earlier versions of it, but this particular slide deck will be on there probably by tomorrow. So if you want the slides, there you go. We will save the last 10 minutes for questions.
I will try to repeat them so that everybody can hear them. And thank you.
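
The following is an added example and not part of the talk: a defender-side triage of HTTP banners collected from address space you administer, applying the status-code and WWW-Authenticate reasoning the talk describes. The sample banners, the 192.0.2.x addresses, the category labels and the function names are all constructed for illustration.

```python
"""Triage HTTP banners captured from your own address space (added example)."""
import re

# Constructed sample banners, keyed by documentation-range addresses (RFC 5737).
SAMPLE_BANNERS = {
    "192.0.2.10": (
        "HTTP/1.0 401 Unauthorized\r\n"
        "Server: cisco-IOS\r\n"
        'WWW-Authenticate: Basic realm="level_15 or view_access"\r\n'
    ),
    "192.0.2.11": (
        "HTTP/1.0 200 OK\r\n"
        "Server: cisco-IOS\r\n"
        "Last-Modified: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    ),
    "192.0.2.12": (
        "HTTP/1.0 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="Default password:1234"\r\n'
    ),
    "192.0.2.13": (
        "HTTP/1.1 302 Found\r\n"
        "Location: /login\r\n"
    ),
    "192.0.2.14": "HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n",
}

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")
# A realm that spells out its defaults tells every visitor what to try first.
DEFAULT_HINT_RE = re.compile(r"default\s+(password|passwd|login)", re.I)


def parse_banner(raw):
    """Return (status_code or None, {lower-cased header name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    match = STATUS_RE.match(lines[0])
    status = int(match.group(1)) if match else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw):
    """Map one banner to a triage category."""
    status, headers = parse_banner(raw)
    if status is None:
        return "unparsed"
    challenge = headers.get("www-authenticate", "")
    if challenge and DEFAULT_HINT_RE.search(challenge):
        return "advertises-default-credentials"
    if status == 200 and not challenge:
        # No HTTP-level challenge. The page may still present a login form
        # (as the IP phone in the talk did), so this means "check by hand",
        # not "confirmed open".
        return "review-no-auth-challenge"
    if status == 401:
        return "auth-required"
    if status in (301, 302):
        return "redirect-unknown"
    if status == 403:
        return "forbidden"
    return "other"


PRIORITY = ("review-no-auth-challenge", "advertises-default-credentials")


def findings(banners):
    """Return sorted (host, category) pairs that need an owner's attention."""
    results = []
    for host, raw in banners.items():
        category = classify(raw)
        if category in PRIORITY:
            results.append((host, category))
    return sorted(results)


if __name__ == "__main__":
    for host, category in findings(SAMPLE_BANNERS):
        print(f"{host}\t{category}")
```
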